#933 From: Testking_Mcse@yahoogroups.com
Date: Sun Dec 13, 2009 9:06 am
Subject: File - Microsoft exam 70-291 preparation guide.html

Microsoft exam 70-291 preparation guide

Contents:

Part 1: Understanding Windows networks and TCP/IP
Part 2: Troubleshooting and monitoring TCP/IP
Part 3: Implementing, configuring and troubleshooting DNS servers
Part 4: Implementing, configuring and troubleshooting DHCP servers
Part 5: Implementing, configuring and troubleshooting routing and remote access in Windows networks
Part 6: Managing network infrastructure and security

Preface

I have written this short preparation guide as a way for myself to ease studying for the Microsoft 70-291 exam titled: "Implementing, managing and maintaining a Microsoft Windows Server 2003 network infrastructure". I provide this guide as is, without any guarantees, explicit or implied, as to its contents. You may use the information contained herein in your computer career; however, I take no responsibility for any damages you may incur as a result of following this guide. You may use this document freely and share it with anybody as long as you provide the whole document in one piece and do not charge any money for it. If you find any mistakes, please feel free to inform me about them Tom Kitta. Legal stuff aside, let us start.

Guide version 0.006 last updated on 17/06/2004

Part 1: Understanding Windows networks and TCP/IP

[1.1] Basic networking definitions
  • Network infrastructure - set of physical and logical components that allow for, among other features, security, management and connectivity
  • Physical infrastructure - is also known as network's topology, the physical layout of hardware components and the type of hardware as well as the technology used with hardware for data transmission.
  • Logical infrastructure - is the software that allows for communication over physical infrastructure, it includes services that run on the network like DNS
  • Network connection - is a logical interface between software and hardware layers
  • Network protocol - is the language used for communication between networked computers
  • Network service - is a program that provides features to hosts or protocols on the network
  • Network client - is a program that allows a computer to connect to a network operating system
  • Addressing - is the practice of maintaining a coherent system of addresses within an organization's network that allows all computers to communicate
  • Name resolution - is the process of translating a computer name into an address and the other way around
  • Workgroup - is a simple grouping of resources which by default uses the NetBIOS naming system. NetBIOS is used together with Common Internet File System (CIFS), an extension of the Server Message Block (SMB) protocol, to provide file sharing. There is no centralized security in a workgroup environment. The default workgroup name is WORKGROUP. In the absence of a WINS server the NetBIOS names are resolved using broadcasts to the local network segment.
  • Domain - is a collection of computers that share a common directory, security policies and relationships with other domains. The name 'domain' is used both by grouping of computers in AD and as names in DNS, they are different things.
  • Active directory - is a distributed database that provides directory service
  • Remote access - is a connection that is configured for users that want to access resources from non-local site. There are two types, VPN and dial-up.
  • Network Address Translation (NAT) - is the system which allows computers with private addresses to communicate with computers on the internet
  • NWLink - Microsoft implementation of Novell IPX/SPX protocol used by NetWare networks
  • Certificate - is used for public key cryptography
  • NetBT - NetBIOS over TCP/IP, provides for higher level communications such as SMB (Server Message Blocks) and CIFS
  • CIFS - an extension of the SMB protocol that is used with basic file sharing. One of the advantages of CIFS over SMB is the ability to operate directly over DNS without the use of NetBIOS.
  • TCP/IP - most popular, scalable, routable and based on open standards protocol.
  • Redirector - client component that decides whether the request is to be serviced locally or remotely. In Windows the redirector is called Client for Microsoft Networks. It uses SMB/CIFS for communication.
[1.2] Network connection
  • Components that make up a connection: network clients, services and protocols
  • Connections by themselves don't provide communication, it occurs through components bound to the connection
  • Client for Microsoft Networks is by default bound to all local area connections, it allows client computers to perform CIFS related tasks
  • TCP/IP protocol is bound to all connections by default
  • File and printer sharing for Microsoft Windows is installed and bound to all connections by default
  • Advanced connection settings allow administrator to change the priority of each connection
  • Provider order tab in advanced settings dialog box allows administrator to change the network providers order. This setting is for all connections. By default, Microsoft Terminal Services is given priority over the Microsoft Network because Terminal Services are meant to be used in place of all other connections.
  • In the provider tab one also finds print provider order, by default LanMan Print Services is given priority over HTTP Print Services
[1.3] Default TCP/IP Settings, APIPA
  • APIPA stands for automatic private IP addressing
  • By default the IP address and DNS servers are to be obtained automatically from the DHCP server
  • If the computer cannot get address automatically it uses APIPA to assign itself one
  • APIPA assigns the PC an address from the range 169.241.0.1 to 169.254.255.254, in use since Windows 98
  • Administrators can combine APIPA with alternate configuration, when IP can be obtained from DHCP, APIPA turns itself off - no one can override DHCP obtained address with APIPA
  • To disable APIPA administrator can either configure alternative IP address or edit registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface registry entry IPAutoconfigurationEnabled set to 0 and reboot
  • An all zero address might indicate that the IP has been released and never renewed
  • When a computer fails to obtain APIPA address in the absence of DHCP server and static address, the administrator should look for a hardware problem
[1.4] Management and monitoring tools
  • Connection Manager - allows creation of customized remote access connections
  • Connection Point Services - Phone Book Service that needs IIS
  • Network Monitor - packet analyzer
  • SNMP - Simple network management protocol, agents that monitor activity in network devices and report to network management console. For use with both Windows and UNIX, works with almost any network device.
  • WMI SNMP Provider - lets client applications access static and dynamic SNMP information through WMI
[1.5] TCP/IP model
  • The TCP/IP model is the newer networking model, OSI Open System Interconnection model is an older model
  • Network interface - is the layer in the communications process that describes standards for physical media, for example ethernet. In OSI model it is both Physical layer and Data link layer.
  • Internet - is the layer in the communications process during which information is packaged, addressed and routed to other network destinations. ARP is used for address resolution, IP for addressing and routing data and ICMP for reporting errors and exchanging limited control/status information. In OSI model this layer is called the Network layer.
  • Transport - is the layer in the communications process during which the standards of data transport are determined. TCP protocol with its guarantees of delivery and connectionless unguaranteed but fast UDP protocol. This layer has the same name in the OSI model.
  • Application - is the layer in the communications process during which end user data is changed, packaged and sent to and from the transport layer, for example telnet. In OSI we have three layers, Session, Presentation and Application.
[1.6] OSI model
  • OSI stands for Open System Interconnection model, it is an older networking model
  • 7 Application layer
  • 6 Presentation layer
  • 5 Session layer
  • 4 Transport layer
  • 3 Network layer
  • 2 Data link layer
  • 1 Physical layer
  • Layers 7, 6, and 5 correspond to Application layer in TCP/IP model
  • Layer 4 corresponds to Transport layer in TCP/IP model
  • Layer 3 corresponds to Internet layer in TCP/IP model
  • Layers 2 and 1 correspond to Network Interface layer in TCP/IP model
  • Protocols that were not originally part of the TCP/IP specifications are referred not by position in TCP/IP model but by OSI model. For example NetBT is a session (or layer 5) protocol.
[1.7] Protocols, their port numbers and layers in TCP/IP model they are in
  • Protocol number - is used to define a stream of data associated with a specific service
  • The transport is provided by TCP and UDP protocols
  • Internet layer protocols are ARP, IP and ICMP
  • HTTP - hypertext transfer protocol TCP port 80 (application layer)
  • SSL - Secure Sockets Layer, TCP port 443
  • SMTP - TCP port 25. Files stored in LocalDrive:\Inetpub\Mailroot
  • SNMP - simple network management protocol used to provide information about TCP/IP hosts, UDP port 161.
  • FTP - only basic authentication allowed, TCP port 20 (data) TCP port 21 (control). Files stored in LocalDrive:\Inetpub\Ftproot (application layer)
  • POP - TCP port 110
  • DNS - UDP port 53 (query) TCP port 53 (zone transfer)
  • NNTP - TCP port 119. Files stored in LocalDrive:\Inetpub\Nntpfile\Root
  • PPTP - Point to point tunneling protocol TCP port 1723; protocol number 47
  • L2TP/IPSec - UDP ports 500, 1701 and 4500; protocol number 50
  • ARP, ICMP and IP (internet layer)
[1.8] IP addressing
  • Internet Assigned Numbers Authority (IANA) divides up non reserved portions of IP address space
  • IANA gives address blocks to local authorities such as ARIN which in turn give it to large ISP
  • Private addresses are in ranges 10.0.0.0 - 10.255.255.254, 172.16.0.0 - 172.31.255.254, 192.168.0.0 - 192.168.255.254
  • IP addresses are just a representation of a 32 bit number broken into 8 bit parts for ease of visualization by the administrator
  • IP address is made up of two parts, network address and host address. Network prefix is the number of bits in network id.
  • IP class assignments
    • Class A 1-126.x.x.x, hosts supported 16777214, with mask 255.0.0.0
    • Class B 128-191.x.x.x, hosts supported 65534, with mask 255.255.0.0
    • Class C 192-223.x.x.x, hosts supported 254, with mask 255.255.255.0
    • Class D 224-239.x.x.x, reserved for multicast addressing
    • Class E 240-254.x.x.x, reserved for experimental use
  • Subnet mask is used to determine whether the packet is destined for the current network or not. It does that by masking the network part of the IP address. The PC proceeds by finding its own network address using its IP and subnet mask in a bitwise AND operation. Then the PC does a bitwise AND operation on the destination IP and its subnet mask to determine the foreign network address. If the addresses match then the packet is to travel on the local network; if they don't then the packet is destined for a foreign address.
  • CIDR - this is a shorthand notation for a subnet mask, classless interdomain routing notation. It counts the number of 1's in the subnet mask's binary representation and is displayed after the IP address, for example 192.168.2.12/24 means that the subnet mask is 255.255.255.0 since we have 24 1's in the subnet mask. It is not compatible with RIP v.1. It is the name administrators commonly refer to when talking about supernetting since CIDR is used to shorten routing tables.
  • Default gateway is the IP address of a routing device that accepts packets destined to other networks. Other networks are subnets that are not within the broadcast range of the PC that contacts default gateway (itself it is within broadcast range).
  • Signs that an IP address is invalid:
    • Host without a subnet mask
    • No unique network ID (per WAN) or no unique host name per LAN
    • Neither network ID nor host ID can be all 1 (since that is the broadcast address)
[1.9] Subnetting and supernetting IP networks
  • Subnetting - occurs when one needs to divide default A,B or C class address space into smaller spaces. The logical division is accomplished by extending the string of 1's in the subnet mask.
  • Subnetting is used for: accommodating security needs, physical topology, limitation of broadcasting
  • Number of hosts on a subnet = 2^(32 - number of 1's in the subnet mask) - 2. We subtract 2 since one address is needed for the network ID and one for the network broadcast
  • Host ID with all 0's is the network ID and host ID with all 1's is broadcast address
  • Supernetting - occurs when one wants to combine default A, B or C class address spaces into one large space. This method allows for more efficient allocation of network address space.
  • Supernetting's major difference from subnetting is the removal of 1's from the network mask. Thus one might have /23 /22 /21 /20 supernet masks.
  • Conversion from binary to decimal and back is based on the base each system uses, 2 for binary, 10 for decimal and so on. The position of a digit in a number, counting from zero on the right, determines the power to which the base is raised; the base raised to that power is multiplied by the digit's value. Sum the results for all digits to get the number in decimal. For example the number 123 in base 8 is 1*8^2+2*8^1+3*8^0 = 83 in decimal. To minimize errors it is best to use a calculator.
  • Variable length subnet masks (VLSMs) - allow for subnets to be subnetted themselves making the use in large organizations of network address space more efficient. They allow administrators to create subnets of varying sizes.
  • Classless Inter-Domain Routing (CIDR - defined in RFC 1519) using variable length subnet masks (VLSM) was created to allow for greater flexibility with routed IP networks, to allow for the accelerating expansion of the Internet.
  • VLSMs use Subnet IDs to create subnets of different sizes, they are not compatible with old routing protocols like RIP 1
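The bitwise-AND local/foreign test from [1.8] and the host-count and base-conversion rules from [1.9], written out as an added example that is not part of the original guide. It uses only the 32-bit arithmetic the guide describes; the addresses in the `__main__` block are constructed sample values.

```python
# Added example: subnet-mask arithmetic from sections [1.8] and [1.9].
# Every function works on the 32-bit integer behind the dotted notation.

def ip_to_int(ip: str) -> int:
    """Treat the dotted-decimal IP as the 32-bit number it really is."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    """Back to dotted decimal, one 8-bit group at a time."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> str:
    """CIDR /prefix -> dotted mask: 'prefix' leading 1 bits, the rest 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask: str) -> int:
    """Count the 1 bits; reject masks whose 1 bits are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix

def network_id(ip: str, mask: str) -> str:
    """Bitwise AND of address and mask keeps only the network part."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))

def broadcast_address(ip: str, mask: str) -> str:
    """Network ID with every host bit set to 1."""
    return int_to_ip(ip_to_int(ip) | (~ip_to_int(mask) & 0xFFFFFFFF))

def is_local(src_ip: str, mask: str, dst_ip: str) -> bool:
    """The sender's decision: same network ID -> deliver on the local
    segment, otherwise hand the packet to the default gateway."""
    return network_id(src_ip, mask) == network_id(dst_ip, mask)

def usable_hosts(prefix: int) -> int:
    """2^(32 - prefix) - 2: network ID and broadcast are not assignable."""
    if prefix >= 31:
        return 0
    return 2 ** (32 - prefix) - 2

def to_decimal(digits: str, base: int) -> int:
    """Positional conversion from [1.9]: sum of digit * base^position,
    counting positions from zero at the rightmost digit."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        total += int(ch, base) * base ** position
    return total

if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    print(network_id("192.168.2.12", "255.255.255.0"))          # 192.168.2.0
    print(is_local("192.168.2.12", "255.255.255.0", "192.168.3.7"))  # False
    print(usable_hosts(mask_to_prefix("255.255.254.0")))        # /23 supernet: 510
    print(to_decimal("123", 8))                                  # 83
```

`mask_to_prefix` deliberately rejects masks such as 255.0.255.0: the guide's CIDR shorthand only has meaning when the 1 bits are contiguous, and a mistyped mask is a common cause of the "can ping the gateway but nothing beyond it" symptom described in Part 2.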
[1.10] Other points
  • Administrator can install on a computer file and print services for Macintosh but only print services for Unix
  • TCP/IP is installed by default by Windows setup
  • The following are installed as part of simple TCP/IP services: Character Generator, Daytime, Discard, Echo, Quote of the day
  • The MAC address cache on a computer can be cleared manually (it refreshes itself every 2 minutes) by issuing arp -d command
  • Most computers on the network use DHCP for addressing as it produces less human error than static addressing. Static addressing is used by servers.

Part 2: Troubleshooting and monitoring TCP/IP

[2.1] Analyzing traffic using network monitor
  • Frame is an encapsulation of network interface layer (layer 2) data. Each frame contains source and destination computer addresses, header of the protocol used to send data and data itself.
  • Packet is an encapsulation of internet layer (layer 3) data
  • There are two versions of Network Monitor, the basic version ships with Windows Server 2003. Network administrator needs to purchase the advanced version from Microsoft. Advanced version can capture data from all devices on a network provided the administrator used hubs not more common switches.
  • Network Monitor is made up of two components, administrative tool called Network Monitor and an agent called Network Monitor Driver
  • Network Monitor Driver can be installed by itself on windows XP/2000/2003 PCs in the same manner as one installs a new protocol
  • The monitor can be used to find a NIC's MAC address, a computer's GUID and much other useful information
  • Parsing is the process of reading, analyzing and describing the contents of frames. Administrator can add new parsers to network monitor by adding parser dll files into %systemroot%\system32\Netmon\Parsers folder and modifying parser.ini file in %systemroot%\system32\Netmon folder. By default network monitor supports over 90 protocols.
[2.2] Problems with TCP/IP connections
  • Network diagnostics is a graphical tool that administrator can access from help and support tools menu. Users can save output to a file for examination by network administrator.
  • Netdiag is a command line tool that is used to run different network tests. Administrator needs to install the tool first from the Windows CD, the support tools file is called suptools.msi.
  • Tracert - shows the path a packet takes to reach given destination, this is done by setting different TTL values in the IP header of ICMP echo requests. Up to 30 hops, tells administrator when connectivity stops.
  • Pathping - as tracert but shows the path that a packet takes to reach a given destination, however it also shows detailed analysis of traffic. Used to troubleshoot erratic network behaviour such as packets being delayed, where tracert is used for network connectivity.
  • Arp - used to show the ARP cache on the PC. Sometimes local network computers can have wrong MAC addresses of each other cached and thus cannot communicate; use arp to check whether addresses are correct. To clear the ARP cache use the arp -d command. Arp -a is used to check hardware address mappings; if they check out, look for a hardware problem
  • If the administrator is able to ping loopback address, PC own address and the local gateway but no other PCs the problem is most likely with arp cache being corrupted.
  • Troubleshooting steps: loopback, local PC, default gateway, remote host by IP, remote host by name.

Part 3: Implementing, configuring and troubleshooting DNS servers

[3.1] Differences between DNS and NetBIOS
  • NetBIOS (Network Basic Input Output System) is not a naming system, it is an API that provides naming and name resolution services
  • DNS is the preferred name resolution system in Windows, but it needs configuration unlike NetBIOS
  • NetBIOS is used for browsing Microsoft Windows Network through My Network Places and connecting to shares using UNC paths (File and Print for Microsoft Networks)
  • NetBIOS name space is flat, while DNS is hierarchical
  • NetBIOS name - used to identify a NetBIOS service that is listening on the first IP that is bound to the adapter
  • Maximum computer name length in NetBIOS is 15 bytes (characters) while in DNS host name can be up to 63 bytes and FQDN up to 255. When the computer name is longer than 15 characters then the NetBIOS name is the computer name's first 15 characters.
  • To view NetBIOS PC name go to system properties, network identification, properties and more button
  • Host name - the first label of a FQDN, it is just about any network interface with an IP bound to it
  • Primary DNS suffix - also known as primary domain name or the domain name, specified on the computer name tab
  • FQDN - DNS name that uniquely identifies the computer on the network. It is concatenation of the host name, primary DNS suffix and a period. The full computer name is a type of FQDN, the same computer can be identified by more than one FQDN but only the FQDN that concatenates the host name and primary DNS suffix represents the full computer name.
  • NetBIOS resolves names through WINS server, Local NetBIOS cache, NetBIOS broadcast, LMHOSTS file
  • DNS resolves names through DNS server or Hosts file (which is part of client cache). Entries added to the hosts file are immediately loaded into resolver cache.
  • Both LMhosts and hosts files are located in %systemroot%\system32\drivers\etc folder
  • Nbtstat is used to interact with NetBIOS from the command line: the -c switch lists local cache contents, -R purges the cache; to view the cache use nbtstat -n
  • DNS is required for Windows 2000/2003 domains (AD) and internet
  • NetBIOS is needed by older Windows operating systems, workgroups in Windows 95/98/Me/NT
  • NetBIOS is enabled by default for all local area connections, administrator can disable NetBIOS to increase security from TCP/IP properties screen, but users will no longer be able to use computer browser service
  • Windows Server 2003 client computer always tries to resolve names using DNS before NetBIOS
[3.2] DNS as part of Windows Network
  • DNS is a hierarchical system based on a tree structure called DNS namespace
  • Each DNS namespace has to have a root that can have unlimited number of subdomains. The root is an empty string
  • Every node in the DNS namespace has a specific address by which it can be identified, called a FQDN
  • The dot is the standard separator between domain labels. The dot also separates the root from the subdomains, but is usually omitted by the end user and automatically added by the DNS client service during a query.
  • On the internet the DNS root and top-level domains are under control of Internet Corporation for Assigned Names and Numbers (ICANN)
  • There are three types of internet top-level domains, organizational, geographical and reverse (in-addr.arpa)
  • A DNS server can be authoritative for one or more zones which contain one or more domains. A server is said to be authoritative for a zone if it hosts the zone as primary or secondary server.
  • When client or DNS service are stopped, their caches are cleared
  • DNS client is installed by default, server component is not
  • A forwarder is a DNS server that is used to resolve queries external to the server using it
  • A conditional forwarder is a DNS server that examines the domain name of the query and forwards it (the query) to specific server based on name asked in the query. All forwarder options are set from the forwarders tab on the DNS server properties dialog box.
[3.3] DNS components
  • DNS zone is a portion of a DNS namespace for which a DNS server is authoritative. A server can be authoritative for one or more zones and each zone can contain one or more domains. Zone files store resource records; they are usually text files, but on Windows 2000/2003 administrators have the option of Active Directory integrated zones.
  • DNS resolver is a service that uses the DNS protocol to query for information from DNS servers. On Windows 2003 this is done by the DNS Client service
  • The third component is the DNS server itself. The above breakdown holds for any DNS implementation.
[3.4] DNS server query process
  • Each query message contains the following information:
    • DNS domain name as FQDN
    • Query type, resource record by type or specialized type of query operation
    • Specified class for the DNS domain name
  • When user wants to resolve an address the first place DNS client service looks in is user's computer local cache and hosts file
  • If local resources don't resolve the name, DNS client uses server search list to query preferred DNS server, if it is unavailable alternate DNS servers are used according to their positioning on the server preference list
  • The DNS server, after receiving a query, first checks to see whether it is authoritative for the domain in question; if it is not, it checks its local cache for already performed queries. If that doesn't resolve it either, a recursive query is performed.
  • For recursive queries DNS server needs to be configured with Root Hints, which by default are stored in file cache.dns in %systemroot%\system32\dns folder
  • Server asks the appropriate root server for an address of more knowledgeable server, then it asks that server etc. till it gets the answer. It is like walking the namespace tree.
  • The most common responses to the client are: an authoritative answer, a positive answer, a referral answer and a negative answer.
  • If recursion is disabled on the server it will send a referral answer back to the client. The client will need to perform iteration (repeated query to different DNS servers - DNS tree walk) to get the answer it seeks.
  • After a query the client frequently gets an authoritative positive answer the first time around, while subsequent answers are non-authoritative. This is due to DNS server caching of the original query.
  • Reverse query - is performed by taking an IP address in the form a.b.c.d and presenting a query to the DNS server in the form d.c.b.a.in-addr.arpa. ARPA stands for Advanced Research Projects Agency. Due to lack of vision the first DNS implementation didn't support reverse queries; PTR records are just pointers to A records.
[3.5] DNS client query process timeout
  • DNS client sends a query to preferred DNS server and waits for 1 second for response
  • If no response is received the client sends a query to the first server on all adapters and waits for 2 seconds
  • If there is still no response, client sends a query to all DNS servers on all adapters and waits for 2 seconds
  • If no response continues client sends query to all servers again and waits for 4 seconds, then again and waits for 8 seconds
  • If after performing all of above steps client didn't get any response, it returns time out to the calling process
[3.6] Configuring DNS server
  • Network administrator can create two types of zones, forward or reverse lookup. In forward lookup zone the FQDN is mapped to an IP address, this is a conventional zone. In reverse lookup zone the IP address is mapped to FQDN
  • There are three types of DNS server roles with respect to a zone (i.e. we look at the zone and if our server is primary for that zone we say we have DNS server in primary role, however the same server can be secondary for a different zone (call it B) as well, in which case it is said to be in secondary role for zone B):
    • Primary - provides original data, can be updated
    • Secondary - provides a copy of original data, cannot be updated
    • Stub - copy of a zone containing only those resource records necessary to identify the authoritative DNS server for the master zone, enables the parent zone to keep an updated list of name servers in the child zone
    • Caching only - no zones at all stored on the server
  • When administrator wants to decrease the amount of name resolution traffic while avoiding zone transfer traffic install caching only server
  • When DNS server is installed it is automatically configured to act as a caching only server
  • When a zone is created it automatically has in it SOA and NS records
  • To view the contents of the DNS server cache administrator needs to select 'Advanced' from view menu
  • In the resource record file lines that are blank or start with ; (semi-colon) are ignored by the DNS server
  • Master server is the server from which secondary server got zone information (can be a primary server or another secondary server)
  • When DNS server zone data is stored in AD (AD integrated) all DNS servers become peers
  • In non-Microsoft implementations of DNS server the secondary zone is also known as the slave zone, while the primary zone is also known as the master zone
[3.7] Resource records
  • Resource records have the following syntax: Owner TTL Class Type RDATA
  • Owner - the name of the host or the DNS domain to which this resource record belongs
  • Time to live (TTL) - A 32 bit integer representation of the time the record should be cached
  • Class - protocol family in use, optional field, IN (internet class) for Windows based DNS service
  • Type - for example A or TXT
  • RDATA - this is where actual resource record data is stored
[3.8] Basic resource record types
  • Host (A) - most common record type, used to associate computers to IP addresses. Administrator can add them manually, they can be added by DHCP Client service, updated by proxy for older Windows OS and DHCP on Windows Server 2003.
  • Alias (CNAME) - also known as canonical names. These records allow computers to use an alternative name to point to a host. They are quite often abused. They are recommended for use when a generic service such as ftp needs to resolve to a group of computers or when renaming a host.
  • MX - these are mail exchange records and they point to a mail servers for a given domain, more than one are used for fault tolerance (if the company can afford extra hardware and software needed)
  • PTR - pointer records are used to perform reverse lookup. Reverse lookups are performed in the zones with root in-addr.arpa. Same methods of creation as an A record - they are opposite of each other.
  • SRV - service locator records are used to specify the location of services in a domain. Windows Server 2003 AD uses SRV records; all the records needed by AD can be found in Netlogon.dns in the %systemroot%\System32\Config folder. If the records need fixing use netdiag /fix.
  • NS - name server record is used to indicate which DNS server(s) are designated as authoritative for the zone. Any server specified in the NS record is considered an authoritative source by other servers for given zone. It is able to answer with certainty any queries made for names included in the zone.
  • SOA - start of authority indicates the name of origin for the zone and contains the name of the server that is the primary source for information about the zone. It also indicates other basic properties of the zone like the primary DNS server, responsible person, serial number, refresh interval, retry interval, expire interval and TTL. SOA record is always the first record in any standard zone.
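To make the "Owner TTL Class Type RDATA" syntax of [3.7] concrete, here is an added example (not code from the guide) that parses a small zone file using the rules stated above: blank lines and lines starting with ; are ignored, TTL and Class are optional, and a standard zone starts with its SOA record. It also builds the d.c.b.a.in-addr.arpa owner name a PTR record needs ([3.4], [3.8]). The zone `example.test` and its addresses are constructed sample data.

```python
# Added example: a minimal resource-record parser for the syntax in [3.7].
from dataclasses import dataclass
from typing import List, Optional

# Record types named in section [3.8]; anything else is rejected.
RECORD_TYPES = {"A", "CNAME", "MX", "PTR", "SRV", "NS", "SOA", "TXT"}

@dataclass
class ResourceRecord:
    owner: str
    ttl: Optional[int]   # None when the record inherits the zone default
    rclass: str
    rtype: str
    rdata: str

def strip_comment(line: str) -> str:
    """Drop everything from ';' onwards (zone-file comment) plus whitespace."""
    return line.split(";", 1)[0].strip()

def parse_record(line: str) -> ResourceRecord:
    """Parse one record line: Owner [TTL] [Class] Type RDATA."""
    tokens = strip_comment(line).split()
    if len(tokens) < 3:
        raise ValueError(f"not a resource record: {line!r}")
    owner, i = tokens[0], 1
    ttl: Optional[int] = None
    if tokens[i].isdigit():            # optional 32-bit TTL
        ttl = int(tokens[i])
        i += 1
    rclass = "IN"                       # the guide: IN for Windows DNS
    if i < len(tokens) and tokens[i].upper() == "IN":
        i += 1
    if i >= len(tokens):
        raise ValueError(f"missing record type: {line!r}")
    rtype = tokens[i].upper()
    if rtype not in RECORD_TYPES:
        raise ValueError(f"unknown record type {rtype!r}: {line!r}")
    rdata = " ".join(tokens[i + 1:])
    if not rdata:
        raise ValueError(f"missing RDATA: {line!r}")
    return ResourceRecord(owner, ttl, rclass, rtype, rdata)

def parse_zone(text: str) -> List[ResourceRecord]:
    """Parse a whole zone file, skipping blank and comment-only lines."""
    return [parse_record(line) for line in text.splitlines()
            if strip_comment(line)]

def validate_zone(records: List[ResourceRecord]) -> List[str]:
    """Structural checks from [3.6]/[3.8]: SOA first, at least one NS."""
    problems = []
    if not records or records[0].rtype != "SOA":
        problems.append("first record is not SOA")
    if not any(r.rtype == "NS" for r in records):
        problems.append("zone has no NS record")
    return problems

def ptr_owner_name(ip: str) -> str:
    """a.b.c.d -> d.c.b.a.in-addr.arpa., the owner name of its PTR record."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

# Constructed sample zone (not from the guide); '@' stands for the zone origin.
SAMPLE_ZONE = """\
; example.test forward lookup zone
@        3600 IN SOA dns1.example.test. hostmaster.example.test. 2004061701 900 600 86400 3600
@             IN NS  dns1.example.test.
dns1     3600 IN A   192.168.2.10
ftp           IN CNAME dns1
@             IN MX  10 mail.example.test.   ; lowest preference is tried first
"""

if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for rec in zone:
        print(rec)
    print("problems:", validate_zone(zone) or "none")
    print(ptr_owner_name("192.168.2.10"))
```

`validate_zone` is the kind of check worth running on a hand-edited zone file before loading it: a zone whose first record is not the SOA, or that lists no NS record, will not be served correctly, and on the exam both symptoms appear as "the server is not authoritative for the zone".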
[3.9] Configuring client computers for use of DNS
  • In order to configure DNS on a client system an administrator needs to do three things:
    • Administrator needs to set host name for each computer that is going to use DNS, it can have up to 63 bytes (for NetBIOS compatibility up to 15 bytes (characters)) and can only contain letters numbers and '-', it is not case sensitive
    • Administrator also needs to set primary DNS suffix for each computer, the suffix together with the host name forms a FQDN, it is selected from the system properties -> computer name -> change button -> More, by default it is the same as the AD name in which the PC resides
    • Finally, the administrator needs to write a list of DNS servers that the client is to use, in order, starting with the preferred DNS server
  • Administrator may configure a connection-specific DNS suffix for each adapter on the DNS client PC; this is done from the Advanced TCP/IP settings dialog box. It gives a different FQDN to the same computer so it can communicate on a different subnet in addition to its full DNS computer name. For each FQDN and for the computer name, A and PTR records are created in the appropriate zones and DNS servers.
  • If network administrator configures DNS suffix search list then the computer will be able to resolve single-label unqualified names and multiple label unqualified names. By default, the search is performed using primary domain suffix and, if applicable, connection specific suffixes.
  • The ipconfig /displaydns command shows DNS cache on client, ipconfig /flushdns clears DNS cache
  • When a query is submitted with an unqualified name the client service by default adds to it the primary DNS suffix and checks the query. If that doesn't work the client adds connection specific DNS suffixes and retries. If there is still no positive response, client adds the parent suffix of the primary DNS suffix to the name and does the final check.
  • If the administrator is only able to ping the user computer by IP (from another PC), he can try to use ipconfig /registerdns on Windows XP/2000/2003
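The suffix search order described above, as an added example that is not part of the original guide: a small model of the candidate names a Windows DNS client tries for an unqualified name, with the default order (primary suffix, connection-specific suffixes, devolved parents of the primary suffix) and the case where an explicit search list replaces it. The devolution stop at the second-level domain, the "try a dotted name as-is first" rule and the sample zone data are assumptions of the model.

```python
"""Candidate FQDNs a DNS client tries for an unqualified name (added example)."""
from typing import Dict, List, Optional, Sequence, Tuple


def devolved_suffixes(primary_suffix: str, stop_at_labels: int = 2) -> List[str]:
    """Parent suffixes of the primary suffix down to the second-level domain
    (assumed stop point): sales.corp.example.com -> [corp.example.com, example.com]."""
    labels = primary_suffix.strip(".").split(".")
    parents = []
    while len(labels) > stop_at_labels:
        labels = labels[1:]
        parents.append(".".join(labels))
    return parents


def candidate_fqdns(name: str, primary_suffix: str,
                    connection_suffixes: Sequence[str] = (),
                    search_list: Optional[Sequence[str]] = None) -> List[str]:
    """Return the fully qualified names the client would query, in order."""
    name = name.strip()
    if name.endswith("."):
        return [name.rstrip(".")]            # already fully qualified: nothing appended
    if search_list:
        suffixes = list(search_list)         # an explicit search list replaces the default order
    else:
        suffixes = [primary_suffix, *connection_suffixes, *devolved_suffixes(primary_suffix)]
    # assumption: a name that already contains a dot is tried as-is before suffixes are appended
    candidates = [name] if "." in name else []
    for suffix in suffixes:
        suffix = suffix.strip(".")
        if suffix:
            candidates.append(f"{name}.{suffix}")
    # drop duplicates while keeping order (a connection suffix may equal the primary suffix)
    seen, ordered = set(), []
    for candidate in candidates:
        key = candidate.lower()
        if key not in seen:
            seen.add(key)
            ordered.append(candidate)
    return ordered


def resolve(name: str, zone: Dict[str, str], **kwargs) -> Optional[Tuple[str, str]]:
    """Walk the candidates against a constructed table of A records (name -> address)
    and return (fqdn, address) for the first one that exists."""
    for fqdn in candidate_fqdns(name, **kwargs):
        address = zone.get(fqdn.lower())
        if address:
            return fqdn, address
    return None


# Constructed sample A records, not real hosts.
SAMPLE_ZONE = {"fileserver.corp.example.com": "10.1.0.7",
               "printer.sales.corp.example.com": "10.1.5.9"}
```

Calling resolve("fileserver", SAMPLE_ZONE, primary_suffix="sales.corp.example.com") fails the first candidate and succeeds on the devolved name fileserver.corp.example.com; with search_list=["example.net"] the same lookup fails, because a configured search list switches devolution off.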
[3.10] Updating of client records in the DNS
  • Windows 2000/2003 DNS servers and BIND 8.1.2 or later accept dynamic updates of A and PTR records performed by clients, or on behalf of clients by a DHCP server.
  • By default, clients with a static IP address attempt to update both their A and PTR records for all their IP addresses. Registration is based on the computer's domain membership settings (primary DNS suffix).
  • Windows 2000/XP/2003 computers with a dynamic address (assigned by DHCP) attempt to update only their A records (the PTR record is left for the DHCP server to update if configured). The client re-registers every 24 hours, or immediately when one of the following occurs:
    • Computer name changes
    • Member computer is promoted to the role of DC
    • One of the following commands is run: ipconfig /release, ipconfig /renew, ipconfig /registerdns
    • The local IP address changes, including a new IP address lease from the DHCP server
  • Computers running an operating system earlier than Windows 2000 (i.e. 95/98/Me) that use a dynamic address have the DHCP server do all the work (both A and PTR records), because the client is unaware of dynamic update. Only Windows 2000 and later clients can force registration themselves with ipconfig /registerdns.
[3.11] DNS server properties
  • Interfaces - on which of the server computer's IP addresses the DNS service listens for requests; by default all IP addresses
  • Forwarders - allows setting up upstream DNS servers to which the current DNS server forwards queries it cannot answer. Forwarding queries for selected domains to specific servers is called conditional forwarding. This tab also allows the administrator to disable recursion on a per-domain basis for queries sent to a forwarder (by default, if the forwarder fails to resolve the query, the local server tries to resolve it itself using recursion). When DNS server A has forwarder B configured and server A has recursion disabled for that domain, server A is called a slave server since it is totally dependent on server B (the forwarder) for queries it cannot resolve locally. The default timeout for a forwarded query is 5 seconds.
  • Advanced tab - allows enabling and disabling of special features. If the administrator disables recursion here it is disabled for all queries, and forwarders are disabled as well.
  • Root hints - this tab contains a copy of the information found in the %systemroot%\system32\dns\cache.dns file. The list of root servers rarely changes; network administrators can get the latest copy from ftp://rs.internic.net/domain/named.cache. If the DNS server is itself a root server (hosts the '.' zone) this file should be deleted, and the tab is disabled.
  • Debug logging - allows the network administrator to troubleshoot the DNS server by logging selected incoming and outgoing packets. Debug logging is a processor- and resource-intensive operation and should be enabled only while troubleshooting.
  • Event logging - allows network administrator to restrict the events written to the DNS event log
  • Monitoring - two basic functionality tests are performed here. The first is a simple query targeted at the server itself (a reverse lookup of the loopback address); the second is a recursive query that requires contacting other DNS servers, starting with the root servers. Administrators can also schedule these tests to run automatically at a set interval.
  • Security - this tab is available only if the DNS server is also a domain controller; it sets the permissions of the users and groups allowed to view, edit and manage the DNS server and its zone data.
[3.12] Configuring Zone properties
  • General tab - used to configure the zone type, zone file name, dynamic updates and aging. Administrators can pause name resolution for a zone. AD-integrated zones have replication settings enabled; the administrator can select to which servers the zone data is replicated. There are three dynamic update settings: none, non-secure and secure, and secure only (the last is available only for AD-integrated zones). Aging is the process of placing a time stamp on a dynamically registered resource record and then tracking the record's age; scavenging is the process of deleting outdated records. When aging and scavenging are enabled the zone files are no longer compatible with DNS servers older than Windows 2000.
  • Start of authority (SOA) tab - the administrator can set the serial number, which acts as a revision number; secondary servers compare it with the serial of their own copy to decide whether a zone transfer is needed. The Primary server box contains the full name of the server and must end with a period. Responsible person is the mailbox of the responsible person written in domain form (hostmaster.example.com. rather than hostmaster@example.com), and should also end with a period. Refresh interval is how long a secondary server waits before checking the master server for an updated copy of the zone; by default 15 minutes. Retry interval is how long the secondary server waits before retrying after a failed transfer attempt; default 10 minutes. Expires after is how long a secondary server that cannot contact its master continues to answer queries for the zone; default 1 day, after which the data is considered unreliable and is no longer served. Minimum (default) TTL is the time to live applied to resource records in the zone that have no TTL of their own; default 1 hour. TTL for this record is the TTL of the SOA record itself and overrides the general setting above it.
  • Name Servers tab - this tab is where the administrator creates and edits the zone's NS resource records (they are normally managed here rather than added as ordinary records). Every zone must contain at least one NS record. In Windows Server 2003, zone transfers for primary zones are allowed by default only to the servers listed on the Name Servers tab.
  • Security tab - ACL that defines who can manage and modify zone file data.
  • WINS tab - used to configure WINS servers to aid in name resolution when a name is not found in DNS. When the administrator configures WINS lookup, a WINS resource record is added to the forward lookup zone; the equivalent setting on a reverse lookup zone adds a WINS-R record, so both forward and reverse zones can be covered.
  • Zone Transfers tab - allows the system administrator to restrict the servers to which zone data will be transferred. For primary zones, transfers are either disabled or limited to the servers listed on the Name Servers tab, or the administrator can list the allowed servers explicitly by IP address. Secondary zones by default don't allow zone transfers; they must be enabled first. The 'To any server' setting was the default on Windows 2000 but is a serious security hole: anyone who can reach the server can pull the whole zone and enumerate every host in it. The administrator can also have the master notify the secondary servers of zone changes (the Notify button); notification is enabled by default. There is no need for notification between AD-integrated zones since AD replication distributes the data. If a server to which DNS data is to be transferred has multiple IP addresses on the same subnet, all of them have to be included for transfers to be successful.
[3.13] Configuring Zone properties - AD integration
  • Application directory partitions are replicated among DCs. The partitions applicable to DNS are DomainDnsZones and ForestDnsZones; the full name of each is the partition name concatenated with the domain's FQDN, for example DomainDnsZones.microsoft.com. The domain partition is replicated to all DNS servers that are DCs in the domain; the forest partition is replicated to all DNS servers that are DCs in the forest. The administrator can create additional application directory partitions for DNS with dnscmd [server] /createdirectorypartition [full partition FQDN]; to enlist other DNS servers in the partition, use dnscmd [server] /enlistdirectorypartition [full partition FQDN]. There are no application directory partitions on Windows 2000 (they are new to Windows Server 2003). To work with application directory partitions the administrator needs to be a member of the Enterprise Admins security group.
  • There are four options for zone data replication when the administrator chooses AD-integrated zones. On the General tab of the zone properties a button is available to change the replication scope once the zone is AD-integrated. Zone data can be replicated:
    • To all DNS servers in the AD forest - broad scope of replication
    • To all DNS servers in the AD domain
    • To all DCs in the AD domain [domain here] - select this if Windows 2000 DNS servers are to load the zone (it is stored in the domain partition, which Windows 2000 understands)
    • To all DCs specified in the scope of the following application directory partition - replicates with the partition chosen; every DNS server that is to host the zone must be enlisted in that partition.
  • Secure dynamic updates can be performed only in AD-integrated zones; they authenticate the client with Kerberos. Only Windows 2000/XP/2003 computers are capable of secure updates.
  • DnsUpdateProxy group - used to solve a problem that occurs with secure dynamic updates. The computer that registered a record becomes its owner and is the only one that can update it. Thus, if a DHCP server registers the A record for a PC, the DHCP server (not the PC the record points to) becomes the owner. When the DHCP server is a member of DnsUpdateProxy it does not take ownership of the records it creates: they are created without security settings, so they remain updatable until the real owner registers and takes ownership.
  • Only primary zones can be AD-integrated. Secondary zones are always stored as text files; there is no such thing as an AD-integrated secondary zone, since AD integration makes all the DNS servers hosting the zone peers.
[3.14] Advanced DNS server properties
  • Disable recursion - unchecked by default, so the DNS server uses recursion to resolve client queries. When the option is enabled the DNS server does not resolve the query on the client's behalf but instead returns referrals. When recursion is disabled the DNS server will not be able to use forwarders either.
  • BIND Secondaries - when checked, the DNS server does not use the fast transfer format when performing a zone transfer to a secondary server based on BIND, for compatibility with older BIND versions. BIND 4.9.4 and later support fast zone transfers, so the option should be cleared when all secondaries run those versions. The fast transfer format is efficient: it allows compression and multiple records per TCP message, and it is always used among Windows-based DNS servers. This option is checked by default.
  • Fail on Load if Bad Zone Data - when this option is disabled (default setting) the DNS server loads a zone even if errors are found in the database file; any errors are logged. When the option is enabled a damaged zone database stops the load, and the zone is not served.
  • Enable netmask ordering - when selected (default setting), if a client's query matches multiple A records the ones on the client's subnet are returned first in the response list that contains all matching records. This option is also referred to as LocalNetPriority (the name dnscmd uses for it).
  • Enable round robin - this setting (enabled by default) ensures that for a query matching multiple A records the order of the returned list rotates on each response. This method is used as a poor man's network load balancing. Local subnet priority is applied before round robin. When round robin is disabled the records are returned in the order they appear in the zone file.
  • Secure cache against pollution - this setting (enabled by default) prevents the DNS server from accepting referral data that could pollute its cache. The server caches only those records whose names belong to the domain the original query was made for; records for other names that an answering server slips into a referral are discarded, which stops a malicious or misconfigured server from planting bogus records for unrelated domains.
  • Name checking - the default setting, Multibyte (UTF8), makes the DNS server verify that all domain names conform to UTF-8. Use Strict RFC (ANSI) if the server must interoperate with servers that cannot handle UTF-8; the other two options (Non RFC (ANSI) and All names) are for special circumstances only.
  • Load zone data on startup - specifies where the initial zone data is loaded from; by default from Active Directory and the registry. The other options are to load from the registry only, or from a file. The file option uses a BIND 4 format boot file (Named.boot style, not BIND 8) for servers migrated from BIND.
  • Enable automatic scavenging of stale records - this option is disabled by default; when enabled the DNS server scavenges stale records automatically at the configured interval.
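The interaction between netmask ordering and round robin described above, as an added example that is not part of the original guide: a small model of how a server holding several A records for one name orders them before answering, with both Advanced-tab options switchable. The /24 mask used to decide "same subnet", the rotation state kept per name and the sample records are assumptions of the model, not the Microsoft implementation.

```python
"""Answer ordering for a name with several A records: netmask ordering plus round robin."""
import ipaddress
from typing import Dict, List


class AnswerOrderer:
    """Orders the A records returned for a name.

    local_net_priority: addresses on the client's subnet are listed first (LocalNetPriority).
    round_robin:        the list is rotated by one position on every answer.
    The rotation is applied first and the subnet sort afterwards, so local subnet
    priority always wins over round robin, as the text states.
    """

    def __init__(self, local_net_priority: bool = True, round_robin: bool = True,
                 netmask: str = "255.255.255.0") -> None:   # /24 is an assumption
        self.local_net_priority = local_net_priority
        self.round_robin = round_robin
        self.netmask = netmask
        self._offset: Dict[str, int] = {}   # per-name rotation state kept across answers

    def order(self, name: str, records: List[str], client_ip: str) -> List[str]:
        """records: the A addresses in zone-file order; returns the order sent to the client."""
        answer = list(records)
        if self.round_robin and answer:
            offset = self._offset.get(name, 0) % len(answer)
            answer = answer[offset:] + answer[:offset]
            self._offset[name] = offset + 1
        if self.local_net_priority:
            client_net = ipaddress.ip_network(f"{client_ip}/{self.netmask}", strict=False)
            # stable sort: records on the client's subnet move to the front; the relative
            # order (including any rotation already applied) is otherwise preserved
            answer.sort(key=lambda addr: ipaddress.ip_address(addr) not in client_net)
        return answer


# Constructed sample zone data: one name with three A records, in zone-file order.
WEB_RECORDS = ["10.1.1.10", "10.1.2.10", "10.1.1.20"]


def demo(client_ip: str = "10.1.1.55", answers: int = 3) -> List[List[str]]:
    """Consecutive answers to one client with both options on (the default settings)."""
    orderer = AnswerOrderer()
    return [orderer.order("web.example.com", WEB_RECORDS, client_ip) for _ in range(answers)]
```

With the defaults, a client on 10.1.1.0/24 always sees the two 10.1.1.x addresses before 10.1.2.10, and only the order among those two rotates; with netmask ordering off the whole list rotates, and with both options off the zone-file order is returned every time.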
[3.15] Creating zone delegations
  • When an administrator delegates a zone he assigns authority over a portion of the DNS namespace (a subdomain) to a separate zone, usually hosted on other servers. Responsibility is passed from the parent domain to the subdomain.
  • Network administrator should consider delegation when:
    • There is a need for hosts whose names are structured around department affiliation
    • Central company administrative body wants departments to handle their own business
    • Network traffic is creating the need to distribute query load on multiple DNS databases
  • The parent zone needs to contain an NS record for the child zone and an A record for the child's name server; both records are created automatically when a new delegation is created. The glue A record is not shown in the console, but it is in the zone.
  • The NS record is known as the delegation record; it advertises the child's name server and performs the actual delegation. The A record is known as the glue record; it is needed when the name of the authoritative server lies inside the delegated zone (otherwise a resolver could never find that server's address).
  • Delegation takes precedence over forwarding, i.e. if a server knows of a delegated child zone that can answer the query it contacts the child's name servers rather than sending the query to a forwarder.
[3.16] Stub Zones
  • A stub zone is a shrunk copy of a zone, updated at regular intervals, that contains only the records identifying the master zone's authoritative name servers. As a result, the server that hosts the stub zone doesn't answer queries for the zone directly; instead it directs queries to the name servers listed in the stub zone's NS records.
  • A stub zone keeps all NS records from the master zone current. When configuring a stub zone the administrator needs to specify at least one master name server whose IP address doesn't change. Any further name servers added to the master zone are picked up automatically through zone transfer. The administrator cannot modify the stub zone data directly; it is updated automatically when the master zone changes.
  • When control over a child zone is delegated to other servers, the parent server will not learn of name servers later added to the child zone. Setting up a stub zone for the child on the parent server ensures that the parent learns of the new name servers in the child zone.
  • Stub zones can also be used to provide additional connectivity across domains without the redundancy (and full copy of the data) provided by secondary servers. The enhanced connectivity is achieved without an increase in replication traffic.
  • A stub zone contains the SOA, NS and glue A resource records for the authoritative DNS servers of the zone. The SOA record identifies the master server, the NS records list the name servers and the A records hold the IP addresses of those authoritative servers.
  • The stub zone name resolution process: a client queries a server hosting the stub zone, and the DNS server uses the stub zone's resource records to find the zone's authoritative servers and contacts them. If they cannot be reached, standard recursion is performed. The response from the stub zone's authoritative server is not placed in the stub zone but in the server's cache, subject to the record's TTL.
  • Stub zones offer the following advantages
    • They improve name resolution by letting the server find the zone's authoritative servers without first querying the root servers
    • They keep foreign zone information current: by updating the stub zone at regular intervals the server keeps an accurate list of the name servers in the child zone.
    • They simplify DNS administration by distributing zone information without the need for secondary zones.
[3.17] Understanding DNS troubleshooting tools
  • Nslookup is a command line tool used for querying DNS servers. In interactive mode the commands are case sensitive (use lowercase). Here is a short description of the more advanced options available:
    • The command set q=[recordtype|any] (or set type=...) selects which record type to query for
    • To query a different server use "server new_server_name"
    • The 'ls' command requests a zone transfer and lists the zone's data: ls -a returns aliases and canonical names, ls -d returns all records, ls -t filters by type. This is the same request an attacker would use to enumerate a zone; by default on Windows Server 2003 zone transfers are restricted to the servers on the Name Servers tab, so ls from any other host is refused.
  • The DNS debug log is found in the %systemroot%\system32\dns folder and is named Dns.log. The administrator should view this file while the DNS service is stopped. The default file format is RTF, so it must be opened with WordPad (not Notepad or another plain text editor). Debug logging is off by default; the administrator enables it and selects which packets to log on the Debug Logging tab of the DNS server properties.
  • The DNS event log records all events by default; the administrator can change that on the Event Logging tab of the DNS server properties. This is a standard Windows event log and all size and filtering options are the same as for any other log.
  • The Windows Support Tools include the DNSLint utility, which is useful when troubleshooting delegation issues
  • The dnscmd tool includes two useful troubleshooting switches, /clearcache (flushes the server's cache) and /info (displays the server's configuration)
[3.18] Stale records
  • Stale records (records that are no longer valid) can be left on the server. One common way this happens is when a client PC is not able to clean up after itself, e.g. it is improperly disconnected from the network and never deregisters its records.
  • The following features of the DNS server in Windows 2003 help system administrators get rid of stale records:
    • Records in a primary zone can carry a time stamp (taken from the DNS server's clock) when they are dynamically registered; manually added records have a time stamp value of zero, indicating that they don't age
    • Records are aged according to their time stamp and the zone's no-refresh and refresh intervals (not the record TTL). Scavenging runs on the primary zone; secondary zones receive the result through zone transfer.
  • If stale records persists on the system, they may cause following problems:
    • Improper name resolution, e.g. a FQDN cannot be used by another PC because the stale record still holds it
    • Poor server performance, too many records to search and very large zone files to transfer
[3.19] Using DNS monitoring tools
  • To monitor the resource impact of the DNS server on the computer use Performance Monitor, perfmon.exe. The DNS performance object includes 62 different counters.
  • For AD-integrated zones there is the option of using AD's own monitoring to trace the replication traffic. Replmon.exe from the Windows Support Tools is used to monitor and troubleshoot AD replication.
  • The replication monitor displays 5 or more directory partitions; the administrator needs to find out which one stores the DNS zone data. The command dnscmd /zoneinfo [zone name] shows the zone's information, including its partition. Once the directory partition is known the administrator can use Replication Monitor to force zone replication: right-click the partition and choose Synchronize with all servers. Any replication errors are displayed by the replication monitor.
  • For more advanced AD debugging use repadmin utility provided as part of Windows support tools.
[3.20] Improving DNS server performance
  • Installing a caching-only server close to the clients greatly decreases the load on the primary and secondary servers, since repeated queries are answered from its cache
[3.21] Other points
  • DNS cache is cleared each time DNS service is restarted. DNS cache can also be cleared using dnscmd /clearcache from command line
  • The DNS server's simple test consists of a single reverse lookup of the loopback address against itself; if it fails make sure a PTR record named '1' exists in the reverse lookup zone 0.0.127.in-addr.arpa. The second test checks recursive resolution.
  • A zone transfer is started when one of the following four events occurs:
    • The refresh interval of the zone's SOA record expires on the secondary server
    • The secondary server boots up (the DNS service is started)
    • A change occurs in the zone on the primary server and it notifies the secondary servers of the change
    • The DNS console is used at the secondary server to manually initiate a transfer from the zone's master server
  • By default the transfer is an incremental zone transfer (IXFR), which transfers only the changed records and is described in RFC 1995. Older DNS servers that don't support IXFR use a full zone transfer (AXFR), which is also supported by Windows Server 2003; the older standard transfers the whole zone database.
  • Stub and secondary zone update operations explained
    • Reload - reloads the zone from the local storage of the DNS server hosting it
    • Transfer from Master - the server hosting the zone compares the serial number in its SOA record with the master's and performs a zone transfer only if the master's copy is newer
    • Reload from Master - performs a full zone transfer from the zone's master server regardless of the serial number in the SOA record
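The SOA timers, serial comparison and IXFR/AXFR choice from the SOA tab and the zone transfer notes above, as an added example that is not part of the original guide: a toy secondary-zone model using the Windows Server 2003 defaults quoted in the text (refresh 15 min, retry 10 min, expire 1 day). The Master/Secondary classes, the change journal that lets the master answer IXFR, and the sample records are assumptions of the model, not Microsoft's implementation.

```python
"""Secondary zone refresh logic: SOA timers, RFC 1982 serial arithmetic, IXFR vs AXFR."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERIAL_SPACE = 2 ** 32


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial arithmetic: serials wrap at 2^32, so the candidate is newer
    when it lies less than 2^31 steps ahead of the current value, modulo 2^32."""
    if candidate == current:
        return False
    return 0 < (candidate - current) % SERIAL_SPACE < 2 ** 31


@dataclass
class SOA:
    serial: int
    refresh: int = 900        # Windows Server 2003 default: 15 minutes
    retry: int = 600          # 10 minutes
    expire: int = 86400       # 1 day
    minimum_ttl: int = 3600   # 1 hour


class Master:
    """Primary zone that bumps its serial on every change and keeps a journal for IXFR."""

    def __init__(self, soa: SOA, records: Dict[str, str]) -> None:
        self.soa = soa
        self.records = dict(records)
        self.journal: List[Tuple[int, Dict[str, Optional[str]]]] = []  # (serial after change, changes)

    def update(self, name: str, value: Optional[str]) -> None:
        """Add or replace a record (value None deletes it) and increment the serial."""
        self.soa = SOA(self.soa.serial + 1, self.soa.refresh, self.soa.retry,
                       self.soa.expire, self.soa.minimum_ttl)
        if value is None:
            self.records.pop(name, None)
        else:
            self.records[name] = value
        self.journal.append((self.soa.serial, {name: value}))

    def transfer(self, from_serial: Optional[int]) -> Tuple[str, Dict[str, Optional[str]]]:
        """IXFR (only the changes since from_serial) while the journal still covers that
        serial; otherwise a full AXFR of the current records."""
        oldest = self.journal[0][0] - 1 if self.journal else self.soa.serial
        if from_serial is None or not oldest <= from_serial < self.soa.serial:
            return "AXFR", dict(self.records)
        delta: Dict[str, Optional[str]] = {}
        for serial, change in self.journal:
            if serial > from_serial:
                delta.update(change)
        return "IXFR", delta


class Secondary:
    """Secondary zone; all four transfer triggers from the text end up in check()."""

    def __init__(self, master: Master, now: int) -> None:
        self.master = master
        self.soa: Optional[SOA] = None
        self.records: Dict[str, str] = {}
        self.last_contact = now
        self.next_check = now
        self.check(now)                       # trigger: DNS service start

    def can_answer(self, now: int) -> bool:
        """Serve the zone until 'expire' seconds pass without a successful master contact."""
        return self.soa is not None and now - self.last_contact <= self.soa.expire

    def tick(self, now: int) -> Optional[str]:
        """Trigger: refresh interval (or retry interval after a failure) has elapsed."""
        return self.check(now) if now >= self.next_check else None

    def notify(self, now: int) -> str:
        """Trigger: DNS NOTIFY from the master after a zone change."""
        return self.check(now)

    def check(self, now: int, reachable: bool = True, force: bool = False) -> str:
        """'Transfer from Master' (force=False): transfer only if the master's serial is newer.
        'Reload from Master' (force=True): full transfer regardless of serial."""
        if not reachable:
            self.next_check = now + (self.soa.retry if self.soa else SOA(0).retry)
            return "retry"
        if not (force or self.soa is None or serial_is_newer(self.master.soa.serial, self.soa.serial)):
            self.last_contact, self.next_check = now, now + self.soa.refresh
            return "current"
        kind, data = self.master.transfer(None if force or self.soa is None else self.soa.serial)
        if kind == "AXFR":
            self.records = {k: v for k, v in data.items() if v is not None}
        else:
            for name, value in data.items():
                if value is None:
                    self.records.pop(name, None)
                else:
                    self.records[name] = value
        self.soa = self.master.soa
        self.last_contact, self.next_check = now, now + self.soa.refresh
        return kind
```

The serial comparison is the part worth internalising: a secondary that compares serials as plain integers never transfers again once the master's counter wraps, whereas serial_is_newer treats 1 as newer than 4294967295. The journal shows why IXFR can degrade to AXFR: a secondary that has been out of contact longer than the journal reaches gets the whole zone.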

Part 4: Implementing, configuring and troubleshooting DHCP servers

[4.1] Configuring DHCP server
  • DHCP server allows system administrator to automatically assign IP addresses, subnet masks and other configuration information like DNS and WINS servers to client computers on local network.
  • Through the use of DHCP server network administrators save time required for configuration and re-configuration of computers.
  • The administrator should install the DHCP service on a computer with a static IP address, so that clients always find the server at the same address when they renew their leases
  • You need to have administrative privileges to install and administer DHCP server
  • A DHCP server must be authorized if it is to operate in an AD network (the person authorizing it needs to be a member of the Enterprise Admins security group). Stand-alone DHCP servers can still be deployed, but they should not share a subnet with authorized servers. A stand-alone server deployed alongside authorized servers is called a rogue server; a Windows 2000/2003 rogue server automatically stops its DHCP service when it detects an authorized server on the subnet. Note that this check is performed by the rogue server itself, so it only restrains well-behaved Windows servers; it does nothing against a non-Windows or deliberately malicious DHCP server.
  • DHCP scope is a pool of IP addresses within a logical subnet which DHCP server assigns to its clients. Scopes provide for IP address management.
  • When an IP address is given to a client it is said to be leased; once the lease is made it is active. Leases are renewed for different reasons; the client tries to renew when 50% of the lease time has passed.
  • The DHCP server's own static address must be on the same subnet as the scope it serves; it should not be handed out, so exclude it from the scope's range.
  • The 80/20 rule - to provide fault tolerance with two DHCP servers, the first server (A) should hold 80% of the addresses for its local subnet and 20% of the addresses for the subnet on which the other DHCP server (B) sits. The same split is repeated on server B, which gets 80% of the addresses in its own subnet and 20% of the addresses in server A's subnet. The concept extends to 2 or more DHCP servers.
  • Reservations are addresses in the scope reserved for specific computers. An IP address is reserved for a specific network adapter by its MAC address. To create a new reservation open the scope, right-click Reservations and select New Reservation. A reserved address is still obtained through DHCP, so it is not interchangeable with a manually configured static address. A reservation does not work if the address is also in an exclusion range. Reservations are used as an alternative to static addresses for computers that are not essential to network function (i.e. not critical servers).
  • The scope needs to be activated before the server can hand out addresses (in an AD network the server also needs to be authorized). To activate a scope open the DHCP console, select the scope and from the Action menu select Activate.
  • Exclusion range - group of IP addresses residing in the scope that administrator doesn't wish to be leased to DHCP clients
  • DHCP is an extension of the Bootstrap Protocol (BOOTP). The Microsoft DHCP server can also assign addresses to BOOTP clients.
[4.2] DHCP scope options
  • DHCP options can be configured on reservation, scope and server level. To configure options for reservation, select it and from the actions menu choose 'Configure options'. To configure options for a scope select scope options folder and then 'Configure options'. To configure server options select server options folder and then 'Configure options'
  • There are more than 60 different options available on the DHCP server; the most common (important) ones are:
    • 003 Router - IP addresses of routers on the client's subnet, used by the client as default gateway for packet forwarding
    • 006 DNS servers - IP addresses of DNS servers
    • 015 DNS domain name - the domain name DHCP clients append when resolving unqualified names; it is also the domain in which the client registers its dynamic DNS records
    • 044 WINS/NBNS servers - IP addresses of WINS servers
    • 051 Lease time - the lease duration; used, for example, to give remote access clients a different lease
  • Options set on the DHCP server take effect when clients renew or obtain new lease
[4.3] DHCP scope features (New Scope wizard pages)
  • Scope name page - you can give your scope a name
  • IP address range - define the starting and ending IP address of the scope and the subnet mask. Choose a consecutive address range of the subnet and then exclude the addresses of computers with static configurations.
  • Add exclusions - these are the addresses that will not be leased to DHCP clients
  • Lease duration - length of lease
  • Configure DHCP options - whether to configure DHCP options for the scope through further pages in the wizard or later in the DHCP console; options can be configured at the reservation, scope or server level. There are more than 60 different DHCP options.
  • Router (Default Gateway) - optional, which default gateway should be assigned to DHCP clients
  • Domain name and DNS servers - optional, which domain will be assigned as parent and which DNS servers will be given to the DHCP client
  • WINS servers - optional, addresses of WINS servers that are to be assigned to the DHCP client
  • Activate scope - whether the scope will be activated when the wizard finishes
[4.4] Managing DHCP server
  • To change the DHCP server status open the DHCP console, go to actions menu and select one of Start, Stop, Pause, Restart and Resume
  • You can also use the Net command to change the status of the DHCP server from a command prompt: net [start|stop|pause|continue] dhcpserver (DHCPServer is the service name)
  • You can manage DHCP server from command line using netsh command line tool, with dhcp subcommand option.
  • A superscope is an administrative grouping of scopes used to support multiple logical subnets (multinets) on a single network segment: one physical network carrying several logical networks. It lets the DHCP server provide clients on that segment with addresses from multiple scopes. The superscope has to be deleted before any scope contained in it is deleted. A superscope only groups scopes that can be activated together; it carries no configuration details of its own.
  • To move a scope to a new address range, first create a new scope with the new range, activate it and deactivate the old scope. Either manually or by waiting for leases to expire make sure all clients move to the new scope, then delete the old scope.
  • If a superscope is not defined, only one scope per network segment can serve clients at a time.
  • To avoid assigning an address that is already in use, the DHCP server has conflict detection (Advanced tab of the DHCP server properties): before offering an address the server pings it a configurable number of times to check whether it is free.
  • Multicast scope - regular DHCP scopes provide client configurations by allocating ranges of IP addresses from the standard classes (A, B or C). The multicast address range uses an extra class, D, IP addresses from 224.0.0.0 to 239.255.255.255, for IP multicasting. In every TCP/IP network each host gets its own unicast IP address from the regular classes, and this unicast address must be assigned before the host can use secondary addresses such as a multicast IP address. Multiple PCs can share the same multicast IP address; a packet sent to a multicast address is delivered to all of them. On private networks it is recommended to start with the 239.192.0.0 range. Multicast scopes are served through MADCAP (Multicast Address Dynamic Client Allocation Protocol).
  • The DHCP server backs itself up automatically every 60 minutes; a manual backup is performed with the Backup command in the DHCP console. A backup saves the whole DHCP database: all scope information including superscopes and multicast scopes, reservations, leases and all options. Some things, like credentials, are not saved. The default backup location is %systemroot%\system32\dhcp\backup and the database file is called DHCP.mdb.
    • To change the backup behaviour of the DHCP server, edit the following registry values:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupInterval
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupDatabasePath
  • To migrate a DHCP server all you need to do is move the database: back it up on the old computer and restore it on the new one.
  • Jetpack.exe is a tool for offline compaction and repair of Jet databases such as the DHCP or WINS database. The DHCP server also compacts its database dynamically without going offline, but offline compaction is more efficient. Compact the database whenever it grows beyond 30 MB or you get corruption errors.
  • Option classes - a way for the DHCP server to hand different options to different groups of clients within a scope. When an option class is added, clients belonging to that class receive class-specific configuration options. There are two types of classes, vendor classes and user classes.
    • A vendor class is used to assign vendor-specific options to clients that share a common vendor
    • A user class is used to assign options to clients that share user-defined similarities
  • The DHCP server has a built-in user class called 'Default Routing and Remote Access Class'. Options in this class apply only to clients that request an address while connecting through Routing and Remote Access; for example, you can assign shorter leases to remotely connected clients (option 051 Lease time).
  • To create your own user or vendor class open the DHCP console, right-click the DHCP server and select 'Define User Classes' (or 'Define Vendor Classes'). After defining a new class you assign it an ID and options. On the client side you need to make sure the clients know which class they belong to; this is set by running ipconfig /setclassid. ipconfig /showclassid lists the class IDs the DHCP server allows for the client's adapter.
[4.5] DHCP and DNS working together
  • Windows 2000 and later computers register their own A record and ask the DHCP server to register the PTR record (the request travels in the client FQDN option of the DHCP request)
  • By default the DHCP server only attempts to update client records if such operation is requested by the client computer
  • You can also configure the DHCP server to attempt to update A and PTR records regardless of clients requests
  • By default the DHCP server discards the A and PTR records when the lease expires (you can set it so they are kept)
  • By default the DHCP server does not perform dynamic updates on behalf of older Windows clients that cannot request them
  • The update settings are configured on the DNS tab of DHCP server properties
  • DnsUpdateProxy is a security group that sets records updated/created by its members in security less setting (objects created by members of this group have no security related settings). When a DHCP server that is not a member of the group modifies or creates an entry in the DNS, it becomes the owner of that entry and only it can change the entry. This might create problems when for example, client cannot modify a record because server took ownership of the record. The membership of the DHCP server in this group solves stale record problems.
  • Usage of the DnsUpdateProxy group also might cause some problems if the DHCP service is installed on a DC since all records created are not secure (same holds for the A records of the non-DC DHCP servers, but one can modify these manually giving them an owner). In particular, the records created by DC netlogon service are not secure.
[4.6] Analyzing DHCP server traffic
  • Communication between DHCP server and DHCP client for a lease:
    • A client seeking an IP address broadcasts a DHCPDISCOVER message on the network
    • Any DHCP server that receives the message and has available IP addresses sends a DHCPOFFER for a period of time called the lease
    • If no DHCP servers are available, the client can use APIPA or an alternate configuration; older clients fail to initialize and continue to send DHCPDISCOVER messages 4 times per 5 minutes
    • The client selects one of the offers and broadcasts a DHCPREQUEST indicating its selection
    • The DHCP server sends a DHCPACK message to the client with possible configuration information such as DNS server IPs
  • Communication between DHCP server and DHCP client for lease renewal:
    • The client computer sends a DHCPREQUEST message to the server that leased it the IP address; it contains the FQDN of the client computer. The DHCPREQUEST message is also used by the client to request dynamic updates from the DHCP server.
    • If the DHCP server can be reached, it sends a DHCPACK message back indicating renewal of the current lease (or remains silent)
    • If the DHCP server cannot be reached then the client waits until it reaches the rebinding state, which usually occurs 7 days after the last lease renewal. When that state is reached the client attempts to renew with any available DHCP server.
    • If a server responds with a DHCP offer message the client renews the lease and continues its operation
    • If the lease expires and the client doesn't renew it, the client ceases to use the leased IP address. It then tries to obtain a new IP address lease.
    • The DHCP server can also issue a DHCPNACK response indicating that the requested IP address is unavailable. In this case lease renewal fails and the client is forced to initiate a new lease request process.
[4.7] DHCP audit logging
  • In its default configuration the DHCP server writes daily audit logs to the folder %systemroot%\system32\dhcp. The text files created there are named after the day of the week they were created on, in the format DhcpSrvLog-[3-letter day of the week abbreviation]. You can change the file location from the Advanced tab of the DHCP server properties.
  • You can turn logging off on the General tab of the DHCP server properties. By default, the largest log file is 1Mb and logging stops if the amount of free disk space falls under 20 Mb.
  • Each log file entry contains the ID, date, time, description, IP address, host name and MAC address. The columns are in CSV format; some may be blank.
  • The log file begins with a summary of the event IDs that show up in the main body of the log file, up to event ID 50. Event IDs above 50 are used for AD authorization issues.
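The audit log format described above is easy to parse, and reading it is often the fastest way to spot address conflicts, an exhausted pool, or authorization trouble. The following Python is an added example written for this guide, not code from the guide's author or from Microsoft; the sample log lines, host names and MAC addresses are constructed, and the event-ID name table is a subset of the published DhcpSrvLog event codes below 50 (everything 50 or above is treated as an AD authorization / rogue-detection event, as the guide says). It also flags MAC addresses that were handed more than one address, which is worth a second look.

```python
import csv
import io

# Subset of the published DhcpSrvLog event codes (IDs below 50); IDs of 50 and above are the
# rogue-detection / AD authorization events the guide mentions. Not taken from the guide itself.
EVENT_NAMES = {
    0: "Log started", 1: "Log stopped",
    10: "New lease", 11: "Lease renewed", 12: "Lease released",
    13: "Address found in use on the network",
    14: "Lease request could not be satisfied (pool exhausted)",
    15: "Lease denied", 16: "Lease deleted", 17: "Lease expired",
}

# Constructed sample in the column order the guide lists:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,12/13/09,00:00:01,Started,,,
10,12/13/09,08:12:44,Assign,192.168.1.50,pc01.example.local,0013A9000001
11,12/13/09,08:40:10,Renew,192.168.1.51,pc02.example.local,0013A9000002
13,12/13/09,09:02:17,Conflict,192.168.1.52,,
14,12/13/09,09:15:03,Pool exhausted,,,
10,12/13/09,09:20:55,Assign,192.168.1.53,pc03.example.local,0013A9000001
51,12/13/09,09:30:00,Authorization succeeded,,dc1.example.local,
"""


def event_name(event_id):
    if event_id in EVENT_NAMES:
        return EVENT_NAMES[event_id]
    return "AD authorization / rogue detection" if event_id >= 50 else "Other"


def parse_audit_log(text):
    """Return one dict per data row; the header and the summary text are skipped."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip().isdigit():
            continue
        row = row + [""] * (7 - len(row))  # the guide notes that some columns may be blank
        event_id = int(row[0])
        entries.append({
            "id": event_id, "name": event_name(event_id),
            "date": row[1], "time": row[2], "description": row[3],
            "ip": row[4], "host": row[5], "mac": row[6].upper(),
        })
    return entries


def review(entries):
    """Summarize what to check first: conflicts, exhaustion, authorization events,
    and MAC addresses that have been handed more than one address."""
    findings = {"conflicts": [], "exhausted": 0, "authorization": [], "multi_lease_macs": []}
    addresses_by_mac = {}
    for e in entries:
        if e["id"] == 13:
            findings["conflicts"].append(e["ip"])
        elif e["id"] == 14:
            findings["exhausted"] += 1
        elif e["id"] >= 50:
            findings["authorization"].append((e["id"], e["description"]))
        if e["id"] in (10, 11) and e["mac"]:
            addresses_by_mac.setdefault(e["mac"], set()).add(e["ip"])
    findings["multi_lease_macs"] = sorted(m for m, ips in addresses_by_mac.items() if len(ips) > 1)
    return findings


if __name__ == "__main__":
    for entry in parse_audit_log(SAMPLE_LOG):
        print(f'{entry["id"]:>3} {entry["time"]} {entry["name"]:<45} {entry["ip"]} {entry["mac"]}')
    print(review(parse_audit_log(SAMPLE_LOG)))
```

Point the parser at the day's DhcpSrvLog file instead of SAMPLE_LOG to use it on a real server; a non-empty conflicts list or a non-zero exhausted count corresponds directly to the scope checks described in the problem resolution section.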
[4.8] DHCP problem resolution
  • The first step of fixing DHCP related problems is to make sure that there is no problem with the client; use the ipconfig command to verify connectivity. If an address conflict occurred you will be warned of it by a system tray warning popup as well as an address conflict event in the system log.
  • Dhcploc.exe can be used to locate DHCP servers, including rogue servers; this utility is part of the Windows Support Tools. To list AD authorized servers only, use the command netsh dhcp show server.
  • The repair button on the remote connection information screen performs these functions:
    • Broadcasts a DHCP Request message to renew the lease, if this computer is a DHCP client
    • Flushes the ARP cache, the same thing as arp -d
    • Flushes the NetBIOS cache, same as nbtstat -R
    • Flushes the DNS cache, same as ipconfig /flushdns
    • Registers the computer with the WINS server, same as nbtstat -RR
    • Registers the computer with the DNS server, same as ipconfig /registerdns
  • If the computer fails to connect to the DHCP server make sure the network medium is up and the DHCP server is operational. Make sure the scope is active and that it still has leases available for its clients.
  • The DHCP server knows from which scope to assign an address by looking at the address of the RFC 1542-compliant router that was added to the discovery packet sent out by the client computer (no extra IP added means the local subnet)
  • If a client gets an IP address from the DHCP server, but it is from the wrong scope, verify with the dhcploc utility whether competing DHCP servers are present. Make sure all authorized servers are leasing from non-overlapping ranges. A single DHCP server can have multiple scopes active on it; scopes not native to the DHCP server's subnet are used for remote clients. DHCP matches remote clients to their scope when an RFC 1542-compliant router or DHCP relay agent is properly configured. The DHCP request message contains a field named 'giaddr' which identifies the originating subnet (it carries the relay's address); when it is empty the client is assumed to be local and is assigned an address from the local scope.
  • For a server to hand out addresses it must be on the same subnet as its clients and the DHCP service must be bound to the connection; this is checked from the Advanced tab in the server properties.
  • Make sure the scope is active and that the scope's network ID matches that of the DHCP server. Also, though it sounds trivial, make sure the DHCP server has some addresses available for lease. To accommodate more users you can simply shorten the lease duration. Don't forget static address exclusions and reserved addresses.
  • If the problem lies within the DHCP database, you will need to reconcile the DHCP data for one or all scopes. The data is stored in detailed and summary form on the DHCP server; when reconciling, the data in these two forms is compared.
  • You can also use the jetpack utility to perform database compaction, or use netsh dhcp server set databaserestoreflag 1
  • When the administrator needs to renew IP addresses on a few computers he can issue the command ipconfig /renew on each one of them; when there are more computers it is easier to just reboot them using the shutdown /i command line utility (which shows a GUI).
  • To quickly get just the MAC address of any computer, including remote PCs, use the getmac /s [server name] /v command line utility
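To make the lease exchange from [4.6] and the giaddr-based scope selection from [4.8] concrete, here is an added Python example (my own code for this guide, not from the guide's author or from the Windows DHCP service) that builds and parses real RFC 2131 packets and runs a tiny server over them. The server address, scopes, MAC addresses and relay address are constructed values; the lease length and the pool policy (skip the server's own and the relay's address, hand out the lowest free host, give a returning MAC its previous address) are assumptions made for the example. A client on the server's own subnet leaves giaddr at 0.0.0.0; a client behind a relay has giaddr set to the relay's address, and that address decides which scope is used. A DHCPREQUEST for an address outside the matched scope gets a DHCPNAK, which is the case the guide describes as forcing a fresh lease request.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # values of option 53 (DHCP message type)
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"                 # RFC 2131 fixed header (236 bytes)
LEASE_SECONDS = 8 * 3600                              # assumed lease length for the example


def pack_ip(text):
    return ipaddress.IPv4Address(text).packed


def build_packet(op, xid, msg_type, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", extra_options=()):
    """Serialize a DHCP packet; extra_options is a sequence of (code, value bytes)."""
    mac = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(FIXED, op, 1, 6, 0, xid, 0, 0x8000,     # htype 1 = Ethernet, broadcast flag set
                         pack_ip("0.0.0.0"), pack_ip(yiaddr), pack_ip("0.0.0.0"), pack_ip(giaddr),
                         mac, b"", b"")
    options = bytes([53, 1, msg_type])
    for code, value in extra_options:
        options += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + options + b"\xff"


def parse_packet(data):
    fields = struct.unpack(FIXED, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(data) and data[i] != 255:          # 255 = end option
        if data[i] == 0:                              # 0 = pad
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4],
            "yiaddr": str(ipaddress.IPv4Address(fields[8])),
            "giaddr": str(ipaddress.IPv4Address(fields[10])),
            "chaddr": fields[11][:6].hex(":"),
            "msg_type": options[53][0], "options": options}


class DhcpServer:
    def __init__(self, server_ip, scopes):
        self.server_ip = ipaddress.IPv4Address(server_ip)
        self.scopes = [ipaddress.IPv4Network(s) for s in scopes]
        self.leases = {}                              # ip string -> MAC string

    def select_scope(self, giaddr):
        """giaddr 0.0.0.0 means a directly attached client; otherwise it is the relay's address."""
        key = self.server_ip if giaddr == "0.0.0.0" else ipaddress.IPv4Address(giaddr)
        return next((s for s in self.scopes if key in s), None)

    def free_address(self, scope, mac, exclude):
        for host in scope.hosts():
            if host in exclude:
                continue
            if self.leases.get(str(host), mac) == mac:   # unleased, or already leased to this MAC
                return str(host)
        return None

    def handle(self, data):
        req = parse_packet(data)
        scope = self.select_scope(req["giaddr"])
        common = [(54, self.server_ip.packed), (51, struct.pack("!I", LEASE_SECONDS))]
        reply = dict(xid=req["xid"], chaddr=req["chaddr"], giaddr=req["giaddr"])
        if req["msg_type"] == DISCOVER:
            if scope is None:
                return None                           # no scope for that subnet: stay silent
            ip = self.free_address(scope, req["chaddr"], {self.server_ip, ipaddress.IPv4Address(req["giaddr"])})
            if ip is None:
                return None                           # pool exhausted
            return build_packet(BOOTREPLY, msg_type=OFFER, yiaddr=ip,
                                extra_options=common + [(1, scope.netmask.packed)], **reply)
        if req["msg_type"] == REQUEST:
            server_id = req["options"].get(54)
            if server_id is not None and server_id != self.server_ip.packed:
                return None                           # client accepted another server's offer
            wanted = ipaddress.IPv4Address(req["options"][50])
            if scope is None or wanted not in scope or self.leases.get(str(wanted), req["chaddr"]) != req["chaddr"]:
                return build_packet(BOOTREPLY, msg_type=NAK, **reply)
            self.leases[str(wanted)] = req["chaddr"]
            return build_packet(BOOTREPLY, msg_type=ACK, yiaddr=str(wanted),
                                extra_options=common + [(1, scope.netmask.packed)], **reply)
        return None


def lease_exchange(server, mac, giaddr="0.0.0.0", xid=0x1234):
    """Client side of DISCOVER/OFFER/REQUEST/ACK; returns (offered ip, final message type)."""
    offer_bytes = server.handle(build_packet(BOOTREQUEST, xid, DISCOVER, mac, giaddr=giaddr))
    if offer_bytes is None:
        return None, None
    offer = parse_packet(offer_bytes)
    request = build_packet(BOOTREQUEST, xid, REQUEST, mac, giaddr=giaddr,
                           extra_options=[(50, pack_ip(offer["yiaddr"])), (54, offer["options"][54])])
    return offer["yiaddr"], parse_packet(server.handle(request))["msg_type"]
```

The packets produced by build_packet are byte-for-byte valid DHCP messages, so the same parser can be pointed at a capture from a real client to see which giaddr a relay inserted and therefore which scope the server will pick.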

Part 5: Implementing, configuring and troubleshooting routing and remote access in Windows networks

[5.1] Chapter definitions
  • Routing is the process of transferring data from one local area network to another local area network
  • A bridge is a network connection that connects two or more network segments and forwards traffic between them as necessary according to hardware addresses. A bridge is a layer two (data link) device.
  • A router is a device that receives and forwards traffic according to software addresses. A router is a layer three device according to the OSI model.
  • A network interface is a software object that connects to a physical device such as a modem or network card
  • Demand-dial interfaces - these are interfaces such as VPN, persistent dial-up and PPPoE connections. New demand-dial interfaces are added through the Network Interfaces node.
  • Windows includes a software router called the Routing and Remote Access service. This is a multiprotocol router capable of LAN to LAN, LAN to WAN, VPN and NAT routing through IP networks. It also supports routing features such as IP multicasting, demand-dialing, packet filtering, DHCP relay and built-in support for RIP 2 and OSPF.
  • Unnumbered connections - connections in which one or both of the logical interfaces fail to obtain an IP address. Unnumbered connections happen mostly with demand-dial connections when one (or both) routers don't support APIPA
  • NAT stands for network address translation and is a service that is part of a router, in which the header information in IP datagrams is modified by the router before being sent out. This allows many computers with private addresses to share a single public IP and still be able to surf the net.
[5.2] Routing with Routing and remote access
  • The server computer needs to be configured with Routing and Remote Access since it is installed in a disabled state. It will detect all installed network adapters and configure them. However, the system administrator will need to set up all additional VPN and dial-up connections since they are not pre-configured during setup.
  • When you add a new network card to an already configured Routing and Remote Access service, you will need to add a new interface through the Routing and Remote Access console
  • The number of network segments for which R&R access can act as a router is limited by the number of interfaces installed on the server.
  • Routing and Remote Access properties for the IP routing node:
    • The General tab allows the network administrator to configure the R&R access service as a LAN router, demand-dial router or remote access server.
    • The Security tab allows the network administrator to configure authentication methods, connection request logging and preshared keys for the IPSec protocol. All options set on the Security tab are applied to remote access clients and demand-dial routers.
    • The IP tab allows the network administrator to configure how IP packets are routed over LAN, remote access or demand-dial connections. You have the option to use a DHCP server to assign IP addresses to remote hosts. If the DHCP server is not on the same PC as the R&R access service it must be reached through a DHCP relay agent. If you don't have a DHCP server close at hand you can use a static address pool; the R&R access service will then act as a DHCP server. The "Enable Broadcast Name Resolution" check box, when checked, enables R&R access clients to resolve computer names on all network segments connected to the R&R access server without the help of DNS or WINS servers; this option is enabled by default and it works by permitting NetBT broadcasts from remote clients.
    • The PPP tab allows the network administrator to control how dial-up connections are authenticated and negotiated. You can enable or disable the following options: Multilink connections, Link Control Protocol (LCP) extensions, software compression and Dynamic Bandwidth Control with BAP or BACP; all options are enabled by default.
      • Multilink connections allow multiple physical links to operate as a single logical link, increasing the bandwidth
      • Dynamic Bandwidth Control with BAP or BACP - when bandwidth demands change, multilink connections are created or dropped to allow for the changes; both protocols work together to provide bandwidth on demand (BOD)
      • Link Control Protocol (LCP) extensions - support for advanced PPP features such as callback; disable if the client is older and cannot use these advanced features
      • Software compression - software based compression of data; leave on unless the modem used can compress data at the hardware level (no need to do idle work at the software level)
    • The Logging tab allows the administrator to select the events to be logged; by default only errors are written to the log file. Log files are located in the %systemroot%\tracing directory.
  • IP routing properties, accessed from the General Properties dialog box associated with the General subnode of the IP Routing node:
    • Logging tab - which IP routing events are to be logged; by default only errors are logged
    • Preference Levels tab allows the administrator to assign a priority to routes collected from various sources. When two different sources provide conflicting routing information only one source's data can be entered into the routing table; this data comes from the source with the higher priority setting. The highest priority is 120, the lowest is 1.
    • Multicast Scopes tab - add/remove multicast scopes (to add a new scope provide its name, base IP address and mask)
  • The Routing and Remote Access server supports SLIP and PPP for serial asynchronous connections. PPP - Point-to-Point Protocol - provides advanced features (like IPX, NetBEUI and TCP/IP, and encrypted authentication if configured) not found in the Serial Line Internet Protocol (SLIP)
[5.3] Routing tables explained
  • There are three types of routes that one finds inside a routing table:
    • Default route - there is a single entry for this route in the table; the address provided is used as the destination for packets whose address doesn't match any other entry in the routing table. This route is indicated by both an address and a network mask of 0.0.0.0
    • Host route - provides a route to a specific host or a broadcast address; this type of route is marked by a network mask of 255.255.255.255
    • Network route - provides a route to a specific network; this type of route can have a subnet mask between 0.0.0.0 and 255.255.255.255
  • To view the routing table of any computer (for any computer has one) from the command line type route print
  • Routing tables are organized into five columns, which are in the following order: Network Destination, Netmask, Gateway, Interface and Metric
    • Network Destination - the router compares entries from this column with the destination address of every IP packet. The 0.0.0.0 entry is the default route, 127.0.0.1 is the loopback device. Each entry starting with 224.0.0.0 refers to a multicast route. Entries with a last octet of 255 represent broadcast addresses; 255.255.255.255 is the limited broadcast address, which is general for all networks and routers, while the other broadcast addresses are directed broadcasts specific to one network.
    • Netmask - the value of this column determines which part of the packet's destination IP address is compared to the entries in the Network Destination column. The closest match determines the route that the packet will be given
    • Gateway - the value represents the address the packet will be sent to if this particular route is chosen. The address should be different from the Network Destination value on the same row in the table. The gateway is the direction a packet takes in its voyage to the destination address (network destination). It is logical that the direction one must take to arrive at X is different from X itself.
    • Interface - the value of the local network interface that will be used to transport the packet if this route is chosen
    • Metric - the cost of using a route; lower metric values carry more weight compared to higher values, so a value of 1 is preferred over 50. RIP uses the number of hops to determine a route's metric.
  • By default the computer will preset certain route entries; however, to implement smooth communication with hosts that are outside broadcast range one must set up either static or dynamic routing
  • Static routing is when the administrator adds new routes to the routing table; routers do not share routing information and the tables have to be manually checked for accuracy. This makes static routing difficult in large networked environments. Static routing works best for small single path internetworks with 10 or fewer subnets. Static routing supports unnumbered connections. Static routes survive a server restart since they are persistent.
  • You can add new static routes from the Routing and Remote Access console or using the command line: route add [destination address] mask [netmask] [gateway] metric [metric cost] if [interface]. Please note that the static routes added with the route command line utility are not persistent by default. To make them persistent use the -p switch. If routes are not persistent they are not listed under the static routes heading in the R&R access console.
  • To delete a route from the command line use route delete [destination address]
  • In real life static routes are rarely used since RIP is easy to configure. You might need to use static routes for connections to remote routers that are intermittent, since dynamic routing protocols require too much communication over the link.
  • You should avoid configuring default routes on two or more routers that point to each other since that puts unreachable traffic into an endless loop.
  • Dynamic routing uses RIP 2 or OSPF to share information between routers and ensure that the routing tables are built and kept accurate dynamically
  • There is nothing to be done as far as configuration is concerned by the administrator if the router is physically connected to all network segments
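The route selection the guide describes (closest netmask match, then the lowest metric) is a small algorithm, and seeing it run over a table is the quickest way to understand why a packet went where it did. The following Python is an added example written for this guide, not the guide's or Windows' code; the route table is a constructed one in the five-column layout of route print, and the default-gateway map used for the loop check is constructed as well. It goes a little beyond the text by handling two routes to the same destination with different metrics, and by checking a set of routers for the mutual default-route loop the guide warns about.

```python
import ipaddress

# Constructed table in the column order printed by route print:
# Network Destination, Netmask, Gateway, Interface, Metric
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0          192.168.1.1    192.168.1.10   20
10.0.0.0         255.0.0.0        192.168.1.254  192.168.1.10   30
10.0.0.0         255.0.0.0        192.168.1.253  192.168.1.10   10
127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
192.168.1.0      255.255.255.0    192.168.1.10   192.168.1.10   20
192.168.1.10     255.255.255.255  127.0.0.1      127.0.0.1      20
192.168.1.255    255.255.255.255  192.168.1.10   192.168.1.10   20
224.0.0.0        240.0.0.0        192.168.1.10   192.168.1.10   20
255.255.255.255  255.255.255.255  192.168.1.10   192.168.1.10    1
"""


def classify(network):
    """The three route types the guide lists, recognised by their netmask."""
    if network.prefixlen == 0:
        return "default"
    if network.prefixlen == 32:
        return "host"
    return "network"


def parse_route_table(text):
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        destination, netmask, gateway, interface, metric = parts
        network = ipaddress.IPv4Network((destination, netmask), strict=False)
        routes.append({"network": network, "gateway": ipaddress.IPv4Address(gateway),
                       "interface": ipaddress.IPv4Address(interface), "metric": int(metric),
                       "kind": classify(network)})
    return routes


def lookup(routes, destination):
    """Longest prefix match, ties broken by the lowest metric; None when nothing matches."""
    address = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if address in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def next_hop(routes, destination):
    """(gateway, route kind) for a destination, or None when there is not even a default route."""
    route = lookup(routes, destination)
    return None if route is None else (str(route["gateway"]), route["kind"])


def default_route_loops(default_gateways):
    """default_gateways maps a router's address to its default gateway;
    returns the pairs of routers whose default routes point at each other."""
    loops = set()
    for router, gateway in default_gateways.items():
        if default_gateways.get(gateway) == router:
            loops.add(tuple(sorted((router, gateway))))
    return sorted(loops)


if __name__ == "__main__":
    table = parse_route_table(ROUTE_PRINT)
    for target in ("192.168.1.10", "192.168.1.77", "10.20.30.40", "8.8.8.8"):
        print(target, "->", next_hop(table, target))
    print(default_route_loops({"10.0.0.1": "10.0.0.2", "10.0.0.2": "10.0.0.1"}))
```

Feeding the output of route print on a real machine through parse_route_table works as long as the five data columns are kept and the header lines are dropped (they have a different number of fields and are skipped).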
[5.4] Configuring routing protocols
  • Windows Server supports four routing protocols: RIP, OSPF, multicast IGMP and DHCP Relay Agent
  • RIP (Routing Information Protocol) chooses the lowest cost route; routes with a cost higher than 15 are discarded, limiting the network size. RIP routers advertise their whole tables to each other every 30 seconds.
  • RIP works best in small to medium sized networks with a maximum of 15 routers; multipath networks with dynamic topology are well suited for RIP.
  • The main advantage of RIP is its ease of use; its disadvantages are its limited hop based cost estimate and 15 hop size limit
  • RIP can use simple password authentication that prevents an attacker from polluting the routing tables; unfortunately the passwords are plain text. You can configure a list of routers (peer filtering) from which your router is to accept RIP announcements (by IP address). You can configure route filters on each RIP interface, thus making routes that are reachable from your network the only ones that will be considered for addition to the routing table.
  • By default RIP uses either broadcasts or multicasts (the latter only in RIP 2). To prevent traffic from being sent to nodes that are not RIP routers the system administrator can set RIP neighbors.
  • OSPF (Open Shortest Path First) is an efficient protocol which uses the shortest path first algorithm to compute routes. OSPF routers don't share routing tables; instead they rely on a map of the internetwork called the link state database. Neighboring routers form an adjacency.
  • The OSPF protocol can scale to very large networks due to no hop limit, fast convergence times, little network bandwidth use and loop-free routes. Unfortunately it is not supported on the 64-bit edition of Windows Server 2003.
  • Changes to the network topology are sent to all routers in the network, which recompute their routing tables
  • OSPF divides the network into areas (collections of contiguous networks) which are connected to each other through the backbone. Each router keeps a link state database only for the areas to which it is connected. Area border routers connect to the backbone area and other areas. OSPF also supports stub areas, which have only one entry and exit point.
  • The DHCP Relay Agent is a routing protocol that allows client computers to obtain an address from a DHCP server on a remote subnet. DHCP clients send their DHCPDISCOVER packets as broadcasts, which are blocked by routers; one either needs to deploy an RFC 1542-compliant router or a DHCP Relay Agent for these packets to get through to the other subnet. You cannot use the DHCP Relay Agent on a computer that is also running a DHCP server, NAT (with automatic addressing turned on) or ICS. You install the DHCP Relay Agent just like any other protocol. Routers that are RFC 1542 compliant use BOOTP (boot protocol) forwarding for DHCP packets.
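The three RIP protections named above (password, peer filtering, route filters) plus the 15-hop limit are all checks applied to an incoming announcement before it may touch the routing table. The following Python is an added example written for this guide, not code from the guide or from the Windows RIP implementation; it models that acceptance logic and keeps an audit trail of what was rejected and why, which is the information an administrator wants when a bad route does turn up. The peer addresses, prefixes, password and metrics are constructed values. Metrics are handled as RIP does: the announced metric plus one hop, with 16 meaning unreachable.

```python
import ipaddress
from dataclasses import dataclass

RIP_INFINITY = 16          # metric 16 means unreachable; usable hop counts are 1 to 15


@dataclass
class Route:
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    metric: int


class RipListener:
    """Applies the RIP protections the guide names (password, peer filter, route filter)
    and the 15-hop limit before an announcement can change the routing table."""

    def __init__(self, password=None, peers=None, allowed_prefixes=None):
        self.password = password
        self.peers = {ipaddress.IPv4Address(p) for p in peers} if peers else None
        self.allowed = [ipaddress.IPv4Network(n) for n in allowed_prefixes] if allowed_prefixes else None
        self.table = {}        # IPv4Network -> Route
        self.rejected = []     # (source, reason, destination) audit trail for the administrator

    def route(self, destination):
        return self.table.get(ipaddress.IPv4Network(destination))

    def process_announcement(self, source, entries, password=None):
        """entries is a list of (destination prefix, advertised metric); returns the number accepted."""
        src = ipaddress.IPv4Address(source)
        if self.peers is not None and src not in self.peers:           # peer filtering
            self.rejected.append((source, "not a configured RIP peer", None))
            return 0
        if self.password is not None and password != self.password:    # plain-text password check
            self.rejected.append((source, "bad RIP password", None))
            return 0
        accepted = 0
        for destination, advertised in entries:
            network = ipaddress.IPv4Network(destination)
            metric = min(advertised + 1, RIP_INFINITY)                # one more hop to go via the announcer
            if metric >= RIP_INFINITY:
                self.rejected.append((source, "metric 16 or more is unreachable", destination))
                continue
            if self.allowed is not None and not any(network.subnet_of(a) for a in self.allowed):
                self.rejected.append((source, "prefix outside the route filter", destination))
                continue                                               # route filtering
            current = self.table.get(network)
            # install when new, when cheaper, or when the current next hop itself re-announces it
            if current is None or metric < current.metric or current.next_hop == src:
                self.table[network] = Route(network, src, metric)
                accepted += 1
        return accepted
```

Because the RIP password travels in clear text, the peer and route filters are the controls that actually bound what a spoofed announcement can do; the rejected list is where evidence of such announcements would accumulate.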
[5.5] Demand-dial routing
  • You can enable demand-dial routing from the General tab of the Routing and Remote Access properties
  • You can set dial credentials, get the unreachability reason, set IP demand-dial filters and dial-out hours from the Actions menu. These options are only for the demand-dial interface.
  • On the properties page of the demand-dial router you can set modem features such as the source phone number, dialing properties such as call frequency, and the security protocol used - CHAP by default.
  • You can access port and device properties from the Ports node. From this dialog box you can configure whether your modem will be used for inbound and/or outbound connections. You can also set the device's phone number.
  • When demand-dial is activated, r-clicking a demand-dial interface under the General node of IP Routing reveals some commands specific to dial-in interfaces:
    • Update Routes is used to update routes if RIP is installed. Static routes are updated and are known as autostatic routes. Autostatic routes are used instead of normal RIP router-to-router communication due to the nature of the connection (demand-dial).
    • TCP/IP statistics allows the administrator to see information similar to that provided by ipconfig and netstat
    • IP routing interface properties is a shortcut to another dialog box that has General, Multicast Boundaries and Multicast Heartbeat tabs
      • On the General tab "Enable IP Router Manager" is enabled by default; it is the service responsible for numerous features such as IP packet filtering, and if you disable it the administrative status of the device changes to disabled. Another option is the "Enable Router Discovery Advertisements" check box, off by default; it is a feature in which network hosts send out router solicitations to discover routers, and it needs to be configured at the host. Packet filtering is handled by two buttons, Inbound Filters and Outbound Filters. Part of packet filtering is the "Enable fragmentation checking" check box, off by default.
      • Multicast Boundaries tab - administrative barriers for forwarding of IP multicast traffic. If boundaries didn't exist then the IP multicast router would forward all appropriate IP multicast traffic. You can configure the boundary using a multicast scope or the TTL in the IP header.
      • Multicast Heartbeat tab - the server listens for a regular multicast notification for a specified group address to verify that IP multicast connectivity is available on the network. You can configure the timeout interval and the group address.
  • Demand-dial router-to-router configuration options:
    • Connection endpoint addressing - the end point of a connection that goes over a public network must be identified by an endpoint identifier (such as a phone number).
    • Both ends of the demand-dial connection must be configured for normal (bi-directional) traffic to flow; they both need R&R access to be running
    • Authentication of the calling router is based on credentials that correspond to a user account; authorization of the calling router is based on user permissions.
    • The process of differentiating between a router and a user calling is done by matching the user name to the interface being called: it is a router calling if the user name matches exactly the name of a demand-dial interface on the answering router.
    • Static routes are to be configured on both connection ends; the check box 'Use this route to initiate demand-dial connection' should be checked
[5.6] Configuring NAT
  • NAT - network address translation is a service that modifies packet header information before sending packets on to their destination.
  • The main difference between NAT and ICS is in their configuration options. ICS is simple and pre-configured, while with NAT you can choose any IP range for the private addresses and you can disable both the DHCP and DNS proxy capabilities. You can configure multiple external interfaces with NAT, and NAT recognizes static addresses within your network. ICS doesn't check for the existence of static addresses in its scope, which can cause problems.
  • NAT needs some configuration to work; ICS is just a single checkbox. For NAT you need to configure the external interface and make sure you add a route to it. Both a DHCP and a DNS server should be present.
  • The firewall in ICS is called Internet Connection Firewall, while in NAT it is called Basic Firewall
  • For both NAT and ICS the computer running the translation service becomes the default gateway for the client PCs
  • NAT properties include a 'Services and Ports' tab which can be used to map an internal service to the external device using the protocol and port number that the given service uses.
  • ICS is available on computers running Windows 98 and above, while for NAT Windows 2000 Server or higher is needed
[5.7] Packet filtering
  • Packet filter - a rule for an interface that restricts or allows traffic based on direction, protocol, source address and destination address. There are two types of filters, outbound and inbound. The administrator may also choose to add filters through a remote access policy.
  • You can either allow all traffic through except the packets the administrator specifies, or discard all traffic except the packets allowed by the filters to a specific PC (Basic Firewall blocks all traffic that is configured as inappropriate)
  • You can create new packet filters through the Routing and Remote Access console, IP Routing node, either the General or the NAT/Basic Firewall node.
  • It is important to define the filter direction and action correctly
[5.8] Configuring remote access authentication
  • Remote access is provided by either VPN or dial-up networking
  • Every computer that connects to the Remote Access server gets an IP assignment
  • The Remote Access server can use an existing DHCP server, in which case it will lease a block (or blocks) of 10 IP addresses upon startup. If 10 addresses cannot be leased then the Remote Access server doesn't work properly. If a block of 10 addresses is not available APIPA is used to assign IP addresses, and its usage signifies a problem with addressing, as APIPA addresses are not designed for remote access.
  • Alternatively the administrator can choose to use static IP address range assignment. In that case the Remote Access server is used for IP address assignment.
  • If the subnet you choose is different from the one on which the Remote Access server is, you will need to configure routing on your router (as with any additional subnet)
  • Remote Access server client computers must be authenticated to access the network; you can use Remote Authentication Dial-in User Service (RADIUS) or R&R access.
  • When a user places a call to the Remote Access server he supplies his user name and password for authentication. For authorization, if the R&R access server is a domain member, a domain logon is presented; for stand-alone R&R access servers this step is omitted.
  • The authentication method chosen is always the most secure method enabled in the Remote Access client properties, the remote access server properties and the remote access policy applied to the connection in question.
  • If the user is changing his or her password during the authentication phase then the client and server must be using either MS-CHAP or MS-CHAP v2 for communication.
  • Remote access authentication protocols
    • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) still supports NTLM (but not by default). The same encryption key is used for all connections; both authentication and connection data are encrypted
    • MS-CHAP v2 - no NTLM and stronger encryption (like salting the passed encrypted password strings). The two MS-CHAP protocols are the only ones that can change passwords during the authentication process. A new key is used for each connection and direction. Not supported by Windows 95. Both authentication and connection data are encrypted.
    • CHAP - needs storage of reversibly encrypted user passwords to be enabled; authentication data is protected through MD5 hashing. No encryption of connection data.
    • PAP (Password Authentication Protocol) - passwords are unencrypted, as is connection data
    • SPAP (Shiva Password Authentication Protocol) - less secure than CHAP or MS-CHAP, no encryption of connection data
    • EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) - certificate-based authentication (EAP) used with smart cards; both authentication and connection data are encrypted; not supported on stand-alone servers - only for domains. EAP-TLS is supported only by Windows Server 2003 and Windows XP/2000.
    • EAP-MD5 CHAP (Extensible Authentication Protocol - Message Digest 5 Challenge Handshake Authentication Protocol) - this is a version of CHAP that was ported to the EAP framework. Encrypts only authentication data, not connection data, the same as CHAP. EAP is supported only by Windows Server 2003 and Windows XP/2000.
    • Unauthenticated access - connections without credentials, good for testing
  • To modify security settings on the server r-click the server icon in the Routing and Remote Access console and select Properties - Security tab
  • To modify security settings on the client select the connection properties and then the Security tab
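The CHAP bullet above says two things that are easier to see in code: the password itself is never sent (only an MD5 hash of it mixed with a challenge), and the server can only check that hash if it can read the clear-text password back, which is why reversible storage has to be enabled for CHAP accounts. The following Python is an added example written for this guide; it is not the guide's code and not how Windows RRAS exposes its CHAP implementation. It follows RFC 1994 for the response calculation and RFC 1334 for the PAP contrast; the user name, secret and challenge bytes are constructed.

```python
import hashlib
import hmac
import os

# Constructed server-side credential store. CHAP verification needs the clear-text secret,
# which is why the guide says reversible password storage must be enabled for CHAP accounts.
USER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_challenge(length=16):
    """Server step 1: a fresh random challenge for every attempt, so a captured response cannot be replayed."""
    return os.urandom(length)


def chap_response(identifier, secret, challenge):
    """Client step 2 (RFC 1994): MD5(Identifier || secret || Challenge); the secret itself never goes on the wire."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(username, identifier, challenge, response):
    """Server step 3: recompute from the stored secret and compare in constant time."""
    secret = USER_SECRETS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(username, client_secret, identifier=1, challenge=None):
    """Run both sides; returns (success, challenge, response) so the on-wire values can be inspected."""
    challenge = challenge if challenge is not None else chap_challenge()
    response = chap_response(identifier, client_secret, challenge)
    return chap_verify(username, identifier, challenge, response), challenge, response


def pap_credentials(username, password):
    """For contrast: PAP's Authenticate-Request carries the password itself (RFC 1334 layout)."""
    return bytes([len(username)]) + username.encode() + bytes([len(password)]) + password.encode()


if __name__ == "__main__":
    ok, challenge, response = chap_exchange("alice", USER_SECRETS["alice"], identifier=7)
    print("CHAP on the wire:", challenge.hex(), "->", response.hex(), "accepted:", ok)
    print("PAP on the wire: ", pap_credentials("alice", "correct horse battery staple"))
```

Note what the server stores and what it sees on the wire: with CHAP the password must be recoverable on the server (the guide's reversible encryption setting) but never appears in traffic; with PAP the opposite holds. Neither protects the connection data that follows, which is the other distinction the guide's list draws.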
[5.9] Authorizing remote access
  • After a remote connection has been authenticated, i.e. the user credentials have been verified, the user has to be granted access to resources, a process known as authorization.
  • User dial-in properties for both dial-in and VPN connections are accessed from the user properties dialog box, Dial-in tab
  • From the Dial-in tab the administrator can set the following options:
    • Remote access permission can be set to allow, deny or control through Remote Access Policy.
      • The Remote Access Policy option is available when the domain functional level is set to Windows 2000 native or higher. The allow access and deny access options override the options set in the remote access policy. However, when allow is set the remote access profile is still read and applied; thus, for example, the logon hour restrictions set in the remote access policy will apply if allow access is set and logon hour restrictions are supplied.
      • The remote access policy option is not available in AD Windows 2000 mixed mode. In this mode the allow access action corresponds to control through access policy. By default, the allow permission is set.
    • The caller ID can be verified if the phone system supports it.
    • Callback options can be set to no callback (default), always callback to a specified number, and set by user. Callback requires Link Control Protocol (LCP) extensions to be enabled, which is the default setting. During the initial call to the server only authentication information is passed.
    • You can also assign the user a static IP address and define static routes
  • Remote Access Policy is the preferred way to control authorization of users. It is a set of permissions and restrictions that is processed by the remote access authenticating server and applies only to remote access connections. It is a separate entity from Group Policy and lives on the Routing and Remote Access server.
  • By default there are two remote access policies created that can be read by either RADIUS or Routing and Remote Access servers and are written to the local hard drive
    • The 'Connections to Microsoft Routing and Remote Access Server' policy is set to match every connection except the non-Microsoft network access server type
    • The 'Connections to Other Access Servers' policy matches every connection. Due to the ordering, the first policy is evaluated first.
  • You can restrict a policy to members of a group. Only members of global security groups can serve as a remote policy condition; no local or universal groups will do.
  • Each policy has an associated policy profile which the administrator can edit. It has Dial-in Constraints, IP, Multilink, Authentication, Encryption and Advanced tabs
  • On the Dial-in Constraints tab you can restrict the amount of time a connection can last, the specific connection phone number, the media type and the time of day
  • On the IP tab you can set who supplies the IP address, client or server, static address assignment and packet filters
  • The Multilink tab allows the administrator to link multiple modems together; the Bandwidth Allocation Protocol (BAP) can be used to control when extra lines are connected and when they are dropped
  • On the Authentication tab you can specify protocols such as CHAP; by default MS-CHAP and MS-CHAP v2 are enabled
  • On the Encryption tab the security administrator can choose RSA or DES encryption. There are four different settings:
    • No encryption - no security
    • Basic Encryption (MPPE 40bit) - used for dial-up and PPTP VPN connections; 56bit for L2TP/IPSec
    • Strong Encryption (MPPE 56bit) - used for dial-up and PPTP VPN connections; for L2TP/IPSec VPN 56bit DES is used
    • Strongest Encryption (MPPE 128bit) - used for dial-up and PPTP VPN connections; for L2TP/IPSec VPN 168bit 3DES is used
  • On the Advanced tab one sets settings readable only by a RADIUS server (not readable by R&R access)
  • To enable remote users to connect to resources outside the Remote Access server you need to configure RAS as a router. Make sure the routing option is selected in the server properties and check that IP Routing is selected on the IP tab of the server properties. If you want to use NetBIOS name resolution without WINS, enable it on the IP tab as well.
  • When there are no remote access policies (all have been deleted) and the user is set to use remote access policy, user access is denied.
[5.10] Configuring VPN
  • A virtual private network (VPN) is a logical point-to-point link built on top of a shared or public network such as the Internet: traffic is encapsulated in a tunnel and, with PPTP or L2TP/IPSec, encrypted, so the public path behaves like a private one.
  • VPNs are used to connect remote users securely to a network, or to connect two remote network segments to each other.
  • There are two distinct VPN deployment environments:
    • Basic remote access VPN: a client PC connects to the VPN server. On the server a remote access policy grants access to a global Telecommuters security group (create it first) with the NAS-Port-Type condition set to Virtual (VPN). On the client the end user creates the connection with the New Connection Wizard.
    • Extranet, also known as router-to-router (site-to-site) VPN: two networks are connected through servers running Routing and Remote Access. Authorization is based on demand-dial interfaces, not on individual users' credentials. Each demand-dial interface is configured with a user name, password and domain; the user name the calling router presents must be identical to the name of the demand-dial interface on the answering router, which is how the answering router ties the incoming call to the right interface. Access is controlled through remote access policy as above. For a useful extranet, routes must also be set up so traffic for the remote segment is directed over the tunnel.
  • When a user attempts a VPN connection, the network administrator should make sure the following conditions are met:
    • There are enough ports of the appropriate VPN type
    • There is no conflict between the remote access policy and the remote access server settings
    • The client has the appropriate permissions and the client and server have at least one authentication protocol in common; the remote access server, or the IAS server if RADIUS is used, must be a member of the RAS and IAS Servers security group
    • The encryption strength is the same across the board (remote access policy profile and remote access server)
    • If MS-CHAP (v1) is used, the user password must be 14 characters or less, because its LAN Manager-compatible response cannot represent longer passwords
  • For router-to-router VPN connections the network administrator must make sure the following additional conditions are met:
    • Both ends are configured as routers with demand-dial routing enabled
    • IP routing is enabled and static routes (or a routing protocol) are in place for the remote subnets
  • If the VPN server role is chosen in the Routing and Remote Access setup wizard, 128 ports of each type (PPTP and L2TP) are created; each port carries a single connection. If the VPN role is not chosen, 5 ports of each type are created. Windows Server 2003 supports 1000 connections of each type, which is the maximum number of ports you can configure.
  • For routing over persistent links RIP can be used, with its announcement interval raised above the default 30 s. For dial-up (demand-dial) connections autostatic routes are the better choice: RIP is used once to learn the remote routes, which are then stored as static routes, so periodic announcements do not keep bringing the link up.
[5.11] PPTP and L2TP/IPSec
  • PPTP connections are easier to set up and configure, but they are considered less secure than L2TP/IPSec connections; the extra security of L2TP/IPSec comes at the price of more setup (certificates or a pre-shared key).
  • PPTP (MPPE) provides confidentiality only: there is no integrity check, so no proof that the data was not modified in transit. L2TP/IPSec with ESP provides both.
  • In a remote access policy the NAS-Port-Type condition Virtual (VPN) matches every VPN connection, PPTP and L2TP alike; to separate the two, add the Tunnel-Type condition (PPTP or L2TP).
  • PPTP VPNs are appropriate when remote users cannot use certificates to establish the connection.
  • In an L2TP/IPSec connection, L2TP provides the tunnel while Encapsulating Security Payload (ESP), a feature of IPSec, provides the encryption and integrity protection.
  • L2TP/IPSec connections authenticate both the computer and the user. Computer authentication happens first, as part of IPSec (IKE), normally with certificates whose purpose is Client Authentication or IPSec; user authentication then happens inside the tunnel with a PPP authentication protocol.
  • When both ends support it (Windows Server 2003 server, Windows XP or Windows Server 2003 client), computer authentication can use a pre-shared key instead of certificates. This is less secure than certificates: the same key is shared by every client and is stored in plain text in the server and client configuration, so it is suitable for testing only.
  • If EAP-TLS is used for user authentication, user certificates must be installed on all clients and a computer certificate on the authenticating server (the IAS server, if RADIUS is used).
  • An administrator can disable L2TP/IPSec connections by setting the number of L2TP ports to 0; this cannot be done for PPTP ports (they can only be reduced to 1).
  • PPTP uses MPPE for encryption; the link between the two ends is treated as a PPP connection. The PPP frame is encrypted and wrapped in a Generic Routing Encapsulation (GRE) header, so firewalls must pass TCP 1723 and IP protocol 47 (GRE).
  • L2TP encryption is provided by the Encapsulating Security Payload (ESP) protocol of IPSec; firewalls must pass UDP 500 (IKE) and IP protocol 50 (ESP), plus UDP 4500 when NAT traversal is used.
[5.12] Configuring IAS, Microsoft RADIUS
  • Internet authentication service (IAS) is Microsoft's implementation of RADIUS
  • RADIUS is used to centralize remote access authentication, authorization and accounting; the RADIUS server and its clients (the access servers) talk the RADIUS protocol over UDP. RADIUS is an open standard (RFC 2865/2866), so Microsoft's implementation is not required on either side.
  • A RADIUS server group is a set of RADIUS servers among which a RADIUS proxy balances network access requests.
  • A RADIUS proxy can also route requests to the appropriate RADIUS server based on the realm portion of the user name in the request.
  • The administrator configures the Routing and Remote Access server as a RADIUS client. This is done on the Security tab of the server's properties in the Routing and Remote Access console.
  • To configure it, open the server properties in the Routing and Remote Access console and select the Security tab, where RADIUS can be chosen as the Authentication provider and/or the Accounting provider.
  • After choosing the role(s) RADIUS is to take, click Configure to add RADIUS servers; the following options are available for each server:
    • Secret - the shared secret, a password known to both the access server and the RADIUS server. It keys the Response Authenticator and the Message-Authenticator and hides User-Password in transit, so use a long random secret, different for each RADIUS client.
    • Time-out - how long to wait for the RADIUS server before trying the next one
    • Initial score - the starting score used to order servers when several are configured; higher-scoring servers are tried first
    • Port - default UDP 1812 for authentication and UDP 1813 for accounting (older servers use 1645 and 1646)
    • Always use message authenticator - adds the Message-Authenticator attribute (RFC 2869), an HMAC-MD5 over the whole RADIUS message keyed with the shared secret. An Access-Request carries only a random Request Authenticator and is otherwise unauthenticated, so a server with this option enabled discards requests that lack a valid Message-Authenticator; it is always required when EAP is used.
  • This is the interaction between RADIUS and the other servers and clients:
    • VPN, wireless and dial-up clients connect to one of possibly many network access servers (Routing and Remote Access servers, wireless access points), where they must be authenticated and authorized.
    • The network access server is configured to use RADIUS for that purpose and forwards the credentials to the RADIUS server using the RADIUS protocol.
    • If the network is large and there are multiple RADIUS servers, the network access server sends the request to a RADIUS proxy, which forwards it to the correct RADIUS server (or server group) based on the realm name.
    • A RADIUS proxy is used for load balancing and for environments with multiple realms that have distinct security settings.
  • To configure a Windows Server 2003 computer as a RADIUS server, the network administrator does three things:
    • Install the Internet Authentication Service networking component
    • Register the IAS server in Active Directory
    • Add the RADIUS clients (each access server, with its address and shared secret) in the Internet Authentication Service console
  • Registering the IAS server in AD (Action > Register Server in Active Directory, or netsh ras add registeredserver) makes it a member of the RAS and IAS Servers security group, which is what allows it to read users' dial-in properties.
  • The administrator can back up, restore and migrate the IAS configuration from the command line with the netsh aaaa context: netsh aaaa show config > ias.txt exports it, and netsh exec ias.txt imports it on the target server.
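The 'Always use message authenticator' option above is easiest to understand from the bytes. The following PowerShell is an added example, not part of the original guide and not IAS code: it builds a RADIUS Access-Request carrying a Message-Authenticator attribute (RFC 2869), verifies it the way a server with the option enabled would, and checks the Response Authenticator of an Access-Accept (RFC 2865). The shared secret, packet identifier, user name and Request Authenticator are constructed values; a real client would send the packet over UDP 1812.

```powershell
# Added example, not from the guide or from IAS: RADIUS packet authentication
# with the shared secret. The secret, identifier, user name and Request
# Authenticator below are constructed values.
$Secret = [System.Text.Encoding]::ASCII.GetBytes('constructed-shared-secret')

function Get-Md5([byte[]]$Data) {
    return ,([System.Security.Cryptography.MD5]::Create().ComputeHash($Data))
}

function Get-HmacMd5([byte[]]$Key, [byte[]]$Data) {
    $hmac = New-Object System.Security.Cryptography.HMACMD5 -ArgumentList (,$Key)
    return ,$hmac.ComputeHash($Data)
}

function Test-BytesEqual([byte[]]$A, [byte[]]$B) {
    # Demo-only comparison; production code should compare in constant time.
    return ([BitConverter]::ToString($A) -eq [BitConverter]::ToString($B))
}

function New-RadiusAttribute([byte]$Type, [byte[]]$Value) {
    # Type(1) Length(1, includes these two header bytes) Value
    $ms = New-Object System.IO.MemoryStream
    $ms.WriteByte($Type)
    $ms.WriteByte([byte](2 + $Value.Length))
    $ms.Write($Value, 0, $Value.Length)
    return ,$ms.ToArray()
}

function New-RadiusPacket([byte]$Code, [byte]$Id, [byte[]]$Authenticator, [byte[]]$Attributes) {
    # Code(1) Identifier(1) Length(2, big-endian) Authenticator(16) Attributes
    $len = 20 + $Attributes.Length
    $ms = New-Object System.IO.MemoryStream
    $ms.WriteByte($Code)
    $ms.WriteByte($Id)
    $ms.WriteByte([byte]($len -shr 8))
    $ms.WriteByte([byte]($len -band 0xFF))
    $ms.Write($Authenticator, 0, 16)
    $ms.Write($Attributes, 0, $Attributes.Length)
    return ,$ms.ToArray()
}

function New-AccessRequest([byte]$Id, [string]$User, [byte[]]$RequestAuthenticator) {
    # Attribute 1 = User-Name. Attribute 80 = Message-Authenticator (RFC 2869):
    # sent as 16 zero bytes, then replaced by HMAC-MD5(secret, whole packet).
    $attrs = [byte[]]((New-RadiusAttribute 1 ([System.Text.Encoding]::ASCII.GetBytes($User))) +
                      (New-RadiusAttribute 80 (New-Object byte[] 16)))
    $pkt = New-RadiusPacket 1 $Id $RequestAuthenticator $attrs   # code 1 = Access-Request
    $mac = Get-HmacMd5 $Secret $pkt
    [Array]::Copy($mac, 0, $pkt, $pkt.Length - 16, 16)           # the MA attribute is last
    return ,$pkt
}

function Test-MessageAuthenticator([byte[]]$Packet) {
    # What "Always use message authenticator" makes the server do: find
    # attribute 80, zero its value, recompute the HMAC and compare.
    $copy = [byte[]]$Packet.Clone()
    $pos = 20
    $mac = $null
    while ($pos + 2 -le $copy.Length) {
        $type = $copy[$pos]
        $alen = $copy[$pos + 1]
        if ($alen -lt 2) { return $false }                   # malformed attribute
        if ($type -eq 80 -and $alen -eq 18) {
            $mac = [byte[]]$copy[($pos + 2)..($pos + 17)]
            [Array]::Clear($copy, $pos + 2, 16)
        }
        $pos += $alen
    }
    if ($null -eq $mac) { return $false }   # missing: discard, the request is unauthenticated
    return (Test-BytesEqual $mac (Get-HmacMd5 $Secret $copy))
}

function New-AccessAccept([byte]$Id, [byte[]]$RequestAuthenticator, [byte[]]$Attributes) {
    # Response Authenticator = MD5(Code + Id + Length + RequestAuth + Attributes + Secret)
    $pkt  = New-RadiusPacket 2 $Id $RequestAuthenticator $Attributes   # code 2 = Access-Accept
    $auth = Get-Md5 ([byte[]]($pkt + $Secret))
    [Array]::Copy($auth, 0, $pkt, 4, 16)
    return ,$pkt
}

function Test-ResponseAuthenticator([byte[]]$Response, [byte[]]$RequestAuthenticator) {
    # The client proves the reply came from a holder of the secret and belongs
    # to its own request (the request authenticator is mixed into the hash).
    $received = [byte[]]$Response[4..19]
    $copy = [byte[]]$Response.Clone()
    [Array]::Copy($RequestAuthenticator, 0, $copy, 4, 16)
    return (Test-BytesEqual $received (Get-Md5 ([byte[]]($copy + $Secret))))
}

# Walk-through with constructed values
$reqAuth = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($reqAuth)
$request = New-AccessRequest 7 'alice' $reqAuth
if (-not (Test-MessageAuthenticator $request)) { throw 'valid request rejected' }
$request[22] = [byte][char]'b'                                # tamper with the user name
if (Test-MessageAuthenticator $request) { throw 'tampered request accepted' }
$accept = New-AccessAccept 7 $reqAuth (New-RadiusAttribute 6 ([byte[]](0, 0, 0, 2)))  # Service-Type = Framed
if (-not (Test-ResponseAuthenticator $accept $reqAuth)) { throw 'valid reply rejected' }
'RADIUS authenticator checks passed'
```

Two points the code makes visible: without the Message-Authenticator, an Access-Request is only as trustworthy as its source address, because the Request Authenticator is random and unkeyed; and the Response Authenticator binds a reply to the secret and to the request it answers, which is why the secret must be unique per RADIUS client and hard to guess.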
[5.13] Other points
  • AppleTalk routing is supported on Windows server 2003
  • IPX routing was supported on Windows server 2000 but is no longer supported on Windows server 2003
  • To list all running services with the processes hosting them use tasklist /svc. A user account must be granted the 'Log on as a service' user right for services to run in its context.
  • Remote access account lockout is configured in the registry on the authenticating server (the remote access server, or the IAS server when RADIUS is used), under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout:
    • To turn lockout on, set MaxDenials (DWORD) to 1 or greater: the number of failed attempts allowed before the account is locked out for remote access. ResetTime (mins) (DWORD) controls how long the failed-attempt count, and the lockout, persist (default 2880 minutes, i.e. 48 hours).
    • Each locked-out account is recorded as a subkey named domain name:user name under AccountLockout; to reset a locked-out account, delete that subkey.
    • This lockout is separate from the domain account lockout policy and applies only to remote access. Because anyone who knows a user name can trigger it deliberately, choose MaxDenials and ResetTime with that denial of service in mind.
  • To set up a remote access client, the operator uses the New Connection Wizard from Network Connections in Control Panel.
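The registry settings above, as an added PowerShell example that is not part of the guide. Key and value names are those documented for Windows Server 2003; the threshold, reset time and the sample account name CONTOSO:alice are constructed.

```powershell
# Added example, not from the guide: enable remote access account lockout and
# list or clear locked-out accounts. Run it on the server that authenticates
# (the RRAS server, or the IAS server when RADIUS is used). The threshold,
# reset time and the sample account name are constructed.
$Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'
$RegKey = 'HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

# MaxDenials: failed attempts allowed before lockout (0 = disabled, the default).
# "ResetTime (mins)": how long the failure count and the lockout last (default 2880 = 48 h).
# Keep both modest: anyone who knows a user name can lock that user out on purpose.
Set-ItemProperty -Path $Key -Name 'MaxDenials'       -Value 5  -Type DWord
Set-ItemProperty -Path $Key -Name 'ResetTime (mins)' -Value 30 -Type DWord

function Get-RasLockedOutAccount {
    # Each locked-out account is a subkey named DOMAIN:user under AccountLockout.
    Get-ChildItem -Path $Key | ForEach-Object { $_.PSChildName }
}

function Reset-RasLockedOutAccount([string]$Account) {
    # The colon in the subkey name confuses PowerShell's path parser, so use reg.exe.
    & reg.exe delete "$RegKey\$Account" /f
}

Get-RasLockedOutAccount
# Reset-RasLockedOutAccount 'CONTOSO:alice'
Restart-Service -Name RemoteAccess    # values are read at service start (use IAS on an IAS server)
```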

Part 6: Managing network infrastructure and security

[6.1] Network Security protocols
  • Authentication: Kerberos, and NTLM for backward compatibility only
  • Authorization: Kerberos and NTLM (strictly, both protocols only authenticate; Windows authorizes with the access token built from the result)
  • Confidentiality: the encryption parts of Kerberos, IPSec and NTLM
  • Integrity: parts of Kerberos, IPSec and NTLM
  • Non-repudiation: Kerberos and IPSec (proof of who sent and received the message). Caveat: both rely on shared symmetric keys, so either party could have produced a given message; true non-repudiation needs digital signatures, as in S/MIME or a PKI-based scheme.
[6.2] Using security templates
  • The Security Templates snap-in points by default to the %systemroot%\security\templates folder. More templates (defltsv.inf, defltdc.inf and others) are stored in %systemroot%\inf; copy them to the templates folder to view them with this snap-in.
  • The administrator should create one master template for all computers and additional role-based templates for servers. It is good practice to create rollback templates before applying new templates.
  • These are the default templates available with Windows Server 2003:
    • Setup security.inf - the default settings applied to the machine at installation (do not deploy it through Group Policy: it is large and contains file-system ACLs)
    • Compatws.inf - relaxes permissions for the Users group so applications not certified for Windows XP/2003 can run without making users Power Users (not for domain controllers)
    • Secure*.inf (securews.inf, securedc.inf) - the recommended security settings in all areas except files, folders and registry keys
    • Hisec*.inf (hisecws.inf, hisecdc.inf) - high security for network communication: SMB signing and NTLMv2 are required, so an XP/2003 computer can only communicate with other Windows 2000/XP/2003 computers (not Windows 95/98/Me, whose DC-client communication cannot meet these requirements)
    • Rootsec.inf - reapplies the default root directory permissions introduced in Windows XP, without overriding explicit permissions on child objects
    • Notssid.inf - removes the default permissions granted to the Terminal Server SID
    • DC security.inf - the default security settings for a domain controller
    • Iesacls.inf - registry permissions on the keys relevant to Internet Explorer; the Everyone group gets full control
    • Securedc.inf - the Secure*.inf template for domain controllers; tightens account policies and applies LAN Manager authentication restrictions
    • Defltsv.inf - the default server template used during installation
    • Defltdc.inf - the default domain controller template applied during dcpromo
  • A template does nothing until it is applied: with the Security Configuration and Analysis snap-in, with secedit, or by importing it into the Security Settings of a Group Policy object.
  • The administrator can compare the current security settings of a computer against a baseline template with the Security Configuration and Analysis snap-in; an analysis is also the way to compare what two templates would set.
  • When importing a template into the analysis database the administrator must choose whether to 'clear the database'. If it is cleared, only the settings in the template being imported are in the database. If it is not cleared, the import merges with what is already there:
    • If a setting is defined in the new template but not in the old one, the new setting is used
    • If a setting is defined in the old template but not in the new one, the setting stays as it is
    • If a setting is in both the new and the old template, the new setting takes precedence over the old one
  • Secedit is the command line version of the Security Configuration and Analysis snap-in: secedit /analyze compares the computer to a template, secedit /configure applies one (/overwrite corresponds to clearing the database, /areas limits which parts are applied), secedit /export writes the current settings to a template and secedit /generaterollback creates a rollback template.
  • It is good practice never to modify the default templates; instead copy them to a separate location and modify the copies.
  • The administrator can also modify a security template by editing the .inf file directly.
  • The IP Security and Public Key policies cannot be modified through a security template; they are set directly in Group Policy.
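The rollback, analyze and apply steps above as an added example in PowerShell, not from the guide: it drives secedit the way the snap-in does, using the switches documented for Windows Server 2003. The template, database and log paths are assumed.

```powershell
# Added example, not from the guide: the secedit workflow behind the Security
# Configuration and Analysis snap-in. Paths and the template name are assumed;
# the template is a copy of a default one, edited in a separate folder.
$Template = 'C:\SecTemplates\memberserver-v1.inf'
$Db       = 'C:\SecTemplates\memberserver.sdb'
$Log      = 'C:\SecTemplates\memberserver.log'
$Rollback = 'C:\SecTemplates\memberserver-rollback.inf'

# 1. Capture what the template would change, so the change can be undone later.
secedit /generaterollback /db $Db /cfg $Template /rbk $Rollback /log $Log /quiet

# 2. Import into a fresh database (/overwrite is "clear the database" in the
#    snap-in) and compare the machine against the template. Differences are
#    written to the log as "Mismatch" entries.
secedit /analyze /db $Db /cfg $Template /overwrite /log $Log /quiet
Select-String -Path $Log -Pattern 'Mismatch|Not Configured' | Select-Object -First 20

# 3. Apply only the areas this template is meant to set (others: REGKEYS,
#    FILESTORE, SERVICES).
secedit /configure /db $Db /cfg $Template /overwrite /areas SECURITYPOLICY USER_RIGHTS GROUP_MGMT /log $Log /quiet

# 4. Confirm it stuck: a second analysis should report no mismatches in those areas.
secedit /analyze /db $Db /cfg $Template /log $Log /quiet
Select-String -Path $Log -Pattern 'Mismatch'

# Undo, if needed: apply the rollback template generated in step 1.
# secedit /configure /db $Db /cfg $Rollback /overwrite /log $Log /quiet
```

Note that a rollback template only covers settings the applied template defined; settings that Group Policy re-applies at the next refresh will come back regardless, which is why local templates and GPO-delivered settings should not overlap.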
[6.3] IPSec protocol
  • IPSec is natively supported on Windows 2000, XP and Server 2003; a legacy L2TP/IPSec VPN client is available for Windows NT 4.0, 98 and Me.
  • IPSec can be used to encrypt (and integrity-protect) traffic, to permit traffic to enter or leave the computer, and to block traffic from entering or leaving the computer.
  • IPSec can be monitored, if the IPSec Services service is running, with the IP Security Monitor snap-in (in Windows 2000, the ipsecmon.exe utility). The monitor has Main Mode and Quick Mode nodes, matching the two IKE phases: main mode negotiates the protected channel between the peers, quick mode negotiates the IPSec security associations for the actual traffic.
  • An IPSec policy is a set of rules. Each rule combines a filter list (filters describing traffic by address, protocol and port) with exactly one filter action, which is Block, Permit or Negotiate security, plus an authentication method. A policy can have many rules, but each rule has only one filter action.
  • IKE (Internet Key Exchange) is the protocol that opens the first secure channel: the peers authenticate each other (Kerberos, certificate or pre-shared key) and run a Diffie-Hellman exchange, so the master key is derived separately on each computer and never travels over the network.
  • Negotiation is the process of determining which IPSec protocol (AH, ESP) and which specifics, such as algorithms and key strength, will be used.
  • Offloading IPSec cryptography to a capable NIC is supported for better server performance.
  • Netsh is a command line tool for displaying and modifying local and remote network configuration, and is what administrators use for scripting. Its ipsec context has two modes: static, which edits stored policies, and dynamic, which works on the running state. To show all IPSec settings use netsh ipsec static show all.
  • IP Security Monitor shows IPSec traffic statistics under many different counters.
  • Netcap.exe is a command line utility from the Support Tools that captures network traffic to a file; it runs on Windows XP and Windows Server 2003 without Network Monitor being installed.
  • Routers pass IPSec traffic through, but firewalls and packet filters need to be configured for it: UDP 500 for IKE, IP protocol 50 for ESP and 51 for AH, and UDP 4500 when NAT traversal (NAT-T) is used.
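An added example, not from the guide, of building and assigning a local IPSec policy with netsh ipsec static: one rule that blocks, one that negotiates security with Kerberos authentication. The policy, filter list, filter action and rule names and the 10.0.0.0/24 server subnet are assumed.

```powershell
# Added example, not from the guide: a local IPSec policy built with
# "netsh ipsec static". Names and the 10.0.0.0/24 server subnet are assumed.
netsh ipsec static add policy name=ServerHardening assign=no

# Rule 1: block inbound Telnet (any source -> this host, TCP 23).
netsh ipsec static add filterlist name=InboundTelnet
netsh ipsec static add filter filterlist=InboundTelnet srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=23 mirrored=yes
netsh ipsec static add filteraction name=Drop action=block
netsh ipsec static add rule name=BlockTelnet policy=ServerHardening filterlist=InboundTelnet filteraction=Drop

# Rule 2: SMB (TCP 445) from the server subnet must be negotiated with IPSec,
# authenticated with Kerberos (so only domain members can talk SMB to us).
#   soft=no   - never fall back to clear text if the peer cannot do IPSec
#   inpass=no - do not accept unsecured inbound packets while negotiating
netsh ipsec static add filterlist name=SmbFromServers
netsh ipsec static add filter filterlist=SmbFromServers srcaddr=10.0.0.0 srcmask=255.255.255.0 dstaddr=me protocol=tcp srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filteraction name=RequireSecurity action=negotiate soft=no inpass=no
netsh ipsec static add rule name=ProtectSmb policy=ServerHardening filterlist=SmbFromServers filteraction=RequireSecurity kerberos=yes

# Assign it. Only one local policy can be assigned at a time, and an IPSec
# policy assigned through a domain GPO overrides the local one.
netsh ipsec static set policy name=ServerHardening assign=yes

# Verify: the stored policy, then the security associations actually negotiated
netsh ipsec static show policy name=ServerHardening level=verbose
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```

The negotiate filter action is left with the default security method list, which includes AH-only and DES offers; in a real policy trim it to ESP with 3DES and SHA1 (in the snap-in, or with the qmsecmethods parameter of add filteraction) so a peer cannot negotiate down.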
[6.4] Kerberos protocol
  • The Kerberos protocol is used for authentication. It is superior to the older NTLM protocol and is the preferred protocol in Windows 2000, XP and Server 2003. It is defined in RFC 1510 (since superseded by RFC 4120).
  • The time difference between server and client is the clock skew; by default, if the difference is more than 5 minutes, Kerberos authentication fails (the client may then fall back to NTLM). Client and DC computers synchronize their clocks only if the difference between them is less than 30 minutes.
  • Kerberos uses port 88 (UDP, and TCP when the message is too large for a datagram). The client requests a ticket-granting ticket (TGT) from the DC, which acts as the Key Distribution Center.
  • A Kerberos service ticket (user ticket) is granted so the user can use a specific service. Tickets are cached and can be reused and renewed; if a ticket cannot be renewed, a new one is issued.
  • The TGT is stored in the Kerberos ticket cache, which can be viewed and analysed with kerbtray.exe from the Support Tools
  • To list the tickets in the cache from the command line use klist.exe from the Support Tools (klist tickets; klist purge empties the cache)
  • The administrator can use the netdiag utility to run network tests, one of which is a Kerberos test (netdiag /test:kerberos)
  • To have Kerberos logons recorded in the event log, auditing must be enabled for logon events and account logon events.
  • The administrator cannot turn NTLM authentication off completely. For example, NTLM is still used when drives are mapped by IP address instead of by computer name, because no service principal name can be built from an address.
  • Ksetup - command line tool used to configure Kerberos for a non-Windows realm: set up a realm entry, set the computer's password in the Kerberos realm and set up mappings from local accounts to Kerberos accounts
  • Ktpass - command line tool used to configure a non-Windows Kerberos service as a security principal in AD (maps a service principal name to an account and writes a keytab file)
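The tools listed above, combined into one added troubleshooting sequence in PowerShell that is not part of the guide. The DC name dc01.contoso.local, the service principal HTTP/web01.contoso.local and the account svc-web01 are assumed.

```powershell
# Added example, not from the guide: checks to run when Kerberos logon fails
# and NTLM is used instead. The DC, service and account names are assumed;
# klist, kerbtray, netdiag and ktpass come from the Windows Server 2003
# Support Tools.
$Dc = 'dc01.contoso.local'

# 1. Clock skew: the KDC rejects requests when client and DC differ by more
#    than the 5-minute default. Offsets are printed in seconds.
w32tm /stripchart /computer:$Dc /samples:3 /dataonly
w32tm /resync                      # bring the local clock back within tolerance

# 2. Ticket cache: no TGT (krbtgt/REALM) means the client never got Kerberos
#    to work and fell back to NTLM.
klist tgt
klist tickets
klist purge                        # drop cached tickets after fixing a problem

# 3. Kerberos-specific network test
netdiag /test:kerberos /v

# 4. Make a non-Windows service a security principal in AD: map the SPN to an
#    account and write the keytab the service will use (password prompted for).
#    RC4-HMAC-NT rather than DES, unless the service cannot do RC4.
ktpass /princ HTTP/web01.contoso.local@CONTOSO.LOCAL /mapuser svc-web01@contoso.local `
       /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /pass * /out C:\Temp\web01.keytab
```

The keytab contains the service's long-term key; copy it to the service host over a protected channel and restrict read access to the service account, since anyone holding it can impersonate the service.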
[6.5] Network performance monitoring
  • The easiest tool to use is task manager's networking tab
  • If Task Manager does not show the problem, use Performance (System Monitor) with its networking-related performance objects: Network Interface, TCPv4, NBT Connection, RAS Port and RAS Total.
  • Alerts are created when specific counter(s) go above or below a specific value. When an alert is triggered you can do one of the following:
    • You can log alerts in application log
    • Can send a network message
    • Start performance data log
    • Run a program
  • Performance logs and alerts are used to perform long term analysis:
    • Trace logs record detailed system and application events when certain activities occur, such as a disk I/O operation, using the Windows kernel trace provider or another application's provider; the OS writes the event data to a file as the events happen. A parsing tool such as tracerpt is needed to interpret the trace log output.
    • Counter logs sample the counters from the system each time the update interval elapses, rather than waiting for a specific event.
  • Remember that trace logs are event driven and counter logs are interval driven
  • Netstat - this is command line tool used to monitor network connection
[6.6] Performance indicators
  • Memory: Page Faults/sec - a page fault occurs when the referenced page is not in the process's working set. Soft faults (the page is elsewhere in RAM) are cheap and most systems handle large numbers of them, so compare with Memory: Pages/sec, which counts the hard faults
  • Memory: Available Bytes - if less than about 10% of physical memory is available, more is needed (a steady decline suggests an application memory leak)
  • Memory: Pages/sec - pages read from or written to disk to resolve hard page faults; a sustained rate of 20 or more indicates a need for more RAM
  • Paging File: % Usage close to 100 - need a bigger paging file or more RAM
  • PhysicalDisk: % Disk Time above 70% is too high; if paging file usage is excessive as well it indicates more RAM is needed, otherwise the disk is the bottleneck
  • PhysicalDisk: Avg. Disk Queue Length above 2 (per spindle) - check the paging file and physical memory
  • PhysicalDisk: Current Disk Queue Length - a value above 2 indicates a problem
  • Processor: % Processor Time close to 100% - need more CPU power if the situation persists for long periods
  • Server: Files Open indicates how busy the server is; compare to the baseline
  • Server: Bytes Total/sec - indicates network throughput
  • Baselining is the process of determining average/normal system performance. It should be done over a period of 3 to 4 weeks using counter logs.
[6.7] SUS - software update service
  • SUS - Software Update Services - distributes updates to clients; updates must be approved by the administrator before distribution occurs.
  • Minimum client requirements for SUS are Windows XP SP1, or Windows 2000 SP3 or later (the Automatic Updates client that understands an intranet update server).
  • The SUS server is a web application (with an ActiveX-based administration page) running on top of IIS.
  • For SUS to work you point client computers to the SUS server with Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location).
  • You need to install SUS10SP1.exe on the server
  • The server must be running at least IIS 5
  • The SUS administrative virtual directory is http://yourservername/SUSadmin; it is plain HTTP, so restrict who can reach it
  • SUS needs an NTFS volume with at least 100 MB for the package and 6 GB for storing updates; SUS runs from the 'Default Web Site' and stores all data there
  • SUS notifications are shown for administrators only
  • A Pentium III 700 MHz server with 512 MB of RAM can handle up to 15,000 clients
  • The SUS server is not set to synchronize with the Windows Update site by default; the administrator must set a synchronization schedule or synchronize manually
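The client-side configuration above, as an added example that is not from the guide: the policy registry values written by the 'Specify intranet Microsoft update service location' Group Policy setting, set locally with PowerShell on a test machine. The server name http://sus01 and the install schedule are assumed.

```powershell
# Added example, not from the guide: the policy registry values behind the
# "Specify intranet Microsoft update service location" Group Policy setting,
# written locally on a test machine. Server name and schedule are assumed;
# in a domain, set the same values through the GPO rather than the registry.
$Sus = 'http://sus01'   # plain HTTP: keep the SUS server on a trusted network
$Wu  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Au  = "$Wu\AU"

reg add $Wu /v WUServer       /t REG_SZ    /d $Sus /f
reg add $Wu /v WUStatusServer /t REG_SZ    /d $Sus /f   # where clients report status
reg add $Au /v UseWUServer    /t REG_DWORD /d 1    /f   # honour WUServer instead of windowsupdate.com
reg add $Au /v NoAutoUpdate   /t REG_DWORD /d 0    /f   # Automatic Updates enabled
reg add $Au /v AUOptions      /t REG_DWORD /d 4    /f   # 4 = download and install on schedule
reg add $Au /v ScheduledInstallDay  /t REG_DWORD /d 0 /f   # 0 = every day
reg add $Au /v ScheduledInstallTime /t REG_DWORD /d 3 /f   # 03:00

Restart-Service -Name wuauserv   # Automatic Updates re-reads the policy on start
wuauclt /detectnow               # ask the client to contact the SUS server now
```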
[6.8] Other points
  • Runas, also known as secondary logon, requires the Secondary Logon service to be running. This command line utility runs a program in a different user's security context. For example, a network administrator logged on as a regular user needs to run a system utility that requires administrative privileges; instead of logging off and back on as an administrator, the user runs: runas /user:ComputerName\UserName "program name" (or /user:Domain\UserName for a domain account). This is the least-privilege way of doing administrative work.
  • Microsoft Operations Manager (MOM) can be used to collect and archive security logs centrally
  • Service dependencies are shown on the Dependencies tab of a service's properties in the Services console (or with sc qc ServiceName); Dependency Walker (depends.exe) is a GUI program that shows the DLLs a program depends on, not service dependencies
  • What should be audited: both success and failure events in the System event category; success events in the Policy Change category on all DCs; success events in the Account Management category; success events in the Logon category; and success events in the Account Logon category on DCs. Failure audits in Logon and Account Logon are also worth enabling, since they reveal password-guessing attempts.

#932 From: Testking_Mcse@yahoogroups.com
Date: Sun Dec 13, 2009 9:06 am
Subject: File - Microsoft exam 70-290 preparation guide.html

Microsoft exam 70-290 preparation guide

Contents:

Part 1: Installing and upgrading Windows 2003
Part 2: Managing and Maintaining Physical & logical drives
Part 3: Managing users, computers and groups
Part 4: Managing and monitoring access to resources
Part 5: Managing and maintaining a server environment
Part 6: Managing and implementing disaster recovery
Part 7: Active directory primer

Preface

I have written this short preparation guide as a way for myself to ease studying for the Microsoft 70-290 exam titled: "Managing and maintaining Microsoft Windows 2003 server environment". I provide this guide as is, without any guarantees, explicit or implied, as to its contents. You may use the information contained herein in your computer career, however I take no responsibility for any damages you may incur as a result of following this guide. You may use this document freely and share it with anybody as long as you provide the whole document in one piece and do not charge any money for it. If you find any mistakes, please feel free to inform me about them Tom Kitta. Legal stuff aside, let us start.

Guide version 0.13 last updated on 28/05/2004

Part 1: Installing and upgrading Windows 2003

[1.1] Clean install
  • During installation of Windows Server 2003, if you need to load a driver for a storage adapter Windows does not know about, press F6 when prompted
  • You can install to a dynamic disk only if it was converted from a basic disk and still contains the boot or system volume (so an MBR partition entry exists for Setup to use)
  • Product key
    • Retail/OEM - one key per install, product activation required
    • Volume licensing - one key for multiple installations, no activation
    • Product activation is proof of ownership that uses the 25-character key
    • You have 14 days to activate the product; if you run out of time you can still start the server in safe mode (no network)
  • Windows Server 2003 is server software; some modules are disabled by default:
    • No audio service (disabled by default)
    • Limited video acceleration (DirectX off by default)
  • Dynamic Update during installation fetches critical updates only (not drivers) and needs an Internet connection
  • You must have the Unattend.txt or Winnt.sif file (Winnt.sif is the copy of Unattend.txt used when installing from CD) to fully automate a remote installation of Windows Server 2003.
[1.2] Windows editions
  • Standard Edition
    • Maximum of 4 CPUs
    • Maximum of 4 GB of RAM
    • Network Load Balancing
  • Enterprise Edition
    • Available as 32-bit or 64-bit (the 64-bit edition at the time of the guide required Intel Itanium)
    • Hot-add memory capability (on the 32-bit edition only) and clustering
    • Maximum of 32 GB RAM on 32-bit, 64 GB RAM on 64-bit
    • Maximum of 8 CPUs
    • Up to 8 cluster nodes
  • Datacenter Edition
    • Available only from OEMs as part of a qualified hardware system, not as a separate retail product
    • Maximum of 64 CPUs and 512 GB RAM on the 64-bit edition (32 CPUs and 64 GB on 32-bit)
    • Up to 8 cluster nodes
  • Web Edition
    • Up to 2 CPUs and a maximum of 2 GB of RAM
    • Used to host websites and web applications, including DNS; not for non-web applications like SQL Server, and it cannot be a domain controller
    • OEM or volume licensing only, cannot be bought retail
  • XP Professional (for comparison)
    • Minimum Pentium 233 MHz, recommended Pentium II 300 MHz
    • Minimum 64 MB RAM, recommended 128 MB
    • Minimum 1.5 GB of free space on the hard disk, recommended 2 GB
[1.3] Hardware requirements
  • CPU minimum 133 MHz (Datacenter Edition 400 MHz), recommended 550-733 MHz
  • RAM minimum 128 MB (Datacenter Edition 512 MB), recommended 256 MB
  • Hard disk minimum 1.5 GB
  • Some Pentium Pro and Pentium II multiprocessor systems have a processor erratum; on these systems multiprocessor support is disabled
[1.4] Licensing
  • To administer Windows Server 2003 licensing for sites or the enterprise, use Licensing in Administrative Tools.
  • The Licensing option in Control Panel manages the licensing mode of a single computer running Windows Server 2003.
  • You must have a Client Access License (CAL) for each device or user that connects to your server.
  • Per Device or Per User licensing mode is the best option if your clients frequently use multiple servers on the network. It is client-side licensing used in enterprises; the number of simultaneous connections to any server is unlimited for every licensed client.
  • Per Server licensing mode is the best option when a server product is installed on only one server accessed at any time by no more than a subset of your users. For example, with 5 CALs, 5 clients can connect to your server on a first come, first served basis.
  • Use license groups when there is a one-to-many, many-to-one or many-to-many relationship between users and devices
  • The License Logging service is needed for license monitoring, not for enforcement
  • If a client PC is used by 10 or fewer users, only 1 device CAL is required
  • With Control Panel licensing you get only one licensing-mode change (from Per Server to Per Device or Per User, not back); with enterprise licensing a mode change loses your licenses
  • You can find your site license server in AD Sites and Services
[1.5] General upgrade points
  • You need at least Windows NT 4.0 SP5 to upgrade to Windows Server 2003
  • You must upgrade to the same or a more capable edition (for example from Windows 2000 Advanced Server to Windows Server 2003 Enterprise Edition; you cannot upgrade it to Standard Edition)
  • If the PC you are upgrading is or will be a domain controller, you need NTFS (among other things, to hold the SYSVOL folder, which stores Group Policy templates)
  • Check the partition size: you need a minimum of 1.5 GB for the Windows Server 2003 installation
[1.6] Upgrading from Windows NT4 to Windows 2003
  • Upgrade the PDC first (Windows Server 2003 then emulates a PDC for the remaining BDCs and older clients). Windows 2000 and XP PCs prefer the Windows Server 2003 DC over NT4 BDCs, which can overload that server; to make it look like an NT4 PDC to them until more DCs are upgraded, set the NT4Emulator value (HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, DWORD NT4Emulator = 1) on the server.
  • Upgrade RAS servers before you upgrade the last BDC: an NT4 RAS server verifies dial-in permission through anonymous (null session) access to a domain controller, which the upgraded domain does not allow by default
  • The AD Installation Wizard starts after the OS upgrade completes (if the PC was a DC). By default the forest functional level is set to Windows Server 2003 interim.
  • NT4 mirror and stripe sets will not mount on Windows Server 2003, so before the upgrade you need to
    • Break the mirror and/or delete the stripe volume (after backing the data up)
    • If you forget, use the ftonline utility to mount the NT mirror or stripe in read-only mode on Windows Server 2003 and copy the data off
[1.7] Upgrading from Windows 2000 to Windows 2003
  • AD was introduced in Windows 2000 to manage authentication and directory data
  • Make sure all Windows 2000 DCs have SP2 or later installed
  • Before the OS upgrade you need to run the adprep utility on the DCs
    • Adprep.exe is located on the Windows Server 2003 CD (i386 folder). Its role is to extend the Windows 2000 AD schema and domain objects with the enhancements needed for Windows Server 2003 DCs to be accepted
    • Run adprep.exe /forestprep first, on the schema master. You need to be a member of both Enterprise Admins and Schema Admins. It is recommended to isolate the schema master from replication during the run, and to have a current system state backup, so a failed schema update can be rolled back.
    • After adprep.exe /forestprep, run adprep.exe /domainprep on the infrastructure master of each domain. You need to be a member of Domain Admins or Enterprise Admins. Make sure the changes from /forestprep have replicated to all DCs before running it.
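The adprep procedure above, with the checks that belong around it, as an added PowerShell example that is not from the guide. The domain name contoso.local and the CD drive letter D: are assumed.

```powershell
# Added example, not from the guide: find the FSMO holders adprep must run on,
# run it from the Windows Server 2003 CD, and confirm replication between the
# two steps. Domain name and CD drive letter are assumed.
$Cd = 'D:'

# /forestprep runs on the schema master, /domainprep on the infrastructure
# master of each domain; dsquery shows which DC holds each role.
dsquery server -forest -hasfsmo schema
dsquery server -domain contoso.local -hasfsmo infr

# On the schema master, as a member of Schema Admins and Enterprise Admins:
& "$Cd\i386\adprep.exe" /forestprep

# Do not run /domainprep until every DC has the new schema. showrepl lists
# the local DC's replication partners and any failures; syncall forces a
# forest-wide sync of all partitions.
repadmin /showrepl
repadmin /syncall /e /A

# On each domain's infrastructure master, as a member of Domain Admins:
& "$Cd\i386\adprep.exe" /domainprep
```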
[1.8] Domain functional levels
  • Forest functional level
    • Affects all domains in the forest
    • Windows 2000 (default) accepts NT4, 2000 and 2003 DCs
    • Windows Server 2003 interim accepts NT4 and 2003 DCs
    • Windows Server 2003 accepts only 2003 DCs
  • Domain functional level
    • Affects only one domain
    • Windows 2000 mixed (default) accepts NT4, 2000 and 2003 DCs
    • Windows 2000 native accepts 2000 and 2003 DCs
    • Windows Server 2003 interim (offered only when an all-NT4 domain is upgraded) accepts NT4 and 2003 DCs
    • Windows Server 2003 accepts only 2003 DCs

Part 2: Managing and Maintaining Physical & logical drives

[2.1] Plug & play
  • For plug & play to operate we need the following:
    • Plug & play BIOS
    • OS that is plug & play capable
    • Device that supports plug & play
  • When Windows finds new hardware but is unable to install it we can go to Device Manager and run troubleshooter as well as look at the error codes
  • Uninstalling the device using 'Device manager' only removes the driver and uninstalls it from the OS (not from the PC!). If the device is not physically removed from the PC, it will be detected the next time PC boots up. To prevent this from happening one must disable the device.
  • When Windows 2003 fails to detect new hardware use 'Add new hardware wizard'
[2.2] Hardware supported
  • Virtual Disk service API for storage systems, SANs (storage area networks)
  • IEEE 1394, RAID, USB 2.0, Video, Sound
  • Wireless supports
    • Wireless and cable network bridging
    • Roaming and autoconfiguration
  • USB 2.0 supports up to 127 devices per bus (root hub) and external hubs nested up to 5 deep. You can see power and bandwidth usage in the root hub's properties.
  • Windows 2003 has the ability to burn CD-R and CD-RW using IMAPI service, however it is disabled by default
  • You will need a decoder for video DVDs (data DVDs are OK)
  • DVD+RW and DVD-RW writing is not supported natively; you need the manufacturer's driver or software
[2.3] Access needed to install new hardware
  • You need to be a member of the Administrators group or have the 'Load and unload device drivers' user right to install new hardware, unless all of the following hold:
    • The driver the hardware uses is signed or has the Designed for Windows logo
    • No further action is required to install the device: Windows does not need to display a user interface and the Add Hardware Wizard is not needed
    • The device driver is already on the system
    • No Group Policy setting prevents you from installing hardware
  • This is how ordinary users can, for example, plug a USB pen drive into the PC without being members of the Administrators group
[2.4] Device Manager can be accessed in 4 ways
  • By going to start -> all programs -> administrative tools -> computer management -> device manager tree selection
  • Control panel -> system -> hardware tab -> device manager button
  • R-click on 'My computer' and select properties ->hardware tab -> device manager button
  • Custom made MMC snap-in
[2.5] Device Manager views
  • Devices by type - when you use this view all network adapters present will be listed under 'network adapters', all disk drives under 'disk drives' etc. This is the default view.
  • Devices by connection - you can for example see what devices are connected to the motherboard on the PCI slot by expanding Standard PC node and expanding PCI bus node.
  • Resources by type - sorts devices by type, i.e. DMA devices, I/O devices, IRQ devices and memory devices. Good for IRQ conflict troubleshooting.
  • Resources by connection - sorts devices by connection instead of type
  • Show hidden devices - shows the non plug and play devices that have been removed from the PC but have installed drivers.
[2.6] Device properties tab
  • General - for example manufacturer and device status
  • Advanced settings - optional, not every device has them. For example, for a network card we could have card link speed selector.
  • Resources tab - shows things like IRQ assignments. You can only edit IRQ if there is a conflict. Also the device has to be plug and play capable.
  • Power management - not applicable to servers
  • Hardware profiles - good mostly for laptops, for example when you have different hardware connected to your PC at the office and at your home office. Can also be used for troubleshooting, since you can limit the hardware in each profile.
[2.7] Driver properties
  • Details of installed driver
  • Update driver
  • Roll back driver (new in Windows 2003)
  • Uninstall driver
  • Driver signing:
    • Harmful driver install prevention
    • HCL - Hardware Compatibility List, to be replaced by Windows Catalog
    • Run d:\i386\winnt32 /checkupgradeonly from the Windows 2003 CD to check hardware compatibility
    • sigverif.exe is used to check drivers from the command line
    • By default the system is set to warn the user when installing an unsigned driver (other options are: ignore and block)
    • Unsigned driver means that the driver was not tested by Microsoft and is not supported by Microsoft. For the most part these drivers are still OK
    • When a driver is signed by Microsoft, both it and the hardware have been tested by Microsoft
  • Some older devices (like CD-ROMs etc.) plug into the LPT port on the PC. You will need to set the LPT port to "Legacy plug and play support" on the port settings tab for older devices to work.
  • The easiest way to solve an embedded device conflict with an add-on device is to disable the onboard device. For example, to use an add-on sound card you will need to disable the onboard sound card
  • Many problems are caused by incorrect drivers, for example a graphics card that displays only 800x600 resolution. Update the driver to solve these problems.
[2.8] HAL - hardware abstraction layer
  • Computer driver that is the interface to the BIOS; the kernel is built on top of this driver
  • You can choose HAL during install by pressing F5
  • Multiple processors - when installing a 2nd processor in a single processor system (UP - uni processor) you will need to update HAL for the CPU from single CPU to multiple CPU (SMP - symmetric multi processor driver)
  • Do not upgrade from standard HAL to ACPI (advanced configuration and power interface) HAL and vice versa
[2.9] Windows update & automatic update
  • 1st appeared in Windows 98
  • Windows 2003 adds scheduling of updates capability
  • To access follow: control panel -> system -> system properties -> automatic update button
  • Can set up Windows update properties via GP settings
    • Specify Intranet Microsoft Update service location
    • Configure automatic updates
    • Reschedule Automatic updates scheduled installations
    • No auto-restart for scheduled automatic updates
[2.10] Printers
  • Printer - the name for the piece of software on your PC
  • Print device - the actual hardware printer
  • Print server - the PC to which a local printer is connected - any Windows PC. It is the computer that sends print jobs to the print device. For a network printer you send jobs to the server as well.
  • Print spooler - also referred to as the print queue; a directory on the print server where jobs are stored prior to being printed
  • Print processor - also known as rendering; the process that determines whether a print job needs further processing once the job has been sent to the spooler
  • Printer pool - configuration that allows one printer to be used for multiple print devices
  • Print driver - piece of software that understands your print device's codes
  • Physical port - port through which a printer is directly connected to the computer, COM or LPT
  • Logical port - port through which a printer with a network card is attached to network, much faster than a physical port
  • Local printer - printer that uses a physical port and has not been shared
  • Network printer - printer that is available to local and network users, can use either physical or logical port
  • Windows server 2003 can be in a "print server" role. In this role the server is set to manage network printers (this includes local printers connected to other PCs which are shared)
  • You can use UNIX (LPR) protocol, for this you will need to add LPR port. LPR is included in "print services" for UNIX, which is installed as a separate component of Windows Server 2003
  • You can also have print services for Macintosh and for Netware
  • Whenever you hear anything that deals with: LPR, LPD, LPQ think UNIX
  • You can load into your Windows 2003 server in "print server" role additional drivers for other Windows versions (Windows 95/98/NT4/2000/XP)
  • You can set printer priority (1-99) as well as printer availability (the times when the printer will be available) for different user groups, as well as access to the print device itself for different user groups and individual users.
  • For network printers that are attached using ethernet cable to the network and use TCP/IP for communication any Windows 2003 server can be a print server provided that it is connected to the same network
    • To implement above you need to create a new TCP/IP port
    • To create a port you will also need IP of the network printer or its share name (so IP can be pulled from active directory)
  • You can print from Windows XP clients to print server computers running a Windows 2003 by using a Uniform Resource Locator (URL). Internet printing uses Internet Printing Protocol (IPP).
  • For example to use different print priority for two groups you need to setup two print devices, restrict their use and set priority on them
  • If you want to know printer utilization track print queue object in system monitor
  • %systemdir%\system32\spool\printers\ is the default location of the spool folder. You should change it if your server serves many printers.
  • A port is defined as the interface that allows the PC to communicate with the print device. Local ports are for print devices attached to the PC directly.
  • Separator pages are used in multi user environments; sample files are found in the %systemroot%\system32\ folder with a .sep ending
  • Print.exe - sends a text file to a printer
  • Net Print - displays information about a specified printer queue, displays information about a specified print job, or controls a specified print job
[2.11] Printer Pooling
  • One printer, multiple print devices
  • Think of it as load balancing for printers, used in larger enterprises
  • Need to use the same driver for all print devices that are members of the pool. Many newer print devices will work with an older driver; use the newest driver that works for the oldest printer.
[2.12] Management of printers using print server role of Windows 2003 server
  • Surf to http://printserver/printers/ where 'printserver' is the name (or IP) of your print server PC
  • Can restrict access to this web interface using group policy
  • For above to work you will need to install IIS 6
[2.13] Redirecting print jobs
  • You can redirect print jobs provided both printers use the same driver
  • When a user has placed into a queue a request to print a document on a print device which failed BEFORE printing commenced, you can redirect printing to another printer
  • To redirect a print job select print device you want jobs redirected from
  • If the new printer is on this print server, just select new port to which the new printer is attached, otherwise
  • Click on 'ports' tab
  • Click on 'add port', select local printer and click on 'new port'
  • Type in UNC share name of the printer you want the job redirected to, in format \\other_print_server\share_name
  • Check the check box next to the port you just created
[2.14] Disk drives
  • SCSI 15000RPM, 20Mbps transfer
  • IDE 7200RPM, 16.7Mbps transfer
  • SATA (similar to IDE)
  • Both SCSI and SATA support up to 15 drives on a single controller
  • IDE drives have 'cable select' option on them which automatically determines master and slave. It is best practice to manually set jumpers for master and slave.
[2.15] ARC path designation (Advanced RISC computing)
  • ARC dates back to NT 3.5 days (in the form presented here, otherwise NT 3.1)
  • The file boot.ini is used to find '\windows\' directory
  • Bootcfg.exe configures, queries, or changes Boot.ini file settings
  • Boot.ini switches:
    • /debug - for debugging (/nodebug)
    • /bootlog - enable boot logging
    • /sos - display driver names while they are being loaded during the Windows boot
  • Please note that Microsoft has changed the default install directory from WINNT to WINDOWS for Windows server 2003. For upgrades we will still use WINNT directory.
  • Multi
    • Identifies the controller the physical disk is on
    • Multi(x) syntax of the ARC path is only used on x86-based computers
    • For IDE or pure SCSI disks when OS is on the 1st or 2nd SCSI drive
    • The Multi(x) syntax indicates to Windows NT that it should rely on the computer's BIOS to load system files. This means that the operating system will be using interrupt (INT) 13 BIOS calls to find and load NTOSKRNL.EXE and any other files needed to boot Windows NT.
    • Numbering starts at 0, for example Multi(0), due to technical reasons it should always be 0
    • In a pure IDE system, the Multi(x) syntax will work for up to the 4 drives on the primary and secondary channels of a dual-channel controller
    • In a pure SCSI system, the Multi(x) syntax will work for the first 2 drives on the first SCSI controller (that is, the controller whose BIOS loads first)
    • In a mixed SCSI and IDE system, the Multi(x) syntax will work only for the IDE drives on the first controller
  • SCSI
    • Identifies the controller the physical disk is on
    • The SCSI(x) syntax is used on both RISC and x86-based computers
    • Using SCSI() notation indicates that Windows NT will load a boot device driver and use that driver to access the boot partition
    • On an x86-based computer, the device driver used is NTBOOTDD.SYS, on a RISC computer, the driver is built into the firmware
    • Numbering starts at 0, for example SCSI(0)
    • Windows NT Setup always uses Multi(x) syntax for these first two drives
  • Disk
    • Identifies the physical disk attached to controller
    • 0 if Multi(x) present, Disk is only for SCSI
    • For SCSI the value of Disk(x) is the SCSI ID and can be 0-15. Note: one of these IDs is always reserved for the controller itself
    • Numbering starts at 0, for example Disk(0)
  • Rdisk
    • Identifies the physical disk attached to controller
    • Almost always 0 if SCSI(x) is present, Rdisk is for Multi(x), ordinal for the disk, usually number 0-3
    • Numbering starts at 0, for example Rdisk(0)
  • Partition
    • Refers to the partition on the hard disk where the Windows system folder is located
    • All partitions receive a number except for type 5 (MS-DOS Extended) and type 0 (unused) partitions, with primary partitions being numbered first and then logical drives
    • A partition is a logical definition of hard drive space
    • Numbering starts at 1, for example Partition(1)
  • Signature
    • Used when system BIOS or controller hosting the boot partition cannot use INT-13 Extensions
    • The signature() syntax is equivalent to the scsi() syntax
    • Using the signature() syntax instructs Ntldr to locate the drive whose disk signature matches the value in the parentheses, no matter which SCSI controller number the drive is connected to
    • The signature() value is extracted from the physical disk's Master Boot Record (MBR)
[2.16] Easy way to memorize ARC
  • There are 5 letters in the word 'Multi' and 5 letters in the word 'Rdisk'
  • There are 4 letters in the word 'SCSI' and 4 letters in the word 'Disk'
  • 'SCSI' works together with 'Disk' while 'Multi' works together with 'Rdisk'
  • When system uses Multi(x) it uses BIOS INT-13 Extensions, so on board BIOS has to be enabled
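The ARC rules above as a small boot.ini parser (added example, not from the guide): it splits each [operating systems] entry into ARC components, description and switches, and flags values that the rules in [2.15] and [2.16] disallow. The sample boot.ini and its disk signature value are constructed for the example.

```python
"""Parse boot.ini entries and check their ARC paths against the rules in
[2.15]/[2.16] (added example, not from the guide)."""
import re

ARC_RE = re.compile(
    r"^(?P<kind>multi|scsi|signature)\((?P<adapter>[0-9a-fA-F]+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)partition\((?P<partition>\d+)\)"
    r"(?P<sysdir>\\.*)?$",
    re.IGNORECASE,
)


def parse_arc_path(arc):
    """Split an ARC path into its parts and list anything that breaks the
    multi()/scsi()/signature() rules summarised in the guide."""
    m = ARC_RE.match(arc.strip())
    if m is None:
        raise ValueError("not an ARC path: %r" % arc)
    kind = m["kind"].lower()
    # signature() carries a hex disk signature; multi()/scsi() a decimal ordinal
    adapter = int(m["adapter"], 16 if kind == "signature" else 10)
    disk, rdisk, part = int(m["disk"]), int(m["rdisk"]), int(m["partition"])
    warnings = []
    if kind == "multi":                      # boot through BIOS INT 13h calls
        if adapter != 0:
            warnings.append("multi(x) should always be 0")
        if disk != 0:
            warnings.append("disk(x) must be 0 when multi() is used")
        if not 0 <= rdisk <= 3:
            warnings.append("rdisk(x) is normally 0-3 with multi()")
    else:                                    # scsi() or the equivalent signature()
        if not 0 <= disk <= 15:
            warnings.append("disk(x) is a SCSI ID and must be 0-15")
        if rdisk != 0:
            warnings.append("rdisk(x) is almost always 0 with scsi()/signature()")
    if part < 1:
        warnings.append("partition(x) numbering starts at 1")
    return {
        "kind": kind, "adapter": adapter, "disk": disk, "rdisk": rdisk,
        "partition": part, "sysdir": m["sysdir"] or "",
        "loader": "BIOS INT 13h" if kind == "multi" else "NTBOOTDD.SYS",
        "warnings": warnings,
    }


def parse_boot_ini(text):
    """Return one dict per line under [operating systems]: the parsed ARC path,
    the quoted description and the list of switches (/sos, /bootlog, ...)."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "operating systems":
            continue                         # [boot loader] keys are not entries
        arc, _, rest = line.partition("=")
        description, _, switches = rest.strip().partition('"')[2].partition('"')
        entry = parse_arc_path(arc)
        entry["description"] = description
        entry["switches"] = switches.split()
        entries.append(entry)
    return entries


# Constructed sample boot.ini; the disk signature value is a made-up placeholder
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /fastdetect /sos
scsi(0)disk(3)rdisk(0)partition(2)\WINNT="Windows 2000 upgrade on SCSI ID 3" /bootlog
signature(8b467c12)disk(3)rdisk(0)partition(2)\WINNT="Same disk located by signature()"
multi(0)disk(2)rdisk(0)partition(1)\WINDOWS="Broken entry: disk(2) with multi()"
"""
```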
[2.17] Disk Management MMC snap-in
  • To activate: start -> all programs -> administrative tools -> computer management -> disk management tree node
  • Another way is to r-click on My computer and select 'manage' from the list
  • Finally you can just create a custom MMC snap-in
  • Using disk management, among other things, you can:
    • Initialize new disks
    • Create new volumes and partitions
  • If you r-click and select properties -> general tab you can see location heading with a number. That number is the ARC number of the HD.
  • If you need a disk formatted in FAT or FAT32 you cannot do it from Disk Management, you need to use: format x: /fs:FAT32. Note: Windows can format FAT32 volumes up to a maximum of 32 GB but can read higher capacity drives
  • DiskPart.exe - you can create scripts to automate tasks, such as creating volumes or converting disks to dynamic.
  • Fsutil.exe - perform many NTFS file system related tasks, such as managing disk quotas, dismounting a volume, or querying volume information.
  • Mountvol.exe to mount a volume at an NTFS folder or unmount the volume from the NTFS folder.
[2.18] Remote management
  • Computer management is not just for the local machine, you can also manage other PCs; to do so r-click on computer management (local) and select 'connect to another pc'
  • By default Domain Admins are part of the local Administrators group and you need these rights to connect to and administer remote PCs
  • If you cannot access Device Manager from the Computer Management extension snap-ins on a remote computer, ensure that the Remote Registry service is started on the remote computer.
  • Computer Management does not support remote access to computers that are running Windows 95.
  • In remote management 'Device Manager' is in read only mode
[2.19] Basic Disks
  • Primary partition is the only one that is bootable and there is a maximum of 4 primary partitions
  • Extended partitions are not bootable
  • Logical drives are created in extended partitions. There are no limits as to the number of logical drives each extended partition may have.
  • Primary partitions and logical drives are assigned drive letters
  • Basic Disk FAT is located on the first sector of the hard disk; space is shared with the MBR
[2.20] Dynamic disks
  • Fault tolerance is better than on basic disks, because the configuration information is stored in multiple places: a 1 MB database placed at the end of each physical hard disk holds information about all dynamic disks in this particular system, so the same data is stored on every dynamic disk.
  • Can be one of the following:
    • Simple volume:
      • Single disk
      • No fault tolerance
      • Can be NTFS or FAT
    • Spanned volume:
      • Maximum of 32 disks
      • Cannot extend spanned volumes, need to delete and recreate
      • No fault tolerance
    • Extended simple volume:
      • Similar to a spanned volume but uses free space on the same physical HD as the simple volume
      • You can extend a simple volume only if it does not have a file system or if it is formatted using the NTFS file system. You also need free space on HD and the volume could not have been originally a basic disk partition.
      • You cannot extend volumes formatted using FAT or FAT32
      • You cannot extend a system volume, boot volume, striped volume, mirrored volume, or RAID-5 volume
    • Mirror volume:
      • Also known as RAID 1
      • Besides a simple volume, the only volume type in Windows 2003 on which both the boot and system partitions can reside
      • Can be NTFS or FAT
      • Fault tolerance, data is the same on both disks
      • To replace the failed mirror in a mirrored volume, right-click the failed mirror and then click Remove Mirror, and then right-click the other volume and click Add Mirror to create a new mirror on another disk
      • A variation of mirroring called duplexing uses HDs connected to different controllers for even more fault tolerance
    • Striped volume:
      • Also known as RAID 0
      • Maximum of 32 disks
      • Breaks data into 64 KB chunks for writing to the different disks that make up the stripe
      • It is recommended to use the same type of hard drive for all member drives
      • Windows 2003 cannot be installed on software RAID 0
      • You cannot extend striped volume, need to recreate it
      • No fault tolerance
    • RAID 5:
      • Made up of three or more disks, each storing part of the parity information
      • Fault tolerance when one disk fails
      • Maximum of 32 disks, minimum of 3
      • Not available in Windows XP professional
      • To replace the failed disk region in a RAID-5 volume, right-click the RAID-5 volume and then click Repair Volume
  • Dynamic disks can only be used in Windows XP Professional, Windows 2000 Professional and Windows 2003 Server (all editions)
  • Note: if the disk referenced by the ARC path in boot.ini fails, the system will not boot. You should keep a disk with a modified boot.ini
  • Mounted volumes - a HD can be mounted as an NTFS folder
  • Uninstall disks prior to moving them; re-scan disks when you attach them
  • Dynamic disks can be re-configured without a re-boot
  • When your boot disk is also a dynamic disk you will not be able to dual boot into an OS that is not dynamic disk capable
  • Dynamic disks are not supported on laptops due to the lack of advantage over basic disks in this scenario
  • Dynamic disk partition table types:
    • dynamic GUID partition table (GPT) disks, for 64bit editions of Windows
    • dynamic MBR disks, for 32 and 64bit editions of Windows
  • The Foreign status occurs when you move a dynamic disk to the local computer from another computer
  • You can have a maximum of 2000 volumes on a dynamic disk, recommended maximum is 32
  • Volumes created after the 26th drive letter has been used must be accessed using volume mount points
  • Hard drives that are connected to the PC using USB or IEEE 1394 cannot be converted to dynamic volumes
  • Volume status descriptions
    • Failed - basic or dynamic volume cannot be started automatically or the disk is damaged
    • Failed Redundancy - data on a mirrored or RAID-5 volume is no longer fault tolerant because one of the underlying disks is not online, has substatuses
    • Formatting - occurs only while a volume is being formatted with a file system
    • Healthy - normal volume status on both basic and dynamic volumes, no known problems, has substatuses
    • Regenerating - occurs when a missing disk in a RAID-5 volume is reactivated
    • Resynching - occurs when creating a mirror or restarting a computer with a mirrored volume
    • Unknown - occurs when the boot sector for the volume is corrupted
    • Data Incomplete - displayed in the Foreign Disk Volumes dialog box, and occurs when data spans multiple disks, but not all of the disks were moved.
    • Data Not Redundant - displayed in the Foreign Disk Volumes dialog box when you import all but one of the disks in a mirrored or RAID-5 volume
    • Stale Data - displayed in the Foreign Disk Volumes dialog box, and occurs when a mirrored or RAID-5 volume has stale mirror information, stale parity information, or I/O errors
[2.21] Converting to dynamic disk and back to basic disk
  • If you convert a boot disk, or if a volume or partition is in use on the disk you attempt to convert, you must restart the computer for the conversion to succeed.
  • The conversion may fail if you change the disk layout of a disk to be converted or if the disk has I/O errors during the conversion.
  • After you convert a basic disk into a dynamic disk, any existing partitions on the basic disk become (dynamic) simple volumes.
  • If you are using shadow copies and they are stored on a different disk than the original, you must first dismount and take offline the volume containing the original files before you convert the disk containing the shadow copies to a dynamic disk.
  • If you are converting disks from dynamic to basic, the disk being converted must not have any volumes on it nor contain any data before you can change it back to a basic disk. If you want to keep your data, back it up before you convert the disk to a basic disk.
[2.22] File systems
  • FAT 16 bit (File Allocation Table)
  • FAT 32 bit
  • NTFS (New Technology File System)
  • To convert from FAT to NTFS use: convert x: /fs:NTFS
[2.23] Folder compression (zipped)
  • Create new compressed folder (zipped)
  • All new items added to that folder will be compressed (zipped)
  • For command line operations use compress.exe, which acts like winzip
[2.24] Compression (NTFS)
  • When you compress a whole folder:
    • All files are compressed automatically when added, but not the files already in the folder
    • OR
    • Compression can also be applied to current files and subfolders
  • Decompression is a reverse process of compression
  • Moving a file on the same volume means that the file location is moved in MFT only, not the physical file itself.
  • When you copy a file, no matter whether to the same volume or not, the destination file will inherit the destination folder's permissions
  • When you move a file on the same volume, it keeps its original permissions (explicit permissions only). When you move a file to another volume, the move is treated as a copy operation and the file permissions are inherited from the destination folder.
  • All file attributes behave in the same way with the exception of encryption
  • File compression is supported only on NTFS volumes with cluster sizes 4 KB and smaller
  • For command line use compact.exe, it can display and modify compression attributes but it works only on NTFS
[2.25] Encryption:
  • Only users who created the files, users to whom the owner gave access to view the file (new in Windows 2003; the additional users need to already have been issued certificates) and recovery agents can decrypt the file
  • When moving an encrypted file from one volume to another volume it stays encrypted. When copying the file it also stays encrypted. This behaviour is unique to encryption!
  • Note that a user who has NTFS permissions to an encrypted file can delete that file, even if he/she cannot view it
  • Cannot encrypt and compress at the same time (due to the encryption process using a pseudo random salt which cannot be further compressed due to its nature)
  • You can zip 1st then encrypt to get an encrypted and compressed file
  • Executable file cipher.exe is a command line encryption utility
  • By default, the recovery agent is the Administrator account on the 1st DC; there is no default for a stand alone server
  • Moving or copying an encrypted file to a FAT volume decrypts the file without warning
  • It is recommended to store the recovery agent certificate on a floppy disk in a secured location. It is also recommended to copy the file to be recovered to the recovery agent's PC, where it will be recovered.
[2.26] How EFS (encrypted file system) works
  • When the user chooses to encrypt a file, a file encryption key is generated
  • This encryption key, together with an encryption algorithm, is used to encrypt the contents of the file
  • The file encryption key is itself encrypted using the user's public key and stored together with the encrypted file. The file encryption key is also protected by the public key of each additional EFS user that has been authorized to decrypt the file and of each recovery agent.
  • The file can only be decrypted by using the user's private key, the private key of a user given permission to view the file, or the private key of a recovery agent
  • The private/public key pair is created using the user's certificate
  • On stand alone machines the user's certificate is created the 1st time he or she tries to encrypt a file
  • For a domain user the certificate is issued by the certification authority - the user needs permission to get a certificate
  • Files marked with the System attribute cannot be encrypted, nor can files in the systemroot directory structure.
  • Before users can encrypt or decrypt files and folders that reside on a remote server, an administrator must designate the remote server as trusted for delegation.
  • If you open the encrypted file over the network, the data that is transmitted over the network by this process is not encrypted.
  • Users can use EFS remotely only when both computers are members of the same Windows Server 2003 family forest
  • Encrypted files are not accessible from Macintosh clients
  • Encrypting File System (EFS) no longer requires a recovery agent
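The key hierarchy described in [2.25] and [2.26] as a runnable toy model (added example, not from the guide): a fresh per-file FEK encrypts the data, the FEK is wrapped under each authorised user's and each recovery agent's public key, and an existing user can share the file by re-wrapping the FEK for another user who already holds a key. The textbook RSA keys built from fixed Mersenne primes and the HMAC-SHA256 keystream are stand-ins for EFS's real algorithms, and the names alice, bob and recovery-agent are constructed.

```python
"""Toy model of the EFS key hierarchy from [2.25]/[2.26] (added example, not
from the guide). Textbook RSA with fixed Mersenne primes and an HMAC-based
keystream stand in for EFS's real CryptoAPI algorithms; the structure is the point."""
import hashlib
import hmac
import secrets

E = 65537  # public exponent shared by every toy key pair


def make_keypair(p, q):
    """Textbook RSA key pair (public, private) from two known primes (toy only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def keystream_xor(fek, data):
    """Symmetric file encryption: XOR data with an HMAC-SHA256 counter keystream
    derived from the FEK. The same call both encrypts and decrypts."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(fek, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def wrap_fek(fek, public_key):
    """Protect the FEK under one public key (one DDF or DRF entry)."""
    n, e = public_key
    return pow(int.from_bytes(fek, "big"), e, n)


def unwrap_fek(entry, private_key):
    """Recover the 16-byte FEK from a DDF/DRF entry with the matching private key."""
    n, d = private_key
    return pow(entry, d, n).to_bytes(16, "big")


def encrypt_file(plaintext, users, recovery_agents):
    """users / recovery_agents map a name to a public key. Returns the stored
    object: ciphertext plus the data decryption field (DDF, one wrapped FEK per
    authorised user) and the data recovery field (DRF, one per recovery agent)."""
    fek = secrets.token_bytes(16)                      # fresh per-file key
    return {
        "data": keystream_xor(fek, plaintext),
        "ddf": {name: wrap_fek(fek, pub) for name, pub in users.items()},
        "drf": {name: wrap_fek(fek, pub) for name, pub in recovery_agents.items()},
    }


def decrypt_file(blob, name, private_key):
    """Anyone with a DDF or DRF entry and the matching private key recovers the file."""
    entry = blob["ddf"].get(name, blob["drf"].get(name))
    if entry is None:
        raise PermissionError("%s has no DDF/DRF entry" % name)
    return keystream_xor(unwrap_fek(entry, private_key), blob["data"])


def add_user(blob, granter, granter_private_key, new_user, new_user_public_key):
    """Windows 2003 feature: an existing DDF holder shares the file with another
    user who already holds a certificate. The FEK is unwrapped with the granter's
    private key and re-wrapped under the new user's public key; data is untouched."""
    fek = unwrap_fek(blob["ddf"][granter], granter_private_key)
    blob["ddf"][new_user] = wrap_fek(fek, new_user_public_key)
    return blob


# Toy key pairs from Mersenne primes (constructed; fixed primes are never acceptable
# for real keys). Each modulus is larger than the 128-bit FEK so it wraps losslessly.
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
AGENT_PUB, AGENT_PRIV = make_keypair(2**521 - 1, 2**607 - 1)


def demo():
    """Round trip: owner and recovery agent can read, bob cannot until added."""
    secret = b"quarterly numbers (constructed sample data)"
    blob = encrypt_file(secret, {"alice": ALICE_PUB}, {"recovery-agent": AGENT_PUB})
    bob_before = None
    try:
        decrypt_file(blob, "bob", BOB_PRIV)
    except PermissionError:
        bob_before = "denied"
    add_user(blob, "alice", ALICE_PRIV, "bob", BOB_PUB)
    return {
        "plaintext": secret,
        "alice": decrypt_file(blob, "alice", ALICE_PRIV),
        "agent": decrypt_file(blob, "recovery-agent", AGENT_PRIV),
        "bob_before": bob_before,
        "bob_after": decrypt_file(blob, "bob", BOB_PRIV),
        "ddf_names": sorted(blob["ddf"]),
    }
```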

Part 3: Managing users, computers and groups

[3.1] User accounts
  • User account consist of:
    • Name and password
    • SID (security identifier) - consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. SIDs are unique in the network.
    • Can have other attributes, like group membership
  • User accounts and computer accounts (as well as groups) are also referred to as security principals
  • Security principals are directory objects that are automatically assigned security IDs (SIDs)
  • Can be either local or domain
  • All local user accounts are stored in local database that every PC has except the domain controller.
  • Local accounts cannot be used to grant access to network resources
  • At logon time the user selects whether to log on to a domain or to the local PC; depending on the selection the system uses the local or the AD user database
  • Username must be unique, for pre-2000 maximum of 20 characters, spaces and period are OK, but no special characters. Usernames are not case sensitive while passwords are.
  • InetOrgPerson is used in several non-MS LDAP and X.500 directory services to represent people within an organization, in AD for compatibility
  • In order to interactively log in to DC user needs to be member of Domain admins, Enterprise admins, Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators or explicitly granted permission to logon
[3.2] Built-in local user accounts
  • Administrator - even when the Administrator account has been disabled, it can still be used to gain access to a computer using Safe Mode
  • Guest (by default in disabled state)
  • Support account (Support_388945a0)
[3.3] Built-in local groups
  • Administrators - full control, by default its member is the Administrator account. This account cannot be removed. When joined to a domain, the Domain Admins global group is also added to the local Administrators group.
  • Backup Operators - can back up and restore files on the server ignoring the security settings that protect these files. Can access the server from the network, log on locally and shut down the system.
  • DHCP Administrators (installed with the DHCP Server service) - have administrative access to the Dynamic Host Configuration Protocol (DHCP) Server service.
  • DHCP Users (installed with the DHCP Server service) - have read-only access to the DHCP Server service.
  • Guests - temporary profile created at the logon time, deleted at log off. Member of the Guest group, no default user rights.
  • Help service group - used to set up rights common to all support applications, the only member is Support_388945a0, do not add users
  • Network configuration operators - can make changes to TCP/IP
  • Performance log users - can manage performance counters, logs and alerts locally or remotely
  • Performance monitor users - can monitor performance counters only, locally or remotely
  • Power users - they can add users/shares/groups. The power users cannot: change Administrators group membership, take ownership of files, load or unload device drivers and manage security logs.
  • Print operators - can manage printers and print queue
  • Remote Desktop Users - can remotely logon to the server
  • Replicator - the only member should be the domain user account used to log on the Replicator service on a DC. Do not add users to this group
  • Terminal Server Users - users who are currently logged on to the system using Terminal Server
  • Users - can do common task such as running programs and printing stuff. Can access locally or through network, all user accounts are members of the Users group by default.
  • WINS Users (installed with WINS service) - permitted read-only access to Windows Internet Name Service (WINS)
[3.4] Complex passwords
  • A complex password needs to be at least 6 characters long
  • Cannot contain any part (or all) of the user account name
  • A complex password needs to contain characters from 3 out of these 4 categories:
    • English uppercase characters
    • English lowercase characters
    • Base 10 digits
    • A special character, such as [,),^
  • By default, complex passwords are enabled on DC, disabled on stand alone servers
  • Windows 2003 passwords can be up to 127 characters long. Windows 95/98 passwords can be up to 14 characters long.
  • Password reset disks are used on stand alone servers to recover a user's password; otherwise the user will lose access to encrypted data
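The complexity rule in [3.4] as a checker (added example, not from the guide). It takes "part of the account name" to mean any run of three or more consecutive characters of the account name compared case-insensitively, which is an assumption, and treats ASCII punctuation as the special-character category.

```python
"""Check a password against the complexity rule in [3.4] (added example)."""
import string

CATEGORIES = {
    "English uppercase": set(string.ascii_uppercase),
    "English lowercase": set(string.ascii_lowercase),
    "base 10 digit": set(string.digits),
    "special character": set(string.punctuation),   # e.g. [ ) ^
}


def complexity_problems(password, account_name, min_length=6):
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    # Assumption: "any part of the account name" means any three or more
    # consecutive characters of it. Usernames are not case sensitive, so the
    # comparison is case-insensitive even though the password itself is not.
    name, lowered = account_name.lower(), password.lower()
    if len(name) >= 3 and any(name[i:i + 3] in lowered for i in range(len(name) - 2)):
        problems.append("contains part of the account name")
    present = [label for label, chars in CATEGORIES.items()
               if any(c in chars for c in password)]
    if len(present) < 3:
        problems.append("uses only %d of the 4 character categories (%s)"
                        % (len(present), ", ".join(present) or "none"))
    return problems


def is_complex(password, account_name):
    """True when the password satisfies every rule above."""
    return not complexity_problems(password, account_name)
```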
[3.5] Organization
  • On DC on Windows 2000 local users & groups display red X, on Windows 2003 there is no local users & groups
  • When installing AD local user accounts and groups are moved to the AD and local DB is deleted
  • Data that is allowed to be stored in the active directory is defined in the active directory "schema".
  • OU (organizational units) are acting as a container for groups, users and other OU
  • You can limit users to logon only on certain computers (but not exclude them from certain PCs). You can also limit users login hours.
[3.6] Using profile for local PC
  • Local profile is located in 'documents and settings' directory on local PC
  • You can use network share for profile location (can be used for backup)
  • Mandatory profile - users cannot save changes (they can delete, but it comes back!)
  • Home folders - where you automatically go after you hit 'save as'
  • Folder redirection - allows Administrators to redirect personal folders for all users to a single location
  • All user settings and preferences are stored in a file ntuser.dat
[3.7] Roaming profile
  • User sees the same thing on every PC (network profile)
  • Enabled on the user properties screen in Active Directory Users and Computers; cannot be modified using GPO.
  • ntuser.dat is stored on network share
  • Local profile on local PC is used if network connection cannot be established
  • Network problems can occur (network congestion) if large files are saved to the desktop or 'My Computer'. To resolve this issue use GPO - set file processing only if user wants to use given file
  • Only files that have been changed since the profile was last loaded are saved
[3.8] Other profile information
  • To create a mandatory profile rename ntuser.dat to ntuser.man
  • Terminal service profile - different look and feel when connecting through terminal server. This may be needed if regular profile could have adverse effect on the network (contains options that for example use a lot of bandwidth)
[3.9] Account and password options
  • Available options are:
  • User must change password at the next logon
  • User cannot change password
  • Password never expires
  • Store password using reversible encryption
  • Account is disabled
  • Smart card required for interactive logon
  • Account is trusted for delegation
  • Account is sensitive and cannot be delegated
  • Use DES encryption for this account
  • Do not require kerberos for preauthentication
[3.10] Terminal services
  • Thin clients are like good old dumb terminals
  • Terminal services are part of user settings
  • Remote control: user in terminal services application mode, similar to remote assistance
  • Use Terminal services Configuration to set session timeouts
[3.11] Remote access (VPN/Dial-in)
  • Remote access is denied by default
  • Remote access policy which can use either RRAS or IAS (RADIUS)
  • Remote access policy is much more flexible than user Dial-in properties (which in turn override remote access policy)
  • For traveling executive, set 'callback' option to 'set by caller'
  • Dial-in
    • Dial-in properties allow you to assign a specific IP to user
    • This is the only way in Windows 2003 that you can assign a specific IP to a user
  • Routing and remote access protocols
    • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) still supports NTLM (but not by default). The same encryption key is used for all connections; both authentication and connection data are encrypted.
    • MS-CHAP v2 - no NTLM and stronger encryption (for example the transmitted encrypted password strings are salted). The two MS-CHAP protocols are the only ones that can change a password during the authentication process. A new key is used for each connection and each direction.
    • CHAP - requires storing user passwords with reversible encryption; authentication data is protected by MD5 hashing. No encryption of connection data.
    • PAP (Password Authentication Protocol) - passwords are sent unencrypted, as is connection data
    • SPAP (Shiva Password Authentication Protocol) - less secure than CHAP or MS-CHAP, no encryption of connection data
    • EAP-TLS (Extensible Authentication Protocol - Transport Level Security) - certificate based authentication (EAP) used with smart cards; both authentication and connection data are encrypted; not supported on stand-alone servers, only in domains.
    • EAP-MD5 CHAP (Extensible Authentication Protocol - Message Digest 5 Challenge Handshake Authentication Protocol) - a version of CHAP ported to the EAP framework. Encrypts only authentication data, not connection data, the same as CHAP.
    • Unauthenticated access - connections without credentials, good for testing
[3.12] DC/OU/CN example

Here is how DC/OU/CN work. The user object is the CN (canonical name); DN is the distinguished name. For example, for energyshop.com/IT/John Doe: DC = energyshop, DC = com, OU = IT, CN = John Doe.

[3.13] UPN - user principal name
  • User principal name in e-mail format, which can be used when logging on without picking a domain from the drop-down, example joe@.... The UPN must be unique in the forest.
[3.14] Dealing with user passwords
  • Do not delete user accounts, disable them instead
  • Rename users as a quick way to set up new accounts
  • To move users to a different domain in the same forest use movetree.exe (initiated on the RID master of the domain where object lives). For different forest need ADMT (AD migration tool).
[3.15] Password policy
  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Complexity requirement
  • Store passwords using reversible encryption
[3.16] Account lockout policy
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after X minutes
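The password policy and account lockout settings above interact at logon time. As an added example that is not part of the guide, the following Python simulation models the three lockout settings (threshold, reset window, duration) and an approximation of the 'complexity requirement' rule; the policy values, the account 'jdoe' and the minute-based clock are assumptions for illustration.

```python
import re
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed policy values for illustration (the guide lists only the setting
# names): 5 bad attempts lock the account, the bad-password counter resets
# 30 minutes after the last failure, and a lockout lasts 30 minutes.
@dataclass
class LockoutPolicy:
    threshold: int = 5      # "Account lockout threshold" (0 = never lock out)
    reset_after: int = 30   # "Reset account lockout counter after X minutes"
    duration: int = 30      # "Account lockout duration" (0 = until an admin unlocks)

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None    # minute of the last bad password
    locked_at: Optional[int] = None   # minute the lockout started, if any

def is_locked(state: AccountState, policy: LockoutPolicy, now: int) -> bool:
    """True while a lockout is in force; an expired lockout is cleared here."""
    if state.locked_at is None:
        return False
    if policy.duration == 0:
        return True                    # only unlock_by_admin() clears it
    if now - state.locked_at >= policy.duration:
        state.locked_at = None
        state.bad_count = 0
        state.last_bad = None
        return False
    return True

def unlock_by_admin(state: AccountState) -> None:
    """What 'Unlock account' on the user's Account tab does."""
    state.locked_at = None
    state.bad_count = 0
    state.last_bad = None

def attempt_logon(state: AccountState, policy: LockoutPolicy, now: int, password_ok: bool) -> str:
    """Returns 'ok', 'bad_password' or 'locked_out'. Time is in minutes."""
    if is_locked(state, policy, now):
        return "locked_out"            # even a correct password is rejected
    if state.last_bad is not None and now - state.last_bad >= policy.reset_after:
        state.bad_count = 0            # observation window expired: count afresh
    if password_ok:
        state.bad_count = 0
        state.last_bad = None
        return "ok"
    state.bad_count += 1
    state.last_bad = now
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_at = now
        return "locked_out"
    return "bad_password"

def simulate(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Replay (minute, password_ok) attempts against a fresh account."""
    state = AccountState()
    return [attempt_logon(state, policy, t, ok) for t, ok in attempts]

def meets_complexity(password: str, sam_account_name: str, display_name: str = "") -> bool:
    """Approximation of 'Password must meet complexity requirements': at least
    6 characters, three of the four character classes, and neither the account
    name nor any part of the display name longer than two characters."""
    if len(password) < 6:
        return False
    low = password.lower()
    if sam_account_name and sam_account_name.lower() in low:
        return False
    for part in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(part) > 2 and part.lower() in low:
            return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= 3
```

With the assumed values, five bad passwords in a row lock the account and a correct password is refused until 30 minutes have passed; four bad passwords followed by a fifth one 37 minutes later do not lock it, because the counter was reset in between.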
[3.17] Computer accounts
  • Managed PCs are computers whose OS was installed using RIS service (remotely)
  • For RIS to work you need a network card that is PXE (Preboot Execution Environment) enabled
  • If your network card is not PXE capable but is PCI based you can use Rbfg.exe to create a remote boot disk
  • No computer account for Windows 98 systems, Windows 98 can still log in to the domain, provided that AD client is installed and SMB signing is disabled
  • To create computer accounts you need to have 'create computer accounts' permission
  • You can set up common attributes on several user accounts at once using the multiselect option, you can set: Profile, Organization, Account Tab, Address, General Tab
[3.18] RIS - remote installation service
  • Each PC has a GUID (globally unique identifier) sometimes called UUID
  • You can get a PC's GUID from:
    • The DHCP discover packets the PC sends when it requests an IP address from the DHCP server
    • PC documentation
    • PC startup screen (BIOS)
  • RIS options
    • Respond to client PCs requesting service
    • Do not respond to unknown PCs (unknown PCs are not found in the AD)
  • For RIS following must be available on the network
    • Active Directory
    • DNS
    • DHCP
[3.19] Contacts
  • These are not user accounts
  • They are used to add people that are outside of your domain
[3.20] Automation
  • Bulk import data into Active Directory using csvde.exe (comma separated value directory exchange), which uses the CSV format. It is easier to modify a spreadsheet to conform to csvde's format than to ldifde's.
  • The executable ldifde.exe stands for: LDAP Data Interchange Format directory exchange
  • ldifde can both import into AND modify Active Directory; csvde can only import
  • Import creates accounts with blank passwords, so it is best to create the accounts in a disabled state by specifying a userAccountControl value of 514
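To show what csvde and ldifde consume and why 514 is the value to use, here is an added Python example, not from the guide, that builds an ldifde import file, the equivalent csvde file and an ldifde modify record for enabling the account later. The OU 'OU=IT,DC=energyshop,DC=com' follows the DC/OU/CN example in [3.12]; the user 'John Doe'/'jdoe' is constructed.

```python
import csv
import io
from typing import Dict, List

# userAccountControl bit flags (documented Active Directory values)
NORMAL_ACCOUNT = 0x0200         # 512: a regular user account
ACCOUNTDISABLE = 0x0002         # 2:   the account is disabled
DONT_EXPIRE_PASSWORD = 0x10000  # 65536, included so the decoder is useful
UAC_FLAGS = {
    "ACCOUNTDISABLE": ACCOUNTDISABLE,
    "NORMAL_ACCOUNT": NORMAL_ACCOUNT,
    "DONT_EXPIRE_PASSWORD": DONT_EXPIRE_PASSWORD,
}

# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE, the value the guide recommends on import
DISABLED_USER = NORMAL_ACCOUNT | ACCOUNTDISABLE

# Attribute list shared by both formats; csvde takes it as the first row.
ATTRIBUTES = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
              "displayName", "userAccountControl"]

def decode_uac(value: int) -> List[str]:
    """Name the flags set in a userAccountControl value, e.g. 514."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def user_record(user: Dict[str, str], ou_dn: str, domain_dns: str) -> Dict[str, str]:
    """Attributes for one new, disabled user; 'cn' and 'sam' come from the caller (constructed)."""
    return {
        "DN": f"CN={user['cn']},{ou_dn}",
        "objectClass": "user",
        "sAMAccountName": user["sam"],
        "userPrincipalName": f"{user['sam']}@{domain_dns}",
        "displayName": user["cn"],
        "userAccountControl": str(DISABLED_USER),
    }

def ldif_import(users: List[Dict[str, str]], ou_dn: str, domain_dns: str) -> str:
    """Text for 'ldifde -i -f users.ldf': one 'changetype: add' record per user."""
    records = []
    for u in users:
        r = user_record(u, ou_dn, domain_dns)
        lines = [f"dn: {r['DN']}", "changetype: add"] + [f"{k}: {r[k]}" for k in ATTRIBUTES[1:]]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"

def csv_import(users: List[Dict[str, str]], ou_dn: str, domain_dns: str) -> str:
    """Text for 'csvde -i -f users.csv': attribute names first, then one row per user."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")   # DNs contain commas and get quoted
    w.writerow(ATTRIBUTES)
    for u in users:
        r = user_record(u, ou_dn, domain_dns)
        w.writerow([r[k] for k in ATTRIBUTES])
    return buf.getvalue()

def ldif_enable(cn: str, ou_dn: str) -> str:
    """A 'changetype: modify' record that clears ACCOUNTDISABLE once a password
    has been set. Only ldifde can apply modifications; csvde cannot."""
    return "\n".join([f"dn: CN={cn},{ou_dn}", "changetype: modify",
                      "replace: userAccountControl",
                      f"userAccountControl: {NORMAL_ACCOUNT}", "-", ""])
```

Feed the output to ldifde -i -f users.ldf or csvde -i -f users.csv (-i = import, -f = file; add -k to keep going past errors), then set passwords and apply the enable records with ldifde.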
[3.21] Built-in domain user accounts
  • Administrator - when the Administrator account is disabled, it can still be used to gain access to a domain controller using Safe Mode
  • Guest (in disabled state by default)
  • Support
  • krbtgt
[3.22] Domain Groups
  • Security - can have object permissions (but also works just for e-mail distribution)
  • Distribution - only for e-mail
  • Group scopes:
    • Domain local
    • Global
    • Universal
[3.23] Built in domain local groups
  • Domain local groups can contain users and groups from any trusted domain.
  • Account operators - can create and administer domain user accounts and groups
  • Administrators - full control over domain
  • Backup operators - bypass file security in order to back up or restore files
  • Guests - has same access as domain users group
  • Incoming forest trust builders - can create incoming, one way trusts to this forest
  • Network configuration operators - can modify network settings like TCP/IP
  • Performance log users - can remotely configure and view performance logs
  • Performance monitor users - can remotely view performance logs
  • Pre-Windows 2000 computer access (for win NT) - has read permission to all users and groups in the domain and the right to access DC from network
  • Print operators - administrator for printers
  • Remote desktop users - can logon into any PC in the domain remotely (only logon ability, nothing else)
  • Replicators - supports file replication in the domain
  • Server operators - can manage DCs: shut down, create shares, manage disks and more
  • Terminal server license servers - local group for Terminal Server license servers
  • Users - cannot install new applications, can run applications that already exist, cannot log on to a DC
[3.24] Global groups
  • Used to organize users but only from its own domain
  • Create by job function or job description
  • DNS update proxy (DnsUpdateProxy) - can perform updates to DNS on behalf of other clients. When secure dynamic updates are enabled on DNS, the DHCP servers must be made members of this group to be able to update records on behalf of clients.
  • Domain admins - complete administrative rights in the domain. Member of Administrators domain local group (as well as local Administrators group on all PCs)
  • Domain computers - all PCs that are joined to the domain
  • Domain controllers - all DC are members of this group
  • Domain guests - used to grant access to users that don't have valid user account in the domain. Member of domain local guest group by default
  • Domain users - all users are members of this group. Normal access to workstations. When new share gets created, they get 'read' access
  • Group policy creator owners - members can create and manage group policy. The Administrator account is a member of this group by default.
[3.25] Universal groups
  • Used for many to many relationships, like many users that need to access resources in many domains
  • Can contain users, global groups, local groups from any domain in the forest
  • Cannot contain users from domains that are outside the forest
  • Universal groups are used to organize users across domains
  • It is recommended to place only global groups inside universal groups
  • You need to have domain functional level set to at least Windows 2000 native
  • Built-in (the Administrator account of the forest root domain is the only member):
    • Enterprise admins - have access to all domains in the forest
    • Schema admins
[3.26] Access between domains
  • We trust in the authentication of another DC
  • Automatic trusts between parent and child domains are set in Windows 2000 native or above
  • Types:
    • 2 way trusts (NT4 domains) - need to be set up on both sides (one setup from domain A to B and one from B to A; nothing is automatic)
    • 2 way transitive trusts (Windows 2000)
    • Forest trust (Windows 2003)
[3.27] Remember the acronym AGLP
  • Accounts - create users accounts
  • Global groups - place users in global groups
  • Local groups - place global group into local group
  • Permissions - assign permissions to the local group
[3.28] Windows 2000/Windows 2003 domain vs mixed mode
  • Universal group is added in Windows 2000 native mode
  • Group nesting - a group can contain groups of the same type
  • Changing group types (distribution vs security) is enabled in Windows 2000 native mode
  • For Windows 2000/ Windows 2003 domain we are going to use AGULP
  • U stands for universal group
  • We place global groups into universal group and universal groups into local groups
[3.29] MMC
  • Access control
    • Author mode - full customization of the MMC console
    • User mode-full access - as author mode, except that users cannot add or remove snap-ins, change console options, create Favorites, or create taskpads
    • User mode-limited access, multiple windows - access only to those parts of the console tree that were visible when the console file was saved. Users can create new windows but cannot close any existing windows.
    • User mode-limited access, single window - as 'user mode limited access, multiple windows' but users cannot create new windows
[3.30] Special groups (special identities)
  • Anonymous Logon - users and services that access a computer and its resources through the network without using an account name, password, or domain name
  • Everyone - all current network users
  • Network - users currently accessing a given resource over the network
  • Interactive - all users currently logged on to a particular computer and accessing a given resource located on that computer
  • Special groups can be assigned rights and permissions to resources but their memberships cannot be modified or viewed and scopes do not apply. Users are added automatically.
[3.31] Other points
  • Home folder can be on local PC or a network share
  • Rename Guest and Administrator accounts, for local accounts use GPO
  • The PC and the DC communicate over a secure channel whose password is changed every 30 days. If they fall out of synchronization you will need to reset the PC account (the message is: 'Domain member failed to authenticate'). This is done by going to the computer account and clicking 'Reset account'.

Part 4: Managing and monitoring access to resources

[4.1] ACL - access control list
  • Every object in AD has ACL
  • ACE - access control entries
  • An ACL is a list of ACEs. Each ACE has an allow or deny action and an associated SID (security identifier).
  • The process of checking user access is performed in this way:
    • The user's SID is checked against the ACEs in the ACL of the resource the user wants to access
    • The SIDs of the groups the user belongs to are also checked against the ACEs in the ACL
    • If there is no matching entry, access is denied
    • Access is allowed if a SID matches an ACE whose action is allow
    • Windows resolves the SID and displays the account name for the ACE
    • Deny right takes precedence over allow right in group and user security context. This is true even for Administrator and object owner.
[4.2] General NTFS permissions for files
  • Read - also allows for viewing of file attributes
  • Write
  • Read and execute
  • Modify = read + write + delete + execute
  • Full control
[4.3] General NTFS permissions for folders
  • Read - also allows to view folder attributes
  • Write
  • Read and execute
  • Modify = read, execute, write, delete
  • List folder contents, includes subfolders
  • Full control = all of above permissions plus permission change permission plus ownership change permission
[4.4] Share permissions
  • Only applicable for folders, no share permissions for files
  • Read = read file data, file names and subfolder names + execute (default assigned to everyone group)
  • Change = read permission + delete files and subfolders + write
  • Full control = all of the above permissions + the right to change share permissions
  • Share permissions do not apply to users that are logged into the OS interactively (i.e. locally)
  • NTFS permissions always apply, even through a share, i.e. a user needs both a share read permission and an NTFS read permission to access a file over the network
  • Use NTFS permissions to tighten security
  • To add a share from the command prompt: net share sharename=drive:path
  • To delete a share from the command prompt: net share sharename /delete
  • When a share name ends in $ it is hidden and cannot be browsed to, full name needs to be typed in
  • Share permissions are not included in a backup or restore of a data volume
  • Share permissions do not replicate through the File Replication service
[4.5] Special permissions
  • In Windows 2003 object ownership can be given to another user, not just taken by the current user as in Windows 2000
  • When a user is in multiple groups the least restrictive permissions apply (permissions are cumulative)
  • Special permissions:
    • Traverse folder/ execute file
    • List folder/ read data
    • Read attributes
    • Read extended attributes (created by program)
    • Create file/write data
    • Create folders/append data
    • Write attribute
    • Write extended attribute
    • Delete subfolders and files
    • Delete
    • Read permissions
    • Change permissions
    • Take ownership
    • Synchronize (not users and groups)
  • Everyone group is no longer granted full control (it is granted read and execute only). The built-in Everyone group includes Authenticated Users and Guests, but no longer includes members of the Anonymous logon group.
  • A quick way to see the permission structure is to click on 'view effective permissions'
  • The Effective Permissions tool only produces an approximation of the permissions that a user has. The actual permissions the user has may be different, since permissions can be granted or denied based on how a user logs on. This logon-specific information cannot be determined by the Effective Permissions tool, since the user is not logged on; therefore, the effective permissions it displays reflect only those permissions specified by the user or group and not the permissions specified by the logon.
[4.6] Explicit permissions and inherited permissions for files and folders
  • There are two types of permissions: explicit permissions and inherited permissions.
  • Explicit permissions are those that are set by default when the object is created, or by user action.
  • Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.
  • Explicit permissions take precedence over inherited permissions, even inherited Deny permissions. This has nothing to do with user and group security context.
[4.7] Inherited permissions (file and folders)
  • All files and folders inherit their permissions from the parent folder by default
  • There are three ways to make changes to inherited permissions:
    • Make the changes to the parent folder, and then the file or folder will inherit these permissions. Remember this is not related to user and group security!
    • Select the opposite permission (Allow or Deny) to override the inherited permission.
    • Clear the 'Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here' check box. You can then make changes to the permissions or remove the user or group from the permissions list. However, the file or folder will no longer inherit permissions from the parent folder. You will be presented with a confirmation dialog that has these options:
      • You can 'copy' permission entries making all entries explicit (convert inherited entries into explicit)
      • Or you can remove all inherited permissions and keep only the current explicit permissions
  • You cannot change parent permissions inside a child object - they show as grayed out if inheritance is on.
  • If the object is inheriting conflicting settings from different parents then the setting inherited from the parent closest to the object in the subtree will have precedence.
  • Only inheritable permissions are inherited by child objects. When setting permissions on the parent object, you can decide whether folders or subfolders can inherit them with Apply onto.
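The rules in [4.1], [4.6] and [4.7] (Deny beats Allow, explicit beats inherited, the nearest parent beats a farther one, and no matching entry means denial) all follow from the order in which Windows evaluates ACEs. This added Python simulation, not from the guide, implements that walk on a toy ACL; the right bits, the user and the Contractors group SIDs are constructed (S-1-5-32-545 is the real BUILTIN\Users SID).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Generic right bits for this simulation (constructed; the real NTFS access
# mask has one bit per special permission listed in [4.5]).
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8

@dataclass(frozen=True)
class Ace:
    sid: str                  # trustee: a user or group SID
    allow: bool               # True = Allow entry, False = Deny entry
    rights: int               # bitmask of the rights above
    inherited: bool = False   # propagated from a parent rather than set here
    depth: int = 0            # 0 = explicit, 1 = from the parent, 2 = grandparent ...
    inheritable: bool = True  # the 'Apply onto' choice: may child objects inherit it?

def canonical_order(acl: Iterable[Ace]) -> List[Ace]:
    """Order Windows evaluates ACEs in: explicit Deny, explicit Allow, then
    inherited entries nearest parent first, Deny before Allow at each level."""
    return sorted(acl, key=lambda a: (a.depth, a.allow))

def access_check(acl: Iterable[Ace], token_sids: Set[str], requested: int) -> Tuple[bool, str]:
    """Walk the ACL in canonical order for a token holding the user SID plus
    group SIDs. A matching Deny covering a still-ungranted requested right
    fails immediately; Allows accumulate until every requested right is
    granted. Falling off the end of the list is an implicit deny."""
    granted = 0
    for ace in canonical_order(acl):
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if ace.rights & requested & ~granted:
                kind = "inherited" if ace.inherited else "explicit"
                return False, f"denied by {kind} Deny for {ace.sid}"
        else:
            granted |= ace.rights & requested
            if granted == requested:
                return True, "all requested rights allowed"
    return False, "no matching Allow (implicit deny)"

def inherit(parent_acl: Iterable[Ace]) -> List[Ace]:
    """The inherited part of a child's ACL: every inheritable parent entry,
    explicit or itself inherited, one level further away."""
    return [Ace(a.sid, a.allow, a.rights, inherited=True, depth=a.depth + 1,
                inheritable=a.inheritable) for a in parent_acl if a.inheritable]

def break_inheritance(acl: Iterable[Ace], copy: bool) -> List[Ace]:
    """Clearing 'Allow inheritable permissions from the parent...': Copy turns
    inherited entries into explicit ones, Remove drops them."""
    if copy:
        return [Ace(a.sid, a.allow, a.rights, inherited=False, depth=0,
                    inheritable=a.inheritable) for a in acl]
    return [a for a in acl if not a.inherited]

# Constructed SIDs: BUILTIN\Users is the real well-known S-1-5-32-545; the
# user and the Contractors group are made-up domain SIDs.
USERS = "S-1-5-32-545"
CONTRACTORS = "S-1-5-21-0-0-0-1200"
JDOE = "S-1-5-21-0-0-0-1105"
TOKEN = {JDOE, USERS, CONTRACTORS}   # jdoe's token: own SID plus group SIDs

def demo() -> Dict[str, bool]:
    """Each entry is one of the guide's rules tried against a small ACL."""
    root = [Ace(USERS, True, READ | EXECUTE), Ace(CONTRACTORS, False, WRITE)]
    child = inherit(root)                      # a file below the root: all entries inherited
    grandparent = [Ace(CONTRACTORS, False, READ)]
    parent = inherit(grandparent) + [Ace(CONTRACTORS, True, READ)]
    return {
        "inherited_allow_read": access_check(child, TOKEN, READ)[0],             # True
        "inherited_deny_write": access_check(child, TOKEN, WRITE)[0],            # False
        "explicit_allow_beats_inherited_deny":
            access_check(child + [Ace(CONTRACTORS, True, WRITE)], TOKEN, WRITE)[0],  # True
        "explicit_deny_beats_explicit_allow":
            access_check([Ace(JDOE, True, READ), Ace(USERS, False, READ)], TOKEN, READ)[0],  # False
        "nearest_parent_wins": access_check(inherit(parent), TOKEN, READ)[0],    # True
    }
```

Note that the "nearest parent wins" case works only because the Allow inherited from the parent is evaluated before the Deny inherited from the grandparent; after 'Copy' both become explicit entries at depth 0 and the Deny moves ahead of the Allow.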
[4.8] Ownership
  • Ownership general points:
    • To decrypt a file the owner still needs the correct private/public key pair
    • File owner always has 'change permissions' permission
    • An administrator who needs to repair or change permissions on a file must begin by taking ownership of the file.
    • Every object has an owner, whether in an NTFS volume or Active Directory. By default, in the Windows Server 2003 family, the owner is the Administrators group.
    • Transferring ownership (new in Windows 2003) is preferred to giving users 'take ownership right'.
  • Ownership can be taken by:
    • An administrator. By default, the Administrators group is given the Take ownership of files or other objects user right.
    • Anyone or any group who has the Take ownership permission on the object in question.
    • A user who has the Restore files and directories privilege.
  • Ownership can be transferred in the following ways:
    • The current owner can grant the Take ownership permission to another user, allowing that user to take ownership at any time. The user must actually take ownership to complete the transfer. Or transfer ownership by using 'Other users or groups' button.
    • An administrator can take ownership.
    • A user who has the Restore files and directories privilege can use 'Other users or groups' button and choose any user or group to assign ownership to.
[4.9] Ways to create shares in Windows 2003
  • Using MMC
  • Server roles (file server role)
  • Using explorer
[4.10] Share options
  • Offline caching occurs when users have local copies of network files
  • Offline caching is also controlled by the use of group policy
  • Offline caching is turned on by default when a share is created on the server
  • The following settings are available on the client
    • Use of the offline feature
    • Synchronize when logging on
    • Encrypt offline files cache
    • Prohibit making available file and folders offline
    • Configure slow link speed
  • Windows XP computer can allow a maximum of 10 simultaneous connections to a shared folder
  • Share permissions are managed like NTFS permissions but you cannot block inheritance and there are no special permissions
[4.11] Special shares
  • drive letter$ - shared resource that enables administrators to connect to the root directory of a drive
  • ADMIN$ - resource that is used during remote administration of a computer. The path of this resource is always the path to the system root (ex. c:\windows)
  • IPC$ - resource that shares the named pipes that are essential for communication between programs. You use IPC$ during remote administration of a computer and when you view a computer's shared resources. You cannot delete this resource.
  • NETLOGON - required resource that is used on domain controllers
  • SYSVOL - required resource that is used on domain controllers
  • PRINT$ - resource that is used during remote administration of printers
  • FAX$ - shared folder on a server that is used by fax clients in the process of sending a fax
  • You cannot browse to $ shares (cannot see them in Explorer)
[4.12] Web sharing
  • You can share your folders online, web sharing of folders - viewed using IE
  • You need to install IIS on the server
  • You will need to allow the directory browsing permission for files other than .htm and .asp to be accessible
[4.13] Shadow copies (new in Windows 2003)
  • Protects against:
    • Accidental deletions
    • Accidental overwrites
    • File corruption
  • Need to run VSS - volume shadow copy service
  • Snapshots are taken at default or user-defined intervals
  • There can be at any time maximum of 64 different snapshots stored on the system
  • Windows XP and 2000 need installation of client software, twcli32.msi
  • Information is stored in the hidden system folder 'system volume information'
  • From the command prompt: vssadmin create shadow /for=volume
  • If you need to restore a file using shadow copies that has been deleted you will need to restore the whole folder
  • Shadow copies can be accessed from:
    • Windows explorer
    • Shared folders snap-in
    • Command prompt
  • If you want to move shadow copy storage location you need to destroy and recreate the shadow
[4.14] Distributed file system (DFS)
  • DFS exposes shared folders without explicitly stating where they are located
  • DFS is like an index for shares on the network
  • Domain based root (preferred) or standalone root
  • Replication fault tolerance (for domain only)
  • Stored in active directory (DFS root - domain based)
  • To access distributed file system go to start -> all programs -> Administrative tools -> Distributed file system
  • DFS on the Windows 2003 can only be used with the NTFS file system
  • Set replication policy for DFS
  • Do not create FRS replica sets on a volume that is managed by Remote Storage (performance hit)
  • Automatic file replication through the File Replication service (FRS) is only available with domain DFS
  • Dfsutil.exe and dfscmd.exe are command line tools used to administer DFS
[4.15] Enabling auditing for files, folders and printers
  • You will need to enable auditing for object access policy
  • And you also need to enable auditing for individual files and folders through NTFS security or through printer security
[4.16] Auditing
  • Account logon events - success or failure of domain logon
  • Account management - events such as resetting passwords and modifying user properties
  • Directory service access - an event is generated any time a user accesses AD
  • Logon events - success or failure of local logon or logon to a share
  • Object access - file, folder or printer access
  • Policy change - success or failure of change of security options, user rights, account policies and audit policies. Both domain and local PC changes are tracked.
  • Process tracking - useful for applications
  • System - system events such as shutting down PC or clearing the logs
[4.17] Terminal services
  • Any Windows PC with client installed can connect to the terminal server
  • There is no need to install terminal services if one intends only to use it for administrative purposes
  • Terminal server can be transparent to users (for example thin clients)
  • In order for the user to connect to the terminal server he or she needs local logon right
  • All clients need a CAL (Windows 2000 and XP have one built in)
  • You need to have terminal services licensing installed on DC in a single domain environment, it will need to connect to Microsoft. If it cannot connect to Microsoft clearing house it will still issue temporary licenses. It can also connect to the clearing house by fax or phone.
  • Licensing server can issue temporary CAL (non-renewable) for 120 days
  • Terminal server client connection uses RDP protocol
  • There is an option of remote control of user if server is in application server role
  • Terminal services are not installed by default
  • Before users can use terminal services you will need to grant users access to RDP in Terminal Services configuration
  • Tscc.msc - terminal services clients and connections MMC, you can override AD user account settings
  • To install Terminal Services programs use 'Add & remove programs' when all user sessions are disconnected
  • There are compatibility scripts available for many popular programs
  • Use Terminal Services GP to configure one or more terminal servers, or to manage Terminal Server user settings
[4.18] Remote desktop
  • Remote desktop connection = terminal services client
  • Remote desktop is installed and activated by default. For multiple remote desktop connections try Remote Desktops MMC.
  • Remote desktop depends on terminal services service
[4.19] Remote assistance
  • For Windows 2003 and XP
  • Concurrent session with logged in user
  • Logged in user has to authorize access
  • You can send an invitation from the 'Help and Support' menu. You can send invitations through e-mail or Microsoft Messenger. You also need to supply a connection password.
  • You can also offer remote assistance to others (disabled in GP by default)
[4.20] User rights
  • Administrators can assign specific rights to group accounts or to individual user accounts. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights. The only time that rights assigned to one group might conflict with those assigned to another is in the case of certain logon rights.
  • There are two types of user rights:
    • Privileges, such as the right to back up files and directories
    • Logon rights, such as the right to log on to a system locally
[4.21] Security best practices
  • Use Deny permission to exclude users
  • Use security templates rather than individual permissions
  • Avoid changing default permission on system objects (including AD objects)
  • Never deny Everyone group access to an object. Instead just remove Everyone group.
  • Assign permissions as high as possible up the inheritance tree
  • Privileges can sometimes override permissions
  • Assign permissions to groups rather than single users
  • Avoid giving 'Full control' permission, give users what they need to do their work
  • Minimize the number of ACEs that apply to children (are inheritable)
  • Assign the same permissions to multiple objects, this way the AD will only have to store one copy of ACL
  • When possible, assign access rights on a broad level rather then specific

Part 5: Managing and maintaining a server environment

[5.1] Performance and system events
  • Task manager
  • Event viewer
  • System monitor (to launch it you can run perfmon.exe from the command line)
  • Performance logs and alerts
  • Network monitor
[5.2] Performance
  • To set process priority at launch time use: start /<priority> "program name" (for example start /high notepad.exe)
  • Another way is: cmd /c start /<priority> "program name" -- you cannot use this from the Run menu
  • Priority types:
    • Real time (you will need Administrator access to set this priority level)
    • High
    • Above normal
    • Normal
    • Below normal
    • Low
  • Relog - extracts performance counters from performance counter logs into other formats, such as text-TSV, text-CSV, binary-BIN, or SQL
  • Logman - manages and schedules performance counter and event trace log collections on local and remote systems
[5.3] Performance indicators
  • Memory: pages faults/sec - data not found in CPU cache creates a fault, most processors can handle large amounts of soft page faults, compare with memory: pages/sec
  • Available memory in bytes - need more if less than 10% available (could be an application memory leak)
  • Memory: pages/sec - hard drive access to page file, a rate of 20 or more indicates a need for more RAM
  • Paging file: % usage close to 100 - the page file needs more space or more RAM is needed
  • Physical disk: percentage disk time above 70% - is too high, if paging file usage is excessive as well it indicates more RAM is needed otherwise a disk is the bottleneck
  • Physical disk average queue length above 2 - check paging file and physical memory
  • Physical disk current queue length - a value above 2 indicates a problem
  • CPU close to 100% - need more CPU power if situation continues for excessive amounts of time
  • Number of open files indicates how busy the server is, compare to baseline
  • Server: bytes total/sec - indicates network throughput
  • Baselining is the process of determining average/normal system performance. Should be done over a period of 3 to 4 weeks using counter logs.
  • Performance logs and alerts are used to perform long term analysis:
    • Using the default Windows 2003 data provider or another application provider, trace logs record detailed system application events when certain activities, such as a disk I/O operation, occur. When the event occurs, the OS logs the system data to a file. A parsing tool such as Tracerpt is required to interpret the trace log output
    • When counter logs are in use, the service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event.
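The thresholds in [5.3] are easy to apply to a counter log once relog has exported it to CSV. The following Python script is an added example, not from the guide: it parses a constructed CSV in the layout relog writes (server FS1 and all values are made up), flags each sample against the guide's rules of thumb, and checks whether a condition is sustained across consecutive samples; the 90% CPU threshold and 1 GB of physical RAM are assumptions.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample in the layout 'relog -f csv' writes: a timestamp column
# followed by one column per counter path. Server FS1 and the values are made up.
SAMPLE_LOG = """\
"(PDH-CSV 4.0) (UTC)(0)","\\\\FS1\\Memory\\Pages/sec","\\\\FS1\\Memory\\Available Bytes","\\\\FS1\\PhysicalDisk(_Total)\\% Disk Time","\\\\FS1\\PhysicalDisk(_Total)\\Avg. Disk Queue Length","\\\\FS1\\Processor(_Total)\\% Processor Time"
"06/17/2004 09:00:00.000","3.2","412000000","21.5","0.4","35.1"
"06/17/2004 09:00:15.000","26.7","95000000","82.3","3.1","97.4"
"06/17/2004 09:00:30.000","31.0","90000000","88.0","2.8","98.9"
"""

PAGES_PER_SEC_HIGH = 20      # guide: a rate of 20 or more means more RAM
AVAILABLE_MEMORY_MIN = 0.10  # guide: less than 10% available
DISK_TIME_HIGH = 70          # guide: % disk time above 70 is too high
DISK_QUEUE_HIGH = 2          # guide: queue length above 2
CPU_BUSY = 90                # assumption for "close to 100%"

def counter_name(path: str) -> str:
    """'\\\\FS1\\Memory\\Pages/sec' -> 'Memory\\Pages/sec' (drop the machine name)."""
    parts = path.split("\\")
    return "\\".join(parts[-2:])

def parse_counter_log(text: str) -> List[Tuple[str, Dict[str, float]]]:
    """Return (timestamp, {counter: value}) for every data row."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    names = [counter_name(h) for h in rows[0][1:]]
    return [(row[0], {n: float(v) for n, v in zip(names, row[1:])}) for row in rows[1:]]

def evaluate(sample: Dict[str, float], physical_ram_bytes: int) -> List[str]:
    """Apply the guide's rules of thumb to one sample and return the findings."""
    findings = []
    paging_high = sample["Memory\\Pages/sec"] >= PAGES_PER_SEC_HIGH
    if paging_high:
        findings.append("Memory\\Pages/sec >= 20: add RAM")
    if sample["Memory\\Available Bytes"] < AVAILABLE_MEMORY_MIN * physical_ram_bytes:
        findings.append("Available memory below 10%: add RAM or look for a leaking application")
    if sample["PhysicalDisk(_Total)\\% Disk Time"] > DISK_TIME_HIGH:
        cause = "paging is the cause, add RAM" if paging_high else "the disk itself is the bottleneck"
        findings.append(f"% Disk Time above 70: {cause}")
    if sample["PhysicalDisk(_Total)\\Avg. Disk Queue Length"] > DISK_QUEUE_HIGH:
        findings.append("Avg. Disk Queue Length above 2: check the paging file and physical memory")
    if sample["Processor(_Total)\\% Processor Time"] >= CPU_BUSY:
        findings.append("Processor near 100%: more CPU needed if this is sustained")
    return findings

def report(text: str, physical_ram_bytes: int) -> Dict[str, List[str]]:
    """Findings per timestamp for a whole log."""
    return {ts: evaluate(s, physical_ram_bytes) for ts, s in parse_counter_log(text)}

def sustained(text: str, physical_ram_bytes: int, finding_prefix: str, min_samples: int) -> bool:
    """True when a finding starting with finding_prefix appears in at least
    min_samples consecutive samples (the guide's 'continues for excessive time')."""
    run = 0
    for _, s in parse_counter_log(text):
        if any(f.startswith(finding_prefix) for f in evaluate(s, physical_ram_bytes)):
            run += 1
            if run >= min_samples:
                return True
        else:
            run = 0
    return False
```

The disk rule shows why the counters are read together: % Disk Time above 70 points at the disk only when Pages/sec is low; with heavy paging at the same time the remedy is RAM, as the guide states.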
[5.4] Log file settings
  • Maximum log size
  • Overwrite log events as needed
  • Overwrite log events older than X days
  • Do not overwrite events (clear log manually)
  • Microsoft recommends keeping 7 day logs
[5.5] Log files
  • Default log files:
    • Application
    • Security
    • System
  • Active directory adds:
    • Directory service log
    • File replication service log
  • DNS adds: DNS service log
  • Log file extension is .evt (files with this extension can be viewed by event viewer)
  • Tracerpt - processes event trace logs or real-time data from instrumented event trace providers
[5.6] Log filtering
  • Event type
  • Event source
  • Event ID
  • User
  • Computer
  • Date range
[5.7] Event information
  • Eventvwr - used to launch Event Viewer
  • Eventtriggers.exe - displays and configures event triggers on local or remote machines.
  • Eventcreate.exe - enables an administrator to create a custom event in a specified event log
  • Eventquery.vbs - lists the events and event properties from one or more event logs
[5.8] Page file
  • Page file size should be at least 1-1.5 times the size of physical RAM
  • Don't let system manage the size of the page file (fragmentation of page file due to constant resizes)
  • Set minimum=maximum size of the page file in order to prevent any page file resizes
  • If you move page file from the system drive you will no longer get any memory dumps
  • You will need to restart your PC once you make changes to the page file
[5.9] Disk quotas
  • Disk quota applies to everyone using the volume except administrators
  • Remember that every user needs a few MB (minimum 2) for storage of the profile, which is needed for logging on
  • Quota entry can be created per user but not per group, only volumes and users have quota entries
  • Quota limit is calculated using the uncompressed file size, thus compressing files will not create more space
  • The default quota entry is for all users of given volume. You can add additional quota entries on per user basis only.
  • Once again, quota entries are per user per volume, no groups are allowed.
  • Remember that once a user uses a volume with quota set on it an entry is automatically added. Thus, if you had a general entry for all users and later on some users run out of space and need more you modify quota entries not add new ones.
  • Disk quota is only applied to the files that are being added after the quota entry got created, it doesn't apply to files that were already there
  • Each file can contain up to 64 KB of metadata that does not count towards the user's quota limit
  • Fsutil is used to manage quota from command line
  • To free some space run disk cleanup, from command prompt: cleanmgr.exe (note it doesn't clear internet temporary files)
[5.10] Defragmenting
  • You will need at least 15% of free HD space in order to defragment
  • You may need to repeat the process several times in order to achieve planned results
  • Defragmenting should be done on every volume every 1 to 2 months
  • The Disk Defragmenter console has no scheduler, but defrag.exe (for example defrag C: -f) can be run from a scheduled task or a script
  • Windows defragmenter works with FAT16, FAT32 and NTFS
  • On modern computer systems that use NTFS and don't use the file system heavily (desktops) the benefits of defragmenting are measurable but not noticeable to the end user. Defragmenting is therefore mainly a performance tool for file servers.
[5.11] Internet Information Services 6.0 (IIS 6)
  • The home directory of a site can be a local directory, a share on another computer, or a redirection to another URL
  • Web applications run inside worker processes (w3wp.exe); the kernel-mode listener http.sys accepts the connections, and inetinfo.exe hosts the metabase and the FTP/SMTP/NNTP services
  • You can run multiple sites using one of these methods:
    • Different IP per site
    • Host headers: several sites share one IP address and port and are told apart by the HTTP Host header. Requires an HTTP 1.1 client and cannot be combined with SSL, because the certificate is negotiated before the Host header is read
    • Different port per site
  • FrontPage Server Extensions are needed only for clients that publish with FrontPage; do not install them otherwise
  • To create Virtual directory you can use regular wizard or web share a folder
  • IIS 6 is not installed by default in Windows 2003 (it was in Windows 2000)
  • Anonymous access runs under the IUSR_computerName account
  • The IWAM_computerName account is used by IIS to start out-of-process applications (IIS 5.0 isolation mode)
  • Every request is processed in the security context of a Windows account, including anonymous requests: these use IUSR_computerName, which therefore must be able to log on and must have NTFS read access to the content. Anonymous access is enabled by default.
  • You can back up the IIS configuration from IIS Manager or with iisback.vbs. Such backups contain only the metabase configuration and schema (MetaBase.xml and MBSchema.xml), not site content
  • Custom error templates (.htm) are located in %systemroot%\help\iishelp\common\
  • Other:
    • Can change home directory
    • Can change default document name
    • You can limit bandwidth and total connections numbers
    • Different logging options
  • Certificates are used with SSL, can have personal certificates
  • SMTP and e-mail services are not the best, use in emergency, try to avoid
  • ISAPI filters - internet server application programming interface filters
  • Content expiration sets the Expires/Cache-Control headers that tell the client browser whether it may use its cached copy or must fetch the content again
  • Web permissions (set in IIS) and NTFS permissions work together and the more restrictive one wins; use NTFS permissions for per-user access control
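The three ways of hosting several sites on one server, as an added example that is not part of the exam guide: a small model of how a request's destination IP, port and Host header pick the site, including the HTTP 1.0 case that host-header sites cannot serve. The site names, addresses and host names are constructed for illustration.

```python
# Added example (not from the exam guide): a model of how IIS 6 decides which
# site answers a request, given the three techniques for hosting several sites
# on one server (distinct IP, host header, distinct port). Site names, IPs and
# host names below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

ALL_UNASSIGNED = "*"  # the "(All Unassigned)" IP choice in IIS Manager


@dataclass(frozen=True)
class Binding:
    ip: str      # concrete address or ALL_UNASSIGNED
    port: int
    host: str    # host header value, "" = no host header required


# Constructed site table
SITES = {
    "Intranet":  [Binding("10.0.0.5", 80, "")],                    # dedicated IP
    "Marketing": [Binding("10.0.0.6", 80, "www.example.test")],    # host header
    "Sales":     [Binding("10.0.0.6", 80, "sales.example.test")],  # host header
    "Admin":     [Binding(ALL_UNASSIGNED, 8080, "")],              # different port
}


def host_from_request(raw: bytes) -> Optional[str]:
    """Extract the Host header from a raw HTTP request (None if absent, as with HTTP/1.0)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def select_site(dest_ip: str, port: int, host_header: Optional[str]) -> Optional[str]:
    """Return the site that owns the binding, or None (IIS answers with an error)."""
    host = (host_header or "").split(":")[0].lower()   # drop ":port" from the Host value
    # 1. A binding with a matching host header on this IP (or All Unassigned) and port.
    if host:
        for name, bindings in SITES.items():
            for b in bindings:
                if b.port == port and b.ip in (dest_ip, ALL_UNASSIGNED) and b.host == host:
                    return name
    # 2. Otherwise a host-less binding on the same port; a concrete IP beats All Unassigned.
    for wanted_ip in (dest_ip, ALL_UNASSIGNED):
        for name, bindings in SITES.items():
            for b in bindings:
                if b.port == port and b.ip == wanted_ip and b.host == "":
                    return name
    return None


def route(dest_ip: str, port: int, raw_request: bytes) -> Optional[str]:
    """Convenience wrapper: raw request bytes in, site name out."""
    return select_site(dest_ip, port, host_from_request(raw_request))


if __name__ == "__main__":
    http11 = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    http10 = b"GET / HTTP/1.0\r\n\r\n"          # no Host header at all
    print(route("10.0.0.6", 80, http11))        # Marketing
    print(route("10.0.0.6", 80, http10))        # None: host-header sites need HTTP/1.1
    print(route("10.0.0.5", 80, http10))        # Intranet: a dedicated IP works for any client
```

The same logic is why SSL and host headers do not mix on IIS 6: the server has to present a certificate before it has seen the Host line, so it cannot choose between Marketing and Sales at that point.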
[5.12] Application pools in IIS.6
  • IIS modes of operation
    • Worker process isolation mode, which runs all processes in an isolated environment (needed for application pools)
    • IIS 5.0 isolation mode, in which you can run Web applications that are not compatible with worker process isolation mode
  • Application pools are like separate memory spaces in which sites live. More formally, an application pool is a configuration that links one or more applications to a set of one or more worker processes.
  • Two ways to recycle an application pool's worker process:
    • Overlapped recycling (default): the old worker process keeps serving requests until the new one has started, so no requests are dropped
    • Non-overlapped: the WWW service terminates the worker process first and then starts a new one
  • An application pool that uses more than one worker process is called a Web garden
  • When more than one server is used to host a website we have a web farm
[5.13] Authentication methods
  • Integrated Windows authentication uses Kerberos or NTLM depending on client capability; popular on intranets. The password never crosses the wire: NTLM is a challenge/response exchange and Kerberos uses tickets. Domain or local accounts can be used. Kerberos needs AD (and a client that is a domain member); otherwise NTLM is used. Does not work through most proxies.
  • Digest authentication sends an MD5 hash computed from the user name, realm, password and a server nonce, so the password itself is not transmitted. The server recomputes the hash against AD (an AD account and an AD domain are required), which is why the account must store its password using reversible encryption. IIS 6 'Advanced Digest' avoids reversible storage by keeping a precomputed MD5 hash in AD (requires Windows Server 2003 domain controllers). Needs Internet Explorer 5.0 or later and HTTP 1.1. Used when integrated Windows authentication is not possible, for example through a proxy.
  • Basic authentication sends the user name and password base64 encoded, i.e. effectively in clear text; supported by almost every client, works with AD or local accounts. Use it only over SSL.
  • .NET Passport authentication - Microsoft's Passport single sign-on, natively supported on Windows XP and Windows Server 2003
  • Access can additionally be restricted by client IP address and/or domain name
  • Kerberos is used by computers that are domain members running Windows 2000 or later; Windows NT 4.0 and earlier clients fall back to NTLM.
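What Basic and Digest actually put on the wire, and what the server has to store to check each one, as an added example that is not part of the exam guide. The realm, credentials and nonces are constructed; the Digest computation follows RFC 2617 (qop=auth), and the stored HA1 value stands in for what the server must hold (the reversibly encrypted password, or the precomputed hash that IIS 6 Advanced Digest keeps in AD).

```python
# Added example (not from the exam guide): what Basic and Digest authentication
# put on the wire, and what the server must store to verify each one.
# Realm, nonce values and credentials are constructed for illustration.
import base64
import hashlib
import hmac
import os


def basic_header(user: str, password: str) -> str:
    """Client side of Basic auth: the credentials are merely base64 encoded."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def basic_credentials(header: str) -> tuple:
    """What anyone sniffing a non-SSL connection gets back out of a Basic header."""
    token = header.split("Basic ", 1)[1]
    user, password = base64.b64decode(token).decode("utf-8").split(":", 1)
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). A server that stores this value (IIS 6 Advanced
    Digest keeps it in AD) does not need the reversibly encrypted password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """Client side of Digest auth (RFC 2617, qop=auth): the password never leaves the client."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{digest_ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth") -> bool:
    """Server side: needs HA1, i.e. either the plaintext password (hence 'store password
    using reversible encryption') or a precomputed HA1."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)   # constant-time comparison


def demo() -> dict:
    user, password, realm = "jsmith", "Summer2004!", "CORP"   # constructed credentials
    basic = basic_header(user, password)
    nonce = os.urandom(8).hex()       # server challenge, fresh per request
    cnonce = os.urandom(8).hex()      # client nonce
    resp = digest_response(user, realm, password, "GET", "/payroll/", nonce, "00000001", cnonce)
    ha1 = digest_ha1(user, realm, password)
    return {
        "basic_header": basic,
        "recovered_from_basic": basic_credentials(basic),
        "digest_ok": digest_verify(ha1, "GET", "/payroll/", nonce, "00000001", cnonce, resp),
        "digest_wrong_pw": digest_verify(digest_ha1(user, realm, "guess"), "GET", "/payroll/",
                                         nonce, "00000001", cnonce, resp),
        # a captured response is useless against a different server nonce
        "digest_replayed": digest_verify(ha1, "GET", "/payroll/", "stalenonce", "00000001",
                                         cnonce, resp),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take away: Basic is reversible by anyone on the path, so it belongs only inside SSL; Digest hides the password but forces the server to keep a password-equivalent (the reversibly encrypted password or HA1), which is why the AD account option exists and why that store needs protecting.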
[5.14] Website Logging
  • W3C extended log entries are timestamped in UTC, so they can look out of step with local time. Enable 'use local time for file naming and rollover' if log files should roll over at local midnight; the entries themselves stay in UTC.
  • Web site logging formats:
    • W3C Extended Log File Format (default)
    • Microsoft IIS Log File Format
    • NCSA Common Log File Format
    • ODBC Logging
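The default W3C extended format in practice, as an added example that is not part of the exam guide: a parser driven by the #Fields directive, the UTC-to-local conversion the previous section warns about, and a small detection pass over the parsed entries (repeated 401.1 logon failures from one client followed by a 200 with a user name). The log lines are constructed for the example; the field names are the real W3C/IIS ones.

```python
# Added example (not from the exam guide): parsing IIS 6 W3C extended log lines
# and pulling a security signal out of them. The log lines are constructed for
# this example; the field names are the real W3C/IIS ones.
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-06-17 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-06-17 10:00:01 10.0.0.5 GET /default.htm - 80 - 192.168.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
2004-06-17 10:00:05 10.0.0.5 GET /admin/ - 80 - 203.0.113.9 curl/7.10.5 401 2 2148074254
2004-06-17 10:00:06 10.0.0.5 GET /admin/ - 80 CORP\administrator 203.0.113.9 curl/7.10.5 401 1 1326
2004-06-17 10:00:07 10.0.0.5 GET /admin/ - 80 CORP\administrator 203.0.113.9 curl/7.10.5 401 1 1326
2004-06-17 10:00:08 10.0.0.5 GET /admin/ - 80 CORP\administrator 203.0.113.9 curl/7.10.5 401 1 1326
2004-06-17 10:00:09 10.0.0.5 GET /admin/ - 80 CORP\administrator 203.0.113.9 curl/7.10.5 200 0 0
2004-06-17 10:00:12 10.0.0.5 GET /default.htm - 80 - 192.168.1.21 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
"""


def parse_w3c(text: str) -> list:
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names.
    Entries are space separated; IIS replaces spaces inside values with '+'."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                  # other directives: Software, Version, Date
        values = line.split(" ")
        if len(values) != len(fields):
            continue                  # truncated or foreign line, skip it
        records.append(dict(zip(fields, values)))
    return records


def entry_time_local(rec: dict, utc_offset_hours: int) -> datetime:
    """W3C log timestamps are UTC; convert one for comparison with local event logs."""
    ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc).astimezone(timezone(timedelta(hours=utc_offset_hours)))


def logon_failure_report(records: list, min_failures: int = 3) -> dict:
    """Per client IP: count 401.1 (logon failed) responses and note whether the same
    client later got a 200 with a user name, i.e. a guess that eventually worked."""
    report = {}
    for rec in records:
        ip = rec["c-ip"]
        entry = report.setdefault(ip, {"failures": 0, "users_tried": set(), "succeeded_as": None})
        if rec["sc-status"] == "401" and rec["sc-substatus"] == "1":
            entry["failures"] += 1
            entry["users_tried"].add(rec["cs-username"])
        elif (rec["sc-status"] == "200" and rec["cs-username"] != "-"
              and entry["failures"] >= min_failures):
            entry["succeeded_as"] = rec["cs-username"]
    return {ip: e for ip, e in report.items() if e["failures"] >= min_failures}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(len(recs), "entries, first at", entry_time_local(recs[0], -4), "(UTC-4)")
    for ip, e in logon_failure_report(recs).items():
        print(ip, e["failures"], "failed logons; succeeded as", e["succeeded_as"])
```

Sub-status 401.1 with Win32 status 1326 is a plain bad user name or password; 401.2 is the initial challenge when anonymous access is off, so it is excluded from the failure count.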
[5.15] SUS - software update service
  • SUS - Software Update Services, distributes Microsoft updates to clients; an update is only offered once an administrator has approved it
  • Minimum requirements for the clients to connect to SUS are Windows XP SP1, or Win2k SP3 or later.
  • SUS is a web application that runs on top of IIS (the SUSAdmin page is browser based); clients fetch approved updates with the Automatic Updates client
  • In order for SUS to work you need to point client computers to SUS server using GPO
  • You need to install SUS10SP1.exe on the server
  • Server computer must be running at least version 5 of IIS
  • SUS virtual administrative directory http://yourservername/SUSadmin
  • SUS needs an NTFS volume with at least 100 MB for the package and 6 GB for storing updates; SUS installs into the 'Default Web Site' and stores all its data there
  • SUS notification is shown for Administrators only
  • If you have P III 700, 512Mb RAM SUS server can handle up to 15000 clients
  • The SUS server is not set to synchronize with the Windows Update site by default; the administrator must schedule synchronization or run it manually
[5.16] Services
  • HTTP - hypertext transfer protocol TCP port 80
  • HTTPS - HTTP over SSL/TLS, TCP port 443
  • SMTP - TCP port 25. Files stored in LocalDrive:\Inetpub\Mailroot
  • SNMP - simple network management protocol used to provide information about TCP/IP hosts, UDP port 161.
  • FTP - supports only anonymous and basic authentication, so credentials and data cross the network in clear text. TCP port 21 (control), TCP port 20 (data, active mode). Files stored in LocalDrive:\Inetpub\Ftproot
  • POP - TCP port 110
  • DNS - UDP port 53 (queries), TCP port 53 (zone transfers and responses too large for UDP)
  • NNTP - TCP port 119. Files stored in LocalDrive:\Inetpub\Nntpfile\Root
  • PPTP - Point-to-Point Tunneling Protocol, TCP port 1723 for control plus GRE (IP protocol 47) for the tunnelled data
  • L2TP/IPSec - UDP port 500 (IKE), UDP port 1701 (L2TP, carried inside the IPSec tunnel), UDP port 4500 (IKE NAT traversal), plus ESP (IP protocol 50)
[5.17] Other points
  • By default Windows 2003 Server uses 25% of RAM for system cache (Windows 2003 server assumes it will be a file server)
  • DOS and 16-bit programs run inside NTVDM processes; 64-bit Windows editions cannot run 16-bit programs.
  • You should assign more RAM for the system cache if server is a file server

Part 6: Managing and implementing disaster recovery

[6.1] Overview
  • Document everything in your plan, test your plan
  • Possess a 'recovery toolkit' with backup utilities, system utilities, etc.
  • Make sure you backup:
    • User data
    • Critical system files
    • Critical applications
  • Recovery point objective - how much data can we afford to lose? Most medium-sized companies are fine with losing up to 24h of data, so a daily backup is OK.
  • Recovery time objective - how long it takes to bring the affected systems back
  • Hot sites are ultimate backup solution (a hot site can take on all functions of the current site, is kept synchronized and is in a different physical location)
  • Backup files have .bkf extension
  • When files are backed up they retain all of their original attributes including encryption
  • File attributes are lost when you restore backup to a FAT volume
[6.2] Backup types
  • Normal (full) - backs up all selected data and clears the archive bit.
  • Incremental - backs up only files whose archive bit is set (changed since the last normal or incremental backup) and clears the bit. Restoring means chaining the last normal backup plus every incremental taken since. Fastest to back up, slowest to restore.
  • Differential - backs up only files whose archive bit is set but does not clear it, so each differential contains everything changed since the last normal (or incremental) backup. Restore needs only the last normal plus the last differential.
  • Copy - like a normal backup but neither clears nor sets archive bits, so it does not disturb a normal/incremental rotation. Used for archiving or for an extra backup between the scheduled ones.
  • Daily - backs up only files modified on the day of the backup. Does not clear the archive bit.
  • You can exclude files from being backed up
  • System state - boot and system files, AD database (if DC), SYSVOL directory (if DC), COM+ Class Registration database, registry, Cluster service information (if the server is part of a cluster), Certificate Services database (if installed), IIS metabase (if installed). System state can only be backed up and restored on the local computer.
  • All backed up files keep their file attributes, unless you are restoring to FAT
  • For command prompt use: ntbackup.exe
  • NTBackup cannot write directly to CD-R or DVD-R; back up to a .bkf file and burn that instead
  • When NTBackup creates a backup set it also creates a listing of files and folders included on the set, called a catalog. It is stored on both the disk of the server and the backup set itself.
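The archive-bit rules above, as an added example that is not part of the exam guide: a simulation of a week of backups (normal, incremental, differential, copy) showing which files each type selects, which types clear the bit, and which sets a restore must then chain. The file names and the sequence of changes are constructed for illustration.

```python
# Added example (not from the exam guide): a simulation of how the archive
# attribute drives ntbackup's backup types and which sets a restore must chain.
# File names and the week of changes are constructed for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass
class FileEntry:
    name: str
    modified: date
    archive: bool = True      # set by Windows whenever a file is created or changed


def touch(files: list, name: str, day: date) -> None:
    """Simulate a user modifying (or creating) a file: sets the archive attribute."""
    for f in files:
        if f.name == name:
            f.modified, f.archive = day, True
            return
    files.append(FileEntry(name, day, True))


def run_backup(kind: str, files: list, today: date) -> list:
    """Return the names ntbackup would write for this backup type and update the
    archive attributes the way that type does."""
    kind = kind.lower()
    if kind in ("normal", "copy"):
        selected = [f.name for f in files]
    elif kind in ("incremental", "differential"):
        selected = [f.name for f in files if f.archive]
    elif kind == "daily":
        selected = [f.name for f in files if f.modified == today]
    else:
        raise ValueError(f"unknown backup type {kind!r}")
    if kind in ("normal", "incremental"):      # only these two clear the bit
        for f in files:
            f.archive = False
    return sorted(selected)


def restore_sets(history: list) -> list:
    """Indexes into history (a list of (kind, names)) that a full restore needs:
    the last normal, every incremental after it, and the last differential taken
    after the last of those incrementals. Copy and daily sets are not in the chain."""
    last_normal = max(i for i, (kind, _) in enumerate(history) if kind == "normal")
    needed, last_diff = [last_normal], None
    for j in range(last_normal + 1, len(history)):
        kind = history[j][0]
        if kind == "incremental":
            needed.append(j)
            last_diff = None          # the incremental captured what the differential had
        elif kind == "differential":
            last_diff = j
    if last_diff is not None:
        needed.append(last_diff)
    return needed


def simulate_week() -> list:
    """Mon: normal; Tue: incremental; Wed/Thu: differential; Thu evening: copy; Fri: incremental."""
    def day(n: int) -> date:
        return date(2004, 6, 14 + n)

    files = [FileEntry(n, day(0)) for n in ("budget.xls", "memo.doc", "plan.ppt")]
    history = []
    history.append(("normal", run_backup("normal", files, day(0))))
    touch(files, "budget.xls", day(1))
    touch(files, "memo.doc", day(1))
    history.append(("incremental", run_backup("incremental", files, day(1))))
    touch(files, "plan.ppt", day(2))
    history.append(("differential", run_backup("differential", files, day(2))))
    touch(files, "notes.txt", day(3))
    history.append(("differential", run_backup("differential", files, day(3))))
    history.append(("copy", run_backup("copy", files, day(3))))      # archiving copy, bits untouched
    touch(files, "budget.xls", day(4))
    history.append(("incremental", run_backup("incremental", files, day(4))))
    return history


if __name__ == "__main__":
    hist = simulate_week()
    for i, (kind, names) in enumerate(hist):
        print(i, kind, names)
    print("restore these sets in order:", restore_sets(hist))
```

Note how Thursday's differential is larger than Wednesday's (nothing cleared the bits in between) and how the copy backup on Thursday evening changes nothing about Friday's incremental.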
[6.3] Backup log
  • By default 10 backup logs are kept on the server
  • There are three logging options:
    • No log
    • Summary log (default)
    • Detailed log
[6.4] Restore options
  • Do not replace files (default)
  • Replace only if the file on disk is older
  • Always replace files
  • Restore location options:
    • Restore to alternate location
    • Restore to single folder
    • Restore to original location
[6.5] Authoritative vs. normal (non-authoritative) vs. primary restore
  • DCs use update sequence numbers (USNs) to decide which replica holds the newest version of an object
  • An authoritative restore raises the USNs of the restored objects so that they replicate out and overwrite the copies held by the other DCs
  • Use an authoritative restore when something was deleted from AD by mistake and must come back on all DCs; a normal restore would simply be overwritten again by replication
  • ntdsutil.exe is used, after the restore, to mark the whole database or specific objects/subtrees as authoritative
  • A primary restore rebuilds a domain from backup when the only DC, or all DCs, in the domain have failed
  • Select primary restore only when restoring the first replica set (SYSVOL) to the network
[6.6] Running normal (non-authorative restore) steps
  • Restart the DC, press F8 and choose Directory Services Restore Mode; log on as the local Administrator with the DSRM password
  • Run ntbackup.exe and restore the system state backup. When the restore completes, restart the DC. Normal replication then brings it up to date, so deletions made after the backup are replicated back in.
[6.7] Running authorative restore steps
  • Perform the steps of [6.6] but do not reboot after the restore
  • Start ntdsutil.exe and type 'authoritative restore'
  • At the authoritative restore prompt type 'restore database' to mark everything, or 'restore subtree <distinguished name>' to mark only one object or OU
  • Quit ntdsutil and reboot the DC
[6.8] Running primary restore steps
  • Proceed as in normal (non-authorative) restore, but when restoring replicated data sets, mark the 'restored data as the primary data for all replicas' box
[6.9] Boot problems
  • Hit F8 for boot menu during startup
  • Last Known Good Configuration boots with the control set (HKLM\SYSTEM\ControlSetNNN: services and driver settings) that was saved at the last successful logon
  • Last Known Good is only useful if nobody has logged on since the problem arose, because a successful logon overwrites the saved control set with the current one
  • Booting into Safe Mode does not update the Last Known Good control set, so you can try Safe Mode first without losing it
  • To access recovery console: 'winnt32.exe /cmdcons' - this places recovery console option into boot.ini
  • Recovery console is good for missing boot files
  • Can run recovery console from Windows 2003 CD, to run console from CD boot from CD and press R (repair installation)
  • When boot files are missing you will have to copy new ones from installation CD
  • Directory services restore mode:
    • This is like a safe mode for a domain controller
    • Active directory is not started
[6.10] Advanced boot options
  • Safe mode - in boot.ini /safeboot:minimal /sos /bootlog /noguiboot
  • Safe mode with networking - in boot.ini /safeboot:network /sos /bootlog /noguiboot
  • Safe mode with command prompt - in boot.ini /safeboot:minimal(alternateshell) /sos /bootlog /noguiboot
  • Enable boot logging - in boot.ini /bootlog
  • Enable VGA mode - in boot.ini /basevideo
  • Last known good configuration - chosen from the F8 menu; there is no boot.ini switch for it
  • Directory services restore mode (Windows domain controllers only) - in boot.ini /safeboot:dsrepair /sos
  • Debugging mode - in boot.ini /debug
[6.11] ASR - Automated system recovery
  • Replaces ERD (emergency repair disk)
  • Stores system state data
  • Need Windows 2003 CD and ASR floppy to do a clean install and apply system settings
  • ASR is needed to recover from boot failures
  • To create ASR disk either run ntbackup.exe from command prompt or go to: start -> all programs -> accessories -> system tools ->backup
  • Using ASR recovers the system up to the point ASR was created
  • If you create ASR for system without floppy files are saved to the %systemroot%\repair folder on the server. ASR restore will not work without a floppy drive and the floppy disk.
  • To perform an ASR recovery you need:
    • ASR floppy disk
    • ASR Backup set
    • Windows 2003 setup CDROM
[6.12] Best practices for backup
  • Develop backup and restore strategies and test them; train people.
  • Always create an Automated System Recovery (ASR) backup set when the operating system changes
  • Always choose to create a backup log for each backup
  • Keep at least three copies of the backup media. Secure both the storage device and the backup media.
  • Perform a trial restoration periodically to verify that your files were properly backed up
  • Use volume shadow copies when performing a backup (default setting)
[6.13] Other points
  • System state data can only be restored and backed up locally (there are 3rd party software utilities that can restore and backup over the network)
  • 'Last known good configuration' recovers from most stop errors caused by a bad driver or service change, provided nobody has logged on since, BUT the server must get as far as the boot menu; if a boot file such as ntldr is missing you need the recovery console or ASR instead
  • After a major hardware change such as a motherboard replacement you will usually have to reinstall Windows Server 2003 (or run ASR) and then restore the system state, so that the server keeps its original identity (SID, domain membership and configuration)
  • The Directory Services Restore Mode password (set during dcpromo) is separate from the domain Administrator password
  • For problems with boot files use recovery console and copy needed files over from the CD

Part 7: Active directory primer

[7.1] The operations master roles (FSMO (Flexible Single Master Operations) roles)
  • Every forest must have the following roles: Schema master and Domain naming master
  • Every domain in the forest must have the following roles: PDC emulator master, RID master and Infrastructure master
  • Each role is held by exactly one DC in its scope (forest or domain) at any time
  • Domain naming master - addition or removal of domains in the forest
  • Infrastructure master
    • Responsible for updating references from objects in its domain to objects in other domains
    • Compares its data with that of a global catalog
    • Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog.
  • Primary domain controller (PDC) emulator master
    • Needed by down-level clients (Windows 9x and NT 4.0 without the AD client software) and by any Windows NT BDCs still in the domain
    • The PDC emulator is the time source for all other DCs in its domain; the forest root domain's PDC emulator is the time source for the whole forest
    • External time source net time \\ServerName /setsntp:TimeSource
    • If a logon authentication fails at another DC due to a bad password, that DC will forward the authentication request to the PDC emulator before rejecting the logon attempt since PDC emulator gets preferential treatment
    • Supports both NTLM and Kerberos authentication
  • Relative ID (RID) master - allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain
  • Schema master - all updates and modifications to the schema. To transfer the role with the Active Directory Schema snap-in you must first register the snap-in's DLL (regsvr32 schmmgmt.dll)
[7.2] AD troubleshooting and seizing a FSMO role
  • Use ntdsutil.exe to transfer FSMO roles
  • Use ntdsutil.exe utility for AD related tasks
  • Do not seize the FSMO role if you can transfer it instead. Seizing the FSMO role is a drastic step that should be considered only if the current operations master will never be available again.
  • Before seizing the chosen FSMO role, use the repadmin utility to verify whether the new operations master has received any updates performed by the previous role holder, and then remove the current operations master from the network.
[7.3] Other AD information
  • Dcpromo.exe promotes a member server to a DC and demotes a DC back to a member server
  • A global catalog is a DC that stores a copy of all AD objects in a forest. It stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. It is managed from 'Active Directory Sites and Services'.
  • Netdom - This command-line tool enables administrators to manage Windows 2003 and Windows 2000 domains and trust relationships from the command line (need support tools suptools.msi)
  • The DS*.exe family of tools
    • Dsadd - adds a computer, contact, group, organization unit, or user to a directory
    • Dsmove - moves any object from its current location in the directory to a new location, as long as the move can be accommodated within a single domain controller, and renames an object without moving it in the directory tree
    • Dsquery - queries and finds a list of computers, groups, organizational units, servers, or users in the directory by using specified search criterion
    • Dsrm - deletes an object of a specific type or any general object from the directory
    • Dsget - displays selected attributes of a computer, contact, group, organizational unit, server or user in a directory
    • Dsmod - modifies an existing object of a specific type in the directory
[7.4] Other GP information
  • GPUpdate - refreshes local GP settings and GP settings that are stored in AD, including security settings
  • Order in which Group Policies get applied: Local computer, Site, Domain, OU. This means that Site GP are more relevant than Local, Domain more relevant than Site and OU the most relevant.
  • OU is the smallest scope to which you can delegate authority or apply GP against
  • RSoP.msc - Resultant set of Policies is a GP tool that can be loaded as a Management Console snap-in. Resultant set of policies is the final set of policies that is applied to the user and computer.
  • Gpedit.msc - GP editor MMC
[7.5] DHCP
  • Dhcploc.exe - displays the DHCP servers active on the subnet including unauthorized servers
  • DHCP server must be authorized in the AD before it can give out addresses
  • IP autoconfiguration - when PC does not get IP address from DHCP it by default autoconfigures itself to address in range 169.254.x.x
[7.6] Other points
  • Whoami - returns domain name, computer name, user name, group names, logon identifier, and privileges for the user who is currently logged on
  • Removable Storage makes it easy to track your removable media (tapes and optical disks). Use the rsm.exe command-line utility
  • Media pool description:
    • Blank or Foreign tape - unrecognized
    • Newly formatted tape - free
    • Tapes previously used by NTBackup - backup
    • Tapes not cataloged - import
  • Windows File Protection (WFP) - prevents the replacement of protected system files such as .sys, .dll, .ocx, .ttf, .fon, and .exe files. Turned on by default. Original files are stored in %SYSTEMROOT%\system32\dllcache
  • Systeminfo.exe (command line) or msinfo32 (start it from the Run dialog; it is not in the system path, so a plain command prompt will not find it) can be used to display system information
  • MBSA Microsoft Baseline Security Analyzer
    • mbsacli.exe for command line, mbsa.exe for GUI
    • Windows NT 4.0 Service Pack 4 (SP4) and later (remote scan only), Windows 2000, XP, 2003
    • IIS 4.0, 5.0, 5.1 or 6.0 are supported by scan
    • Internet Explorer 5.01 or later are supported by scan
    • SQL 7.0, 2000 are supported by scan
    • Office 2000, Office XP, or Office 2003 are supported by scan
    • Security update checks, password checks, Windows system check
  • Regedit.exe - used to edit registry (only one editor in 2003)
  • Runas is also known as secondary logon; the Secondary Logon service must be running to use it. This command-line utility runs a program in a different user's security context. For example, an administrator who is logged on as a regular user and needs to run a system utility that requires administrative privileges can, instead of logging out and back in as an administrator, use: runas /user:ComputerName\UserName "program name" (or /user:DomainName\UserName for a domain account)
  • qchain.exe is used for multiple hot fixes (so as not to have to restart server multiple times)

#931 From: Testking_Mcse@yahoogroups.com
Date: Sun Dec 13, 2009 9:06 am
Subject: File - Microsoft exam 70-270 preparation guide.html

Microsoft exam 70-270 preparation guide

Contents:

Part 1: Getting started with Windows XP Pro
Part 2: Automating installation
Part 3: Upgrading to Windows XP
Part 4: Configuring Windows XP Pro environment
Part 5: Managing the Desktop
Part 6: Managing users and groups
Part 7: Managing security
Part 8: Managing disks
Part 9: Accessing files and folders
Part 10: Managing network connections
Part 11: Managing printing
Part 12: Dial-up networking and Internet
Part 13: Optimizing Windows XP Pro
Part 14: Performing system recovery

Preface

I have written this short preparation guide as a way for myself to ease studying for the Microsoft 70-270 exam titled: "Installing, configuring and administrating Microsoft Windows XP Professional". I provide this guide as is, without any guarantees, explicit or implied, as to its contents. You may use the information contained herein in your computer career, however I take no responsibility for any damages you may incur as a result of following this guide. You may use this document freely and share it with anybody as long as you provide the whole document in one piece and do not charge any money for it. If you find any mistakes, please feel free to inform me about them Tom Kitta. Legal stuff aside, let us start.

Guide version 0.12 last updated on 24/05/2004

Part 1: Getting started with Windows XP Pro

[1.1] Windows XP Professional hardware requirements
  • Processor minimum P233, recommended PII 300
  • RAM minimum 64Mb, recommended 128Mb
  • Disk Space minimum 1.5Gb, recommended 2Gb
  • Network needed if installing using it
  • Display minimum SVGA 800x600 or better
  • Peripheral devices: keyboard and mouse (or other pointing device)
  • CD-ROM or DVD-ROM if installing from CD, recommended 12x or faster
  • Floppy drive if you intend to use ASR (Automated System Recovery)
  • Windows XP Professional supports up to 2 CPUs, while Windows XP Home Edition supports only 1; there are no other hardware requirement differences between the editions
[1.2] Windows XP Professional install steps
  • Collecting information
    • Insert Windows XP CD and reboot the PC
    • Setup starts when you boot from the CD. Press F6 to load a third-party mass-storage driver, F2 to start Automated System Recovery
    • A welcome dialog box appears, press enter to install XP, R for repair of XP installation, F3 to quit
    • Licensing agreement, F8 to accept, ESC to refuse
    • Partitions screen appears
    • Copying of setup files
    • Remove CD and reboot PC
  • Installing Windows
    • Regional settings, choose locale (numbers, currencies, dates and times view options) and keyboard layouts
    • User name and organization screen
    • Product key screen, 25 character key
    • Computer name
      • up to 15 bytes for NetBIOS compatibility
      • 1 byte is 1 character in most languages (2 in say Chinese)
      • FQDN has a limit of 155 bytes for DC in Windows 2000/2003 (255 bytes in NT 4.0)
      • Computer name has a limit of 63 bytes
      • Computer name has to be unique on the network
    • Administrative password
    • If you have a plug and play modem, you set it up now
    • Date and time
    • Network settings
    • Work group name or domain affiliation
    • Automated finishing tasks
[1.3] Install options
  • For clean install/upgrade on computers running win 3.x or DOS (16 bit systems) use winnt.exe
  • For install/upgrade on computers running 32 bit OS use winnt32.exe
[1.4] After installation
  • The default network setup is for the Windows XP to be a DHCP client
  • You need to activate your product within 30 days unless you have corporate licence
  • After 30 days you will not be able to logon to your PC without activation if you log out or restart your PC (you will still be able to access your PC in safe mode without network support)
  • Activation can be done over the phone or online
  • There are three log files created after installation
    • %systemroot%\setupact.log - installation actions log
    • %systemroot%\setuperr.log - errors that occurred during installation
    • %systemroot%\debug\netsetup.log - network-related log (e.g. domain joining)
[1.5] Support for multiboot
  • Windows XP configures multiboot automatically if it detects a compatible (Microsoft) OS and you choose the clean-install option
  • Do not use dynamic disks or NTFS if the other OS doesn't support them
  • Windows XP cannot read DriveSpace/DoubleSpace-compressed volumes from Windows 9x (NTFS compression as used by Windows NT 4.0 is readable)
[1.6] Joining a domain
  • You can pre-authorize a computer in the AD
  • Or, you can enter the user name and password of a domain user who holds the 'Add workstations to domain' user right (or has Create Computer Objects permission on the container) to add the computer to AD during setup
[1.7] Laptop special Windows XP features
  • Credential manager
  • Clear type
  • Hot docking
[1.8] Other points
  • Hardware compatibility list (HCL) http://www.microsoft.com/hcl/ now Windows catalog http://www.microsoft.com/windows/catalog/
  • If hardware is not found in the Windows catalog you will not get any support from Microsoft
  • A BIOS with ACPI (Advanced Configuration and Power Interface) support is preferred; APM (Advanced Power Management) is the older BIOS power-management interface that ACPI replaces
  • If you are upgrading from Windows 98/Me check whether there are Windows XP drivers for your hardware, since 98/Me drivers are VxDs (virtual device drivers) and don't work on Windows XP
  • You can upgrade from Windows 98/Me/NT4/NT3.51/2000 Pro (due to a bug win95 will qualify as upgrade media but only for clean install)
  • System partition is the location of the files needed for Windows XP to boot; it needs very little space and by default is the active partition
  • Boot partition is the location of Windows XP OS (all files)
  • Note that Microsoft changed the default directory for installation from WINNT to WINDOWS
  • Installation files are in \I386 directory on the CD
  • WFP - Windows file protection is used to protect Windows system DLL files from modification, files are stored in %SystemRoot%\System32\Dllcache
  • Sfc.exe (System File Checker) - sfc /scannow verifies the versions of all protected system files immediately; /scanonce checks them at the next boot and /scanboot at every boot
  • Dynamic update runs during installation of Windows XP. You can disable it with /dudisable switch of winnt32, /duprepare:pathname to prepare network share for dynamic update files, /dushare:pathname to specify network share with dynamic update files.

Part 2: Automating installation

[2.1] Types of automated installation
  • Remote Installation Service (RIS) introduced in Windows 2000 - for use with multiple PCs for automatic deploy
  • Disk imaging (cloning) which uses reference PC - for use with PCs that have similar hardware
  • Unattended installation - use when you have lots of PCs with network cards that are not PXE-compliant
[2.2] Create answer files with Setup manager
  • Answer files are automated installation scripts used to answer the questions that appear during a normal Windows XP Professional installation
  • Answer files are used with all methods of unattended installations. To create answer files you use Setup manager (setupmgr)
  • To use setup manager you need to extract it from \support\tools\deploy.cab found on installation CD
  • There is a sample answer file on the installation CD, unattend.txt
  • Through answer file you can configure
    • Mass storage devices
    • Plug and Play devices
    • HALs
    • Set passwords
    • Configure language, regional, and time zone settings
    • Display settings
    • Converting to NTFS
    • Installing applications can choose from the following options
      • Use cmdlines.txt to add applications during GUI portion of the setup
      • Within answer file configure [GuiRunOnce] section to install an application the first time a user logs on
      • Create a batch file
      • Use the Windows installer
      • Use sysdiff tool to install applications that don't have automated install procedures
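An answer file is also where secrets and identity settings end up, so here is an added example (not part of the exam guide) that audits one before it goes onto a distribution share: it flags a clear-text AdminPassword, automatic logon, a clear-text domain-join password, [GuiRunOnce] commands, and a ComputerName longer than the 15 NetBIOS bytes described in [1.2] (bytes, not characters). The unattend.txt content, the domain and account names in it are constructed; the section and key names are the real Setup Manager ones.

```python
# Added example (not from the exam guide): a check of an unattend.txt answer file
# for the things a security reviewer cares about before it is pushed to a
# distribution share. The answer file and the names in it are constructed;
# the section and key names are the real Setup Manager ones.
import configparser

SAMPLE_UNATTEND = r"""
[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
TargetPath=\WINDOWS
FileSystem=ConvertNTFS

[GuiUnattended]
AdminPassword="P@ssw0rd"
EncryptedAdminPassword=No
AutoLogon=Yes
AutoLogonCount=1
TimeZone=20

[UserData]
FullName="Lab User"
OrgName="Example Corp"
ComputerName=WORKSTATION-LAB-01

[Identification]
JoinDomain=CORP
DomainAdmin=CORP\joinacct
DomainAdminPassword="J0in!Me"

[GuiRunOnce]
Command0="cmd /c net localgroup administrators CORP\helpdesk /add"
"""


def load_answer_file(text: str) -> configparser.ConfigParser:
    """Answer files are INI style. interpolation=None keeps '%' literal and
    strict=False tolerates the repeated keys hand-edited files sometimes contain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp


def get_value(cp: configparser.ConfigParser, section: str, key: str) -> str:
    """Value with surrounding quotes removed, or "" when the key is absent."""
    if cp.has_section(section) and cp.has_option(section, key):
        return (cp.get(section, key) or "").strip().strip('"')
    return ""


def netbios_name_bytes(name: str) -> int:
    """NetBIOS names are limited to 15 bytes, not 15 characters: count UTF-8 bytes."""
    return len(name.encode("utf-8"))


def audit_answer_file(text: str) -> list:
    """Return a list of finding codes for the answer file."""
    cp = load_answer_file(text)
    findings = []
    pw = get_value(cp, "GuiUnattended", "AdminPassword")
    encrypted = get_value(cp, "GuiUnattended", "EncryptedAdminPassword").lower() == "yes"
    if pw and pw != "*" and not encrypted:          # '*' means prompt during setup
        findings.append("ADMIN_PASSWORD_CLEARTEXT")
    if get_value(cp, "GuiUnattended", "AutoLogon").lower() == "yes":
        findings.append("AUTOLOGON_ENABLED")        # unattended Administrator logons after setup
    if get_value(cp, "Identification", "DomainAdminPassword"):
        findings.append("DOMAIN_JOIN_PASSWORD_CLEARTEXT")   # use a least-privilege join account
    name = get_value(cp, "UserData", "ComputerName")
    if name and name != "*" and netbios_name_bytes(name) > 15:
        findings.append("NETBIOS_NAME_TOO_LONG")    # '*' lets setup generate a name
    if cp.has_section("GuiRunOnce") and cp.options("GuiRunOnce"):
        findings.append("GUIRUNONCE_COMMANDS_PRESENT")      # review: they run at first logon
    return findings


if __name__ == "__main__":
    for code in audit_answer_file(SAMPLE_UNATTEND):
        print(code)
```

Anyone who can read the distribution share can read these passwords, which is why the share's NTFS permissions matter as much as the answer file itself, and why EncryptedAdminPassword=Yes (or AdminPassword=* to prompt) and a dedicated join account are the sensible defaults.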
[2.3] Using RIS (Remote Installation Service)
  • You can configure RIS server to distribute 2 types of images:
    • CD based image
      • Contains only Windows XP OS
      • Copies all files to the target PC before commencing installation of the Windows XP OS
      • Created automatically during installation of RIS
    • A Remote Installation Preparation (RIPrep) image
      • Can contain both Windows XP OS and applications
      • This image is based on a pre-configured computer
      • Copies only files needed for installation on given PC, thus faster than CD based image which copies everything
      • Can be deployed to the clients that have the same HAL and HD controller
      • Must be created manually, not automatic like CD based image
  • For RIS you need DHCP, DNS and AD configured on your network
  • RIS server uses Boot information negotiation layer (BINL) for initial contact, then TFTP is used to transfer bootstrap image
  • RIS and DHCP server need to be authorized in AD, RIS server is authorized through DHCP manager
  • The following services are run as part of RIS: BINL, SIS, SIS Groveler, TFTP
  • To configure RIS server use risetup.exe
  • NTFS is required to store image files with at least 2Gb free space on separate from OS partition
  • RIS template files are used to specify installation parameters, default file is ristndrd.sif
  • You need following user rights to install images using RIS
    • Create Computer accounts
    • Logon as batch job (Administrator doesn't have this right by default)
  • For non-PXE network cards use rbfg.exe utility to create RIS boot disk (this utility doesn't support all network cards)
[2.4] Using disk images
  • Uses reference computer HD image that needs to prepared first with sysprep which needs to be extracted from deploy.cab found in installation CD
  • Source and target computer must satisfy
    • Both computers must have the same HD controller
    • Both computers must have the same HAL
    • Plug and Play devices may not be the same as long as there are drivers for all of them
  • You will need to extract sysprep utility from the deploy.cab
  • Sysprep strips user personal data from the installation image
  • After you copy the installation image to the destination PC a mini wizard runs (unless you have an answer file)
  • Sysprep modes:
    • Audit: allows for the verification of hardware and software installation by a system builder while running in factory floor mode. Audit boots allow a system builder to reboot after factory floor mode has completed its automated pre-install customization, in order to complete hardware and software installation and verification, if necessary.
    • Factory: allows for the automated customization of a pre-install on the factory floor by using a Bill of Materials file to automate software installations, software, and driver updates, updates to the file system, the registry, and INI files such as Sysprep.inf. This mode is invoked via the "sysprep -factory" command.
    • Reseal: is run after an original equipment manufacturer (OEM) has run Sysprep in factory mode and is ready to prepare the computer for delivery to a customer. This mode is invoked via the "sysprep -reseal" command.
    • Clean: Sysprep will clean the critical device database. The critical device database is a registry listing of devices and services that have to start in order for Windows XP to boot successfully. Upon setup completion, the devices not physically present in the system are cleaned out of the database, and the critical devices present are left intact. This mode is invoked via the "sysprep -clean" command.
[2.5] Unattended installation
  • With this method you use a distribution server (or the Windows XP installation CD) to install Windows XP on the target PC
  • The distribution may have answer file
  • The target computer must be able to connect to the distribution server over the network (if used)
  • End user interaction levels:
    • Fully automated installation
    • GUI attended installation
    • Read only installation
    • Hide pages installation
    • Provide defaults installation
[2.6] Installing applications with Windows Installer Packages
  • Microsoft installer (MSI) files - provided by software vendor
  • Repackaged application (MSI) - do not include native Windows installer packages, used to provide applications that can be cleanly installed
  • ZAP files - used when you don't have MSI files and install applications using native setup program
  • MSP files (modification files) - provide paths to installed Microsoft software, must be assigned to MSI file at deployment
  • Windows installed packages work as
    • Published applications - not advertised, can be installed through Add/Remove programs. They can also be installed through opening of a document that uses uninstalled published application.
    • Assigned applications - advertised through programs menu, installed next time user starts the PC, before log on prompt appears
  • Please note that Windows Installer packages cannot be published to computers in Windows XP, all other options are OK, i.e. you can assign applications to computers and assign/publish applications to users
  • You can create your own MSI files using VERITAS Software Console or WinINSTALL LE Discover
  • You create GPO for MSI package which is to be published or assigned. If it is for a user, User Configuration\Software Settings\Software, if it is a computer Computer Configuration\Software Settings\Software
  • Using AD you can uninstall old application, upgrade on top of old application. Computers can accept only mandatory upgrades, users support both optional and mandatory upgrades.
  • If you have multiple versions of the same software, you will need to configure the install order and/or whether it is a mandatory install
  • You need AD to deploy packages which are found on a share on a file server
  • Msiexec.exe - provides the means to install, modify, and perform operations on Windows Installer from the command line. For example you can force end user to enter CD key for the software that is being installed

Part 3: Upgrading to Windows XP

[3.1] Upgrade general points
  • You can upgrade from Windows 98/Me/NT4/NT3.51/2000 Pro (Windows Home edition can upgrade only from 98/Me/2000). There is a bug on the CD that allows a clean install if a Windows 95 CD is provided.
  • Choose upgrade if you want to keep existing applications and preserve current local users and groups
  • Clean install will allow you to multiboot
  • Upgrade from Windows NT/2000 Pro is easier than from 98/Me due to their similarity to XP
  • You can generate Windows XP compatibility report winnt32 /checkupgradeonly
  • Upgrade your BIOS so you can use advanced power features and device configurations
  • Before the upgrade remove or disable any client software like virus scanners or network services
  • If older applications fail to run on Windows XP due to security issues, use compatws.inf template
  • Upgrade of Windows 98/Me can be undone using osuninst.exe or through add and remove programs control panel
  • For upgrade you have a choice of Express upgrade or Custom upgrade
[3.2] Unsupported by upgrade Windows 9x software properties
  • File system applications
  • Custom plug and play solutions
  • Custom power management solutions
  • Third party disk compression utilities, defragmenters (Windows NT and 2000 as well)
  • Partitions compressed with DriveSpace or DoubleSpace are not supported
[3.3] Migrating user data
  • User state management tool (USMT) is used for migration of users from one computer to another
  • ScanState.exe - collects user data and settings information based on the configuration of the Migapp.inf, Migsys.inf, Miguser.inf, sysFiles.inf
  • LoadState.exe - deposits information collected on the source computer to a PC running copy of Windows XP. Cannot be used on a computer that was upgraded to Windows XP.
  • Supports Windows 95/98/Me/2000 to XP
  • F.A.S.T.
    • Files and Settings Transfer Wizard (F.A.S.T.) It is one of the least known new features in Windows XP.
    • Supports all Windows versions from Windows 95 (with IE4) through Windows XP (XP as destination only)
    • Can be used as poor man's backup utility, creates a backup files that can be stored to HD or CD-RW
    • Can move user accounts one at a time, good for single users

Part 4: Configuring Windows XP Pro environment

[4.1] Windows image acquisition architecture
  • WIA is used to manage images between image capture devices and computer software applications
  • Supported devices
    • IEEE 1394
    • USB
    • SCSI
  • Devices connected through standard COM port or infrared connection are not supported by WIA
[4.2] Support for digital audio and video
  • Multichannel audio output
  • Acoustic echo cancellation (AEC)
  • Global effects (GFX)
[4.3] Microsoft Management Console (MMC)
  • The MMC is a utility used to create, save, and open collections of administrative tools that are called consoles
  • Access control options for MMC
    • Author mode - full customization of the MMC console
    • User mode-full access - as author mode, except that users cannot add or remove snap-ins, change console options, create Favorites, or create taskpads
    • User mode-limited access, multiple windows - access only to those parts of the console tree that were visible when the console file was saved. Users can create new windows but cannot close any existing windows.
    • User mode-limited access, single window - as 'user mode limited access, multiple windows' but users cannot create new windows
[4.4] Installing hardware
  • Plug and Play support
  • Non-plug and play devices can be installed using 'Add hardware wizard'
  • DVDs regional settings can be changed up to 5 times (hardware change, need new DVD-ROM after that)
[4.5] Device drivers
  • Accessed from 'Device manager'
  • You can update drivers
  • You can roll back drivers (new in Windows XP)
  • You can also uninstall driver
  • Driver signing:
    • Harmful driver install prevention
    • HCL - Hardware compatibility list, replaced by Windows catalog
    • Run d:\i386\winnt32 /checkupgradeonly from Windows XP CD to check hardware compatibility
    • Command line sigverif.exe is used to check drivers from command line
    • By default system is set to warn user if he or she is installing unsigned driver (other options are: ignore and block)
    • Driver signing can also be controlled from GP using object settings for local computer (or computer configuration for domain) choices are: Silently succeed, Warn but allow installation and Do not allow installation.
    • Unsigned driver means that the driver was not tested by Microsoft and is not supported by Microsoft. For most part these drivers are still OK
    • When driver is signed by Microsoft it and the hardware are tested by Microsoft
  • Some older devices (like CD-ROM etc.) plug into LPT port on the PC. You will need to set LPT port to "Legacy plug and play support" on port settings tab for older devices to work.
  • The easiest way to solve embedded device conflict with an add on device is to disable the on board device. For example, to use add on music card, you will need to disable on board music card
  • Many problems are caused by incorrect drivers, for example graphic card that displays only 800x600 resolution. Update driver to solve these problems.
  • Driver.cab on Windows XP CD contains all original Windows XP drivers
[4.6] Multiple display support
  • To avoid flickering, the monitor refresh rate should be set to at least 72Hz
  • Maximum of 10 monitors per PC
  • When you install a 2nd video card, the card built into the motherboard gets disabled and the new card becomes the primary display adapter
  • Secondary adapter has to support multiple-displays
[4.7] Computer power states
  • Complete shutdown of PC
  • Hibernation - saves all of the desktop state into a file which uses as much HD space as there is RAM in the system, to go back to active mode press power button
  • Standby (three levels on ACPI compliant PC)
    • Level one turns off the monitor and hard drives
    • Level two turns off the CPU and cache as well
    • Level three turns off everything but the RAM
  • Fully active PC
  • You configure standby through the Power options in Control panel. Levels 2 and 3 of standby are only available if an uninterruptible power supply (UPS) has been configured
  • Through power options you can also configure alerts when system is running on battery power and behaviour of power button
[4.8] PCMCIA (Personal Computer Memory Card International Association) Cards
  • Type I cards - are up to 3.3mm thick. Used for adding more RAM to the PC
  • Type II cards - are up to 5.5mm thick. Used for modem and network cards
  • Type III cards - are up to 10.5mm thick. Used for portable disk drives
[4.9] Configuring I/O devices
  • Through Keyboard properties you can configure typing delay and cursor behaviour as well as keyboard key layout
  • You need a keyboard in order to install Windows XP
  • Through Mouse properties you can configure mouse properties such as: speed, buttons, wheel and pointers
  • USB 2.0 supports up to 127 devices per root hub, up to 5 deep nested external hubs, transfer speeds up to 12Mbps. You can see power & bandwidth usage by checking out root properties.
  • USB supports two speeds, low and high, which use different cables
  • USB controllers require that an IRQ be assigned in the computer BIOS. Make sure you have newest BIOS and/or firmware.
  • Wireless devices, RF - Radio Frequency and IrDA - Infrared Data Association
[4.10] Windows registry
  • Windows registry is a database used by the OS to store system configuration
  • Regedit is used to edit the registry (regedt32 is just a pointer to that file)
  • There are five default keys in the Windows registry:
    • HKEY_CURRENT_USER - for user who is currently logged on the computer
    • HKEY_USERS - configuration data for all users of the PC
    • HKEY_LOCAL_MACHINE - computer hardware and software configuration, devices drivers and startup options
    • HKEY_CLASSES_ROOT - used by Windows explorer for file type to application association, software configuration data and OLE (object linking and embedding) data
    • HKEY_CURRENT_CONFIG - hardware profile that is used during system startup
[4.11] Remote desktop
  • Remote desktop connection = terminal services client
  • In Windows XP terminal services service is limited to single connection only. Service is disabled by default and has to be enabled through system properties Remote tab
  • Remote desktop depends on terminal services service
  • Windows XP Home Edition does not allow connections to it using Remote desktop, XP Pro allows only one connection
[4.12] Remote assistance
  • Remote assistance is available with all editions of Windows server 2003 and Windows XP
  • The person assisting the user has a concurrent session with logged in user
  • Logged in user has to authorize access
  • You can send an invitation from the 'Help and Support' menu. You can send invitations through e-mail using a MAPI enabled client, Microsoft Messenger or using a file. You need to supply a connection password.
  • You can also offer remote assistance to others (disabled in GP by default)
  • You can chat using text or voice, you can send and receive files
  • HelpAssistant account is used if help is given by another user, support_XXXX account is used if help is given by Microsoft staff
[4.13] Services
  • A service is a program, routine or a process that performs a specific function
  • Service startup types: automatic, manual and disabled
  • You can choose the account service uses to log on
  • When a service fails you can choose the OS to do one of the following options
    • Take no action
    • Restart the service
    • Run a file
    • Reboot the computer
  • SC.exe is used for communication with the service control manager
[4.14] HAL - hardware abstraction layer
  • Computer driver which is the interface to BIOS, kernel is built on top of this driver
  • You can choose HAL during install by pressing F5
  • Multiple processors - when installing a 2nd processor in a single processor system (UP - uni processor) you will need to update HAL for the CPU from single CPU to multiple CPU (SMP - symmetric multi processor driver)
  • Do not upgrade from standard HAL to ACPI (advanced configuration and power interface) HAL and vice versa
[4.15] Hardware profiles
  • Hardware profile consists of a set of instructions that instruct Windows as to which devices to start when computer starts and/or which settings to use for each device
  • By default a hardware profile called Profile 1 (for laptops, Docked Profile or Undocked Profile) is created
  • You can designate a default profile. If you want the default hardware profile to load automatically (without showing you the list during startup), enter a 0 in seconds under Hardware profiles selection. If you want to see the list anyway press the SPACEBAR during startup.
  • Windows will ask you which profile to use every time you start your computer if you have more than one profile and you don't specify a default profile with 0 wait time
  • You can also use hardware profiles as a debugging tool. For example, you can set up profiles that omit the hardware devices you suspect of being defective.
[4.16] Other hardware
  • Fax service - is used for faxing support, controlled through the fax applet in control panel when installed
  • Program compatibility wizard - accessed from Accessories, used to run programs in Windows 95, 98/Me, NT4, 2000 compatibility mode

Part 5: Managing the Desktop

[5.1] Customizing desktop
  • You can configure start menu and taskbar through 'Taskbar and Start menu properties'
  • 'Start menu' modifications are done to Windows XP theme, while 'Classic start menu' modifications are done to Windows 2000 theme
  • Display properties
    • You can select a different theme
    • You can display web page on your desktop or just a picture(s)
    • You can set up a screen saver
    • In appearance you can change many aspects of the chosen theme
    • In settings you can change aspects of video display adapter
  • Default Windows XP theme is also known as 'Luna'
  • Local profile is created when user logs on for the 1st time, consists of following folders: Desktop, NetHood, PrintHood, SendTo, Start Menu, Cookies, Favorites, Application Data
  • Notification area was previously named system tray
[5.2] Multilanguage technology
  • Unicode - international standard that allows support for the characters used in the world's most common languages
  • National language support API - is used to provide information for locale, character mapping and keyboard layout
  • Multilingual API - used to set up applications to support keyboard input and fonts from various language version of applications
  • Windows XP stores all language specific information in separate files from the OS files
[5.3] Multilanguage support
  • Support for two technologies
    • Multilingual editing and viewing which supports multiple languages while the user is viewing, editing and printing documents
    • Multilanguage user interface
  • Localized Windows XP - includes a fully localized user interface for the language that was selected. This version allows the user to view, edit and print documents in more than 60 languages. There is no support for a multilingual user interface.
  • Multilanguage Windows XP - provides user interfaces in several different languages. You will need to install the following files
    • Language groups - contain fonts and files needed to process specific language
    • Windows XP multilanguage version files - contain language content required by user interface and help files, can be up to 45Mb in size
  • Use muisetup.exe to set up the default user interface
  • Multilanguage version of Windows XP is not available in retail, need Windows volume licensing
  • On localized version of Windows XP you configure multiple languages through 'Regional and language options'
[5.4] Accessibility options
  • Configured through 'Accessibility options' in control panel
  • Keyboard settings:
    • StickyKeys - allows user to enter key combinations one key at a time
    • FilterKeys - ignores brief repeated keystrokes
    • ToggleKeys - user hears tones when toggling CAPS LOCK/NUM LOCK/SCROLL LOCK
    • MouseKeys - allows you to use the numeric keypad to control the mouse pointer
  • ShowSounds - instructs programs that convey information by sound to also provide information visually
  • SoundSentry - allows you to change settings to generate visual warnings
  • You can also set the time after which options are turned off and when they are turned on (like on user log on)
[5.5] Accessibility utilities
  • Accessibility wizard - adjusts the PC based on the user's vision, hearing and mobility needs
  • Magnifier utility - makes portion of the screen bigger for easier viewing
  • Narrator utility - employs text-to-speech technology to read the contents of the screen
  • On screen keyboard - has three different modes:
    • Clicking mode - user clicks the on-screen keys to type text
    • Scanning mode - on-Screen keyboard highlights areas where you can type characters
    • Hovering mode - use a mouse or joystick to point to a key for period of time to type character
  • Utility manager - starts and stops accessibility utilities, can start/stop utilities on user log on or when the PC is locked

Part 6: Managing users and groups

[6.1] Built-in Accounts
  • Administrator - full control over the PC, even if disabled can be accessed from safe mode, password provided during setup
  • Guest - for users that don't have a username and password on the system, disabled by default
  • Initial user - uses the name of the registered user and exists only if the computer is member of a workgroup not a domain, by default member of the administrative group
  • HelpAssistant - new in Windows XP, used together with remote assistance
  • Support_xxxxxxx - used by Microsoft for help and support services, disabled by default
[6.2] Logging on
  • There are two type of users, local and domain
  • Local user credentials are compared to the local security database, domain user credentials are checked against active directory stored on a domain controller
  • When user logs onto the system an access token is created
  • Local user credentials cannot be used to access network resources
[6.3] Managing users
  • You manage users through 'Local users and groups' MMC that can be accessed in two ways
    • Custom MMC
    • By right clicking on My computer and selecting 'manage'
  • User account consist of:
    • Name and password
    • SID (security identifier) - consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. SIDs are unique in the network.
    • Can have other attributes, like group membership
  • User names can be up to 256 bytes (characters) long and must be unique (different than other user names and group names)
  • User names cannot contain *{}\/:;,=|+?"<> and cannot be made of spaces and periods alone
  • User names are not case sensitive but passwords are
  • You can create users using net user
  • You have following user options:
    • User name (required field)
    • Full name (by default same as user name)
    • Description
    • Password textbox (up to 127 bytes (characters), 15 for NTLM)
    • Confirm password textbox
    • User must change password at next logon checkbox
    • User cannot change password checkbox
    • Password never expires checkbox
    • Account is disabled checkbox
  • You can set the following user properties
    • User profile path - stored in 'Documents and settings\%username%' folder, contains user preferences, and file ntuser.dat. In Windows NT 4.0 the path was \%systemdir%\profiles\%username%
    • Logon script - files that are run every time user logs into the PC
    • Home folder - is where users commonly store their personal files and documents
  • Password reset disk - use when user forgot their password. If you just reset the user password access to encrypted data will be lost.
  • Mandatory profiles can only be used with roaming profiles, they don't work with local profiles. Mandatory profiles can only be set up by an administrator
  • You can copy profiles using 'User profiles' tab of 'System properties'
  • UNC path - is in the format //computer_name/share_name
  • Renaming an account maintains all group membership, permissions, and privileges of the account. Copying a user account maintains group membership, permissions, and privileges assigned to its groups, but doing so does not retain permissions associated with the original user account. Deleting and re-creating an account with the same name loses all group membership and permissions.
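The SID split (domain SID plus RID) and the user naming rules above are easy to get wrong by hand, so here is an added Python example that is not part of the original guide. It splits an account SID of the S-1-5-21 form into its domain part and RID, labels the well-known RIDs (500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users), and checks a proposed user name against the length, forbidden-character, spaces-and-periods and case-insensitive uniqueness rules listed here. The SID values in the walkthrough are constructed, not taken from a real system.

```python
import re

# Characters the guide lists as forbidden in user names: *{}\/:;,=|+?"<>
FORBIDDEN_CHARS = set('*{}\\/:;,=|+?"<>')
MAX_NAME_BYTES = 256

# Well-known RIDs that Windows assigns to built-in accounts and groups.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}

# Account SIDs (domain or local computer) look like S-1-5-21-<3 sub-authorities>-<RID>.
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")


def split_sid(sid):
    """Split an account SID into (domain_sid, rid).

    The domain SID is everything before the last hyphen and is shared by every
    account created in that domain; the RID after it is unique per account.
    """
    if not ACCOUNT_SID_RE.match(sid):
        raise ValueError(f"not an account SID: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def describe_sid(sid):
    """Return the parts of a SID plus the well-known account name, if any."""
    domain_sid, rid = split_sid(sid)
    return {"domain_sid": domain_sid, "rid": rid, "well_known": WELL_KNOWN_RIDS.get(rid)}


def validate_user_name(name, existing_names=()):
    """Check a proposed user name against the naming rules in this section.

    Returns a list of violations; an empty list means the name is acceptable.
    existing_names holds the other user and group names on the computer.
    """
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        problems.append(f"longer than {MAX_NAME_BYTES} bytes")
    bad = sorted(FORBIDDEN_CHARS.intersection(name))
    if bad:
        problems.append("contains forbidden characters: " + "".join(bad))
    if name and set(name) <= set(" ."):
        problems.append("consists of spaces and periods only")
    # Names are compared case-insensitively (only passwords are case sensitive).
    if name.casefold() in {n.casefold() for n in existing_names}:
        problems.append("not unique among existing user and group names")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    print(describe_sid("S-1-5-21-1004336348-1177238915-682003330-500"))
    print(validate_user_name("j*doe"))
    print(validate_user_name("JDOE", existing_names=["jdoe", "Administrators"]))
```

Because the domain SID is identical for every account in the domain, only the RID distinguishes accounts; that is why the well-known RID 500 identifies the built-in Administrator even after the account has been renamed.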
[6.4] Built-in local groups
  • Administrators - full control over the PC
  • Backup operators - can only access file system through backup utility
  • Network configuration operators (new) - network settings
  • Guests - limited privileges
  • Power users - can add/remove users, create non-administrative shares, manage printers, start and stop services that are not started automatically
  • Remote desktop users (new) - members can logon remotely
  • Replicator - for directory replication used by domain servers
  • Users - run programs, print stuff, nothing special
  • HelpServices (new) - support through Microsoft Help services
[6.5] Special groups
  • Special groups are used by the system. Membership is automatic based on special criteria. You cannot manage these groups.
  • Creator Owner - the account that created or took ownership of an object
  • Creator - the group that created or took ownership of an object
  • Everyone - everyone that can possibly be accessing the PC, doesn't include the anonymous group
  • Interactive - users who use resources interactively (locally)
  • Network - users who access resources over the network
  • Authenticated users - users who access the PC using valid user name and password
  • Anonymous logon - users who access the PC through anonymous logon
  • Batch - user accounts that are only used to run a batch job
  • Dialup - users that logon to the network through dialup connection
  • Service - user accounts that are used only to run a service
  • Local System - system processes that access resources; processes running as the local system account are members of this group
  • Terminal server users - users who logon through terminal services
[6.6] Managing groups
  • Group names can be up to 256 bytes (characters) long, have to be unique and cannot contain '\'
  • Groups are used to manage and organize users. Add users to a group and then assign permission to the group

Part 7: Managing security

[7.1] Policies
  • Configured through 'Local computer policy' group policy, gpedit.msc MMC
  • Account policies are used to control logon procedures. If you want to control user after logging on, use local policies
  • Local policies are made up of
    • Audit policy - disabled by default
    • User rights assignment - too many to list here, see explanation underneath
    • Security options - also too many to list
  • Local policies are set for all users of the computer, you cannot single users out (you need AD for that)
[7.2] Password policy settings
  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Complexity requirement
  • Store passwords using reversible encryption
[7.3] Account lockout policy
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after X minutes
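The three lockout settings form a small state machine, shown here as an added Python example that is not from the guide: a bad-logon counter per account, a lock when the counter reaches the threshold, an unlock after the duration (duration 0 meaning locked until an administrator unlocks), and a counter reset once the reset window has passed since the last bad attempt. The `at()` clock and account names are constructed for the walkthrough.

```python
from datetime import datetime, timedelta


def at(minutes):
    """Constructed clock: minutes after 09:00 on 17 June 2004."""
    return datetime(2004, 6, 17, 9, 0) + timedelta(minutes=minutes)


class LockoutPolicy:
    """threshold=0 disables lockout; duration_minutes=0 means locked until an admin unlocks."""

    def __init__(self, threshold=5, duration_minutes=30, reset_minutes=30):
        self.threshold = threshold
        self.duration = timedelta(minutes=duration_minutes) if duration_minutes else None
        self.reset_after = timedelta(minutes=reset_minutes)


class LockoutTracker:
    def __init__(self, policy):
        self.policy = policy
        self.bad_attempts = {}   # account -> (count, time of the last bad attempt)
        self.locked_until = {}   # account -> unlock time, or None for "until admin unlocks"

    def is_locked(self, account, now):
        if account not in self.locked_until:
            return False
        until = self.locked_until[account]
        if until is not None and now >= until:
            # Account lockout duration has elapsed: unlock and clear the counter.
            del self.locked_until[account]
            self.bad_attempts.pop(account, None)
            return False
        return True

    def unlock(self, account):
        """Administrator unlock (the only way out when the duration is 0)."""
        self.locked_until.pop(account, None)
        self.bad_attempts.pop(account, None)

    def attempt(self, account, password_ok, now):
        """Record one logon attempt and return 'allowed', 'denied' or 'locked'."""
        p = self.policy
        if self.is_locked(account, now):
            return "locked"          # even the right password is refused while locked
        if password_ok:
            self.bad_attempts.pop(account, None)   # a good logon resets the counter
            return "allowed"
        count, last = self.bad_attempts.get(account, (0, None))
        if last is not None and now - last >= p.reset_after:
            count = 0                # "reset account lockout counter after X minutes"
        count += 1
        self.bad_attempts[account] = (count, now)
        if p.threshold and count >= p.threshold:
            self.locked_until[account] = now + p.duration if p.duration else None
            return "locked"
        return "denied"


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(threshold=3, duration_minutes=30, reset_minutes=30))
    for minute in range(4):
        print(minute, tracker.attempt("jdoe", False, at(minute)))
    print(33, tracker.attempt("jdoe", True, at(33)))
```

The reset window matters for slow guessing: the constructed `asmith` case in the test shows two bad attempts followed by a third 40 minutes later, which starts a fresh count instead of locking, so a low threshold with a long reset window is what actually limits sustained guessing.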
[7.4] Enabling auditing for files, folders and printers
  • You will need to enable auditing for object access policy
  • And you also need to enable auditing for individual files and folders through NTFS security or through printer security
  • Auditing data is placed into security log
[7.5] Auditing
  • Account logon events - success or failure of domain logon
  • Account management - events such as resetting passwords and modifying user properties
  • Directory services - any time user access AD an event is generated
  • Logon events - success or failure of local logon or logon to a share
  • Object access - file, folder or printer access
  • Policy change - success or failure of change of security options, user rights, account policies and audit policies. Both domain and local PC changes are tracked.
  • Process tracking - useful for applications
  • System events - system events such as shutting down PC or clearing the logs
[7.6] User rights
  • Administrators can assign specific rights to group accounts or to individual user accounts. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights. The only time that rights assigned to one group might conflict with those assigned to another is in the case of certain logon rights.
  • There are too many user rights to list
  • There are two types of user rights:
    • Privileges, such as the right to back up files and directories
    • Logon rights, such as the right to logon to a system locally
[7.7] Security options
  • Security option policies are used to configure security for the computer
  • These policies are applied to the computer, not to users and groups
  • Security options are edited through computer part of 'Group policy editor' GP object 'Local computer policy' MMC
  • Security options can also be viewed with secpol.msc
  • There are too many security options to list
[7.8] Security templates
  • secedit.exe is used to configure and analyze system security by comparing your current configuration to at least one template
  • Security templates are stored in %systemroot%\security\templates folder
  • Setup security.inf - default settings
  • Compatws.inf - used for backwards compatibility, so applications not certified for Windows XP can work
  • Secure*.inf - implements recommended security in all areas except files, folders and registry keys
  • Hisec*.inf - high security network communication, Windows XP can communicate only with other XP or 2000 computers
  • Rootsec.inf - new root permissions introduced in XP are going to be applied
  • Notssid.inf - removes default permissions granted to terminal server SID
[7.9] Using local group policies
  • Normally GP are applied through AD, but they can also be applied locally
  • When you use local group policies there can only be one GP object
  • Policies that have been applied through AD will take precedence over any local group policies
  • You administer local GP through Local group policy object (gpedit.msc)
  • Rsop - resultant set of policies is the final set of policies that is applied to the user and computer. Use gpresult to display Rsop for current user in command line format. Use rsop.msc to start Microsoft management console that displays Rsop.
[7.10] Using group policies with AD
  • When a DC is present you can have GPO in AD, they are stored in %systemroot%/Sysvol folder on every DC by default
  • When user logs into active directory, this is the order of policy application:
    • Local computer
    • Site (group of domains)
    • Domain
    • OU (organizational unit)
  • The following options are available for overriding the default policy application
    • No override - enforces policy inheritance: you force all child policy containers to inherit the parent's policy, even if that policy conflicts with the child's policy and even if Block Inheritance has been set for the child. This option is used by corporations that want to have corporate level security and don't want low level administrators to be able to override it. To set the no override option open the properties screen of the domain or OU, in the GPO Links list right-click the GPO link that you want to enforce, and click No Override.
    • Block inheritance - used if you don't want to inherit GP settings from parent containers. You can block policy inheritance at the domain or OU level by opening the properties dialog box for the domain or OU and selecting the 'Block Policy inheritance' check box
  • Group Policy is not inherited from parent to child domains, i.e. blah.boom.com does not inherit from boom.com
  • The smallest unit you can apply GP to is an organizational unit (OU)
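The application order (local, site, domain, OU) together with No Override and Block Inheritance determines the resultant set of policy. The added Python model below (not the guide's or Microsoft's code) walks a chain of containers and computes, for each setting, the winning value and the GPO it came from, the way a gpresult listing would. Two assumptions are built in: the local GPO is processed first and is not affected by Block Inheritance (which applies only to links higher up in AD), and GPOs linked to one container are listed lowest priority first. The site, domain and OU names and all settings are constructed.

```python
class GPO:
    def __init__(self, name, settings, no_override=False):
        self.name = name
        self.settings = settings          # setting name -> value
        self.no_override = no_override    # "No Override" set on the GPO link


class Container:
    """A site, domain or OU with its linked GPOs (listed lowest priority first)."""

    def __init__(self, name, gpos=(), block_inheritance=False):
        self.name = name
        self.gpos = list(gpos)
        self.block_inheritance = block_inheritance


def resolve_rsop(local_settings, chain):
    """Compute the resultant set of policy for a user or computer.

    chain lists the AD containers from the site down to the innermost OU.
    Returns setting -> (value, name of the GPO that supplied it).
    """
    # Assumption of this model: the local GPO is always processed first and is
    # not affected by Block Inheritance, which only concerns links above in AD.
    rsop = {k: (v, "Local computer") for k, v in local_settings.items()}
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            normal = []   # drop inherited links; No Override links survive the block
        for gpo in container.gpos:
            (enforced if gpo.no_override else normal).append(gpo)
    # Normal links: the later (closer to the object) link wins a conflict.
    for gpo in normal:
        for k, v in gpo.settings.items():
            rsop[k] = (v, gpo.name)
    # No Override links beat every normal link; among them the higher container
    # wins, so apply them from innermost to outermost.
    for gpo in reversed(enforced):
        for k, v in gpo.settings.items():
            rsop[k] = (v, gpo.name)
    return rsop


def sample_rsop():
    """Constructed example: site -> boom.com -> Sales OU with Block Inheritance."""
    site = Container("Site-HQ", [GPO("SiteGPO", {"screensaver_timeout": 900})])
    domain = Container("boom.com", [
        GPO("DomainSecurity",
            {"min_password_length": 8, "screensaver_timeout": 600}, no_override=True)])
    sales = Container("OU=Sales", [
        GPO("SalesDesktop", {"screensaver_timeout": 1800, "min_password_length": 4,
                             "wallpaper": "sales.bmp"})],
        block_inheritance=True)
    local = {"wallpaper": "default.bmp", "run_logon_script": True}
    return resolve_rsop(local, [site, domain, sales])


if __name__ == "__main__":
    for setting, (value, source) in sorted(sample_rsop().items()):
        print(f"{setting:22} = {value!r:14} from {source}")
```

In the constructed case the Sales OU blocks the site GPO, but the domain's enforced security GPO still wins the password-length and screensaver settings over the OU's own values, which is the behaviour the guide describes for corporate-level security that local administrators must not override.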
[7.11] Other security issues
  • Both Windows XP Pro and Home Edition allow user accounts to utilize blank passwords to log into their local workstations, although in XP Pro, accounts with blank passwords can no longer be used to log on to the computer remotely over the network
  • In XP Home Edition all user accounts have administrative privileges and no password by default
  • Windows XP Home Edition will not allow you to disable the Guest account. When you disable the Guest account via the Control Panel, it only removes the listing of the Guest account from the Fast User Switching Welcome screen, and the Log on Local right. The network credentials will remain intact and guest users will still be able to connect to shared resources.
  • The "Everyone" group has access to Printers assigned by default
  • Remote desktop is not enabled by default on Windows XP Pro

Part 8: Managing disks

[8.1] File systems
  • FAT 16 bit (File Allocation Table)
  • FAT 32 bit
  • NTFS (New Technology File System)
  • To convert from FAT to NTFS use: convert x: /fs:NTFS. You cannot use convert to convert to other file systems.
[8.2] Disk drives
  • SCSI 15000RPM, 20Mbps transfer
  • IDE 7200RPM, 16.7Mbps transfer
  • SATA (similar to IDE)
  • Both SCSI and SATA support up to 15 drives on a single controller
  • IDE drives have 'cable select' option on them which automatically determines master and slave. It is best practice to manually set jumpers for master and slave.
[8.3] ARC path designation (Advanced RISC computing)
  • ARC dates back to NT 3.5 days (in the form presented here, otherwise NT 3.1)
  • The file boot.ini is used to find '\windows\' directory
  • Bootcfg.exe configures, queries, or changes Boot.ini file settings
  • Msconfig can be used to change system startup options including modification of boot.ini
  • Please note that Microsoft has changed the default install directory from WINNT to WINDOWS for Windows XP. For upgrades we will still use WINNT directory.
  • Multi
    • Identifies the controller physical disk is on
    • Multi(x) syntax of the ARC path is only used on x86-based computers
    • For IDE or pure SCSI disks when OS is on the 1st or 2nd SCSI drive
    • The Multi(x) syntax indicates to Windows NT that it should rely on the computer's BIOS to load system files. This means that the operating system will be using interrupt (INT) 13 BIOS calls to find and load NTOSKRNL.EXE and any other files needed to boot Windows NT.
    • Numbering starts at 0, for example Multi(0), due to technical reasons it should always be 0
    • In a pure IDE system, the Multi(x) syntax will work for up to the 4 drives on the primary and secondary channels of a dual-channel controller
    • In a pure SCSI system, the Multi(x) syntax will work for the first 2 drives on the first SCSI controller (that is, the controller whose BIOS loads first)
    • In a mixed SCSI and IDE system, the Multi(x) syntax will work only for the IDE drives on the first controller
  • SCSI
    • Identifies the controller physical disk is on
    • The SCSI(x) syntax is used on both RISC and x86-based computers
    • Using SCSI() notation indicates that Windows NT will load a boot device driver and use that driver to access the boot partition
    • On an x86-based computer, the device driver used is NTBOOTDD.SYS, on a RISC computer, the driver is built into the firmware
    • Numbering starts at 0, for example SCSI(0)
    • Windows NT Setup always uses Multi(x) syntax for the first two drives
  • Disk
    • Identifies the physical disk attached to controller
    • Always 0 if Multi(x) is present; Disk(x) is only meaningful with SCSI(x)
    • For SCSI(x), the value of Disk(x) is the SCSI ID and can be 0-15. Note: one channel is always reserved for the controller itself
    • Numbering starts at 0, for example Disk(0)
  • Rdisk
    • Identifies the physical disk attached to the controller
    • Almost always 0 if SCSI(x) is present; Rdisk(x) is used with Multi(x) and is the ordinal of the disk on the controller, usually 0-3
    • Numbering starts at 0, for example Rdisk(0)
  • Partition
    • Refers to the partition on the hard disk where the Windows system folder is located
    • All partitions receive a number except for type 5 (MS-DOS Extended) and type 0 (unused) partitions, with primary partitions being numbered first and then logical drives
    • A partition is a logical definition of hard drive space
    • Numbering starts at 1, for example Partition(1)
  • Signature
    • Used when system BIOS or controller hosting the boot partition cannot use INT-13 Extensions
    • The signature() syntax is equivalent to the scsi() syntax
    • Using the signature() syntax instructs Ntldr to locate the drive whose disk signature matches the value in the parentheses, no matter which SCSI controller number the drive is connected to
    • The signature() value is extracted from the physical disk's Master Boot Record (MBR)
[8.4] Easy way to memorize ARC
  • There are 5 letters in the word 'Multi' and 5 letters in the word 'Rdisk'
  • There are 4 letters in the word 'SCSI' and 4 letters in the word 'Disk'
  • 'SCSI' works together with 'Disk' while 'Multi' works together with 'Rdisk'
  • When the system uses Multi(x) it relies on BIOS INT-13 Extensions, so the on-board BIOS has to be enabled
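To make the rules in [8.3] and the Multi/Rdisk versus SCSI/Disk pairing in [8.4] concrete, here is an added Python example (written for this guide, not a Microsoft tool) that parses ARC paths and flags entries that break those rules. The boot.ini shown is a constructed sample, and the 'loader' label simply records which mechanism each ARC form relies on (BIOS INT 13 for multi(), NTBOOTDD.SYS for scsi() and signature()).

```python
import re

# multi()/scsi() carry a decimal ordinal, signature() the hex MBR disk signature.
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi|signature)\((?P<value>[0-9a-f]+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)partition\((?P<part>\d+)\)"
    r"(?P<folder>\\[^=\s]*)?$",
    re.IGNORECASE,
)


def parse_arc(path):
    """Parse one ARC path; return its fields plus a list of rule violations."""
    m = ARC_RE.match(path.strip())
    if not m:
        raise ValueError(f"not an ARC path: {path!r}")
    adapter = m["adapter"].lower()
    value = m["value"]
    disk, rdisk, part = int(m["disk"]), int(m["rdisk"]), int(m["part"])
    problems = []

    if adapter == "multi":
        # multi(x): BIOS INT 13 loads the boot files, disk() is unused (0) and
        # rdisk() is the ordinal of the disk on the controller.
        loader = "BIOS INT 13"
        if not value.isdigit() or int(value) != 0:
            problems.append("multi() ordinal should always be 0")
        if disk != 0:
            problems.append("disk() must be 0 when multi() is used")
        if rdisk > 3:
            problems.append("rdisk() with multi() is normally 0-3")
    elif adapter == "scsi":
        # scsi(x): NTBOOTDD.SYS drives the adapter and disk() is the SCSI ID.
        loader = "NTBOOTDD.SYS"
        if not value.isdigit():
            problems.append("scsi() ordinal must be decimal")
        if disk > 15:
            problems.append("disk() is the SCSI ID and must be 0-15")
        if rdisk != 0:
            problems.append("rdisk() should be 0 when scsi() is used")
    else:
        # signature(x): like scsi(), but the disk is found by its MBR signature.
        loader = "NTBOOTDD.SYS"
        if len(value) != 8:
            problems.append("signature() should be the 8-hex-digit MBR disk signature")
    if part < 1:
        problems.append("partition() numbering starts at 1")

    return {"adapter": adapter, "value": value, "disk": disk, "rdisk": rdisk,
            "partition": part, "folder": m["folder"] or "", "loader": loader,
            "problems": problems}


def check_boot_ini(text):
    """Validate every entry in the [operating systems] section of a boot.ini."""
    results = []
    in_os_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        if in_os_section and "=" in line:
            arc_path = line.split("=", 1)[0].strip()
            results.append((arc_path, parse_arc(arc_path)["problems"]))
    return results


# Constructed sample boot.ini (not taken from a real system).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003" /fastdetect
scsi(0)disk(4)rdisk(0)partition(2)\\WINNT="Windows 2000 (SCSI)"
multi(0)disk(1)rdisk(0)partition(0)\\WINDOWS="Broken entry"
"""

if __name__ == "__main__":
    for path, problems in check_boot_ini(SAMPLE_BOOT_INI):
        print(path, "OK" if not problems else problems)
```

The third sample entry is rejected twice: disk(1) is not allowed with multi(), and partition(0) does not exist because partition numbering starts at 1.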
[8.5] Disk Management MMC snap-in
  • To activate: start -> all programs -> administrative tools -> computer management -> disk management tree node
  • Another way is to right-click on My Computer and select 'Manage' from the list
  • Finally you can just create a custom MMC snap-in
  • Using disk management, among other things, you can:
    • Initialize new disks
    • Create new volumes and partitions
  • If you right-click a disk and select Properties -> General tab you can see a Location heading with a number. That number is the ARC number of the hard disk.
  • If you need a disk formatted in FAT or FAT32 you cannot do it from Disk Management; you need to use: format x: /fs:FAT32. Note that Windows can format FAT32 disks up to a maximum of 32Gb but can read higher capacity drives
  • DiskPart.exe - you can create scripts to automate tasks, such as creating volumes or converting disks to dynamic.
  • Fsutil.exe - perform many NTFS file system related tasks, such as managing disk quotas, dismounting a volume, or querying volume information.
  • Mountvol.exe - mounts a volume at an NTFS folder or unmounts the volume from the NTFS folder.
[8.6] Remote management
  • Computer Management is not just for the local machine, you can also manage other PCs; to activate, right-click on Computer Management (Local) and select 'connect to another PC'
  • By default Domain Admins are part of the local Administrators group and you need these rights to connect to and administer remote PCs
  • If you cannot access Device Manager from the Computer Management extension snap-ins on a remote computer, ensure that the Remote Registry service is started on the remote computer.
  • Computer Management does not support remote access to computers that are running Windows 95.
  • In remote management 'Device Manager' is in read only mode
[8.7] Basic Disks
  • Primary partition is the only one that is bootable and there is a maximum of 4 primary partitions
  • Extended partitions are not bootable
  • Logical drives are created in extended partitions. There are no limits as to the number of logical drives each extended partition may have.
  • Primary partitions and logical drives are assigned drive letters
  • Basic Disk FAT is located on the first sector of the hard disk; space is shared with the MBR
[8.8] Dynamic disks
  • Fault tolerance is better than with basic disks, because the configuration information is stored in multiple places: a 1Mb database is placed at the end of each physical hard disk containing information about all dynamic disks in this particular system, which gives multiple copies of the same data.
  • Can be one of the following:
    • Simple volume:
      • Single disk
      • No fault tolerance
      • Can be NTFS or FAT
    • Spanned volume:
      • maximum of 32 disks
      • Cannot extend spanned volumes, need to delete and recreate
      • No fault tolerance
    • Mirror volume:
      • Also known as RAID 1
      • Windows XP Pro does not support mirror volumes
      • Can be NTFS or FAT
      • Fault tolerance, data is the same on both disks
      • To replace the failed mirror in a mirrored volume, right-click the failed mirror and then click Remove Mirror, and then right-click the other volume and click Add Mirror to create a new mirror on another disk
      • A variation of mirroring called duplexing uses hard disks connected to different controllers for even more fault tolerance
    • Striped volume:
      • Also known as RAID 0
      • Maximum of 32 disks
      • Breaks data into 64Kb chunks for writing to different disks that make up the stripe
      • It is recommended to use the same type of hard drive for all member drives
      • Windows XP cannot be installed on software RAID 0
      • You cannot extend striped volume, need to recreate it
      • No fault tolerance
    • RAID 5:
      • Made up of at least three disks, with parity information stored on each of them
      • Fault tolerance when one disk fails
      • Maximum of 32 disks, minimum of 3
      • Not available in Windows XP professional
      • To replace the failed disk region in a RAID-5 volume, right-click the RAID-5 volume and then click Repair Volume
  • Dynamic disks can only be used in Windows XP Professional, Windows 2000 Professional and Windows Server 2003 (all editions)
  • Note: if the disk referenced by the ARC path in boot.ini fails, the system will not boot. You should have a disk with a modified boot.ini ready
  • Mounted volumes - can mount HD as a NTFS folder
  • Uninstall disks prior to moving them; rescan disks after you attach them
  • Dynamic disks can be re-configured without re-boot
  • When your boot disk is also a dynamic disk, then you will not be able to dual boot into OS that is not dynamic disk capable
  • Dynamic disks are not supported on laptops due to lack of advantage over basic disks in this scenario
  • Dynamic disk partition table types:
    • dynamic GUID partition table (GPT) disks, for 64bit editions of Windows
    • dynamic MBR disks, for 32 and 64bit editions of Windows
  • The Foreign status occurs when you move a dynamic disk to the local computer from another computer
  • You can have a maximum of 2000 volumes on a dynamic disk, recommended maximum is 32
  • Volumes created after the 26th drive letter has been used must be accessed using volume mount points
  • Hard drives that are connected to the PC using USB or IEEE 1394 cannot be converted to dynamic volumes
  • Extending simple volume:
    • Similar to spanned volume but uses the same physical HD with simple volume
    • You can extend a simple volume only if it does not have a file system or if it is formatted using the NTFS file system. You also need free space on the disk, and the volume must not originally have been a basic disk partition.
    • You cannot extend volumes formatted using FAT or FAT32
    • You cannot extend a system volume, boot volume, striped volume, mirrored volume, or RAID-5 volume
[8.9] Volume status descriptions
  • Failed - basic or dynamic volume cannot be started automatically or the disk is damaged
  • Failed Redundancy - data on a mirrored or RAID-5 volume is no longer fault tolerant because one of the underlying disks is not online, has substatus information
  • Formatting - occurs only while a volume is being formatted with a file system
  • Healthy - normal volume status on both basic and dynamic volumes, no known problems, has substatus information
  • Regenerating - occurs when a missing disk in a RAID-5 volume is reactivated
  • Resynching - occurs when creating a mirror or restarting a computer with a mirrored volume
  • Unknown - occurs when the boot sector for the volume is corrupted
  • Data Incomplete - displayed in the Foreign Disk Volumes dialog box, and occurs when data spans multiple disks, but not all of the disks were moved.
  • Data Not Redundant - displayed in the Foreign Disk Volumes dialog box when you import all but one of the disks in a mirrored or RAID-5 volume
  • Stale Data - displayed in the Foreign Disk Volumes dialog box, and occurs when a mirrored or RAID-5 volume has stale mirror information, stale parity information, or I/O errors
[8.10] Converting to dynamic disk and back to basic disk
  • If you convert a boot disk, or if a volume or partition is in use on the disk you attempt to convert, you must restart the computer for the conversion to succeed.
  • The conversion may fail if you change the disk layout of a disk to be converted or if the disk has I/O errors during the conversion.
  • After you convert a basic disk into a dynamic disk, any existing partitions on the basic disk become (dynamic) simple volumes.
  • If you are using shadow copies and they are stored on a different disk than the original, you must first dismount and take offline the volume containing the original files before you convert the disk containing the shadow copies to a dynamic disk.
  • If you are converting disks from dynamic to basic, the disk being converted must not have any volumes on it nor contain any data before you can change it back to a basic disk. If you want to keep your data, back it up before you convert the disk to a basic disk.
[8.11] Disk quotas
  • Disk quota applies to everyone using the volume except administrators
  • Remember that every user needs a few Mb (at least 2) for storage of the profile, which is needed for logging in
  • Quota entry can be created per user but not per group, only volumes and users have quota entries
  • Quota limit is calculated using the uncompressed file size, thus compressing files will not create more space
  • The default quota entry is for all users of given volume. You can add additional quota entries on per user basis only.
  • Once again, quota entries are per user per volume, no groups are allowed.
  • Remember that once a user uses a volume with a quota set on it, an entry is automatically added for that user. Thus, if you had a general entry for all users and later some users run out of space and need more, you modify their existing quota entries rather than adding new ones.
  • Disk quota is only applied to the files that are being added after the quota entry got created, it doesn't apply to files that were already there
  • Each file can contain up to 64kb of metadata that is not counted towards the user's quota limit
  • Fsutil is used to manage quota from command line
  • To free some space run disk cleanup, from command prompt: cleanmgr.exe (note it doesn't clear internet temporary files)
[8.12] Defragmenting
  • You will need at least 15% of free HD space in order to defragment
  • You may need to repeat the process several times in order to achieve planned results
  • Defragmenting should be done on every volume every 1 to 2 months
  • You cannot schedule defragmenting task (unless you use custom scripts)
  • Windows defragmenter works with FAT16, FAT32 and NTFS
  • On modern computer systems that use NTFS and don't use the file system extensively (desktops) the benefits of defragmenting a hard drive are measurable but not noticeable to the end user. Thus defragmenting is only a significant performance tool for file servers.
[8.13] Encryption:
  • Only the user who created the file, users to whom the owner gave access to view the file (new in Windows XP; those additional users must already have been issued certificates) and recovery agents can decrypt the file
  • When moving an encrypted file from one volume to another volume, it stays encrypted. When copying the file it also stays encrypted. This behaviour is unique to encryption!
  • Note that a user who has NTFS permissions to an encrypted file can delete that file, even if he/she cannot view that file. They can also move the file around on the same NTFS volume (a different volume would mean a copy operation and possible decryption).
  • Cannot encrypt and compress at the same time (the encryption process produces pseudo-random data that cannot be compressed further)
  • You can zip first using WinZip or another 3rd party compression tool, then encrypt to get an encrypted and compressed file
  • Executable file cipher.exe is a command line encryption utility
  • By default, the recovery agent is the Administrator account on the 1st DC, there is no default for stand alone server/workstation
  • Moving or copying an encrypted file to a FAT volume decrypts it without warning
  • It is recommended to store the recovery agent certificate on a floppy disk in a secured location. It is also recommended to copy the file to be recovered to the recovery agent's PC, where it will be recovered.
  • User needs correct certificate to perform action on a file that would result in that file being decrypted
[8.14] How EFS (encrypted file system) works
  • When the user chooses to encrypt a file, a file encryption key is generated
  • This encryption key, together with encryption algorithm is used to encrypt the contents of the file
  • The file encryption key is encrypted itself using user's public key and stored together with the encrypted file. The file encryption key is also protected by the public key of each additional EFS user that has been authorized to decrypt the file and each recovery agent.
  • The file can only be decrypted by using the user's private key, the private key of a user given permission to view the file, or the private key of a recovery agent
  • Private/public pair is created using user's certificate
  • On stand-alone machines the user's certificate is created the first time he or she tries to encrypt a file
  • For a domain user the certificate is issued by the certification authority - the user needs permission to get a certificate
  • Files marked with the System attribute cannot be encrypted, nor can files in the systemroot directory structure.
  • Before users can encrypt or decrypt files and folders that reside on a remote server, an administrator must designate the remote server as trusted for delegation.
  • If you open the encrypted file over the network, the data that is transmitted over the network by this process is not encrypted.
  • Users can use EFS remotely only when both computers are members of the same Windows Server 2003 family forest
  • Encrypted files are not accessible from Macintosh clients
  • Encrypting File System (EFS) no longer requires a recovery agent
[8.15] Compression (NTFS)
  • When you compress a whole folder:
    • New files added to the folder are compressed automatically, but the folder's existing contents are not
    • OR
    • Compression can also be applied to current files and subfolders
  • Decompression is a reverse process of compression
  • Moving a file on the same volume means that the file location is moved in MFT only, not the physical file itself.
  • When you copy a file, whether on the same volume or not, the destination file will inherit the destination folder's permissions
  • When you move a file on the same volume, it keeps its original permissions. When you move a file to another volume, the move is treated as a copy operation and the file permissions are inherited from the destination folder.
  • All file attributes behave in the same way with the exception of encryption
  • File compression is supported only on NTFS volumes with cluster sizes 4 KB and smaller
  • For command line use compact.exe, it can display and modify compression attributes but it works only on NTFS

Part 9: Accessing files and folders

[9.1] General folder options
  • General folder options:
    • Windows classic or web content in the folders
    • Whether folders are opened all in the same window or in separate windows
    • Opening with single or double mouse click
  • Folder view options:
    • Configure things that you see once you open files and folders
    • There are too many options to list
  • File type options are used to associate file extensions with application file types
[9.2] Offline folder options
  • Offline folder options, you can store network files offline
  • On the client side:
    • The first step is to enable (enabled by default) offline file support on the client under Folder options -> Offline files and is available only on Windows XP and above
    • In the folder options for offline files you can set:
      • You can set synchronization options: manually synchronize, automatic synchronization (log on or log off) and reminder at certain time intervals
      • You can also set how much disk space will be used for temporary network files and whether these will be encrypted
    • When offline files are enabled, connect to a shared folder, right-click it and select 'Make available offline'; this brings up a settings dialog box and starts synchronization
    • When the folder is set up as available offline when you right click on it you will have an option to synchronize
    • Folders that are synchronized appear with a small blue arrow pointing down in the lower left corner of the folder icon
  • On the server side:
    • SMB is used for communication between networked computers; for offline file sharing any SMB PC will do as a server
    • You can disable and enable (default) client's ability to use offline content by changing the options in Share properties -> Caching on the server computer
[9.3] ACL - access control list
  • Every object in AD (and on a stand alone PC) has ACL
  • ACE - access control entries
  • ACL is a list of ACEs. Each ACE has deny or accept action and an associated SID (security identifier).
  • The process of checking user access is performed in this way:
    • The user's SID is checked against the ACEs in the ACL of the resource the user wants to access
    • The SIDs of the groups the user belongs to are also checked against the ACEs in the ACL
    • If there is no matching entry, then access is denied
    • Access is granted if an ACE matches one of the user's SIDs and the associated ACE action is accept (allow)
    • Windows resolves each SID and displays the account name for the ACE
    • A Deny right takes precedence over an Allow right in group and user security context. This is true even for Administrator and the object owner.
[9.4] General NTFS permissions for files
  • Read
    • List file attributes
    • Read data in the file
    • Read permissions
  • Write
    • Change file attributes
    • Create new files and write data to files
    • Append data to files
  • Read and execute = 'Read' + execute file permission
  • Modify = 'Read and Execute' + 'Write' + delete permission
  • Full control = all of above permissions + 'Change Permissions' permission + 'Take Ownership' permission
[9.5] General NTFS permissions for folders
  • Read
    • List folder attributes
    • List folder
    • Read permissions
  • Write
    • Change folder attributes
    • Create folders
  • Read and execute
  • Modify = 'Read and Execute' + 'Write' + delete permission
  • List folder contents (a folder-only permission)
    • Traverse folders
    • List the contents of a folder
    • See folder or file attributes
  • Full control = all of above permissions + 'Change Permissions' permission + 'Take Ownership' permission
[9.6] Share permissions
  • Only applicable for folders, no share permissions for files
  • Read = read file data, file names and subfolder names + execute (default assigned to everyone group)
  • Change = read permission + delete files and subfolders + write
  • Full control = all of above permissions + change of share permissions right only
  • Share permissions do not apply to users that are logged into the OS interactively (i.e. locally)
  • NTFS general permissions always apply, even for a share, i.e. a user needs both read permissions in order to access a file over the network
  • Use NTFS permissions to tighten security
  • To add a share from the command prompt: net share 'share name'='path'
  • To delete a share from the command prompt: net share 'share name' /delete
  • To connect to a share from command prompt use: net use \\computer_name\share_name
  • When a share name ends in $ it is hidden and cannot be browsed to, full name needs to be typed in
  • Share permissions are not included in a backup or restore of a data volume
  • Share permissions do not replicate through the File Replication service
  • When both NTFS and share permissions are applied to a resource the system looks at the effective permissions for NTFS and share permissions and applies to the object the most restrictive set of cumulative permissions
  • By default, simple file sharing is enabled in Windows XP if you are not connected to a domain. Therefore, the Security tab and the advanced options for permissions are not available. In Windows XP Home Edition you have to use simple file sharing.
  • You cannot disable simple file sharing in Microsoft Windows XP Home Edition; in Windows XP Pro you use Folder Options to disable simple file sharing
[9.7] Explicit permissions and inherited permissions for files and folders
  • There are two types of permissions: explicit permissions and inherited permissions.
  • Explicit permissions are those set directly on the object, either by default when the object is created or by user action.
  • Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.
  • Explicit permissions take precedence over inherited permissions, even inherited Deny permissions. This has nothing to do with user and group security context.
[9.8] Inherited permissions (file and folders)
  • All files and folders inherit their permissions from the parent folder by default
  • There are three ways to make changes to inherited permissions:
    • Make the changes to the parent folder, and then the file or folder will inherit these permissions. Remember this is not related to user and group security!
    • Select the opposite permission (Allow or Deny) to override the inherited permission.
    • Clear the 'Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here' check box. You can then make changes to the permissions or remove the user or group from the permissions list. However, the file or folder will no longer inherit permissions from the parent folder. You will be presented with a confirmation dialog that has these options:
      • You can 'copy' permission entries making all entries explicit (convert inherited entries into explicit)
      • Or you can remove all inherited permissions and keep only the current explicit permissions
  • You cannot change parent permissions inside a child object - they show as grayed out if inheritance is on.
  • If the object is inheriting conflicting settings from different parents then the setting inherited from the parent closest to the object in the subtree will have precedence.
  • Only inheritable permissions are inherited by child objects. When setting permissions on the parent object, you can decide whether folders or subfolders can inherit them with Apply onto.
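The access check in [9.3], the NTFS-plus-share combination in [9.6] and the explicit-over-inherited rule in [9.7] and [9.8] all come down to one ordering of ACEs. The following Python is an added example written for this guide (not Windows code and not the real, much wider NTFS rights mask): it sorts an ACL into Windows canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), settles each right with the first ACE that mentions it, and intersects the result with the share permissions only for network access. The Everyone and Administrators SIDs are the real well-known values; the user and group SIDs and the ACLs are constructed.

```python
from dataclasses import dataclass

# Simplified rights mask for the example (real NTFS access masks are wider).
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS = 1, 2, 4, 8, 16
MODIFY = READ | WRITE | EXECUTE | DELETE
FULL_CONTROL = MODIFY | CHANGE_PERMS

# Well-known SIDs (real values).
EVERYONE = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"


@dataclass(frozen=True)
class ACE:
    sid: str
    allow: bool
    rights: int
    inherited: bool = False   # True if propagated from a parent folder


def canonical_order(acl):
    """Windows canonical order: explicit deny, explicit allow, inherited deny,
    inherited allow. This is why an explicit Allow beats an inherited Deny."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def effective_rights(acl, token_sids):
    """Walk the ACL in canonical order. Each right is settled by the first ACE
    that mentions it for one of the token's SIDs: at the same level Deny wins
    over Allow, and a right that no ACE grants stays denied (no entry = denied)."""
    granted = denied = 0
    for ace in canonical_order(acl):
        if ace.sid not in token_sids:
            continue
        if ace.allow:
            granted |= ace.rights & ~denied
        else:
            denied |= ace.rights & ~granted
    return granted


def access_check(ntfs_acl, share_acl, user_sid, group_sids, requested, remote):
    """True if every requested right is permitted. Share permissions apply only
    to network access, and then the more restrictive of the two sets wins."""
    token = {user_sid, *group_sids, EVERYONE}      # every account is in Everyone
    allowed = effective_rights(ntfs_acl, token)
    if remote:
        allowed &= effective_rights(share_acl, token)
    return requested & ~allowed == 0


# Constructed scenario: user 'alice' is in the constructed 'Staff' group; the
# file inherits Staff=Modify from its folder, carries an explicit Deny of delete
# for alice, and sits in a share that gives Everyone the default Read.
ALICE, STAFF = "S-1-5-21-1000-1001", "S-1-5-21-1000-2001"
FILE_ACL = [
    ACE(STAFF, True, MODIFY, inherited=True),             # inherited from folder
    ACE(ALICE, False, DELETE),                            # explicit deny on file
    ACE(ADMINISTRATORS, True, FULL_CONTROL, inherited=True),
]
SHARE_ACL = [ACE(EVERYONE, True, READ | EXECUTE)]          # default share permission

if __name__ == "__main__":
    for label, right, remote in [("local write", WRITE, False),
                                 ("remote write", WRITE, True),
                                 ("local delete", DELETE, False)]:
        print(label, access_check(FILE_ACL, SHARE_ACL, ALICE, [STAFF], right, remote))
```

Locally alice can write (NTFS Modify via Staff) but not delete (explicit Deny); over the network the share's Read-only entry cuts the effective rights down to read and execute, so the same write request fails.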
[9.9] Special shares
  • drive letter$ - shared resource that enables administrators to connect to the root directory of a drive
  • ADMIN$ - resource that is used during remote administration of a computer. The path of this resource is always the path to the system root (ex. c:\windows)
  • IPC$ - resource that shares the named pipes that are essential for communication between programs. You use IPC$ during remote administration of a computer and when you view a computer's shared resources. You cannot delete this resource.
  • NETLOGON - required resource that is used on domain controllers
  • SYSVOL - required resource that is used on domain controllers
  • PRINT$ - resource that is used during remote administration of printers
  • FAX$ - shared folder on a server that is used by fax clients in the process of sending a fax
  • You cannot browse to $ shares (cannot see them in Explorer)
[9.10] Moving and copying of files
  • Moving a file on the same volume means that the file location is moved in MFT only, not the physical file itself.
  • When you copy a file, whether on the same volume or not, the destination file will inherit the destination folder's permissions (destination folder and file permissions will be the same)
  • When you move a file on the same volume, it keeps all of its original permissions, both explicit and those inherited from the original folder. Call the file F, the new folder A and the original folder B. When you move F from B to A and then make some permission changes on folder A, they will be inherited by the file F (unless inheritance is blocked on F), and the old inherited permissions (the ones from folder B) will be removed. However, the file F will keep all explicit permissions, which is different from a copy operation, where explicit permissions are removed after the copy.
  • When you move a file to another volume, the move is treated as a copy operation. The file permissions are inherited from the destination folder in the same way regular copy operation permission are inherited.
[9.11] Other points
  • Groups or users granted Full Control on a folder can delete any files in that folder regardless of the permissions protecting the file
  • Every general permission has 'Synchronize' permission
  • Read attributes permission includes 'Read Extended Attributes' permission
  • Everyone group is no longer granted full control by default to shares, only read access (as of service pack 1, original had full access)
  • The Anonymous Logon security group has been removed from the Everyone security group
  • Windows XP and 2000 need installation of client software, twcli32.msi to take advantage of Volume Shadow Service (VSS) that is run on Windows Server 2003 computer

Part 10: Managing network connections

[10.1] Installing a network adapter
  • Make sure you install the latest driver
  • If you have a combo network card (that has two network connectors) make sure you configure speed and cable type
  • 70 to 80 percent of network problems are due to faulty cabling
  • If you have a combo network card make sure that the speed and cable type are configured correctly
[10.2] Configuring TCP/IP
  • TCP/IP (Transmission Control Protocol/Internet Protocol) was developed in the 1970s
    • Installed by default on Windows XP, most common protocol supported by almost all OSs
    • TCP/IP is scalable, it is a routed protocol
    • TCP/IP is a fault tolerant protocol that will dynamically reroute packets if a network link is down and alternate links exist
    • Companion services such as DNS and DHCP exist
    • This is the most popular protocol and is the basis of the internet
  • IP address uniquely identifies computers on the network, it has 32 bits in it
  • The loopback IP address is 127.0.0.1, this is your localhost address. The first address in your network is for the network itself, the last address is for the network broadcast.
  • IP class assignments
    • Class A 1-126.x.x.x, hosts supported 16777214, with mask 255.0.0.0
    • Class B 128-191.x.x.x, hosts supported 65534, with mask 255.255.0.0
    • Class C 192-223.x.x.x, hosts supported 254, with mask 255.255.255.0
  • Subnet mask is used to specify which part of the IP address is the network address and which part of the address is the host part
  • Default gateway is the location where packets are sent which are not destined for your network (you need routers). Metrics are used to calculate optimal paths to gateways.
  • Router is a device that connects two or more network segments together
  • Ipconfig is used to show the PC's IP configuration
  • Ping is used to send ICMP echo request packets
  • Nbtstat is used to display NetBIOS over TCP/IP connection statistics, also known as NBT
  • Alternate configuration: you can specify what happens when there is no DHCP server on the network
    • Automatic Private IP Addressing (APIPA) - assigns PC address from the range 169.241.0.1 to 169.254.255.254, in use since Windows 98
    • Manual configuration of alternative settings
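The class table, subnet mask, network/broadcast addresses and default gateway rule above can be checked with a few lines of Python. This is an added example for this guide (not part of it, and not a Windows tool) built on the standard ipaddress module; the addresses it is run against are constructed samples, and APIPA is checked against the 169.254.0.0/16 link-local block it draws from.

```python
import ipaddress

APIPA_RANGE = ipaddress.IPv4Network("169.254.0.0/16")   # block APIPA addresses come from
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def ip_class(addr):
    """Classful category from the first octet, as in the table above."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "other"   # 0, multicast (224-239) and reserved (240-255)


def describe(addr, mask=None):
    """Network, broadcast and usable host count for an address and optional mask;
    without a mask the classful default is used."""
    cls = ip_class(addr)
    if mask is None:
        mask = DEFAULT_MASKS.get(cls)
        if mask is None:
            raise ValueError(f"no default mask for {addr}")
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return {
        "class": cls,
        "mask": str(net.netmask),
        "network": str(net.network_address),      # first address: the network itself
        "broadcast": str(net.broadcast_address),  # last address: the broadcast
        "usable_hosts": max(net.num_addresses - 2, 0),
        "apipa": ipaddress.IPv4Address(addr) in APIPA_RANGE,
    }


def next_hop(local_addr, mask, gateway, destination):
    """Where the host sends a packet: straight to the destination if it is on
    the local subnet, otherwise to the default gateway, which must itself be
    on the local subnet."""
    local_net = ipaddress.IPv4Network(f"{local_addr}/{mask}", strict=False)
    if ipaddress.IPv4Address(gateway) not in local_net:
        raise ValueError("default gateway is not on the local subnet")
    if ipaddress.IPv4Address(destination) in local_net:
        return destination
    return gateway


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.5.9", "192.168.1.77", "169.254.10.5"):
        print(sample, describe(sample))
    print(describe("192.168.1.77", "255.255.255.240"))
    print(next_hop("192.168.1.10", "255.255.255.0", "192.168.1.1", "10.0.0.5"))
```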
[10.3] DHCP
  • DHCP server is used for automatic IP assignment to hosts, here is the whole process:
    • A client seeking an IP address broadcasts a DHCPDISCOVER message on the network
    • Any DHCP server that receives the message and has available IP addresses sends a DHCPOFFER for a period of time called the lease
    • The client selects one of the offers and broadcasts a DHCPREQUEST indicating its selection
    • DHCP server sends DHCPACK message to the client with possible configuration information like DNS server IPs
  • DHCP server must be authorized in AD if part of a domain
  • If there is no DHCP server on your network segment you can use a DHCP server on another network segment, provided that the other DHCP server is configured to give out addresses to PCs on other segments and the router that joins the segments acts as a DHCP relay agent
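The four-message exchange in [10.3] is easier to follow with both sides written out. The Python below is an added example for this guide (a simulation, not the Windows DHCP service): it models two servers on one segment that both hear the broadcast DISCOVER, a client that takes the first OFFER it receives and broadcasts a REQUEST naming that server, so the other server withdraws its offer, and a server that stays silent when its pool is exhausted or answers DHCPNAK when asked for an address it never offered. Server identifiers, pools, MAC addresses and option values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    kind: str                # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK
    client_mac: str
    server_id: str = ""      # which server an offer or request refers to
    yiaddr: str = ""         # "your IP address": the address offered or confirmed
    lease_seconds: int = 0
    options: dict = field(default_factory=dict)   # e.g. DNS servers handed out in the ACK


class DhcpServer:
    def __init__(self, server_id, pool, lease_seconds=8 * 3600, options=None):
        self.server_id = server_id
        self.free = list(pool)       # addresses not yet leased
        self.offered = {}            # client MAC -> address tentatively offered
        self.leases = {}             # client MAC -> address actually leased
        self.lease_seconds = lease_seconds
        self.options = dict(options or {})

    def handle(self, msg):
        """Reply to one broadcast message, or return None to stay silent."""
        if msg.kind == "DHCPDISCOVER":
            candidates = [a for a in self.free if a not in self.offered.values()]
            if not candidates:                      # pool exhausted: no offer
                return None
            self.offered[msg.client_mac] = candidates[0]
            return Message("DHCPOFFER", msg.client_mac, self.server_id, candidates[0],
                           self.lease_seconds, dict(self.options))
        if msg.kind == "DHCPREQUEST":
            if msg.server_id != self.server_id:     # client chose another server
                self.offered.pop(msg.client_mac, None)
                return None
            addr = self.offered.pop(msg.client_mac, None)
            if addr is None or addr != msg.yiaddr:  # nothing matching was offered
                return Message("DHCPNAK", msg.client_mac, self.server_id)
            self.free.remove(addr)
            self.leases[msg.client_mac] = addr
            return Message("DHCPACK", msg.client_mac, self.server_id, addr,
                           self.lease_seconds, dict(self.options))
        return None


class DhcpClient:
    def __init__(self, mac):
        self.mac, self.addr, self.options, self.lease_seconds = mac, None, {}, 0

    def obtain(self, servers):
        """DISCOVER / OFFER / REQUEST / ACK against every server that hears the
        broadcast. Returns the leased address, or None if no offer arrived."""
        discover = Message("DHCPDISCOVER", self.mac)
        offers = [r for r in (s.handle(discover) for s in servers) if r]
        if not offers:
            return None
        chosen = offers[0]                          # typically the first offer heard
        request = Message("DHCPREQUEST", self.mac, chosen.server_id, chosen.yiaddr)
        for server in servers:                      # the REQUEST is broadcast too
            reply = server.handle(request)
            if reply and reply.kind == "DHCPACK":
                self.addr, self.lease_seconds = reply.yiaddr, reply.lease_seconds
                self.options = reply.options
        return self.addr


def run_demo():
    """Constructed sample: two servers on the segment, three clients, one small pool."""
    s1 = DhcpServer("10.0.0.2", ["10.0.0.10", "10.0.0.11"], options={"dns": ["10.0.0.3"]})
    s2 = DhcpServer("10.0.0.4", ["10.0.0.50"])
    a = DhcpClient("00:11:22:33:44:55").obtain([s1, s2])
    b = DhcpClient("00:11:22:33:44:66").obtain([s1, s2])
    c = DhcpClient("00:11:22:33:44:77").obtain([s1])   # s1's pool is now empty
    return a, b, c, s1, s2


if __name__ == "__main__":
    a, b, c, s1, s2 = run_demo()
    print("leases on s1:", s1.leases, "third client got:", c)
```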
[10.4] DNS
  • DNS servers are used for name to IP and IP to name (reverse DNS) address resolution
  • HOSTS file is used to resolve nicknames or domain names entries, located in systemroot\System32\Drivers\Etc
  • DNS settings:
    • DNS server addresses, in order of use - which DNS server will be used first to resolve a query
    • Append primary and connection-specific DNS suffixes - specifies how unqualified domain names are resolved by DNS, for example if primary suffix is microsoft.com and you enter blah, DNS will try blah.microsoft.com
    • Append parent suffixes of the primary DNS suffix - whether name resolution includes the parent suffixes of the primary DNS suffix, up to the second level of the domain name, for example given primary suffix win.ms.com and you enter blah, DNS will first try blah.win.ms.com then blah.ms.com
    • Append these DNS suffixes - additional suffixes that will be used to resolve unqualified name
    • DNS suffix for this connection - DNS suffix for the PC, can override data supplied by DNS server
    • Register this connection's address in DNS - dynamic registration using PC name
    • Use this connection's DNS suffix in DNS registration
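The suffix settings in [10.4] determine which fully qualified names the resolver tries for an unqualified name such as blah. The Python below is an added example for this guide (not the Windows resolver) that builds that candidate list. It reproduces the win.ms.com example from the text; the relative order it uses for the connection-specific suffix versus the devolved parents of the primary suffix (primary, then connection-specific, then parents) is an assumption of the example, and all suffix values are constructed.

```python
def devolved(suffix):
    """The suffix and its parents down to the second level, e.g.
    win.ms.com -> ['win.ms.com', 'ms.com']; 'com' on its own is never tried."""
    labels = suffix.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]


def suffix_search_list(name, primary_suffix=None, connection_suffix=None,
                       devolve=True, explicit_suffixes=None):
    """Fully qualified names to try, in order, for the name the user typed."""
    if name.endswith("."):
        return [name.rstrip(".")]                    # already fully qualified
    # A name that already contains a dot is tried as typed before any suffix.
    candidates = [name] if "." in name else []
    if explicit_suffixes:
        # "Append these DNS suffixes" replaces the primary/connection-specific list.
        suffixes = list(explicit_suffixes)
    else:
        suffixes = []
        if primary_suffix:
            suffixes.append(primary_suffix)
        if connection_suffix:
            suffixes.append(connection_suffix)
        if primary_suffix and devolve:               # parents of the primary suffix
            suffixes += devolved(primary_suffix)[1:]
    for suffix in suffixes:
        fqdn = f"{name}.{suffix.strip('.')}"
        if fqdn not in candidates:
            candidates.append(fqdn)
    return candidates


if __name__ == "__main__":
    print(suffix_search_list("blah", "win.ms.com"))
    print(suffix_search_list("blah", "win.ms.com", connection_suffix="lab.example.net"))
    print(suffix_search_list("blah", "win.ms.com", explicit_suffixes=["corp.example.com"]))
```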
[10.5] WINS
  • NetBIOS (Network Basic Input/Output System) name resolution to an IP address can be done in 3 ways
    • WINS servers are used for NetBIOS name to IP address resolution, this server is for backward compatibility with NT4
    • Through broadcast (same network segment)
    • LMHOSTS file is a static mapping of IP addresses to NetBIOS computer names, it is located in the %systemroot%\System32\Drivers\Etc folder
  • WINS settings:
    • WINS addresses, in order of use
    • Enable LMHOSTS lookup
    • Enable/Disable NetBIOS over TCP/IP
    • Use NetBIOS settings from the DHCP server
  • NetBEUI - NetBIOS Enhanced User Interface
  • AppleTalk - is not supported by Windows XP (was supported before)
[10.6] TCP/IP filtering
  • Through filtering you can specify for your PC:
    • Which TCP ports are permitted
    • Which UDP ports are permitted
    • Which protocols are permitted
  • This is set for all adapters at once and is separate from firewall
  • It is set up from Network connections -> connection -> TCP/IP properties -> advanced button -> options tab
[10.7] Configuring NWLink IPX/SPX/NetBIOS
  • NWLink IPX/SPX/NetBIOS is Microsoft's implementation of Novell IPX/SPX (Internetwork Packet Exchange/Sequenced Packet Exchange)
  • This is just a routable transport protocol; if you want to access Novell servers you also need to install the client software
  • Internal network number - used to identify file servers, normally leave as is
  • Frame type - specifies how the data is packaged for transmission
[10.8] Network access authentication
  • Network access control using IEEE 802.1X - you choose a method, password/certificate/smart card
  • Authenticate as computer when computer information is available
  • Authenticate as guest when user or computer information is unavailable
  • Part of connection properties
[10.9] Advanced options
  • Bindings are used to attach protocols to a network adapter. You can improve performance by binding common protocols higher in binding order

Part 11: Managing printing

[11.1] Printing related definitions
  • Printer - the term for the piece of software on your PC, not the hardware
  • Print device - this is the actual hardware printer
  • Print server - PC to which a local printer is connected - any Windows PC. It is the computer that sends print jobs to the print device. For a network printer you send jobs to the server as well.
  • Print spooler - also referred to as the print queue; this is a directory on the print server where jobs are stored prior to being printed
  • Print processor - also known as rendering; the process that determines whether a print job needs further processing once the job has been sent to the spooler
  • Printer pool - configuration that allows one printer to be used for multiple print devices
  • Print driver - piece of software that understands your print device codes
  • Physical port - port through which a printer is directly connected to the computer, COM or LPT
  • Logical port - port through which a printer with a network card is attached to network, much faster than a physical port
  • Local printer - printer that uses a physical port and has not been shared
  • Network printer - printer that is available to local and network users, can use either physical or logical port
[11.2] Printer and print device configurations
  • 1 printer per 1 print device
  • 1 printer for many print devices (print pooling)
  • Many printers for 1 print device - used usually for print scheduling
[11.3] Windows print process
  • When a user chooses to print a document, the request is sent to the Graphics Device Interface (GDI), which calls the print driver
  • The print job is sent to the local print spooler, which sends the job to the print server
  • The print spooler on the print server saves the job to disk
  • The print processor analyzes the print job to determine whether extra processing is needed; the separator page is added if needed
  • Job is passed to the print manager which directs job to the right port at the right time
  • Print device prints the job
[11.4] Printer information
  • You can use UNIX (LPR) protocol, for this you will need to add LPR port. LPR is included in "print services" for UNIX, which is installed as a separate component of Windows XP
  • You can also have print services for Macintosh and for Netware
  • Whenever you hear anything that deals with: LPR, LPD, LPQ think UNIX
  • You can set printer priority (1-99) as well as printer availability (which means when the printer will be available timewise) to different user groups as well as access to the print device itself to different user groups and individual users.
  • For example, to use different print priorities for two groups you need to set up two print devices, restrict their use and set the priority on each
  • If you want to know printer utilization track print queue object in system monitor
  • %systemdir%\system32\spool\printers\ is the default location of the spool folder. You should change it if your server serves many printers.
  • A port is defined as the interface that allows the PC to communicate with the print device
  • Print.exe - sends a text file to a printer
  • Net Print - displays information about a specified printer queue, displays information about a specified print job, or controls a specified print job
  • Bidirectional support - option on ports tab that allows printer to communicate with the computer, for example print errors
[11.5] Spooling
  • Spooling is the process of saving the jobs to disk in a queue before they are sent to the print device
  • You have the option of:
    • Start printing after the last page is spooled - small jobs that enter the queue after large jobs may print before large jobs finish spooling
    • Start printing immediately - strict order of entry into the queue determines who gets printed 1st
    • Print directly to the printer - good for troubleshooting the print device
  • You can change location of print spooler
[11.6] Print processor
  • There are 5 print processors in Windows XP
    • RAW - makes no change to the job
    • RAW (FF appended) - always adds form feed character
    • RAW (FF auto) - tries to determine whether a form feed character needs to be added
    • NT EMF - for use with other Windows XP clients, multiple versions
    • TEXT - interprets all data as plain text
[11.7] Printer Pooling
  • One printer, multiple print devices
  • Think of it as load balancing for printers, used in larger enterprises
  • You need to use the same driver for all print devices that are members of the pool. Many newer print devices will work with an older driver; use the newest driver that works with the oldest printer in the pool.
  • It is enabled with a check box found at the bottom of the ports tab
  • When one print device fails the print job gets redirected to another print device in the pool
[11.8] Redirecting print jobs
  • You can redirect print jobs provided both printers use the same driver
  • When a user has queued a request to print a document on a print device that failed BEFORE printing commenced, you can redirect the job to another printer
  • To redirect print jobs, select the print device you want jobs redirected from
  • If the new printer is on this print server, just select the new port to which the new printer is attached; otherwise:
  • Click on 'ports' tab
  • Click on 'add port', select local printer and click on 'new port'
  • Type in UNC share name of the printer you want the job redirected to, in format \\other_print_server\share_name
  • Check the check box next to the port you just created
[11.9] Separator pages
  • Separator pages are used in multi-user environments; sample files are found in the %systemroot%\system32\ folder with a .sep extension
  • Pcl.sep - used to send a separator page on printers supporting PCL (Printer Control Language), which is a common standard
  • Pscript.sep - doesn't send a separator page but switches the computer to PostScript printing mode
  • Sysprint.sep - used by PostScript printers to send separator pages
  • Sysprintj.sep - same as sysprint.sep but with support for Japanese characters
[11.10] Managing printers
  • To manage a printer, right-click it; you have the following options:
    • Set as Default Printer - jobs will by default be sent to this printer
    • Printing preferences - settings like page layout
    • Pause printer - jobs can still be submitted, but will not print
    • Use printer offline - pauses the printer and saves the print queue so documents in it are available even after PC reboot
    • Other options: Rename, Sharing, Delete
  • You can also manage documents with the following options: Pause, Restart, Resume, Cancel, Properties
[11.11] Sharing
  • When you share a printer it becomes a Network printer
  • If you don't share your printer it is a Local printer
  • You cannot share a Fax printer
  • You can specify print drivers for following systems:
    • Alpha Windows NT 4.0
    • IA64 Windows XP
    • Intel Windows 95/98/Me/NT 4.0/2000/XP
[11.12] Security
  • There are three print related permissions:
    • Print - users can send print jobs to a printer
    • Manage Printers - administration of the printer: pause and restart the printer, change spool settings, share/unshare the printer, change print permissions
    • Manage documents - pause/restart/resume and delete queued documents, no control over the printer itself
    • Special permissions - used to customize the print options with allow or deny access with: Print, Manage Printers, Manage Documents, Read Permissions, Change Permissions and Take Ownership
  • Administrators and Power users can do all tasks
  • Creator Owner group can Manage Documents only
  • Everyone group can Print only
  • Advanced security settings:
    • Permissions - list all users, computers and groups that have been given permissions to the printer
    • Auditing - tracks who is using the printer and what type of access is being used
    • Owner - owner of the printer
    • Effective permissions

Part 12: Dial-up networking and Internet

[12.1] Configuring a modem
  • General: speaker volume, maximum port speed, wait for dial tone before dialing check box
  • Selection of country and extra initialization string
  • Advanced port settings allow you to set the buffer size
  • Hardware settings like Data bits, Parity, Stop bits and Modulation
  • Data connection settings like Port speed, data protocol, compression and flow control
  • You can run diagnostics of your modem
[12.2] Connecting to a Remote access server (RAS)
  • You can connect to a RAS server using a modem, ISDN or a null modem cable
  • Both client and server must use the same connectivity settings
  • RAS security settings
    • Allow unsecured passwords
    • Require secured password
    • Use smart card (you will need EAP)
  • Logon security protocols
    • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) - still supports NTLM (but not by default). The same encryption key is used for all connections; both authentication and connection data are encrypted
    • MS-CHAP v2 - no NTLM and stronger encryption (like salting the passed encrypted password strings). The two MS-CHAP protocols are the only ones that can change passwords during the authentication process. A new key is used for each connection and direction.
    • CHAP - you need to enable storage of reversibly encrypted user passwords; authentication data is protected through MD5 hashing. No encryption of connection data.
    • PAP (Password Authentication Protocol) - passwords are unencrypted, as is connection data
    • SPAP (Shiva Password Authentication Protocol) - less secure than CHAP or MS-CHAP, no encryption of connection data
    • EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) - certificate-based authentication (EAP) used with smart cards; both authentication and connection data are encrypted; not supported on stand-alone servers - only for domains.
    • EAP-MD5 CHAP (Extensible Authentication Protocol - Message Digest 5 Challenge Handshake Authentication Protocol) - a version of CHAP ported to the EAP framework. Encrypts only authentication data, not connection data, the same as CHAP.
    • Unauthenticated access - connections without credentials, good for testing
[12.3] Using Virtual Private Networking (VPN)
  • Data that is sent over the network is encrypted, for VPN you just need access to a network while for RAS you need to dial-in
  • VPN supports
    • Single inbound connections
    • Tunneling protocols
    • Callback security
    • Multilink support (chaining of multiple modems)
  • PPTP (Point-to-Point Tunneling Protocol) - built-in encryption for IP or IPX protocols inside PPP datagrams; requires IP connectivity between your computer and the server
  • L2TP (Layer Two Tunneling Protocol) - Windows XP implementation of L2TP is designed to run natively over IP networks only, does not support native tunneling over X.25, Frame Relay, or ATM networks. Uses IPsec and certificates for security.
[12.4] Using Internet Connection Sharing (ICS)
  • Internet connection sharing (ICS) allows you to connect a small network to the internet through a single connection
  • Internet connection sharing server gets assigned address 192.168.0.1 and its simple DHCP server assigns addresses in the range of 192.168.0.2 - 192.168.0.254 to all client computers
  • You can specify which protocols and ports are to be shared, for example HTTP on port 80
  • You configure connection sharing using Network and Internet connections from control panel in advanced tab
[12.5] Managing IE settings
  • Security zones
    • Internet
    • Local intranet
    • Trusted sites
    • Restricted sites
  • Content
    • Content advisor - you can limit what is accessed based on language, nudity, sex and violence
    • Certificates
    • Personal information - you can configure Auto complete and Microsoft profile assistant
  • Connections - how you connect to the internet, any connection
  • Programs associated with different internet services, HTML editor, E-mail, News groups, Internet call, calendar and contact list
  • Advanced tab has too many options to list
  • You can print to an internet printer if the print server has IIS and supports internet printing
  • Internet printing uses Internet print protocol (IPP)
  • To install internet printer, start the 'Add printer wizard', choose network printer and type as address http://computername/printers/share_name/.printer
  • You can connect through a web browser to print server by surfing to http://print_server/printers if it is allowed and print server has IIS installed
  • To connect using IE to an ftp server that uses password and user name, use: ftp://user_name:password@...; Otherwise IE will ask you to enter your credentials.
[12.6] Internet connection firewall
  • ICF is a stateful firewall
  • Configured from Network Connections -> Connection you wish to firewall -> properties -> advanced tab
  • You can log dropped packets and successful connections
  • You can choose a service that already is listed (like port 80 IIS) or add your own
  • Don't confuse with IP packet filtering which is set for all connections at once.
[12.7] Other points
  • PPP - Point-to-Point Protocol, which provides advanced features (like IPX, NetBEUI and TCP/IP support, and encrypted authentication if configured) not found in Serial Line Internet Protocol (SLIP)

Part 13: Optimizing Windows XP Pro

[13.1] Performance and system events
  • Task manager
  • Event viewer
  • System monitor (to activate you can run perfmon.exe from command line)
  • Performance logs and alerts
  • Network monitor
[13.2] Performance
  • To set process priority at run time, use: start "process name" /"priority value"
  • Another way is: cmd /c start /"priority setting" "application name" -- you cannot use this from the Run menu
  • Priority types:
    • Real time (you will need Administrator access to set this priority level)
    • High
    • Above normal
    • Normal
    • Below normal
    • Low
  • Processor affinity is the process of assigning specific processors to specific tasks in multiprocessor system, this is done through task manager
  • Relog - extracts performance counters from performance counter logs into other formats, such as text-TSV, text-CSV, binary-BIN, or SQL
  • Logman - manages and schedules performance counter and event trace log collections on local and remote systems
[13.3] Performance indicators
  • Memory: page faults/sec - data not found in CPU cache creates a fault; most processors can handle large numbers of soft page faults, compare with Memory: pages/sec
  • Available memory in bytes - need more if less than 10% available (could be an application memory leak)
  • Memory: pages/sec - hard drive access to page file, a rate of 20 or more indicates a need for more RAM
  • Paging file percent usage close to 100 - need more space in the file or more RAM
  • Physical disk: percentage disk time above 70% - is too high, if paging file usage is excessive as well it indicates more RAM is needed otherwise a disk is the bottleneck
  • Physical disk average queue length above 2 - check paging file and physical memory
  • Physical disk current queue length - a value above 2 indicates a problem
  • CPU close to 100% - need more CPU power if situation continues for excessive amounts of time
  • Number of open files indicates how busy the server is, compare to baseline
  • Server: bytes total/sec - indicates network throughput
  • Baselining is the process of determining average/normal system performance. Should be done over a period of 3 to 4 weeks using counter logs.
  • Performance logs and alerts are used to perform long term analysis:
    • Using the default Windows XP Pro data provider or another application provider, trace logs record detailed system application events when certain activities, such as a disk I/O operation occurs. When the event occurs, your OS logs the system data to a file. A parsing tool is required to interpret the trace log output, like Tracerpt
    • When counter logs are in use, the service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event.
    • Remember that trace logs are event driven and counter logs are update interval driven
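The indicators above, applied to sample counter data as an added example (not from the guide): the disk rule is conditional on paging, and the CPU and disk rules only fire when the condition persists across a window of samples. The counter paths follow Performance Monitor naming; the sample values, the 95/90 cut-offs for "close to 100" and the 1.5x baseline margin are constructed assumptions.

```python
"""Added example, not from the guide: checks a short series of counter
samples against the thresholds listed above. The samples and the cut-offs
for 'close to 100' are constructed assumptions."""

from typing import Dict, List, Sequence

Sample = Dict[str, float]

PAGES_SEC_LIMIT = 20        # Memory: Pages/sec at or above this means more RAM
DISK_TIME_LIMIT = 70        # PhysicalDisk: % Disk Time above this is too high
QUEUE_LIMIT = 2             # disk queue length above this is a problem
LOW_MEMORY_FRACTION = 0.10  # under 10% available memory
NEAR_FULL = 90              # assumed cut-off for 'close to 100' (% usage)
CPU_BUSY = 95               # assumed cut-off for 'CPU close to 100%'


def sustained(samples: Sequence[Sample], counter: str, limit: float, window: int) -> bool:
    """True when `counter` was above `limit` in each of the last `window`
    samples, so a single spike does not count as 'continues for an
    excessive amount of time'."""
    if len(samples) < window:
        return False
    return all(s.get(counter, 0.0) > limit for s in samples[-window:])


def diagnose(samples: Sequence[Sample], total_ram_bytes: float,
             baseline_files_open: float, window: int = 3) -> List[str]:
    """Apply the guide's rules to the newest sample (and the window for
    the sustained checks) and return the resulting findings in order."""
    findings: List[str] = []
    last = samples[-1]

    if last.get(r"\Memory\Pages/sec", 0.0) >= PAGES_SEC_LIMIT:
        findings.append("Pages/sec at or above 20: more RAM needed")

    available = last.get(r"\Memory\Available Bytes")
    if available is not None and available < LOW_MEMORY_FRACTION * total_ram_bytes:
        findings.append("under 10% memory available: check for an application leak")

    paging_full = last.get(r"\Paging File(_Total)\% Usage", 0.0) >= NEAR_FULL
    if paging_full:
        findings.append("paging file near 100%: enlarge it or add RAM")

    # The disk rule depends on paging: heavy paging means RAM, otherwise the disk.
    if sustained(samples, r"\PhysicalDisk(_Total)\% Disk Time", DISK_TIME_LIMIT, window):
        if paging_full:
            findings.append("% Disk Time over 70 with heavy paging: more RAM needed")
        else:
            findings.append("% Disk Time over 70: the disk is the bottleneck")

    for counter in (r"\PhysicalDisk(_Total)\Avg. Disk Queue Length",
                    r"\PhysicalDisk(_Total)\Current Disk Queue Length"):
        if last.get(counter, 0.0) > QUEUE_LIMIT:
            findings.append(f"{counter} above 2: check paging file and physical memory")

    if sustained(samples, r"\Processor(_Total)\% Processor Time", CPU_BUSY, window):
        findings.append("CPU near 100% for the whole window: more CPU power needed")

    files_open = last.get(r"\Server\Files Open")
    if files_open is not None and files_open > 1.5 * baseline_files_open:  # 1.5x: assumed margin
        findings.append("open files far above baseline: server unusually busy")
    return findings


def _sample(disk_time: float, cpu: float) -> Sample:
    """One constructed sample; only disk time and CPU vary between samples."""
    return {
        r"\Memory\Pages/sec": 4,
        r"\Memory\Available Bytes": 200_000_000,
        r"\Paging File(_Total)\% Usage": 40,
        r"\PhysicalDisk(_Total)\% Disk Time": disk_time,
        r"\PhysicalDisk(_Total)\Avg. Disk Queue Length": 1,
        r"\PhysicalDisk(_Total)\Current Disk Queue Length": 1,
        r"\Processor(_Total)\% Processor Time": cpu,
        r"\Server\Files Open": 120,
    }


# Three consecutive constructed samples: the disk stays busy, the CPU dips in the middle.
SAMPLES = [_sample(85, 99), _sample(90, 30), _sample(92, 97)]
TOTAL_RAM = 1_000_000_000
BASELINE_FILES_OPEN = 100

if __name__ == "__main__":
    for finding in diagnose(SAMPLES, TOTAL_RAM, BASELINE_FILES_OPEN):
        print(finding)
```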
[13.4] Performance alerts
  • Alerts are created when specific counter(s) go above or below a specific value. When an alert is triggered you can do one of the following:
    • You can log alerts in application log
    • Can send a network message
    • Start performance data log
    • Run a program
[13.5] Log file settings
  • Maximum log size
  • Overwrite log events as needed
  • Overwrite log events older than X days
  • Do not overwrite events (clear log manually)
  • Microsoft recommends keeping 7 day logs
[13.6] Log files
  • Default event log files:
    • Application - tracks events related to applications that are running on your PC
    • Security - tracks events related to Windows XP auditing
    • System - tracks events related to the Windows XP OS
  • Log file extension is .evt (files with this extension can be viewed by event viewer)
  • Tracerpt - processes event trace logs or real-time data from instrumented event trace providers
[13.7] Log filtering
  • Event type
  • Event source
  • Event ID
  • User
  • Computer
  • Date range
[13.8] Log viewer event types
  • Information - logged for informative purposes
  • Warning - non critical events that might indicate a problem
  • Error - indicates a problem
  • Success Audit - indicates occurrence of an event audited for success
  • Failure Audit - indicates occurrence of an event audited for failure
[13.9] Event information
  • Eventvwr - used to launch the event viewer
  • Eventtriggers.exe - displays and configures event triggers on local or remote machines.
  • Eventcreate.exe - enables an administrator to create a custom event in a specified event log
  • Eventquery.vbs - lists the events and event properties from one or more event logs
[13.10] Page file
  • Page file size should be such that its size plus the size of physical RAM satisfies the PC's needs, for light use 512Mb
  • Don't let the system manage the size of the page file (the page file fragments due to constant resizing)
  • Set the initial size of the page file but don't prevent it from growing to a large size; growth will rarely occur and provides a cushion in case a memory-intensive application takes up lots of RAM
  • If you move page file from the system drive you will no longer get any memory dumps
  • You will need to restart your PC once you make changes to the page file such as its initial or maximum size
  • It is best to place the page file on a drive whose cluster size matches the RAM page size; on Intel PCs it is 4Kb, and the default for NTFS is also 4Kb
  • The Microsoft recommended size is equivalent to 1.5 times the amount of RAM on your system, set by default
  • To create a memory dump file, the paging file on the %systemroot% drive must be at least as large as RAM + 11MB; you may need to increase it to 1.5*RAM
[13.11] Memory dumps
  • Small memory dumps are stored in %SystemRoot%\Minidump by default and have 64Kb of data
  • Dumpchk.exe - utility that you can use to verify that a memory dump file has been created correctly found in the support tools on the Windows XP CD
  • Windows writes the log file, by default called Memory.dmp, to the same file name each time a Stop error occurs
[13.12] Scheduling tasks
  • To schedule a task go to Performance and Maintenance under Control Panel and select 'Schedule a task'
  • Scheduled task properties:
    • Command line execution for the program that is running the task
    • The folder containing the files needed for execution
    • Comments
    • The user name and password of the user the task is to be run as
    • Whether the task is enabled or not
    • Many other advanced options, like running task when CPU is idle
  • Scheduler service must be running for scheduled task execution to occur
  • The account the task runs under needs appropriate permissions to run the scheduled task
  • Security can be set by group or user

Part 14: Performing system recovery

[14.1] Overview
  • Document everything in your plan, test your plan
  • Possess a 'recovery toolkit' with items like backup utilities, system utilities etc.
  • Make sure you backup:
    • User data
    • Critical system files
    • Critical applications
  • Recovery point - how much data can we afford to lose? Most medium size companies are OK with losing up to 24h - thus daily backup is OK.
  • Time frame for recovery - how long does it take to recover affected systems
  • Hot sites are ultimate backup solution for server farms (a hot site can take on all functions of the current site, is kept synchronized and is in a different physical location)
  • Backup files have .bkf extension
  • When files are backed up they retain all of their original attributes including encryption
  • File attributes are lost when you restore backup to a FAT volume
[14.2] Windows XP boot sequence
  • Preboot sequence
    • Power on self test (POST) is run when PC is turned on, system configures hardware
    • The Master Boot Record (MBR) is loaded to which BIOS points
    • MBR points to the active partition which in turn is used to specify which partition should be used to boot the OS
    • NTLDR is used to start Windows XP boot process
  • Boot sequence
    • NTLDR switches the processor from real mode to 32-bit flat memory mode and starts mini file system drivers which support PC file systems
    • Operating system selection with BOOT.INI occurs; for an OS other than Windows XP the file BOOTSECT.DOS is used
    • NTDETECT.COM detects hardware; the results are stored in the registry
    • Control is passed to NTOSKRNL.exe
  • Kernel load sequence
    • HAL (hardware abstraction layer) driver is loaded (hal.dll)
    • Control set that the OS will use is loaded
    • Low level drivers such as disk are loaded
  • Kernel initialization sequence
    • The registry key HKEY_LOCAL_MACHINE\HARDWARE is created with current PC hardware
    • The Clone Control set is created, it is the exact data used to configure the PC without changes made by setup
    • Low level drivers are initialized and higher level subsystems are being loaded
  • Logon sequence
    • Log on dialog box appears, user enters valid credentials
    • The service controller scans HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services to see whether any services still need to be loaded
[14.3] Backup types
  • Normal (full) - clears the archive bit, backs up all data on the volume that is being backed up.
  • Incremental - backs up only those files that have their archive bit set to 1 (changed since the last full or incremental backup). Clears the archive bit. The restore process will have to chain multiple incremental backups. This backup is fastest when combined with a normal backup.
  • Differential - backs up only those files whose archive bit is set to 1. Does not clear the archive bit, so there is no chaining of backups during the restore process
  • Copy - the only backup type that can back up the registry and other critical system files. Like a full backup, but does not clear or set any archive bits. This type of backup is used for archiving or when backing up between incremental and normal backup routines.
  • Daily - backs up only those files that were modified today. Does not clear the archive bit.
  • You can exclude files from being backed up
  • System state - boot and system files, AD (if DC), SYSVOL directory (if DC), COM+ Class Registration database, registry, Cluster service information (if server is part of a cluster), IIS Metadirectory (if installed) - only for local system!
  • All backed up files keep their file attributes, unless you are restoring to FAT
  • For command prompt use: ntbackup.exe
  • Backup cannot be performed to CD-R or DVD-R
  • When NTBackup creates a backup set it also creates a listing of files and folders included on the set, called a catalog. It is stored on both the disk of the server and the backup set itself.
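The archive-bit rules for the backup types above, simulated as an added example (not from the guide or NTBackup): a small volume model applies each type's selection and bit-clearing rule, and a restore planner shows why an incremental rotation chains several sets while a differential rotation needs only the last normal set and the last differential. File names and days are constructed.

```python
"""Added example, not from the guide: simulates the archive-bit rules of
the backup types above and works out which sets a restore needs. File
names and days are constructed."""

from typing import Dict, List, Set, Tuple

BackupRecord = Tuple[str, int, List[str]]  # (type, day, files in the set)

# As stated above: which types select files by the archive bit, and which
# clear it afterwards. Daily selects by modification date instead.
SELECTS_BY_ARCHIVE_BIT = {"incremental", "differential"}
CLEARS_ARCHIVE_BIT = {"normal", "incremental"}


class Volume:
    """Files on a volume with their archive bit and last-modified day."""

    def __init__(self) -> None:
        self.archive_bit: Dict[str, bool] = {}
        self.modified_day: Dict[str, int] = {}

    def write(self, path: str, day: int) -> None:
        """Creating or changing a file sets its archive bit."""
        self.archive_bit[path] = True
        self.modified_day[path] = day

    def backup(self, kind: str, day: int) -> List[str]:
        """Return the files a backup of type `kind` would include and apply
        its effect on the archive bits."""
        if kind in ("normal", "copy"):
            selected = sorted(self.archive_bit)
        elif kind in SELECTS_BY_ARCHIVE_BIT:
            selected = sorted(p for p, bit in self.archive_bit.items() if bit)
        elif kind == "daily":
            selected = sorted(p for p, d in self.modified_day.items() if d == day)
        else:
            raise ValueError(f"unknown backup type: {kind}")
        if kind in CLEARS_ARCHIVE_BIT:
            for path in selected:
                self.archive_bit[path] = False
        return selected


def restore_chain(history: List[BackupRecord]) -> List[int]:
    """Days of the sets needed to restore the newest copy of every file:
    the last normal backup plus every later set holding a file version
    that no later set also holds."""
    start = max(i for i, (kind, _, _) in enumerate(history) if kind == "normal")
    needed: List[int] = []
    seen: Set[str] = set()
    # Walk backwards so the newest copy of each file is found first.
    for kind, day, files in reversed(history[start:]):
        newer_here = [f for f in files if f not in seen]
        if newer_here or kind == "normal":
            needed.append(day)
            seen.update(files)
    return sorted(needed)


def run_rotation(kind: str) -> Tuple[List[BackupRecord], List[int]]:
    """Normal backup on day 1, then `kind` backups on days 2-4 with one
    file changed each day. Returns the history and the restore chain."""
    vol = Volume()
    for path in ("a.txt", "b.txt", "c.txt"):
        vol.write(path, 1)
    history: List[BackupRecord] = [("normal", 1, vol.backup("normal", 1))]
    for day, path in ((2, "a.txt"), (3, "b.txt"), (4, "a.txt")):
        vol.write(path, day)
        history.append((kind, day, vol.backup(kind, day)))
    return history, restore_chain(history)


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        history, chain = run_rotation(kind)
        print(kind, [files for _, _, files in history], "restore from days", chain)
```

Note that the day 2 incremental set drops out of the chain because a.txt was backed up again on day 4; a restore still needs every incremental that holds the newest copy of some file.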
[14.4] Backup log
  • By default 10 backup logs are kept on the server
  • There are three logging options:
    • No log
    • Summary log (default)
    • Detailed log
[14.5] Restore options
  • Do not replace files (default)
  • Replace only if the file on disk is older
  • Always replace files
  • Locations you can restore the files to:
    • Restore to alternate location
    • Restore to single folder
    • Restore to original location
[14.6] Boot problems
  • Hit F8 for boot menu during startup
  • Last known good configuration is the control set in the registry (current settings, like used drivers)
  • Last known good configuration is still a good choice only if no user has logged on since the problem arose
  • Safe mode does not backup the 'Last known good configuration'
  • To access recovery console: 'winnt32.exe /cmdcons' - this places recovery console option into boot.ini
  • Recovery console is good for missing boot files
  • Can run recovery console from Windows XP CD, to run console from CD boot from CD and press R (repair installation)
  • When boot files are missing you will have to copy new ones from installation CD
  • The maximum number of lines in the [operating systems] section of the Boot.ini file in Windows XP is 10. If you add an 11th line (or more), only lines 1 through 10 will be seen during the boot phase of Windows XP
  • Directory services restore mode:
    • This is like a safe mode for a domain controller
    • Active directory is not started
[14.7] Advanced boot options
  • Safe mode - in boot.ini /safeboot:minimal /sos /bootlog /noguiboot
  • Safe mode with networking - in boot.ini /safeboot:network /sos /bootlog /noguiboot
  • Safe mode with command prompt - in boot.ini /safeboot:minimal(alternateshell) /sos /bootlog /noguiboot
  • Enable boot logging - in boot.ini /bootlog (log is stored in %systemroot%\ntbtlog.txt)
  • Enable VGA mode - in boot.ini /basevideo
  • Last known good configuration - in boot.ini no corresponding switch exists
  • Directory services restore mode (Windows domain controllers only) - in boot.ini /safeboot:dsrepair /sos
  • Debugging mode - in boot.ini /debug
  • The /sos /bootlog /noguiboot switches are not required with any of the above settings, but they are useful to help with troubleshooting. These switches are included if you press F8 and choose one of the modes from startup boot menu.
[14.8] ASR - Automated system recovery
  • Replaces ERD (emergency repair disk)
  • Stores system state data (uses a cd or tape)
  • Need Windows XP CD and ASR floppy to do a clean install and apply system settings
  • ASR is needed to recover from boot failures
  • To create ASR disk either run ntbackup.exe from command prompt or go to: start -> all programs -> accessories -> system tools ->backup
  • Using ASR recovers the system up to the point ASR was created
  • If you create an ASR set on a system without a floppy drive, the files are saved to the %systemroot%\repair folder. ASR restore will not work without a floppy drive and the floppy disk.
  • To perform an ASR recovery you need:
    • ASR floppy disk
    • ASR Backup set
    • Windows XP setup CDROM
  • There is no ASR in Windows XP Home edition
[14.9] Best practices for backup
  • Develop backup and restore strategies and test them; train people.
  • Always create an Automated System Recovery (ASR) backup set when the operating system changes
  • Always choose to create a backup log for each backup
  • Keep at least three copies of the backup media. Secure both the storage device and the backup media.
  • Perform a trial restoration periodically to verify that your files were properly backed up
[14.10] Startup and recovery options
  • Found in System properties advanced tab
  • You can specify the following options:
    • Default operating system - OS loaded by default if no selection is made on OS selection menu
    • Time to display list of OSs - how long the OS selection menu is shown (30 sec by default)
    • Time to display recovery options (30 sec by default)
    • Write event to the system log - event is written each time system fails (enabled by default)
    • Send Administrative alert - when system fails message is sent to the administrator (enabled by default)
    • Automatically restart
    • You can also edit the boot.ini file and specify the size of the kernel dump file
[14.11] Other points
  • System state data can only be restored and backed up locally (there are 3rd party software utilities that can restore and backup over the network)
  • 'Last known good configuration' can be used to recover from most stop errors if the user has not logged in, BUT the server must be able to boot, i.e. for an ntldr error you need to use ASR or the recovery console
  • For major hardware failures such as motherboard replacement you will need to reinstall Windows XP. However, you will still need to restore system state prior to full Windows boot in order to preserve original SID.
  • Recovery password can be different than administrator password
  • For problems with boot files use recovery console and copy needed files over from the CD
  • Dr. Watson - used to troubleshoot application errors, DRWTSN32.EXE
  • Boot disk can be created by copying onto a floppy the following files: NTLDR, NTDETECT.COM, NTBOOTDD.SYS (for SCSI without BIOS), BOOT.INI
  • System restore - creates restore points that can be used to restore PC to a previous state. Enabled by default, daily backups or when significant changes occur. To manually create restore points, use system restore wizard, which is located under Accessories -> System Tools -> System Restore. By default 12% of hard drive space is used for system restore data storage
  • Runas is also known as secondary logon; you need to have the Secondary Logon service running to use it. This command line utility is used to run programs within a different user's security context. For example, a network administrator is logged on as a regular user and needs to run a system utility that requires administrative privileges. Instead of logging out and back in as an administrator, the user can use the runas command, which uses the following syntax: runas /user:ComputerName\UserName "program name"

#930 From: Testking_Mcse@yahoogroups.com
Date: Sun Nov 29, 2009 9:05 am
Subject: File - Microsoft exam 70-291 preparation guide.html
Testking_Mcse@yahoogroups.com
Send Email Send Email
 

Microsoft exam 70-291 preparation guide


Part 1: Understanding Windows networks and TCP/IP

[1.1] Basic networking definitions
  • Network infrastructure - the set of physical and logical components that provide, among other features, security, management and connectivity
  • Physical infrastructure - also known as the network's topology: the physical layout of the hardware components, the type of hardware, and the transmission technology used with that hardware.
  • Logical infrastructure - the software that allows communication over the physical infrastructure; it includes the services that run on the network, such as DNS
  • Network connection - is a logical interface between software and hardware layers
  • Network protocol - is the language used for communication between networked computers
  • Network service - is a program that provides features to hosts or protocols on the network
  • Network client - is a program that allows a computer to connect to a network operating system
  • Addressing - the practice of maintaining a coherent system of addresses within the organization's network so that all computers can communicate
  • Name resolution - the process of translating a computer name into an address, and the other way around
  • Workgroup - a simple grouping of resources that by default uses the NetBIOS naming system. NetBIOS is used together with Common Internet File System (CIFS), an extension of the Server Message Block (SMB) protocol, to provide file sharing. There is no centralized security in a workgroup: each computer keeps its own local account database. The default workgroup name is WORKGROUP. In the absence of a WINS server, NetBIOS names are resolved by broadcasts on the local network segment.
  • Domain - a collection of computers that share a common directory, security policies and relationships with other domains. The word 'domain' is used both for a grouping of computers in AD and for a name in DNS; they are different things, although an AD domain is named with a DNS name.
  • Active directory - is a distributed database that provides directory service
  • Remote access - is a connection that is configured for users that want to access resources from non-local site. There are two types, VPN and dial-up.
  • Network Address Translation (NAT) - a system that lets computers with private addresses communicate with computers on the internet by rewriting their addresses to a public one at the NAT device
  • NWLink - Microsoft's implementation of the Novell IPX/SPX protocol used by NetWare networks
  • Certificate - binds a public key to an identity (a computer, user or service) and is signed by a certification authority; it is the basis of public key cryptography on the network
  • NetBT - NetBIOS over TCP/IP, carries higher level protocols such as SMB (Server Message Block) and CIFS
  • CIFS - an extension of the SMB protocol used for basic file sharing. One advantage of CIFS over older SMB is that it can run directly over TCP/IP (port 445) and use DNS for name resolution, without NetBIOS.
  • TCP/IP - the most popular protocol suite; scalable, routable and based on open standards.
  • Redirector - the client component that decides whether a request is to be serviced locally or remotely. In Windows the redirector is Client for Microsoft Networks; it uses SMB/CIFS for communication.
[1.2] Network connection
  • Components that make up a connection: network clients, services and protocols
  • Connections by themselves don't provide communication, it occurs through components bound to the connection
  • Client for Microsoft Networks is by default bound to all local area connections, it allows client computers to perform CIFS related tasks
  • TCP/IP protocol is bound to all connections by default
  • File and printer sharing for Microsoft Windows is installed and bound to all connections by default
  • Advanced connection settings allow administrator to change the priority of each connection
  • The Provider Order tab of the Advanced Settings dialog box lets the administrator change the order of network providers. This setting applies to all connections. By default Microsoft Terminal Services is given priority over Microsoft Windows Network, because a Terminal Services session is meant to take the place of all other connections.
  • The Provider Order tab also lists the print provider order; by default LanMan Print Services is given priority over HTTP Print Services
[1.3] Default TCP/IP Settings, APIPA
  • APIPA stands for automatic private IP addressing
  • By default the IP address and DNS servers are to be obtained automatically from the DHCP server
  • If the computer cannot get address automatically it uses APIPA to assign itself one
  • APIPA assigns the PC an address from the range 169.254.0.1 to 169.254.255.254 (the 169.254.0.0/16 block) with the mask 255.255.0.0 and no default gateway; in use since Windows 98
  • Administrators can replace APIPA with an alternate configuration (a static fallback address entered on the Alternate Configuration tab), which is used only when no DHCP server answers. Whenever an address is obtained from DHCP that address is used; APIPA never overrides a DHCP-obtained address
  • To disable APIPA the administrator can either configure an alternate static configuration or set the registry value IPAutoconfigurationEnabled to 0 (REG_DWORD) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface GUID> and reboot
  • An all zero address might indicate that the IP has been released and never renewed
  • When a computer fails to obtain APIPA address in the absence of DHCP server and static address, the administrator should look for a hardware problem
[1.4] Management and monitoring tools
  • Connection Manager - allows creation of customized remote access connections
  • Connection Point Services - Phone Book Service that needs IIS
  • Network Monitor - packet analyzer; captures and decodes frames
  • SNMP - Simple Network Management Protocol: agents monitor activity in network devices and report to a network management console. Available for both Windows and UNIX and works with almost any network device.
  • WMI SNMP Provider - lets client applications access static and dynamic SNMP information through WMI
[1.5] TCP/IP model
  • The TCP/IP (DoD) model is the older and simpler of the two models; the OSI Open Systems Interconnection model was standardized later, has more layers, and is used as the common vocabulary when comparing protocols
  • Network interface - the layer that describes the standards for the physical medium, for example Ethernet. In the OSI model it covers both the Physical layer and the Data link layer.
  • Internet - the layer at which information is packaged, addressed and routed to other network destinations. ARP is used for address resolution, IP for addressing and routing data, and ICMP for reporting errors and exchanging limited control and status information. In the OSI model this is the Network layer.
  • Transport - the layer at which the standards of data transport are determined: TCP, connection oriented with guaranteed delivery, and UDP, connectionless and unguaranteed but fast. This layer has the same name in the OSI model.
  • Application - the layer at which end user data is formatted, packaged and passed to and from the transport layer, for example Telnet. In OSI this spans three layers: Session, Presentation and Application.
[1.6] OSI model
  • OSI stands for Open Systems Interconnection; it is the seven-layer reference model
  • 7 Application layer
  • 6 Presentation layer
  • 5 Session layer
  • 4 Transport layer
  • 3 Network layer
  • 2 Data link layer
  • 1 Physical layer
  • Layers 7, 6, and 5 correspond to Application layer in TCP/IP model
  • Layer 4 correspond to Transport layer in TCP/IP model
  • Layer 3 corresponds to Internet layer in TCP/IP model
  • Layer 2 and 1 correspond to Network Interface layer in TCP/IP model
  • Protocols that were not originally part of the TCP/IP specifications are referred not by position in TCP/IP model but by OSI model. For example NetBT is a session (or layer 5) protocol.
[1.7] Protocols, their port numbers and layers in TCP/IP model they are in
  • Port number - identifies the service at a transport layer endpoint (for example 80 for HTTP). Protocol number - the field in the IP header that identifies the protocol carried inside the packet (6 TCP, 17 UDP, 47 GRE, 50 ESP)
  • The transport is provided by TCP and UDP protocols
  • Internet layer protocols are ARP, IP and ICMP
  • HTTP - hypertext transfer protocol TCP port 80 (application layer)
  • HTTPS - HTTP over SSL (Secure Sockets Layer), TCP port 443
  • SMTP - TCP port 25. Files stored in LocalDrive:\Inetpub\Mailroot
  • SNMP - simple network management protocol used to provide information about TCP/IP hosts, UDP port 161.
  • FTP - only basic authentication allowed, TCP port 20 (data) TCP port 21 (control). Files stored in LocalDrive:\Inetpub\Ftproot (application layer)
  • POP - TCP port 110
  • DNS - UDP port 53 (query) TCP port 53 (zone transfer)
  • NNTP - TCP port 119. Files stored in LocalDrive:\Inetpub\Nntpfile\Root
  • PPTP - Point to Point Tunneling Protocol: TCP port 1723 for the control connection, and GRE (IP protocol number 47) for the tunnelled data
  • L2TP/IPSec - UDP port 500 (IKE), UDP port 4500 (IKE NAT traversal) and UDP port 1701 (L2TP, carried inside the IPSec tunnel); ESP is IP protocol number 50
  • ARP, ICMP and IP (internet layer)
[1.8] IP addressing
  • Internet Assigned Numbers Authority (IANA) divides up non reserved portions of IP address space
  • IANA gives address blocks to local authorities such as ARIN which in turn give it to large ISP
  • Private addresses (RFC 1918) are the blocks 10.0.0.0/8 (10.0.0.0 - 10.255.255.255), 172.16.0.0/12 (172.16.0.0 - 172.31.255.255) and 192.168.0.0/16 (192.168.0.0 - 192.168.255.255); they are not routed on the internet
  • IP addresses are just a representation of a 32 bit number broken into 8 bit parts for ease of visualization by the administrator
  • IP address is made up of two parts, network address and host address. Network prefix is the number of bits in network id.
  • IP class assignments
    • Class A 1-126.x.x.x, hosts supported 16777214, with mask 255.0.0.0
    • Class B 128-191.x.x.x, hosts supported 65534, with mask 255.255.0.0
    • Class C 192-223.x.x.x, hosts supported 254, with mask 255.255.255.0
    • Class D 224-239.x.x.x, reserved for multicast addressing
    • Class E 240-254.x.x.x, reserved for experimental use
  • The subnet mask is used to determine whether a packet is destined for the current network or not, by masking off the network part of the IP address. The PC first finds its own network address with a bitwise AND of its IP address and subnet mask. It then does a bitwise AND of the destination IP address and the same subnet mask to get the destination network address. If the two match the packet travels on the local network; if they don't, the packet is destined for a foreign network and is sent to the default gateway.
  • CIDR - Classless Inter-Domain Routing notation, a shorthand for the subnet mask. It counts the number of 1s in the binary representation of the mask and writes that count after the IP address: 192.168.2.12/24 means the subnet mask is 255.255.255.0, since that mask has 24 leading 1s. It is not compatible with RIP v1. It is the term administrators commonly use when talking about supernetting, since CIDR is used to shorten routing tables.
  • Default gateway - the IP address of a routing device that accepts packets destined for other networks. Other networks are the subnets that are not within broadcast range of the PC contacting the default gateway (the gateway itself is within broadcast range).
  • Follow these simple checks to spot an invalid IP address:
    • Host without a subnet mask
    • Network ID not unique on the internetwork, or host ID not unique within the subnet
    • Neither the network ID nor the host ID may be all 1s (the broadcast address) or all 0s (the network address)
[1.9] Subnetting and supernetting IP networks
  • Subnetting - occurs when one needs to divide default A,B or C class address space into smaller spaces. The logical division is accomplished by extending the string of 1's in the subnet mask.
  • Subnetting is used for: accommodating security needs, physical topology, limitation of broadcasting
  • Number of hosts on a subnet = 2^(32-subnets # of 1's)-2. We subtract 2 since one address is needed for network ID and one for network broadcast
  • Host ID with all 0's is the network ID and host ID with all 1's is broadcast address
  • Supernetting - occurs when one wants to combine default A, B or C class address spaces into one large space. This method allows for more efficient allocation of network address space.
  • The major difference of supernetting from subnetting is that 1s are removed from the network part of the mask rather than added. Thus one might have /23, /22, /21 or /20 supernet masks.
  • Conversion between binary and decimal (or any other base) is based on the base each system uses: 2 for binary, 10 for decimal and so on. The position of a digit in the number, counting from zero at the right, is the power to which the base is raised, and the digit is the number by which that power is multiplied. Sum all the terms to get the value in decimal. For example 123 in base 8 is 1*8^2 + 2*8^1 + 3*8^0 = 83 in decimal. To minimize errors it is best to use a calculator.
  • Variable length subnet masks (VLSMs) - allow for subnets to be subnetted themselves making the use in large organizations of network address space more efficient. They allow administrators to create subnets of varying sizes.
  • Classless Inter-Domain Routing (CIDR - defined in RFC 1519) using variable length subnet masks (VLSM) was created to allow for greater flexibility with routed IP networks, to allow for the accelerating expansion of the Internet.
  • VLSMs use Subnet IDs to create subnets of different sizes, they are not compatible with old routing protocols like RIP 1
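The address arithmetic of [1.3], [1.8] and [1.9] written out as code, as an added example that is not part of the original guide: classifying an address (all zero, loopback, APIPA, RFC 1918 private, or its classful letter), converting between a CIDR prefix and a dotted mask, the bitwise AND test for "same subnet", the 2^(32-prefix)-2 host count, and the all-0/all-1 host ID check. The addresses used are made up; the results are cross-checked against Python's standard ipaddress module, which plays the role of the calculator the guide recommends.

```python
# Added example, not part of the original guide: the address arithmetic from
# [1.3], [1.8] and [1.9] done with plain bitwise operations, cross-checked
# against Python's ipaddress module. All addresses below are made up.
import ipaddress

APIPA_NET = ipaddress.IPv4Network("169.254.0.0/16")          # [1.3]
RFC1918_NETS = [ipaddress.IPv4Network(n)                      # [1.8] private ranges
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def to_int(dotted):
    """Dotted decimal -> the 32-bit number it really is ([1.8])."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    n = 0
    for o in octets:
        n = (n << 8) | o
    return n


def to_dotted(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/24 -> 255.255.255.0: the CIDR prefix is just the count of leading 1 bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("bad prefix length: %r" % prefix)
    return to_dotted((((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask):
    """255.255.255.0 -> 24, rejecting masks whose 1 bits are not contiguous."""
    m = to_int(mask)
    prefix = bin(m).count("1")
    if m != (((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return prefix


def usable_hosts(prefix):
    """2^(32-prefix) - 2: the all-0 (network ID) and all-1 (broadcast) host IDs are reserved ([1.9])."""
    return 0 if prefix >= 31 else 2 ** (32 - prefix) - 2


def same_subnet(src, dst, mask):
    """The AND test from [1.8]: equal network IDs mean local delivery,
    otherwise the packet is handed to the default gateway."""
    m = to_int(mask)
    return (to_int(src) & m) == (to_int(dst) & m)


def classify(dotted):
    """Tag an address the way the guide talks about it: unassigned (all zero),
    loopback, APIPA, private (RFC 1918) or its classful letter."""
    n = to_int(dotted)
    first = n >> 24
    if n == 0:
        return "unassigned"             # lease released and never renewed ([1.3])
    if first == 127:
        return "loopback"
    addr = ipaddress.IPv4Address(dotted)
    if addr in APIPA_NET:
        return "APIPA"
    if any(addr in net for net in RFC1918_NETS):
        return "private"
    if 1 <= first <= 126:
        return "class A"
    if 128 <= first <= 191:
        return "class B"
    if 192 <= first <= 223:
        return "class C"
    if 224 <= first <= 239:
        return "class D (multicast)"
    return "class E (reserved)"


def invalid_host_reason(dotted, mask):
    """[1.8] 'spot an invalid IP address': a host ID of all 0s is the network ID
    and all 1s is the broadcast address; neither may be assigned to a host."""
    host_bits_len = 32 - mask_to_prefix(mask)
    host_id = to_int(dotted) & ((1 << host_bits_len) - 1)
    if host_id == 0:
        return "network ID"
    if host_id == (1 << host_bits_len) - 1:
        return "broadcast address"
    return None


def stdlib_agrees(dotted, prefix):
    """Cross-check mask and host count against ipaddress (the 'calculator')."""
    net = ipaddress.IPv4Network("%s/%d" % (dotted, prefix), strict=False)
    return (str(net.netmask) == prefix_to_mask(prefix)
            and max(net.num_addresses - 2, 0) == usable_hosts(prefix))


if __name__ == "__main__":
    for ip in ("169.254.10.5", "172.20.1.1", "0.0.0.0", "8.8.8.8"):
        print(ip, classify(ip))
    print("192.168.2.12/24 ->", prefix_to_mask(24), usable_hosts(24), "hosts;",
          "stdlib agrees:", stdlib_agrees("192.168.2.12", 24))
```

mask_to_prefix deliberately rejects a mask such as 255.0.255.0: a non-contiguous mask is the kind of typo that makes the same_subnet test give nonsense answers, and it is worth catching before it reaches a host.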
[1.10] Other points
  • Administrator can install on a computer file and print services for Macintosh but only print services for Unix
  • TCP/IP is installed by default by Windows setup
  • The following are installed as part of simple TCP/IP services: Character Generator, Daytime, Discard, Echo, Quote of the day
  • The ARP cache (the IP to MAC address mappings) on a computer refreshes itself (unused entries expire after 2 minutes) and can be cleared manually with the command arp -d *
  • Most computers on the network use DHCP for addressing as it produces less human error than static addressing. Static addressing is used by servers.

Part 2: Troubleshooting and monitoring TCP/IP

[2.1] Analyzing traffic using network monitor
  • Frame is an encapsulation of network interface layer (layer 2) data. Each frame contains source and destination computer addresses, header of the protocol used to send data and data itself.
  • Packet is an encapsulation of internet layer (layer 3) data
  • There are two versions of Network Monitor. The basic version that ships with Windows Server 2003 captures only frames sent to or from the local computer. The full version, which ships with Microsoft Systems Management Server (SMS), can capture traffic between any devices on the segment, but only when the segment uses hubs: on the more common switches the capturing station sees only its own traffic and broadcasts unless the switch mirrors a port to it.
  • Network Monitor is made up of two components, administrative tool called Network Monitor and an agent called Network Monitor Driver
  • Network Monitor Driver can be installed by itself on windows XP/2000/2003 PCs in the same manner as one installs a new protocol
  • The monitor can be used to find NIC's MAC address, computers GUID and many other useful information
  • Parsing is the process of reading, analyzing and describing the contents of frames. Administrator can add new parsers to network monitor by adding parser dll files into %systemroot%\system32\Netmon\Parsers folder and modifying parser.ini file in %systemroot%\system32\Netmon folder. By default network monitor supports over 90 protocols.
[2.2] Problems with TCP/IP connections
  • Network diagnostics is a graphical tool that administrator can access from help and support tools menu. Users can save output to a file for examination by network administrator.
  • Netdiag is a command line tool that is used to run different network tests. Administrator needs to install the tool first from the Windows CD, the support tools file is called suptools.msi.
  • Tracert - shows the path a packet takes to reach a given destination. It does this by sending ICMP echo requests with increasing TTL values in the IP header, so that each router along the way reports back in turn. Up to 30 hops by default; it tells the administrator where connectivity stops.
  • Pathping - like tracert it shows the path to a destination, but it then sends packets to each hop over a period of time and reports per-hop loss and latency. Use it to troubleshoot erratic behaviour such as delayed or dropped packets; use tracert for plain connectivity.
  • Arp - shows the ARP cache on the PC. Computers on the same segment can have wrong MAC addresses for each other cached and then cannot communicate; use arp -a to check whether the hardware address mappings are correct and arp -d * to clear the cache. If the mappings check out, look for a hardware problem.
  • If the administrator can ping the loopback address, the PC's own address and the default gateway but no other PCs on the segment, the problem is most likely a corrupted ARP cache.
  • Troubleshooting steps: loopback, local PC, default gateway, remote host by IP, remote host by name.

Part 3: Implementing, configuring and troubleshooting DNS servers

[3.1] Differences between DNS and NetBIOS
  • NetBIOS (Network Basic Input Output System) is not a naming system, it is an API that provides naming and name resolution services
  • DNS is the preferred name resolution system in Windows, but it needs configuration unlike NetBIOS
  • NetBIOS is used for browsing Microsoft Windows Network through My Network Places and connecting to shares using UNC paths (File and Print for Microsoft Networks)
  • NetBIOS name space is flat, while DNS is hierarchical
  • NetBIOS name - used to identify a NetBIOS service that is listening on the first IP that is bound to the adapter
  • Maximum computer name length in NetBIOS is 15 bytes (characters) while in DNS host name can be up to 63 bytes and FQDN up to 255. When the computer name is longer than 15 characters then the NetBIOS name is the computer name's first 15 characters.
  • To view NetBIOS PC name go to system properties, network identification, properties and more button
  • Host name - the first label of a FQDN. In DNS terms a host is just about any network interface with an IP address bound to it
  • Primary DNS suffix - also known as primary domain name or the domain name, specified on the computer name tab
  • FQDN - DNS name that uniquely identifies the computer on the network. It is concatenation of the host name, primary DNS suffix and a period. The full computer name is a type of FQDN, the same computer can be identified by more than one FQDN but only the FQDN that concatenates the host name and primary DNS suffix represents the full computer name.
  • NetBIOS resolves names through WINS server, Local NetBIOS cache, NetBIOS broadcast, LMHOSTS file
  • DNS resolves names through DNS server or Hosts file (which is part of client cache). Entries added to the hosts file are immediately loaded into resolver cache.
  • Both LMhosts and hosts files are located in %systemroot%\system32\drivers\etc folder
  • Nbtstat is used to query NetBIOS over TCP/IP from the command line: -c lists the remote name cache, -n lists the local name table (the names this computer has registered), -R purges the cache and reloads the #PRE entries from LMHOSTS, and -RR releases and re-registers the local names with WINS
  • DNS is required for Windows 2000/2003 domains (AD) and internet
  • NetBIOS is needed by older Windows operating systems, workgroups in Windows 95/98/Me/NT
  • NetBIOS is enabled by default for all local area connections, administrator can disable NetBIOS to increase security from TCP/IP properties screen, but users will no longer be able to use computer browser service
  • Windows 2000/XP/2003 DNS clients always try to resolve a name using DNS before falling back to the NetBIOS methods
[3.2] DNS as part of Windows Network
  • DNS is a hierarchical system based on a tree structure called DNS namespace
  • Each DNS namespace has to have a root that can have unlimited number of subdomains. The root is an empty string
  • Every node in the DNS namespace has a specific address by which it can be identified, called a FQDN
  • The dot is the standard separator between domain labels. The dot also separates the root from the subdomains, but it is usually omitted by the end user and added automatically by the DNS Client service during a query.
  • On the internet the DNS root and top-level domains are under control of Internet Corporation for Assigned Names and Numbers (ICANN)
  • There are three types of internet top-level domains, organizational, geographical and reverse (in-addr.arpa)
  • A DNS server can be authoritative for one or more zones, each of which contains one or more domains. A server is authoritative for a zone if it hosts the zone as a primary or secondary server.
  • When the DNS Client or DNS Server service is stopped, its cache is cleared
  • DNS client is installed by default, server component is not
  • A forwarder is a DNS server that is used to resolve queries external to the server using it
  • A conditional forwarder is a DNS server that examines the domain name of the query and forwards it (the query) to specific server based on name asked in the query. All forwarder options are set from the forwarders tab on the DNS server properties dialog box.
[3.3] DNS components
  • DNS zone - a portion of the DNS namespace for which a DNS server is authoritative. A server can be authoritative for one or more zones and each zone can contain one or more domains. Zone files store resource records; they are usually text files, but on Windows 2000/2003 administrators have the option of Active Directory integrated zones stored in the directory.
  • DNS resolver - a service that uses the DNS protocol to query DNS servers for information. On Windows Server 2003 this is done by the DNS Client service.
  • The third component is the DNS server itself. This breakdown holds for any DNS implementation.
[3.4] DNS server query process
  • Each query message contains the following information:
    • DNS domain name as FQDN
    • Query type, resource record by type or specialized type of query operation
    • Specified class for the DNS domain name
  • When user wants to resolve an address the first place DNS client service looks in is user's computer local cache and hosts file
  • If local resources don't resolve the name, DNS client uses server search list to query preferred DNS server, if it is unavailable alternate DNS servers are used according to their positioning on the server preference list
  • The DNS server, after receiving a query, first checks whether it is authoritative for the domain in question; if it is not, it checks its local cache of answers to earlier queries. If that does not resolve the name either, the server performs recursion on the client's behalf.
  • For recursive queries DNS server needs to be configured with Root Hints, which by default are stored in file cache.dns in %systemroot%\system32\dns folder
  • Server asks the appropriate root server for an address of more knowledgeable server, then it asks that server etc. till it gets the answer. It is like walking the namespace tree.
  • The most common responses to the client are: an authoritative answer, a positive answer, a referral answer and a negative answer.
  • If recursion is disabled on the server it sends a referral answer back to the client. The client then has to perform iteration (repeated queries to different DNS servers, walking the DNS tree) to get the answer it seeks.
  • The first positive answer a client gets for a name is frequently authoritative, while subsequent answers are non-authoritative. This is because the DNS server cached the answer to the original query.
  • Reverse query - takes an IP address of the form a.b.c.d and asks the DNS server for the name d.c.b.a.in-addr.arpa. ARPA stands for Advanced Research Projects Agency. Reverse lookup was not part of the first DNS design and was added later by overlaying the in-addr.arpa domain; PTR records map the reversed address back to a host name and are the counterpart of A records.
[3.5] DNS client query process timeout
  • DNS client sends a query to preferred DNS server and waits for 1 second for response
  • If no response is received the client sends a query to the first server on all adapters and waits for 2 seconds
  • If there is still no response, client sends a query to all DNS servers on all adapters and waits for 2 seconds
  • If no response continues client sends query to all servers again and waits for 4 seconds, then again and waits for 8 seconds
  • If after performing all of above steps client didn't get any response, it returns time out to the calling process
[3.6] Configuring DNS server
  • Network administrator can create two types of zones, forward or reverse lookup. In forward lookup zone the FQDN is mapped to an IP address, this is a conventional zone. In reverse lookup zone the IP address is mapped to FQDN
  • There are three zone roles a DNS server can have with respect to a zone, plus the caching-only role for servers that host no zone. The role is per zone: if our server hosts the primary copy of zone A it is in the primary role for A, and the same server can at the same time be in the secondary role for a different zone B:
    • Primary - holds the original, writable copy of the zone data
    • Secondary - holds a read-only copy of the zone obtained by zone transfer
    • Stub - a copy of the zone containing only the resource records needed to identify the authoritative DNS servers for the master zone (SOA, NS and the matching glue A records); it lets a parent zone keep an up-to-date list of the name servers in a child zone
    • Caching only - hosts no zones at all
  • When administrator wants to decrease the amount of name resolution traffic while avoiding zone transfer traffic install caching only server
  • When DNS server is installed it is automatically configured to act as a caching only server
  • When a zone is created it automatically has in it SOA and NS records
  • To view the contents of the DNS server cache administrator needs to select 'Advanced' from view menu
  • In the resource record file lines that are blank or start with ; (semi-colon) are ignored by the DNS server
  • Master server is the server from which secondary server got zone information (can be a primary server or another secondary server)
  • When DNS server zone data is stored in AD (AD integrated) all DNS servers become peers
  • In non-Microsoft implementations of DNS server the secondary zone is also known as the slave zone, while the primary zone is also known as the master zone
[3.7] Resource records
  • Resource records have the following syntax: Owner TTL Class Type RDATA
  • Owner - the name of the host or the DNS domain to which this resource record belongs
  • Time to live (TTL) - A 32 bit integer representation of the time the record should be cached
  • Class - protocol family in use, optional field, IN (internet class) for Windows based DNS service
  • Type - for example A or TXT
  • RDATA - this is where actual resource record data is stored
[3.8] Basic resource record types
  • Host (A) - the most common record type, maps a host name to an IP address. Administrators can add them manually; Windows 2000 and later clients register their own A records through the DHCP Client service (which performs the dynamic update even for static addresses), and the DHCP server can register records on behalf of older clients.
  • Alias (CNAME) - canonical name records let an alternative name point to a host. They are often overused. Recommended when a generic service name such as ftp needs to resolve to a host that may change, or when renaming a host.
  • MX - mail exchanger records point to the mail servers for a domain; more than one, with different preference values, gives fault tolerance (if the company can afford the extra hardware and software)
  • PTR - pointer records perform reverse lookup. They live in zones under in-addr.arpa and are created the same way as A records; the two are the opposite of each other.
  • SRV - service locator records specify the location of services in a domain. Windows Server 2003 AD uses SRV records; all the records AD needs are listed in %systemroot%\System32\Config\Netlogon.dns, and if the registered records need fixing use netdiag /fix.
  • NS - name server record is used to indicate which DNS server(s) are designated as authoritative for the zone. Any server specified in the NS record is considered an authoritative source by other servers for given zone. It is able to answer with certainty any queries made for names included in the zone.
  • SOA - start of authority indicates the name of origin for the zone and contains the name of the server that is the primary source for information about the zone. It also indicates other basic properties of the zone like the primary DNS server, responsible person, serial number, refresh interval, retry interval, expire interval and TTL. SOA record is always the first record in any standard zone.
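A parser for the text zone file format described in [3.6], [3.7] and [3.8], as an added example that is not part of the original guide: it drops blank and semicolon comment lines, joins a multi-line SOA, reads Owner [TTL] [Class] Type RDATA with the optional fields defaulted, resolves '@' and relative owners against the zone origin, and then runs the checks a practitioner would want: SOA first and exactly one, the NS records at the apex that name the authoritative servers, and the d.c.b.a.in-addr.arpa owner names a matching reverse zone would need (the reverse query construction of [3.4]). The zone text is constructed for illustration and example.test is not a real domain; TXT records with quoted strings are not handled.

```python
# Added example, not part of the original guide: a small parser for the text
# zone file format of [3.6]-[3.8], plus the reverse-lookup name construction
# from [3.4]. SAMPLE_ZONE is constructed for illustration; example.test is not
# a real domain. TXT records with quoted strings are not handled (assumption).

SAMPLE_ZONE = """\
; constructed sample zone for example.test, not a real zone
$TTL 3600
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2004061701 ; serial
        900        ; refresh
        600        ; retry
        86400      ; expire
        3600 )     ; minimum TTL
@        IN NS    ns1.example.test.
@        IN NS    ns2.example.test.
@        IN MX 10 mail.example.test.
ns1      IN A     192.168.2.10
ns2 7200 IN A     192.168.2.11
mail     IN A     192.168.2.20
www      IN CNAME mail
ftp      IN A     192.168.2.21
         IN A     192.168.2.22
_ldap._tcp IN SRV 0 100 389 ns1.example.test.
"""

CLASSES = {"IN", "CH", "HS"}


def _strip_comment(line):
    """Everything after ';' is a comment ([3.6])."""
    return line.split(";", 1)[0].rstrip()


def _logical_lines(text):
    """Yield one logical line per record: blank and comment-only lines are
    dropped, and lines inside ( ) are joined so a multi-line SOA is one record."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []
    if buf:
        raise ValueError("unbalanced parentheses in zone file")


def _absolute(name, origin):
    """'@' is the zone origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Parse Owner [TTL] [Class] Type RDATA records ([3.7]). A record whose
    owner field is blank (leading whitespace) inherits the previous owner."""
    if not origin.endswith("."):
        origin += "."
    records, default_ttl, last_owner = [], None, None
    for line in _logical_lines(text):
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.split()
        if line[0].isspace():
            if last_owner is None:
                raise ValueError("record without an owner: %r" % line)
            owner = last_owner
        else:
            owner = _absolute(tokens.pop(0), origin)
        last_owner = owner
        ttl, rclass = default_ttl, "IN"
        for _ in range(2):                      # TTL and class are optional, either order
            if tokens and tokens[0].isdigit():
                ttl = int(tokens.pop(0))
            elif tokens and tokens[0].upper() in CLASSES:
                rclass = tokens.pop(0).upper()
        if not tokens:
            raise ValueError("record without a type: %r" % line)
        records.append({"owner": owner, "ttl": ttl, "class": rclass,
                        "type": tokens.pop(0).upper(), "rdata": tokens})
    return records


def soa_first(records):
    """[3.8]: the SOA must be the first record, and there must be exactly one."""
    return (bool(records) and records[0]["type"] == "SOA"
            and sum(r["type"] == "SOA" for r in records) == 1)


def authoritative_servers(records):
    """NS records at the zone apex name the servers authoritative for the zone ([3.8])."""
    apex = records[0]["owner"]
    return [r["rdata"][0] for r in records if r["type"] == "NS" and r["owner"] == apex]


def reverse_name(ip):
    """a.b.c.d -> d.c.b.a.in-addr.arpa., the owner name of the PTR record ([3.4])."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_zone_entries(records):
    """The PTR records a reverse zone would need for every A record here ([3.8])."""
    return [(reverse_name(r["rdata"][0]), r["owner"]) for r in records if r["type"] == "A"]


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "example.test")
    print("SOA first:", soa_first(recs), "NS:", authoritative_servers(recs))
    for owner, target in reverse_zone_entries(recs):
        print(owner, "PTR", target)
```

Comparing reverse_zone_entries against the PTR records actually present in the in-addr.arpa zone is a quick way to find hosts whose A record was registered but whose PTR never was, which is the usual state of affairs when the DHCP server is not registering PTR records on clients' behalf.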
[3.9] Configuring client computers for use of DNS
  • In order to configure DNS on a client system an administrator needs to do three things:
    • Administrator needs to set host name for each computer that is going to use DNS, it can have up to 63 bytes (for NetBIOS compatibility up to 15 bytes (characters)) and can only contain letters numbers and '-', it is not case sensitive
    • Administrator also needs to set primary DNS suffix for each computer, the suffix together with the host name forms a FQDN, it is selected from the system properties -> computer name -> change button -> More, by default it is the same as the AD name in which the PC resides
    • Finally, the administrator needs to configure the list of DNS servers the client is to use, in order, starting with the preferred DNS server
  • The administrator may configure a connection-specific DNS suffix for each adapter on the DNS client PC from the Advanced TCP/IP Settings dialog box. This gives the same computer a different FQDN per connection, in addition to its full computer name, so it can be found on a different subnet. For each such FQDN, as for the full computer name, A and PTR records are created in the appropriate zones on the appropriate DNS servers.
  • If network administrator configures DNS suffix search list then the computer will be able to resolve single-label unqualified names and multiple label unqualified names. By default, the search is performed using primary domain suffix and, if applicable, connection specific suffixes.
  • The ipconfig /displaydns command shows DNS cache on client, ipconfig /flushdns clears DNS cache
  • When a query is submitted with an unqualified name the client service by default adds to it the primary DNS suffix and checks the query. If that doesn't work the client adds connection specific DNS suffixes and retries. If there is still no positive response, client adds the parent suffix of the primary DNS suffix to the name and does the final check.
  • If the administrator is only able to ping the user computer by IP (from another PC), he can try to use ipconfig /registerdns on Windows XP/2000/2003
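The client-side naming rules of [3.1] and [3.9] as code, an added example that is not part of the original guide: how the 15-character NetBIOS name is derived from a computer name (and when two names could collide), what a valid DNS host name looks like, how the full computer name is formed, and the order in which the resolver qualifies an unqualified name with the primary suffix, the connection-specific suffixes and the parents of the primary suffix, or with a configured suffix search list instead. Names and suffixes are made up. One rule is my own reading of the Windows resolver rather than something the guide states, and is marked as an assumption: a dotted unqualified name is first tried as a FQDN before suffixes are appended.

```python
# Added example, not part of the original guide: the client naming rules of
# [3.1] and [3.9] as code. Names and suffixes are made up. The rule that a
# dotted unqualified name is first tried as-is is my reading of the Windows
# resolver behaviour, not something the guide states (assumption).
import re

NETBIOS_MAX, LABEL_MAX, FQDN_MAX = 15, 63, 255
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def netbios_name(computer_name):
    """NetBIOS names are 15 characters: longer computer names are cut ([3.1])."""
    return computer_name[:NETBIOS_MAX].upper()


def netbios_truncated(computer_name):
    """True when the computer name is longer than its NetBIOS name, so another
    computer with the same first 15 characters would collide with it."""
    return len(computer_name) > NETBIOS_MAX


def validate_hostname(name):
    """None if the host name follows [3.9], else the reason it is rejected."""
    if not name:
        return "empty host name"
    if len(name.encode("utf-8")) > LABEL_MAX:
        return "longer than 63 bytes"
    if not LABEL_RE.match(name):
        return "only letters, digits and '-' allowed; '-' may not start or end the name"
    return None


def full_computer_name(host, primary_suffix):
    """host + primary DNS suffix = the full computer name, a FQDN ([3.9])."""
    reason = validate_hostname(host)
    if reason:
        raise ValueError(reason)
    fqdn = "%s.%s." % (host, primary_suffix.strip("."))
    if len(fqdn) > FQDN_MAX:
        raise ValueError("FQDN longer than 255 bytes")
    return fqdn.lower()                        # names are not case sensitive


def devolve(suffix, stop_at=2):
    """Parent suffixes of the primary suffix, stopping at two labels:
    east.corp.example.test -> corp.example.test, example.test ([3.9])."""
    labels = suffix.strip(".").split(".")
    parents = []
    while len(labels) > stop_at:
        labels = labels[1:]
        parents.append(".".join(labels))
    return parents


def candidate_fqdns(name, primary_suffix, connection_suffixes=(), search_list=None):
    """Names the resolver will query for an unqualified name, in order.
    With no search list: primary suffix, connection-specific suffixes, then the
    parents of the primary suffix ([3.9]). A configured suffix search list
    replaces that default order entirely."""
    if name.endswith("."):
        return [name]                          # already fully qualified
    queries = []
    if "." in name:
        queries.append(name + ".")             # assumption: dotted names tried as FQDN first
    if search_list:
        suffixes = list(search_list)
    else:
        suffixes = [primary_suffix] + [s for s in connection_suffixes if s]
        suffixes += devolve(primary_suffix)
    for suffix in suffixes:
        fqdn = "%s.%s." % (name, suffix.strip("."))
        if len(fqdn) <= FQDN_MAX and fqdn not in queries:
            queries.append(fqdn)
    return queries


if __name__ == "__main__":
    print(netbios_name("FileServerNumberOne"), netbios_truncated("FileServerNumberOne"))
    print(full_computer_name("Web-01", "east.corp.example.test"))
    for q in candidate_fqdns("server1", "east.corp.example.test", ["lab.example.test"]):
        print("try", q)
```

The devolution list is the part worth looking at from a security angle: with the primary suffix east.corp.example.test the resolver will also ask for server1.example.test, so a name registered higher up the tree (or in a zone the client can reach but the administrator does not control) is answered before the query fails.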
[3.10] Updating of client records in the DNS
  • Windows server 2000/2003 and BIND 8.1.2 or later can accept dynamic updates of A and PTR records performed by clients or on behalf of clients by DHCP server.
  • By default, clients with static IP address attempt to update both A and PTR records for all IPs. Registration is based on domain membership settings.
  • Windows 2000/XP/2003 computers with dynamic address (assigned by DHCP) attempt only to update their A records (PTR left for DHCP server to update if needed). The client contacts the server every 24h to update the mapping unless one of the following occurs:
    • Computer name changes
    • Member computer is promoted to the role of DC
    • One of the commands listed is used: ipconfig /release, ipconfig /renew, ipconfig /registerdns
    • When the local IP address changes, including IP address lease from the DHCP server
  • Computers with operating system earlier than Windows 2000 (i.e. 95/98/Me) that use dynamic address have the DHCP server do all the work (both A and PTR records due to client unaware of dynamic update functionality). User can force registration by client using ipconfig /registerdns
[3.11] DNS server properties
  • Interfaces - which IP addresses should server computer listen for requests, by default all IP addresses
  • Forwarders - sets up the upstream DNS servers to which this server forwards queries it cannot answer from its own zones or cache. Forwarding only selected domains to selected servers is called conditional forwarding. The tab lets the administrator disable recursion on a per domain basis for queries that have been sent to a forwarder (by default, if the forwarder fails to resolve a name the local server tries to resolve it by recursion). When DNS server A has forwarder B configured and recursion disabled, server A is called a slave server: it is totally dependent on B for every query it cannot resolve locally. The default timeout for a forwarded query is 5 seconds.
  • Advanced tab - enables and disables special features. If the administrator disables recursion here it is disabled for all queries, and forwarders are disabled as well.
  • Root hints - this tab shows a copy of the information in %systemroot%\system32\dns\cache.dns. The list of root servers rarely changes; network administrators can get the latest file from ftp://rs.internic.net/domain/named.cache. If the DNS server is itself a root server (hosts the "." zone) the file should be deleted, and this tab is disabled.
  • Debug logging - lets the administrator troubleshoot the DNS server by logging selected incoming and outgoing packets. Debug logging is a processor and disk intensive operation.
  • Event logging - restricts which events are written to the DNS event log
  • Monitoring - two basic functionality tests are performed here: "A simple query against this DNS server" and "A recursive query to other DNS servers". The first sends a query to the server itself; the second makes the server perform recursion out to the root servers. The tests can be scheduled to run at a set interval.
  • Security - this tab is available only if the DNS server is also a domain controller and allows one to set the settings for the users that are given permission to view edit and set DNS zones data.
[3.12] Configuring Zone properties
  • General tab - used to configure zone type, zone file name, dynamic updates and aging. Administrators can pause name resolution for a zone. AD-integrated zones have replication settings enabled; the administrator can select to which servers DNS replication data is sent. There are three dynamic update settings for AD-integrated zones: none, non-secure and secure. Aging is the process of placing a time stamp on a dynamically registered resource record and then tracking the record's age. Scavenging is the process of deleting outdated records. When aging and scavenging are enabled, the zone files are not compatible with Windows DNS servers older than Windows 2000.
  • Start of authority (SOA) tab - the administrator can set a serial number, which acts as a revision number; it is used to synchronize zone transfers. The primary server box contains the full name of the server; it must end with a period. Responsible person is the domain mailbox name for the responsible person and should always end with a period. Refresh interval is the amount of time the secondary server waits before checking the master server for an updated copy of the zone; by default it is 15 minutes. Retry interval is the amount of time (default 10 minutes) the secondary server waits before retrying a failed zone transfer. Expires after is the amount of time a secondary server without contact with the master server continues to answer queries; the default is 1 day, after which the data is considered unreliable. Minimum (default) TTL is the time to live applied to all resource records in the zone; the default is 1 hour. TTL for this record is the TTL of the SOA resource record itself and overrides the general TTL setting above this box.
  • Name Servers tab - this tab allows the administrator to create NS resource records (apart from creating them manually, this is the only place they can be created). Every zone must contain at least one NS record. In Windows Server 2003, for primary zones zone transfer is allowed by default only to the servers specified in the Name Servers tab.
  • Security tab - ACL that defines who can manage and modify zone file data.
  • WINS tab - used to configure WINS servers to aid in name resolution. When the administrator configures WINS, a WINS resource record is added to the zone database. If WINS and DNS servers are set for forward and reverse zones, then data is added to both forward and reverse zones.
  • Zone transfer tab - allows the system administrator to restrict the servers to which zone data will be transferred. Primary servers have zone transfers either disabled or limited to the NS tab servers; the administrator can also specify the servers to which data may be transferred by IP address. Secondary servers by default don't allow zone transfers; they need to be enabled first. The 'to any server' setting was enabled on Windows 2000, but was a huge security hole. The administrator can also have the secondary servers notified of a zone file change; notification is enabled by default. There is no need for notification in AD-integrated zones. If the server to which DNS data is to be transferred has multiple IP addresses on the same subnet, then they all have to be included for transfers to be successful.
[3.13] Configuring Zone properties - AD integration
  • Application directories are replicated among DCs; the ones applicable to DNS are DomainDnsZones and ForestDnsZones. The full name of each application directory is its name concatenated with the FQDN, for example DomainDnsZones.microsoft.com. The domain application directory is replicated to the servers in the domain, the forest application directory to all servers in the forest. The administrator can add new application directories for the use of the DNS server using dnscmd [server] /createdirectorypartition [full partition name (FQDN)]; to enlist other DNS servers in the partition, the administrator issues dnscmd [server] /enlistdirectorypartition [full partition name (FQDN)]. There are no application directories on Windows 2000 (they are new to Windows 2003). To work with application directories the administrator needs to be a member of the enterprise administrators security group.
  • There are four options for zone data replication when the administrator chooses to use AD-integrated zones. On the General tab of the zone properties a button is available to change the zone replication scope when the zone is AD-integrated. Zone data can be replicated:
    • To all DNS servers in the AD forest - the broadest scope of replication
    • To all DNS servers in the AD domain
    • To all DCs in the AD domain [domain name here] - select this if Windows 2000 DNS servers are to load the AD zone
    • To all DCs specified in the scope of the following application directory - replicates as the specified application directory does; if the zone is to be stored in a specified application directory partition, the DNS server hosting the zone must enlist in the application directory partition that contains that zone.
  • Secure dynamic updates can be performed only in AD-integrated zones; they use Kerberos for security. Only computers running Windows XP/2000/2003 are capable of secure updates.
  • DnsUpdateProxy group - used to solve a problem that occurs with secure dynamic updates. The computer that registered a record becomes its owner and is the only computer that can update it. Thus, for example, if the DHCP server registers an A record for a PC, the DHCP server becomes its owner, not the PC to which the A record points. When the DHCP server is a member of the DnsUpdateProxy group it is prevented from taking ownership of the record; an unsecured entry exists until the real owner takes ownership of it.
  • Only primary zones can be AD-integrated. Secondary zones are always stored as text files; there are no AD-integrated secondary zones, since AD integration makes all servers into peers.
[3.14] Advanced DNS server properties
  • Disable recursion - this option is off by default, so the DNS server uses recursion to resolve client queries. When the option is enabled the DNS server does not answer the query for the client but instead provides the client with referrals. When recursion is disabled the DNS server is also unable to use forwarders.
  • BIND Secondaries - when enabled, the DNS server does not use the fast transfer format when performing a zone transfer to a secondary server based on BIND. This allows compatibility with older versions of BIND; versions 4.9.4 and later support fast zone transfer, and for these the option should be disabled. The fast transfer format is efficient, allowing data compression and multiple records per TCP message, and it is always used among Windows-based DNS servers. This option is enabled by default.
  • Fail on Load if Bad Zone Data - when this option is disabled (the default) the DNS server loads the zone even if errors are found in the database file; any errors found are logged. When the option is enabled, a damaged zone database stops the load operation.
  • Enable netmask ordering - when selected (the default), this option makes sure that when a client query matches multiple A records, the one in the client's subnet is returned first in a response list that contains all matching records. This option is also referred to as LocalNetPriority (the name used for the same setting in the dnscmd utility).
  • Enable round robin - this setting (enabled by default) ensures that for a query matching multiple A records, the order of the entries in the returned response list rotates from one response to the next. This method is used as a poor man's network load balancing. Local subnet priority is applied before round robin is. When round robin is disabled, records are returned in the order they appear in the zone file.
  • Secure cache against pollution - this setting (enabled by default) prevents the DNS server from accepting referrals that might pollute its cache or be insecure. The server caches only those records whose name corresponds to the domain for which the original query was made; any others are discarded.
  • Name checking - the default setting of Multibyte (UTF8) ensures that the DNS server verifies that all domain names conform to the Unicode Transformation Format (UTF). Use strict RFC if the server cannot work with UTF; the other two options (all names and non-RFC) are only for special circumstances.
  • Load zone data on startup - specifies where initial zone data is loaded from; by default it is from Active Directory and the registry. The other storage options are the registry alone or a file. The file option is for BIND-based DNS servers; the file is usually named Named.boot, in the older BIND 4 format (not BIND 8).
  • Enable automatic scavenging of stale records - this option is disabled by default; when enabled, the DNS server performs scavenging of stale records automatically at a pre-defined interval.
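How netmask ordering and round robin interact when a name has several A records, as an added example that is not part of the original guide; the ordering rules are the ones stated above, while the addresses, the class name and the /24 "same subnet" test are constructed assumptions:

```python
"""Added example (not from the guide): how a Windows Server 2003 DNS server
orders the answers to a query that matches several A records when the
'Enable netmask ordering' (LocalNetPriority) and 'Enable round robin'
options are on. The ordering rules are the ones the guide describes; the
addresses and the /24 'same subnet' test are constructed assumptions."""

import ipaddress
from typing import Dict, List


class AnswerOrderer:
    """Reorders the A-record answers for one name the way the guide describes."""

    def __init__(self, netmask_ordering: bool = True, round_robin: bool = True) -> None:
        self.netmask_ordering = netmask_ordering
        self.round_robin = round_robin
        # Responses already sent per name; round robin starts each successive
        # response one entry further into the zone-file order.
        self._responses_sent: Dict[str, int] = {}

    def order(self, name: str, client_ip: str, zone_records: List[str],
              prefix_len: int = 24) -> List[str]:
        """Return every matching address, in the order the server would
        place them in its response to client_ip."""
        answers = list(zone_records)          # round robin off: zone-file order
        if self.round_robin and answers:
            shift = self._responses_sent.get(name, 0) % len(answers)
            answers = answers[shift:] + answers[:shift]
            self._responses_sent[name] = self._responses_sent.get(name, 0) + 1
        if self.netmask_ordering:
            # Local subnet priority is applied on top of the rotation, so an
            # address on the client's own subnet always comes first and the
            # remaining addresses keep their rotated order.
            client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
            local = [a for a in answers if ipaddress.ip_address(a) in client_net]
            remote = [a for a in answers if ipaddress.ip_address(a) not in client_net]
            answers = local + remote
        return answers


# Constructed sample zone: three A records for the same name, on three subnets.
WWW_RECORDS = ["10.1.1.5", "10.2.2.5", "10.3.3.5"]


def demo() -> Dict[str, List[List[str]]]:
    """Two consecutive queries per setting combination, for a client on 10.2.2.0/24."""
    results = {}
    for label, nm, rr in [("both", True, True), ("round_robin_only", False, True),
                          ("netmask_only", True, False), ("neither", False, False)]:
        server = AnswerOrderer(netmask_ordering=nm, round_robin=rr)
        results[label] = [server.order("www", "10.2.2.77", WWW_RECORDS) for _ in range(2)]
    return results


if __name__ == "__main__":
    for label, responses in demo().items():
        print(f"{label:17s} {responses}")
```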
[3.15] Creating zone delegations
  • When an administrator delegates a zone, a portion of the authority over the main DNS namespace is assigned to a subdomain within that namespace. The responsibility is passed from the parent domain to the subdomain.
  • The network administrator should consider delegation when:
    • There is a need for hosts whose names are structured around department affiliation
    • The central company administrative body wants departments to handle their own business
    • Network traffic is creating the need to distribute the query load over multiple DNS databases
  • The parent zone needs to contain the A record and the NS record of the child zone's name server; both records are created automatically when a new delegation is created. The glue record (the A resource record) is hidden from the administrator's view, but it is still there.
  • The NS record is known as the delegation record; it advertises the name server and performs the actual delegation. The A resource record is known as the glue record; it is needed if the name of the authoritative server is itself in the delegated zone.
  • Delegation takes precedence over forwarding, i.e. if a server knows of a child zone that can answer the query it will contact that zone's server rather than forward the query.
[3.16] Stub Zones
  • A stub zone is a reduced copy of a zone, updated at regular intervals, that contains only the NS records belonging to the master zone. As a result, the server that hosts the stub zone doesn't answer queries directly; instead it directs queries to the name servers specified in the stub zone's NS records.
  • A stub zone keeps all NS records from the master zone current. When the administrator configures a stub zone, at least one name server whose IP address doesn't change must be specified. Any further name servers added to the zone are added automatically through zone transfer. The administrator cannot modify the stub zone data directly; the data is modified automatically when the parent zone changes.
  • When delegating control of a zone to another server, the master server will not learn of new servers added to the child zone. The administrator needs to set up a stub zone for the child on the master server to ensure that the master server learns of new name servers in the child zone.
  • Stub zones can also be used to provide additional connectivity across domains without the redundancy provided by secondary servers. Enhanced connectivity is achieved without an increase in replication traffic.
  • A stub zone contains the SOA, NS and A glue resource records for the authoritative DNS servers of the zone. The SOA record points to the master server, the NS records point to the other name servers, and the A records hold the IP addresses of the authoritative servers.
  • The stub zone name resolution process: a client queries a server with a stub zone, and the DNS server uses the stub zone's resource records in resolution. The authoritative servers listed in the stub zone are contacted; if they cannot be contacted, standard recursion is performed. The response from the stub zone's authoritative server is not placed in the stub zone but cached with the TTL from the stub zone's SOA record.
  • Stub zones offer the following advantages:
    • Stub zones improve name resolution by allowing the server to perform recursion without using the root servers
    • Keep foreign zone information current: by updating the stub zone at regular intervals, the zone keeps an accurate list of the name servers in the child zone
    • Simplify DNS administration by distributing zone information without the need for secondary zones
[3.17] Understanding DNS troubleshooting tools
  • Nslookup is a command line tool used for querying DNS servers. In interactive mode the commands entered are case sensitive. Here is a short description of the more advanced options available:
    • The command set q=[recordtype|any] is used to search for specific record types
    • To use a different server, use "server new_server_name"
    • The network administrator can use the 'ls' command to simulate a zone transfer; all data can be listed. Note that by default on Windows Server 2003 zone transfers are restricted to approved hosts only. The -a switch returns alias and canonical names, -d returns all data, -t filters by type
  • The DNS debug log is found in the %systemroot%\system32\dns folder and is named Dns.log. The administrator should view this file when the DNS service is stopped. The default file format is RTF, so to open it use WordPad (not Notepad or another basic text editor). By default only DNS errors are logged, but the administrator can change that from the Debug logging tab of the DNS server properties.
  • The DNS event log logs everything by default; the administrator can change that default behaviour using the Event Logging tab in the DNS server properties. This is a standard Windows log file and all size and filtering options are the same as for any other log.
  • The Windows Support Tools include a utility called DNSLint, which is useful when troubleshooting delegation issues
  • The dnscmd tool includes two useful troubleshooting switches, /clearcache and /info (whose actions are self-explanatory)
[3.18] Stale records
  • Stale records (records that are no longer valid) can be left on the server. One common way this happens is when a client PC is not able to clean up after itself, e.g. because it was improperly disconnected from the network.
  • The following features of the DNS server in Windows 2003 help system administrators get rid of stale records:
    • Records in a primary zone can have a time stamp attached to them (as per the DNS server's time); manually added records have a time stamp value of zero, indicating that they don't age
    • Records are aged as per their TTL. Secondary zones are scavenged by the primary server.
  • If stale records persist on the system, they may cause the following problems:
    • Improper name resolution, e.g. a FQDN is prevented from being used by another PC
    • Poor server performance: too many records to search and very large zone files to transfer
[3.19] Using DNS monitoring tools
  • To monitor the resource impact of the DNS server on the PC use Performance Monitor, perfmon.exe. The DNS object includes 62 different counters that can be tracked.
  • For AD-integrated zones there is the option of using AD's native monitoring to trace the replication traffic. Replmon.exe from the Windows Support Tools is used to monitor and troubleshoot AD replication.
  • The replication monitor displays 5 or more directory partitions; the administrator needs to find out in which one the DNS zone data is stored. The command dnscmd /zoneinfo [domain name] can be used to find zone information. Once the directory partition is known, the administrator can use the replication monitor to force zone replication: right-click the directory and choose Synchronize with all servers. Any general replication errors are displayed by the replication monitor.
  • For more advanced AD debugging use the repadmin utility provided as part of the Windows Support Tools.
[3.20] Improving DNS server performance
  • By installing a caching-only server close to the clients, the load on the primary and secondary servers is greatly decreased
[3.21] Other points
  • The DNS cache is cleared each time the DNS service is restarted. The DNS cache can also be cleared using dnscmd /clearcache from the command line
  • The DNS server test consists of a single reverse lookup of the loopback device; if it fails, make sure you have a record named '1' in the reverse lookup zone 0.0.127.in-addr.arpa. Another test checks recursive DNS.
  • A zone transfer can be started when one of the following four events occurs:
    • The refresh interval of the primary zone's SOA record expires
    • The secondary server boots up (DNS service is restarted)
    • A change occurs in the configuration of the zone records on the primary server and it notifies the secondary of the change
    • The DNS console is used at the secondary server to manually initiate a transfer of the zone from its master server
  • When a zone transfer occurs it is by default an incremental zone transfer (IXFR), which transfers only the changed records; it is described in Request for Comments (RFC) 1995. Some older DNS servers that don't support IXFR will use a full zone transfer (AXFR), which is also supported by Windows Server 2003. The older standard transfers the whole DNS database.
  • Stub and secondary zone update operations explained:
    • Reload - reloads the zone from the local storage of the DNS server hosting it
    • Transfer from Master - the server hosting the zone checks its SOA record for expired data and performs a zone transfer from the zone's master server
    • Reload from Master - this operation performs a zone transfer from the zone's master server regardless of the serial number or expiry date in the zone's SOA record
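The SOA timers from the [3.12] SOA tab, the transfer triggers, the IXFR/AXFR choice and the Transfer from Master / Reload from Master operations above, simulated in an added example that is not from the guide; the master's change journal and all records, serials and times are assumptions of the demonstration:

```python
"""Added example (not from the guide): a simulation of the SOA timers from
[3.12] and the zone-transfer triggers from [3.21]. A master zone keeps a
journal of changes per serial so it can answer an incremental transfer
(IXFR) and falls back to a full transfer (AXFR) when the secondary's serial
predates the journal. Records, serials and times are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Records = Dict[str, str]                        # simplified zone: owner name -> A record data
JournalEntry = Tuple[int, Records, List[str]]   # (new serial, added records, removed names)


@dataclass
class SOA:
    serial: int
    refresh: int = 15 * 60          # the guide's defaults, in seconds
    retry: int = 10 * 60
    expire: int = 24 * 60 * 60
    minimum_ttl: int = 60 * 60


@dataclass
class SecondaryZone:
    soa: SOA
    records: Records
    last_success: int               # time of the last successful master contact
    last_failure: Optional[int] = None
    notified: bool = False          # a NOTIFY from the master is pending

    def transfer_due(self, now: int) -> bool:
        """Refresh interval elapsed, retry interval after a failure, or NOTIFY."""
        if self.notified:
            return True
        if self.last_failure is not None and self.last_failure > self.last_success:
            return now - self.last_failure >= self.soa.retry
        return now - self.last_success >= self.soa.refresh

    def can_answer(self, now: int) -> bool:
        """After 'expires after' without master contact the data is unreliable."""
        return now - self.last_success < self.soa.expire

    def check_master(self, master: Optional["MasterZone"], now: int) -> str:
        """'Transfer from Master': contact the master (None = unreachable)."""
        self.notified = False
        if master is None:
            self.last_failure = now
            return "FAILED"
        kind, payload = master.transfer(self.soa.serial)
        if kind == "IXFR":
            for serial, added, removed in payload:
                for name in removed:
                    self.records.pop(name, None)
                self.records.update(added)
                self.soa.serial = serial
        elif kind == "AXFR":
            self.records = dict(payload)
            self.soa.serial = master.soa.serial
        self.last_success, self.last_failure = now, None
        return kind

    def reload_from_master(self, master: "MasterZone", now: int) -> str:
        """'Reload from Master': full transfer regardless of serial numbers."""
        self.records = dict(master.records)
        self.soa.serial = master.soa.serial
        self.last_success, self.last_failure, self.notified = now, None, False
        return "AXFR"


@dataclass
class MasterZone:
    soa: SOA
    records: Records
    journal: List[JournalEntry] = field(default_factory=list)
    secondaries: List[SecondaryZone] = field(default_factory=list)

    def change(self, added: Records, removed: List[str]) -> int:
        """Apply a change, bump the serial, journal the delta and send NOTIFY."""
        for name in removed:
            self.records.pop(name, None)
        self.records.update(added)
        self.soa.serial += 1
        self.journal.append((self.soa.serial, dict(added), list(removed)))
        for secondary in self.secondaries:      # notification is on by default
            secondary.notified = True
        return self.soa.serial

    def transfer(self, have_serial: int) -> Tuple[str, object]:
        """Answer a transfer request from a secondary that holds have_serial."""
        if have_serial == self.soa.serial:
            return ("NONE", None)
        deltas = [entry for entry in self.journal if entry[0] > have_serial]
        # IXFR is possible only if the journal covers every serial after the
        # secondary's; otherwise the whole zone has to be sent (AXFR).
        if deltas and deltas[0][0] == have_serial + 1:
            return ("IXFR", deltas)
        return ("AXFR", dict(self.records))
```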

Part 4: Implementing, configuring and troubleshooting DHCP servers

[4.1] Configuring DHCP server
  • A DHCP server allows the system administrator to automatically assign IP addresses, subnet masks and other configuration information, like DNS and WINS servers, to client computers on the local network.
  • Through the use of a DHCP server network administrators save the time required for configuration and re-configuration of computers.
  • The administrator should install the DHCP service on a computer that has been assigned a static IP address (otherwise clients would have no fixed address to contact when renewing their leases)
  • You need administrative privileges to install and administer a DHCP server
  • You need to authorize your DHCP server if it is to be integrated in an AD network (the person authorizing the DHCP server needs to be a member of the enterprise administrators security group). Stand-alone DHCP servers can still be deployed, but they should not share a subnet with authorized DHCP servers. Stand-alone servers that are deployed together with authorized servers are called rogue servers. The rogue server automatically stops its DHCP service when it detects an authorized server on the subnet.
  • A DHCP scope is a pool of IP addresses within a logical subnet which the DHCP server assigns to its clients. Scopes provide for IP address management.
  • When an IP address is offered to a client it is said to be leased. Once the lease is made it is said to be active. Leases are renewed for different reasons; the client tries to renew when 50% of the lease time has elapsed.
  • The DHCP server has to have an IP address compatible with the scope assigned to it, i.e. the server itself has to be in the scope.
  • The 80/20 rule - to provide fault tolerance in an environment with two DHCP servers, the first server (A) should have 80% of the addresses for its local subnet and 20% of the addresses for the subnet on which the other DHCP server (B) is present. The same assignment is repeated on server (B), which gets 80% of the addresses in its own subnet and 20% of the addresses in the subnet on which server (A) is present. This concept is applied when 2 or more DHCP servers are present.
  • Reservations are placeholders in the scope reserved for specific computers. You reserve an IP address for a specific network adapter using its MAC address. To create a new reservation, open the scope in which you want to create it, right-click Reservations and select New Reservation. Reservations cannot be used interchangeably with manual static configurations. Reservations don't work when the address is simultaneously reserved and excluded. Reservations are used as an alternative to static addresses for computers that are not essential to network function (i.e. not critical servers).
  • The scope needs to be activated before the server can hand out addresses (for AD integration the server also needs to be authorized). To activate a scope open the DHCP console, select the scope you want to activate and from the Action menu select Activate.
  • Exclusion range - a group of IP addresses residing in the scope that the administrator doesn't wish to be leased to DHCP clients
  • DHCP is an extension of the Bootstrap Protocol (BOOTP). Microsoft DHCP server can assign addresses to BOOTP clients.
[4.2] DHCP scope options
  • DHCP options can be configured at the reservation, scope and server level. To configure options for a reservation, select it and from the Action menu choose 'Configure options'. To configure options for a scope select the Scope Options folder and then 'Configure options'. To configure server options select the Server Options folder and then 'Configure options'.
  • There are more than 60 different options available for the DHCP server; the most common (important) ones are:
    • 003 Router - IP addresses of routers on the same subnet as the client, used by the client for packet forwarding
    • 006 DNS servers - IP addresses of DNS servers
    • 015 DNS domain name - the domain name DHCP clients should use when resolving unqualified names during DNS name resolution; allows for client dynamic DNS update
    • 044 WINS/NBNS servers - IP addresses of WINS servers
    • 051 Lease - special lease option for remote clients
  • Options set on the DHCP server take effect when clients renew or obtain a new lease
[4.3] DHCP scope features
  • Scope name page - you can give your scope a name
  • IP address range - you define the starting and ending IP address of the scope and the subnet mask. You should choose a consecutive address range of the subnet and later exclude the computers with static addresses.
  • Add exclusions - these are the addresses that will not be leased to DHCP clients
  • Lease duration - length of the lease
  • Configure DHCP options - whether to configure DHCP options for the scope through further pages in the wizard or later in the DHCP console; you can configure options at the reservation level, scope level or server level. There are more than 60 different DHCP options.
  • Router (Default Gateway) - optional, which default gateway should be assigned to DHCP clients
  • Domain name and DNS servers - optional, which domain will be assigned as parent and which DNS servers will be given to the DHCP client
  • WINS servers - optional, addresses of the WINS servers that are to be assigned to the DHCP client
  • Activate scope - optional, whether the scope will be activated after the DHCP wizard finishes
[4.4] Managing DHCP server
  • To change the DHCP server status open the DHCP console, go to the Action menu and select one of Start, Stop, Pause, Restart and Resume
  • You can also use the Net command to change the status of the DHCP server; the command line syntax is Net [operation like start/stop/pause/continue] DHCP_server
  • You can manage the DHCP server from the command line using the netsh command line tool, with the dhcp subcommand.
  • A superscope is an administrative grouping of scopes that is used to support multiple logical subnets, also known as multinets, on a single network segment. Superscopes exist on one physical network and work with multiple logical networks. This method is used for the DHCP server to provide clients with addresses from multiple scopes. The administrator needs to delete the superscope before deleting any scope that is contained within it. Superscopes group scopes that can be activated together; a superscope doesn't carry any details about the scopes.
  • To move a scope to a new addressing range, first create a new scope with the new range, then activate it and deactivate the old scope. Either manually or by waiting, make sure all clients move to the new scope, then delete the old scope.
  • If a superscope is not defined on a server then only one scope can be active at a time.
  • In order for the DHCP server not to assign an already assigned IP address to a new client, DHCP has conflict detection (Advanced tab of the DHCP server properties), in which the server pings the address it is about to assign in order to check whether it is free.
  • Multicast scope - regular DHCP scopes provide client configurations by allocating ranges of IP addresses from the standard classes (A, B or C). The multicast address range uses an extra address class, D, with IP addresses from 224.0.0.0 to 239.255.255.255, for use in IP multicasting. In every TCP/IP network each host gets its own IP address from the regular address classes. The unicast IP address is assigned before a host can support and use secondary IP addresses, such as a multicast IP address. Multiple PCs can share the same multicast IP address. On private networks it is recommended to start with the 239.192.0.0 range. When a packet is sent with a multicast address as its destination it is delivered to all PCs that have that address. Multicast scopes are supported through the use of MADCAP (Multicast Address Dynamic Client Allocation Protocol).
  • The DHCP server backs itself up automatically every 60 minutes; you can also do a manual backup. A manual backup is performed with the Backup command in the DHCP console. When the backup is made the whole DHCP database is saved; some things, like credentials, are not saved. The default manual backup location is %systemroot%\system32\dhcp\backup. The following data is backed up: all scope information including superscopes and multicast scopes, reservations, leases and all options. The database backup file is called DHCP.mdb.
    • To change the backup behaviour of the DHCP server, one needs to edit the following registry keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupInterval\
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupDatabasePath\
  • To migrate a DHCP server all you need to do is move the database: simply back it up and then restore it on the new computer
  • Jetpack.exe is a tool that allows offline compaction and repair of Jet databases such as the DHCP or WINS database. You can use dynamic compaction of the DHCP server database without the need to bring the server offline, but offline defragmentation is more efficient. Compaction should be done whenever the database size grows beyond 30 Mb or you get corruption errors.
  • Option class - a way for the DHCP server to manage the options provided to clients within a scope. When an option class is added, clients of that class can get class-specific configuration options. There are two types of classes, vendor classes and user classes:
    • A vendor class is used to assign vendor-specific options to clients that share a common vendor
    • A user class is used to assign options to clients that share user-defined similarities
  • The DHCP server has a default user class called 'Default routing and remote access'. Options in this class apply only to clients that request an address while connecting through Routing and Remote Access. You can set different options; for example, you can assign shorter leases to the clients connected remotely (this is option number 051 Lease).
  • To create your own user or vendor class open the DHCP console, right-click the DHCP server and select 'Define User classes'. After defining a new class you need to assign an ID and options to it. On the client side you need to make sure that the clients know what class they are in; you do this by executing ipconfig /setclassid. To view all classes allowed by the DHCP server execute ipconfig /showclassid
[4.5] DHCP and DNS working together
  • Windows 2000 and later computers try to register their own A record but ask the DHCP server to register the PTR record
  • By default the DHCP server only attempts to update client records if the client computer requests it
  • You can also configure the DHCP server to attempt to update A and PTR records regardless of client requests
  • By default the DHCP server discards the A and PTR records when the lease expires (you can set it so they are kept)
  • By default the DHCP server will not perform dynamic updates on behalf of older Windows clients that don't request updates
  • The update settings are configured on the DNS tab of the DHCP server properties
  • DnsUpdateProxy is a security group whose members create and update records with no security settings (objects created by members of this group have no security-related settings). When a DHCP server that is not a member of the group creates or modifies an entry in the DNS, it becomes the owner of that entry and only it can change the entry. This might create problems when, for example, a client cannot modify a record because the server took ownership of it. Membership of the DHCP server in this group solves such stale record problems.
  • Using the DnsUpdateProxy group might also cause problems if the DHCP service is installed on a DC, since all records created by it are then not secure (the same holds for the A records of non-DC DHCP servers, but one can modify these manually, giving them an owner). In particular, the records created by the DC's Netlogon service are not secure.
[4.6] Analyzing DHCP server traffic
  • Communication between DHCP server and DHCP client for a new lease:
    • The client seeking an IP address broadcasts a DHCPDISCOVER message on the network
    • Any DHCP server that receives the message and has available IP addresses sends a DHCPOFFER for an address, valid for a period of time called the lease
    • If no DHCP servers are available, the client can use APIPA or its alternative configuration; older clients fail to initialize and continue to send DHCPDISCOVER messages, 4 times every 5 minutes
    • The client selects one of the offers and broadcasts a DHCPREQUEST indicating its selection
    • The DHCP server sends a DHCPACK message to the client with possible configuration information, like DNS server IPs
  • Communication between DHCP server and DHCP client for lease renewal:
    • The client computer sends a DHCPREQUEST message to the server that leased it the IP address; it contains the FQDN of the client computer. The DHCPREQUEST message is also used by the client to request dynamic updates from the DHCP server.
    • If the DHCP server can be reached, it sends a DHCPACK message back indicating renewal of the current lease (or remains silent)
    • If the DHCP server cannot be reached then the client waits until it reaches the rebinding state, which usually occurs 7 days after the last lease renewal. When that state is reached the client attempts to renew with any available DHCP server.
    • If a server responds with a DHCPOFFER message the client renews the lease and continues its operation
    • If the lease expires and the client hasn't renewed it, the client ceases to use the leased IP address. It then tries to obtain a new IP address lease.
    • The DHCP server can also issue a DHCPNACK response indicating that the requested IP address is unavailable. In this case lease renewal fails and the client is forced to initiate a new lease request process.
[4.7] DHCP audit logging
  • In its default configuration the DHCP server writes daily audit logs to the folder %systemroot%\system32\dhcp. The text files created there are named after the day of the week on which they were created, in the format DhcpSrvLog-[3-letter day of the week abbreviation]. You can change the file location from the Advanced tab of the DHCP server properties.
  • You can turn logging off on the General tab of the DHCP server properties. By default the largest log file is 1 MB, and logging stops if the free disk space falls under 20 MB.
  • Each log entry contains the ID, date, time, description, IP address, host name and MAC address. The columns are in CSV format; some may be blank.
  • The log file begins with a summary of the event IDs that appear in the main body of the log file, up to event ID 50. Event IDs above 50 are used for AD authorization issues.
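The following is an added example (not part of the guide) of reading a DHCP audit log in the layout described above: skip the event-ID legend, parse the CSV body, count events per ID and pull out the entries a defender would look at first (conflicts, exhausted scopes, denied leases and anything above ID 50, which the guide says relates to AD authorization). The sample log text is constructed; the short list of event-ID meanings is assumed from the standard DHCP audit log legend.

```python
"""Parse DHCP server audit log lines (DhcpSrvLog-<day>) and flag events worth
a look. Added example; SAMPLE_LOG is constructed, not captured."""
import csv
from collections import Counter

# Column header line that precedes the CSV body, as described in the guide.
HEADER = "ID,Date,Time,Description,IP Address,Host Name,MAC Address"

# A few well-known event IDs (assumed from the standard audit log legend).
KNOWN_IDS = {
    10: "New lease",
    11: "Renewed lease",
    12: "Released lease",
    13: "IP address found in use on the network (conflict)",
    14: "Lease request could not be satisfied (scope exhausted)",
    15: "Lease denied",
}

# Constructed sample: a legend preamble, then the CSV body.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

Event ID  Meaning
10        A new IP address was leased to a client.
11        A lease was renewed by a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,06/17/04,08:01:12,Assign,192.168.1.50,pc01.corp.example,0003FF112233
11,06/17/04,08:05:40,Renew,192.168.1.51,pc02.corp.example,0003FF445566
13,06/17/04,08:07:03,Conflict,192.168.1.50,,0003FF778899
14,06/17/04,08:09:15,Scope Full,,,0003FFAABBCC
54,06/17/04,08:10:00,Authorization failed,,corp.example,
"""


def parse_audit_log(text):
    """Return one dict per CSV record found after the column header line."""
    lines = text.splitlines()
    if HEADER not in lines:
        raise ValueError("column header line not found")
    body = lines[lines.index(HEADER) + 1:]
    records = []
    for row in csv.reader(body):
        if not row or not row[0].strip().isdigit():
            continue                      # blank line or stray text
        row = row + [""] * (7 - len(row))  # some columns may be blank/missing
        records.append({
            "id": int(row[0]), "date": row[1], "time": row[2],
            "description": row[3], "ip": row[4], "host": row[5], "mac": row[6],
        })
    return records


def classify(event_id):
    """IDs above 50 are AD authorization events (per the guide)."""
    if event_id > 50:
        return "authorization"
    return KNOWN_IDS.get(event_id, "other")


def summarize(text):
    """Count events per ID and collect the ones that need attention."""
    events = parse_audit_log(text)
    by_id = Counter(e["id"] for e in events)
    alerts = [e for e in events if e["id"] in (13, 14, 15) or e["id"] > 50]
    return {"total": len(events), "by_id": dict(by_id), "alerts": alerts}


if __name__ == "__main__":
    for e in summarize(SAMPLE_LOG)["alerts"]:
        print(e["id"], classify(e["id"]), e["time"], e["ip"] or "-", e["mac"] or "-")
```

Pointing `summarize` at the text of a real DhcpSrvLog file works the same way, since the header line is the anchor rather than a fixed line offset; a conflict (ID 13) on an address a client was just leased is the symptom the guide's troubleshooting section describes.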
[4.8] DHCP problem resolution
  • The first step in fixing DHCP related problems is to make sure there is no problem with the client; use the ipconfig command to verify its configuration. If an address conflict occurred you will be warned of it by a system tray popup as well as an address conflict event in the system log.
  • Dhcploc.exe can be used to locate DHCP servers, including rogue servers; this utility is part of the Windows Support Tools. To list AD authorized servers only, use the command netsh dhcp show server.
  • The Repair button on the connection status screen performs these functions:
    • Broadcasts a DHCPREQUEST message to renew the lease, if this computer is a DHCP client
    • Flushes the ARP cache, the same as arp -d
    • Flushes the NetBIOS cache, the same as nbtstat -R
    • Flushes the DNS cache, the same as ipconfig /flushdns
    • Registers the computer with the WINS server, the same as nbtstat -RR
    • Registers the computer with the DNS server, the same as ipconfig /registerdns
  • If the computer fails to connect to the DHCP server, make sure the network medium is up and the DHCP server is operational. Make sure the scope is active and that it still has leases available for its clients.
  • The DHCP server knows from which scope to assign an address by looking at the address of the RFC 1542 compliant router added to the discovery packet sent out by the client computer (no extra IP added means the local subnet)
  • If a client gets an IP address from a DHCP server but it is from the wrong scope, verify with the dhcploc utility whether competing DHCP servers are present. Make sure all authorized servers lease from non-overlapping ranges. A single DHCP server can have multiple scopes active; scopes not native to the DHCP server's subnet are used for remote clients. DHCP matches remote clients to their scope when an RFC 1542 compliant router or DHCP relay agent is properly configured: the DHCPREQUEST message contains a field named giaddr which identifies the originating subnet, and when it is empty the client is assumed to be local and is assigned an address from the local scope.
  • For a server to hand out addresses it must be on the same subnet as its clients, and the DHCP service must be bound to the connection; this is checked from the Advanced tab in server properties.
  • Make sure the scope is active and that the scope's network ID matches that of the DHCP server. Also, though it sounds trivial, make sure the DHCP server has some addresses available for lease. To accommodate more users you can simply shorten the lease duration. Don't forget exclusions for static addresses and reserved addresses.
  • If the problem lies within the DHCP database, you will need to reconcile the DHCP data for one or all scopes. The data is stored in detailed and summary form on the DHCP server; when reconciling, the data in these two forms is compared.
  • You can also use the jetpack utility to compact the database, or use netsh dhcp server set databaserestoreflag 1
  • When the administrator needs to renew IP addresses on a few computers he can issue the command ipconfig /renew on each of them; when there are more computers it is easier to just reboot them using the shutdown /i command line utility (which shows a GUI).
  • To quickly get only the MAC address of any computer, including remote PCs, use the getmac /s [server name] /v command line utility
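As an added example (not code from the guide), the following models the lease exchange from [4.6] and the scope-selection rule from [4.8] in one place: DHCP messages are built and parsed in the RFC 2131 layout, and the server picks a scope from giaddr, treating an empty giaddr (0.0.0.0) as "client is on my own subnet". It answers DHCPDISCOVER with DHCPOFFER only while the chosen scope has free addresses (staying silent otherwise, as the guide describes), and answers DHCPREQUEST with DHCPACK or DHCPNACK depending on whether the requested address was the one offered. The scopes, addresses and MAC addresses are constructed; the `serve`/`select_scope` functions are this example's own, not a Windows API.

```python
"""Minimal DHCP message builder/parser (RFC 2131 layout) plus scope selection
by giaddr. Added example; scopes and addresses below are constructed."""
import ipaddress
import struct

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 values
MAGIC = bytes([99, 130, 83, 99])                      # options magic cookie
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"                  # 236-byte fixed header


def build(msg_type, xid, chaddr, giaddr="0.0.0.0", yiaddr="0.0.0.0",
          op=1, requested=None):
    """op=1 is BOOTREQUEST (client), op=2 is BOOTREPLY (server)."""
    fixed = struct.pack(
        FIXED, op, 1, 6, 0, xid, 0, 0x8000,           # Ethernet, hlen 6, broadcast flag
        b"\0" * 4,                                    # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,         # yiaddr: address being offered
        b"\0" * 4,                                    # siaddr
        ipaddress.IPv4Address(giaddr).packed,         # giaddr: relay agent address
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])                # DHCP message type option
    if requested is not None:                         # option 50: requested address
        options += bytes([50, 4]) + ipaddress.IPv4Address(requested).packed
    return fixed + MAGIC + options + b"\xff"          # END option


def parse(data):
    if len(data) < 240 or data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(FIXED, data[:236])
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:           # walk TLV options to END
        if data[i] == 0:                              # PAD option has no length
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": f[0], "xid": f[4], "chaddr": f[11][:f[2]],
        "yiaddr": str(ipaddress.IPv4Address(f[8])),
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "type": opts[53][0] if 53 in opts else None,
        "requested": str(ipaddress.IPv4Address(opts[50])) if 50 in opts else None,
    }


# Constructed scopes: network -> free addresses. The server sits on 192.168.1.0/24.
SERVER_SUBNET = ipaddress.ip_network("192.168.1.0/24")
SCOPES = {
    ipaddress.ip_network("192.168.1.0/24"): ["192.168.1.50", "192.168.1.51"],
    ipaddress.ip_network("10.0.2.0/24"): ["10.0.2.100"],
}


def select_scope(giaddr):
    """Empty giaddr means a local client; otherwise the scope containing the relay."""
    if giaddr == "0.0.0.0":
        return SERVER_SUBNET
    relay = ipaddress.ip_address(giaddr)
    return next((net for net in SCOPES if relay in net), None)


def serve(request_bytes, offers):
    """Server side of the exchange; `offers` maps xid -> address offered."""
    req = parse(request_bytes)

    def reply(kind, yiaddr="0.0.0.0"):
        return build(kind, req["xid"], req["chaddr"], giaddr=req["giaddr"],
                     yiaddr=yiaddr, op=2)

    if req["type"] == DISCOVER:
        pool = SCOPES.get(select_scope(req["giaddr"]), [])
        if not pool:
            return None                               # no free address: stay silent
        offers[req["xid"]] = pool.pop(0)
        return reply(OFFER, offers[req["xid"]])
    if req["type"] == REQUEST:
        if req["requested"] is not None and offers.get(req["xid"]) == req["requested"]:
            return reply(ACK, req["requested"])
        return reply(NAK)                             # address unavailable: client restarts
    return None


if __name__ == "__main__":
    mac, offers = b"\x00\x03\xff\x11\x22\x33", {}
    offer = parse(serve(build(DISCOVER, 0x1234, mac, giaddr="10.0.2.1"), offers))
    print("relayed client offered", offer["yiaddr"])
```

A rogue server on the segment would answer the same DHCPDISCOVER, which is why the guide's advice to run dhcploc and keep authorized servers on non-overlapping ranges matters: the client simply takes one of the offers it receives.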

Part 5: Implementing, configuring and troubleshooting routing and remote access in Windows networks

[5.1] Chapter definitions
  • Routing is the process of transferring data from one local area network to another local area network
  • A bridge is a network connection that connects two or more network segments and passes traffic between them as necessary according to hardware addresses. A bridge is a layer two (data link) device.
  • A router is a device that receives and forwards traffic according to software addresses. A router is a layer three device in the OSI model.
  • A network interface is a software object that connects to a physical device such as a modem or network card
  • Demand dial interfaces - interfaces such as VPN, persistent dial-up and PPPoE connections. New demand dial interfaces are added through the Network Interfaces node.
  • Windows includes a software router called the Routing and Remote Access service. This is a multiprotocol router capable of LAN to LAN, LAN to WAN, VPN and NAT routing over IP networks. It also supports routing features such as IP multicasting, demand dialing, packet filtering, DHCP relay, and built-in support for RIP 2 and OSPF.
  • Unnumbered connections - connections in which one or both of the logical interfaces fail to obtain an IP address. Unnumbered connections happen mostly with demand-dial connections when one (or both) routers don't support APIPA
  • NAT stands for network address translation and is a service, part of a router, in which the header information of IP datagrams is modified by the router before they are sent out. This allows many computers with private addresses to share a single public IP and still be able to surf the net.
[5.2] Routing with Routing and remote access
  • The server computer needs to be configured for Routing and Remote Access, since the service is installed in a disabled state. It will detect all installed network adapters and configure them. However, the system administrator will need to set up all additional VPN and dial-up connections, since they are not pre-configured during setup.
  • When you add a new network card to an already configured Routing and Remote Access service, you will need to add a new interface through the Routing and Remote Access console
  • The number of network segments for which R&R access can act as a router is limited by the number of interfaces installed on the server.
  • Routing and Remote Access properties for the IP routing node:
    • The General tab allows the network administrator to configure the R&R access service as a LAN router, demand dial router or remote access server.
    • The Security tab allows the network administrator to configure authentication methods, connection request logging and preshared keys for the IPSec protocol. All options set on the Security tab apply to remote access clients and demand dial routers.
    • The IP tab allows the network administrator to configure how IP packets are routed over LAN, remote access or demand-dial connections. You have the option of using a DHCP server to assign IP addresses to remote hosts. If the DHCP server is not on the same PC as the R&R access service it must be reached through a DHCP relay agent. If you don't have a DHCP server close at hand you can use a static address pool; the R&R access service then acts as the DHCP server. The "Enable Broadcast Name Resolution" check box, when checked, enables R&R access clients to resolve computer names on all network segments connected to the R&R access server without the help of DNS or WINS servers. This option is enabled by default and it works by permitting NetBT broadcasts from remote clients.
    • The PPP tab allows the network administrator to control how dial-up connections are authenticated and negotiated. You can enable or disable the following options: Multilink connections, Link Control Protocol (LCP) extensions, software compression and Dynamic Bandwidth Control with BAP or BACP; all options are enabled by default.
      • Multilink connections allow multiple physical links to operate as a single logical link, increasing the bandwidth
      • Dynamic Bandwidth Control with BAP or BACP - when bandwidth demands change, multilink connections are created or dropped to follow the changes; both protocols work together to provide bandwidth on demand (BOD)
      • Link Control Protocol (LCP) Extensions - support for advanced PPP features such as callback; disable if the client is older and cannot use these advanced features
      • Software compression - software based compression of data; leave on unless the modem used can compress data at the hardware level (no need to do idle work at the software level)
    • The Logging tab allows the administrator to select the events to be logged; by default only errors are written to the log file. Log files are located in the %systemroot%\tracing directory.
  • IP routing properties, accessed from the General Properties dialog box associated with the General subnode of the IP routing node:
    • Logging tab - which IP routing events are to be logged; by default only errors are logged
    • Preference levels tab allows the administrator to assign a priority to routes collected from various sources. When two different sources provide conflicting routing information only one source's data can be entered into the routing table; this data comes from the source with the higher priority setting. The highest priority is 120, the lowest is 1.
    • Multicast scopes - add/remove multicast scopes (to add a new scope provide its name, base IP address and mask)
  • The Routing and Remote Access server supports SLIP and PPP for serial asynchronous connections. PPP - Point-to-Point Protocol, which provides advanced features (like IPX, NetBEUI and TCP/IP, and encrypted authentication if configured) not found in the Serial Line Internet Protocol (SLIP)
[5.3] Routing tables explained
  • There are three types of routes that one finds inside a routing table:
    • Default route - there is a single entry for this route in the table; the address provided is used as the destination for packets whose address doesn't match any other entry in the routing table. This route is indicated by both an address and a network mask of 0.0.0.0
    • Host route - provides a route to a specific host or a broadcast address; this type of route is marked by a network mask of 255.255.255.255
    • Network route - provides a route to a specific network; this type of route can have a subnet mask between 0.0.0.0 and 255.255.255.255
  • To view the routing table of any computer (every computer has one) from the command line type route print
  • Routing tables are organized into five columns, which are in the following order: Network Destination, Netmask, Gateway, Interface and Metric
    • Network Destination - the router compares entries from this column with the destination address of every IP packet. The 0.0.0.0 entry is the default route, 127.0.0.1 is the loopback device. Each entry with 224.0.0.0 refers to a multicast route. Entries with a last octet of 255 represent broadcast addresses; 255.255.255.255 is the limited broadcast address, which is general for all networks and routers, and the other broadcast addresses are limited broadcast addresses.
    • Netmask - the value of this column determines which part of the packet's destination IP address is compared to the entries in the Network Destination column. The closest match determines the route the packet will be given
    • Gateway - the value represents the address the packet will be sent to if this particular route is chosen. The address should be different from the Network Destination value on the same row of the table: the gateway is the direction a packet takes on its way to the destination address (network destination), and it is logical that the direction one must take to arrive at X is different from X itself.
    • Interface - the local network interface that will be used to transport the packet if this route is chosen
    • Metric - the cost of using a route; lower metric values are preferred over higher values, so a metric of 1 ranks above 50. RIP uses the number of hops to determine a route's metric.
  • By default the computer will preset certain route entries; however, to implement smooth communication with hosts that are outside broadcast range one must set up either static or dynamic routing
  • Static routing is when the administrator adds new routes to the routing table; routers do not share routing information and tables have to be checked for accuracy manually. This makes static routing difficult in large networked environments. Static routing works best for small single path internetworks with 10 or fewer subnets. Static routing supports unnumbered connections. Static routes survive a server restart since they are persistent.
  • You can add new static routes from the Routing and Remote Access console or using the command line: route add [destination address] mask [netmask] [gateway] metric [metric cost] if [interface]. Please note that static routes added with the route command line utility are not persistent by default. To make them persistent use the -p switch. If routes are not persistent they are not listed under the static routes heading in the R&R access console.
  • To delete a route from the command line use route delete [destination address]
  • In real life static routes are rarely used since RIP is easy to configure. You might need to use static routes for connections to remote routers that are intermittent, since dynamic routing protocols require too much communication over the link.
  • You should avoid configuring default routes on two or more routers that point to each other, since that puts unreachable traffic into an endless loop.
  • Dynamic routing uses RIP 2 or OSPF to share information between routers and ensure that the routing tables are built and kept accurate dynamically
  • There is nothing to be done by the administrator as far as configuration is concerned if the router is physically connected to all network segments
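The lookup rule described above (compare the masked destination against Network Destination, prefer the longest mask, break ties on the lowest metric), as an added example that is not from the guide. The table is a constructed one in the five-column route print layout, and it contains all three route types plus two competing routes for the same network so the metric tie-break is exercised.

```python
"""Longest-prefix-match lookup over a routing table in the five columns the
guide describes. Added example; ROUTE_TABLE is constructed, not captured."""
import ipaddress

# Constructed table in `route print` column order (first line is the header).
ROUTE_TABLE = """\
Network Destination  Netmask          Gateway        Interface     Metric
0.0.0.0              0.0.0.0          192.168.1.1    192.168.1.10  20
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1     1
192.168.1.0          255.255.255.0    192.168.1.10   192.168.1.10  20
192.168.1.10         255.255.255.255  127.0.0.1      127.0.0.1     20
192.168.1.255        255.255.255.255  192.168.1.10   192.168.1.10  20
10.0.0.0             255.0.0.0        192.168.1.254  192.168.1.10  30
10.0.0.0             255.0.0.0        192.168.1.253  192.168.1.10  10
224.0.0.0            240.0.0.0        192.168.1.10   192.168.1.10  20
255.255.255.255      255.255.255.255  192.168.1.10   192.168.1.10  1
"""


def parse_route_table(text):
    """Turn the whitespace-separated columns into dicts with integer forms."""
    routes = []
    for line in text.splitlines()[1:]:            # skip the header line
        dest, mask, gateway, iface, metric = line.split()
        routes.append({
            "dest": dest, "mask": mask, "gateway": gateway,
            "interface": iface, "metric": int(metric),
            "dest_int": int(ipaddress.IPv4Address(dest)),
            "mask_int": int(ipaddress.IPv4Address(mask)),
        })
    return routes


def route_kind(route):
    """Classify as the guide does: default, host (/32) or network route."""
    if route["dest_int"] == 0 and route["mask_int"] == 0:
        return "default"
    if route["mask_int"] == 0xFFFFFFFF:
        return "host"
    return "network"


def prefix_length(mask_int):
    return bin(mask_int).count("1")


def lookup(routes, destination):
    """Longest matching mask wins; among equal masks the lowest metric wins."""
    addr = int(ipaddress.IPv4Address(destination))
    best, best_key = None, None
    for r in routes:
        if addr & r["mask_int"] != r["dest_int"] & r["mask_int"]:
            continue                                  # this row does not match
        key = (prefix_length(r["mask_int"]), -r["metric"])
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


if __name__ == "__main__":
    table = parse_route_table(ROUTE_TABLE)
    for dst in ("8.8.8.8", "192.168.1.20", "10.1.2.3", "192.168.1.10"):
        r = lookup(table, dst)
        print(dst, "->", route_kind(r), "via", r["gateway"], "on", r["interface"])
```

The default route only wins when nothing more specific matches, which is why a default route on two routers pointing at each other loops forever: neither table ever has a more specific entry for the unreachable destination.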
[5.4] Configuring routing protocols
  • Windows Server supports four routing protocols: RIP, OSPF, multicast IGMP and DHCP Relay Agent
  • RIP (Routing Information Protocol) chooses the lowest cost route; routes with a cost higher than 15 are discarded, limiting the network size. RIP routers advertise their whole tables to each other every 30 seconds.
  • RIP works best in small to medium sized networks with a maximum of 15 routers; multipath networks with a dynamic topology are well suited for RIP.
  • The main advantage of RIP is its ease of use; its disadvantages are its limited hop based cost estimate and the 15 hop size limit
  • RIP can use simple password authentication that prevents an attacker from polluting the routing tables; unfortunately the passwords are plain text. You can configure a list of routers (peer filtering) from which your router is to accept RIP announcements (by IP address). You can configure route filters on each RIP interface, making routes that are reachable from your network the only ones that will be considered for addition to the routing table.
  • By default RIP uses either broadcasts or multicasts (only in RIP 2). To prevent traffic from being sent to nodes that are not RIP routers the system administrator can set RIP neighbors.
  • OSPF (Open Shortest Path First) is an efficient protocol which uses the shortest path first algorithm to compute routes. OSPF routers don't share routing tables; instead they rely on a map of the internetwork called the link state database. Neighboring routers form an adjacency.
  • The OSPF protocol can scale to very large networks due to having no hop limit, fast convergence times, low network bandwidth use and loop-free routes. Unfortunately it is not supported on the 64bit edition of Windows Server 2003.
  • Changes to the network topology are sent to all routers in the network, which recompute their routing tables
  • OSPF divides the network into areas (collections of contiguous networks) which are connected to each other through the backbone. Each router keeps a link state database only for the areas to which it is connected. Area border routers connect the backbone area to other areas. OSPF also supports stub areas, which have only a single entry and exit point.
  • DHCP Relay Agent is a routing protocol that allows client computers to obtain an address from a DHCP server on a remote subnet. DHCP clients send their DHCPDISCOVER packets as broadcasts, which are blocked by routers; one needs to deploy either an RFC 1542 compliant router or a DHCP Relay Agent for these packets to get through to the other subnet. You cannot use the DHCP Relay Agent on a computer that is also running the DHCP server, NAT (with automatic addressing turned on) or ICS. You install the DHCP Relay Agent just like any other protocol. Routers that are RFC 1542 compliant use BOOTP (boot protocol) forwarding for DHCP packets.
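To make the RIP points above concrete, here is an added example (not from the guide) that builds and parses a RIP version 2 response in its wire format and then applies the three controls the guide names before a route is accepted: peer filtering by sender address, the simple password (whose plain-text nature is visible in the packet bytes), and a route filter, followed by the 15-hop limit. The announcement, the peer list and the filter are all constructed; the RIPv2 layout (4-byte header, 20-byte entries, authentication entry with address family 0xFFFF) is from the protocol specification.

```python
"""RIPv2 announcement parsing with peer filtering, password check, route
filters and the 15-hop limit. Added example; all inputs are constructed."""
import ipaddress
import struct

RIP_RESPONSE = 2
AFI_IP, AFI_AUTH, AUTH_SIMPLE = 2, 0xFFFF, 2
MAX_HOPS = 15                      # metric 16 means unreachable in RIP


def build_announcement(entries, password=None):
    """entries: list of (network_cidr, next_hop, metric). Returns packet bytes."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, 2, 0)             # command, version, zero
    if password is not None:                                   # simple-password entry
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE,
                           password.encode().ljust(16, b"\0"))
    for cidr, next_hop, metric in entries:
        net = ipaddress.ip_network(cidr)
        pkt += struct.pack("!HH4s4s4sI", AFI_IP, 0,              # AFI, route tag
                           net.network_address.packed, net.netmask.packed,
                           ipaddress.IPv4Address(next_hop).packed, metric)
    return pkt


def parse_announcement(data):
    command, version, _ = struct.unpack("!BBH", data[:4])
    password, routes = None, []
    for off in range(4, len(data), 20):                        # fixed 20-byte entries
        afi = struct.unpack("!H", data[off:off + 2])[0]
        if afi == AFI_AUTH:
            auth_type, pw = struct.unpack("!H16s", data[off + 2:off + 20])
            if auth_type == AUTH_SIMPLE:
                password = pw.rstrip(b"\0").decode()           # readable on the wire
            continue
        _, _tag, ip, mask, nh, metric = struct.unpack("!HH4s4s4sI", data[off:off + 20])
        network = ipaddress.ip_network(
            f"{ipaddress.IPv4Address(ip)}/{ipaddress.IPv4Address(mask)}")
        routes.append({"network": network,
                       "next_hop": str(ipaddress.IPv4Address(nh)), "metric": metric})
    return {"command": command, "version": version,
            "password": password, "routes": routes}


def accept_routes(announcement, sender, peers, expected_password, allowed_networks):
    """Return (accepted routes, rejection reasons) after applying the controls."""
    if sender not in peers:                                    # peer filtering
        return [], [f"sender {sender} not in peer list"]
    if expected_password is not None and announcement["password"] != expected_password:
        return [], ["bad or missing password"]
    accepted, reasons = [], []
    for r in announcement["routes"]:
        if r["metric"] > MAX_HOPS:                             # hop limit
            reasons.append(f"{r['network']}: metric {r['metric']} exceeds {MAX_HOPS}")
        elif not any(r["network"].subnet_of(a) for a in allowed_networks):
            reasons.append(f"{r['network']}: outside route filter")   # route filter
        else:
            accepted.append(r)
    return accepted, reasons


if __name__ == "__main__":
    pkt = build_announcement([("10.1.0.0/16", "192.168.1.2", 3)], password="rip-secret")
    print("password visible in packet:", b"rip-secret" in pkt)
    print(accept_routes(parse_announcement(pkt), "192.168.1.2", {"192.168.1.2"},
                        "rip-secret", [ipaddress.ip_network("10.0.0.0/8")]))
```

Because the password travels in clear text, peer filtering and route filters do the real work: an announcement from an address outside the peer list is dropped before its contents are considered, and a route for a network that should never be reachable through that interface is rejected even when it carries the right password.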
[5.5] Demand-dial routing
  • You can enable demand-dial routing from the General tab of the Routing and Remote Access properties
  • You can set dial credentials, get the unreachability reason, set IP demand-dial filters and dial-out hours from the Actions menu. These options are only for the demand dial interface.
  • On the properties page of the demand-dial router you can set modem features such as the source phone number, dialing properties such as call frequency, and the security protocol used - CHAP by default.
  • You can access port and device properties from the Ports node. From this dialog box you can configure whether your modem will be used for inbound and/or outbound connections. You can also set the device's phone number.
  • Clicking on the General node of IP Routing when demand dial is activated reveals some commands specific to dial-in (when one right-clicks on the demand dial interface):
    • Update routes is used to update routes if RIP is installed. Static routes are updated and are known as autostatic routes. Autostatic routes are used instead of normal RIP router to router communication due to the nature of the connection (demand dial).
    • TCP/IP statistics allows the administrator to see information similar to that provided by ipconfig and netstat
    • IP routing interface properties is a shortcut to another dialog box that has General, Multicast boundaries and Multicast heartbeat tabs
      • On the General tab "Enable IP Router Manager" is enabled by default; it is the service responsible for numerous features such as IP packet filtering, and if you disable it the administrative status of the device changes to disabled. Another option is the "Enable Router Discovery Advertisements" check box, off by default; it is a feature in which network hosts send out router solicitations to discover routers, and it needs to be configured at the host. Packet filtering is handled by two buttons, Inbound and Outbound filters. Part of packet filtering is the "Enable fragmentation checking" check box, off by default.
      • Multicast boundaries tab - administrative barriers for the forwarding of IP multicast traffic. If boundaries didn't exist then the IP multicast router would forward all appropriate IP multicast traffic. You can configure the boundary using a multicast scope or the TTL in the IP header.
      • Multicast heartbeat tab - the server listens for a regular multicast notification for a specified group address to verify that IP multicast connectivity is available on the network. You can configure the timeout interval and the group address.
  • Demand dial router to router configuration options:
    • Connection endpoint addressing - the end point of a connection that goes over a public network must be identified by an endpoint identifier (such as a phone number).
    • Both ends of the demand dial connection must be configured for normal (bi-directional) traffic to flow; they both need R&R access to be running
    • Authentication of the calling router is based on credentials that correspond to a user account; authorization of the calling router is based on user permissions.
    • A router is distinguished from a user calling in by matching the user name to the interface being called: it is a router calling if the user name matches exactly the name of the demand dial interface on the answering router.
    • Static routes are to be configured for both connection ends; the check box 'Use this route to initiate demand dial connection' should be checked
[5.6] Configuring NAT
  • NAT - network address translation is a service that modifies packet header information before sending packets to their destination.
  • The main difference between NAT and ICS is in their configuration options. ICS is simple and pre-configured, while with NAT you can choose any IP range for the private addresses and you can disable both the DHCP and DNS proxy capabilities. You can configure multiple external interfaces with NAT, and NAT recognizes static addresses within your network. ICS doesn't check for the existence of static addresses in its scope, which can cause problems.
  • NAT needs some configuration to work; ICS is just a single checkbox. For NAT you need to configure the external interface and make sure you add a route to it. Both DHCP and DNS servers should be present.
  • The firewall in ICS is called Internet Connection Firewall, while in NAT it is called Basic Firewall
  • For both NAT and ICS the computer running the translation service becomes the default gateway for the client PCs
  • NAT properties include the 'Services and Ports' tab, which can be used to map an internal service to the external interface using the protocol and port number that the given service uses.
  • ICS is available on computers running Windows 98 and above, while for NAT Windows 2000 Server or higher is needed
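The header rewriting that NAT performs, and the 'Services and Ports' style static mapping, as an added example that is not code from the guide or from Windows. Outbound packets from private hosts leave with the public address and a translated source port, replies are mapped back through the table that outbound traffic created, and inbound traffic that matches neither a live translation nor a configured service mapping is dropped. Addresses, ports and the `Nat` class are constructed for this example.

```python
"""Port-overloading NAT table with a static service mapping. Added example;
the addresses and the Nat class are this example's own constructions."""


class Nat:
    def __init__(self, public_ip, service_map=None, first_port=49152):
        self.public_ip = public_ip
        # (proto, public port) -> (private ip, private port): 'Services and Ports'
        self.service_map = service_map or {}
        self.next_port = first_port
        self.out = {}     # (proto, private ip, private port) -> public port
        self.back = {}    # (proto, public port) -> (private ip, private port)

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network."""
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        if key not in self.out:                       # first packet of this flow
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(pkt["proto"], port)] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": self.out[key]}

    def inbound(self, pkt):
        """Map a packet arriving at the public address back to a private host,
        or return None (dropped) when nothing is expecting it."""
        key = (pkt["proto"], pkt["dport"])
        target = self.back.get(key) or self.service_map.get(key)
        if target is None:
            return None
        return {**pkt, "dst": target[0], "dport": target[1]}


if __name__ == "__main__":
    nat = Nat("203.0.113.5", service_map={("tcp", 80): ("192.168.0.20", 80)})
    out = nat.outbound({"proto": "tcp", "src": "192.168.0.10", "sport": 5000,
                        "dst": "198.51.100.7", "dport": 443})
    print("leaves as", out["src"], out["sport"])
    print("unsolicited port 22:", nat.inbound({"proto": "tcp", "src": "198.51.100.7",
                                               "sport": 4444, "dst": "203.0.113.5",
                                               "dport": 22}))
```

The `service_map` entry is the one deliberate hole in the otherwise one-way table, which is why each mapping on that tab deserves the same review as a firewall rule: it exposes the internal host on that port to every source address.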
[5.7] Packet filtering
  • Packet filter - a rule for an interface that restricts or allows traffic based on direction, protocol, source address and destination address. There are two types of filters, outbound and inbound. The administrator may also choose to add filters through a remote access policy.
  • A filter set can either pass all traffic except the packets the administrator specifies, or discard all traffic except the packets the filters allow to a specific PC (the Basic Firewall blocks all traffic that is configured as inappropriate)
  • You can create new packet filters through the Routing and Remote Access console, IP Routing node, either the General or the NAT/Basic Firewall node.
  • It is important to define the filter direction and action correctly
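An added example (not from the guide) of evaluating packet filters the way the section above describes them: one filter set per direction, each set in either "drop all except" or "pass all except" mode, and filters matching on protocol, source, destination and destination port. The tests at the end show why direction and action matter: a filter placed in the outbound set has no effect on inbound traffic, and the same filter list flips meaning when the action is changed. The filter classes and sample packets are constructed for this example.

```python
"""Evaluate RRAS-style packet filter sets. Added example; the Filter and
FilterSet classes and the sample rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Filter:
    protocol: str                 # "tcp", "udp", "icmp" or "any"
    source: str                   # CIDR; "0.0.0.0/0" means any source
    destination: str              # CIDR
    dst_port: Optional[int] = None


@dataclass
class FilterSet:
    direction: str                # "inbound" or "outbound"
    action: str                   # "drop_all_except" or "pass_all_except"
    filters: List[Filter] = field(default_factory=list)


def matches(f, pkt):
    return (f.protocol in ("any", pkt["protocol"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(f.source)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(f.destination)
            and (f.dst_port is None or f.dst_port == pkt.get("dst_port")))


def decide(filter_sets, pkt):
    """Pick the set for the packet's direction and apply its action."""
    fs = next((s for s in filter_sets if s.direction == pkt["direction"]), None)
    if fs is None:
        return "pass"             # no filters configured for this direction
    hit = any(matches(f, pkt) for f in fs.filters)
    if fs.action == "drop_all_except":
        return "pass" if hit else "drop"
    if fs.action == "pass_all_except":
        return "drop" if hit else "pass"
    raise ValueError(f"unknown action {fs.action!r}")


# Constructed policy: only web traffic may reach the internal host; outbound
# SMTP from the private network is blocked, everything else may leave.
WEB_HOST = "192.168.1.10/32"
POLICY = [
    FilterSet("inbound", "drop_all_except", [
        Filter("tcp", "0.0.0.0/0", WEB_HOST, 80),
        Filter("tcp", "0.0.0.0/0", WEB_HOST, 443),
    ]),
    FilterSet("outbound", "pass_all_except", [
        Filter("tcp", "192.168.1.0/24", "0.0.0.0/0", 25),
    ]),
]


def packet(direction, protocol, src, dst, dst_port=None):
    return {"direction": direction, "protocol": protocol, "src": src,
            "dst": dst, "dst_port": dst_port}
```

Running `decide` over a handful of packets before deploying a filter set is a cheap way to catch the two classic mistakes the guide warns about: the right filters in the wrong direction, and "pass all except" where "drop all except" was intended.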
[5.8] Configuring remote access authentication
  • Remote access is provided by either VPN or dial-up networking
  • Every computer that connects to the Remote Access server gets an IP assignment
  • The Remote Access server can use an existing DHCP server, in which case it leases block(s) of 10 IP addresses upon startup. If 10 addresses cannot be leased then the Remote Access server doesn't work properly. If a block of 10 addresses is not available, APIPA is used to assign IP addresses, and its use signals a problem with addressing, as APIPA addresses are not designed for remote access.
  • Alternatively the administrator can choose to use a static IP address range. In that case the Remote Access server is used for IP address assignment.
  • If the subnet you choose is different from the one the Remote Access server is on, you will need to configure routing on your router (as with any additional subnet)
  • Remote Access server client computers must be authenticated to access the network; you can use the Remote Authentication Dial-In User Service (RADIUS) or R&R access.
  • When a user places a call to the Remote Access server he supplies his user name and password for authentication. For authorization, if the R&R access server is a domain member a domain logon is performed; for stand alone R&R access servers this step is omitted.
  • The authentication method chosen is always the most secure method enabled in the Remote Access client properties, the remote server properties and the remote access policy applied to the connection in question.
  • If the user is changing his or her password during the authentication phase then the client and server must be using either MS-CHAP or MS-CHAP v2.
  • Remote access authentication protocols
    • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) still supports NTLM (but not by default). The same encryption key is used for all connections; both authentication and connection data are encrypted
    • MS-CHAP v2 - no NTLM and stronger encryption (like salting the passed encrypted password strings). The two MS-CHAP protocols are the only ones that can change passwords during the authentication process. A new key is used for each connection and direction. Not supported by Windows 95. Both authentication and connection data are encrypted.
    • CHAP - requires enabling storage of user passwords using reversible encryption; authentication data is protected through MD5 hashing. No encryption of connection data.
    • PAP (Password Authentication Protocol) - passwords are unencrypted, as is connection data
    • SPAP (Shiva Password Authentication Protocol) - less secure than CHAP or MS-CHAP; no encryption of connection data
    • EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) - certificate based authentication (EAP) used with smart cards; both authentication and connection data are encrypted; not supported on stand alone servers - only for domains. EAP-TLS is supported only by Windows Server 2003 and Windows XP/2000.
    • EAP-MD5 CHAP (Extensible Authentication Protocol - Message Digest 5 Challenge Handshake Authentication Protocol) - this is a version of CHAP that was ported to the EAP framework. Encrypts only authentication data, not connection data, the same as CHAP. EAP is supported only by Windows Server 2003 and Windows XP/2000.
    • Unauthenticated access - connections without credentials, good for testing
  • To modify security settings on the server, right-click the server icon in the Routing and Remote Access console and select Properties, Security tab
  • To modify security settings on the client, select the connection's properties and then the Security tab
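The difference between PAP and CHAP described above, as an added example that is not code from the guide: PAP sends the password itself, while CHAP (RFC 1994) sends MD5 over the identifier, the secret and a server-chosen challenge. Because the server has to recompute that same hash, it must hold the user's actual password, which is exactly the "reversible encryption" storage requirement the guide notes for CHAP. The user database, user name and password are constructed; MS-CHAP is a different protocol and is not modelled here.

```python
"""PAP versus CHAP (RFC 1994) exchanges. Added example; the USERS table and
the credentials in it are constructed."""
import hashlib
import hmac
import os

# CHAP verification needs the clear password on the server side; a one-way
# password hash would not let the server recompute the response.
USERS = {"alice": "S3cret!"}


def pap_client(user, password):
    return {"user": user, "password": password}        # password sent as-is


def pap_server(msg):
    return USERS.get(msg["user"]) == msg["password"]


def chap_response(identifier, secret, challenge):
    """RFC 1994: MD5 over Identifier || secret || Challenge value."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_challenge(identifier=None):
    """Server picks a fresh identifier and 16 random challenge bytes."""
    if identifier is None:
        identifier = os.urandom(1)[0]
    return identifier, os.urandom(16)


def chap_client(user, secret, identifier, challenge):
    return {"user": user, "id": identifier,
            "response": chap_response(identifier, secret, challenge)}


def chap_server(msg, identifier, challenge):
    """Recompute the expected response from the stored password and compare
    in constant time. A captured response is useless against a new challenge."""
    secret = USERS.get(msg["user"])
    if secret is None or msg["id"] != identifier:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, msg["response"])


if __name__ == "__main__":
    print("PAP message on the wire:", pap_client("alice", "S3cret!"))
    ident, chal = chap_challenge()
    reply = chap_client("alice", "S3cret!", ident, chal)
    print("CHAP response on the wire:", reply["response"].hex())
    print("server accepts:", chap_server(reply, ident, chal))
```

Neither protocol encrypts the connection data that follows, which is the other point the guide's list makes; CHAP only keeps the password itself off the wire.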
[5.9] Authorizing remote access
  • After a remote connection has been authenticated, i.e. the user's credentials have been verified, the user has to be granted access to resources, a process known as authorization.
  • User dial-in properties for both dial-in and VPN connections are accessed from the user properties dialog box, Dial-in tab
  • From the Dial-in tab the administrator can set the following options:
    • Remote access permission can be set to allow, deny or control through Remote Access Policy.
      • The Remote Access Policy option is available when the domain functional level is set to Windows 2000 native or higher. The allow access and deny access options override the permission set in the remote access policy. However, when allow is set the remote access profile is still read and applied; thus, for example, logon hour restrictions set in the remote access policy will apply if allow access is set and logon hour restrictions are supplied.
      • The remote access policy option is not available in AD Windows 2000 mixed mode. In this mode the allow access action corresponds to control through access policy. By default, the allow permission is set.
    • The caller ID can be verified if the phone system supports it.
    • Callback options can be set to no callback (default), always callback to a specified number, and set by user. Callback requires Link Control Protocol (LCP) extensions to be enabled, which is the default setting. During the initial call to the server only authentication information is passed.
    • You can also assign the user a static IP address and define static routes
  • Remote Access Policy is the preferred way to control authorization of users. It is a set of permissions and restrictions that is processed by the remote access authenticating server and applies only to remote access connections. It is a separate entity from Group Policy and lives on the Routing and Remote Access server.
  • By default there are two remote access policies, which can be read by either RADIUS or Routing and Remote Access servers and are written to the local hard drive
    • The Connections to Microsoft Routing and Remote Access Server policy matches every connection except those from a non-Microsoft network access server type
    • The Connections to Other Access Servers policy matches every connection. Due to ordering, the first policy is evaluated first.
  • You can restrict a policy to members of a group. Only global security groups can serve as a remote policy condition; local or universal groups will not do.
  • Each policy has an associated policy profile which the administrator can edit. It has Dial-in Constraints, IP, Multilink, Authentication, Encryption and Advanced tabs
  • On the Dial-in Constraints tab you can restrict the amount of time a connection can last, the specific phone number called, the media type and the time of day
  • On the IP tab you can set who supplies the IP address, client or server, static address assignment and packet filters
  • The Multilink tab allows the administrator to link multiple modems together; the Bandwidth Allocation Protocol (BAP) can be used to control when extra lines are connected and when they are dropped
  • On the Authentication tab you can specify protocols such as CHAP; by default MS-CHAP and MS-CHAP v2 are enabled
  • On the Encryption tab the security administrator can choose RSA or DES encryption. There are four different settings:
    • No encryption - no security
    • Basic Encryption (MPPE 40bit) - used for dial-up and PPTP VPN connections, 56bit for L2TP/IPSec
    • Strong Encryption (MPPE 56bit) - used for dial-up and PPTP VPN connections; for L2TP/IPSec VPN 56bit DES is used
    • Strongest Encryption (MPPE 128bit) - used for dial-up and PPTP VPN connections; for L2TP/IPSec VPN 168bit 3DES is used
  • On the Advanced tab one sets settings only readable by a RADIUS server (not readable by R&R access)
  • To enable remote users to connect to resources outside the Remote Access server you need to configure RAS as a router. Make sure the routing option is selected in server properties, and check that IP routing is selected on the IP tab of server properties. If you want to use NetBIOS name resolution without WINS, enable it on the IP tab as well.
  • When there are no remote access policies (all have been deleted) and the user is set to use remote access policy, user access is denied.
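The authorization rules of this section, as an added example that is not from the guide: the per-user dial-in permission is checked first (deny wins outright; allow wins over the policy's permission but the profile of the first matching policy, here its permitted hours, still applies), and "control through policy" walks the ordered policy list, taking the first match. No policies at all means denial, as the last point above states; a policy list where nothing matches is also treated as denial here, which is this example's assumption. The policy and user classes, group names and hours are constructed.

```python
"""Remote access authorization: dial-in permission, ordered policies and the
profile of the first matching policy. Added example; data is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    name: str
    groups: List[str] = field(default_factory=list)         # global security groups
    nas_port_types: List[str] = field(default_factory=list)  # e.g. "Virtual (VPN)"
    grant: bool = True                                       # policy permission
    allowed_hours: Optional[range] = None                    # profile: hours of day


@dataclass
class User:
    name: str
    groups: List[str]
    dialin: str          # "allow", "deny" or "policy" (control through policy)


def policy_matches(policy, user, nas_port_type):
    """Empty condition lists match everything (like the default policies)."""
    group_ok = not policy.groups or any(g in user.groups for g in policy.groups)
    port_ok = not policy.nas_port_types or nas_port_type in policy.nas_port_types
    return group_ok and port_ok


def authorize(user, policies, nas_port_type, hour):
    """Return (granted, reason) for a connection attempt at the given hour."""
    if user.dialin == "deny":
        return False, "dial-in permission is deny"
    matched = next((p for p in policies if policy_matches(p, user, nas_port_type)), None)
    if user.dialin == "allow":
        # Allow overrides the policy's permission, but its profile still applies.
        if matched and matched.allowed_hours is not None and hour not in matched.allowed_hours:
            return False, f"allow, but outside hours in profile of '{matched.name}'"
        return True, "dial-in permission is allow"
    if not policies:
        return False, "no remote access policies exist"
    if matched is None:
        return False, "no policy matched (assumed to deny)"
    if not matched.grant:
        return False, f"policy '{matched.name}' denies access"
    if matched.allowed_hours is not None and hour not in matched.allowed_hours:
        return False, f"outside hours in profile of '{matched.name}'"
    return True, f"policy '{matched.name}' grants access"


# Constructed policy list, first match wins: VPN users during office hours,
# then a catch-all deny.
POLICIES = [
    Policy("VPN telecommuters", groups=["Telecommuters"],
           nas_port_types=["Virtual (VPN)"], grant=True, allowed_hours=range(8, 18)),
    Policy("Deny everything else", grant=False),
]
```

Ordering is the thing to test: if the catch-all deny policy were listed first it would match every connection and the VPN policy would never be evaluated, which is the same ordering rule the guide gives for the two default policies.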
[5.10] Configuring VPN
  • VPN - virtual private network is a logical network that works on the physical layer that spans the internet
  • VPN are used to securely connect users to a remote network or two remote network segments together
  • There are two distinct VPN deployment environments:
    • Basic remote access VPN: a client PC connects to the VPN server. On the server, a remote access policy grants access to a global telecommuters security group (which must be created first) and has a NAS-Port-Type condition of Virtual (VPN). On the client side, the end user uses the New Connection Wizard.
    • Extranet, also known as router to router VPN: two networks are connected over a VPN through servers that run Routing and Remote Access. Authorization is based on demand-dial interfaces, not on individual user credentials. Each demand-dial interface is configured with a user name, password and domain; the user name has to be identical to the demand-dial interface name on the other VPN server. Access is configured through a remote access policy as above. For a useful extranet connection, routing has to be established to direct traffic between the remote network segments.
  • When a user attempts a connection through a VPN, as network administrator make sure the following conditions are met:
    • Make sure you have enough ports for the appropriate VPN type
    • Make sure there are no conflicts between remote access policy and remote access server
    • Verify that the client has the appropriate permissions and has the same protocol enabled as the server; the remote access server or RADIUS server has to be a member of the RAS and IAS Servers security group
    • The encryption strength has to be set the same across the board (remote access policy and remote access server)
    • If MS-Chap is used user password has to be 14 characters or less
  • For router to router VPN connections the network administrator must make sure the following conditions are met in addition to the above:
    • The routers have to be set as such on each connection end
    • Make sure IP Routing is enabled and static routes are created
  • By default 128 ports are created of each type if VPN server role is specified, each port enables a single connection. If server role of VPN is not specified, by default there are 5 ports of each type created (PPTP and L2TP). Windows Server 2003 supports 1000 VPN connections of each type, thus this is the maximum number of ports you can specify
  • For routing, RIP can be implemented with an announcement interval longer than the default 30s; for dial-up connections, autostatic routes are a better choice.
[5.11] PPTP and L2TP/IPSec
  • PPTP connections are easier to setup and configure but they are considered to be less secure than L2TP connections, there is a price one pays for more security
  • PPTP connections do not provide any proof that the data was not modified during transfer
  • The only way to distinguish VPN connection is through the NAS-port type of "Virtual (VPN)", you cannot distinguish between PPTP and L2TP
  • PPTP VPNs are good when remote users cannot use certificates for connection establishment
  • In L2TP/IPSec connections the L2TP protocol provides the VPN tunnel while Encapsulating Security Payload (ESP), a feature of IPSec, provides data encryption.
  • L2TP connections need to authenticate both the user and the computer the user is using. Computer authentication is done first, using certificates whose purpose is client authentication or IPSec.
  • When both the server and the client are Windows Server 2003 computers they don't have to use certificates; authentication can be done using a preshared key. This is less secure than certificates because the key is passed over the network in plain text, and it is good for testing only.
  • If EAP-TLS user authentication method is used certificates must be preinstalled on all clients and servers (if RADIUS is used)
  • Administrator can disable L2TP/IPSec connections by setting the number of ports to 0, this cannot be done with PPTP connections
  • PPTP uses MPPE for encryption, link between two network segments is treated as a PPP connection. PPP frame is encrypted and wrapped with Generic Routing Encapsulation (GRE) header.
  • L2TP encryption is provided by the Encapsulating Security Payload (ESP) protocol (which is a feature of IPSec).
[5.12] Configuring IAS, Microsoft RADIUS
  • Internet authentication service (IAS) is Microsoft's implementation of RADIUS
  • RADIUS is used to centralize remote access authentication, authorization and logging. A RADIUS server uses the RADIUS protocol for communication. The RADIUS protocol is an open standard, so there is no need to use the Microsoft RADIUS solution.
  • A RADIUS server group is a group of RADIUS servers across which network access requests are balanced by a RADIUS proxy
  • A RADIUS proxy can also be used to route requests to the appropriate RADIUS server based on the realm name attribute of the connection
  • The administrator needs to configure the Routing and Remote Access server as a client of the RADIUS server. This is done from the Security tab of the server properties dialog box in the Routing and Remote Access console.
  • To configure a RADIUS client, open the server properties from the Routing and Remote Access console and select the Security tab. On that screen the administrator can select RADIUS as the Authentication and/or Accounting provider
  • When the administrator has selected the role(s) the RADIUS server is to take, he needs to configure it (by clicking the Configure button); the following options are available on the popup screen:
    • Secret - plain text password
    • Time-out - how long to wait for RADIUS server
    • Initial Score - ordering for query priority of different RADIUS servers
    • Port - default port is UDP 1812 for authentication and UDP 1813 for accounting
    • Always Use Message Authenticator - a keyed MD5 hash (HMAC-MD5) of the RADIUS message, with the shared Secret as the key; if this option is enabled, messages without it are discarded
  • This is the interaction that exists between RADIUS and other servers and/or clients:
    • When VPN, wireless, dial-up clients (all remote) connect to one of multiple network access servers (R&R access servers) they need to be authorized and authenticated.
    • The network access server is configured to use RADIUS for that purpose; it connects to the RADIUS server using the RADIUS protocol
    • If the network is large and there are multiple RADIUS servers, the network access server first connects to the RADIUS proxy server, which forwards the request to the correct RADIUS server based on the realm name
    • RADIUS proxy is used for load balancing as well as environments where there are multiple realms with distinct security settings
  • To configure a RADIUS server on a PC, the network administrator needs to do three things:
    • Install IAS networking component
    • Register IAS server in the AD
    • From RADIUS console add new RADIUS clients
  • Administrator needs to register IAS server in the AD, IAS server needs to be member of RAS and IAS security groups
  • Administrator can migrate, restore and backup RADIUS server from command line using netsh and subcommand 'aaaa'
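The Message-Authenticator check described under the Always Use Message Authenticator option, worked through as an added example (not code from the original guide): an Access-Request for a VPN user is built with a keyed MD5 (HMAC-MD5) attribute and then verified, showing that a modified packet, a wrong shared secret, or a request lacking the attribute is rejected. The shared secret, user name and request authenticator are constructed placeholders; the attribute layout follows RFC 2869 (type 80, computed with its own value zeroed).

```python
"""Check the RADIUS Message-Authenticator attribute on an Access-Request.

Added example, not part of the original guide.  The packet, user name and
shared secret below are constructed placeholders; the HMAC-MD5 rule itself
follows RFC 2869 (attribute type 80, computed with its own value zeroed).
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_VIRTUAL = 5   # the "Virtual (VPN)" NAS-Port-Type used in remote access policies


def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs: type, total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def iter_attrs(packet):
    """Yield (type, value offset, value length) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, pos + 2, alen - 2
        pos += alen


def build_access_request(secret, identifier, request_authenticator, attrs):
    """Build an Access-Request whose last attribute is a valid Message-Authenticator."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    header += request_authenticator
    # HMAC-MD5 over the whole packet while the attribute value is still zeroed
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(secret, packet):
    """True only if the packet carries a Message-Authenticator that matches the secret.

    A packet without the attribute returns False, which is what the
    'Always Use Message Authenticator' option does on the server side.
    """
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    mac_at = None
    for atype, off, vlen in iter_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and vlen == 16:
            mac_at = off
            break
    if mac_at is None:
        return False
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[mac_at:mac_at + 16])


def demo():
    """Build a request for a VPN user and check that modification or a wrong secret is detected."""
    secret = b"placeholder-shared-secret"       # placeholder only
    request_authenticator = bytes(range(16))    # constructed; a real NAS uses 16 random bytes
    attrs = [(ATTR_USER_NAME, b"telecommuter1"),
             (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))]
    pkt = build_access_request(secret, 7, request_authenticator, attrs)
    genuine = verify_message_authenticator(secret, pkt)
    # the same packet with the user name altered on the wire
    altered = pkt.replace(b"telecommuter1", b"telecommuter9")
    tampered = verify_message_authenticator(secret, altered)
    wrong_secret = verify_message_authenticator(b"some-other-secret", pkt)
    # a request that omits the attribute entirely is rejected as well
    bare = struct.pack("!BBH", ACCESS_REQUEST, 8, 20 + 15) + request_authenticator
    bare += encode_attrs(attrs[:1])
    missing = verify_message_authenticator(secret, bare)
    return genuine, tampered, wrong_secret, missing


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```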
[5.13] Other points
  • AppleTalk routing is supported on Windows server 2003
  • IPX routing was supported on Windows server 2000 but is no longer supported on Windows server 2003
  • To list all running system services use tasklist /svc. A user account needs to be granted the 'Log on as a service' user right for services to run in that account's context.
  • To configure Remote Access Account Lockout, the system administrator needs to configure the following registry settings:
    • To turn remote access lockout on, set MaxDenials under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout to 1 or greater
    • To reset a locked account, delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domain name:user name
  • To set up a RAS client, use the New Connection Wizard from the Control Panel

Part 6: Managing network infrastructure and security

[6.1] Network Security protocols
  • Authentication: Kerberos and NTLM (for backward compatibility only)
  • Authorization: Kerberos and NTLM
  • Confidentiality: Encryption parts of Kerberos, IPSec and NTLM
  • Integrity: Parts of Kerberos, IPSec and NTLM
  • Non-repudiation: Kerberos and IPSec (who sent and received the message)
[6.2] Using security templates
  • Security Templates snap-in is by default linked to %systemroot%\security\templates folder. More templates are stored in %systemroot%\Inf folder, you can copy them to the security folder to view them with this snap-in.
  • Administrator should create a master template for all PCs and server role based templates. It is a good practice to create rollback templates before applying new templates.
  • These are default templates available with Windows Server 2003:
    • Setup security.inf - default settings applied to current machine on installation
    • Compatws.inf - used for backwards compatibility, so applications not certified for Windows XP can work (not for DC)
    • Secure*.inf - implements recommended security in all areas except files, folders and registry keys
    • Hisec*.inf - high security network communication, Windows XP can communicate only with other XP or 2000 computers (not Windows 95/98/Me due to DC - client communication problem)
    • Rootsec.inf - new root permissions introduced in XP are going to be applied
    • Notssid.inf - removes default permissions granted to terminal server SID
    • DC security - default security settings for DC
    • Iesacls - registry permissions and keys relevant to IE are applied, everyone group gets full control
    • Securedc - limits account policies and applies LAN manager restrictions
    • Defltsv - default server templates used during installation
    • Defltdc - default DC template used during dcpromo execution
  • For a security template to take effect you need to apply it using the Security Configuration and Analysis snap-in.
  • The administrator can compare two templates, and compare the current security settings of a computer to a baseline template, using the Security Configuration and Analysis snap-in
  • When applying templates the administrator must choose whether to 'clear the database'. If he does so, only the settings in the template he is currently applying will be applied. If he doesn't clear the database, one of three things can happen:
    • If setting is defined in the new template but not the old one, new setting is applied
    • If setting is defined in the old template but not the new one, setting stays as is
    • If setting is both in new and old templates, new setting takes precedence over old one
  • Secedit is a command line tool used to apply security templates, it is a command line version of Security configuration and analysis snap-in
  • It is good practice never to modify the default templates; instead, copy them to a separate location and modify the copies
  • Administrator can modify a security template by editing Inf files directly
  • The IP Security and Public Key policies cannot be modified using a security template
[6.3] IPSec protocol
  • IPSec is natively supported on Windows 2000/2003/XP, a legacy client is available for Windows NT4/Me/98
  • IPSec can be used to encrypt traffic, allow traffic to leave or enter PC and block traffic from entering or leaving PC
  • The IPSec protocol can be monitored, if the IPSec service is started, using the IP Security Monitor snap-in (in Windows 2000 the command line utility ipsecmon.exe); it has two modes of operation, quick and main
  • IPSec policies are a set of filters that describe some network protocol action. Filters are organized into filter lists, which are part of rules. Each rule defines a filter action, which can be one of: Block, Allow or Negotiate security. An IPSec policy can have many rules, but each rule can have only one filter action.
  • IKE is the protocol used to open the first secure channel; the master key is derived separately on each PC and never transported over the network
  • Negotiation is the process of determining which IPSec mini-protocol will be used and what specifics are to be used, such as the key strength
  • Offloading of IPSec encryption to NIC is supported for improved server performance
  • Netsh is a command line tool that is used to modify and display local and remote network configuration. This is a tool that administrators can use for scripting. Its subcommand is ipsec, two modes are possible, dynamic and static. To show all IPSec settings use netsh ipsec static show all
  • IP security monitor is used to monitor IPSec traffic, you can see traffic statistics according to many different counters
  • Netcap.exe is a command line utility used to capture network traffic to a file. The administrator can run it on Windows XP, and Network Monitor does not need to be installed for it to work.
  • Routers will pass IPSec traffic through, but firewalls and packet filters need to be configured to allow IPSec to pass through them
[6.4] Kerberos protocol
  • The Kerberos protocol is used for authentication. Kerberos is superior to the older NTLM protocol and is the preferred protocol in Windows 2000/XP/2003. It is described in RFC 1510.
  • The time difference between server and client is called time skew; by default, if the time difference is more than 5 min the authentication will fail (at this point NTLM authentication might be attempted). Client and DC computers synchronize their clocks only if the difference between them is less than 30 minutes.
  • Port 88 UDP is used for Kerberos traffic, ticket granting ticket (TGT) is requested by client from the DC
  • Kerberos service or user ticket is granted in order for the user to use a specific service. Tickets are cached and can be reused and renewed. If a ticket cannot be renewed, new ticket can be issued.
  • TGT is stored in Kerberos ticket cache which can be analysed and viewed using kerbtray.exe found in the support tools
  • To see a list of tickets that are in the cache you can use klist.exe found in the support tools
  • Administrator can use netdiag utility to run network tests one of which is a kerberos test
  • When kerberos is used for logon and administrator wants to see it logged in the event log, auditing must be enabled for logon event and account logon event.
  • The network administrator is unable to turn NTLM authentication off. For example, NTLM is still used when drives are mapped by IP address instead of by computer name.
  • Ksetup - command line tool used to configure Kerberos; used to set up a realm entry, set up the computer's password in the Kerberos realm and set up local account to Kerberos account mappings
  • Ktpass - command line tool used to configure a non-Windows Server 2003 Kerberos service as a security principal in AD
[6.5] Network performance monitoring
  • The easiest tool to use is task manager's networking tab
  • If one cannot detect problems using Task Manager, there is always Performance Monitor with its networking related performance objects. Objects include Network Interface, TCPv4, NBT Connection, RAS Port and RAS Total.
  • Alerts are created when specific counter(s) go above or below a specific value. When an alert is triggered you can do one of the following:
    • You can log alerts in application log
    • Can send a network message
    • Start performance data log
    • Run a program
  • Performance logs and alerts are used to perform long term analysis:
    • Using the default Windows XP Pro data provider or another application provider, trace logs record detailed system application events when certain activities, such as a disk I/O operation, occur. When the event occurs, your OS logs the system data to a file. A parsing tool such as Tracerpt is required to interpret the trace log output
    • When counter logs are in use, the service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event.
  • Remember that trace logs are event driven and Counter logs are update interval driven
  • Netstat - this is a command line tool used to monitor network connections
[6.6] Performance indicators
  • Memory: page faults/sec - data not found in CPU cache creates a fault; most processors can handle large amounts of soft page faults, compare with Memory: pages/sec
  • Available memory in bytes - need more if less than 10% available (could be an application memory leak)
  • Memory: pages/sec - hard drive access to page file, a rate of 20 or more indicates a need for more RAM
  • Page file percent close to 100, need more space on file or more RAM
  • Physical disk: percentage disk time above 70% - is too high, if paging file usage is excessive as well it indicates more RAM is needed otherwise a disk is the bottleneck
  • Physical disk average queue length above 2 - check paging file and physical memory
  • Physical disk current queue length - a value above 2 indicates a problem
  • CPU close to 100% - need more CPU power if situation continues for excessive amounts of time
  • Number of open files indicates how busy the server is, compare to baseline
  • Server: bytes total/sec - indicates network throughput
  • Baselining is the process of determining average/normal system performance. Should be done over a period of 3 to 4 weeks using counter logs.
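The indicators above applied to a counter log, as an added example (not from the original guide): a constructed Performance Logs CSV is parsed, a baseline is taken from the first samples, and each later sample is checked against the guide's thresholds, including the rule that high disk time together with heavy paging points at RAM rather than at the disk. The baseline window of four samples and the "twice the baseline" deviation rule are assumptions for the demo.

```python
"""Evaluate a Performance Logs counter log against this guide's indicators.

Added example, not part of the original guide.  The log below is a constructed
sample in the PDH-CSV layout written by Performance Logs and Alerts; the
baseline window and the 'twice baseline' deviation rule are assumptions.
"""
import csv
import io
import statistics

# constructed sample; header row carries the counter paths, one sample per line
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\SRV1\Memory\Pages/sec","\\SRV1\PhysicalDisk(_Total)\% Disk Time","\\SRV1\PhysicalDisk(_Total)\Current Disk Queue Length","\\SRV1\Processor(_Total)\% Processor Time"
"06/17/2004 09:00:00.000","3.1","22.0","0","11.5"
"06/17/2004 09:05:00.000","2.8","19.5","1","14.2"
"06/17/2004 09:10:00.000","4.0","25.1","0","9.8"
"06/17/2004 09:15:00.000","3.5","20.7","1","13.0"
"06/17/2004 09:20:00.000","26.4","81.3","3","35.0"
"06/17/2004 09:25:00.000","5.0","78.9","4","97.5"
'''

# counter path suffix -> short name used in the checks below
COUNTERS = {
    "pages_sec": r"\Memory\Pages/sec",
    "disk_time": r"\% Disk Time",
    "disk_queue": r"\Current Disk Queue Length",
    "cpu": r"\% Processor Time",
}


def parse_counter_log(text):
    """Return one dict per sample: {'time': ..., 'pages_sec': float, ...}."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    header, data = rows[0], rows[1:]
    columns = {}
    for name, suffix in COUNTERS.items():
        matches = [i for i, h in enumerate(header) if h.endswith(suffix)]
        if not matches:
            raise ValueError("counter %s not present in log" % suffix)
        columns[name] = matches[0]
    samples = []
    for row in data:
        sample = {"time": row[0]}
        for name, index in columns.items():
            sample[name] = float(row[index])
        samples.append(sample)
    return samples


def evaluate(samples, baseline_n=4):
    """Flag each post-baseline sample that crosses the guide's thresholds.

    The baseline is the mean of the first baseline_n samples (the guide
    recommends 3 to 4 weeks of counter logs; four samples is only for the demo).
    """
    baseline = {n: statistics.mean(s[n] for s in samples[:baseline_n]) for n in COUNTERS}
    findings = {}
    for s in samples[baseline_n:]:
        notes = []
        if s["disk_time"] > 70:
            # disk time above 70% plus heavy paging means more RAM; otherwise the disk itself
            notes.append("more RAM needed" if s["pages_sec"] >= 20 else "disk is the bottleneck")
        elif s["pages_sec"] >= 20:
            notes.append("more RAM needed")
        if s["disk_queue"] > 2:
            notes.append("check paging file and physical memory")
        if s["cpu"] >= 90:
            notes.append("CPU near 100%")
        for n in COUNTERS:
            if baseline[n] > 0 and s[n] > 2 * baseline[n]:
                notes.append("%s at %.1fx baseline" % (n, s[n] / baseline[n]))
        if notes:
            findings[s["time"]] = notes
    return findings


def analyse(text=SAMPLE_LOG, baseline_n=4):
    """Parse and evaluate a log in one step; returns {sample time: [notes]}."""
    return evaluate(parse_counter_log(text), baseline_n)


if __name__ == "__main__":
    for when, notes in analyse().items():
        print(when, "; ".join(notes))
```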
[6.7] SUS - software update service
  • SUS - software update service, can distribute updates (need to be approved by the admin before distribution occurs) to clients.
  • Minimum requirements for the clients to connect to SUS are Windows XP SP1, or Win2k SP3 or later.
  • SUS server is really just a webpage with ActiveX functionality that piggybacks on top of IIS.
  • In order for SUS to work you need to point client computers to SUS server using GPO
  • You need to install SUS10SP1.exe on the server
  • Server computer must be running at least version 5 of IIS
  • SUS virtual administrative directory http://yourservername/SUSadmin
  • SUS needs NTFS with at least 100Mb to install package and 6Gb for storing updates, SUS runs from the 'default website' and stores all data there
  • SUS notification is shown for Administrators only
  • If you have P III 700, 512Mb RAM SUS server can handle up to 15000 clients
  • SUS server is not set to synchronize with Windows update site by default, administrator must do that or manually synchronize
[6.8] Other points
  • Runas is also known as secondary logon, you need to have Secondary Logon service running to use it. This command line utility is used to run programs within different user's security context. For example, network administrator is logged on as a regular user and needs to run system utility that requires administrative privileges. Instead of logging out and back in as an administrator, the user could use runas command which uses the following syntax: runas /user:ComputerName\UserName "program name"
  • Microsoft Operations Manager (MOM) can be used to archive security logs
  • Services dependency can be shown using GUI program called dependency walker, depends.exe
  • Things that should be audited: Audit both success and failure events in the systems event category. Audit success events in the Policy Change event category for all DC, audit success events in the Account Management event category, audit success events in the Logon event category and audit success events in the account logon event category on DC.

#929 From: Testking_Mcse@yahoogroups.com
Date: Sun Nov 29, 2009 9:05 am
Subject: File - Microsoft exam 70-270 preparation guide.html

Microsoft exam 70-270 preparation guide

Contents:

Part 1: Getting started with Windows XP Pro
Part 2: Automating installation
Part 3: Upgrading to Windows XP
Part 4: Configuring Windows XP Pro environment
Part 5: Managing the Desktop
Part 6: Managing users and groups
Part 7: Managing security
Part 8: Managing disks
Part 9: Accessing files and folders
Part 10: Managing network connections
Part 11: Managing printing
Part 12: Dial-up networking and Internet
Part 13: Optimizing Windows XP Pro
Part 14: Performing system recovery

Preface

I have written this short preparation guide as a way for myself to ease studying for the Microsoft 70-270 exam titled: "Installing, configuring and administrating Microsoft Windows XP Professional". I provide this guide as is, without any guarantees, explicit or implied, as to its contents. You may use the information contained herein in your computer career, however I take no responsibility for any damages you may incur as a result of following this guide. You may use this document freely and share it with anybody as long as you provide the whole document in one piece and do not charge any money for it. If you find any mistakes, please feel free to inform me about them Tom Kitta. Legal stuff aside, let us start.

Guide version 0.12 last updated on 24/05/2004

Part 1: Getting started with Windows XP Pro

[1.1] Windows XP Professional hardware requirements
  • Processor minimum P233, recommended PII 300
  • RAM minimum 64Mb, recommended 128Mb
  • Disk Space minimum 1.5Gb, recommended 2Gb
  • Network needed if installing using it
  • Display minimum SVGA 800x600 or better
  • Peripheral devices: keyboard and mouse (or other pointing device)
  • CD-ROM or DVD-ROM if installing from CD, recommended 12x or faster
  • Floppy drive if you intend to use ASR (Automated System Recovery)
  • Windows XP Professional supports up to 2 CPUs, while Windows XP Home edition supports only 1 CPU; there are no other hardware requirement differences between the Windows editions
[1.2] Windows XP Professional install steps
  • Collecting information
    • Insert Windows XP CD and reboot the PC
    • Setup program starts when you boot from the CD. Press F6 for third party disk driver, F2 for automatic recovery
    • A welcome dialog box appears, press enter to install XP, R for repair of XP installation, F3 to quit
    • Licensing agreement, F8 to accept, ESC to refuse
    • Partitions screen appears
    • Copying of setup files
    • Remove CD and reboot PC
  • Installing Windows
    • Regional settings, choose locale (numbers, currencies, dates and times view options) and keyboard layouts
    • User name and organization screen
    • Product key screen, 25 character key
    • Computer name
      • up to 15 bytes for NetBIOS compatibility
      • 1 byte is 1 character in most languages (2 in say Chinese)
      • FQDN has a limit of 155 bytes for DC in Windows 2000/2003 (255 bytes in NT 4.0)
      • Computer name has a limit of 63 bytes
      • Computer name has to be unique on the network
    • Administrative password
    • If you have a plug and play modem, you set it up now
    • Date and time
    • Network settings
    • Work group name or domain affiliation
    • Automated finishing tasks
[1.3] Install options
  • For clean install/upgrade on computers running win 3.x or DOS (16 bit systems) use winnt.exe
  • For install/upgrade on computers running 32 bit OS use winnt32.exe
[1.4] After installation
  • The default network setup is for the Windows XP to be a DHCP client
  • You need to activate your product within 30 days unless you have corporate licence
  • After 30 days you will not be able to logon to your PC without activation if you log out or restart your PC (you will still be able to access your PC in safe mode without network support)
  • Activation can be done over the phone or online
  • There are three log files created after installation
    • %systemdir%\setupact.log - installation actions log
    • %systemdir%\setuperr.log - errors that occurred during installation
    • %systemdir%\netsetup.log - network related log (like domain joining)
[1.5] Support for multiboot
  • Windows XP will configure multiboot automatically if it detects a compatible OS (i.e. a Microsoft OS) and you are using the clean install option
  • Do not use dynamic disks or NTFS if the other OS doesn't support it
  • Windows XP will not be able to read volumes compressed with Windows NT4 compression
[1.6] Joining a domain
  • You can pre-authorize a computer in the AD
  • Or, you can enter user name and password of the domain user that has 'Add computers to the domain' permission to add computer to the AD
[1.7] Laptop special Windows XP features
  • Credential manager
  • Clear type
  • Hot docking
[1.8] Other points
  • Hardware compatibility list (HCL) http://www.microsoft.com/hcl/ now Windows catalog http://www.microsoft.com/windows/catalog/
  • If hardware is not found in the Windows catalog you will not get any support from Microsoft
  • BIOS is preferred with ACPI (Advanced Configuration and Power Interface) functionality, APM (Advanced Power Management) is the API for ACPI hardware
  • If you are upgrading from Windows 98/Me, check whether there are drivers for your hardware, since 98/Me drivers are VxDs (virtual device drivers) and don't work on Windows XP
  • You can upgrade from Windows 98/Me/NT4/NT3.51/2000 Pro (due to a bug, Windows 95 will qualify as upgrade media, but only for a clean install)
  • The system partition is the location of the files that are needed for Windows XP to boot; it needs very little space, and by default it is the active partition
  • Boot partition is the location of Windows XP OS (all files)
  • Note that Microsoft changed the default directory for installation from WINNT to WINDOWS
  • Installation files are in \I386 directory on the CD
  • WFP - Windows file protection is used to protect Windows system DLL files from modification, files are stored in %SystemRoot%\System32\Dllcache
  • Sfc.exe - scans and verifies the versions of all protected system files when the computer is booting
  • Dynamic update runs during installation of Windows XP. You can disable it with /dudisable switch of winnt32, /duprepare:pathname to prepare network share for dynamic update files, /dushare:pathname to specify network share with dynamic update files.

Part 2: Automating installation

[2.1] Types of automated installation
  • Remote Installation Service (RIS) introduced in Windows 2000 - for use with multiple PCs for automatic deploy
  • Disk imaging (cloning) which uses reference PC - for use with PCs that have similar hardware
  • Unattended installation - use when you have lots of PCs with network cards that are not PXE-compliant
[2.2] Create answer files with Setup manager
  • Answer files are automated installation scripts used to answer the questions that appear during a normal Windows XP Professional installation
  • Answer files are used with all methods of unattended installations. To create answer files you use Setup manager (setupmgr)
  • To use setup manager you need to extract it from \support\tools\deploy.cab found on installation CD
  • There is a sample answer file on the installation CD, unattend.txt
  • Through answer file you can configure
    • Mass storage devices
    • Plug and Play devices
    • HALs
    • Set passwords
    • Configure language, regional, and time zone settings
    • Display settings
    • Converting to NTFS
    • Installing applications, choosing from the following options
      • Use cmdlines.txt to add applications during GUI portion of the setup
      • Within answer file configure [GuiRunOnce] section to install an application the first time a user logs on
      • Create a batch file
      • Use the Windows installer
      • Use sysdiff tool to install applications that don't have automated install procedures
[2.3] Using RIS (Remote Installation Service)
  • You can configure RIS server to distribute 2 types of images:
    • CD based image
      • Contains only Windows XP OS
      • Copies all files to the target PC before commencing installation of the Windows XP OS
      • Created automatically during installation of RIS
    • A Remote Installation Preparation (RIPrep) image
      • Can contain both Windows XP OS and applications
      • This image is based on a pre-configured computer
      • Copies only files needed for installation on given PC, thus faster than CD based image which copies everything
      • Can be deployed to the clients that have the same HAL and HD controller
      • Must be created manually, not automatic like CD based image
  • For RIS you need DHCP, DNS and AD configured on your network
  • RIS server uses Boot information negotiation layer (BINL) for initial contact, then TFTP is used to transfer bootstrap image
  • RIS and DHCP server need to be authorized in AD, RIS server is authorized through DHCP manager
  • The following services are run as part of RIS: BINL, SIS, SIS Groveler, TFTP
  • To configure RIS server use risetup.exe
  • NTFS is required to store image files, with at least 2Gb free space on a partition separate from the OS partition
  • RIS template files are used to specify installation parameters, default file is ristndrd.sif
  • You need following user rights to install images using RIS
    • Create Computer accounts
    • Logon as batch job (Administrator doesn't have this right by default)
  • For non-PXE network cards use rbfg.exe utility to create RIS boot disk (this utility doesn't support all network cards)
[2.4] Using disk images
  • Uses a reference computer HD image that needs to be prepared first with sysprep, which needs to be extracted from deploy.cab found on the installation CD
  • Source and target computer must satisfy
    • Both computers must have the same HD controller
    • Both computers must have the same HAL
    • Plug and Play devices may not be the same as long as there are drivers for all of them
  • You will need to extract sysprep utility from the deploy.cab
  • Sysprep strips user personal data from the installation image
  • After you copy the installation image to the destination PC a mini wizard runs (unless you have an answer file)
  • Sysprep modes:
    • Audit: allows for the verification of hardware and software installation by a system builder while running in factory floor mode. Audit boots allow a system builder to reboot after factory floor mode has completed its automated pre-install customization, in order to complete hardware and software installation and verification, if necessary.
    • Factory: allows for the automated customization of a pre-install on the factory floor by using a Bill of Materials file to automate software installations, software, and driver updates, updates to the file system, the registry, and INI files such as Sysprep.inf. This mode is invoked via the "sysprep -factory" command.
    • Reseal: is run after an original equipment manufacturer (OEM) has run Sysprep in factory mode and is ready to prepare the computer for delivery to a customer. This mode is invoked via the "sysprep -reseal" command.
    • Clean: Sysprep will clean the critical device database. The critical device database is a registry listing of devices and services that have to start in order for Windows XP to boot successfully. Upon setup completion, the devices not physically present in the system are cleaned out of the database, and the critical devices present are left intact. This mode is invoked via the "sysprep -clean" command.
[2.5] Unattended installation
  • With this method you use a distribution server, or a Windows XP installation CD, to install Windows XP on the target PC
  • The distribution may have answer file
  • The target computer must be able to connect to the distribution server over the network (if used)
  • End user interaction levels:
    • Fully automated installation
    • GUI attended installation
    • Read only installation
    • Hide pages installation
    • Provide defaults installation
[2.6] Installing applications with Windows Installer Packages
  • Microsoft installer (MSI) files - provided by software vendor
  • Repackaged application (MSI) - do not include native Windows installer packages, used to provide applications that can be cleanly installed
  • ZAP files - used when you don't have MSI files and install applications using native setup program
  • MSP files (modification files) - provide patches to installed Microsoft software, must be assigned to an MSI file at deployment
  • Windows Installer packages work as
    • Published applications - not advertised, can be installed through Add/Remove programs. They can also be installed through opening of a document that uses uninstalled published application.
    • Assigned applications - advertised through programs menu, installed next time user starts the PC, before log on prompt appears
  • Please note that Windows Installer packages cannot be published to computers in Windows XP, all other options are OK, i.e. you can assign applications to computers and assign/publish applications to users
  • You can create your own MSI files using VERITAS Software Console or WinINSTALL LE Discover
  • You create GPO for MSI package which is to be published or assigned. If it is for a user, User Configuration\Software Settings\Software, if it is a computer Computer Configuration\Software Settings\Software
  • Using AD you can uninstall an old application or upgrade on top of it. Upgrades of computer-assigned packages are always mandatory; for user-assigned or published packages the upgrade can be optional or mandatory.
  • If you deploy multiple versions of the same software you will need to configure the upgrade relationships (which package replaces which) and whether the upgrade is mandatory
  • Group Policy software installation requires AD; the packages themselves sit on a share on a file server (the software distribution point) that the target users or computers must be able to read
  • Msiexec.exe - installs, modifies and removes Windows Installer packages from the command line (msiexec /i to install, /x to uninstall, /q for a quiet install) and lets you pass public properties to the package, for example a product key the installation requires

Part 3: Upgrading to Windows XP

[3.1] Upgrade general points
  • You can upgrade to XP Pro from Windows 98/Me/NT4 Workstation/2000 Pro (and from XP Home); XP Home Edition can only be upgraded from 98/Me. Windows 95 and NT 3.51 cannot be upgraded directly, although the upgrade CD accepts a Windows 95 CD as the qualifying product when doing a clean install
  • Choose upgrade if you want to keep existing applications and preserve current local users and groups
  • Clean install will allow you to multiboot
  • Upgrade from Windows NT/2000 Pro is easier than from 98/Me due to their similarity to XP
  • You can generate a Windows XP compatibility report with winnt32 /checkupgradeonly
  • Upgrade your BIOS so you can use advanced power features and device configurations
  • Before the upgrade remove or disable any client software like virus scanners or network services
  • If older applications fail to run on Windows XP because they expect write access to system locations that ordinary Users no longer have, apply the compatws.inf security template (it loosens file and registry permissions for the Users group, so use it only where needed)
  • Upgrade of Windows 98/Me can be undone using osuninst.exe or through add and remove programs control panel
  • For upgrade you have a choice of Express upgrade or Custom upgrade
[3.2] Windows 9x software that is not supported after the upgrade
  • File system applications
  • Custom plug and play solutions
  • Custom power management solutions
  • Third-party disk compression utilities and defragmenters (this applies to Windows NT and 2000 upgrades as well)
  • Partitions compressed with DriveSpace or DoubleSpace are not supported
[3.3] Migrating user data
  • User State Migration Tool (USMT) is used to migrate users' files and settings from one computer to another
  • ScanState.exe - collects user data and settings on the source computer based on the configuration in Migapp.inf, Migsys.inf, Miguser.inf and Sysfiles.inf
  • LoadState.exe - applies the information collected on the source computer to the destination PC running Windows XP. It cannot be used on a computer that was upgraded to Windows XP
  • Supports Windows 95/98/Me/2000 to XP
  • F.A.S.T.
    • The Files and Settings Transfer Wizard (F.A.S.T.) is one of the lesser known new features in Windows XP
    • Supports all Windows versions from Windows 95 (with IE4) through Windows XP (XP as destination only)
    • Can be used as poor man's backup utility, creates a backup files that can be stored to HD or CD-RW
    • Can move user accounts one at a time, good for single users

Part 4: Configuring Windows XP Pro environment

[4.1] Windows image acquisition architecture
  • WIA is used to manage images between image capture devices and computer software applications
  • Supported devices
    • IEEE 1394
    • USB
    • SCSI
  • Devices connected through standard COM port or infrared connection are not supported by WIA
[4.2] Support for digital audio and video
  • Multichannel audio output
  • Acoustic echo cancellation (AEC)
  • Global effects (GFX)
[4.3] Microsoft Management Console (MMC)
  • The MMC is a utility used to create, save, and open collections of administrative tools that are called consoles
  • Access control options for MMC
    • Author mode - full customization of the MMC console
    • User mode-full access - as author mode, except that users cannot add or remove snap-ins, change console options, create Favorites, or create taskpads
    • User mode-limited access, multiple windows - access only to those parts of the console tree that were visible when the console file was saved. Users can create new windows but cannot close any existing windows.
    • User mode-limited access, single window - as 'user mode limited access, multiple windows' but users cannot create new windows
[4.4] Installing hardware
  • Plug and Play support
  • Non-plug and play devices can be installed using 'Add hardware wizard'
  • The DVD region setting can be changed up to 5 times; after that the region is fixed in the drive and you would need a new DVD-ROM drive to change it
[4.5] Device drivers
  • Accessed from 'Device manager'
  • You can update drivers
  • You can roll back drivers (new in Windows XP)
  • You can also uninstall driver
  • Driver signing:
    • Harmful driver install prevention
    • HCL - Hardware compatibility list, replaced by Windows catalog
    • Run d:\i386\winnt32 /checkupgradeonly from the Windows XP CD to check hardware compatibility before installing
    • Sigverif.exe (File Signature Verification) lists the system files and drivers that are not digitally signed
    • By default the system is set to warn the user when an unsigned driver is being installed (the other options are ignore and block)
    • Driver signing can also be controlled from Group Policy (Computer Configuration, Security Options, 'Devices: Unsigned driver installation behavior'); the choices are: Silently succeed, Warn but allow installation and Do not allow installation. Use 'Do not allow installation' where users must not be able to load untested kernel-mode code
    • Unsigned means the driver was not tested by Microsoft and is not supported by Microsoft. Most such drivers still work, but there is no assurance that the binary is what the vendor shipped
    • When a driver is signed by Microsoft, the driver and the hardware passed Windows Hardware Quality Labs (WHQL) testing, and the signature lets Windows detect a driver file that was modified after signing
  • Some older devices (like CD-ROM etc.) plug into LPT port on the PC. You will need to set LPT port to "Legacy plug and play support" on port settings tab for older devices to work.
  • The easiest way to solve embedded device conflict with an add on device is to disable the on board device. For example, to use add on music card, you will need to disable on board music card
  • Many problems are caused by incorrect drivers, for example graphic card that displays only 800x600 resolution. Update driver to solve these problems.
  • Driver.cab on Windows XP CD contains all original Windows XP drivers
[4.6] Multiple display support
  • To avoid flickering, the monitor refresh rate should be set to at least 72Hz
  • Maximum of 10 monitors per PC
  • When you install 2nd video card the build into the motherboard card gets disabled and new card becomes primary display adapter
  • Secondary adapter has to support multiple-displays
[4.7] Computer power states
  • Complete shutdown of PC
  • Hibernation - saves all of the desktop state into a file which uses as much HD space as there is RAM in the system, to go back to active mode press power button
  • Standby (three levels on ACPI compliant PC)
    • Level one turns off the monitor and hard drives
    • Level two turns off the CPU and cache as well
    • Level three turns off everything but the RAM
  • Fully active PC
  • You configure standby through Power options in Control panel; which standby levels are offered depends on what the ACPI BIOS and hardware support. The UPS tab of Power options configures an uninterruptible power supply (UPS) attached to the PC, which is unrelated to standby
  • Through power options you can also configure alerts when system is running on battery power and behaviour of power button
[4.8] PCMCIA (Personal Computer Memory Card International Association) Cards
  • Type I cards - up to 3.3mm thick. Used for memory cards
  • Type II cards - up to 5.0mm thick. Used for modems and network cards
  • Type III cards - up to 10.5mm thick. Used for portable disk drives
[4.9] Configuring I/O devices
  • Through Keyboard properties you can configure typing delay and cursor behaviour as well as keyboard key layout
  • You need a keyboard in order to install Windows XP
  • Through Mouse properties you can configure mouse properties such as: speed, buttons, wheel and pointers
  • USB supports up to 127 devices per host controller and up to 5 tiers of external hubs below the root hub. USB 1.1 runs at up to 12Mbps (full speed); USB 2.0 adds a 480Mbps high-speed mode. You can see power & bandwidth usage by checking the root hub properties in Device manager
  • USB 1.1 defines two speeds, low speed (1.5Mbps) and full speed (12Mbps); low-speed devices such as mice and keyboards can use simpler, unshielded cabling
  • USB controllers require that an IRQ be assigned in the computer BIOS. Make sure you have newest BIOS and/or firmware.
  • Wireless devices, RF - Radio Frequency and IrDA - Infrared Data Association
[4.10] Windows registry
  • Windows registry is a database used by the OS to store system configuration
  • Regedit is used to edit the registry (in Windows XP regedt32.exe is just a small stub that launches regedit.exe)
  • There are five default keys in the Windows registry:
    • HKEY_CURRENT_USER - for user who is currently logged on the computer
    • HKEY_USERS - configuration data for all users of the PC
    • HKEY_LOCAL_MACHINE - computer hardware and software configuration, devices drivers and startup options
    • HKEY_CLASSES_ROOT - used by Windows explorer for file type to application association, software configuration data and OLE (object linking and embedding) data
    • HKEY_CURRENT_CONFIG - hardware profile that is used during system startup
[4.11] Remote desktop
  • Remote desktop connection = terminal services client
  • In Windows XP the Terminal Services service allows a single remote connection only. Remote desktop is disabled by default and has to be enabled through the Remote tab of System properties. A remote connection takes over the console session, so the local screen is locked while the remote user is connected
  • Remote desktop depends on terminal services service
  • Windows XP Home Edition does not allow connections to it using Remote desktop, XP Pro allows only one connection
[4.12] Remote assistance
  • Remote assistance is available with all editions of Windows server 2003 and Windows XP
  • The person assisting the user has a concurrent session with logged in user
  • Logged in user has to authorize access
  • You can send an invitation from the 'Help and Support' menu. Invitations can be sent by e-mail using a MAPI enabled client, through Windows Messenger or saved to a file. You need to supply a connection password, and you should also set an expiry time, since the invitation file is all a recipient needs to connect
  • You can also offer remote assistance to others (disabled in GP by default)
  • You can chat using text or voice, you can send and receive files
  • HelpAssistant account is used if help is given by another user, support_XXXX account is used if help is given by Microsoft staff
[4.13] Services
  • A service is a program, routine or a process that performs a specific function
  • Service startup types: automatic, manual and disabled
  • You can choose the account service uses to log on
  • When a service fails you can choose what the OS should do (Recovery tab of the service's properties):
    • Take no action
    • Restart the service
    • Run a file
    • Reboot the computer
  • SC.exe is the command line interface to the service control manager (query, start, stop and configure services)
[4.14] HAL - hardware abstraction layer
  • Kernel-mode component (hal.dll) that hides hardware differences such as interrupt controllers, timers and multiprocessor support; the kernel is built on top of it so that the rest of the OS is hardware independent
  • You can choose HAL during install by pressing F5
  • Multiple processors - when installing a 2nd processor in a single processor system (UP - uni processor) you will need to update HAL for the CPU from single CPU to multiple CPU (SMP - symmetric multi processor driver)
  • Do not upgrade from standard HAL to ACPI (advanced configuration and power interface) HAL and vice versa
[4.15] Hardware profiles
  • Hardware profile consists of a set of instructions that instruct Windows as to which devices to start when computer starts and/or which settings to use for each device
  • By default a single hardware profile called Profile 1 is created (on laptops, Docked Profile and Undocked Profile)
  • You can designate a default profile. If you want the default hardware profile to load automatically (without showing you the list during startup), enter 0 seconds under Hardware profiles selection. If you want to see the list anyway press the SPACEBAR during startup.
  • Windows will ask you which profile to use every time you start your computer if you have more than one profile and you don't specify a default profile with 0 wait time
  • You can also use hardware profiles as a debugging tool. For example, you can set up profiles that omit the hardware devices you suspect of being defective.
[4.16] Other hardware
  • Fax service - provides faxing support, controlled through the Fax applet in Control panel once installed
  • Program compatibility wizard - accessed from Accessories, used to run programs in Windows 95, 98/Me, NT4 or 2000 compatibility mode

Part 5: Managing the Desktop

[5.1] Customizing desktop
  • You can configure start menu and taskbar through 'Taskbar and Start menu properties'
  • 'Start menu' modifications are done to Windows XP theme, while 'Classic start menu' modifications are done to Windows 2000 theme
  • Display properties
    • You can select a different theme
    • You can display web page on your desktop or just a picture(s)
    • You can set up a screen saver
    • In appearance you can change many aspect of the choosen theme
    • In settings you can change aspects of video display adapter
  • Default Windows XP theme is also known as 'Luna'
  • A local profile is created when a user logs on for the 1st time and consists of folders such as: Desktop, NetHood, PrintHood, SendTo, Start Menu, Cookies, Favorites, Application Data
  • The notification area was previously called the system tray
[5.2] Multilanguage technology
  • Unicode - international standard that allows support for the characters used in the world's most common languages
  • National language support API - is used to provide information for locale, character mapping and keyboard layout
  • Multilingual API - used to set up applications to support keyboard input and fonts from various language version of applications
  • Windows XP stores all language specific information in separate files from the OS files
[5.3] Multilanguage support
  • Support for two technologies
    • Multilingual editing and viewing, which supports multiple languages while the user is viewing, editing and printing documents
    • Multilanguage user interface
  • Localized Windows XP - includes a fully localized user interface for the selected language. It lets users view, edit and print documents in more than 60 languages, but there is no support for a multilingual user interface.
  • Multilanguage Windows XP - provides user interfaces in several different languages. You will need to install the following files
    • Language groups - contain fonts and files needed to process specific language
    • Windows XP multilanguage version files - contain language content required by user interface and help files, can be up to 45Mb in size
  • Use Muisetup.exe to set up the default user interface language
  • Multilanguage version of Windows XP is not available in retail, need Windows volume licensing
  • On localized version of Windows XP you configure multiple languages through 'Regional and language options'
[5.4] Accessibility options
  • Configured through 'Accessibility options' in Control panel
  • Keyboard settings:
    • StickyKeys - allows user to enter key combinations one key at a time
    • FilterKeys - ignores brief repeated keystrokes
    • ToggleKeys - user hears tones when toggling CAPS LOCK/NUM LOCK/SCROLL LOCK
    • MouseKeys - allows you to use the numeric keypad to control the mouse pointer
  • ShowSounds - instructs programs that convey information by sound to also provide information visually
  • SoundSentry - allows you to change settings to generate visual warnings
  • You can also set the time after which options are turned off and when they are turned on (like on user log on)
[5.5] Accessibility utilities
  • Accessibility wizard - adjusts the PC based on the user's vision, hearing and mobility needs
  • Magnifier utility - makes portion of the screen bigger for easier viewing
  • Narrator utility - employs text-to-speech technology to read the contents of the screen
  • On screen keyboard - has three different modes:
    • Clicking mode - user clicks the on-screen keys to type text
    • Scanning mode - on-Screen keyboard highlights areas where you can type characters
    • Hovering mode - use a mouse or joystick to point to a key for period of time to type character
  • Utility manager - starts and stops accessibility utilities; can start/stop utilities at user logon or when the PC is locked

Part 6: Managing users and groups

[6.1] Built-in Accounts
  • Administrator - full control over the PC; even if disabled it can still be used to log on in safe mode; its password is provided during setup
  • Guest - for users that don't have a username and password on the system, disabled by default
  • Initial user - uses the name of the registered user and exists only if the computer is a member of a workgroup, not a domain; by default a member of the Administrators group
  • HelpAssistant - new in Windows XP, used together with remote assistance
  • Support_xxxxxxx - used by Microsoft for help and support services, disabled by default
[6.2] Logging on
  • There are two type of users, local and domain
  • Local user credentials are checked against the local security database (SAM); domain user credentials are checked against Active Directory on a domain controller
  • When a user logs onto the system an access token is created, listing the user's SID, the SIDs of the groups he or she belongs to and the user's privileges; every process the user starts carries a copy of it
  • A local account is known only to the computer that holds it, so it does not by itself grant access to resources on other computers; access works only when the other computer has an account with the same name and password, or is given explicit credentials
[6.3] Managing users
  • You manage users through 'Local users and groups' MMC that can be accessed in two ways
    • Custom MMC
    • By right clicking on My computer and selecting 'manage'
  • User account consist of:
    • Name and password
    • SID (security identifier) - consists of a domain (or machine) SID, which is the same for all SIDs created in that domain, and a RID (relative identifier), which is unique for each SID created in the domain. A SID is never reused, so permissions always refer to the SID, never to the name
    • Can have other attributes, like group membership
  • Local user names can be up to 20 characters long and must be unique (different from the other user names and group names on the computer)
  • User names cannot contain " / \ [ ] : ; | = , + * ? < > and cannot consist of spaces and periods alone
  • User names are not case sensitive but passwords are
  • You can create users using net user
  • You have following user options:
    • User name (required field)
    • Full name (by default same as user name)
    • Description
    • Password textbox (up to 127 characters; the old LM hash is only computed for passwords of 14 characters or fewer, so a longer password is stored as an NTLM hash only, which is the stronger option)
    • Confirm password textbox
    • User must change password at next logon checkbox
    • User cannot change password checkbox
    • Password never expires checkbox
    • Account is disabled checkbox
  • You can set the following user properties
    • User profile path - by default 'Documents and Settings\%username%'; the profile contains the user's preferences and the registry hive file ntuser.dat. In Windows NT 4.0 the path was %systemroot%\profiles\%username%
    • Logon script - a script that runs every time the user logs on to the PC
    • Home folder - where users commonly store their personal files and documents
  • Password reset disk - lets a user who forgot the password reset it without losing access to EFS-encrypted files. If an administrator simply resets the user's password instead, the user's EFS keys and other stored credentials become unreadable and access to encrypted data is lost
  • Mandatory profiles can only be used with roaming profiles, they don't work with local profiles. Mandatory profiles can only be set up by an administrator
  • You can copy profiles using 'User profiles' tab of 'System properties'
  • UNC path - is in the format \\computer_name\share_name
  • Renaming an account maintains all group membership, permissions, and privileges of the account. Copying a user account maintains group membership, permissions, an privileges assigned to its groups, but doing so does not retain permissions associated with the original user account. Deleting and re-creating an account with the same name loses all group membership and permissions.
[6.4] Build-in local groups
  • Administrators - full control over the PC
  • Backup operators - can back up and restore files regardless of NTFS permissions, but only through the backup utility; treat the group as sensitive, since members can read any file on the machine
  • Network configuration operators (new) - network settings
  • Guests - limited privileges
  • Power users - can add/remove users, create non-administrative shares, manage printers, start and stop services that are not started automatically. Not a security boundary: members can usually obtain full administrative control, so only trusted users belong here
  • Remote desktop users (new) - members can logon remotely
  • Replicator - for directory replication used by domain servers
  • Users - run programs, print stuff, nothing special
  • HelpServices (new) - support through Microsoft Help services
[6.5] Special groups
  • Special groups are used by the system. Membership is automatic based on special criteria. You cannot manage these groups.
  • Creator Owner - the account that created or took ownership of an object
  • Creator Group - the primary group of the account that created or took ownership of an object
  • Everyone - everyone that can possibly be accessing the PC, doesn't include the anonymous group
  • Interactive - users who use resources interactively (locally)
  • Network - users who access resources over the network
  • Authenticated users - users who access the PC using valid user name and password
  • Anonymous logon - users who access the PC through anonymous logon
  • Batch - user accounts that are only used to run a batch job
  • Dialup - users that logon to the network through dialup connection
  • Service - user accounts that are used only to run a service
  • System (Local System) - the operating system's own processes and the services that run under the LocalSystem account
  • Terminal server user - users who logged on through terminal services
[6.6] Managing groups
  • Group names can be up to 256 characters long, have to be unique and are subject to the same character restrictions as user names
  • Groups are used to manage and organize users. Add users to a group and then assign permission to the group
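The rules in [6.3], [6.5] and [6.6] above, as an added Python example (not part of the original guide): it validates a local account name, splits an SID into its domain/machine SID and RID (naming the well-known SIDs behind the special groups and the well-known RIDs of the built-in accounts), and uses a toy account database to show why renaming an account keeps its permissions while deleting and re-creating it loses them. The machine SID used, the LocalSam class and has_access are assumptions made for the example; the starting RID of 1000 is what Windows uses for ordinary accounts.

```python
import re

# Characters Windows rejects in local user and group names; a name also
# cannot consist only of periods and spaces.
ILLEGAL_NAME_CHARS = set('"/\\[]:;|=,+*?<>')

# Well-known SIDs behind the special groups and built-in groups listed above.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-4": "INTERACTIVE",
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
# RIDs that are the same in every domain and on every machine.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def validate_account_name(name, max_len=20):
    """Apply the local account-name rules; returns (ok, reason)."""
    if not name or len(name) > max_len:
        return False, "name must be 1..%d characters" % max_len
    bad = sorted(ILLEGAL_NAME_CHARS & set(name))
    if bad:
        return False, "illegal characters: " + "".join(bad)
    if set(name) <= {" ", "."}:
        return False, "name cannot consist only of spaces and periods"
    return True, "ok"


def parse_sid(sid):
    """Split an SID string into revision, authority and sub-authorities.
    For an account SID (S-1-5-21-x-y-z-RID) the last sub-authority is the
    RID and everything before it is the domain or machine SID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not an SID: %r" % sid)
    subs = [int(x) for x in m.group(3).split("-") if x]
    info = {"revision": int(m.group(1)), "authority": int(m.group(2)),
            "subauthorities": subs, "domain_sid": None, "rid": None,
            "name": WELL_KNOWN_SIDS.get(sid)}
    if info["authority"] == 5 and subs[:1] == [21] and len(subs) == 5:
        info["domain_sid"] = "S-1-5-" + "-".join(str(s) for s in subs[:-1])
        info["rid"] = subs[-1]
        info["name"] = WELL_KNOWN_RIDS.get(subs[-1])
    return info


class LocalSam:
    """Toy stand-in for the local account database (an assumption made for
    this example). Ordinary accounts get RIDs from 1000 upwards and a RID
    is never handed out twice."""

    def __init__(self, machine_sid="S-1-5-21-1111111111-2222222222-3333333333"):
        self.machine_sid = machine_sid
        self.next_rid = 1000
        self.users = {}  # lower-cased name -> SID (names are not case sensitive)

    def create_user(self, name):
        ok, why = validate_account_name(name)
        if not ok or name.lower() in self.users:
            raise ValueError(why if not ok else "name already exists")
        sid = "%s-%d" % (self.machine_sid, self.next_rid)
        self.next_rid += 1
        self.users[name.lower()] = sid
        return sid

    def rename_user(self, old, new):
        ok, why = validate_account_name(new)
        if not ok or new.lower() in self.users:
            raise ValueError(why if not ok else "name already exists")
        sid = self.users.pop(old.lower())
        self.users[new.lower()] = sid  # same SID, so every ACL entry still matches
        return sid

    def delete_user(self, name):
        del self.users[name.lower()]   # the SID dies with the account


def has_access(acl_sids, sam, name):
    """ACLs store SIDs, not names: resolve the name, then look the SID up."""
    sid = sam.users.get(name.lower())
    return sid is not None and sid in acl_sids
```

Creating "alice", putting her SID in an ACL, renaming her and checking again shows the access surviving; deleting and re-creating the same name yields RID 1001 and the check fails, which is exactly the situation described in the last bullet of [6.3].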

Part 7: Managing security

[7.1] Policies
  • Configured through 'Local computer policy' group policy, gpedit.msc MMC
  • Account policies are used to control logon procedures. If you want to control user after logging on, use local policies
  • Local policies are made up of
    • Audit policy - disabled by default
    • User rights assignment - too many to list here, see explanation underneath
    • Security options - also too many to list
  • Local policies are set for all users of the computer, you cannot single users out (you need AD for that)
[7.2] Password policy settings
  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
  • Store passwords using reversible encryption - leave disabled unless a protocol genuinely needs it (e.g. CHAP through remote access), since it amounts to storing the password in clear text
[7.3] Account lockout policy
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after X minutes
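The password complexity rule of [7.2] and the lockout policy of [7.3], as an added Python example (not part of the original guide). meets_complexity implements the documented complexity check (at least six characters, three of the four character classes, no account name or piece of the full name longer than two characters); AccountLockout models the three lockout settings as a state machine, with the clock passed in explicitly. The function and class names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta


def meets_complexity(password, user_name, full_name="", min_length=6):
    """'Password must meet complexity requirements': at least min_length
    characters, characters from at least three of the four classes
    (upper, lower, digit, other), and neither the account name nor any
    part of the full name longer than two characters may appear in it."""
    if len(password) < min_length:
        return False
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        return False
    low = password.lower()
    parts = [user_name] + re.split(r"[ ,.\-_#\t]+", full_name)
    return not any(len(p) > 2 and p.lower() in low for p in parts)


class AccountLockout:
    """Account lockout policy as a state machine. threshold=0 means never
    lock; duration_min=0 means locked until an administrator unlocks the
    account; the bad-attempt counter is reset reset_after_min minutes
    after the last bad attempt."""

    def __init__(self, threshold=5, duration_min=30, reset_after_min=30):
        self.threshold = threshold
        self.duration = timedelta(minutes=duration_min) if duration_min else None
        self.reset_after = timedelta(minutes=reset_after_min)
        self.state = {}  # user -> {"bad": n, "last_bad": time, "locked_at": time}

    def unlock(self, user):
        """What an administrator does through Local users and groups."""
        self.state.pop(user, None)

    def attempt(self, user, password_ok, now):
        st = self.state.setdefault(user, {"bad": 0, "last_bad": None, "locked_at": None})
        if st["locked_at"] is not None:
            if self.duration is not None and now >= st["locked_at"] + self.duration:
                st.update(bad=0, last_bad=None, locked_at=None)  # duration elapsed
            else:
                return "locked"          # even the correct password is refused
        if st["last_bad"] is not None and now - st["last_bad"] >= self.reset_after:
            st["bad"] = 0                # observation window expired
        if password_ok:
            st["bad"] = 0
            return "ok"
        st["bad"] += 1
        st["last_bad"] = now
        if self.threshold and st["bad"] >= self.threshold:
            st["locked_at"] = now
            return "locked"
        return "bad_password"
```

Note the trade-off the state machine makes visible: while an account is locked the correct password is refused too, so anyone who can reach a logon prompt and knows a user name can lock that user out. Keep the threshold moderate and the duration finite rather than 0, and remember that the built-in Administrator account is exempt from lockout.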
[7.4] Enabling auditing for files, folders and printers
  • You will need to enable auditing for object access policy
  • And you also need to enable auditing for individual files and folders through NTFS security or through printer security
  • Auditing data is placed into security log
[7.5] Auditing
  • Account logon events - success or failure of credential validation, recorded on the computer that holds the account (the domain controller for domain accounts, the local PC for local accounts)
  • Account management - events such as creating users, resetting passwords and modifying user or group properties
  • Directory service access - access to Active Directory objects that have a system access control list (SACL) configured
  • Logon events - success or failure of a logon session being created on this computer, whether interactive or over the network (for example to a share)
  • Object access - file, folder or printer access, for objects that have a SACL
  • Policy change - success or failure of changes to security options, user rights, account policies and audit policies. Both domain and local PC changes are tracked.
  • Process tracking - process creation and exit, i.e. which program was started by which user; useful when investigating what an application or an intruder ran
  • System events - system events such as shutting down the PC or clearing the security log
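What you do with the security log once auditing from [7.4] and [7.5] is switched on, as an added Python example (not part of the original guide): it runs two simple detections over records of the shape you would export from Event Viewer, a sliding-window count of failed logons per account, and a success from the same source shortly after a run of failures for the same account. The sample records are constructed for the example and the field layout is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records for this example, modelled on what you would
# export from the security log: (time, audit category, outcome, account,
# source). Not real log data.
SAMPLE_EVENTS = [
    ("2004-06-17 09:00:01", "Logon events", "Failure", "alice", "10.0.0.5"),
    ("2004-06-17 09:00:04", "Logon events", "Failure", "alice", "10.0.0.5"),
    ("2004-06-17 09:00:09", "Logon events", "Failure", "alice", "10.0.0.5"),
    ("2004-06-17 09:00:15", "Logon events", "Failure", "alice", "10.0.0.5"),
    ("2004-06-17 09:00:21", "Logon events", "Success", "alice", "10.0.0.5"),
    ("2004-06-17 09:05:00", "Logon events", "Failure", "bob", "10.0.0.9"),
    ("2004-06-17 09:30:00", "Logon events", "Success", "bob", "10.0.0.9"),
    ("2004-06-17 10:00:00", "Object access", "Success", "alice", "10.0.0.5"),
    ("2004-06-17 10:01:00", "Account management", "Success", "admin", "console"),
]


def parse_events(rows):
    """Turn the timestamp strings into datetimes so they can be compared."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), cat, outcome, user, src)
            for t, cat, outcome, user, src in rows]


def failed_logon_bursts(events, threshold=4, window=timedelta(minutes=1)):
    """Report accounts with at least `threshold` failed logons inside any
    sliding `window`, with the largest such burst seen."""
    failures = defaultdict(list)
    for t, cat, outcome, user, _src in events:
        if cat == "Logon events" and outcome == "Failure":
            failures[user].append(t)
    bursts = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


def success_after_failures(events, min_failures=3, window=timedelta(minutes=5)):
    """A success from the same source shortly after a run of failures for
    the same account is what a password-guessing attempt that worked looks
    like; returns [(account, source, time of the success), ...]."""
    recent = defaultdict(list)   # (account, source) -> recent failure times
    findings = []
    for t, cat, outcome, user, src in sorted(events):
        if cat != "Logon events":
            continue
        key = (user, src)
        recent[key] = [f for f in recent[key] if t - f <= window]
        if outcome == "Failure":
            recent[key].append(t)
        elif len(recent[key]) >= min_failures:
            findings.append((user, src, t))
            recent[key] = []
    return findings
```

On the sample data alice is reported by both detections while bob, with a single failure half an hour before his success, is not. Both detections depend on the Logon events category being audited for failures as well as successes, which is why [7.5] matters before anything can be found.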
[7.6] User rights
  • Administrators can assign specific rights to group accounts or to individual user accounts. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights. The only time that rights assigned to one group might conflict with those assigned to another is in the case of certain logon rights.
  • There are too many user rights to list
  • There are two types of user rights:
    • Privileges, such as the right to back up files and directories
    • Logon rights, such as the right to logon to a system locally
[7.7] Security options
  • Security option policies are used to configure security for the computer
  • These policies are applied to the computer, not to users and groups
  • Security options are edited under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options in the 'Local computer policy' group policy object (gpedit.msc)
  • Security options can also be viewed with secpol.msc
  • There are too many security options to list
[7.8] Security templates
  • secedit.exe compares (secedit /analyze) the current system security configuration against a template and can also apply a template (secedit /configure); both take a database (/db) and a template (/cfg)
  • Security templates are stored in %systemroot%\security\templates folder
  • Setup security.inf - default settings
  • Compatws.inf - used for backwards compatibility, so applications not certified for Windows XP can work
  • Secure*.inf - implements recommended security in all areas except files,folders and registry keys
  • Hisec*.inf - high security for network communication (SMB signing, NTLMv2 only); a machine configured this way can communicate only with other Windows 2000, XP and Server 2003 computers
  • Rootsec.inf - new root permissions introduced in XP are going to be applied
  • Notssid.inf - removes default permissions granted to terminal server SID
[7.9] Using local group policies
  • Normally GP are applied through AD, but they can also be applied locally
  • When you use local group policies there can only be one GP object
  • Policies that have been applied through AD will take precedence over any local group policies
  • You administer local GP through Local group policy object (gpedit.msc)
  • Rsop - resultant set of policies is the final set of policies that is applied to the user and computer. Use gpresult to display Rsop for current user in command line format. Use rsop.msc to start Microsoft management console that displays Rsop.
[7.10] Using group policies with AD
  • When a DC is present you can have GPOs in AD; by default they are stored under %systemroot%\Sysvol (in the Policies folder of the domain) on every DC
  • When user logs into active directory, this is the order of policy application:
    • Local computer
    • Site (an AD site is a set of well-connected IP subnets, typically one physical location; it is not a group of domains)
    • Domain
    • OU (organizational unit)
  • The following options are available for overriding the default policy application
    • No override (called Enforced in the Group Policy Management Console) - enforces policy inheritance: all child containers inherit the parent's policy, even if that policy conflicts with the child's policy and even if Block Inheritance has been set for the child. This option is used by corporations that want corporate-level security settings that lower-level administrators cannot override. To set it, open the properties screen of the domain or OU, right-click the GPO link you want to enforce in the GPO Links list and click No Override.
    • Block inheritance - used if you don't want to inherit GP settings from parent containers. You can block policy inheritance at the domain or OU level by opening the properties dialog box for the domain or OU and selecting the 'Block Policy inheritance' check box
  • Group Policy is not inherited from parent to child domains, i.e. blah.boom.com does not inherit from boom.com
  • The smallest unit you can apply GP to is an organizational unit (OU)
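The application order, No override and Block inheritance rules of [7.10], as an added Python example (not part of the original guide) that computes the resultant set of policy for a chain of site, domain and OU links. The local GPO is processed before all of these and is overridden by anything linked in AD, so it is left out of the chain. The setting names, the container chain and the function name are assumptions made for the example; the "boom.com" domain name comes from the bullet above.

```python
def resultant_set_of_policy(containers):
    """Combine the GPOs linked at each level into the resultant set of policy.

    containers: list in processing order, i.e. site, domain, OU, child OU.
    Each is {"name": str, "block_inheritance": bool, "gpos": [gpo, ...]} and
    each gpo is {"name": str, "enforced": bool, "settings": {key: value}}.
    GPOs in a "gpos" list are applied in that order (later ones override
    earlier ones at the same level).

    Rules modelled: later (closer) containers override earlier ones; Block
    inheritance on a container discards all non-enforced settings from the
    containers above it; an Enforced (No override) GPO's settings win over
    everything below it, and an enforced GPO higher up wins over an
    enforced GPO lower down. Returns {setting: (value, gpo name)}."""
    normal, enforced = [], []
    for container in containers:
        if container.get("block_inheritance"):
            normal = []                # drop what would have been inherited
        for gpo in container.get("gpos", []):
            (enforced if gpo.get("enforced") else normal).append(gpo)
    result = {}
    for gpo in normal:                 # last writer wins
        for key, value in gpo["settings"].items():
            result[key] = (value, gpo["name"])
    for gpo in reversed(enforced):     # highest enforced level is written last
        for key, value in gpo["settings"].items():
            result[key] = (value, gpo["name"])
    return result


# Constructed chain for this example: an enforced security GPO at the domain,
# and a Sales OU whose administrator has set Block inheritance.
EXAMPLE_CHAIN = [
    {"name": "Site: HQ", "gpos": [
        {"name": "HQ-Proxy", "settings": {"proxy": "proxy.hq.example"}}]},
    {"name": "Domain: boom.com", "gpos": [
        {"name": "Default Domain Policy",
         "settings": {"wallpaper": "corp.bmp", "screensaver_timeout": 900}},
        {"name": "Corp-Security", "enforced": True,
         "settings": {"unsigned_driver": "block", "screensaver_timeout": 600}}]},
    {"name": "OU=Sales", "block_inheritance": True, "gpos": [
        {"name": "Sales-Desktop",
         "settings": {"wallpaper": "sales.bmp", "screensaver_timeout": 300,
                      "unsigned_driver": "warn"}}]},
]


def demo():
    """RSoP for a computer in OU=Sales of the constructed chain."""
    return resultant_set_of_policy(EXAMPLE_CHAIN)
```

In the result the Sales administrator's wallpaper stands, the site proxy setting is gone because of Block inheritance, but the enforced Corp-Security values for the driver signing behaviour and the screen saver timeout beat the OU's own GPO; clearing block_inheritance on the OU brings the proxy setting back without changing anything else.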
[7.11] Other security issues
  • Both Windows XP Pro and Home Edition allow user accounts with blank passwords to log on at the local console. In XP Pro, however, the security option 'Accounts: Limit local account use of blank passwords to console logon only' is enabled by default, so such accounts can no longer be used over the network (or through Remote desktop)
  • In XP Home Edition the user accounts created during setup are Computer administrators with no password by default
  • Windows XP Home Edition will not allow you to disable the Guest account. When you disable the Guest account via the Control Panel, it only removes the listing of the Guest account from the Fast User Switching Welcome screen, and the Log on Local right. The network credentials will remain intact and guest users will still be able to connect to shared resources.
  • The "Everyone" group has access to Printers assigned by default
  • Remote desktop is not enabled by default on Windows XP Pro

Part 8: Managing disks

[8.1] File systems
  • FAT 16 bit (File Allocation Table)
  • FAT 32 bit
  • NTFS (New Technology File System)
  • To convert from FAT to NTFS use: convert x: /fs:NTFS. Conversion is one-way: convert cannot produce FAT or FAT32, and there is no way back to FAT except reformatting
[8.2] Disk drives
  • SCSI - drives up to 15000RPM; 20MB/s is the bandwidth of Ultra SCSI, later SCSI variants are much faster
  • IDE - typically 7200RPM; 16.7MB/s is PIO mode 4, later Ultra DMA modes are much faster
  • SATA (serial ATA, successor of parallel IDE; one drive per port)
  • A wide SCSI bus supports up to 15 drives on a single controller (16 IDs, one of which is taken by the host adapter)
  • IDE drives have 'cable select' option on them which automatically determines master and slave. It is best practice to manually set jumpers for master and slave.
[8.3] ARC path designation (Advanced RISC computing)
  • ARC dates back to NT 3.5 days (in the form presented here, otherwise NT 3.1)
  • NTLDR reads boot.ini to build the boot menu and to locate the partition and folder holding the system files ('\WINDOWS', or '\WINNT' on upgrades)
  • Bootcfg.exe configures, queries, or changes Boot.ini file settings
  • Msconfig can be used to change system startup options including modification of boot.ini
  • Please note that Microsoft has changed the default install directory from WINNT to WINDOWS for Windows XP. For upgrades we will still use WINNT directory.
  • Multi
    • Identifies the controller physical disk is on
    • Multi(x) syntax of the ARC path is only used on x86-based computers
    • For IDE or pure SCSI disks when OS is on the 1st or 2nd SCSI drive
    • The Multi(x) syntax tells NTLDR to rely on the computer's BIOS to load the system files. This means that the loader uses interrupt (INT) 13 BIOS calls to find and load NTOSKRNL.EXE and any other files needed to boot Windows
    • Numbering starts at 0, for example Multi(0), due to technical reasons it should always be 0
    • In a pure IDE system, the Multi(x) syntax will work for up to the 4 drives on the primary and secondary channels of a dual-channel controller
    • In a pure SCSI system, the Multi(x) syntax will work for the first 2 drives on the first SCSI controller (that is, the controller whose BIOS loads first)
    • In a mixed SCSI and IDE system, the Multi(x) syntax will work only for the IDE drives on the first controller
  • SCSI
    • Identifies the controller physical disk is on
    • The SCSI(x) syntax is used on both RISC and x86-based computers
    • Using SCSI() notation indicates that Windows NT will load a boot device driver and use that driver to access the boot partition
    • On an x86-based computer, the device driver used is NTBOOTDD.SYS, on a RISC computer, the driver is built into the firmware
    • Numbering starts at 0, for example SCSI(0)
    • Windows NT Setup always uses Multi(x) syntax for the first two drives
  • Disk
    • Identifies the physical disk attached to controller
    • 0 if Multi(x) present, Disk is only for SCSI
    • For SCSI the value of Disk(x) is the SCSI ID of the disk, 0-15 on a wide bus. Note: one ID (usually 7) is taken by the host adapter itself
    • Numbering starts at 0, for example Disk(0)
  • Rdisk
    • Ordinal of the physical disk on the controller, used together with Multi(x)
    • Almost always 0 if SCSI(x) is present; with Multi(x) it is the disk number, usually 0-3 (primary master, primary slave, secondary master, secondary slave on IDE)
    • Numbering starts at 0, for example Rdisk(0)
  • Partition
    • Refers to the partition on the hard disk where Windows system folder is located on
    • All partitions receive a number except for type 5 (MS-DOS Extended) and type 0 (unused) partitions, with primary partitions being numbered first and then logical drives
    • A partition is a logical definition of hard drive space
    • Numbering starts at 1, for example Partition(1)
  • Signature
    • Used when system BIOS or controller hosting the boot partition cannot use INT-13 Extensions
    • The signature() syntax is equivalent to the scsi() syntax
    • Using the signature() syntax instructs Ntldr to locate the drive whose disk signature matches the value in the parentheses, no matter which SCSI controller number the drive is connected to
    • The signature() value is extracted from the physical disk's Master Boot Record (MBR)
[8.4] Easy way to memorize ARC
  • There are 5 letters in the word 'Multi' and 5 letters in the word 'Rdisk'
  • There are 4 letters in the word 'SCSI' and 4 letters in the word 'Disk'
  • 'SCSI' works together with 'Disk' while 'Multi' works together with 'Rdisk'
  • When the system uses Multi(x) it relies on BIOS INT 13 calls, so the on-board BIOS of the controller has to be enabled
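The ARC path rules of [8.3] and [8.4], as an added Python example (not part of the original guide): parse_arc_path splits a path into its parts, tells you whether NTLDR would go through the BIOS or NTBOOTDD.SYS, and rejects the combinations the rules forbid; parse_boot_ini reads a whole boot.ini. The sample boot.ini is constructed for the example and the function names are assumptions.

```python
import re

_ARC_RE = re.compile(
    r"^(multi|scsi|signature)\(([0-9a-f]+)\)disk\((\d+)\)rdisk\((\d+)\)"
    r"partition\((\d+)\)(\\[^\s=\"]*)?$", re.IGNORECASE)


def parse_arc_path(path):
    """Parse one ARC path and apply the consistency rules from the section
    above. Returns a dict describing how NTLDR would reach the system folder."""
    m = _ARC_RE.match(path.strip())
    if not m:
        raise ValueError("not an ARC path: %r" % path)
    adapter, number, disk, rdisk, partition, folder = m.groups()
    adapter = adapter.lower()
    info = {"adapter": adapter, "disk": int(disk), "rdisk": int(rdisk),
            "partition": int(partition), "folder": folder or ""}
    if info["partition"] < 1:
        raise ValueError("partitions are numbered from 1")
    if adapter == "multi":
        info["controller"] = int(number)
        info["loads_via"] = "BIOS INT 13h"
        if info["disk"] != 0:
            raise ValueError("multi() paths must use disk(0); the disk goes in rdisk()")
    elif adapter == "scsi":
        info["controller"] = int(number)
        info["loads_via"] = "NTBOOTDD.SYS"   # disk() is the SCSI ID, rdisk() is 0
    else:
        info["signature"] = int(number, 16)   # MBR disk signature, hexadecimal
        info["loads_via"] = "NTBOOTDD.SYS"
    return info


def parse_boot_ini(text):
    """Minimal boot.ini reader: returns (timeout, default ARC path,
    [(parsed ARC path, description, switches), ...])."""
    section, timeout, default, entries = None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout":
                timeout = int(value)
            elif key.lower() == "default":
                default = value
        elif section == "operating systems":
            desc, _, switches = value.partition('" ')
            entries.append((parse_arc_path(key), desc.strip('"'), switches.split()))
    return timeout, default, entries


# Constructed boot.ini for this example (not from a real machine).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
scsi(0)disk(1)rdisk(0)partition(2)\\WINNT="Microsoft Windows 2000 Professional" /fastdetect
signature(8b467c12)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP (large disk)" /fastdetect
"""
```

The three entries cover the three adapter forms: the IDE-style multi() entry is loaded through the BIOS, the scsi() entry names the disk by SCSI ID and needs NTBOOTDD.SYS, and the signature() entry locates the disk by its MBR signature regardless of controller numbering. A path such as multi(0)disk(1)rdisk(0)partition(1) is rejected, which is the mistake the [8.4] mnemonic is meant to prevent.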
[8.5] Disk Management MMC snap-in
  • To activate: start -> all programs -> administrative tools -> computer management -> disk management tree node
  • Another way is to right-click My Computer and select 'manage' from the list
  • Finally you can just create a custom MMC snap in
  • Using disk management, among other things, you can:
    • Initialize new disks
    • Create new volumes and partitions
  • If you r-click and select properties -> general tab you can see location heading with a number. That number is the ARC number of the HD.
  • If you need a disk formatted as FAT or FAT32 you cannot do it from Disk Management, you need to use: format x: /fs:FAT32. Note: Windows can format FAT32 volumes up to a maximum of 32 GB but can read larger ones
  • DiskPart.exe - you can create scripts to automate tasks, such as creating volumes or converting disks to dynamic.
  • Fsutil.exe - perform many NTFS file system related tasks, such as managing disk quotas, dismounting a volume, or querying volume information.
  • Mountvol.exe to mount a volume at an NTFS folder or unmount the volume from the NTFS folder.
[8.6] Remote management
  • Computer management is not just for the local machine, you can also manage other PCs, to activate r-click on computer management (local) and select 'connect to another pc'
  • By default Domain Admins are members of the local Administrators group, and you need these rights to connect to and administer remote PCs
  • If you cannot access Device Manager from the Computer Management extension snap-ins on a remote computer, ensure that the Remote Registry service is started on the remote computer.
  • Computer Management does not support remote access to computers that are running Windows 95.
  • In remote management 'Device Manager' is in read only mode
[8.7] Basic Disks
  • Primary partition is the only one that is bootable and there is a maximum of 4 primary partitions
  • Extended partitions are not bootable
  • Logical drives are created in extended partitions. There are no limits as to the number of logical drives each extended partition may have.
  • Primary partitions and logical drives are assigned drive letters
  • Basic Disk FAT is located on the first sector of the hard disk; space is shared with the MBR
[8.8] Dynamic disks
  • Fault tolerance is better than with basic disks, because the configuration is stored in multiple places: a 1 MB database is placed at the end of each physical hard disk containing information about all dynamic disks in this particular system, so the same data exists in several copies.
  • Can be one of the following:
    • Simple volume:
      • Single disk
      • No fault tolerance
      • Can be NTFS or FAT
    • Spanned volume:
      • maximum of 32 disks
      • Cannot extend spanned volumes, need to delete and recreate
      • No fault tolerance
    • Mirror volume:
      • Also known as RAID 1
      • Windows XP Pro does not support mirror volumes
      • Can be NTFS or FAT
      • Fault tolerance, data is the same on both disks
      • To replace the failed mirror in a mirrored volume, right-click the failed mirror and then click Remove Mirror, and then right-click the other volume and click Add Mirror to create a new mirror on another disk
      • Variation of mirroring called duplexing uses HD connected to different controllers for even more fault tolerance
    • Striped volume:
      • Also known as RAID 0
      • Maximum of 32 disks
      • Breaks data into 64 KB chunks, written to the different disks that make up the stripe
      • It is recommended to use the same type of hard drive for all member drives
      • Windows XP cannot be installed on software RAID 0
      • You cannot extend striped volume, need to recreate it
      • No fault tolerance
    • RAID 5:
      • Made up of three or more disks, each of which stores part of the parity information
      • Fault tolerance when one disk fails
      • Maximum of 32 disks, minimum of 3
      • Not available in Windows XP professional
      • To replace the failed disk region in a RAID-5 volume, right-click the RAID-5 volume and then click Repair Volume
  • Dynamic disks can be used only in Windows XP Professional, Windows 2000 Professional and Windows 2003 Server (all editions)
  • Note: if the disk whose ARC path is in boot.ini fails, the system will not boot. You should keep a disk with a modified boot.ini
  • Mounted volumes - can mount HD as a NTFS folder
  • Uninstall disks prior to moving them; rescan disks after you attach them
  • Dynamic disks can be re-configured without re-boot
  • When your boot disk is also a dynamic disk, then you will not be able to dual boot into OS that is not dynamic disk capable
  • Dynamic disks are not supported on laptops due to their lack of advantage over basic disks in this scenario
  • Dynamic disk partition table types:
    • dynamic GUID partition table (GPT) disks, for 64bit editions of Windows
    • dynamic MBR disks, for 32 and 64bit editions of Windows
  • The Foreign status occurs when you move a dynamic disk to the local computer from another computer
  • You can have a maximum of 2000 volumes on a dynamic disk, recommended maximum is 32
  • Volumes created after the 26th drive letter has been used must be accessed using volume mount points
  • Hard drives that are connected to the PC using USB or IEEE 1394 cannot be converted to dynamic disks
  • Extending simple volume:
    • Similar to spanned volume but uses the same physical HD with simple volume
    • You can extend a simple volume only if it does not have a file system or if it is formatted using the NTFS file system. You also need free space on HD and the volume could not have been originally a basic disk partition.
    • You cannot extend volumes formatted using FAT or FAT32
    • You cannot extend a system volume, boot volume, striped volume, mirrored volume, or RAID-5 volume
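Added example (Python, not part of the guide): a byte-level model of the striped and RAID-5 volumes described in [8.8]. It writes data in fixed-size chunks across member disks, shows where the rotating parity chunk goes, and regenerates a failed disk by XOR of the survivors, which is what the "Regenerating" status in [8.9] corresponds to. The chunk size is a parameter (Windows uses 64 KB); the payload and the 100-byte chunks in the sample run are constructed.

```python
from functools import reduce
from operator import xor

# Added example (not from the guide): RAID 0 striping and RAID 5 parity on bytes.


def _xor_chunks(chunks):
    """XOR equal-length byte strings column by column."""
    return bytes(reduce(xor, col) for col in zip(*chunks))


def raid0_write(data, ndisks, chunk=64 * 1024):
    """RAID 0: chunks go round-robin to the member disks; no redundancy at all."""
    disks = [[] for _ in range(ndisks)]
    for i, off in enumerate(range(0, len(data), chunk)):
        disks[i % ndisks].append(data[off:off + chunk])
    return disks


def raid5_write(data, ndisks, chunk=64 * 1024):
    """RAID 5: each stripe holds ndisks-1 data chunks plus one parity chunk,
    and the parity position rotates so every disk stores some parity."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    per_stripe = ndisks - 1
    chunks = [data[off:off + chunk] for off in range(0, len(data), chunk)]
    disks = [[] for _ in range(ndisks)]
    for s in range(0, len(chunks), per_stripe):
        members = chunks[s:s + per_stripe]
        members += [b""] * (per_stripe - len(members))      # short last stripe
        members = [m.ljust(chunk, b"\0") for m in members]  # pad so XOR lines up
        parity_disk = (s // per_stripe) % ndisks
        it = iter(members)
        for d in range(ndisks):
            disks[d].append(_xor_chunks(members) if d == parity_disk else next(it))
    return disks


def raid5_read(disks, length):
    """Reassemble the data by skipping the parity chunk of each stripe."""
    ndisks = len(disks)
    out = bytearray()
    for t in range(len(disks[0])):
        parity_disk = t % ndisks
        for d in range(ndisks):
            if d != parity_disk:
                out += disks[d][t]
    return bytes(out[:length])


def raid5_rebuild(disks, failed):
    """Regenerate a failed disk: each of its chunks is the XOR of the same
    stripe's chunks on the surviving disks (works for parity and data chunks
    alike).  Two simultaneous failures cannot be repaired this way."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [_xor_chunks([s[t] for s in survivors]) for t in range(len(survivors[0]))]


if __name__ == "__main__":
    # Constructed payload, 100-byte chunks instead of 64 KB so the output is small
    payload = bytes(range(256)) * 10
    array = raid5_write(payload, ndisks=4, chunk=100)
    lost = array[2]
    array[2] = None                       # disk 2 fails
    array[2] = raid5_rebuild(array, 2)    # regenerate from the other three
    print("rebuilt disk matches:", array[2] == lost)
    print("data intact:", raid5_read(array, len(payload)) == payload)
```

The striped array has no repair routine because there is nothing to repair from: losing one member loses the whole volume.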
[8.9] Volume status descriptions
  • Failed - basic or dynamic volume cannot be started automatically or the disk is damaged
  • Failed Redundancy - data on a mirrored or RAID-5 volume is no longer fault tolerant because one of the underlying disks is not online, has substatus information
  • Formatting - occurs only while a volume is being formatted with a file system
  • Healthy - normal volume status on both basic and dynamic volumes, no known problems, has substatus information
  • Regenerating - occurs when a missing disk in a RAID-5 volume is reactivated
  • Resynching - occurs when creating a mirror or restarting a computer with a mirrored volume
  • Unknown - occurs when the boot sector for the volume is corrupted
  • Data Incomplete - displayed in the Foreign Disk Volumes dialog box, and occurs when data spans multiple disks, but not all of the disks were moved.
  • Data Not Redundant - displayed in the Foreign Disk Volumes dialog box when you import all but one of the disks in a mirrored or RAID-5 volume
  • Stale Data - displayed in the Foreign Disk Volumes dialog box, and occurs when a mirrored or RAID-5 volume has stale mirror information, stale parity information, or I/O errors
[8.10] Converting to dynamic disk and back to basic disk
  • If you convert a boot disk, or if a volume or partition is in use on the disk you attempt to convert, you must restart the computer for the conversion to succeed.
  • The conversion may fail if you change the disk layout of a disk to be converted or if the disk has I/O errors during the conversion.
  • After you convert a basic disk into a dynamic disk, any existing partitions on the basic disk become (dynamic) simple volumes.
  • If you are using shadow copies and they are stored on a different disk than the original, you must first dismount and take offline the volume containing the original files before you convert the disk containing the shadow copies to a dynamic disk.
  • If you are converting disks from dynamic to basic, the disk being converted must not have any volumes on it nor contain any data before you can change it back to a basic disk. If you want to keep your data, back it up before you convert the disk to a basic disk.
[8.11] Disk quotas
  • Disk quota applies to everyone using the volume except administrators
  • Remember that every user needs a few MB (minimum 2) for storage of the profile, which is needed for logging in
  • Quota entry can be created per user but not per group, only volumes and users have quota entries
  • Quota limit is calculated using the uncompressed file size, thus compressing files will not create more space
  • The default quota entry is for all users of given volume. You can add additional quota entries on per user basis only.
  • Once again, quota entries are per user per volume, no groups are allowed.
  • Remember that once a user uses a volume with a quota set on it, an entry for that user is added automatically. Thus, if you had a general entry for all users and later some users run out of space and need more, you modify their existing quota entries rather than add new ones.
  • Disk quota is only applied to the files that are being added after the quota entry got created, it doesn't apply to files that were already there
  • Each file can contain up to 64 KB of metadata that is not counted towards the user's quota limit
  • Fsutil is used to manage quota from command line
  • To free some space run disk cleanup, from command prompt: cleanmgr.exe (note it doesn't clear internet temporary files)
[8.12] Defragmenting
  • You will need at least 15% of free HD space in order to defragment
  • You may need to repeat the process several times in order to achieve planned results
  • Defragmenting should be done on every volume every 1 to 2 months
  • You cannot schedule defragmenting task (unless you use custom scripts)
  • Windows defragmenter works with FAT16, FAT32 and NTFS
  • On modern computer systems that use NTFS and don't use the file system extensively (desktops), the benefits of defragmenting a hard drive are measurable but not noticeable to the end user. Thus defragmenting is a significant performance tool only for file servers.
[8.13] Encryption:
  • Only users who created the files, users whom owner gave access to view the file (new in Windows XP, additional users need to already be issued certificates) and recovery agents can decrypt the file
  • When moving an encrypted file from one volume to another volume, it stays encrypted. When copying the file it also stays encrypted. This behaviour is unique to encryption!
  • Note that user which has NTFS permissions to an encrypted file can delete that file, even if he/she cannot view that file. They can also move the file around on the same NTFS volume (different volume would mean a copy operation and possible decryption).
  • Cannot encrypt and compress at the same time (due to encryption process using pseudo random salt which cannot be further compressed due to its nature)
  • You can zip 1st using winzip or other 3rd party compression tool, then encrypt to get encrypted and compressed file
  • Executable file cipher.exe is a command line encryption utility
  • By default, the recovery agent is the Administrator account on the 1st DC, there is no default for stand alone server/workstation
  • For encryption property, moving/copying a file to a FAT system decrypts file without warning
  • It is recommended to store the recovery agent certificate on a floppy disk in a secured location. It is also recommended to copy the file to be recovered to the recovery agent's PC, where it will be recovered.
  • User needs correct certificate to perform action on a file that would result in that file being decrypted
[8.14] How EFS (encrypted file system) works
  • When the user chooses to encrypt a file, a file encryption key is generated
  • This encryption key, together with encryption algorithm is used to encrypt the contents of the file
  • The file encryption key is encrypted itself using user's public key and stored together with the encrypted file. The file encryption key is also protected by the public key of each additional EFS user that has been authorized to decrypt the file and each recovery agent.
  • File can only be decrypted by using user's private key, by using private key of users given permission to view the file and private key of recovery agent
  • Private/public pair is created using user's certificate
  • On stand alone machines user's certificate is created the 1st time he or she tries to encrypt a file
  • For domain user certificate is issued by the certification authority - user needs permission to get a certificate
  • Files marked with the System attribute cannot be encrypted, nor can files in the systemroot directory structure.
  • Before users can encrypt or decrypt files and folders that reside on a remote server, an administrator must designate the remote server as trusted for delegation.
  • If you open the encrypted file over the network, the data that is transmitted over the network by this process is not encrypted.
  • Users can use EFS remotely only when both computers are members of the same Windows Server 2003 family forest
  • Encrypted files are not accessible from Macintosh clients
  • Encrypting File System (EFS) no longer requires a recovery agent
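Added example (Python, not part of the guide): a model of the EFS layout described in [8.14]: one file encryption key (FEK) encrypts the content, and the FEK is then wrapped once per authorized user (the DDF entries) and once per recovery agent (the DRF entries). The ciphers here are a toy SHA-256 keystream standing in for EFS's real symmetric file cipher and its RSA key wrapping, so this shows the structure and the access logic, not real cryptographic strength. The principals and their keys are constructed.

```python
import hashlib
import os

# Added example (not from the guide): EFS data layout with a toy cipher standing
# in for the real symmetric file encryption and RSA key wrapping.


def toy_xor(key, label, data):
    """Toy stream cipher: XOR data with SHA-256(key || label || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class EfsFile:
    """Ciphertext plus the FEK wrapped once per authorized principal."""
    def __init__(self, ciphertext, fek_check):
        self.ciphertext = ciphertext
        self.fek_check = fek_check   # hash of the FEK, to detect a wrong key
        self.ddf = {}                # Data Decryption Field: user -> wrapped FEK
        self.drf = {}                # Data Recovery Field: agent -> wrapped FEK


def efs_encrypt(plaintext, owner, owner_key, recovery_agents):
    """Generate a fresh FEK, encrypt the content once, then wrap the FEK for
    the owner (DDF) and for every recovery agent (DRF)."""
    fek = os.urandom(32)
    ef = EfsFile(toy_xor(fek, b"file", plaintext), hashlib.sha256(fek).digest())
    ef.ddf[owner] = toy_xor(owner_key, b"wrap", fek)
    for agent, agent_key in recovery_agents.items():
        ef.drf[agent] = toy_xor(agent_key, b"wrap", fek)
    return ef


def efs_unwrap_fek(ef, principal, key):
    """Recover the FEK with the principal's (private) key, from the DDF or DRF."""
    wrapped = ef.ddf.get(principal, ef.drf.get(principal))
    if wrapped is None:
        raise PermissionError("%s has no DDF/DRF entry on this file" % principal)
    fek = toy_xor(key, b"wrap", wrapped)
    if hashlib.sha256(fek).digest() != ef.fek_check:
        raise PermissionError("wrong key for %s" % principal)
    return fek


def efs_decrypt(ef, principal, key):
    """Decrypt the content for anyone who can unwrap the FEK."""
    return toy_xor(efs_unwrap_fek(ef, principal, key), b"file", ef.ciphertext)


def efs_add_user(ef, granting_user, granting_key, new_user, new_user_cert_key):
    """Sharing an encrypted file: unwrap the FEK with the granting user's key and
    wrap it again for the new user.  The content is not re-encrypted, and the
    new user must already hold a certificate (here: a key) to wrap the FEK to."""
    fek = efs_unwrap_fek(ef, granting_user, granting_key)
    ef.ddf[new_user] = toy_xor(new_user_cert_key, b"wrap", fek)


def efs_remove_user(ef, user):
    """Revoking access only deletes that user's DDF entry."""
    ef.ddf.pop(user, None)


if __name__ == "__main__":
    # Constructed keys standing in for the principals' private keys
    keys = {"alice": b"alice-private-key", "bob": b"bob-private-key",
            "Administrator": b"recovery-agent-private-key"}
    ef = efs_encrypt(b"payroll figures", "alice", keys["alice"],
                     {"Administrator": keys["Administrator"]})
    print(efs_decrypt(ef, "alice", keys["alice"]))                    # owner
    print(efs_decrypt(ef, "Administrator", keys["Administrator"]))    # recovery agent
    efs_add_user(ef, "alice", keys["alice"], "bob", keys["bob"])
    print(efs_decrypt(ef, "bob", keys["bob"]))                        # newly authorized
```

Two points the structure makes visible: adding or removing a user never touches the ciphertext, only the small wrapped-FEK entries, and a recovery agent's entry is what makes recovery possible without the owner's key, which is why [8.13] says to keep that certificate offline.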
[8.15] Compression (NTFS)
  • When you compress a whole folder:
    • All files are compressed automatically when added but not current folder occupants
    • OR
    • Compression can also be applied to current files and subfolders
  • Decompression is a reverse process of compression
  • Moving a file on the same volume means that the file location is moved in MFT only, not the physical file itself.
  • When you copy a file, no matter whether it is on the same volume or not, the destination file inherits the destination folder's permissions
  • When you move a file on the same volume, it keeps its original permissions. When you move a file to another volume, the move is treated as a copy operation and the file permissions are inherited from the destination folder.
  • All file attributes behave in the same way with the exception of encryption
  • File compression is supported only on NTFS volumes with cluster sizes 4 KB and smaller
  • For command line use compact.exe, it can display and modify compression attributes but it works only on NTFS

Part 9: Accessing files and folders

[9.1] General folder options
  • General folder options:
    • Windows classic or web content in the folders
    • Whether folders are all opened in the same window or in separate windows
    • Opening with single or double mouse click
  • Folder view options:
    • Configure things that you see once you open files and folders
    • There are too many options to list
  • File type options are used to associate file extensions with application file types
[9.2] Offline folder options
  • Offline folder options, you can store network files offline
  • On the client side:
    • The first step is to enable offline file support (enabled by default) on the client under Folder Options -> Offline Files; this is available only on Windows XP and above
    • In the folder options for offline files you can set:
      • You can set synchronization options: manually synchronize, automatic synchronization (log on or log off) and reminder at certain time intervals
      • You can also set an option for how much disk space will be used for temporary network files and whether these will be encrypted
    • When offline files are enabled, connect to a shared folder, right-click it and select 'Make available offline'; this will bring up a settings dialog box and start synchronization
    • When the folder is set up as available offline, right-clicking on it will give you an option to synchronize
    • Folders that are synchronized appear with a small blue arrow pointing down in the lower left corner of the folder icon
  • On the server side:
    • SMB is used for communication between networked computers; for offline files any PC serving SMB will do as the server
    • You can disable and enable (default) client's ability to use offline content by changing the options in Share properties -> Caching on the server computer
[9.3] ACL - access control list
  • Every object in AD (and on a stand alone PC) has ACL
  • ACE - access control entries
  • ACL is a list of ACEs. Each ACE has a deny or allow action and an associated SID (security identifier).
  • The process of checking user access is performed in this way:
    • The user's SID is checked against the ACEs in the ACL of the resource the user wants to access
    • The SIDs of the groups that the user belongs to are also checked against the ACEs in the ACL
    • If there is no matching entry, then access is denied
    • Access is allowed if a SID matches an ACE in the ACL and the associated ACE action is allow
    • Windows resolves each SID and presents a name in the ACE
    • A Deny right takes precedence over an Allow right in the group and user security context. This is true even for Administrator and the object owner.
[9.4] General NTFS permissions for files
  • Read
    • List files attributes
    • Read data in the file
    • Read permissions
  • Write
    • Change file attributes
    • Create new files and write data to files
    • Append data to files
  • Read and execute = 'Read' + execute file permission
  • Modify = 'Read and Execute' + 'Write' + delete permission
  • Full control = all of above permissions + 'Change Permissions' permission + 'Take Ownership' permission
[9.5] General NTFS permissions for folders
  • Read
    • List folder attributes
    • List folder
    • Read permissions
  • Write
    • Change folder attributes
    • Create folders
  • Read and execute
  • Modify = 'Read and Execute' + 'Write' + delete permission
  • List folder contents (only permission for a folder)
    • Traverse folders
    • List the contents of a folder
    • See folder's or file attribute
  • Full control = all of above permissions + 'Change Permissions' permission + 'Take Ownership' permission
[9.6] Share permissions
  • Only applicable for folders, no share permissions for files
  • Read = read file data, file names and subfolder names + execute (default assigned to everyone group)
  • Change = read permission + delete files and subfolders + write
  • Full control = all of above permissions + change of share permissions right only
  • Share permissions do not apply to users that are logged into the OS interactively (i.e. locally)
  • NTFS permissions always apply, even for a share, i.e. a user needs both read permissions in order to access a file over the network
  • Use NTFS permissions to tighten security
  • To add a share from the command prompt: net share sharename=drive:path
  • To delete a share from the command prompt: net share sharename /delete
  • To connect to a share from command prompt use: net use \\computer_name\share_name
  • When a share name ends in $ it is hidden and cannot be browsed to, full name needs to be typed in
  • Share permissions are not included in a backup or restore of a data volume
  • Share permissions do not replicate through the File Replication service
  • When both NTFS and share permissions are applied to a resource the system looks at the effective permissions for NTFS and share permissions and applies to the object the most restrictive set of cumulative permissions
  • By default, simple file sharing is enabled in Windows XP if you are not connected to a domain. Therefore, the Security tab and the advanced options for permissions are not available. In Windows XP Home Edition you have to use simple file sharing.
  • You cannot disable simple file sharing in Microsoft Windows XP Home Edition; in Windows XP Pro you use Folder Options to disable simple file sharing
[9.7] Explicit permissions and inherited permissions for files and folders
  • There are two types of permissions: explicit permissions and inherited permissions.
  • Explicit permissions are those that are set by default when the object is created, or set by user action.
  • Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.
  • Explicit permissions take precedence over inherited permissions, even inherited Deny permissions. This has nothing to do with user and group security context.
[9.8] Inherited permissions (file and folders)
  • All files and folders inherit their permissions from the parent folder by default
  • There are three ways to make changes to inherited permissions:
    • Make the changes to the parent folder, and then the file or folder will inherit these permissions. Remember this is not related to user and group security!
    • Select the opposite permission (Allow or Deny) to override the inherited permission.
    • Clear the 'Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here' check box. You can then make changes to the permissions or remove the user or group from the permissions list. However, the file or folder will no longer inherit permissions from the parent folder. You will be presented with a confirmation dialog that has these options:
      • You can 'copy' permission entries making all entries explicit (convert inherited entries into explicit)
      • Or you can remove all inherited permissions and keep only the current explicit permissions
  • You cannot change parent permissions inside a child object - they show as grayed out if inheritance is on.
  • If the object is inheriting conflicting settings from different parents then the setting inherited from the parent closest to the object in the subtree will have precedence.
  • Only inheritable permissions are inherited by child objects. When setting permissions on the parent object, you can decide whether folders or subfolders can inherit them with Apply onto.
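Added example (Python, not part of the guide): a model of the access check described in [9.3], [9.7] and [9.8], combined with the share rule from [9.6]. ACEs are walked in the canonical order Windows uses (explicit before inherited, closest parent first, deny before allow); a matching deny that covers a still-needed right ends the check, allows accumulate, and no matching entry at all means denied. The general permissions are built from the special rights as in [9.4], and network access additionally requires the share to grant every requested right. The SIDs, ACLs and share are constructed.

```python
from collections import namedtuple

# Added example (not from the guide): NTFS access check plus share permissions.

READ = frozenset({"read_data", "read_attributes", "read_ea", "read_permissions", "synchronize"})
WRITE = frozenset({"write_data", "append_data", "write_attributes", "write_ea", "synchronize"})
READ_EXECUTE = READ | {"execute"}
MODIFY = READ_EXECUTE | WRITE | {"delete"}
FULL_CONTROL = MODIFY | {"change_permissions", "take_ownership"}

# depth: 0 = explicit on the object, 1 = inherited from parent, 2 = grandparent, ...
ACE = namedtuple("ACE", "sid kind rights depth")


def canonical(acl):
    """Explicit before inherited, closest parent first, deny before allow."""
    return sorted(acl, key=lambda a: (a.depth, 0 if a.kind == "deny" else 1))


def ntfs_access_check(acl, principal_sids, requested):
    """Walk the ACL in canonical order.  A matching deny covering any still-needed
    right ends the check with 'denied'; allows accumulate until nothing is left.
    No matching entry at all means denied."""
    remaining = set(requested)
    for ace in canonical(acl):
        if ace.sid not in principal_sids:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
        if not remaining:
            return True
    return False


SHARE_LEVELS = {"Read": READ_EXECUTE,
                "Change": READ_EXECUTE | WRITE | {"delete"},
                "Full Control": FULL_CONTROL}


def share_rights(share_acl, principal_sids):
    """Share permissions are cumulative allows minus any denies for the principal."""
    allowed, denied = set(), set()
    for ace in share_acl:
        if ace.sid in principal_sids:
            (denied if ace.kind == "deny" else allowed).update(ace.rights)
    return allowed - denied


def effective_access(ntfs_acl, share_acl, principal_sids, requested, via_network):
    """Locally only NTFS counts; over the network the share must also grant
    every requested right, so the most restrictive of the two wins."""
    if not ntfs_access_check(ntfs_acl, principal_sids, requested):
        return False
    if via_network and not set(requested) <= share_rights(share_acl, principal_sids):
        return False
    return True


# Constructed principals: a user, a group the user belongs to, and Everyone
USER, STAFF, EVERYONE = "S-1-5-21-1-1001", "S-1-5-21-1-2001", "S-1-1-0"
user_sids = {USER, STAFF, EVERYONE}

# Inherited deny for Staff on write next to an explicit allow Modify for the user:
# the explicit allow wins (9.7)
file_acl = [ACE(STAFF, "deny", WRITE, 1), ACE(USER, "allow", MODIFY, 0)]
# Explicit deny for Staff on delete next to explicit Full Control for the user:
# same depth, so deny wins (9.3)
file_acl_2 = [ACE(USER, "allow", FULL_CONTROL, 0), ACE(STAFF, "deny", {"delete"}, 0)]
# The share grants Everyone Read only (the default since SP1, see 9.11)
share_acl = [ACE(EVERYONE, "allow", SHARE_LEVELS["Read"], 0)]

if __name__ == "__main__":
    print(ntfs_access_check(file_acl, user_sids, {"write_data"}))      # True
    print(ntfs_access_check(file_acl_2, user_sids, {"delete"}))        # False
    print(effective_access(file_acl, share_acl, user_sids, {"write_data"}, True))   # False
    print(effective_access(file_acl, share_acl, user_sids, {"write_data"}, False))  # True
```

The last two calls show the same user, same file and same request succeeding locally but failing over the network, which is the [9.6] rule that share permissions only narrow what NTFS already allows.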
[9.9] Special shares
  • drive letter$ - shared resource that enables administrators to connect to the root directory of a drive
  • ADMIN$ - resource that is used during remote administration of a computer. The path of this resource is always the path to the system root (ex. c:\windows)
  • IPC$ - resource that shares the named pipes that are essential for communication between programs. You use IPC$ during remote administration of a computer and when you view a computer's shared resources. You cannot delete this resource.
  • NETLOGON - required resource that is used on domain controllers
  • SYSVOL - required resource that is used on domain controllers
  • PRINT$ - resource that is used during remote administration of printers
  • FAX$ - shared folder on a server that is used by fax clients in the process of sending a fax
  • You cannot browse to $ shares (cannot see them in Explorer)
[9.10] Moving and copying of files
  • Moving a file on the same volume means that the file location is moved in MFT only, not the physical file itself.
  • When you copy a file, no matter whether it is on the same volume or not, the destination file inherits the destination folder's permissions (destination folder and file permissions will be the same)
  • When you move a file on the same volume, it keeps all of its original permissions, both explicit and those inherited from the original folder. Assign the following names: call the file F, the new folder A and the original folder B. When you move F from B to A and then make some permission changes on folder A, they will be inherited by the file F (unless inheritance is blocked on F), and the old inherited permissions (the ones from folder B) will be removed. However, the file F will keep all explicit permissions, which is different from a copy operation, where explicit permissions are removed after the copy.
  • When you move a file to another volume, the move is treated as a copy operation. The file permissions are inherited from the destination folder in the same way regular copy operation permission are inherited.
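Added example (Python, not part of the guide): a small model of the copy and move rules in [9.10] together with the attribute rules from [8.13] and [8.15]. A same-volume move keeps explicit ACEs and the compression attribute and re-inherits from the new parent; a copy or cross-volume move starts fresh from the destination folder; the encryption attribute survives every operation except landing on FAT. The folders, volumes and ACEs are constructed.

```python
# Added example (not from the guide): permission and attribute behaviour on copy/move.


class Folder:
    def __init__(self, volume, fs, inheritable_aces, compressed=False):
        self.volume, self.fs = volume, fs
        self.inheritable_aces = list(inheritable_aces)  # ACEs children inherit
        self.compressed = compressed


class File:
    def __init__(self, parent, explicit_aces=(), encrypted=False, compressed=None):
        self.volume = parent.volume
        self.explicit_aces = list(explicit_aces)
        self.inherited_aces = list(parent.inheritable_aces)
        self.encrypted = encrypted
        # a new file takes the parent's compression state unless told otherwise
        self.compressed = parent.compressed if compressed is None else compressed

    def permissions(self):
        """Explicit entries first, then the ones inherited from the parent."""
        return self.explicit_aces + self.inherited_aces


def copy_file(src, dest):
    """Copy: a new file that inherits everything from the destination folder;
    explicit ACEs and the compression state are not carried over.  Encryption
    survives unless the destination is FAT, where it is silently dropped."""
    new = File(dest)
    new.encrypted = src.encrypted and dest.fs == "NTFS"
    return new


def move_file(src, dest):
    """Move on the same volume: only the MFT entry changes, so explicit ACEs and
    compression stay and inherited ACEs now come from the new parent.  Move to
    another volume: treated as a copy followed by deletion of the original."""
    if src.volume != dest.volume:
        return copy_file(src, dest)
    return File(dest, explicit_aces=src.explicit_aces,
                encrypted=src.encrypted, compressed=src.compressed)


if __name__ == "__main__":
    # Constructed folders: B and A on C:, D on a second NTFS volume, a FAT32 USB stick
    folder_b = Folder("C:", "NTFS", [("Staff", "allow", "Read")])
    folder_a = Folder("C:", "NTFS", [("Managers", "allow", "Modify")], compressed=True)
    folder_d = Folder("D:", "NTFS", [("Everyone", "allow", "Read")])
    usb = Folder("E:", "FAT32", [])
    f = File(folder_b, explicit_aces=[("alice", "deny", "Delete")], encrypted=True)
    print(move_file(f, folder_a).permissions())   # explicit kept, now inherits from A
    print(move_file(f, folder_d).permissions())   # explicit gone, inherits from D
    print(copy_file(f, usb).encrypted)            # False: FAT cannot hold EFS data
```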
[9.11] Other points
  • Groups or users granted Full Control on a folder can delete any files in that folder regardless of the permissions protecting the file
  • Every general permission has 'Synchronize' permission
  • Read attributes permission includes 'Read Extended Attributes' permission
  • Everyone group is no longer granted full control by default to shares, only read access (as of service pack 1, original had full access)
  • The Anonymous Logon security group has been removed from the Everyone security group
  • Windows XP and 2000 need installation of client software, twcli32.msi to take advantage of Volume Shadow Service (VSS) that is run on Windows Server 2003 computer

Part 10: Managing network connections

[10.1] Installing a network adapter
  • Make sure you install the latest driver
  • If you have a combo network card (that has two network connectors) make sure you configure speed and cable type
  • 70 to 80 percent of network problems are due to faulty cabling
[10.2] Configuring TCP/IP
  • TCP/IP (transmission control protocol/internet protocol) developed in 1970's
    • Installed by default on Windows XP, most common protocol supported by almost all OSs
    • TCP/IP is scalable, it is a routed protocol
    • TCP/IP is a fault tolerant protocol that will dynamically reroute packets if a network link is down and alternate links exist
    • Companion services such as DNS and DHCP exist
    • This is the most popular protocol and is the basis of the internet
  • IP address uniquely identifies computers on the network, it has 32 bits in it
  • The loopback IP address is 127.0.0.1, this is your localhost address. The first address in your network is for the network itself, the last address is for the network broadcast.
  • IP class assignments
    • Class A 1-126.x.x.x, hosts supported 16777214, with mask 255.0.0.0
    • Class B 128-191.x.x.x, hosts supported 65534, with mask 255.255.0.0
    • Class C 192-223.x.x.x, hosts supported 254, with mask 255.255.255.0
  • Subnet mask is used to specify which part of the IP address is the network address and which part of the address is the host part
  • Default gateway is the location where packets are sent which are not destined for your network (you need routers). Metrics are used to calculate optimal paths to gateways.
  • Router is a device that connects two or more network segments together
  • Ipconfig is used to show PCs IP configuration
  • Ping is used to send ICMP echo request packets
  • Nbtstat is used to display NetBIOS over TCP/IP connection statistics, also known as NBT
  • Alternate configuration: you can specify what happens when there is no DHCP server on the network
    • Automatic Private IP Addressing (APIPA) - assigns PC address from the range 169.241.0.1 to 169.254.255.254, in use since Windows 98
    • Manual configuration of alternative settings
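Added example (Python, not part of the guide): the classful lookup and subnet arithmetic behind [10.2], using the standard library ipaddress module. It derives the class from the first octet, computes the network address (first address), broadcast (last address) and usable host count for an address and mask, and applies the default-gateway rule: a destination on the same subnet is sent directly, anything else goes to the gateway. All addresses in the sample calls are constructed.

```python
import ipaddress

# Added example (not from the guide): IP classes, subnet boundaries and the gateway decision.

CLASS_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def ip_class(ip):
    """Class from the first octet (127 is the loopback range, not a class)."""
    first = int(ip.split(".")[0])
    if first == 127:
        return "loopback"
    for name, top in (("A", 126), ("B", 191), ("C", 223), ("D", 239)):
        if first <= top:
            return name
    return "E"


def subnet_info(ip, mask=None):
    """Network address, broadcast, usable host range and host count for ip/mask
    (default mask: the classful one for the address)."""
    mask = mask or CLASS_MASKS[ip_class(ip)]
    net = ipaddress.IPv4Network("%s/%s" % (ip, mask), strict=False)
    # first address is the network, last is the broadcast; neither is a host
    hosts = net.num_addresses - 2 if net.prefixlen <= 30 else 0
    return {
        "class": ip_class(ip),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": hosts,
        "prefix": net.prefixlen,
    }


def next_hop(src_ip, mask, gateway, dst_ip):
    """Where a packet from src_ip goes: straight to dst_ip if it is on the same
    subnet, otherwise to the default gateway (a router)."""
    src_net = ipaddress.IPv4Network("%s/%s" % (src_ip, mask), strict=False)
    if ipaddress.IPv4Address(dst_ip) in src_net:
        return dst_ip
    return gateway


if __name__ == "__main__":
    # Constructed addresses
    for ip, mask in (("10.20.30.40", None), ("172.16.5.5", None),
                     ("192.168.1.77", "255.255.255.0"), ("192.168.1.77", "255.255.255.192")):
        print(ip, mask, subnet_info(ip, mask))
    print(next_hop("192.168.1.10", "255.255.255.0", "192.168.1.1", "192.168.1.20"))
    print(next_hop("192.168.1.10", "255.255.255.0", "192.168.1.1", "10.0.0.5"))
```

The classful host counts come out as the 16777214 / 65534 / 254 figures listed above; the fourth sample run shows why a non-default mask changes the broadcast address and the host count even though the address itself did not change.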
[10.3] DHCP
  • DHCP server is used for automatic IP assignment to hosts, here is the whole process:
    • Client seeking an IP address broadcasts a DHCPDISCOVER message on the network
    • Any DHCP server that receives the message and has available IP addresses sends a DHCPOFFER for a period of time called lease
    • Client selects one of the offers and broadcasts a DHCPREQUEST indicating its selection
    • DHCP server sends DHCPACK message to the client with possible configuration information like DNS server IPs
  • DHCP server must be authorized in AD if part of a domain
  • If there is no DHCP server on your network segment you can use DHCP server on another network segment, provided that the other DHCP server is configured to give out addresses to PC on other segments and the router that joins segments acts as a DHCP relay agent
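Added example (Python, not part of the guide): the four-message exchange from [10.3] run against two servers on the same segment. Both DISCOVER and REQUEST are modelled as broadcasts, so every server answers the first and every server sees the client's choice in the second; the server that was not chosen releases the address it had set aside, and the chosen one hands out the lease and its options (here a DNS server list) in the ACK. Server names, address pools, lease times and MAC addresses are constructed.

```python
# Added example (not from the guide): DHCPDISCOVER / OFFER / REQUEST / ACK with two servers.


class DhcpServer:
    def __init__(self, name, pool, lease_seconds, options):
        self.name = name
        self.free = list(pool)       # addresses not yet offered or leased
        self.offers = {}             # client MAC -> address offered
        self.leases = {}             # client MAC -> (address, lease_seconds)
        self.lease_seconds = lease_seconds
        self.options = options       # e.g. DNS servers, handed out in DHCPACK

    def on_discover(self, mac):
        """DHCPDISCOVER is a broadcast: every server with a free address answers."""
        if mac in self.leases:                 # returning client keeps its address
            ip = self.leases[mac][0]
        elif self.free:
            ip = self.free.pop(0)
        else:
            return None
        self.offers[mac] = ip
        return {"type": "DHCPOFFER", "server": self.name, "yiaddr": ip,
                "lease": self.lease_seconds}

    def on_request(self, mac, server_id, requested_ip):
        """DHCPREQUEST is also broadcast, so the servers that were not chosen see
        it and release the address they had set aside."""
        offered = self.offers.pop(mac, None)
        if server_id != self.name:
            if offered is not None and mac not in self.leases:
                self.free.insert(0, offered)
            return None
        if offered != requested_ip:
            return {"type": "DHCPNAK", "server": self.name}
        self.leases[mac] = (offered, self.lease_seconds)
        return {"type": "DHCPACK", "server": self.name, "yiaddr": offered,
                "lease": self.lease_seconds, "options": self.options}


def dhcp_lease(mac, servers, choose=lambda offers: offers[0]):
    """Run the exchange for one client.  Returns the DHCPACK (or None when no
    server had an address) and a transcript of the messages seen on the segment."""
    transcript = [("client", {"type": "DHCPDISCOVER", "chaddr": mac})]
    offers = []
    for s in servers:
        o = s.on_discover(mac)
        if o:
            offers.append(o)
            transcript.append((s.name, o))
    if not offers:
        return None, transcript
    chosen = choose(offers)
    request = {"type": "DHCPREQUEST", "chaddr": mac,
               "server_id": chosen["server"], "requested_ip": chosen["yiaddr"]}
    transcript.append(("client", request))
    ack = None
    for s in servers:
        r = s.on_request(mac, chosen["server"], chosen["yiaddr"])
        if r:
            transcript.append((s.name, r))
            if r["type"] == "DHCPACK":
                ack = r
    return ack, transcript


if __name__ == "__main__":
    # Constructed servers and client
    a = DhcpServer("dhcp-a", ["10.0.0.10", "10.0.0.11"], 28800, {"dns": ["10.0.0.2"]})
    b = DhcpServer("dhcp-b", ["10.0.0.50"], 3600, {"dns": ["10.0.0.3"]})
    ack, log = dhcp_lease("00:11:22:33:44:55", [a, b])
    for sender, msg in log:
        print(sender, msg)
    print("unchosen server's pool restored:", b.free)
```

A relay agent, as mentioned above for clients on another segment, would sit between the client and the server list here and forward both broadcasts as unicasts; the message sequence itself does not change.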
[10.4] DNS
  • DNS servers are used for name to IP and IP to name (reverse DNS) address resolution
  • HOSTS file is used to resolve nicknames or domain names entries, located in systemroot\System32\Drivers\Etc
  • DNS settings:
    • DNS server addresses, in order of use - which DNS server will be used first to resolve a query
    • Append primary and connection-specific DNS suffixes - specifies how unqualified domain names are resolved by DNS, for example if primary suffix is microsoft.com and you enter blah, DNS will try blah.microsoft.com
    • Append parent suffixes of the primary DNS suffix - whether name resolution includes the parent suffixes of the primary DNS suffix, up to the second level of the domain name, for example given primary suffix win.ms.com and you enter blah, DNS will first try blah.win.ms.com then blah.ms.com
    • Append these DNS suffixes - additional suffixes that will be used to resolve unqualified name
    • DNS suffix for this connection - DNS suffix for the PC, can override data supplied by DNS server
    • Register this connection's address in DNS - dynamic registration using PC name
    • Use this connection's DNS suffix in DNS registration
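Added example (Python, not part of the guide): the list of fully qualified names a client tries for an unqualified name under the suffix settings listed above. It reproduces the win.ms.com example (blah.win.ms.com, then blah.ms.com by devolution down to the second level), appends the connection-specific suffix, lets an explicit "Append these DNS suffixes" list replace the primary and connection-specific suffixes, and leaves a name with a trailing dot alone. The suffixes in the sample calls are constructed.

```python
# Added example (not from the guide): DNS suffix search order for unqualified names.


def dns_query_candidates(name, primary_suffix="", connection_suffix="",
                         search_list=(), devolve=True, devolution_level=2):
    """Return, in order, the fully qualified names the resolver will query."""
    name = name.strip()
    if name.endswith("."):
        return [name.rstrip(".")]            # already fully qualified: queried as-is
    candidates = []
    if "." in name:
        candidates.append(name)              # a dotted name is tried as a FQDN first
    if search_list:
        # "Append these DNS suffixes": an explicit list replaces the primary and
        # connection-specific suffixes, and no devolution is done
        suffixes = list(search_list)
    else:
        suffixes = []
        if primary_suffix:
            suffixes.append(primary_suffix)
            if devolve:
                # "Append parent suffixes": strip one label at a time down to
                # the second-level domain, e.g. win.ms.com -> ms.com
                labels = primary_suffix.split(".")
                while len(labels) > devolution_level:
                    labels = labels[1:]
                    suffixes.append(".".join(labels))
        if connection_suffix:
            suffixes.append(connection_suffix)
    for suffix in suffixes:
        fqdn = "%s.%s" % (name, suffix)
        if fqdn not in candidates:
            candidates.append(fqdn)
    return candidates


if __name__ == "__main__":
    # Constructed suffix settings
    print(dns_query_candidates("blah", primary_suffix="win.ms.com"))
    print(dns_query_candidates("blah", primary_suffix="win.ms.com",
                               connection_suffix="lab.ms.com"))
    print(dns_query_candidates("blah", primary_suffix="win.ms.com",
                               search_list=("corp.example", "lab.example")))
    print(dns_query_candidates("www.ms.com.", primary_suffix="win.ms.com"))
```

The order matters for troubleshooting: a single-label name that resolves to the wrong host is usually being completed by an earlier suffix in this list than the one the user had in mind.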
[10.5] WINS
  • NetBIOS (Network Basic Input/Output System) name resolution to an IP address can be done in 3 ways
    • WINS servers are used for NetBIOS name to IP address resolution, this server is for backward compatibility with NT4
    • Through broadcast (same network segment)
    • LMHOSTS file is a static mapping of IP addresses to NetBIOS computer names, it is located in the %systemroot%\System32\Drivers\Etc folder
  • WINS settings:
    • WINS addresses, in order of use
    • Enable LMHOSTS lookup
    • Enable/Disable NetBIOS over TCP/IP
    • Use NetBIOS settings from the DHCP server
  • NetBEUI - NetBIOS Enhanced User Interface
  • AppleTalk - is not supported by Windows XP (was supported before)
[10.6] TCP/IP filtering
  • Through filtering you can specify for your PC:
    • Which TCP ports are permitted
    • Which UDP ports are permitted
    • Which protocols are permitted
  • This is set for all adapters at once and is separate from firewall
  • It is set up from Network connections -> connection -> TCP/IP properties -> advanced button -> options tab
[10.7] Configuring NWLink IPX/SPX/NetBIOS
  • NWLink IPX/SPX/NetBIOS is Microsoft implementation of Novell IPX/SPX (Internetwork Packet Exchange/Sequenced Packet Exchange)
  • This is just a transport protocol that is routable, if you want to access Novell servers you need to install client software
  • Internal network number - used to identify file servers, normally leave as is
  • Frame type - specifies how the data is packaged for transmission
[10.8] Network access authentication
  • Network access control using IEEE 802.1X - you choose a method, password/certificate/smart card
  • Authenticate as computer when computer information is available
  • Authenticate as guest when user or computer information is unavailable
  • Part of connection properties
[10.9] Advanced options
  • Bindings are used to attach protocols to a network adapter. You can improve performance by binding common protocols higher in binding order

Part 11: Managing printing

[11.1] Printing related definitions
  • Printer - this is what we call the piece of software on your PC
  • Print device - this is the actual hardware printer
  • Print server - the PC to which a local printer is connected; any Windows PC can act as one. It is the computer that sends print jobs to the print device. For a network printer you also send jobs to the server.
  • Print spooler - also referred to as print queue this is a directory on print server where jobs are being stored prior to being printed
  • Print processor - also known as rendering, this is the process that determines whether a print job needs further processing once the job has been sent to the spooler
  • Printer pool - configuration that allows to use one printer for multiple print devices
  • Print driver - piece of software that understands your print device codes
  • Physical port - port through which a printer is directly connected to the computer, COM or LPT
  • Logical port - port through which a printer with a network card is attached to network, much faster than a physical port
  • Local printer - printer that uses a physical port and has not been shared
  • Network printer - printer that is available to local and network users, can use either physical or logical port
[11.2] Printer and print device configurations
  • 1 printer per 1 print device
  • 1 printer for many print devices (print pooling)
  • Many printers for 1 print device - used usually for print scheduling
[11.3] Windows print process
  • When user chooses to print the document, request is sent to Graphics Device Interface (GDI) which calls print driver
  • Print job is sent to a local print spooler which sends the job to the print server
  • The print spooler on the print server saves the job to disk
  • Print processor analyzes the print job to determine whether extra processing is needed; a separator page is added if needed
  • Job is passed to the print manager which directs job to the right port at the right time
  • Print device prints the job
[11.4] Printer information
  • You can use UNIX (LPR) protocol, for this you will need to add LPR port. LPR is included in "print services" for UNIX, which is installed as a separate component of Windows XP
  • You can also have print services for Macintosh and for Netware
  • Whenever you hear anything that deals with: LPR, LPD, LPQ think UNIX
  • You can set printer priority (1-99) as well as printer availability (which means when the printer will be available timewise) to different user groups as well as access to the print device itself to different user groups and individual users.
  • For example, to use different print priorities for two groups you need to set up two printers for the device, restrict their use and set a priority on each
  • If you want to know printer utilization track print queue object in system monitor
  • %systemdir%\system32\spool\printers\ is the default location of the spool folder. You should change it if your server serves many printers.
  • A port is defined as the interface that allows the PC to communicate with the print device
  • Print.exe - sends a text file to a printer
  • Net Print - displays information about a specified printer queue, displays information about a specified print job, or controls a specified print job
  • Bidirectional support - option on ports tab that allows printer to communicate with the computer, for example print errors
[11.5] Spooling
  • Spooling is the process of saving the jobs to disk in a queue before they are sent to the print device
  • You have the option of:
    • Start printing after the last page is spooled - small jobs that enter the queue after large jobs may print before large jobs finish spooling
    • Start printing immediately - strict order of entry into the queue determines who gets printed 1st
    • Print directly to the printer - good for troubleshooting the print device
  • You can change location of print spooler
[11.6] Print processor
  • There are 5 print processors in Windows XP
    • RAW - makes no change to the job
    • RAW (FF appended) - always adds form feed character
    • RAW (FF auto) - tries to determine whether a form feed character needs to be added
    • NT EMF - for use with other Windows XP clients, multiple versions
    • TEXT - interprets all data as plain text
[11.7] Printer Pooling
  • One printer, multiple print devices
  • Think of it as load balancing for printers, used in larger enterprises
  • You need to use the same driver for all print devices that are members of the pool. Many newer print devices will work with an older driver, so use the newest driver that works for the oldest printer.
  • It is enabled with a check box found at the bottom of the ports tab
  • When one print device fails the print job gets redirected to another print device in the pool
[11.8] Redirecting print jobs
  • You can redirect print jobs provided both printers use the same driver
  • When a user has queued a document on a print device that failed BEFORE printing commenced, you can redirect printing to another printer
  • To redirect a print job, select the print device you want jobs redirected from
  • If the new printer is on this print server, just select the new port to which it is attached; otherwise:
  • Click on 'ports' tab
  • Click on 'add port', select local printer and click on 'new port'
  • Type in UNC share name of the printer you want the job redirected to, in format \\other_print_server\share_name
  • Check the check box next to the port you just created
[11.9] Separator pages
  • Separator pages are used in multi-user environments; sample files with the .sep extension are found in the %systemroot%\system32\ folder
  • Pcl.sep - used to send a separator page on printers supporting PCL (Printer Control Language), which is a common standard
  • Pscript.sep - doesn't send a separator page but switches the computer to PostScript printing mode
  • Sysprint.sep - used by PostScript printers to send separator pages
  • Sysprintj.sep - same as sysprint.sep but with support for Japanese characters
[11.10] Managing printers
  • To manage a printer, right-click it; you have the following options:
    • Set as Default Printer - jobs will by default be sent to this printer
    • Printing preferences - settings like page layout
    • Pause printer - jobs can still be submitted, but will not print
    • Use printer offline - pauses the printer and saves the print queue so documents in it are available even after PC reboot
    • Other options: Rename, Sharing, Delete
  • You can also manage documents with the following options: Pause, Restart, Resume, Cancel, Properties
[11.11] Sharing
  • When you share a printer it becomes a Network printer
  • If you don't share your printer it is a Local printer
  • You cannot share a Fax printer
  • You can specify print drivers for following systems:
    • Alpha Windows NT 4.0
    • IA64 Windows XP
    • Intel Windows 95/98/Me/NT 4.0/2000/XP
[11.12] Security
  • There are three print related permissions:
    • Print - users can send print jobs to a printer
    • Manage Printers - administration of the printer: pause/restart the printer, change spool settings, share/unshare the printer, change print permissions
    • Manage Documents - pause/restart/resume and delete queued documents; no control over the printer itself
    • Special permissions - used to customize the print options with allow or deny access with: Print, Manage Printers, Manage Documents, Read Permissions, Change Permissions and Take Ownership
  • Administrators and Power users can do all tasks
  • Creator Owner group can Manage Documents only
  • Everyone group can Print only
  • Advanced security settings:
    • Permissions - list all users, computers and groups that have been given permissions to the printer
    • Auditing - tracks who is using the printer and what type of access is being used
    • Owner - owner of the printer
    • Effective permissions

Part 12: Dial-up networking and Internet

[12.1] Configuring a modem
  • General: speaker volume, maximum port speed, wait for dial tone before dialing check box
  • Selection of country and extra initialization string
  • Advanced port settings allow to set buffer size
  • Hardware settings like Data bits, Parity, Stop bits and Modulation
  • Data connection settings like Port speed, data protocol, compression and flow control
  • You can run diagnostics of your modem
[12.2] Connecting to a Remote access server (RAS)
  • You can connect to a RAS server using a modem, ISDN or a null modem cable
  • Both client and server must use the same connectivity settings
  • RAS security settings
    • Allow unsecured passwords
    • Require secured password
    • Use smart card (you will need EAP)
  • Logon security protocols
    • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) - still supports NTLM (but not by default). The same encryption key is used for all connections; both authentication and connection data are encrypted
    • MS-CHAP v2 - no NTLM and stronger encryption (such as salting the passed encrypted password strings). The two MS-CHAP protocols are the only ones that can change passwords during the authentication process. A new key is used for each connection and each direction.
    • CHAP - requires storage of reversibly encrypted user passwords to be enabled; authentication data is protected through MD5 hashing. No encryption of connection data.
    • PAP (Password Authentication Protocol) - passwords are sent unencrypted, as is connection data
    • SPAP (Shiva Password Authentication Protocol) - less secure than CHAP or MS-CHAP; no encryption of connection data
    • EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) - certificate based authentication (EAP) used with smart cards; both authentication and connection data are encrypted; not supported on stand-alone servers, only in domains
    • EAP-MD5 CHAP (Extensible Authentication Protocol - Message Digest 5 Challenge Handshake Authentication Protocol) - a version of CHAP ported to the EAP framework. Encrypts only authentication data, not connection data, the same as CHAP.
    • Unauthenticated access - connections without credentials, good for testing
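The difference between PAP and CHAP above, shown as an added example (not from the guide): a minimal RFC 1994 CHAP exchange next to a PAP request, illustrating why the CHAP server must hold a reversibly encrypted (recoverable) password while the secret itself never crosses the link. The user name, secret and credential store are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed server-side credential store. A CHAP authenticator must recover
# the cleartext secret to recompute the digest, which is why Windows needs
# "store password using reversible encryption" enabled for CHAP users.
SERVER_SECRETS = {"alice": b"correct horse battery staple"}


def pap_authenticate_request(user: str, password: bytes) -> bytes:
    """PAP: the peer sends user name and password in the clear on the link."""
    return user.encode() + b"\x00" + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_server_verify(user: str, identifier: int, challenge: bytes,
                       response: bytes) -> bool:
    """Authenticator side: recompute the digest from the stored secret and
    compare in constant time."""
    secret = SERVER_SECRETS.get(user)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(user: str, client_secret: bytes, identifier: int = 1,
                  challenge: Optional[bytes] = None):
    """Run one CHAP exchange. Returns (accepted, wire) where wire holds what
    an observer on the link sees: the challenge and the digest, never the
    secret. A fresh random challenge per exchange is what defeats replay."""
    if challenge is None:
        challenge = os.urandom(16)
    response = chap_response(identifier, client_secret, challenge)
    wire = {"identifier": identifier, "challenge": challenge,
            "response": response}
    return chap_server_verify(user, identifier, challenge, response), wire


def secret_visible_on_wire(wire_bytes: bytes, secret: bytes) -> bool:
    """Compare the two protocols: does the link carry the secret itself?"""
    return secret in wire_bytes
```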
[12.3] Using Virtual Private Networking (VPN)
  • Data sent over the network is encrypted; for a VPN you only need access to a network, while for RAS you need to dial in
  • VPN supports
    • Single inbound connections
    • Tunneling protocols
    • Callback security
    • Multilink support (chaining of multiple modems)
  • PPTP (Point-to-Point Tunneling Protocol) - built-in encryption for IP or IPX protocols inside PPP datagrams; requires IP connectivity between your computer and the server
  • L2TP (Layer Two Tunneling Protocol) - Windows XP implementation of L2TP is designed to run natively over IP networks only, does not support native tunneling over X.25, Frame Relay, or ATM networks. Uses IPsec and certificates for security.
[12.4] Using Internet Connection Sharing (ICS)
  • Internet connection sharing (ICS) allows you to connect a small network to the internet through a single connection
  • Internet connection sharing server gets assigned address 192.168.0.1 and its simple DHCP server assigns addresses in the range of 192.168.0.2 - 192.168.0.254 to all client computers
  • You can specify which protocols and ports are to be shared, for example HTTP on port 80
  • You configure connection sharing using Network and Internet connections from control panel in advanced tab
[12.5] Managing IE settings
  • Security zones
    • Internet
    • Local intranet
    • Trusted sites
    • Restricted sites
  • Content
    • Content advisor - you can limit what is accessed based on language, nudity, sex and violence
    • Certificates
    • Personal information - you can configure Auto complete and Microsoft profile assistant
  • Connections - how you connect to the internet, any connection
  • Programs associated with different internet services, HTML editor, E-mail, News groups, Internet call, calendar and contact list
  • Advanced tab has too many options to list
  • You can print to an internet printer if the print server has IIS and supports internet printing
  • Internet printing uses Internet print protocol (IPP)
  • To install internet printer, start the 'Add printer wizard', choose network printer and type as address http://computername/printers/share_name/.printer
  • You can connect through a web browser to print server by surfing to http://print_server/printers if it is allowed and print server has IIS installed
  • To connect using IE to an ftp server that uses password and user name, use: ftp://user_name:password@...; Otherwise IE will ask you to enter your credentials.
[12.6] Internet connection firewall
  • ICF is a stateful firewall
  • Configured from Network Connections -> Connection you wish to firewall -> properties -> advanced tab
  • You can log dropped packets and successful connections
  • You can choose a service that already is listed (like port 80 IIS) or add your own
  • Don't confuse with IP packet filtering which is set for all connections at once.
[12.7] Other points
  • PPP - Point-to-Point Protocol that provides advanced features (such as IPX, NetBEUI and TCP/IP, and encrypted authentication if configured) not found in Serial Line Internet Protocol (SLIP)

Part 13: Optimizing Windows XP Pro

[13.1] Performance and system events
  • Task manager
  • Event viewer
  • System monitor (to activate you can run perfmon.exe from command line)
  • Performance logs and alerts
  • Network monitor
[13.2] Performance
  • To set process priority at run time, use: start "process name" /"priority value"
  • Another way is: cmd /c start /"priority setting" "application name" -- you cannot use this from the Run menu
  • Priority types:
    • Real time (you will need Administrator access to set this priority level)
    • High
    • Above normal
    • Normal
    • Below normal
    • Low
  • Processor affinity is the process of assigning specific processors to specific tasks in multiprocessor system, this is done through task manager
  • Relog - extracts performance counters from performance counter logs into other formats, such as text-TSV, text-CSV, binary-BIN, or SQL
  • Logman - manages and schedules performance counter and event trace log collections on local and remote systems
[13.3] Performance indicators
  • Memory: page faults/sec - data not found in CPU cache creates a fault; most processors can handle large amounts of soft page faults, compare with Memory: pages/sec
  • Available memory in bytes - need more if less than 10% available (could be an application memory leak)
  • Memory: pages/sec - hard drive access to page file, a rate of 20 or more indicates a need for more RAM
  • Paging file: % usage close to 100 - need more space in the paging file or more RAM
  • Physical disk: percentage disk time above 70% - is too high, if paging file usage is excessive as well it indicates more RAM is needed otherwise a disk is the bottleneck
  • Physical disk average queue length above 2 - check paging file and physical memory
  • Physical disk current queue length - a value above 2 indicates a problem
  • CPU close to 100% - need more CPU power if situation continues for excessive amounts of time
  • Number of open files indicates how busy the server is, compare to baseline
  • Server: bytes total/sec - indicates network throughput
  • Baselining is the process of determining average/normal system performance. Should be done over a period of 3 to 4 weeks using counter logs.
  • Performance logs and alerts are used to perform long term analysis:
    • Using the default Windows XP Pro data provider or another application provider, trace logs record detailed system application events when certain activities, such as a disk I/O operation occurs. When the event occurs, your OS logs the system data to a file. A parsing tool is required to interpret the trace log output, like Tracerpt
    • When counter logs are in use, the service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event.
    • Remember that trace logs are event driven and counter logs are update interval driven
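The indicator thresholds listed above, applied to a counter log, as an added example that is not part of the guide: it parses the PDH-CSV layout that relog produces (a timestamp column followed by one column per counter path), counts how many samples crossed each of the guide's limits, and applies the guide's rule that high disk time together with heavy paging points at RAM while high disk time alone points at the disk. The log lines are constructed, and the "more than half the samples" definition of sustained is an assumption, not the guide's.

```python
import csv
import io
from typing import Dict

# Constructed sample of relog -f CSV output: six five-minute samples from a
# server named SRV01. Not a real capture.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Constructed)(300)","\\SRV01\Memory\Pages/sec","\\SRV01\PhysicalDisk(_Total)\% Disk Time","\\SRV01\PhysicalDisk(_Total)\Avg. Disk Queue Length","\\SRV01\Processor(_Total)\% Processor Time"
"06/17/2004 09:00:00.000","3.2","25.0","0.4","35.1"
"06/17/2004 09:05:00.000","28.0","80.3","1.1","40.0"
"06/17/2004 09:10:00.000","31.5","60.7","0.9","50.2"
"06/17/2004 09:15:00.000","40.2","65.0","2.5","45.8"
"06/17/2004 09:20:00.000","22.7","30.1","0.3","99.0"
"06/17/2004 09:25:00.000","26.0","20.4","0.6","38.3"
'''

# (limit, inclusive, advice). Limits are the guide's; "close to 100%" for the
# CPU is taken as 95% here, which is an assumption.
THRESHOLDS = {
    "Memory\\Pages/sec": (20.0, True, "hard paging: more RAM needed"),
    "PhysicalDisk(_Total)\\% Disk Time": (70.0, False, "disk time too high"),
    "PhysicalDisk(_Total)\\Avg. Disk Queue Length":
        (2.0, False, "check paging file and physical memory"),
    "Processor(_Total)\\% Processor Time":
        (95.0, False, "CPU near 100%: more CPU power needed"),
}
SUSTAIN_FRACTION = 0.5   # assumption: flag only when more than half the samples cross


def counter_key(path: str) -> str:
    r"""Strip the machine part: '\\SRV01\Memory\Pages/sec' -> 'Memory\Pages/sec'."""
    return path.lstrip("\\").split("\\", 1)[1]


def analyze(csv_text: str) -> Dict[str, dict]:
    """Per counter: samples over the limit, samples seen, whether sustained."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    columns = {i: counter_key(p) for i, p in enumerate(header) if i > 0}
    stats = {k: {"over": 0, "total": 0} for k in columns.values()}
    for row in reader:
        for i, key in columns.items():
            cell = row[i].strip() if i < len(row) else ""
            if not cell or key not in THRESHOLDS:   # relog leaves blanks for missing samples
                continue
            limit, inclusive, _ = THRESHOLDS[key]
            value = float(cell)
            crossed = (value >= limit) if inclusive else (value > limit)
            stats[key]["total"] += 1
            stats[key]["over"] += int(crossed)
    findings = {}
    for key, s in stats.items():
        if key not in THRESHOLDS or s["total"] == 0:
            continue
        flagged = s["over"] / s["total"] > SUSTAIN_FRACTION
        findings[key] = {"over": s["over"], "total": s["total"],
                         "flagged": flagged, "advice": THRESHOLDS[key][2]}
    return findings


def diagnose(findings: Dict[str, dict]) -> str:
    """The guide's rule for disk time: with heavy paging it means RAM, alone it
    means the disk is the bottleneck."""
    paging = findings.get("Memory\\Pages/sec", {}).get("flagged", False)
    disk = findings.get("PhysicalDisk(_Total)\\% Disk Time", {}).get("flagged", False)
    if disk and paging:
        return "add RAM (disk busy because of paging)"
    if disk:
        return "disk is the bottleneck"
    if paging:
        return "add RAM"
    return "no sustained bottleneck in this window"


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key, f in result.items():
        print(f"{key}: {f['over']}/{f['total']} over limit, flagged={f['flagged']}")
    print("diagnosis:", diagnose(result))
```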
[13.4] Performance alerts
  • Alerts are created when specific counter(s) go above or below a specific value. When an alert is triggered you can do one of the following:
    • You can log alerts in application log
    • Can send a network message
    • Start performance data log
    • Run a program
[13.5] Log file settings
  • Maximum log size
  • Overwrite log events as needed
  • Overwrite log events older than X days
  • Do not overwrite events (clear log manually)
  • Microsoft recommends keeping 7 day logs
[13.6] Log files
  • Default event log files:
    • Application - tracks events related to applications that are running on your PC
    • Security - tracks events related to Windows XP auditing
    • System - tracks events related to the Windows XP OS
  • Log file extension is .evt (files with this extension can be viewed by event viewer)
  • Tracerpt - processes event trace logs or real-time data from instrumented event trace providers
[13.7] Log filtering
  • Event type
  • Event source
  • Event ID
  • User
  • Computer
  • Date range
[13.8] Log viewer event types
  • Information - logged for informative purposes
  • Warning - non critical events that might indicate a problem
  • Error - indicates a problem
  • Success Audit - indicates occurrence of an event audited for success
  • Failure Audit - indicates occurrence of an event audited for failure
[13.9] Event information
  • Eventvwr - used to launch event viewer
  • Eventtriggers.exe - displays and configures event triggers on local or remote machines.
  • Eventcreate.exe - enables an administrator to create a custom event in a specified event log
  • Eventquery.vbs - lists the events and event properties from one or more event logs
[13.10] Page file
  • The page file size should be such that its size plus the size of physical RAM satisfies the PC's needs; for light use 512Mb
  • Don't let the system manage the size of the page file (the page file gets fragmented by constant resizing)
  • Set the initial size of the page file but don't prevent it from growing to a large size; growth will rarely occur and it provides a cushion in case a memory intensive application takes up lots of RAM
  • If you move page file from the system drive you will no longer get any memory dumps
  • You will need to restart your PC once you make changes to the page file such as its initial or maximum size
  • It is best to place the page file on a drive whose cluster size matches RAM page file size, on intel PCs its 4Kb, default for NTFS is also 4Kb
  • The Microsoft recommended size is equivalent to 1.5 times the amount of RAM on your system, set by default
  • To create a memory dump file, the paging file on the %systemroot% drive must be at least as large as RAM + 11MB; you may need to increase it to 1.5*RAM
[13.11] Memory dumps
  • Small memory dumps are stored in %SystemRoot%\Minidump by default and have 64Kb of data
  • Dumpchk.exe - utility that you can use to verify that a memory dump file has been created correctly found in the support tools on the Windows XP CD
  • Windows writes the log file, by default called Memory.dmp, to the same file name each time a Stop error occurs
[13.12] Scheduling tasks
  • To schedule a task go to Performance and Maintenance under Control Panel and select 'Schedule a task'
  • Scheduled task properties:
    • Command line execution for the program that is running the task
    • The folder containing the files needed for execution
    • Comments
    • The user name and password of the user the task is to be run as
    • Whether the task is enabled or not
    • Many other advanced options, like running task when CPU is idle
  • Scheduler service must be running for scheduled task execution to occur
  • The account running a scheduled task needs appropriate permissions to run it
  • Security can be set by group or user

Part 14: Performing system recovery

[14.1] Overview
  • Document everything in your plan, test your plan
  • Possess a 'recovery toolkit' with items like backup utilities, system utilities etc.
  • Make sure you backup:
    • User data
    • Critical system files
    • Critical applications
  • Recovery point - how much data can we lose? Most medium size companies are OK with losing up to 24h, thus a daily backup is OK.
  • Time frame for recovery - how long does it take to recover affected systems
  • Hot sites are ultimate backup solution for server farms (a hot site can take on all functions of the current site, is kept synchronized and is in a different physical location)
  • Backup files have .bkf extension
  • When files are backed up they retain all of their original attributes including encryption
  • File attributes are lost when you restore backup to a FAT volume
[14.2] Windows XP boot sequence
  • Preboot sequence
    • Power on self test (POST) is run when PC is turned on, system configures hardware
    • The Master Boot Record (MBR) is loaded to which BIOS points
    • MBR points to the active partition which in turn is used to specify which partition should be used to boot the OS
    • NTLDR is used to start Windows XP boot process
  • Boot sequence
    • NTLDR switches the processor from real mode to 32-bit flat memory mode and starts mini file system drivers which support PC file systems
    • Operating system selection with BOOT.INI occurs, for OS other than Windows XP file BOOTSECT.DOS is used
    • NTDETECT.COM detects hardware which is stored in registry
    • Control is passed to NTOSKRNL.exe
  • Kernel load sequence
    • HAL (hardware abstraction layer) driver is loaded (hal.dll)
    • Control set that the OS will use is loaded
    • Low level drivers such as disk are loaded
  • Kernel initialization sequence
    • The registry key HKEY_LOCAL_MACHINE\HARDWARE is created with current PC hardware
    • The Clone Control set is created, it is the exact data used to configure the PC without changes made by setup
    • Low level drivers are initialized and higher level subsystems are being loaded
  • Logon sequence
    • Log on dialog box appears, user enters valid credentials
    • The service controller scans HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services to see whether there are any services that still need to be loaded
[14.3] Backup types
  • Normal (full) - clears the archive bit, backs up all data on the volume that is being backed up.
  • Incremental - backs up only those files that have their archive bit set to 1 (changed since the last full or incremental backup). Clears the archive bit. The restore process will have to chain multiple incremental backups. This backup is fastest when combined with a normal backup.
  • Differential - backs up only those files whose archive bit is set to 1. Does not clear the archive bit; no chaining of backups during the restore process
  • Copy - only backup type that can back up the registry and other critical system files. Like a full backup, but does not clear or set any archive bits. This type of backup is used for archiving or when backing up between incremental and normal backup routines.
  • Daily - backs up only those files that were modified today. Does not clear the archive bit.
  • You can exclude files from being backed up
  • System state - boot and system files, AD (if DC), SYSVOL directory (if DC), COM+ Class Registration database, registry, Cluster service information (if server is part of a cluster), IIS Metadirectory (if installed) - only for local system!
  • All backed up files keep their file attributes, unless you are restoring to FAT
  • For command prompt use: ntbackup.exe
  • Backup cannot be performed to CD-R and DVD-R
  • When NTBackup creates a backup set it also creates a listing of files and folders included on the set, called a catalog. It is stored on both the disk of the server and the backup set itself.
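The archive bit behaviour of the five backup types in [14.3], simulated as an added example (not from the guide or NTBackup): each type selects files and clears or leaves the archive bit the way the list describes, and restore_chain shows which sets a restore must chain under an incremental versus a differential strategy. File names, dates and the weekly scenario are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class VolumeFile:
    modified: date
    archive: bool = True      # Windows sets the archive bit whenever a file is written


@dataclass
class BackupSet:
    kind: str
    taken: date
    files: List[str]


def write_file(volume: Dict[str, VolumeFile], name: str, today: date) -> None:
    """Create or modify a file; the OS sets the archive bit on every write."""
    volume[name] = VolumeFile(modified=today, archive=True)


def run_backup(kind: str, volume: Dict[str, VolumeFile], today: date) -> BackupSet:
    """Select files the way each backup type does, then update archive bits."""
    if kind in ("normal", "copy"):
        selected = sorted(volume)                                   # everything
    elif kind in ("incremental", "differential"):
        selected = sorted(n for n, f in volume.items() if f.archive)  # bit set
    elif kind == "daily":
        selected = sorted(n for n, f in volume.items() if f.modified == today)
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("normal", "incremental"):     # only these two clear the bit
        for name in selected:
            volume[name].archive = False
    return BackupSet(kind, today, selected)


def restore_chain(sets: List[BackupSet]) -> List[BackupSet]:
    """Sets a full restore needs: the last normal backup, then every
    incremental after it, or only the latest differential after it."""
    normals = [i for i, s in enumerate(sets) if s.kind == "normal"]
    if not normals:
        raise ValueError("no normal backup to anchor the restore")
    base = normals[-1]
    later = sets[base + 1:]
    chain = [sets[base]] + [s for s in later if s.kind == "incremental"]
    diffs = [s for s in later if s.kind == "differential"]
    if diffs:
        chain.append(diffs[-1])
    return chain


def scenario(strategy: str) -> List[BackupSet]:
    """Constructed week: normal backup on Monday, then `strategy`
    ('incremental' or 'differential') daily, with one file changed per day."""
    vol: Dict[str, VolumeFile] = {}
    monday = date(2004, 6, 14)
    for name in ("a.doc", "b.doc", "c.doc"):
        write_file(vol, name, monday)
    sets = [run_backup("normal", vol, monday)]
    write_file(vol, "a.doc", date(2004, 6, 15))
    sets.append(run_backup(strategy, vol, date(2004, 6, 15)))
    write_file(vol, "b.doc", date(2004, 6, 16))
    sets.append(run_backup(strategy, vol, date(2004, 6, 16)))
    return sets


def copy_vs_daily() -> Tuple[List[str], List[str], Dict[str, bool]]:
    """Copy takes everything and leaves the bits alone; daily takes only files
    modified today and also leaves the bits alone."""
    vol: Dict[str, VolumeFile] = {}
    write_file(vol, "old.doc", date(2004, 6, 14))
    vol["old.doc"].archive = False        # already captured by an earlier normal backup
    write_file(vol, "new.doc", date(2004, 6, 15))
    copy_set = run_backup("copy", vol, date(2004, 6, 15))
    daily_set = run_backup("daily", vol, date(2004, 6, 15))
    return copy_set.files, daily_set.files, {n: f.archive for n, f in vol.items()}
```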
[14.4] Backup log
  • By default 10 backup logs are kept on the server
  • There are three logging options:
    • No log
    • Summary log (default)
    • Detailed log
[14.5] Restore options
  • Do not replace files (default)
  • Replace only if the file on disk is older
  • Always replace files
  • Options for where to restore the files to:
    • Restore to alternate location
    • Restore to single folder
    • Restore to original location
[14.6] Boot problems
  • Hit F8 for boot menu during startup
  • Last known good configuration is the control set in the registry (current settings, like used drivers)
  • Last known good configuration is still a good choice only if no user has logged on since the problem arose
  • Safe mode does not backup the 'Last known good configuration'
  • To access recovery console: 'winnt32.exe /cmdcons' - this places recovery console option into boot.ini
  • Recovery console is good for missing boot files
  • Can run recovery console from Windows XP CD, to run console from CD boot from CD and press R (repair installation)
  • When boot files are missing you will have to copy new ones from installation CD
  • The maximum number of lines in the [operating systems] section of the Boot.ini file in Windows XP is 10. If you add an 11th line (or more), only lines 1 through 10 will be seen during the boot phase of Windows XP
  • Directory services restore mode:
    • This is like a safe mode for a domain controller
    • Active directory is not started
[14.7] Advanced boot options
  • Safe mode - in boot.ini /safeboot:minimal /sos /bootlog /noguiboot
  • Safe mode with networking - in boot.ini /safeboot:network /sos /bootlog /noguiboot
  • Safe mode with command prompt - in boot.ini /safeboot:minimal(alternateshell) /sos /bootlog /noguiboot
  • Enable boot logging - in boot.ini /bootlog (log is stored in %systemroot%\ntbtlog.txt)
  • Enable VGA mode - in boot.ini /basevideo
  • Last known good configuration - in boot.ini no corresponding switch exists
  • Directory services restore mode (Windows domain controllers only) - in boot.ini /safeboot:dsrepair /sos
  • Debugging mode - in boot.ini /debug
  • The /sos /bootlog /noguiboot switches are not required with any of the above settings, but they are useful to help with troubleshooting. These switches are included if you press F8 and choose one of the modes from startup boot menu.
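A small boot.ini checker, added here as an example that is not part of the guide: it parses the [boot loader] and [operating systems] sections, maps each entry's switches to the advanced boot option listed above, and warns when the file exceeds the 10-line limit from [14.6] or when default= points at no entry. The sample boot.ini, its ARC paths and titles are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed boot.ini in the layout the guide describes; not from a real machine.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP Safe Mode" /safeboot:minimal /sos /bootlog /noguiboot
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP Safe Mode with Networking" /safeboot:network /sos /bootlog /noguiboot
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP Safe Mode with Command Prompt" /safeboot:minimal(alternateshell) /sos /bootlog /noguiboot
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP Boot Logging" /fastdetect /bootlog
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP VGA Mode" /fastdetect /basevideo
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP Debugging Mode" /fastdetect /debug
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

MAX_OS_ENTRIES = 10   # NTLDR shows only the first 10 lines of [operating systems]
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<title>[^"]*)"(?P<switches>.*)$')

SAFEBOOT_MODES = {
    "minimal": "Safe mode",
    "network": "Safe mode with networking",
    "minimal(alternateshell)": "Safe mode with command prompt",
    "dsrepair": "Directory services restore mode",
}


def parse_boot_ini(text: str) -> Tuple[Dict[str, str], List[dict]]:
    """Return ({loader key: value}, [{path, title, switches}, ...])."""
    loader: Dict[str, str] = {}
    entries: List[dict] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError(f"unparseable [operating systems] entry: {line}")
            entries.append({"path": m["path"], "title": m["title"],
                            "switches": m["switches"].split()})
    return loader, entries


def boot_mode(switches: List[str]) -> str:
    """Map an entry's switches to the advanced boot option they correspond to."""
    sw = {s.lower() for s in switches}
    if "/cmdcons" in sw:
        return "Recovery console"
    for s in sw:
        if s.startswith("/safeboot:"):
            arg = s.split(":", 1)[1]
            return SAFEBOOT_MODES.get(arg, f"unknown safeboot option {arg}")
    if "/debug" in sw:
        return "Debugging mode"
    if "/basevideo" in sw:
        return "Enable VGA mode"
    if "/bootlog" in sw:
        return "Enable boot logging"
    return "Normal boot"


def check_boot_ini(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ([(title, mode), ...], [warning, ...])."""
    loader, entries = parse_boot_ini(text)
    warnings: List[str] = []
    if len(entries) > MAX_OS_ENTRIES:
        hidden = [e["title"] for e in entries[MAX_OS_ENTRIES:]]
        warnings.append(f"{len(entries)} entries; only the first {MAX_OS_ENTRIES} "
                        f"are shown at boot, hidden: {hidden}")
    if loader.get("default") not in {e["path"] for e in entries}:
        warnings.append("default= does not match any [operating systems] entry")
    modes = [(e["title"], boot_mode(e["switches"])) for e in entries]
    return modes, warnings
```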
[14.8] ASR - Automated system recovery
  • Replaces ERD (emergency repair disk)
  • Stores system state data (uses a cd or tape)
  • Need Windows XP CD and ASR floppy to do a clean install and apply system settings
  • ASR is needed to recover from boot failures
  • To create ASR disk either run ntbackup.exe from command prompt or go to: start -> all programs -> accessories -> system tools ->backup
  • Using ASR recovers the system up to the point ASR was created
  • If you create an ASR set on a system without a floppy drive, the files are saved to the %systemroot%\repair folder. ASR restore will not work without a floppy drive and the floppy disk.
  • To perform an ASR recovery you need:
    • ASR floppy disk
    • ASR Backup set
    • Windows XP setup CDROM
  • There is no ASR in Windows XP Home edition
[14.9] Best practices for backup
  • Develop backup and restore strategies and test them; train people.
  • Always create an Automated System Recovery (ASR) backup set when the operating system changes
  • Always choose to create a backup log for each backup
  • Keep at least three copies of the backup media. Secure both the storage device and the backup media.
  • Perform a trial restoration periodically to verify that your files were properly backed up
[14.10] Startup and recovery options
  • Found in System properties advanced tab
  • You can specify the following options:
    • Default operating system - OS loaded by default if no selection is made on OS selection menu
    • Time to display list of OSs - how long the OS selection menu is shown (30 sec by default)
    • Time to display recovery options (30 sec by default)
    • Write event to the system log - event is written each time system fails (enabled by default)
    • Send Administrative alert - when system fails message is sent to the administrator (enabled by default)
    • Automatically restart
    • You can also edit the boot.ini file and specify the size of the kernel dump file
[14.11] Other points
  • System state data can only be restored and backed up locally (there are 3rd party software utilities that can restore and backup over the network)
  • 'Last known good configuration' can be used to recover from most stop errors if the user has not logged in, BUT the server must be able to boot; i.e. for an ntldr error you need to use ASR or the recovery console
  • For major hardware failures such as a motherboard replacement you will need to reinstall Windows XP. However, you will still need to restore the system state prior to the full Windows boot in order to preserve the original SID.
  • Recovery password can be different than administrator password
  • For problems with boot files use recovery console and copy needed files over from the CD
  • Dr. Watson - used to troubleshoot application errors, DRWTSN32.EXE
  • Boot disk can be created by copying onto a floppy the following files: NTLDR, NTDETECT.COM, NTBOOTDD.SYS (for SCSI without BIOS), BOOT.INI
  • System restore - creates restore points that can be used to restore PC to a previous state. Enabled by default, daily backups or when significant changes occur. To manually create restore points, use system restore wizard, which is located under Accessories -> System Tools -> System Restore. By default 12% of hard drive space is used for system restore data storage
  • Runas is also known as secondary logon; you need to have the Secondary Logon service running to use it. This command line utility is used to run programs within a different user's security context. For example, a network administrator is logged on as a regular user and needs to run a system utility that requires administrative privileges. Instead of logging out and back in as an administrator, the user can use the runas command, which uses the following syntax: runas /user:ComputerName\UserName "program name"

#928 From: Testking_Mcse@yahoogroups.com
Date: Sun Nov 29, 2009 9:05 am
Subject: File - Microsoft exam 70-290 preparation guide.html

Microsoft exam 70-290 preparation guide

Contents:

Part 1: Installing and upgrading Windows 2003
Part 2: Managing and Maintaining Physical & logical drives
Part 3: Managing users, computers and groups
Part 4: Managing and monitoring access to resources
Part 5: Managing and maintaining a server environment
Part 6: Managing and implementing disaster recovery
Part 7: Active directory primer

Preface

I have written this short preparation guide as a way for myself to ease studying for the Microsoft 70-290 exam titled: "Managing and maintaining Microsoft Windows 2003 server environment". I provide this guide as is, without any guarantees, explicit or implied, as to its contents. You may use the information contained herein in your computer career, however I take no responsibility for any damages you may incur as a result of following this guide. You may use this document freely and share it with anybody as long as you provide the whole document in one piece and do not charge any money for it. If you find any mistakes, please feel free to inform me about them Tom Kitta. Legal stuff aside, let us start.

Guide version 0.13 last updated on 28/05/2004

Part 1: Installing and upgrading Windows 2003

[1.1] Clean install
  • During installation of Windows 2003 if you need to install special storage adapter that Windows does not have press F6
  • You can install to a dynamic disk that was converted from boot or system volume (MBR presence)
  • Product key
    • Retail/OEM - one key per install, product activation
    • Volume licensing - only one key for multiple installations
    • Product activation is a proof of ownership that uses 25 character key
    • You have 14 days to activate your product, if you run out of time you can still start the server in safe mode (no network)
  • Windows 2003 is server software; some modules are disabled by default:
    • No audio service (disabled by default)
    • Limited video acceleration (DirectX off by default)
  • The dynamic update that occurs during installation is for critical updates only (not drivers) and needs an internet connection
  • You must have the Unattend.txt or Winnt.sif (copy of unattend.txt when using CD for install) files if you want to fully automate the remote installation of a Windows Server 2003 operating system.
[1.2] Windows editions
  • Standard edition
    • Maximum of 4 CPUs
    • Maximum of 4GB of RAM
    • Network load balancing (no server clustering)
  • Enterprise edition
    • Can be 32 or 64 bit (the 64-bit edition needs Intel Itanium)
    • Has hot-add memory capability (on the 32-bit edition only) and clustering
    • Maximum of 32GB RAM on 32-bit, 64GB RAM on 64-bit
    • Maximum of 8 CPUs
    • Up to 8 cluster nodes
  • Datacenter edition
    • Available only through Microsoft's Datacenter program (bundled with certified hardware)
    • Maximum of 32 CPUs and 64GB RAM on 32-bit, 64 CPUs and 512GB RAM on the 64-bit edition
    • Up to 8 cluster nodes
  • Web edition
    • Up to 2 CPUs and a maximum of 2GB of RAM
    • Used to host websites and web applications (it can also run DNS); no non-web applications such as SQL Server, and it cannot be a domain controller
    • OEM or volume licensing only, cannot buy retail
  • XP Professional (for comparison)
    • Minimum P233, recommended PII 300
    • Minimum 64MB RAM, recommended 128MB
    • Minimum 1.5GB of free space on HD, recommended 2GB
[1.3] Hardware requirements
  • CPU minimum 133MHz (Datacenter edition 400MHz), recommended 550-733MHz
  • RAM minimum 128MB (Datacenter edition 512MB), recommended 256MB
  • HD minimum 1.5GB free
  • Pentium Pro and Pentium II multiprocessor systems have a processor erratum, so Setup disables multiprocessor support on them
[1.4] Licensing
  • To administer Windows 2003 OS licensing for sites or the enterprise, use Licensing in Administrative Tools.
  • The Licensing option in Control Panel manages licensing requirements for a single computer running a Windows 2003 OS.
  • You must have a Client Access License (CAL) for each device or user that connects to your server.
  • Per Device or Per User licensing mode is the best option if your clients frequently use multiple servers on the network. It is client-side licensing used in enterprises; the number of simultaneous connections to any server is unlimited for every licensed client.
  • Per Server licensing mode is the best option when a server product is installed on only one server that is accessed at any time by no more than a subset of your users. For example, if you have 5 CALs, 5 clients can connect to your server on a first-come basis.
  • Use license groups when there is a one-to-many, many-to-one or many-to-many relationship between users and devices
  • The License Logging service is needed for license monitoring but does not enforce licensing
  • If a client PC is used by 10 or fewer users, only 1 (Per Device) CAL is required for it
  • In Control Panel licensing you get only one licensing mode change (Per Server to Per Device or Per User, one way only); in enterprise licensing you will lose your recorded licenses when you change mode
  • You can find your site licensing server in 'AD Sites and Services' (site properties, Licensing Site Settings)
[1.5] General upgrade points
  • You need at least Windows NT4 Server SP5 to upgrade to Windows 2003
  • You must upgrade to the same or a more powerful edition (for example from Windows 2000 Advanced Server to Windows 2003 Enterprise; you cannot upgrade it to Windows 2003 Standard)
  • If the PC you are upgrading will be (or is) a domain controller you will need NTFS (among other things to store the SYSVOL folder, which holds the GPO templates)
  • Check partition size, you need a minimum of 1.5GB free for the Windows 2003 installation
[1.6] Upgrading from Windows NT4 to Windows 2003
  • You need to upgrade the PDC 1st (Windows 2003 will emulate a PDC for older clients and BDCs). Note that Windows 2000 and XP PCs will prefer the Windows 2003 server over the NT4 DCs, which can overload the new server. To make it look like an NT4 PDC until the other DCs are upgraded, set the NT4Emulator value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters on the server.
  • You need to upgrade RAS servers before you upgrade the last BDC (an NT4 RAS server reads user dial-in properties through a null session, which Active Directory DCs refuse by default; while an NT4 BDC remains the RAS server can still use it)
  • The AD Installation Wizard will start after the OS upgrade completes (if the PC was a DC). By default the forest functional level will be set to Windows 2003 interim.
  • NT4 mirror and stripe sets will not mount on Windows 2003, so you need to
    • Break the mirror and/or remove the stripe set before upgrading
    • If you forget the above, use the ftonline utility (Windows Support Tools) to mount the NT mirror or stripe set read-only on Windows 2003
[1.7] Upgrading from Windows 2000 to Windows 2003
  • AD was introduced in Windows 2000 to manage authentication and directory data
  • You will need to make sure all Windows 2000 DCs have SP2 or above installed (SP3 or later recommended)
  • Before the OS upgrade you need to run the utility adprep on the DCs
    • Adprep.exe is located on the Windows 2003 CD (i386 folder). Its role is to extend the Windows 2000 AD schema with the enhancements needed for a Windows 2003 DC to be accepted
    • You will need to run adprep.exe /forestprep first, on the schema master. You will need to be a member of both Enterprise Admins and Schema Admins. It is recommended to disconnect the schema master from the network during the run so the changes can be verified before they replicate.
    • After you have run adprep.exe /forestprep you will need to run adprep.exe /domainprep on the infrastructure master in each domain. You need to be a member of Domain Admins or Enterprise Admins. Make sure that before the run all changes from adprep.exe /forestprep have replicated to all DCs.
[1.8] Domain functional levels
  • Forest functional level
    • Affects all domains in the forest
    • Windows 2000 (default) accepts NT4, 2000 and 2003 DCs
    • Windows 2003 interim accepts NT4 and 2003 DCs
    • Windows 2003 accepts 2003 DCs only
  • Domain functional level
    • Affects only one domain
    • Windows 2000 mixed (default) accepts NT4, 2000 and 2003 DCs
    • Windows 2000 native accepts 2000 and 2003 DCs
    • Windows 2003 interim (you get this option only if you upgraded a purely NT4 domain) accepts NT4 and 2003 DCs
    • Windows 2003 accepts 2003 DCs only
  • Raising a functional level is one way; you cannot lower it afterwards

Part 2: Managing and maintaining physical and logical drives

[2.1] Plug & play
  • For plug & play to operate we need the following:
    • Plug & play BIOS
    • OS that is plug & play capable
    • Device that supports plug & play
  • When Windows finds new hardware but is unable to install it, go to Device Manager, run the troubleshooter and look at the error code shown in the device's properties
  • Uninstalling the device using Device Manager only removes the driver from the OS (not the device from the PC!). If the device is not physically removed from the PC, it will be detected again the next time the PC boots. To prevent this, disable the device instead.
  • When Windows 2003 fails to detect new hardware, use the 'Add Hardware Wizard'
[2.2] Hardware supported
  • Virtual Disk Service (VDS) API for storage systems and SANs (storage area networks)
  • IEEE 1394, RAID, USB 2.0, video, sound
  • Wireless support
    • Wireless and cable network bridging
    • Roaming and autoconfiguration
  • USB supports up to 127 devices per host controller and external hubs nested up to 5 deep. You can see power and bandwidth usage in the root hub's properties in Device Manager.
  • Windows 2003 has the ability to burn CD-R and CD-RW using the IMAPI service, however it is disabled by default
  • You will need a decoder for video DVDs (data DVDs are OK)
  • Writing DVD+RW and DVD-RW is not supported natively, you need the manufacturer's driver or software
[2.3] Access needed to install new hardware
  • You will need to be a member of the Administrators group or have the 'Load and unload device drivers' user right to install new hardware, unless all of the following are true:
    • The driver the hardware uses is signed or has the Designed for Windows logo
    • No further action is required to install the device and Windows does not need to display a user interface, so the 'Add Hardware Wizard' is not needed
    • The device driver is already on the system
    • No group policy settings prevent you from installing hardware
  • This way ordinary users can, for example, connect a USB pen drive to the PC without being members of the Administrators group
[2.4] Device Manager can be accessed in 4 ways
  • By going to start -> all programs -> administrative tools -> computer management -> device manager tree selection
  • Control panel -> system -> hardware tab -> device manager button
  • R-click on 'My Computer' and select properties -> hardware tab -> device manager button
  • A custom MMC console with the Device Manager snap-in
[2.5] Device Manager views
  • Devices by type - when you use this view all network adapters present will be listed under 'Network adapters', all disk drives under 'Disk drives' etc. This is the default view.
  • Devices by connection - you can for example see what devices are connected to the motherboard's PCI bus by expanding the Standard PC (or ACPI) node and then the PCI bus node.
  • Resources by type - sorts resources by type, i.e. DMA, I/O, IRQ and memory, listing the device using each. Good for IRQ conflict troubleshooting.
  • Resources by connection - sorts resources by the connection they are reached through instead of by type
  • Show hidden devices - also shows non plug and play devices (legacy drivers) and devices that are no longer attached to the PC but still have drivers installed
[2.6] Device properties tabs
  • General - for example manufacturer and device status
  • Advanced settings - optional, not every device has them. For example, for a network card we could have a link speed selector.
  • Resources tab - shows things like IRQ assignments. You can only edit the IRQ if there is a conflict, and the device has to be plug and play capable.
  • Power management - not applicable to servers
  • Hardware profiles - useful mostly for laptops, for example when you have different hardware connected to your PC at the office and at home. Can also be used for troubleshooting, since you can limit the hardware enabled in each profile.
[2.7] Driver properties
  • Details of installed driver
  • Update driver
  • Roll back driver (introduced with Windows XP, new to the server line in Windows 2003; restores the previously installed driver)
  • Uninstall driver
  • Driver signing:
    • Prevents installation of harmful or broken drivers
    • HCL - Hardware Compatibility List, being replaced by the Windows Catalog
    • Run d:\i386\winnt32 /checkupgradeonly from the Windows 2003 CD to check hardware and software compatibility before an upgrade
    • Sigverif.exe (File Signature Verification) scans the system for unsigned drivers and system files and logs what it finds
    • By default the system is set to warn the user when installing an unsigned driver (other options are: ignore and block); the behaviour can also be set by group policy
    • An unsigned driver means that the driver was not tested by Microsoft (WHQL) and is not supported by Microsoft. For the most part these drivers are still OK
    • When a driver is signed by Microsoft, the driver and the hardware have been tested by Microsoft (WHQL)
  • Some older devices (parallel-port CD-ROMs, scanners etc.) plug into the LPT port. You will need to enable legacy Plug and Play detection on the port settings tab of the LPT port for such devices to be detected.
  • The easiest way to solve a conflict between an embedded device and an add-on device is to disable the onboard device (in the BIOS or in Device Manager). For example, to use an add-on sound card you will need to disable the onboard sound chip.
  • Many problems are caused by incorrect drivers, for example a graphics card that displays only 800x600 resolution. Update the driver to solve these problems.
[2.8] HAL - hardware abstraction layer
  • The layer (hal.dll) between the kernel and the hardware; the kernel is built on top of it
  • You can choose the HAL during install by pressing F5 when Setup shows the F6 prompt
  • Multiple processors - when installing a 2nd processor in a single-processor system (UP - uniprocessor) you will need to update the HAL "driver" under Computer in Device Manager from the single-CPU to the multiple-CPU version (SMP - symmetric multiprocessor)
  • Do not change from a Standard PC HAL to an ACPI (advanced configuration and power interface) HAL or vice versa; reinstall instead
[2.9] Windows Update & Automatic Updates
  • 1st appeared in Windows 98
  • Windows 2003 adds the ability to schedule the installation of updates
  • To access: Control Panel -> System -> Automatic Updates tab
  • Automatic Updates can be configured via group policy (Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update):
    • Specify intranet Microsoft update service location (points clients at an internal SUS server instead of Microsoft)
    • Configure Automatic Updates
    • Reschedule Automatic Updates scheduled installations
    • No auto-restart for scheduled Automatic Updates installations
[2.10] Printers
  • Printer - this is how Microsoft refers to the software (logical) printer object on your PC
  • Print device - this is the actual hardware printer
  • Print server - the computer that manages the printer and sends print jobs to the print device; any Windows PC with a shared local printer is one. For a network-attached print device you still send jobs to the server.
  • Print spooler - also referred to as the print queue; the service and the directory on the print server where jobs are stored prior to being printed
  • Print processor - also known as rendering; the component that determines whether a print job needs further processing once the job has been sent to the spooler
  • Printer pool - configuration that allows one (logical) printer to feed multiple print devices
  • Print driver - piece of software that understands your print device's control codes
  • Physical port - port through which a print device is directly connected to the computer, COM, LPT or USB
  • Logical port - port (e.g. a Standard TCP/IP port) through which a print device with a network card is reached over the network, much faster than a parallel port
  • Local printer - printer that uses a physical port and has not been shared
  • Network printer - printer that is available to local and network users, can use either a physical or a logical port
  • Windows Server 2003 can be in the "print server" role. In this role the server manages network printers (this includes local printers connected to other PCs which are shared)
  • You can use the UNIX (LPR) protocol; for this you will need to add an LPR port. LPR is included in "Print Services for UNIX", which is installed as a separate Windows component of Windows Server 2003
  • You can also have print services for Macintosh and for NetWare
  • Whenever you hear anything that deals with LPR, LPD or LPQ, think UNIX
  • On your Windows 2003 server in the "print server" role you can load additional drivers for other Windows versions (Windows 95/98/NT4/2000/XP) so clients download the right driver automatically
  • You can set printer priority (1-99, 99 highest) and printer availability (the hours during which the printer accepts jobs), and grant access to the printer to different user groups and individual users
  • For print devices attached to the network with an Ethernet cable that use TCP/IP, any Windows 2003 server that can reach them over the network can be the print server
    • To implement the above you need to create a new Standard TCP/IP port
    • To create the port you will need the IP address or DNS host name of the print device
  • You can print from Windows XP clients to print servers running Windows 2003 by using a URL. Internet printing uses the Internet Printing Protocol (IPP) over IIS.
  • For example, to give two groups different print priority you set up two (logical) printers that point at the same print device, restrict each printer to one group, and set a different priority on each
  • If you want to know printer utilization, track the Print Queue object in System Monitor
  • %SystemRoot%\System32\spool\PRINTERS is the default location of the spool folder. You should move it to another volume if your server serves many printers.
  • A port is defined as the interface that allows the PC to communicate with the print device. Local ports are for print devices attached to the PC directly.
  • Separator pages are used in multi-user environments; sample files with the .sep extension are found in the %SystemRoot%\System32 folder
  • Print.exe - sends a text file to a printer
  • Net Print - displays information about a specified printer queue, displays information about a specified print job, or controls a specified print job
[2.11] Printer pooling
  • One printer, multiple print devices; each job goes to the first free device
  • Think of it as load balancing for printers, used in larger enterprises
  • All print devices in the pool must work with the same driver, so use identical or compatible models. Many newer print devices work with an older model's driver, so pick the driver that every member of the pool supports.
[2.12] Web management of printers using the print server role of Windows 2003 server
  • Browse to http://printserver/printers/ where 'printserver' is the name (or IP) of your print server
  • Access to this web interface can be restricted using group policy (the Web-based printing setting under Printers)
  • For the above to work you will need to install IIS 6 with the Internet Printing component
[2.13] Redirecting print jobs
  • You can redirect print jobs provided both print devices use the same driver
  • When users have queued jobs on a print device that failed BEFORE the jobs started printing, you can redirect the whole queue to another print device (a job that has already started printing cannot be redirected)
  • To redirect, open the properties of the printer whose jobs you want redirected
  • If the new print device is on this print server, just select the port to which it is attached on the 'Ports' tab; otherwise
  • Click on the 'Ports' tab
  • Click on 'Add Port', select 'Local Port' and click 'New Port'
  • Type in the UNC share name of the printer you want the jobs redirected to, in the format \\other_print_server\share_name
  • Check the check box next to the port you just created
[2.14] Disk drives
  • SCSI up to 15000RPM; Fast SCSI transfers 20MB/s (later SCSI generations much more)
  • IDE typically 7200RPM; PIO mode 4 transfers 16.7MB/s (UDMA modes are faster)
  • SATA (serial successor to IDE, similar from the OS's point of view)
  • Wide SCSI supports up to 15 drives on a single controller (16 IDs, one taken by the controller); SATA is point-to-point, one drive per port
  • IDE drives have a 'cable select' option which automatically determines master and slave. It is best practice to manually set the jumpers for master and slave.
[2.15] ARC path designation (Advanced RISC Computing)
  • ARC paths date back to NT 3.5 days (in the form presented here, otherwise NT 3.1)
  • The file boot.ini is read by NTLDR to find the '\windows\' directory of each installed OS
  • Bootcfg.exe configures, queries, or changes Boot.ini settings from the command line
  • Boot.ini switches:
    • /debug - enable kernel debugging (/nodebug to disable)
    • /bootlog - enable boot logging to %SystemRoot%\ntbtlog.txt
    • /sos - display driver names while they are being loaded during the Windows boot
  • Please note that Microsoft changed the default install directory from WINNT to WINDOWS for Windows Server 2003. Upgrades keep using the existing WINNT directory.
  • Multi
    • Identifies the controller the physical disk is on
    • Multi(x) syntax of the ARC path is only used on x86-based computers
    • For IDE disks, or pure SCSI disks when the OS is on the 1st or 2nd SCSI drive
    • The Multi(x) syntax indicates to Windows that it should rely on the computer's BIOS to load system files. This means that the operating system will be using interrupt (INT) 13 BIOS calls to find and load NTOSKRNL.EXE and any other files needed to boot.
    • Numbering starts at 0, for example Multi(0); for technical reasons it should always be 0
    • In a pure IDE system, the Multi(x) syntax will work for up to the 4 drives on the primary and secondary channels of a dual-channel controller
    • In a pure SCSI system, the Multi(x) syntax will work for the first 2 drives on the first SCSI controller (that is, the controller whose BIOS loads first)
    • In a mixed SCSI and IDE system, the Multi(x) syntax will work only for the IDE drives on the first controller
  • SCSI
    • Identifies the controller the physical disk is on
    • The SCSI(x) syntax is used on both RISC and x86-based computers
    • Using SCSI() notation indicates that Windows will load a boot device driver and use that driver (not the BIOS) to access the boot partition
    • On an x86-based computer, the device driver used is NTBOOTDD.SYS (a renamed copy of the controller's miniport driver placed in the root of the system partition); on a RISC computer, the driver is built into the firmware
    • Numbering starts at 0, for example SCSI(0)
    • Windows Setup always uses Multi(x) syntax for the first two SCSI drives when the controller BIOS is enabled
  • Disk
    • Identifies the physical disk attached to the controller
    • Always 0 if Multi(x) is present; Disk(x) is only meaningful with SCSI(x) and signature()
    • For SCSI the value of Disk(x) is the SCSI ID and can be 0-15. Note: one ID (usually 7) is always reserved for the controller itself
    • Numbering starts at 0, for example Disk(0)
  • Rdisk
    • Identifies the physical disk attached to the controller
    • Almost always 0 if SCSI(x) is present; Rdisk is for Multi(x), the ordinal of the disk as seen by the BIOS, usually 0-3
    • Numbering starts at 0, for example Rdisk(0)
  • Partition
    • Refers to the partition on the hard disk on which the Windows system folder is located
    • All partitions receive a number except type 5 (MS-DOS Extended) and type 0 (unused) partitions, with primary partitions being numbered first and then logical drives
    • A partition is a logical definition of hard drive space
    • Numbering starts at 1, for example Partition(1)
  • Signature
    • Used when the system BIOS or the controller hosting the boot partition cannot use INT 13 extensions (for example a boot partition beyond the range the BIOS can address)
    • The signature() syntax is equivalent to the scsi() syntax and also loads NTBOOTDD.SYS
    • Using the signature() syntax instructs Ntldr to locate the drive whose disk signature matches the value in the parentheses, no matter which SCSI controller number the drive is connected to
    • The signature() value (8 hex digits) is extracted from the physical disk's Master Boot Record (MBR)
[2.16] Easy way to memorize ARC
  • There are 5 letters in the word 'Multi' and 5 letters in the word 'Rdisk'
  • There are 4 letters in the word 'SCSI' and 4 letters in the word 'Disk'
  • 'SCSI' works together with 'Disk' while 'Multi' works together with 'Rdisk'
  • When the system uses Multi(x) it relies on BIOS INT 13 calls, so the controller's onboard BIOS has to be enabled
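The ARC rules in [2.15] and [2.16] are easy to get wrong by hand, and a bad boot.ini is one of the classic "server will not boot after a disk change" causes. The following Python script is an added example written for this guide, not code from the original guide or from Microsoft: it parses a boot.ini, splits each ARC path into its components and checks them against the rules above (multi() must be 0 and pairs with rdisk(), scsi()/signature() select the drive by SCSI ID in disk(), partition() starts at 1). The embedded boot.ini is constructed sample data and the signature value in it is invented.

```python
"""Parse boot.ini ARC paths and check them against the ARC rules.

Added example for the guide; the sample boot.ini below is constructed data.
"""
import re

# multi(0)disk(0)rdisk(0)partition(1)\WINDOWS  or  signature(8b467c12)disk(0)...
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi|signature)\((?P<arg>[0-9a-f]+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)partition\((?P<partition>\d+)\)"
    r'(?P<sysdir>\\[^\s="]*)?$',
    re.IGNORECASE,
)


def parse_arc_path(path):
    """Split an ARC path into its numeric components."""
    m = ARC_RE.match(path.strip())
    if not m:
        raise ValueError("not an ARC path: %r" % path)
    adapter = m.group("adapter").lower()
    arg = m.group("arg")
    if adapter == "signature":
        arg_value = int(arg, 16)       # disk signature copied from the MBR, in hex
    elif arg.isdigit():
        arg_value = int(arg)           # controller ordinal for multi()/scsi()
    else:
        raise ValueError("multi()/scsi() take a decimal controller number: %r" % path)
    return {
        "arc": path.strip(),
        "adapter": adapter, "adapter_arg": arg_value,
        "disk": int(m.group("disk")), "rdisk": int(m.group("rdisk")),
        "partition": int(m.group("partition")),
        "sysdir": m.group("sysdir") or "",
    }


def check_arc_path(p):
    """Return the rule violations for a parsed ARC path as a list of strings."""
    problems = []
    if p["partition"] < 1:
        problems.append("partition() numbering starts at 1")
    if p["adapter"] == "multi":
        if p["adapter_arg"] != 0:
            problems.append("multi() should always be 0")
        if p["disk"] != 0:
            problems.append("disk() must be 0 with multi(); the drive is chosen by rdisk()")
        if p["rdisk"] > 3:
            problems.append("rdisk() with multi() is normally 0-3 (BIOS INT 13 drives)")
    else:  # scsi() and signature(): the drive is the SCSI ID given in disk()
        if p["disk"] > 15:
            problems.append("disk() is a SCSI ID, 0-15")
        if p["rdisk"] != 0:
            problems.append("rdisk() is almost always 0 with scsi()/signature()")
    return problems


def parse_boot_ini(text):
    """Parse [boot loader] and [operating systems]; check every entry."""
    section, loader, systems = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            loader[key.lower()] = value
        elif section == "operating systems":
            m = re.match(r'"([^"]*)"\s*(.*)$', value)   # "description" /switches
            entry = parse_arc_path(key)
            entry["description"] = m.group(1) if m else value
            entry["switches"] = m.group(2).split() if m else []
            entry["problems"] = check_arc_path(entry)
            systems.append(entry)
    default = loader.get("default", "")
    return {
        "timeout": int(loader.get("timeout", "30")),
        "default": default,
        # the default= path must match one of the [operating systems] keys
        "default_ok": any(s["arc"].lower() == default.lower() for s in systems),
        "systems": systems,
    }


# Constructed sample: one IDE entry, one scsi() entry, one signature() entry
# and one deliberately broken entry (disk(2) with multi(), partition(0)).
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect
scsi(0)disk(3)rdisk(0)partition(2)\WINNT="Windows 2000 (SCSI, ntbootdd.sys)" /sos
signature(8b467c12)disk(0)rdisk(0)partition(1)\WINDOWS="Windows (signature syntax)"
multi(0)disk(2)rdisk(1)partition(0)\WINDOWS="Broken entry"
"""

if __name__ == "__main__":
    for s in parse_boot_ini(SAMPLE_BOOT_INI)["systems"]:
        print(s["arc"], s["problems"] or "OK")
```

Run it against a real boot.ini by reading the file into `parse_boot_ini`; anything in `problems` or a false `default_ok` is worth fixing with bootcfg.exe before the next reboot rather than after it.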
[2.17] Disk Management MMC snap-in
  • To activate: start -> all programs -> administrative tools -> computer management -> disk management tree node
  • Another way is to r-click on My Computer and select 'Manage' from the list
  • Finally you can just create a custom MMC console with the Disk Management snap-in
  • Using Disk Management, among other things, you can:
    • Initialize new disks
    • Create new volumes and partitions
    • Convert basic disks to dynamic
  • If you r-click a disk and select Properties -> General tab you can see the Location heading with bus, target ID and LUN numbers; these are what the controller and disk numbers in the ARC path are derived from
  • Windows formats FAT32 volumes only up to 32GB (both in Disk Management and with format x: /fs:FAT32), but it can read larger FAT32 volumes created by other tools. Disk Management can format FAT or FAT32 within that limit; format x: /fs:FAT32 does the same from the command line.
  • DiskPart.exe - you can create scripts to automate tasks, such as creating volumes or converting disks to dynamic
  • Fsutil.exe - performs many NTFS file system related tasks, such as managing disk quotas, dismounting a volume, or querying volume information
  • Mountvol.exe - mounts a volume at an NTFS folder or unmounts the volume from the NTFS folder
[2.18] Remote management
  • Computer Management is not just for the local machine; you can also manage other PCs. To do so r-click on 'Computer Management (Local)' and select 'Connect to another computer'
  • By default Domain Admins are members of the local Administrators group, and you need administrator rights to connect to and administer remote PCs
  • If you cannot access Device Manager from the Computer Management extension snap-ins on a remote computer, ensure that the Remote Registry service is started on the remote computer
  • Computer Management does not support remote access to computers that are running Windows 95
  • In remote management 'Device Manager' is in read-only mode
[2.19] Basic disks
  • A primary partition is the only kind that is bootable, and there is a maximum of 4 primary partitions (or 3 primary plus 1 extended)
  • Extended partitions are not bootable
  • Logical drives are created in extended partitions. There is no practical limit to the number of logical drives each extended partition may have.
  • Primary partitions and logical drives are assigned drive letters
  • A basic disk's partition table is stored in the MBR, the first sector of the hard disk; the FAT itself lives inside each FAT partition
[2.20] Dynamic disks
  • Fault tolerance of the configuration is better than on basic disks, because the configuration data is stored in multiple places: a 1MB database (LDM) is placed at the end of each physical dynamic disk containing information about all dynamic disks in this system, so the same data is held on every disk
  • Can be one of the following:
    • Simple volume:
      • Single disk
      • No fault tolerance
      • Can be NTFS or FAT
    • Spanned volume:
      • Maximum of 32 disks; data fills the first disk, then the next
      • Can be extended onto more disks if formatted NTFS (or unformatted), like a simple volume
      • No fault tolerance; losing one disk loses the whole volume
    • Extended simple volume:
      • Similar to a spanned volume but uses free space on the same physical HD as the simple volume
      • You can extend a simple volume only if it has no file system or is formatted with NTFS. You also need free space on the HD, and the volume must not have been originally a basic disk partition (converted volumes cannot be extended).
      • You cannot extend volumes formatted using FAT or FAT32
      • You cannot extend a system volume, boot volume, striped volume, mirrored volume, or RAID-5 volume
    • Mirrored volume:
      • Also known as RAID 1
      • The only volume besides a simple volume in Windows 2003 on which the boot and system partitions can reside
      • Can be NTFS or FAT
      • Fault tolerant; data is the same on both disks
      • To replace the failed mirror in a mirrored volume, right-click the failed mirror and click Remove Mirror, then right-click the remaining volume and click Add Mirror to create a new mirror on another disk
      • A variation of mirroring called duplexing uses HDs connected to different controllers for even more fault tolerance
    • Striped volume:
      • Also known as RAID 0
      • Maximum of 32 disks, minimum of 2
      • Breaks data into 64KB chunks written across the disks that make up the stripe
      • It is recommended to use the same type of hard drive for all member drives
      • Windows 2003 cannot be installed on software RAID 0
      • You cannot extend a striped volume, you need to recreate it
      • No fault tolerance; losing one disk loses the whole volume
    • RAID 5:
      • Made up of at least three disks with parity information distributed across all of them; usable space is (n-1) disks
      • Fault tolerant when one disk fails (performance drops while it is missing)
      • Maximum of 32 disks, minimum of 3
      • Not available in Windows XP Professional
      • To replace the failed disk region in a RAID-5 volume, right-click the RAID-5 volume and then click Repair Volume
  • Dynamic disks are available only in Windows 2000 (Professional and Server), Windows XP Professional and Windows 2003 Server (all editions)
  • Note: if the disk whose ARC path is in boot.ini fails, the system will not boot even when the boot volume is mirrored. You should keep a boot floppy with a boot.ini that points at the mirror disk.
  • Mounted volumes - a volume can be mounted as an NTFS folder instead of getting a drive letter
  • Remove disks in Disk Management prior to moving them; rescan disks after you attach them
  • Dynamic disks can be reconfigured without a reboot
  • When your boot disk is also a dynamic disk, you will not be able to dual boot into an OS that is not dynamic-disk capable
  • Dynamic disks are not supported on laptops due to the lack of advantage over basic disks in this scenario
  • Dynamic disk partition table types:
    • Dynamic GUID partition table (GPT) disks, for 64-bit editions of Windows
    • Dynamic MBR disks, for 32- and 64-bit editions of Windows
  • The Foreign status occurs when you move a dynamic disk to the local computer from another computer; use Import Foreign Disks to bring it in
  • You can have a maximum of around 2000 volumes on a dynamic disk, the recommended maximum is 32
  • Volumes created after the 26th drive letter has been used must be accessed using volume mount points
  • Hard drives that are connected to the PC using USB or IEEE 1394 cannot be converted to dynamic disks
  • Volume status descriptions
    • Failed - a basic or dynamic volume cannot be started automatically or the disk is damaged
    • Failed Redundancy - data on a mirrored or RAID-5 volume is no longer fault tolerant because one of the underlying disks is not online; has substatuses
    • Formatting - occurs only while a volume is being formatted with a file system
    • Healthy - normal volume status on both basic and dynamic volumes, no known problems; has substatuses
    • Regenerating - occurs when a missing disk in a RAID-5 volume is reactivated and parity is being rebuilt
    • Resynching - occurs when creating a mirror or restarting a computer with a mirrored volume
    • Unknown - occurs when the boot sector for the volume is corrupted
    • Data Incomplete - displayed in the Foreign Disk Volumes dialog box, and occurs when data spans multiple disks but not all of the disks were moved
    • Data Not Redundant - displayed in the Foreign Disk Volumes dialog box when you import all but one of the disks in a mirrored or RAID-5 volume
    • Stale Data - displayed in the Foreign Disk Volumes dialog box, and occurs when a mirrored or RAID-5 volume has stale mirror information, stale parity information, or I/O errors
[2.21] Converting to dynamic disk and back to basic disk
  • If you convert the boot disk, or if a volume or partition on the disk you attempt to convert is in use, you must restart the computer for the conversion to succeed.
  • The conversion may fail if you change the disk layout of a disk being converted or if the disk has I/O errors during the conversion.
  • After you convert a basic disk into a dynamic disk, any existing partitions on the basic disk become (dynamic) simple volumes.
  • If you are using shadow copies and they are stored on a different disk than the original, you must first dismount and take offline the volume containing the original files before you convert the disk containing the shadow copies to a dynamic disk.
  • When converting a disk from dynamic to basic, the disk must not have any volumes on it nor contain any data before you can change it back to a basic disk. If you want to keep your data, back it up before you convert the disk to a basic disk.
[2.22] File systems
  • FAT 16-bit (File Allocation Table)
  • FAT 32-bit
  • NTFS (New Technology File System) - the only one with permissions, compression, encryption and quotas
  • To convert from FAT to NTFS use: convert x: /fs:NTFS (one way; going back to FAT requires reformatting)
[2.23] Folder compression (zipped)
  • Create a new compressed (zipped) folder, which is really a .zip file
  • All new items added to that folder will be compressed (zipped)
  • From the command line, compress.exe (with expand.exe to decompress) creates Microsoft compressed-format files, not .zip archives; Windows 2003 has no built-in command-line zip tool
[2.24] Compression (NTFS)
  • When you compress a whole folder you are asked whether to:
    • Apply compression to new files only (existing contents stay as they are)
    • OR
    • Apply compression to the current files and subfolders as well
  • Decompression is the reverse of compression
  • Moving a file on the same volume only changes the file's location in the MFT; the data itself is not rewritten, so the compression attribute stays as it was
  • When you copy a file, whether on the same volume or not, the destination file inherits the destination folder's compression attribute and permissions
  • When you move a file on the same volume, it keeps its original (explicit) permissions. When you move a file to another volume, the move is treated as a copy operation and the file inherits permissions and compression from the destination folder.
  • All file attributes behave in this way with the exception of encryption
  • File compression is supported only on NTFS volumes with cluster sizes of 4KB and smaller
  • For the command line use compact.exe; it can display and modify compression attributes but works only on NTFS
[2.25] Encryption:
  • Only the user who encrypted the file, users to whom the owner gave access to the file (new in Windows XP/2003; the additional users must already have EFS certificates) and recovery agents can decrypt the file
  • When moving an encrypted file from one NTFS volume to another it stays encrypted. When copying the file it also stays encrypted. This behaviour is unique to encryption!
  • Note that a user who has NTFS Delete permission on an encrypted file can delete that file even if he or she cannot read it
  • A file cannot be encrypted and NTFS-compressed at the same time; the two attributes are mutually exclusive (and encrypted data looks random, so it would not compress anyway)
  • You can zip first and then encrypt the archive to get a file that is both compressed and encrypted
  • Cipher.exe is the command-line encryption utility (cipher /e to encrypt, /d to decrypt, /r to generate a recovery agent certificate)
  • By default the recovery agent is the Administrator account of the 1st DC in the domain; there is no default recovery agent on a stand-alone server
  • Moving or copying an encrypted file to a FAT volume decrypts the file without warning (if you hold a key for it; otherwise access is denied)
  • It is recommended to export the recovery agent's certificate and private key to a floppy disk kept in a secured location and remove the private key from the machine. It is also recommended to copy the file to be recovered to the recovery agent's PC, where it will be decrypted.
[2.26] How EFS (encrypted file system) works
  • When a user encrypts a file, a random symmetric file encryption key (FEK) is generated for that file
  • The FEK and a symmetric algorithm are used to encrypt the contents of the file
  • The FEK is then encrypted with the user's public key and stored with the file in the data decryption field (DDF). A separate copy of the FEK is also encrypted with the public key of every additional user authorized to open the file and, in the data recovery field (DRF), with the public key of each recovery agent
  • The file can only be decrypted by a private key matching one of those entries: the owner's, an authorized user's, or a recovery agent's. The bulk data is never re-encrypted when a user or agent is added; only another wrapped copy of the FEK is appended
  • The user's key pair is generated first and an EFS certificate is then issued that binds the public key to the user; the certificate is what the DDF entries reference
  • On stand alone machines the user's certificate is self-issued the first time he or she encrypts a file
  • For a domain user the certificate is issued by an enterprise certification authority if one exists (the user needs enrol permission on the EFS template); otherwise EFS falls back to a self-signed certificate
  • Files marked with the System attribute cannot be encrypted, nor can files in the systemroot directory structure
  • Before users can encrypt or decrypt files that reside on a remote server, an administrator must mark the server's computer account as trusted for delegation, because the server decrypts on the user's behalf
  • When an encrypted file is opened over the network, the server decrypts it and the data crosses the network in the clear unless the transport itself is protected (for example with IPSec). EFS protects data at rest, not in transit
  • Remote EFS works only when both computers are members of the same Windows Server 2003 family forest
  • Encrypted files are not accessible from Macintosh clients
  • Since Windows XP and Windows Server 2003 EFS no longer requires a recovery agent: a stand alone machine encrypts without one, although a domain still gets the default agent described above
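The key hierarchy above, as an added example (my own code, not code from this guide or from Windows): one FEK per file, wrapped once for every DDF and DRF entry. The names alice, bob and recovery-agent are made up, and the primitives are deliberately toy implementations (160-bit RSA primes, textbook RSA without padding, a SHA-256 keystream) standing in for the CryptoAPI RSA keys and the DESX or AES cipher that EFS really uses. Only the structure is faithful. Requires Python 3.8 or later for the modular inverse.

```python
import hashlib
import os
import random
from dataclasses import dataclass, field

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; good enough for a demo key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

@dataclass
class KeyPair:          # stands in for the user's EFS certificate (n, e) plus private key (d)
    name: str
    n: int
    e: int
    d: int

def generate_keypair(name, bits=160):
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537 != 0:        # 65537 is prime, so this means gcd(e, phi) == 1
            return KeyPair(name, p * q, 65537, pow(65537, -1, phi))

def wrap(fek, kp):      # public-key operation: anyone holding the certificate can do this
    return pow(int.from_bytes(fek, "big"), kp.e, kp.n)   # textbook RSA, no padding (toy)

def unwrap(wrapped, kp):  # private-key operation: only the certificate's owner can do this
    return pow(wrapped, kp.d, kp.n).to_bytes(16, "big")

def stream_xor(fek, data):
    """Toy stream cipher (SHA-256 keystream); real EFS uses DESX or AES under the FEK."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(fek + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class EncryptedFile:
    ciphertext: bytes
    ddf: dict = field(default_factory=dict)   # data decryption field: user -> wrapped FEK
    drf: dict = field(default_factory=dict)   # data recovery field: agent -> wrapped FEK

def encrypt_file(plaintext, owner, recovery_agents=()):
    fek = os.urandom(16)                                  # one fresh FEK per file
    f = EncryptedFile(stream_xor(fek, plaintext), {owner.name: wrap(fek, owner)})
    for agent in recovery_agents:                         # DRF entries come from policy, not the user
        f.drf[agent.name] = wrap(fek, agent)
    return f

def recover_fek(f, kp):
    entry = f.ddf.get(kp.name, f.drf.get(kp.name))
    if entry is None:
        raise PermissionError(f"{kp.name} has no DDF or DRF entry for this file")
    return unwrap(entry, kp)

def decrypt_file(f, kp):
    return stream_xor(recover_fek(f, kp), f.ciphertext)

def add_user(f, opener, new_user):
    """Sharing re-wraps the FEK for the new user; the ciphertext is not touched."""
    f.ddf[new_user.name] = wrap(recover_fek(f, opener), new_user)

def demo():
    alice, bob, agent = (generate_keypair(n) for n in ("alice", "bob", "recovery-agent"))
    secret = b"payroll figures for Q3 (constructed sample content)"
    f = encrypt_file(secret, alice, recovery_agents=[agent])
    r = {"owner_reads": decrypt_file(f, alice) == secret,
         "agent_reads": decrypt_file(f, agent) == secret}   # no cooperation from Alice needed
    try:
        decrypt_file(f, bob)
        r["bob_blocked"] = False
    except PermissionError:
        r["bob_blocked"] = True
    before = f.ciphertext
    add_user(f, alice, bob)                                # Bob must already hold a key pair
    r["bob_reads_after_share"] = decrypt_file(f, bob) == secret
    r["data_not_reencrypted"] = f.ciphertext is before
    return r

if __name__ == "__main__":
    print(demo())
```

The point to take away is in demo(): the recovery agent decrypts without any help from the owner because its DRF entry was written at encryption time, and sharing with Bob appends a DDF entry without touching the ciphertext. Removing an agent from policy later does not strip the DRF entries already on existing files.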

Part 3: Managing users, computers and groups

[3.1] User accounts
  • A user account consists of:
    • Name and password
    • SID (security identifier) - consists of a domain identifier, which is the same for every SID issued in the domain, and a RID (relative identifier), which is unique within the domain. The SID, not the name, is what Windows places in access tokens and ACLs, so renaming an account changes nothing about its access. SIDs are unique in the network
    • Other attributes, such as group membership
  • User accounts, computer accounts and groups are also referred to as security principals
  • Security principals are directory objects that are automatically assigned SIDs when they are created
  • An account is either local or domain
  • Local user accounts are stored in the local SAM database that every PC has except a domain controller (a DC keeps a local SAM only for Directory Services Restore Mode)
  • Local accounts cannot be used to grant access to network resources on other machines
  • At logon time the user selects whether to log on to the domain or to the local PC; depending on the selection the system authenticates against the local SAM or against Active Directory
  • The user name must be unique. The pre-Windows 2000 logon name (sAMAccountName) is at most 20 characters; spaces and periods are allowed but not the characters " / \ [ ] : ; | = , + * ? < >. User names are not case sensitive while passwords are
  • InetOrgPerson is the object class used in several non-Microsoft LDAP and X.500 directory services to represent people within an organization; AD supports it for compatibility
  • To log on interactively to a DC a user needs to be a member of Domain Admins, Enterprise Admins, Account Operators, Administrators, Backup Operators, Print Operators or Server Operators, or be explicitly granted the 'Allow log on locally' right
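To make the domain-identifier-plus-RID structure concrete, here is an added example (my own code, not part of the original guide or of Windows) that parses textual SIDs. The domain SID S-1-5-21-1004336348-1177238915-682003330 and the account RIDs used with it are constructed samples; the well-known RID and SID tables are real Windows values.

```python
import re

# Well-known RIDs issued in every domain (500 and 501 also exist on every stand alone machine).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 518: "Schema Admins",
    519: "Enterprise Admins", 520: "Group Policy Creator Owners",
}
# Well-known SIDs that are identical on every Windows system (special identities, BUILTIN groups).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-2": "Network", "S-1-5-4": "Interactive",
    "S-1-5-7": "Anonymous Logon", "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System", "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users", "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")

def parse_sid(sid):
    """Split a textual SID into its parts; domain and rid are None for non-account SIDs."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid}")
    parts = sid.split("-")
    authority, subs = int(parts[2]), [int(x) for x in parts[3:]]
    info = {"sid": sid, "authority": authority, "sub_authorities": subs,
            "domain": None, "rid": None, "well_known": WELL_KNOWN_SIDS.get(sid)}
    # S-1-5-21-<a>-<b>-<c>-<rid>: NT authority (5), "21" marks a domain or machine SID,
    # three sub-authorities identify the domain, and the last value is the RID.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain"] = "-".join(parts[:-1])
        info["rid"] = subs[-1]
        info["well_known"] = WELL_KNOWN_RIDS.get(subs[-1])
    return info

def same_domain(sid_a, sid_b):
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return a["domain"] is not None and a["domain"] == b["domain"]

def is_builtin_administrator(sid):
    """Renaming the Administrator account changes its name, never its RID of 500."""
    return parse_sid(sid)["rid"] == 500

def is_user_created(sid):
    """RIDs below 1000 are reserved for accounts and groups that Windows creates itself."""
    rid = parse_sid(sid)["rid"]
    return rid is not None and rid >= 1000

def describe(sid):
    p = parse_sid(sid)
    if p["well_known"]:
        return f"{sid}: {p['well_known']}"
    if p["domain"]:
        return f"{sid}: RID {p['rid']} in domain {p['domain']}"
    return f"{sid}: unknown identifier under authority {p['authority']}"

if __name__ == "__main__":
    # Constructed sample SIDs; the domain identifier is made up for the example.
    DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
    for s in (DOMAIN + "-500", DOMAIN + "-1105", "S-1-5-32-544", "S-1-5-7", "S-1-1-0"):
        print(describe(s))
```

The practical use is the is_builtin_administrator check: a renamed Administrator account is still recognizable by RID 500 to anyone who can enumerate SIDs, which is why renaming it is only a speed bump.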
[3.2] Built-in local user accounts
  • Administrator - even when the Administrator account has been disabled, it can still be used to log on to the computer in Safe Mode, so physical access to the console is what really protects it
  • Guest (disabled by default)
  • Support account (Support_388945a0, disabled by default; used by the Help and Support Center)
[3.3] Built-in local groups
  • Administrators - full control of the computer. By default the Administrator account is a member and cannot be removed. When the computer joins a domain, the Domain Admins global group is also added to the local Administrators group
  • Backup Operators - can back up and restore files on the server regardless of the NTFS permissions protecting them (so membership is as sensitive as Administrators where confidentiality is concerned). Can access the server from the network, log on locally and shut down the system
  • DHCP Administrators (installed with the DHCP Server service) - administrative access to the DHCP Server service
  • DHCP Users (installed with the DHCP Server service) - read-only access to the DHCP Server service
  • Guests - get a temporary profile created at logon and deleted at logoff. The Guest account is a member; the group has no default user rights
  • HelpServicesGroup - used to assign the rights common to all support applications; its only member is Support_388945a0, do not add users
  • Network Configuration Operators - can make changes to TCP/IP settings
  • Performance Log Users - can manage performance counters, logs and alerts locally or remotely
  • Performance Monitor Users - can view performance counters only, locally or remotely
  • Power Users - can add users, shares and groups. Power Users cannot change Administrators group membership, take ownership of files, load or unload device drivers or manage the security log; they can still install most software, which is why the group is avoided on hardened systems
  • Print Operators - can manage printers and print queues
  • Remote Desktop Users - can log on to the server remotely through Terminal Services
  • Replicator - its only member should be the domain user account used to run the replication service on a DC. Do not add users to this group
  • Terminal Server Users - users who are currently logged on to the system through Terminal Server
  • Users - can perform common tasks such as running programs and printing. Can log on locally or through the network; all user accounts are members of the Users group by default
  • WINS Users (installed with the WINS service) - read-only access to the Windows Internet Name Service (WINS)
[3.4] Complex passwords
  • A complex password must be at least 6 characters long
  • It must not contain the user's account name (sAMAccountName) or any part of the full name longer than two characters
  • It must contain characters from 3 of these 4 classes:
    • English uppercase characters
    • English lowercase characters
    • Base 10 digits
    • Non-alphanumeric characters, such as [,),^
  • By default, complex passwords are enabled on DC, disabled on stand alone servers
  • Windows 2003 passwords can be up to 127 characters long. Windows 95/98 passwords can be up to 14 characters long, and a password longer than 14 characters also prevents the weak LM hash from being stored
  • Password reset disks are used on stand alone machines to recover a local user's password. If an administrator resets a local password instead, the user's DPAPI master key (and with it all EFS encrypted data and stored credentials) is lost; domain accounts do not have this problem because the master key can be recovered through the domain
[3.5] Organization
  • On a Windows 2000 DC the Local Users and Groups snap-in shows a red X; on a Windows 2003 DC there is no Local Users and Groups at all
  • When AD is installed on a server its local user accounts and groups are no longer available (the built-in local groups become the domain's built-in groups); the local SAM survives only for Directory Services Restore Mode
  • What can be stored in Active Directory is defined by the Active Directory schema
  • OUs (organizational units) act as containers for users, groups, computers and other OUs, and are the unit at which Group Policy and delegated administration are applied
  • You can restrict a user to logging on only at listed computers (an allow list; there is no deny list) and restrict the user's logon hours
[3.6] Using profiles on the local PC
  • The local profile is stored under the 'Documents and Settings' directory of the local PC
  • The profile path can point at a network share (which also makes it easy to back up)
  • Mandatory profile - users cannot save changes (they can delete settings, but they come back at the next logon)
  • Home folder - the default location offered by 'Save As' in most applications
  • Folder redirection - lets administrators redirect the personal folders of all users to a single network location while the rest of the profile stays local
  • All registry based user settings and preferences are stored in the file ntuser.dat
[3.7] Roaming profile
  • The user sees the same desktop on every PC (network profile)
  • Enabled on the Profile tab of the user's properties in Active Directory Users and Computers; the profile path itself cannot be set through a GPO
  • ntuser.dat and the rest of the profile are stored on a network share and copied down at logon
  • The locally cached copy is used if the network share cannot be reached
  • Network congestion can occur if large files are saved to the Desktop or My Documents, because the whole profile is copied at logon and logoff. Use the 'Exclude directories in roaming profile' Group Policy setting to keep such folders out of the roaming copy
  • Only files that have changed since the profile was last loaded are copied back at logoff
[3.8] Other profile information
  • To create a mandatory profile rename ntuser.dat to ntuser.man
  • Terminal services profile - a separate profile used when connecting through a terminal server. This is useful when the regular profile would hurt the server or the network (for example large roaming folders or settings that consume a lot of bandwidth)
[3.9] Account and password options
  • Available options are:
  • User must change password at the next logon
  • User cannot change password
  • Password never expires
  • Store password using reversible encryption
  • Account is disabled
  • Smart card required for interactive logon
  • Account is trusted for delegation
  • Account is sensitive and cannot be delegated
  • Use DES encryption types for this account (weak; only for legacy Kerberos clients)
  • Do not require Kerberos preauthentication (weak; the account's ticket reply can then be requested by anyone and used for offline password guessing)
[3.10] Terminal services
  • Thin clients are the modern equivalent of the good old dumb terminals
  • Terminal services settings (profile path, home folder, session limits, remote control) are part of the user account properties
  • Remote control - an administrator can view or take over a user's session on a terminal server in application server mode, similar to Remote Assistance
  • Use Terminal Services Configuration to set session timeouts and connection permissions on the RDP connection
[3.11] Remote access (VPN/Dial-in)
  • Remote access is denied by default
  • Access is governed by remote access policy, evaluated either by RRAS itself or centrally by IAS (Microsoft's RADIUS server)
  • Remote access policy is much more flexible than the per-user Dial-in properties, but an explicit Allow or Deny on the user's Dial-in tab overrides the policy
  • For a traveling executive who dials in from changing locations, set the 'callback' option to 'set by caller'
  • Dial-in
    • Dial-in properties allow you to assign a static IP address to a user
    • This is the only per-user way in Windows 2003 to assign a specific IP address
  • Routing and remote access authentication protocols
    • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) v1 - challenge/response based on the user's LM and NT password hashes. MPPE encryption keys are derived from the password hash, so the same key is reused for every connection; both the authentication exchange and the connection data are encrypted
    • MS-CHAP v2 - no LM hash, mutual authentication (the client also verifies the server) and a fresh MPPE key for each connection, with separate keys for each direction. The two MS-CHAP versions are the only protocols that can change an expired password during authentication
    • CHAP - requires passwords to be stored using reversible encryption on the server; the authentication exchange is an MD5 hash of a challenge and the password. No encryption of connection data (MPPE needs keys from MS-CHAP or EAP-TLS)
    • PAP (Password Authentication Protocol) - password sent in clear text; connection data is unencrypted as well
    • SPAP (Shiva Password Authentication Protocol) - reversible scrambling of the password, less secure than CHAP or MS-CHAP; no encryption of connection data
    • EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) - certificate based mutual authentication, used with smart cards; both the authentication exchange and the connection data are encrypted. Not supported on stand alone servers, only in domains
    • EAP-MD5 CHAP (Extensible Authentication Protocol - Message Digest 5 Challenge Handshake Authentication Protocol) - CHAP carried inside the EAP framework. Protects only the authentication exchange, not the connection data, just like CHAP
    • Unauthenticated access - connections without credentials, only for testing
[3.12] DC/OU/CN example

Here is how DC, OU and CN fit together. CN is the common name of an object (for a user normally the display name), OU an organizational unit and DC a domain component; the full comma separated path is the distinguished name (DN), and the same object written with slashes is its canonical name. For example, the canonical name energyshop.com/IT/John Doe corresponds to the DN CN=John Doe,OU=IT,DC=energyshop,DC=com: DC = energyshop, DC = com, OU = IT, CN = John Doe

[3.13] UPN - user principal name
  • The user principal name is a logon name in e-mail format that can be used at logon without picking a domain from the drop-down, for example joe@.... The UPN must be unique in the forest; its suffix is by default the DNS name of the domain
[3.14] Dealing with user accounts
  • Do not delete user accounts, disable them instead; a deleted account's SID is gone for good, and a re-created account with the same name gets a new SID and none of the old permissions
  • Rename an account rather than create a new one when one person replaces another; the SID, group memberships and permissions stay with the renamed account
  • To move users to a different domain in the same forest use movetree.exe (run against the RID master of the domain where the object lives). For a different forest you need ADMT (Active Directory Migration Tool).
[3.15] Password policy
  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Complexity requirement
  • Store passwords using reversible encryption
[3.16] Account lockout policy
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after X minutes
[3.17] Computer accounts
  • Managed PCs are computers whose OS was installed remotely using RIS
  • For RIS to work the network card must be PXE (Preboot Execution Environment) enabled
  • If your network card is not PXE capable but is PCI based, use Rbfg.exe to create a remote boot floppy
  • Windows 98 systems have no computer account. Windows 98 can still log on to the domain provided the AD client extension is installed and SMB signing is not required on the DC
  • To create computer accounts you need the 'Create Computer Objects' permission on the container (by default any authenticated user may also join up to 10 computers to the domain)
  • You can set common attributes on several user accounts at once using multiselect: the General, Address, Account, Profile and Organization tabs
[3.18] RIS - remote installation service
  • Each PC has a GUID (globally unique identifier), sometimes called a UUID
  • You can get the PC's GUID from:
    • The DHCP discover packets the PC sends when it requests an IP address
    • PC documentation
    • The PC startup screen (BIOS)
  • RIS options
    • Respond to client PCs requesting service
    • Do not respond to unknown PCs (unknown PCs are those without a prestaged computer account in AD); enabling this is the simple way to stop rogue machines from being imaged
  • For RIS the following must be available on the network
    • Active Directory
    • DNS
    • DHCP
[3.19] Contacts
  • These are not user accounts
  • They are used to add people that are outside of your domain
[3.20] Automation
  • Bulk import data into Active Directory using csvde.exe (comma separated value directory exchange), which reads CSV files. It is easier to adapt a spreadsheet to csvde than to ldifde
  • ldifde.exe stands for LDAP Data Interchange Format directory exchange
  • ldifde can import, modify and delete directory objects (changetype: add, modify, delete); csvde can only add
  • Neither tool can import passwords, so imported accounts end up with a blank password. Create them disabled by giving userAccountControl the value 514 (512, a normal account, plus 2, account disabled), then set a password and enable them (512)
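The file formats the two tools consume, as an added example (my own code, not from the guide and not Microsoft's tooling): generating a csvde import file and the equivalent ldifde add records with userAccountControl 514, plus the ldifde modify records that enable the accounts once passwords have been set. The domain energyshop.com is the one used in this guide's DN example; the account names are constructed. Column and attribute names are the LDAP attribute names the tools expect.

```python
import csv
import io

# userAccountControl bit flags relevant to bulk-created accounts (values from the AD schema).
UAC = {
    "ACCOUNTDISABLE": 0x0002, "PASSWD_NOTREQD": 0x0020, "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000, "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000, "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000, "DONT_REQ_PREAUTH": 0x400000,
}

def uac_value(*flags):
    return sum(UAC[f] for f in flags)

def uac_flags(value):
    return [name for name, bit in UAC.items() if value & bit]

CSV_COLUMNS = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
               "displayName", "userAccountControl"]

def escape_rdn(value):
    """Escape the characters that are special inside a DN component (RFC 4514)."""
    return "".join("\\" + c if c in ',+"\\<>;' else c for c in value)

def user_dn(display_name, ou_path, domain):
    """CN=<name>,OU=...,DC=...; ou_path is given innermost first, e.g. ['Staff', 'Finance']."""
    dcs = ",".join(f"DC={part}" for part in domain.split("."))
    ous = "".join(f"OU={escape_rdn(ou)}," for ou in ou_path)
    return f"CN={escape_rdn(display_name)},{ous}{dcs}"

def to_csvde(users, domain):
    """Produce a csvde -i compatible file: header row, then one object per row (add only)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    w.writeheader()
    for u in users:
        w.writerow({
            "DN": user_dn(u["display"], u["ou"], domain), "objectClass": "user",
            "sAMAccountName": u["sam"], "userPrincipalName": f"{u['sam']}@{domain}",
            "displayName": u["display"],
            "userAccountControl": uac_value("NORMAL_ACCOUNT", "ACCOUNTDISABLE"),   # 514
        })
    return buf.getvalue()

def to_ldif_add(users, domain):
    """The same accounts as LDIF for ldifde -i; records are separated by a blank line."""
    records = []
    for u in users:
        records.append("\n".join([
            f"dn: {user_dn(u['display'], u['ou'], domain)}", "changetype: add",
            "objectClass: user", f"sAMAccountName: {u['sam']}",
            f"userPrincipalName: {u['sam']}@{domain}", f"displayName: {u['display']}",
            f"userAccountControl: {uac_value('NORMAL_ACCOUNT', 'ACCOUNTDISABLE')}",
        ]))
    return "\n\n".join(records) + "\n"

def to_ldif_enable(users, domain):
    """ldifde can modify, csvde cannot: enable the accounts (512) after passwords are set."""
    records = []
    for u in users:
        records.append("\n".join([
            f"dn: {user_dn(u['display'], u['ou'], domain)}", "changetype: modify",
            "replace: userAccountControl",
            f"userAccountControl: {uac_value('NORMAL_ACCOUNT')}", "-",
        ]))
    return "\n\n".join(records) + "\n"

def parse_csvde(text):
    return list(csv.DictReader(io.StringIO(text)))

# Constructed sample accounts for the demonstration.
SAMPLE_USERS = [
    {"sam": "jdoe", "display": "John Doe", "ou": ["IT"]},
    {"sam": "asmith", "display": "Smith, Anna", "ou": ["Staff", "Finance"]},
]

if __name__ == "__main__":
    print(to_csvde(SAMPLE_USERS, "energyshop.com"))
    print(to_ldif_add(SAMPLE_USERS, "energyshop.com"))
    print(to_ldif_enable(SAMPLE_USERS, "energyshop.com"))
```

Two details worth noticing: a display name containing a comma must be escaped inside the DN (and the csv module then quotes the whole DN field), and the enable step is a separate ldifde run with changetype: modify, so an account that is never given a password simply stays disabled instead of sitting there with a blank one.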
[3.21] Built-in domain user accounts
  • Administrator - when the Administrator account is disabled, it can still be used to gain access to a domain controller in Safe Mode
  • Guest (disabled by default)
  • Support_388945a0 (disabled by default, used by the Help and Support Center)
  • krbtgt - the account whose password hash protects Kerberos ticket-granting tickets; it is disabled and cannot be used for logon
[3.22] Domain Groups
  • Security groups - can be listed in ACLs and assigned permissions (and can also be used as e-mail distribution lists)
  • Distribution groups - e-mail only; they are not security-enabled and cannot be used in ACLs
  • Group scopes:
    • Domain local
    • Global
    • Universal
[3.23] Built-in domain local groups
  • Domain local groups can contain users and groups from any trusted domain
  • Account Operators - can create and administer domain user accounts and groups, but not administrative accounts or groups
  • Administrators - full control over the domain
  • Backup Operators - bypass file security in order to back up or restore files
  • Guests - has the same access as the Domain Users group by default
  • Incoming Forest Trust Builders - can create incoming, one-way trusts to this forest
  • Network Configuration Operators - can modify network settings such as TCP/IP
  • Performance Log Users - can remotely configure and view performance logs
  • Performance Monitor Users - can remotely view performance counters
  • Pre-Windows 2000 Compatible Access (for NT 4 clients and applications) - has read permission on all users and groups in the domain and the right to access the DC from the network. If Everyone (and, on Windows 2003, Anonymous Logon) is added to it, anonymous enumeration of the domain's accounts becomes possible
  • Print Operators - administrators for printers
  • Remote Desktop Users - granted the 'Allow log on through Terminal Services' right on domain controllers (only logon ability, nothing else)
  • Replicator - supports file replication in the domain
  • Server Operators - can manage DCs: shut down, create shares, manage disks and more
  • Terminal Server License Servers - group for Terminal Server license servers
  • Users - cannot install new applications, can run applications that already exist, cannot log on to a DC
[3.24] Global groups
  • Used to organize users, but only from their own domain
  • Create them by job function or job description
  • DnsUpdateProxy - members can perform dynamic DNS updates on behalf of other clients. When secure dynamic updates are enabled on DNS, the DHCP servers must be made members of this group so that they can register client records. Records registered this way have no owner and can be overwritten by any authenticated user, so keep the membership to the DHCP servers only
  • Domain Admins - complete administrative rights in the domain. Member of the Administrators domain local group (as well as of the local Administrators group on every PC joined to the domain)
  • Domain Computers - all PCs that are joined to the domain
  • Domain Controllers - all DCs are members of this group
  • Domain Guests - used to grant access to users that don't have a valid user account in the domain. Member of the Guests domain local group by default
  • Domain Users - all users are members of this group and get normal access to workstations. When a new share is created, Everyone (which includes Domain Users) gets 'read' access by default
  • Group Policy Creator Owners - members can create and manage Group Policy objects. The Administrator account is a member of this group by default
[3.25] Universal groups
  • Used for many-to-many relationships, such as many users who need access to resources in many domains
  • Can contain users, global groups and universal groups from any domain in the forest (but not domain local groups)
  • Cannot contain users from domains outside the forest
  • Universal groups are used to organize users across domains; their membership is stored in the global catalog, so keep it stable
  • It is recommended to place only global groups inside universal groups
  • Universal security groups need the domain functional level to be at least Windows 2000 native
  • Built-in universal groups exist only in the forest root domain; the root domain Administrator account is their only default member:
    • Enterprise Admins - full administrative access to every domain in the forest
    • Schema Admins - can modify the AD schema
[3.26] Access between domains
  • A trust means we accept the authentication performed by the DCs of another domain
  • Two-way transitive trusts between a parent and child domain (and between each tree root and the forest root) are created automatically whenever a domain is added to the forest, regardless of functional level
  • Types:
    • NT 4 trusts - one-way and non-transitive; a two-way trust between domains A and B needs two separate trusts (A trusts B and B trusts A), each set up on both sides, so there is no automation
    • Two-way transitive trusts (Windows 2000 and later forests)
    • Forest trust (Windows 2003) - transitive trust between two forests; requires the Windows Server 2003 forest functional level on both sides
[3.27] Remember the acronym AGLP
  • Accounts - create user accounts
  • Global groups - place user accounts in global groups
  • Local groups - place global groups into (domain) local groups
  • Permissions - assign permissions to the local group, never to individual users
[3.28] Windows 2000/Windows 2003 domain vs mixed mode
  • Universal security groups become available in Windows 2000 native mode
  • Group nesting (placing a group inside another group of the same scope) becomes available in Windows 2000 native mode
  • Converting a group between distribution and security type is enabled in Windows 2000 native mode
  • For a Windows 2000 native or Windows 2003 domain we use AGULP instead
  • U stands for universal group
  • We place global groups into universal groups and universal groups into domain local groups, then assign permissions to the domain local groups
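The nesting rules behind AGLP and AGULP, as an added example (my own code, not from the guide and not Active Directory itself) that says whether a principal may be placed in a group of a given scope under mixed or native mode, and validates a whole chain. The domain and group names are made up.

```python
from dataclasses import dataclass

USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "user", "global", "domain local", "universal"

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str           # one of USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL

def can_nest(member, group, level="native"):
    """Return (allowed, reason) for adding member to group. level is 'mixed' or 'native';
    the Windows Server 2003 functional level follows the native rules here."""
    same = member.domain == group.domain
    native = level == "native"
    if group.kind == GLOBAL:
        if member.kind == USER:
            return same, "global groups take accounts only from their own domain"
        if member.kind == GLOBAL:
            return same and native, "global-in-global nesting needs the same domain and native mode"
        return False, "global groups cannot contain domain local or universal groups"
    if group.kind == DOMAIN_LOCAL:
        if member.kind in (USER, GLOBAL):
            return True, "domain local groups accept accounts and global groups from any trusted domain"
        if member.kind == UNIVERSAL:
            return native, "universal security groups exist only in native mode"
        return same and native, "domain local nesting needs the same domain and native mode"
    if group.kind == UNIVERSAL:
        if not native:
            return False, "universal security groups require Windows 2000 native or later"
        if member.kind == DOMAIN_LOCAL:
            return False, "universal groups cannot contain domain local groups"
        return True, "universal groups accept accounts, global and universal groups from the whole forest"
    return False, f"{group.kind} is not a group scope"

def check_chain(chain, level="native"):
    """Validate a nesting chain such as [user, global, universal, domain local];
    returns the first violation as text, or None when every step is allowed."""
    for member, group in zip(chain, chain[1:]):
        ok, reason = can_nest(member, group, level)
        if not ok:
            return f"{member.name} -> {group.name}: {reason}"
    return None

def permission_target_ok(group):
    """AGLP/AGULP: the entry that actually appears in an ACL should be a domain local group."""
    return group.kind == DOMAIN_LOCAL

if __name__ == "__main__":
    # Constructed forest with two domains; every name is illustrative.
    jdoe = Principal("jdoe", "corp.example", USER)
    it_staff = Principal("IT Staff", "corp.example", GLOBAL)
    all_it = Principal("All IT", "corp.example", UNIVERSAL)
    fs01_read = Principal("FS01 Read", "eu.corp.example", DOMAIN_LOCAL)
    print(check_chain([jdoe, it_staff, all_it, fs01_read]))            # None: a valid AGULP chain
    print(check_chain([jdoe, it_staff, all_it, fs01_read], "mixed"))   # fails at the universal group
```

The same chain passes in native mode and fails in mixed mode at the universal group, which is exactly the difference between AGLP and AGULP the two sections above describe.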
[3.29] MMC
  • Access control
    • Author mode - full customization of the MMC console
    • User mode-full access - as author mode, except that users cannot add or remove snap-ins, change console options, create Favorites, or create taskpads
    • User mode-limited access, multiple windows - access only to those parts of the console tree that were visible when the console file was saved. Users can create new windows but cannot close any existing windows.
    • User mode-limited access, single window - as 'user mode limited access, multiple windows' but users cannot create new windows
[3.30] Special groups (special identities)
  • Anonymous Logon - users and services that access a computer and its resources through the network without supplying an account name, password or domain name
  • Everyone - all users including Guests; since Windows XP and Windows Server 2003 it no longer includes Anonymous Logon
  • Network - users currently accessing a given resource over the network
  • Interactive - users currently logged on locally to the computer and accessing a resource located on it
  • Special identities can be assigned rights and permissions on resources, but their membership cannot be viewed or modified and group scopes do not apply. Windows adds users to them automatically based on how they authenticated
[3.31] Other points
  • The home folder can be on the local PC or on a network share
  • Rename the Guest and Administrator accounts; for local accounts on many machines use the 'Accounts: Rename administrator account' and 'Accounts: Rename guest account' GPO settings. The RID (500 for Administrator, 501 for Guest) stays the same, so the rename hides the account from casual attempts only
  • A PC and its DC use a secure channel whose password the PC changes every 30 days. If the two get out of synchronization the PC can no longer authenticate to the domain (message: 'Domain member failed to authenticate'). Fix it by right-clicking the computer account in Active Directory Users and Computers and choosing 'Reset Account', then rejoining the PC to the domain (netdom.exe from the Support Tools can reset the channel without a rejoin).

Part 4: Managing and monitoring access to resources

[4.1] ACL - access control list
  • Every securable object (file, folder, registry key, share, printer, AD object) has an ACL
  • An ACL is a list of ACEs (access control entries). Each ACE carries a SID, an Allow or Deny action and the set of rights it applies to
  • When a user logs on, Windows builds an access token containing the user's SID and the SIDs of all groups he or she belongs to. An access check compares that token with the object's ACL:
    • ACEs are examined in order; an ACE whose SID is not in the token is skipped
    • A Deny ACE that covers any of the still outstanding requested rights stops the check: access is denied
    • Allow ACEs accumulate; once every requested right has been granted the check stops: access is allowed
    • If the end of the list is reached with rights still outstanding, access is denied. An empty ACL therefore denies everyone
    • When displaying an ACL, Windows resolves each SID to a name; the SID of a deleted account shows as the raw SID
  • Within the same level (explicit or inherited) Deny ACEs are placed before Allow ACEs, so a Deny takes precedence over an Allow even when both come from the user's group memberships. This holds for administrators and the object owner as well; the only escape hatches are that the owner can always read and change the object's permissions and that an administrator can take ownership
[4.2] General NTFS permissions for files
  • Read - also allows for viewing of file attributes
  • Write
  • Read and execute
  • Modify = read + write + delete + execute
  • Full control
[4.3] General NTFS permissions for folders
  • Read - also allows to view folder attributes
  • Write
  • Read and execute
  • Modify = read, execute, write, delete
  • List folder contents, includes subfolders
  • Full control = all of above permissions plus permission change permission plus ownership change permission
[4.4] Share permissions
  • Only applicable to folders; there are no share permissions on files
  • Read = view file data, file names and subfolder names, and execute programs (the default granted to the Everyone group on a new share)
  • Change = Read plus create, modify and delete files and subfolders
  • Full Control = all of the above plus the right to change the share permissions themselves
  • Share permissions do not apply to users who are logged on to the OS interactively (i.e. locally) or who reach the folder by its local path
  • NTFS permissions always apply, including through a share: over the network the effective access is the more restrictive of the share permission and the NTFS permission, so a user needs Read on both to read a file
  • Use NTFS permissions to tighten security; leave share permissions broad
  • To add a share from the command prompt: net share sharename=drive:path (for example net share Data=D:\Data /GRANT:Everyone,READ)
  • To delete a share from the command prompt: net share sharename /delete
  • When a share name ends in $ it is hidden from browsing and the full UNC name must be typed in. This hides the share, it does not protect it
  • Share permissions are not included in a backup or restore of a data volume; they live in the registry under HKLM\System\CurrentControlSet\Services\LanmanServer\Shares
  • Share permissions do not replicate through the File Replication service
[4.5] Special permissions
  • In Windows 2003 object ownership can be assigned to another user, not just taken by the current user as in Windows 2000
  • When a user is in multiple groups the Allow entries of all of them are combined, so the effective permission is the union of the allows, unless any group carries a Deny, which wins
  • Special permissions:
    • Traverse folder/ execute file
    • List folder/ read data
    • Read attributes
    • Read extended attributes (created by program)
    • Create file/write data
    • Create folders/append data
    • Write attribute
    • Write extended attribute
    • Delete subfolders and files
    • Delete
    • Read permissions
    • Change permissions
    • Take ownership
    • Synchronize (used by multithreaded programs to wait on a file handle; not something to set by hand for users and groups)
  • The Everyone group is no longer granted Full Control on a new volume root (it gets Read & Execute only). The built-in Everyone group includes Authenticated Users and Guests, but no longer includes members of the Anonymous Logon group
  • A quick way to see the resulting permissions is the 'Effective Permissions' tab in Advanced Security Settings
  • The Effective Permissions tool only produces an approximation of the permissions a user has. It evaluates the ACEs for the user and his or her groups, but it cannot know how the user will log on, so logon-specific identities such as Interactive or Network (and share permissions) are not taken into account; the actual permissions at run time may differ
[4.6] Explicit permissions and inherited permissions for files and folders
  • There are two types of permissions: explicit permissions and inherited permissions
  • Explicit permissions are set directly on the object, either by default when it is created or by user action
  • Inherited permissions are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container
  • Explicit permissions take precedence over inherited permissions, even inherited Deny permissions, because explicit ACEs are evaluated before inherited ones. This ordering depends on where the ACE came from, not on whether it names a user or a group
[4.7] Inherited permissions (files and folders)
  • All files and folders inherit their permissions from the parent folder by default
  • There are three ways to change inherited permissions:
    • Make the change on the parent folder, and the file or folder will inherit it. Again this concerns the object hierarchy, not user and group membership
    • Set the opposite permission (Allow or Deny) explicitly on the object to override the inherited one
    • Clear the 'Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here' check box. You can then change the permissions or remove the user or group from the list, but the object will no longer inherit from its parent. A confirmation dialog offers two options:
      • 'Copy' - convert the inherited entries into explicit entries, so the current permissions are kept as a starting point
      • 'Remove' - drop all inherited entries and keep only the explicit ones (if nothing explicit remains, nobody but the owner can access the object)
  • You cannot edit inherited entries on a child object; they are grayed out while inheritance is on
  • If an object inherits conflicting settings from different ancestors, the entry inherited from the ancestor closest to the object wins, because entries from closer ancestors are ordered first
  • Only inheritable entries are inherited by child objects. When setting permissions on the parent you control with 'Apply onto' whether an entry applies to this folder only, to subfolders, to files, or to any combination
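The evaluation order described in [4.1], [4.6] and [4.7], together with the share-versus-NTFS rule from [4.4], as an added example (my own code, not from the guide and not the Windows access check itself): a small model of the check with canonical ACE ordering. The rights bits, SIDs, folder tree and group memberships are constructed for the demonstration and do not correspond to real NTFS mask values.

```python
from dataclasses import dataclass, replace

# A few NTFS-style rights as bits (the real access mask has many more).
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL = READ | WRITE | EXECUTE | DELETE

@dataclass(frozen=True)
class Ace:
    sid: str
    allow: bool
    mask: int
    depth: int = 0      # 0 = explicit on the object, 1 = inherited from the parent, 2 = grandparent, ...

def canonical_order(acl):
    """Windows canonical order: explicit ACEs first, then inherited ones from the nearest
    ancestor outward; within each group Deny before Allow."""
    return sorted(acl, key=lambda a: (a.depth, a.allow))

def inherit(parent_acl, child_explicit=()):
    """Build a child's ACL: its own explicit ACEs plus the parent's entries one level deeper.
    Every ACE is treated as inheritable here; the 'Apply onto' options are not modelled."""
    return list(child_explicit) + [replace(a, depth=a.depth + 1) for a in parent_acl]

def access_check(acl, token_sids, requested):
    """Return (granted, reason). token_sids holds the user SID plus all group SIDs."""
    if requested == 0:
        return True, "nothing requested"
    remaining = requested
    for ace in canonical_order(acl):
        if ace.sid not in token_sids:
            continue
        where = "explicit" if ace.depth == 0 else f"inherited (depth {ace.depth})"
        if not ace.allow:
            if ace.mask & remaining:                       # a matching Deny ends the check
                return False, f"{where} Deny for {ace.sid}"
        else:
            remaining &= ~ace.mask                         # Allows accumulate
            if remaining == 0:
                return True, f"granted, last matching Allow was {where} for {ace.sid}"
    return False, "no ACE grants the remaining rights; denied by default"

def network_access(share_mask, acl, token_sids, requested):
    """Over a share the share permission and the NTFS ACL must both allow the request."""
    if requested & ~share_mask:
        return False, "blocked by share permission"
    return access_check(acl, token_sids, requested)

# Constructed example tree. SIDs are stand-ins; "Staff" and "Contractors" are groups.
ROOT = [Ace("Staff", True, READ | EXECUTE), Ace("Contractors", False, WRITE)]
DEPT = inherit(ROOT, [Ace("Contractors", True, WRITE)])            # explicit Allow on the folder
REPORT = inherit(DEPT)                                             # ordinary file in DEPT
NOTES = inherit(DEPT, [Ace("bob", False, READ | EXECUTE)])         # explicit Deny on one file

BOB = {"bob", "Staff", "Contractors"}
ALICE = {"alice", "Staff"}

def examples():
    return {
        # DEPT carries an explicit Allow WRITE, which beats ROOT's inherited Deny WRITE.
        "bob_writes_dept": access_check(DEPT, BOB, WRITE)[0],
        # On the file both entries are inherited; DEPT (depth 1) is closer than ROOT (depth 2).
        "bob_writes_report": access_check(REPORT, BOB, WRITE)[0],
        # The explicit Deny on NOTES beats every inherited Allow.
        "bob_reads_notes": access_check(NOTES, BOB, READ)[0],
        "alice_reads_notes": access_check(NOTES, ALICE, READ)[0],
        # Alice has no Allow WRITE anywhere: denied by default, not by a Deny ACE.
        "alice_writes_report": access_check(REPORT, ALICE, WRITE)[0],
        # Read-only share: NTFS would allow Bob's write, the share does not.
        "bob_writes_report_via_share": network_access(READ | EXECUTE, REPORT, BOB, WRITE)[0],
    }

if __name__ == "__main__":
    for name, result in examples().items():
        print(f"{name}: {result}")
```

The reason strings returned by access_check make the two different "no" outcomes visible: a Deny ACE that fired, versus simply running out of Allow entries, which is what an empty or badly trimmed ACL produces after 'Remove' in the inheritance dialog.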
[4.8] Ownership
  • General points:
    • Owning an encrypted file does not let you read it; the owner still needs the matching private key
    • The file owner always has the implicit right to read and change its permissions, even if the ACL denies everything else
    • An administrator who is locked out of a file and needs to repair its permissions must begin by taking ownership of the file
    • Every object has an owner, whether in an NTFS volume or in Active Directory. By default, in the Windows Server 2003 family, objects created by a member of the Administrators group are owned by the Administrators group rather than by the individual; other users own what they create
    • Transferring ownership (new in Windows 2003) is preferred to giving users the 'Take ownership' permission
  • Ownership can be taken by:
    • An administrator. By default, the Administrators group holds the 'Take ownership of files or other objects' user right
    • Anyone or any group who has the Take Ownership permission on the object in question
    • A user who has the 'Restore files and directories' privilege
  • Ownership can be transferred in the following ways:
    • The current owner can grant the Take Ownership permission to another user, allowing that user to take ownership at any time. The user must actually take ownership to complete the transfer. Alternatively the owner can assign ownership directly using the 'Other users or groups' button
    • An administrator can take ownership
    • A user who has the 'Restore files and directories' privilege can use the 'Other users or groups' button and assign ownership to any user or group
[4.9] Ways to create shares in Windows 2003
  • Using MMC
  • Server roles (file server role)
  • Using explorer
[4.10] Share options
  • Offline caching lets users keep local copies of network files and work with them while disconnected
  • Offline caching is also controlled through Group Policy
  • Offline caching (manual caching of documents) is turned on by default when a share is created on the server; turn it off for shares holding sensitive data that should not be copied to laptops
  • The following settings are available on the client (through Group Policy):
    • Use of the offline files feature
    • Synchronize when logging on or off
    • Encrypt the offline files cache
    • Prohibit making files and folders available offline
    • Configure slow link speed
  • A Windows XP Professional computer allows a maximum of 10 simultaneous connections to its shared folders
  • Share permissions are managed like NTFS permissions, but you cannot block inheritance and there are no special permissions
[4.11] Special shares
  • C$, D$ and so on - administrative shares that let administrators connect to the root directory of each drive
  • ADMIN$ - used during remote administration of a computer. Its path is always the system root (for example C:\Windows)
  • IPC$ - shares the named pipes that are essential for communication between programs. IPC$ is used during remote administration and when viewing a computer's shared resources. It cannot be deleted; a 'null session' to IPC$ is what anonymous enumeration tools connect to
  • NETLOGON - required share used on domain controllers (logon scripts)
  • SYSVOL - required share used on domain controllers (Group Policy templates and scripts)
  • PRINT$ - used during remote administration of printers (printer drivers)
  • FAX$ - shared folder on a server used by fax clients while sending a fax
  • $ shares are hidden from browsing (you cannot see them in Explorer), but anybody who knows the name and has permission can connect
[4.12] Web sharing
  • You can share your folders online, web sharing of folders - viewed using IE
  • You need to install IIS on the server
  • To let users list the folder and reach files that are not linked from a page, enable the Directory Browsing permission; otherwise only files requested by name (such as .htm and .asp pages) are served
[4.13] Shadow copies (new in Windows 2003)
  • Protect against:
    • Accidental deletions
    • Accidental overwrites
    • File corruption
  • Require the VSS (Volume Shadow Copy Service) service
  • Snapshots are taken on the default or a user defined schedule
  • At most 64 snapshots per volume are kept at any time; the oldest is discarded when the limit or the storage quota is reached
  • Windows XP and 2000 clients need the Previous Versions client software, twcli32.msi
  • Snapshot data is stored in the hidden 'System Volume Information' folder of the storage volume
  • From the command prompt: vssadmin create shadow /for=C: (vssadmin list shadows shows the existing ones)
  • A deleted file cannot be selected directly; open the previous version of the folder that contained it and copy the file out, or restore the whole folder
  • Previous versions can be accessed from:
    • Windows Explorer (the Previous Versions tab on a share's properties)
    • The Shared Folders snap-in
    • The command prompt
  • To move the shadow copy storage to another volume you must delete the existing shadow copies and enable them again
[4.14] Distributed file system (DFS)
  • DFS exposes shared folders under a single namespace without revealing where each one is actually located
  • DFS acts like an index of the shares on the network
  • Domain based root (preferred) or stand alone root
  • Replication and fault tolerance for root and link targets are available for domain based roots only
  • A domain based DFS root configuration is stored in Active Directory
  • To administer DFS go to Start -> All Programs -> Administrative Tools -> Distributed File System
  • DFS on Windows 2003 can only be used with the NTFS file system
  • Set the replication policy for each DFS link that has several targets
  • Do not create FRS replica sets on a volume managed by Remote Storage (performance hit)
  • Automatic file replication through the File Replication Service (FRS) is only available with domain based DFS
  • Dfsutil.exe and dfscmd.exe are the command line tools for administering DFS
[4.15] Enabling auditing for files, folders and printers
  • Enable the 'Audit object access' policy (success, failure or both)
  • Then enable auditing on the individual files, folders or printers through the Auditing tab of their security settings (this writes SACL entries); without a SACL the policy alone generates nothing
[4.16] Auditing
  • Account logon events - success or failure of credential validation; for domain accounts these are logged on the DC that validated the credentials, not on the machine the user sat at
  • Account management - events such as creating accounts, resetting passwords, changing group membership and modifying user properties
  • Directory service access - access to AD objects that have a SACL; every access to such an object generates an event, so configure it selectively
  • Logon events - success or failure of a logon session on the machine where the resource is accessed (interactive logon at the console, or network logon when a share is opened)
  • Object access - file, folder, registry and printer access on objects that have a SACL
  • Policy change - success or failure of changes to security options, user rights, account policies and audit policies. Both domain and local PC changes are tracked
  • Process tracking - process creation and termination, useful for following what applications do
  • System - system events such as shutting down the PC or clearing the security log
[4.17] Terminal services
  • Any Windows PC with the client installed can connect to the terminal server
  • There is no need to install the Terminal Server component if one intends to use it only for administrative purposes; Remote Desktop for Administration (two sessions) is enough
  • Terminal server can be transparent to users (for example thin clients)
  • To connect, a user needs the 'Allow log on through Terminal Services' right, which members of Remote Desktop Users have by default
  • All clients need a Terminal Server CAL (Windows 2000 and XP carry one built in for Windows 2000 terminal servers; Windows 2003 terminal servers need Windows Server 2003 TS CALs)
  • Terminal Services Licensing must be installed (on a DC in a single domain environment, so that terminal servers can locate it) and activated with the Microsoft Clearinghouse over the Internet, by phone or by fax. Until it is activated it can still issue temporary licenses
  • The license server issues temporary, non-renewable licenses valid for 120 days when no permanent CAL is available
  • The terminal server client connection uses the RDP protocol (TCP port 3389)
  • Remote control of a user's session is available when the server is in application server mode
  • Terminal Services (application server mode) is not installed by default
  • Before users can use terminal services, add them to Remote Desktop Users or grant them User Access on the RDP-Tcp connection in Terminal Services Configuration
  • Tscc.msc is the Terminal Services Configuration MMC; settings made on the connection there override the AD user account settings
  • To install applications on a terminal server use 'Add or Remove Programs' (which puts the server into install mode) when all user sessions are disconnected
  • Compatibility scripts are available for many popular programs
  • Use the Terminal Services Group Policy settings to configure one or more terminal servers or to manage Terminal Server user settings
[4.18] Remote desktop
  • Remote Desktop Connection (mstsc.exe) = the terminal services client
  • Remote Desktop for Administration is installed by default but disabled; enable it on the Remote tab of System Properties. For managing several servers from one console use the Remote Desktops MMC snap-in.
  • Remote desktop depends on the Terminal Services service
[4.19] Remote assistance
  • Available on Windows Server 2003 and Windows XP
  • The helper shares the logged-on user's session (a concurrent session with the logged-in user)
  • The logged-on user has to authorize access
  • You can send an invitation from 'Help and Support'. Invitations go through e-mail or Windows Messenger; you should also set a connection password and give it to the helper out of band.
  • You can also offer remote assistance to others without an invitation (the 'Offer Remote Assistance' setting, disabled in GP by default)
[4.20] User rights
  • Administrators can assign specific rights to group accounts or to individual user accounts. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights. The only time that rights assigned to one group might conflict with those assigned to another is in the case of certain logon rights.
  • There are two types of user rights:
    • Privileges, such as the right to back up files and directories
    • Logon rights, such as the right to logon to a system locally
[4.21] Security best practices
  • Use Deny permission only to exclude specific users or groups from an allow that is granted to a larger group
  • Use security templates rather than setting individual permissions by hand
  • Avoid changing default permissions on system objects (including AD objects)
  • Never deny the Everyone group access to an object: a Deny ACE applies to every member, administrators included. Instead just remove the Everyone entry from the ACL.
  • Assign permissions as high as possible up the inheritance tree
  • Privileges can sometimes override permissions (for example the 'Back up files and directories' privilege reads files regardless of their ACL)
  • Assign permissions to groups rather than single users
  • Avoid giving 'Full control'; give users only what they need to do their work
  • Minimize the number of ACEs that apply to children (are inheritable)
  • Assign the same permissions to multiple objects; this way the system only has to store one copy of the ACL
  • When possible, assign access rights on a broad level rather than a specific one
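The rules in [4.20] and [4.21] (rights are cumulative across groups, Deny beats Allow, denying Everyone locks everyone out, a backup privilege bypasses the ACL) follow from how Windows walks a DACL. The simulation below is an added example, not code from the guide; the user, group and file names are invented, and the rights mask is reduced to three bits. It orders ACEs canonically (explicit deny, explicit allow, inherited deny, inherited allow) and evaluates them the way the access check does.

```python
"""Simplified Windows access check, added to illustrate the permission rules above.
Not code from the guide; group names, rights and scenarios are invented.

Models the DACL walk as Windows performs it: ACEs are evaluated in canonical
order (explicit deny, explicit allow, inherited deny, inherited allow).  The
first deny ACE that matches the token and any still-requested right ends the
check; allow ACEs accumulate rights until every requested right is granted.
"""
from dataclasses import dataclass

READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE


@dataclass
class Ace:
    trustee: str          # user or group the ACE applies to
    mask: int             # access rights covered by this ACE
    allow: bool           # True = access-allowed ACE, False = access-denied ACE
    inherited: bool = False


@dataclass
class Token:
    user: str
    groups: frozenset
    privileges: frozenset = frozenset()

    def sids(self):
        # Every logged-on principal is a member of Everyone, administrators included
        return {self.user, "Everyone"} | set(self.groups)


def canonical_order(dacl):
    """Sort ACEs the way Windows canonicalises a DACL before evaluating it."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(token, dacl, requested):
    """Return True if the token is granted every bit in `requested`."""
    # Privilege bypass: SeBackupPrivilege reads any file regardless of its DACL
    # (the "privileges can sometimes override permissions" case, backup semantics).
    if "SeBackupPrivilege" in token.privileges and requested & ~READ == 0:
        return True
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.trustee not in token.sids():
            continue
        if not ace.allow:
            if ace.mask & remaining:      # a denied right is still outstanding: stop
                return False
        else:
            remaining &= ~ace.mask         # rights accumulate across groups
            if remaining == 0:
                return True
    return remaining == 0                  # implicit deny if rights are left over


def scenarios():
    """Worked cases for the best-practice bullets; returns {case: granted?}."""
    admin = Token("alice", frozenset({"Sales", "Administrators"}))
    sales = Token("bob", frozenset({"Sales"}))
    operator = Token("carol", frozenset({"Backup Operators"}),
                     privileges=frozenset({"SeBackupPrivilege"}))

    # Rights are cumulative: Sales grants READ, Administrators grants WRITE
    cumulative = [Ace("Sales", READ, True), Ace("Administrators", WRITE, True)]
    # Deny Everyone locks out everybody, Administrators included, whatever the ACL order
    deny_everyone = [Ace("Administrators", FULL, True), Ace("Everyone", FULL, False)]
    # Removing Everyone's entry instead leaves the explicit allows intact
    remove_everyone = [Ace("Administrators", FULL, True)]
    # An explicit allow on the object beats a deny inherited from the parent folder
    explicit_vs_inherited = [Ace("Sales", READ, False, inherited=True),
                             Ace("Sales", READ, True)]

    return {
        "cumulative_admin_rw": access_check(admin, cumulative, READ | WRITE),
        "cumulative_sales_rw": access_check(sales, cumulative, READ | WRITE),
        "deny_everyone_admin": access_check(admin, deny_everyone, READ),
        "remove_everyone_admin": access_check(admin, remove_everyone, READ),
        "remove_everyone_sales": access_check(sales, remove_everyone, READ),
        "explicit_allow_wins": access_check(sales, explicit_vs_inherited, READ),
        "backup_priv_reads_anyway": access_check(operator, deny_everyone, READ),
        "backup_priv_no_write": access_check(operator, deny_everyone, WRITE),
    }


if __name__ == "__main__":
    for case, granted in scenarios().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

The `deny_everyone` list is deliberately written with the allow first: canonical ordering moves the deny ahead of it, which is why the order in which you click entries into the ACL editor does not matter, and why removing the Everyone entry is the only way to keep administrators in.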

Part 5: Managing and maintaining a server environment

[5.1] Performance and system events
  • Task manager
  • Event viewer
  • System monitor (to open it you can run perfmon.exe from the command line)
  • Performance logs and alerts
  • Network monitor
[5.2] Performance
  • To set a process priority at start time use the cmd built-in: start /high "window title" program.exe (the first quoted argument is treated as the window title, so supply one whenever the program path itself is quoted)
  • Because start is built into cmd you cannot type it into the Run dialog directly; wrap it instead: cmd /c start /high program.exe
  • Priority types:
    • Real time (you will need Administrator access to set this priority level)
    • High
    • Above normal
    • Normal
    • Below normal
    • Low
  • Relog - extracts performance counters from performance counter logs into other formats, such as text-TSV, text-CSV, binary-BIN, or SQL
  • Logman - manages and schedules performance counter and event trace log collections on local and remote systems
[5.3] Performance indicators
  • Memory: page faults/sec - a page fault occurs when a process touches a page that is not in its working set. Soft faults are resolved from elsewhere in RAM and most systems handle large numbers of them; hard faults need a disk read. Compare with Memory: pages/sec, which counts only the disk traffic.
  • Memory: available bytes - need more RAM if less than 10% of physical memory is available (or look for an application memory leak)
  • Memory: pages/sec - pages read from or written to disk to resolve hard page faults; a sustained rate of 20 or more indicates a need for more RAM
  • Paging file: % usage close to 100 - enlarge the page file or add RAM
  • Physical disk: % disk time above 70% is too high; if paging file usage is excessive as well, more RAM is needed, otherwise the disk itself is the bottleneck
  • Physical disk: avg. disk queue length above 2 - check the paging file and physical memory before blaming the disk
  • Physical disk: current disk queue length - a value above 2 indicates a problem
  • CPU close to 100% - need more CPU power if situation continues for excessive amounts of time
  • Number of open files indicates how busy the server is, compare to baseline
  • Server: bytes total/sec - indicates network throughput
  • Baselining is the process of determining average/normal system performance. Should be done over a period of 3 to 4 weeks using counter logs.
  • Performance logs and alerts are used to perform long term analysis:
    • Using the default Windows 2003 data provider or another application provider, trace logs record detailed system application events when certain activities, such as a disk I/O operation occurs. When the event occurs, your OS logs the system data to a file. A parsing tool is required to interpret the trace log output, like Tracerpt
    • When counter logs are in use, the service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event.
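The thresholds listed above only become useful once they are applied to a counter log rather than read off a live graph. The following is an added example, not part of the guide: it parses the CSV layout that `relog -f CSV` writes, averages each counter over the logged window (the guide's "continues for excessive amounts of time"), and applies the rules of thumb, including the combined disk-time/paging rule. The server name FS01, the counter values and the assumed 2 GB of physical RAM are all constructed.

```python
"""Threshold checks from the performance indicator list, run over a counter log.
Added example, not part of the guide.  SAMPLE_CSV is a constructed sample in the
layout produced by `relog -f CSV`; the server name FS01 and all values are invented.
"""
import csv
import io
import statistics

SAMPLE_CSV = r'''"(PDH-CSV 4.0) (Central Standard Time)(360)","\\FS01\Memory\Pages/sec","\\FS01\Memory\Available Bytes","\\FS01\PhysicalDisk(_Total)\% Disk Time","\\FS01\PhysicalDisk(_Total)\Avg. Disk Queue Length","\\FS01\Processor(_Total)\% Processor Time","\\FS01\Paging File(_Total)\% Usage"
"06/14/2004 09:00:15.000","35.1","209715200","85.2","3.1","41.0","62.5"
"06/14/2004 09:00:30.000","41.7","201326592","88.9","3.4","45.2","63.0"
"06/14/2004 09:00:45.000"," ","197132288","79.6","2.8","39.8","63.4"
"06/14/2004 09:01:00.000","38.2","205520896","83.0","3.0","43.1","62.8"
'''

PHYSICAL_RAM = 2 * 1024 ** 3   # assumed: the log does not record installed RAM


def counter_name(path):
    r"""Strip the leading \\SERVER from a PDH counter path."""
    parts = path.split("\\")    # ['', '', 'FS01', 'Memory', 'Pages/sec']
    return "\\".join(parts[3:])


def parse_relog_csv(text):
    """Return {counter: [values]}; blank samples (relog writes ' ') are skipped."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    names = [counter_name(h) for h in header[1:]]
    series = {n: [] for n in names}
    for row in reader:
        if not row:
            continue
        for name, cell in zip(names, row[1:]):
            if cell.strip():
                series[name].append(float(cell))
    return series


def evaluate(series, ram_bytes=PHYSICAL_RAM):
    """Apply the rules of thumb to the window average; returns {counter: verdict}."""
    avg = {n: statistics.mean(v) for n, v in series.items() if v}
    findings = {}
    paging_high = avg.get(r"Memory\Pages/sec", 0) >= 20
    if paging_high:
        findings[r"Memory\Pages/sec"] = "ADD_RAM"
    if avg.get(r"Memory\Available Bytes", ram_bytes) < 0.10 * ram_bytes:
        findings[r"Memory\Available Bytes"] = "ADD_RAM_OR_CHECK_FOR_LEAK"
    if avg.get(r"PhysicalDisk(_Total)\% Disk Time", 0) > 70:
        # A busy disk together with heavy paging means the disk is serving the page file
        findings[r"PhysicalDisk(_Total)\% Disk Time"] = "ADD_RAM" if paging_high else "DISK_BOTTLENECK"
    if avg.get(r"PhysicalDisk(_Total)\Avg. Disk Queue Length", 0) > 2:
        findings[r"PhysicalDisk(_Total)\Avg. Disk Queue Length"] = "CHECK_PAGING_AND_MEMORY"
    if avg.get(r"Processor(_Total)\% Processor Time", 0) >= 90:
        findings[r"Processor(_Total)\% Processor Time"] = "ADD_CPU"
    if avg.get(r"Paging File(_Total)\% Usage", 0) >= 90:
        findings[r"Paging File(_Total)\% Usage"] = "ENLARGE_PAGE_FILE_OR_ADD_RAM"
    return findings


if __name__ == "__main__":
    for counter, verdict in evaluate(parse_relog_csv(SAMPLE_CSV)).items():
        print(f"{counter}: {verdict}")
```

To run it against a real log, convert a binary counter log first (`relog perf.blg -f CSV -o perf.csv`) and pass the file contents to `parse_relog_csv`; averaging over the whole window is a deliberate simplification, and a baseline comparison (see the bullet on baselining) would replace the fixed thresholds with deviations from the server's own normal values.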
[5.4] Log file settings
  • Maximum log size
  • Overwrite log events as needed
  • Overwrite log events older than X days
  • Do not overwrite events (clear log manually)
  • Microsoft recommends keeping 7 day logs
[5.5] Log files
  • Default log files:
    • Application
    • Security
    • System
  • Active directory adds:
    • Directory service log
    • File replication service log
  • DNS adds: DNS service log
  • Log file extension is .evt (files with this extension can be viewed by event viewer)
  • Tracerpt - processes event trace logs or real-time data from instrumented event trace providers
[5.6] Log filtering
  • Event type
  • Event source
  • Event ID
  • User
  • Computer
  • Date range
[5.7] Event information
  • Eventvwr - used to launch Event Viewer
  • Eventtriggers.exe - displays and configures event triggers on local or remote machines.
  • Eventcreate.exe - enables an administrator to create a custom event in a specified event log
  • Eventquery.vbs - lists the events and event properties from one or more event logs
[5.8] Page file
  • Page file size should be at least 1-1.5 times the size of physical RAM
  • Don't let the system manage the size of the page file (constant resizing fragments the page file)
  • Set minimum = maximum size of the page file in order to prevent any page file resizes
  • If you move the page file off the system (boot) drive you will no longer get memory dumps after a crash, because the dump is written through the page file on the boot volume
  • You will need to restart the PC after changing the page file settings
[5.9] Disk quotas
  • Disk quotas apply to everyone using the volume except members of the Administrators group
  • Remember that every user needs a few MB (minimum 2) for storage of the profile that is needed for logging in
  • A quota entry can be created per user but not per group; only volumes and users have quota entries
  • The quota limit is calculated using the uncompressed file size, thus compressing files will not create more space
  • The default quota entry applies to all users of a given volume. Additional quota entries can only be added on a per-user basis.
  • Once again, quota entries are per user per volume; no groups are allowed.
  • Once a user stores a file on a volume with quotas enabled an entry for that user is added automatically. Thus, if you had a general entry for all users and later some users run out of space and need more, you modify their existing quota entries rather than adding new ones.
  • When quotas are enabled on a volume that already holds files, the existing files are charged to their owners; nothing already on disk is removed, but a user who is already over the limit cannot add more until usage drops below it
  • Each file can contain up to 64 KB of metadata that is not counted towards the user's quota limit
  • Fsutil quota is used to manage quotas from the command line
  • To free some space run Disk Cleanup; from the command prompt: cleanmgr.exe (note it doesn't clear temporary Internet files)
[5.10] Defragmenting
  • You will need at least 15% free space on the volume in order to defragment
  • You may need to repeat the process several times in order to achieve the planned result
  • Defragmenting should be done on every volume every 1 to 2 months
  • The Disk Defragmenter MMC has no scheduler; to schedule it, run defrag.exe from a scheduled task (schtasks) or a script
  • Windows defragmenter works with FAT16, FAT32 and NTFS
  • On modern systems that use NTFS and don't use the file system heavily (desktops) the benefits of defragmenting are measurable but not noticeable to the end user. Thus defragmenting is a significant performance tool mainly for file servers.
[5.11] Internet Information server 6 (IIS.6)
  • Can serve files from a local directory, a network share or a redirected URL
  • IIS 6 runs web applications in w3wp.exe worker processes (one or more per application pool)
  • You can run multiple sites using one of these methods:
    • Different IP per site
    • Host headers - not the preferred method: no SSL/HTTPS (the Host header is inside the encrypted request, so the server cannot read it to pick the certificate), and it needs an HTTP 1.1 compliant browser; it does however need only one IP address
    • Different port per site
  • Front page extensions are to be used with front page only
  • To create a virtual directory use the wizard in IIS Manager or web-share a folder from its Properties dialog
  • IIS 6 is not installed by default in Windows 2003 (it was in Windows 2000)
  • For anonymous access IIS 6 uses the IUSR_computerName account
  • The IWAM_computerName account is used by IIS to start out-of-process applications (IIS 5.0 isolation mode)
  • Every request runs in the context of a Windows account, even anonymous requests (which are impersonated as IUSR_computerName); by default users are anonymous
  • You can back up just the IIS configuration using IIS Manager or iisback.vbs. Backup copies store only the metabase configuration and schema (not site content)
  • Custom error templates (.htm) are located in %systemroot%\help\iishelp\common\
  • Other:
    • Can change home directory
    • Can change default document name
    • You can limit bandwidth and total connections numbers
    • Different logging options
  • Certificates are used with SSL, can have personal certificates
  • SMTP and e-mail services are not the best, use in emergency, try to avoid
  • ISAPI filters - internet server application programming interface filters
  • Content expiry - this setting tells the client browser whether it should use its cached copy or load fresh data from the website
  • Web service access permissions and NTFS permissions work together; the more restrictive of the two wins. It is recommended to rely on NTFS permissions.
[5.12] Application pools in IIS.6
  • IIS modes of operation
    • Worker process isolation mode, which runs all processes in an isolated environment (needed for application pools)
    • IIS 5.0 isolation mode, in which you can run Web applications that are not compatible with worker process isolation mode
  • Application pools are like separate memory spaces in which sites live. More formally, an application pool is a configuration that links one or more applications to a set of one or more worker processes.
  • Two ways to recycle the assigned worker process
    • By default, the worker process that is to be terminated is kept running until after a new worker process is started up
    • Alternatively, the WWW service can terminate a worker process and then start a new worker process
  • An application pool that uses more than one worker process is called a Web garden
  • When more than one server is used to host a website we have a web farm
[5.13] Authentication methods
  • Integrated Windows authentication - uses Kerberos or NTLM depending on client capability; popular on intranets. A domain or local account is used and the password itself is never sent over the network (challenge/response for NTLM, tickets for Kerberos). AD is not required; with AD Kerberos can be used, otherwise NTLM.
  • Digest authentication - challenge/response based on MD5; no password is transmitted, only an MD5 hash of the user name, realm, password and request data. Values are verified against AD (the user needs an account in AD, so AD must be installed). Used when integrated Windows authentication is not available, for example through proxies. Standard Digest requires the accounts to store passwords using reversible encryption so the server can compute the hash; IIS 6 Advanced Digest avoids this by storing a pre-computed MD5 hash in AD (requires Windows Server 2003 domain controllers). Needs Internet Explorer 5.0 and HTTP 1.1 at minimum.
  • Basic authentication - clear-text passwords (only base64 encoded), supported by almost every client; AD or local accounts. Combine it with SSL.
  • .NET Passport authentication - native support in Windows XP and Windows Server 2003
  • Access can also be restricted by IP address and/or domain name
  • Kerberos authentication is used by computers that have an account in AD and run Windows 2000 or later (Windows NT 4 clients fall back to NTLM)
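What "clear text (base64 encoded)" and "no password is transmitted" mean on the wire is easiest to see by computing both headers. The block below is an added example, not code from the guide or from IIS: it builds a Basic header and decodes it as an eavesdropper would, then implements the RFC 2617 Digest computation (qop=auth) for both client and server. It also shows why the server must hold either the clear-text password or the pre-computed MD5(user:realm:password), which is the reversible-encryption requirement mentioned above. The user name, realm, URI and nonces are invented.

```python
"""Basic versus Digest authentication on the wire, added as an illustration of the
two bullets above (not code from the guide).  Implements the RFC 2617 Digest
computation with qop=auth.  User names, realm, nonce values and the URI are invented.
"""
import base64
import hashlib
import secrets


def basic_header(user, password):
    """Build the Authorization header a client sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def basic_decode(header):
    """Anyone who sees the header recovers the credentials: base64 is not encryption."""
    user, password = base64.b64decode(header.split()[-1]).decode().split(":", 1)
    return user, password


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password).  The server must be able to produce this,
    which is why standard Digest needs the clear-text (reversibly encrypted)
    password and why Advanced Digest can store this hash instead."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, seen):
    """Server side: recompute from the stored HA1 and reject a replayed (nonce, nc) pair."""
    if (nonce, nc) in seen:
        return False
    seen.add((nonce, nc))
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def demo():
    """One Basic and one Digest exchange; returns what each observer learns."""
    user, password, realm = "alice", "s3cret!", "intranet.example"
    uri = "/private/report.aspx"
    leaked_user, leaked_pw = basic_decode(basic_header(user, password))  # eavesdropper's view
    nonce = secrets.token_hex(16)                 # server challenge, fresh per exchange
    cnonce = secrets.token_hex(8)                 # client nonce
    ha1 = digest_ha1(user, realm, password)       # client derives it from the password
    resp = digest_response(ha1, "GET", uri, nonce, "00000001", cnonce)
    seen = set()
    first = server_verify(ha1, "GET", uri, nonce, "00000001", cnonce, resp, seen)
    replay = server_verify(ha1, "GET", uri, nonce, "00000001", cnonce, resp, seen)
    return {
        "basic_leaks_password": leaked_pw == password,
        "digest_accepted": first,
        "digest_replay_rejected": not replay,
        "password_on_wire": password in resp,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what Digest does not give you: the response is unkeyed MD5 over values an attacker can see, so an eavesdropper can still run an offline dictionary attack against it, and a stolen HA1 is a password-equivalent for that realm. That is why the guide's advice to pair Basic with SSL applies to Digest as well.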
[5.14] Website Logging
  • W3C extended logs are written in UTC by default, so file rollover can appear out of step with local time; enable 'Use local time for file naming and rollover' if you want local-time log files
  • Web site logging formats:
    • W3C Extended Log File Format (default)
    • Microsoft IIS Log File Format
    • NCSA Common Log File Format
    • ODBC Logging
[5.15] SUS - software update service
  • SUS - software update service, can distribute updates (need to be approved by the admin before distribution occurs) to clients.
  • Minimum requirements for the clients to connect to SUS are Windows XP SP1, or Win2k SP3 or later.
  • SUS server is really just a webpage with ActiveX functionality that piggybacks on top of IIS.
  • In order for SUS to work you need to point client computers to SUS server using GPO
  • You need to install SUS10SP1.exe on the server
  • Server computer must be running at least version 5 of IIS
  • SUS virtual administrative directory http://yourservername/SUSadmin
  • SUS needs NTFS with at least 100Mb to install package and 6Gb for storing updates, SUS runs from the 'default website' and stores all data there
  • SUS notification is shown for Administrators only
  • If you have P III 700, 512Mb RAM SUS server can handle up to 15000 clients
  • The SUS server is not set to synchronize with the Windows Update site by default; the administrator must schedule synchronization or run it manually
[5.16] Services
  • HTTP - Hypertext Transfer Protocol, TCP port 80
  • HTTPS - HTTP over SSL/TLS, TCP port 443
  • SMTP - TCP port 25. Files stored in LocalDrive:\Inetpub\Mailroot
  • SNMP - Simple Network Management Protocol, used to query information about TCP/IP hosts, UDP port 161 (traps are sent to UDP port 162)
  • FTP - only basic (clear-text) authentication, TCP port 20 (data) and TCP port 21 (control). Files stored in LocalDrive:\Inetpub\Ftproot
  • POP3 - TCP port 110
  • DNS - UDP port 53 (queries) and TCP port 53 (zone transfers and responses too large for UDP)
  • NNTP - TCP port 119. Files stored in LocalDrive:\Inetpub\Nntpfile\Root
  • PPTP - Point-to-Point Tunneling Protocol, TCP port 1723 for control plus GRE (IP protocol 47) for the tunnel itself
  • L2TP/IPSec - UDP ports 500 (IKE), 1701 (L2TP) and 4500 (NAT-T), plus ESP (IP protocol 50)
[5.17] Other points
  • By default Windows 2003 Server uses 25% of RAM for system cache (Windows 2003 server assumes it will be a file server)
  • Dos and 16bit programs run as NTVDM processes. Windows 64bit editions cannot run 16bit programs.
  • You should assign more RAM for the system cache if server is a file server

Part 6: Managing and implementing disaster recovery

[6.1] Overview
  • Document everything in your plan, test your plan
  • Possess a 'recovery toolkit' with backup utilities, system utilities, etc.
  • Make sure you backup:
    • User data
    • Critical system files
    • Critical applications
  • Recovery point - how much data can we afford to lose? Most medium-sized companies are OK with losing up to 24h, thus a daily backup is OK.
  • Time frame for recovery - how long does it take to recover affected systems
  • Hot sites are ultimate backup solution (a hot site can take on all functions of the current site, is kept synchronized and is in a different physical location)
  • Backup files have .bkf extension
  • When files are backed up they retain all of their original attributes including encryption
  • File attributes are lost when you restore backup to a FAT volume
[6.2] Backup types
  • Normal (full) - backs up all selected data and clears the archive bit
  • Incremental - backs up only those files that have the archive bit set (changed since the last normal or incremental backup) and clears it. A restore has to chain the last normal backup plus every incremental taken after it. Fastest to back up when combined with a normal backup, slowest to restore.
  • Differential - backs up only those files whose archive bit is set, but does not clear it, so each differential contains everything changed since the last normal backup. A restore needs only the last normal and the last differential, no chaining.
  • Copy - like a normal backup but neither checks nor clears archive bits, so it does not disturb a normal/incremental rotation. Used for archiving or for an extra backup taken between the scheduled normal and incremental jobs.
  • Daily - backs up only those files modified on the day of the backup. Does not clear the archive bit.
  • You can exclude files from being backed up
  • System state - boot and system files, the registry, the COM+ Class Registration database, the AD database and SYSVOL (if DC), the Certificate Services database (if CA), Cluster service configuration (if the server is a cluster node) and the IIS metabase (if installed). System state can only be backed up and restored on the local machine, and always as a whole.
  • All backed up files keep their file attributes, unless you are restoring to FAT
  • For command prompt use: ntbackup.exe
  • Backups cannot be written directly to CD-R or DVD-R (write the .bkf file to disk and burn it afterwards)
  • When NTBackup creates a backup set it also creates a listing of files and folders included on the set, called a catalog. It is stored on both the disk of the server and the backup set itself.
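The five backup types differ only in which files they select and whether they clear the archive bit, and the restore chain follows from that. The simulation below is an added example, not code from the guide: it runs a week of backups over three invented files with an invented edit schedule, records which files each job copies, and derives the restore chain for a rotation (last normal, every later incremental, then the latest differential that post-dates them). It generalises slightly beyond the text by handling a rotation that mixes incrementals and differentials.

```python
"""Archive-bit simulation of the NTBackup types above and the restore chain each
rotation produces.  Added example, not from the guide; file names and the edit
schedule are invented.
"""
from dataclasses import dataclass


@dataclass
class File:
    name: str
    modified_day: int
    archive: bool = True     # NTFS sets the bit whenever the file is written


def run_backup(kind, files, day):
    """Return the names copied by one job and update archive bits as NTBackup would."""
    if kind in ("normal", "copy"):
        selected = list(files)
    elif kind in ("incremental", "differential"):
        selected = [f for f in files if f.archive]
    elif kind == "daily":
        selected = [f for f in files if f.modified_day == day]
    else:
        raise ValueError(f"unknown backup type {kind!r}")
    if kind in ("normal", "incremental"):      # only these two clear the bit
        for f in selected:
            f.archive = False
    return {f.name for f in selected}


def simulate(schedule, edits, names=("budget.xls", "memo.doc", "deck.ppt")):
    """Run a rotation.  schedule: [(day, kind)]; edits: {day: files written that day}.
    Returns {day: set of names in that day's backup set}."""
    files = {n: File(n, 0) for n in names}
    sets = {}
    for day, kind in schedule:
        for n in edits.get(day, ()):            # daytime changes before the nightly job
            files[n].modified_day = day
            files[n].archive = True
        sets[day] = run_backup(kind, files.values(), day)
    return sets


def restore_chain(schedule):
    """Backup days needed to rebuild the latest state: the last normal, every later
    incremental, then the latest differential taken after those.  Copy and daily
    jobs never enter the chain because they do not clear the bit."""
    last_normal = max(d for d, k in schedule if k == "normal")
    chain = [last_normal] + sorted(d for d, k in schedule if k == "incremental" and d > last_normal)
    later_diffs = [d for d, k in schedule if k == "differential" and d > chain[-1]]
    if later_diffs:
        chain.append(max(later_diffs))
    return chain


# Constructed rotations and edit schedule (day 0 = Sunday full backup)
EDITS = {1: {"memo.doc"}, 2: {"budget.xls"}, 3: {"memo.doc"}, 4: {"deck.ppt"}}
INC_WEEK = [(0, "normal")] + [(d, "incremental") for d in range(1, 5)]
DIFF_WEEK = [(0, "normal")] + [(d, "differential") for d in range(1, 5)]
COPY_WEEK = [(0, "normal"), (1, "incremental"), (2, "copy"), (3, "incremental")]

if __name__ == "__main__":
    for label, week in (("incremental", INC_WEEK), ("differential", DIFF_WEEK), ("copy mid-week", COPY_WEEK)):
        print(label, simulate(week, EDITS), "restore:", restore_chain(week))
```

Running it shows the trade-off in the bullets: the incremental week copies the least per night but needs all five sets to restore, the differential week copies more each night (day 4 is a full copy again) but restores from two sets, and the copy job on day 2 leaves the day 3 incremental still picking up the day 2 change.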
[6.3] Backup log
  • By default 10 backup logs are kept on the server
  • There are three logging options:
    • No log
    • Summary log (default)
    • Detailed log
[6.4] Restore options
  • Do not replace files (default)
  • Replace only if the file on disk is older
  • Always replace files
  • Options for where to restore the files:
    • Restore to alternate location
    • Restore to single folder
    • Restore to original location
[6.5] Authoritative vs. normal (non-authoritative) vs. primary restore
  • DCs use Update Sequence Numbers (USNs) and per-attribute version numbers to decide which replica of an object is the newest
  • A normal (non-authoritative) restore brings back the AD database from backup and then lets replication overwrite it with any newer changes from the other DCs
  • An authoritative restore marks the restored objects as newer than any replica (their version numbers are raised), so the restored copy replicates out to the other DCs. Use it when something was accidentally deleted from AD and you want it back.
  • Objects are marked authoritative with ntdsutil.exe after the restore, while the DC is still in Directory Services Restore Mode
  • A primary restore is used to rebuild a domain from backup when the only DC in the domain, or all domain controllers, have failed.
  • Select primary restore only when restoring the first replica (for example of SYSVOL) to the network.
[6.6] Running normal (non-authorative restore) steps
  • Boot the DC into Directory Services Restore Mode (F8) and log on with the DSRM password
  • Run ntbackup.exe and restore system state backup. After restore completes you need to restart the PC
[6.7] Running authorative restore steps
  • Perform the steps in [6.6], but do not reboot after the restore completes
  • Start ntdsutil.exe and type 'authoritative restore'
  • At the ntdsutil prompt type 'restore database' for the whole directory, or 'restore subtree <DN>' / 'restore object <DN>' to mark only the deleted OU or object (preferred, so the rest of the directory is not rolled back)
  • When the restore completes, quit ntdsutil and reboot your DC normally
[6.8] Running primary restore steps
  • Proceed as in normal (non-authorative) restore, but when restoring replicated data sets, mark the 'restored data as the primary data for all replicas' box
[6.9] Boot problems
  • Hit F8 for boot menu during startup
  • Last Known Good Configuration is the copy of the CurrentControlSet (services and drivers in use) that was saved at the last successful logon
  • Last Known Good Configuration is only a good choice if nobody has logged on since the problem arose, because a successful logon overwrites it with the current (broken) control set
  • Booting into safe mode does not update the Last Known Good Configuration, so you can try safe mode first without losing it
  • To access recovery console: 'winnt32.exe /cmdcons' - this places recovery console option into boot.ini
  • Recovery console is good for missing boot files
  • Can run recovery console from Windows 2003 CD, to run console from CD boot from CD and press R (repair installation)
  • When boot files are missing you will have to copy new ones from installation CD
  • Directory services restore mode:
    • This is like a safe mode for a domain controller
    • Active directory is not started
[6.10] Advanced boot options
  • Safe mode - in boot.ini /safeboot:minimal /sos /bootlog /noguiboot
  • Safe mode with networking - in boot.ini /safeboot:network /sos /bootlog /noguiboot
  • Safe mode with command prompt - in boot.ini /safeboot:minimal(alternateshell) /sos /bootlog /noguiboot
  • Enable boot logging - in boot.ini /bootlog
  • Enable VGA mode - in boot.ini /basevideo
  • Last known good configuration - not a boot.ini switch; it can only be selected from the F8 menu
  • Directory services restore mode (Windows domain controllers only) - in boot.ini /safeboot:dsrepair /sos
  • Debugging mode - in boot.ini /debug
[6.11] ASR - Automated system recovery
  • Replaces ERD (emergency repair disk)
  • Stores system state data
  • Need Windows 2003 CD and ASR floppy to do a clean install and apply system settings
  • ASR is the last resort for boot failures that Last Known Good, safe mode or the recovery console cannot fix; it reformats the system volume before restoring
  • To create ASR disk either run ntbackup.exe from command prompt or go to: start -> all programs -> accessories -> system tools ->backup
  • Using ASR recovers the system up to the point ASR was created
  • If you create ASR for system without floppy files are saved to the %systemroot%\repair folder on the server. ASR restore will not work without a floppy drive and the floppy disk.
  • To perform an ASR recovery you need:
    • ASR floppy disk
    • ASR Backup set
    • Windows 2003 setup CDROM
[6.12] Best practices for backup
  • Develop backup and restore strategies and test them; train people.
  • Always create an Automated System Recovery (ASR) backup set when the operating system changes
  • Always choose to create a backup log for each backup
  • Keep at least three copies of the backup media. Secure both the storage device and the backup media.
  • Perform a trial restoration periodically to verify that your files were properly backed up
  • Use volume shadow copies when performing a backup (default setting)
[6.13] Other points
  • System state data can only be restored and backed up locally (there are 3rd party software utilities that can restore and backup over the network)
  • 'Last known good configuration' recovers from most stop errors caused by a recent driver or service change, provided nobody has logged on since, BUT the server must still get as far as the boot menu; if a boot file such as ntldr is missing you need the recovery console or ASR
  • For major hardware failures such as a motherboard replacement you will need to reinstall Windows Server 2003 and then restore the system state so that the server keeps its original identity (SID and machine account)
  • The DSRM password can be different from the Administrator password
  • For problems with boot files use recovery console and copy needed files over from the CD

Part 7: Active directory primer

[7.1] The operations master roles (FSMO (Flexible Single Master Operations) roles)
  • Every forest must have the following roles: Schema master and Domain naming master
  • Every domain in the forest must have the following roles: PDC emulator master, RID master and Infrastructure master
  • At any time only one DC holds a given role within its scope (forest or domain)
  • Domain naming master - addition or removal of domains in the forest
  • Infrastructure master
    • Responsible for updating references from objects in its domain to objects in other domains
    • Compares its data with that of a global catalog
    • Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog.
  • Primary domain controller (PDC) emulator master
    • Needed for down-level clients (those not running the Windows 2000 or XP Pro client software) and for domains that still contain Windows NT BDCs
    • The PDC emulator is the authoritative time source for its domain (the forest root domain's PDC emulator for the whole forest)
    • Set its external time source with: net time \\ServerName /setsntp:TimeSource (on Windows Server 2003: w32tm /config /manualpeerlist:TimeSource /syncfromflags:manual /update)
    • If a logon authentication fails at another DC due to a bad password, that DC will forward the authentication request to the PDC emulator before rejecting the logon attempt since PDC emulator gets preferential treatment
    • Supports both NTLM and Kerberos authentication
  • Relative ID (RID) master - allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain
  • Schema master - handles all updates and modifications to the schema. To edit the schema with the Active Directory Schema snap-in you must first register its DLL: regsvr32 schmmgmt.dll
[7.2] AD troubleshooting and seizing a FSMO role
  • Use ntdsutil.exe to transfer FSMO roles
  • Use ntdsutil.exe utility for AD related tasks
  • Do not seize the FSMO role if you can transfer it instead. Seizing the FSMO role is a drastic step that should be considered only if the current operations master will never be available again.
  • Before seizing the chosen FSMO role, use the repadmin utility to verify whether the new operations master has received any updates performed by the previous role holder, and then remove the current operations master from the network.
[7.3] Other AD information
  • Dcpromo.exe is used to promote a member server to DC and to demote a DC back to member server
  • A global catalog is a DC that stores a copy of all AD objects in a forest. It stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. It is managed from 'Active Directory Sites and Services'.
  • Netdom - This command-line tool enables administrators to manage Windows 2003 and Windows 2000 domains and trust relationships from the command line (need support tools suptools.msi)
  • The DS*.exe family of tools
    • Dsadd - adds a computer, contact, group, organizational unit, or user to the directory
    • Dsmove - moves any object from its current location in the directory to a new location, as long as the move can be accommodated within a single domain controller, and renames an object without moving it in the directory tree
    • Dsquery - queries and finds a list of computers, groups, organizational units, servers, or users in the directory by using specified search criterion
    • Dsrm - deletes an object of a specific type or any general object from the directory
    • Dsget - displays selected attributes of a computer, contact, group, organizational unit, server or user in a directory
    • Dsmod - modifies an existing object of a specific type in the directory
[7.4] Other GP information
  • GPUpdate - refreshes local GP settings and GP settings that are stored in AD, including security settings
  • Order in which Group Policies get applied: Local computer, Site, Domain, OU (LSDOU). Each later policy overrides conflicting settings from the earlier ones, so OU-linked policies win over domain, domain over site and site over local.
  • OU is the smallest scope to which you can delegate authority or apply GP against
  • RSoP.msc - Resultant set of Policies is a GP tool that can be loaded as a Management Console snap-in. Resultant set of policies is the final set of policies that is applied to the user and computer.
  • Gpedit.msc - GP editor MMC
[7.5] DHCP
  • Dhcploc.exe - displays the DHCP servers active on the subnet including unauthorized servers
  • DHCP server must be authorized in the AD before it can give out addresses
  • IP autoconfiguration (APIPA) - when a PC does not get an IP address from DHCP it by default configures itself with an address in the 169.254.x.x range (no default gateway, so only the local segment is reachable)
[7.6] Other points
  • Whoami - returns domain name, computer name, user name, group names, logon identifier, and privileges for the user who is currently logged on
  • Removable Storage makes it easy for you to track your removable storage media (tapes and optical disks). Use rss or rsm utilities
  • Media pool description:
    • Blank or Foreign tape - unrecognized
    • Newly formatted tape - free
    • Tapes previously used by NTBackup - backup
    • Tapes not cataloged - import
  • Windows File Protection (WFP) - prevents the replacement of protected system files such as .sys, .dll, .ocx, .ttf, .fon, and .exe files. Turned on by default. Original files are stored in %SYSTEMROOT%\system32\dllcache
  • Systeminfo.exe (command line) or msinfo32 (its folder is not on the PATH, so launch it from the Run dialog, which resolves it through the App Paths registry key) - display system information
  • MBSA Microsoft Baseline Security Analyzer
    • mbsacli.exe for command line, mbsa.exe for GUI
    • Windows NT 4.0 Service Pack 4 (SP4) and later (remote scan only), Windows 2000, XP, 2003
    • IIS 4.0, 5.0, 5.1 or 6.0 are supported by scan
    • Internet Explorer 5.01 or later are supported by scan
    • SQL 7.0, 2000 are supported by scan
    • Office 2000, Office XP, or Office 2003 are supported by scan
    • Security update checks, password checks, Windows system check
  • Regedit.exe - used to edit the registry (Windows Server 2003 merges regedt32 into regedit, so there is only one editor)
  • Runas is also known as secondary logon; the Secondary Logon service must be running to use it. This command-line utility runs programs in a different user's security context. For example, a network administrator logged on as a regular user needs to run a system utility that requires administrative privileges. Instead of logging out and back in as an administrator, the user can use the runas command, which has the following syntax: runas /user:ComputerName\UserName "program name"
  • qchain.exe is used for multiple hot fixes (so as not to have to restart server multiple times)

#927 From: Testking_Mcse@yahoogroups.com
Date: Sun Nov 15, 2009 9:10 am
Subject: File - Microsoft exam 70-291 preparation guide.html
Testking_Mcse@yahoogroups.com
Send Email Send Email
 

Microsoft exam 70-291 preparation guide

Contents:

Part 1: Understanding Windows networks and TCP/IP
Part 2: Troubleshooting and monitoring TCP/IP
Part 3: Implementing, configuring and troubleshooting DNS servers
Part 4: Implementing, configuring and troubleshooting DHCP servers
Part 5: Implementing, configuring and troubleshooting routing and remote access in Windows networks
Part 6: Managing network infrastructure and security

Preface

I have written this short preparation guide as a way for myself to ease studying for the Mcirosoft 70-291 exam titled: "Implementing, managing and maintaining a Microsoft Windows Server 2003 network infrastructure". I provide this guide as is, without any guarantees, explicit or implied, as to its contents. You may use the information contained herein in your computer career, however I take no responsibility for any damages you may incur as a result of following this guide. You may use this document freely and share it with anybody as long as you provide the whole document in one piece and do not charge any money for it. If you find any mistakes, please feel free to inform me about them Tom Kitta. Legal stuff aside, let us start.

Guide version 0.006 last updated on 17/06/2004

Part 1: Understanding Windows networks and TCP/IP

[1.1] Basic networking definitions
  • Network infrastructure - set of physical and logical components that allow for, among other futures, security, management and connectivity
  • Physical infrastructure - is also known as network's topology, the physical layout of hardware components and the type of hardware as well as the technology used with hardware for data transmission.
  • Logical infrastructure - is the software that allows for communication over physical infrastructure, it includes services that run on the network like DNS
  • Network connection - is a logical interface between software and hardware layers
  • Network protocol - is the language used for communication between networked computers
  • Network service - is a program that provides features to hosts or protocols on the network
  • Network client - is a program that allows a computer to connect to a network operating system
  • Addressing - is the practice of maintaining a coherent system of addresses within organization's network that allow all computer to communicate
  • Name resolution - is the process of translating a computer name into an address and the other way around
  • Workgroup - is a simple grouping of resources which by default uses NetBIOS naming system. NetBIOS is used together with Common Internet File System (CIFS), an extension of Server Message Block (SMB) protocol, to provide file sharing. There is no centralized security in a workgroup environment. The default workgroup name is WORKGROUP. In the absence of a WINS server the NetBIOS names are resolved using broadcasts to local network segment.
  • Domain - is a collection of computers that share a common directory, security policies and relationships with other domains. The name 'domain' is used both by grouping of computers in AD and as names in DNS, they are different things.
  • Active Directory - is a distributed database that provides directory service
  • Remote access - is a connection that is configured for users that want to access resources from non-local site. There are two types, VPN and dial-up.
  • Network Address Translation (NAT) - is the system which allows computers with private addresses to communicate with computers on the internet
  • NWLink - Microsoft implementation of Novell IPX/SPX protocol used by NetWare networks
  • Certificate - is used for public key cryptography
  • NetBT - NetBIOS over TCP/IP, provides for higher level communications such as SMB (Server Message Block) and CIFS
  • CIFS - an extension of the SMB protocol that is used with basic file sharing. One of the advantages of CIFS over SMB is the ability to operate directly over DNS without the use of NetBIOS.
  • TCP/IP - most popular, scalable, routable and based on open standards protocol.
  • Redirector - client component that decides whether the request is to be serviced locally or remotely. In Windows the redirector is called Client for Microsoft Networks. It uses SMB/CIFS for communication.
[1.2] Network connection
  • Components that make up a connection: network clients, services and protocols
  • Connections by themselves don't provide communication, it occurs through components bound to the connection
  • Client for Microsoft Networks is by default bound to all local area connections, it allows client computers to perform CIFS related tasks
  • TCP/IP protocol is bound to all connections by default
  • File and printer sharing for Microsoft Windows is installed and bound to all connections by default
  • Advanced connection settings allow administrator to change the priority of each connection
  • Provider order tab in advanced settings dialog box allows administrator to change the network providers order. This setting is for all connections. By default, Microsoft Terminal Services is given priority over the Microsoft Network because Terminal Services are meant to be used in place of all other connections.
  • In the provider tab one also finds print provider order, by default LanMan Print Services is given priority over HTTP Print Services
[1.3] Default TCP/IP Settings, APIPA
  • APIPA stands for automatic private IP addressing
  • By default the IP address and DNS servers are to be obtained automatically from the DHCP server
  • If the computer cannot get address automatically it uses APIPA to assign itself one
  • APIPA assigns the PC an address from the range 169.254.0.1 to 169.254.255.254; it has been in use since Windows 98
  • Administrators can combine APIPA with an alternate configuration. When an IP address can be obtained from DHCP, APIPA turns itself off: an APIPA address never overrides a DHCP-obtained address
  • To disable APIPA the administrator can either configure an alternate IP address or set the registry entry IPAutoconfigurationEnabled to 0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface and reboot
  • An all zero address might indicate that the IP has been released and never renewed
  • When a computer fails to obtain APIPA address in the absence of DHCP server and static address, the administrator should look for a hardware problem
[1.4] Management and monitoring tools
  • Connection Manager - allows creation of customized remote access connections
  • Connection Point Services - Phone Book Service that needs IIS
  • Network Monitor - packet analyzer
  • SNMP - Simple network management protocol, agents that monitor activity in network devices and report to network management console. For use with both Windows and UNIX, works with almost any network device.
  • WMI SNMP Provider - lets client applications access static and dynamic SNMP information through WMI
[1.5] TCP/IP model
  • The TCP/IP model is the newer networking model, OSI Open System Interconnection model is an older model
  • Network interface - is the layer in the communications process that describes standards for physical media, for example ethernet. In OSI model it is both Physical layer and Data link layer.
  • Internet - is the layer in the communications process during which information is packaged, addressed and routed to other network destinations. ARP is used for address resolution, IP for addressing and routing data and ICMP for reporting errors and exchanging limited control/status information. In OSI model this layer is called the Network layer.
  • Transport - is the layer in the communications process during which the standards of data transport are determined: TCP, with its guarantee of delivery, and the connectionless, unguaranteed but fast UDP. This layer has the same name in the OSI model.
  • Application - is the layer in the communications process during which end user data is changed, packaged and sent to and from the transport layer, for example telnet. In OSI we have three layers here: Session, Presentation and Application.
[1.6] OSI model
  • OSI stands for Open System Interconnection model, it is an older networking model
  • 7 Application layer
  • 6 Presentation layer
  • 5 Session layer
  • 4 Transport layer
  • 3 Network layer
  • 2 Data link layer
  • 1 Physical layer
  • Layers 7, 6, and 5 correspond to Application layer in TCP/IP model
  • Layer 4 corresponds to the Transport layer in the TCP/IP model
  • Layer 3 corresponds to the Internet layer in the TCP/IP model
  • Layers 2 and 1 correspond to the Network Interface layer in the TCP/IP model
  • Protocols that were not originally part of the TCP/IP specifications are referred to not by their position in the TCP/IP model but by the OSI model. For example NetBT is a session (or layer 5) protocol.
[1.7] Protocols, their port numbers and layers in TCP/IP model they are in
  • Protocol number - is used to define a stream of data associated with a specific service
  • The transport is provided by TCP and UDP protocols
  • Internet layer protocols are ARP, IP and ICMP
  • HTTP - hypertext transfer protocol TCP port 80 (application layer)
  • SSL - Secure Sockets Layer, TCP port 443
  • SMTP - TCP port 25. Files stored in LocalDrive:\Inetpub\Mailroot
  • SNMP - simple network management protocol used to provide information about TCP/IP hosts, UDP port 161.
  • FTP - only basic authentication allowed, TCP port 20 (data) TCP port 21 (control). Files stored in LocalDrive:\Inetpub\Ftproot (application layer)
  • POP - TCP port 110
  • DNS - UDP port 53 (query) TCP port 53 (zone transfer)
  • NNTP - TCP port 119. Files stored in LocalDrive:\Inetpub\Nntpfile\Root
  • PPTP - Point to point tunneling protocol TCP port 1723; protocol number 47
  • L2TP/IPSec - UDP ports 500, 1701 and 4500; protocol number 50
  • ARP, ICMP and IP (internet layer)
[1.8] IP addressing
  • Internet Assigned Numbers Authority (IANA) divides up non reserved portions of IP address space
  • IANA gives address blocks to local authorities such as ARIN which in turn give it to large ISP
  • Private addresses are in ranges 10.0.0.0 - 10.255.255.254, 172.16.0.0 - 172.31.255.254, 192.168.0.0 - 192.168.255.254
  • IP addresses are just a representation of a 32 bit number broken into 8 bit parts for ease of visualization by the administrator
  • IP address is made up of two parts, network address and host address. Network prefix is the number of bits in network id.
  • IP class assignments
    • Class A 1-126.x.x.x, hosts supported 16777214, with mask 255.0.0.0
    • Class B 128-191.x.x.x, hosts supported 65534, with mask 255.255.0.0
    • Class C 192-223.x.x.x, hosts supported 254, with mask 255.255.255.0
    • Class D 224-239.x.x.x, reserved for multicast addressing
    • Class E 240-254.x.x.x, reserved for experimental use
  • The subnet mask is used to determine whether a packet is destined for the current network or not. It does that by masking the network part of the IP address. The PC proceeds by finding its own network address using its IP and subnet mask in a bitwise AND operation. Then the PC does a bitwise AND operation on the destination IP and its subnet mask to determine the foreign network address. If the addresses match then the packet is to travel on the local network; if they don't then the packet is destined for a foreign address.
  • CIDR - this is a shorthand notation for a subnet mask, classless interdomain routing notation. It counts the number of 1's in the subnet mask's binary representation and is displayed after the IP address, for example 192.168.2.12/24 means that the subnet mask is 255.255.255.0 since we have 24 1's in the subnet mask. It is not compatible with RIP v.1. It is the name administrators commonly refer to when talking about supernetting, since CIDR is used to shorten routing tables.
  • Default gateway is the IP address of a routing device that accepts packets destined to other networks. Other networks are subnets that are not within the broadcast range of the PC that contacts default gateway (itself it is within broadcast range).
  • Follow these simple checks to spot an IP address that is invalid:
    • Host without a subnet mask
    • No unique network ID (per WAN) or no unique host ID per LAN
    • Neither network ID nor host ID can be all 1's (since that is the broadcast address)
[1.9] Subnetting and supernetting IP networks
  • Subnetting - occurs when one needs to divide default A,B or C class address space into smaller spaces. The logical division is accomplished by extending the string of 1's in the subnet mask.
  • Subnetting is used for: accommodating security needs, physical topology, limitation of broadcasting
  • Number of hosts on a subnet = 2^(32 - number of 1's in the subnet mask) - 2. We subtract 2 since one address is needed for the network ID and one for the network broadcast
  • Host ID with all 0's is the network ID and host ID with all 1's is broadcast address
  • Supernetting - occurs when one wants to combine default A, B or C class address spaces into one large space. This method allows for more efficient allocation of network address space.
  • Supernetting's major difference from subnetting is the removal of 1's from the subnet mask. Thus one might have /23 /22 /21 /20 supernet masks.
  • Conversion from binary to decimal and back is based on the base each system uses, 2 for binary, 10 for decimal and so on. The position of a digit in a number, starting from zero, determines the power to which the base is raised. The value of the digit is the number by which the base raised to that power is multiplied. Sum over all the digits to get the number in decimal. For example the number 123 in base 8 is 1*8^2+2*8^1+3*8^0 = 83 in decimal. To minimize errors it is best to use a calculator.
  • Variable length subnet masks (VLSMs) - allow for subnets to be subnetted themselves making the use in large organizations of network address space more efficient. They allow administrators to create subnets of varying sizes.
  • Classless Inter-Domain Routing (CIDR - defined in RFC 1519) using variable length subnet masks (VLSM) was created to allow for greater flexibility with routed IP networks, to allow for the accelerating expansion of the Internet.
  • VLSMs use Subnet IDs to create subnets of different sizes, they are not compatible with old routing protocols like RIP 1
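The network-ID test, CIDR masks, the host-count formula and VLSM allocation from sections 1.8 and 1.9, worked in Python as an added example (not code from the guide); the addresses in it are constructed sample values apart from the guide's own 192.168.2.12/24.

```python
"""Subnet arithmetic from sections 1.8 and 1.9 worked in code.

Added example, not part of the original guide. All addresses below are
constructed sample values (192.168.2.12/24 is the guide's own example).
"""


def ip_to_int(ip):
    """Dotted-decimal text -> the 32-bit number it represents (section 1.8)."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-quad address: {ip!r}")
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    """32-bit number -> dotted-decimal text."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """CIDR prefix length -> subnet mask, e.g. /24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ip((((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask):
    """Count the 1 bits of a mask; reject a mask whose 1s are not contiguous."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (((1 << ones) - 1) << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def network_id(ip, mask):
    """Bitwise AND of address and mask, exactly the test the PC performs."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def is_local(src_ip, mask, dst_ip):
    """Same network ID on both sides -> deliver locally, else use the default gateway."""
    return network_id(src_ip, mask) == network_id(dst_ip, mask)


def usable_hosts(prefix):
    """2^(32 - prefix) - 2: network ID and broadcast address cannot be assigned."""
    if prefix >= 31:
        return 0  # /31 and /32 leave no room for the two reserved addresses
    return 2 ** (32 - prefix) - 2


def classify_host_address(ip, prefix):
    """Section 1.8 checklist: all-0 host bits = network ID, all-1 = broadcast."""
    mask_int = ip_to_int(prefix_to_mask(prefix))
    host_bits = ip_to_int(ip) & ~mask_int & 0xFFFFFFFF
    if host_bits == 0:
        return "network ID (host bits all 0)"
    if host_bits == ~mask_int & 0xFFFFFFFF:
        return "broadcast (host bits all 1)"
    return "valid host"


def allocate_vlsm(block, host_counts):
    """Carve block (e.g. '192.168.0.0/24') into variable length subnets (section 1.9).

    Largest request first, so every subnet starts on a boundary aligned to its
    size. Returns (requested hosts, subnet in CIDR notation, usable hosts) per
    request, in descending order of request size.
    """
    base_ip, base_prefix = block.split("/")
    base_prefix = int(base_prefix)
    cursor = ip_to_int(network_id(base_ip, prefix_to_mask(base_prefix)))
    end = cursor + 2 ** (32 - base_prefix)
    allocations = []
    for wanted in sorted(host_counts, reverse=True):
        prefix = 32
        while prefix > base_prefix and usable_hosts(prefix) < wanted:
            prefix -= 1  # shorten the mask until the subnet is big enough
        size = 2 ** (32 - prefix)
        if usable_hosts(prefix) < wanted or cursor + size > end:
            raise ValueError(f"cannot fit a subnet for {wanted} hosts in {block}")
        allocations.append((wanted, f"{int_to_ip(cursor)}/{prefix}", usable_hosts(prefix)))
        cursor += size
    return allocations


if __name__ == "__main__":
    print(network_id("192.168.2.12", "255.255.255.0"))               # 192.168.2.0
    print(is_local("192.168.2.12", "255.255.255.0", "192.168.3.7"))  # False
    print(usable_hosts(24), prefix_to_mask(22))                      # 254 255.255.252.0
    for row in allocate_vlsm("192.168.0.0/24", [100, 50, 10, 2]):
        print(row)
```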
[1.10] Other points
  • Administrator can install on a computer file and print services for Macintosh but only print services for Unix
  • TCP/IP is installed by default by Windows setup
  • The following are installed as part of simple TCP/IP services: Character Generator, Daytime, Discard, Echo, Quote of the day
  • The MAC address cache on a computer can be cleared manually (it refreshes itself every 2 minutes) by issuing arp -d command
  • Most computers on the network use DHCP for addressing as it produces less human error than static addressing. Static addressing is used by servers.

Part 2: Troubleshooting and monitoring TCP/IP

[2.1] Analyzing traffic using network monitor
  • Frame is an encapsulation of network interface layer (layer 2) data. Each frame contains source and destination computer addresses, header of the protocol used to send data and data itself.
  • Packet is an encapsulation of internet layer (layer 3) data
  • There are two versions of Network Monitor; the basic version ships with Windows Server 2003. The network administrator needs to purchase the advanced version from Microsoft. The advanced version can capture data from all devices on a network, provided the administrator uses hubs rather than the more common switches.
  • Network Monitor is made up of two components, administrative tool called Network Monitor and an agent called Network Monitor Driver
  • Network Monitor Driver can be installed by itself on windows XP/2000/2003 PCs in the same manner as one installs a new protocol
  • The monitor can be used to find a NIC's MAC address, a computer's GUID and much other useful information
  • Parsing is the process of reading, analyzing and describing the contents of frames. Administrator can add new parsers to network monitor by adding parser dll files into %systemroot%\system32\Netmon\Parsers folder and modifying parser.ini file in %systemroot%\system32\Netmon folder. By default network monitor supports over 90 protocols.
[2.2] Problems with TCP/IP connections
  • Network diagnostics is a graphical tool that administrator can access from help and support tools menu. Users can save output to a file for examination by network administrator.
  • Netdiag is a command line tool that is used to run different network tests. Administrator needs to install the tool first from the Windows CD, the support tools file is called suptools.msi.
  • Tracert - shows the path a packet takes to reach given destination, this is done by setting different TTL values in the IP header of ICMP echo requests. Up to 30 hops, tells administrator when connectivity stops.
  • Pathping - like tracert, shows the path that a packet takes to reach a given destination, but it also shows a detailed analysis of traffic. Used to troubleshoot erratic network behaviour such as packets being delayed, where tracert is used for network connectivity.
  • Arp - used to show the ARP cache on the PC. Sometimes local network computers can have wrong MAC addresses of each other cached and thus cannot communicate; use arp to check whether the addresses are correct. To clear the ARP cache use the arp -d command. Arp -a is used to check hardware address mappings; if it checks out look for a hardware problem
  • If the administrator is able to ping the loopback address, the PC's own address and the local gateway but no other PCs, the problem is most likely with the ARP cache being corrupted.
  • Troubleshooting steps: loopback, local PC, default gateway, remote host by IP, remote host by name.

Part 3: Implementing, configuring and troubleshooting DNS servers

[3.1] Differences between DNS and NetBIOS
  • NetBIOS (Network Basic Input Output System) is not a naming system, it is an API that provides naming and name resolution services
  • DNS is the preferred name resolution system in Windows, but it needs configuration unlike NetBIOS
  • NetBIOS is used for browsing Microsoft Windows Network through My Network Places and connecting to shares using UNC paths (File and Print for Microsoft Networks)
  • NetBIOS name space is flat, while DNS is hierarchical
  • NetBIOS name - used to identify a NetBIOS service that is listening on the first IP that is bound to the adapter
  • Maximum computer name length in NetBIOS is 15 bytes (characters) while in DNS host name can be up to 63 bytes and FQDN up to 255. When the computer name is longer than 15 characters then the NetBIOS name is the computer name's first 15 characters.
  • To view NetBIOS PC name go to system properties, network identification, properties and more button
  • Host name - the first label of an FQDN; it identifies just about any network interface with an IP bound to it
  • Primary DNS suffix - also known as primary domain name or the domain name, specified on the computer name tab
  • FQDN - DNS name that uniquely identifies the computer on the network. It is concatenation of the host name, primary DNS suffix and a period. The full computer name is a type of FQDN, the same computer can be identified by more than one FQDN but only the FQDN that concatenates the host name and primary DNS suffix represents the full computer name.
  • NetBIOS resolves names through WINS server, Local NetBIOS cache, NetBIOS broadcast, LMHOSTS file
  • DNS resolves names through DNS server or Hosts file (which is part of client cache). Entries added to the hosts file are immediately loaded into resolver cache.
  • Both LMhosts and hosts files are located in %systemroot%\system32\drivers\etc folder
  • Nbtstat is used to interact with NetBIOS from the command line: the -c switch lists local cache contents, -R purges the cache; to view the cache, use nbtstat -n
  • DNS is required for Windows 2000/2003 domains (AD) and internet
  • NetBIOS is needed by older Windows operating systems, workgroups in Windows 95/98/Me/NT
  • NetBIOS is enabled by default for all local area connections, administrator can disable NetBIOS to increase security from TCP/IP properties screen, but users will no longer be able to use computer browser service
  • Windows Server 2003 client computer always tries to resolve names using DNS before NetBIOS
[3.2] DNS as part of Windows Network
  • DNS is a hierarchical system based on a tree structure called DNS namespace
  • Each DNS namespace has to have a root that can have unlimited number of subdomains. The root is an empty string
  • Every node in the DNS namespace has a specific address by which it can be identified, called a FQDN
  • The dot is the standard separator between domain labels. The dot also separates the root from the subdomains, but it is usually omitted by the end user and automatically added by the DNS client service during a query.
  • On the internet the DNS root and top-level domains are under control of Internet Corporation for Assigned Names and Numbers (ICANN)
  • There are three types of internet top-level domains, organizational, geographical and reverse (in-addr.arpa)
  • A DNS server can be authoritative for one or more zones, which contain one or more domains. A server is said to be authoritative for a zone if it hosts the zone as primary or secondary server.
  • When client or DNS service are stopped, their caches are cleared
  • DNS client is installed by default, server component is not
  • A forwarder is a DNS server that is used to resolve queries external to the server using it
  • A conditional forwarder is a DNS server that examines the domain name of the query and forwards it (the query) to specific server based on name asked in the query. All forwarder options are set from the forwarders tab on the DNS server properties dialog box.
[3.3] DNS components
  • DNS zone is a portion of a DNS namespace for which a DNS server is authoritative. A server can be authoritative for one or more zones and each zone can contain one or more domains. Zone files store resource records; they are usually text files, but on Windows 2000/2003 administrators have the option of Active Directory integrated zones.
  • DNS resolver is a service that uses the DNS protocol to query DNS servers for information. On Windows 2003 this is done by the DNS Client Service
  • The third component is the DNS server itself. The above breakdown holds for any DNS implementation.
[3.4] DNS server query process
  • Each query message contains the following information:
    • DNS domain name as FQDN
    • Query type, resource record by type or specialized type of query operation
    • Specified class for the DNS domain name
  • When user wants to resolve an address the first place DNS client service looks in is user's computer local cache and hosts file
  • If local resources don't resolve the name, DNS client uses server search list to query preferred DNS server, if it is unavailable alternate DNS servers are used according to their positioning on the server preference list
  • The DNS server, after receiving a query, first checks to see whether it is authoritative for the domain in question; if it is not, it checks its local cache for already performed queries. If that doesn't resolve the name either, a recursive query is performed.
  • For recursive queries DNS server needs to be configured with Root Hints, which by default are stored in file cache.dns in %systemroot%\system32\dns folder
  • Server asks the appropriate root server for an address of more knowledgeable server, then it asks that server etc. till it gets the answer. It is like walking the namespace tree.
  • The most common responses to the client are: an authoritative answer, a positive answer, a referral answer and a negative answer.
  • If recursion is disabled on the server it will send a referral answer back to the client. The client will need to perform iteration (repeated query to different DNS servers - DNS tree walk) to get the answer it seeks.
  • After a query the client gets a positive answer that is frequently authoritative the first time around, while subsequent answers are non-authoritative. This is due to DNS server caching of the original query.
  • Reverse query - is performed by taking an IP address in the form a.b.c.d and presenting a query to the DNS server in the form d.c.b.a.in-addr.arpa. ARPA stands for Advanced Research Projects Agency. Due to lack of vision the first DNS implementation didn't support reverse queries; PTR records are just pointers to A records.
[3.5] DNS client query process timeout
  • DNS client sends a query to preferred DNS server and waits for 1 second for response
  • If no response is received the client sends a query to the first server on all adapters and waits for 2 seconds
  • If there is still no response, client sends a query to all DNS servers on all adapters and waits for 2 seconds
  • If no response continues client sends query to all servers again and waits for 4 seconds, then again and waits for 8 seconds
  • If after performing all of above steps client didn't get any response, it returns time out to the calling process
[3.6] Configuring DNS server
  • Network administrator can create two types of zones, forward or reverse lookup. In forward lookup zone the FQDN is mapped to an IP address, this is a conventional zone. In reverse lookup zone the IP address is mapped to FQDN
  • There are three types of DNS server roles with respect to a zone (i.e. we look at the zone and if our server is primary for that zone we say we have DNS server in primary role, however the same server can be secondary for a different zone (call it B) as well, in which case it is said to be in secondary role for zone B):
    • Primary - provides original data, can be updated
    • Secondary - provides a copy of original data, cannot be updated
    • Stub - copy of a zone containing only those resource records necessary to identify the authoritative DNS servers for the master zone; enables a parent zone to keep an updated list of name servers in the child zone
    • Caching only - no zones at all stored on the server
  • When administrator wants to decrease the amount of name resolution traffic while avoiding zone transfer traffic install caching only server
  • When DNS server is installed it is automatically configured to act as a caching only server
  • When a zone is created it automatically has in it SOA and NS records
  • To view the contents of the DNS server cache administrator needs to select 'Advanced' from view menu
  • In the resource record file lines that are blank or start with ; (semi-colon) are ignored by the DNS server
  • Master server is the server from which secondary server got zone information (can be a primary server or another secondary server)
  • When DNS server zone data is stored in AD (AD integrated) all DNS servers become peers
  • In non-Microsoft implementations of DNS server the secondary zone is also known as the slave zone, while the primary zone is also known as the master zone
[3.7] Resource records
  • Resource records have the following syntax: Owner TTL Class Type RDATA
  • Owner - the name of the host or the DNS domain to which this resource record belongs
  • Time to live (TTL) - A 32 bit integer representation of the time the record should be cached
  • Class - protocol family in use, optional field, IN (internet class) for Windows based DNS service
  • Type - for example A or TXT
  • RDATA - this is where actual resource record data is stored
[3.8] Basic resource record types
  • Host (A) - most common record type, used to associate computers to IP addresses. Administrator can add them manually, they can be added by DHCP Client service, updated by proxy for older Windows OS and DHCP on Windows Server 2003.
  • Alias (CNAME) - also known as canonical names. These records allow computers to use an alternative name to point to a host. They are quite often abused. They are recommended for use when a generic service such as ftp needs to resolve to a group of computers or when renaming a host.
  • MX - these are mail exchange records and they point to a mail servers for a given domain, more than one are used for fault tolerance (if the company can afford extra hardware and software needed)
  • PTR - pointer records are used to perform reverse lookup. Reverse lookups are performed in the zones with root in-addr.arpa. Same methods of creation as an A record - they are opposite of each other.
  • SRV - service locator records are used to specify the location of services in a domain. Windows Server 2003 AD uses SRV records; all the records needed by AD can be found in Netlogon.dns in the %systemroot%\System32\Config folder. If the records need fixing use netdiag /fix.
  • NS - name server record is used to indicate which DNS server(s) are designated as authoritative for the zone. Any server specified in the NS record is considered an authoritative source by other servers for given zone. It is able to answer with certainty any queries made for names included in the zone.
  • SOA - start of authority indicates the name of origin for the zone and contains the name of the server that is the primary source for information about the zone. It also indicates other basic properties of the zone like the primary DNS server, responsible person, serial number, refresh interval, retry interval, expire interval and TTL. SOA record is always the first record in any standard zone.
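An added Python example (not the guide's own code) that parses records in the Owner TTL Class Type RDATA form of section 3.7, ignoring blank and ';' lines as section 3.6 says the server does, builds the d.c.b.a.in-addr.arpa PTR names of sections 3.4 and 3.8, and splits out the SOA fields of section 3.12. The zone text, example.test and the 192.0.2.x addresses are constructed placeholders; treating TTL as optional on each line, and expecting names in RDATA to be fully qualified, are assumptions.

```python
"""Zone file records in the Owner TTL Class Type RDATA form of section 3.7,
with blank and ';' lines ignored (3.6), reverse names (3.4), PTR generation
(3.8) and SOA fields (3.12). Added example, not the guide's own code.

The zone below is constructed sample data (example.test and 192.0.2.x are
placeholders). TTL and Class are both treated as optional per line (an
assumption; the guide only calls Class optional) and RDATA names are expected
to be fully qualified. The SOA timers are the section 3.12 defaults.
"""
from collections import namedtuple

Record = namedtuple("Record", "owner ttl cls rtype rdata")

SAMPLE_ZONE = """\
; zone file for example.test (constructed sample, not a real domain)
@     3600 IN SOA ns1.example.test. hostmaster.example.test. 2004061701 900 600 86400 3600
@     3600 IN NS  ns1.example.test.
@          IN MX  10 mail.example.test.

ns1   3600 IN A   192.0.2.53
mail       IN A   192.0.2.25
www        IN A   192.0.2.80      ; web server
ftp        IN CNAME www.example.test.
"""


def qualify(name, origin):
    """'@' means the zone origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin, default_ttl=3600):
    """Return one Record per data line, skipping blanks and ';' comments."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # ';' inside quoted TXT data not handled
        if not line:
            continue
        tokens = line.split()
        owner = qualify(tokens.pop(0), origin)
        ttl, cls = default_ttl, "IN"
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            cls = tokens.pop(0).upper()
        if len(tokens) < 2:
            raise ValueError(f"line {lineno}: need a record type followed by RDATA")
        records.append(Record(owner, ttl, cls, tokens[0].upper(), " ".join(tokens[1:])))
    return records


def reverse_name(ip):
    """a.b.c.d -> d.c.b.a.in-addr.arpa., the name a reverse query asks for (3.4)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_records(records):
    """The PTR record the reverse zone needs for each A record (they are opposites, 3.8)."""
    return [Record(reverse_name(r.rdata), r.ttl, r.cls, "PTR", r.owner)
            for r in records if r.rtype == "A"]


def parse_soa(record):
    """Split SOA RDATA into the fields shown on the SOA tab (section 3.12)."""
    fields = record.rdata.split()
    names = ("primary_server", "responsible_person", "serial",
             "refresh", "retry", "expire", "minimum_ttl")
    if record.rtype != "SOA" or len(fields) != len(names):
        raise ValueError("SOA needs primary server, responsible person and five numbers")
    soa = dict(zip(names, fields))
    for key in names[2:]:
        soa[key] = int(soa[key])
    return soa


def lint_zone(records):
    """Checks the guide states: SOA first (3.8), an NS record (3.12), dotted SOA names (3.12)."""
    problems = []
    if not records or records[0].rtype != "SOA":
        problems.append("first record is not SOA")
    if not any(r.rtype == "NS" for r in records):
        problems.append("zone has no NS record")
    for r in records:
        if r.rtype == "SOA":
            soa = parse_soa(r)
            for key in ("primary_server", "responsible_person"):
                if not soa[key].endswith("."):
                    problems.append(f"SOA {key} must end with a period")
    return problems


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE, "example.test.")
    for r in zone + ptr_records(zone):
        print(r)
    print(parse_soa(zone[0]), lint_zone(zone))
```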
[3.9] Configuring client computers for use of DNS
  • In order to configure DNS on a client system an administrator needs to do three things:
    • Administrator needs to set host name for each computer that is going to use DNS, it can have up to 63 bytes (for NetBIOS compatibility up to 15 bytes (characters)) and can only contain letters numbers and '-', it is not case sensitive
    • Administrator also needs to set primary DNS suffix for each computer, the suffix together with the host name forms a FQDN, it is selected from the system properties -> computer name -> change button -> More, by default it is the same as the AD name in which the PC resides
    • Finally, the administrator needs to write a list of the DNS servers that the client is to use, in order, starting with the preferred DNS server
  • The administrator may configure a connection specific DNS suffix for each adapter on the DNS client PC; this is done from the Advanced TCP/IP settings dialog box. It gives a different FQDN to the same computer so it can communicate on a different subnet in addition to its full DNS computer name. For each FQDN and for the computer name, A and PTR records are created in the appropriate zones and DNS servers.
  • If network administrator configures DNS suffix search list then the computer will be able to resolve single-label unqualified names and multiple label unqualified names. By default, the search is performed using primary domain suffix and, if applicable, connection specific suffixes.
  • The ipconfig /displaydns command shows DNS cache on client, ipconfig /flushdns clears DNS cache
  • When a query is submitted with an unqualified name the client service by default adds to it the primary DNS suffix and checks the query. If that doesn't work the client adds connection specific DNS suffixes and retries. If there is still no positive response, client adds the parent suffix of the primary DNS suffix to the name and does the final check.
  • If the administrator is only able to ping the user computer by IP (from another PC), he can try to use ipconfig /registerdns on Windows XP/2000/2003
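A simulation, added here and not taken from the guide, of the client behaviour in sections 3.5 and 3.9: the suffix order tried for an unqualified name and the server retry schedule (1, 2, 2, 4, 8 seconds). Adapters, servers, names and addresses are constructed; the SERVERS dict stands in for the network, and letting a negative answer from any responding server end the search for that candidate name is a simplifying assumption.

```python
"""DNS client behaviour from sections 3.5 and 3.9: the suffix order tried for
an unqualified name and the server retry schedule (preferred server 1 s, first
server on every adapter 2 s, all servers 2 s, 4 s, 8 s).

Added example, not part of the guide. Adapters, servers, names and addresses
are constructed; SERVERS stands in for the network (None = server is down).
Simplification: a negative answer from any responding server ends the search
for that candidate name and the client moves on to the next suffix.
"""

# Retry rounds of section 3.5 as (which servers are asked, seconds waited).
ROUNDS = (("preferred", 1), ("first_per_adapter", 2), ("all", 2), ("all", 4), ("all", 8))


def parent_suffix(suffix):
    """'corp.example.test' -> 'example.test'; a single label has no parent."""
    labels = suffix.strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def candidate_fqdns(name, primary_suffix, connection_suffixes=(), search_list=None):
    """FQDNs the client tries, in order, for a submitted name (section 3.9).

    Default order: primary DNS suffix, connection-specific suffixes, then the
    parent of the primary suffix (the one level of devolution the guide
    describes). A configured suffix search list replaces that default order.
    """
    if name.endswith("."):
        return [name]  # already fully qualified: query it as given
    if search_list is not None:
        suffixes = list(search_list)
    else:
        suffixes = [primary_suffix]
        suffixes += [s for s in connection_suffixes if s not in suffixes]
        parent = parent_suffix(primary_suffix)
        if parent and parent not in suffixes:
            suffixes.append(parent)
    return [f"{name}.{s.strip('.')}." for s in suffixes]


def servers_for_round(adapters, stage):
    """adapters: one list of DNS server IPs per adapter, preferred server first."""
    if stage == "preferred":
        return adapters[0][:1]
    if stage == "first_per_adapter":
        return [a[0] for a in adapters if a]
    return [ip for a in adapters for ip in a]


def query_servers(fqdn, adapters, servers, log):
    """Run the section 3.5 schedule for one FQDN.

    Returns (address or None, simulated seconds spent). None after all five
    rounds is the timeout the client returns to the calling process.
    """
    waited = 0
    for stage, wait in ROUNDS:
        asked = servers_for_round(adapters, stage)
        log.append((fqdn, stage, tuple(asked)))
        for ip in asked:
            zone = servers.get(ip)
            if zone is None:
                continue  # this server does not respond
            return zone.get(fqdn), waited  # positive or negative answer ends the search
        waited += wait  # nobody answered: wait out the round, then escalate
    return None, waited


def resolve(name, adapters, servers, primary_suffix, connection_suffixes=(), search_list=None):
    """Try each candidate FQDN in turn; return what was resolved and the time spent."""
    log, total = [], 0
    for fqdn in candidate_fqdns(name, primary_suffix, connection_suffixes, search_list):
        address, waited = query_servers(fqdn, adapters, servers, log)
        total += waited
        if address is not None:
            return {"fqdn": fqdn, "address": address, "seconds": total, "log": log}
    return {"fqdn": None, "address": None, "seconds": total, "log": log}


# Constructed lab: two adapters; the preferred server of adapter 0 is down.
ADAPTERS = [["192.0.2.53", "192.0.2.54"], ["198.51.100.53"]]
SERVERS = {
    "192.0.2.53": None,
    "192.0.2.54": {"fs1.corp.example.test.": "10.1.0.5"},
    "198.51.100.53": {"fs1.corp.example.test.": "10.1.0.5",
                      "printsrv.lab.example.test.": "10.2.0.9"},
}

if __name__ == "__main__":
    for host in ("fs1", "printsrv", "nosuchhost"):
        result = resolve(host, ADAPTERS, SERVERS, "corp.example.test", ("lab.example.test",))
        print(host, "->", result["fqdn"], result["address"], f"{result['seconds']}s")
```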
[3.10] Updating of client records in the DNS
  • Windows server 2000/2003 and BIND 8.1.2 or later can accept dynamic updates of A and PTR records performed by clients or on behalf of clients by DHCP server.
  • By default, clients with static IP address attempt to update both A and PTR records for all IPs. Registration is based on domain membership settings.
  • Windows 2000/XP/2003 computers with dynamic address (assigned by DHCP) attempt only to update their A records (PTR left for DHCP server to update if needed). The client contacts the server every 24h to update the mapping unless one of the following occurs:
    • Computer name changes
    • Member computer is promoted to the role of DC
    • One of the commands listed is used: ipconfig /release, ipconfig /renew, ipconfig /registerdns
    • When the local IP address changes, including IP address lease from the DHCP server
  • Computers with operating system earlier than Windows 2000 (i.e. 95/98/Me) that use dynamic address have the DHCP server do all the work (both A and PTR records due to client unaware of dynamic update functionality). User can force registration by client using ipconfig /registerdns
[3.11] DNS server properties
  • Interfaces - which IP addresses the server computer should listen on for requests; by default all IP addresses
  • Forwarders - allows for setting up upstream DNS servers to which the current DNS server will forward queries. The process of forwarding selected queries is called conditional forwarding. This tab allows the administrator to disable recursion (on a per domain basis) on queries that have been sent to a forwarder (by default, if the forwarder fails to resolve, the local server tries to resolve using recursion). When DNS server A has forwarder server B set and server A has disabled recursion, then server A is called a slave server since it is totally dependent on server B (the forwarder) for queries it cannot resolve locally. The default timeout for a forwarded query is 5 seconds.
  • Advanced tab - allows enabling and disabling of special features. If the administrator disables recursion here then it is disabled for all queries and forwarders are disabled as well.
  • Root hints - this tab contains a copy of the information found in the %systemroot%\system32\dns\cache.dns file. The list of root servers rarely changes; network administrators can get the latest one from ftp://rs.internic.net/domain/named.cache. The administrator should delete this file if the DNS server is a root server, in which case this screen is disabled.
  • Debug logging - allows the network administrator to troubleshoot his DNS server by logging selected incoming and outgoing packets. Debug logging is a processor and resource intensive operation.
  • Event logging - allows network administrator to restrict the events written to the DNS event log
  • Monitoring - basic functionality tests (2) are performed here. The first test is reverse query targeted at self, the second test does reverse query targeted at root DNS server. Administrators are allowed to schedule these tests to be performed between certain time intervals.
  • Security - this tab is available only if the DNS server is also a domain controller and allows one to set the settings for the users that are given permission to view edit and set DNS zones data.
[3.12] Configuring Zone properties
  • General tab - used to configure zone type, zone file name, dynamic updates and aging. Administrators can pause name resolution for a zone. AD-integrated zones have replication settings enabled; the administrator can select the servers to which DNS replication data is sent. There are three dynamic update settings for AD-integrated zones: none, non-secure and secure. Aging is the process of placing a time stamp on a dynamically registered resource record and then tracking the record's age. Scavenging is the process of deleting outdated records. When aging and scavenging are enabled, the zone files are not compatible with Windows DNS servers older than Windows 2000.
  • Start of authority (SOA) tab - the administrator can set a serial number which acts as a revision number; it is used to synchronize zone transfers. The Primary server box contains the full name of the server and must end with a period. Responsible person is the domain mailbox name of the responsible person and should always end with a period. Refresh interval is the amount of time the secondary server waits before checking the master server for an updated copy of the zone; by default it is 15 minutes. Retry interval is the amount of time (default 10 minutes) the secondary server waits before retrying a failed zone transfer. Expires after is the amount of time a secondary server without contact with the master server continues to answer queries; the default is 1 day, after which the data is considered unreliable. Minimum (default) TTL is the time to live applied to all resource records in the zone; the default is 1 hour. TTL for this record is the TTL of the SOA resource record itself and overrides the general TTL setting above it.
  • Name Servers tab - this tab allows the administrator to create NS resource records; they can be created only here (unless created manually). Every zone must contain at least one NS record. In Windows Server 2003, for primary zones zone transfer is allowed by default only to the servers specified in the Name Servers tab.
  • Security tab - ACL that defines who can manage and modify zone file data.
  • WINS tab - used to configure WINS servers to aid in name resolution. When the administrator configures WINS, a WINS resource record is added to the zone database. If WINS lookup is configured for both the forward and reverse zones, then the data is added to both forward and reverse zones.
  • Zone transfer tab - allows the system administrator to restrict the servers to which zone data will be transferred. Primary servers have zone transfers either disabled or limited to the servers listed on the Name Servers tab. The administrator can also specify by IP address the servers to which data may be transferred. Secondary servers do not allow zone transfers by default; they need to be enabled first. The 'to any server' setting was enabled on Windows 2000, but was a huge security hole. The administrator can also notify the secondary servers of a zone file change; notification is enabled by default. There is no need for notification in AD-integrated zones. If the server to which DNS data is to be transferred has multiple IP addresses on the same subnet, then all of them have to be included for transfers to be successful.
[3.13] Configuring Zone properties - AD integration
  • Application directory partitions are replicated among DCs; the ones applicable to DNS are DomainDnsZones and ForestDnsZones. The name of each application directory partition is that name concatenated with the FQDN, for example DomainDnsZones.microsoft.com. The domain application directory partition is replicated to the domain's servers, the forest application directory partition to all servers in the forest. The administrator can add new application directory partitions for use by the DNS server using dnscmd [server] /createdirectorypartition [full partition name (FQDN)]; to enlist other DNS servers in the partition, the administrator needs to issue the command dnscmd [server] /enlistdirectorypartition [full partition name (FQDN)]. There are no application directory partitions on Windows 2000 (they are new to Windows 2003). To work with application directory partitions the administrator needs to be a member of the enterprise administrators security group.
  • There are four options for zone data replication when the administrator chooses to use AD-integrated zones. On the General tab of the zone properties a button is available to change the replication scope when the zone is AD-integrated. Zone data can be replicated:
    • To all DNS servers in the AD forest - the broadest scope of replication
    • To all DNS servers in the AD domain
    • To all DCs in the AD domain [domain here] - select this if Windows 2000 DNS servers are to load the AD zone
    • To all DCs specified in the scope of the following application directory partition - replicates as the specified application directory partition does; if the zone is to be stored in a specified application directory partition, the DNS server hosting the zone must enlist in the application directory partition that contains that zone.
  • Secure dynamic updates can be performed only in AD-integrated zones; they use Kerberos for security. Only computers running Windows XP/2000/2003 are capable of secure updates.
  • DnsUpdateProxy group - used to solve a problem that occurs with secure dynamic updates. The computer that registered the record becomes its owner and is the only PC that can update it. Thus, for example, if the DHCP server registers an A record for a PC, the DHCP server becomes the owner, not the PC to which the A record points. When the DHCP server is a member of the DnsUpdateProxy group it is prevented from taking ownership of the record; an entry without security settings exists until the real owner takes ownership of it.
  • Only primary zones can be AD-integrated. Secondary zones are always stored as text files; there are no AD-integrated secondary zones since AD integration makes all servers into peers.
[3.14] Advanced DNS server properties
  • Disable recursion - the DNS server uses recursion to resolve client queries when this option is left in its default (disabled) state. When the option is enabled the DNS server does not answer the query for the client but instead provides the client with referrals. When recursion is disabled the DNS server will not be able to use forwarders.
  • BIND Secondaries - the DNS server does not use the fast transfer format when performing a zone transfer to a secondary server based on BIND. This allows compatibility with older versions of BIND; versions 4.9.4 and later support fast zone transfer and this option should be disabled for them. The fast transfer format is efficient, allows data compression and transfers multiple records per TCP message; it is always used among Windows-based DNS servers. This option is enabled by default.
  • Fail on Load if Bad Zone Data - when this option is disabled (the default setting) the DNS server loads the zone even if errors are found in the database file. Any errors that occur are logged. When the option is enabled, a damaged zone database stops the load operation.
  • Enable netmask ordering - when selected (the default setting), this option makes sure that when a client query matches multiple A records, the one in the client's subnet is returned first in a response list that contains all matching records. This option is also referred to as the LocalNetPriority option (the name the dnscmd utility uses for it).
  • Enable round robin - this setting (enabled by default) ensures that for a query that matches multiple A records the first entries in the returned response list rotate. This method is used as a poor man's network load balancing. Local subnet priority is taken into consideration before round robin is. When round robin is disabled records are returned in the order they appear in the zone file.
  • Secure cache against pollution - this setting (enabled by default) prevents the DNS server from accepting referrals that might pollute its cache or be insecure. The server caches only those records whose name corresponds to the domain for which the original query was made; any others are discarded.
  • Name checking - the default setting of Multibyte (UTF8) ensures that the DNS server verifies that all domain names conform to the Unicode Transformation Format (UTF). Use Strict RFC if the server cannot work with UTF; the other two options (All names and Non RFC) are only for special circumstances.
  • Load zone data on startup - specifies where initial zone data is loaded from; by default it is from Active Directory and the registry. The other storage options are the registry alone or a file. The file format comes from BIND-based DNS servers and the file is usually named Named.boot, in the older BIND 4 format (not BIND 8).
  • Enable automatic scavenging of stale records - this option is disabled by default; when enabled the DNS server performs scavenging of stale records automatically at pre-defined time intervals.
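The three response-handling behaviours above (netmask ordering, round robin, and secure cache against pollution) as a small model; this is an added example, not code from the guide or from the Windows DNS server. The zone data, the client address and the /24 subnet used for the "local" test are constructed assumptions.

```python
"""Added example (not from the original guide): models three Advanced-tab
behaviours, netmask ordering, round robin and 'secure cache against
pollution'. The zone data, client address and /24 subnet match are
constructed assumptions."""
import ipaddress


class ResponseOrderer:
    """Orders several A records for one name the way the guide describes:
    round robin rotates the list on every query, and netmask ordering then
    moves records from the client's own subnet to the front."""

    def __init__(self, zone, netmask_ordering=True, round_robin=True, prefix_len=24):
        self.zone = {name: list(addrs) for name, addrs in zone.items()}  # zone-file order
        self.netmask_ordering = netmask_ordering
        self.round_robin = round_robin
        self.prefix_len = prefix_len     # assumed subnet size used for the 'local' test
        self._rotation = {}              # per-name rotation offset

    def answer(self, name, client_ip):
        records = list(self.zone[name])
        if self.round_robin:
            offset = self._rotation.get(name, 0)
            self._rotation[name] = (offset + 1) % len(records)
            records = records[offset:] + records[:offset]      # rotate by one each query
        if self.netmask_ordering:
            client_net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
            local = [r for r in records if ipaddress.ip_address(r) in client_net]
            remote = [r for r in records if ipaddress.ip_address(r) not in client_net]
            records = local + remote                             # local subnet priority wins
        return records


def _labels(name):
    return name.lower().rstrip(".").split(".")


def within_domain(record_name, domain):
    """True when record_name equals domain or is a subdomain of it."""
    r, d = _labels(record_name), _labels(domain)
    return len(r) >= len(d) and r[-len(d):] == d


def filter_referral(queried_name, referral_zone, records):
    """Secure cache against pollution: a referral is only trusted for a zone the
    queried name belongs to, and only its records with names under that zone are
    cached; anything else (e.g. an A record for a server in another domain) is
    discarded. records are (name, type, data) tuples."""
    if not within_domain(queried_name, referral_zone):
        return []
    return [rec for rec in records if within_domain(rec[0], referral_zone)]


if __name__ == "__main__":
    # Constructed sample: one name with four A records, one of them on the client's subnet.
    orderer = ResponseOrderer({"www.example.com.": ["10.0.1.10", "10.0.2.10", "10.0.3.10", "192.168.5.10"]})
    for _ in range(3):
        print(orderer.answer("www.example.com.", "10.0.2.55"))
    print(filter_referral("www.example.com.", "example.com.", [
        ("example.com.", "NS", "ns1.example.com."),
        ("ns1.example.com.", "A", "10.0.0.5"),
        ("ns1.elsewhere.test.", "A", "203.0.113.7"),   # out-of-domain glue, dropped
    ]))
```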
[3.15] Creating zone delegations
  • When the administrator delegates a zone, a portion of the authority over the main DNS namespace is assigned to subdomains within that namespace. The responsibility is passed from the parent domain to the subdomain.
  • The network administrator should consider delegation when:
    • There is a need for hosts whose names are structured around department affiliation
    • The central company administrative body wants departments to handle their own business
    • Network traffic is creating the need to distribute the query load over multiple DNS databases
  • The parent zone needs to contain the A record and the NS record of the child zone; both records are created automatically when a new delegation is created. The glue record (the A resource record) is hidden from the administrator's view, but it is still there.
  • The NS record is known as the delegation record; it advertises the name server and performs the actual delegation. The A resource record is known as the glue record; it is needed if the authoritative server is itself inside the delegated zone.
  • Delegation takes precedence over forwarding, i.e. if a server knows of a child that can answer the query it contacts that child rather than issuing a forwarded query.
[3.16] Stub Zones
  • A stub zone is a reduced copy of a zone, updated at regular intervals, that contains only the NS records belonging to the master zone. As a result, the server that hosts the stub zone does not answer queries directly; instead it directs queries to the name servers specified in the stub zone's NS records.
  • A stub zone keeps all NS records from the master zone current. When the administrator configures a stub zone, at least one name server whose IP address does not change must be specified. Any further name servers added to the zone are added automatically through zone transfer. The administrator cannot modify the stub zone data directly; it is modified automatically when the parent zone changes.
  • When delegating control of a zone to another server, the master server will not learn of new servers added to the child zone. The administrator needs to set up a stub zone for the child on the master server to ensure that the master server learns of new name servers in the child zone.
  • Stub zones can also be used to provide additional connectivity across domains without the redundancy provided by secondary servers. Enhanced connectivity is achieved without an increase in replication traffic.
  • A stub zone contains the SOA, NS and A glue resource records for the authoritative DNS servers in the zone. The SOA record points to the master server while the NS records point to the other name servers, and the A records hold the IP addresses of the authoritative servers.
  • The stub zone name resolution process: a client queries a server with a stub zone, and the DNS server uses the stub zone resource records in resolution. The authoritative servers in the stub zone are contacted; if they cannot answer, standard recursion is performed. The response from the stub zone's authoritative server is not placed in the stub zone but cached with the TTL from the stub zone's SOA record.
  • Stub zones offer the following advantages:
    • Stub zones improve name resolution by allowing the server to perform recursion without using the root servers
    • They keep foreign zone information current: by updating the stub zone at regular intervals the zone keeps an accurate list of the name servers in the child zone.
    • They simplify DNS administration by distributing zone information without the need for secondary zones.
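The resolution order the guide describes across sections 3.14 to 3.16 (own zones, then a delegation ahead of any forwarder, then a stub zone's servers, then forwarders and root hints, and referrals only when recursion is disabled), as an added example that is not code from the guide or from the Windows DNS server. The zone names, server names and forwarder address are constructed, and the root-hints fallback after the forwarders is an assumption about the default forwarder behaviour.

```python
"""Added example (not from the original guide): which resolution path a
Windows DNS server takes for a query, following the guide's rules: its own
zones first, a delegation ahead of any forwarder, a stub zone's name servers,
then forwarders, then root hints, and referrals only when recursion is
disabled. Zone names, server names and the forwarder address are constructed."""


def _labels(name):
    return tuple(name.lower().rstrip(".").split("."))


def _within(name, zone):
    """True when name equals zone or lies beneath it."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


class DnsServerConfig:
    def __init__(self, zones, delegations=None, stubs=None, forwarders=None, recursion=True):
        self.zones = list(zones)                    # zones hosted here (primary, secondary or AD-integrated)
        self.delegations = dict(delegations or {})  # child zone -> NS names (the delegation records)
        self.stubs = dict(stubs or {})              # stub zone -> NS names learned from its master
        self.forwarders = list(forwarders or [])
        self.recursion = recursion                  # False models 'Disable recursion' being ticked

    def plan(self, qname):
        """Return the ordered steps the server would take for qname."""
        best = None   # (kind, zone): the longest matching name wins, so a child beats its parent
        sources = (("authoritative", self.zones), ("delegation", self.delegations), ("stub", self.stubs))
        for kind, names in sources:
            for zone in names:
                if _within(qname, zone) and (best is None or len(_labels(zone)) > len(_labels(best[1]))):
                    best = (kind, zone)
        if best is None:
            return self._recursion_steps()
        kind, zone = best
        if kind == "authoritative":
            return [("answer-from-zone", zone)]
        servers = tuple((self.delegations if kind == "delegation" else self.stubs)[zone])
        if not self.recursion:
            return [("referral", zone, servers)]    # hand the client the child's NS records instead
        # the child zone's own servers are asked first; ordinary recursion only if they cannot answer
        return [(kind, zone, servers)] + self._recursion_steps()

    def _recursion_steps(self):
        if not self.recursion:
            return [("referral-only",)]             # no recursion means no forwarders either
        steps = [("forwarder", fw) for fw in self.forwarders]
        steps.append(("root-hints",))               # assumed fallback when no forwarder answers
        return steps


if __name__ == "__main__":
    cfg = DnsServerConfig(zones=["example.com."],
                          delegations={"sales.example.com.": ["ns1.sales.example.com."]},
                          stubs={"partner.net.": ["ns.partner.net."]},
                          forwarders=["10.0.0.53"])
    for q in ("www.example.com.", "host.sales.example.com.", "mail.partner.net.", "www.other.org."):
        print(q, "->", cfg.plan(q))
```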
[3.17] Understanding DNS troubleshooting tools
  • Nslookup is a command line tool used for querying the DNS server. In interactive mode the commands entered are case sensitive. Here is a short description of the more advanced options available:
    • The command set q=[recordtype|any] is used to search for specific record types
    • To use a different server, use "server new_server_name"
    • The network administrator can use the 'ls' command to simulate a zone transfer; all data can be listed. Note that by default on Windows Server 2003 zone transfers are restricted to approved hosts only. The -a switch returns alias and canonical names, -d returns all data, -t filters by type
  • The DNS debug log is found in the %systemroot%\system32\dns folder and is named Dns.log. The administrator should view this file when the DNS service is stopped. The default file format is RTF, so to open it the user needs WordPad (not Notepad or another basic text editor). By default only DNS errors are logged, but the administrator can change that from the Debug logging tab of the DNS server properties.
  • The DNS event log logs everything by default; the administrator can change that default behaviour using the Event Logging tab in the DNS server properties. This is a standard Windows log file and all size and filtering options are the same as for any other log.
  • Commands entered into nslookup in interactive mode are case sensitive
  • The Support Tools include a utility called DNSLint which is useful when troubleshooting delegation issues
  • The dnscmd tool includes two useful troubleshooting switches, /clearcache and /info (whose actions are self-explanatory)
[3.18] Stale records
  • Stale records (records that are no longer valid) can be left on the server. One common way this happens is when a client PC is not allowed to clean up after itself because it is improperly disconnected from the network.
  • The following features of the DNS server in Windows 2003 help system administrators get rid of stale records:
    • Records in a primary zone can have a time stamp attached to them (as per the DNS server's time); manually added records have a time stamp value of zero, indicating that they do not age
    • Records are aged as per their TTL. Secondary zones are scavenged by the primary server.
  • If stale records persist on the system, they may cause the following problems:
    • Improper name resolution, and a FQDN prevented from being used by another PC
    • Poor server performance, with too many records to search and very large zone files to transfer
[3.19] Using DNS monitoring tools
  • To monitor the resource impact of the DNS server on the PC use Performance Monitor, perfmon.exe. The DNS object includes 62 different counters that the computer can keep track of.
  • For AD-integrated zones there is the option of using AD-native monitoring to trace the replication traffic. Replmon.exe from the Windows Support Tools is used to monitor and troubleshoot AD replication.
  • The replication monitor displays 5 or more directory partitions; the administrator needs to find out in which one the DNS zone data is stored. The command dnscmd /zoneinfo [domain name] can be used to find zone information. Once the directory partition is known, the administrator can use the replication monitor to force zone replication: right-click the directory partition and choose Synchronize with all servers. Any general replication errors are displayed by the replication monitor.
  • For more advanced AD debugging use the repadmin utility provided as part of the Windows Support Tools.
[3.20] Improving DNS server performance
  • By installing a caching-only server close to the clients, the load on the primary and secondary servers is greatly decreased
[3.21] Other points
  • The DNS cache is cleared each time the DNS service is restarted. The DNS cache can also be cleared using dnscmd /clearcache from the command line
  • The DNS server test consists of a single reverse lookup of the loopback device; if it fails make sure you have a record named '1' in the reverse lookup zone 0.0.127.in-addr.arpa. Another test checks for recursive DNS.
  • A zone transfer can be started when one of the following four events occurs:
    • The refresh interval of the primary zone's SOA record expires
    • The secondary server boots up (the DNS service is restarted)
    • A change occurs in the configuration of the zone records on the primary server and it notifies the secondary of the change
    • The DNS console is used at the secondary server to manually initiate a transfer of the zone from its master server
  • When a zone transfer occurs it is by default an incremental zone transfer (IXFR), which transfers only changed records; it is described in Request for Comments (RFC) 1995. Some older DNS servers that do not support IXFR use a full zone transfer (AXFR), which is also supported by Windows Server 2003. The older standard transfers the whole DNS database.
  • Stub and secondary zone update operations explained:
    • Reload - reloads the zone from the local storage of the DNS server hosting it
    • Transfer from Master - the server hosting the zone checks its SOA record for expired data and performs a zone transfer from the zone's master server
    • Reload from Master - this operation performs a zone transfer from the zone's master server regardless of the serial number or expiry date in the zone's SOA record
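A simulation of how a secondary server acts on the SOA timers from section 3.12 and the transfer triggers and update operations listed above (refresh, retry, expire, change notification, Transfer from Master, Reload from Master, IXFR versus AXFR); this is an added example, not code from the guide or from the Windows DNS server. The master-server stand-in, the zone contents and all timings are constructed.

```python
"""Added example (not from the original guide): simulates how a secondary
server acts on the SOA timers and zone-transfer triggers described above
(refresh, retry, expire, change notification, 'Transfer from Master',
'Reload from Master', IXFR versus AXFR). The master stand-in and all
timings (in seconds) are constructed."""
from dataclasses import dataclass, replace


@dataclass
class Soa:
    serial: int       # revision number; a higher serial on the master means a transfer is due
    refresh: int      # wait before re-checking the master (guide default 15 min)
    retry: int        # wait after a failed check (guide default 10 min)
    expire: int       # time without master contact before the copy is unreliable (default 1 day)
    minimum_ttl: int  # default TTL for the zone's records (guide default 1 hour)


class MasterZone:
    """Holds the zone, bumps the serial on each change and keeps the change history for IXFR."""

    def __init__(self, soa, records):
        self.soa, self.records, self.first_serial = soa, dict(records), soa.serial
        self.history = []       # (serial after the change, {name: data or None})
        self.reachable = True   # set False to simulate the master being down

    def update(self, name, data):
        """Change one record (data=None deletes it) and advance the serial."""
        self.soa.serial += 1
        if data is None:
            self.records.pop(name, None)
        else:
            self.records[name] = data
        self.history.append((self.soa.serial, {name: data}))

    def changes_since(self, serial):
        """IXFR (RFC 1995): deltas newer than serial; None when the copy predates the
        history kept here, which forces a full AXFR instead."""
        if serial < self.first_serial:
            return None
        deltas = {}
        for s, change in self.history:
            if s > serial:
                deltas.update(change)
        return deltas


class SecondaryZone:
    """Secondary copy driven by the master's SOA timers."""

    def __init__(self, master, now):
        self.master, self.soa, self.records = master, None, {}
        self.last_contact, self.next_check, self.log = None, now, []
        assert self.reload_from_master(now) == "axfr", "first transfer needs a reachable master"

    def _transfer(self, now, force_full):
        deltas = None if force_full else self.master.changes_since(self.soa.serial)
        if deltas is None:                   # AXFR: the whole database replaces the copy
            self.records, kind = dict(self.master.records), "axfr"
        else:                                # IXFR: only the changed records are applied
            for name, data in deltas.items():
                if data is None:
                    self.records.pop(name, None)
                else:
                    self.records[name] = data
            kind = "ixfr"
        self.soa = replace(self.master.soa)  # take the master's SOA, new serial included
        self._touch(now, kind)
        return kind

    def _touch(self, now, kind):
        self.last_contact, self.next_check = now, now + self.soa.refresh
        self.log.append((now, kind))

    def poll(self, now):
        """Timer-driven check: nothing happens before the refresh (or retry) interval is up."""
        if now < self.next_check:
            return None
        if not self.master.reachable:
            self.next_check = now + self.soa.retry
            self.log.append((now, "retry"))
            return "retry"
        if self.master.soa.serial > self.soa.serial:
            return self._transfer(now, force_full=False)
        self._touch(now, "up-to-date")
        return "up-to-date"

    def notify(self, now):
        """A change notification from the master, or 'Transfer from Master' in the console:
        compare serials right away instead of waiting for the refresh interval."""
        self.next_check = now
        return self.poll(now)

    def reload_from_master(self, now):
        """'Reload from Master': full transfer regardless of the serial number."""
        return "retry" if not self.master.reachable else self._transfer(now, force_full=True)

    def answers_queries(self, now):
        """Past 'expire' seconds without master contact the copy stops answering queries."""
        return now - self.last_contact < self.soa.expire
```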

Part 4: Implementing, configuring and troubleshooting DHCP servers

[4.1] Configuring DHCP server
  • A DHCP server allows the system administrator to automatically assign IP addresses, subnet masks and other configuration information like DNS and WINS servers to client computers on the local network.
  • Through the use of a DHCP server network administrators save the time required for configuration and re-configuration of computers.
  • The administrator should install the DHCP service on a computer that has been assigned a static IP address (otherwise clients would have to look all over the subnet to get their addresses renewed)
  • You need administrative privileges to install and administer a DHCP server
  • You need to authorize your DHCP server if it is to be integrated in an AD network (the person authorizing the DHCP server needs to be a member of the enterprise administrators security group). Stand-alone DHCP servers can still be deployed but they should not share a subnet with authorized DHCP servers. Stand-alone servers that are deployed together with authorized servers are called rogue servers. A rogue server automatically stops its DHCP service when it detects an authorized server on the subnet.
  • A DHCP scope is a pool of IP addresses within a logical subnet which the DHCP server assigns to its clients. Scopes provide for IP address management.
  • When an IP address is offered to a client it is said to be a lease. When the lease is made it is said to be active. Leases are renewed for different reasons; the client will try to renew when 50% of the old lease has elapsed.
  • The DHCP server has to have an IP address compatible with the scope it is assigned, i.e. the server itself has to be in the scope.
  • The 80/20 rule - to provide for fault tolerance in an environment with two DHCP servers, the first server (A) should have 80% of the addresses for its local subnet and 20% of the addresses for the subnet on which the other DHCP server (B) is present. The same assignment is repeated on server (B), which gets 80% of the addresses in its own subnet and 20% of the addresses in the subnet on which server (A) is present. This concept applies when 2 or more DHCP servers are present.
  • Reservations are places in the scope reserved for specific computers. You reserve an IP address for a specific network adapter using its MAC address. To create a new reservation, open the scope in which you want to create it, right-click Reservations and select New Reservation. Reservations cannot be used interchangeably with manual static configurations. Reservations do not work when an address is simultaneously reserved and excluded. Reservations are used as an alternative to static addresses for computers that are not essential to network function (i.e. not critical servers).
  • The scope needs to be activated before the server can hand out addresses (for AD integration the server also needs to be authorized). To activate a scope open the DHCP console, select the scope you want to activate and from the Action menu select Activate.
  • Exclusion range - a group of IP addresses residing in the scope that the administrator does not wish to be leased to DHCP clients
  • DHCP is an extension of the Boot Protocol (BOOTP). The Microsoft DHCP server can assign addresses to BOOTP clients.
[4.2] DHCP scope options
  • DHCP options can be configured at the reservation, scope and server level. To configure options for a reservation, select it and from the Action menu choose 'Configure Options'. To configure options for a scope, select the Scope Options folder and then 'Configure Options'. To configure server options, select the Server Options folder and then 'Configure Options'
  • There are more than 60 different options available for the DHCP server; the most common (important) ones are:
    • 003 Router - IP addresses of routers on the same subnet as the client, used by the client for packet forwarding
    • 006 DNS Servers - IP addresses of DNS servers
    • 015 DNS Domain Name - the domain name DHCP clients should use when resolving unqualified names during DNS domain name resolution; allows for client dynamic DNS update
    • 044 WINS/NBNS Servers - IP addresses of WINS servers
    • 051 Lease - special lease option for remote clients
  • Options set on the DHCP server take effect when clients renew or obtain a new lease
[4.3] DHCP scope features
  • Scope name page - you can give your scope a name
  • IP address range - you define the starting and ending IP address of the scope and the subnet mask. You should choose a consecutive address range of the subnet and later exclude the computers with static addresses.
  • Add exclusions - these are the addresses that will not be leased to DHCP clients
  • Lease duration - length of the lease
  • Configure DHCP options - whether to configure DHCP options for the scope through further pages in the wizard or later in the DHCP console; you can configure options at the reservation level, scope level or server level. There are more than 60 different DHCP options.
  • Router (Default Gateway) - optional, which default gateway should be assigned to DHCP clients
  • Domain name and DNS servers - optional, which domain will be assigned as parent and which DNS servers will be given to the DHCP client
  • WINS servers - optional, addresses of WINS servers that are to be assigned to the DHCP client
  • Activate scope - optional, whether the scope will be activated after the DHCP wizard finishes
[4.4] Managing DHCP server
  • To change the DHCP server status open the DHCP console, go to the Action menu and select one of Start, Stop, Pause, Restart and Resume
  • You can also use the Net command to change the status of the DHCP server; the command line syntax is Net [operation, e.g. start/stop/pause/continue] DHCP_server
  • You can manage the DHCP server from the command line using the netsh command line tool with the dhcp subcommand.
  • A superscope is an administrative grouping of scopes that is used to support multiple logical subnets, also known as multinets, on a single network segment. Superscopes exist on one physical network and work with multiple logical networks. This method is used for the DHCP server to provide clients with addresses from multiple scopes. The administrator needs to delete the superscope before deleting any scope contained within it. A superscope groups scopes that can be activated together; it does not carry any details about the scopes.
  • To move a scope to a new addressing range, first create a new scope with the new range, then activate it and deactivate the old scope. Either manually or by waiting, make sure all clients move to the new scope, then delete the old scope.
  • If a superscope is not defined on a server then only one scope can be active at a time.
  • So that the DHCP server does not assign an already assigned IP address to a new client, DHCP has conflict detection (Advanced tab of the DHCP server properties), in which the server pings the address it is about to assign in order to check whether it is free.
  • Multicast scope - regular DHCP scopes provide client configuration by allocating ranges of IP addresses from the standard classes (A, B or C). The multicast address range uses an extra address class, D, with IP addresses from 224.0.0.0 to 239.255.255.255, for use in IP multicasting. In every TCP/IP network each host gets its own IP address from the regular address classes. This unicast IP address is assigned before a host can support and use secondary IP addresses, such as a multicast IP address. Multiple PCs can share the same multicast IP address. On private networks it is recommended to start with the 239.192.0.0 range. When a packet is sent to a multicast destination address, it is delivered to all PCs that have that address. Multicast scopes are supported through the use of MADCAP (Multicast Address Dynamic Client Allocation Protocol).
  • The DHCP server backs itself up every 60 minutes; you can also do a manual backup. A manual backup is performed with the Backup command in the DHCP console. When the backup is made the whole DHCP database is saved. Some things, like credentials, are not saved. The default manual backup location is %systemroot%\system32\dhcp\backup. The following data is backed up: all scope information including superscopes and multicast scopes, reservations, leases and all options. The database backup file is called DHCP.mdb.
    • To change the backup behaviour of the DHCP server, one needs to edit the following registry keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupInterval\
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupDatabasePath\
  • To migrate a DHCP server all you need to do is move the database: simply back it up and then restore it on the new computer
  • Jetpack.exe is a tool that allows offline compaction and repair of Jet databases such as those of DHCP or WINS. You can use dynamic compacting of the DHCP server database without the need to bring the server offline, but offline defragmentation is more efficient. Compacting should be done whenever the database size grows beyond 30 Mb or you get corruption errors.
  • Option classes are the way the DHCP server manages the options provided to clients within a scope. When an option class is added, clients of that class can get class-specific configuration options. There are two types of classes, vendor classes and user classes.
    • A vendor class is used to assign vendor-specific options to clients that share a common vendor
    • A user class is used to assign options to clients that share user-defined similarities
  • The DHCP server has a default user class called 'Default routing and remote access'. Options in this class apply only to clients that request an address while connecting through Routing and Remote Access. You can set different options; for example you can assign shorter leases to the clients connected remotely (this is option number 051 Lease).
  • To create your own user or vendor class open the DHCP console, right-click the DHCP server and select 'Define User classes'. After defining a new class you need to assign it an ID and options. On the client side you need to make sure that the clients know what class they are in; you do this by executing ipconfig /setclassid. To view all classes allowed by the DHCP server execute ipconfig /showclassid
[4.5] DHCP and DNS working together
  • Windows 2000 and later computers try to register their own A record but ask the DHCP server to register the PTR record
  • By default the DHCP server only attempts to update client records if such an operation is requested by the client computer
  • You can also configure the DHCP server to attempt to update A and PTR records regardless of client requests
  • By default the DHCP server discards the A and PTR records when the lease expires (you can set it so they are kept)
  • By default the DHCP server does not perform dynamic updates on behalf of older Windows clients that do not request updates
  • The update settings are configured on the DNS tab of the DHCP server properties
  • DnsUpdateProxy is a security group whose members create or update records without security settings (objects created by members of this group have no security-related settings). When a DHCP server that is not a member of the group modifies or creates an entry in DNS, it becomes the owner of that entry and only it can change the entry. This can create problems, for example a client cannot modify a record because the server took ownership of it. Membership of the DHCP server in this group solves such stale record problems.
  • Using the DnsUpdateProxy group can also cause problems if the DHCP service is installed on a DC, since all records created are not secure (the same holds for the A records of non-DC DHCP servers, but one can modify these manually, giving them an owner). In particular, the records created by the DC's Netlogon service are not secure.
[4.6] Analyzing DHCP server traffic
  • Communication between DHCP server and DHCP client for a lease:
    • A client seeking an IP address broadcasts a DHCPDISCOVER message on the network
    • Any DHCP server that receives the message and has available IP addresses sends a DHCPOFFER for a period of time called the lease
    • If no DHCP servers are available, the client can use APIPA or its alternative configuration; older clients fail to initialize and continue to send DHCPDISCOVER messages four times every 5 minutes
    • The client selects one of the offers and broadcasts a DHCPREQUEST indicating its selection
    • The DHCP server sends a DHCPACK message to the client with possible configuration information like DNS server IPs
  • Communication between DHCP server and DHCP client for lease renewal:
    • The client computer sends a DHCP Request message to the server that leased it the IP address; it contains the FQDN of the client computer. The DHCP Request message is also used by the client to request dynamic updates from the DHCP server.
    • If the DHCP server can be reached, it sends a DHCPACK message back indicating renewal of the current lease (or remains silent)
    • If the DHCP server cannot be reached then the client waits until it reaches the rebinding state, which usually occurs 7 days after the last lease renewal. When that state is reached the client attempts to renew with any available DHCP server.
    • If the server responds with a DHCP offer message the client renews the lease and continues its operation
    • If the lease expires and the client does not renew it, it ceases to use the leased IP address. It then tries to obtain a new IP address lease.
    • The DHCP server can also issue a DHCPNACK response indicating that the requested IP address is unavailable. In this case lease renewal fails and the client is forced to initiate a new lease request process.
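The lease exchange above (DISCOVER, OFFER, REQUEST, ACK and NAK, the guide's DHCPNACK) modelled on a server with the scope features from 4.1 (exclusions, reservations, conflict detection) and the giaddr-based scope selection that 4.8 refers to; this is an added example, not code from the guide or from the Microsoft DHCP server. The addresses, MACs, option names and the ping stand-in used for conflict detection are constructed.

```python
"""Added example (not from the original guide): a small model of the lease
exchange described above (DISCOVER, OFFER, REQUEST, ACK/NAK) on a server with
the scope features from 4.1 (exclusions, reservations, conflict detection)
and the giaddr-based scope selection from 4.8. Addresses, MACs, option names
and the 'ping' stand-in are constructed."""
import ipaddress


def renewal_time(granted_at, lease_seconds):
    """The client first tries to renew once half of the lease has elapsed."""
    return granted_at + lease_seconds // 2


class Scope:
    def __init__(self, network, first, last, lease_seconds,
                 exclusions=(), reservations=None, options=None, active=True):
        self.network = ipaddress.ip_network(network)
        self.first, self.last = ipaddress.ip_address(first), ipaddress.ip_address(last)
        self.lease_seconds, self.options, self.active = lease_seconds, dict(options or {}), active
        self.excluded = set()
        for lo, hi in exclusions:
            lo, hi = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
            self.excluded.update(ipaddress.ip_address(i) for i in range(lo, hi + 1))
        self.reservations = {m: ipaddress.ip_address(a) for m, a in (reservations or {}).items()}
        self.leases = {}                  # ip -> (mac, expiry); offers are held here as well

    def candidates(self):
        for i in range(int(self.first), int(self.last) + 1):
            yield ipaddress.ip_address(i)

    def assignable(self, ip, mac):
        """A reserved address goes only to its MAC and never when also excluded;
        any other address must be in range, not excluded and not reserved."""
        if mac in self.reservations:
            return ip == self.reservations[mac] and ip not in self.excluded
        in_range = self.first <= ip <= self.last
        return in_range and ip not in self.excluded and ip not in self.reservations.values()

    def free(self, ip, mac, now):
        holder = self.leases.get(ip)
        return holder is None or holder[1] <= now or holder[0] == mac


class DhcpServer:
    def __init__(self, server_ip, scopes, ping):
        self.server_ip = ipaddress.ip_address(server_ip)
        self.scopes = list(scopes)
        self.ping = ping                  # conflict detection stand-in: True if the address answers

    def select_scope(self, giaddr):
        """Empty giaddr: the client is on the server's own subnet. Otherwise the relay
        agent (RFC 1542 router) address in giaddr picks the scope for the remote subnet."""
        probe = self.server_ip if giaddr in (None, "", "0.0.0.0") else ipaddress.ip_address(giaddr)
        return next((s for s in self.scopes if s.active and probe in s.network), None)

    def lease_of(self, mac):
        for scope in self.scopes:
            for ip, (holder, expiry) in scope.leases.items():
                if holder == mac:
                    return str(ip), expiry
        return None

    def handle(self, msg, now):
        """Process one client message and return the reply, or None when the server stays silent."""
        scope = self.select_scope(msg.get("giaddr"))
        if scope is None:
            return None                   # no active scope for that subnet
        mac = msg["mac"]
        if msg["op"] == "DHCPDISCOVER":
            if mac in scope.reservations:
                ip = scope.reservations[mac]
                if not scope.assignable(ip, mac):
                    return None           # reserved and excluded at the same time: reservation fails
            else:
                ip = next((c for c in scope.candidates() if scope.assignable(c, mac)
                           and scope.free(c, mac, now) and not self.ping(str(c))), None)
            if ip is None:
                return None               # pool exhausted (audit event 14 in 4.7)
            scope.leases[ip] = (mac, now + scope.lease_seconds)   # hold the offered address
            return {"op": "DHCPOFFER", "yiaddr": str(ip), "lease": scope.lease_seconds}
        if msg["op"] == "DHCPREQUEST":    # first lease or renewal of the client's own address
            ip = ipaddress.ip_address(msg["requested"])
            if not (scope.assignable(ip, mac) and scope.free(ip, mac, now)):
                return {"op": "DHCPNAK"}  # client must start the lease process over
            scope.leases[ip] = (mac, now + scope.lease_seconds)
            return {"op": "DHCPACK", "yiaddr": str(ip), "lease": scope.lease_seconds,
                    "options": dict(scope.options)}
        raise ValueError(f"unsupported message {msg['op']}")
```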
[4.7] DHCP audit logging
  • In its default configuration the DHCP server writes daily audit logs to the folder %systemroot%\system32\dhcp. The text files created there are named after the day of the week they were created on. You can modify the file location from the Advanced tab of the DHCP server properties. The files are named in the format DhcpSrvLog-[3-letter day of the week abbreviation].
  • You can turn logging off on the General tab of the DHCP server properties. By default, the largest log file is 1Mb and logging stops if the amount of free disk space falls under 20 Mb.
  • A log file entry contains the ID, date, time, description, IP address, host name and MAC address. A CSV format is used for the columns; some may be blank.
  • The log file contains a summary of the event IDs that show up in the main body of the log file, up to event ID 50. Event IDs with numbers above 50 are used for AD authorization issues.
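A parser and a few defender-side checks for the audit log layout described above (ID, date, time, description, IP address, host name, MAC address in CSV columns, preceded by a free-text summary); this is an added example, not code from the guide or from Microsoft. The sample log is constructed, and the meanings given for event IDs below 50 come from Microsoft's legend for this log rather than from the guide.

```python
"""Added example (not from the original guide): a parser and a few
defender-side checks for the DHCP audit log format described above (CSV
columns ID, Date, Time, Description, IP Address, Host Name, MAC Address).
The sample log is constructed; the event-ID meanings for IDs below 50 are
from Microsoft's legend for this log, not from the guide."""
import csv

# Meaning of the event IDs the checks below act on.
EVENT_NAMES = {
    "00": "service started", "01": "service stopped",
    "10": "new lease", "11": "lease renewed", "12": "lease released",
    "13": "address conflict: IP found in use on the network",
    "14": "lease request refused: scope address pool exhausted",
    "15": "lease denied", "17": "lease expired",
}

# Constructed sample in the DhcpSrvLog-Xxx layout: free-text summary, then the CSV rows.
SAMPLE_LOG = """\
          Microsoft DHCP Service Activity Log (constructed sample)
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/17/04,08:00:00,Started,,,
10,06/17/04,08:01:12,Assign,10.0.1.50,pc01.example.com,0003FF1A2B3C
11,06/17/04,08:02:00,Renew,10.0.1.50,pc01.example.com,0003FF1A2B3C
13,06/17/04,08:05:33,Conflict,10.0.1.77,,
14,06/17/04,08:06:10,Scope full,,,0003FF9E8D7C
10,06/17/04,08:07:45,Assign,10.0.1.50,laptop02.example.com,000C29AABBCC
56,06/17/04,08:10:00,Authorization failure,,example.com,
"""

FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")


def parse_audit_log(text):
    """Skip everything before the 'ID,...' header line and return one dict per event row."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith("ID,")), None)
    if start is None:
        return []
    rows = []
    for rec in csv.reader(lines[start + 1:]):
        if len(rec) < len(FIELDS) or not rec[0].strip().isdigit():
            continue                      # blank or non-event line
        rows.append(dict(zip(FIELDS, (c.strip() for c in rec))))
    return rows


def review(rows):
    """Flag what an administrator would want to look at: conflicts, an exhausted
    pool, authorization events (IDs above 50) and an address leased to a second
    MAC without a release or expiry in between (worth checking against another
    DHCP server leasing from the same range)."""
    findings, holder = [], {}
    for r in rows:
        eid = r["id"]
        if eid == "13":
            findings.append(f"conflict: {r['ip']} found in use on the network")
        elif eid == "14":
            findings.append(f"pool exhausted while serving {r['mac']}")
        elif int(eid) > 50:
            findings.append(f"authorization event {eid}: {r['description']}")
        if eid == "10":
            prev = holder.get(r["ip"])
            if prev and prev != r["mac"]:
                findings.append(f"{r['ip']} re-leased to {r['mac']} while held by {prev}")
            holder[r["ip"]] = r["mac"]
        elif eid in ("12", "17"):
            holder.pop(r["ip"], None)
    return findings


def leases_by_mac(rows):
    """Count new leases per MAC: a single MAC taking many addresses stands out."""
    counts = {}
    for r in rows:
        if r["id"] == "10":
            counts[r["mac"]] = counts.get(r["mac"], 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_LOG)
    for line in review(events):
        print(line)
    print(leases_by_mac(events))
```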
[4.8] DHCP problem resolution
  • The first step of fixing DHCP related problems is to make sure that there is no problem with the client, use ipconfig command to verify connectivity. If an address conflict occurred you will by warned of this by system tray warning popup as well as address conflict event in system log.
  • Dhcploc.exe can be used to locate DHCP servers including rogue servers, this utility is part of Windows support tools. For AD authorized servers only, use command netsh dhcp show server.
  • The repair button on the remote connection information screen performs these functions:
    • Broadcast DHCP Request message to renew the lease, if this computer is a DHCP client
    • Flush the arp cache, the same thing as arp -d
    • Flush NetBIOS cache, same as nbtstat -R
    • Flush DNS cache, same as ipconfig /flushdns
    • Register computer with WINS server, same as nbtstat -RR
    • Register computer with DNS server, same as ipconfig /registerdns
  • If the computer fails to connect to the DHCP server, make sure the network medium is up and the DHCP server is operational. Make sure the scope is active and that it still has leases available for its clients.
  • The DHCP server knows from which scope to assign an address by looking at the address of the RFC 1542 compliant router added to the discovery packet sent out by the client computer (no extra IP added means the local subnet).
  • If a client gets an IP address from the DHCP server, but it is from the wrong scope, verify with the dhcploc utility whether competing DHCP servers are present. Make sure all authorized servers are leasing from non-overlapping ranges. A single DHCP server can have multiple scopes active on it; scopes not native to the DHCP server's subnet are used for remote clients. DHCP matches remote clients to their scope when an RFC 1542 compliant router or DHCP relay agent is properly configured. The DHCP Request message contains a field named 'giaddr' which identifies the originating subnet; when it is empty the client is assumed to be local and is assigned an address from the local scope.
  • For a server to hand out addresses it must be on the same subnet as its clients and the DHCP service must be bound to the connection; this is checked from the Advanced tab in the server properties.
  • Make sure the scope is active and that the scope's network ID matches that of the DHCP server. Also, though it sounds trivial, make sure the DHCP server has some addresses available for lease. To accommodate more users you can simply shorten the lease duration. Don't forget static address exclusions and reserved addresses.
  • If the problem lies within the DHCP database, you will need to reconcile the DHCP data for one or all scopes. The data is stored in detailed and summary form on the DHCP server; when reconciling, the data in these two forms is compared.
  • You can also use the jetpack utility to perform database compaction, or use netsh dhcp server set databaserestoreflag 1
  • When the administrator needs to renew IP addresses on a few computers he can issue the command ipconfig /renew on each one of them; when there are more computers, it is easier to just reboot them using the shutdown /i command line utility (which shows a nice GUI interface).
  • To quickly get the MAC address of any computer, including remote PCs, use the getmac /s /v [server name] command line utility
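The scope selection by giaddr and the "are there any addresses left once exclusions and reservations are taken out" check from the points above, as an added example that is not part of the guide; the scopes, exclusions, reservations and addresses are constructed.

```python
"""Scope selection by giaddr and counting the leases a scope still has to give.

Added example, not part of the original guide. Scopes, exclusions, reservations
and addresses are constructed. The server picks the scope whose network contains
the giaddr the relay agent / RFC 1542 router filled in; an empty giaddr (0.0.0.0)
means the client is on the server's own subnet.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Set, Tuple

NO_RELAY = IPv4Address("0.0.0.0")


@dataclass
class Scope:
    name: str
    network: IPv4Network
    range_start: IPv4Address
    range_end: IPv4Address
    exclusions: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)  # inclusive
    reservations: Set[IPv4Address] = field(default_factory=set)
    active_leases: Set[IPv4Address] = field(default_factory=set)
    active: bool = True

    def free_lease_count(self) -> int:
        """Addresses still available: the range minus exclusions (static hosts),
        reservations and the leases currently out, as the guide warns to check."""
        free = 0
        addr = self.range_start
        while addr <= self.range_end:
            excluded = any(lo <= addr <= hi for lo, hi in self.exclusions)
            if not (excluded or addr in self.reservations or addr in self.active_leases):
                free += 1
            addr += 1
        return free


def select_scope(scopes: List[Scope], server_ip: IPv4Address, giaddr: IPv4Address) -> Optional[Scope]:
    """Return the active scope a DHCPDISCOVER maps to, or None if no scope matches."""
    target = server_ip if giaddr == NO_RELAY else giaddr
    for scope in scopes:
        if scope.active and target in scope.network:
            return scope
    return None


def ranges_overlap(a: Scope, b: Scope) -> bool:
    """True when two scopes (for example on two authorized servers) lease the same addresses."""
    return a.range_start <= b.range_end and b.range_start <= a.range_end


# Constructed scopes: one native to the server's subnet, one for a relayed remote subnet.
A = IPv4Address
LOCAL = Scope("local", IPv4Network("192.168.1.0/24"), A("192.168.1.10"), A("192.168.1.30"),
              exclusions=[(A("192.168.1.10"), A("192.168.1.14"))],  # static servers
              reservations={A("192.168.1.20")},
              active_leases={A("192.168.1.21"), A("192.168.1.22")})
REMOTE = Scope("remote", IPv4Network("10.0.5.0/24"), A("10.0.5.50"), A("10.0.5.59"))
SCOPES = [LOCAL, REMOTE]
SERVER_IP = A("192.168.1.2")

if __name__ == "__main__":
    for g in (NO_RELAY, A("10.0.5.1"), A("172.16.0.1")):
        chosen = select_scope(SCOPES, SERVER_IP, g)
        print(f"giaddr {g}: {chosen.name if chosen else 'no scope'}")
    print("free leases in local scope:", LOCAL.free_lease_count())
```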

Part 5: Implementing, configuring and troubleshooting routing and remote access in Windows networks

[5.1] Chapter definitions
  • Routing is the process of transferring data from one local area network to another local area network
  • A bridge is a network connection that connects two or more network segments and shares traffic as necessary according to hardware addresses. A bridge is a layer two (data link) device.
  • A router is a device that receives and forwards traffic according to software addresses. A router is a layer three device according to the OSI model.
  • A network interface is a software object that connects to a physical device such as a modem or network card
  • Demand dial interfaces - these are interfaces such as VPN, persistent dial-up connection and PPPoE connection. New demand dial interfaces are added through the Network Interfaces node.
  • Windows includes a software router called the Routing and Remote Access service. This is a multiprotocol router capable of LAN to LAN, LAN to WAN, VPN and NAT routing through IP networks. It also supports routing features such as IP multicasting, demand-dialing, packet filtering, DHCP relay and built-in support for RIP 2 and OSPF.
  • Unnumbered connections - connections in which one or both of the logical interfaces fail to obtain an IP address. Unnumbered connections happen mostly with demand-dial connections when one (or both) routers don't support APIPA
  • NAT stands for network address translation and is a service, part of a router, in which the header information in IP datagrams is modified by the router before being sent out. This allows many computers with private addresses to share a single public IP and still be able to surf the net.
[5.2] Routing with Routing and remote access
  • The server computer needs to be configured with Routing and Remote Access, since it is installed in a disabled state. It will detect all installed network adapters and configure them. However, the system administrator will need to set up all additional VPN and dial-up connections since they are not pre-configured during setup.
  • When you add a new network card to an already configured Routing and Remote Access service, you will need to add a new interface through the Routing and Remote Access console
  • The number of network segments for which R&R access can act as a router is limited by the number of interfaces installed on the server.
  • Routing and Remote Access properties for the IP Routing node:
    • The General tab allows the network administrator to configure the R&R access service as a LAN router, demand dial router or remote access server.
    • The Security tab allows the network administrator to configure authentication methods, connection request logging and preshared keys for the IPSec protocol. All options set on the Security tab are applied to remote access clients and demand dial routers.
    • The IP tab allows the network administrator to configure how IP packets are routed over LAN, remote access or demand-dial connections. You have the option to use a DHCP server to assign IP addresses to remote hosts. If the DHCP server is not on the same PC as the R&R access service, it must be reached through a DHCP relay agent. If you don't have a DHCP server close at hand you can use a static address pool; the R&R access service will then act as a DHCP server. The "Enable Broadcast Name Resolution" check box, when checked, enables R&R access clients to resolve computer names on all network segments connected to the R&R access server without the help of DNS or WINS servers; this option is enabled by default and it works by permitting NetBT broadcasts from remote clients.
    • The PPP tab allows the network administrator to authenticate and negotiate dial-up connections. You can enable or disable the following options: Multilink connections, Link Control Protocol (LCP) extensions, software compression and Dynamic Bandwidth Control with BAP or BACP; all options are enabled by default.
      • Multilink connections allow multiple physical links to operate as a single logical link, increasing the bandwidth
      • Dynamic Bandwidth Control with BAP or BACP - when bandwidth demands change, multilink connections are created or dropped to allow for the changes; both protocols work together to provide bandwidth on demand (BOD)
      • Link Control Protocol (LCP) extensions - support for advanced PPP features such as callback; disable if the client is older and cannot use these advanced features
      • Software compression - software based compression of data; leave on unless the modem used can compress data at the hardware level (no need to do idle work at the software level)
    • The Logging tab allows the administrator to select the events to be logged; by default only errors are written to the log file. Log files are located in the %systemroot%\tracing directory.
  • IP routing properties, accessed from the General Properties dialog box associated with the General subnode of the IP Routing node:
    • Logging tab - which IP routing events are to be logged; by default only errors are logged
    • Preference levels tab - allows the administrator to assign a priority to routes collected from various sources. When two different sources provide conflicting routing information only one source's data can be entered into the routing table; this data comes from the source with the higher priority setting. The highest priority is 120, the lowest is 1.
    • Multicast scopes - add/remove multicast scopes (to add a new scope provide its name, base IP address and mask)
  • The Routing and Remote Access server supports SLIP and PPP for serial asynchronous connections. PPP - Point-to-Point Protocol - provides advanced features (such as IPX, NetBEUI and TCP/IP, and encrypted authentication if configured) not found in the Serial Line Internet Protocol (SLIP)
[5.3] Routing tables explained
  • There are three types of routes that one finds inside a routing table:
    • Default route - there is a single entry for this route in the table; the address provided is used as the destination for packets whose address doesn't match any other entry in the routing table. This route is indicated by both an address and a network mask of 0.0.0.0
    • Host route - provides a route to a specific host or a broadcast address; routes of this type are marked by a network mask of 255.255.255.255
    • Network route - provides a route to a specific network; routes of this type can have a subnet mask between 0.0.0.0 and 255.255.255.255
  • To view the routing table of any computer (every computer has one) from the command line type route print
  • Routing tables are organized into five columns, which are in the following order: Network Destination, Netmask, Gateway, Interface and Metric
    • Network Destination - the router compares entries from this column with the destination address of every IP packet. The 0.0.0.0 entry is the default route, 127.0.0.1 is the loopback device. Each entry with 224.0.0.0 refers to a multicast route. Entries with a last octet of 255 represent broadcast addresses; 255.255.255.255 is the limited broadcast address which is general for all networks and routers, other broadcast addresses are limited broadcast addresses.
    • Netmask - the value of this column determines which part of the packet's destination IP address is compared to the entries in the Network Destination column. The closest match determines the route the packet will be given
    • Gateway - the value represents the address the packet will be sent to if this particular route is chosen. The address should be different from the Network Destination value on the same row in the table. The gateway is the direction a packet takes on its voyage to the destination address (network destination). It is logical that the direction one must take to arrive at X is different from X itself.
    • Interface - the local network interface that will be used to transport the packet if this route is chosen
    • Metric - the cost of using a route; lower metric values carry more weight than higher values, so a metric of 1 is preferred over 50. RIP uses the number of hops to determine a route's metric.
  • By default the computer will preset certain route entries; however, to implement smooth communication with hosts that are outside broadcast range one must set up either static or dynamic routing
  • Static routing is when the administrator adds new routes to the routing table; routers do not share routing information and tables have to be manually checked for accuracy. This makes static routing difficult in large networked environments. Static routing works best for small single-path internetworks with 10 or fewer subnets. Static routing supports unnumbered connections. Static routes survive a server restart since they are persistent.
  • You can add new static routes from the Routing and Remote Access console or using the command line: route add [destination address] mask [netmask] [gateway] metric [metric cost] if [interface]. Please note that static routes added with the route command line utility are not persistent by default. To make them persistent use the -p switch. If routes are not persistent they are not listed under the 'Static' heading in the R&R access console.
  • To delete a route from the command line use route delete [destination address]
  • In real life static routes are rarely used since RIP is easy to configure. You might need to use static routes for connections to remote routers that are intermittent, since dynamic routing protocols require too much communication over the link.
  • You should avoid placing default routes on two or more routers that point to each other, since that puts unreachable traffic into an endless loop.
  • Dynamic routing uses RIP 2 or OSPF to share information between routers and ensure that the routing tables are built and kept accurate dynamically
  • There is nothing to be done as far as configuration is concerned by the administrator if the router is physically connected to all network segments
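Route selection over the five columns described above, plus the default-route loop check, as an added example that is not part of the guide; the route print listing it parses is constructed, and the selection rule it implements (longest netmask match, then lowest metric) is the general one of which the guide's "closest match" is the short form.

```python
"""Pick the route a host would use for a destination, consulting the Network
Destination / Netmask / Gateway / Interface / Metric columns the guide describes.

Added example, not part of the original guide. The table below is constructed
in the shape of `route print` output; the rule implemented is longest netmask
match first, then lowest metric.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    destination: IPv4Address
    netmask: IPv4Address
    gateway: IPv4Address
    interface: IPv4Address
    metric: int

    @property
    def kind(self) -> str:
        """default / host / network, by the masks the guide gives for each type."""
        if int(self.destination) == 0 and int(self.netmask) == 0:
            return "default"
        if int(self.netmask) == 0xFFFFFFFF:
            return "host"
        return "network"

    @property
    def prefix_len(self) -> int:
        return bin(int(self.netmask)).count("1")

    def matches(self, target: IPv4Address) -> bool:
        """The netmask picks which part of the packet's destination is compared."""
        mask = int(self.netmask)
        return (int(target) & mask) == (int(self.destination) & mask)


def parse_route_print(text: str) -> List[Route]:
    """Read the five-column rows of a route print listing; other lines are ignored."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        try:
            routes.append(Route(*(IPv4Address(p) for p in parts[:4]), int(parts[4])))
        except ValueError:
            continue  # header or footer text that happens to have five words
    return routes


def select_route(routes: List[Route], target: IPv4Address) -> Optional[Route]:
    """Closest (longest) match wins; among equal matches the lower metric is preferred."""
    candidates = [r for r in routes if r.matches(target)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix_len, r.metric))


def default_routes_point_at_each_other(tables: Dict[IPv4Address, List[Route]]) -> bool:
    """The loop the guide warns about: router A's default gateway is B and B's is A."""
    defaults = {}
    for router_ip, routes in tables.items():
        for r in routes:
            if r.kind == "default":
                defaults[router_ip] = r.gateway
    return any(defaults.get(gw) == ip for ip, gw in defaults.items())


# Constructed table for a host at 192.168.1.50 with a second router at 192.168.1.254.
SAMPLE_TABLE = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        10.20.0.0      255.255.0.0    192.168.1.254    192.168.1.50      30
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      20
     192.168.1.50  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255     192.168.1.50    192.168.1.50      20
        224.0.0.0        240.0.0.0     192.168.1.50    192.168.1.50      20
  255.255.255.255  255.255.255.255     192.168.1.50    192.168.1.50       1
Default Gateway:       192.168.1.1
"""
ROUTES = parse_route_print(SAMPLE_TABLE)

if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.1.77", "192.168.1.50", "10.20.3.4"):
        r = select_route(ROUTES, IPv4Address(dst))
        print(dst, "->", r.kind, "route via", r.gateway, "on", r.interface)
```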
[5.4] Configuring routing protocols
  • Windows Server supports four routing protocols: RIP, OSPF, multicast IGMP and DHCP Relay Agent
  • RIP (Routing Information Protocol) chooses the lowest cost route; routes with a cost higher than 15 are discarded, limiting the network size. RIP routers advertise their whole tables to each other every 30 seconds.
  • RIP works best in small to medium sized networks with a maximum of 15 routers; multipath networks with dynamic topology are well suited for RIP.
  • The main advantage of RIP is its ease of use; its disadvantage is its limited hop based cost estimate and 15 hop size limit
  • RIP can use simple password authentication that prevents an attacker from polluting the routing tables; unfortunately passwords are plain text. You can configure a list of routers (peer filtering) from which your router is to accept RIP announcements (by IP address). You can configure route filters on each RIP interface, thus making routes that are reachable from your network the only ones that will be considered for addition to the routing table.
  • By default RIP uses either broadcasts or multicasts (only in RIP 2). To prevent traffic from being sent to nodes that are not RIP routers the system administrator can set RIP neighbors.
  • OSPF (Open Shortest Path First) is an efficient protocol which uses the shortest path first algorithm to compute routes. OSPF routers don't share routing tables; instead they rely on a map of the internetwork called the link state database. Neighboring routers form an adjacency.
  • The OSPF protocol can scale to very large networks due to no hop limit, fast convergence times, little network bandwidth use and loop-free routes. Unfortunately it is not supported on the 64-bit edition of Windows Server 2003.
  • Changes to the network topology are sent to all routers in the network, which recompute their routing tables
  • OSPF divides the network into areas (collections of contiguous networks) which are connected to each other through a backbone. Each router keeps a link state database only for the areas to which it is connected. Area border routers connect to the backbone area and other areas. OSPF also supports stub areas which contain only one entry and exit point.
  • The DHCP Relay Agent is a routing protocol that allows client computers to obtain an address from a DHCP server on a remote subnet. DHCP clients send their DHCP Discover packets as broadcasts that are blocked by routers; one either needs to deploy an RFC 1542 compliant router or a DHCP Relay Agent for these packets to get through to the other subnet. You cannot use the DHCP Relay Agent on a computer that is also running a DHCP server, NAT (with automatic addressing turned on) or ICS. You install the DHCP Relay Agent just like any other protocol. Routers that are RFC 1542 compliant use BOOTP (boot protocol) for DHCP packet forwarding.
[5.5] Demand-dial routing
  • You can enable demand-dial routing from the General tab of the Routing and Remote Access properties
  • You can set dial credentials, get the unreachability reason, set IP demand-dial filters and dial-out hours from the Actions menu. These options are only for the demand dial interface.
  • On the properties page of the demand-dial router you can set modem features such as the source phone number, dialing properties such as call frequency, and the security protocol used - CHAP by default.
  • You can access port and device properties from the Ports node. From this dialog box you can configure whether your modem will be used for inbound and/or outbound connections. You can also set the device's phone number.
  • Clicking on the General node of IP Routing when demand dial is activated reveals some commands specific to dial-in (when one right-clicks on the demand dial interface):
    • Update routes is used to update routes if RIP is installed. Static routes are updated and are known as autostatic routes. Autostatic routes are used instead of normal RIP router-to-router communication due to the nature of the connection (demand dial).
    • TCP/IP statistics allows the administrator to see information similar to that provided by ipconfig and netstat
    • IP routing interface properties is a shortcut to another dialog box that has General, Multicast boundaries and Multicast heartbeat tabs
      • On the General tab "Enable IP Router Manager" is enabled by default; it is the service responsible for numerous features such as IP packet filtering, and if you disable it the administrative status of the device changes to disabled. Another option is the "Enable Router Discovery Advertisements" check box, off by default; it is a feature in which network hosts send out router solicitations to discover routers, and it needs to be configured at the host. Packet filtering is handled by two buttons, Inbound and Outbound filters. Part of packet filtering is the "Enable fragmentation checking" check box, off by default.
      • Multicast boundaries tab - administrative barriers for forwarding of IP multicast traffic. If boundaries didn't exist then the IP multicast router would forward all appropriate IP multicast traffic. You can configure the boundary using a multicast scope or the TTL in the IP header.
      • Multicast heartbeat tab - the server listens for a regular multicast notification for a specified group address to verify that IP multicast connectivity is available on the network. You can configure the timeout interval and the group address.
  • Demand dial router to router configuration options:
    • Connection endpoint addressing - the end point of a connection that goes over a public network must be identified by an endpoint identifier (such as a phone number).
    • Both ends of the demand dial connection must be configured for normal (bi-directional) traffic to flow; they both need R&R access to be running
    • Authentication of the calling router is based on credentials that correspond to a user account; authorization of the calling router is based on user permissions.
    • Differentiating between a router and a user calling is done by matching the user name to the interface being called: it is a router calling if the user name matches exactly the name of the demand dial interface on the answering router.
    • Static routes are to be configured for both connection ends; the check box 'Use this route to initiate demand dial connection' should be checked
[5.6] Configuring NAT
  • NAT - network address translation is a service that modifies packet header information before sending the packets to their destination.
  • The main difference between NAT and ICS is in their configuration options. ICS is simple and pre-configured, while with NAT you can choose any IP range for the private addresses and you can disable both the DHCP and DNS proxy capabilities. You can configure multiple external interfaces with NAT, and NAT recognizes static addresses within your network. ICS doesn't check for the existence of static addresses in its scope, which can cause problems.
  • NAT needs some configuration to work; ICS is just a single checkbox. For NAT you need to configure the external interface and make sure you add a route to it. Both DHCP and DNS servers should be present.
  • The firewall in ICS is called Internet Connection Firewall, while in NAT it is called Basic Firewall
  • For both NAT and ICS the computer running the translation service becomes the default gateway for the client PCs
  • NAT properties include a 'Services and Ports' tab which can be used to map an internal service to the external device using the protocol and port number that the given service uses.
  • ICS is available on computers running Windows 98 and above, while for NAT Windows 2000 Server or higher is needed
[5.7] Packet filtering
  • Packet filter - a rule for an interface that restricts or allows traffic based on direction, protocol, source address and destination address. There are two types of filters, outbound and inbound. The administrator may also choose to add filters through a remote access policy.
  • You can choose to allow all traffic through except the packets the administrator specifies, or to discard all traffic except the packets allowed by the filters to a specific PC (the Basic Firewall blocks all traffic that is configured as inappropriate)
  • You can create new packet filters through the Routing and Remote Access console, IP Routing node, under either the General or the NAT/Basic Firewall node.
  • It is important to define the filter direction and action correctly
[5.8] Configuring remote access authentication
  • Remote access is provided by either VPN or dial-up networking
  • Every computer that connects to the Remote Access server gets an IP assignment
  • The Remote Access server can use an existing DHCP server, in which case it will lease block(s) of 10 IP addresses upon startup. If 10 addresses cannot be leased then the Remote Access server doesn't work properly. If a block of 10 addresses is not available APIPA is used to assign IP addresses, and its usage signifies a problem with addressing, as APIPA addresses are not designed for remote access.
  • Alternatively the administrator can choose to use static IP address range assignment. In that case the Remote Access server is used for IP address assignment.
  • If the subnet you choose is different from the one on which the Remote Access server is, you will need to configure routing on your router (as with any additional subnet)
  • Remote Access server client computers must be authenticated to access the network; you can use Remote Authentication Dial-in User Service (RADIUS) or R&R access.
  • When a user places a call to the Remote Access server he supplies his user name and password for authentication. For authorization, if the R&R access server is a domain member, a domain logon is presented; for stand-alone R&R access servers this step is omitted.
  • The authentication method chosen is always the most secure method enabled in the Remote Access server client properties, the remote server properties and the remote access policy applied to the connection in question.
  • If the user is changing his or her password during the authentication phase then the client and server must be using either MS-CHAP or MS-CHAP v2 for communication.
  • Remote access protocols
    • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) still supports NTLM (but not by default). The same encryption key is used for all connections; both authentication and connection data are encrypted
    • MS-CHAP v2 - no NTLM and stronger encryption (like salting passed encrypted password strings). The two MS-CHAP protocols are the only ones that can change passwords during the authentication process. A new key is used for each connection and direction. Not supported by Windows 95. Both authentication and connection data are encrypted.
    • CHAP - needs storage of reversibly encrypted user passwords to be enabled; encryption of authentication data through MD5 hashing. No encryption of connection data.
    • PAP (Password Authentication Protocol) - passwords are unencrypted, as is connection data
    • SPAP (Shiva Password Authentication Protocol) - less secure than CHAP or MS-CHAP, no encryption of connection data
    • EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) - certificate based authentication (EAP) used with smart cards; both authentication and connection data are encrypted; not supported on stand-alone servers - only for domains. EAP-TLS is supported only by Windows Server 2003 and Windows XP/2000.
    • EAP-MD5 CHAP (Extensible Authentication Protocol - Message Digest 5 Challenge Handshake Authentication Protocol) - this is a version of CHAP that was ported to the EAP framework. Encrypts only authentication data, not connection data, the same as CHAP. EAP is supported only by Windows Server 2003 and Windows XP/2000.
    • Unauthenticated access - connections without credentials, good for testing
  • To modify security settings on the server right-click on the server icon in the Routing and Remote Access console and select Properties - Security tab
  • To modify security settings on the client select the connection properties and then the Security tab
[5.9] Authorizing remote access
  • After a remote connection has been authenticated, i.e. the user credentials have been verified, the user has to be granted access to resources, a process known as authorization.
  • User dial-in properties for both dial-in and VPN connections are accessed from the user properties dialog box, Dial-in tab
  • From the Dial-in tab the administrator can set the following options:
    • Remote access permission can be set to allow, deny or control through Remote Access Policy.
      • The Remote Access Policy option is available when the domain functional level is set to Windows 2000 native or higher. The allow access and deny access options override the options set in the remote access policy. However, when the action of allow is set the remote access profile is still read and applied; thus, for example, the logon hour restrictions set in the remote access policy will apply if the action of allow access is set and logon hour restrictions are supplied.
      • The remote access policy option is not available in AD Windows 2000 mixed mode. In this mode the allow access action corresponds to control through access policy. By default, allow permission is set.
    • The caller ID can be verified if the phone system supports it.
    • Callback options can be set to no callback (default), always callback to a specified number, and set by user. Callback requires Link Control Protocol (LCP) extensions to be enabled, which is the default setting. During the initial call to the server only authentication information is passed.
    • You can also assign the user a static IP address and define static routes
  • Remote Access Policy is the preferred way to control authorization of users. It is a set of permissions and restrictions that is processed by the remote access authenticating server and applies only to remote access connections. It is a separate entity from Group Policy and lives on the Routing and Remote Access server.
  • By default there are two remote access policies created that can be read by either RADIUS or Routing and Remote Access servers and are written to the local hard drive
    • The Connections to Microsoft Routing and Remote Access Server policy is set to match every connection except the non-Microsoft network access server type
    • The Connections to Other Access Servers policy matches every connection. Due to ordering the first policy is evaluated first.
  • You can restrict a policy to members of a group. Only global security groups can serve as a remote policy condition; local or universal groups will not do.
  • Each policy has an associated policy profile which the administrator can edit. It has Dial-in Constraints, IP, Multilink, Authentication, Encryption and Advanced tabs
  • On the Dial-in Constraints tab you can restrict the amount of time a connection can last, the specific connection phone number, media type and time of day
  • On the IP tab you can set who supplies the IP address, client or server, static address assignment and packet filters
  • The Multilink tab allows the administrator to link multiple modems together; the Bandwidth Allocation Protocol (BAP) controls when extra lines are connected and when they are dropped
  • On the Authentication tab you can specify protocols such as CHAP; by default MS-CHAP and MS-CHAP v2 are enabled
  • On the Encryption tab the security administrator can choose RSA or DES encryption. There are four different settings:
    • No encryption - no security
    • Basic Encryption (MPPE 40-bit) - used for dial-up and PPTP VPN connections, 56-bit for L2TP/IPSec
    • Strong Encryption (MPPE 56-bit) - used for dial-up and PPTP VPN connections; for L2TP/IPSec VPN 56-bit DES is used
    • Strongest Encryption (MPPE 128-bit) - used for dial-up and PPTP VPN connections; for L2TP/IPSec VPN 168-bit 3DES is used
  • On the Advanced tab one sets settings only readable by a RADIUS server (not readable by R&R access)
  • To enable remote users to connect to resources outside the Remote Access server you need to configure RAS as a router. Make sure the routing option is selected in the server properties and check that IP Routing is selected in the IP tab of the server properties. If you want to use NetBIOS name resolution without WINS, enable it on the IP tab as well.
  • When there are no remote access policies (all are deleted) and the user is set to use remote access policy, user access is denied.
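The authorization order described in [5.8] and [5.9] (user dial-in permission, first matching policy in order, profile applied even for an allowed account, most secure protocol common to client, server and policy), as an added example that is not part of the guide. The users, groups, policies and the protocol ranking are constructed for the example; the ranking follows the protocol descriptions in [5.8].

```python
"""Evaluate a Windows Server 2003 remote access connection attempt.

Added example, not part of the original guide. It models the order the guide
describes: the user's dial-in permission (allow / deny / control through
policy), the first remote access policy whose conditions match, and the policy
profile (logon hours, authentication protocol) that applies even when the
account is set to allow. Names, groups and policies below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Strongest first; an example ranking following the protocol descriptions in the guide.
AUTH_RANK = ["EAP-TLS", "MS-CHAPv2", "MS-CHAP", "CHAP", "SPAP", "PAP"]


@dataclass
class User:
    name: str
    dial_in: str                              # "allow", "deny" or "policy"
    groups: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    name: str
    action: str                               # "grant" or "deny"
    nas_port_type: Optional[str] = None       # e.g. "Virtual (VPN)"; None matches any
    group: Optional[str] = None               # global security group; None matches any
    logon_hours: Tuple[int, int] = (0, 24)    # profile: allowed hours [start, end)
    auth_protocols: Set[str] = field(default_factory=lambda: {"MS-CHAPv2", "MS-CHAP"})


@dataclass
class Attempt:
    user: User
    nas_port_type: str
    hour: int                                 # hour of day the call arrives
    client_protocols: Set[str]
    server_protocols: Set[str]


def matching_policy(policies: List[Policy], attempt: Attempt) -> Optional[Policy]:
    """Policies are evaluated in order; the first whose conditions all match wins."""
    for p in policies:
        if p.nas_port_type not in (None, attempt.nas_port_type):
            continue
        if p.group is not None and p.group not in attempt.user.groups:
            continue
        return p
    return None


def choose_auth_protocol(profile: Policy, attempt: Attempt) -> Optional[str]:
    """Most secure protocol enabled on client, server and policy profile alike."""
    common = attempt.client_protocols & attempt.server_protocols & profile.auth_protocols
    for proto in AUTH_RANK:
        if proto in common:
            return proto
    return None


def authorize(policies: List[Policy], attempt: Attempt) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, protocol)."""
    user = attempt.user
    if user.dial_in == "deny":
        return False, "user dial-in permission is deny", None
    policy = matching_policy(policies, attempt)
    if policy is None:                        # also the "all policies deleted" case
        return False, "no remote access policy matches", None
    if user.dial_in == "policy" and policy.action == "deny":
        return False, f"policy '{policy.name}' denies access", None
    # "allow" on the account overrides the policy action, but the profile still applies.
    start, end = policy.logon_hours
    if not (start <= attempt.hour < end):
        return False, f"outside logon hours of policy '{policy.name}'", None
    proto = choose_auth_protocol(policy, attempt)
    if proto is None:
        return False, "no authentication protocol common to client, server and policy", None
    return True, f"granted by policy '{policy.name}'", proto


# Constructed policies in evaluation order: a VPN policy for a global telecommuters
# group, then a catch-all that denies everything else.
TELECOMMUTERS = Policy("Telecommuters VPN", "grant", nas_port_type="Virtual (VPN)",
                       group="Telecommuters", logon_hours=(8, 18),
                       auth_protocols={"MS-CHAPv2", "EAP-TLS"})
CATCH_ALL = Policy("Catch-all", "deny")
POLICIES = [TELECOMMUTERS, CATCH_ALL]
SERVER_PROTOCOLS = {"MS-CHAP", "MS-CHAPv2", "EAP-TLS"}


def vpn_attempt(user: User, hour: int, client_protocols=("MS-CHAP", "MS-CHAPv2")) -> Attempt:
    return Attempt(user, "Virtual (VPN)", hour, set(client_protocols), set(SERVER_PROTOCOLS))


if __name__ == "__main__":
    alice = User("alice", "policy", {"Telecommuters"})
    print(authorize(POLICIES, vpn_attempt(alice, 10)))
    print(authorize(POLICIES, vpn_attempt(alice, 22)))
```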
[5.10] Configuring VPN
  • VPN - a virtual private network is a logical network that works on the physical layer that spans the internet
  • VPNs are used to securely connect users to a remote network or two remote network segments together
  • There are two distinct VPN deployment environments:
    • Basic remote access VPN - the client PC connects to the VPN server. On the server a remote access policy grants access to a global telecommuters security group (you need to create one first) with a NAS-Port-Type condition of Virtual (VPN). On the client side the end user uses the New Connection Wizard.
    • Extranet, also known as router to router VPN. Two networks are connected using VPN through servers that run R&R access. Authorization is based on demand dial interfaces, not on individual users' credentials. Each demand dial interface is configured with a user name, password and domain. The user name has to be identical to the demand dial interface name of the other VPN server. Access is configured through remote access policy as above. To allow functional, useful extranet connectivity, routing has to be established to direct traffic between the remote network segments.
  • When a user attempts a connection through VPN, as network administrator make sure the following conditions are met:
    • Make sure you have enough ports for the appropriate VPN type
    • Make sure there are no conflicts between the remote access policy and the remote access server
    • Verify that the client has appropriate permissions and has the same protocol as the server enabled; the remote access server or RADIUS has to be a member of the RAS and IAS Servers security group
    • The encryption strength has to be set the same across the board (remote access policy and remote access server)
    • If MS-CHAP is used the user password has to be 14 characters or less
  • For router to router VPN connections the network administrator must make sure the following conditions are met in addition to the above:
    • The routers have to be set as such on each connection end
    • Make sure IP Routing is enabled and static routes are created
  • By default 128 ports of each type are created if the VPN server role is specified; each port enables a single connection. If the VPN server role is not specified, by default there are 5 ports of each type (PPTP and L2TP) created. Windows Server 2003 supports 1000 VPN connections of each type, thus this is the maximum number of ports you can specify
  • For routing, RIP can be implemented with announcements exceeding the default 30s interval; for dial-up connections autostatic routes are a better choice.
[5.11] PPTP and L2TP/IPSec
  • PPTP connections are easier to set up and configure but are considered less secure than L2TP/IPSec connections; there is a price one pays for the extra security
  • PPTP (MPPE) provides encryption only; it gives no proof that the data was not modified in transit, whereas L2TP/IPSec (ESP) also provides data integrity
  • In a remote access policy, VPN connections are identified by the NAS-Port-Type condition "Virtual (VPN)"; to tell PPTP from L2TP, use the Tunnel-Type condition
  • PPTP VPNs are good when remote users cannot use certificates for connection establishment
  • In L2TP/IPSec connections the L2TP protocol provides the VPN tunneling while Encapsulating Security Payload (ESP), a feature of IPSec, provides data encryption and integrity.
  • L2TP connections need to authenticate both the user and the computer the user is using. Computer authentication is done first by the means of certificates whose purpose is for client authentication or for IPSec purpose.
  • When both the server and the client are Windows Server 2003 computers, certificates are not required: IPSec authentication can be done with a preshared key. This is less secure than certificates because the key is stored in plain text on every endpoint (and a single key is shared by all clients), so it is good for testing only.
  • If EAP-TLS user authentication method is used certificates must be preinstalled on all clients and servers (if RADIUS is used)
  • The administrator can disable L2TP/IPSec connections by setting the number of L2TP ports to 0; this cannot be done for PPTP ports
  • PPTP uses MPPE for encryption; the link between the two network segments is treated as a PPP connection. The PPP frame is encrypted and wrapped with a Generic Routing Encapsulation (GRE) header.
  • L2TP encryption is provided by the Encapsulating Security Payload (ESP) protocol, which is a feature of IPSec.
[5.12] Configuring IAS, Microsoft RADIUS
  • Internet authentication service (IAS) is Microsoft's implementation of RADIUS
  • RADIUS is used to centralize remote access authentication, authorization and accounting (logging). The RADIUS server communicates using the RADIUS protocol, which is an open standard, so there is no need to use Microsoft's RADIUS implementation.
  • A RADIUS server group is a group of RADIUS servers among which a RADIUS proxy balances network access requests
  • RADIUS proxy can also be used to route requests to appropriate RADIUS servers based on realm name attribute of connection
  • Administrator needs to configure Routing and Remote Access Server as a client to RADIUS server. This operation is done from properties dialog box security tab of Remote Access server console.
  • To configure a RADIUS client open server properties from R&R access console and select the security tab. On the screen shown administrator can select RADIUS as Authentication and/or Accounting provider
  • When administrator selects the role(s) RADIUS server is to take, he needs to configure it (by clicking the configure button) the following options are available on popup screen:
    • Secret - the shared secret, a plain-text password that must be identical on the RADIUS client and the RADIUS server
    • Time-out - how long to wait for RADIUS server
    • Initial Score - ordering for query priority of different RADIUS servers
    • Port - default port is UDP 1812 for authentication and UDP 1813 for accounting
    • Always Use Message Authenticator - adds the Message-Authenticator attribute, an HMAC-MD5 of the whole RADIUS message keyed with the shared secret; when the option is enabled, messages without a valid one are discarded. Without it an Access-Request carries no integrity check, so it can be forged by anyone who can reach the RADIUS port.
  • This is the interaction that exists between RADIUS and other servers and/or clients:
    • When VPN, wireless, dial-up clients (all remote) connect to one of multiple network access servers (R&R access servers) they need to be authorized and authenticated.
    • The network access server is configured to use RADIUS for that purpose; it connects to the RADIUS server using the RADIUS protocol
    • If the network is large and there are multiple RADIUS servers, the network access server first connects to a RADIUS proxy, which forwards the request to the correct RADIUS server based on the realm name
    • RADIUS proxy is used for load balancing as well as environments where there are multiple realms with distinct security settings
  • To set up an IAS (RADIUS) server, the network administrator needs to do three things:
    • Install IAS networking component
    • Register IAS server in the AD
    • From RADIUS console add new RADIUS clients
  • The administrator needs to register the IAS server in AD; registration adds the server's computer account to the RAS and IAS Servers security group, which is what lets it read users' dial-in properties
  • The administrator can back up, restore and migrate the IAS configuration from the command line using netsh with the 'aaaa' context: dump the configuration to a script file with the show config command and replay the file with netsh exec to restore it
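The Message-Authenticator check that the "Always Use Message Authenticator" option enforces (section 5.12) is easy to see in code. The following PowerShell is an added example written for this guide, not part of the original; it builds a constructed Access-Request for a user "alice" on a VPN port, computes the attribute as RFC 2869 section 5.14 specifies, then shows that tampering with the packet makes the check fail. The shared secret, user name and identifier are assumptions.

```powershell
# Added example, not part of the guide: how the RADIUS Message-Authenticator
# attribute (RFC 2869 section 5.14) behind "Always Use Message Authenticator"
# is computed and checked. The shared secret, user name and packet are constructed here.

function New-RadiusAttribute {
    param([byte]$Type, [byte[]]$Value)
    # Attribute layout: Type (1 byte), Length including these two bytes (1 byte), Value
    return [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
}

function New-RadiusAccessRequest {
    param([byte]$Identifier, [byte[]]$RequestAuthenticator, [byte[]]$Attributes)
    # Header: Code 1 = Access-Request, Identifier, Length (big-endian), 16-byte Request Authenticator
    $length = 20 + $Attributes.Length
    $header = @(1, $Identifier, [byte](($length -shr 8) -band 0xFF), [byte]($length -band 0xFF))
    return [byte[]]($header + $RequestAuthenticator + $Attributes)
}

function Find-RadiusAttribute {
    param([byte[]]$Packet, [int]$Type)
    # Walk the attribute list after the 20-byte header; return the offset of the first match or -1
    $length = ($Packet[2] -shl 8) -bor $Packet[3]
    $i = 20
    while ($i + 2 -le $length) {
        $attrLen = $Packet[$i + 1]
        if ($attrLen -lt 2) { return -1 }          # malformed attribute, stop parsing
        if ($Packet[$i] -eq $Type) { return $i }
        $i += $attrLen
    }
    return -1
}

function Get-RadiusMessageAuthenticator {
    param([byte[]]$Packet, [byte[]]$Secret)
    # HMAC-MD5 keyed with the shared secret over the whole packet, with the 16-byte
    # Message-Authenticator value (attribute type 80) set to zero while hashing
    $copy = [byte[]]$Packet.Clone()
    $offset = Find-RadiusAttribute -Packet $copy -Type 80
    if ($offset -lt 0) { throw 'Packet carries no Message-Authenticator attribute' }
    for ($i = 0; $i -lt 16; $i++) { $copy[$offset + 2 + $i] = 0 }
    $hmac = New-Object -TypeName System.Security.Cryptography.HMACMD5 -ArgumentList (,$Secret)
    return $hmac.ComputeHash($copy)
}

function Test-RadiusMessageAuthenticator {
    param([byte[]]$Packet, [byte[]]$Secret)
    # What a server with "Always Use Message Authenticator" does: missing or wrong attribute means discard
    $offset = Find-RadiusAttribute -Packet $Packet -Type 80
    if ($offset -lt 0 -or $Packet[$offset + 1] -ne 18) { return $false }
    $expected = Get-RadiusMessageAuthenticator -Packet $Packet -Secret $Secret
    $diff = 0
    for ($i = 0; $i -lt 16; $i++) { $diff = $diff -bor ($expected[$i] -bxor $Packet[$offset + 2 + $i]) }
    return ($diff -eq 0)   # constant-time comparison of the 16 bytes
}

# Constructed sample: Access-Request for user "alice" on a VPN port; secret is an assumption
$secret = [System.Text.Encoding]::ASCII.GetBytes('ExampleSharedSecret')
$requestAuth = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($requestAuth)
$userName = New-RadiusAttribute -Type 1 -Value ([System.Text.Encoding]::ASCII.GetBytes('alice'))
$portType = New-RadiusAttribute -Type 61 -Value @(0, 0, 0, 5)          # NAS-Port-Type 5 = Virtual (VPN)
$macSlot  = New-RadiusAttribute -Type 80 -Value (New-Object byte[] 16)  # placeholder, filled in below
$packet = New-RadiusAccessRequest -Identifier 7 -RequestAuthenticator $requestAuth -Attributes ($userName + $portType + $macSlot)
$mac = Get-RadiusMessageAuthenticator -Packet $packet -Secret $secret
[Array]::Copy($mac, 0, $packet, (Find-RadiusAttribute -Packet $packet -Type 80) + 2, 16)

Write-Output ("Intact packet accepted:   {0}" -f (Test-RadiusMessageAuthenticator -Packet $packet -Secret $secret))
$packet[22] = [byte][char]'b'                    # flip the first byte of the User-Name value: "alice" -> "blice"
Write-Output ("Tampered packet accepted: {0}" -f (Test-RadiusMessageAuthenticator -Packet $packet -Secret $secret))
```

The point to take away: the Request Authenticator in the header is just random bytes and the attributes are not otherwise protected, so a server that does not require the Message-Authenticator will process a forged Access-Request; the same HMAC-MD5 over the packet is what a client should verify on the Access-Accept/Reject it receives.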
[5.13] Other points
  • AppleTalk routing is supported on Windows server 2003
  • IPX routing was supported on Windows server 2000 but is no longer supported on Windows server 2003
  • To list all running system services with the process hosting them, use tasklist /svc. A user account needs to be granted the 'Log on as a service' user right for a service to run in its context.
  • To configure remote access account lockout, the system administrator sets registry values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout:
    • To turn lockout on, set MaxDenials (REG_DWORD) to 1 or greater, the number of failed attempts allowed before the account is locked; 0 (the default) disables lockout. ResetTime (mins) (REG_DWORD) controls how long the failed-attempt counter is kept before it is reset (default 2880 minutes, 48 hours)
    • A locked-out account appears as a value named domain name:user name under the same key; delete that value to reset the account manually before the reset time expires
  • To set up RAS client, the operator needs to use New Connection Wizard from the control panel
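The lockout registry settings above, as an added PowerShell example written for this guide rather than taken from it. It enables lockout, lists the accounts currently locked out and clears one; the threshold values, domain and user name are assumptions, and it has to run with administrative rights on the remote access server.

```powershell
# Added example, not from the guide: enable remote access account lockout and
# clear a locked-out account through the registry values the guide names.
$lockoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

function Enable-RemoteAccessLockout {
    param([int]$MaxDenials = 3, [int]$ResetMinutes = 30)   # thresholds are assumptions; choose your own
    if (-not (Test-Path $lockoutKey)) { New-Item -Path $lockoutKey -Force | Out-Null }
    # MaxDenials = 0 disables lockout; "ResetTime (mins)" is how long the failure counter is kept
    Set-ItemProperty -Path $lockoutKey -Name 'MaxDenials' -Value $MaxDenials -Type DWord
    Set-ItemProperty -Path $lockoutKey -Name 'ResetTime (mins)' -Value $ResetMinutes -Type DWord
}

function Get-LockedRemoteAccessAccounts {
    # Each locked-out account is a value named DOMAIN:username under the key;
    # the provider's own PS* properties never contain a colon in their name
    if (-not (Test-Path $lockoutKey)) { return @() }
    (Get-ItemProperty -Path $lockoutKey).PSObject.Properties |
        Where-Object { $_.Name -like '*:*' -and $_.Name -notlike 'PS*' } |
        Select-Object -ExpandProperty Name
}

function Unlock-RemoteAccessAccount {
    param([Parameter(Mandatory = $true)][string]$Domain,
          [Parameter(Mandatory = $true)][string]$UserName)
    $valueName = "${Domain}:${UserName}"
    if (Get-ItemProperty -Path $lockoutKey -Name $valueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $lockoutKey -Name $valueName
        Write-Output "Unlocked $valueName"
    } else {
        Write-Output "$valueName is not locked out"
    }
}

Enable-RemoteAccessLockout -MaxDenials 3 -ResetMinutes 30
Get-LockedRemoteAccessAccounts
Unlock-RemoteAccessAccount -Domain 'CONTOSO' -UserName 'alice'   # assumed domain and user
```

Remote access lockout is separate from the domain account lockout policy: it only counts failed remote access attempts on this server, and a low MaxDenials with a long reset time lets an attacker lock legitimate VPN users out by guessing their passwords, so the two values are a trade-off rather than a pure hardening setting.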

Part 6: Managing network infrastructure and security

[6.1] Network Security protocols
  • Authentication: Kerberos, and NTLM (for backward compatibility only)
  • Authorization: Kerberos and NTLM
  • Confidentiality: the encryption parts of Kerberos, IPSec and NTLM
  • Integrity: parts of Kerberos, IPSec and NTLM
  • Non-repudiation: Kerberos and IPSec (proof of who sent and who received the message)
[6.2] Using security templates
  • The Security Templates snap-in is by default pointed at the %systemroot%\security\templates folder. More templates are stored in the %systemroot%\Inf folder; copy them to the templates folder to view them with this snap-in.
  • The administrator should create a master template for all PCs and role-based templates for servers. It is good practice to create rollback templates before applying new ones.
  • These are default templates available with Windows Server 2003:
    • Setup security.inf - default settings applied to current machine on installation
    • Compatws.inf - used for backwards compatibility, so that applications not certified for Windows XP can run for members of the Users group (not for DCs)
    • Secure*.inf (Securews.inf, Securedc.inf) - implements recommended security in all areas except permissions on files, folders and registry keys
    • Hisec*.inf (Hisecws.inf, Hisecdc.inf) - high-security network communication (SMB signing, NTLMv2 only); a computer using it can communicate only with other Windows 2000/XP/2003 computers, not with Windows 95/98/Me (DC to client communication breaks)
    • Rootsec.inf - reapplies the default root-of-system-drive permissions introduced in XP, useful when the root ACL has been changed by mistake
    • Notssid.inf - removes the default permissions granted to the Terminal Server SID
    • DC security.inf - default security settings for a DC
    • Iesacls.inf - applies permissions to the registry keys relevant to IE; the Everyone group gets full control
    • Securedc.inf - the DC variant of the secure template: tighter account policies and LAN Manager restrictions
    • Defltsv.inf - default server template applied during installation
    • Defltdc.inf - default DC template applied during dcpromo
  • Viewing or editing a template changes nothing; for a security template to take effect you have to apply it using the Security Configuration and Analysis snap-in (or secedit), or import it into a GPO.
  • The administrator can compare two templates, and the current security settings of a computer to a baseline template, using the Security Configuration and Analysis snap-in
  • When applying templates the administrator must choose whether to 'clear the database'. If he does so, only the settings in the template being applied will be applied. If he doesn't clear the database, one of three things can happen:
    • If setting is defined in the new template but not the old one, new setting is applied
    • If setting is defined in the old template but not the new one, setting stays as is
    • If setting is both in new and old templates, new setting takes precedence over old one
  • Secedit is the command line version of the Security Configuration and Analysis snap-in; it can analyze a computer against a template, configure (apply) a template, export the current settings, validate the syntax of a template file and, new in Windows Server 2003, generate a rollback template
  • It is good practice never to modify the default templates; instead, copy them to a separate location and modify the copies
  • The administrator can modify a security template by editing the .inf file directly (validate it afterwards, since a syntax error silently drops settings)
  • The IP Security and Public Key policies cannot be modified using a security template
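The analyze, rollback and apply steps above as one PowerShell procedure. This is an added example written for this guide, not from it: the working directory, template, database and log names are assumptions, and the template is assumed to be a copy, never one of the originals under %systemroot%\security\templates. The secedit /generaterollback syntax is the Windows Server 2003 form; later Windows versions also take a /db argument.

```powershell
# Added example, not from the guide: analyze a server against a baseline template,
# keep a rollback template, then apply it with secedit. Paths are assumptions.
$workDir  = 'C:\SecTemplates'
$baseline = Join-Path $workDir 'MemberServerBaseline.inf'
$database = Join-Path $workDir 'MemberServerBaseline.sdb'
$rollback = Join-Path $workDir 'Rollback.inf'

function Test-SecurityTemplateSyntax {
    # Worth running after editing an .inf by hand: a bad section is otherwise ignored
    secedit /validate $baseline
    return ($LASTEXITCODE -eq 0)
}

function Compare-SecurityBaseline {
    # Imports the template into a fresh database (/overwrite) and compares it with
    # the live settings; differences go to the log, nothing on the machine changes
    $log = Join-Path $workDir 'analyze.log'
    secedit /analyze /db $database /cfg $baseline /overwrite /log $log /quiet
    Get-Content $log | Select-String -Pattern 'Mismatch'
}

function Invoke-SecurityBaseline {
    # 1. Record the current value of every setting the baseline touches, so the change
    #    can be undone later with: secedit /configure /db rollback.sdb /cfg Rollback.inf
    secedit /generaterollback /cfg $baseline /rbk $rollback /log (Join-Path $workDir 'rollback.log') /quiet
    # 2. Apply. /overwrite empties the database first, so only this template's
    #    settings are applied (the "clear the database" choice in the snap-in)
    secedit /configure /db $database /cfg $baseline /overwrite /log (Join-Path $workDir 'configure.log') /quiet
    return ($LASTEXITCODE -eq 0)
}

if (Test-SecurityTemplateSyntax) {
    Compare-SecurityBaseline      # review the mismatches before applying
    Invoke-SecurityBaseline
}
```

Settings that the template does not define are left as they are, which is why the rollback template is generated from the baseline: it captures exactly the settings the baseline will change and nothing else. Note that a template applied locally is overridden by any conflicting setting delivered by Group Policy at the next refresh, so on domain members the analyze step is the one that tells you what is actually in effect.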
[6.3] IPSec protocol
  • IPSec is natively supported on Windows 2000/2003/XP; a legacy L2TP/IPSec VPN client is available for Windows NT4/Me/98
  • IPSec can be used to encrypt traffic, to permit traffic to leave or enter the PC, and to block traffic from entering or leaving the PC
  • IPSec can be monitored, if the IPSec service is started, using the IP Security Monitor snap-in (in Windows 2000, the ipsecmon.exe utility). The monitor shows the two negotiation phases separately: main mode (the IKE security association between the two computers) and quick mode (the IPSec security associations that carry the actual traffic)
  • An IPSec policy is a set of rules. Each rule consists of a filter list (filters that describe traffic by address, protocol and port), a filter action and an authentication method. A filter action is one of: Block, Permit or Negotiate Security. An IPSec policy can have many rules, but each rule has exactly one filter action. Only one policy can be assigned to a computer at a time, and a policy assigned through Group Policy overrides a locally assigned one.
  • IKE is the protocol used to open the first secure channel (main mode). The master key is derived independently on each computer through a Diffie-Hellman exchange and is never transported over the network
  • Negotiation is the process of determining which IPSec protocol (AH or ESP) will be used and its specifics, such as the algorithms and key strength
  • Offloading of IPSec encryption to NIC is supported for improved server performance
  • Netsh is a command line tool used to display and modify local and remote network configuration; administrators can use it for scripting. Its ipsec context has two modes: static (create and change policies, filter lists, filter actions and rules, and assign policies) and dynamic (change the running configuration immediately). To show all IPSec settings use netsh ipsec static show all
  • IP security monitor is used to monitor IPSec traffic, you can see traffic statistics according to many different counters
  • Netcap.exe (in the Support Tools) is a command line utility used to capture network traffic to a file. The administrator can run it on Windows XP without Network Monitor being installed as a component.
  • Routers pass IPSec traffic through, but firewalls and packet filters need to be configured to allow it: UDP 500 for IKE (and UDP 4500 when NAT traversal is used), IP protocol 50 for ESP and IP protocol 51 for AH. Note that a packet filter cannot look inside ESP-encrypted traffic, so filtering by port has to happen on the endpoints.
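The policy structure described above (policy, filter lists, filter actions, rules, assignment) built with netsh ipsec static, as an added example written for this guide rather than taken from it. It blocks inbound Telnet (TCP 23) from everywhere except one management host; the policy and object names and the 10.0.0.5 address are assumptions. It must run as an administrator, and a domain-assigned IPSec policy would override the local one it assigns.

```powershell
# Added example, not from the guide: build, assign and verify a local IPSec policy
# that blocks inbound Telnet except from one management host. Names and the
# 10.0.0.5 address are assumptions. Run as an administrator.
$policy = 'BlockTelnetExceptMgmt'

# 1. The policy container
netsh ipsec static add policy name=$policy description=BlockInboundTelnetExceptManagementHost

# 2. Filter lists. dstaddr=me is this computer; mirrored=yes also matches the reply direction
netsh ipsec static add filterlist name=TelnetFromAnyone
netsh ipsec static add filter filterlist=TelnetFromAnyone srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes
netsh ipsec static add filterlist name=TelnetFromMgmt
netsh ipsec static add filter filterlist=TelnetFromMgmt srcaddr=10.0.0.5 dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes

# 3. Filter actions: a rule maps one filter list to exactly one action
netsh ipsec static add filteraction name=BlockAction action=block
netsh ipsec static add filteraction name=PermitAction action=permit

# 4. Rules. The more specific filter (a single source host) wins over the general one,
#    so the permit rule for the management host takes effect despite the block rule
netsh ipsec static add rule name=BlockTelnet policy=$policy filterlist=TelnetFromAnyone filteraction=BlockAction
netsh ipsec static add rule name=PermitMgmtTelnet policy=$policy filterlist=TelnetFromMgmt filteraction=PermitAction

# 5. Assign (only one local policy can be assigned at a time) and verify what is in place
netsh ipsec static set policy name=$policy assign=y
netsh ipsec static show policy name=$policy level=verbose
```

Permit and Block rules need no authentication method because nothing is negotiated; only a Negotiate Security action triggers IKE, which is when the UDP 500 and protocol 50/51 firewall openings above matter. Verify from the management host and from another host with a Telnet client that the behaviour is what the filters say, since a typo in a filter list fails silently.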
[6.4] Kerberos protocol
  • The Kerberos protocol is used for authentication. Kerberos is superior to the older NTLM protocol and is the preferred protocol in Windows 2000/XP/2003. It is described in RFC 1510.
  • The time difference between server and client is called time skew; by default, if the difference is more than 5 minutes the authentication will fail (NTLM authentication might be attempted at that point). Client and DC computers synchronize their clocks automatically only if the difference between them is less than 30 minutes.
  • Kerberos traffic uses port 88 (UDP by default, TCP for large tickets); the ticket-granting ticket (TGT) is requested by the client from the DC
  • Kerberos service or user ticket is granted in order for the user to use a specific service. Tickets are cached and can be reused and renewed. If a ticket cannot be renewed, new ticket can be issued.
  • TGT is stored in Kerberos ticket cache which can be analysed and viewed using kerbtray.exe found in the support tools
  • To see a list of tickets that are in the cache you can use klist.exe found in the support tools
  • Administrator can use netdiag utility to run network tests one of which is a kerberos test
  • When kerberos is used for logon and administrator wants to see it logged in the event log, auditing must be enabled for logon event and account logon event.
  • The network administrator is unable to turn NTLM authentication off entirely. For example, NTLM is still used when drives are mapped by IP address instead of by computer name, because there is no service principal name for an IP address.
  • Ksetup - command line tool used to configure Kerberos, used to: set up a realm entry, set up computer's password in the kerberos realm and set up local account to kerberos account mappings
  • Ktpass - command line tool used configure a non-Windows Server 2003 kerberos service as a security principal in AD
[6.5] Network performance monitoring
  • The easiest tool to use is task manager's networking tab
  • If one cannot detect problems using task manager, there is always performance monitor with its networking-related performance objects. Objects include Network Interface, TCPv4, NBT Connection, RAS Port and RAS Total.
  • Alerts are created when specific counter(s) go above or below a specific value. When an alert is triggered you can do one of the following:
    • You can log alerts in application log
    • Can send a network message
    • Start performance data log
    • Run a program
  • Performance logs and alerts are used to perform long term analysis:
    • Using the default Windows XP Pro data provider or another application provider, trace logs record detailed system application events when certain activities, such as a disk I/O operation occurs. When the event occurs, your OS logs the system data to a file. A parsing tool is required to interpret the trace log output, like Tracerpt
    • When counter logs are in use, the service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event.
  • Remember that trace logs are event driven and Counter logs are update interval driven
  • Netstat - this is command line tool used to monitor network connection
[6.6] Performance indicators
  • Memory: page faults/sec - a page fault occurs when a process references a page that is not in its working set. Most are soft faults (the page is still in RAM) that the system handles cheaply; compare with Memory: pages/sec to see how many are hard faults that go to disk
  • Memory: available bytes - need more RAM if less than 10% of physical memory is available (a steady decline could be an application memory leak)
  • Memory: pages/sec - pages read from or written to disk to resolve hard page faults; a sustained rate of 20 or more indicates a need for more RAM
  • Page file percent close to 100, need more space on file or more RAM
  • Physical disk: percentage disk time above 70% - is too high, if paging file usage is excessive as well it indicates more RAM is needed otherwise a disk is the bottleneck
  • Physical disk average queue length above 2 - check paging file and physical memory
  • Physical disk current queue length - a value above 2 indicates a problem
  • CPU close to 100% - need more CPU power if situation continues for excessive amounts of time
  • Number of open files indicates how busy the server is, compare to baseline
  • Server: bytes total/sec - indicates network throughput
  • Baselining is the process of determining average/normal system performance. Should be done over a period of 3 to 4 weeks using counter logs.
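The thresholds above turned into a collection and check procedure. This is an added PowerShell example written for this guide, not taken from it: it starts a typeperf counter log (typeperf is present on Windows Server 2003) with the counters the guide names, and a separate function scans a log in typeperf's CSV layout for samples that cross the guide's thresholds. The server name, file paths and the two sample rows are constructed.

```powershell
# Added example, not from the guide: log the guide's counters with typeperf and
# flag samples that cross its thresholds. Paths, server name and CSV rows are constructed.
$counters = @(
    '\Memory\Pages/sec',
    '\Memory\Available Bytes',
    '\Paging File(_Total)\% Usage',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\Server\Bytes Total/sec'
)

function Start-BaselineLog {
    param([string]$CounterFile = 'C:\Perf\counters.txt', [string]$Output = 'C:\Perf\baseline.csv')
    # One sample a minute for 24 hours; repeat daily to build the 3-4 week baseline
    Set-Content -Path $CounterFile -Value $counters
    typeperf -cf $CounterFile -si 60 -sc 1440 -f CSV -o $Output -y
}

function Find-PerformanceProblems {
    param([string[]]$CsvLines, [long]$TotalRamBytes)
    $rows = $CsvLines | ConvertFrom-Csv
    $columns = $rows[0].PSObject.Properties.Name
    # typeperf prefixes every column with \\MACHINE, so match each counter by its suffix
    $col = @{}
    foreach ($c in $counters) { $col[$c] = $columns | Where-Object { $_ -like "*$c" } | Select-Object -First 1 }
    foreach ($r in $rows) {
        $time = $r.($columns[0])
        $v = @{}
        foreach ($c in $counters) { $v[$c] = [double]$r.($col[$c]) }
        if ($v['\Memory\Pages/sec'] -ge 20)                          { "$time pages/sec $($v['\Memory\Pages/sec']): add RAM" }
        if ($v['\Memory\Available Bytes'] -lt 0.1 * $TotalRamBytes)  { "$time available memory below 10% of RAM: check for leaks" }
        if ($v['\Paging File(_Total)\% Usage'] -ge 90)               { "$time paging file $($v['\Paging File(_Total)\% Usage'])% used" }
        if ($v['\PhysicalDisk(_Total)\% Disk Time'] -gt 70) {
            # The guide's rule: high disk time plus heavy paging means RAM, otherwise the disk itself
            $cause = if ($v['\Paging File(_Total)\% Usage'] -ge 90) { 'paging, add RAM' } else { 'disk is the bottleneck' }
            "$time disk time $($v['\PhysicalDisk(_Total)\% Disk Time'])%: $cause"
        }
        if ($v['\PhysicalDisk(_Total)\Avg. Disk Queue Length'] -gt 2) { "$time average disk queue above 2" }
        if ($v['\Processor(_Total)\% Processor Time'] -ge 95)         { "$time CPU near 100%" }
    }
}

# Constructed sample in typeperf's CSV layout: header row, then one row per sample
$sample = @(
    '"(PDH-CSV 4.0)","\\SRV1\Memory\Pages/sec","\\SRV1\Memory\Available Bytes","\\SRV1\Paging File(_Total)\% Usage","\\SRV1\PhysicalDisk(_Total)\% Disk Time","\\SRV1\PhysicalDisk(_Total)\Avg. Disk Queue Length","\\SRV1\Processor(_Total)\% Processor Time","\\SRV1\Server\Bytes Total/sec"',
    '"06/17/2004 09:00:00.000","3.2","210000000","35","22","0.4","18","51000"',
    '"06/17/2004 09:01:00.000","45.7","30000000","94","88","3.1","41","49000"'
)
Find-PerformanceProblems -CsvLines $sample -TotalRamBytes 512MB
```

The first constructed sample is a quiet server and produces nothing; the second crosses the paging, memory, disk and queue thresholds at once, and the disk line is attributed to paging rather than to the disk, which is the distinction the guide draws. In practice the thresholds are checked against the baseline rather than in isolation: a single spike is noise, a sustained excursion over many samples is the signal.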
[6.7] SUS - software update service
  • SUS - software update service, can distribute updates (need to be approved by the admin before distribution occurs) to clients.
  • Minimum requirements for the clients to connect to SUS are Windows XP SP1, or Win2k SP3 or later.
  • SUS server is really just a webpage with ActiveX functionality that piggybacks on top of IIS.
  • In order for SUS to work you need to point client computers to SUS server using GPO
  • You need to install SUS10SP1.exe on the server
  • Server computer must be running at least version 5 of IIS
  • SUS virtual administrative directory http://yourservername/SUSadmin
  • SUS needs NTFS with at least 100Mb to install package and 6Gb for storing updates, SUS runs from the 'default website' and stores all data there
  • SUS notification is shown for Administrators only
  • If you have P III 700, 512Mb RAM SUS server can handle up to 15000 clients
  • SUS server is not set to synchronize with Windows update site by default, administrator must do that or manually synchronize
[6.8] Other points
  • Runas is also known as secondary logon; the Secondary Logon service has to be running to use it. This command line utility runs a program in a different user's security context. For example, a network administrator logged on as a regular user needs to run a system utility that requires administrative privileges. Instead of logging out and back in as an administrator, the user can use the runas command, which has the following syntax: runas /user:ComputerName\UserName "program name" (the program and its arguments go in one quoted string; for a domain account use DomainName\UserName). The password is prompted for and cannot be given on the command line.
  • Microsoft Operations Manager (MOM) can be used to archive security logs
  • Service dependencies are shown on the Dependencies tab of a service's properties in the Services snap-in (or with sc qc from the command line). The GUI program Dependency Walker, depends.exe, shows the DLLs an executable depends on, which is a different thing.
  • Things that should be audited: audit both success and failure events in the System event category; audit success events in the Policy Change event category on all DCs; audit success events in the Account Management event category; audit success events in the Logon event category; and audit success events in the Account Logon event category on DCs.

#926 From: Testking_Mcse@yahoogroups.com
Date: Sun Nov 15, 2009 9:10 am
Subject: File - Microsoft exam 70-290 preparation guide.html

Microsoft exam 70-290 preparation guide

Contents:

Part 1: Installing and upgrading Windows 2003
Part 2: Managing and Maintaining Physical & logical drives
Part 3: Managing users, computers and groups
Part 4: Managing and monitoring access to resources
Part 5: Managing and maintaining a server environment
Part 6: Managing and implementing disaster recovery
Part 7: Active directory primer

Preface

I have written this short preparation guide as a way for myself to ease studying for the Microsoft 70-290 exam titled: "Managing and maintaining Microsoft Windows 2003 server environment". I provide this guide as is, without any guarantees, explicit or implied, as to its contents. You may use the information contained herein in your computer career, however I take no responsibility for any damages you may incur as a result of following this guide. You may use this document freely and share it with anybody as long as you provide the whole document in one piece and do not charge any money for it. If you find any mistakes, please feel free to inform me about them Tom Kitta. Legal stuff aside, let us start.

Guide version 0.13 last updated on 28/05/2004

Part 1: Installing and upgrading Windows 2003

[1.1] Clean install
  • During installation of Windows 2003 if you need to install special storage adapter that Windows does not have press F6
  • You can install onto a dynamic disk only if the volume was converted from a basic boot or system volume (so an entry for it still exists in the MBR partition table)
  • Product key
    • Retail/OEM - one key per install, product activation
    • Volume licensing - one key for multiple installations
    • Product activation is proof of ownership that uses a 25-character key
    • You have 14 days to activate the product; if you run out of time you can still start the server in safe mode (no network)
  • Windows 2003 is server software, so some modules are disabled by default:
    • No audio service (disabled by default)
    • Limited video acceleration (DirectX off by default)
  • Dynamic update during installation fetches critical updates only (not drivers) and needs an internet connection
  • You must have the Unattend.txt or Winnt.sif (copy of unattend.txt when using CD for install) files if you want to fully automate the remote installation of a Windows Server 2003 operating system.
[1.2] Windows editions
  • Standard edition
    • Maximum of 4 CPU
    • Maximum of 4GB of RAM
    • Network load balancing
  • Enterprise edition
    • Can be 32 or 64 bit (64bit edition needs Intel Itanium)
    • Has hot add memory capability (on 32bit edition only), clustering
    • Maximum of 32GB RAM, 64GB RAM on 64bit
    • Maximum of 8 CPUs
    • Up to 8 cluster nodes
  • Datacentre edition
    • Needs to be purchased through Microsoft
    • Maximum of 64CPUs, 512GB RAM on 64bit edition
    • Up to 8 cluster nodes
  • Web edition
    • Up to 2 CPUs and maximum of 2GB of RAM
    • Used to host websites, web applications including DNS, no non-web based applications like SQL server
    • OEM or volume licensing, cannot buy retail
  • XP profesional
    • Minimum P233, recommended PII 300
    • Minimum 64Mb RAM, recommended 128Mb
    • Minimum 1.5Gb of free space on HD, recommended 2Gb
[1.3] Hardware requirements
  • CPU minimum 133Mhz (datacentre edition 400Mhz), recommended 550-733Mhz
  • RAM minimum 128Mb (datacentre edition 512Mb), recommended 256Mb
  • HD minimum 1.5Gb
  • Pentium Pro and Pentium II multiprocessor systems have a bug in them, multiprocessor support is disabled
[1.4] Licensing
  • To administer Windows 2003 OS licensing for sites or the enterprise, use Licensing in Administrative Tools.
  • The Licensing option in Control Panel manages licensing requirements for a single computer running a Windows 2003 OS.
  • You must have a Client Access License (CAL) for each device or user that connects to your server.
  • Per Device or Per User licensing mode is the best option if your clients frequently use multiple servers on the network. It is client side licensing used in enterprises. The number of simultaneous connections to any server is unlimited for every client.
  • Per Server licensing mode is the best licensing option when a server product is installed on only one server accessed at any time by no more than a subset of your users. For example if you have 5 CALs 5 clients can connect to your server on first come basis.
  • Use license groups when there is 1 to many, many to 1 or many to many relationship between users and devices
  • The License Logging service is needed for license monitoring but not for enforcement
  • If a client PC is used by 10 or fewer users only 1 CAL is required
  • For the Control Panel licensing of a single computer you get only one change of licensing mode (Per Server to Per Device/Per User); for enterprise licensing a mode change loses your recorded licences
  • You can find your licensing server in 'AD Sites and Services'
[1.5] General upgrade points
  • You need at least Windows NT4 SP5 to upgrade to Windows 2003
  • You must upgrade to the same or more powerful edition (i.e. for example from Windows 2000 Advanced Server to Windows 2003 Enterprise, cannot upgrade to Windows 2003 Standard)
  • If the PC you are upgrading will be (or is) a domain controller you will need NTFS (among other things to store SYSVOL folder which stores GPO)
  • Check partition size, you need minimum of 1.5GB for Windows 2003 installation
[1.6] Upgrading from Windows NT4 to Windows 2003
  • You need to upgrade the PDC first (Windows 2003 will emulate a PDC for older clients). Note that Windows 2000 and XP PCs will prefer the Windows 2003 server over NT4 BDCs, which can cause network congestion; to avoid it, set the NT4Emulator registry value on the upgraded server so that it looks like an NT4 PDC until the rest of the domain is upgraded.
  • You need to upgrade the RAS server before you upgrade the last BDC (RAS on NT4 relies on the old NTLM-based access to account information)
  • AD installation wizard will start after OS upgrade completes (if PC was a DC). By default forest functionality level will be set to Windows 2003 interim.
  • NT4 mirror and stripe sets will not mount on Windows 2003; before upgrading you need to
    • Break the mirror and/or delete the stripe set (after backing up its data)
    • If you forget about above, use ftonline utility to mount NT mirror or stripe in read only mode on Windows 2003
[1.7] Upgrading from Windows 2000 to Windows 2003
  • AD was introduced in Windows 2000 to manage authentication
  • You will need to make sure all Windows DC have SP2 or above installed on them
  • Before OS upgrade you need to run utility called adprep on the DC
    • Adprep.exe is located on the Windows 2003 CD. Its role is to extend the Windows 2000 AD schema with the enhancements needed for a Windows 2003 DC to be accepted
    • You will need to run adprep.exe /forestprep first on the schema master. You will need to be a member of both Enterprise admins and Schema admins. It is recommended to take schema master PC offline during utility run.
    • After you have run adprep.exe /forestprep you will need to run adprep.exe /domainprep on the infrastructure master in each domain. You need to be a member of domain admins or enterprise admins. Make sure that before the run all changes from adprep.exe /forestprep replicated down to all DCs.
[1.8] Domain functional levels
  • Forest functional level
    • Affects all domains in the forest
    • Windows 2000 (default) accepts NT4, 2000 and 2003 DC
    • Windows 2003 Interim accepts NT4 and 2003 DC
    • Windows 2003 accepts 2003 DC
  • Domain functional level
    • Affects only one domain
    • Windows 2000 mixed (default) accepts NT4, 2000 and 2003 DC
    • Windows 2000 native accepts 2000 and 2003 DC
    • Windows 2003 interim (you get this option if you upgraded a purely NT4 domain) accepts NT4 and 2003 DCs
    • Windows 2003 accepts 2003 DC

Part 2: Managing and Maintaining Physical & logical drives

[2.1] Plug & play
  • For plug & play to operate we need the following:
    • Plug & play BIOS
    • OS that is plug & play capable
    • Device that supports plug & play
  • When Windows finds new hardware but is unable to install it we can go to Device Manager and run troubleshooter as well as look at the error codes
  • Uninstalling a device using Device Manager only removes the driver from the OS (not the device from the PC!). If the device is not physically removed from the PC, it will be detected again the next time the PC boots. To prevent this, disable the device instead.
  • When Windows 2003 fails to detect new hardware use 'Add new hardware wizard'
[2.2] Hardware supported
  • Virtual Disk service API for storage systems, SANs (storage area networks)
  • IEEE 1394, RAID, USB 2.0, Video, Sound
  • Wireless supports
    • Wireless and cable network bridging
    • Roaming and autoconfiguration
  • USB 2.0 supports up to 127 devices per root hub and external hubs nested up to 5 deep. You can see power and bandwidth usage in the root hub's properties.
  • Windows 2003 has the ability to burn CD-R and CD-RW using IMAPI service, however it is disabled by default
  • You will need a decoder for video DVDs (data DVDs are OK)
  • DVD+RW and DVD-RW are not supported, need manufacturer's driver
[2.3] Access needed to install new hardware
  • You will need to be a member of the Administrators group or have the 'Load and unload device drivers' user privilege to install new hardware, unless
    • The driver the hardware uses is signed or has the Designed for Windows logo
    • No further action is required to install the device, no requirement for Windows to display a user interface. No need to use 'Add Hardware Wizard'
    • Device driver is already on the system
    • No network policy settings are preventing you from installing hardware.
  • This way ordinary users can, for example, connect a USB pen drive to the PC without being members of the Administrators group
[2.4] Device Manager can be accessed in 4 ways
  • By going to start -> all programs -> administrative tools -> computer management -> device manager tree selection
  • Control panel -> system -> hardware tab -> device manager button
  • R-click on 'My computer' and select properties ->hardware tab -> device manager button
  • Custom made MMC snap-in
[2.5] Device Manager views
  • Devices by type - when you use this view all network adapters present will be listed under 'network adapters', all disk drives under 'disk drives' etc. This is the default view.
  • Devices by connection - you can for example see what devices are connected to the motherboard on the PCI slot by expanding Standard PC node and expanding PCI bus node.
  • Resources by type - sorts devices by resource type, i.e. DMA, I/O, IRQ and memory. Good for IRQ conflict troubleshooting.
  • Resources by connection - sorts devices by connection instead of type
  • Show hidden devices - shows the non plug and play devices that have been removed from the PC but have installed drivers.
[2.6] Device properties tab
  • General - for example manufacturer and device status
  • Advanced settings - optional, not every device has them. For example, for a network card we could have card link speed selector.
  • Resources tab - shows things like IRQ assignments. You can only edit IRQ if there is a conflict. Also the device has to be plug and play capable.
  • Power management - not applicable to servers
  • Hardware profiles - good mostly for laptops, when say you have different hardware connected to your PC at the office and at home office. Also can be used for troubleshooting, you can limit the hardware in each profile.
[2.7] Driver properties
  • Details of installed driver
  • Update driver
  • Roll back driver (new in Windows 2003)
  • Uninstall driver
  • Driver signing:
    • Harmful driver install prevention
    • HCL - Hardware Compatibility List, to be replaced by the Windows Catalog
    • Run d:\i386\winnt32 /checkupgradeonly from the Windows 2003 CD to check hardware compatibility
    • sigverif.exe (File Signature Verification) checks which installed drivers and system files are unsigned
    • By default the system is set to warn the user when an unsigned driver is being installed (the other options are: ignore and block)
    • An unsigned driver means the driver was not tested by Microsoft and is not supported by Microsoft. For the most part these drivers are still OK, but blocking them is the safer policy on servers
    • When driver is signed by Microsoft it and the hardware are tested by Microsoft
  • Some older devices (like CD-ROM etc.) plug into LPT port on the PC. You will need to set LPT port to "Legacy plug and play support" on port settings tab for older devices to work.
  • The easiest way to solve embedded device conflict with an add on device is to disable the onboard device. For example, to use add on music card, you will need to disable onboard music card
  • Many problems are caused by incorrect drivers, for example graphic card that displays only 800x600 resolution. Update driver to solve these problems.
[2.8] HAL - hardware abstraction layer
  • The layer between the kernel and the hardware (motherboard, buses, interrupt controller); the kernel is built on top of it
  • You can choose HAL during install by pressing F5
  • Multiple processors - when installing a 2nd processor in a single processor system (UP - uni processor) you will need to update HAL for the CPU from single CPU to multiple CPU (SMP - symmetric multi processor driver)
  • Do not upgrade from standard HAL to ACPI (advanced configuration and power interface) HAL and vice versa
[2.9] Windows update & automatic update
  • 1st appeared in Windows 98
  • Windows 2003 adds scheduling of updates capability
  • To access follow: control panel -> system -> system properties -> automatic update button
  • Can set up Windows update properties via GP settings
    • Specify Intranet Microsoft Update service location
    • Configure automatic updates
    • Reschedule Automatic updates scheduled installations
    • No auto-restart for scheduled automatic updates
[2.10] Printers
  • Printer - the software interface on your PC (the queue and its settings)
  • Print device - this is the actual hardware printer
  • Print server - the PC to which a local printer is connected; any Windows PC can be one. It is the computer that sends print jobs to the print device. For a network printer you send jobs to the server as well.
  • Print spooler - also referred to as the print queue, a directory on the print server where jobs are stored prior to being printed
  • Print processor - also known as rendering, the process that determines whether a print job needs further processing once the job has been sent to the spooler
  • Printer pool - configuration that allows to use one printer for multiple print devices
  • Print driver - piece of software that understands your print device codes
  • Physical port - port through which a printer is directly connected to the computer, COM or LPT
  • Logical port - port through which a printer with a network card is attached to network, much faster than a physical port
  • Local printer - printer that uses a physical port and has not been shared
  • Network printer - printer that is available to local and network users, can use either physical or logical port
  • Windows server 2003 can be in a "print server" role. In this role the server is set to manage network printers (this includes local printers connected to other PCs which are shared)
  • You can use UNIX (LPR) protocol, for this you will need to add LPR port. LPR is included in "print services" for UNIX, which is installed as a separate component of Windows Server 2003
  • You can also have print services for Macintosh and for Netware
  • Whenever you hear anything that deals with: LPR, LPD, LPQ think UNIX
  • You can load into your Windows 2003 server in "print server" role additional drivers for other Windows versions (Windows 95/98/NT4/2000/XP)
  • You can set printer priority (1-99) as well as printer availability (the hours during which the printer is available) for different user groups, as well as access to the print device itself for different user groups and individual users.
  • For network printers that are attached using ethernet cable to the network and use TCP/IP for communication any Windows 2003 server can be a print server provided that it is connected to the same network
    • To implement above you need to create a new TCP/IP port
    • To create a port you will also need IP of the network printer or its share name (so IP can be pulled from active directory)
  • You can print from Windows XP clients to print server computers running a Windows 2003 by using a Uniform Resource Locator (URL). Internet printing uses Internet Printing Protocol (IPP).
  • For example, to use a different print priority for two groups you need to set up two print devices, restrict their use and set a priority on each
  • If you want to know printer utilization track print queue object in system monitor
  • %systemdir%\system32\spool\printers\ is the default location of the spool folder. You should change it if your server serves many printers.
  • A port is defined as the interface that allows the PC to communicate with the print device. Local ports are for print devices attached to the PC directly.
  • Separator pages are used in multi user environments, sample files are found in %systemroot/system32/ folder with .sep ending
  • Print.exe - sends a text file to a printer
  • Net Print - displays information about a specified printer queue, displays information about a specified print job, or controls a specified print job
[2.11] Printer pooling
  • One printer, multiple print devices
  • Think of it as load balancing for printers, used in larger enterprises
  • Need to use the same driver for all print devices that are members of the pool. Many newer print devices will work with an older driver; use the newest driver that still works for the oldest printer.
[2.12] Management of printers using print server role of Windows 2003 server
  • Surf to http://printserver/printers/ where 'printserver' is the name (or IP) of your print server PC
  • Can restrict access to this web interface using group policy
  • For above to work you will need to install IIS 6
[2.13] Redirecting print jobs
  • You can redirect print jobs provided both printers use the same driver
  • When a user has queued a print job on a print device which failed BEFORE commencement of printing, you can redirect the job to another printer
  • To redirect a print job select print device you want jobs redirected from
  • If the new printer is on this print server, just select new port to which the new printer is attached, otherwise
  • Click on 'ports' tab
  • Click on 'add port', select local printer and click on 'new port'
  • Type in UNC share name of the printer you want the job redirected to, in format \\other_print_server\share_name
  • Check the check box next to the port you just created
[2.14] Disk drives
  • SCSI 15000RPM, 20Mbps transfer
  • IDE 7200RPM, 16.7Mbps transfer
  • SATA (similar to IDE)
  • Both SCSI and SATA support up to 15 drives on a single controller
  • IDE drives have 'cable select' option on them which automatically determines master and slave. It is best practice to manually set jumpers for master and slave.
[2.15] ARC path designation (Advanced RISC computing)
  • ARC dates back to NT 3.5 days (in the form presented here, otherwise NT 3.1)
  • The file boot.ini is used to find '\windows\' directory
  • Bootcfg.exe configures, queries, or changes Boot.ini file settings
  • Boot.ini switches:
    • /debug - for debugging (/nodebug)
    • /bootlog - enable boot logging
    • /sos - display driver names while they are being loaded during the Windows boot
  • Please note that Microsoft has changed the default install directory from WINNT to WINDOWS for Windows server 2003. For upgrades we will still use WINNT directory.
  • Multi
    • Identifies the controller physical disk is on
    • Multi(x) syntax of the ARC path is only used on x86-based computers
    • For IDE or pure SCSI disks when OS is on the 1st or 2nd SCSI drive
    • The Multi(x) syntax indicates to Windows NT that it should rely on the computer's BIOS to load system files. This means that the operating system will be using interrupt (INT) 13 BIOS calls to find and load NTOSKRNL.EXE and any other files needed to boot Windows NT.
    • Numbering starts at 0, for example Multi(0), due to technical reasons it should always be 0
    • In a pure IDE system, the Multi(x) syntax will work for up to the 4 drives on the primary and secondary channels of a dual-channel controller
    • In a pure SCSI system, the Multi(x) syntax will work for the first 2 drives on the first SCSI controller (that is, the controller whose BIOS loads first)
    • In a mixed SCSI and IDE system, the Multi(x) syntax will work only for the IDE drives on the first controller
  • SCSI
    • Identifies the controller physical disk is on
    • The SCSI(x) syntax is used on both RISC and x86-based computers
    • Using SCSI() notation indicates that Windows NT will load a boot device driver and use that driver to access the boot partition
    • On an x86-based computer, the device driver used is NTBOOTDD.SYS, on a RISC computer, the driver is built into the firmware
    • Numbering starts at 0, for example SCSI(0)
    • Windows NT Setup always uses Multi(x) syntax for these first two drives
  • Disk
    • Identifies the physical disk attached to controller
    • 0 if Multi(x) present, Disk is only for SCSI
    • For SCSI the value of Disk(x) is the SCSI ID and can be 0-15. Note: one ID is always reserved for the controller itself
    • Numbering starts at 0, for example Disk(0)
  • Rdisk
    • Identifies the physical disk attached to controller
    • Almost always 0 if SCSI(x) is present, Rdisk is for Multi(x), ordinal for the disk, usually number 0-3
    • Numbering starts at 0, for example Rdisk(0)
  • Partition
    • Refers to the partition on the hard disk where Windows system folder is located on
    • All partitions receive a number except for type 5 (MS-DOS Extended) and type 0 (unused) partitions, with primary partitions being numbered first and then logical drives
    • A partition is a logical definition of hard drive space
    • Numbering starts at 1, for example Partition(1)
  • Signature
    • Used when system BIOS or controller hosting the boot partition cannot use INT-13 Extensions
    • The signature() syntax is equivalent to the scsi() syntax
    • Using the signature() syntax instructs Ntldr to locate the drive whose disk signature matches the value in the parentheses, no matter which SCSI controller number the drive is connected to
    • The signature() value is extracted from the physical disk's Master Boot Record (MBR)
[2.16] Easy way to memorize ARC
  • There are 5 letters in the word 'Multi' and 5 letters in the word 'Rdisk'
  • There are 4 letters in the word 'SCSI' and 4 letters in the word 'Disk'
  • 'SCSI' works together with 'Disk' while 'Multi' works together with 'Rdisk'
  • When system uses Multi(x) it uses BIOS INT-13 Extensions, so on board BIOS has to be enabled
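Added example (mine, not from the guide): a small Python parser that splits a boot.ini ARC path into its components and applies the Multi/SCSI/Disk/Rdisk/Partition rules listed above (exactly one adapter keyword, Disk must be 0 with Multi, Disk is a SCSI ID 0-15 with SCSI/Signature, Partition numbering starts at 1). The sample paths in the block are constructed, and `loader_for` is a helper name of my own.

```python
import re

# One ARC component, e.g. multi(0) or signature(8b467c12); boot.ini is case-insensitive.
_COMPONENT = re.compile(
    r"(multi|scsi|signature|disk|rdisk|partition)\(([0-9a-fA-F]+)\)", re.IGNORECASE)


def parse_arc_path(arc_path):
    """Parse an ARC path such as 'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS'.

    Returns {"components": {...}, "directory": "\\WINDOWS", "warnings": [...]}.
    Raises ValueError for paths that violate the hard rules.
    """
    # The component chain ends at the first backslash; the rest is the system directory.
    chain, sep, rest = arc_path.partition("\\")
    directory = sep + rest if sep else ""

    components = {}
    pos = 0
    for m in _COMPONENT.finditer(chain):
        if m.start() != pos:
            raise ValueError(f"unexpected text in ARC path: {chain[pos:m.start()]!r}")
        name = m.group(1).lower()
        # signature() carries a hex disk signature from the MBR; all other values are decimal.
        components[name] = int(m.group(2), 16 if name == "signature" else 10)
        pos = m.end()
    if pos != len(chain):
        raise ValueError(f"unexpected text in ARC path: {chain[pos:]!r}")

    warnings = _check_components(components)
    return {"components": components, "directory": directory, "warnings": warnings}


def _check_components(c):
    """Apply the ARC rules; hard violations raise, soft ones are returned as warnings."""
    adapters = [k for k in ("multi", "scsi", "signature") if k in c]
    if len(adapters) != 1:
        raise ValueError("exactly one of multi(), scsi() or signature() is required")
    for k in ("disk", "rdisk", "partition"):
        if k not in c:
            raise ValueError(f"missing {k}() component")
    if c["partition"] < 1:
        raise ValueError("partition() numbering starts at 1")

    warnings = []
    if adapters[0] == "multi":
        # multi(): BIOS INT 13 loads the files; Disk is unused (0), Rdisk selects the drive.
        if c["disk"] != 0:
            raise ValueError("disk() must be 0 when multi() is used")
        if c["multi"] != 0:
            warnings.append("multi(x) should always be 0")
        if not 0 <= c["rdisk"] <= 3:
            warnings.append("rdisk() is usually 0-3 with multi()")
    else:
        # scsi()/signature(): NTBOOTDD.SYS reaches the disk; Disk is the SCSI ID (0-15).
        if not 0 <= c["disk"] <= 15:
            raise ValueError("disk() must be a SCSI ID in the range 0-15")
        if c["rdisk"] != 0:
            warnings.append("rdisk() is almost always 0 with scsi()/signature()")
    return warnings


def loader_for(arc_path):
    """Name the mechanism Ntldr uses to reach the boot partition for this path."""
    c = parse_arc_path(arc_path)["components"]
    if "multi" in c:
        return "BIOS INT 13 calls (multi syntax)"
    return "NTBOOTDD.SYS boot device driver (scsi/signature syntax)"


if __name__ == "__main__":
    # Constructed sample boot.ini entries, not taken from any real system.
    for line in ("multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS",
                 "scsi(0)disk(3)rdisk(0)partition(2)\\WINNT",
                 "signature(8b467c12)disk(1)rdisk(0)partition(1)\\WINDOWS"):
        print(line, "->", parse_arc_path(line)["components"], loader_for(line))
```

Feed it the ARC half of each line in the [operating systems] section of boot.ini; a raised ValueError points at the component that breaks the rules, and the warnings list flags the unusual-but-legal combinations the guide mentions.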
[2.17] Disk Management MMC snap-in
  • To activate: start -> all programs -> administrative tools -> computer management -> disk management tree node
  • Another way is to r-click on My Computer and select 'manage' from the list
  • Finally you can just create a custom MMC snap-in
  • Using Disk Management, among other things, you can:
    • Initialize new disks
    • Create new volumes and partitions
  • If you r-click and select properties -> general tab you can see location heading with a number. That number is the ARC number of the HD.
  • If you need a disk formatted in FAT or FAT32 you cannot do it from Disk Management; you need to use: format x: /fs:FAT32. Note: Windows can format FAT32 disks up to a maximum of 32Gb but can read higher capacity drives
  • DiskPart.exe - you can create scripts to automate tasks, such as creating volumes or converting disks to dynamic.
  • Fsutil.exe - perform many NTFS file system related tasks, such as managing disk quotas, dismounting a volume, or querying volume information.
  • Mountvol.exe to mount a volume at an NTFS folder or unmount the volume from the NTFS folder.
[2.18] Remote management
  • Computer Management is not just for the local machine, you can also manage other PCs; to activate, r-click on Computer Management (local) and select 'connect to another computer'
  • By default Domain Admins are part of the local Administrators group and you need these rights to connect to and administer remote PCs
  • If you cannot access Device Manager from the Computer Management extension snap-ins on a remote computer, ensure that the Remote Registry service is started on the remote computer.
  • Computer Management does not support remote access to computers that are running Windows 95.
  • In remote management 'Device Manager' is in read-only mode
[2.19] Basic Disks
  • Primary partition is the only one that is bootable and there is a maximum of 4 primary partitions
  • Extended partitions are not bootable
  • Logical drives are created in extended partitions. There are no limits as to the number of logical drives each extended partition may have.
  • Primary partitions and logical drives are assigned drive letters
  • Basic Disk FAT is located on the first sector of the hard disk; space is shared with the MBR
[2.20] Dynamic disks
  • Fault tolerance is better than with basic disks, because the configuration information is stored in multiple places. A 1Mb database is placed at the end of each physical hard disk containing information about all dynamic disks in this particular system, so the same data has multiple copies.
  • Can be one of the following:
    • Simple volume:
      • Single disk
      • No fault tolerance
      • Can be NTFS or FAT
    • Spanned volume:
      • maximum of 32 disks
      • Cannot extend spanned volumes, need to delete and recreate
      • No fault tolerance
    • Extended simple volume:
      • Similar to spanned volume but uses the same physical HD with simple volume
      • You can extend a simple volume only if it does not have a file system or if it is formatted using the NTFS file system. You also need free space on HD and the volume could not have been originally a basic disk partition.
      • You cannot extend volumes formatted using FAT or FAT32
      • You cannot extend a system volume, boot volume, striped volume, mirrored volume, or RAID-5 volume
    • Mirror volume:
      • Also known as RAID 1
      • The only volume type besides a simple volume on which both the boot and system partitions can reside in Windows 2003
      • Can be NTFS or FAT
      • Fault tolerance, data is the same on both disks
      • To replace the failed mirror in a mirrored volume, right-click the failed mirror and then click Remove Mirror, and then right-click the other volume and click Add Mirror to create a new mirror on another disk
      • Variation of mirroring called duplexing uses HD connected to different controllers for even more fault tolerance
    • Striped volume:
      • Also known as RAID 0
      • Maximum of 32 disks
      • Breaks data into 64Kb chunks for writing to different disks that make up the stripe
      • It is recommended to use same type of hard drives for member drive
      • Windows 2003 cannot be installed on software RAID 0
      • You cannot extend striped volume, need to recreate it
      • No fault tolerance
    • RAID 5:
      • Made up of three disks with each storing parity information
      • Fault tolerance when one disk fails
      • Maximum of 32 disks, minimum of 3
      • Not available in Windows XP professional
      • To replace the failed disk region in a RAID-5 volume, right-click the RAID-5 volume and then click Repair Volume
  • Only in Windows XP Professional, windows 2000 Professional and Windows 2003 Server (all editions) you can use dynamic disks
  • Note: if the disk whose ARC path is in boot.ini fails, the system will not boot. You should keep a boot disk with a modified boot.ini
  • Mounted volumes - can mount HD as a NTFS folder
  • Uninstall disks prior to moving them, Re-scan disk when you attach it
  • Dynamic disks can be re-configured without re-boot
  • When your boot disk is also a dynamic disk, then you will not be able to dual boot into OS that is not dynamic disk capable
  • Dynamic disks are not supported on laptops due to the lack of any advantage over basic disks in this scenario
  • Dynamic disk partition table types:
    • dynamic GUID partition table (GPT) disks, for 64bit editions of Windows
    • dynamic MBR disks, for 32 and 64bit editions of Windows
  • The Foreign status occurs when you move a dynamic disk to the local computer from another computer
  • You can have a maximum of 2000 volumes on a dynamic disk, recommended maximum is 32
  • Volumes created after the 26th drive letter has been used must be accessed using volume mount points
  • Hard drives that are connected to the PC using USB or IEEE 1394 cannot be converted to dynamic disks
  • Volume status descriptions
    • Failed - basic or dynamic volume cannot be started automatically or the disk is damaged
    • Failed Redundancy - data on a mirrored or RAID-5 volume is no longer fault tolerant because one of the underlying disks is not online, has substatuses
    • Formatting - occurs only while a volume is being formatted with a file system
    • Healthy - normal volume status on both basic and dynamic volumes, no known problems, has substatuses
    • Regenerating - occurs when a missing disk in a RAID-5 volume is reactivated
    • Resynching - occurs when creating a mirror or restarting a computer with a mirrored volume
    • Unknown - occurs when the boot sector for the volume is corrupted
    • Data Incomplete - displayed in the Foreign Disk Volumes dialog box, and occurs when data spans multiple disks, but not all of the disks were moved.
    • Data Not Redundant - displayed in the Foreign Disk Volumes dialog box when you import all but one of the disks in a mirrored or RAID-5 volume
    • Stale Data - displayed in the Foreign Disk Volumes dialog box, and occurs when a mirrored or RAID-5 volume has stale mirror information, stale parity information, or I/O errors
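Added example (mine, not from the guide): a Python model of the striped and RAID-5 volume rules above. Data is cut into chunks (64Kb by default, as the guide states), spread over 3 to 32 disk images with the parity chunk rotating from stripe to stripe, and a failed disk is regenerated by XORing the survivors, which is the whole reason a RAID-5 volume tolerates one disk failure. The disk images are in-memory lists, and the sample payload is constructed.

```python
CHUNK_SIZE = 64 * 1024   # Windows stripes data in 64 KB chunks


def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is the RAID-5 parity operation."""
    result = bytearray(blocks[0])
    for block in blocks[1:]:
        for i, byte in enumerate(block):
            result[i] ^= byte
    return bytes(result)


def raid5_write(data, disks, chunk_size=CHUNK_SIZE):
    """Stripe `data` over `disks` disk images with rotating parity.
    Returns a list of per-disk chunk lists (built in memory, no real I/O)."""
    if not 3 <= disks <= 32:
        raise ValueError("Windows RAID-5 volumes use between 3 and 32 disks")
    data_chunks_per_stripe = disks - 1
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    # Pad the tail chunk and complete the final stripe with zero-filled chunks.
    if chunks and len(chunks[-1]) < chunk_size:
        chunks[-1] = chunks[-1].ljust(chunk_size, b"\0")
    while len(chunks) % data_chunks_per_stripe:
        chunks.append(b"\0" * chunk_size)

    images = [[] for _ in range(disks)]
    for stripe in range(len(chunks) // data_chunks_per_stripe):
        start = stripe * data_chunks_per_stripe
        stripe_data = chunks[start:start + data_chunks_per_stripe]
        parity_disk = stripe % disks          # parity rotates so no single disk is a bottleneck
        parity = xor_blocks(stripe_data)
        remaining = iter(stripe_data)
        for disk in range(disks):
            images[disk].append(parity if disk == parity_disk else next(remaining))
    return images


def raid5_read(images, length):
    """Reassemble the first `length` bytes of the original data, skipping parity chunks."""
    disks = len(images)
    out = bytearray()
    for stripe in range(len(images[0])):
        parity_disk = stripe % disks
        for disk in range(disks):
            if disk != parity_disk:
                out += images[disk][stripe]
    return bytes(out[:length])


def raid5_rebuild(images, failed_disk):
    """Regenerate every chunk of `failed_disk` from the surviving disks (XOR of the rest).
    Works for data and parity chunks alike; a second failure before the rebuild
    finishes is what the 'Failed Redundancy' status warns about."""
    return [xor_blocks([images[d][s] for d in range(len(images)) if d != failed_disk])
            for s in range(len(images[0]))]


if __name__ == "__main__":
    sample = bytes(range(256)) * 20                  # constructed 5 KB payload
    imgs = raid5_write(sample, disks=4, chunk_size=512)
    imgs[2] = raid5_rebuild(imgs, failed_disk=2)     # simulate replacing disk 2
    print("recovered:", raid5_read(imgs, len(sample)) == sample)
```

Usable capacity is (disks - 1) / disks of the raw space, which is why a 3-disk RAID-5 volume gives up a third of its capacity to parity while a 32-disk one gives up only about 3%.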
[2.21] Converting to dynamic disk and back to basic disk
  • If you convert a boot disk, or if a volume or partition is in use on the disk you attempt to convert, you must restart the computer for the conversion to succeed.
  • The conversion may fail if you change the disk layout of a disk to be converted or if the disk has I/O errors during the conversion.
  • After you convert a basic disk into a dynamic disk, any existing partitions on the basic disk become (dynamic) simple volumes.
  • If you are using shadow copies and they are stored on a different disk than the original, you must first dismount and take offline the volume containing the original files before you convert the disk containing the shadow copies to a dynamic disk.
  • If you are converting disks from dynamic to basic, the disk being converted must not have any volumes on it nor contain any data before you can change it back to a basic disk. If you want to keep your data, back it up before you convert the disk to a basic disk.
[2.22] File systems
  • FAT 16 bit (File Allocation Table)
  • FAT 32 bit
  • NTFS (New Technology File System)
  • To convert from FAT to NTFS use: convert x: /fs:NTFS
[2.23] Folder compression (zipped)
  • Create new compressed folder (zipped)
  • All new items added to that folder will be compressed (zipped)
  • For command line operations use compress.exe, which acts like winzip
[2.24] Compression (NTFS)
  • When you compress a whole folder:
    • All files are compressed automatically when added but not current folder occupants
    • OR
    • Compression can also be applied to current files and subfolders
  • Decompression is a reverse process of compression
  • Moving a file on the same volume means that the file location is moved in MFT only, not the physical file itself.
  • When you copy a file, no matter whether to the same volume or not, the destination file inherits the destination folder's permissions
  • When you move a file on the same volume, it keeps its original permissions (explicit permissions only). When you move a file to another volume, the move is treated as a copy operation and the file permissions are inherited from the destination folder.
  • All file attributes behave in the same way with the exception of encryption
  • File compression is supported only on NTFS volumes with cluster sizes 4 KB and smaller
  • For command line use compact.exe, it can display and modify compression attributes but it works only on NTFS
[2.25] Encryption:
  • Only the user who created the file, users to whom the owner has given access to view the file (new in Windows 2003; additional users need to already have been issued certificates) and recovery agents can decrypt the file
  • When moving encrypted file from one volume to another volume, it stays encrypted. When copying file it also stays encrypted. This behaviour is unique for encryption!
  • Note that user which has NTFS permissions to an encrypted file can delete that file, even if he/she cannot view that file
  • Cannot encrypt and compress at the same time (the encryption process produces pseudo-random output which by its nature cannot be compressed further)
  • You can zip 1st then encrypt to get encrypted and compressed file
  • Executable file cipher.exe is a command line encryption utility
  • By default, the recovery agent is the Administrator account on the 1st DC, there is no default for stand alone server
  • For encryption property, moving/copying a file to a FAT system decrypts file without warning
  • It is recommended to store the recovery agent certificate on a floppy disk in a secured location. It is also recommended to copy the file to be recovered to the recovery agent's PC, where it will be recovered.
[2.26] How EFS (encrypted file system) works
  • When the user chooses to encrypt a file, a file encryption key is generated
  • This encryption key, together with encryption algorithm is used to encrypt the contents of the file
  • The file encryption key is encrypted itself using user's public key and stored together with the encrypted file. The file encryption key is also protected by the public key of each additional EFS user that has been authorized to decrypt the file and each recovery agent.
  • File can only be decrypted by using user's private key, by using private key of users given permission to view the file and private key of recovery agent
  • Private/public pair is created using user's certificate
  • On stand alone machines user's certificate is created the 1st time he or she tries to encrypt a file
  • For domain user certificate is issued by the certification authority - user needs permission to get a certificate
  • Files marked with the System attribute cannot be encrypted, nor can files in the systemroot directory structure.
  • Before users can encrypt or decrypt files and folders that reside on a remote server, an administrator must designate the remote server as trusted for delegation.
  • If you open the encrypted file over the network, the data that is transmitted over the network by this process is not encrypted.
  • Users can use EFS remotely only when both computers are members of the same Windows Server 2003 family forest
  • Encrypted files are not accessible from Macintosh clients
  • Encrypting File System (EFS) no longer requires a recovery agent
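Added example (mine, not part of the guide): a Python model of the EFS key flow described above. A per-file encryption key (FEK) encrypts the contents; the FEK is then wrapped with the public key of the owner, of each additional authorized user and of each recovery agent, so any one of those private keys can unwrap it. The key pairs are toy RSA built from tiny fixed primes (they stand in for the key pair behind the user's certificate and provide no security), the symmetric cipher is a SHA-256 keystream XOR standing in for the real algorithm, and the `fek_tag` check value, the identity-keyed dictionaries and all sample data are my own constructions. EFS calls the per-user and per-agent entries the Data Decryption Field (DDF) and Data Recovery Field (DRF).

```python
import hashlib
import secrets


def make_keypair(p, q, e=7):
    """Toy RSA key pair from two small primes (the role of the user's certificate key pair).
    Tiny moduli like these are for illustration only and provide no security."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"public": (e, n), "private": (pow(e, -1, phi), n)}   # pow(e, -1, m): Python 3.8+


def wrap_fek(fek, public_key):
    """Encrypt the file encryption key (FEK) with a public key."""
    e, n = public_key
    return pow(fek, e, n)


def unwrap_fek(wrapped, private_key):
    """Recover the FEK with the matching private key."""
    d, n = private_key
    return pow(wrapped, d, n)


def fek_stream_xor(fek, data):
    """Toy symmetric file cipher: XOR with a SHA-256 keystream derived from the FEK.
    Stands in for the real symmetric algorithm; one call both encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(fek.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def fek_tag(fek):
    """Check value stored with the file so a mismatched private key is detected (my addition)."""
    return hashlib.sha256(b"fek-check" + fek.to_bytes(4, "big")).hexdigest()


def efs_encrypt(plaintext, users, recovery_agents, fek=None):
    """users / recovery_agents map an identity to its public key; the first user is the owner.
    Returns the ciphertext plus the FEK wrapped once per user (DDF) and per agent (DRF)."""
    if fek is None:
        fek = secrets.randbelow(3000) + 2   # toy range: must stay below every modulus
    return {
        "ciphertext": fek_stream_xor(fek, plaintext),
        "ddf": {name: wrap_fek(fek, pub) for name, pub in users.items()},
        "drf": {name: wrap_fek(fek, pub) for name, pub in recovery_agents.items()},
        "tag": fek_tag(fek),
    }


def efs_decrypt(encrypted, identity, private_key):
    """Decrypt with one identity's private key; None if no FEK was wrapped for that
    identity or the supplied key does not match its entry."""
    wrapped = encrypted["ddf"].get(identity, encrypted["drf"].get(identity))
    if wrapped is None:
        return None
    fek = unwrap_fek(wrapped, private_key)
    if fek_tag(fek) != encrypted["tag"]:
        return None
    return fek_stream_xor(fek, encrypted["ciphertext"])


if __name__ == "__main__":
    alice, bob, agent = make_keypair(61, 53), make_keypair(101, 103), make_keypair(107, 109)
    secret = b"constructed sample file contents"
    enc = efs_encrypt(secret, {"alice": alice["public"], "bob": bob["public"]},
                      {"recovery-agent": agent["public"]})
    print(efs_decrypt(enc, "bob", bob["private"]) == secret)             # True
    print(efs_decrypt(enc, "carol", make_keypair(131, 137)["private"]))  # None
```

The structure explains two points in the list above: adding a user only adds one more wrapped copy of the FEK (the file contents are not re-encrypted), and a recovery agent can open the file without ever holding the owner's private key.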

Part 3: Managing users, computers and groups

[3.1] User accounts
  • User account consist of:
    • Name and password
    • SID (security identifier) - consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. SIDs are unique in the network.
    • Can have other attributes, like group membership
  • User accounts and computer accounts (as well as groups) are also referred to as security principals
  • Security principals are directory objects that are automatically assigned security IDs (SIDs)
  • Can be either local or domain
  • All local user accounts are stored in a local database that every PC has, except domain controllers.
  • Local accounts cannot be used to grant access to network resources
  • At logon time the user selects whether to log on to a domain or to the local PC; depending on that selection the system uses the local or the AD user database
  • Username must be unique, for pre-2000 maximum of 20 characters, spaces and period are OK, but no special characters. Usernames are not case sensitive while passwords are.
  • InetOrgPerson is used in several non-MS LDAP and X.500 directory services to represent people within an organization, in AD for compatibility
  • In order to interactively log in to DC user needs to be member of Domain admins, Enterprise admins, Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators or explicitly granted permission to logon
[3.2] Built-in local user accounts
  • Administrator - even when the Administrator account has been disabled, it can still be used to gain access to a computer using Safe Mode
  • Guest (by default in disabled state)
  • Support account (Support_388945a0)
[3.3] Built-in local groups
  • Administrators - full control; by default its member is the Administrator account, which cannot be removed. When joined to a domain, the Domain Admins global group is also added to the local Administrators group.
  • Backup Operators - can back up and restore files on the server, ignoring the security settings that protect these files. Can access the server from the network, log on locally and shut down the system.
  • DHCP Administrators (installed with the DHCP Server service) - have administrative access to the Dynamic Host Configuration Protocol (DHCP) Server service.
  • DHCP Users (installed with the DHCP Server service) - have read-only access to the DHCP Server service.
  • Guests - temporary profile created at the logon time, deleted at log off. Member of the Guest group, no default user rights.
  • Help service group - used to set up rights common to all support applications; the only member is Support_388945a0, do not add users
  • Network configuration operators - can make changes to TCP/IP
  • Performance log users - can manage performance counters, logs and alerts locally or remotely
  • Performance monitor users - can monitor performance counters only, locally or remotely
  • Power users - they can add users/shares/groups. The power users cannot: change Administrators group membership, take ownership of files, load or unload device drivers and manage security logs.
  • Print operators - can manage printers and print queue
  • Remote Desktop Users - can remotely logon to the server
  • Replicator - the only member should be domain user account used to logon the replicator service on a DC. Do not add users to this group
  • Terminal Server Users - users who are currently logged on to the system using Terminal Server
  • Users - can do common task such as running programs and printing stuff. Can access locally or through network, all user accounts are members of the Users group by default.
  • WINS Users (installed with WINS service) - permitted read-only access to Windows Internet Name Service (WINS)
[3.4] Complex passwords
  • Complex password needs to be at least 6 characters long
  • Cannot use any part (or all of) of user account name
  • A complex password need to consist of 3 out of these 4:
    • English uppercase characters
    • English lowercase characters
    • Base 10 digits
    • A special character, such as [,),^
  • By default, complex passwords are enabled on DC, disabled on stand alone servers
  • Windows 2003 passwords can be up to 127 characters long. Windows 95/98 passwords can be up to 14 characters long.
  • Password reset disks are used on stand alone servers to recover a user password; otherwise users will lose their encrypted data
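Added example (mine, not from the guide): a Python check that applies the complexity rules listed above, plus the 127-character Windows 2003 limit, and reports every reason a candidate fails. "Any part of the user account name" is interpreted here as the whole account name or any separator-delimited piece of it of three or more characters; that interpretation, the function names and the sample names are my own.

```python
import re

UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")
ALNUM = UPPER | LOWER | DIGITS


def name_parts(account_name, min_part_len=3):
    """The whole account name plus each separator-delimited part of 3+ characters.
    Those are the strings that must not appear in the password (this example's
    reading of 'any part of the user account name')."""
    parts = [p for p in re.split(r"[\s.\-_,@]+", account_name) if len(p) >= min_part_len]
    return [account_name] + parts


def check_password(password, account_name, min_length=6, max_length=127):
    """Return (accepted, reasons) for the complexity rules."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        reasons.append(f"longer than {max_length} characters")   # Windows 2003 limit

    lowered = password.lower()                # the name check is case-insensitive
    for part in name_parts(account_name):
        if part and part.lower() in lowered:
            reasons.append(f"contains part of the account name ({part!r})")
            break

    categories = {
        "uppercase": any(c in UPPER for c in password),
        "lowercase": any(c in LOWER for c in password),
        "digit": any(c in DIGITS for c in password),
        "special": any(c not in ALNUM for c in password),
    }
    if sum(categories.values()) < 3:
        missing = [name for name, present in categories.items() if not present]
        reasons.append("needs 3 of the 4 character categories; missing " + ", ".join(missing))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed candidates for a constructed account name.
    for candidate in ("Winter2004", "abcdefgh", "Jdoe2004!", "Ab1"):
        ok, why = check_password(candidate, "jdoe")
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

Because the categories are counted rather than all required, a password with no special character still passes when it mixes upper case, lower case and digits, exactly as the 3-of-4 rule says.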
[3.5] Organization
  • On DC on Windows 2000 local users & groups display red X, on Windows 2003 there is no local users & groups
  • When installing AD local user accounts and groups are moved to the AD and local DB is deleted
  • Data that is allowed to be stored in the active directory is defined in the active directory "schema".
  • OU (organizational units) are acting as a container for groups, users and other OU
  • You can limit users to logon only on certain computers (but not exclude them from certain PCs). You can also limit users login hours.
[3.6] Using profile for local PC
  • Local profile is located in 'documents and settings' directory on local PC
  • You can use network share for profile location (can be used for backup)
  • Mandatory profile - users cannot save changes (they can delete, but it comes back!)
  • Home folders - where you automatically go after you hit 'save as'
  • Folder redirection - allows Administrators to redirect personal folders for all users to a single location
  • All user settings and preferences are stored in a file ntuser.dat
[3.7] Roaming profile
  • User sees the same thing on every PC (network profile)
  • Enabled on the user properties screen in Active Directory Users and Computers; cannot be modified using GPO.
  • ntuser.dat is stored on network share
  • Local profile on local PC is used if network connection cannot be established
  • Network problems can occur (network congestion) if large files are saved to the desktop or 'My Computer'. To resolve this issue use GPO - set file processing only if user wants to use given file
  • Only files that have been changed since the profile was last loaded are saved
[3.8] Other profile information
  • To create a mandatory profile rename ntuser.dat to ntuser.man
  • Terminal service profile - different look and feel when connecting through terminal server. This may be needed if regular profile could have adverse effect on the network (contains options that for example use a lot of bandwidth)
[3.9] Account and password options
  • Available options are:
  • User must change password at the next logon
  • User cannot change password
  • Password never expires
  • Store password using reversible encryption
  • Account is disabled
  • Smart card required for interactive logon
  • Account is trusted for delegation
  • Account is sensitive and cannot be delegated
  • Use DES encryption for this account
  • Do not require kerberos for preauthentication
[3.10] Terminal services
  • Thin clients are like good old dumb terminals
  • Terminal services are part of user settings
  • Remote control: user in terminal services application mode, similar to remote assistance
  • Use Terminal services Configuration to set session timeouts
[3.11] Remote access (VPN/Dial-in)
  • Remote access is denied by default
  • Remote access policy which can use either RRAS or IAS (RADIUS)
  • Remote access policy is much more flexible than user Dial-in properties (which in turn override remote access policy)
  • For traveling executive, set 'callback' option to 'set by caller'
  • Dial-in
    • Dial-in properties allow you to assign a specific IP to user
    • This is the only way in Windows 2003 that you can assign a specific IP to a user
  • Routing and remote access protocols
    • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) - still supports NTLM (but not by default). The same encryption key is used for all connections; both authentication and connection data are encrypted
    • MS-CHAP v2 - no NTLM and stronger encryption (such as salting the passed encrypted password strings). The two MS-CHAP protocols are the only ones that can change passwords during the authentication process. A new key is used for each connection and each direction.
    • CHAP - requires storing user passwords with reversible encryption; authentication data is protected through MD5 hashing. No encryption of connection data.
    • PAP (Password Authentication Protocol) passwords are unencrypted as well as connection data
    • SPAP (Shiva Password Authentication Protocol) - less secure than CHAP or MS-CHAP, no encryption of connection data
    • EAP-TLS (Extensible Authentication Protocol - transport level security) - certification based authentication (EAP) used with smart cards, both authentication and connection data are encrypted, not supported on stand alone servers - only for domains.
    • EAP-MD5 CHAP (Extensible Authentication Protocol - Message Digest 5 Challenge Handshake Authentication protocol) - this is a version of Chap that was ported to EAP framework. Encrypts only authentication data, not connection data, same like Chap.
    • Unauthenticated access - connections without credentials, good for testing
[3.12] DC/OU/CN example

Here is how DC/OU/CN work. User is CN - canonical name, DN - distinguished name. For example, for energyshop.com/IT/John Doe:
  • DC - energyshop
  • DC - com
  • OU - IT
  • CN - John Doe

[3.13] UPN - user principal name
  • User principal name in e-mail format which can be used when logging in and not using dropdown, example joe@.... UPN must be unique in the forest.
[3.14] Dealing with user passwords
  • Do not delete user accounts, disable them instead
  • Rename users as a quick way to set up new accounts
  • To move users to a different domain in the same forest use movetree.exe (initiated on the RID master of the domain where object lives). For different forest need ADMT (AD migration tool).
[3.15] Password policy
  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Complexity requirement
  • Store passwords using reversible encryption
[3.16] Account lockout policy
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after X minutes
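Added example (mine, not from the guide): a Python model of how the three lockout settings above interact. Failed logons are counted per account, the counter is cleared once the reset interval has passed without a new failure, reaching the threshold locks the account for the lockout duration (during which even the correct password is refused), and a duration of 0 means the account stays locked until an administrator unlocks it. Times are plain minute numbers so the behaviour is easy to follow; the class, method names and sample accounts are my own.

```python
class LockoutTracker:
    """Per-account failed-logon tracking driven by the account lockout policy values."""

    def __init__(self, threshold, duration_min, reset_after_min):
        self.threshold = threshold          # failures before lockout; 0 disables lockout
        self.duration = duration_min        # 0 means locked until an administrator unlocks
        self.reset_after = reset_after_min  # idle minutes after which the counter restarts
        self.failures = {}                  # account -> (count, minute of last failure)
        self.locked_until = {}              # account -> minute the lock expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear it together with the failure counter.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def unlock(self, account):
        """Administrative unlock; the only way out when duration is 0."""
        self.locked_until.pop(account, None)
        self.failures.pop(account, None)

    def attempt(self, account, password_ok, now):
        """Record a logon attempt and return 'locked', 'success' or 'failed'."""
        if self.is_locked(account, now):
            return "locked"                 # a correct password is refused while locked
        if password_ok:
            self.failures.pop(account, None)
            return "success"
        count, last = self.failures.get(account, (0, now))
        if now - last > self.reset_after:
            count = 0                       # 'reset account lockout counter after' elapsed
        count += 1
        self.failures[account] = (count, now)
        if self.threshold and count >= self.threshold:
            self.locked_until[account] = float("inf") if self.duration == 0 else now + self.duration
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed sequence: three bad passwords in a row, then the right one too late.
    t = LockoutTracker(threshold=3, duration_min=30, reset_after_min=30)
    for minute, ok in ((0, False), (1, False), (2, False), (3, True), (33, True)):
        print(minute, t.attempt("jdoe", ok, now=minute))
```

Seen from the defender's side, the same counters explain the Failed logon events worth alerting on: a burst of failures against one account that stops exactly at the threshold, or a slow trickle spaced just beyond the reset interval, are both shapes a monitoring rule can look for.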
[3.17] Computer accounts
  • Managed PCs are computers whose OS was installed using RIS service (remotely)
  • For RIS to work you need a network card that is PXE (pre-execution environment) enabled
  • If your network card is not PXE-capable but is PCI based you can use Rbfg.exe to create a remote boot disk
  • No computer account for Windows 98 systems, Windows 98 can still log in to the domain, provided that AD client is installed and SMB signing is disabled
  • To create computer accounts you need to have 'create computer accounts' permission
  • You can set up common attributes on several user accounts at once using the multiselect option, you can set: Profile, Organization, Account Tab, Address, General Tab
[3.18] RIS - remote installation service
  • Each PC has a GUID (globally unique identifier) sometimes called UUID
  • You can get PC's GUID from
    • DHCP discovery packets the PC sends when it wants to get an IP address from the DHCP server
    • PC documentation
    • PC startup screen (BIOS)
  • RIS options
    • Respond to client PCs requesting service
    • Do not respond to unknown PCs (unknown PCs are not found in the AD)
  • For RIS following must be available on the network
    • Active Directory
    • DNS
    • DHCP
[3.19] Contacts
  • These are not user accounts
  • They are used to add people that are outside of your domain
[3.20] Automation
  • Bulk import data into Active Directory using csvde.exe (comma separated value directory exchange), using CSV format. It is easier to modify a spreadsheet to conform to csvde than to ldifde.
  • Executable file ldifde.exe stands for: LDAP Data Interchange Format directory exchange
  • Executable file ldifde is used to import AND modify active directory, csvde can only import
  • Import creates accounts with blank passwords, best to create accounts in disabled state by specifying user control value of 514
[3.21] Built-in domain user accounts
  • Administrator - when the Administrator account is disabled, it can still be used to gain access to a domain controller using Safe Mode
  • Guest (in disabled state by default)
  • Support
  • krbtgt
[3.22] Domain Groups
  • Security - can be assigned permissions on objects (but also works as an e-mail distribution list)
  • Distribution - only for e-mail
  • Group scopes:
    • Domain local
    • Global
    • Universal
[3.23] Built in domain local groups
  • Domain local groups can contain users and groups from any trusted domain.
  • Account operators - can create and administer domain user accounts and groups
  • Administrators - full control over domain
  • Backup operators - bypass file permissions in order to back up or restore files
  • Guests - has same access as domain users group
  • Incoming forest trust builders - can create incoming, one way trusts to this forest
  • Network configuration operators - can modify network settings like TCP/IP
  • Performance log users - can remotely configure and view performance logs
  • Performance monitor users - can remotely view performance logs
  • Pre-Windows 2000 computer access (for win NT) - has read permission to all users and groups in the domain and the right to access DC from network
  • Print operators - administrator for printers
  • Remote desktop users - can log on to any PC in the domain remotely (only the logon right, nothing else)
  • Replicators - supports file replication in the domain
  • Server operators - can manage a DC: shut down, create shares, manage disks and more
  • Terminal server license servers - local group for Terminal Server license servers
  • Users - cannot install new applications, can run applications that already exist, cannot log on to a DC
[3.24] Global groups
  • Used to organize users but only from its own domain
  • Create by job function or job description
  • DNS update proxy - can perform updates to the DNS on behalf of other clients. When secure dynamic updates are enabled on DNS, the DHCP servers must be made members of this group to be able to update records for clients.
  • Domain admins - complete administrative rights in the domain. Member of Administrators domain local group (as well as local Administrators group on all PCs)
  • Domain computers - all PCs that are joined to the domain
  • Domain controllers - all DC are members of this group
  • Domain guests - used to grant access to users that don't have valid user account in the domain. Member of domain local guest group by default
  • Domain users - all users are members of this group. Normal access to workstations. When new share gets created, they get 'read' access
  • Group policy creator owners - members can create and manage GPOs. The Administrator account is a member of this group by default.
[3.25] Universal groups
  • Used for many to many relationships, like many users that need to access resources in many domains
  • Can contain users, global groups, local groups from any domain in the forest
  • Cannot contain users from domains that are outside the forest
  • Universal groups are used to organize users across domains
  • It is recommended to place only global groups inside universal groups
  • You need to have domain functional level set to at least Windows 2000 native
  • Built-in (the Administrator of the forest root domain is the only default member):
    • Enterprise admins - have access to all domains in the forest
    • Schema admins
[3.26] Access between domains
  • A trust means relying on the authentication performed by the DCs of another domain
  • Automatic trusts between parent and child domains are set up in Windows 2000 native mode or above
  • Types:
    • Two-way trusts (NT4 domains) - need to be set up on both sides, i.e. one trust from domain A to B and one from B to A; nothing is automatic
    • Two-way transitive trusts (Windows 2000)
    • Forest trust (Windows 2003)
[3.27] Remember the acronym AGLP
  • Accounts - create users accounts
  • Global groups - place users in global groups
  • Local groups - place global group into local group
  • Permissions - assign permissions to the local group
[3.28] Windows 2000/Windows 2003 domain vs. mixed mode
  • Universal groups are added in Windows 2000 native mode
  • Group nesting (placing a group inside another group of the same scope) is enabled in Windows 2000 native mode
  • Changing of group type (distribution vs. security) is enabled in Windows 2000 native mode
  • For a Windows 2000/Windows 2003 domain we are going to use AGULP
  • U stands for universal group
  • We place global groups into universal groups and universal groups into (domain) local groups
[3.29] MMC
  • Access control
    • Author mode - full customization of the MMC console
    • User mode-full access - as author mode, except that users cannot add or remove snap-ins, change console options, create Favorites, or create taskpads
    • User mode-limited access, multiple windows - access only to those parts of the console tree that were visible when the console file was saved. Users can create new windows but cannot close any existing windows.
    • User mode-limited access, single window - as 'user mode limited access, multiple windows' but users cannot create new windows
[3.30] Special groups (special identities)
  • Anonymous Logon - users and services that access a computer and its resources through the network without using an account name, password, or domain name
  • Everyone - all current network users
  • Network - users currently accessing a given resource over the network
  • Interactive - all users currently logged on to a particular computer and accessing a given resource located on that computer
  • Special groups can be assigned rights and permissions to resources but their memberships cannot be modified or viewed and scopes do not apply. Users are added automatically.
[3.31] Other points
  • Home folder can be on local PC or a network share
  • Rename Guest and Administrator accounts, for local accounts use GPO
  • PC and DC use a secure channel to communicate password changes every 30 days. If they are out of synchronization you will need to reset the PC (message is: 'Domain member failed to authenticate'). This is by going to the computer account and clicking on 'reset account'.

Part 4: Managing and monitoring access to resources

[4.1] ACL - access control list
  • Every object in AD has ACL
  • ACE - access control entries
  • An ACL is a list of ACEs. Each ACE has an Allow or Deny action and an associated SID (security identifier).
  • The process of checking user access is performed in this way:
    • The user's SID is checked against the ACEs in the ACL of the resource the user wants to access
    • The SIDs of the groups the user belongs to are checked against the ACEs in the ACL as well
    • If there is no matching entry, access is denied
    • Access is allowed if a matching ACE exists and its action is Allow
    • Windows resolves each SID and presents the account name in the ACE
    • A Deny takes precedence over an Allow in the user and group security context. This is true even for Administrators and the object owner.
[4.2] General NTFS permissions for files
  • Read - also allows for viewing of file attributes
  • Write
  • Read and execute
  • Modify = read + write + delete + execute
  • Full control
[4.3] General NTFS permissions for folders
  • Read - also allows to view folder attributes
  • Write
  • Read and execute
  • Modify = read, execute, write, delete
  • List folder contents, includes subfolders
  • Full control = all of the above permissions plus Change permissions plus Take ownership
[4.4] Share permissions
  • Only applicable for folders, no share permissions for files
  • Read = read file data, file names and subfolder names + execute (assigned to the Everyone group by default)
  • Change = Read + delete files and subfolders + write
  • Full control = all of the above permissions + the right to change share permissions (only)
  • Share permissions do not apply to users who are logged on to the OS interactively (i.e. locally)
  • NTFS permissions always apply, also through a share, i.e. a user needs Read on both the share and the NTFS object in order to read a file over the network
  • Use NTFS permissions to tighten security
  • To add a share from the command prompt: net share sharename=drive:path
  • To delete a share from the command prompt: net share sharename /delete
  • When a share name ends in $ it is hidden and cannot be browsed to, full name needs to be typed in
  • Share permissions are not included in a backup or restore of a data volume
  • Share permissions do not replicate through the File Replication service
[4.5] Special permissions
  • In Windows 2003 object ownership can be given to another user, not just taken by the current user as in Windows 2000
  • When a user is in multiple groups the permissions accumulate, i.e. the least restrictive combination of the Allow entries applies
  • Special permissions:
    • Traverse folder/ execute file
    • List folder/ read data
    • Read attributes
    • Read extended attributes (attributes defined by programs)
    • Create file/write data
    • Create folders/append data
    • Write attribute
    • Write extended attribute
    • Delete subfolders and files
    • Delete
    • Read permissions
    • Change permissions
    • Take ownership
    • Synchronize (not users and groups)
  • Everyone group is no longer granted full control (it is granted read and execute only). The built-in Everyone group includes Authenticated Users and Guests, but no longer includes members of the Anonymous logon group.
  • A quick way to see the permission structure is to click on 'view effective permissions'
  • The Effective Permissions tool only produces an approximation of the permissions that a user has. The actual permissions the user has may be different, since permissions can be granted or denied based on how a user logs on. This logon-specific information cannot be determined by the Effective Permissions tool, since the user is not logged on; therefore, the effective permissions it displays reflect only those permissions specified by the user or group and not the permissions specified by the logon.
[4.6] Explicit permissions and inherited permissions for files and folders
  • There are two types of permissions: explicit permissions and inherited permissions.
  • Explicit permissions are those that are set by default when the object is created, or by user action.
  • Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.
  • Explicit permissions take precedence over inherited permissions, even inherited Deny permissions. This has nothing to do with user and group security context.
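The access check of [4.1], the accumulation of group permissions in [4.5], the share/NTFS combination in [4.4] and the explicit-over-inherited rule above, simulated in Python as an added example that is not from the original guide; the domain SID, the user and the Finance group are constructed:

```python
"""Model of the Windows DACL access check described in this guide.

Added example, not code from the guide or from Windows. The domain SID and
RIDs above 1000 are constructed; the evaluation follows the rules the guide
states: canonical ACE order (explicit Deny, explicit Allow, inherited Deny,
inherited Allow), Deny beats Allow at the same level even via another group,
explicit Allow survives inherited Deny, group rights accumulate, no match
means no access, and a share ACL is ANDed with NTFS for network access.
"""
from dataclasses import dataclass
from enum import IntFlag


class Right(IntFlag):
    """Simplified NTFS rights (the real access mask is finer grained)."""
    READ = 0x01
    WRITE = 0x02
    EXECUTE = 0x04
    DELETE = 0x08
    CHANGE_PERMS = 0x10
    TAKE_OWNERSHIP = 0x20
    MODIFY = READ | WRITE | EXECUTE | DELETE
    FULL = MODIFY | CHANGE_PERMS | TAKE_OWNERSHIP


@dataclass(frozen=True)
class Ace:
    sid: str          # trustee: a user or group SID
    allow: bool       # True = Allow ACE, False = Deny ACE
    rights: Right
    inherited: bool   # False = explicit entry on this object


def canonical_order(dacl):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    Sorting on (inherited, allow) gives that order because False sorts first."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def effective_rights(token_sids, dacl):
    """Rights the token ends up with (MAXIMUM_ALLOWED style evaluation).
    A Deny ACE only removes rights no earlier ACE has granted, which is why
    an explicit Allow beats an inherited Deny while a Deny at the same
    level, processed first, beats an Allow given to another group."""
    granted = Right(0)
    denied = Right(0)
    for ace in canonical_order(dacl):
        if ace.sid not in token_sids:
            continue  # trustee is neither the user nor one of its groups
        if ace.allow:
            granted |= ace.rights & ~denied
        else:
            denied |= ace.rights & ~granted
    return granted  # nothing matched -> Right(0): implicit deny


def access_check(token_sids, dacl, requested):
    """True only if every requested right is granted."""
    return (requested & ~effective_rights(token_sids, dacl)) == 0


def network_effective(ntfs_rights, share_rights):
    """Through a share both ACLs apply; the more restrictive result wins."""
    return ntfs_rights & share_rights


# --- constructed scenario ---------------------------------------------------
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # made-up domain SID
ALICE = DOMAIN + "-1105"                                # made-up user
DOMAIN_USERS = DOMAIN + "-513"                          # well-known RID
FINANCE = DOMAIN + "-1201"                              # made-up group
AUTHENTICATED_USERS = "S-1-5-11"                        # well-known SID
EVERYONE = "S-1-1-0"                                    # well-known SID

ALICE_TOKEN = {ALICE, DOMAIN_USERS, FINANCE, AUTHENTICATED_USERS, EVERYONE}

# Folder A: inherited Deny DELETE for Finance, explicit Allow MODIFY for Finance.
FOLDER_A = [
    Ace(DOMAIN_USERS, True, Right.READ | Right.EXECUTE, inherited=True),
    Ace(FINANCE, False, Right.DELETE, inherited=True),
    Ace(FINANCE, True, Right.MODIFY, inherited=False),
]

# Folder B: explicit Deny WRITE for Domain Users, explicit Allow MODIFY for Finance.
FOLDER_B = [
    Ace(FINANCE, True, Right.MODIFY, inherited=False),
    Ace(DOMAIN_USERS, False, Right.WRITE, inherited=False),
]

SHARE_DEFAULT = Right.READ | Right.EXECUTE   # default share ACE: Everyone Read


def demo():
    a = effective_rights(ALICE_TOKEN, FOLDER_A)
    b = effective_rights(ALICE_TOKEN, FOLDER_B)
    return {
        "folder_a_ntfs": a,                   # MODIFY: explicit beats inherited Deny
        "folder_b_ntfs": b,                   # MODIFY minus WRITE: Deny processed first
        "folder_a_over_share": network_effective(a, SHARE_DEFAULT),
        "folder_b_write_locally": access_check(ALICE_TOKEN, FOLDER_B, Right.WRITE),
        "no_matching_ace": effective_rights({DOMAIN + "-5000"}, FOLDER_A),
    }
```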
[4.7] Inherited permissions (file and folders)
  • All files and folders inherit their permissions from the parent folder by default
  • There are three ways to make changes to inherited permissions:
    • Make the changes to the parent folder, and then the file or folder will inherit these permissions. Remember this is not related to user and group security!
    • Select the opposite permission (Allow or Deny) to override the inherited permission.
    • Clear the 'Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here' check box. You can then make changes to the permissions or remove the user or group from the permissions list. However, the file or folder will no longer inherit permissions from the parent folder. You will be presented with a confirmation dialog that has these options:
      • You can 'copy' permission entries making all entries explicit (convert inherited entries into explicit)
      • Or you can remove all inherited permissions and keep only the current explicit permissions
  • You cannot change parent permissions inside a child object - they show as grayed out if inheritance is on.
  • If the object is inheriting conflicting settings from different parents then the setting inherited from the parent closest to the object in the subtree will have precedence.
  • Only inheritable permissions are inherited by child objects. When setting permissions on the parent object, you can decide whether folders or subfolders can inherit them with Apply onto.
[4.8] Ownership
  • Ownership general points:
    • To decrypt a file owner still needs correct private/public key pair
    • File owner always has 'change permissions' permission
    • An administrator who needs to repair or change permissions on a file must begin by taking ownership of the file.
    • Every object has an owner, whether in an NTFS volume or Active Directory. By default, in the Windows Server 2003 family, the owner is the Administrators group.
    • Transferring ownership (new in Windows 2003) is preferred to giving users 'take ownership right'.
  • Ownership can be taken by:
    • An administrator. By default, the Administrators group is given the Take ownership of files or other objects user right.
    • Anyone or any group who has the Take ownership permission on the object in question.
    • A user who has the Restore files and directories privilege.
  • Ownership can be transferred in the following ways:
    • The current owner can grant the Take ownership permission to another user, allowing that user to take ownership at any time. The user must actually take ownership to complete the transfer. Or transfer ownership by using 'Other users or groups' button.
    • An administrator can take ownership.
    • A user who has the Restore files and directories privilege can use 'Other users or groups' button and choose any user or group to assign ownership to.
[4.9] Ways to create shares in Windows 2003
  • Using MMC
  • Server roles (file server role)
  • Using explorer
[4.10] Share options
  • Offline caching occurs when users have local copies of network files
  • Offline caching is also controlled by the use of group policy
  • Offline caching is turned on by default when a share is created on the server
  • The following settings are available on the client:
    • Use of the offline feature
    • Synchronize when logging on
    • Encrypt offline files cache
    • Prohibit making files and folders available offline
    • Configure slow link speed
  • A Windows XP computer allows a maximum of 10 simultaneous connections to a shared folder
  • Share permissions are managed like NTFS permissions but you cannot block inheritance and there are no special permissions
[4.11] Special shares
  • <drive letter>$ (e.g. C$) - shared resource that enables administrators to connect to the root directory of a drive
  • ADMIN$ - resource that is used during remote administration of a computer. The path of this resource is always the path to the system root (ex. c:\windows)
  • IPC$ - resource that shares the named pipes that are essential for communication between programs. You use IPC$ during remote administration of a computer and when you view a computer's shared resources. You cannot delete this resource.
  • NETLOGON - required resource that is used on domain controllers
  • SYSVOL - required resource that is used on domain controllers
  • PRINT$ - resource that is used during remote administration of printers
  • FAX$ - shared folder on a server that is used by fax clients in the process of sending a fax
  • You cannot browse to $ shares (cannot see them in Explorer)
[4.12] Web sharing
  • You can share your folders online, web sharing of folders - viewed using IE
  • You need to install IIS on the server
  • You will need to allow the directory browsing permission for files other than .htm and .asp to be accessible
[4.13] Shadow copies (new in Windows 2003)
  • Accidental deletions
  • Accidental overwrites
  • File corruption
  • Need to run VSS - volume shadow copy service
  • Snapshots are taken at default or user defined intervals
  • There can be at most 64 different snapshots stored on the system at any time
  • Windows XP and 2000 need installation of client software, twcli32.msi
  • Information is stored in the hidden system folder 'System Volume Information'
  • From the command prompt: vssadmin create shadow /for=<volume> (for example /for=C:)
  • If you need to restore a file using shadow copies that has been deleted you will need to restore the whole folder
  • Shadow copies can be accessed from:
    • Windows explorer
    • Shared folders snap-in
    • Command prompt
  • If you want to move shadow copy storage location you need to destroy and recreate the shadow
[4.14] Distributed file system (DFS)
  • DFS exposes shared folders without explicitly stating where they are located
  • DFS is like an index for shares on the network
  • Domain based root (preferred) or standalone root
  • Replication fault tolerance (for domain only)
  • Stored in active directory (DFS root - domain based)
  • To access distributed file system go to start -> all programs -> Administrative tools -> Distributed file system
  • DFS on the Windows 2003 can only be used with the NTFS file system
  • Set replication policy for DFS
  • Do not create FRS replica sets on a volume that is managed by Remote Storage (performance hit)
  • Automatic file replication through the File Replication service (FRS) is only available with domain DFS
  • Dfsutil.exe and dfscmd.exe are command line tools used to administer DFS
[4.15] Enabling auditing for files, folders and printers
  • You will need to enable auditing for object access policy
  • And you also need to enable auditing for individual files and folders through NTFS security or through printer security
[4.16] Auditing
  • Account logon events - success or failure of domain logon
  • Account management - events such as resetting passwords and modifying user properties
  • Directory service access - any time a user accesses an AD object an event is generated
  • Logon events - success or failure of local logon or logon to a share
  • Object access - file, folder or printer access
  • Policy change - success or failure of change of security options, user rights, account policies and audit policies. Both domain and local PC changes are tracked.
  • Process tracking - useful for applications
  • System - system events such as shutting down PC or clearing the logs
[4.17] Terminal services
  • Any Windows PC with client installed can connect to the terminal server
  • There is no need to install terminal services if one intends only to use it for administrative purposes
  • Terminal server can be transparent to users (for example thin clients)
  • In order for the user to connect to the terminal server he or she needs local logon right
  • All clients need a CAL (Windows 2000 and XP have one built in)
  • You need to have Terminal Services Licensing installed on a DC in a single domain environment; it will need to connect to the Microsoft Clearinghouse. If it cannot connect it will still issue temporary licenses. It can also be activated through the Clearinghouse by fax or phone.
  • The licensing server can issue a temporary CAL (non-renewable) valid for 120 days
  • Terminal server client connections use the RDP protocol
  • There is an option to remotely control a user's session if the server is in the application server role
  • Terminal services are not installed by default
  • Before users can use terminal services you will need to grant them access to RDP in Terminal Services Configuration
  • Tscc.msc - Terminal Services Configuration MMC (connections); connection settings here can override AD user account settings
  • To install programs on a Terminal Server use 'Add or Remove Programs' when all user sessions are disconnected
  • There are compatibility scripts available for many popular programs
  • Use Terminal Services GP to configure one or more terminal servers, or to manage Terminal Server user settings
[4.18] Remote desktop
  • Remote desktop connection = terminal services client
  • Remote desktop is installed and activated by default. For multiple remote desktop connections try Remote Desktops MMC.
  • Remote desktop depends on terminal services service
[4.19] Remote assistance
  • For Windows 2003 and XP
  • Concurrent session with logged in user
  • Logged in user has to authorize access
  • You can send an invitation from the 'Help and Support' menu, through e-mail or Windows Messenger. You also need to supply a connection password.
  • You can also offer remote assistance to others (disabled in GP by default)
[4.20] User rights
  • Administrators can assign specific rights to group accounts or to individual user accounts. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights. The only time that rights assigned to one group might conflict with those assigned to another is in the case of certain logon rights.
  • There are two types of user rights:
    • Privileges, such as the right to back up files and directories
    • Logon rights, such as the right to log on to a system locally
[4.21] Security best practices
  • Use Deny permission to exclude users
  • Use security templates rather than individual permissions
  • Avoid changing default permission on system objects (including AD objects)
  • Never deny Everyone group access to an object. Instead just remove Everyone group.
  • Assign permissions as high as possible up the inheritance tree
  • Privileges can sometimes override permissions
  • Assign permissions to groups rather than single users
  • Avoid giving 'Full control' permission, give users what they need to do their work
  • Minimize the number of ACEs that apply to children (are inheritable)
  • Assign the same permissions to multiple objects, this way the AD will only have to store one copy of ACL
  • When possible, assign access rights on a broad level rather than a specific one

Part 5: Managing and maintaining a server environment

[5.1] Performance and system events
  • Task manager
  • Event viewer
  • System monitor (to activate it you can run perfmon.exe from the command line)
  • Performance logs and alerts
  • Network monitor
[5.2] Performance
  • To set process priority at run time use: start /<priority> "program" (for example start /high notepad.exe)
  • Another way is: cmd /c start /<priority> "program" -- you cannot use this from the Run menu
  • Priority types:
    • Real time (you will need Administrator access to set this priority level)
    • High
    • Above normal
    • Normal
    • Below normal
    • Low
  • Relog - extracts performance counters from performance counter logs into other formats, such as text-TSV, text-CSV, binary-BIN, or SQL
  • Logman - manages and schedules performance counter and event trace log collections on local and remote systems
[5.3] Performance indicators
  • Memory: page faults/sec - data not found in the CPU cache creates a fault; most processors can handle large numbers of soft page faults, compare with Memory: pages/sec
  • Memory: available bytes - need more memory if less than 10% is available (could be an application memory leak)
  • Memory: pages/sec - hard disk access to the page file; a rate of 20 or more indicates a need for more RAM
  • Paging file: % usage close to 100 - need more space for the page file or more RAM
  • Physical disk: % disk time above 70% is too high; if paging file usage is excessive as well it indicates more RAM is needed, otherwise the disk is the bottleneck
  • Physical disk average queue length above 2 - check paging file and physical memory
  • Physical disk current queue length - a value above 2 indicates a problem
  • CPU close to 100% - need more CPU power if situation continues for excessive amounts of time
  • Number of open files indicates how busy the server is, compare to baseline
  • Server: bytes total/sec - indicates network throughput
  • Baselining is the process of determining average/normal system performance. It should be done over a period of 3 to 4 weeks using counter logs.
  • Performance logs and alerts are used to perform long term analysis:
    • Using the default Windows 2003 data provider or another application provider, trace logs record detailed system application events when certain activities, such as a disk I/O operation, occur. When the event occurs the OS logs the system data to a file. A parsing tool such as Tracerpt is required to interpret the trace log output.
    • When counter logs are in use, the service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event.
[5.4] Log file settings
  • Maximum log size
  • Overwrite log events as needed
  • Overwrite log events older than X days
  • Do not overwrite events (clear log manually)
  • Microsoft recommends keeping 7 day logs
[5.5] Log files
  • Default log files:
    • Application
    • Security
    • System
  • Active directory adds:
    • Directory service log
    • File replication service log
  • DNS adds: DNS service log
  • Log file extension is .evt (files with this extension can be viewed by event viewer)
  • Tracerpt - processes event trace logs or real-time data from instrumented event trace providers
[5.6] Log filtering
  • Event type
  • Event source
  • Event ID
  • User
  • Computer
  • Date range
[5.7] Event information
  • Eventvwr - used to launch Event Viewer
  • Eventtriggers.exe - displays and configures event triggers on local or remote machines.
  • Eventcreate.exe - enables an administrator to create a custom event in a specified event log
  • Eventquery.vbs - lists the events and event properties from one or more event logs
[5.8] Page file
  • Page file size should be at least 1-1.5 times the size of physical RAM
  • Don't let system manage the size of the page file (fragmentation of page file due to constant resizes)
  • Set minimum=maximum size of the page file in order to prevent any page file resizes
  • If you move the page file off the system drive you will no longer get memory dumps
  • You will need to restart your PC once you make changes to the page file
[5.9] Disk quotas
  • Disk quota applies to everyone using the volume except administrators
  • Remember that every user needs a few Mb (min 2) for storage of the profile, which is needed for logging in
  • Quota entry can be created per user but not per group, only volumes and users have quota entries
  • Quota limit is calculated using the uncompressed file size, thus compressing files will not create more space
  • The default quota entry is for all users of given volume. You can add additional quota entries on per user basis only.
  • Once again, quota entries are per user per volume, no groups are allowed.
  • Remember that once a user uses a volume with quota set on it an entry is automatically added. Thus, if you had a general entry for all users and later on some users run out of space and need more you modify quota entries not add new ones.
  • Disk quota is only applied to the files that are being added after the quota entry got created, it doesn't apply to files that were already there
  • Each file can contain up to 64kb of metadata that is not applied towards users quota limit
  • Fsutil is used to manage quota from command line
  • To free some space run disk cleanup, from command prompt: cleanmgr.exe (note it doesn't clear internet temporary files)
[5.10] Defragmenting
  • You will need at least 15% of free HD space in order to defragment
  • You may need to repeat the process several times in order to achieve planned results
  • Defragmenting should be done on every volume every 1 to 2 months
  • You cannot schedule defragmenting task (unless you use custom scripts)
  • Windows defragmenter works with FAT16, FAT32 and NTFS
  • On modern computer systems that use NTFS and don't use the file system extensively (desktops) the benefits of defragmenting a hard drive are measurable but not noticeable to the end user. Thus defragmenting is only a significant performance tool for file servers.
[5.11] Internet Information Services 6 (IIS 6)
  • Can serve files from a local path, a network share or a redirected URL
  • IIS runs as w3wp.exe process
  • You can run multiple sites using one of these methods:
    • Different IP per site
    • Use host headers - not the preferred method: no SSL/HTTPS, needs an HTTP 1.1 compliant browser
    • Different port per site
  • FrontPage Server Extensions are to be used with FrontPage only
  • To create Virtual directory you can use regular wizard or web share a folder
  • IIS 6 is not installed by default in Windows 2003 (it was in Windows 2000)
  • For anonymous access IIS6 uses IUSR_computerName account
  • IWAM_computerName account is for IIS to start out of process applications
  • All users of the website have to be authenticated by the domain, even anonymous users (by default users are anonymous and use the IUSR_computerName account)
  • You can back up just IIS using IIS Manager or iisback.vbs. Backup copies store only the metabase configuration and schema, not site content.
  • Custom error templates (.htm) are located in %systemroot%\help\iishelp\common\
  • Other:
    • Can change home directory
    • Can change default document name
    • You can limit bandwidth and total connections numbers
    • Different logging options
  • Certificates are used with SSL, can have personal certificates
  • SMTP and e-mail services are not the best, use in emergency, try to avoid
  • ISAPI filters - internet server application programming interface filters
  • Content expiry - this setting tells the client browser whether it should use its cached copy or load new data from the website
  • Web service access permissions and NTFS permissions work together; the more restrictive one is chosen. It is recommended to use NTFS permissions.
[5.12] Application pools in IIS 6
  • IIS modes of operation
    • Worker process isolation mode, which runs all processes in an isolated environment (needed for application pools)
    • IIS 5.0 isolation mode, in which you can run Web applications that are not compatible with worker process isolation mode
  • Application pools are like separate memory spaces in which sites live. More formally, an application pool is a configuration that links one or more applications to a set of one or more worker processes.
  • Two ways to recycle the assigned worker process
    • By default, the worker process that is to be terminated is kept running until after a new worker process is started up
    • Alternatively, the WWW service can terminate a worker process and then start a new worker process
  • An application pool that uses more than one worker process is called a Web garden
  • When more than one server is used to host a website we have a web farm
[5.13] Authentication methods
  • Integrated Windows authentication - uses Kerberos or NTLM depending on client capability, popular on intranets. Uses domain or local user account information; credentials are passed over the network as hashes, not in clear text. If AD is installed (not required) Kerberos can be used, otherwise NTLM.
  • Digest authentication - uses MD5 hashes in the exchange, no passwords are transmitted. Values are compared against AD (the user needs an account in AD, so AD must be installed). Used when Integrated Windows authentication is not available. Requires the accounts to store passwords using reversible encryption. Requires Internet Explorer 5.0 and HTTP 1.1 at minimum.
  • Basic authentication - uses clear text passwords (base64 encoded), supported by almost any environment, AD or local account
  • .NET Passport authentication - native Windows XP and 2003 support
  • Can restrict access based on IP address and/or domain name
  • Kerberos authentication is used by computers that have an account in AD and run a version above Windows NT4.
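Why the guide calls Basic 'clear text' and why Digest needs reversibly encrypted passwords, shown in Python as an added example (not from the guide or from IIS); user, realm, nonce and password values are constructed and RFC 2617 Digest without the qop extension is modelled:

```python
"""Basic vs. Digest authentication as described above.

Added example, not code from the guide or from IIS. Basic is "clear text"
even though it is base64 encoded, because base64 is an encoding anyone can
reverse. Digest never sends the password, but to verify the client's MD5
response the server must recompute MD5(user:realm:password), which it can
only do from a recoverable (reversibly encrypted) password, not from a
one-way hash. All user, realm, nonce and password values are constructed.
"""
import base64
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Client side of Basic: 'Authorization: Basic base64(user:password)'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def basic_decode(header: str):
    """What anyone reading the wire (no SSL) recovers from a Basic header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """Client side of Digest (RFC 2617, no qop):
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2). Only the response crosses the wire."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_header(user, realm, password, method, uri, nonce) -> str:
    resp = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def server_verifies(stored_password, user, realm, method, uri, nonce, response) -> bool:
    """Server side. It needs the plaintext password (hence 'store passwords
    using reversible encryption' in AD) or a pre-computed HA1 for this realm;
    the one-way hash used by NTLM/Kerberos cannot produce the expected value."""
    expected = digest_response(user, realm, stored_password, method, uri, nonce)
    return hmac.compare_digest(expected, response)


def demo():
    user, password, realm = "alice", "Tr0ub4dor", "intranet.example"  # constructed
    method, uri = "GET", "/reports/q1.htm"
    nonce1, nonce2 = "3f2a9c1d", "9b77e0aa"          # constructed server nonces
    basic = basic_header(user, password)
    digest1 = digest_header(user, realm, password, method, uri, nonce1)
    resp1 = digest_response(user, realm, password, method, uri, nonce1)
    return {
        "basic_header": basic,
        "basic_recovered": basic_decode(basic),       # ('alice', 'Tr0ub4dor')
        "digest_leaks_password": password in digest1, # False
        "server_accepts": server_verifies(password, user, realm, method, uri, nonce1, resp1),
        "wrong_password_rejected": server_verifies("wrong", user, realm, method, uri, nonce1, resp1),
        "replay_with_new_nonce": server_verifies(password, user, realm, method, uri, nonce2, resp1),
    }
```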
[5.14] Website Logging
  • Web site log times can be out of synchronization with local time - enable log rollover for local time.
  • Web site logging formats:
    • W3C Extended Log File Format (default)
    • Microsoft IIS Log File Format
    • NCSA Common Log File Format
    • ODBC Logging
[5.15] SUS - software update service
  • SUS (Software Update Services) can distribute updates to clients; updates need to be approved by the admin before distribution occurs.
  • Minimum requirements for the clients to connect to SUS are Windows XP SP1, or Win2k SP3 or later.
  • A SUS server is really just a web page with ActiveX functionality that piggybacks on top of IIS.
  • In order for SUS to work you need to point client computers to the SUS server using a GPO
  • You need to install SUS10SP1.exe on the server
  • Server computer must be running at least version 5 of IIS
  • SUS virtual administrative directory http://yourservername/SUSadmin
  • SUS needs NTFS with at least 100Mb for the installation package and 6Gb for storing updates; SUS runs from the 'default website' and stores all data there
  • SUS notification is shown for Administrators only
  • With a PIII 700 and 512Mb RAM, a SUS server can handle up to 15000 clients
  • The SUS server is not set to synchronize with the Windows Update site by default; the administrator must schedule that or synchronize manually
[5.16] Services
  • HTTP - hypertext transfer protocol TCP port 80
  • SSL - Secure Sockets Layer, TCP port 443
  • SMTP - TCP port 25. Files stored in LocalDrive:\Inetpub\Mailroot
  • SNMP - simple network management protocol used to provide information about TCP/IP hosts, UDP port 161.
  • FTP - only basic authentication allowed, TCP port 20 (data) TCP port 21 (control). Files stored in LocalDrive:\Inetpub\Ftproot
  • POP - TCP port 110
  • DNS - UDP port 53 (query) TCP port 53 (zone transfer)
  • NNTP - TCP port 119. Files stored in LocalDrive:\Inetpub\Nntpfile\Root
  • PPTP - Point-to-Point Tunneling Protocol, TCP port 1723
  • L2TP/IPSec - UDP ports 500, 1701 and 4500
[5.17] Other points
  • By default Windows 2003 Server uses 25% of RAM for system cache (Windows 2003 server assumes it will be a file server)
  • DOS and 16-bit programs run as NTVDM processes. 64-bit Windows editions cannot run 16-bit programs.
  • You should assign more RAM to the system cache if the server is a file server

Part 6: Managing and implementing disaster recovery

[6.1] Overview
  • Document everything in your plan, test your plan
  • Possess a 'recovery toolkit' with items like backup utilities, system utilities etc.
  • Make sure you backup:
    • User data
    • Critical system files
    • Critical applications
  • Recovery point - how much data can we lose? Most medium size companies are OK with losing up to 24h - thus a daily backup is OK.
  • Time frame for recovery - how long does it take to recover affected systems
  • Hot sites are ultimate backup solution (a hot site can take on all functions of the current site, is kept synchronized and is in a different physical location)
  • Backup files have .bkf extension
  • When files are backed up they retain all of their original attributes including encryption
  • File attributes are lost when you restore backup to a FAT volume
[6.2] Backup types
  • Normal (full) - clears the archive bit, backs up all data on the volume that is being backed up.
  • Incremental - backs up only those files that have their archive bit set to 1 (changed since the last normal or incremental backup). Clears the archive bit. The restore process will have to chain multiple incremental backups. This backup is fastest when combined with a normal backup.
  • Differential - backs up only those files whose archive bit is set to 1. Does not clear the archive bit; no chaining of backups during the restore process.
  • Copy - the only backup type that can back up the registry and other critical system files. Like a full backup, but does not clear or set any archive bits. This type of backup is used for archiving or when backing up between an incremental and normal backup routine.
  • Daily - backs up only those files that were modified today. Does not clear the archive bit.
  • You can exclude files from being backed up
  • System state - boot and system files, AD (if DC), SYSVOL directory (if DC), COM+ Class Registration database, registry, Cluster service information (if the server is part of a cluster), IIS Metadirectory (if installed) - only for the local system!
  • All backed up files keep their file attributes, unless you are restoring to FAT
  • For command prompt use: ntbackup.exe
  • Backup cannot be performed to CD-R and DVD-R
  • When NTBackup creates a backup set it also creates a listing of files and folders included on the set, called a catalog. It is stored on both the disk of the server and the backup set itself.
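The archive-bit rules behind the five backup types, as an added simulation that is not part of the guide: each type selects files and clears (or leaves) the archive bit exactly as described above, and the restore chain is then derived from the backup history, so you can see why an incremental rotation restores from three sets and a differential one from two. The file names and dates are constructed sample input.

```python
"""Archive-bit model of the NTBackup backup types and the restore chain they imply."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class FileEntry:
    name: str
    modified: date
    archive: bool = True  # Windows sets the archive attribute when a file is created or written


@dataclass
class BackupSet:
    kind: str
    day: date
    names: list


class Volume:
    def __init__(self, names, day):
        self.files = {n: FileEntry(n, day) for n in names}

    def modify(self, name, day):
        """Writing a file sets its archive bit and its modification date."""
        entry = self.files[name]
        entry.modified = day
        entry.archive = True

    def backup(self, kind, day):
        """Select files and clear archive bits the way each NTBackup type does."""
        if kind in ("normal", "copy"):
            chosen = list(self.files.values())                 # everything on the volume
        elif kind in ("incremental", "differential"):
            chosen = [f for f in self.files.values() if f.archive]
        elif kind == "daily":
            chosen = [f for f in self.files.values() if f.modified == day]
        else:
            raise ValueError(f"unknown backup type {kind!r}")
        if kind in ("normal", "incremental"):                  # only these two clear the bit
            for f in chosen:
                f.archive = False
        return BackupSet(kind, day, sorted(f.name for f in chosen))


def sets_needed_for_restore(history):
    """Which sets must be restored, in order, to reach the state of the latest set.

    Start from the last normal backup, replay every incremental taken after it,
    and add only the newest differential. Copy and daily sets never clear bits,
    so they are not part of the chain.
    """
    last_normal = max(i for i, s in enumerate(history) if s.kind == "normal")
    tail = history[last_normal + 1:]
    chain = [history[last_normal]] + [s for s in tail if s.kind == "incremental"]
    differentials = [s for s in tail if s.kind == "differential"]
    if differentials:
        chain.append(differentials[-1])
    return chain


def run_week(strategy):
    """Normal on day 1, then `strategy` (incremental or differential) on days 2 and 3."""
    d1 = date(2004, 6, 14)
    vol = Volume(["a.doc", "b.doc", "c.doc"], d1)
    history = [vol.backup("normal", d1)]
    vol.modify("a.doc", d1 + timedelta(days=1))
    history.append(vol.backup(strategy, d1 + timedelta(days=1)))
    vol.modify("b.doc", d1 + timedelta(days=2))
    history.append(vol.backup(strategy, d1 + timedelta(days=2)))
    return history, sets_needed_for_restore(history)


def side_backups_demo():
    """Copy and daily sets select files but leave every archive bit untouched."""
    d1 = date(2004, 6, 14)
    vol = Volume(["x.doc"], d1)
    vol.backup("normal", d1)                  # clears the bit
    vol.modify("x.doc", d1)                   # sets it again, modified "today"
    copy_set = vol.backup("copy", d1)
    daily_today = vol.backup("daily", d1)
    daily_tomorrow = vol.backup("daily", d1 + timedelta(days=1))
    return copy_set.names, daily_today.names, daily_tomorrow.names, vol.files["x.doc"].archive


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        history, chain = run_week(strategy)
        print(strategy, "sets:", [(s.kind, s.names) for s in history])
        print("  restore needs:", [s.kind for s in chain])
    print("copy/daily:", side_backups_demo())
```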
[6.3] Backup log
  • By default 10 backup logs are kept on the server
  • There are three logging options:
    • No log
    • Summary log (default)
    • Detailed log
[6.4] Restore options
  • Do not replace files (default)
  • Replace only if the file on disk is older
  • Always replace files
  • Options for where to restore the files to:
    • Restore to alternate location
    • Restore to single folder
    • Restore to original location
[6.5] Authoritative vs. normal (non-authoritative) restore vs. primary restore
  • DCs use Universal sequence numbers (USN) to keep track of state
  • An authoritative restore makes sure that the current DC is the one with the master copy
  • An authoritative restore is used in situations when you accidentally deleted something in AD and now want it undeleted
  • To run the restore, use: ntdsutil.exe
  • The ntdsutil.exe utility is used to mark specific objects as authoritative
  • A primary restore is used to rebuild a domain from backup when the only DC in domain or all domain controllers have failed.
  • Select primary restore only when restoring the first replica set to the network.
[6.6] Running normal (non-authoritative) restore steps
  • Boot the DC into Directory Services restore mode and enter restore password
  • Run ntbackup.exe and restore system state backup. After restore completes you need to restart the PC
[6.7] Running authoritative restore steps
  • Perform the steps as in [6.6] except the reboot in step 2
  • Start the ntdsutil.exe utility and type 'authoritative restore'
  • At the ntdsutil prompt type 'restore database'
  • When restore completes reboot your DC
[6.8] Running primary restore steps
  • Proceed as in a normal (non-authoritative) restore, but when restoring replicated data sets, mark the 'restored data as the primary data for all replicas' box
[6.9] Boot problems
  • Hit F8 for boot menu during startup
  • Last known good configuration is the control set in the registry (current settings, like used drivers)
  • Last known good configuration is still a good choice only if no user has logged on since the problem arose
  • Safe mode does not backup the 'Last known good configuration'
  • To access recovery console: 'winnt32.exe /cmdcons' - this places recovery console option into boot.ini
  • Recovery console is good for missing boot files
  • Can run recovery console from Windows 2003 CD, to run console from CD boot from CD and press R (repair installation)
  • When boot files are missing you will have to copy new ones from installation CD
  • Directory services restore mode:
    • This is like a safe mode for a domain controller
    • Active directory is not started
[6.10] Advanced boot options
  • Safe mode - in boot.ini /safeboot:minimal /sos /bootlog /noguiboot
  • Safe mode with networking - in boot.ini /safeboot:network /sos /bootlog /noguiboot
  • Safe mode with command prompt - in boot.ini /safeboot:minimal(alternateshell) /sos /bootlog /noguiboot
  • Enable boot logging - in boot.ini /bootlog
  • Enable VGA mode - in boot.ini /basevideo
  • Last known good configuration - in boot.ini
  • Directory services restore mode (Windows domain controllers only) - in boot.ini /safeboot:dsrepair /sos
  • Debugging mode - in boot.ini /debug
[6.11] ASR - Automated system recovery
  • Replaces ERD (emergency repair disk)
  • Stores system state data
  • Need Windows 2003 CD and ASR floppy to do a clean install and apply system settings
  • ASR is needed to recover from boot failures
  • To create ASR disk either run ntbackup.exe from command prompt or go to: start -> all programs -> accessories -> system tools ->backup
  • Using ASR recovers the system up to the point ASR was created
  • If you create an ASR set on a system without a floppy drive, the files are saved to the %systemroot%\repair folder on the server. ASR restore will not work without a floppy drive and the floppy disk.
  • To perform an ASR recovery you need:
    • ASR floppy disk
    • ASR Backup set
    • Windows 2003 setup CDROM
[6.12] Best practices for backup
  • Develop backup and restore strategies and test them; train people.
  • Always create an Automated System Recovery (ASR) backup set when the operating system changes
  • Always choose to create a backup log for each backup
  • Keep at least three copies of the backup media. Secure both the storage device and the backup media.
  • Perform a trial restoration periodically to verify that your files were properly backed up
  • Use volume shadow copies when performing a backup (default setting)
[6.13] Other points
  • System state data can only be restored and backed up locally (there are 3rd party software utilities that can restore and backup over the network)
  • 'Last known good configuration' can be used to recover from most stop errors if no user has logged in, BUT the server must be able to boot; i.e. for an ntldr error you need to use ASR or the recovery console
  • For major hardware failures such as motherboard replacement you will need to reinstall Windows Server 2003. However, you will still need to restore system state prior to full Windows boot in order to preserve original SID.
  • Recovery password can be different than administrator password
  • For problems with boot files use recovery console and copy needed files over from the CD

Part 7: Active directory primer

[7.1] The operations master roles (FSMO (Flexible Single Master Operations) roles)
  • Every forest must have the following roles: Schema master and Domain naming master
  • Every domain in the forest must have the following roles: PDC emulator master, RID master and Infrastructure master
  • At any time, only one DC can hold a given role within its respective scope
  • Domain naming master - addition or removal of domains in the forest
  • Infrastructure master
    • Responsible for updating references from objects in its domain to objects in other domains
    • Compares its data with that of a global catalog
    • Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog.
  • Primary domain controller (PDC) emulator master
    • Needed for computers operating without Windows 2000 or Windows XP Pro client software or if domain contains Windows NT BDCs
    • PDC is responsible for synchronizing the time on all DCs throughout the domain
    • External time source: net time \\ServerName /setsntp:TimeSource
    • If a logon authentication fails at another DC due to a bad password, that DC will forward the authentication request to the PDC emulator before rejecting the logon attempt since PDC emulator gets preferential treatment
    • Supports both NTLM and Kerberos authentication
  • Relative ID (RID) master - allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain
  • Schema master - all updates and modifications to the schema; an additional DLL needs to be registered if the role is transferred
[7.2] AD troubleshooting and seizing a FSMO role
  • Use ntdsutil.exe to transfer FSMO roles
  • Use ntdsutil.exe utility for AD related tasks
  • Do not seize the FSMO role if you can transfer it instead. Seizing the FSMO role is a drastic step that should be considered only if the current operations master will never be available again.
  • Before seizing the chosen FSMO role, use the repadmin utility to verify whether the new operations master has received any updates performed by the previous role holder, and then remove the current operations master from the network.
[7.3] Other AD information
  • Dcpromo.exe is used to promote a member server to DC and to demote a DC back to member server
  • A global catalog is a DC that stores a copy of all AD objects in a forest. It stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. It is managed from 'Active Directory Sites and Services'.
  • Netdom - This command-line tool enables administrators to manage Windows 2003 and Windows 2000 domains and trust relationships from the command line (need support tools suptools.msi)
  • The DS*.exe family of tools
    • Dsadd - adds a computer, contact, group, organizational unit, or user to a directory
    • Dsmove - moves any object from its current location in the directory to a new location, as long as the move can be accommodated within a single domain controller, and renames an object without moving it in the directory tree
    • Dsquery - queries and finds a list of computers, groups, organizational units, servers, or users in the directory by using specified search criterion
    • Dsrm - deletes an object of a specific type or any general object from the directory
    • Dsget - displays selected attributes of a computer, contact, group, organizational unit, server or user in a directory
    • Dsmod - modifies an existing object of a specific type in the directory
[7.4] Other GP information
  • GPUpdate - refreshes local GP settings and GP settings that are stored in AD, including security settings
  • Order in which Group Policies get applied: Local computer, Site, Domain, OU. This means that Site GP are more relevant than Local, Domain more relevant than Site and OU the most relevant.
  • OU is the smallest scope to which you can delegate authority or apply GP against
  • RSoP.msc - Resultant set of Policies is a GP tool that can be loaded as a Management Console snap-in. Resultant set of policies is the final set of policies that is applied to the user and computer.
  • Gpedit.msc - GP editor MMC
[7.5] DHCP
  • Dhcploc.exe - displays the DHCP servers active on the subnet including unauthorized servers
  • DHCP server must be authorized in the AD before it can give out addresses
  • IP autoconfiguration - when a PC does not get an IP address from DHCP it by default autoconfigures itself with an address in the range 169.254.x.x
[7.6] Other points
  • Whoami - returns domain name, computer name, user name, group names, logon identifier, and privileges for the user who is currently logged on
  • Removable Storage makes it easy for you to track your removable storage media (tapes and optical disks). Use rss or rsm utilities
  • Media pool description:
    • Blank or Foreign tape - unrecognized
    • Newly formatted tape - free
    • Tapes previously used by NTBackup - backup
    • Tapes not cataloged - import
  • Windows File Protection (WFP) - prevents the replacement of protected system files such as .sys, .dll, .ocx, .ttf, .fon, and .exe files. Turned on by default. Original files are stored in %SYSTEMROOT%\system32\dllcache
  • Systeminfo.exe or msinfo32 (has to be executed from the Run window, NOT the command line) - can be used to display system information
  • MBSA Microsoft Baseline Security Analyzer
    • mbsacli.exe for command line, mbsa.exe for GUI
    • Windows NT 4.0 Service Pack 4 (SP4) and later (remote scan only), Windows 2000, XP, 2003
    • IIS 4.0, 5.0, 5.1 or 6.0 are supported by scan
    • Internet Explorer 5.01 or later are supported by scan
    • SQL 7.0, 2000 are supported by scan
    • Office 2000, Office XP, or Office 2003 are supported by scan
    • Security update checks, password checks, Windows system check
  • Regedit.exe - used to edit registry (only one editor in 2003)
  • Runas is also known as secondary logon; you need to have the Secondary Logon service running to use it. This command line utility is used to run programs within a different user's security context. For example, a network administrator is logged on as a regular user and needs to run a system utility that requires administrative privileges. Instead of logging out and back in as an administrator, the user can use the runas command, which uses the following syntax: runas /user:ComputerName\UserName "program name"
  • qchain.exe is used for multiple hot fixes (so as not to have to restart server multiple times)

#925 From: Testking_Mcse@yahoogroups.com
Date: Sun Nov 15, 2009 9:10 am
Subject: File - Microsoft exam 70-270 preparation guide.html

Microsoft exam 70-270 preparation guide

Contents:

Part 1: Getting started with Windows XP Pro
Part 2: Automating installation
Part 3: Upgrading to Windows XP
Part 4: Configuring Windows XP Pro environment
Part 5: Managing the Desktop
Part 6: Managing users and groups
Part 7: Managing security
Part 8: Managing disks
Part 9: Accessing files and folders
Part 10: Managing network connections
Part 11: Managing printing
Part 12: Dial-up networking and Internet
Part 13: Optimizing Windows XP Pro
Part 14: Performing system recovery

Preface

I have written this short preparation guide as a way for myself to ease studying for the Microsoft 70-270 exam titled: "Installing, configuring and administering Microsoft Windows XP Professional". I provide this guide as is, without any guarantees, explicit or implied, as to its contents. You may use the information contained herein in your computer career, however I take no responsibility for any damages you may incur as a result of following this guide. You may use this document freely and share it with anybody as long as you provide the whole document in one piece and do not charge any money for it. If you find any mistakes, please feel free to inform me about them Tom Kitta. Legal stuff aside, let us start.

Guide version 0.12 last updated on 24/05/2004

Part 1: Getting started with Windows XP Pro

[1.1] Windows XP Professional hardware requirements
  • Processor minimum P233, recommended PII 300
  • RAM minimum 64Mb, recommended 128Mb
  • Disk Space minimum 1.5Gb, recommended 2Gb
  • Network needed if installing using it
  • Display minimum SVGA 800x600 or better
  • Peripheral devices: keyboard and mouse (or other pointing device)
  • CD-ROM or DVD-ROM if installing from CD, recommended 12x or faster
  • Floppy drive if you intend to use ASR (Automated System Recovery)
  • Windows XP Professional supports up to 2 CPUs, while Windows XP Home edition supports only 1 CPU; there are no other hardware requirement differences between the Windows editions
[1.2] Windows XP Professional install steps
  • Collecting information
    • Insert Windows XP CD and reboot the PC
    • Setup program starts when you boot from the CD. Press F6 for third party disk driver, F2 for automatic recovery
    • A welcome dialog box appears, press enter to install XP, R for repair of XP installation, F3 to quit
    • Licensing agreement, F8 to accept, ESC to refuse
    • Partitions screen appears
    • Copying of setup files
    • Remove CD and reboot PC
  • Installing Windows
    • Regional settings, choose locale (numbers, currencies, dates and times view options) and keyboard layouts
    • User name and organization screen
    • Product key screen, 25 character key
    • Computer name
      • up to 15 bytes for NetBIOS compatibility
      • 1 byte is 1 character in most languages (2 in say Chinese)
      • FQDN has a limit of 155 bytes for DC in Windows 2000/2003 (255 bytes in NT 4.0)
      • Computer name has a limit of 63 bytes
      • Computer name has to be unique on the network
    • Administrative password
    • If you have a plug and play modem, you set it up now
    • Date and time
    • Network settings
    • Work group name or domain affiliation
    • Automated finishing tasks
[1.3] Install options
  • For clean install/upgrade on computers running win 3.x or DOS (16 bit systems) use winnt.exe
  • For install/upgrade on computers running 32 bit OS use winnt32.exe
[1.4] After installation
  • The default network setup is for the Windows XP to be a DHCP client
  • You need to activate your product within 30 days unless you have corporate licence
  • After 30 days you will not be able to logon to your PC without activation if you log out or restart your PC (you will still be able to access your PC in safe mode without network support)
  • Activation can be done over the phone or online
  • There are three log files created after installation
    • %systemdir%\setupact.log - installation actions log
    • %systemdir%\setuperr.log - errors that occurred during installation
    • %systemdir%\netsetup.log - network related log (like domain joining)
[1.5] Support for multiboot
  • Windows XP will configure multiboot automatically if it detects a compatible OS (i.e. a Microsoft OS) and you are using the clean install option
  • Do not use dynamic disks or NTFS if the other OS doesn't support it
  • Windows XP will not be able to read volumes compressed with Windows NT4 compression
[1.6] Joining a domain
  • You can pre-authorize a computer in the AD
  • Or, you can enter user name and password of the domain user that has 'Add computers to the domain' permission to add computer to the AD
[1.7] Laptop special Windows XP features
  • Credential manager
  • Clear type
  • Hot docking
[1.8] Other points
  • Hardware compatibility list (HCL) http://www.microsoft.com/hcl/ now Windows catalog http://www.microsoft.com/windows/catalog/
  • If hardware is not found in the Windows catalog you will not get any support from Microsoft
  • BIOS is preferred with ACPI (Advanced Configuration and Power Interface) functionality, APM (Advanced Power Management) is the API for ACPI hardware
  • If you are upgrading from Windows 98/Me check whether there are drivers for your hardware, since 98/Me drivers are VxDs (virtual device drivers) and don't work on Windows XP
  • You can upgrade from Windows 98/Me/NT4/NT3.51/2000 Pro (due to a bug Win95 will qualify as upgrade media, but only for a clean install)
  • The system partition is the location of the files that are needed for Windows XP to boot; it needs very little space; the default is the active partition
  • Boot partition is the location of Windows XP OS (all files)
  • Note that Microsoft changed the default directory for installation from WINNT to WINDOWS
  • Installation files are in \I386 directory on the CD
  • WFP - Windows file protection is used to protect Windows system DLL files from modification, files are stored in %SystemRoot%\System32\Dllcache
  • Sfc.exe - scans and verifies the versions of all protected system files when the computer is booting
  • Dynamic update runs during installation of Windows XP. You can disable it with /dudisable switch of winnt32, /duprepare:pathname to prepare network share for dynamic update files, /dushare:pathname to specify network share with dynamic update files.

Part 2: Automating installation

[2.1] Types of automated installation
  • Remote Installation Service (RIS) introduced in Windows 2000 - for use with multiple PCs for automatic deploy
  • Disk imaging (cloning) which uses reference PC - for use with PCs that have similar hardware
  • Unattended installation - use when you have lots of PCs with network cards that are not PXE-compliant
[2.2] Create answer files with Setup manager
  • Answer files are automated installation scripts used to answer the questions that appear during a normal Windows XP Professional installation
  • Answer files are used with all methods of unattended installations. To create answer files you use Setup manager (setupmgr)
  • To use setup manager you need to extract it from \support\tools\deploy.cab found on installation CD
  • There is a sample answer file on the installation CD, unattend.txt
  • Through answer file you can configure
    • Mass storage devices
    • Plug and Play devices
    • HALs
    • Set passwords
    • Configure language, regional, and time zone settings
    • Display settings
    • Converting to NTFS
    • Installing applications - you can choose from the following options
      • Use cmdlines.txt to add applications during GUI portion of the setup
      • Within answer file configure [GuiRunOnce] section to install an application the first time a user logs on
      • Create a batch file
      • Use the Windows installer
      • Use sysdiff tool to install applications that don't have automated install procedures
[2.3] Using RIS (Remote Installation Service)
  • You can configure RIS server to distribute 2 types of images:
    • CD based image
      • Contains only Windows XP OS
      • Copies all files to the target PC before commencing installation of the Windows XP OS
      • Created automatically during installation of RIS
    • A Remote Installation Preparation (RIPrep) image
      • Can contain both Windows XP OS and applications
      • This image is based on a pre-configured computer
      • Copies only files needed for installation on given PC, thus faster than CD based image which copies everything
      • Can be deployed to the clients that have the same HAL and HD controller
      • Must be created manually, not automatic like CD based image
  • For RIS you need DHCP, DNS and AD configured on your network
  • RIS server uses Boot information negotiation layer (BINL) for initial contact, then TFTP is used to transfer bootstrap image
  • RIS and DHCP server need to be authorized in AD, RIS server is authorized through DHCP manager
  • The following services are run as part of RIS: BINL, SIS, SIS Groveler, TFTP
  • To configure RIS server use risetup.exe
  • NTFS is required to store image files, with at least 2Gb free space on a partition separate from the OS
  • RIS template files are used to specify installation parameters, default file is ristndrd.sif
  • You need following user rights to install images using RIS
    • Create Computer accounts
    • Logon as batch job (Administrator doesn't have this right by default)
  • For non-PXE network cards use rbfg.exe utility to create RIS boot disk (this utility doesn't support all network cards)
[2.4] Using disk images
  • Uses a reference computer HD image that needs to be prepared first with sysprep, which needs to be extracted from deploy.cab found on the installation CD
  • Source and target computer must satisfy
    • Both computers must have the same HD controller
    • Both computers must have the same HAL
    • Plug and Play devices may not be the same as long as there are drivers for all of them
  • You will need to extract sysprep utility from the deploy.cab
  • Sysprep strips user personal data from the installation image
  • After you copy the installation image to the destination PC a mini wizard runs (unless you have an answer file)
  • Sysprep modes:
    • Audit: allows for the verification of hardware and software installation by a system builder while running in factory floor mode. Audit boots allow a system builder to reboot after factory floor mode has completed its automated pre-install customization, in order to complete hardware and software installation and verification, if necessary.
    • Factory: allows for the automated customization of a pre-install on the factory floor by using a Bill of Materials file to automate software installations, software, and driver updates, updates to the file system, the registry, and INI files such as Sysprep.inf. This mode is invoked via the "sysprep -factory" command.
    • Reseal: is run after an original equipment manufacturer (OEM) has run Sysprep in factory mode and is ready to prepare the computer for delivery to a customer. This mode is invoked via the "sysprep -reseal" command.
    • Clean: Sysprep will clean the critical device database. The critical device database is a registry listing of devices and services that have to start in order for Windows XP to boot successfully. Upon setup completion, the devices not physically present in the system are cleaned out of the database, and the critical devices present are left intact. This mode is invoked via the "sysprep -clean" command.
[2.5] Unattended installation
  • With this method you use a distribution server or Windows XP installation CD on it to install Windows XP on target PC
  • The distribution may have answer file
  • The target computer must be able to connect to the distribution server over the network (if used)
  • End user interaction levels:
    • Fully automated installation
    • GUI attended installation
    • Read only installation
    • Hide pages installation
    • Provide defaults installation
[2.6] Installing applications with Windows Installer Packages
  • Microsoft installer (MSI) files - provided by software vendor
  • Repackaged application (MSI) - do not include native Windows installer packages, used to provide applications that can be cleanly installed
  • ZAP files - used when you don't have MSI files and install applications using native setup program
  • MSP files (modification files) - provide paths to installed Microsoft software, must be assigned to MSI file at deployment
  • Windows installed packages work as
    • Published applications - not advertised, can be installed through Add/Remove programs. They can also be installed through opening of a document that uses uninstalled published application.
    • Assigned applications - advertised through programs menu, installed next time user starts the PC, before log on prompt appears
  • Please note that Windows Installer packages cannot be published to computers in Windows XP, all other options are OK, i.e. you can assign applications to computers and assign/publish applications to users
  • You can create your own MSI files using VERITAS Software Console or WinINSTALL LE Discover
  • You create GPO for MSI package which is to be published or assigned. If it is for a user, User Configuration\Software Settings\Software, if it is a computer Computer Configuration\Software Settings\Software
  • Using AD you can uninstall old application, upgrade on top of old application. Computers can accept only mandatory upgrades, users support both optional and mandatory upgrades.
  • If you have multiple versions of the same software, you will need to configure the install order and/or whether it is a mandatory install
  • You need AD to deploy packages which are found on a share on a file server
  • Msiexec.exe - provides the means to install, modify, and perform operations on Windows Installer from the command line. For example you can force end user to enter CD key for the software that is being installed

Part 3: Upgrading to Windows XP

[3.1] Upgrade general points
  • You can upgrade from Windows 98/Me/NT4/NT3.51/2000 Pro (Windows XP Home edition can upgrade only from 98/Me/2000). There is a bug on the CD allowing a clean install when provided with a Windows 95 CD.
  • Choose upgrade if you want to keep existing applications and preserve current local users and groups
  • Clean install will allow you to multiboot
  • Upgrade from Windows NT/2000 Pro is easier than from 98/Me due to their similarity to XP
  • You can generate Windows XP compatibility report winnt32 /checkupgradeonly
  • Upgrade your BIOS so you can use advanced power features and device configurations
  • Before the upgrade remove or disable any client software like virus scanners or network services
  • If older applications fail to run on Windows XP due to security issues, use compatws.inf template
  • Upgrade of Windows 98/Me can be undone using osuninst.exe or through add and remove programs control panel
  • For upgrade you have a choice of Express upgrade or Custom upgrade
[3.2] Unsupported by upgrade Windows 9x software properties
  • File system applications
  • Custom plug and play solutions
  • Custom power management solutions
  • Third-party disk compression utilities, defragmenters (Windows NT and 2000 as well)
  • Partitions compressed with DriveSpace or DoubleSpace are not supported
[3.3] Migrating user data
  • User state management tool (USMT) is used for migration of users from one computer to another
  • ScanState.exe - collects user data and settings information based on the configuration of the Migapp.inf, Migsys.inf, Miguser.inf, sysFiles.inf
  • LoadState.exe - deposits the information collected on the source computer onto a PC running a clean copy of Windows XP. Cannot be used on a computer that was upgraded to Windows XP.
  • Supports Windows 95/98/Me/2000 to XP
  • F.A.S.T.
    • Files and Settings Transfer Wizard (F.A.S.T.). It is one of the least known new features in Windows XP.
    • Supports all Windows versions from Windows 95 (with IE4) through Windows XP (XP as destination only)
    • Can be used as a poor man's backup utility; it creates backup files that can be stored on a HD or CD-RW
    • Can move user accounts one at a time, good for single users

Part 4: Configuring Windows XP Pro environment

[4.1] Windows image acquisition architecture
  • WIA is used to manage images between image capture devices and computer software applications
  • Supported devices
    • IEEE 1394
    • USB
    • SCSI
  • Devices connected through standard COM port or infrared connection are not supported by WIA
[4.2] Support for digital audio and video
  • Multichannel audio output
  • Acoustic echo cancellation (AEC)
  • Global effects (GFX)
[4.3] Microsoft Management Console (MMC)
  • The MMC is a utility used to create, save, and open collections of administrative tools that are called consoles
  • Access control options for MMC
    • Author mode - full customization of the MMC console
    • User mode-full access - as author mode, except that users cannot add or remove snap-ins, change console options, create Favorites, or create taskpads
    • User mode-limited access, multiple windows - access only to those parts of the console tree that were visible when the console file was saved. Users can create new windows but cannot close any existing windows.
    • User mode-limited access, single window - as 'user mode limited access, multiple windows' but users cannot create new windows
[4.4] Installing hardware
  • Plug and Play support
  • Non-plug and play devices can be installed using 'Add hardware wizard'
  • DVD region settings can be changed up to 5 times (hardware change, need a new DVD-ROM after that)
[4.5] Device drivers
  • Accessed from 'Device manager'
  • You can update drivers
  • You can roll back drivers (new in Windows XP)
  • You can also uninstall driver
  • Driver signing:
    • Harmful driver install prevention
    • HCL - Hardware compatibility list, replaced by Windows catalog
    • Run d:\i386\winnt32 /checkupgradeonly from Windows XP CD to check hardware compatibility
    • sigverif.exe is used to check which installed drivers are signed
    • By default system is set to warn user if he or she is installing unsigned driver (other options are: ignore and block)
    • Driver signing can also be controlled from GP using object settings for local computer (or computer configuration for domain) choices are: Silently succeed, Warn but allow installation and Do not allow installation.
    • Unsigned driver means that the driver was not tested by Microsoft and is not supported by Microsoft. For the most part these drivers are still OK
    • When driver is signed by Microsoft it and the hardware are tested by Microsoft
  • Some older devices (like CD-ROMs etc.) plug into the LPT port on the PC. You will need to set the LPT port to "Legacy plug and play support" on the port settings tab for older devices to work.
  • The easiest way to solve a conflict between an embedded device and an add-on device is to disable the on-board device. For example, to use an add-on sound card, you will need to disable the on-board sound card
  • Many problems are caused by incorrect drivers, for example a graphics card that displays only 800x600 resolution. Update the driver to solve these problems.
  • Driver.cab on Windows XP CD contains all original Windows XP drivers
[4.6] Multiple display support
  • To avoid flickering the monitor refresh rate should be set to at least 72Hz
  • Maximum of 10 monitors per PC
  • When you install a 2nd video card, the card built into the motherboard gets disabled and the new card becomes the primary display adapter
  • Secondary adapter has to support multiple-displays
[4.7] Computer power states
  • Complete shutdown of PC
  • Hibernation - saves all of the desktop state into a file which uses as much HD space as there is RAM in the system, to go back to active mode press power button
  • Standby (three levels on ACPI compliant PC)
    • Level one turns off the monitor and hard drives
    • Level two turns off the CPU and cache as well
    • Level three turns off everything but the RAM
  • Fully active PC
  • You configure standby through the Power options in Control panel. Levels 2 and 3 of standby are only available if an uninterruptible power supply (UPS) has been configured
  • Through power options you can also configure alerts when system is running on battery power and behaviour of power button
[4.8] PCMCIA (Personal Computer Memory Card International Association) Cards
  • Type I cards - are up to 3.3mm thick. Used for adding more RAM to the PC
  • Type II cards - are up to 5.5mm thick. Used for modem and network cards
  • Type III cards - are up to 10.5mm thick. Used for portable disk drives
[4.9] Configuring I/O devices
  • Through Keyboard properties you can configure typing delay and cursor behaviour as well as keyboard key layout
  • You need a keyboard in order to install Windows XP
  • Through Mouse properties you can configure mouse properties such as: speed, buttons, wheel and pointers
  • USB 2.0 supports up to 127 devices per root hub, up to 5 deep nested external hubs, transfer speeds up to 12Mbps. You can see power & bandwidth usage by checking out the root hub properties.
  • USB supports two speeds, low and high, which use different cables
  • USB controllers require that an IRQ be assigned in the computer BIOS. Make sure you have newest BIOS and/or firmware.
  • Wireless devices, RF - Radio Frequency and IrDA - Infrared Data Association
[4.10] Windows registry
  • Windows registry is a database used by the OS to store system configuration
  • Regedit is used to edit the registry (regedt32 is just a pointer to that file)
  • There are five default keys in the Windows registry:
    • HKEY_CURRENT_USER - for user who is currently logged on the computer
    • HKEY_USERS - configuration data for all users of the PC
    • HKEY_LOCAL_MACHINE - computer hardware and software configuration, devices drivers and startup options
    • HKEY_CLASSES_ROOT - used by Windows explorer for file type to application association, software configuration data and OLE (object linking and embedding) data
    • HKEY_CURRENT_CONFIG - hardware profile that is used during system startup
[4.11] Remote desktop
  • Remote desktop connection = terminal services client
  • In Windows XP the Terminal Services service is limited to a single connection only. The service is disabled by default and has to be enabled through the Remote tab of System properties
  • Remote desktop depends on terminal services service
  • Windows XP Home Edition does not allow connections to it using Remote desktop, XP Pro allows only one connection
[4.12] Remote assistance
  • Remote assistance is available with all editions of Windows server 2003 and Windows XP
  • The person assisting the user has a concurrent session with logged in user
  • Logged in user has to authorize access
  • You can send an invitation from the 'Help and Support' menu. You can send invitations through e-mail using a MAPI enabled client, Microsoft Messenger or using a file. You need to supply a connection password.
  • You can also offer remote assistance to others (disabled in GP by default)
  • You can chat using text or voice, you can send and receive files
  • HelpAssistant account is used if help is given by another user, support_XXXX account is used if help is given by Microsoft staff
[4.13] Services
  • A service is a program, routine or a process that performs a specific function
  • Service startup types: automatic, manual and disabled
  • You can choose the account service uses to log on
  • When a service fails you can choose to have the OS do one of the following
    • Take no action
    • Restart the service
    • Run a file
    • Reboot the computer
  • SC.exe is used for communication with the service control manager
[4.14] HAL - hardware abstraction layer
  • Computer driver which is the interface to the BIOS; the kernel is built on top of this driver
  • You can choose HAL during install by pressing F5
  • Multiple processors - when installing a 2nd processor in a single processor system (UP - uni processor) you will need to update HAL for the CPU from single CPU to multiple CPU (SMP - symmetric multi processor driver)
  • Do not upgrade from standard HAL to ACPI (advanced configuration and power interface) HAL and vice versa
[4.15] Hardware profiles
  • Hardware profile consists of a set of instructions that instruct Windows as to which devices to start when computer starts and/or which settings to use for each device
  • By default a hardware profile called Profile 1 (on laptops, Docked Profile or Undocked Profile) is created
  • You can designate a default profile. If you want the default hardware profile to load automatically (without showing you the list during startup), enter a 0 in seconds under Hardware profiles selection. If you want to see the list anyway press the SPACEBAR during startup.
  • Windows will ask you which profile to use every time you start your computer if you have more than one profile and you don't specify a default profile with 0 wait time
  • You can also use hardware profiles as a debugging tool. For example, you can set up profiles that omit the hardware devices you suspect of being defective.
[4.16] Other hardware
  • Fax service - is used for faxing support, controlled through the fax applet in control panel when installed
  • Program compatibility wizard - accessed from Accessories, used to run programs in Windows 95, 98/Me, NT4, 2000 compatibility mode

Part 5: Managing the Desktop

[5.1] Customizing desktop
  • You can configure start menu and taskbar through 'Taskbar and Start menu properties'
  • 'Start menu' modifications are done to Windows XP theme, while 'Classic start menu' modifications are done to Windows 2000 theme
  • Display properties
    • You can select a different theme
    • You can display web page on your desktop or just a picture(s)
    • You can set up a screen saver
    • In appearance you can change many aspects of the chosen theme
    • In settings you can change aspects of video display adapter
  • Default Windows XP theme is also known as 'Luna'
  • Local profile is created when user logs on for the 1st time, consists of following folders: Desktop, NetHood, PrintHood, SendTo, Start Menu, Cookies, Favorites, Application Data
  • Notification area was previously named system tray
[5.2] Multilanguage technology
  • Unicode - international standard that allows support for the characters used in the world's most common languages
  • National language support API - is used to provide information for locale, character mapping and keyboard layout
  • Multilingual API - used to set up applications to support keyboard input and fonts from various language version of applications
  • Windows XP stores all language specific information in separate files from the OS files
[5.3] Multilanguage support
  • Support for two technologies
    • Multilingual editing and viewing which supports multiple languages while the user is viewing, editing and printing documents
    • Multilanguage user interface
  • Localized Windows XP - includes a fully localized user interface for the language that was selected. This version allows the user to view, edit and print documents in more than 60 languages. There is no support for a multilingual user interface.
  • Multilanguage Windows XP - provides user interfaces in several different languages. You will need to install the following files
    • Language groups - contain fonts and files needed to process specific language
    • Windows XP multilanguage version files - contain language content required by user interface and help files, can be up to 45Mb in size
  • Use muisetup.exe to set up the default user interface language
  • Multilanguage version of Windows XP is not available in retail, need Windows volume licensing
  • On localized version of Windows XP you configure multiple languages through 'Regional and language options'
[5.4] Accessibility options
  • Configured through 'Accessibility options' in control panel
  • Keyboard settings:
    • StickyKeys - allows user to enter key combinations one key at a time
    • FilterKeys - ignores brief repeated keystrokes
    • ToggleKeys - user hears tones when toggling CAPS LOCK/NUM LOCK/SCROLL LOCK
    • MouseKeys - allows you to use the numeric keypad to control the mouse pointer
  • ShowSounds - instructs programs that convey information by sound to also provide information visually
  • SoundSentry - allows you to change settings to generate visual warnings
  • You can also set the time after which options are turned off and when they are turned on (like on user log on)
[5.5] Accessibility utilities
  • Accessibility wizard - adjusts the PC based on the user's vision, hearing and mobility needs
  • Magnifier utility - makes portion of the screen bigger for easier viewing
  • Narrator utility - employs text-to-speech technology to read the contents of the screen
  • On screen keyboard - has three different modes:
    • Clicking mode - user clicks the on-screen keys to type text
    • Scanning mode - on-Screen keyboard highlights areas where you can type characters
    • Hovering mode - use a mouse or joystick to point to a key for period of time to type character
  • Utility manager - starts and stops accessibility utilities, can start/stop utilities on user log on or when the PC is locked

Part 6: Managing users and groups

[6.1] Built-in Accounts
  • Administrator - full control over the PC, even if disabled can be accessed from safe mode, password provided during setup
  • Guest - for users that don't have a username and password on the system, disabled by default
  • Initial user - uses the name of the registered user and exists only if the computer is member of a workgroup not a domain, by default member of the administrative group
  • HelpAssistant - new in Windows XP, used together with remote assistance
  • Support_xxxxxxx - used by Microsoft for help and support services, disabled by default
[6.2] Logging on
  • There are two type of users, local and domain
  • Local user credentials are compared to the local security database, domain user credentials are checked against Active Directory stored on a domain controller
  • When user logs onto the system an access token is created
  • Local user credentials cannot be used to access network resources
[6.3] Managing users
  • You manage users through 'Local users and groups' MMC that can be accessed in two ways
    • Custom MMC
    • By right clicking on My computer and selecting 'manage'
  • A user account consists of:
    • Name and password
    • SID (security identifier) - consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. SIDs are unique in the network.
    • Can have other attributes, like group membership
  • User names can be up to 256 bytes (characters) long and must be unique (different than other user names and group names)
  • User names cannot contain *{}\/:;,=|+?"<> and cannot be made of spaces and periods alone
  • User names are not case sensitive but passwords are
  • You can create users using net user
  • You have following user options:
    • User name (required field)
    • Full name (by default same as user name)
    • Description
    • Password textbox (up to 127 bytes (characters), 15 for NTLM)
    • Confirm password textbox
    • User must change password at next logon checkbox
    • User cannot change password checkbox
    • Password never expires checkbox
    • Account is disabled checkbox
  • You can set the following user properties
    • User profile path - stored in 'Documents and settings\%username%' folder, contains user preferences, and file ntuser.dat. In Windows NT 4.0 the path was \%systemdir%\profiles\%username%
    • Logon script - files that are run every time user logs into the PC
    • Home folder - is where users commonly store their personal files and documents
  • Password reset disk - use when user forgot their password. If you just reset the user password access to encrypted data will be lost.
  • Mandatory profiles can only be used with roaming profiles, they don't work with local profiles. Mandatory profiles can only be set up by an administrator
  • You can copy profiles using 'User profiles' tab of 'System properties'
  • UNC path - is in the format \\computer_name\share_name
  • Renaming an account maintains all group membership, permissions, and privileges of the account. Copying a user account maintains group membership, permissions, and privileges assigned to its groups, but doing so does not retain permissions associated with the original user account. Deleting and re-creating an account with the same name loses all group membership and permissions.
[6.4] Built-in local groups
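As an added example (not from the guide), the following Python checks a proposed user name against the naming rules listed above, splits an account SID into the domain SID and RID described under [6.3], and flags the password-length boundaries. The sample names and SID values are constructed; that a password of 15 or more characters cannot be stored as an LM hash is a known fact rather than something the guide states.

```python
import re

# Name and password rules as the guide states them: user names are at most 256
# characters, may not contain any of *{}\/:;,=|+?"<>, may not consist only of
# spaces and periods, and are compared case-insensitively against existing user
# and group names. Passwords are at most 127 characters.
FORBIDDEN_CHARS = set('*{}\\/:;,=|+?"<>')
MAX_NAME_LEN = 256
MAX_PASSWORD_LEN = 127
# A password of 15 or more characters cannot be stored as an LM hash (LM handles
# at most 14 characters); this is the boundary the guide calls "15 for NTLM".
LM_HASH_MAX_LEN = 14


def validate_user_name(name, existing_names=()):
    """Return the list of rules the proposed name violates (empty means OK)."""
    if not name:
        return ["user name is required"]
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append("longer than %d characters" % MAX_NAME_LEN)
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("contains forbidden characters: " + "".join(bad))
    if set(name) <= set(" ."):
        problems.append("consists only of spaces and periods")
    # User names are not case sensitive, so the uniqueness check folds case.
    if name.casefold() in {n.casefold() for n in existing_names}:
        problems.append("duplicates an existing user or group name")
    return problems


def check_password(password):
    """Classify a password against the length limits discussed in the guide."""
    return {
        "too_long": len(password) > MAX_PASSWORD_LEN,
        # True when the password is long enough that no LM hash is stored,
        # which removes the weakest hash that could be recovered from the SAM.
        "no_lm_hash": len(password) > LM_HASH_MAX_LEN,
    }


# Account SIDs have the form S-1-5-21-<domain part>-<RID>; the domain part is
# shared by every account issued by that domain (or local SAM), the RID is unique.
_ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split an account SID into (domain_sid, rid); None if it is not an account SID."""
    m = _ACCOUNT_SID.match(sid)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def same_domain(sid_a, sid_b):
    """True when two account SIDs were issued by the same domain or local SAM."""
    a, b = split_sid(sid_a), split_sid(sid_b)
    return a is not None and b is not None and a[0] == b[0]
```

Calling validate_user_name("bob:1") reports the colon, and split_sid on a constructed SID such as S-1-5-21-1004336348-1177238915-682003330-1001 returns the domain part and RID 1001.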
  • Administrators - full control over the PC
  • Backup operators - can only access file system through backup utility
  • Network configuration operators (new) - network settings
  • Guests - limited privileges
  • Power users - can add/remove users, create non-administrative shares, manage printers, start and stop services that are not started automatically
  • Remote desktop users (new) - members can logon remotely
  • Replicator - for directory replication used by domain servers
  • Users - run programs, print stuff, nothing special
  • HelpServices (new) - support through Microsoft Help services
[6.5] Special groups
  • Special groups are used by the system. Membership is automatic based on special criteria. You cannot manage these groups.
  • Creator Owner - the account that created or took ownership of an object
  • Creator - the group that created or took ownership of an object
  • Everyone - everyone that can possibly be accessing the PC, doesn't include the anonymous group
  • Interactive - users who use resources interactively (locally)
  • Network - users who access resources over the network
  • Authenticated users - users who access the PC using valid user name and password
  • Anonymous logon - users who access the PC through anonymous logon
  • Batch - user accounts that are only used to run a batch job
  • Dialup - users that logon to the network through dialup connection
  • Service - user accounts that are used only to run a service
  • Local System - system processes that access resources as a user are members of this group
  • Terminal server users - users who logon through terminal services
[6.6] Managing groups
  • Group names can be up to 256 bytes (characters) long, have to be unique and cannot contain '\'
  • Groups are used to manage and organize users. Add users to a group and then assign permission to the group

Part 7: Managing security

[7.1] Policies
  • Configured through 'Local computer policy' group policy, gpedit.msc MMC
  • Account policies are used to control logon procedures. If you want to control user after logging on, use local policies
  • Local policies are made up of
    • Audit policy - disabled by default
    • User rights assignment - too many to list here, see explanation underneath
    • Security options - also too many to list
  • Local policies are set for all users of the computer, you cannot single users out (you need AD for that)
[7.2] Password policy settings
  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Complexity requirement
  • Store passwords using reversible encryption
[7.3] Account lockout policy
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after X minutes
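An added example, not from the guide, that models how the three account lockout settings interact: failures are counted per account, the counter is cleared once the reset window has passed with no new failure, reaching the threshold locks the account for the duration (or until an administrator unlocks it when the duration is 0), and a correct password is refused while the account is locked. The policy values and user names are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int         # Account lockout threshold (0 = never lock out)
    duration_min: int      # Account lockout duration (0 = locked until an admin unlocks)
    reset_after_min: int   # Reset account lockout counter after X minutes


@dataclass
class AccountState:
    bad_count: int = 0                       # failed attempts in the current window
    last_bad: Optional[datetime] = None      # time of the most recent failure
    locked_until: Optional[datetime] = None  # end of a timed lockout
    locked_by_admin_only: bool = False       # duration 0: stays locked until unlocked


class LockoutTracker:
    """Minimal model of the lockout state machine, one state per account."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        s = self._state(user)
        if s.locked_by_admin_only:
            return True
        if s.locked_until is None:
            return False
        if now >= s.locked_until:
            # The lockout duration has elapsed: unlock and clear the counter.
            s.locked_until, s.bad_count, s.last_bad = None, 0, None
            return False
        return True

    def unlock(self, user):
        """Administrator unlocks the account (the only way out when duration is 0)."""
        self.accounts[user] = AccountState()

    def attempt(self, user, password_ok, now):
        """Record one logon attempt; returns 'ok', 'rejected' or 'locked'."""
        p, s = self.policy, self._state(user)
        if self.is_locked(user, now):
            return "locked"            # denied even if the password is correct
        if password_ok:
            s.bad_count, s.last_bad = 0, None
            return "ok"
        # Failures older than the reset window no longer count.
        if s.last_bad is not None and now - s.last_bad >= timedelta(minutes=p.reset_after_min):
            s.bad_count = 0
        s.bad_count, s.last_bad = s.bad_count + 1, now
        if p.threshold and s.bad_count >= p.threshold:
            if p.duration_min == 0:
                s.locked_by_admin_only = True
            else:
                s.locked_until = now + timedelta(minutes=p.duration_min)
            return "locked"
        return "rejected"


def lockout_scenario():
    """Constructed sample: threshold 5, duration 30 min, counter reset after 30 min."""
    t0 = datetime(2004, 6, 17, 9, 0)
    tracker = LockoutTracker(LockoutPolicy(threshold=5, duration_min=30, reset_after_min=30))
    outcomes = []
    # Five wrong passwords one minute apart; the fifth one locks the account.
    for i in range(5):
        outcomes.append(tracker.attempt("alice", False, t0 + timedelta(minutes=i)))
    # A correct password ten minutes later is still refused while locked.
    outcomes.append(tracker.attempt("alice", True, t0 + timedelta(minutes=10)))
    # Once the 30-minute duration has passed the same password is accepted.
    outcomes.append(tracker.attempt("alice", True, t0 + timedelta(minutes=40)))
    return outcomes


def reset_window_scenario():
    """Four failures, then a fifth one 35 minutes later: the counter had already
    been reset, so the account is not locked and the count is back to 1."""
    t0 = datetime(2004, 6, 17, 9, 0)
    tracker = LockoutTracker(LockoutPolicy(threshold=5, duration_min=30, reset_after_min=30))
    for i in range(4):
        tracker.attempt("bob", False, t0 + timedelta(minutes=i))
    result = tracker.attempt("bob", False, t0 + timedelta(minutes=38))
    return result, tracker.accounts["bob"].bad_count
```

The second scenario is the point practitioners most often miss: a reset window shorter than the attacker's pacing means the threshold is never reached, which is why the reset value is normally set equal to or longer than the lockout duration.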
[7.4] Enabling auditing for files, folders and printers
  • You will need to enable auditing for object access policy
  • And you also need to enable auditing for individual files and folders through NTFS security or through printer security
  • Auditing data is placed into security log
[7.5] Auditing
  • Account logon events - success or failure of domain logon
  • Account management - events such as resetting passwords and modifying user properties
  • Directory services - any time a user accesses AD an event is generated
  • Logon events - success or failure of local logon or logon to a share
  • Object access - file, folder or printer access
  • Policy change - success or failure of change of security options, user rights, account policies and audit policies. Both domain and local PC changes are tracked.
  • Process tracking - useful for applications
  • System events - system events such as shutting down PC or clearing the logs
[7.6] User rights
  • Administrators can assign specific rights to group accounts or to individual user accounts. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights. The only time that rights assigned to one group might conflict with those assigned to another is in the case of certain logon rights.
  • There are too many user rights to list
  • There are two types of user rights:
    • Privileges, such as the right to back up files and directories
    • Logon rights, such as the right to logon to a system locally
[7.7] Security options
  • Security option policies are used to configure security for the computer
  • These policies are applied to the computer, not to users and groups
  • Security options are edited through computer part of 'Group policy editor' GP object 'Local computer policy' MMC
  • Security options can also be viewed with secpol.msc
  • There are too many security options to list
[7.8] Security templates
  • secedit.exe is used to configure and analyze system security by comparing your current configuration to at least one template
  • Security templates are stored in %systemroot%\security\templates folder
  • Setup security.inf - default settings
  • Compatws.inf - used for backwards compatibility, so applications not certified for Windows XP can work
  • Secure*.inf - implements recommended security in all areas except files, folders and registry keys
  • Hisec*.inf - high security network communication, Windows XP can communicate only with other XP or 2000 computers
  • Rootsec.inf - new root permissions introduced in XP are going to be applied
  • Notssid.inf - removes default permissions granted to terminal server SID
[7.9] Using local group policies
  • Normally GP are applied through AD, but they can also be applied locally
  • When you use local group policies there can only be one GP object
  • Policies that have been applied through AD will take precedence over any local group policies
  • You administer local GP through Local group policy object (gpedit.msc)
  • Rsop - resultant set of policies is the final set of policies that is applied to the user and computer. Use gpresult to display Rsop for current user in command line format. Use rsop.msc to start Microsoft management console that displays Rsop.
[7.10] Using group policies with AD
  • When a DC is present you can have GPOs in AD; they are stored in the %systemroot%\Sysvol folder on every DC by default
  • When user logs into active directory, this is the order of policy application:
    • Local computer
    • Site (group of domains)
    • Domain
    • OU (organizational unit)
  • The following options are available for overriding the default policy application
    • No override - enforce policy inheritance, you force all child policy containers to inherit the parent's policy, even if that policy conflicts with the child's policy and even if Block Inheritance has been set for the child. This option is used by corporations that want to have corporate level security and don't want low level administrators to be able to override it. To set no override option open properties screen of domain or OU in the GPO Links list, r-click the GPO link that you want to enforce, click No Override.
    • Block inheritance - used if you don't want to inherit GP settings from parent containers. You can block policy inheritance at the domain or OU level by opening the properties dialog box for the domain or OU and selecting the 'Block Policy inheritance' check box
  • Group Policy is not inherited from parent to child domains, i.e. blah.boom.com does not inherit from boom.com
  • The smallest unit you can apply GP to is an organizational unit (OU)
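An added example (not the guide's own material) that models the precedence rules described above: ordinary links apply in local, site, domain, OU order with the closer container winning; Block Inheritance on a domain or OU discards the non-enforced links of its parent containers; and an enforced (No Override) link applies last, outermost winning, so it beats both a child's setting and a Block Inheritance flag. The containers, GPO names and settings are constructed, and the treatment of local policy as unaffected by Block Inheritance is an assumption of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]   # policy setting -> configured value
    enforced: bool = False        # link marked "No Override"


@dataclass
class Container:
    name: str
    level: str                    # 'local', 'site', 'domain' or 'ou'
    gpos: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False   # "Block Policy inheritance" (domain or OU only)


def resultant_set(path: List[Container]) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Compute the RSoP for an object whose containers are given in the guide's
    processing order: local computer, site, domain, then OUs from the top of the
    tree down to the one holding the object. Returns the effective settings and,
    for each setting, the name of the GPO that supplied it."""
    # Block Inheritance on a domain or OU discards the non-enforced GPOs linked
    # to every container above it; the innermost block is the one that matters.
    # Assumption of this example: local policy is always processed and is not
    # affected by Block Inheritance, which applies to AD parent containers only.
    block_at = 0
    for i, c in enumerate(path):
        if c.block_inheritance and c.level in ("domain", "ou"):
            block_at = i
    settings: Dict[str, object] = {}
    provenance: Dict[str, str] = {}

    def apply(gpo: GPO):
        for key, value in gpo.settings.items():
            settings[key] = value
            provenance[key] = gpo.name

    # Pass 1: ordinary links in LSDOU order, so a closer container overrides a
    # more distant one.
    for i, c in enumerate(path):
        blocked = i < block_at and c.level != "local"
        for gpo in c.gpos:
            if not gpo.enforced and not blocked:
                apply(gpo)
    # Pass 2: enforced (No Override) links, applied last and from the innermost
    # container outward, so a parent's enforced setting beats a child's and
    # Block Inheritance cannot stop it.
    for c in reversed(path):
        for gpo in c.gpos:
            if gpo.enforced:
                apply(gpo)
    return settings, provenance


def sales_workstation_rsop(block_on_ou: bool):
    """Constructed sample: a workstation in the Sales OU of a domain whose
    administrators enforce a corporate security GPO at domain level."""
    local = Container("Local computer", "local",
                      [GPO("Local policy", {"screensaver_timeout": 600})])
    site = Container("HQ site", "site")
    domain = Container("example.local", "domain", [
        GPO("Domain Defaults", {"screensaver_timeout": 900,
                                "audit_logon": "success,failure"}),
        GPO("Corp Security", {"password_min_length": 8}, enforced=True),
    ])
    sales = Container("Sales OU", "ou",
                      [GPO("Sales Desktop", {"screensaver_timeout": 300,
                                             "password_min_length": 6})],
                      block_inheritance=block_on_ou)
    return resultant_set([local, site, domain, sales])
```

With Block Inheritance set on the Sales OU the domain's audit setting disappears from the result, but the enforced password length still arrives from Corp Security; without the block both domain GPOs contribute and the OU's weaker password setting is still overridden.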
[7.11] Other security issues
  • Both Windows XP Pro and Home Edition allow user accounts to utilize blank passwords to log into their local workstations, although in XP Pro, accounts with blank passwords can no longer be used to log on to the computer remotely over the network
  • In XP Home Edition all user accounts have administrative privileges and no password by default
  • Windows XP Home Edition will not allow you to disable the Guest account. When you disable the Guest account via the Control Panel, it only removes the listing of the Guest account from the Fast User Switching Welcome screen, and the Log on Local right. The network credentials will remain intact and guest users will still be able to connect to shared resources.
  • The "Everyone" group has access to Printers assigned by default
  • Remote desktop is not enabled by default on Windows XP Pro

Part 8: Managing disks

[8.1] File systems
  • FAT 16 bit (File Allocation Table)
  • FAT 32 bit
  • NTFS (New Technology File System)
  • To convert from FAT to NTFS use: convert x: /fs:NTFS. You cannot use convert to convert to other file systems.
[8.2] Disk drives
  • SCSI 15000RPM, 20Mbps transfer
  • IDE 7200RPM, 16.7Mbps transfer
  • SATA (similar to IDE)
  • Both SCSI and SATA support up to 15 drives on a single controller
  • IDE drives have 'cable select' option on them which automatically determines master and slave. It is best practice to manually set jumpers for master and slave.
[8.3] ARC path designation (Advanced RISC computing)
  • ARC dates back to NT 3.5 days (in the form presented here, otherwise NT 3.1)
  • The file boot.ini is used to find '\windows\' directory
  • Bootcfg.exe configures, queries, or changes Boot.ini file settings
  • Msconfig can be used to change system startup options including modification of boot.ini
  • Please note that Microsoft has changed the default install directory from WINNT to WINDOWS for Windows XP. For upgrades we will still use WINNT directory.
  • Multi
    • Identifies the controller physical disk is on
    • Multi(x) syntax of the ARC path is only used on x86-based computers
    • For IDE or pure SCSI disks when OS is on the 1st or 2nd SCSI drive
    • The Multi(x) syntax indicates to Windows NT that it should rely on the computer's BIOS to load system files. This means that the operating system will be using interrupt (INT) 13 BIOS calls to find and load NTOSKRNL.EXE and any other files needed to boot Windows NT.
    • Numbering starts at 0, for example Multi(0), due to technical reasons it should always be 0
    • In a pure IDE system, the Multi(x) syntax will work for up to the 4 drives on the primary and secondary channels of a dual-channel controller
    • In a pure SCSI system, the Multi(x) syntax will work for the first 2 drives on the first SCSI controller (that is, the controller whose BIOS loads first)
    • In a mixed SCSI and IDE system, the Multi(x) syntax will work only for the IDE drives on the first controller
  • SCSI
    • Identifies the controller physical disk is on
    • The SCSI(x) syntax is used on both RISC and x86-based computers
    • Using SCSI() notation indicates that Windows NT will load a boot device driver and use that driver to access the boot partition
    • On an x86-based computer, the device driver used is NTBOOTDD.SYS, on a RISC computer, the driver is built into the firmware
    • Numbering starts at 0, for example SCSI(0)
    • Windows NT Setup always uses Multi(x) syntax for the first two drives
  • Disk
    • Identifies the physical disk attached to controller
    • 0 if Multi(x) present, Disk is only for SCSI
    • For SCSI the value of Disk(x) is the SCSI ID and can be 0-15. Note: one channel is always reserved for the controller itself
    • Numbering starts at 0, for example Disk(0)
  • Rdisk
    • Identifies the physical disk attached to controller
    • Almost always 0 if SCSI(x) is present, Rdisk is for Multi(x), ordinal for the disk, usually number 0-3
    • Numbering starts at 0, for example Rdisk(0)
  • Partition
    • Refers to the partition on the hard disk where Windows system folder is located on
    • All partitions receive a number except for type 5 (MS-DOS Extended) and type 0 (unused) partitions, with primary partitions being numbered first and then logical drives
    • A partition is a logical definition of hard drive space
    • Numbering starts at 1, for example Partition(1)
  • Signature
    • Used when system BIOS or controller hosting the boot partition cannot use INT-13 Extensions
    • The signature() syntax is equivalent to the scsi() syntax
    • Using the signature() syntax instructs Ntldr to locate the drive whose disk signature matches the value in the parentheses, no matter which SCSI controller number the drive is connected to
    • The signature() value is extracted from the physical disk's Master Boot Record (MBR)
[8.4] Easy way to memorize ARC
  • There are 5 letters in the word 'Multi' and 5 letters in the word 'Rdisk'
  • There are 4 letters in the word 'SCSI' and 4 letters in the word 'Disk'
  • 'SCSI' works together with 'Disk' while 'Multi' works together with 'Rdisk'
  • When system uses Multi(x) it uses BIOS INT-13 Extensions, so on board BIOS has to be enabled
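An added example (not from the guide) that parses the [operating systems] section of a boot.ini file and checks each ARC path against the rules given in [8.3]: multi() must be multi(0) with disk(0) and an rdisk() ordinal, scsi() and the equivalent signature() carry the SCSI ID in disk() with rdisk() normally 0, and partition numbering starts at 1. The boot.ini content, including the disk signature value, is constructed for the demonstration.

```python
import re

# Constructed sample boot.ini (not taken from the guide); the disk signature is made up.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
scsi(0)disk(3)rdisk(0)partition(2)\WINNT="Windows 2000 Professional (SCSI ID 3)" /fastdetect
signature(8b467c12)disk(1)rdisk(0)partition(1)\WINDOWS="Windows XP on signature() disk" /fastdetect
"""

_ARC = re.compile(
    r"^(multi|scsi|signature)\(([0-9a-fA-F]+)\)"
    r"disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\.*)?$",
    re.IGNORECASE,
)


def parse_arc(arc):
    """Split an ARC path into its components and check it against the rules in
    the guide. Returns a dict; 'problems' is empty when the path is consistent."""
    m = _ARC.match(arc.strip())
    if not m:
        raise ValueError("not an ARC path: %r" % arc)
    kind, ctrl = m.group(1).lower(), m.group(2)
    disk, rdisk, partition = int(m.group(3)), int(m.group(4)), int(m.group(5))
    problems = []
    if kind == "multi":
        # Boot through BIOS INT 13h: controller 0, disk() unused (must be 0),
        # rdisk() is the drive ordinal, 0-3 on an IDE system.
        if not (ctrl.isdigit() and int(ctrl) == 0):
            problems.append("multi() should always be multi(0)")
        if disk != 0:
            problems.append("disk() must be 0 when multi() is used")
        if not 0 <= rdisk <= 3:
            problems.append("rdisk() with multi() is an ordinal 0-3")
    else:
        # scsi() and the equivalent signature(): NTBOOTDD.SYS is loaded,
        # disk() is the SCSI ID (0-15) and rdisk() is normally 0.
        if kind == "scsi" and not ctrl.isdigit():
            problems.append("scsi() takes a controller number")
        if not 0 <= disk <= 15:
            problems.append("disk() with scsi()/signature() is a SCSI ID 0-15")
        if rdisk != 0:
            problems.append("rdisk() is almost always 0 with scsi()/signature()")
    if partition < 1:
        problems.append("partition() numbering starts at 1")
    return {"kind": kind, "controller": ctrl, "disk": disk, "rdisk": rdisk,
            "partition": partition, "folder": m.group(6) or "",
            "boot_driver": "BIOS INT 13h" if kind == "multi" else "NTBOOTDD.SYS",
            "problems": problems}


def parse_boot_ini(text):
    """Return one entry per line of the [operating systems] section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "operating systems":
            continue
        arc, _, rest = line.partition("=")
        m = re.match(r'\s*"([^"]*)"\s*(.*)$', rest)
        description, switches = (m.group(1), m.group(2).split()) if m else (rest, [])
        entries.append({"arc": parse_arc(arc), "description": description,
                        "switches": switches})
    return entries
```

Running parse_boot_ini(SAMPLE_BOOT_INI) yields three entries with empty problem lists, while parse_arc("multi(0)disk(2)rdisk(0)partition(1)") reports that disk() must be 0 with multi().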
[8.5] Disk Management MMC snap-in
  • To activate: start -> all programs -> administrative tools -> computer management -> disk management tree node
  • Another way is to r-click on My computer and select 'manage' from the list
  • Finally you can just create a custom MMC snap in
  • Using disk management, among other things, you can:
    • Initialize new disks
    • Create new volumes and partitions
  • If you r-click and select properties -> general tab you can see location heading with a number. That number is the ARC number of the HD.
  • If you need a disk formatted in FAT or FAT32 you cannot do it from disk manager, you need to use: format x: /fs:FAT32. Note: Windows can format FAT32 disks up to a maximum of 32Gb but can read higher capacity drives
  • DiskPart.exe - you can create scripts to automate tasks, such as creating volumes or converting disks to dynamic.
  • Fsutil.exe - perform many NTFS file system related tasks, such as managing disk quotas, dismounting a volume, or querying volume information.
  • Mountvol.exe to mount a volume at an NTFS folder or unmount the volume from the NTFS folder.
[8.6] Remote management
  • Computer management is not just for the local machine, you can also manage other PCs, to activate r-click on computer management (local) and select 'connect to another pc'
  • By default Domain Admins are part of the local Administrators group and you need these rights to connect to and administer remote PCs
  • If you cannot access Device Manager from the Computer Management extension snap-ins on a remote computer, ensure that the Remote Registry service is started on the remote computer.
  • Computer Management does not support remote access to computers that are running Windows 95.
  • In remote management 'Device Manager' is in read only mode
[8.7] Basic Disks
  • Primary partition is the only one that is bootable and there is a maximum of 4 primary partitions
  • Extended partitions are not bootable
  • Logical drives are created in extended partitions. There are no limits as to the number of logical drives each extended partition may have.
  • Primary partitions and logical drives are assigned drive letters
  • On a basic disk the partition table is stored in the first sector of the hard disk, inside the master boot record (MBR); it is the partition table, not the file system, that shares that sector with the boot code
[8.8] Dynamic disks
  • Fault tolerance is better than with basic disks because the configuration is stored in more than one place: a 1 MB database at the end of each dynamic disk holds information about every dynamic disk in the system, so the same data exists on every member
  • Can be one of the following:
    • Simple volume:
      • Single disk
      • No fault tolerance
      • Can be NTFS or FAT
    • Spanned volume:
      • maximum of 32 disks
      • Can be extended (NTFS only) by adding unallocated space from another dynamic disk; an extension cannot be undone without deleting and recreating the whole volume
      • No fault tolerance
    • Mirror volume:
      • Also known as RAID 1
      • Windows XP Pro does not support mirror volumes
      • Can be NTFS or FAT
      • Fault tolerance, data is the same on both disks
      • To replace the failed mirror in a mirrored volume, right-click the failed mirror and then click Remove Mirror, and then right-click the other volume and click Add Mirror to create a new mirror on another disk
      • Variation of mirroring called duplexing uses HD connected to different controllers for even more fault tolerance
    • Striped volume:
      • Also known as RAID 0
      • Maximum of 32 disks
      • Breaks data into 64 KB stripe units written in turn to each disk that makes up the stripe
      • It is recommended to use the same type of hard drive for every member
      • Windows XP cannot be installed on software RAID 0
      • You cannot extend striped volume, need to recreate it
      • No fault tolerance
    • RAID 5:
      • Made up of at least three disks; the parity information for each stripe is stored on one member and rotates across all of them
      • Fault tolerance when one disk fails
      • Maximum of 32 disks, minimum of 3
      • Not available in Windows XP professional
      • To replace the failed disk region in a RAID-5 volume, right-click the RAID-5 volume and then click Repair Volume
  • Dynamic disks are available in Windows 2000 Professional and Server, Windows XP Professional and Windows Server 2003 (all editions); Windows XP Home cannot use them
  • Note: if disk fails for which ARC path is in boot.ini system will not boot. You should have a disk with modified boot.ini
  • Mounted volumes - can mount HD as a NTFS folder
  • Uninstall disks prior to moving them, Re-scan disk when you attach it
  • Dynamic disks can be re-configured without re-boot
  • When your boot disk is also a dynamic disk, then you will not be able to dual boot into OS that is not dynamic disk capable
  • Dynamic disks are not supported on laptops, since they offer no advantage over basic disks in that scenario
  • Dynamic disk partition table types:
    • dynamic GUID partition table (GPT) disks, for 64bit editions of Windows
    • dynamic MBR disks, for 32 and 64bit editions of Windows
  • The Foreign status occurs when you move a dynamic disk to the local computer from another computer
  • You can have a maximum of 2000 volumes on a dynamic disk, recommended maximum is 32
  • Volumes created after the 26th drive letter has been used must be accessed using volume mount points
  • Hard drives connected to the PC over USB or IEEE 1394 cannot be converted to dynamic disks
  • Extending simple volume:
    • Similar to spanned volume but uses the same physical HD with simple volume
    • You can extend a simple volume only if it has no file system or is formatted with NTFS. You also need unallocated space on the same disk, and the volume must not have been converted from a basic disk partition.
    • You cannot extend volumes formatted using FAT or FAT32
    • You cannot extend a system volume, boot volume, striped volume, mirrored volume, or RAID-5 volume
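The following is an added example, not part of the guide, showing why a RAID-5 volume keeps working with one failed member and how Repair Volume regenerates it: each stripe stores one parity unit that is the XOR of the stripe's data units, and any single missing unit is the XOR of the others. The stripe unit is 4 bytes here instead of the 64 KB Windows uses, so the arithmetic is easy to follow; the layout rules (parity rotating across members, minimum of three disks) are the same. Disk contents are constructed.

```python
# Added example, not from the guide: how a RAID-5 volume lays data out and
# survives one failed member.  The stripe unit is 4 bytes here instead of the
# 64 KB Windows uses, so the arithmetic is easy to follow; the rules are the same.

CHUNK = 4  # stripe unit size; Windows uses 64 KB


def _xor_units(units):
    """XOR equal-sized byte strings together; this is all RAID-5 parity is."""
    out = bytearray(len(units[0]))
    for unit in units:
        for i, b in enumerate(unit):
            out[i] ^= b
    return bytes(out)


def raid5_write(data, ndisks):
    """Lay `data` out over `ndisks` members, one parity unit per stripe, with the
    parity unit rotating to a different disk each stripe so no single disk is
    the bottleneck.  Returns a list with one list of units per disk."""
    if ndisks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    per_stripe = ndisks - 1                                   # data units per stripe
    data += b"\x00" * ((-len(data)) % (CHUNK * per_stripe))  # pad to whole stripes
    units = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    disks = [[] for _ in range(ndisks)]
    for s in range(len(units) // per_stripe):
        stripe = units[s * per_stripe:(s + 1) * per_stripe]
        parity_disk = (ndisks - 1 - s) % ndisks
        next_unit = iter(stripe)
        for d in range(ndisks):
            disks[d].append(_xor_units(stripe) if d == parity_disk else next(next_unit))
    return disks


def _rebuild_unit(disks, missing, s):
    """A missing unit is the XOR of the same stripe's units on every other disk
    (data and parity alike)."""
    return _xor_units([disks[o][s] for o in range(len(disks)) if o != missing])


def raid5_read(disks, length):
    """Read the data back, skipping parity units.  A failed member is passed as
    None; the volume keeps working (Failed Redundancy) with exactly one failure."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) > 1:
        raise RuntimeError("two failed members: RAID-5 cannot recover the data")
    ndisks = len(disks)
    stripes = len(disks[[i for i in range(ndisks) if i not in missing][0]])
    out = b""
    for s in range(stripes):
        parity_disk = (ndisks - 1 - s) % ndisks
        for d in range(ndisks):
            if d == parity_disk:
                continue
            out += _rebuild_unit(disks, d, s) if disks[d] is None else disks[d][s]
    return out[:length]


def raid5_regenerate(disks):
    """Rebuild the one missing member onto a replacement disk (the 'Regenerating'
    status after Repair Volume).  Modifies and returns `disks`."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise RuntimeError("exactly one missing member can be regenerated")
    m = missing[0]
    stripes = len(disks[(m + 1) % len(disks)])
    disks[m] = [_rebuild_unit(disks, m, s) for s in range(stripes)]
    return disks
```

Read the volume with one member set to None and the data still comes back, which is the Failed Redundancy state; set two members to None and the read raises, which is why a second failure before regeneration finishes loses the volume.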
[8.9] Volume status descriptions
  • Failed - basic or dynamic volume cannot be started automatically or the disk is damaged
  • Failed Redundancy - data on a mirrored or RAID-5 volume is no longer fault tolerant because one of the underlying disks is not online, has substatus information
  • Formatting - occurs only while a volume is being formatted with a file system
  • Healthy - normal volume status on both basic and dynamic volumes, no known problems, has substatus information
  • Regenerating - occurs when a missing disk in a RAID-5 volume is reactivated
  • Resynching - occurs when creating a mirror or restarting a computer with a mirrored volume
  • Unknown - occurs when the boot sector for the volume is corrupted
  • Data Incomplete - displayed in the Foreign Disk Volumes dialog box, and occurs when data spans multiple disks, but not all of the disks were moved.
  • Data Not Redundant - displayed in the Foreign Disk Volumes dialog box when you import all but one of the disks in a mirrored or RAID-5 volume
  • Stale Data - displayed in the Foreign Disk Volumes dialog box, and occurs when a mirrored or RAID-5 volume has stale mirror information, stale parity information, or I/O errors
[8.10] Converting to dynamic disk and back to basic disk
  • If you convert a boot disk, or if a volume or partition is in use on the disk you attempt to convert, you must restart the computer for the conversion to succeed.
  • The conversion may fail if you change the disk layout of a disk to be converted or if the disk has I/O errors during the conversion.
  • After you convert a basic disk into a dynamic disk, any existing partitions on the basic disk become (dynamic) simple volumes.
  • If you are using shadow copies and they are stored on a different disk than the original, you must first dismount and take offline the volume containing the original files before you convert the disk containing the shadow copies to a dynamic disk.
  • When converting from dynamic back to basic, the disk must not contain any volumes or data. If you want to keep your data, back it up before you convert the disk to a basic disk.
[8.11] Disk quotas
  • Disk quotas apply to everyone using the volume except members of the Administrators group
  • Remember that every user needs a few MB (at least 2) of space for the profile data written at logon
  • Quota entry can be created per user but not per group, only volumes and users have quota entries
  • Quota limit is calculated using the uncompressed file size, thus compressing files will not create more space
  • The default quota entry is for all users of given volume. You can add additional quota entries on per user basis only.
  • Once again, quota entries are per user per volume, no groups are allowed.
  • Remember that once a user uses a volume with quota set on it an entry is automatically added. Thus, if you had a general entry for all users and later on some users run out of space and need more you modify quota entries not add new ones.
  • When quotas are enabled, NTFS scans the volume and charges every existing file to its owner, so a user can already be over the limit when quotas are switched on; the limit is then enforced on new writes
  • Each file can carry up to 64 KB of metadata that is not charged to the user's quota
  • Fsutil is used to manage quota from command line
  • To free some space run disk cleanup, from command prompt: cleanmgr.exe (note it doesn't clear internet temporary files)
[8.12] Defragmenting
  • You will need at least 15% of free HD space in order to defragment
  • You may need to repeat the process several times in order to achieve planned results
  • Defragmenting should be done on every volume every 1 to 2 months
  • The Disk Defragmenter snap-in has no scheduler; to run defragmentation on a schedule use the command-line defrag.exe from a scheduled task or script
  • Windows defragmenter works with FAT16, FAT32 and NTFS
  • On modern systems that use NTFS and do not use the file system heavily (desktops), the benefit of defragmenting is measurable but not noticeable to the end user. Defragmenting is therefore a significant performance tool mainly for file servers.
[8.13] Encryption:
  • Only the user who encrypted the file, additional users the owner has authorized (new in Windows XP; those users must already hold an EFS certificate) and recovery agents can decrypt the file
  • When moving encrypted file from one volume to another volume, it stays encrypted. When copying file it also stays encrypted. This behaviour is unique for encryption!
  • Note that user which has NTFS permissions to an encrypted file can delete that file, even if he/she cannot view that file. They can also move the file around on the same NTFS volume (different volume would mean a copy operation and possible decryption).
  • A file cannot be both encrypted and compressed: NTFS treats the two attributes as mutually exclusive (and ciphertext is effectively random, so it would not compress anyway)
  • You can zip 1st using winzip or other 3rd party compression tool, then encrypt to get encrypted and compressed file
  • Executable file cipher.exe is a command line encryption utility
  • By default, the recovery agent is the Administrator account on the 1st DC, there is no default for stand alone server/workstation
  • For encryption property, moving/copying a file to a FAT system decrypts file without warning
  • It is recommended to export the recovery agent's certificate and private key to a floppy disk kept in a secure location, and to copy the file to be recovered to the recovery agent's PC and recover it there
  • User needs correct certificate to perform action on a file that would result in that file being decrypted
[8.14] How EFS (encrypted file system) works
  • When the user chooses to encrypt a file, a file encryption key is generated
  • This encryption key, together with encryption algorithm is used to encrypt the contents of the file
  • The file encryption key is encrypted itself using user's public key and stored together with the encrypted file. The file encryption key is also protected by the public key of each additional EFS user that has been authorized to decrypt the file and each recovery agent.
  • File can only be decrypted by using user's private key, by using private key of users given permission to view the file and private key of recovery agent
  • The public/private key pair is generated for the user and the public key is placed in the user's EFS certificate
  • On stand-alone machines the user's certificate is created (self-signed) the first time he or she encrypts a file
  • For domain user certificate is issued by the certification authority - user needs permission to get a certificate
  • Files marked with the System attribute cannot be encrypted, nor can files in the systemroot directory structure.
  • Before users can encrypt or decrypt files and folders that reside on a remote server, an administrator must designate the remote server as trusted for delegation.
  • If you open the encrypted file over the network, the data that is transmitted over the network by this process is not encrypted.
  • Users can use EFS remotely only when both computers are members of the same Windows Server 2003 family forest
  • Encrypted files are not accessible from Macintosh clients
  • Encrypting File System (EFS) no longer requires a recovery agent
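The following is an added example, not code from the guide or from Windows, that models the key hierarchy described in 8.14 so the consequences are visible: one random file encryption key (FEK) encrypts the data; the FEK is wrapped once under the owner's public key, once under each additional authorized user's public key (the data decryption fields, DDF) and once under each recovery agent's public key (the data recovery fields, DRF). Authorizing another user therefore only adds one more wrapped FEK, the data is never re-encrypted, and a recovery agent can decrypt without the owner's private key. Textbook RSA and an HMAC-SHA256 keystream stand in for the certificate key pairs and the symmetric file cipher so the code runs on the standard library alone; they are not the algorithms Windows uses. The principal names are constructed.

```python
# Added example, not from the guide: a working model of the EFS key hierarchy.
# Textbook RSA and an HMAC-SHA256 keystream are stand-ins for the certificate
# key pairs and the symmetric file cipher; they are not what Windows uses.
import hashlib
import hmac
import os
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test, enough for demo-sized keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits=256):
    """Stand-in for a user's EFS certificate key pair: ((n, e), (n, d)).
    256 bits is enough to wrap a 128-bit FEK here; it is nowhere near a real key size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:           # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(fek, data):
    """Symmetric file cipher stand-in: HMAC-SHA256 in counter mode XORed over data."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(fek, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _wrap_fek(fek, pub):
    n, e = pub
    return pow(int.from_bytes(fek, "big"), e, n)


def _unwrap_fek(wrapped, priv):
    n, d = priv
    return pow(wrapped, d, n).to_bytes(16, "big")


def efs_encrypt(plaintext, owner, owner_pub, recovery_agents):
    """Return the on-disk structure: ciphertext plus one wrapped FEK per principal.
    `owner` and the keys of `recovery_agents` are constructed names."""
    fek = os.urandom(16)                 # never written to disk in the clear
    return {
        "data": _keystream_xor(fek, plaintext),
        "ddf": {owner: _wrap_fek(fek, owner_pub)},
        "drf": {name: _wrap_fek(fek, pub) for name, pub in recovery_agents.items()},
    }


def _fek_for(efs_file, name, priv):
    wrapped = efs_file["ddf"].get(name, efs_file["drf"].get(name))
    if wrapped is None:
        raise PermissionError(f"{name} holds no key entry for this file")
    try:
        return _unwrap_fek(wrapped, priv)
    except OverflowError:                # wrong private key: result is not a 16-byte FEK
        raise PermissionError(f"{name}: private key does not match the entry")


def efs_decrypt(efs_file, name, priv):
    return _keystream_xor(_fek_for(efs_file, name, priv), efs_file["data"])


def efs_add_user(efs_file, acting, acting_priv, new_user, new_pub):
    """Authorizing another user (the Windows XP feature) only adds one more wrapped
    copy of the FEK; the file data itself is not touched or re-encrypted."""
    fek = _fek_for(efs_file, acting, acting_priv)
    efs_file["ddf"][new_user] = _wrap_fek(fek, new_pub)


def efs_remove_user(efs_file, user):
    efs_file["ddf"].pop(user, None)
```

Two points from the section fall out of the structure: a user with NTFS rights but no DDF entry can still delete or move the file (the structure is just data to NTFS), and removing a user only deletes a wrapped copy, so anyone who already extracted the FEK keeps it.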
[8.15] Compression (NTFS)
  • When you compress a whole folder:
    • All files are compressed automatically when added but not current folder occupants
    • OR
    • Compression can also be applied to current files and subfolders
  • Decompression is a reverse process of compression
  • Moving a file on the same volume means that the file location is moved in MFT only, not the physical file itself.
  • When you copy a file, no matter whatever on the same volume or not, the destination file will inherit the destination folder's permissions
  • When you move a file on the same volume, it keeps its original permissions. When you move a file to another volume, the move is treated as a copy operation and the file permissions are inherited from the destination folder.
  • All file attributes behave in the same way with the exception of encryption
  • File compression is supported only on NTFS volumes with cluster sizes 4 KB and smaller
  • For command line use compact.exe, it can display and modify compression attributes but it works only on NTFS

Part 9: Accessing files and folders

[9.1] General folder options
  • General folder options:
    • Windows classic or web content in the folders
    • Whether folders are opened all in the same window or in separate windows
    • Opening with single or double mouse click
  • Folder view options:
    • Configure things that you see once you open files and folders
    • There are too many options to list
  • File type options are used to associate file extensions with application file types
[9.2] Offline folder options
  • Offline folder options, you can store network files offline
  • On the client side:
    • The first step is to enable offline file support on the client (enabled by default) under Folder Options -> Offline Files; the feature is available on Windows 2000 and later
    • In the folder options for offline files you can set:
      • You can set synchronization options: manually synchronize, automatic synchronization (log on or log off) and reminder at certain time intervals
      • You can also set how much disk space will be used for temporary network files and whether the offline cache will be encrypted
    • When offline files are enabled connect to a shared folder, right click it and select 'Make available offline' this will bring settings dialog box and start synchronization
    • When the folder is set up as available offline when you right click on it you will have an option to synchronize
    • Folders that are synchronized appear with a small blue arrow pointing down in the lower left corner of the folder icon
  • On the server side:
    • SMB is used for communication between networked computers, so for offline files any SMB server will do
    • You can disable and enable (default) client's ability to use offline content by changing the options in Share properties -> Caching on the server computer
[9.3] ACL - access control list
  • Every securable object (in AD and on a stand-alone PC) has an ACL; the part that controls access is the DACL
  • ACE - access control entry
  • ACL is a list of ACEs. Each ACE has an allow or deny action, a set of rights and an associated SID (security identifier).
  • The process of checking user access works like this:
    • The SIDs in the user's access token (the user's own SID plus the SID of every group the user belongs to) are compared against the ACEs on the resource's ACL, in order
    • An ACE whose SID is not in the token is skipped
    • A matching Allow ACE grants the rights it lists; a matching Deny ACE for a right still being requested stops the check and access is denied
    • Access is granted only once every requested right has been collected from Allow ACEs; if no entry covers some requested right, access is denied
    • Windows stores ACEs in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and resolves each SID to a name when it displays the ACL
    • Within the same level, Deny takes precedence over Allow, whether the Deny comes from the user's own entry or from a group entry. This applies to Administrators as well, but the owner of an object can always read and change its permissions, and an administrator can always take ownership.
[9.4] General NTFS permissions for files
  • Read
    • List files attributes
    • Read data in the file
    • Read permissions
  • Write
    • Change file attributes
    • Create new files and write data to files
    • Append data to files
  • Read and execute = 'Read' + execute file permission
  • Modify = 'Read and Execute' + 'Write' + delete permission
  • Full control = all of above permissions + 'Change Permissions' permission + 'Take Ownership' permission
[9.5] General NTFS permissions for folders
  • Read
    • List folder attributes
    • List folder
    • Read permissions
  • Write
    • Change folder attributes
    • Create folders
  • Read and execute
  • Modify = 'Read and Execute' + 'Write' + delete permission
  • List folder contents (only permission for a folder)
    • Traverse folders
    • List the contents of a folder
    • See folder's or file attribute
  • Full control = all of above permissions + 'Change Permissions' permission + 'Take Ownership' permission
[9.6] Share permissions
  • Only applicable for folders, no share permissions for files
  • Read = read file data, file names and subfolder names + execute programs (the default assigned to the Everyone group)
  • Change = Read + write data, create files and subfolders, and delete files and subfolders
  • Full control = Change + the right to change the share permissions
  • Share permissions do not apply to users that are logged into the OS interactively (i.e. locally)
  • NTFS permissions always apply, even through a share, i.e. a user needs both a share Read permission and an NTFS Read permission to read a file over the network
  • Use NTFS permissions to tighten security
  • To add a share from the command prompt: net share sharename=drive:path
  • To delete a share from the command prompt: net share sharename /delete
  • To connect to a share from the command prompt use: net use [drive:] \\computer_name\share_name
  • When a share name ends in $ it is hidden and cannot be browsed to, full name needs to be typed in
  • Share permissions are not included in a backup or restore of a data volume
  • Share permissions do not replicate through the File Replication service
  • When both NTFS and share permissions are applied to a resource the system looks at the effective permissions for NTFS and share permissions and applies to the object the most restrictive set of cumulative permissions
  • By default, simple file sharing is enabled in Windows XP if the computer is not joined to a domain. The Security tab and the advanced permission options are therefore not available. Windows XP Home Edition always uses simple file sharing.
  • You can not disable simple file sharing in Microsoft Windows XP Home Edition, in Windows XP Pro you use folder options to disable simple file sharing
[9.7] Explicit permissions and inherited permissions for files and folders
  • There are two types of permissions: explicit permissions and inherited permissions.
  • Explicit permissions are those set directly on the object, whether by default when the object is created or by user action.
  • Inherited permissions are those propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and keep permissions consistent among all objects within a given container.
  • Explicit permissions take precedence over inherited permissions, even inherited Deny permissions. This is a separate rule from the Deny-over-Allow rule within user and group entries.
[9.8] Inherited permissions (file and folders)
  • All files and folders inherit their permissions from the parent folder by default
  • There are three ways to make changes to inherited permissions:
    • Make the changes to the parent folder, and then the file or folder will inherit these permissions. Remember this is not related to user and group security!
    • Select the opposite permission (Allow or Deny) to override the inherited permission.
    • Clear the 'Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here' check box. You can then make changes to the permissions or remove the user or group from the permissions list. However, the file or folder will no longer inherit permissions from the parent folder. You will be presented with a confirmation dialog that offers these options:
      • You can 'copy' permission entries making all entries explicit (convert inherited entries into explicit)
      • Or you can remove all inherited permissions and keep only the current explicit permissions
  • You cannot change parent permissions inside a child object - they show as grayed out if inheritance is on.
  • If the object is inheriting conflicting settings from different parents then the setting inherited from the parent closest to the object in the subtree will have precedence.
  • Only inheritable permissions are inherited by child objects. When setting permissions on the parent object, you can decide whether folders or subfolders can inherit them with Apply onto.
[9.9] Special shares
  • drive letter$ - shared resource that enables administrators to connect to the root directory of a drive
  • ADMIN$ - resource that is used during remote administration of a computer. The path of this resource is always the path to the system root (ex. c:\windows)
  • IPC$ - resource that shares the named pipes that are essential for communication between programs. You use IPC$ during remote administration of a computer and when you view a computer's shared resources. You cannot delete this resource.
  • NETLOGON - required resource that is used on domain controllers
  • SYSVOL - required resource that is used on domain controllers
  • PRINT$ - resource that is used during remote administration of printers
  • FAX$ - shared folder on a server that is used by fax clients in the process of sending a fax
  • You cannot browse to $ shares (cannot see them in Explorer)
[9.10] Moving and copying of files
  • Moving a file on the same volume means that the file location is moved in MFT only, not the physical file itself.
  • When you copy a file, whether on the same volume or not, the destination file inherits the destination folder's permissions (the file's explicit permissions are not copied)
  • When you move a file on the same volume it keeps all of its original permissions, explicit and inherited. Call the file F, the new folder A and the original folder B. After F is moved from B to A, the next time permissions change on A they propagate to F (unless inheritance is blocked on F) and the entries previously inherited from B are removed. F keeps all of its explicit permissions, which differs from a copy, where explicit permissions are dropped.
  • When you move a file to another volume, the move is treated as a copy operation. The file permissions are inherited from the destination folder in the same way regular copy operation permission are inherited.
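The following is an added example, not code from the guide or from Windows, that models the rules in 9.3 (DACL evaluation), 9.6 (share and NTFS permissions combined over the network), 9.7 and 9.8 (explicit ACEs beating inherited ones through canonical ordering) and 9.10 (what copy and move do to a file's ACEs). The SIDs and the rights mask are constructed; Windows packs more rights into its 32-bit mask, but the evaluation order and the intersection with share permissions are the rules stated above.

```python
# Added example, not from the guide: a model of how Windows evaluates a DACL,
# combines it with share permissions, and rewrites ACEs on copy and move.
from dataclasses import dataclass

READ, WRITE, EXECUTE, DELETE, READ_PERMS, CHANGE_PERMS, TAKE_OWNER = (1 << i for i in range(7))
READ_EXEC = READ | EXECUTE
MODIFY = READ_EXEC | WRITE | DELETE
FULL = MODIFY | READ_PERMS | CHANGE_PERMS | TAKE_OWNER

# the three share permission levels, as masks applied on top of the NTFS result
SHARE = {"Read": READ_EXEC, "Change": READ_EXEC | WRITE | DELETE, "Full": FULL}


@dataclass(frozen=True)
class ACE:
    sid: str                 # e.g. "S-1-5-21-1-1-1-1104" (constructed)
    allow: bool              # False = access-denied ACE
    mask: int                # rights this ACE allows or denies
    inherited: bool = False  # True when propagated from a parent folder


def canonical(dacl):
    """Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited
    Allow.  sorted() is stable, so inherited ACEs keep nearest-parent-first order."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(dacl, token_sids, requested, owner_sid=None):
    """True when every right in `requested` is granted to a token holding
    `token_sids` (the user's SID plus all group SIDs).  dacl=None means the
    object has no DACL at all (everyone gets everything); [] grants nothing."""
    if dacl is None:
        return True
    remaining = requested
    if owner_sid in token_sids:             # the owner may always read and change the DACL
        remaining &= ~(READ_PERMS | CHANGE_PERMS)
    for ace in canonical(dacl):
        if remaining == 0:
            break
        if ace.sid not in token_sids:       # not the user and not one of the user's groups
            continue
        if ace.allow:
            remaining &= ~ace.mask          # collect granted rights
        elif ace.mask & remaining:          # Deny for a right still being sought: stop here
            return False
    return remaining == 0


def network_access(dacl, token_sids, requested, share_level, interactive=False):
    """Effective access through a share: the NTFS check must pass, and over the
    network the share level is applied on top (most restrictive wins).  A local,
    interactive user is not subject to share permissions at all."""
    if not access_check(dacl, token_sids, requested):
        return False
    if interactive:
        return True
    return (requested & ~SHARE[share_level]) == 0


def acl_after_copy(dest_inheritable):
    """A copy is a new object: it receives only the destination folder's
    inheritable ACEs, and none of the source file's explicit ones."""
    return [ACE(a.sid, a.allow, a.mask, inherited=True) for a in dest_inheritable]


def acl_after_move_same_volume(file_dacl, dest_inheritable):
    """A move within one volume only rewrites the MFT entry, so explicit ACEs
    survive; once inheritance next propagates, the old folder's inherited ACEs
    are replaced by the new folder's (the state modelled here)."""
    explicit = [a for a in file_dacl if not a.inherited]
    return explicit + acl_after_copy(dest_inheritable)
```

The cases worth trying by hand: an explicit Allow for the user next to an inherited Deny for one of the user's groups (granted, because of canonical order), a Deny for the user at the same level as a group Allow (denied), a user whose NTFS rights are Full Control but whose share level is Read (no writes over the network, writes allowed at the console), and an object whose DACL denies everyone everything but whose owner still changes the permissions.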
[9.11] Other points
  • Groups or users granted Full Control on a folder can delete any files in that folder regardless of the permissions protecting the file
  • Every general permission has 'Synchronize' permission
  • Read attributes permission includes 'Read Extended Attributes' permission
  • Everyone group is no longer granted full control by default to shares, only read access (as of service pack 1, original had full access)
  • The Anonymous Logon security group has been removed from the Everyone security group
  • Windows XP and Windows 2000 clients need the Previous Versions client (twcli32.msi) installed to use the shadow copies of shared folders provided by the Volume Shadow Copy Service (VSS) on a Windows Server 2003 computer

Part 10: Managing network connections

[10.1] Installing a network adapter
  • Make sure you install the latest driver
  • If you have a combo network card (that has two network connectors) make sure you configure speed and cable type
  • 70 to 80 percent of network problems are due to faulty cabling
[10.2] Configuring TCP/IP
  • TCP/IP (Transmission Control Protocol/Internet Protocol) was developed in the 1970s
    • Installed by default on Windows XP, most common protocol supported by almost all OSs
    • TCP/IP is scalable, it is a routed protocol
    • TCP/IP is fault tolerant: routers will dynamically reroute packets if a link is down and an alternate path exists
    • Companion services such as DNS and DHCP exist
    • This is the most popular protocol and is the basis of the internet
  • IP address uniquely identifies computers on the network, it has 32 bits in it
  • The loopback IP address is 127.0.0.1, this is your localhost address. The first address in your network is for the network itself, the last address is for the network broadcast.
  • IP class assignments
    • Class A 1-126.x.x.x, hosts supported 16777214, with mask 255.0.0.0
    • Class B 128-191.x.x.x, hosts supported 65534, with mask 255.255.0.0
    • Class C 192-223.x.x.x, hosts supported 254, with mask 255.255.255.0
  • Subnet mask is used to specify which part of the IP address is the network address and which part of the address is the host part
  • Default gateway is the router to which packets not destined for your own network are sent. Metrics are used to select the best path when more than one gateway is available.
  • Router is a device that connects two or more network segments together
  • Ipconfig is used to show PCs IP configuration
  • Ping is used to send ICMP echo request packets
  • Nbtstat is used to display NetBIOS over TCP/IP connection statistics, also known as NBT
  • Alternate configuration you can specify what happens when there is no DHCP server on the network
    • Automatic Private IP Addressing (APIPA) - assigns the PC an address from the range 169.254.0.1 to 169.254.255.254 with mask 255.255.0.0 and no default gateway, in use since Windows 98
    • Manual configuration of alternative settings
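The following is an added example, not from the guide, that does the subnet arithmetic behind 10.2 with the standard library's ipaddress module rather than by looking up a class table: network and broadcast addresses, usable host count, whether an address is even assignable to a host, whether it is an APIPA address (which tells you the client never reached a DHCP server), and whether a destination is reachable directly or must go through the default gateway. All addresses are constructed.

```python
# Added example, not from the guide: the subnet arithmetic behind 10.2, done with
# the standard library's ipaddress module.  All addresses below are constructed.
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")        # Automatic Private IP Addressing range
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(ip):
    """Classful range of an IPv4 address, decided by its first octet."""
    first = int(ipaddress.ip_address(ip)) >> 24
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "D/E"                                      # multicast / reserved, not for hosts


def describe(ip, mask=None):
    """Network, broadcast and usable host count for ip/mask (mask defaults to the
    classful one), plus the checks a technician does when an address 'does not work'."""
    cls = address_class(ip)
    mask = mask or DEFAULT_MASK.get(cls, "255.0.0.0")
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    return {
        "class": cls,
        "mask": mask,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),
        # the first and last addresses of a subnet are not assignable to a host
        "valid_host": iface.ip not in (net.network_address, net.broadcast_address),
        # an APIPA address means the client never got a DHCP lease
        "apipa": iface.ip in APIPA,
    }


def needs_gateway(src, dst, mask):
    """True when dst is outside src's subnet, i.e. the packet must go to the default
    gateway (a router) instead of being delivered directly on the segment."""
    own = ipaddress.ip_interface(f"{src}/{mask}").network
    return ipaddress.ip_address(dst) not in own
```

A host that cannot reach a neighbour is usually wearing a mask that puts the neighbour in a different subnet; describe() on both addresses with the configured mask shows the two network addresses side by side.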
[10.3] DHCP
  • DHCP server is used for automatic IP assignment to hosts, here is the whole process:
    • The client seeking an IP address broadcasts a DHCPDISCOVER message on the network
    • Any DHCP server that receives the message and has an available IP address answers with a DHCPOFFER for the address, valid for a period of time called the lease
    • The client selects one of the offers and broadcasts a DHCPREQUEST indicating its selection; the other servers withdraw their offers
    • The selected DHCP server sends a DHCPACK message to the client with further configuration information, such as DNS server addresses
  • DHCP server must be authorized in AD if part of a domain
  • If there is no DHCP server on your network segment you can use DHCP server on another network segment, provided that the other DHCP server is configured to give out addresses to PC on other segments and the router that joins segments acts as a DHCP relay agent
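The following is an added example, not from the guide, that models the four-message lease exchange above with one client and two servers on the same broadcast segment, so both sides of each message are visible: every server that has a free address offers one, the client takes the first offer, the broadcast DHCPREQUEST lets the other server release the address it had reserved, and only the chosen server records the lease and acknowledges. It also shows what an exhausted scope and an expired lease look like, since "no DHCPOFFER" is the point at which a Windows client falls back to APIPA or its alternate configuration. Server names, pools, lease lengths and MAC addresses are constructed.

```python
# Added example, not from the guide: the DHCPDISCOVER / DHCPOFFER / DHCPREQUEST /
# DHCPACK exchange, modelled as messages passed between one client and the
# servers on its broadcast segment.  Names, pools and MACs are constructed.
import ipaddress


class DhcpServer:
    def __init__(self, name, pool_cidr, lease_seconds, dns_servers):
        self.name = name
        self.free = [str(ip) for ip in ipaddress.ip_network(pool_cidr).hosts()]
        self.lease_seconds = lease_seconds
        self.dns_servers = dns_servers
        self.offered = {}    # MAC -> address held while the client decides
        self.leases = {}     # MAC -> (address, lease expiry time)

    def on_discover(self, mac):
        """Answer a broadcast DHCPDISCOVER with an offer, or stay silent if the
        scope is exhausted (the client then never hears anything)."""
        if not self.free:
            return None
        addr = self.free.pop(0)
        self.offered[mac] = addr
        return {"type": "DHCPOFFER", "server": self.name,
                "yiaddr": addr, "lease": self.lease_seconds}

    def on_request(self, mac, chosen_server, addr, now):
        """DHCPREQUEST is broadcast too, so every server that offered sees which
        one was chosen.  The chosen server records the lease and acknowledges;
        the others return their reserved address to the pool."""
        held = self.offered.pop(mac, None)
        if chosen_server != self.name:
            if held is not None:
                self.free.insert(0, held)
            return None
        if held != addr:                               # stale or forged request
            return {"type": "DHCPNAK", "server": self.name}
        self.leases[mac] = (addr, now + self.lease_seconds)
        return {"type": "DHCPACK", "server": self.name, "yiaddr": addr,
                "lease": self.lease_seconds, "dns": self.dns_servers}

    def expire(self, now):
        """Return expired leases to the pool (a client that never renewed)."""
        for mac, (addr, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free.append(addr)


def client_obtain_lease(mac, servers, now=0):
    """Run the client side of the exchange.  Returns the DHCPACK the client
    applies, or None when no server answered, which is when a Windows client
    falls back to APIPA or its alternate configuration."""
    offers = []
    for server in servers:          # DHCPDISCOVER reaches every server on the segment
        offer = server.on_discover(mac)
        if offer:
            offers.append(offer)
    if not offers:
        return None
    chosen = offers[0]              # a Windows client takes the first offer it receives
    ack = None
    for server in servers:          # DHCPREQUEST names the chosen server and address
        reply = server.on_request(mac, chosen["server"], chosen["yiaddr"], now)
        if reply and reply["type"] == "DHCPACK":
            ack = reply
    return ack
```

Because every server on the segment answers a DHCPDISCOVER, an unauthorized server on the same segment wins whenever its offer arrives first; that is the problem the AD authorization requirement in the next bullet exists to limit.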
[10.4] DNS
  • DNS servers are used for name to IP and IP to name (reverse DNS) address resolution
  • HOSTS file is used to resolve nicknames or domain names entries, located in systemroot\System32\Drivers\Etc
  • DNS settings:
    • DNS server addresses, in order of use - which DNS server will be used first to resolve a query
    • Append primary and connection-specific DNS suffixes - specifies how unqualified domain names are resolved by DNS, for example if primary suffix is microsoft.com and you enter blah, DNS will try blah.microsoft.com
    • Append parent suffixes of the primary DNS suffix - whether name resolution also tries the parent suffixes of the primary DNS suffix, down to the second-level domain name; for example, given primary suffix win.ms.com and you enter blah, DNS will first try blah.win.ms.com and then blah.ms.com
    • Append these DNS suffixes - an explicit list of suffixes used to resolve unqualified names, in place of the primary and connection-specific suffixes
    • DNS suffix for this connection - connection-specific suffix for this adapter; if set manually it overrides the suffix supplied by the DHCP server
    • Register this connection's address in DNS - dynamic registration using PC name
    • Use this connection's DNS suffix in DNS registration
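The following is an added example, not from the guide, that produces the ordered list of names a Windows resolver will query for a name typed without a suffix under the settings just listed, including the devolution rule (parent suffixes down to the second-level domain) and the fact that an explicit suffix list replaces the primary-suffix logic. The suffixes and host names are constructed.

```python
# Added example, not from the guide: the list of names a Windows resolver tries
# for an unqualified name under the suffix settings listed above.  The suffixes
# and host names are constructed.


def dns_candidates(name, primary_suffix="", connection_suffix="", search_list=None,
                   devolve=True):
    """Return, in order, the fully qualified names the resolver will query."""
    if name.endswith("."):                    # already fully qualified: tried exactly once
        return [name[:-1]]
    tried = []
    if "." in name:                           # a dotted name is tried as given before any suffix
        tried.append(name)
    if search_list:                           # "Append these DNS suffixes" replaces the rest
        return tried + [f"{name}.{suffix}" for suffix in search_list]
    if primary_suffix:
        tried.append(f"{name}.{primary_suffix}")
        if devolve:                           # "Append parent suffixes of the primary DNS suffix"
            labels = primary_suffix.split(".")
            while len(labels) > 2:            # devolution stops at the second-level domain
                labels.pop(0)
                tried.append(f"{name}.{'.'.join(labels)}")
    if connection_suffix and connection_suffix != primary_suffix:
        tried.append(f"{name}.{connection_suffix}")
    return tried
```

Devolution is why a short name can resolve to a host in a parent domain the user never intended, and why a stray suffix in the search list silently sends queries for every short name to that zone.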
[10.5] WINS
  • NetBIOS (Network Basic Input/Output System) names can be resolved to an IP address in 3 ways
    • WINS servers are used for NetBIOS name to IP address resolution, this server is for backward compatibility with NT4
    • Through broadcast (same network segment)
    • LMHOSTS file is a static mapping of IP addresses to NetBIOS computer names, located in the %systemroot%\System32\Drivers\Etc folder
  • WINS settings:
    • WINS addresses, in order of use
    • Enable LMHOSTS lookup
    • Enable/Disable NetBIOS over TCP/IP
    • Use NetBIOS settings from the DHCP server
  • NetBEUI - NetBIOS Extended User Interface, a non-routable transport
  • AppleTalk - is not supported by Windows XP (was supported before)
[10.6] TCP/IP filtering
  • Through filtering you can specify for your PC:
    • Which TCP ports are permitted
    • Which UDP ports are permitted
    • Which protocols are permitted
  • This applies to all adapters at once and is separate from the Windows Firewall; it filters inbound traffic only
  • It is set up from Network Connections -> connection properties -> TCP/IP properties -> Advanced button -> Options tab -> TCP/IP filtering
[10.7] Configuring NWLink IPX/SPX/NetBIOS
  • NWLink IPX/SPX/NetBIOS is Microsoft implementation of Novell IPX/SPX (Internetwork Packet Exchange/Sequenced Packet Exchange)
  • This is just a transport protocol that is routable, if you want to access Novell servers you need to install client software
  • Internal network number - used to identify file servers, normally leave as is
  • Frame type - specifies how the data is packaged for transmission
[10.8] Network access authentication
  • Network access control using IEEE 802.1X - you choose a method, password/certificate/smart card
  • Authenticate as computer when computer information is available
  • Authenticate as guest when user or computer information is unavailable
  • Part of connection properties
[10.9] Advanced options
  • Bindings are used to attach protocols to a network adapter. You can improve performance by binding common protocols higher in binding order

Part 11: Managing printing

[11.1] Printing related definitions
  • Printer - in Microsoft's terminology, the software object on your PC (the queue and its driver), not the hardware
  • Print device - this is the actual hardware printer
  • Print server - the computer to which a print device is attached, which can be any Windows PC. It is the computer that sends print jobs to the print device; jobs for a network-attached print device are sent to the print server as well.
  • Print spooler - also referred to as the print queue, a directory on the print server where jobs are stored before being printed
  • Print processor - the component (its work is also called rendering) that determines whether a print job needs further processing once it has been sent to the spooler
  • Printer pool - configuration that allows to use one printer for multiple print devices
  • Print driver - piece of software that understands your print device codes
  • Physical port - port through which a printer is directly connected to the computer, COM or LPT
  • Logical port - port through which a printer with a network card is attached to network, much faster than a physical port
  • Local printer - printer that uses a physical port and has not been shared
  • Network printer - printer that is available to local and network users, can use either physical or logical port
[11.2] Printer and print device configurations
  • 1 printer per 1 print device
  • 1 printer for many print devices (print pooling)
  • Many printers for 1 print device - used usually for print scheduling
[11.3] Windows print process
  • When user chooses to print the document, request is sent to Graphics Device Interface (GDI) which calls print driver
  • Print job is sent to a local print spooler which sends the job to the print server
  • The print spooler on the print server saves the job to disk
  • The print processor analyzes the print job to determine whether extra processing is needed; the separator page processor is called if needed
  • Job is passed to the print manager which directs job to the right port at the right time
  • Print device prints the job
[11.4] Printer information
  • You can use UNIX (LPR) protocol, for this you will need to add LPR port. LPR is included in "print services" for UNIX, which is installed as a separate component of Windows XP
  • You can also have print services for Macintosh and for Netware
  • Whenever you hear anything that deals with: LPR, LPD, LPQ think UNIX
  • You can set printer priority (1-99) as well as printer availability (which means when the printer will be available timewise) to different user groups as well as access to the print device itself to different user groups and individual users.
  • For example, to give two groups different print priorities you create two printers pointing at the same print device, restrict each printer to one group and set a different priority on each
  • If you want to know printer utilization, track the Print Queue object in System Monitor
  • %systemroot%\system32\spool\printers\ is the default location of the spool folder. You should move it to another volume if your server serves many printers.
  • A port is defined as the interface that allows the PC to communicate with the print device
  • Print.exe - sends a text file to a printer
  • Net Print - displays information about a specified printer queue, displays information about a specified print job, or controls a specified print job
  • Bidirectional support - option on ports tab that allows printer to communicate with the computer, for example print errors
[11.5] Spooling
  • Spooling is the process of saving the jobs to disk in a queue before they are sent to the print device
  • You have the option of:
    • Start printing after the last page is spooled - small jobs that enter the queue after large jobs may print before the large jobs finish spooling
    • Start printing immediately - strict order of entry into the queue determines what prints first
    • Print directly to the printer - good for troubleshooting the print device
  • You can change the location of the print spooler folder
[11.6] Print processor
  • There are 5 print processors in Windows XP
    • RAW - makes no change to the job
    • RAW (FF appended) - always adds form feed character
    • RAW (FF auto) - tries to determine whether a form feed character needs to be added
    • NT EMF - for use with other Windows XP clients; exists in multiple versions
    • TEXT - interprets all data as plain text
[11.7] Printer Pooling
  • One printer, multiple print devices
  • Think of it as load balancing for printers, used in larger enterprises
  • You need to use the same driver for all print devices that are members of the pool. Many newer print devices will work with an older driver, so use the newest driver that the oldest print device in the pool supports.
  • It is enabled with a check box found at the bottom of the ports tab
  • When one print device fails the print job gets redirected to another print device in the pool
[11.8] Redirecting print jobs
  • You can redirect print jobs provided both printers use the same driver
  • When a user has queued a document on a print device that failed BEFORE it started printing, you can redirect the printing to another printer
  • To redirect print jobs, select the print device you want the jobs redirected from
  • If the new printer is on this print server, just select the new port to which the new printer is attached; otherwise:
  • Click on 'ports' tab
  • Click on 'add port', select local printer and click on 'new port'
  • Type in UNC share name of the printer you want the job redirected to, in format \\other_print_server\share_name
  • Check the check box next to the port you just created
[11.9] Separator pages
  • Separator pages are used in multi-user environments; sample files are found in the %systemroot%\system32\ folder with a .sep extension
  • Pcl.sep - used to send a separator page on printers supporting PCL (Printer Control Language), which is a common standard
  • Pscript.sep - doesn't send a separator page but switches the computer to PostScript printing mode
  • Sysprint.sep - used by PostScript printers to send separator pages
  • Sysprintj.sep - same as sysprint.sep but with support for Japanese characters
[11.10] Managing printers
  • To manage a printer, right click it; you have the following options:
    • Set as Default Printer - jobs will by default be sent to this printer
    • Printing preferences - settings like page layout
    • Pause printer - jobs can still be submitted, but will not print
    • Use printer offline - pauses the printer and saves the print queue so documents in it are available even after PC reboot
    • Other options: Rename, Sharing, Delete
  • You can also manage documents with the following options: Pause, Restart, Resume, Cancel, Properties
[11.11] Sharing
  • When you share a printer it becomes a Network printer
  • If you don't share your printer it is a Local printer
  • You cannot share a Fax printer
  • You can specify print drivers for following systems:
    • Alpha Windows NT 4.0
    • IA64 Windows XP
    • Intel Windows 95/98/Me/NT 4.0/2000/XP
[11.12] Security
  • There are three print related permissions:
    • Print - users can send print jobs to a printer
    • Manage Printers - administration of the printer: pause and restart the printer, change spool settings, share/unshare the printer, change print permissions
    • Manage documents - pause/restart/resume and delete queued documents, no control over the printer itself
    • Special permissions - used to customize the print options with allow or deny access with: Print, Manage Printers, Manage Documents, Read Permissions, Change Permissions and Take Ownership
  • Administrators and Power users can do all tasks
  • Creator Owner group can Manage Documents only
  • Everyone group can Print only
  • Advanced security settings:
    • Permissions - list all users, computers and groups that have been given permissions to the printer
    • Auditing - tracks who is using the printer and what type of access is being used
    • Owner - owner of the printer
    • Effective permissions

Part 12: Dial-up networking and Internet

[12.1] Configuring a modem
  • General: speaker volume, maximum port speed, wait for dial tone before dialing check box
  • Selection of country and extra initialization string
  • Advanced port settings allow you to set the buffer size
  • Hardware settings like Data bits, Parity, Stop bits and Modulation
  • Data connection settings like Port speed, data protocol, compression and flow control
  • You can run diagnostics of your modem
[12.2] Connecting to a Remote access server (RAS)
  • You can connect to a RAS server using a modem, ISDN or a null modem cable
  • Both client and server must use the same connectivity settings
  • RAS security settings
    • Allow unsecured passwords
    • Require secured password
    • Use smart card (you will need EAP)
  • Logon security protocols
    • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) - still supports NTLM (but not by default). The same encryption key is used for all connections; both authentication and connection data are encrypted
    • MS-CHAP v2 - no NTLM and stronger encryption (for example, the encrypted password strings that are passed are salted). The two MS-CHAP versions are the only protocols that can change passwords during the authentication process. A new key is used for each connection and each direction.
    • CHAP - requires enabling storage of reversibly encrypted user passwords; authentication data is protected through MD5 hashing. No encryption of connection data.
    • PAP (Password Authentication Protocol) - passwords are sent unencrypted, as is connection data
    • SPAP (Shiva Password Authentication Protocol) - less secure than CHAP or MS-CHAP, no encryption of connection data
    • EAP-TLS (Extensible Authentication Protocol - Transport Level Security) - certificate-based authentication (EAP) used with smart cards; both authentication and connection data are encrypted; not supported on stand-alone servers, only in domains.
    • EAP-MD5 CHAP (Extensible Authentication Protocol - Message Digest 5 Challenge Handshake Authentication Protocol) - a version of CHAP that was ported to the EAP framework. Encrypts only authentication data, not connection data, the same as CHAP.
    • Unauthenticated access - connections without credentials, good for testing
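The CHAP mechanics behind the notes above, as an added Python example (not from the guide): per RFC 1994 the client answers a challenge with MD5(identifier || password || challenge), so the RAS server can only check the response if it can recover the plaintext password, which is why CHAP needs passwords stored with reversible encryption, and a fresh random challenge each time makes a captured response useless later. The account "alice" and its password are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed account store for the example. A CHAP verifier must recover the
# user's plaintext password, which is why the guide says CHAP needs passwords
# stored with reversible encryption (a store of one-way hashes cannot do this).
ACCOUNTS = {"alice": "Sup3rSecretPa55"}  # constructed sample credential


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode("utf-8") + challenge).digest()


def issue_challenge(identifier: int) -> tuple[int, bytes]:
    """Server side: a fresh, unpredictable challenge. Reusing a challenge would let
    a captured response be replayed, which the challenge exists to prevent."""
    return identifier & 0xFF, os.urandom(16)


def verify_response(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response from the stored plaintext password."""
    secret = ACCOUNTS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(username: str, client_secret: str, identifier: int = 1) -> bool:
    """Run one client/server CHAP exchange and return whether the server accepts it."""
    ident, challenge = issue_challenge(identifier)
    response = chap_response(ident, client_secret, challenge)  # the password itself never crosses the link
    return verify_response(username, ident, challenge, response)


def replay_captured_response(username: str, client_secret: str) -> bool:
    """Model an eavesdropper who records a valid response from one session and
    replays it against the server's next challenge; returns the server's verdict."""
    ident, challenge = issue_challenge(7)
    captured = chap_response(ident, client_secret, challenge)  # valid for this challenge only
    ident2, challenge2 = issue_challenge(8)                    # server issues a new challenge
    return verify_response(username, ident2, challenge2, captured)


if __name__ == "__main__":
    print("correct password accepted:  ", chap_exchange("alice", "Sup3rSecretPa55"))
    print("wrong password accepted:    ", chap_exchange("alice", "wrong"))
    print("replayed response accepted: ", replay_captured_response("alice", "Sup3rSecretPa55"))
```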
[12.3] Using Virtual Private Networking (VPN)
  • Data sent over the network is encrypted. For a VPN you just need access to a network, while for RAS you need to dial in
  • VPN supports
    • Single inbound connections
    • Tunneling protocols
    • Callback security
    • Multilink support (chaining of multiple modems)
  • PPTP (Point-to-Point Tunneling Protocol) - built-in encryption for IP or IPX traffic carried inside PPP datagrams; requires IP connectivity between your computer and the server
  • L2TP (Layer Two Tunneling Protocol) - the Windows XP implementation of L2TP is designed to run natively over IP networks only; it does not support native tunneling over X.25, Frame Relay or ATM networks. Uses IPsec and certificates for security.
[12.4] Using Internet Connection Sharing (ICS)
  • Internet Connection Sharing (ICS) allows you to connect a small network to the Internet through a single connection
  • The ICS server is assigned the address 192.168.0.1 and acts as a simple DHCP server