Syngress - MCSA_MCSE Exam 70-290. Managing and

274_70-290_FM.qxd 8/12/03 12:03 PM Page i

Syngress knows what passing the exam means to you and to your career. And we know that you are often financing your own training and certification; therefore, you need a system that is comprehensive, affordable, and effective.

Boasting one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation, the Syngress Study Guide & DVD Training System guarantees 100% coverage of exam objectives.

The Syngress Study Guide & DVD Training System includes:

Study Guide with 100% coverage of exam objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of the exam objectives.

Instructor-led DVD. This DVD provides almost two hours of virtual classroom instruction.

Web-based practice exams. Just visit us at www.syngress.com/certification to access a complete exam simulation.

Thank you for giving us the opportunity to serve your certification needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/certification

MCSA/MCSE

Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment

Deborah Littlejohn Shinder

Dr. Thomas W. Shinder

Laura E. Hunter

Technical Reviewer

Will Schmied

DVD Presenter

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY

Syngress Publishing, Inc.

800 Hingham Street

Rockland, MA 02370

Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System

Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America

1 2 3 4 5 6 7 8 9 0

ISBN: 1-932266-60-7

Technical Editors: Deborah Littlejohn Shinder and Thomas W. Shinder M.D.

Cover Designer: Patricia Lupien

Page Layout and Art by: Patricia Lupien

Technical Reviewer: Laura Hunter

Acquisitions Editor: Jonathan Babcock

DVD Production: Michael Donovan

Copy Editors: Beth Roberts, Michelle Melani

Indexer: Rich Carlson

DVD Presenter: Will Schmied

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Karen Cross, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing their incredible marketing experience and expertise.

Duncan Enright, AnnHelen Lindeholm, David Burton, Febea Marinetti, and Rosie Moss of Elsevier Science for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

A special thanks to Deb and Tom Shinder for going the extra mile on our core four MCSE 2003 guides. Thank you both for all your work.

And to Will Schmied, thank you for being a trooper on the DVD part of this project!

Technical Editors

Debra Littlejohn Shinder

(MCSE) is a technology consultant, trainer, and writer who has authored a number of books on networking, including Scene of the Cybercrime: Computer Forensics Handbook, published by Syngress Publishing (ISBN: 1-931836-65-5), and Computer Networking Essentials, published by Cisco Press. She is co-author, with her husband, Dr. Thomas Shinder, of Troubleshooting Windows 2000 TCP/IP (ISBN: 1-928994-11-3), the best-selling Configuring ISA Server 2000 (ISBN: 1-928994-29-6), and ISA Server and Beyond (ISBN: 1-931836-66-3). Deb is also a technical editor and contributor to books on subjects such as the Windows 2000 MCSE exams, the CompTIA Security+ exam, and TruSecure’s ICSA certification. She edits the Brainbuzz A+ Hardware News and Sunbelt Software’s WinXP News and is regularly published in TechRepublic’s TechProGuild and Windowsecurity.com. Deb currently specializes in security issues and Microsoft products. She lives and works in the Dallas-Fort Worth area and can be contacted at [email protected] or via the website at www.shinder.net.

Thomas W. Shinder M.D.

(MVP, MCSE) is a computing industry veteran who has worked as a trainer, writer, and a consultant for Fortune 500 companies including FINA Oil, Lucent Technologies, and Sealand Container Corporation. Tom was a Series Editor of the Syngress/Osborne Series of Windows 2000 Certification Study Guides and is author of the best-selling books Configuring ISA Server 2000: Building Firewalls with Windows 2000 (Syngress Publishing, ISBN: 1-928994-29-6) and Dr. Tom Shinder’s ISA Server and Beyond (ISBN: 1-931836-66-3). Tom is the editor of the Brainbuzz.com Win2k News newsletter and is a regular contributor to TechProGuild. He is also content editor, contributor, and moderator for the world's leading site on ISA Server 2000, www.isaserver.org. Microsoft recognized Tom's leadership in the ISA Server community and awarded him their Most Valued Professional (MVP) award in December of 2001.

Technical Reviewer

Laura E. Hunter

(CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, CNE-4, CNE-5) is a Senior IT Specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the University. Her specialties include Microsoft Windows NT and 2000 design and implementation, troubleshooting and security topics. As an “MCSE Early Achiever” on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura’s previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of websites.

Laura has previously contributed to Syngress Publishing’s Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003 MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author, and technical reviewer.

Laura holds a bachelor's degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures.

Contributors

Chad Todd

(MCSE: Security, MCSE, MCSA: Security, MCSA, MCP+I, MCT, CNE, A+, Network+, i-Net+), author of Hack Proofing Windows 2000 Server (Syngress, ISBN: 1-931836-49-3), co-owns a training and integration company (Training Concepts, LLC) in Columbia, SC. Chad first certified on Windows NT 4.0 and has been training on Windows operating systems ever since. His specialties include Exchange messaging and Windows security. Chad was awarded MCSE 2000 Charter Member for being one of the first two thousand Windows 2000 MCSEs and MCSA 2002 Charter Member for being one of the first five thousand MCSAs. Chad is a regular contributing author for Microsoft Certified Professional Magazine. Chad has worked for companies such as Fleet Mortgage Group, Ikon Office Solutions, and Netbank.

Chad would like to first thank his wife Sarah. Without her love and support all of the late nights required to write this book would not be possible. He would also like to thank Kirk Vigil and Jim Jones for their support and encouragement. Lastly, Chad would like to thank Olean Rabon and Theresa Johnson for being his greatest fans.

Jeffery A. Martin

(MCSE, MCDBA, MCT, MCP+I, MCP, MCNE, CNE, CNA, CNI, CCNA, CCNP, CCI, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been working with computers and computer networks for over 15 years. Jeffery spends most of his time managing several companies that he owns and consulting for large multinational media companies. He also enjoys working as a technical instructor and training others in the use of technology.

Feridun Kadir

(MCP, MCP+I, MCSE, MCT) is a freelance IT consultant and trainer who has worked in the field of IT since 1988. He remembers selling a TRS-80 home PC with 4 kilobytes of RAM (yes, kilobytes!) in the early 1980s for over $1,000. His early IT experience was with UNIX systems and local area networks. In more recent years he has worked with Microsoft products. Having discovered that he liked giving presentations, he became an MCT and regularly teaches Microsoft technical courses including Windows NT 4.0, Windows 2000, Windows XP, TCP/IP, SQL Server Administration, and Small Business Server. Feridun also provides IT consulting services to all types of businesses. Feridun lives with his wife, Liz, and son, Jake, in Stansted, Essex in England.

Colin Bowern

(MCSE, MCAD, MCSD, MCDBA, CCNA, CCDA, Network+) is a Senior Consultant at Microsoft Services in Toronto, Canada. Through his work with enterprise customers and partners, Colin helps information technology professionals and business leaders understand how to leverage and make better decisions about how to use technology in their business to gain competitive advantages. Clients span several industry verticals including financial services, public utilities, and government. In addition to consulting, Colin is also an active presenter, speaking regularly in the Microsoft Developer Network's web casts as well as at a variety of public events including the TechNet Tour series in Canada. Colin's involvement with the industry also includes providing technical review for Addison-Wesley's .NET development series and the Windows Server 2003 series from Microsoft Press. In addition he is also working on an M.Sc. degree from the University of Liverpool, England.

Chris Peiris

(MVP) currently lectures on Distributed Component Architectures (.NET, J2EE & CORBA) at Monash University, Caulfield, Victoria, Australia. He also works as an independent consultant for .NET and EAI implementations. He has been awarded the title “Microsoft Most Valuable Professional” (MVP) for his contributions to .NET Technologies. He has been designing and developing Microsoft solutions since 1995. His expertise lies in developing scalable, high-performance solutions for financial institutions and media groups. He has written many articles, reviews and columns for various online publications including 15Seconds, Developer Exchange (www.Devx.com) and Wrox Press (www.wrox.com). He co-authored the book C# Web Service with .NET Remoting and ASP.NET by Wrox Press. It was followed by C# for Java Programmers by Syngress Publishing as a primary author. Chris frequently presents at professional developer conferences on Microsoft technologies.

His core skills are C++, Java, .NET, DNA, MTS, Site Server, Data Warehousing, WAP, and SQL Server. Chris has a Bachelor of Computing, Bachelor of Business (Accounting), and a Masters of Information Technology degree. He is currently undertaking a PhD on “Web Service Management Framework.” He lives with his family in Civic, Canberra ACT. Chris dedicates his contributions to this book to the Tennakoon family. In his own words “to Kusum, Rohan, Fiona & Timothy, Gayathrie & Lachlan, Ranil & Ranita. This is a token of my gratitude for the friendship, inspiration, acceptance, love and tolerance you have shown me over the years. And most of all, thanks for the curry.”

Michael Cross

(MCSE, MCP+I, CNA, Network+) is an Internet Specialist / Computer Forensic Analyst with the Niagara Regional Police Service. He performs computer forensic examinations on computers involved in criminal investigations, and has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining their Web site at www.nrps.com and Intranet, he has also provided support in the areas of programming, hardware, network administration, and other services. As part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users, his theory is that when the users carry guns, you tend to be more motivated in solving their problems.

Michael also owns KnightWare (www.knightware.ca), which provides computer-related services like Web page design; and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and published over three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada with his lovely wife Jennifer and his darling daughter Sara.

Eriq Oliver Neale

is an Information Technology manager for a large manufacturing company headquartered in the southwest. His IT career spans 16 years and just about as many systems. He has contributed to a number of technical publications, including several MCSE exam preparation titles. His article on MIDI, still considered one of the seminal works on the topic, has been reprinted in hundreds of publications in multiple languages. Most recently, he has been focusing on electronic data privacy issues in mixed platform environments. When not working in and writing about Information Technology, Eriq spends time writing and recording music in his home studio for clients of his music publishing company. On clear nights, he can be found gazing at the moon or planets through his telescope, which he also uses for deep-space astrophotography. His PGP public key can be found at http://eriq.neale.com/EriqNeale.asc.

DVD Presenter

Will Schmied

(BSET, MCSE, CWNA, TICSA, MCSA, Security+, Network+, A+) is the president of Area 51 Partners, Inc., a provider of wired and wireless networking implementation, security and training services to businesses in the Hampton Roads, Virginia area. Will holds a Bachelor's degree in Mechanical Engineering Technology from Old Dominion University in addition to various IT industry certifications.

Will has previously authored and contributed to several other publications from Syngress Publishing, including Building DMZs for Enterprise Networks (ISBN: 1-931836-88-4), Implementing and Administering Security in a Microsoft Windows 2000 Network: Exam 70-214 Study Guide and DVD Training System (ISBN: 1-931836-84-1), Security+ Study Guide and DVD Training System (ISBN: 1-931836-72-8), and Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6).

Will currently resides in Newport News, Virginia, with his wife, Chris, and their children, Christopher, Austin, Andrea, and Hannah. You can visit Area 51 Partners at www.area51partners.com.

274_70-290_map.qxd 8/11/03 4:18 PM Page xi

MCSA/MCSE 70-290 Exam Objectives Map and Table of Contents

All of Microsoft’s published objectives for the MCSA/MCSE 70-290 Exam are covered in this book. To help you easily find the sections that directly support particular objectives, we’ve listed all of the exam objectives below, and mapped them to the Chapter number in which they are covered. We’ve also assigned numbers to each objective, which we use in the subsequent Table of Contents and again throughout the book to identify objective coverage. In some chapters, we’ve made the judgment that it is probably easier for the student to cover objectives in a slightly different sequence than the order of the published Microsoft objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of Microsoft’s MCSA/MCSE 70-290 Exam objectives.

Exam Objective Map

Objective Number | Objective | Chapter Number
1 | Managing and Maintaining Physical and Logical Devices. | 2, 3
1.1 | Manage basic disks and dynamic disks. | 2
1.2 | Monitor server hardware. Tools might include Device Manager, the Hardware Troubleshooting Wizard, and appropriate Control Panel items. | 3
1.3 | Optimize server disk performance. | 2
1.3.1 | Implement a RAID solution. | 2
1.3.2 | Defragment volumes and partitions. | 2
1.4 | Install and configure server hardware devices. | 3
1.4.1 | Configure driver signing options. | 3
1.4.2 | Configure resource settings for a device. | 3
1.4.3 | Configure device properties and settings. | 3
2 | Managing Users, Computers, and Groups. | 4, 5
2.1 | Manage local, roaming, and mandatory user profiles. | 4
2.2 | Create and manage computer accounts in an Active Directory environment. | 4
2.3 | Create and manage groups. | 4
2.3.1 | Identify and modify the scope of a group. | 4
2.3.2 | Find domain groups in which a user is a member. | 4
2.3.3 | Manage group membership. | 4
2.3.4 | Create and modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. | 4
2.3.5 | Create and modify groups by using automation. | 4
2.4 | Create and manage user accounts. | 4
2.4.1 | Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in. | 4
2.4.2 | Create and modify user accounts by using automation. | 4
2.4.3 | Import user accounts. | 4
2.5 | Troubleshoot computer accounts. | 4
2.5.1 | Diagnose and resolve issues related to computer accounts by using the Active Directory Users and Computers MMC snap-in. | 4
2.5.2 | Reset computer accounts. | 4
2.6 | Troubleshoot user accounts. | 4
2.6.1 | Diagnose and resolve account lockouts. | 4
2.6.2 | Diagnose and resolve issues related to user account properties. | 4
2.7 | Troubleshoot user authentication issues. | 5
3 | Managing and Maintaining Access to Resources. | 5, 6
3.1 | Configure access to shared folders. | 5
3.1.2 | Manage shared folder permissions. | 5
3.2 | Troubleshoot Terminal Services. | 6
3.2.1 | Diagnose and resolve issues related to Terminal Services security. | 6
3.2.2 | Diagnose and resolve issues related to client access to Terminal Services. | 6
3.3 | Configure file system permissions. | 5
3.3.1 | Verify effective permissions when granting permissions. | 5
3.3.2 | Change ownership of files and shared folders. | 5
3.4 | Troubleshoot access to files and shared folders. | 5
4 | Managing and Maintaining a Server Environment. | 1, 3, 7, 8, 9
4.1 | Monitor and analyze events. Tools might include Event Viewer and System Monitor. | 9
4.2 | Manage software update infrastructure. | 1
4.3 | Manage software site licensing. | 1
4.4 | Manage servers remotely. | 7
4.4.1 | Manage a server by using Remote Assistance. | 6
4.4.2 | Manage a server by using Terminal Services remote administration mode. | 6
4.4.3 | Manage a server by using available support tools. | 7
4.5 | Troubleshoot print queues. | 7
4.6 | Monitor system performance. | 9
4.7 | Monitor file and print servers. Tools might include Task Manager, Event Viewer, and System Monitor. | 9
4.7.1 | Monitor disk quotas. | 1
4.7.2 | Monitor print queues. | 7
4.7.3 | Monitor server hardware for bottlenecks. | 3
4.8 | Monitor and optimize a server environment for application performance. | 9
4.8.1 | Monitor memory performance objects. | 9
4.8.2 | Monitor network performance objects. | 9
4.8.3 | Monitor process performance objects. | 9
4.8.4 | Monitor disk performance objects. | 9
4.9 | Manage a Web server. | 8
4.9.1 | Manage Internet Information Services (IIS). | 8
4.9.2 | Manage security for IIS. | 8
5 | Managing and Implementing Disaster Recovery. | 10
5.1 | Perform system recovery for a server. | 10
5.1.1 | Implement Automated System Recovery (ASR). | 10
5.1.2 | Restore data from shadow copy volumes. | 10
5.1.3 | Back up files and System State data to media. | 10
5.1.4 | Configure security for backup operations. | 10
5.2 | Manage backup procedures. | 10
5.2.1 | Verify the successful completion of backup jobs. | 10
5.2.2 | Manage backup storage media. | 10
5.3 | Recover from server hardware failure. | 10
5.4 | Restore backup data. | 10
5.5 | Schedule backup jobs. | 10

274_70-290_TOC.qxd 8/11/03 4:20 PM Page xv

Contents

Foreword xxxv

Chapter 1 Overview of Windows Server 2003 1

Introduction …………………………………………………………2

History of the Windows Operating System Family …………………2

Out of MS-DOS: Where It All Began ……………………………3

Windows as a Graphical Shell …………………………………4

OS/2: an IBM/Microsoft Joint Venture ………………………8

After the “Divorce”: A New Technology Emerges ……………8

Windows 9x versus Windows NT-Based Operating Systems ……9

The NT OS Family Tree ………………………………………10

Windows NT 3.x ………………………………………………10

Windows NT 3.1 ……………………………………………11

Windows NT 3.5 ……………………………………………11

Windows NT 3.51 ……………………………………………11

Windows NT 4.0 ………………………………………………11

Windows NT 4.0 Server ……………………………………12

Windows NT Server 4.0 Enterprise Edition …………………12

Windows NT Server 4.0 Terminal Server Edition …………12

Windows 2000 …………………………………………………12

Windows XP/Windows Server 2003 ……………………………12

Windows XP Home Edition …………………………………14

Windows XP Professional ……………………………………14

Windows XP Professional 64-Bit Edition ……………………15

Windows XP Media Center Edition …………………………15

Windows XP Tablet PC Edition ……………………………16

Windows Server Operating System Basics …………………………16

Client-Server Networking ………………………………………17

Centralized Authentication …………………………………17

Centralized Administration …………………………………17

Client-Server versus Peer-to-Peer Networking ………………17

The Domain Concept ……………………………………………18

NT Domains …………………………………………………19

Windows 2000/Server 2003 Domains ………………………19

Directory Services ………………………………………………20

What Are Directory Services? ………………………………20

History of Directory Services ………………………………21

Directory Services Standards …………………………………21

NT Directory Services ………………………………………22

Active Directory ……………………………………………22

What’s New in Windows Server 2003? ……………………………23

Why a New Server Operating System? …………………………23

New Features ……………………………………………………23

New Active Directory Features ………………………………24

Improved File and Print Services ……………………………28

Revised IIS Architecture ……………………………………30

Enhanced Clustering Technology ……………………………31

New Networking and Communications Features ……………33

Improved Security ……………………………………………35

Better Storage Management …………………………………38

Improved Terminal Services …………………………………39

New Media Services …………………………………………41

XML Web Services …………………………………………42

The Windows Server 2003 Family …………………………………44

Why Four Different Editions? ……………………………………44

Members of the Family …………………………………………44

Web Edition …………………………………………………45

Standard Edition ……………………………………………45

Enterprise Edition ……………………………………………45

Datacenter Edition ……………………………………………46

4.3 Manage Software Site Licensing ……………………………………47

Product Activation ………………………………………………48

4.2 Manage Software Update Infrastructure ……………………………50

Common Installation Issues ……………………………………51

Common Upgrade Issues ………………………………………52

Summary of Exam Objectives ………………………………………54

Exam Objectives Fast Track …………………………………………55

Exam Objectives Frequently Asked Questions ………………………58

Self Test ………………………………………………………………60

Self Test Quick Answer Key …………………………………………65

1, 1.1 Chapter 2 Managing Physical and Logical Disks ………………67

Introduction …………………………………………………………68

Understanding Disk Terminology and Concepts ……………………68

Microsoft Disk Terminology ……………………………………71

Physical vs Logical Disks ……………………………………71

Basic vs Dynamic Disks ………………………………………71

Partitions vs Volumes …………………………………………74

Partition Types and Logical Drives ……………………………75

Volume Types …………………………………………………78

Using Disk Management Tools ………………………………………84

Using the Disk Management MMC ……………………………85

Using the Command-Line Utilities ……………………………86

Using diskpart.exe ……………………………………………87

Using fsutil.exe ………………………………………………90

Using rss.exe …………………………………………………91

Understanding and Managing Physical and Logical Disks …………91

Manage Basic Disks ………………………………………………92

When to Use Basic Disks ……………………………………92

Creating Partitions and Logical Drives ………………………92

How to Assign a New Drive Letter …………………………100

How to Format a Basic Volume ……………………………102

How to Extend a Basic Volume ……………………………106

Managing Dynamic Disks ………………………………………108

Converting to Dynamic Disk Status ………………………108

Creating and Using Dynamic Volumes ……………………110

1.3 Optimize Server Disk Performance ………………………………128

1.3.2 Defragmenting Volumes and Partitions …………………………128

Understanding Disk Fragmentation …………………………128

Using the Graphical Defragmenter …………………………131

Using defrag.exe ……………………………………………137

Defragmentation Best Practices ……………………………138

4.7.1, 1.3.1 Configuring and Monitoring Disk Quotas ……………………139

Overview of Disk Quotas …………………………………139

Enabling and Configuring Disk Quotas ……………………140

Monitoring Disk Quotas ……………………………………145

Exporting and Importing Quota Settings …………………147

Disk Quota Best Practices …………………………………150

Using fsutil.exe to Manage Disk Quotas ……………………151

Implementing RAID Solutions ………………………………152

Understanding Windows Server 2003 RAID ………………152

Hardware RAID ……………………………………………153

RAID Best Practices ………………………………………154

Understanding and Using Remote Storage ………………………155

Understanding Remote Storage Concepts ……………………155

What is Remote Storage? …………………………………156

Storage Levels ………………………………………………156

Relationship of Remote Storage and Removable Storage …157

Setting Up Remote Storage ……………………………………159

Using Remote Storage ……………………………………166

Remote Storage Best Practices ……………………………170

Troubleshooting Disks and Volumes ………………………………170

Troubleshooting Basic Disks ……………………………………171

New Disks Are Not Showing Up in the Volume List View ……………………171

Disk Status is Not Initialized or Unknown …………………172

Disk Status is Unreadable ……………………………………173

Disk Status is Failed …………………………………………173

Troubleshooting Dynamic Volumes ……………………………174

Disk Status is Foreign ………………………………………174

Disk Status is Online (Errors) ………………………………175

Disk Status is Offline ………………………………………176

Disk Status is Data Incomplete ……………………………177

Troubleshooting Fragmentation Problems ……………………177

Computer is Operating Slowly ……………………………178

The Analysis and Defragmentation Reports Do Not Match the Display ………………………178

Volumes Contain Unmovable Files …………………………178

Troubleshooting Disk Quotas …………………………………178

The Quota Tab is Not There ………………………………178

Deleting a Quota Entry Gives you Another Window ………179

A User Gets an “Insufficient Disk Space” Message When Adding Files to a Volume ………………180

Troubleshooting Remote Storage ………………………………180

Remote Storage Will Not Install ……………………………180

Remote Storage Is Not Finding a Valid Media Type ………180

Files Can No Longer Be Recalled from Remote Storage …181

Troubleshooting RAID …………………………………………181

Mirrored or RAID-5 Volume’s Status is Data Not Redundant ……………………………181

Mirrored or RAID-5 Volume’s Status is Failed Redundancy ……………………………181

Mirrored or RAID-5 Volume’s Status is Stale Data …………183

Summary of Exam Objectives ………………………………………184

Exam Objectives Fast Track …………………………………………184

Exam Objectives Frequently Asked Questions ……………………187

Self Test ……………………………………………………………189

Self Test Quick Answer Key ………………………………………196

Chapter 3 Configuring, Monitoring, and Troubleshooting Server Hardware 197

Introduction ………………………………………………………198

Understanding Server Hardware Vulnerabilities ……………………198

Understanding How Windows Server 2003 Interacts with the Hardware ……………………198

The Hardware Abstraction Layer (HAL) ……………………199

Device Drivers ………………………………………………200

Plug and Play ………………………………………………201

1.4.1

Installing and Configuring Server Hardware Devices ………………203

1.4

Configuring Driver Signing Options …………………………203

Ensuring Your Device Drivers Are Digitally Signed ………206

Using the New Hardware Wizard ……………………………210

1.4.3

Using Device Manager to Configure and Manage Devices ………211

1.4.2

General Device Properties …………………………………213

Advanced Device Properties ………………………………214

Managing the Device Driver ………………………………215

Configuring Resource Settings ……………………………216

Device Installation and Configuration Best Practices …………217

1.2

Monitoring Server Hardware ………………………………………218


Using Device Manager …………………………………………218

Using Event Viewer ……………………………………………219

Using Control Panel Applets ……………………………………219

Using Command-Line Utilities ………………………………220

Device Console Utility (devcon.exe) ………………………220

Service Control Utility (sc.exe) ……………………………225

Using Performance Console ……………………………………227

Hardware Monitoring Best Practices …………………………230

Troubleshooting Hardware Devices ………………………………231

Diagnosing and Resolving Issues Related to Hardware Settings …………………………………234

Diagnosing and Resolving Issues Related to Drivers and Driver Upgrades ……………………235

Last Known Good Configuration …………………………237

Safe Mode …………………………………………………238

System Configuration Utility ………………………………238

Recovery Console …………………………………………239

Emergency Management Services …………………………241

Automated System Recovery ………………………………241

Repairing the Windows Server 2003 Installation …………242

Hardware Troubleshooting Best Practices ………………………242

Summary of Exam Objectives ………………………………………244

Exam Objectives Fast Track …………………………………………245

Exam Objectives Frequently Asked Questions ……………………247

Self Test ……………………………………………………………249

Self Test Quick Answer Key ………………………………………254


Chapter 4 Managing User, Group, and Computer Accounts 255

Introduction ………………………………………………………256


Understanding Security Objects ……………………………………256

Understanding the Role of User Accounts ……………………256

Understanding the Role of Group Accounts …………………257

Understanding the Role of Computer Accounts ………………257

Understanding the Role of Active Directory …………………258

Using Management Tools …………………………………………258


Using the Active Directory Users and Computers (ADUC) Administrative Tool ………………259

Using Command-Line Utilities ………………………………261

Becoming Familiar with Using Command-Line Tools ……262

Using dsadd.exe ……………………………………………264

Using dsmod.exe ……………………………………………265

Using dsget.exe ……………………………………………267

Using dsmove.exe …………………………………………268

Using dsquery.exe …………………………………………269

Using gpresult.exe …………………………………………270

Using whoami.exe …………………………………………274

Using cmdkey.exe …………………………………………275


Creating and Managing User Accounts ……………………………277


Using the ADUC MMC Snap-In to Create and Manage Users 277

Managing and Troubleshooting User Accounts Via the Properties Tabs ……………………280

Managing User Accounts Via the Pop-Up Menu …………296

Using the Command Line to Create and Manage Users ………300

Using dsadd.exe user ………………………………………300

Using dsmod user …………………………………………303

Using dsquery user …………………………………………306

Using dsget.exe ……………………………………………309


Automating User and Group Account Creation ………………313


Importing User Accounts ………………………………………315


Troubleshooting User Accounts ………………………………317


Creating and Managing Group Accounts …………………………318

Understanding Group Types and Scopes ………………………319

Security and Distribution Groups …………………………319

Local, Domain Local, Global, and Universal Groups ………320

Using the ADUC MMC Snap-In to Create and Manage Groups ……………………324

Managing Group Accounts Via the Properties Tabs ………326

Managing Group Accounts Via the Pop-Up Menu ………332

Using the Command Line to Create and Manage Groups ……333

Using dsadd.exe Group ……………………………………333

Using dsmod.exe group ……………………………………335

Using dsquery group ………………………………………337


Using dsget group …………………………………………340

Group Management Tasks ………………………………………343

Identifying and Modifying the Scope of a Group …………343

Determining to which Groups a User Belongs ……………344

Group Membership Management Best Practices ………………345

Using Domain Local Groups ………………………………345

Using Global Groups ………………………………………346

Using Universal Groups ……………………………………346

Understanding AGUDLP ……………………………………347

Using Groups in a Single Domain …………………………348

Using Groups in a Multiple Domain Forest ………………349


Creating and Managing Computer Accounts ………………………349

Using the ADUC MMC Snap-In to Create and Manage Computers ………………………………350

Managing Computer Accounts Via the Properties Tabs ……353

Managing Computer Accounts Via the Pop-Up Menu ……359

Using the Command Line to Create, Manage, and Troubleshoot Computers ………………………362

Using dsadd computer ………………………………………363

Using dsmod computer ……………………………………364

Using dsquery computer ……………………………………365

Using dsget computer ………………………………………368

Creating and Managing Domain Controllers …………………370

Creating a New Domain Controller for an Existing Domain ………………………370

Creating a Domain Controller for a New Forest …………377

Creating a Domain Controller for a New Child Domain …381

Creating a Domain Controller for a New Domain Tree ……384

Assigning Domain Controller Operations Master Roles ……388

Troubleshooting Computer Accounts …………………………395

Summary of Exam Objectives ………………………………………396

Exam Objectives Fast Track …………………………………………398

Exam Objectives Frequently Asked Questions ……………………400

Self Test ……………………………………………………………402

Self Test Quick Answer Key ………………………………………407


Chapter 5 Managing Access to Resources ……………………409

Introduction ………………………………………………………410

Understanding Access Control ……………………………………410

Defining Access Control ………………………………………411

Access Control Terminology ………………………………411

Access Control Process ……………………………………412


Understanding and Using Access Permissions ………………………412


Setting File-Level Permissions (NTFS Security) ………………413


NTFS Permissions Defined …………………………………414

Assigning NTFS Permissions ………………………………416

NTFS Special Permissions …………………………………419

Copying or Moving Files and Folders ………………………423

Setting Shared-Folder Permissions ……………………………424

Shared-Folder Permissions Defined …………………………424

Understanding the Interaction of Share Permissions and NTFS Permissions ………………425

Assigning Share Permissions …………………………………426

Copying or Moving Shared Folders ………………………428

Shared Folders in Active Directory ……………………………429

Creating an Active Directory Share …………………………429

Setting Active Directory Object Permissions ………………430

Understanding How Permissions Are Inherited ………………431

Setting User Rights and Privileges …………………………………439

Understanding the Role of User Rights ………………………439


Using Group Policy to Set User Rights ……………………442


Troubleshooting Access Problems …………………………………444


Identifying Common Access Problems …………………………445

Basic Troubleshooting Guidelines ………………………………445

Using New Command-Line Utilities ………………………………447

Using where.exe ………………………………………………447

Using takeown.exe ……………………………………………448

Using EFS Encryption ……………………………………………450

Understanding Disk Encryption ………………………………451

Understanding How EFS Works “Under the Hood” …………452

Domain Recovery Policies …………………………………455

Encrypting Files and Folders Using the Graphical Interface …456

Using the cipher.exe Command to Perform Encryption Tasks ……………………458


Applying EFS Best Practices ……………………………………459

Implementing a Public Key Infrastructure …………………………460

Understanding the Function of a PKI …………………………460

Public Key Cryptography …………………………………461

Digital Certificates …………………………………………463

Certification Authorities ……………………………………464

Installing and Using the Windows Server 2003 Certificate Services ……………………465

Creating the Certificate Authority Hierarchy …………………466

Applying PKI Best Practices ……………………………………470

Summary of Exam Objectives ………………………………………473

Exam Objectives Fast Track …………………………………………474

Exam Objectives Frequently Asked Questions ……………………477

Self Test ……………………………………………………………479

Self Test Quick Answer Key ………………………………………486

Chapter 6 Managing and Troubleshooting Terminal Services 487

Introduction ………………………………………………………488

Understanding Windows Terminal Services ………………………488

Terminal Services Terminology and Concepts …………………489

How Terminal Services Works ………………………………489

Thin Client Computing ……………………………………490

Terminal Services Components ………………………………491

Remote Desktop for Administration ………………………492

Remote Assistance …………………………………………492


The Terminal Server Role …………………………………493

Manage a Server by Using Terminal Services Remote Administration Mode ………………497

Using Remote Desktop for Administration ……………………497

Configuring RDA …………………………………………497

Setting Up Authentication …………………………………498

Advantages of RDA over other Remote Administration Methods …………………498

Diagnose and Resolve Issues Related to Terminal Services Security ……………………499

Using Remote Assistance ………………………………………500

How Remote Assistance Works ……………………………501

Configuring Remote Assistance for Use ……………………501

Asking for Assistance ………………………………………502


Downloading, Installing, and Configuring the Windows Messenger Tool for Use with Remote Assistance …504

Downloading Messenger ……………………………………504

Creating an Account ………………………………………505

Using an Existing Account to Log On ……………………505

Adding Contacts ……………………………………………507

Completing the Connection ………………………………511

Managing Open Invitations …………………………………515

Remote Assistance Security Issues …………………………516

Installing and Configuring the Terminal Server Role ………………517

Installing the Terminal Server Role ……………………………518

Installing Terminal Server Licensing ………………………520

Using Terminal Services Client Tools …………………………521

Installing and Using the Remote Desktop Connection (RDC) Utility …………………………522

Installing the Remote Desktop Connection Utility ………523

Launching and Using the Remote Desktop Connection Utility ……………………523

Configuring the Remote Desktop Connection Utility ……525

Installing and Using the Remote Desktops MMC Snap-In ……529

Installing the Remote Desktops MMC Snap-In ……………531

Adding a New Connection …………………………………531

Configuring a Connection’s Properties ……………………533

Connecting and Disconnecting ……………………………534

Installing and Using the Remote Desktop Web Connection Utility …………………535

Installing Internet Information Services 6 …………………535

Installing the Remote Desktop Web Connection Utility …536

Using the Remote Desktop Web Connection Utility from a Client ………………………537

Using Terminal Services Administrative Tools ………………………540

Using the Terminal Services Manager …………………………541

Using Terminal Services Manager to Connect to Servers …541

Managing Users with the Terminal Services Manager Tool …542

Managing Sessions with the Terminal Services Manager Tool …………………………543

Managing Processes with the Terminal Services Manager Tool …………………………546


Using the Terminal Services Configuration Tool ………………547

Understanding Listener Connections ………………………547

Modifying the Properties of an Existing Connection ………548

Terminal Services Configuration Server Settings ……………558

User Account Extensions ………………………………………560

The Terminal Services Profile Tab …………………………560

The Sessions Tab ……………………………………………561

The Environment Tab ………………………………………562

The Remote Control Tab …………………………………563

Using Group Policies to Control Terminal Services Users ……564

Using the Terminal Services Command-Line Tools ……………565


Troubleshooting Terminal Services …………………………………567

Not Automatically Logged On …………………………………567

“This Initial Program Cannot Be Started” ……………………568

Clipboard Problems ……………………………………………568

License Problems ………………………………………………569

Summary of Exam Objectives ………………………………………570

Exam Objectives Fast Track …………………………………………571

Exam Objectives Frequently Asked Questions ……………………574

Self Test ……………………………………………………………576

Self Test Quick Answer Key ………………………………………581

Chapter 7 Using Server Management Tools 583

Introduction ………………………………………………………584


Recognizing Types of Management Tools …………………………584

Administrative Tools Menu ……………………………………584

Custom MMC Snap-Ins ………………………………………585

MMC Console Modes ………………………………………586

Command-Line Utilities ………………………………………588

Wizards …………………………………………………………589

Windows Resource Kit …………………………………………589

The Run As Command ………………………………………589


Managing Your Server Remotely …………………………………589

Remote Assistance ………………………………………………590

Using Web Interface for Remote Administration ………………591

Remote Desktop for Administration …………………………593

Administration Tools Pack (adminpak.msi) ……………………594

Windows Management Instrumentation (WMI) ………………595


Using Computer Management to Manage a Remote Computer ……………………………595

Which Tool To Use? ……………………………………………597

Using Emergency Management Services …………………………598


Managing Printers and Print Queues ………………………………601


Using the Graphical Interface …………………………………601

Creating a Printer …………………………………………602

Sharing a Printer ……………………………………………603

Adding Printer Drivers for Earlier Operating Systems ……603

Setting Permissions …………………………………………603

Managing Print Queues ……………………………………605

Managing Printer Pools ……………………………………606

Scheduling Printers …………………………………………606

Setting Printing Priorities …………………………………607

Using New Command-Line Tools ……………………………607

The Printer Spooler Service ……………………………………610

The Internet Printing Protocol …………………………………613

Managing and Troubleshooting Services ……………………………614

Service Configuration …………………………………………614

Service Name ………………………………………………614

Service States ………………………………………………614

Service Startup Type ………………………………………614

Service Logon ………………………………………………615

Service Recovery ……………………………………………615

Dependencies ………………………………………………616

Service Permissions …………………………………………616

Using the Graphical Interface …………………………………616

Using New Command-Line Utilities …………………………619

sc.exe ………………………………………………………619

schtasks.exe …………………………………………………619

setx.exe ………………………………………………………620

shutdown.exe ………………………………………………620

tasklist.exe …………………………………………………621

taskkill.exe …………………………………………………622

Using Wizards to Configure and Manage Your Server ……………623

Using the Configure Your Server and Manage Your Server Wizards ……………………624


File Server Role ……………………………………………625

Print Server Role ……………………………………………625

Application Server (IIS, ASP.NET) Role ……………………626

Mail Server (POP3/SMTP) Role …………………………627

Terminal Server Role ………………………………………627

Remote Access/VPN Server Role …………………………627

Domain Controller (Active Directory) ……………………628

DNS Server Role …………………………………………629

DHCP Server Role …………………………………………629

Streaming Media Server Role ………………………………629

WINS Server Role …………………………………………629

Summary of Exam Objectives ………………………………………632

Exam Objectives Fast Track …………………………………………633

Exam Objectives Frequently Asked Questions ……………………636

Self Test ……………………………………………………………638

Self Test Quick Answer Key ………………………………………644


Chapter 8 Managing Web Servers with IIS 6.0 ……………645

Introduction …………………………………………………………646

Installing and Configuring IIS 6.0 …………………………………646

Pre-Installation Checklist ………………………………………646

Internet Connection Firewall ………………………………647

Installation Methods ……………………………………………650

Using the Configure Your Server Wizard …………………650

Using the Add or Remove Programs Applet ………………654

Using Unattended Setup ……………………………………655

Installation Best Practices ………………………………………657

What’s New in IIS 6.0? ……………………………………………657

New Security Features …………………………………………657

Advanced Digest Authentication ……………………………657

Server-Gated Cryptography (SGC) …………………………658

Selectable Cryptographic Service Provider (CSP) …………659

Configurable Worker Process Identity ………………………660

Default Lockdown Status ……………………………………660

New Authorization Framework ……………………………661

New Reliability Features ………………………………………661

Health Detection ……………………………………………662

New Request Processing Architecture: HTTP.SYS Kernel Mode Driver …………………………662


Other New Features ……………………………………………663

ASP.NET and IIS Integration ………………………………663

Unicode Transformation Format-8 (UTF-8) ………………664

XML Metabase ……………………………………………664


Managing IIS 6.0 ……………………………………………………666


Performing Common Management Tasks ………………………667

Site Setup ……………………………………………………667

Common Administrative Tasks ………………………………677

Managing IIS Security …………………………………………684

Configuring Authentication Settings ………………………684

Troubleshooting IIS 6.0 ……………………………………………687

Troubleshooting Content Errors ………………………………687

Static Files Return 404 Errors ………………………………687

Dynamic Content Returns a 404 Error ……………………688

Sessions Lost Due to Worker Process Recycling …………688

ASP.NET Pages are Returned as Static Files ………………688

Troubleshooting Connection Errors ……………………………689

503 Errors …………………………………………………689

Clients Cannot Connect to Server …………………………690

401 Error – Sub Authentication Error ………………………690

Client Requests Timing Out ………………………………691

Troubleshooting Other Errors …………………………………691

File Not Found Errors for UNIX and Linux Files …………691

ISAPI Filters Are Not Automatically Visible as Properties of the Web Site ……………………692

The Scripts and Msadc Virtual Directories Are Not Found in IIS 6.0 ……………………692

Using New IIS Command-Line Utilities …………………………692

iisweb.vbs ………………………………………………………692

create ………………………………………………………693

start, stop, pause, and delete …………………………………694

query ………………………………………………………696

iisvdir.vbs ………………………………………………………696

create ………………………………………………………696

delete ………………………………………………………697

query ………………………………………………………698

iisftp.vbs …………………………………………………………698

create ………………………………………………………699


start, stop, pause, and delete …………………………………700

query ………………………………………………………700

Active Directory set and get Calls …………………………700

iisftpdr.vbs ………………………………………………………701

create ………………………………………………………701

delete ………………………………………………………702

query ………………………………………………………703

iisback.vbs ………………………………………………………703

Back Up IIS Configuration …………………………………704

Restore IIS Configuration …………………………………704

delete ………………………………………………………705

list ……………………………………………………………705

iiscnfg.vbs ………………………………………………………706

import ………………………………………………………706

export ………………………………………………………707

copy …………………………………………………………708

save …………………………………………………………708

Summary of Exam Objectives ………………………………………710

Exam Objectives Fast Track …………………………………………710

Exam Objectives Frequently Asked Questions ……………………713

Self Test ……………………………………………………………714

Self Test Quick Answer Key ………………………………………719

Chapter 9 Monitoring Performance and Security 721

Introduction ………………………………………………………722


Monitoring Performance ……………………………………………722


Using Task Manager to Monitor Performance …………………722


Using the Performance Utility to Monitor Performance ………725


Using the System Monitor …………………………………725

Adding Performance Counters ……………………………727

Using Performance Logs and Alerts …………………………733

Using Command-Line Tools ……………………………………738

logman.exe …………………………………………………738

relog.exe ……………………………………………………740

typeperf.exe …………………………………………………742


Optimizing Servers for Application Performance …………………743


Monitoring Memory Objects …………………………………743


Monitoring Network Objects …………………………………745


Monitoring Process Objects ……………………………………747


Monitoring Disk Objects ………………………………………748

Auditing Security Events ……………………………………………749

Defining and Modifying Auditing Policies for Event Categories 751

Policies for the Local Computer ……………………………751

Policies for Domain Controllers ……………………………752

Policies for a Domain or OU ………………………………753

Enabling Auditing of Object Access ……………………………754

Auditing Settings on Objects ………………………………754

Understanding Operation-Based Auditing of Files and Folders ……………………………755

Applying and Modifying Audit Policy Settings ……………755

Understanding the Effect of Inheritance on File and Folder Auditing …………………759

Viewing the Security Log ………………………………………759

Using Event Viewer ………………………………………………760

Event Types ……………………………………………………760

Understanding Event Logs ……………………………………761

Event Log Types ……………………………………………762

Managing Event Logs …………………………………………764

Setting Logging Options ……………………………………764

Configuring Log Size ………………………………………765

Clearing Logs ………………………………………………766

Archiving Logs ………………………………………………767

Troubleshooting Event Logs ……………………………………768

Using Command-Line Tools ………………………………………769

eventcreate.exe …………………………………………………769

eventquery.vbs …………………………………………………770

eventtriggers.exe ………………………………………………771

tracerpt.exe ……………………………………………………774

Using the Shutdown Event Tracker ………………………………775

Shutdown Events Overview ……………………………………775

Configuring the Shutdown Event Tracker ……………………776

Working with the Shutdown Event Tracker ……………………777

Using the Registry to Manage Shutdown Event Tracker ………780

Defining Custom Shutdown Reasons …………………………781

Summary of Exam Objectives ………………………………………784

Exam Objectives Fast Track …………………………………………785


Exam Objectives Frequently Asked Questions ……………………788

Self Test ……………………………………………………………790

Self Test Quick Answer Key ………………………………………795

Chapter 10 Planning and Implementing Disaster Recovery 797

Introduction ………………………………………………………798

Defining and Understanding Disaster Recovery ………………………………798

Understanding the Components of Disaster Recovery ………799

Developing Business Continuity Plans ……………………800

Developing the Disaster Recovery Plan ………………………805

Threat Assessment and Prioritizing …………………………806

Legal and Administrative Considerations ……………………806

Asset Evaluation ……………………………………………807

Incident Response Planning ………………………………808

Using Disaster Recovery Best Practices ……………………809


Creating a Backup Plan ……………………………………………812


Backup Concepts ………………………………………………813

Backup Media …………………………………………………814

Types of Tapes ………………………………………………814

Managing Media ……………………………………………816

Offsite Storage ………………………………………………817

Backing Up Data Files with the Backup Utility ………………817

Starting the Backup Utility …………………………………818

Using the Backup Utility in Advanced Mode ………………818

Advanced Backup Settings …………………………………824

Backing Up System State Data …………………………………827

Configuring Security for Backup Operations …………………829

Verifying Successful Completion of Backup Jobs …………830

Managing Backup Media ……………………………………831

Restoring Backed-Up Data ……………………………………833

Scheduling Backup Jobs ………………………………………836

Backup Rotation Schemes …………………………………844

Using the ntbackup Command-Line Utility ………………………845


Creating a System Recovery Plan …………………………………847


Backing up System State Data …………………………………847

Primary, Nonauthoritative, and Authoritative Restores ……849

Creating an Automated System Recovery Set …………………850


Installing and Using the Recovery Console ……………………851

Using Windows Startup Options ………………………………856

Safe Mode …………………………………………………856

Safe Mode with Networking ………………………………856

Safe Mode with Command Prompt ………………………857

Enable Boot Logging ………………………………………857

Enable VGA Mode …………………………………………857

Last Known Good Configuration …………………………857

Directory Service Restore Mode ……………………………858

Debugging Mode ……………………………………………858


Working with Volume Shadow Copies ……………………………859

Making Shadow Copies of Shared Folders ……………………859

Enabling Shadow Copies on the Shared Resource …………860

Changing Settings for Shadow Copies ……………………861

Defining Storage Options for Shadow Copies ……………862

Scheduling Shadow Copies …………………………………863

Deploying the Client Software for Shadow Copies ……………864

Restoring Previous Versions of a File …………………………865

Shadow Copies Best Practices …………………………………866


Recovering from Server Hardware Failure …………………………867

The Role of Fault-Tolerant Disks ………………………………867

RAID 1 ……………………………………………………867

RAID 5 ……………………………………………………868

The Role of Server Clustering …………………………………868

Summary of Exam Objectives ………………………………………870

Exam Objectives Fast Track …………………………………………870

Exam Objectives Frequently Asked Questions ……………………872

Self Test ……………………………………………………………874

Self Test Quick Answer Key ………………………………………879

Self Test Questions, Answers, and Explanations 881

Index 957


Foreword

This book’s primary goal is to help you prepare to take and pass Microsoft’s exam number 70-290, Managing and Maintaining a Microsoft Windows Server 2003 Environment. Our secondary purpose in writing this book is to provide exam candidates with knowledge and skills that go beyond the minimum requirements for passing the exam, and help to prepare them to work in the real world of Microsoft computer networking.

What is Exam 70-290?

Exam 70-290 is one of the two core requirements for the Microsoft Certified Systems Administrator (MCSA) and one of the four core requirements for the Microsoft Certified Systems Engineer (MCSE) certifications. Microsoft’s stated target audience consists of IT professionals with at least six months of work experience on a medium or large company network. This means a multi-site network with at least three domain controllers, running typical network services such as file and print services, database, firewall services, proxy services, remote access services and Internet connectivity.

However, not everyone who takes Exam 70-290 will have this ideal background. Many people will take this exam after classroom instruction or self-study as an entry into the networking field. Many of those who do have job experience in IT will not have had the opportunity to work with all of the technologies covered by the exam. In this book, our goal is to provide background information that will help you to understand the concepts and procedures described even if you don’t have the requisite experience, while keeping our focus on the exam objectives.

Exam 70-290 covers the basics of managing and maintaining a network environment that is built around Microsoft’s Windows Server 2003. Objectives are task-oriented, and include the following:

Managing and Maintaining Physical and Logical Devices: This includes managing basic and dynamic disks; monitoring server hardware; optimizing disk performance on the server; troubleshooting hardware devices; and installing and configuring hardware devices.


Managing Users, Computers, and Groups: This includes managing different types of user profiles; creating and managing computer accounts in the Active Directory environment; creating and managing groups and user accounts; troubleshooting computer and user accounts; and troubleshooting user authentication issues.

Managing and Maintaining Access to Resources: This includes configuring access to shared folders; troubleshooting Terminal Services; configuring file system permissions; and troubleshooting access to files and shared folders.

Managing and Maintaining the Server Environment: This includes monitoring and analyzing logged events; planning and managing software updates; managing software site licensing; remote management of servers, using Remote Assistance, Terminal Services, and available support tools; troubleshooting printing problems; monitoring performance; monitoring disk quotas, print queues, and server hardware; monitoring and optimizing the environment for better application performance; and managing a Web server.

Managing and Implementing Disaster Recovery: This includes performing a system recovery for a server; managing backup procedures and scheduling backup jobs; restoring backed up data; and recovery from hardware failure.

Path to MCP/MCSA / MCSE

Microsoft certification is recognized throughout the IT industry as a way to demonstrate mastery of basic concepts and skills required to perform the tasks involved in implementing and maintaining Windows-based networks. The certification program is constantly evaluated and improved; the nature of information technology is changing rapidly and this means requirements and specifications for certification can also change rapidly. This book is based on the exam objectives as stated by Microsoft at the time of writing; however, Microsoft reserves the right to make changes to the objectives and to the exam itself at any time. Exam candidates should regularly visit the Certification and Training Web site at www.microsoft.com/traincert for the most updated information on each Microsoft exam.

Microsoft presently offers three basic levels of certification:

Microsoft Certified Professional (MCP): To obtain the MCP certification, you must pass one current Microsoft certification exam. For more information on exams that qualify, see www.microsoft.com/traincert/mcp/mcp/requirements.asp.

Microsoft Certified Systems Administrator (MCSA): To obtain the MCSA certification, you must pass three core exams and one elective exam, for a total of four exams. For more information, see www.microsoft.com/TrainCert/mcp/mcsa/requirements.asp.


Microsoft Certified Systems Engineer (MCSE): To obtain the MCSE certification on Windows Server 2003, you must pass six core exams (including four network operating system exams, one client operating system exam and one design exam) and one elective. For more information, see www.microsoft.com/traincert/mcp/mcse/windows2003.

Exam 70-290 applies toward all of the above certifications.

NOTE

Those who already hold the MCSA in Windows 2000 can upgrade their certifications to MCSA 2003 by passing one upgrade exam (70-292). Those who already hold the MCSE in Windows 2000 can upgrade their certifications to MCSE 2003 by passing two upgrade exams (70-292 and 70-296).

Microsoft also offers a number of specialty certifications for networking professionals and certifications for software developers, including the following:

Microsoft Certified Database Administrator (MCDBA)

Microsoft Certified Solution Developer (MCSD)

Microsoft Certified Application Developer (MCAD)

Exam 70-290 does not apply to any of these specialty and developer certifications.

Prerequisites and Preparation

There are no mandatory prerequisites for taking Exam 70-290, although Microsoft recommends that you meet the target audience profile described earlier. Exam 70-290 is the logical choice for the first step in completing the requirements for MCSA 2003 or MCSE 2003.

Preparation for this exam should include the following:

Visit the web site at www.microsoft.com/traincert/exams/70-290.asp to review the updated exam objectives.

Work your way through this book, studying the material thoroughly and marking any items you don’t understand.

Answer all practice exam questions at the end of each chapter.

Complete all hands-on exercises in each chapter.

Review any topics that you don’t thoroughly understand.


Consult Microsoft online resources such as TechNet (www.microsoft.com/ technet), white papers on the Microsoft Web site, and so forth, for better understanding of difficult topics.

Participate in Microsoft’s product-specific and training and certification newsgroups if you have specific questions that you still need answered.

Take one or more practice exams, such as the one available at www.syngress.com/certification.

Exam Overview

In this book, we have tried to follow Microsoft’s exam objectives as closely as possible.

However, we have rearranged the order of some topics for a better flow, and included background material to help you understand the concepts and procedures that are included in the objectives. Following is a brief synopsis of the exam topics covered in each chapter:

Overview of Windows Server 2003:

You will learn about the history of the Windows operating systems and specifically, the family tree of the NT-based operating systems from which Windows Server 2003 evolved. We discuss basic concepts involved in Windows server-based networking, including client-server networking, domains and directory services. We discuss the new features in Windows Server 2003, such as new Active Directory features, improved file and print services, the revised IIS architecture, enhanced clustering technology, new networking and communications features, improved security, better storage management, improvements to Terminal Services, new media services and support for XML Web services. You will learn about the different members of the Windows Server 2003 family: Web Edition, Standard Edition, Enterprise Edition and Datacenter Edition, and how each is used. We also discuss changes to licensing, and issues that commonly occur during installation and upgrade.

Managing Physical and Logical Disks:

We begin with an explanation of disk terminology and concepts as they apply to Windows Server 2003, and then discuss the disk management tools included with the operating system. You'll learn to use both the graphical tools such as the Disk Management MMC and the command-line utilities such as diskpart, fsutil and rss. We discuss how to manage both logical and physical disks, and you learn the difference between basic and dynamic disks and how each type is managed. We also discuss how you can optimize disk performance by defragmenting (using both GUI and command-line tools), configuring and monitoring disk quotas, and implementing RAID solutions. You will learn about remote storage, and you'll learn how to troubleshoot problems with disks and volumes.


Configuring, Monitoring and Troubleshooting Server Hardware:

You’ll learn about common server hardware vulnerabilities and how to address them, and we’ll walk you through the steps of installing and configuring hardware devices.

You'll learn how to configure driver signing options, resource settings and device properties and settings. You'll also learn how to use Device Manager, the Hardware Troubleshooting Wizard, Control Panel applets, and command-line utilities to monitor your server's hardware. We discuss basic hardware troubleshooting procedures, including diagnosing and resolving issues related to hardware settings and diagnosing and resolving issues related to drivers and driver upgrades.

Managing User, Group and Computer Accounts:

We start with an overview of security objects: users, groups and computers, and how they fit into the Windows operating system and the Active Directory environment. We talk about the management tools provided with Windows Server 2003, including the Active Directory Users and Computers (ADUC) admin tool, and the wealth of command-line utilities used for managing these objects, such as dsadd, dsget, dsmove, dsquery, gpresult, whoami and cmdkey. We walk you through the process of creating and managing user accounts and show you how to automate account creation and import user accounts. Then we address how to create and manage group accounts. You'll learn to identify and modify the scope of a group, find out to which domain groups a user belongs, and manage group membership in the Active Directory domain. Finally, we discuss creating and managing computer accounts.

Managing Access to Resources:

We provide a broad overview of access control to help you understand the concept, and then we get more specific, discussing access permissions (including the role of authentication and file ownership), shared folder permissions, file system permissions, and Active Directory object permissions. You'll learn about inheritance of permissions, and we'll discuss user rights and privileges and how to set them, as well as troubleshooting access problems. You'll learn to use new command-line utilities provided with Windows Server 2003, such as takeown.exe and where.exe. Then we'll discuss the Encrypting File System (EFS) and how EFS encryption can be used in conjunction with permissions to provide another layer of security. We also cover how to implement a Public Key Infrastructure (PKI).

Managing and Troubleshooting Terminal Services:

We discuss the terminology and concepts behind Windows Terminal Services, and you'll learn how to install and configure it on your server in either Remote Administration or Application Server mode. We walk you through the steps of configuring the Terminal Server itself, managing the licensing server, installing client access licenses and installing programs to be used in application server mode. We discuss client software, and show you how to use the Terminal Services administrative tools, including both the graphical and command-line tools. You'll learn to troubleshoot Terminal Services and recognize common errors and what to do about them.


Using Server Management Tools:

We go through the Administrative Tools menu and discuss the use of the provided tools, show you how to build custom MMCs using the available snap-ins, and show you how to use many new command-line utilities. You'll learn to manage servers remotely in a variety of different ways: using the built-in Remote Assistance feature, using the Web interface for remote administration, using Terminal Services in remote admin mode, using the Administration Tools pack (adminpak.msi) from a client computer, using Windows Management Instrumentation (WMI) and using the Computer Management console's remote management capability. We discuss Emergency Management Services, how to manage printers and print queues, and how to manage and troubleshoot services with such utilities as sc, schtasks, setx, shutdown, tasklist and taskkill.

Managing Web Servers with Internet Information Services (IIS):

We take a long look at IIS 6.0, and you'll learn how to install and configure it and how to use its new features. These include new security features such as advanced digest authentication, server-gated cryptography, selectable CSP, configurable worker process identity, and the new authorization framework. You'll also learn about new reliability features such as health detection, the new request processing architecture and the new HTTP.SYS kernel-mode driver. Other new features we cover include ASP.NET and IIS integration, Unicode Transformation Format-8 (UTF-8) support, and the XML metabase. We walk you through the process of using the Web Server Security Lockdown Wizard and discuss intrusion prevention. You'll also learn how to troubleshoot problems with your Web server, and how to use IIS's new command-line utilities.

Monitoring Performance and Security:

You'll learn how to use Task Manager, System Monitor and command-line tools to monitor your server's performance, and we discuss ways to optimize your servers for application performance. You'll learn about monitoring specific objects, including memory, network, process and disk objects. We then discuss security auditing, and you'll learn to use the Event Viewer's security, system and application logs. We'll show you how to use command-line tools such as eventcreate, eventquery, eventtriggers and tracerpt. You'll also learn to use the Shutdown Event Tracker.

Planning and Implementing Disaster Recovery:

We start by defining disaster recovery and discussing what is involved in creating a disaster recovery policy. This includes creating a backup plan, and you will learn about backup concepts, how to choose backup media, and how to back up your data files and system state data. We discuss how to configure security for backup operations, and you'll find out how to verify successful completion of backup jobs, how to manage backup media, how to schedule backup jobs, and how to restore backed-up data. Then we discuss the use of Automated System Recovery (ASR) and how you can restore data from shadow copy volumes. Finally, we address how to recover from server hardware failure and you'll learn about fault-tolerant disks and the role of server clustering.


Software Deployment and Update:

You will learn all about software installation, and how the Windows Installer works. We'll show you how to use Group Policy for automated software installation, and you'll learn to assign applications to computers and assign or publish applications to users. We show you how to set options for Group Policy software installation, and how to use it to upgrade applications. You'll find out how to set application priorities and remove managed applications. We show you how to use administrative templates and we discuss the use of Remote Installation Services (RIS). You'll learn about the Windows Update feature and automatic updates, and you'll also learn about software restriction policies and how to apply them.

Exam Day Experience

Taking the exam is a relatively straightforward process. Both Vue and Prometric testing centers administer the Microsoft 70-290 exam.You can register for, reschedule or cancel an exam through the Vue Web site at www.vue.com or the Prometric Web site at www.2test.com/index.jsp.You’ll find listings of testing center locations on these sites.

Accommodations are made for those with disabilities; contact the individual testing center for more information.

Exam price varies depending on the country in which you take the exam.

Exam Format

Exams are timed. At the end of the exam, you will find out your score and whether you passed or failed.You will not be allowed to take any notes or other written materials with you into the exam room.You will be provided with a pencil and paper, however, for making notes during the exam or doing calculations.

In addition to the traditional multiple choice questions and the select and drag, simulation and case study questions introduced in the Windows 2000 exams, Microsoft has developed a number of innovative question types for the Windows Server 2003 exams.You might see some or all of the following types of questions:

Hot area questions, in which you are asked to select an element or elements in a graphic to indicate the correct answer.You click an element to select or deselect it.

Active screen questions, in which you change elements in a dialog box (for example, by dragging the appropriate text element into a text box or selecting an option button or checkbox in a dialog box).

Drag and drop questions, in which you arrange various elements in a target area.

You can download a demo sampler of test question types from the Microsoft Web site at www.microsoft.com/traincert/mcpexams/faq/innovations.asp.


Test Taking Tips

Different people work best using different methods. However, there are some common methods of preparation and approach to the exam that are helpful to many test-takers. In this section, we provide some tips that other exam candidates have found useful in preparing for and actually taking the exam.

Exam preparation begins before exam day. Ensure that you know the concepts and terms well and feel confident about each of the exam objectives. Many test-takers find it helpful to make flash cards or review notes to study on the way to the testing center. A sheet listing acronyms and abbreviations can be helpful, as the number of acronyms (and the similarity of different acronyms) when studying IT topics can be overwhelming.The process of writing the material down, rather than just reading it, will help to reinforce your knowledge.

Many test-takers find it especially helpful to take practice exams that are available on the Internet and with books such as this one.Taking the practice exams not only gets you used to the computerized exam-taking experience, but also can be used as a learning tool.The best practice tests include detailed explanations of why the correct answer is correct and why the incorrect answers are wrong.

When preparing and studying, you should try to identify the main points of each objective section. Set aside enough time to focus on the material and lodge it into your memory. On the day of the exam, you should be at the point where you don't have to learn any new facts or concepts, but need simply to review the information already learned.

The value of hands-on experience cannot be stressed enough. Exam questions are based on test-writers’ experiences in the field. Working with the products on a regular basis, whether in your job environment or in a test network that you’ve set up at home, will make you much more comfortable with these questions.

Know your own learning style and use study methods that take advantage of it. If you're primarily a visual learner, reading, making diagrams, watching video files on CD, etc. may be your best study methods. If you're primarily auditory, classroom lectures, audiotapes you can play in the car as you drive, and repeating key concepts to yourself aloud may be more effective. If you're a kinesthetic learner, you'll need to actually do the exercises, implement the security measures on your own systems, and otherwise perform hands-on tasks to best absorb the information. Most of us can learn from all of these methods, but have a primary style that works best for us.

Although it may seem obvious, many exam-takers ignore the physical aspects of exam preparation. You are likely to score better if you've had sufficient sleep the night before the exam, and if you are not hungry, thirsty, hot/cold or otherwise distracted by physical discomfort. Eat prior to going to the testing center (but don't indulge in a huge meal that will leave you uncomfortable), stay away from alcohol for 24 hours prior to the test, and dress appropriately for the temperature in the testing center (if you don't know how hot/cold the testing environment tends to be, you may want to wear light clothes with a sweater or jacket that can be taken off).

Before you go to the testing center to take the exam, be sure to allow time to arrive on time, take care of any physical needs, and step back to take a deep breath and relax.Try to arrive slightly early, but not so far in advance that you spend a lot of time worrying and getting nervous about the testing process.You may want to do a quick last minute review of notes, but don’t try to “cram” everything the morning of the exam. Many test-takers find it helpful to take a short walk or do a few calisthenics shortly before the exam, as this gets oxygen flowing to the brain.

Before beginning to answer questions, use the pencil and paper provided to you to write down terms, concepts and other items that you think you may have difficulty remembering as the exam goes on.Then you can refer back to these notes as you progress through the test.You won’t have to worry about forgetting the concepts and terms you have trouble with later in the exam.

Sometimes the information in a question will remind you of another concept or term that you might need in a later question. Use your pen and paper to make note of this in case it comes up later on the exam.

It is often easier to discern the answer to scenario questions if you can visualize the situation. Use your pen and paper to draw a diagram of the network that is described to help you see the relationships between devices, IP addressing schemes, and so forth.

When appropriate, review the answers you weren’t sure of. However, you should only change your answer if you’re sure that your original answer was incorrect.

Experience has shown that more often than not, when test-takers start second-guessing their answers, they end up changing correct answers to incorrect ones.

Don’t “read into” the question (that is, don’t fill in or assume information that isn’t there); this is a frequent cause of incorrect responses.

As you go through this book, pay special attention to the Exam Warnings, as these highlight concepts that are likely to be tested. You may find it useful to go through and copy these into a notebook (remembering that writing something down reinforces your ability to remember it) and/or go through and review the Exam Warnings in each chapter just prior to taking the exam.

Use as many little mnemonic tricks as possible to help you remember facts and concepts. For example, to remember which of the two IPSec protocols (AH and ESP) encrypts data for confidentiality, you can associate the “E” in encryption with the “E” in ESP.


Pedagogical Elements

In this book, you’ll find a number of different types of sidebars and other elements designed to supplement the main text.These include the following:

Exam Warning

These focus on specific elements on which the reader needs to focus in order to pass the exam (for example, “Be sure you know the difference between symmetric and asymmetric encryption”).

Test Day Tip

These are short tips that will help you in organizing and remembering information for the exam (for example, “When preparing for the exam on test day, it may be helpful to have a sheet with definitions of these abbreviations and acronyms handy for a quick last-minute review”).

Configuring & Implementing

These are sidebars that contain background information that goes beyond what you need to know from the exam, but provide a “deep” foundation for understanding the concepts discussed in the text.

New & Noteworthy

These are sidebars that point out changes in Windows Server 2003 from the Windows 2000/NT family, as they will apply to readers taking the exam. These may be elements that users of Windows 2000/NT would be very familiar with that have changed significantly in Windows Server 2003, or totally new features that they would not be familiar with at all.

Head of the Class

These are discussions of concepts and facts as they might be presented in the classroom, regarding issues and questions that most commonly are raised by students during study of a particular topic.

The book also includes, in each chapter, hands-on exercises in planning and configuring the features discussed. It is essential that you read through and, if possible, perform the steps of these exercises to familiarize yourself with the processes they cover.

You will find a number of helpful elements at the end of each chapter. For example, each chapter contains a Summary of Exam Objectives that ties the topics discussed in that chapter to the published objectives. Each chapter also contains an Exam Objectives Fast Track, which boils all exam objectives down to manageable summaries that are perfect for last minute review. The Exam Objectives Frequently Asked Questions answers those questions that most often arise from readers and students regarding the topics covered in the chapter.

Finally, in the Self Test section, you will find a set of practice questions written in multiple-choice form that will assist you in your exam preparation. These questions are designed to assess your mastery of the exam objectives and provide thorough remediation, as opposed to simulating the variety of question formats you may encounter in the actual exam. You can use the Self Test Quick Answer Key that follows the Self Test questions to quickly determine what information you need to review again. The Self Test Appendix at the end of the book provides detailed explanations of both the correct and incorrect answers.


Additional Resources

There are two other important exam preparation tools included with this Study Guide. One is the DVD included in the back of this book.The other is the concept review test available from our Web site.

Instructor-led training DVD provides you with almost two hours of virtual classroom instruction. Sit back and watch as an author and trainer reviews all the key exam concepts from the perspective of someone taking the exam for the first time. Here, you'll cut through all of the noise to prepare you for exactly what to expect when you take the exam for the first time. You will want to watch this DVD just before you head out to the testing center!

Web-based practice exams. Just visit us at www.syngress.com/certification to access a complete Windows Server 2003 concept multiple-choice review. These remediation tools are written to test you on all of the published certification objectives. The exam runs in both "live" and "practice" mode. Use "live" mode first to get an accurate gauge of your knowledge and skills, and then use practice mode to launch an extensive review of the questions that gave you trouble.


274_70-290_01.qxd 8/11/03 3:43 PM Page 1

Chapter 1: Overview of Windows Server 2003

MCSA/MCSE 70-290

Exam Objectives in this Chapter:

4.3 Manage Software Site Licensing.

4.2 Manage Software Update Infrastructure.

Summary of Exam Objectives

Exam Objectives Fast Track

Exam Objectives Frequently Asked Questions

Self Test

Self Test Quick Answer Key


2 Chapter 1 • Overview of Windows Server 2003

Introduction

This chapter provides exam candidates with important background information that is necessary to understand what Windows Server 2003 is, what it does, and how it works. Most of this information is not directly covered on the exam, because the exam is geared toward those with experience in the IT field who have worked with Microsoft products previously. If you are new to Microsoft networking, as many candidates studying for Exam 70-290 are, read this background information carefully. If you have previous experience in Microsoft networking and/or already hold a certification in Windows NT/2000, you might be able to skip the first part of this chapter and start with the section titled What’s New in Windows Server 2003?

We start with a discussion of the NT operating system (OS) family tree because, to fully appreciate the features and capabilities of Microsoft's new server operating system, Windows Server 2003, you need to understand its origins. Although vastly more powerful and feature-rich, Windows Server 2003 is based on the same operating system kernel, the core code, as Windows NT. Windows NT Server was Microsoft's first operating system that was built on the idea of client-server networking, and introduced the idea of domains as administrative units to which computers and users belong. Then, with the release of Windows 2000 Server, Microsoft fully embraced the use of a powerful directory service called Active Directory to provide centralized object-oriented management. In this chapter, we will discuss these important concepts on which a Microsoft enterprise-level network is built.

The latest incarnation of Microsoft's server product, Windows Server 2003, brings many new features and improvements that make the network administrator's job easier. This chapter will briefly summarize what's new in Windows Server 2003, and introduce you to the four members of the Windows Server 2003 family: the Web Edition, the Standard Edition, the Enterprise Edition, and the Datacenter Edition. We'll also discuss how licensing works with Windows Server 2003, and provide a heads up on some of the issues you might encounter when installing the new OS or upgrading from Windows 2000.

History of the Windows Operating System Family

Microsoft has been in the OS market since the early 1980s. It is amazing how far they (and computers in general) have come in such a short time. Microsoft has two OS family lines, MS-DOS and Windows NT. Each line is made up of multiple families such as Windows 3.x, Windows 9x, Windows NT 3.x, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. This book is about Windows Server 2003, which is a descendant of the NT family. This section will give you an overview of both family lines starting with MS-DOS and transitioning into Windows NT.


Out of MS-DOS: Where It All Began

In 1980, IBM approached Microsoft about developing a new OS for their personal computers. At that time, Microsoft had never created an OS before, and recommended that IBM check with Gary Kildall of Digital Research about his "Control Program for Microcomputers" (CP/M) OS. CP/M had sold over 600,000 copies and was one of the most successful OSs on the market. After trying unsuccessfully to reach an agreement with Kildall, IBM went back to Microsoft and contracted with them to write the new OS.

The OS created for IBM was based on the "Quick and Dirty Operating System" (QDOS) created by Tim Paterson. Ironically, Paterson used a CP/M manual (written by Gary Kildall) as the basis for QDOS. It took him all of six weeks to write the new OS, which he sold to Microsoft for $50,000. Microsoft tweaked QDOS a little, renamed it, and then sold it to IBM under the name Personal Computer Disk Operating System (PC-DOS). Even though PC-DOS was designed for IBM, Microsoft retained the rights to the OS. This allowed them to market the OS to vendors other than IBM under the name Microsoft Disk Operating System (MS-DOS). MS-DOS (commonly just referred to as DOS) was officially released in 1981. Figure 1.1 shows the MS-DOS family line.

Figure 1.1 Following the MS-DOS Family Line

[Figure: the MS-DOS lineage. MS-DOS leads to Windows 1.0, then Windows 2.0, then the Windows 3.x family (Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, Windows for Workgroups 3.11), and finally the Windows 9x family (Windows 95, Windows 98, Windows 98 SE, Windows ME).]


Windows as a Graphical Shell

MS-DOS was a character-based operating system; it used keyboards and text commands to control the OS. This worked fine for "nerds"; however, it became apparent that if Microsoft wanted more people to buy their OSs, they needed to make them easier to use. The next logical step was to give their OSs a graphical user interface, or GUI (pronounced GOO-EE), and a pointing device (for example, a mouse). A GUI makes the OS more user friendly (as illustrated by the saying that "a picture is worth a thousand words"). With a GUI, you don't have to remember a long list of text commands; instead, you can just use your mouse to point and click on menu items and icons to accomplish the same thing.

NOTE

Microsoft has created some of the most popular GUIs of all time, but they did not invent the GUI. The Xerox Corporation developed it in the 1970s. Xerox created a computer system called the Alto, which used a three-button mouse, a bitmapped display, and graphical windows. To buy an Alto in the late 1970s would have cost you over $30,000 (that is over $75,000 in today's dollars).

Even though the GUI was created in the early 1970s, it really didn't become popular until the early 1980s. Apple released the Lisa in 1983, which was considered the first personal computer with a GUI. The Lisa never did become popular with consumers, partly because of its price ($10,000). Apple struck out again in 1984 when they released the Macintosh. It had a lower price ($2,500) than the Lisa did, but it still wasn't very popular (although it was more popular than Lisa was).

Microsoft entered the GUI market when they announced Windows 1.0 in 1983 (it did not ship until 1985). The first two versions of Windows (1.0 and 2.0) weren't huge performers. However, in 1990 Microsoft released Windows 3.0. This GUI was a runaway hit and was immediately embraced by consumers. Since Windows 3.0, Microsoft has created over 20 different versions of Windows, and they don't appear to be slowing anytime soon.

Microsoft created Windows as a GUI for DOS. When they began work on it in 1981, the GUI was called Interface Manager, but was later renamed Windows. In the early years, Microsoft named their OSs with version numbers. These numbers incremented as new releases came out (for example, Windows 3.1 was released after Windows 3.0). Starting with Windows 95, each OS was named after the year in which it was released (for example, Windows 98 was released in 1998).

In addition to providing a GUI for DOS, Windows overcame the inability to multitask. DOS only allowed one application to run at a time. If you wanted to go back and forth between applications, you had to exit one application before opening the other. Windows supported switching between applications without having to shut them down first.


Windows 1.0

Windows 1.0 was Microsoft's first attempt at a GUI. Windows 1.0 was announced on November 10, 1983, but didn't appear in retail outlets until November 1985, due to a number of delays in development. Windows 1.0 was not an OS in itself; it was an extension of DOS, a graphical shell that ran on top of DOS. It used bitmap displays and added the mouse as a way to navigate the OS, giving users an alternative to having to type their commands at the command prompt.

Windows 1.0 also allowed users to switch between programs (multitask). This was a huge improvement over DOS, which required that you quit one application before opening another. Since Windows 1.0 was still based on DOS, only one application actively ran at a time, but users could switch between paused applications without closing them.

NOTE

Early versions of Windows used a form of multitasking called cooperative multitasking. This method required that application programs be written to "give up" the processor after a time so that another program could use it. When programs were not written correctly, they could "hog" the processor, denying its use to other applications. This is in contrast to the preemptive multitasking used by Windows 9x and later OSs, in which the OS, not the application, controls the scheduling of processor time.


Even with this earliest version of Windows, Microsoft had already begun the tradition of including a number of applications and utilities built into the OS: a calendar, cardfile, clock, text editor (Notepad), and rudimentary word processing and graphics programs (Windows Write and Paint).

Windows 2.0

Windows 1.0 was not a resounding sales success, but Microsoft was determined to improve on the concept. Windows 2.0 was released in April 1987. It allowed users to control screen layout and overlap windows (Windows 1.0 only supported tiled windows). Icons to represent programs and files were added, which made the OS much more appealing to use and boosted its popularity over Windows 1.0. Windows 2.0 supported the Video Graphics Array (VGA) display system, which allowed you to use 16 colors at 640x480. Out of the box, Windows 2.0 supported the 286 processor, but to keep up with the changing times, Microsoft released a provisional version of Windows 2.0 called Windows/386 2.03 to support the new 386 processor. The 386 version was able to run more than one MS-DOS application at a time in extended memory in addition to multitasking Windows applications. Many major applications were developed for Windows 2.0, such as Excel and Word for Windows, CorelDraw, and PageMaker.


Windows 3.0

Windows 3.0 was released on May 22, 1990, and this was when Windows began to take off in sales. Building upon the success of Windows 2.0's improved graphics, the GUI in Windows 3.0 was updated with all new icons. For backward compatibility, Windows 3.0 allowed users to run and multitask older DOS software, but the environment was completely overhauled. Windows 3.0 was able to make use of memory beyond 640K so that much more powerful applications could be developed. One of the driving forces behind the popularity of Windows 3.0 was the Windows Software Development Kit (SDK), which made it easier for developers to write applications for Windows. Prior to this version, a large portion of development time was spent creating device drivers. However, Windows 3.0 supported virtual device drivers (VxDs), which minimized hardware dependencies by adding a virtual device (another software layer) between the devices and the OS.

Windows 3.1

Windows 3.1 was released on April 6, 1992 and became the best-selling GUI in the history of computing. It added multimedia functionality, which included support for connecting to external musical instruments and MIDI devices. TrueType font support was added to provide Windows with a WYSIWYG (pronounced “wizzy wig”) or “What You See Is What You Get” interface. Windows 3.1 added the ability to close applications by pressing Ctrl+Alt+Del and terminating hung applications from the list of running programs. Drag-and-drop functionality provided a new way to use the GUI, and support for Object Linking and Embedding (OLE) was added. OLE allowed embedding elements from different applications into one document.

Windows 3.11

Windows 3.11 was released on November 8, 1993. It did not add any feature improvements over Windows 3.1; it only corrected problems, most of which were network problems.

Microsoft replaced all new retail versions of Windows 3.1 with Windows 3.11 and provided a free upgrade via their Web site to anyone who currently owned Windows 3.1 (although at that time, many Windows users did not have access to the Internet).

Windows for Workgroups 3.1

Windows for Workgroups (WFW) 3.1 was released in April 1992. It was the first Microsoft OS to provide native support for peer-to-peer networks. It supported file and printer sharing and made it easy to specify which files should be shared with other computers running DOS or Windows. WFW also included Microsoft Mail (an e-mail client) and Schedule+ (a workgroup scheduler).

Windows for Workgroups 3.11

Windows for Workgroups (WFW) 3.11 was released in February 1994 and was geared toward local area networking. This made it a hit for corporations wanting to increase productivity by sharing information. The default networking protocol was NetBEUI, which does not support routing across internetworks, but TCP/IP or IPX/SPX could be added.

WFW 3.11 clients could connect to both workgroups and domains (these are explained later in this chapter), and it provided built-in support for Novell NetWare Networks. This was a strategic move, because in 1993 Novell held the majority of the market share for server OSs. WFW 3.11 also improved support for remote access services.

Windows 95

Windows 95 was released on August 24, 1995 and it changed the face of Windows forever. Windows 95 was designed with the end user in mind, with features such as Plug-and-Play to make hardware installations easier, and dial-up networking for connecting to the Internet or another network via a modem. Windows 95 was the first Microsoft OS that supported long filenames (earlier OSs required compliance with the “eight-dot-three” naming convention). Windows 95 also supported preemptive multitasking. Perhaps the most drastic change was that Windows 95 was a “real” OS; unlike its predecessors, it did not require DOS to be installed first.

Windows 95b (also called OSR2) was an improved version that was never offered for sale to the public; it was only available to Original Equipment Manufacturers (OEMs) to install on new computers that they were offering for sale. Windows 95b added support for universal serial bus (USB) devices and the FAT32 file system that allowed for larger partitions, better disk space usage, and better performance.

Windows 98

Windows 98 was released on June 25, 1998. It was the retail upgrade to Windows 95 that provided support for reading DVDs and using USB devices. Applications in Windows 98 opened and closed more quickly. Like 95b, Windows 98 included a FAT32 converter, which allowed you to use hard drives over the 2GB limit imposed by DOS. The backup program was revamped to support more backup devices (including SCSI devices) and Microsoft added the Disk Cleanup utility to help find and delete old unused files. Windows 98 also included Internet Explorer 4.0 and the Active Desktop.

Windows 98 Second Edition

Windows 98 Second Edition (SE) was released on June 25, 1998 as an incremental update to Windows 98. Windows 98 SE improved the home multimedia experience, home networking and Internet browsing. Windows 98 SE introduced Internet Connection Sharing (ICS), which allowed a Windows 98 SE machine to function as a Network Address Translation (NAT) server for other machines on the home network. In other words, you could have multiple machines connected to the Internet at the same time using only a single ISP account and a single public IP address, and all Internet traffic would go through the Windows 98 SE machine running ICS. Windows 98 SE also included NetMeeting conferencing software and Internet Explorer 5.0. Windows 98 SE was the first consumer OS capable of using the same drivers as Windows NT 4.0.


Windows ME

Windows Millennium Edition (ME) was the last OS built on the MS-DOS kernel. It was released on September 14, 2000, and added improved support for digital media through applications such as Image Acquisition, Movie Maker, and Windows Media Player. Image Acquisition was added to simplify downloading images from digital cameras. Movie Maker was included to ease editing and recording digital video media files. Media Player was used to organize and play music and video files.

To enhance reliability, Windows ME added the system restore feature, which could be used to restore any deleted system files to fix problems. Another important feature was system file protection, which prevented important OS files from being changed by applications. ME also included a new home networking wizard to ease adding peripherals and computers to a home network.

OS/2: an IBM/Microsoft Joint Venture

All of the versions of Windows (Windows 1.0 through Windows ME) discussed previously are built on the MS-DOS kernel. In the mid to late 1980s, around the Windows 2.0 timeframe, Microsoft and IBM decided to work together to create a replacement for the MS-DOS kernel. This replacement was called OS/2. It supported multitasking, used up to 16MB of memory (which was a lot at the time), and was backward compatible with DOS applications.

OS/2 1.0 was released in December 1987. It was the first OS to provide for multitasking based on hardware support. It was a text-based OS that ran on 80286 systems, but version 1.1 of OS/2 added a GUI named Presentation Manager. Version 1.20 improved the Presentation Manager and introduced the High Performance File System (HPFS), which provided many of the features later offered by Microsoft in NTFS.

Microsoft and IBM were working together on the first 32-bit OS, which was to be OS/2 2.0, when the two companies parted ways.

After the “Divorce”: A New Technology Emerges

Working together on the same OS proved to be too much of a burden for both Microsoft and IBM. This was exacerbated by the success of Microsoft’s Windows, to which they were devoting more and more of their time. The companies agreed to split the work. Each company would still have access to each other’s source code, but IBM would create OS/2 2.0 and Microsoft would create OS/2 3.0. OS/2 2.0 was meant to be the replacement for OS/2 1.3 and Windows 3.0, whereas OS/2 3.0 would be the replacement for OS/2 2.0.

OS/2 2.0 was released in 1992, and was a 32-bit OS that ran DOS and Windows 3.1 programs (using Virtual DOS Machines, or VDMs) as well as native OS/2 applications. This version also introduced the Workplace Shell, which was an object-oriented user interface that was integrated with the OS and file system.

Microsoft made a strategic business decision at that time. They decided that instead of focusing their attention on OS/2, they should create a new 32-bit version of Windows. This new version of Windows (Windows NT) was a huge hit. Developers liked it because it used the same programming model they were used to. Unlike OS/2, which used a completely different programming model, Windows NT made it very easy to move applications from the 16-bit Windows platform to the 32-bit Windows NT platform. Consumers liked it because it used an interface similar to Windows 3.0, with which they were already familiar.

After IBM caught wind of Microsoft’s new product, the ties were severed between IBM and Microsoft. Each would maintain the rights for everything co-developed up to that point, but there would be no more joint development. IBM continued working on OS/2 (and went on to develop OS/2 Warp, still in use in some niche business sectors today), and Microsoft scrapped OS/2 in favor of Windows NT.

Windows 9x versus Windows NT-Based Operating Systems

Windows 9x and Windows NT support peer-to-peer and domain-based networks.

Windows 9x supports logging on to a domain, but does not support being “joined to a domain.” This means that Windows 9x machines cannot have a machine account on the domain and cannot be managed with domain tools such as Active Directory Users and Computers. Windows 9x can function as a client and/or server in a workgroup environment, but Windows NT comes in two distinct versions:

A workstation version designed to be used primarily as a client operating system

A server version that can operate as a standalone file/print server or as a centralized authentication server (called a domain controller in Microsoft networking terminology)

Unlike 9x, NT is multithreaded and can support symmetric multiprocessing (SMP), which allows you to increase the performance of an application by adding more processors (if the application was written to support multiple processors).

Windows 9x is based on the MS-DOS kernel and is meant to be backward compatible with older DOS and Windows 3.x applications. This is great for consumers who need to run older applications, but compatibility does come at a cost. Older 16-bit apps all run in the same memory address space, which means that if one 16-bit app fails, it can bring down the entire OS.

Windows NT was built with stability and security in mind. 32-bit applications run in their own separate memory spaces, and older Windows 3.x and DOS applications run in virtual machines. Thus, the failure of an application cannot bring down the entire OS, which is the reason why 9x machines crashed more frequently and had to be rebooted more often than NT machines did. One of the means by which NT remains more stable is by restricting applications from directly accessing the hardware. Applications must interact with the hardware through the Hardware Abstraction Layer (HAL) of the OS. As usual, there is a catch; this extra stability sacrifices compatibility. NT does not work with as many applications and drivers as 9x does.


The NT OS Family Tree

Windows NT was focused on business users, and was built new from the ground up to provide the stability, reliability, and security features needed in the business environment.

Until Microsoft comes up with a completely new kernel, all future versions of Windows will be descendants of the NT family line. Just as with the MS-DOS family line, Microsoft started off naming Windows NT with version numbers. Starting with Windows 2000, Windows was named after the year it was released, and the letters NT were removed from the name (although the tag line “built on NT technology” remained on the splash screen).

Figure 1.2 shows the structure of the NT family line.

Figure 1.2 Following the Windows NT Family Line

[Figure: a tree diagram of the Windows NT family line. Windows NT branches into Windows NT 3.x (NT 3.1, NT 3.5, and NT 3.51, each in Workstation and Server or Advanced Server versions); Windows NT 4.0 (Workstation, Server, Enterprise Edition, and Terminal Server Edition); Windows 2000 (Professional, Server, Advanced Server, and Datacenter Edition); Windows XP (Home Edition, Professional 32-Bit / 64-Bit, Media Center Edition, and Tablet PC Edition); and Windows Server 2003 (Web Edition, Standard Edition, Enterprise Edition 32-Bit / 64-Bit, and Datacenter Edition 32-Bit / 64-Bit).]

Windows NT 3.x

The Windows NT 3.x family was in production from 1993 to 1996. There were three releases within the 3.x family: Windows NT 3.1, Windows NT 3.5, and Windows NT 3.51.

The Windows NT 3.x GUI was similar to the Windows 3.x GUI, which made for an easy transition from the consumer line (Windows 3.x) to the business line (Windows NT 3.x).

Each release of Windows NT 3.x had two versions, a desktop version called Workstation and a server version called Server in NT 3.1 or Advanced Server in NT 3.51. As we discuss the versions of NT 3.x, we will be referring to the server version.

Windows NT 3.1

Windows NT 3.1 was released on July 27, 1993. Even though this was the first version of NT, Microsoft chose to name it version 3.1, to build on the success of Windows 3.1. NT was created with a client/server networking model in mind. Windows NT 3.1 supported Microsoft’s domain concept by functioning as a domain controller. It was also commonly used as an application server running applications such as Microsoft SQL Server (database application), Microsoft SNA Server (gateway application), and Microsoft Mail (e-mail application). Windows NT 3.1 was more scalable, fault tolerant, and secure than anything else Microsoft had produced up to that point. It provided centralized server management and centralized logons. NT 3.1 introduced NTFS, multiprocessor support, and the Win32 application programming interface (API). The Win32 API was a big hit with developers because it made it easy to port over existing 16-bit apps, while making them more secure and stable.

Windows NT 3.5

Windows NT 3.5 was released in 1994. It kept the stability of Windows NT 3.1, but improved upon connectivity with other OSs. It was designed to work well in UNIX and Novell NetWare networks. To aid with server management, Microsoft added new administration tools and automatic reboot capabilities. NT 3.5 supported filenames up to 255 characters and supported high-end applications via the OpenGL graphics standard. This version also introduced new accessibility features for users with physical disabilities.

Windows NT 3.51

Windows NT 3.51 was an incremental update to Windows NT 3.5. It added a utility to assist customers with managing Client Access Licenses (CALs) for the BackOffice suite and a tool to enable over-the-network installations of Windows 95. It also supported remote booting and PCMCIA (PC Card) devices.

Windows NT 4.0

The Windows NT 4.0 family was in production from 1996 to 2000. There were four releases within the 4.0 family: Windows NT 4.0 Workstation, Windows NT 4.0 Server, Windows NT 4.0 Server Enterprise Edition, and Windows NT 4.0 Terminal Server Edition. Like NT 3.x, the Workstation version of NT 4.0 was a desktop OS. The NT 4.0 GUI was similar to the Windows 95 GUI, just as Windows NT 3.x was similar to Windows 3.x. Once again, this made it easy to transition from the consumer line (Windows 9x) to the business line (Windows NT 4.0).


Windows NT 4.0 Server

Windows NT 4.0 Server shipped in 1996. This was the first version of NT to be truly 32-bit. It provided higher network throughput and made for quicker file and print services.

NT 4.0 was bundled with Internet Information Server (IIS), Microsoft’s Web server product, along with a suite of tools for managing and developing intranets.

Windows NT Server 4.0 Enterprise Edition

Windows NT 4.0 Enterprise Edition was released in 1997. This release was geared toward large companies that needed more than NT Server could offer. Enterprise Edition provided higher availability due to the built-in support for the Microsoft Cluster Service (MSCS) and for Windows Load Balancing (WLB). Enterprise Edition also supported more memory and more processors (up to eight) than Server, making it the most scalable Windows platform thus far. Enterprise Edition allowed applications to communicate at different times with systems on heterogeneous networks via Microsoft Message Queue Server (MSMQ).

Windows NT Server 4.0 Terminal Server Edition

Windows NT Server 4.0 Terminal Server Edition was released in 1998 and was based on technology developed by Citrix. It was a multiuser server OS that allowed multiple desktop machines to simultaneously run sessions on the Terminal Server via client software.

Desktops would run the Terminal Server client software, but all processing took place on the server, thus the desktop machines could be low powered, inexpensive “thin clients.”

Microsoft provided client software for all Windows, UNIX, and Macintosh platforms, as well as the embedded OS in Windows-based terminal devices, thereby allowing almost any personal computer to run Windows-based applications via a Terminal Server desktop.

Windows 2000

Windows 2000 was released in February 2000, and put an end to the NT name forever. Even though it was built on the same NT kernel, it no longer bears the name. Windows 2000 shipped with four versions: Professional, Server, Advanced Server, and Datacenter Server. Professional was the replacement for NT 4.0 Workstation and was used as a desktop/client OS. Windows 2000 added many of the features on every NT 4.0 user’s wish list, such as a disk defragmenter, device manager, and Plug-and-Play support. There is no separate version of Windows 2000 for Terminal Services; instead, all three server products include the ability to install Terminal Server services as part of the OS.

Windows XP/Windows Server 2003

Windows XP and Windows Server 2003 are based on the same code and are the client and server editions of the same OS, with the same relationship to one another as Windows 2000 Professional and Windows 2000 Server. In the early beta stage, both bore the code name Whistler; however, Microsoft decided to release the desktop version before the server version was completed, and changed the names.

Windows XP is available in four 32-bit editions:

Windows XP Home Edition

Windows XP Professional

Windows XP Media Center Edition

Windows XP Tablet PC Edition

There is also a 64-bit version of XP, designed to run on the Itanium processor.

With XP, for the first time ever, Microsoft merged the consumer OS and business OS into the same family. No more 9x versus NT. Now everyone is using XP. Although the Home Edition and Media Center Edition are targeted toward consumers, while Professional and Tablet PC are targeted to business users, all are built on the same NT kernel.

Windows Server 2003 comes in four editions (discussed later in this chapter):

Windows Server 2003 Web Edition

Standard Edition

Enterprise Edition

Datacenter Server

Windows Server 2003 comes in both 32-bit and 64-bit versions.

Windows XP introduced a new variation to the 9x style GUI. The new interface is called LUNA and is also used by Windows Server 2003 (see Figure 1.3). The idea behind LUNA is to clean up your desktop and access everything that you need from the Start menu. If you don’t care for LUNA, both XP and Windows Server 2003 also support the classic Windows 9x/NT 4.0 style GUI (see Figure 1.4).

Figure 1.3 Using the New LUNA Interface in Windows Server 2003


Figure 1.4 Using the Classic Start Menu in Windows Server 2003

Windows XP Home Edition

Windows XP Home Edition was released in 2001. It is the first consumer OS based on the NT code, which makes it the most stable and secure Microsoft consumer OS to date.

Home Edition supports the Internet Connection Firewall (ICF), which protects your computer while you are connected to the Internet. Multiple users sharing a machine is easier than ever, thanks to Fast User Switching, which allows you to switch between users’ desktops without having to log off first. Home networking and multimedia capabilities have been enhanced in Home Edition. Remote Assistance is a new feature that lets you ask someone for help. The helper can then remotely control your desktop and chat with you online. Also included are features that are familiar to Windows 2000 Professional users, but were missing from the 9x line, such as Task Manager and System Monitor, and brand new features such as the Desktop Cleanup Wizard and taskbar grouping.

NOTE

For a full list of Windows XP Home Edition’s features, see the Microsoft Home Edition Web site at www.microsoft.com/windowsxp/home/evaluation/features.asp.

Windows XP Professional

Windows XP Professional includes all of the features of Home Edition, and many new features geared toward business uses. Some of the new features include:

Remote desktop, which allows XP Pro to act as a mini Terminal Server, hosting one remote session.

Encrypting File System (EFS), which allows you to encrypt files stored on disk. EFS was included with Windows 2000 Professional, but XP Professional adds the ability to share encrypted files with other users.


Internet Protocol Security (IPSec), which allows you to encrypt data that travels across the network to protect it from “sniffers.”

Integrated smart card support, which allows you to use smart card authentication to log on to the network, including Windows Server 2003 terminal sessions.

Recovery console, which provides a command-line interface that administrators can use to perform repair tasks if the computer won’t boot.

The ability to join a Windows domain (domains are discussed later in the chapter). While users who have a domain account can log onto the domain from an XP Home computer, the Home computer cannot have a computer account in the domain. XP Professional computers have computer accounts, allowing the administrator to manage them centrally.

Windows XP Professional is Microsoft’s current business desktop OS in use today.

Windows XP Professional 64-Bit Edition

Windows XP Professional 64-Bit Edition runs on the Itanium 2 processor and takes full advantage of its floating-point capabilities. Per Microsoft, “Windows XP 64-Bit Edition was designed to meet the demands of technical workstation users who require large amounts of memory and floating-point performance in areas such as mechanical design and analysis, 3D animation, video editing and composition, and scientific and high-performance computing applications.” 64-Bit Edition supports up to 16GB of RAM and will run 32-bit applications designed for Windows XP Professional (in addition to 64-bit applications), allowing your power users to use one workstation for everything.

However, 64-bit Windows is not for everyone. The 64-bit edition of XP does not support many of the multimedia features found in 32-bit XP, such as CD recording, some of the Windows Media technologies, NetMeeting, and IEEE 1394 (FireWire) audio. It also doesn’t support old subsystems and protocols such as the MS-DOS and 16-bit subsystems, IPX/SPX, AppleTalk, DLC, NetBEUI, and Services for Macintosh. System Restore is not included, and laptop features such as PC Card, IrDA, hot docking, and power management are not supported. Other features not included are Windows Messenger Service, Internet Locator Service (ILS) and SharePoint Team Services. Finally, there are a number of system administration and miscellaneous features that are not supported, including Windows Installer, Remote Assistance, Windows Product Activation (WPA), the File and Settings Transfer Wizard, and speech recognition.

Windows XP Media Center Edition

Windows XP Media Center Edition is built on Windows XP technology and comes preinstalled on Media Center PCs. Media Center Edition combines home entertainment and personal computing. It puts all of your media in one place and allows you to control it via remote control. Some of the features of Windows XP Media Center Edition include:


Watching live TV

Personal Video Recording (PVR)

Electronic Program Guide (Guide)

Playing DVDs

Listening to music

Watching videos

The Media Center Remote Control

Windows XP Tablet PC Edition

Windows XP Tablet PC Edition was designed to run on tablet PCs. Tablet PCs look and function like laptops; however, you can swivel the screen around and write on them like a personal data assistant (PDA). Tablet PC Edition builds on Windows XP Professional, making it compatible with Windows XP applications, such as Office XP. Tablet PC Edition offers the following features:

Windows Journal, which is used to take handwritten notes.

Tablet PC Input Panel, which is used when you do not want to use your keyboard for inputting data.

InkBall, a game that improves your skills with writing on a tablet PC.

Sticky Notes, which are the electronic equivalent to yellow paper sticky notes.

Windows Server Operating System Basics

After discussing the timeline of the development of Windows family operating systems, we can see how Windows evolved over the years. Windows started off as a stand-alone product, with each machine independent of other machines. Next, the computer industry responded to the needs of users to share resources between machines over a network, and peer-to-peer networks were born. As networks grew larger, peer-to-peer networks started losing their appeal because of the difficulty of administration, and Microsoft moved to a client-server networking model, in which they introduced their domain concept. Eventually, as with peer-to-peer networks, companies started to outgrow their domains, and multidomain environments needed a better way for computers to interact across domains. Consequently, Microsoft introduced a new directory service called Active Directory to make it easier to locate resources within a large, complex network. Microsoft’s latest server product, Windows Server 2003, still supports all of these concepts. You can use Windows Server 2003 in any network model, from peer-to-peer to Active Directory domain.


Client-Server Networking

Client-server networking is based on the idea of centralized sharing and centralized control.

Think of it this way: if you had five children, you could buy each his or her own box of crayons, or you could buy one larger box that they all would share (if only it were that easy). For less than what you would pay for five individual boxes of 20 crayons, you could buy one large 100-piece box of crayons. This would allow each of the children to have more colors available and would save you some money in the process.

Client-server networking does something similar for computers. Instead of sharing resources from each other’s machines, users attach to dedicated servers where all the network resources are stored. This allows you to use less powerful machines for desktops and put your money where it really matters, into your servers. As with the crayons, you are getting more for less. Users get better performance out of the higher end servers, and administrators get the benefits of centralized authentication and control. This makes for a more secure environment.

Centralized Authentication

A good rule of thumb when working with end users is to keep it simple. Most users want to log on to their PCs and work. They do not want to remember five different user account names and passwords, as is often the case when accessing resources on different workstations in a peer-to-peer network. Client-server networking makes things simple, because all shared files and printers are stored on the server. Users authenticate once to the server and they are done. They don’t have to remember one password for printing and another for accessing files. One account does it all. In fact, once authenticated to the domain, they can also access resources on other workstations in the domain (to which they have permission) without needing to have local accounts on those workstations.

Centralized Administration

For an administrator, client-server networking is the only way to go. Because everything is centralized, you will find it easier to manage shared files and printers, create and manage accounts, back up and restore data, and secure the network. If you have more than 5 to 10 machines, client-server networking is much more efficient than peer-to-peer networking.

Client-Server versus Peer-to-Peer Networking

Peer-to-peer networking is networking in its simplest form. When you link two or more computers together without a centralized authentication server, you have a peer-to-peer network (also called a workgroup). Peer-to-peer networks allow file and printer sharing, but unlike client-server networking, authentication is not centralized. In a peer-to-peer network, every machine has its own local user accounts that can access files as shown in Figure 1.5. If you want to access data on four machines, then you must have an account on each of the four machines. This is fine if there are only a few machines on the network, but when there are, for example, 50 machines, you have to use 50 different accounts. This means that you have to remember the passwords for all 50 and keep them synchronized (if possible).

Figure 1.5 Using Peer-to-Peer Networking

[Figure: four client PCs, each with its own shared folder and database, and each holding its own local user accounts for Mathew, Roger, Duncan, and Reagen.]

Client-server networking puts all shared objects on a centralized server, allowing everyone who has been granted permission to access them (as shown in Figure 1.6). Now, instead of having four user accounts to remember, you only have one. As discussed previously, this provides centralized administration and centralized authentication, which make it easier for administrators to manage and easier for users to understand. Microsoft used the concepts of client-server networking when they created the domain model for Windows NT.

The Domain Concept

The dictionary definition of domain is “a territory over which rule or control is exercised.” In other words, a domain is a control boundary. You can control objects within a domain together, as if they were one. In Microsoft computing terminology, a domain is a logical group of computers with a common database of accounts. All of these accounts are managed and secured together in a central location (on the domain controller). Domains provide centralized authentication and centralized account management.


Figure 1.6 Using Client-Server Networking

[Figure: four client PCs connected to a single server, which holds the shared folder, the database, and the accounts for Mathew, Roger, Duncan, and Reagen.]

NT Domains

The idea of domains was introduced to Windows in 1993 when Windows NT 3.1 was released. Prior to the advent of Windows NT 3.1 and Windows for Workgroups, all machines were configured in a peer-to-peer network. As previously discussed, this is an inefficient way of doing things once the network grows beyond a few computers.

An NT domain consists of one or more domain controllers, member servers, workstations, users, and groups. All domain controllers share a common database called the Security Account Manager (SAM) database. Each domain controller holds its own copy of the SAM database, but there is only one writeable copy of the SAM database, which is stored on the Primary Domain Controller (PDC), the first domain controller created in the domain. All other domain controllers are considered backup domain controllers (BDCs) and hold a read-only copy of the SAM. Whenever changes to the SAM database are made, they are made to the PDC and then replicated to the BDCs. This design is called a single master replication model. Member servers and workstations can be “joined to the domain,” which means they have accounts in the SAM database and can be centrally managed. User and group accounts are also created within the domain, which allows centralized account management and the ability for users to use one user account to access everything they need.

Windows 2000/Server 2003 Domains

Windows 2000 and Windows Server 2003 also use the concept of domains, but with some changes. As in NT, domains provide centralized account management and centralized sign-on capabilities. The domain database is still contained on domain controllers. Workstations and servers can still be joined to the domain, and users and groups (there are more group types now) can still be created in the domain.


However, there are several differences between NT and Windows 2000/Server 2003 domains. In the latter, domains no longer use a single master replication model. There are no more PDCs and BDCs. Now, all domain controllers are equal and are just referred to as domain controllers (DCs), although there are several different operations master roles that can be assigned to different DCs. Windows 2000/Server 2003 domains use a multimaster replication model, in which all DCs can read and write to their copies of the database. This eliminates the PDC as a single point of failure.
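The two replication models described above, as an added example that is not part of the study guide or of any Microsoft code: a small Python model of a single-master domain (writes accepted only at the PDC and pushed to the BDCs) and of a multi-master domain (every DC writable, replicas reconciled per attribute by a version counter with the originating stamp as tie-breaker, which is a simplified form of the rule Active Directory applies). DC names, account names and the clock are made up for the example. It shows why the PDC is a single point of failure for writes, that a multi-master domain keeps accepting changes while one DC is down, and that when two DCs change the same attribute during a replication gap, the copy that was changed more times wins even if the other copy was written later.

```python
"""Single-master (NT PDC/BDC) versus multi-master (AD) replication, modelled.

Added example, not code from the study guide or from Microsoft. In the
single-master model every write goes to the PDC, so a PDC outage blocks account
changes. In the multi-master model any online DC accepts a write and replicas
converge by exchanging changes; when two DCs changed the same attribute the
higher version wins and, on a tie, the later originating stamp (a simplified
form of AD's per-attribute rule). DC and account names are made up.
"""
import itertools


class MasterDown(Exception):
    """Raised when the DC that would have to accept the write is offline."""


class SingleMasterDomain:
    """NT-style domain: one writable SAM on the PDC, read-only copies on BDCs."""

    def __init__(self, pdc, bdcs):
        self.pdc, self.bdcs = pdc, list(bdcs)
        self.online = {name: True for name in [pdc, *bdcs]}
        self.db = {name: {} for name in self.online}     # per-DC copy of the SAM

    def write(self, account, attr, value):
        if not self.online[self.pdc]:
            raise MasterDown("PDC offline: no account changes are possible")
        self.db[self.pdc].setdefault(account, {})[attr] = value
        self.replicate()

    def replicate(self):
        """The PDC pushes a full copy to every BDC that is online."""
        for bdc in self.bdcs:
            if self.online[bdc]:
                self.db[bdc] = {a: dict(v) for a, v in self.db[self.pdc].items()}

    def read(self, dc, account, attr):
        return self.db[dc].get(account, {}).get(attr)


class MultiMasterDomain:
    """AD-style domain: every DC is writable; each attribute value carries
    (version, originating stamp, originating DC, value) for conflict resolution."""

    def __init__(self, dcs):
        self.online = {dc: True for dc in dcs}
        self.db = {dc: {} for dc in dcs}
        self._clock = itertools.count(1)          # stands in for originating timestamps

    def write(self, dc, account, attr, value):
        if not self.online[dc]:
            raise MasterDown(f"{dc} offline")
        current = self.db[dc].get(account, {}).get(attr)
        version = current[0] + 1 if current else 1
        self.db[dc].setdefault(account, {})[attr] = (version, next(self._clock), dc, value)

    def read(self, dc, account, attr):
        stamp = self.db[dc].get(account, {}).get(attr)
        return stamp[3] if stamp else None

    def replicate(self):
        """Pairwise exchange between online DCs until no replica changes."""
        live = [dc for dc, up in self.online.items() if up]
        changed = True
        while changed:
            changed = False
            for src, dst in itertools.permutations(live, 2):
                for account, attrs in self.db[src].items():
                    for attr, stamp in attrs.items():
                        mine = self.db[dst].setdefault(account, {}).get(attr)
                        if mine is None or stamp[:3] > mine[:3]:   # version, then stamp, then DC
                            self.db[dst][account][attr] = stamp
                            changed = True


def demo_single_master():
    """Returns (value a BDC still serves during the PDC outage, whether the write was blocked)."""
    nt = SingleMasterDomain("PDC1", ["BDC1"])
    nt.write("alice", "password", "v1")
    nt.online["PDC1"] = False
    try:
        nt.write("alice", "password", "v2")
        blocked = False
    except MasterDown:
        blocked = True
    return nt.read("BDC1", "alice", "password"), blocked


def demo_multi_master():
    """DC1 is down, DC2 still takes the write, and DC1 picks it up on return."""
    ad = MultiMasterDomain(["DC1", "DC2"])
    ad.write("DC1", "alice", "password", "v1")
    ad.replicate()
    ad.online["DC1"] = False
    ad.write("DC2", "alice", "password", "v2")
    ad.online["DC1"] = True
    ad.replicate()
    return ad.read("DC1", "alice", "password")


def demo_conflict():
    """Both DCs edit the same attribute while unable to replicate; the replica that
    changed it more times (higher version) wins even though DC2 wrote last."""
    ad = MultiMasterDomain(["DC1", "DC2"])
    ad.write("DC1", "alice", "description", "a")
    ad.replicate()
    ad.write("DC1", "alice", "description", "b")   # version 2 on DC1
    ad.write("DC1", "alice", "description", "c")   # version 3 on DC1
    ad.write("DC2", "alice", "description", "d")   # version 2 on DC2, later stamp
    ad.replicate()
    return ad.read("DC1", "alice", "description"), ad.read("DC2", "alice", "description")


if __name__ == "__main__":
    print(demo_single_master(), demo_multi_master(), demo_conflict())
```

The conflict case is the practical lesson: in a multi-master directory you cannot reason about which change "happened last" from wall-clock time alone, which matters when you are reconstructing who changed a sensitive attribute and from where.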

Another important difference is where the authentication credentials are stored. Instead of the SAM database, Windows 2000/Server 2003 domains store this information in the Active Directory, which we’ll discuss in the next section.

Directory Services

Directory services have been a popular buzzword since the development of directory services standards, especially since Novell implemented Novell Directory Services (NDS) for NetWare. It seems as if everyone is talking about or using some type of directory service. Network OSs now have their own directory services; Novell currently has eDirectory, and Microsoft has Active Directory. One of the first network operating system directories was Banyan VINES’ StreetTalk, which could be added onto Windows NT to provide a full-fledged directory service.

Directory services can be used to store all types of information, including account authentication information. If you work in the computer networking field, it is likely that you will eventually implement some sort of directory service.

What Are Directory Services?

In its simplest form, a directory service is a way of storing information in a directory so it can easily be retrieved and used later. Directories predate electronic data; think of the telephone directory, product catalogs, and other directories published in print form. A directory service should include a set of rules to follow for naming its objects (the items entered in the directory), and a set of rules on how to store those objects. You should be able to add to and remove from a directory service as things change.

In computer networking, a directory service is a network-wide database that stores information including (but not limited to) information on people, files, printers, and applications.

The directory service functions as a central point of management for the network OS in use, and assists in locating information or objects on the network.The directory can store authentication credentials, user preferences and profiles, network configuration information, and so forth. Directories differ from other databases in that they are more often read than written to.

The rules that govern information format and how it is stored are located in a schema, which can be modified to meet the needs of your particular organization.

The basic components of a directory service include:

■ A schema that defines the types of objects stored in the directory (object classes) and the attributes that can be assigned to them.

■ Objects, which are representations of users, printers, applications, computers, and other entities, information about which is stored in the directory.

■ Object classes, which are specific types of entities that can be stored in the directory.

■ Attributes, which are the properties of an object (for example, user attributes would include the user’s full name, account name, address, telephone number, and so forth).

■ A way to search the directory for information about the objects stored there.

History of Directory Services

The first directories were paper directories like the telephone book or TV guides. Some of the first electronic directories were DNS and WHOIS. Later, application directory services appeared in e-mail products such as Microsoft Exchange, Novell GroupWise, and Lotus cc:Mail, and in online directory services functioning as electronic phonebooks such as Four11, Switchboard, and BigFoot.

It might be difficult to think of an electronic telephone book as a directory service, but it does match our definition. It has a set of rules for naming its objects (last name, first name) and a set of rules for storing its objects (alphabetically based on function). You can add to and remove from the telephone book as people move and their phone numbers change, and items can easily be retrieved from the phone book when needed. The most recent type of directory services to show up are network operating system (NOS) directory services such as Novell Directory Services, Banyan VINES, and Microsoft Active Directory.

Directory Services Standards

Most directories in use today are based on the X.500 standards. The X.500 standards are recommendations published by the International Organization for Standardization (ISO) and the International Telecommunication Union (ITU) that define how to organize a directory. X.500 is not itself a directory; it is a model that vendors can use to build their own directories. Standards make compatibility between different products possible. If two separate vendors use the same model for their directories, then data sharing between the two directories should be possible. X.500 is to directories what the OSI model is to networking. X.500 defines standards for (among other things) creating a schema, defining attributes, and organizing data within the directory.


NOTE

The following two links might prove helpful for a more thorough understanding of the X.500 standards and the OSI model:

See www.isi.salford.ac.uk/staff/dwc/X500.htm for an explanation of the X.500 standards.

See www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introint.htm for an explanation of the OSI model.

NT Directory Services

Most people think of Windows 2000 in relation to Microsoft’s directory services. Some people don’t even think of NT as having a directory service. However, based on our definition of a directory service (a way of storing information so it can easily be retrieved and used later), NT does have one, although it is not nearly as structured and full-featured as the Active Directory. NT’s directory service (NTDS) enables users to be identified and provides access to resources throughout the network. It also allows an administrator to centrally manage the users and the network together.

NTDS was based on the domain concept and provided a means for locating objects and information within the domain. It contained users, groups, and machines; however, it was a flat database, as opposed to the hierarchical structure of more complex directories such as NDS and Active Directory.

Active Directory

Active Directory first appeared in Windows 2000 Server. Active Directory is based on the X.500 standards. It has been improved and is still in use in Windows Server 2003. Active Directory does not use the flat structure of NTDS; instead, it is hierarchical in design (sometimes referred to as a tree structure). This allows logical separation within the directory for organization and management.

Active Directory allows you to customize your directory into an intuitive structure for your environment. It is not a “one size fits all” directory like NT. Active Directory still uses the concepts of domains, but it changes the ways they are organized and connected. In addition to domains, Active Directory uses additional structural elements such as domain trees, forests, and organizational units (OUs) for directory organization.

NOTE

Interestingly, the NTDS name has been retained for the database file in which the Windows 2000 and Windows Server 2003 Active Directory database is stored, ntds.dit, which is located by default in the %SystemRoot%\NTDS directory and contains the schema, link, and data tables.


What’s New in Windows Server 2003?

Windows Server 2003 improves upon previous versions of Windows in the areas of availability, reliability, security, and scalability. Windows Server 2003 is designed to allow customers to do more with less. According to Microsoft, companies that have deployed Windows Server 2003 have been able to operate with up to 30 percent greater efficiency in the areas of application development and administrative overhead.

Why a New Server Operating System?

Microsoft has released a new server OS approximately every three years. Each time, the primary question asked by those charged with making the upgrade decision is, “Why should I switch to this version?”

Upgrading from Windows NT 3.x to Windows NT 4.0 got you the new Windows 9x style interface (among other things). Upgrading from Windows NT 4.0 to Windows 2000 got you Active Directory and Group Policy (also among other things). So, what are the significant differences in Windows Server 2003 that should convince you to make the switch?

The answer, for many, will be the strong focus on security. For others, new management and networking features might be the deciding factor. In the following sections, we will look at these more closely.

New Features

Microsoft has enhanced most of the features carried over from Windows 2000 Server and has added some brand new features for Windows Server 2003. For example:

■ Active Directory has been updated to improve replication, management, and migrations.

■ File and Print services have been updated to make them more dependable and quicker.

■ The number of nodes supported in clustering has been increased and new tools have been added to aid in cluster management.

■ Terminal Server better supports using local resources when using the Remote Desktop Protocol.

■ IIS 6.0, Media Services 9.0, and XML Web services have been added to Windows Server 2003.

■ New networking technologies and protocols are supported, including Simple Object Access Protocol (SOAP), Web Distributed Authoring and Versioning (WebDAV), IPv6, wireless networking, Fibre Channel, and automatic configuration for multiple networks.

■ A plethora of new command-line tools have been added for easier administration.

■ Software Restriction Policies allow administrators to control which applications can be run.

■ All features of Windows have been updated to reflect Microsoft’s security initiative.

New Active Directory Features

Windows Server 2003 enhances the management of Active Directory.There are more AD management tools now and the tools are easier than ever to use. Microsoft has made it painless to deploy Active Directory in Windows Server 2003.The migration tools have been greatly improved to make way for seamless migrations.

In the corporate world where mergers and acquisitions are common, things change all the time. It is not uncommon for a company to change its name two or three times in one year, which is a real hassle for network administrators in companies running a Windows 2000 Active Directory. Now, with Windows Server 2003, you can rename your domains. You can change the NetBIOS name, the DNS name, or both.

Another problem with mergers is the need to configure trust relationships. With Windows 2000, if two companies merge and each has a separate Active Directory, they need to either set up explicit nontransitive external trusts between all of their domains or collapse one forest into the other. Neither of these is an ideal choice. The trusts are easy enough to set up, but then you lose the benefits of being in a single forest. Collapsing forests can require a lot of work, depending on the environment.

Windows Server 2003 Active Directory now supports forest-level trusts. By setting the trusts at the forest roots, you enable cross-forest authentication and cross-forest authorization. Cross-forest authentication provides a single sign-on experience by allowing users in one forest to access machines in another forest via NTLM or Kerberos. Cross-forest authorization allows assigning permissions for users in one forest to resources in another forest. Permissions can be assigned to the user ID or through groups.

Renaming Your Domain

The Domain Rename tool allows you to rename any of your domains, as long as all domain controllers in the forest are running Windows Server 2003. It allows you to restructure domains within a tree and create new trees. However, it does not allow you to change which domain is the forest root. In addition, you cannot add and remove domains from the forest; you can only rename them and you can’t reuse names.

You can get the Domain Rename tool (rendom.exe) from the server CD under the Valueadd\Msft\Mgmt\Domren folder, or you can download it from www.microsoft.com/windowsserver2003/downloads/domainrename.mspx.


Not all improvements have to do with mergers and multiple forests. In the past, it was common practice for companies with many offices spread out geographically to build their domain controllers locally and ship them to the remote offices. This was because of replication issues. When a new domain controller is created, it must pull a full copy of the Active Directory database from another domain controller. This full replication can easily oversaturate a slow network link. However, with Windows Server 2003, you can create a new domain controller and pull the Active Directory information from your backup media (the install-from-media option of dcpromo /adv, which uses a system state backup of an existing domain controller). The newly created domain controller then only has to replicate the changes that have occurred since the backup was made. This usually results in much less traffic than replicating the entire database.

EXAM WARNING

Active Directory now allows cross-forest authorization through forest-level transitive trusts. This allows every domain in multiple forests to share resources with each other while maintaining single sign-on capabilities. To use forest-level trusts, your forest functional level must be set to Windows Server 2003 (which means you cannot have any NT or Windows 2000 domain controllers in the forest).

Transitivity means that if A trusts B and B trusts C, then A can get to C via the shared trust. It allows you to have multiple domains trust each other, while maintaining a minimal set of trusts. Windows 2000 doesn’t support transitive trusts between forests; this is a new feature for Windows Server 2003.
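The transitivity rule in the warning above, as an added example that is not part of the study guide: a small Python model of trust paths that answers "whose accounts can a resource domain authenticate?" It goes slightly beyond the A-B-C case in the text by also modelling the two limits this chapter mentions elsewhere: an explicit NT-style external trust is nontransitive (one hop only), and a forest trust is transitive only across the two forests it joins, never on to a third forest. Domain names and the topology are made up, and the trust kind labels are this example's own.

```python
"""Which account domains can authenticate to a resource domain, given its trusts.

Added example, not code from the study guide or from Microsoft. A trust is a
(trusting, trusted, kind) triple: the trusting domain accepts accounts from the
trusted domain. Kinds and rules are this example's simplification of the text:
  "tree"     parent/child or tree-root trust inside a forest: transitive
  "forest"   Windows Server 2003 forest trust between two forest roots:
             transitive across those two forests only, never into a third
  "external" explicit NT-style trust: nontransitive, one hop only
All domain names below are made up.
"""
from collections import deque

TRUST_KINDS = {"tree", "forest", "external"}


def two_way(a, b, kind):
    """Most AD trusts are created two-way; expand one into both directions."""
    return [(a, b, kind), (b, a, kind)]


def accepted_account_domains(resource_domain, trusts):
    """Return the set of domains whose accounts can be authenticated for
    resources in resource_domain, following only the trust paths AD honours."""
    by_trusting = {}
    for trusting, trusted, kind in trusts:
        if kind not in TRUST_KINDS:
            raise ValueError(f"unknown trust kind {kind!r}")
        by_trusting.setdefault(trusting, []).append((trusted, kind))

    accepted = set()
    # Breadth-first walk. A state records the domain reached and whether the
    # path has already crossed a forest trust; only transitive hops extend a path.
    queue = deque([(resource_domain, False)])
    seen = {(resource_domain, False)}
    while queue:
        domain, crossed_forest = queue.popleft()
        for trusted, kind in by_trusting.get(domain, []):
            if kind == "external":
                if domain == resource_domain:     # direct hop only, never chained
                    accepted.add(trusted)
                continue
            if kind == "forest" and crossed_forest:
                continue                          # would chain into a third forest
            accepted.add(trusted)
            state = (trusted, crossed_forest or kind == "forest")
            if state not in seen:
                seen.add(state)
                queue.append(state)
    accepted.discard(resource_domain)
    return accepted


# Constructed topology: forest 1 (corp), forest 2 (partner), forest 3 (other),
# plus an NT 4.0 domain that corp trusts through a one-way external trust.
SAMPLE_TRUSTS = (
    two_way("corp.example", "sales.corp.example", "tree")
    + two_way("partner.example", "lab.partner.example", "tree")
    + two_way("corp.example", "partner.example", "forest")
    + two_way("partner.example", "other.example", "forest")
    + [("corp.example", "legacy.local", "external")]
)

if __name__ == "__main__":
    for resource in ["sales.corp.example", "corp.example", "other.example"]:
        print(resource, "accepts", sorted(accepted_account_domains(resource, SAMPLE_TRUSTS)))
```

Run against the sample topology, other.example accepts accounts from partner.example and its child but not from corp.example, because that would require chaining two forest trusts; and the NT 4.0 domain is accepted only by corp.example itself, not by its child domain.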


The Active Directory Users and Computers tool (ADUC) has been improved to include a new query feature (see Figure 1.7) that allows you to write filters for the type of objects you want to view.These queries can be saved and used multiple times. For example, you might want to create a query to show you all of the users with mailboxes on a specified Exchange server. By creating a query, you can easily pull up a current list with one click of the mouse. ADUC also now supports the following:

■ Multi-object selection

■ Drag-and-drop capabilities

■ The ability to restore permissions back to the defaults

■ The ability to view the effective permissions of an object


Figure 1.7 Querying Objects in Active Directory Users and Computers

Using Saved Queries in Active Directory Users and Computers

The ability to create and save queries in ADUC is a convenient feature. It makes it easy to find Active Directory objects that match certain criteria. You can search for such things as:

■ All printers in a certain location

■ All users who use Exchange instant messaging

■ All machines installed via Remote Installation Services (RIS)

■ All empty groups (groups with no members)

After you create a query, it is automatically saved so you can use it again.

You can even export your query to an XML file and import it on another machine. This makes sharing queries very easy.
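A worked example that covers both the directory components listed earlier in this chapter (schema, object classes, objects with attributes, and search) and the saved-query filters described in this sidebar. This is added code, not from the study guide or from Microsoft: a toy in-memory directory in Python whose schema rejects objects with missing or undeclared attributes, plus a small evaluator for LDAP filters of the kind a saved query stores. The empty-groups filter (&(objectCategory=group)(!(member=*))) is the standard LDAP idiom; the schema, entries, DNs and Exchange mailbox store DNs are constructed for the example, objectCategory is simplified to a bare name, and filter values are not unescaped.

```python
"""Toy directory with a schema and LDAP-style search filters.

Added example, not code from the study guide or from Microsoft: it shows the
components listed above (schema, object classes, objects with attributes,
search) and runs the kind of LDAP filter an ADUC saved query holds. Schema,
entries and DNs are constructed; objectCategory is simplified to a bare name
(in AD it is a schema DN). Filters support &, |, !, equality, presence (=*)
and * wildcards; special characters inside values are not unescaped.
"""
import re

SCHEMA = {  # object classes: required/optional attributes, category stamped on instances
    "user":  {"must": {"cn", "sAMAccountName"}, "may": {"mail", "homeMDB"}, "category": "person"},
    "group": {"must": {"cn"}, "may": {"member"}, "category": "group"},
}

def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1

def parse_filter(s, i=0):
    """Parse an RFC 4515-style filter starting at offset i; return (next offset, tree)."""
    i = _expect(s, i, "(")
    op = s[i:i + 1]
    if op in ("&", "|"):                       # n-ary AND / OR
        i, children = i + 1, []
        while i < len(s) and s[i] == "(":
            i, child = parse_filter(s, i)
            children.append(child)
        return _expect(s, i, ")"), (op, children)
    if op == "!":                              # NOT
        i, child = parse_filter(s, i + 1)
        return _expect(s, i, ")"), ("!", child)
    end = s.find(")", i)                       # simple item: attr=value
    attr, sep, value = s[i:end].partition("=")
    if end < 0 or not sep or not attr:
        raise ValueError(f"bad filter item at offset {i}")
    return end + 1, ("=", attr.strip().lower(), value)

def _glob(pattern, text):
    """Case-insensitive match where '*' matches any run of characters."""
    regex = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
    return re.fullmatch(regex, text.lower()) is not None

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute name -> list of values)."""
    op = node[0]
    if op in ("&", "|"):
        results = [matches(c, entry) for c in node[1]]
        return all(results) if op == "&" else any(results)
    if op == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])   # absent attribute matches nothing, so (!(member=*)) finds empty groups
    return bool(values) and (value == "*" or any(_glob(value, v) for v in values))

class Directory:
    def __init__(self, schema):
        self.schema, self.entries = schema, {}   # dn -> {attr (lower-case): [values]}

    def validate(self, object_class, **attrs):
        """Return schema violations for a proposed object (empty list means valid)."""
        cls = self.schema.get(object_class)
        if cls is None:
            return [f"unknown object class {object_class!r}"]
        given, must = {a.lower() for a in attrs}, {a.lower() for a in cls["must"]}
        missing, unknown = must - given, given - must - {a.lower() for a in cls["may"]}
        return ([f"missing required: {sorted(missing)}"] if missing else []) + \
               ([f"not in schema for class: {sorted(unknown)}"] if unknown else [])

    def add(self, dn, object_class, **attrs):
        problems = self.validate(object_class, **attrs)
        if problems:
            raise ValueError(f"{dn}: " + "; ".join(problems))
        entry = {"objectclass": [object_class], "objectcategory": [self.schema[object_class]["category"]]}
        for name, value in attrs.items():
            entry[name.lower()] = [value] if isinstance(value, str) else list(value)
        self.entries[dn] = entry

    def search(self, filter_text):
        """Return the DNs of every entry matching the filter, sorted."""
        pos, node = parse_filter(filter_text)
        if pos != len(filter_text):
            raise ValueError(f"trailing characters in filter: {filter_text[pos:]!r}")
        return sorted(dn for dn, entry in self.entries.items() if matches(node, entry))

BASE = "DC=example,DC=com"
STORE = "CN=Mailbox Store,CN=First Storage Group,CN=InformationStore,CN={server}," + BASE

def build_sample_directory():
    d = Directory(SCHEMA)
    d.add(f"CN=Alice,OU=Users,{BASE}", "user", cn="Alice", sAMAccountName="alice", homeMDB=STORE.format(server="EXCH01"))
    d.add(f"CN=Bob,OU=Users,{BASE}", "user", cn="Bob", sAMAccountName="bob", homeMDB=STORE.format(server="EXCH02"))
    d.add(f"CN=Carol,OU=Users,{BASE}", "user", cn="Carol", sAMAccountName="carol")
    d.add(f"CN=Sales,OU=Groups,{BASE}", "group", cn="Sales", member=[f"CN=Alice,OU=Users,{BASE}", f"CN=Bob,OU=Users,{BASE}"])
    d.add(f"CN=Stale Project,OU=Groups,{BASE}", "group", cn="Stale Project")
    return d

EMPTY_GROUPS = "(&(objectCategory=group)(!(member=*)))"   # the usual LDAP idiom for a saved query
MAILBOX_ON_EXCH01 = "(&(objectCategory=person)(objectClass=user)(homeMDB=*CN=EXCH01,*))"
```

Calling build_sample_directory().search(EMPTY_GROUPS) returns only the Stale Project group, and MAILBOX_ON_EXCH01 returns only Alice; an add() with an attribute the class does not declare raises ValueError, which is the schema doing its job.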

Group Policy management has also been enhanced in Windows Server 2003. The Microsoft Group Policy Management Console (GPMC), shown in Figure 1.8, makes it easy to troubleshoot and manage Group Policy. It supports drag-and-drop capabilities, backing up and restoring your Group Policy objects (GPOs), and copying and importing GPOs. Where the GPMC really shines is in its reporting function. You now have a graphical, easy-to-use interface that, within a few clicks, will show you all of the settings configured in a GPO. You can also determine what a user’s effective settings would be if he or she logged on to a certain machine. The only way you could do this in Windows 2000 was to actually log the user on to the machine and run gpresult (a command-line tool for viewing effective GPO settings).

Figure 1.8 Using the Microsoft Group Policy Management Console

The schema can now be redefined. This allows you to make changes if you incorrectly enter something into the schema. In Windows 2000, you can deactivate schema attributes and classes, but you cannot redefine them. You still need to be a member of the Schema Admins group to modify the schema, but now it is more forgiving of mistakes.

The way objects are added to and replicated around the directory has been improved as well. The Inter-Site Topology Generator (ISTG) has been improved to support a larger number of sites. Group membership replication is no longer “all or nothing” as it was in Windows 2000. In Windows Server 2003, as members are added to groups, only those members are replicated to your domain controllers and global catalog (GC) servers, rather than the entire group membership list. No more wor­rying about the universal group replication to your GC servers.

Domain controllers can now cache the universal group membership information they obtain from GC servers (universal group membership caching, enabled per site). This allows users to continue to log on if the GC server goes down. It also speeds up logons for sites that do not have a local GC server. No longer is the GC server a single point of failure for logon. In fact, you no longer are required to have one at each site.


EXAM WARNING

Domain controllers can cache the universal group membership information they receive from GC servers. This is new to Windows Server 2003 and removes the GC server as a single point of failure for logon. Users can now log on with cached information instead of having to go through the GC server each time.

Active Directory now supports a new directory partition called the application partition. You can add data to this partition and choose which domain controllers will replicate it. This is useful if you have information you want to replicate to all domain controllers in a certain area, but you do not want to make the information available to all domain controllers in the domain.

EXAM WARNING

The application partition is only replicated to specified domain controllers. It is up to you, as the administrator, to determine which domain controllers will host a replica. Applications and services can store information in the application partition. This partition can contain any type of Active Directory object except security principals such as users, groups, and computers.

You might want to use the application partition to store your DNS database. This will allow you to have Active Directory Integrated (ADI) zones that replicate between different domains. In Windows 2000, there was no way to replicate ADI zones between domains.

Improved File and Print Services

Practically every organization uses file and print services, as sharing files and printers was the original reason for networking computers together. Microsoft has improved the tools used to manage your file system by making the tools run faster than before; this allows users to get their jobs done in less time and requires less downtime for your servers. The Distributed File System (DFS) and the File Replication Service (FRS) have also been enhanced for Windows Server 2003, and Microsoft has made printing faster and easier to manage.

Enhanced File System Features

Windows Server 2003 supports WebDAV (an HTTP extension Microsoft first shipped with IIS 5.0 and Exchange 2000) and includes a WebDAV redirector, the WebClient service, which allows remote document sharing. Through standard file system calls, clients can access files stored in Web repositories. In other words, clients think they are making requests to their local file systems, but the requests are actually being fulfilled via Web resources.

Microsoft made it easier to manage disks in Windows Server 2003 by including a command-line interface. From the command line, you can do tasks that were only supported from the GUI in Windows 2000, such as managing partitions and volumes, configuring RAID, and defragmenting your disks (diskpart and defrag). There are also command-line tools for extending basic disks (diskpart), file system tuning (fsutil), and shadow copy management (vssadmin).

Disk fragmentation is a problem that commonly plagues file servers. It occurs when data is constantly written to and removed from a drive. Fragmented drives do not perform as well as defragmented drives. Although Windows 2000 (unlike NT) included a disk defragmentation tool, it was notoriously slow. To address this, Microsoft beefed up the defragmenter tool in Windows Server 2003 so that it is much faster than before. In addition, the new tool is not limited to only specific cluster sizes that it can defrag, and it can perform an online defragmentation of the Master File Table (MFT).

The venerable CHKDSK (pronounced “check disk”) tool, which is used to find errors on Windows volumes, has been revamped as well. Microsoft studies show that Windows Server 2003 runs CHKDSK 20 to 35 percent faster than Windows 2000. However, since Windows Server 2003 (like Windows 2000) uses NTFS, which is less prone to errors than FAT file systems, you shouldn’t have to run CHKDSK often.

TEST DAY TIP

As you are learning about the enhancements made to the tools in Windows Server 2003, don’t worry about remembering how much faster they are. Focus instead on learning how the tools work. For example, you will not need to know that CHKDSK is 30 percent faster than in Windows 2000, but you might be expected to know how to use CHKDSK. We discuss using CHKDSK in Chapter 2, “Managing Physical and Logical Disks.”

Both the DFS and the FRS have been improved. DFS allows you to create a single logical tree view for multiple servers, so that all directories appear to be on the same server. However, they are actually on separate servers. DFS works hand in hand with Active Directory to determine site locations for clients requesting data, thereby allowing clients to be directed to a server closest to them in physical proximity. FRS is used to replicate DFS file share data. FRS now allows administrators to configure its replication topology and compress replication traffic.

One of the best file system improvements in Windows Server 2003 (in our opinion) is shadow copies. After you enable shadow copies on the server and install the shadow copy client software on the desktop computer, end users can right-click on a file and view previous versions that were captured by shadow copies. They can then keep the current version of the file or roll back to an earlier version. This will remove the burden (to some extent) of simple file restores from your IT staff and allow the users to handle it themselves.

Improved Printing Features

Even though we are constantly moving toward a paperless society, printing is still an important requirement for most companies. One of the more common reasons for small companies to put in a network is for the purpose of sharing printers (a shared Internet connection and e-mail are two other reasons). Microsoft has taken many steps to improve the printing experience in Windows Server 2003. Users who print long documents should notice a performance boost over Windows 2000, because Windows Server 2003 does a better job of file spooling. In other words, print jobs should get to the printer faster.

Microsoft has also made printing easier to manage than ever before. Windows Server 2003 has command-line utilities for managing printer configuration, including print queues, print jobs, and driver management. System Monitor even has counters for monitoring print performance.

Installing printers is a snap in Windows Server 2003 because of Plug-and-Play (PnP) functionality. This allows you to physically connect the printer to the machine and have Windows set it up for you automatically (as long as the printer itself supports PnP). Windows Server 2003 supports over 3800 new print drivers.

Revised IIS Architecture

Internet Information Services (IIS) is Microsoft’s Web server product. IIS 6.0 is included with all versions of Windows Server 2003.With this new version, Microsoft has made great leaps in the area of IIS reliability, availability, management, and security.

IIS 6.0 was designed so a problem with one application won’t cause the server or other applications running on the server to crash. It provides health monitoring and disables Web sites and applications that fail too frequently within a defined period of time. IIS 6.0 can stop and restart Web sites and applications based on customized criteria (such as disk, CPU, or memory utilization). IIS 6.0 allows changing the configuration of your Web server without having to restart it. It is the most scalable version of IIS to date, supporting more Web sites on a single server than IIS 5.0. The actual IIS services stop and start much faster than before, helping to decrease Web site downtime.

Management of your Web server is easier in Windows Server 2003, thanks to command-line scripting. The metabase is now stored in a plain-text XML configuration file. This improves backing up, restoring, recovering, troubleshooting, and directly editing the metabase.

IIS 6.0 supports ASP.NET, the .NET Framework, and a wide variety of languages. Since the .NET Framework doesn’t depend on a specific language, almost any programming language will do.

One common complaint about Windows 2000 was that IIS was installed by default, creating an instant vulnerability on servers that were never intended to be Web servers.

Microsoft recommends that you only install IIS when needed and lock it down so it only offers the services that your organization requires. In Windows Server 2003, IIS is not installed by default and is locked down by default when you do install it. This means that it will only deliver static content, unless you specifically configure it for dynamic content. IIS 6.0 requires an administrator to add the necessary dynamic extensions (ASP or ASP.NET, for example) to the Web Service Extensions list. Until they are added to this list, IIS will not run them; this stops attackers from calling unsecured dynamic pages.


EXAM WARNING

Microsoft has changed their approach to IIS in Windows Server 2003. No longer is IIS installed by default. When you do install IIS, it is locked down out of the box (the equivalent of having run the IIS Lockdown tool), so your Web server only offers the services you select. It discards all other requests.

Enhanced Clustering Technology

A cluster is a group of servers that work together like one computer. Clusters can be used for performance reasons (to balance the load across two or more computers) or for fault tolerance reasons (to provide failover if one computer fails).

Microsoft added clustering support to its OS line in 1997 with Windows NT 4.0 Enterprise Edition. At that time, clustering was not commonly used. Only the really big IT shops could afford to put in clustered solutions because of the cost of the extra servers. Now that hardware has dropped in price, more and more customers are choosing to cluster their mission-critical systems. As Storage Area Networking (SAN) technology becomes more widespread, clusters are becoming fairly easy to set up. Like Windows 2000, Windows Server 2003 supports two types of clustering: Microsoft Cluster Service (MSCS) and Network Load Balancing (NLB).

Microsoft Cluster Service

MSCS uses two or more physically connected servers, called nodes, that communicate with each other constantly. If a node detects that another node is offline, it will take over the services provided by the offline node. However, this happens behind the scenes, and end users are unaware of the process (other than experiencing a small initial delay).

MSCS is traditionally used with mail servers, database servers, and file and print servers. MSCS is supported in Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition. Some of the new features of Windows Server 2003 clustering include:

■ The support of more nodes in a cluster. Enterprise Edition and Datacenter Edition both support eight nodes.

■ Clustering now integrates with Active Directory and creates a computer account for the virtual cluster name.

■ Clustered applications can now use Kerberos authentication.

EXAM WARNING

Microsoft has increased the number of nodes supported in clustering. Both Enterprise Edition and Datacenter Edition now support eight nodes. Windows 2000 Advanced Server supports two-node clusters, and Windows 2000 Datacenter Edition supports four-node clusters. Be sure not to confuse these on the test.


Network Load Balancing

NLB is available in all versions of Windows Server 2003. Unlike MSCS, where only one server offers the services at a time, NLB nodes all offer services at the same time.The NLB cluster is accessed via a virtual name (a name that represents the group of servers as an entity), and whichever server is least busy answers the request (there is a little more to it, but this is good enough for now).

If one server goes offline, there is no transferring of services because all servers offer the services already. When a server goes offline, it is removed from the rotation of servicing requests until it comes back online. NLB is generally used with Web servers, application servers, terminal servers, and streaming media servers. NLB Manager is a new tool in Windows Server 2003 (see Figure 1.9) that provides a central point for managing and configuring NLB clusters.

Figure 1.9 Using the Network Load Balancing Manager

There are many new features for NLB in Windows Server 2003. NLB now supports multiple network interface cards (NICs), allowing a single server to host multiple NLB clusters. You can use virtual clusters to set up different port rules for each cluster IP address, so that each IP address represents a different resource (Web page, application, and so forth).

The Internet Group Management Protocol (IGMP) is now supported when NLB is configured in multicast mode. Using IGMP limits cluster traffic on the switch to the ports that have NLB servers connected to them. This helps prevent switch flooding. (Switch flooding occurs when every server in an NLB cluster sees every packet addressed to the cluster.)

NLB now supports IPSec traffic.


TEST DAY TIP

Do not confuse the Microsoft Clustering Service (MSCS) with Network Load Balancing (NLB). MSCS machines actually share hardware (storage), whereas machines using NLB do not. When using MSCS, only one machine at a time is actually functioning as the server and responding to requests. It owns the resources being offered. If that machine fails, then those resources fail over to another machine in the MSCS cluster. With NLB, all machines offer the resources at the same time. The NLB service routes the request to the next available machine in the NLB cluster. MSCS is implemented for fault tolerance, whereas NLB is implemented to increase performance.

New Networking and Communications Features

Windows Server 2003 adds a number of new networking technologies that enable it to grow with the needs of your business. For example:

It supports IPv6, which was created to overcome the limited number of addresses in IPv4 (previous versions of NT use IPv4). Windows Server 2003 supports IPv4/IPv6 coexistence through technologies such as Intra-site Automatic Tunnel Addressing Protocol (ISATAP) and 6to4.

Internet and remote access functionality have been enhanced in Windows Server 2003.

Point-to-Point Protocol over Ethernet (PPPoE) allows making broadband connections to an Internet Service Provider (ISP) without having to load any software.

Windows can now use IPSec over NAT.

Remote Authentication Dial-In User Service (RADIUS) has been improved to provide better control over network access and easier troubleshooting of authentication problems.

Microsoft’s implementation of RADIUS, Internet Authentication Service (IAS), can send its logs to a Microsoft SQL Server and it now supports 802.1X authentication and cross-forest authentication.


Using L2TP over NAT

In Windows 2000, IPSec was not supported through a NAT server. This was a serious drawback for some companies, as it meant they could not VPN through the NAT server using IPSec or the Layer Two Tunneling Protocol (L2TP), which uses IPSec for encryption. This restriction has been removed in Windows Server 2003. Both IPSec connections and L2TP connections using IPSec are supported over NAT when you have a Windows Server 2003 VPN server. This is done using a technology called NAT traversal, or NAT-T. On the client end, the Microsoft L2TP/IPSec VPN client supports NAT-T. It can be downloaded at www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp and can be installed on Windows 98, ME, and NT 4.0 Workstation.

The Internet Connection Firewall (ICF) functions as a personal software-based firewall and provides protection for computers connected to the Internet or unsecured networks.

ICF (see Figure 1.10) protects LAN, VPN, dial-up, and PPPoE connections by making it easier to secure your server against attacks. With ICF, only the services that you need to offer are exposed. For example, you can use ICF to filter the network connection of your DNS server so that only DNS requests are passed through.

Figure 1.10 Using the Internet Connection Firewall

ICF is included with the 32-bit versions of the Standard and Enterprise Editions of Windows Server 2003. It is not included with the Web and Datacenter Editions, or with any of the 64-bit versions.

Improved Security

You might have noticed in the previous sections that Microsoft is paying more attention to customers’ concerns about security. Many of the new features discussed thus far relate in one way or another to security. One of the key components of Windows Server 2003 security is the Common Language Runtime (CLR) software engine. It reduces the number of security vulnerabilities due to programming mistakes, and makes sure that applications have appropriate permissions to run and that they can run without any errors.

NOTE

For more information about CLR, see the article About the Common Language Runtime (CLR) on the .NET framework community Web site at www.gotdotnet.com/team/clr/about_clr.aspx.

EFS encrypts files that are stored on NTFS-formatted partitions so that they can only be decrypted by the person who encrypted the file, those with whom he or she shares the file, or a designated recovery agent. The sharing of encrypted files, as shown in Exercise 1.01, is new to Windows XP/Server 2003. In Windows 2000, this was not possible because only the person who encrypted the file had the correct keys to decrypt it. Now, the person who encrypts the file can choose to give other people the ability to decrypt the file as well, and the file encryption key (FEK) is protected by the public key of each additional person who is given authorization. Encrypted files appear just like normal files in Windows Explorer. However, only authorized users can access them. Anyone else will be denied access. EFS now supports encrypting offline files and storing encrypted files in Web folders.

EXERCISE 1.01 CONFIGURING MULTIPLE USERS TO SHARE EFS ENCRYPTED FILES

One of the new features of Windows Server 2003 (and Windows XP) is the ability for multiple users to share encrypted data. In Windows 2000, only the user who encrypted the data or a designated recovery agent could decrypt the data. This exercise walks you through the steps of encrypting your data and then sharing it with someone else.


To encrypt your data with EFS:

1. Right-click on the file or folder you want to encrypt. Note that Microsoft recommends encrypting at the folder level for ease of management.

2. From the General tab, click Advanced.

3. Check the box next to Encrypt contents to secure data.

4. Click OK.

NOTE

Another way to encrypt a file or folder is to use the cipher tool at the command line.

Now, to share your encrypted data with other users, follow these steps:

1. Right-click on the file or folder you want to share.

2. From the General tab, click Advanced.

3. Click Details.

4. Click Add.

5. Click Find User.

6. Select the user from the list.

7. Click OK to save your changes.
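The encryption half of this exercise done from the command line with the cipher tool mentioned in the note, followed by a check that every file under the folder really carries the Encrypted attribute. This is an added example, not part of the book's exercise. It assumes Windows PowerShell is installed on the server (it is not part of Windows Server 2003 but can be added) and uses a constructed folder path. Adding other users to the encrypted files is still done through the Details dialog in the steps above.

```powershell
# Added example, not from the book: encrypt a folder with cipher.exe and
# verify the EFS attribute on every file beneath it. Assumes PowerShell on
# an NTFS volume; the folder path is a constructed example.
$target = 'C:\Secure\Payroll'      # constructed path; change to your own

if (-not (Test-Path -Path $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null
}

# Steps 1-4 of the exercise from the command line. /e encrypts, /s:<dir>
# walks the folder tree, and /a is what makes cipher encrypt the existing
# files rather than only marking the folders; without /a, files that were
# already in the folder stay in clear text.
cipher.exe /e /a "/s:$target"

# Returns $true when a file or folder carries the Encrypted attribute.
function Test-EfsEncrypted {
    param([string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# Report every file, not just the folder: the folder attribute only means
# new files created here will be encrypted, so anything copied in before
# the folder was encrypted must be checked individually.
function Get-EfsReport {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Encrypted = Test-EfsEncrypted -Path $_.FullName
            }
        }
}

Get-EfsReport -Folder $target | Format-Table Encrypted, Path -AutoSize

# Inventory every encrypted file on the local drives without touching them
# (/u would update the keys on each file; /n suppresses that and only lists).
# This walks every local volume, so it can take a while on a large server.
cipher.exe /u /n
```

Run the report again after sharing the files with another user; the Encrypted flag does not change, which is why the Details dialog, not the attribute, is where you confirm who can decrypt a given file.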

Microsoft provides a single sign-on environment for users via Credential Manager (see Figure 1.11). Credential Manager provides a secure place for users to store their passwords and X.509 certificates. When a resource is accessed, the correct credentials will be pulled from Credential Manager without prompting the user for action. In large complex environments in which you can have three or four user accounts, this is a great benefit. No longer do you have to key in your domain, username, and password each time; you set it up once and then Credential Manager does all of the work.

Figure 1.11 Using Credential Manager to Provide a Single Sign-On Environment

You can now control which software can run on a machine via software restriction policies. These policies can be applied at the domain, site, OU, or locally. You define a default security level that either allows or disallows software to run via the Group Policy Object Editor Snap-in. Among other things, software restriction policies can be used to prevent viruses and other harmful programs from running on your PC, and can also be used to limit end users to only running the programs needed for their job.
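A way to see what software restriction policy has actually reached a server after Group Policy has applied, rather than what the GPO editor shows. This is an added example, not from the book or from Microsoft. It assumes Windows PowerShell is present, and it assumes the registry layout used by Windows XP and Windows Server 2003 software restriction policies (the CodeIdentifiers key, the DefaultLevel value, and per-level Paths and Hashes subkeys); confirm those on your own build before relying on the output.

```powershell
# Added example, not from the book: read the software restriction policy
# applied to this computer. Key path and value meanings are assumed from
# the XP/2003 documentation; verify them on your own build.
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# DefaultLevel values as shown in the Group Policy Object Editor
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Returns the default security level, or a note when no policy is present.
function Get-SrpDefaultLevel {
    if (-not (Test-Path -Path $saferKey)) {
        return 'No software restriction policy applied'
    }
    $cfg = Get-ItemProperty -Path $saferKey
    if ($null -eq $cfg.DefaultLevel) { return 'Unrestricted (DefaultLevel not set)' }
    $name = $levelNames[[int]$cfg.DefaultLevel]
    # PolicyScope 1 exempts local administrators, which is worth knowing
    # when the policy is meant to stop malware rather than just end users.
    if ($cfg.PolicyScope -eq 1) { $name += ' (local administrators exempt)' }
    return $name
}

# Lists every path and hash rule together with the level it assigns.
# Rules live under <level>\Paths\<GUID> and <level>\Hashes\<GUID>.
function Get-SrpRules {
    if (-not (Test-Path -Path $saferKey)) { return }
    foreach ($levelKey in Get-ChildItem -Path $saferKey) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = $levelNames[[int]$levelKey.PSChildName]
        foreach ($ruleType in 'Paths', 'Hashes') {
            $rulesPath = Join-Path -Path $levelKey.PSPath -ChildPath $ruleType
            if (-not (Test-Path -Path $rulesPath)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $rulesPath) {
                $rule = Get-ItemProperty -Path $ruleKey.PSPath
                # Path rules keep the path in ItemData; hash rules keep the
                # binary hash there and a readable name in FriendlyName.
                $item = if ($ruleType -eq 'Hashes') { $rule.FriendlyName } else { $rule.ItemData }
                New-Object PSObject -Property @{
                    Level       = $level
                    RuleType    = $ruleType.TrimEnd('s')
                    Item        = $item
                    Description = $rule.Description
                }
            }
        }
    }
}

"Default level: $(Get-SrpDefaultLevel)"
Get-SrpRules | Format-Table Level, RuleType, Item, Description -AutoSize
```

Reading the rules this way makes the trade-off between the two rule types visible: a path rule applies to whatever sits at that location, so the folder's NTFS permissions matter as much as the rule, while a hash rule is tied to the file's contents and has to be re-created whenever the program is updated.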

Windows Server 2003 supports the IEEE 802.1X protocol. This standard allows authorization and authentication of users connecting to Ethernet and wireless local area networks (WLANs). Windows Server 2003 supports authentication via Extensible Authentication Protocol (EAP) methods, such as smart cards.

Autoenrollment and autorenewal of certificates makes it easier to quickly deploy smart cards. Certificate Services now supports incremental (a.k.a. delta) Certificate Revocation Lists (CRLs), which means that the server can just push down the changes to the client and not have to push the entire CRL every time.

A couple of other new security features of Windows Server 2003 are Passport Integration and Cross-Forest Trusts. Passport is integrated with Active Directory and supports mapping Active Directory user accounts to Passport accounts. Users can use Passport for a single sign-on to all of the supported systems. In Windows 2000, trusts are set up between domains only. This means that if you have two forests, each with three domains, then you must set up trusts between all six domains. With Cross-Forest Trusts, you can set up a trust between the forests, and all domains can access each other.

NOTE

Passport is a service provided by Microsoft that lets you access a variety of services and Web sites that are Passport-enabled, using your e-mail address as your account name. The account also stores personal information in a profile, and encrypts this information to protect it.

Better Storage Management

In an effort to keep up with the changing times, Microsoft has greatly increased the level of built-in SAN support in Windows Server 2003. The Virtual Disk Service (VDS) provides a unified interface for multivendor storage devices. VDS discovers the storage devices in your network and gives you a single place to manage them.

You can now create and mount a SAN volume from within Windows. In previous versions of Windows, you had to do this from within your SAN application. Also included in Windows Server 2003, via the driver development kit, is multipathing input/output (MPIO). MPIO allows up to 32 different paths to external storage (for example, SAN).

Understanding Storage Area Networks

A SAN is a high-speed dedicated network of storage devices. SANs contain a bank of hard drives, optical drives, or other storage devices that can be divided and shared. SANs waste less storage space because you can share the disks between all of your servers. SANs provide high bandwidth with zero latency, and they eliminate I/O bottlenecks from networks.

SANs have their own private optical fiber or fibre channel network that connects them to the servers. All backing up and restoring takes place over this private fiber network, rather than going over your production Ethernet network. This saves traffic over your Ethernet network, and tremendously speeds up your backups.

Ethernet networks typically run at 10 to 100MB per second, whereas fiber networks run at 1 to 2GB per second.

Microsoft has put a lot of work into the backup features of Windows Server 2003. The Volume Shadow Copy Service allows you to create a snapshot (an exact copy) of volumes on your SAN. Clients can then perform shadow copy restores on their own. In other words, clients can look at a list of shadow copies performed on their data and choose to restore their own data from a given snapshot. NTBackup also uses shadow copies to make sure that all open files are backed up.


Improved Terminal Services

Terminal Server allows client workstations to function as terminal emulators. Terminal Services client software is installed on the local workstation, allowing it to connect to the terminal server and receive its own desktop session. Multiple clients can run sessions simultaneously. All processing takes place on the server. The client machine is only responsible for managing the keystrokes and mouse clicks, which are passed over the network to the Terminal Server via the Remote Desktop Protocol (RDP).

NOTE

Although RDP is the native protocol for Microsoft Terminal Server and is used with clients running the Windows 2000 Terminal Services client or the XP/2003 Remote Desktop Connection (RDC) client, the Windows Server 2003 terminal server can also be configured to accept connections from Citrix clients using the ICA protocol.

The first version of Terminal Server was a separate server OS called Windows NT Server 4.0 Terminal Server Edition. When Microsoft released Windows 2000, they included Terminal Server in the standard OS. It was a feature that could be added or removed as needed. Windows 2003 also includes Terminal Server with the OS (all editions except the Web Edition), but it has changed a little since Windows 2000.

In Windows 2000, there are two modes in which Terminal Server can run: Remote Administration mode and Application Server mode. Neither one of these is installed by default. Terminal Services in Remote Administration mode only allows two simultaneous connections, but it doesn't require any Terminal Server License. Only members of the Administrators group can connect to a terminal session. Terminal Services in Application Server mode allows unlimited connections, and sessions are not limited to administrators, but you are required to have a license for each connection and a licensing server to manage all of the connections.

NOTE

Clients connecting to a Windows 2000 terminal server from a Windows 2000 Professional computer are not required to purchase a license, as Windows 2000 Pro includes a Terminal Services CAL. However, you still must set up a licensing server.

In Windows Server 2003, Remote Administration mode has been renamed to Remote Desktop for Administration and it is installed by default. This works like the Remote Desktop feature in Windows XP. As in Windows 2000, you are still limited to two simultaneous remote desktops at a time. However, there is one improvement: you can now take over the local console session. Terminal Services in Application Server mode is now simply called Terminal Server.
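Because Remote Desktop for Administration is installed by default, the practical question on a new server is whether it is switched on, who is allowed to use it, and who currently holds the two sessions. The following check is an added example, not from the book; it assumes Windows PowerShell is present, that the fDenyTSConnections registry value under the Terminal Server control key reflects the Remote Desktop setting, and that the local Remote Desktop Users group exists under that name.

```powershell
# Added example, not from the book: audit Remote Desktop for Administration
# on this server. Registry value and group name are assumed from the
# Windows Server 2003 documentation.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# fDenyTSConnections = 0 means remote desktop connections are accepted.
function Get-RemoteDesktopState {
    $item = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Unknown (value not present)' }
    if ($item.fDenyTSConnections -eq 0) { return 'Enabled' }
    return 'Disabled'
}

# Members of Remote Desktop Users can open a session without being
# administrators, so this list deserves the same review as Administrators.
function Get-RemoteDesktopUsers {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
}

"Remote Desktop for Administration: $(Get-RemoteDesktopState)"
"Remote Desktop Users group members:"
Get-RemoteDesktopUsers | ForEach-Object { "  $_" }

# The two-session limit still applies. 'query session' is the Terminal
# Services command-line tool shipped with the OS; it lists the console and
# every RDP session with its state and user, so you can see who holds them.
query session
```

Run this after any change to the Remote Desktop settings tab; a server that reports Enabled with an empty Remote Desktop Users group is reachable only by administrators, which is the intended state for a server that is not an application-mode Terminal Server.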


The Windows Server 2003 Terminal Server and Remote Desktop for Administration support more local client devices than in Windows 2000. Now the local client file system, audio output, printers, serial ports, smart cards, and clipboard are supported (see Figure 1.12), making it easier for clients to use their local resources while connected to the terminal server.

RDP 5.1 is a much more robust client than RDP 5.0 (Windows 2000). It supports display configurations up to 24-bit color at up to 1600x1200 resolution. It also allows customizing the client experience based on available bandwidth. In other words, unnecessary features can be turned off to optimize performance when connecting over a slow link.

Figure 1.12 Configuring the Remote Desktop Connection

Using the Remote Desktop Connection

Terminal Server is one of the most used features of Windows 2000. It allows users to connect from their local machines and run desktop sessions off of the server.

The local workstation at this point is functioning as a "thin client" because all processing is taking place on the server. One common complaint about Terminal Server in Windows 2000 is a lack of support for local resources.

This has been improved in Windows Server 2003. You can now share information easily between your local disk and the server. You no longer must map a drive back to your local workstation. You can print to locally attached printers and use locally attached serial devices. You can redirect the sound from the terminal server to come out of your local speakers. All of these things make using Terminal Server an even more transparent process to the end user.


New Media Services

Microsoft has redesigned Media Services. The version of Media Services in Windows Server 2003 is version 9.0. It is managed via the Windows Media Services Microsoft Management Console (MMC) as shown in Figure 1.13. Media Services provides audio and video content to clients via the Web (Internet or intranet). According to Microsoft, Media Services has been improved in four areas:

■ Fast streaming

■ Dynamic content

■ Extensibility

■ Industrial strength

Figure 1.13 Getting Started with Windows Media Services

Fast Streaming

Media Services supports fast streaming to ensure the highest quality streaming experience possible even over unreliable networks (for example, wireless networks). Streaming refers to sending video and/or audio in compressed form over the network and playing the data as it arrives. There are four parts that make up fast streaming:

■ Fast start: Supplies instant-on playback without a buffering delay.

■ Fast cache: Supplies always-on playback by streaming to cache as quickly as the network will support and by playing back the stream to the client from cache.


■ Fast recovery: Sends redundant packets to wireless clients to ensure that no data is lost due to connectivity problems.

■ Fast reconnect: Supplies undisturbed playback by restoring connections if the client is disconnected during a broadcast.

Dynamic Content

Media Services supports advertisements and server-side playlists. Advertising support is very flexible, in that ads can be placed anywhere and used as often as wanted in the playlist. You can even use data gathering tools such as cookies to personalize your ads, and all ad data can be logged for further analysis. Server-side playlists are great for clients that don't support client-side playlists. Server-side playlists can contain live data or preexisting content. They allow you to customize the way your content is presented to clients and to make changes quickly and easily without any delay in service.

Extensibility

Microsoft has exposed over 60 Media Services interfaces and their properties, making Media Services a very open platform. Customization can be achieved by using the Microsoft supplied plug-ins or by using the SDK to create your own plug-ins. You can use scripting languages you already know (such as Perl, Visual Basic, Visual Basic Scripting Edition, C, Visual C++, and Microsoft JScript) to customize Media Services.

Industrial Strength

Microsoft boasts that Media Services is the most scalable, reliable, and secure solution on the market today. Media Services in Windows Server 2003 supports twice as many users per server as Windows 2000. It supports HTTP 1.0/1.1, RTP, RTSP, HTML v3.2, FEC, IPv4/6, IGMPv3, SNMP, WBEM/WMI, SMIL 2.0, XML, XML-DOM, and COM/DCOM. All Media Services plug-ins run in protected memory to guarantee reliability. Many common authorization and authentication methods are supported, such as digital rights management and HTTP Digest. Microsoft provides a Web-based interface, an MMC snap-in interface, and command-line support for administering your media servers.

XML Web Services

XML Web Services are building-block applications that connect together via the Internet. These services provide reusable components that call functions from other applications. It doesn't matter how these applications were built, the types of devices used, or the OS on the devices used, because XML is an industry standard. XML Web Services are made available in Windows Server 2003 because of the .NET framework. XML Web Services help provide effective business-to-business (b2b) and business-to-consumer (b2c) solutions.


What Is XML?

XML (the Extensible Markup Language) is the latest cross-platform standard for sharing formatted data on the Internet, intranets, and elsewhere. XML is a markup language, rather than a programming language. Markup languages generally use symbols or character sequences inserted into text documents to indicate the formatting, or how the document should look when displayed (for example, in a Web browser) or printed. These markup symbols are also called tags.

The most well-known markup language is HTML, the HyperText Markup Language in which most Web documents are constructed. HTML is an SGML-based language. SGML, the Standard Generalized Markup Language, is a standard for how markup languages are specified. SGML is not itself a document markup language, but a basis for standardization of markup languages. It is known as a metalanguage for this reason.

XML is also modeled on SGML, and is also a metalanguage. XML gives users a standardized way of describing data. XML differs from HTML in that the latter's tags merely describe how the data is to be displayed. For example, the tag <b> indicates that the characters following it should be in bold type.

XML tags can describe the actual contents of the data. For example, the tag <zipcode> indicates that the characters following it constitute a postal zip code. This data can then be processed by applications as a zip code. Many XML conventions will be familiar to those who have worked with HTML. For example, a slash mark (/) is used to turn the tag "off." That is, the zip code 75336 would be designated in XML as <zipcode> 75336 </zipcode>. XML and HTML can be (and are) used together in the same document. XML is called "extensible" because its markup symbols are unlimited; you can create your own tags to describe document content.

XML is important because, like HTML, it allows users to exchange data across platforms. It is not OS or network-architecture dependent. Unlike HTML, it allows applications to process the data intelligently. For example, if you search HTML documents for the word "Rob," you might get returns for pages pertaining to a man named Rob and pages instructing you on how to rob banks. With XML, "Rob" can be identified as a particular type of content using the <first-name> tag, and your search will be narrowed.

The Microsoft .NET server products are built on XML, so understanding its function is important to Windows 2000 enterprise-level administrators who will be integrating these products into their networks.
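The sidebar's "Rob" example carried through in code: a plain text search against a small XML document compared with a query that only looks inside the <first-name> element, plus the kind of validation a content-describing tag such as <zipcode> makes possible. This is an added example, not from the book; the customer records are constructed, and it assumes Windows PowerShell, whose [xml] type wraps the .NET XML parser.

```powershell
# Added example, not from the book: text search versus structured query
# over a constructed XML document.
$rawXml = @"
<customers>
  <customer>
    <first-name>Rob</first-name>
    <last-name>Stone</last-name>
    <zipcode>75336</zipcode>
    <notes>Asked about the policy on attempts to rob the night deposit box</notes>
  </customer>
  <customer>
    <first-name>Ann</first-name>
    <last-name>Robson</last-name>
    <zipcode>10001</zipcode>
    <notes>Prefers e-mail contact</notes>
  </customer>
</customers>
"@

# Plain-text search: every occurrence of the word, whatever it means,
# which is what a search across HTML pages amounts to.
function Find-TextMatches {
    param([string]$Text, [string]$Word)
    return ([regex]::Matches($Text, $Word, 'IgnoreCase')).Count
}

# Structured search: only customers whose <first-name> element is the word.
# The name is a trusted constant here; a value taken from user input would
# have to be escaped before being placed inside the XPath expression.
function Find-CustomersByFirstName {
    param([xml]$Document, [string]$Name)
    return $Document.SelectNodes("/customers/customer[first-name='$Name']")
}

# A tag that names its content can also be validated as that content.
function Test-ZipCode {
    param([string]$Value)
    return ($Value -match '^\d{5}$')
}

$doc = [xml]$rawXml
"Text matches for 'rob':  $(Find-TextMatches -Text $rawXml -Word 'rob')"
$hits = Find-CustomersByFirstName -Document $doc -Name 'Rob'
"Customers named Rob:     $($hits.Count)"
foreach ($c in $hits) {
    "  {0} {1}, zip {2} (valid zip: {3})" -f $c.'first-name', $c.'last-name', $c.zipcode, (Test-ZipCode -Value $c.zipcode)
}
```

The text search also matches the last name Robson and the verb in the notes field; the XPath query returns only the customer record, and because the zip code sits in its own element it can be checked as a zip code rather than as a run of digits that happens to appear in a page.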


The Windows Server 2003 Family

The Windows Server 2003 family is built on the Windows 2000 Server technology. It takes the best of Windows 2000 and improves upon it. Windows Server 2003 is easier to manage and deploy than any previous versions of Windows. Windows Server 2003 is the most reliable and most secure Microsoft OS to date. It comes in four different editions, and in both 32-bit and 64-bit versions.

Why Four Different Editions?

All organizations are different. Most organizations would fall into one of three categories: small, medium, and large. The networking needs of organizations in each of these categories are different.

Typically, small organizations are concerned with performance versus cost. They want good performance, but it can't cost a fortune. Large companies want the best performance possible. They aren't as concerned with cost, as long as the product performs as expected.

Medium-sized companies fall somewhere in the middle. They sometimes need a little more out of an OS than what a small company will settle for, but they don't need the high-end equipment and features used by very large companies.

Microsoft has tried to create a different edition of Windows for each type of organization, so that all companies can use Windows Server 2003 without overpaying or sacrificing performance. Companies should buy the minimum version of Windows that provides all of the needed features.

Members of the Family

As noted, there are four editions of Windows Server 2003: Web Edition, Standard Edition, Enterprise Edition, and Datacenter Edition. Each edition has its own benefits:

■ Web Edition is the least expensive and least functional version. However, if your server is only used for hosting Web pages, then it is a perfect choice.

■ Standard Edition is the next step up from Web Edition. Most of the features in Windows Server 2003 are supported in Standard Edition.

■ If you need features not provided by Standard Edition or hardware not supported on Standard Edition, then Enterprise Edition would be the next logical choice. Almost every feature in Windows Server 2003 is supported in Enterprise Edition.

■ If you need to use Windows System Resource Manager or you need super powerful hardware, then Datacenter Edition is your only choice.

Be sure to pick the version that most closely matches your needs. There are huge differences in price as you work your way up the chain. There is no reason to pay for more than what you need.


Web Edition

Prior to the release of Windows Server 2003, if you wanted to have a Windows server function only as a Web server, you would have to buy a copy of Windows 2000 Server and use IIS. This was a waste of money and functionality, because most of the features of Server would never be used. Now there is a version of Windows designed to function exclusively as a Web server, Windows Server 2003 Web Edition. This will save companies a great deal of money and possibly give Microsoft a larger share of the Web server market. There is a difference in price (list price) of around $700 to $800 between Web Edition and Standard Edition Server.

Web Edition is meant to host Web pages, Web applications, and XML services. It supports IIS 6.0, ASP.NET, and the .NET Framework. Web Edition supports up to two processors and 2GB of RAM. Client access licenses (discussed later in the chapter) are not required when connecting to Web Edition. However, you are only allowed 10 inbound simultaneous SMB connections, to be used for content publishing (this limit does not apply to Web connections). Web Edition allows you to install third-party Web server software such as Apache, Web availability management software such as Microsoft Application Center, and database engine software such as Microsoft SQL Server 2000 Desktop Engine (MSDE).

Web Edition does not support the following functions:

■ Internet Authentication Services (IAS)

■ Microsoft Metadirectory Services

■ Domain controller functionality

■ Universal Description, Discovery, and Integration Services (UDDI)

■ Remote Installation Services

Standard Edition

Windows Server 2003 Standard Edition is the replacement for Windows 2000 Server. It is meant for small to medium-sized businesses and contains most of the features discussed thus far in the book. It is not limited in functionality like Web Edition and it supports up to four CPUs and 4GB of RAM. Standard Edition is a great choice for file and print servers, Web servers, and application servers that don't need to be clustered. It can also function as a domain controller. Microsoft expects Standard Edition to be the most widely used version of Windows Server 2003.

Enterprise Edition

Windows Server 2003 Enterprise Edition is the replacement for Windows 2000 Advanced Server. Enterprise Edition is meant for any sized business, but includes features most often desired by enterprise-level organizations. It provides high performance and reliability. All of the features supported in Standard Edition are supported in Enterprise Edition, as well as support for clustering up to eight nodes. It supports more powerful hardware than Standard Edition, and can use up to eight processors and up to 32GB of memory. There is a 64-bit version of Enterprise Edition for Intel Itanium machines. The 64-bit version supports up to eight processors and up to 64GB of RAM. Enterprise Edition is good for companies that need features or hardware not supported in Standard Edition.

Datacenter Edition

Datacenter Edition is Microsoft's high-end OS. It is meant for companies that need the most reliable and scalable platform available. You cannot buy the Datacenter Edition software and install it yourself; only approved equipment vendors can buy it and they must install it onto approved hardware. Datacenter Edition contains all of the features found in both Standard Edition and Enterprise Edition; in addition, it adds the Windows System Resource Manager to aid in system management. Datacenter Edition supports up to 32 processors and 64GB of memory in the 32-bit version. The 64-bit version supports up to 64 processors and 512GB of memory. If performance and reliability are at the top of your list (and cost is near the bottom), then Datacenter Edition is an excellent choice.

EXAM WARNING

You need to know the maximum hardware supported in each version of Windows Server 2003:

■ Web Edition supports two processors and 2GB of RAM.

■ Standard Edition supports four processors and 4GB of RAM.

■ Enterprise Edition supports eight processors and 32GB of RAM.

■ Datacenter 32-Bit Edition supports 32 processors and 64GB of RAM.

■ Datacenter 64-Bit Edition supports 64 processors and 512GB of RAM.

TEST DAY TIP

It is sometimes difficult to determine when to use each version of Windows Server 2003. You might be asked to identify which edition is the most appropriate in a given situation or scenario. Remember that Web Edition is for Web services only. Enterprise Edition is the starting point for clusters, while Datacenter Edition is used for high-end clusters. Unless you require Enterprise Edition or Datacenter Edition because you need the specific services offered (for example, clustering) or hardware supported (for example, 16 processors needed), you should use Standard Edition.

EXAM 70-290 OBJECTIVE 4.3

Manage Software Site Licensing

Microsoft based the Windows Server 2003 licensing structure on Windows 2000's structure. However, they have changed some things. This section is not the "end all be all" when it comes to Microsoft licensing. This section is meant to serve as a guide on the basics of Windows Server 2003 licensing. To order licenses, contact your Microsoft Software Advisor. In the United States, call (800) 426-9400, or visit the Microsoft Licensing Program Reseller Web page (http://shop.microsoft.com/helpdesk/mvlref.asp). In Canada, call the Microsoft Resource Centre at (877) 568-2495. Outside of the United States and Canada, please review the Worldwide Microsoft Licensing Web site (www.microsoft.com/worldwide).

There are a few rules that you need to know about Microsoft’s licensing schemes:

You have to purchase a product license for every copy of the OS you are going to install.

Every network connection that is authenticated requires a Windows CAL. Anonymous connections do not require a CAL (for example, anonymous access to a Web page). Windows CALs are not required for Windows Server 2003 Web Edition, as it is meant to serve Web content only.

Every Terminal Server session made by a user or device requires a Terminal Server Client Access License (TS CAL). TS CALs are not required for Windows Server 2003 Web Edition, as it is meant to serve Web content only.

Exam Warning

CALs are required every time a machine connects to a Windows Server 2003 machine. The only exception is an unauthenticated request (such as an anonymous Web request), which does not require a CAL. TS CALs are required for every user or device running a Terminal Server session.

The product license allows you to install the OS onto a machine. The CAL allows devices or users to connect to that machine. Microsoft’s reasoning behind this is that everyone pays the same price for the base OS, but companies with more connections pay more than companies with fewer connections. This allows them to price according to usage.

There are two licensing modes supported in Windows Server 2003:

Per Server mode requires a Windows CAL for each concurrent connection. These CALs are assigned to a specific server and cannot be shared between servers. You are allowed one connection for each CAL assigned to the server; once the maximum number has been reached, no more connections are allowed.

Per Device or Per User mode (formerly called “Per Seat” mode) requires that each device or user have its own Windows CAL. These allow the device or user to connect to an unlimited number of servers. With Per Device or Per User mode, the server does not limit the number of connections as it does in Per Server mode.

Generally, Per Server mode will be most cost effective if you have only one or two servers, and clients that don’t always connect at the same time. Per Device or Per User mode will be most cost effective if you have many servers to which your clients need to connect.

Microsoft has two types of CALs, User CALs and Device CALs. User CALs are purchased for every user that makes a connection to a Windows Server 2003 server. Device CALs are purchased for every machine that makes a connection to a Windows Server 2003 server. Microsoft recommends that you use either User CALs or Device CALs, but not both at the same time. User CALs are best when you have more machines than users and your users log on to multiple machines to access the servers. Device CALs are better when you have more employees than machines and your users share machines. User CALs and Device CALs are available for both Windows and Terminal Server. Device CALs and User CALs cost the same.

Windows 2000 supported the System Equivalency license for Terminal Server. The System Equivalency license stated that if your client was running the same OS version as the Terminal Server, then you did not have to buy a TS CAL (thus, a Windows 2000 Professional machine connecting to a Windows 2000 Terminal Server did not need a TS CAL). Windows Server 2003 no longer supports System Equivalency licenses. However, Microsoft does have a Terminal Server licensing transition plan. You can receive a free TS CAL for every copy of Windows XP that you own at the time of the Windows Server 2003 launch (April 24, 2003). Check the Microsoft licensing page for more information (www.microsoft.com/licensing).

New to Windows Server 2003 is the External Connector (EC) license. ECs enable external users to access your server without requiring that you buy CALs for them. External users are people who are not employed by your company. Terminal Server also has an EC license called the Terminal Server External Connector (TS-EC). The EC license replaces the Internet Connector and TS Internet Connector licenses.

Product Activation

Starting with Windows XP, Microsoft requires retail and OEM copies of the OS to be activated within a set number of days; after that, you will not be able to log on to the OS. Failure to activate only prevents logging on; services and remote administration are not affected. Windows Server 2003 allows a 30-day grace period for product activation (for retail and OEM products). Companies that use volume licensing do not have to activate their software.


Windows includes an activation wizard, as shown in Figure 1.14. Exercise 1.02 walks you through the process of activating your software. You can activate over the Internet or by phone. One important thing to remember about product activation is that the activation process keeps track of the hardware in your machine. If the hardware changes dramatically, you will have to reactivate your software within three days in order to continue logging on to the server. Microsoft does this to prevent people from purchasing one copy of the OS, activating it, making an image of it, and deploying that image to many more machines.

Note

Product activation is part of Microsoft’s anti-piracy campaign to ensure that software is actually purchased. It stops people from sharing their CD and CD key with other users. Even if they do share their info, the OS will only work for 30 days. After that time, users can no longer log on to the server. It must be activated to restore logon functionality. Microsoft keeps track of the keys used and verifies that they are only used by the person(s) who own them.

Exercise 1.02 Activating Windows Server 2003

Unless you are using Volume Licensing for Windows Server 2003, you will at some point have to activate a server. You can activate over the Internet or via the phone. Use the following steps to activate over the Internet. These steps are based on using the new LUNA interface of Windows Server 2003. If you are using the classic Start menu, the first steps will differ.

1. Click on the Start menu.

2. Go to All Programs.

3. Click on Activate Windows. This will open the Activate Windows screen as shown in Figure 1.14.

4. Select Yes, let’s activate Windows over the Internet now.

5. Click Next.

6. The next screen asks if you want to go ahead and register your copy of Windows. Choose Yes if you want to register, or choose No if you do not want to register. Registration is not a requirement for activation, so for this example, select No, I don’t want to register now; let’s just activate Windows.


7. The wizard will now say You have successfully activated your copy of Windows. Click OK to close the activation wizard.

Figure 1.14 Activating Windows Server 2003

EXAM 70-290 OBJECTIVE 4.2

Manage Software Update Infrastructure

Unless your company is buying its first Windows server, you are going to have to decide between upgrading and performing a clean install. Each method has advantages and disadvantages:

Upgrading preserves many of your existing settings, such as users and groups, permissions and rights, and applications.

Performing a clean installation can improve the performance of your hard drive, as it will be reformatted during installation. This also gives you a chance to change the partition and volume sizes used on your drives. Clean installs ensure that you don’t carry over any existing problems that you might have with your current OS.

Some administrators (the authors of this book included) prefer clean installs because they have seen many problems related to OS upgrades in the past. There is something comforting about starting from scratch.


Common Installation Issues

The biggest problems with installing a new OS are hardware and software incompatibilities. It is important to adhere to the recommended hardware specifications for Windows Server 2003. At a minimum, you need the following hardware configuration:

133MHz processor

128MB of RAM

1.5GB hard drive

Remember that these are the bare minimums on which Windows Server 2003 will run. Obviously, on such old hardware, performance will suffer. Microsoft recommends at least a 550MHz processor and 256MB of RAM.The more RAM the better.

You should always verify hardware compatibility before you start your installation. There is a system compatibility check you can run from the Windows Server 2003 CD that will check out your hardware for you automatically. The System Compatibility wizard is demonstrated in Exercise 1.03. Even if all of your hardware is supported, you should always update your machine’s BIOS to the most recent version.

Exercise 1.03 Checking System Compatibility

You can check your hardware for compatibility two ways. You can look up all of the parts on Microsoft’s site, or you can use the Compatibility wizard from the installation CD. The wizard is obviously the easier of the two. Follow these steps to use the Compatibility Wizard:

1. Put in the Windows Server 2003 CD.

2. Double-click on My Computer.

3. Double click on the CD-ROM. This will bring up the autorun screen shown in Figure 1.15.

4. Click on the Check system compatibility link.

5. Click on the Check my system automatically link. This will start the Compatibility Wizard.

6. You will now be prompted to get updated setup files. This is not necessary to check out your hardware. Click the radio button for No, skip this step and continue installing Windows.


7. Click Next. Windows will now check out your system. Once it is finished, it will display any issues that might interfere with installing Windows. You can click Details to read more about the issues, or click Save As to save the report to another location.

8. When finished viewing or saving the report, click Finished to end the wizard.

Figure 1.15 Verifying Hardware Compatibility for Windows Server

Common Upgrade Issues

As stated earlier, you should always verify hardware compatibility and BIOS versions. You should always back up your existing system before you start your upgrade. If you have applications on your server, you should read the release notes on application compatibility. These are found in the Docs folder on the setup CD (relnotes.htm).

When upgrading servers from NT 4.0 to Windows Server 2003, you must have Service Pack 5 or higher installed. You can perform upgrades from all server versions of NT 4.0 (Server, Enterprise Edition, and Terminal Server Edition). Upgrading Windows 2000 machines to Windows Server 2003 doesn’t require any service packs to be installed first. Windows 2000 Server can be upgraded to Windows Server 2003 Standard Edition or Enterprise Edition. However, Windows 2000 Advanced Server can only be upgraded to Windows Server 2003 Enterprise Edition, and Windows 2000 Datacenter Server can only be upgraded to Windows Server 2003 Datacenter Edition. You must have at least 2GB of free hard drive space for all upgrades.


Test Day Tip

Generally, before you begin your test you are allowed to write information down on your scratch paper. You might want to write down the upgrade paths to Windows Server 2003 so you can refer to them later. Sometimes, writing things down before you start helps you get the facts down while you are still thinking straight, and the time you spend doing this before starting the test doesn’t count against your time allotted for the test.


When upgrading Windows NT 4.0 domains to Windows Server 2003 domains, you must first make sure that DNS is installed and properly configured. You don’t have to use a Microsoft DNS server, but your implementation of DNS must support service (SRV) records. Optionally, you might want it to support dynamic updates as well. If DNS does not support dynamic updates, you will have to manually create all of the needed SRV records. Before starting the upgrade, you should take one of your BDCs offline. This will allow you to roll back to your existing NT 4.0 environment if you have problems with the upgrade.

Always start your upgrades with the PDC, followed by the BDCs. After upgrading the PDC, you should set your forest functional level to Windows Server 2003 interim mode.
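The DNS requirement above is easier to verify before the upgrade than to debug after it. The following is an added example, not part of the Syngress text or of any Microsoft tool: a small Python script that parses the SRV records out of a BIND-style zone file (the same format a domain controller writes to %SystemRoot%\system32\config\netlogon.dns when it registers itself), reports which of the records a domain controller depends on are missing or point at the wrong port, and generates the lines you would have to create by hand when the DNS server does not accept dynamic updates. The list of required services, the sample zone, and the host names are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# One SRV record in the BIND-style format Windows writes to netlogon.dns, e.g.
#   _ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)

# Services a domain controller advertises and the port each must point at.
# Assumption for this example: treat these as the minimum a client needs to
# locate a DC and authenticate (LDAP, Kerberos, password change).
REQUIRED_SERVICES = {
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
}


def parse_srv_records(zone_text: str) -> List[Dict[str, object]]:
    """Return the SRV records found in a zone file; other record types are skipped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = SRV_LINE.match(line)
        if match is None:
            continue  # A, CNAME, SOA and so on are not what we are checking
        records.append({
            "name": match["name"].rstrip(".").lower(),
            "ttl": int(match["ttl"]),
            "priority": int(match["priority"]),
            "weight": int(match["weight"]),
            "port": int(match["port"]),
            "target": match["target"].rstrip(".").lower(),
        })
    return records


def missing_srv_records(records: List[Dict[str, object]], domain: str) -> List[str]:
    """Names of required SRV records the zone does not carry on the expected port."""
    domain = domain.rstrip(".").lower()
    present = {(rec["name"], rec["port"]) for rec in records}
    return [
        f"{service}.{domain}"
        for service, port in REQUIRED_SERVICES.items()
        if (f"{service}.{domain}", port) not in present
    ]


def srv_records_for_dc(domain: str, dc_fqdn: str, ttl: int = 600) -> List[str]:
    """Zone-file lines to add by hand when the DNS server rejects dynamic updates."""
    domain = domain.rstrip(".").lower()
    dc_fqdn = dc_fqdn.rstrip(".").lower()
    return [
        f"{service}.{domain}. {ttl} IN SRV 0 100 {port} {dc_fqdn}."
        for service, port in REQUIRED_SERVICES.items()
    ]


# Constructed sample: a hand-maintained zone in which only part of the
# registration was done (hypothetical names, not from the book).
SAMPLE_ZONE = """\
; example.com -- constructed sample data
_ldap._tcp.example.com.     600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88  dc1.example.com.
dc1.example.com.            600 IN A   192.0.2.10
"""

if __name__ == "__main__":
    found = parse_srv_records(SAMPLE_ZONE)
    for name in missing_srv_records(found, "example.com"):
        print("missing:", name)
    print("records to add if dynamic update is unavailable:")
    for line in srv_records_for_dc("example.com", "dc1.example.com"):
        print(" ", line)
```

Run it against a zone transfer or a copy of the zone file from your non-Microsoft DNS server before you touch the PDC; a record that exists but points at the wrong port is treated as missing, because that is exactly the case a quick visual check tends to miss.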

When upgrading Windows 2000 domains, you must first prepare the forest and the domain for Windows Server 2003 by using the ADPrep tool. You prepare the forest by running adprep.exe /forestprep on the Schema Master, and you prepare the domain by running adprep.exe /domainprep on the Infrastructure Master. ADPrep can only be run from the command line; there isn’t an equivalent graphical tool. Unlike when you upgrade from NT 4.0 domains, you do not have to upgrade the PDC (technically the PDC Emulator) first. You can install a new Windows Server 2003 domain controller into an existing Windows 2000 domain. When upgrading your domain controllers, you need to budget a little growing room for the Active Directory database. The database file (ntds.dit) might grow by up to 10 percent.

Test Day Tip

ADPrep is a new requirement for Windows Server 2003. Think of it this way: NT 4.0 did not have Active Directory, so there is nothing to prepare. When you install your first Windows Server 2003 domain controller, you are creating the Active Directory for the first time. However, Windows 2000 already has an Active Directory, but it doesn’t know anything about Windows Server 2003. You must prepare its Active Directory so it can work with Windows Server 2003. You must prepare the forest (/forestprep) and the domain (/domainprep) before you install your first Windows Server 2003 domain controller.


Summary of Exam Objectives

Windows Server 2003 is Microsoft’s latest server OS. It uses Windows 2000 as its foundation and improves on it from there. Windows Server 2003 uses the concepts of client-server networking, domain-based administration, and Active Directory services.

There are four different editions of Windows Server 2003: Web Edition, Standard Edition, Enterprise Edition, and Datacenter Edition. Web Edition functions as a Web server only. Standard Edition supports all features except clustering. Enterprise Edition and Datacenter Edition support all features, including clustering. Use Datacenter Edition instead of Enterprise Edition if you need more than eight processors or more than 32GB of RAM.

Most of the features in Windows Server 2003 that carried over from Windows 2000 have been updated. Some new features have also been added. Most of the improvements have to do with increasing network performance, improving security, or adding functionality for Windows Server 2003.

Active Directory speeds up domain controller installation times over slow connections by supporting the replication of new domain controllers from tape backup. Company mergers no longer mean starting over with a new AD; you can now rename and restructure domains in Windows Server 2003. Microsoft added the Group Policy Management Console to ease the burden of managing group policy. The GPMC allows you to back up and restore your group policy objects.

Windows Server 2003 enhances file security and maintenance. The Encrypting File System (EFS) supports multiple users sharing the same encrypted files. Now, departments can encrypt their shared data with built-in Microsoft tools. In the past, this would have required a third-party encryption program. If you ever need to run a repair against your disk, you should be able to do it in about 70 percent of the time expected in Windows 2000. The CHKDSK tool has been revamped to make it run faster.

No longer is IIS an instant security hole on your server. In all editions other than Web Edition, IIS is not even installed by default. IIS is more stable than ever before. It has been designed to keep applications from crashing each other. If one application fails, it should restart itself without interfering with other running applications. New command-line tools make administering IIS through scripts much easier.

Clustering support has been increased to eight nodes per single cluster. Clusters are now integrated into Active Directory, which means they support Kerberos authentication. No longer must you support down-level authentication methods just because you have a cluster. Network Load Balancing has been enhanced as well. It now supports multiple load-balanced NICs on a single server, and it will pass IPSec traffic.

Microsoft has put many convenience features into Windows Server 2003. Credential Manager provides a secure single sign-on environment for Windows users. You can extend your single sign-on experience even further by integrating your Microsoft Passport account with your Active Directory account. Shadow copies provide a method of versioning the files on your file server. A snapshot is taken of all the files, and users can roll back their files to the ones contained in any available snapshot. Users can log on to a Terminal Server and still access most of their local resources. The Remote Desktop client supports the local client file system, audio output, printers, serial ports, smart cards, and a shared clipboard.

Windows Server 2003 can be used to upgrade an existing machine or build a new one from scratch. Either way, you need to verify that your hardware is compatible by running the system compatibility check on the Server CD. If you aren’t concerned with losing the existing settings on your machine, a clean installation is the preferred method. This way, you can ensure that you aren’t bringing over any problems from the old OS. If you need to preserve users, groups, rights, or applications, an upgrade is your only choice. Be sure to back up your data before you start your upgrade. If you are upgrading Windows NT 4.0, you must have at least Service Pack 5 installed. When upgrading NT 4.0 domains, remember to take an existing BDC offline before you start and upgrade the PDC first. If upgrading a Windows 2000 domain, you must first run ADPrep to prepare the forest and the domain for Windows Server 2003.

Microsoft did their homework for Windows Server 2003. They listened to users’ concerns about Windows 2000 problems, and they fixed them. They eased administration by updating all of the administrative tools and providing command-line scriptable tools for most services. They made the upgrade process easier and updated most of the features of Windows 2000 Server.

Exam Objectives Fast Track

History of the Windows Operating System Family

Microsoft’s first OS was MS-DOS. It was text based and did not have a GUI. It was made for IBM to use on their new line of personal computers.

Microsoft’s first version of NT was Windows NT 3.1. It was numbered 3.1 to build on the popularity of Windows 3.1. Even though the interface and the name were similar, the underlying technology was different. Windows 3.1 was based on the MS-DOS kernel and was not an OS in itself, but a shell that ran on top of DOS. Windows NT 3.1 was built on a new NT kernel.

Windows Server 2003 is the latest release of Windows. It builds on the success of Windows 2000, but has been improved to make it more reliable, stable, scalable, and secure.


Windows Server Operating System Basics

Client-server networking is preferred to peer-to-peer networking in all but the smallest networks, because it provides centralized authentication and centralized administration.

Domains provide centralized authentication and centralized account management.

All domain controllers in the same domain share a common database. As changes are made to the database, all domain controllers replicate their changes to each other.

Windows 2000 and Windows Server 2003 use Active Directory, which provides a hierarchical way to manage your accounts. Active Directory makes it easier to secure and delegate permissions within your domain.

What’s New in Windows Server 2003?

Windows Server 2003 was designed with security in mind. Most of the features carried over from Windows 2000 have been updated to make them more secure.

Active Directory has been enhanced to improve replication, migration, and management. In addition to adding new Active Directory tools, Microsoft also enhanced the existing tools to make them easier to use and increased their functionality.

Windows has been improved in the area of Storage Area Networks (SANs). You can add a SAN-attached drive from within Windows. Windows Server 2003 also provides a unified interface for managing your SANs.

The Windows Server 2003 Family

There are four versions of Windows Server 2003: Web Edition, Standard Edition, Enterprise Edition, and Datacenter Edition.

Web Edition is used as a Web server only. It supports up to two processors and 2GB of RAM.

Standard Edition is typically used as a domain controller, file and print server, or application server. It supports up to four processors and 4GB of RAM.


Enterprise Edition can fulfill all the same roles as Standard Edition, but it also supports clustering. Use Enterprise Edition when you need more scalability and reliability than what is offered in Standard Edition. Enterprise Edition supports up to eight processors and 32GB of RAM.

Datacenter Edition supports all of the features included with Standard Edition and Enterprise Edition. However, it supports much more powerful hardware. It supports up to 32 processors and 64GB of RAM. Use Datacenter Edition when you need the most machine power possible.

Licensing Issues

You must purchase a server product license for every machine on which you install Windows Server 2003.

In order to connect over the network to the server, you must have a Client Access License (CAL). You don’t need CALs if you are making an anonymous connection to a Web page.

Terminal Server sessions require a Terminal Server Client Access License (TS CAL).

Unless you are using a Volume Licensing version of Windows Server 2003, you must activate each installation. If you do not activate your installation, you will not be able to log on after the grace period has expired.

Installation and Upgrade Issues

You should verify that your hardware is compatible with Windows Server 2003 before you start your installation. To do this, you can run the system compatibility check from the Server CD.

Windows NT 4.0 machines must be upgraded to at least Service Pack 5 before they can be upgraded to Windows Server 2003.

When upgrading a Windows 2000 domain to Windows Server 2003, you must update the forest first by running adprep /forestprep, and then update the domain by running adprep /domainprep.


Exam Objectives

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: What is the difference between joining my PC to an Active Directory domain and putting it into a workgroup with the same name?

A: If you do not join your PC to the domain, you will not have a machine account in AD. You will not be able to manage your PC from the domain. For example, group policy machine settings will not apply to your machine. Additionally, you will not be able to log on with user accounts from the domain. Domain user accounts can only log on to machines that are joined to the domain or joined to trusted domains.

Q: What does it mean when you say that NT was a flat directory service?

A: Think of a directory service as a file cabinet. Windows NT is like a file cabinet with only one drawer and no folders. As you add files to the drawer, it will become increasingly difficult to manage. This is a flat file structure because you can only put the files in one place. There is no way to organize them (as you could do if there were folders). Active Directory is like a file cabinet with three drawers, with each drawer having folders inside it. Now you can organize your data as you file it away. This makes it easier to manage and easier to locate the files later. This is called a hierarchical structure.

Q: How do I determine how many domain controllers I need in my organization?

A: There are no “set in stone” rules on how many you need. You should always have at least two for fault tolerance. It is recommended that you have at least one per physical location so users don’t have to authenticate over wide area network (WAN) links. Microsoft provides a tool called the Active Directory Sizer (ADSizer). It serves as a good starting point for determining the number of domain controllers required. You can download ADSizer from http://download.microsoft.com/download/win2000platform/ASsizer/1.0/NT5/EN-US/setup.exe.

Q: What is the difference between running CHKDSK and defragmenting my drive?

A: CHKDSK fixes problems with disks by scanning for errors. Defragmenting fixes performance issues by reorganizing the raw data on your hard drive so that it can be accessed faster.


Q: How can I protect my server against being hacked?

A: Most compromises exploit a vulnerability in a service offered by your server. You can use the Internet Connection Firewall (ICF) to ensure that your server accepts connections only to the services you intend to offer. You can then concentrate on securing those services.

Q: What type of software do I need to connect my Windows Server 2003 machine to a broadband DSL connection?

A: You do not need any additional software to use broadband. Windows Server 2003 allows direct connections to broadband via the built-in PPPoE support.

Q: When should I use Enterprise Edition instead of Standard Edition?

A: Most of the time, Standard Edition will suffice. If you need to support more than four processors or more than 4GB of RAM, you need to go with Enterprise Edition. Moreover, if you need to cluster your machines, you will need Enterprise Edition because Standard Edition does not support clustering.

Q: Why is Web Edition limited to 10 incoming SMB connections at a time?

A: SMB is used to copy files between machines over the network. Web Edition is limited in the number of such connections to make sure you are using it as a Web server only and not as a file server.

Q: I can’t seem to find a price for Datacenter Edition. How much does it cost?

A: You cannot buy Datacenter off of the shelf as with the other versions. Datacenter can only be purchased through Microsoft-approved vendors. You buy Datacenter as a package that includes all of the needed hardware. Datacenter must be installed by an approved vendor.

Q: Why do I have to pay for the OS and then pay again to connect to my server over the network?

A: Microsoft has chosen to separate the licensing into two parts. This allows them to keep the prices down for the OS. If they didn’t charge for connections (CALs), they would compensate by charging more for the OS. This way, customers who use less pay less.

Q: How do I decide if I should use Per User or Per Device licensing?

A: You should always choose the licensing structure that costs less but still meets your needs. As a general rule, if you have roaming users who each work from several machines, so that you have more machines than users, Per User is better. If you have users who share machines, so that you have more users than machines, Per Device is better.


Q: How do companies that host Web pages determine how many CALs to purchase?

A: Unauthenticated (anonymous) connections to a Web site do not require CALs.

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

What’s New in Windows Server 2003?

1. Your company has decided to put in a Windows-based Network Address Translation (NAT) server. Your boss wants to use Windows 2000 if possible because you already own a license for it. You have been tasked with determining if Windows 2000 will suffice, or if you need to go with Windows Server 2003. Which of the following required protocols will help you determine which version of Windows to use?

A. ICMP

B. PPTP

C. L2TP

D. HTTP

2. You work for an online retail company. You have been tasked with creating a Web server farm to support your company’s new e-commerce initiative. All of your Web servers are running IIS 6.0 on Windows Server 2003 Enterprise Edition. You want to spread the traffic across all of your Web servers, while providing the best possible performance. Which of the following features should you use to build your Web farm?

A. Network Load Balancing

B. Microsoft Clustering Service

C. DNS Round Robin

D. Windows Media Services

3. Your company wants to put in two new e-mail servers. E-mail is mission critical for your company, so you want to configure your e-mail servers in the most fault-tolerant manner possible. Which of the following features should you use for your e-mail servers?


A. Network Load Balancing

B. Microsoft Clustering Service

C. DNS Round Robin

D. Windows Media Services

4. You have been hired to restructure a company’s forest. They have merged with another company and changed their name. You have upgraded all of your domain controllers to Windows Server 2003. You plan to use the Domain Rename tool (rendom.exe) from the server CD. Which of the following cannot be accomplished with this tool?

A. Rename your domains

B. Remove domains

C. Create new trees

D. Rename your domain

5. Your company has decided to migrate from Windows 2000 to Windows Server 2003. You have migrated all of your printers and file shares from a Windows 2000 server to a Windows Server 2003 server. Everything seems to be working fine after the migration, except that you cannot get to the printers Web page on the print server. This is how you administered your printers before and you would like to continue doing it this way. What could be the cause of your problem?

A. The printers Web page is not included in Windows Server 2003.

B. IIS is not included in Windows Server 2003.

C. IIS is not installed by default.

D. Your desktop doesn’t have Internet Explorer 6.0.

6. You use a Windows Server 2003 machine as one of your file servers. Users are complaining that they cannot get to any shares on the file server. You can telnet to the server from a client’s workstation. You log on to the server and verify that the shares exist and that the users have rights. However, whenever you try to map a drive to the server, it displays the message “network path not found.” What could be the cause of the problem?

A. The Microsoft client has been removed from the server.

B. You do not have administrative rights on the machine.

C. ICF is enabled on the server.

D. The file server was promoted to a domain controller.


The Windows Server 2003 Family

7. Your company has decided to get rid of all their fax machines. Now, instead of each department having its own fax machine, everyone will share the same fax server. This fax server will allow you to send and receive faxes from within Outlook. Faxing is an important aspect to company business, so you have been tasked with making the Exchange e-mail servers as fault tolerant as possible. You decide to put in a two-node Windows Server 2003 cluster. Each node will have four processors and 2GB of RAM. Which version of Windows Server 2003 should you use?

A. Web Edition

B. Standard Edition

C. Enterprise Edition

D. Enterprise 64-Bit Edition

E. Datacenter Edition

F. Datacenter 64-Bit Edition

8. You work for a statistical analysis company. You are currently using Windows 2000 Server on a 1.4 GHz XEON machine. You need to upgrade to an Intel Itanium machine to support a new application. You want to use eight processors and 40GB of RAM. Which version of Windows Server 2003 should you use?

A. Web Edition

B. Standard Edition

C. Enterprise Edition

D. Enterprise 64-Bit Edition

E. Datacenter Edition

F. Datacenter 64-Bit Edition

Licensing Issues

9. Your company is open 24 hours a day, seven days a week. Everyone works eight-hour shifts and there are three shifts. All three shifts share the same computers. Over the next six months, you will be rolling out Windows Server 2003 and Windows XP. Your company has 1,500 workstations, 4,500 users, and 50 servers. Which licensing model should you use?


A. Per User licensing

B. Per Device licensing

C. Per Server licensing

D. External Connector licensing

10. You have been hired as a consultant to assist a company in migrating from Novell NetWare 5.0 and Windows 95 to Windows Server 2003 and Windows 2000 Professional. There will be 1,200 workstations and 10 servers. There are 600 users, and every user has two machines. Which licensing model should you use?

A. Per User licensing

B. Per Device licensing

C. Per Server licensing

D. External Connector licensing

11. Your company has partnered with another company to develop a new application. Your partner requires access to one of your company’s terminal servers in order to work on the project. There will be about 1,500 users from the other company who will need to connect. Which of the following licensing models should you use?

A. Terminal Server Per User CALs

B. Terminal Server Per Device CALs

C. Terminal Server External Connector

D. Per Server CALs

Installation and Upgrade Issues

12. You have three Windows 2000 servers that need to be upgraded to Windows Server 2003. Two of your servers are running Windows 2000 Advanced Server, and one is running Windows 2000 Server. All three servers need to be running Windows Server 2003 Standard Edition. Which of the following steps should you perform? (Choose two answers.)

A. Upgrade the servers running Windows 2000 Advanced Server to Windows Server 2003 Standard Edition.

B. Upgrade the server running Windows 2000 Server to Windows Server 2003 Standard Edition.

C. Perform a fresh install of Windows Server 2003 on the machines running Windows 2000 Advanced Server.

D. Perform a fresh install of Windows Server 2003 on the machine running Windows 2000 Server.


13. You are creating a new Windows Server 2003 domain. You have installed DNS on a machine running Windows 2000 Server. You have created the correct zone and configured your soon-to-be domain controller to use the new DNS server for DNS queries. However, when you run dcpromo to create a new domain controller, you get an error message stating that a properly configured DNS server cannot be found. What should you do to get this working?

A. You need to use a Windows Server 2003 DNS.

B. You need to update your Windows 2000 DNS server to at least Service Pack 2.

C. You need to enable zone transfers on your DNS server.

D. You need to enable dynamic updates on your DNS server.

14. You have decided to upgrade your company’s Windows NT 4.0 domain to a Windows Server 2003 domain. You install Service Pack 6a on all your NT 4.0 machines and you verify that all of the hardware is compatible with Windows Server 2003. You install and properly configure DNS on a Windows Server 2000 member server. What should you do next?

A. Upgrade the PDC to Windows Server 2003.

B. Upgrade one of your BDCs to Windows Server 2003.

C. Upgrade your DNS server to Windows Server 2003.

D. Install Service Pack 3 on your DNS server.

15. You have a user who is not getting the correct settings when he logs on to his PC. You are running a Windows Server 2003 domain and the user is using a Windows XP desktop. You want to see which policies are being applied to the user when he logs on to his PC. Which tool should you use?

A. Group Policy Object Editor Snap-in

B. Computer Management

C. Active Directory Users and Computers

D. Group Policy Management Console


Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.


1. C

2. A

3. B

4. B

5. C

6. C

7. C

8. D

9. B

10. A

11. C

12. B, C

13. D

14. A

15. D


Chapter 2

Managing Physical and Logical Disks

MCSA/MCSE Exam 70-290 Objective 1

Exam Objectives in this Chapter:

1.1 Manage basic disks and dynamic disks.

1.3 Optimize server disk performance.

1.3.2 Defragment volumes and partitions.

4.7.1 Monitor disk quotas.

1.3.1 Implement a RAID solution.

Summary of Exam Objectives

Exam Objectives Fast Track

Exam Objectives Frequently Asked Questions

Self Test

Self Test Quick Answer Key


Introduction

Disk management is an important aspect of optimizing and maintaining any PC, and Windows Server 2003 includes a variety of tools that the administrator can use to format, partition, organize, and optimize disks. In this chapter, we take a look at how the operating system enables you to interface with the physical and logical disks in your machine, and how you can optimize disk performance to increase the overall performance of your server.

Like Windows 2000, Windows Server 2003 supports two disk types: basic and dynamic. Upgrading your disks to dynamic status enables you to take advantage of the operating system’s software RAID support, so that you can create fault-tolerant volumes. A regular schedule of defragmentation is another way you can enhance disk performance, and in this chapter, we will show you how to use both the graphical interface and command-line tools to defragment your disks and perform other disk management tasks. You will also learn to configure disk quotas for better management of disk space on the file server, and we show you how to use the Remote Storage feature to manage volumes. Finally, we will discuss basic troubleshooting techniques for tracking down problems with disks and volumes.

Understanding Disk Terminology and Concepts

Computers use hard disks for storing information, but hard disks are not the only place where information is stored. Computers can store information more quickly in cache memory and random access memory (RAM), but this information is lost when we turn off our computers. Because this memory is much more expensive per megabyte than hard disk space, our total storage capacity in memory is limited. We can also store information on portable media such as floppy disks, zip disks, CD-R, CD-RW, tape, or DVD for transferring files or archiving data, but we are limited by the speed at which we can write the information to the media. Hard disks provide a good balance between fast access and lots of storage space.

A hard disk works similarly to an old-fashioned record player. Inside the hard disk casing, there are stacks of round magnetic disks that look somewhat like records. These stacks of disks are called cylinders (see Figure 2.1). Each individual disk has tracks (see Figure 2.2) on it like the grooves on a record. Each track is broken down into sectors (see Figure 2.3) and the sectors are organized into clusters (see Figure 2.4). As the disks spin around, a head (like the stylus on a record player) reads and writes data electromagnetically to the disk, one cluster at a time. Different operating systems format their disks differently, but the way the disk is physically accessed is the same for all operating systems.

Figure 2.1 Understanding Cylinders (diagram showing the head, the disk, and a cylinder)

Figure 2.2 Understanding Tracks (diagram showing a track)

Figure 2.3 Understanding Sectors (diagram showing a sector)

Figure 2.4 Understanding Clusters (diagram showing a cluster)


Microsoft Disk Terminology

It is important for you to know the correct terminology relating to the various disk components in Windows Server 2003. There are two primary components to understand: physical disks and logical disks. Physical disks can be either basic or dynamic. Logically, they can be separated into either partitions or volumes. This section explains when and how each of these is used.

Physical vs Logical Disks

You must be able to distinguish between a physical disk and a logical disk. Physical refers to the actual, tangible hard disk itself. A physical disk is a piece of hardware, which can be organized into logical disks. A physical disk by itself is of no use to Windows. It is not until you format the physical disk and create a logical disk that it becomes a resource that is accessible from within Windows.

Logical disks enable you to customize your physical disks to best fit your needs. Depending on the disk type used (basic or dynamic), logical disks consist of either partitions or volumes. These are units made up of all or part of one or more disks. Partitions are divisions of a single disk. Volumes can span multiple physical disks. Conversely, a single physical disk can contain multiple logical disks. The following scenarios illustrate a couple of real-world examples:

You have three physical disks installed in your server, each of which contains 30GB of disk space. However, you don’t want to use them as three separate disks. In other words, you do not want the operating system to “see” these disks as a C: drive, a D: drive, and an E: drive. Instead, you want to access all the space contained in the three disks as if it belonged to one 90GB physical disk. To accomplish this, you can create a spanned volume (covered later in this chapter) and combine all three physical disks into one logical disk. You can now access all the storage via one drive letter (for example, D:).

Maybe you have the opposite scenario. You have one large 100GB physical disk, but you don’t want one large C: drive. You can create two or more partitions or logical drives to divide up the space. You can assign a separate drive letter for each logical disk and access the single physical disk as if it were multiple smaller physical disks.

Basic vs Dynamic Disks

Windows Server 2003 supports two types of physical disk configurations:

Basic disks

Dynamic disks


By default, disks are initially configured as basic. Basic disks use the same disk structure used in Windows NT 4.0 and previous operating systems all the way back to MS-DOS. That is, they are divided into primary and extended partitions, and logical drives can be created within extended partitions.

Dynamic disks use a new disk structure that was introduced in Windows 2000. The basic unit of a dynamic disk is the volume (rather than the partition). Dynamic disks support features that you don’t get with basic disks and give you much more flexibility in structuring your storage space. With dynamic disks, you can extend simple volumes (make them bigger without reformatting and losing data) to any empty space on any dynamic disk, create spanned volumes across multiple physical disks and create fault tolerant (RAID 1 and 5) volumes.

A single computer can contain both basic and dynamic disks. Each physical disk installed in the computer is separately identified as either basic or dynamic. Basic disks and dynamic disks both support the same file systems (FAT16, FAT32, and NTFS).

Basic disks can be upgraded to dynamic status at any time without losing data. Later in the chapter, you will learn how to upgrade your disks. You do not even have to reboot after upgrading to dynamic unless you are upgrading the system disk or the disk being upgraded is currently in use. As mentioned, basic disks are made up of partitions and logical drives.

Basic disks do not support creating volume sets or fault-tolerant volumes. MS-DOS and all versions of Windows can use basic disks.

NOTE

If you are dual booting Windows Server 2003 with a down-level operating system, such as NT, 9x, or MS-DOS, do not convert a disk to dynamic status if you want to be able to access its data when you are booted into the other OS. We do not recommend dual-boot configurations on production servers for security reasons, but it is common to dual boot a machine that is used for testing or training purposes.

Although dynamic disks (unlike basic disks) support creating volumes that span multiple disks and creating fault-tolerant volumes, dynamic disks are not always the best solution. The following are some limitations of using dynamic disks:

Dynamic disks are currently not supported on laptop computers.

Removable media and disks attached via FireWire (IEEE 1394), Universal Serial Bus (USB), or shared SCSI buses cannot be converted to dynamic.

You can install Windows Server 2003 only onto a dynamic volume that was converted from a basic boot or system partition. You cannot install onto a dynamic volume that was created from free space. This is because there must be an entry in the partition table for the setup program to recognize the volume, and such an entry does not exist on a newly created dynamic volume.


Even though Windows 2000, XP Professional, and Server 2003 all use dynamic disks, you cannot convert a basic disk that holds multiple instances of these operating systems to dynamic. The operating systems installed on the disk will not start if you do this.

Dynamic disks are not supported by Windows Cluster Service. If you need the features of dynamic disks on a clustered shared disk, you can use a third-party program called Veritas Volume Manager 4.0 to accomplish this.

Booting Your Disk

Two disk sectors are vital to starting your computer: the master boot record (MBR) and the boot sector. The MBR is created when a disk is initially partitioned. The boot sector is created when a partition (or volume) is formatted.

The MBR is located in the first sector on the physical hard disk. It contains the master boot code, the partition table, and the disk signature for the physical disk. The master boot code is responsible for booting the machine. The partition table identifies the type and location of partitions on the physical disk. The disk signature identifies the physical disk to the operating system.

The MBR performs the following operations when a disk boots:

1. It scans the partition table (or disk configuration database) for an active partition.

2. It finds the starting sector for the active partition.

3. It loads a copy of the boot sector of the active partition into memory.

4. It passes control to the boot sector.

There is a boot sector for each partition on your physical disk. The boot sector (like the MBR) contains code that is required to boot. Among other things, it also contains information required by the file system to access the partition or volume. The boot sector loads NTLDR (the Windows startup file) into memory and gives it control of the boot process.
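The boot sequence described above can be checked directly against the on-disk structures it reads. The following Python example is added here and is not code from the book or from Windows: it builds a constructed 512-byte MBR, decodes the disk signature and the four 16-byte partition-table entries at the standard offsets (the signature at byte 440, the table at byte 446, and the 0x55AA boot signature at byte 510), and then performs steps 1 and 2 of the sequence, locating the single active partition and the sector where its boot sector starts. The partition type IDs 0x07 (NTFS) and 0x0F (extended) are real MBR type codes; the LBA values and disk signature are constructed for the example. Refusing a record with a missing boot signature, an invalid boot indicator, or more than one active partition is the kind of sanity check a recovery or forensic tool applies before trusting a boot record.

```python
import struct

SECTOR_SIZE = 512
DISK_SIGNATURE_OFFSET = 440       # 4-byte disk signature written when the disk is initialized
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries occupy bytes 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of a valid MBR
ACTIVE_FLAG = 0x80                # boot indicator value marking the active partition


def build_sample_mbr(entries, disk_signature=0x1A2B3C4D):
    """Construct a synthetic 512-byte MBR for demonstration (not read from a real disk).

    entries: up to four (active, type_id, start_lba, sector_count) tuples.
    The master boot code area (bytes 0..439) is left as zeros in this sample.
    """
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, DISK_SIGNATURE_OFFSET, disk_signature)
    for i, (active, type_id, start_lba, sector_count) in enumerate(entries[:4]):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        boot_flag = ACTIVE_FLAG if active else 0x00
        # Entry layout: boot flag, 3-byte CHS start, type id, 3-byte CHS end,
        # 32-bit LBA start, 32-bit sector count. The legacy CHS fields are zeroed.
        struct.pack_into("<B3sB3sII", mbr, off, boot_flag, b"\0\0\0", type_id,
                         b"\0\0\0", start_lba, sector_count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Decode the disk signature and partition table from one MBR sector.

    Raises ValueError for a wrong sector size, a missing boot signature or an
    invalid boot indicator, so a corrupt or tampered record is reported rather
    than silently accepted.
    """
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA not found; not a valid MBR")
    disk_signature = struct.unpack_from("<I", mbr, DISK_SIGNATURE_OFFSET)[0]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        boot_flag, type_id, start_lba, sector_count = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id == 0:
            continue                      # unused slot
        if boot_flag not in (0x00, ACTIVE_FLAG):
            raise ValueError(f"entry {i}: invalid boot indicator 0x{boot_flag:02X}")
        partitions.append({
            "index": i,
            "active": boot_flag == ACTIVE_FLAG,
            "type_id": type_id,
            "start_lba": start_lba,
            "sector_count": sector_count,
        })
    return {"disk_signature": disk_signature, "partitions": partitions}


def find_active_partition(mbr):
    """Steps 1 and 2 of the boot sequence: scan the table for the single active
    partition and report where its boot sector starts (LBA and byte offset)."""
    active = [p for p in parse_mbr(mbr)["partitions"] if p["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    part = active[0]
    return {**part, "boot_sector_byte_offset": part["start_lba"] * SECTOR_SIZE}


# Constructed sample: an active NTFS primary partition (type 0x07) followed by an
# extended partition (type 0x0F) that would hold logical drives.
SAMPLE_MBR = build_sample_mbr([
    (True, 0x07, 63, 2_097_152),
    (False, 0x0F, 2_097_215, 4_194_304),
])

if __name__ == "__main__":
    print(parse_mbr(SAMPLE_MBR))
    print(find_active_partition(SAMPLE_MBR))
```

Step 3 of the sequence (loading the boot sector) would read 512 bytes at the returned byte offset; dynamic disks keep their configuration in the LDM database instead, so this parser only describes basic, MBR-partitioned disks.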

Unlike basic disks, dynamic disks do not use a partition table to store their configuration information. Instead, they use a private database that is stored at the end of the disk, called the Logical Disk Manager (LDM) database. This database is exactly 1MB in size and is replicated to all the dynamic disks within a machine. This addresses the problem of the partition table as a single point of failure. The LDM database includes such information as volume types, offsets, memberships, and drive letters for each volume on the disk. The LDM replicates and synchronizes the databases across the disks, so that all dynamic disks on the system are aware of one another. There is a unique DiskID in the LDM header of each dynamic disk that enables LDM to identify each disk and distinguish it from the others.


NOTE

There can be problems when you have storage area network (SAN) drives and local disks that are all converted to dynamic status. If the SAN goes offline due to a power outage, the databases may become mismatched and cause problems getting some of the disks back online. Microsoft recommends that, if you have a SAN, you make its disks dynamic and the local disks basic, or vice versa, but not make both dynamic.

Upgrading Disk Sets from Windows NT 4.0

Windows NT 4.0 enabled you to create spanned, striped, and fault-tolerant partitions on basic disks, which served the same purpose as the spanned, striped, and fault-tolerant volumes that now can be created only on dynamic disks. Dynamic disks were introduced with Windows 2000, and in order to create spanned, striped, and fault-tolerant volumes, you had to create them on a dynamic disk. However, Windows 2000 supported any volume sets, mirror sets, stripe sets, and stripe sets with parity that had been created in Windows NT 4.0. Thus, if your 4.0 machine was upgraded to 2000, you could still have these sets on a basic disk.

This is not the case in Windows Server 2003. If you have old NT-based volume sets, mirror sets, or stripe sets on a basic disk when you upgrade to Windows Server 2003 from Windows NT or 2000, these sets must be removed before upgrading to Windows Server 2003. For mirror sets, you need only to break the mirror before upgrading. For volume sets, stripe sets, and stripe sets with parity, you must follow these steps:

1. Back up the data.

2. Delete the set.

3. Upgrade the OS to Windows Server 2003.

4. Convert the disk to dynamic.

5. Recreate the set.

6. Restore the data.

Partitions vs Volumes

Both partitions and volumes enable us to divide one physical disk into sections so that each section appears as a separate disk. Each section is individually formatted (different sections can be formatted in different file systems) and can have its own drive letter. Basic disks contain partitions. Partitions cannot be configured to span disks and therefore cannot provide any fault tolerance. Dynamic disks contain volumes. Volumes can span disks and can provide fault tolerance.


Understanding Disk Fault Tolerance

Fault tolerance refers to the capability of a computer or network to continue to function when some component fails. Disk fault tolerance refers to methods of storing data on the disk in such a way as to create redundancy of the data, so that it can be retrieved or recreated if a disk fails. Fault tolerance is not a substitute for backing up your data, but should be used in conjunction with a regular backup schedule that includes offsite storage. Generally, a fault tolerance solution will enable you to get up and running again more quickly than if you have to restore from backup, but backups are another line of defense in case the entire computer fails or is destroyed by fire, flood, etc.

There are several different ways to achieve disk fault tolerance. The most common implementation is known as RAID, or Redundant Array of Independent (or Inexpensive) Disks. Multiple disks can be configured in a number of different ways to create a fault-tolerant array. Data can simply be mirrored from one disk to another, or parity information can be stored that will enable the regeneration of lost data.

RAID can be implemented either as a hardware or software solution. There are many different “levels” of RAID: 0, 1, 2, 3, 4, 5, 6, 7, 10, 0+1, and 53 are the most common. Some of these can be implemented only via the hardware. For more information about the different levels of RAID, see the RAID.edu Web site at www.acnc.com/04_01_00.html.

Windows Server 2003 has built-in support for three levels of software-implemented RAID:

■ level 0 (disk striping, no parity)

■ level 1 (disk mirroring)

■ level 5 (striping with parity)

The biggest advantage of hardware RAID is performance; disk access is faster because you don’t have the operating system overhead (the RAID disks appear as one to the operating system). The big advantage of software RAID is cost; you don’t have to buy extra expensive RAID controllers or other additional hardware to use it.

We discuss the different RAID levels in more detail later in this chapter.
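As an added illustration of the parity approach mentioned above (example code, not from the book), the Python below shows why striping with parity lets lost data be regenerated: with N disks, each stripe holds N-1 data blocks plus one parity block that is the XOR of the data blocks, and the XOR of any N-1 surviving blocks reproduces the missing one, whether it was data or parity. The round-robin parity placement, the function names and the 8-byte sample blocks are assumptions for the example, chosen to keep the arithmetic visible; the chapter covers RAID-5 volumes themselves later.

```python
def xor_blocks(blocks):
    """XOR equal-length byte blocks together. With N-1 data blocks this yields
    the parity block; with any N-1 blocks of a full stripe it yields the missing one."""
    if not blocks:
        raise ValueError("need at least one block")
    size = len(blocks[0])
    result = bytearray(size)
    for block in blocks:
        if len(block) != size:
            raise ValueError("all blocks in a stripe must be the same size")
        for i, byte in enumerate(block):
            result[i] ^= byte
    return bytes(result)


def parity_disk_for(stripe_number, disk_count):
    """RAID-5 rotates the parity block across the disks so that no single disk
    absorbs every parity write (modelled here as simple round-robin placement)."""
    return stripe_number % disk_count


def build_stripe(data_blocks, stripe_number):
    """Lay out one stripe: N-1 data blocks plus one parity block across N disks."""
    disk_count = len(data_blocks) + 1
    stripe = list(data_blocks)
    stripe.insert(parity_disk_for(stripe_number, disk_count), xor_blocks(data_blocks))
    return stripe


def regenerate_block(stripe, failed_disk):
    """Rebuild whatever was on failed_disk (data or parity) from the surviving disks."""
    survivors = [blk for i, blk in enumerate(stripe) if i != failed_disk]
    return xor_blocks(survivors)


def read_data(stripe, stripe_number, failed_disk=None):
    """Return the stripe's data blocks in order, regenerating the block on a
    failed disk on the fly. This is the extra work that makes a degraded
    RAID-5 volume slower to recover than a mirror, where a full copy exists."""
    disk_count = len(stripe)
    pdisk = parity_disk_for(stripe_number, disk_count)
    data = []
    for i in range(disk_count):
        if i == pdisk:
            continue
        data.append(regenerate_block(stripe, i) if i == failed_disk else stripe[i])
    return data


def usable_fraction(disk_count):
    """Striping with parity keeps one disk's worth of capacity for parity: (N-1)/N usable."""
    if disk_count < 3:
        raise ValueError("striping with parity needs at least three disks")
    return (disk_count - 1) / disk_count


# Constructed sample: three 8-byte data blocks written as stripe 1 of a 4-disk array.
SAMPLE_DATA = [b"blockAAA", b"blockBBB", b"blockCCC"]
SAMPLE_STRIPE = build_stripe(SAMPLE_DATA, stripe_number=1)

if __name__ == "__main__":
    for disk in range(len(SAMPLE_STRIPE)):
        print(disk, regenerate_block(SAMPLE_STRIPE, disk) == SAMPLE_STRIPE[disk])
    print(read_data(SAMPLE_STRIPE, 1, failed_disk=2))
```

Losing a second disk before the first is replaced leaves only N-2 blocks of the stripe, and the XOR can no longer recover anything; that is why the text insists fault tolerance complements, rather than replaces, backups.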

Partition Types and Logical Drives

There are two types of partitions:

Primary partitions

Extended partitions


Primary partitions are assigned drive letters and formatted as a whole; they cannot be subdivided. Extended partitions simply group free space so that it can be subdivided into logical drives, which can be individually formatted and used for storage.

Primary Partitions

After a primary partition is formatted and assigned a drive letter, it appears as a separate disk to the OS. Depending on the disk-partitioning method used, basic disks can have between four and 128 primary partitions. When using the 32-bit editions of Windows Server 2003, basic disks use the Master Boot Record (MBR) for partitioning and can have up to four primary partitions. The 64-bit editions of Windows Server 2003 can use the GUID partition table (GPT) for partitioning. The GPT keeps a primary and a backup copy of the partition table for redundancy and allows for up to 128 partitions.

64-Bit Windows

The 64-bit editions of Windows Server 2003 can be run only on Itanium-based (either Itanium or Itanium-2) computers. Itanium is Intel’s processor that supports 64-bit memory addressing. x86 computers can only run the 32-bit editions. When you install Windows Server 2003 on an Itanium-based computer, the OS must be installed on a GPT disk, but you can select either GPT- or MBR-style partitioning for other disks that are installed in the computer.

The GPT disk on which the OS is installed must have an Extensible Firmware Interface (EFI) system partition. EFI was developed by Intel as a replacement for the BIOS that is familiar to x86 computer users. It contains the platform-related information, hardware-configuration data, etc., and serves as the interface between the operating system and the platform firmware. EFI creates a standard pre-boot environment for booting an operating system, designed to solve the problems caused by lack of standardization among BIOSs created by different vendors.

While the BIOS is a program, the EFI is more like a limited operating system in its own right. It uses an area of the hard disk (a special partition) instead of being limited to flash memory or EEROM. For more information about EFI, see www.pcquest.com/content/handson/103040306.asp.

The primary partition that is marked as active functions as the system partition for Windows operating systems.


System and Boot Partitions

Windows NT-based operating systems (NT/2000/Server 2003) use the following terminology to describe partitions:

System Partition: the one on which the boot files (NTLDR, boot.ini, NTDETECT.COM) are located.

Boot Partition: the one on which the systemroot folder (which contains the operating system files) is located. This is the partition to which you select to install the OS during setup.

The system partition must be a primary active partition. The active partition is the one to which the computer looks to start the boot process. Only primary partitions can be made active. This is usually, but not always, designated as the C: partition.

The boot partition can be the same as the system partition. This occurs generally if you install the OS to the C: partition. The boot partition can also be any other (inactive) primary partition, or it can be a logical drive within an extended partition. It is generally considered best to put the operating system files on a separate partition from the boot files. Then, if something happens to one of these vital partitions, you may be able to restore just the boot files or just the system files, rather than having to restore both.

Extended Partitions

Extended partitions can be created only on an MBR-partitioned disk. Extended partitions enable you to have more than four drives on a basic disk. You can only have one extended partition per basic disk, but it can be divided into multiple logical drives. You do not format the extended partition itself. Creating an extended partition simply pools free space that can then be divided into logical drives. In other words, until you create a logical drive for your extended partition, you cannot access the space on that partition.

NOTE

You can extend primary partitions or logical drives to add space to them, if they are formatted in NTFS. You can extend a basic partition only into free space that is contiguous to it on the same disk. Unlike dynamic volumes, basic partitions cannot be extended across multiple physical disks.


Logical Drives

Logical drives are created when you divide up the space contained within an extended partition. Logical drives are formatted and assigned a drive letter just like primary partitions.

An extended partition can contain an unlimited number of logical drives. The Windows system partition cannot be stored on a logical drive.

NOTE

Although you can create an unlimited number of partitions, there are only 26 drive letters available. A: and B: are traditionally reserved for floppy disk drives, but can be used for other drives if you have no floppy drives or only one floppy drive. If you create more than 26 partitions or volumes, you will need to use volume mount points instead of drive letters to access the additional ones.

Volume Types

Dynamic disks are made up of volumes. A single dynamic disk can hold up to 2,000 volumes, but Microsoft recommends that you limit the volumes per disk to 32. As with partitions, you can have multiple volumes per disk, but unlike partitions, volumes can span multiple disks. Some volume types are designed to increase performance and some types are designed to provide fault tolerance. Windows Server 2003 supports the following five volume types:

Simple

Spanned

Striped

Mirrored

RAID-5

NOTE

Volumes can be assigned a descriptive label to make it easier to identify the purpose of each. For example, you could label the E: drive on which the operating system is installed “W2003OS” to identify it as the drive holding the OS files. You might label other drives “DATA” and “PROGRAMS” to identify their purposes.


Simple Volumes

Simple volumes are made up of free space on a single dynamic disk. They function much like primary partitions on a basic disk. If you have only one physical disk, all the volumes you create on it will be simple volumes.

Simple volumes are not fault tolerant. However, you can mirror them (discussed below) to make them fault tolerant, in which case they become mirrored volumes. Simple volumes can be extended on a single disk as long as the disk is not the boot or system disk.

Extending a simple volume involves taking free space on a disk and adding it to the existing volume. You can also extend a simple volume across multiple disks, but then it becomes a spanned volume. Note that you can’t combine these operations (that is, you can’t mirror a spanned volume).

Simple volumes provide almost 100 percent utilization of disk space. In other words, if you purchase two 100GB disks and format them as simple volumes, you have a total of 200GB total storage, minus the 1MB per disk overhead for the LDM database. You are able to use more of the purchased disks’ space than is true with other types of volumes.

EXAM WARNING

All partitions on basic disks become simple volumes when you upgrade to dynamic.


Spanned Volumes

Spanned volumes support two to 32 disks. Each disk can be a different size (as shown in Figure 2.5). Creating a spanned volume is like extending a simple volume except that it spans multiple disks (hence the name, spanned volume). In fact, if you extend a simple volume across multiple disks, it becomes a spanned volume. Spanned volumes are not fault tolerant and cannot be mirrored. Spanned volumes do not provide any performance improvements over simple volumes. They are used merely to increase the amount of space that can be accessed as a single unit. Like simple volumes, spanned volumes provide 100 percent drive utilization (minus the 1MB used for the LDM database). As data is written to the spanned volume, it is first written to the first disk in the set. When the first disk is full, the data is then written to the second disk, and so on.

EXAM WARNING

Spanned volumes do not provide fault tolerance or increased performance. They are used to create a single volume out of multiple physical disks of the same or different sizes, without wasting disk space.


Figure 2.5 Understanding Spanning Volumes (diagram: Disk 0 at 100GB, Disk 1 at 25GB, Disk 2 at 50GB, and Disk 3 at 75GB combined as Drive D: at 250GB; data blocks 1 through 26 fill each disk in turn before moving to the next)

You can extend a spanned volume to make it larger (if it is formatted with NTFS). This consists of adding unallocated space to the volume, like extending a simple volume, except that the unallocated space does not have to be contiguous and can be on any dynamic disk attached to the computer. No data is lost; the new space is formatted without any impact on the existing data.

NOTE

You cannot delete any part of a spanned volume without deleting all of it. If one of the disks on which a spanned volume resides should fail, you will lose the data on the entire volume.

Striped Volumes

Striped volumes are made up of two to 32 disks. Each disk should be the same size to efficiently use all space. It is possible to use different-sized disks, but the stripe size on every disk will be limited to the amount of free space on the smallest disk, so there will be space wasted on the larger disk(s). In other words, if you created a striped volume with one 5GB drive and two 10GB drives, you would only be able to use 5GB of each drive because that is the maximum amount that is available on all disks. This would create a 15GB striped volume, wasting 10GB of disk space (5GB on each of the 10GB disks). If you use equal-sized disks, striped volumes provide 100 percent drive utilization (minus 1MB overhead for the LDM database).


Striped volumes cannot be mirrored or extended and they are not fault tolerant. However, striped volumes do provide a performance advantage. Striping increases read and write access to the volume, because all the disks are working at the same time. In fact, striped volumes offer the best performance of all Windows Server 2003 volume types. This is because of the way data is stored (as shown in Figure 2.6). Data is written evenly across all disks in 64KB chunks.

EXAM WARNING

Do not confuse striped volumes with RAID-5 volumes (formerly known as stripe sets with parity). Striped volumes (without parity) do not provide fault tolerance. Their purpose is to increase the speed of read and write access to a volume.


Figure 2.6 Understanding Striped Volumes (Disk 0 through Disk 3 at 100GB each, with chunks 1 through 16 written round-robin across them; Data Drive D: 400GB)

Mirrored Volumes

Mirrored volumes require exactly two disks and these two disks should be identical. Not only should they be the same size, but Microsoft recommends that both disks be the same model, from the same vendor. Mirrored volumes provide fault tolerance by making a duplicate copy of everything that is written to the volume (see Figure 2.7), with one copy on each physical disk. If one disk in the mirrored volume fails, the other disk will take its place. However, when this happens, you no longer have fault tolerance. You need to break the mirror so you can then create a new, mirrored volume with another disk, to restore fault tolerance.


Mirrored volumes cannot be extended, and they provide only 50 percent disk utilization. In other words, every 1 GB of storage space that you buy gets you 500MB of actual storage. The benefit of a mirror is that you have an exact duplicate of everything. With a mirror, you can lose one disk and still have all your data intact. Only if you lost both disks at the same time would you lose your data. Because all the data is there on the duplicate disk, you can get back up and running after a failure much faster than with a RAID-5 volume, where the data must be regenerated from the parity information following a failure before it can be accessed. Mirroring can have a negative impact on system performance, because of the overhead of writing to two disks at the same time.

An even more fault-tolerant form of disk mirroring is called disk duplexing. Disk duplexing is the same as disk mirroring, except that each disk in the mirror is connected to a different disk controller. This eliminates the disk controller as a single point of failure.

Duplexed disks appear to the operating system the same as mirrored disks; if you have duplexed disks, they will be shown as mirrored disks in the Disk Management console.

EXAM WARNING

Disk mirroring provides only 50 percent disk utilization. If you need fault tolerance with more efficient utilization of disk space, you should use RAID-5.

You can mirror any simple volume, including the boot and system volumes. Microsoft recommends that you use separate controllers (duplexing) if you mirror the system or boot volumes. The controllers should be identical (same model and vendor) to prevent problems with starting from the mirror if the primary disk fails. Always test a mirrored system or boot volume to ensure that the operating system will be able to start from a remaining mirror in case of failure.

There are several conditions that must be met in order for Windows to start from a remaining mirror. If the disks in a mirror are SCSI disks on separate controllers, both controllers must have translation enabled or disabled (one cannot be enabled while the other is disabled). If the disks are SCSI disks on the same controller and there are additional disks on the controller, the controller’s BIOS has to support the capability to choose which device to boot from. If the disks are IDE disks, you must ensure that the remaining disk after a failure has its jumpers set to the “master” position.


Figure 2.7 Understanding Mirrored Volumes (Disk 0 100GB and Disk 1 100GB each holding an identical copy of blocks 1 through 9; Data Drive D: 100GB)

RAID-5 Volumes

RAID-5 volumes consist of three to 32 disks. RAID-5 volumes provide increased performance for read operations, as well as fault tolerance. The performance boost is due to the way RAID-5 volumes stripe data across all the disks and the fault tolerance is provided by parity information. As with a striped volume, data is written evenly across all disks in 64KB chunks (see Figure 2.8). Unlike with disk striping, the available space (the stripe) on one disk is used for parity information. To increase performance, the parity information is split across all the disks in the volume, written in stripes like the data. Write performance is lower, because the parity must be calculated during the write operation. If most operations are read-oriented (for instance, users accessing files on a file server), RAID-5 provides significant performance advantages. Windows Server 2003’s RAID-5 volumes cannot be extended or mirrored, and the boot and system partitions cannot be part of a RAID-5 volume.

Disk utilization depends on how many disks are part of the RAID array. The equivalent of one disk is used for writing the parity information. If you have three disks, one-third of the total disk space is used for parity information, so you are able to utilize two-thirds of the space you purchase for data. If you have 10 disks in the array, only one-tenth of the total space is used for parity. Thus, the more disks you have in the set, the more efficient disk usage becomes.


EXAM WARNING

You can still access a RAID-5 volume if one of the disks fails. However, read access will be slowed as the missing information from the failed disk will have to be created from parity every time that it is requested. Also, if one drive has failed, you no longer have fault tolerance. If another drive fails, you will lose all the data on the RAID-5 volume.

Figure 2.8 Understanding RAID-5 Volumes (Disk 0 through Disk 3 at 100GB each; data chunks 1 through 12 striped across the disks with one parity chunk per stripe, the parity position rotating from Disk 3 down to Disk 0; Data Drive D: 300GB)
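The utilization rules above and the parity layout of Figure 2.8, worked through in Python as an added illustration (not code from the book): usable_capacity applies the sizing rule for each volume type, raid5_layout rotates the parity chunk exactly as the figure does, and raid5_read rebuilds a failed disk’s chunks from parity, which is the slower degraded read the exam warning describes. Disk sizes, the chunk size and SAMPLE_DATA are constructed values.

```python
"""Volume utilization and RAID-5 parity model.

Added illustration, not code from the book: it applies the utilization
rules the chapter gives for spanned, striped, mirrored and RAID-5 volumes,
and lays data out with the rotating parity of Figure 2.8. Disk sizes and
SAMPLE_DATA are constructed; the 1MB LDM overhead per disk is ignored.
"""

MAX_DISKS = 32  # upper limit the chapter gives for striped and RAID-5 volumes

# Constructed sample payload (37 bytes), not from the book.
SAMPLE_DATA = b"exam-70-290 disk striping with parity"


def usable_capacity(volume_type, disk_sizes_gb):
    """Return (usable_gb, wasted_gb) for a volume built from the given disks."""
    n = len(disk_sizes_gb)
    total = sum(disk_sizes_gb)
    smallest = min(disk_sizes_gb)
    if volume_type == "spanned":      # any sizes, filled disk by disk, no waste
        usable = total
    elif volume_type == "striped":    # each disk contributes only the smallest size
        if not 2 <= n <= MAX_DISKS:
            raise ValueError("striped volumes need 2 to 32 disks")
        usable = smallest * n
    elif volume_type == "mirrored":   # exactly two disks, one is a duplicate
        if n != 2:
            raise ValueError("mirrored volumes need exactly 2 disks")
        usable = smallest
    elif volume_type == "raid5":      # the equivalent of one disk holds parity
        if not 3 <= n <= MAX_DISKS:
            raise ValueError("RAID-5 volumes need 3 to 32 disks")
        usable = smallest * (n - 1)
    else:
        raise ValueError(f"unknown volume type {volume_type!r}")
    return usable, total - usable


def xor_chunks(chunks):
    """XOR equal-length chunks together; this is how RAID-5 parity is formed."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, byte in enumerate(chunk):
            out[i] ^= byte
    return bytes(out)


def raid5_layout(data, ndisks, chunk_size=4):
    """Spread data over ndisks: each stripe holds ndisks-1 data chunks plus one
    parity chunk, and the parity position rotates as in Figure 2.8."""
    if not 3 <= ndisks <= MAX_DISKS:
        raise ValueError("RAID-5 volumes need 3 to 32 disks")
    per_stripe = ndisks - 1
    chunks = [data[i:i + chunk_size].ljust(chunk_size, b"\0")
              for i in range(0, len(data), chunk_size)]
    while len(chunks) % per_stripe:          # zero-pad the final stripe
        chunks.append(b"\0" * chunk_size)
    disks = [[] for _ in range(ndisks)]
    for s in range(len(chunks) // per_stripe):
        stripe = chunks[s * per_stripe:(s + 1) * per_stripe]
        parity_disk = (ndisks - 1 - s) % ndisks   # Fig. 2.8: disk 3, 2, 1, 0, ...
        parity = xor_chunks(stripe)
        data_iter = iter(stripe)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(data_iter))
    return disks


def raid5_read(disks, length, failed=()):
    """Read back `length` bytes. A chunk on a single failed disk is rebuilt by
    XORing the surviving chunks of its stripe (the slower degraded read the
    exam warning describes); a second failure loses the whole volume."""
    failed = set(failed)
    if len(failed) > 1:
        raise RuntimeError("two disks failed: the RAID-5 volume is lost")
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (ndisks - 1 - s) % ndisks
        for d in range(ndisks):
            if d == parity_disk:
                continue                      # parity is not user data
            if d in failed:
                chunk = xor_chunks([disks[o][s] for o in range(ndisks) if o != d])
            else:
                chunk = disks[d][s]
            out += chunk
    return bytes(out[:length])


if __name__ == "__main__":
    # The chapter's own numbers: 5GB + 10GB + 10GB striped gives 15GB, wasting 10GB.
    print("striped ", usable_capacity("striped", [5, 10, 10]))
    print("raid5 x3", usable_capacity("raid5", [100, 100, 100]))
    disks = raid5_layout(SAMPLE_DATA, 4)
    print("intact  ", raid5_read(disks, len(SAMPLE_DATA)))
    print("degraded", raid5_read(disks, len(SAMPLE_DATA), failed={2}))
```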

Using Disk Management Tools

Microsoft provides a variety of disk management tools in Windows Server 2003. These include command-line utilities such as diskpart.exe, fsutil.exe, and rss.exe. These tools support scripting, which enables you to automate many of your disk management responsibilities. You can also manage your disks through the graphical interface via the disk management MMC. This section will teach you to manage disks both from the GUI and from the command prompt.


Using the Disk Management MMC

You can access the disk management MMC, shown in Figure 2.9, in a couple of different ways:

• You can get there via Computer Management, by clicking Start | Programs | Administrative Tools | Computer Management.

• You can right-click the My Computer icon on the desktop or in the Start menu and select Manage from the context menu.

• You can create a custom MMC console to use the Disk Management snap-in.


Creating the Custom MMC

All MMCs share a common structure. The console pane on the left contains the console “tree,” a hierarchical structure with a node for each snap-in. The details pane on the right displays items contained in the node that is highlighted in the left pane. As you navigate through the console pane by clicking the different snap-ins (for example, Removable Storage, Disk Defragmenter, Disk Management, and so forth), the details pane changes to show the specifics of that snap-in.

To create a custom MMC, follow these steps:

1. Click Start | Run and type mmc.

2. In the new empty MMC, click File | Add/remove snap-in.

3. On the Standalone tab, click the Add button.

4. Select Disk Management from the list of available snap-ins, and then click Add.

5. On the Select computer page, select This computer to manage the disks on the local machine, or select The following computer and type or browse to the name of the computer whose disks you want to manage.

6. Click Finish, and then click Close on the Add Standalone page and OK on the Add/Remove snap-ins page.

Now you can use the new MMC to manage disks.

Figure 2.9 shows the default view for the Disk Management MMC. Notice that the details pane is divided into two sections, a top section and a bottom section. There are three different views that you can use for either section:


• Disk list

• Volume list

• Graphical view

By default, the top section displays the volume list view and the bottom section displays the graphical view. You can change the view by clicking the View menu bar, choosing Top or Bottom, and selecting the view that you want.

In Figure 2.9, the top section is using the default volume list view. This view uses text in a table to show how your volumes and partitions are configured. The bottom section is using the graphical view. As the name implies, it provides a graphical representation of how your disks are configured. The third view (not shown by default) is the disk list view. It uses text to show you how your disks are configured. It looks similar to the volume list view, except it displays information on a per-disk basis instead of volume and partition information.

Most administrators find the default combination of volume list and graphical view to be most efficient. Notice that there is a legend on the bottom of the MMC, as shown in Figure 2.10. The color codes enable you to look at each disk and easily determine what type of volume(s) or partition(s) it contains. You can use the View menu bar to change the colors assigned to each disk region.

Figure 2.9 Using Disk Management from within Computer Management

Using the Command-Line Utilities

Microsoft has increased the number of functions that administrators can perform from the command prompt in Windows Server 2003. This gives you more flexibility in accomplishing administrative tasks. Windows Server 2003 includes the following command-line tools for performing disk-related tasks:


Figure 2.10 Using the Legend in the Disk Management MMC


• diskpart.exe: For managing disks

• fsutil.exe: For managing the file system

• rss.exe: For managing remote storage

In the following sections, we will discuss each of these utilities in detail.

Using diskpart.exe

diskpart.exe enables you to manage disks, partitions, or volumes from the command prompt. You can type the commands directly at the command prompt via interactive mode or you can configure diskpart.exe to use a script for its input.

diskpart.exe scripting is beneficial if you are automating the deployment of Windows Server 2003 by using unattended setup files. Microsoft recommends that you put all your diskpart.exe commands into a single script to avoid conflicts between multiple scripts. If you must use separate scripts, you must allow at least 15 seconds after each script finishes before the next one starts to execute. Put the command timeout /t 15 at the beginning of each script to force a 15-second delay.

The syntax for using diskpart.exe with scripts is: diskpart [/s <script>]

If you want to use diskpart.exe in interactive mode, type diskpart.exe at the command prompt. This will take you to the DISKPART> prompt, shown in Figure 2.11. Whenever you see DISKPART>, you are in interactive mode and diskpart.exe is awaiting your input. Typing help in interactive mode will display all the utility’s available commands, as shown in Table 2.1.


Table 2.1 Using Diskpart.exe Commands

Command     Description
ADD         Adds a mirror to a simple volume.
ACTIVE      Marks the current basic partition as active.
ASSIGN      Assigns a drive letter or mount point to the selected volume.
AUTOMOUNT   Enables and disables automatic mounting of basic volumes.
BREAK       Breaks a mirror set.
CLEAN       Clears the configuration information, or all information, off the disk.
CONVERT     Converts between different disk formats.
CREATE      Creates a volume or partition.
DELETE      Deletes an object.
DETAIL      Provides details about an object.
EXIT        Exits diskpart.exe.
EXTEND      Extends a volume.
GPT         Assigns attributes to the selected GPT partition.
HELP        Prints a list of commands.
IMPORT      Imports a disk group.
INACTIVE    Marks the current basic partition as inactive.
LIST        Prints out a list of objects.
ONLINE      Brings a disk online that is currently marked as offline.
REM         Does nothing. Used to comment scripts.
REMOVE      Removes a drive letter or mount point assignment.
REPAIR      Repairs a RAID array.
RESCAN      Rescans the computer looking for disks and volumes.
RETAIN      Places a retained partition under a simple volume.
SELECT      Moves the focus to an object.

Figure 2.11 Using diskpart.exe in Interactive Mode


Before you can use any of these commands, you must list all disk objects and then choose one on which diskpart.exe will carry out the command(s). After you place the focus on a particular object, all commands entered will target that object until you change the focus to a different object. Exercise 2.01 shows you how to use diskpart.exe to place the focus on an object.

EXERCISE 2.01 SELECTING A DISK FOR DISKPART.EXE

The steps below walk you through the process of focusing diskpart.exe on a disk. Figure 2.12 shows these commands as entered in the command console.

1. Use the appropriate list command from the table to list the disks, volumes, or partitions on your system. For this exercise we are going to list the disks. Type list disk and press Enter. The output is shown in Figure 2.12.

2. Now that you know which disks are available, select one for the focus of your commands. For this exercise, we select the first disk (disk 0). Type select disk 0 and press Enter.

3. You can now type list disk again and press Enter to verify that the correct disk was selected. The disk on which diskpart.exe is focused has an asterisk (*) to the left of it.

Figure 2.12 Focusing Diskpart.exe on Disk 0


Now you can use the desired command to perform an operation on the selected disk.

For example, to change a basic disk to dynamic, you use the convert command with the following syntax:

DISKPART> convert dynamic

NOTE

Some diskpart.exe commands change the focus automatically. If you create a new volume or partition, the focus shifts to the newly created object.

Using fsutil.exe

You can use fsutil.exe to manage FAT and NTFS file systems from the command prompt. Some of the actions you can perform with this utility include the following:

• Managing sparse files

• Managing reparse points

• Mounting and dismounting volumes

• Viewing the amount of free space on a volume

fsutil.exe supports the commands shown in Table 2.2.

NOTE

You must have administrative rights to run the fsutil.exe utility.

Table 2.2 Using fsutil.exe Commands

Command        Description
behavior       File system behavior control
dirty          Volume dirty bit management
file           File-specific commands
fsinfo         File system information
hardlink       Hardlink management
objectid       Object ID management
quota          Quota management
reparsepoint   Reparse point management
sparse         Sparse file control
usn            USN management
volume         Volume management

You can perform many different management tasks with this utility that do not have a GUI counterpart. For example, you can enable or disable settings for generating 8.3 file names, set the amount of disk space to be reserved for the Master File Table Zone, set a file’s valid data length, and create hard links (directory entries for files).

Experimenting with fsutil.exe can create serious file system problems or even make your system unbootable, so Microsoft recommends that only advanced users run this utility.

Using rss.exe

rss.exe manages Remote Storage from the command prompt. You can use Remote Storage to extend your server’s disk space by moving data off your hard disks and onto magnetic tapes or magneto-optical (MO) disks, with file data cached locally for quick access. We discuss Remote Storage in much more detail in the section titled Understanding and Using Remote Storage.

The rss.exe utility enables you to run scripts that enable applications to directly access Remote Storage. You can use rss.exe only after you have set up Remote Storage using the Remote Storage MMC (covered later in this chapter). The basic syntax for rss.exe is as follows:

RSS [ADMIN | VOLUME | MEDIA | FILE] [SET | SHOW | JOB | MANAGE | UNMANAGE | DELETE | SYNCHRONIZE | RECREATEMASTER | RECALL] <args> <switches>


NOTE

All of the rss.exe syntax has purposely not been listed here, due to its length. You can view the full list of syntax by typing rss.exe /? at the command prompt.

EXAM 70-290 OBJECTIVE 1

Understanding and Managing Physical and Logical Disks

We have discussed the differences between physical and logical disks, so you know that physical disks are the actual hardware devices that connect to our servers, while logical disks are units into which we divide physical disks. Physical disks can be structured as basic or dynamic disks. For the exam, you must know when to use basic versus dynamic disks and how to convert one to the other. When using basic disks, you need to be proficient at creating and using partitions and logical drives. When using dynamic disks, you need to be proficient at creating and using volumes.

EXAM 70-290 OBJECTIVE 1.1

Manage Basic Disks

It is important to understand the circumstances that make it desirable to use basic disks. You should not upgrade your disks to dynamic status without knowing all the consequences of that action. If you choose to stick with basic disks, you need to know how to create and delete partitions and logical drives. Basic disks can be managed via the Disk Management MMC or the diskpart.exe utility, and you can use scripts to automate many management tasks as discussed previously.

In the following sections, we discuss the most important aspects of managing basic disks, including:

• When to use basic disks instead of dynamic disks

• How to create partitions and logical drives

• How to assign a new drive letter

• How to format a basic volume

• How to extend a basic volume

When to Use Basic Disks

Basic disks are the default for Windows Server 2003. You should always use basic disks if you are going to dual-boot your machine with another operating system. MS-DOS, Windows 9x, Windows NT 4.0, and Windows XP Home Edition do not support dynamic disks. Windows 2000, Windows XP Professional, and Windows Server 2003 support dynamic disks, but not when dual booting.

Use basic disks if you will be moving your disks between machines. You have to go into Disk Management and import dynamic disks every time you move them from one PC to another. With basic disks, you just install them and Windows automatically sees them.

Laptop hard disks, like most removable storage media, must be configured as basic disks.

Creating Partitions and Logical Drives

When you install Windows Server 2003, setup will prompt you to create a primary partition to use as the boot partition for Windows. If you want to create more partitions afterwards, you will need to use the disk management MMC. This section will walk you through creating a primary partition (Exercise 2.02), creating an extended partition (Exercise 2.03), and creating a logical drive (Exercise 2.04).


EXERCISE 2.02 CREATING A PRIMARY PARTITION

1. Right-click the unallocated space on the disk on which you want to create a primary partition.

2. Click New partition on the pop-up menu. This will start the New Partition Wizard, as shown in Figure 2.13.

3. Click Next to continue.

Figure 2.13 Creating a Primary Partition Using the New Partition Wizard

4. On the Select Partition Type window (Figure 2.14), select Primary partition.

Figure 2.14 Selecting to Create a Primary Partition


5. Click Next to continue. You will now be prompted to specify the partition size as shown in Figure 2.15.

6. Specify the Partition size in MB and click Next to continue.

7. Now you need to identify your new partition. Select a drive letter or choose to mount the new volume to an NTFS folder. For this exercise we are assigning our partition the drive letter F, as shown in Figure 2.16.

8. Click Next to continue.

Figure 2.15 Specifying the Partition Size

Figure 2.16 Assigning a Drive Letter or Path

9. You must now format your new partition. You can format partitions as FAT, FAT32, or NTFS. For this exercise, choose NTFS, as shown in Figure 2.17, and then click Next to continue.


10. You will now see the Completing the New Partition Wizard window, as shown in Figure 2.18. Read over the summary to verify that you made the correct selections and click Finish to complete the process.

Figure 2.17 Formatting the Partition

Figure 2.18 Completing the New Partition Wizard


EXERCISE 2.03 CREATING AN EXTENDED PARTITION

1. Right-click the unallocated space on the disk on which you want to create an extended partition.

2. Click New partition on the pop-up menu. This will start the New Partition Wizard as shown in Figure 2.19.

3. Click Next to continue.

Figure 2.19 Creating an Extended Partition with the New Partition Wizard

4. On the Select Partition Type window (Figure 2.20), select Extended partition.

5. Click Next to continue. You will now be prompted to specify the partition size as shown in Figure 2.21.

6. Specify the Partition size in MB and click Finish to create the extended partition.

Figure 2.20 Selecting to Create an Extended Partition


Figure 2.21 Specifying the Partition Size


EXERCISE 2.04 CREATING A LOGICAL DRIVE

1. Right-click the Extended partition on the disk on which you want to create a logical drive.

2. Click New Logical Drive on the pop-up menu. This will start the New Partition Wizard, as shown in Figure 2.22.

3. Click Next to continue.

Figure 2.22 Using the New Partition Wizard to Create a Logical Partition


4. On the Select Partition Type window (Figure 2.23), select Logical drive.

Figure 2.23 Choosing to Create an Extended Partition

5. Click Next to continue. You will now be prompted to specify the partition size as shown in Figure 2.24.

6. Specify the Partition size in MB and click Next to continue.

Figure 2.24 Specifying a Partition Size

7. Now you need to identify your new partition. Select a drive letter or choose to mount the new volume to an NTFS folder. For this exercise we are assigning our partition the drive letter G, as shown in Figure 2.25.

8. Click Next to continue.


Figure 2.25 Assigning a Drive Letter or Path

9. You must now format your new partition. You can format partitions as FAT, FAT32, or NTFS. For this exercise, choose NTFS, as shown in Figure 2.26, and then click Next to continue.

Figure 2.26 Formatting the New Partition

10. You will now see the Completing the New Partition Wizard window, as shown in Figure 2.27. Read over the summary to verify that you made the correct selections and click Finish to complete the process.


Figure 2.27 Completing the New Partition Wizard

How to Assign a New Drive Letter

You are given the option to assign a drive letter when you create a primary partition or a logical drive. If you chose not to assign one then or you wish to change the letter, you can use Disk Management or diskpart.exe to assign a new drive letter. Exercise 2.05 walks you through using Disk Management to assign a new drive letter.

NOTE

Unless your account has been delegated authority, you must be a member of the Backup Operators group or Administrators group on the local computer to assign a drive letter.

EXERCISE 2.05 ASSIGNING A DRIVE LETTER

In this exercise we assign a drive letter to the first partition on Disk 1. This partition is a primary partition and is formatted with NTFS. Look at Figure 2.28 and you can see this partition is missing a drive letter. Here are the steps to assign it one:

1. Open Computer Management by right-clicking My Computer and choosing Manage.


2. Expand Storage and click Disk Management. This will give you the window shown in Figure 2.28.

3. Right-click the partition you want to assign a drive letter.

4. Select Change Drive Letter and Paths from the pop-up menu as shown in Figure 2.28. You will now see the window displayed in Figure 2.29.

Figure 2.28 Changing Drive Letter and Paths

Figure 2.29 Adding a Drive Letter

5. Click the Add button to add a drive letter. This will give you the window shown in Figure 2.30.

6. Use the drop-down arrow to select the drive letter you want to assign. For this exercise we are going to use E.


Figure 2.30 Selecting the Letter to Assign

7. After you select the drive letter, click OK to accept your choice. This will apply your changes. Figure 2.31 shows that our partition now has the drive letter E.

Figure 2.31 Seeing the New Drive Letter

How to Format a Basic Volume

Like assigning a drive letter, you are given the option to format a drive when you create a primary partition or a logical drive. If you do not format the volume during creation, you can use Disk Management or format.exe to format the volume afterwards. Exercise 2.06 walks you through using Disk Management to format a basic volume.


NOTE

Unless your account has been delegated authority, you must be a member of the Backup Operators group or Administrators group on the local computer to format a volume. Remember, when you format a volume all data is lost.

EXERCISE 2.06 FORMATTING A VOLUME

In this exercise, we format the first primary partition on Disk 2. Look at Figure 2.32 and you can see that this partition, unlike the C: and E: drives, has not been formatted. Here are the steps to format it with NTFS:

1. Open Computer Management by right-clicking My Computer and choosing Manage.

2. Expand Storage and click Disk Management. This will give you the window shown in Figure 2.32.

3. Right-click the partition you want to format.

4. Select Format from the pop-up menu, as shown in Figure 2.32. You will now see the window displayed in Figure 2.33.

Figure 2.32 Formatting a Volume


Figure 2.33 Choosing a Volume Label, File System, and Cluster Size

5. Enter the Volume label for the volume. For this exercise we are using New Volume.

6. Select the File system to use. In this exercise we are using NTFS.

7. Select the Allocation unit size (file system cluster). For this exercise we are using Default, which is 4 KB.

8. Optionally, you can choose to perform a quick format and to enable file and folder compression. After you make your choices, click OK to continue. You will now be warned that you are going to lose all data, as shown in Figure 2.34.

9. Click OK to start the format process. Figure 2.35 shows the volume being formatted and Figure 2.36 shows the volume after the format has completed.

Figure 2.34 Acknowledging Formatting Warning


Figure 2.35 Watching the Drive Format

Figure 2.36 Seeing the Formatted Drive


How to Extend a Basic Volume

Extending a basic volume enables you to add more space to an existing volume without losing data. This is a new feature that was not available in Windows 2000. You can extend a basic volume only onto the same disk and only if it is followed by contiguous unallocated space. You cannot use Disk Management to extend a basic volume. The only way to do it is to use diskpart.exe from the command prompt. Exercise 2.07 walks you through using diskpart.exe to extend a basic volume.

NOTE

Unless your account has been delegated authority, you must be a member of the Backup Operators group or Administrators group on the local computer to extend a basic volume.

EXERCISE 2.07 EXTENDING A BASIC VOLUME

Even though you cannot use Disk Management to extend a basic volume, let’s open it anyway so that we can see our volume as it gets extended. We will use diskpart.exe to actually do the extending. For this exercise we will be extending the primary partition (F:) on Disk 2.

1. Open Computer Management by right-clicking My Computer and choosing Manage.

2. Expand Storage and click Disk Management. This will give you the window shown in Figure 2.37. Use this window to see the before and after of extending your volume.

3. Open the command prompt by selecting Start | Run, typing CMD and clicking OK.

4. From within the command prompt, launch diskpart by typing diskpart and pressing Enter. This will put you into diskpart interactive mode, as shown in Figure 2.38.

5. Type list volume and press Enter to display all the available volumes on your system.

6. Focus diskpart onto the volume you wish to extend by typing select volume 3. For this exercise we choose to extend volume 3.

7. To extend the volume, type extend size=1024. For this exercise we extended the volume by 1MB. To exit diskpart, type exit when finished or just close the command prompt. Figure 2.39 shows the volume after it has been extended.


Figure 2.37

Extending a Basic Volume

Figure 2.38

Using diskpart.exe

Figure 2.39

Seeing the Extended Volume


EXAM 70-290 OBJECTIVE 1.1

Managing Dynamic Disks

Dynamic disks are the required disk structure in Windows Server 2003 if you want to create fault-tolerant volumes or increase read and write performance by spanning disks.

Dynamic disks, like basic disks, can be managed via the Disk Management MMC or with the diskpart.exe utility. Managing dynamic disks is a little more complicated than managing basic disks, as you have more options from which to choose.This section discusses converting your disks from basic to dynamic and creating the various types of volumes supported in Windows Server 2003.

Converting to Dynamic Disk Status

By default, all disks are configured as basic disks. It is up to you to convert them to dynamic if you choose to do so. Remember to carefully assess your situation and determine whether you need the features of dynamic disks (and make sure your system is not one of those that cannot use dynamic disks, such as a clustered shared disk) before performing the conversion. If you convert a disk that is currently being accessed (such as the boot or system disk), you must reboot in order to complete the conversion. Otherwise, you can convert without rebooting. Converting to dynamic does not erase any data.

WARNING

Although you can convert from basic to dynamic disk status without losing data, you cannot go back the other way. There is no mechanism to convert volumes from dynamic to basic. Instead, you must back up your data, and then delete the dynamic volumes. You can then convert the disk back to basic using the Disk Management MMC or the diskpart utility.

Exercise 2.08 walks you through the process of converting your system disk from basic to dynamic.

EXERCISE 2.08 CONVERTING YOUR SYSTEM DISK TO DYNAMIC

1. Right-click the disk that you want to upgrade to dynamic.

2. Select Convert to Dynamic Disk from the pop-up menu, as shown in Figure 2.40. This will give you the Convert to Dynamic Disk selection window, as shown in Figure 2.41.


Figure 2.40

Converting to Dynamic Disk

Figure 2.41

Selecting the Disk to Convert

3. The disk you want to upgrade should be checked by default. If not, check its check box and click OK to continue.

4. You are next shown a summary screen (Figure 2.42) that indicates which disk(s) will be converted. Click Convert to continue.

Figure 2.42

Reviewing Disks to be Converted


5. Windows will warn you that you are about to convert to dynamic. Click Yes on the warning screen (shown in Figure 2.43) to continue.

6. You are next warned that file systems currently in use on the disk will be dismounted during the upgrade (Figure 2.44). This is your last chance to cancel the conversion operation. If you are sure that you want to convert to dynamic, click Yes to dismount the file system.

7. Click OK on the confirmation window (shown in Figure 2.45) to reboot your PC. The disk(s) you selected will be upgraded when the computer is rebooted.

Figure 2.43

Confirming the Conversion

Figure 2.44

Dismounting Disk to be Converted

Figure 2.45

Completing the Conversion

Creating and Using Dynamic Volumes

After you have converted your disk to dynamic, you can create volumes. Creating volumes is similar to creating partitions, except that there are some additional steps because, unlike partitions, volumes can span multiple disks. The type of volume you create depends on a variety of factors, such as the following:


How many disks do you have in your machine?

Do you want fault tolerance?

Do you want to increase read or write performance?

What is being stored (or will be stored) on the volume (e.g., database, system partition, print spooler, etc.)?

Creating and Using Simple Volumes

Simple volumes are the default volume type on a dynamic disk. Exercise 2.09 walks you through the process of creating a simple volume. Use simple volumes in the following situations:

You only have one disk in a machine.

You are not concerned with fault tolerance.

You want the ability to dynamically extend the space used on a volume.

NOTE

When you format a dynamic volume using the Disk Management console, NTFS is the only file system choice that is available. However, if you want to format a dynamic volume in FAT or FAT32, you can do so by using the Format command at the command line.

EXERCISE 2.09 CREATING A SIMPLE VOLUME

1. Right-click the unallocated space on the disk on which you want to create a simple volume.

2. Click New Volume on the context menu. This will start the New Volume Wizard, shown in Figure 2.46.

3. Click Next to continue.


Figure 2.46

Creating Simple Volumes

4. On the Select Volume Type window (Figure 2.47), select Simple.

5. Click Next to continue.

Figure 2.47

Selecting Volume Type

6. You will next be prompted to select the disk to use for the simple volume, as shown in Figure 2.48. The correct disk should already be selected. If not, select it.

7. Select the amount of space to be used for the simple volume and click Next to continue.


Figure 2.48

Selecting Disks to be Used in a Simple Volume

8. Next you need to identify your new volume. Select a drive letter or choose to mount the new volume to an NTFS folder. For this exercise, we assign the new volume the drive letter D, as shown in Figure 2.49.

Figure 2.49

Assigning a Drive Letter or Path

9. Next, you can format your new volume. You can format the volume as FAT, FAT32, or NTFS, or you can choose not to format the volume now. For this example, choose NTFS, as shown in Figure 2.50, and click Next to continue.

10. You will now see the Completing the New Volume Wizard window, as shown in Figure 2.51. Read over the summary to verify that you made the correct selections and click Finish to complete the process.


Figure 2.50

Formatting Your New Volume

Figure 2.51

Finishing the New Volume Wizard

Creating and Using Spanned Volumes

Spanned volumes enable you to group different disks of the same or different sizes and access them as if they were one disk. However, only one disk in the volume is written to at a time. Spanned volumes can be created using two to 32 disks. Spanned volumes provide 100 percent drive utilization (minus the 1MB per disk overhead for the LDM partition).


Exercise 2.10 walks you through the process of creating a spanned volume. Use spanned volumes in the following situations:

You want to access multiple disks as a single volume and you are not concerned about fault tolerance or increased read/write performance.

Your disks are different sizes and you want to achieve 100 percent drive utilization with a single volume.

You have a simple volume that is almost full and you need to expand it across multiple disks.

EXERCISE 2.10 CREATING A SPANNED VOLUME

1. Right-click the unallocated space on the disk on which you want to create a spanned volume.

2. Click New Volume on the context menu. This will start the New Volume Wizard, as shown in Figure 2.52.

3. Click Next to continue.

Figure 2.52

Creating a Spanned Volume

4. In the Select Volume Type window (Figure 2.53), select Spanned.

5. Click Next to continue.


Figure 2.53

Selecting the Volume Type to be Created

6. You will next be prompted to select the disks to use for the spanned volume, as shown in Figure 2.54. Select the disks you want to use.

7. Select the amount of space to be used for the spanned volume and click Next to continue.

Figure 2.54

Selecting Disks to be Used in Spanned Volume

8. Next you need to identify your new spanned volume. Select a drive letter or choose to mount the new volume to an NTFS folder. For this exercise, we assign the new volume the drive letter D, as shown in Figure 2.55.


Figure 2.55

Assigning a Drive Letter or Path

9. Next you can format your new spanned volume. You can format the volume as FAT, FAT32, or NTFS, or you can choose not to format the volume at this time. For this example, choose NTFS, as shown in Figure 2.56, and then click Next to continue.

10. You will next see the Completing the New Volume Wizard window, as shown in Figure 2.57. Read over the summary to verify that you made the correct selections and click Finish to complete the process.

Figure 2.56

Formatting the New Spanned Volume


Figure 2.57

Completing the New Volume Wizard

NOTE

When formatting any of the volumes created with the New Volume Wizard, you can also select the allocation unit size, give the new volume a label to more easily identify it, and/or select to enable file and folder compression (NTFS volumes only, with cluster size of 4KB or less) to save disk space. You can also choose to perform a quick format instead of a standard format. A quick format does not check the disk for bad sectors as a standard format does.

Creating and Using Striped Volumes

Striped volumes require that you use an equal amount of unallocated space on each of the disks that is part of the volume. Ideally, your disks will all be the same size and all space on each will be unallocated. If not, some of the space will be wasted when you create the volume.

Striped volumes increase both read and write performance when accessing the volume by utilizing all the disks at one time. Unlike spanned volumes, striped volumes cannot be extended. Striped volumes can be created using two to 32 disks.


Exercise 2.11 walks you through the process of creating a striped volume. Use striped volumes in the following situations:

The primary disk operation will be reading information from a large database such as SQL or Exchange.

The volume will be used to spool large print jobs.

You are not concerned with fault tolerance.

You plan to collect external data on the disk at very fast transfer rates.

EXERCISE 2.11 CREATING A STRIPED VOLUME

1. Right-click the unallocated space on the disk on which you want to create a striped volume.

2. Click New Volume on the context menu. This will start the New Volume Wizard, as shown in Figure 2.58.

3. Click Next to continue.

Figure 2.58

Creating a Striped Volume

4. On the Select Volume Type window (Figure 2.59), select Striped.

5. Click Next to continue.


Figure 2.59

Selecting the Volume Type to be Created

6. You will next be prompted to select the disk to use for the striped volume, as shown in Figure 2.60. Select the disks you want to use.

7. Select the amount of space to be used for the striped volume and click Next to continue.

Figure 2.60

Selecting Disks to be Used in the Striped Volume

8. Next you need to identify your new striped volume. Select a drive letter or choose to mount the new volume to an NTFS folder. For this exercise, we assign the new volume the drive letter E, as shown in Figure 2.61.


Figure 2.61

Assigning a Drive Letter or Path

9. Next, you can format your new striped volume. You can format a striped volume as FAT, FAT32, or NTFS, or you can choose not to format the volume at this time. For this example, choose NTFS, as shown in Figure 2.62, and click Next to continue.

10. You will next see the Completing the New Volume Wizard window, as shown in Figure 2.63. Read the summary to verify that you made the correct selections and click Finish to complete the process.

Figure 2.62

Formatting the New Striped Volume


Figure 2.63

Ending the New Volume Wizard

Creating and Using Mirrored Volumes

Mirrored volumes require exactly two disks, and both disks must be the same size. When you write information to the mirror, it is written twice, once to each disk. This provides complete redundancy for your data. Should one disk fail, you can use the mirrored copy.

Mirrored volumes provide only 50 percent disk utilization (the least cost efficient of all volume types). However, they provide excellent fault tolerance.

Exercise 2.12 walks you through the process of creating a mirrored volume. Mirrored volumes cannot be extended. Use mirrored volumes in the following situations:

You want to provide fault tolerance for the boot and/or system partition.

You want an easy way to roll back failed operating system upgrades (break the mirror before the upgrade).

You need fault tolerance, but you only have two disks.

You want to be able to get the system up and running quickly after a disk failure.

EXERCISE 2.12 CREATING A MIRRORED VOLUME

1. Right-click the simple volume you wish to mirror, as shown in Figure 2.64.

2. Choose Add Mirror from the context menu.


Figure 2.64

Creating a Mirrored Volume

3. You are next prompted, as shown in Figure 2.65, to select a location to hold a mirror of the selected drive. Select the disk on which you want to create the mirror copy.

Figure 2.65

Selecting a Location for the Mirror

4. Click Add Mirror to continue. You will see your mirror being created, as shown in Figure 2.66.


Figure 2.66

Synchronizing a Mirrored Volume

After the mirror is created, both volumes that make up the two parts of the mirror will appear in the Disk Management console with the same drive letter.

Creating and Using RAID-5 Volumes

RAID-5 volumes can be created using three to 32 disks. They provide fault tolerance by calculating parity information, which can be used to recreate the data on the other disks, and writing it to a block on one disk as part of the striping operation. Data is striped across all the disks in the volume, while parity information is written to one disk in each stripe.

The parity information can be used to regenerate the missing data should one disk fail. If you lose more than one disk, however, all your data will be lost.

As with mirrored volumes, RAID-5 volumes cannot be extended. However, RAID-5 volumes offer more efficient disk utilization than mirrored volumes. You lose the storage space equivalent to one disk in the RAID-5 volume because it is used for parity information. For example, if you have five disks and you lose the storage space of one disk, you operate at 80 percent disk utilization. If you increase the number of disks in your RAID-5 volume, you will get even better disk utilization. For example, if you use 10 disks instead of five, you will operate at 90 percent utilization instead of 80 percent utilization. On the other hand, it takes longer to get your system back up and running after a disk failure with RAID-5, as opposed to mirrors, because you must go through the process of regenerating the data from parity.

Exercise 2.13 walks you through the process of creating a RAID-5 volume. Use RAID-5 volumes in the following situations:


You need the boosted read performance of a striped volume, but you must have fault tolerance.

You want fault tolerance with the most efficient level of disk utilization possible.

You need fault tolerance, but you have too many disks to use a mirror.

EXERCISE 2.13 CREATING A RAID-5 VOLUME

1. Right-click the unallocated space on the disk on which you want to create a RAID-5 volume.

2. Click New Volume on the context menu. This will start the New Volume Wizard, as shown in Figure 2.67.

Figure 2.67

Using the New Volume Wizard to Create a RAID-5 Volume

3. Click Next to continue.

4. In the Select Volume Type window (Figure 2.68), select RAID-5.

5. Click Next to continue.

6. You will next be prompted to select the disks to use for the RAID-5 volume, as shown in Figure 2.69. Select the disks you want to use.

7. Select the amount of space to be used for the RAID-5 volume and click Next to continue.

8. Next you need to identify your new RAID-5 volume. Select a drive letter or choose to mount the new volume to an NTFS folder. For this exercise, we assign the new volume the drive letter D, as shown in Figure 2.70.


Figure 2.68

Selecting to Create a RAID-5 Volume

Figure 2.69

Adding Disks to the RAID-5 Volume

Figure 2.70

Assigning a Drive Letter or Path


9. Next, you can format your new RAID-5 volume. You can format a RAID-5 volume as FAT, FAT32, or NTFS, or you can choose not to format the volume at this time. For this example, choose NTFS, as shown in Figure 2.71, and click Next to continue.

10. You will next see the Completing the New Volume Wizard window, as shown in Figure 2.72. Read the summary to verify that you made the correct selections and click Finish to complete the process.

Figure 2.71

Formatting the RAID-5 Volume

Figure 2.72

Finishing the New Volume Wizard


EXAM 70-290 OBJECTIVE 1.3

Optimize Server Disk Performance

Optimizing disk performance is an important part of managing a server. Consider the disk-oriented tasks that take place on a typical day on a typical server. Users save data to their home directories. They send e-mail back and forth (which is saved in a database on the server). They print documents. They access shared files. All of these tasks require good disk performance.

Two issues you will always run into when managing disks are disk fragmentation and insufficient disk space. Fragmentation problems are not as obvious as disk space problems; when you run out of disk space, you usually find out immediately. However, you may not notice that a disk is fragmented unless you take the time to check or you notice that performance has degraded. With Windows Server 2003, Microsoft provides ways to manage both of these concerns. The disk defragmentation utilities can ensure that your disk is performing at its peak, and the disk quotas feature can ensure that you do not run out of disk space. In the following sections, we will discuss how to use these tools to keep your disks at optimum performance levels.

EXAM 70-290 OBJECTIVE 1.3.2

Defragmenting Volumes and Partitions

Defragmenting the disks on all your servers (especially file servers) can ensure optimal performance and enable you to get more use out of your disks. It is not something that you should do every day, but you definitely need to make it part of your server maintenance routine. Microsoft provides two tools for performing defragmentation. Both tools work with basic and dynamic disks that are formatted with the FAT, FAT32, or NTFS file systems. These tools are:

Disk Defragmenter (graphical utility)

defrag.exe (command-line tool)

You will learn how to use each of these tools to defragment your disks. First, however, in the next section we discuss how and why disks become fragmented and the effects of fragmentation.

Understanding Disk Fragmentation

To understand disk fragmentation, you have to first understand how data is written to a disk. This was covered briefly in the Understanding Disk Terminology and Concepts section at the beginning of the chapter. The smallest measurable unit on a hard disk is a sector. Sectors are joined together to make a cluster. When you save a file, Windows breaks the file into small pieces. Each piece is no bigger than the size of one cluster.

For example, if you were to save a 128KB file to disk (see Figure 2.73), Windows would separate the file into 32 clusters (based on a 4KB cluster size). Unfortunately, not all files fill up an entire cluster. If you save a 21KB file to the disk, Windows separates it into six clusters (based on a 4KB cluster size). Every time Windows writes something to disk it uses an entire cluster. You cannot have parts of two different files in the same cluster. In the case of the 21KB file, this means you have wasted 3KB of space (see Figure 2.74). This happens because Windows must use six clusters to save the file, and six 4KB clusters total 24KB of hard disk space. You really only needed 21KB to save the file, but the cluster size resulted in some space going unused. Remember that clusters are the smallest units that can be written to a disk. Even if you do not have enough data to fill an entire cluster, Windows still uses an entire cluster when it writes to disk.

NOTE

Cluster size was a source of much wasted disk space with the FAT16 file system. With FAT16, cluster sizes increase as partition size increases, so that with a 2GB partition, cluster size is 64KB. That made for a lot of wasted space that could add up to a significant portion of the disk. FAT32 helped to alleviate that problem, with cluster sizes of only 4KB for partitions from 512MB to 8GB, 8KB clusters for partitions from 8 to 16GB, and 16KB clusters for partitions up to 32GB. NTFS improves on that further, with 4KB clusters for partitions up to 2TB. For more information about cluster size in Windows file systems, see www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/reskit/prkc_fil_lxty.asp.

Figure 2.73 Writing Data to Your Hard Disk (diagram: Regina creates a 128KB data file on C:\; the 128KB file is broken into 32 smaller pieces (clusters) of 4KB each; 4KB per cluster x 32 clusters = 128KB data file)


Figure 2.74 Wasting Space by Not Filling an Entire Cluster (diagram: Regina creates a 21KB data file on C:\; five clusters hold 4KB each and the sixth holds 1KB with 3KB unused; 4KB per cluster x 6 clusters = 24KB used space, 21KB needed for file storage, 3KB wasted space)

As data is saved to disk, then, Windows breaks it into clusters and writes each cluster to disk in sequential order (or as close to sequential order as possible). However, as you delete files and make changes to the OS, gaps start to appear in between the filled clusters, representing empty space on the disk. As Windows writes more files to disk, it fills in these gaps (see Figure 2.75). This means part of a file will be written in one of these gaps, then the rest of it will be written in the next gap, and so forth. Clusters that make up the file are not contiguous, but are spread out across the disk. This causes your disk to become fragmented.

Whenever you have parts of the same file spread all over different areas of the disk, disk access will be slower and overall system performance will be degraded because the disk’s read head has to travel further to access all the different parts of the file.

Defragmentation is the process of reorganizing your disk so that clusters that make up each file are stored together, instead of being spread all over. Windows Server 2003 provides two tools for performing this rearrangement of data on the disk, a graphical defragmenter and a command-prompt defragmenter.


Figure 2.75 Understanding Why Disks Get Fragmented (diagram: twelve numbered clusters shown full, then with gaps left by deleted files, then a four-piece file written into those gaps and scattered across the disk, and finally the same file stored contiguously after defragmentation)

Using the Graphical Defragmenter

You can access the graphical defragmenter in several different ways:

Click Start | All Programs | Accessories | System Tools | Disk Defragmenter.

Right-click My Computer, select Manage, and click Disk Defragmenter in the left console pane.

Click Start | All Programs | Administrative Tools | Computer Management and click Disk Defragmenter in the left console pane.

For our examples, we will access the Disk Defragmenter via Computer Management.

Note that anyone can open the Disk Defragmenter tool, but only an administrator, or someone with an account that has been delegated the authority, can analyze or defragment a volume.

Exercise 2.14 walks you through the process of using Disk Defragmenter.

WARNING

You need to have a minimum of 15 percent of the disk space free to be able to defragment a volume, so the tool can use the free space to sort the file fragments as it rearranges them. You can still run the defragmenter with less free space, but it will not be able to do a complete defragmentation.

EXERCISE 2.14 USING DISK DEFRAGMENTER

1. Open Computer Management (click Start | All Programs | Administrative Tools | Computer Management).

2. Click Disk Defragmenter as shown in Figure 2.76.

3. Click the Analyze button. This will analyze your disks and give you a report of how defragmented they are, as shown in Figure 2.77.

Figure 2.76

Using Disk Defragmenter from the GUI


Figure 2.77

Analyzing Your Hard Disk for Defragmentation

4. Click the View Report button to see the status of your disk. This will give you a report similar to the one shown in Figure 2.78.

Figure 2.78

Viewing the Analysis Report

5. At this point, you can click Close if you do not want to defragment your disk. If you do want to defragment, click the Defragment button to start the process.

NOTE

You cannot defragment volumes on a remote system, only local volumes. You cannot run the Defragmenter while backing up the volume (the Disk Defragmenter will stop and refuse to run). Unlike with some tools, you cannot have more than one instance of Disk Defragmenter open at a time.

6. You will next see the screen shown in Figure 2.79. You can pause or stop the defragmentation process by clicking Pause or Stop on the Action menu. When the defragmentation process is complete, you will be given the option to view a defragmentation report, as shown in Figure 2.80. Click View Report.


NOTE

It can take quite some time to defragment a disk that is very large and very fragmented. The amount of time it takes depends on the size of the volume, the amount of fragmentation and the overall speed of the disk.

Figure 2.79

Defragmenting Your Hard Disk

Figure 2.80

Completing Defragmentation

7. Compare the defragmentation report in Figure 2.81 with the analysis report in Figure 2.78. You should see a decrease in file fragmentation. You can print or save your report for later viewing. When finished, click Close.


Figure 2.81

Viewing the Defragmentation Report

Viewing the Analysis Report

You don’t have to really understand the analysis report in order to defragment your disks. The software is smart enough to let you know whether or not you need to defrag. However, a lot of good information can be found in the analysis report. This includes the following:

Fragmented files and folders: displays the paths and names of the most fragmented files on the volume.

Volume size

Amount of free space available

Average number of fragments per file

You can use the average number of fragments per file to gauge how fragmented the volume is. Table 2.3 explains the possible averages.

NOTE

Microsoft recommends that you analyze disks on a weekly or monthly basis, depending on the usual rate of fragmentation. However, if you delete or add a large number of files, you should run an analysis afterward, as this can cause the volume to become fragmented. It’s also a good idea to analyze the disk after you install new software or upgrade the operating system.


Table 2.3 Describing the Average Number of Fragments per File

Average Number of Fragments per File   Description
1.00   Most or all files are contiguous.
1.10   Around ten percent of the files are fragmented into two or more sections.
1.20   Around twenty percent of the files are fragmented into two or more sections.
1.30   Around thirty percent of the files are fragmented into two or more sections.
2.00   Most or all of the files are fragmented into two or more sections.
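As an added example (not code from the book), the cluster arithmetic of Figures 2.73 and 2.74 and the gap-filling fragmentation of Figure 2.75, modelled in Python: a toy volume of 4KB clusters, a first-free-cluster writer, a fragment counter that feeds the average of Table 2.3, and a defragment step. The volume size, file names and file sizes are constructed; describe_average picks the nearest of Table 2.3's sample values, which is an assumption, since the table lists points rather than ranges.

```python
import math

CLUSTER_SIZE = 4 * 1024  # 4KB clusters, the size used in Figures 2.73 and 2.74


def clusters_needed(file_size, cluster_size=CLUSTER_SIZE):
    """A file always occupies whole clusters, so round up."""
    return math.ceil(file_size / cluster_size)


def slack_space(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes allocated but unused, because two files never share a cluster."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


# Table 2.3: sample points relating the average fragments per file to a description
TABLE_2_3 = [
    (1.00, "Most or all files are contiguous."),
    (1.10, "Around ten percent of the files are fragmented into two or more sections."),
    (1.20, "Around twenty percent of the files are fragmented into two or more sections."),
    (1.30, "Around thirty percent of the files are fragmented into two or more sections."),
    (2.00, "Most or all of the files are fragmented into two or more sections."),
]


def describe_average(avg):
    """Return the Table 2.3 description whose sample value is closest to avg (assumption)."""
    _, text = min(TABLE_2_3, key=lambda row: abs(row[0] - avg))
    return text


class ClusterMap:
    """Toy volume: a list of clusters, each holding a file name or None (free)."""

    def __init__(self, total_clusters):
        self.clusters = [None] * total_clusters

    def write(self, name, size_bytes):
        """Fill the first free clusters in disk order. When earlier deletions
        have left gaps, a new file lands partly in one gap and partly in the
        next, which is exactly how fragmentation arises (Figure 2.75)."""
        need = clusters_needed(size_bytes)
        free = [i for i, owner in enumerate(self.clusters) if owner is None]
        if len(free) < need:
            raise ValueError(f"not enough free clusters for {name}")
        for i in free[:need]:
            self.clusters[i] = name

    def delete(self, name):
        self.clusters = [None if owner == name else owner for owner in self.clusters]

    def files(self):
        return sorted({owner for owner in self.clusters if owner is not None})

    def fragments(self, name):
        """Number of contiguous runs of clusters that belong to name."""
        runs, prev = 0, None
        for owner in self.clusters:
            if owner == name and prev != name:
                runs += 1
            prev = owner
        return runs

    def average_fragments_per_file(self):
        names = self.files()
        return sum(self.fragments(n) for n in names) / len(names)

    def defragment(self):
        """Rewrite each file into one contiguous run, keeping file order by
        first cluster, and push all free space to the end of the volume."""
        order = []
        for owner in self.clusters:
            if owner is not None and owner not in order:
                order.append(owner)
        counts = {n: self.clusters.count(n) for n in order}
        packed = [n for n in order for _ in range(counts[n])]
        self.clusters = packed + [None] * (len(self.clusters) - len(packed))


def demo():
    """Reproduce the gap-filling story: write, delete, write again, defragment.
    Returns (fragments of the last file, average before, average after)."""
    vol = ClusterMap(16)            # constructed 64KB volume of 16 x 4KB clusters
    vol.write("A.dat", 16 * 1024)   # clusters 0-3
    vol.write("B.dat", 21 * 1024)   # clusters 4-9 (six clusters, 3KB of slack)
    vol.write("C.dat", 8 * 1024)    # clusters 10-11
    vol.delete("B.dat")             # leaves a six-cluster gap at 4-9
    vol.write("D.dat", 32 * 1024)   # eight clusters: 4-9 plus 12-13, two fragments
    d_frags = vol.fragments("D.dat")
    before = vol.average_fragments_per_file()
    vol.defragment()
    after = vol.average_fragments_per_file()
    return d_frags, before, after


if __name__ == "__main__":
    print(f"21KB file: {clusters_needed(21 * 1024)} clusters, "
          f"{slack_space(21 * 1024) // 1024}KB wasted")
    d_frags, before, after = demo()
    print(f"D.dat fragments: {d_frags}; average before {before:.2f} "
          f"({describe_average(before)})")
    print(f"average after {after:.2f} ({describe_average(after)})")
```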

Understanding the Disk Defragmenter Interface

The Disk Defragmenter provides you with analysis reports and defragmentation reports to alert you to the fragmentation status of your disks. However, the graphical interface of the defragmenter tool also provides much of the same information if you know what to look for. The screenshot in Figure 2.82 was taken immediately after running the defragmentation utility as described in Exercise 2.15. Let’s analyze the display to determine the information that is available.

Notice that Disk Defragmenter runs in a standard MMC, which gives it a familiar feel, with the console tree in the left pane and the details pane on the right. On the right side, the pane is split into a top and a bottom section. The top section shows the volumes and partitions on the machine. The bottom section shows a graphical view of the fragmentation status of the selected volume. There are two bars in the bottom pane, which indicate the following:

Estimated disk usage before defragmentation

Estimated disk usage after defragmentation

By examining these bars, you can see the status of the disk before the defragmentation and the changes that have occurred afterward. These bars are obviously too small to list every cluster on the disk, but they do provide an accurate representation of how fragmented the volume is.

Table 2.4 explains the color codes used in these two bars. After running Disk Defragmenter, the goal is to see most of the red in the top bar replaced with blue.


Table 2.4 Understanding the Estimated Disk Usage Bars in Disk Defragmenter

Color   Description
Red     Most of the clusters are fragmented files.
Blue    Most of the clusters are contiguous files.
Green   Most of the clusters are files that cannot be moved from their current location. This could include paging files, or files used by the file system.
White   Most of the clusters are free space.

Figure 2.82 Viewing Your Disk After Defragmentation

Using defrag.exe

If you are comfortable with the Disk Defragmenter tool but prefer a character-based utility, you will feel right at home with defrag.exe. It is the command prompt equivalent of Disk Defragmenter. defrag.exe does everything that Disk Defragmenter does and, in addition, it supports scripting. You can use defrag.exe in a script to schedule analysis and defragmentation of your servers. Scripting is the primary reason to use defrag.exe instead of Disk Defragmenter. Table 2.5 explains the parameters for defrag.exe. defrag.exe uses the following syntax:

    defrag <volume> [-a] [-f] [-v] [-?]

where volume is a drive letter or mount point (d: or d:\vol\mountpoint).


Table 2.5 Understanding defrag.exe Parameters

Parameter   Description
volume      The drive letter or mount point to be defragmented.
-a          Analyzes the volume and displays an analysis summary indicating whether you should defragment the volume.
-f          Forces defragmentation of the volume when low on free space.
-v          Displays the complete analysis and defragmentation reports (not just a summary). When used with the -a switch, it displays only the analysis report. When used alone, it displays both the analysis and defragmentation reports.
-?          Displays help.

EXAM WARNING

Pressing CTRL+C will stop the defragmentation process of defrag.exe.

EXAM WARNING

You cannot run Disk Defragmenter and defrag.exe at the same time. Whichever you open first locks out the other one.

Defragmentation Best Practices

As discussed, defragmenting your disks is a good thing. It speeds up access to your files and can make more free space available. However, for best results, here is a summary of the guidelines to follow when defragmenting your servers:

■ Make sure that you have at least 15 percent of your volume's total space free. Disk Defragmenter needs an area in which to sort fragments while it rearranges your volume. If you can't meet this requirement because of low disk space, you will get only a partial defragmentation.

■ Always try to schedule your defragmentations during non-production hours. You don't want your users accessing files while the volume is being defragmented. This causes two problems: users' performance suffers because of the resources consumed by Disk Defragmenter, and your defragmentation takes longer.

■ Always analyze before you defragment, to make sure that you actually need to. You should analyze any time a large number of files is added to your server or after installing software on your server. Both of these actions tend to cause high levels of fragmentation.


EXAM WARNING

If the file system has marked your volume as "dirty," it cannot be defragmented. Use fsutil.exe (discussed earlier) to query the volume to determine if it is dirty. If it is dirty, run chkdsk.exe on it first to enable you to defragment it (using chkdsk is covered later in this chapter).
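The three best practices and the dirty-volume warning above, turned into one scheduled job. This is an added PowerShell example, not a script from the book; it assumes the Windows Server 2003 defrag.exe switches of Table 2.5, that the analysis report ends with the sentence "You should defragment this volume." when defragmentation is recommended, and that fsutil dirty query answers "is NOT Dirty" for a clean volume. The log path and the script name Invoke-DefragIfNeeded.ps1 are illustrative.

```powershell
# Added example, not from the book: analyze-before-defragment wrapper for defrag.exe.
# Assumes the Windows Server 2003 defrag.exe switches from Table 2.5, that the analysis
# report ends with "You should defragment this volume." when action is needed, and that
# "fsutil dirty query" answers "is NOT Dirty" for a clean volume. Run as an administrator.
param(
    [Parameter(Mandatory = $true)][string]$Volume,    # "D:" or "D:\vol\mountpoint"
    [string]$LogFile = "$env:SystemRoot\Temp\defrag-$($Volume -replace '[:\\]', '_').log",
    [int]$MinFreePercent = 15                          # the chapter's 15 percent guideline
)

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# 1. A volume the file system has marked dirty cannot be defragmented: chkdsk comes first.
$dirty = (& fsutil.exe dirty query $Volume 2>&1 | Out-String).Trim()
if ($dirty -notmatch 'is NOT Dirty') {
    Write-Log "Volume $Volume is dirty or could not be queried ($dirty). Run chkdsk, then retry."
    exit 2
}

# 2. Warn when the 15 percent free-space guideline is not met (drive letters only;
#    System.IO.DriveInfo does not accept mount-point paths).
$letter = $Volume.TrimEnd('\')
if ($letter -match '^[A-Za-z]:$') {
    $drive = New-Object -TypeName System.IO.DriveInfo -ArgumentList $letter
    $freePercent = [math]::Round(100 * $drive.AvailableFreeSpace / $drive.TotalSize, 1)
    if ($freePercent -lt $MinFreePercent) {
        Write-Log "Only $freePercent% of $letter is free, below $MinFreePercent%; expect a partial defragmentation."
    }
}

# 3. Analyze first and keep the full report; defragment only when the tool recommends it.
$analysis = & defrag.exe $Volume -a -v 2>&1 | Out-String
Add-Content -Path $LogFile -Value $analysis
if ($analysis -match 'You should defragment this volume') {
    Write-Log "Analysis recommends defragmenting $Volume; starting."
    $report = & defrag.exe $Volume -v 2>&1 | Out-String
    Add-Content -Path $LogFile -Value $report
    Write-Log "defrag.exe finished with exit code $LASTEXITCODE."
} else {
    Write-Log "Analysis did not recommend defragmenting $Volume; nothing to do."
}
```

To keep the work in non-production hours, register the script once with the Task Scheduler, for example `schtasks /create /tn "Defrag D" /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Invoke-DefragIfNeeded.ps1 -Volume D:" /sc weekly /d SUN /st 02:00 /ru SYSTEM`, and review the log afterward. The script does not check whether the Disk Defragmenter console is open on the server; if it is, defrag.exe is locked out, as the exam warning above notes, and the analysis output in the log will show that rather than a report.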

EXAM 70-290 OBJECTIVE 4.7.1

Configuring and Monitoring Disk Quotas

The capability to set disk quotas is a feature that was on the "wish list" of Windows NT administrators for a long time. Users tend to find a way of consuming every bit (and byte) of space that you offer them. Third-party products provided for setting quotas with NT, and built-in support for disk quotas was first introduced in Windows 2000. Disk quota support has been carried over to Windows XP and Windows Server 2003. In the following sections, we discuss how to enable, configure, and monitor disk quotas.

Overview of Disk Quotas

Disk quotas enable you to track and limit disk space usage on NTFS volumes. You can use disk quotas for two purposes:

■ To audit how much space your users are using (enabling quotas without limiting disk space).

■ To limit your users to a set amount of space (enabling quotas and setting limits on disk space).

Users are warned when they approach the specified limit. The administrator can set the level at which the warning occurs. After the limit is reached, a user can no longer save data to the volume without first deleting some files to create new space. You can also set the system to log an event to the event log when a user reaches either the warning level or the disk space limit.

Disk quota amounts are calculated based on file ownership. The size of the file is charged against its owner's limit. The only time this poses a problem is when users share single files. For example, if you have the correct permissions, you can write to a file that someone else owns, and the space you add counts against the other user's limit.

Disk quotas are set at the volume level only. You cannot create different quotas for individual folders within a volume. If you need to set different quotas for the same users on different folders, you can put those folders on separate volumes or purchase third-party software that allows for more granular setting of quotas. Likewise, you cannot set quotas at the physical disk level. If a disk has three volumes on it, each volume is managed separately.

You must have administrative rights to assign quotas.


NOTE

Quotas can be set on both local and shared network volumes. You can also set quotas on volumes that are on shared removable media. However, you cannot set quotas on a volume unless it is formatted with NTFS.

Use disk quotas in the following situations:

■ You have limited shared storage available on public servers and need to ensure that the disks don't become full.

■ You want to keep a log of how much disk space is being consumed by each user.

EXAM WARNING

Compressed files are counted against the quota limit based on their uncompressed size. For example, if you have a 100MB file that is compressed to 85MB, 100MB is counted toward your limit. This means a user cannot compress files to "get around" or extend the quota limit.

Enabling and Configuring Disk Quotas

You can enable disk quotas by accessing the Properties sheet for a volume and using the Quota tab. If you do not see a Quota tab on the Properties sheet, either you do not have administrative rights on the machine or the volume is formatted with FAT or FAT32. Remember that disk quotas can only be configured on NTFS volumes.

Exercise 2.15 walks you through the process of enabling disk quotas and configuring limits for users, but before we walk through the steps, we will discuss the details of the Quota tab (Figure 2.83). You need to be familiar with all the options on this tab for the exam.

The first thing you see on the Quota tab is the "stop light." It indicates the status of disk quotas on the volume:

■ When the light is red, disk quotas are disabled.

■ When the light is yellow, the system is rebuilding disk quota information.

■ When the light is green, disk quotas are enabled and active.

When you select the check box next to Enable quota management, the light goes from red to yellow to green. However, the light may appear to go straight to green. This just means that the quota information was built very quickly and didn't register on the light.

After you enable disk quotas, you must configure how they will be used. By default, users are not denied disk space or warned about the amount of disk space they are using. This is the proper setting if you are only using disk quotas to track how much space each user is using, but if you want to limit the amount of space available to users, you must further configure the quotas feature. This is where the Deny disk space to users exceeding quota limit check box comes into play. When you check this check box, Windows will deny additional disk space to anyone who exceeds his or her limit.

You can either set limits for users individually by using the Quota Entries button or you can configure a default limit that will apply to everyone. You can also import quota settings from another volume. This is useful if you want to set the quotas identically on a number of different volumes.

NOTE

You can set individual quota settings based on user accounts, but you cannot set quotas based on group accounts. Also note that you cannot set a limit on disk usage for members of the built-in Administrators group. You can, however, specify a warning level.

There are two settings to configure for each user (or for all users as the default): a limit level and a warning level:

■ Next to Limit disk space to, there are two boxes. The first box is a text field into which you can type a number. The second box is a drop-down box that contains a disk measurement unit (KB, MB, GB, TB, PB, EB). By entering a number in the first box and choosing a measurement from the second box, you can restrict each user to a disk space limit ranging from 1KB to 6 EB. The default limit is 1KB.

■ Directly under the limits boxes are identical Set warning level to boxes. Quota warnings are configured in the same way as quota limits. You should set the warning level to a smaller number than the disk limit so that users will know they are approaching their limits before reaching them.

Table 2.6 explains the different disk measurement options available for setting limits and warnings.

Table 2.6 Understanding Disk Measurements

Measurement   Description
KB            Kilobyte. Nominally one thousand bytes; the Quota tab uses the binary value, 1,024 bytes.
MB            Megabyte. Nominally one million bytes; 1,048,576 bytes (1,024 KB) on the Quota tab.
GB            Gigabyte. Nominally one billion bytes; 1,073,741,824 bytes (1,024 MB) on the Quota tab.
TB            Terabyte. Nominally one trillion bytes; 1,099,511,627,776 bytes (1,024 GB) on the Quota tab.
PB            Petabyte. Nominally one quadrillion bytes; 1,125,899,906,842,624 bytes (1,024 TB) on the Quota tab.
EB            Exabyte. Nominally one quintillion bytes (a billion gigabytes); 1,152,921,504,606,846,976 bytes (1,024 PB) on the Quota tab.

Because the units are binary multiples, a 500MB limit is stored as 524,288,000 bytes, and that byte count is what command-line tools such as fsutil report for the entry.

Finally, you can configure the logging options. Under Select the quota logging options for this volume you have two options:

■ Log event when a user exceeds their quota limit

■ Log event when a user exceeds their warning level

Both options are disabled by default and either or both can be enabled by checking the corresponding check box(es). Both settings log events to the System log of the Event Viewer. Logging options are set only on a per-volume basis; there is no setting for logging on an individual user's Quota Settings page.

NOTE

The limit and warning levels you set on the volume's Quota properties sheet will apply to each new user unless/until you set an individual quota setting for that user in the Quota Entries console.

Now that you have a good understanding of the Quota tab, go through the steps of setting it up and configuring quotas for a user by completing Exercise 2.15.

EXAM WARNING

If you convert a volume from FAT or FAT32 to NTFS, ownership of all files in place at the time of the conversion is automatically assigned to the administrator. This means that users can continue to write to those files without having them count toward their own quota limits.


EXERCISE 2.15

ENABLING DISK QUOTAS AND SETTING QUOTA LIMITS

1. In Windows Explorer or My Computer, right-click the volume on which you want to set quotas and select Properties from the context menu.

In this exercise, we enable quotas on the C: drive. Note that to manage quotas on a remote computer, you’ll need to first map a network drive for the remote volume on which you want to set or manage quotas.

2. Click the Quota tab, as shown in Figure 2.83.

3. Check the check box next to Enable quota management to enable disk quotas for the C: drive.

4. Check the check box next to Deny disk space to users exceeding quota limit to enforce limits.

5. Click the Quota Entries button to open the Quota Entries console, as shown in Figure 2.84.

Figure 2.83 Enabling Disk Quotas


Figure 2.84 Viewing Quota Entries

6. Click the Quota menu bar.

7. Select New Quota Entry from the menu.

8. You are prompted to choose the users for which you want to add quotas, as shown in Figure 2.85. Type the user’s name in the box and click Check Name to verify that the user exists in the account database.

9. If the name is verified, click OK to continue. You next have to customize the quota entry for the user, as shown in Figure 2.86.

Figure 2.85 Choosing Users to Restrict


Figure 2.86 Configuring Limits and Warnings

10. Select Limit disk space to and enter the amount of space you wish to allow the user to use on the volume. Select a unit of measurement.

11. Set the warning level for your user in the same way.

12. Click OK to save the settings and add the user to the Quota Entries list.

Monitoring Disk Quotas

Now that you know how to enable disk quotas, we will discuss how to analyze the quota settings and monitor disk usage. Disk quota settings are accessed and disk usage is monitored via the Quota Entries console, as previously shown in Figure 2.84.

EXAM WARNING

For the exam, you need to be able to look at this screen and analyze the disk quota entries that are shown.

The Quota Entries console displays seven items in regard to each user. You can sort by the columns by clicking the corresponding section of the column title bar or by using the View menu (View | Arrange Items | by...). For example, if you want to sort by the amount of disk space used, click on the Amount Used bar. This will arrange the user accounts in order of least to greatest space used. Clicking the same column header again will rearrange the accounts in the opposite order (greatest to least).

■ Status: This indicates how well the user is complying with the quota limit. There are three possible settings: OK, Warning, or Above Limit. A status of OK indicates that the user hasn't reached the warning or limit level yet. Warning indicates that the user has reached the warning level, but not the limit level. Above Limit indicates that the user has passed both the warning and limit levels. Sorting by status makes it easy to find all users that have exceeded their limits.

■ Name: This is the user's full name as it appears in Local Users and Groups or Active Directory Users and Computers.

■ Logon Name: This is the user's account name as it appears in Local Users and Groups or Active Directory Users and Computers.

■ Amount Used: This shows the total amount of disk space currently being used by the user.

■ Quota Limit: This shows the level at which the user will no longer be allowed to save data to this volume.

■ Warning Level: This shows the level at which the user will be warned when saving data to this volume.

■ Percent Used: This displays the percentage of allocated space that has been used by the user. Sorting by Percent Used is a good way to discover which users may run out of space soon.

NOTE

When you have created a quota entry for an individual user, you won't be able to delete the entry unless that user no longer owns any files on the volume. You can move the files to a different volume or you, as administrator, can take ownership of the files to enable you to delete the user's quota entry. If you try to delete an entry when the user still owns files on the volume, you will be shown a list of those files and given the option to 1) permanently delete them, 2) take ownership of them, or 3) move them to a specified location on another volume.

Seeing SIDs in Quota Entries

When you open the Quota Entries console for the first time, you might see long numbers (see Figure 2.87) instead of logon names for some or all users. This is because quota entry information is based on a user's security identifier (SID), rather than on the username. When Quota Entries is opened for the first time, the system must resolve all the SIDs to logon names. You'll see a message to that effect ("Retrieving Name") in the Name column. After this occurs for the first time, the system caches the information into each user's profile so it won't have to be retrieved every time the console is opened. However, this caching can pose a problem if you rename a user account, because the old name might continue to show in quota entries. To rectify this, press F5 on the keyboard or click View | Refresh. This will cause Quota Entries to re-associate all the SIDs with their current names.


Figure 2.87 Resolving SIDs to Logon Names

Exporting and Importing Quota Settings

If you have multiple volumes that contain users’ data then you will probably want to apply the same quota settings to all volumes. Also, if you migrate your users’ data from one volume to another, then you need an easy way to reapply all the disk quotas.

There are a few different ways to copy disk quotas from one volume to another. If you open the Quota Entries window (as shown in Figure 2.88) for both volumes, you can drag and drop quota limits between the two windows. You can also export all quota settings to a file and import them to another volume. Exercise 2.16 walks you through exporting quota settings, and Exercise 2.17 walks you through importing quota settings.

NOTE

Unless your user account has been delegated the appropriate authority, you must be a member of the Administrators group on the local computer to export and import disk quotas.

EXERCISE 2.16

EXPORTING QUOTA SETTINGS

1. Open My Computer.

2. Right-click the volume you want to manage and choose Properties from the pop-up menu.


3. Click the Quota tab.

4. Click the Quota Entries button. This will give you a window similar to Figure 2.88.

5. Click the Quota menu bar and choose Export from the drop-down list. You will now be asked where to save the quota settings, as shown in Figure 2.89.

6. Type in a name and click the Save button to finish the export.

Figure 2.88 Choosing to Export Quota Settings

Figure 2.89 Exporting Quota Settings


EXERCISE 2.17

IMPORTING QUOTA SETTINGS

The steps for importing quota settings are very similar to the steps for exporting quota settings.

1. Open My Computer.

2. Right-click the volume you want to manage and choose Properties from the pop-up menu.

3. Click the Quota tab.

4. Click the Quota Entries button. This will give you a window similar to Figure 2.90.

Figure 2.90 Choosing to Import Disk Quotas

5. Click the Quota menu bar and choose Import from the drop-down list. You will now be asked which quota settings file to import, as shown in Figure 2.91.

6. Navigate to the quota settings file and click Open to import the settings.


Figure 2.91 Importing Disk Quotas

Disk Quota Best Practices

Disk quotas are a powerful feature that gives Windows Server 2003 administrators flexible control over disk usage. However, using them incorrectly can be disastrous. Don't let this keep you from using disk quotas; just learn to use them intelligently. Here are a few guidelines that will ensure that enabling disk quotas makes your job as an administrator easier, not more difficult:

■ Set default limits so that all users are restricted in the amount of space they can use by default. Always make your default settings as restrictive as possible, while still providing users with enough space to do their work. It is easier to give users more space if needed than to take space away. Remember that this is only a default setting. It is not a mandatory setting for all your users; it only applies to those user accounts that do not have specific individual settings configured.

■ Use reasonable quota limits. Don't just take the amount of space available and divide it equally among your users. Sit down and calculate a fair limit based on user needs. Not everyone needs the same amount of disk space. Power users may need more than standard users. Those who work with and save large graphic or video files need more space than those who work primarily with plain text files.

■ Be realistic in setting the quotas and stick to them unless or until there is a real need to change them. If you set the default limit at 50MB when you know most users are using 200MB, you are setting yourself up for trouble. Try not to get into the habit of setting quotas excessively low and then increasing them when users complain. It is better to give users the right amount of space up front, and be less flexible about increasing the amount. If users know they can easily get their allocations increased by complaining, they will be less motivated to properly manage their files.

■ Delete quota entries for users who no longer need to store files on the volume. Delete or move their files to another volume to free space for those who need to store data on the volume.

■ When calculating the amount of disk space available for allocating quotas, remember to take into account NTFS overhead. Files can contain up to 64KB of metadata (information about the file) that is not counted against a user's quota, but does take up space on the disk.

EXAM WARNING

Each user must have at least 2MB of disk space to log on and load his or her profile. Make sure the default limit is always set to 2MB or higher.

Using fsutil.exe to Manage Disk Quotas

If you prefer using a command-line tool instead of the graphical interface, you can perform many of the tasks involved in managing disk quotas with the command-line utility fsutil.exe. Use the command fsutil quota with one of the following parameters to perform quota-related tasks:

■ fsutil quota disable <volumepathname>   Disables quotas on the volume.

■ fsutil quota enforce <volumepathname>   Enables quota enforcement on the volume.

■ fsutil quota modify <volumepathname> <threshold> <limit> <username>   Creates a new quota or changes an existing one. The warning threshold and the limit are given in bytes, not in the KB/MB/GB units of the Quota tab.

■ fsutil quota query <volumepathname>   Lists existing quota entries.

■ fsutil quota track <volumepathname>   Tracks disk usage on the volume.

■ fsutil quota violations   Displays detected quota violations.

The fsutil commands can be used in a script to automate quota tasks (for example, to set a specified quota limit each time you add a new user).
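The fsutil quota commands just listed, the unit conversions of Table 2.6, the Status and Percent Used columns described under Monitoring Disk Quotas, and the 2MB minimum from the best practices, pulled together in one added PowerShell example. This is not code from the book; it assumes that fsutil quota modify takes the warning threshold and the limit in bytes, that fsutil quota query prints one "SID Name =", "Quota Used =", "Quota Threshold =" and "Quota Limit =" group per entry, and that the value 18446744073709551615 (2^64 - 1) means "no limit". The sample query output embedded below is constructed for the demonstration, not captured from a server, and the function names are this example's own.

```powershell
# Added example, not from the book: set and read NTFS disk quotas through fsutil.exe.
# Assumptions: fsutil quota modify expects the warning threshold and the limit in bytes,
# so Table 2.6 units must be converted; fsutil quota query prints one block per entry
# with "SID Name =", "Quota Used =", "Quota Threshold =" and "Quota Limit =" lines,
# and 18446744073709551615 (2^64-1) means "no limit". Run from an administrative prompt.

# Table 2.6 in code: the Quota tab uses binary multiples (1 KB = 1,024 bytes).
$UnitBytes = @{ KB = 1KB; MB = 1MB; GB = 1GB; TB = 1TB; PB = 1PB; EB = 1PB * 1KB }

function ConvertTo-QuotaBytes {
    # "500MB", "1.5 GB", "6EB" -> the byte count fsutil expects.
    param([Parameter(Mandatory)][string]$Size)
    if ($Size -notmatch '^\s*(\d+(?:\.\d+)?)\s*([KMGTPE]B)\s*$') {
        throw "Size '$Size' must be <number><unit> with a unit from Table 2.6 (KB, MB, GB, TB, PB, EB)."
    }
    return [int64]([double]$Matches[1] * $UnitBytes[$Matches[2].ToUpper()])
}

function Set-UserQuota {
    # Wraps: fsutil quota modify <volume> <threshold-bytes> <limit-bytes> <user>
    param(
        [Parameter(Mandatory)][string]$Volume,    # "D:" or "D:\vol\mountpoint"
        [Parameter(Mandatory)][string]$User,      # "CORP\jsmith"
        [Parameter(Mandatory)][string]$Limit,     # e.g. "500MB"
        [string]$Warning                          # e.g. "450MB"; default is 90 percent of the limit
    )
    $limitBytes = ConvertTo-QuotaBytes $Limit
    $warnBytes  = if ($Warning) { ConvertTo-QuotaBytes $Warning } else { [int64][math]::Floor($limitBytes * 0.9) }
    if ($limitBytes -lt 2MB)        { throw 'A user needs at least 2 MB to log on and load a profile; refusing a smaller limit.' }
    if ($warnBytes -ge $limitBytes) { throw 'The warning level must be below the limit so users are warned before they hit it.' }
    & fsutil.exe quota modify $Volume $warnBytes $limitBytes $User
    if ($LASTEXITCODE -ne 0) { throw "fsutil quota modify failed with exit code $LASTEXITCODE." }
}

function ConvertFrom-QuotaQuery {
    # Turns "fsutil quota query" text into the columns the Quota Entries console shows.
    param([Parameter(Mandatory)][string[]]$Lines)
    $noLimit = [uint64]::MaxValue
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*SID Name\s*=\s*(.+?)\s*$') {
            if ($current) { $entries += ,$current }
            $current = @{ Name = $Matches[1]; Used = [uint64]0; Threshold = $noLimit; Limit = $noLimit }
        } elseif ($current -and $line -match '^\s*Quota (Used|Threshold|Limit)\s*=\s*(\d+)\s*$') {
            $current[$Matches[1]] = [uint64]$Matches[2]
        }
    }
    if ($current) { $entries += ,$current }

    foreach ($e in $entries) {
        # Status mirrors the console: Above Limit once usage passes the limit, Warning once it
        # reaches the warning level, otherwise OK. Unlimited entries (administrators) stay OK.
        $status = 'OK'
        if     ($e.Limit -ne $noLimit -and $e.Used -gt $e.Limit)         { $status = 'Above Limit' }
        elseif ($e.Threshold -ne $noLimit -and $e.Used -ge $e.Threshold) { $status = 'Warning' }
        $limitText = if ($e.Limit -eq $noLimit)     { 'No Limit' } else { $e.Limit }
        $warnText  = if ($e.Threshold -eq $noLimit) { 'No Limit' } else { $e.Threshold }
        $percent   = if ($e.Limit -eq $noLimit)     { $null } else { [math]::Round(100.0 * $e.Used / $e.Limit, 1) }
        [pscustomobject]@{
            Status       = $status
            Name         = $e.Name
            AmountUsedMB = [math]::Round($e.Used / 1MB, 2)
            QuotaLimit   = $limitText
            WarningLevel = $warnText
            PercentUsed  = $percent
        }
    }
}

# Constructed sample of query output (not captured from a real server) so the parser runs offline.
$sample = @'
FileSystemControlFlags = 0x00000003
    Quotas are tracked and enforced on this volume
    Logging for quota events is enabled
    The quota values are up to date

Default Quota Threshold = 0x000000001c200000
Default Quota Limit     = 0x000000001f400000

SID Name         = BUILTIN\Administrators (Alias)
Change time      = Monday, August 11, 2003 15:50:00
Quota Used       = 734003200
Quota Threshold  = 18446744073709551615
Quota Limit      = 18446744073709551615

SID Name         = CORP\jsmith (User)
Change time      = Monday, August 11, 2003 15:50:00
Quota Used       = 498073600
Quota Threshold  = 471859200
Quota Limit      = 524288000
'@ -split "`r?`n"

ConvertFrom-QuotaQuery -Lines $sample | Format-Table -AutoSize
# Live use, as administrator:
#   ConvertFrom-QuotaQuery -Lines (& fsutil.exe quota query D:) | Sort-Object PercentUsed -Descending
#   Set-UserQuota -Volume D: -User CORP\jsmith -Limit 500MB -Warning 450MB
```

On the constructed sample, the Administrators entry comes out as OK with no limit, and CORP\jsmith as Warning at 95 percent (475MB used of a 500MB limit with a 450MB warning level), which is the same picture the Quota Entries console would paint. Set-UserQuota refuses a limit under 2MB and a warning level at or above the limit, the two mistakes the best practices above call out; it does not bypass the rule that members of the built-in Administrators group cannot be limited.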


EXAM 70-290 OBJECTIVE 1.3.1

Implementing RAID Solutions

There are several options for setting up a RAID environment. You can use either software-based RAID or hardware-based RAID. Software-based RAID is more cost effective because you don't have to purchase anything extra, but it works only in certain situations and performance is not as good. You cannot easily change from one RAID type to another. If you want to change, you must do the following:

1. Back up your data.

2. Erase your existing RAID configuration.

3. Create a new RAID configuration.

4. Restore your data from backup.

For the exam, you will need to be able to determine which RAID solution is best for a given environment. This section covers the differences between hardware and software RAID and when it is best to use one instead of the other.

Understanding Windows Server 2003 RAID

Windows Server 2003 RAID is software-based RAID. With software-based RAID, all the physical disks are presented to the operating system as they are and the operating system manages them in a RAID configuration. The benefit is that software-based RAID is built into the operating system. The drawback is that the operating system incurs the entire overhead for maintaining the RAID volume. Additionally, there are limitations that apply to software-based RAID that do not apply to hardware-based RAID. You do not have as many RAID options with software-based RAID. Windows Server 2003 supports only three levels of RAID: RAID 0, RAID 1, and RAID 5. In the next sections, we discuss each in more detail.

RAID Level 0

RAID level 0 utilizes disk striping. A RAID level 0 volume in Windows Server 2003 is called a striped volume. This version of RAID does not provide any fault tolerance. It is sometimes said that RAID 0 is really "AID" rather than "RAID" because there is no redundancy of data provided. It does, however, provide the best performance of any single RAID level, and that is its purpose. Level 0 can be implemented as either a software or hardware solution and is supported by all controllers.

Because the operating system must be loaded before the striped volume is initialized and made available, a level 0 array cannot be used for the boot or system partitions. RAID level 0 should be used when you are trying to get maximum performance from your drives. Level 0 is best for data that is not mission-critical or that is backed up regularly. It is good for audio/video streaming, gaming and other applications where performance is important. Windows Server 2003's RAID level 0 works with a minimum of two disks up to a maximum of 32 disks.


RAID Level 1

RAID level 1 utilizes disk mirroring. A RAID level 1 volume in Windows Server 2003 is called a mirrored volume, and consists of two identical disks. An exact duplicate of the data is written to each disk. This version of RAID does provide fault tolerance and is the only one of Windows Server 2003's software-based RAID levels that can be used for the boot and system partitions. Level 1 is the simplest RAID implementation and can be implemented as either a software or hardware RAID solution.

RAID level 1 should be used when you want to provide fault tolerance for the boot and/or system partitions or if you need fault tolerance and have only two disks available. Level 1 is the most expensive form of Windows Server 2003 RAID because only 50 percent of the disk space that must be purchased is used for data.

RAID Level 5

RAID level 5 utilizes disk striping with parity. A RAID level 5 volume in Windows Server 2003 is called a RAID-5 volume. As with disk striping, a RAID-5 volume cannot be used for the boot or system partition because the operating system must be loaded first to initialize the volume and make it available. The parity information is distributed across multiple disks, and the parity for a given block of data is always on a different disk from the disks on which the data itself is stored. This provides the fault tolerance and enables the data to be regenerated if a single disk in the array fails.

RAID-5 volumes require a minimum of three disks and work with up to 32 disks. You should use RAID level 5 when you need fault tolerance with better performance and drive utilization than RAID level 1 can provide. RAID 5 is one of the most popular RAID implementations. However, software RAID 5 is considerably slower than its hardware counterpart, because of the overhead involved in calculating the parity information. It is better for read-intensive applications as opposed to write-intensive ones.
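The parity regeneration the RAID-5 paragraphs describe, as an added PowerShell simulation (not code from the book or from Windows): the data is split into stripe units, each row's parity unit is the XOR of the row's data units and rotates to a different disk on each row, and a failed disk is rebuilt by XORing the surviving units in every row. The disk count, stripe-unit size, rotation rule and payload are illustration choices, not the on-disk format of a Windows Server 2003 RAID-5 volume.

```powershell
# Added example, not from the book or from Windows: the XOR arithmetic that lets a RAID-5
# volume regenerate one failed disk, simulated in memory. The disk count, stripe-unit size,
# parity rotation rule and payload are illustration choices, not the on-disk format that
# Windows Server 2003 uses for RAID-5 volumes.

function Get-ParityDisk([int]$Row, [int]$DiskCount) {
    # Rotate the parity unit: row 0 keeps it on the last disk, row 1 on the one before, and so on,
    # so no single disk becomes a dedicated parity disk (that would be RAID 4).
    return ($DiskCount - 1) - ($Row % $DiskCount)
}

function New-Raid5Layout {
    param([Parameter(Mandatory)][byte[]]$Data, [int]$DiskCount = 3, [int]$StripeUnit = 8)
    if ($DiskCount -lt 3) { throw 'A RAID-5 volume needs at least three disks.' }
    $dataUnitsPerRow = $DiskCount - 1
    $rows = [int][math]::Ceiling($Data.Length / ($StripeUnit * $dataUnitsPerRow))
    $disks = @()
    for ($d = 0; $d -lt $DiskCount; $d++) { $disks += ,(New-Object System.Collections.ArrayList) }
    for ($r = 0; $r -lt $rows; $r++) {
        $parityDisk = Get-ParityDisk $r $DiskCount
        $parity = New-Object byte[] $StripeUnit
        $unitIndex = 0
        for ($d = 0; $d -lt $DiskCount; $d++) {
            if ($d -eq $parityDisk) { continue }
            $unit = New-Object byte[] $StripeUnit
            $offset = ($r * $dataUnitsPerRow + $unitIndex) * $StripeUnit
            $len = [math]::Max(0, [math]::Min($StripeUnit, $Data.Length - $offset))
            if ($len -gt 0) { [array]::Copy($Data, $offset, $unit, 0, $len) }
            for ($i = 0; $i -lt $StripeUnit; $i++) { $parity[$i] = $parity[$i] -bxor $unit[$i] }
            [void]$disks[$d].Add($unit)
            $unitIndex++
        }
        [void]$disks[$parityDisk].Add($parity)   # parity sits on a disk holding none of this row's data
    }
    return [pscustomobject]@{ DiskCount = $DiskCount; StripeUnit = $StripeUnit; Rows = $rows; Disks = $disks }
}

function Restore-Raid5Disk {
    param([Parameter(Mandatory)]$Layout, [Parameter(Mandatory)][int]$FailedDisk)
    # Each unit on the failed disk, data or parity alike, is the XOR of the other disks' units
    # in the same row. A second failure before this completes leaves the equation unsolvable.
    $rebuilt = New-Object System.Collections.ArrayList
    for ($r = 0; $r -lt $Layout.Rows; $r++) {
        $unit = New-Object byte[] $Layout.StripeUnit
        for ($d = 0; $d -lt $Layout.DiskCount; $d++) {
            if ($d -eq $FailedDisk) { continue }
            $other = $Layout.Disks[$d][$r]
            for ($i = 0; $i -lt $Layout.StripeUnit; $i++) { $unit[$i] = $unit[$i] -bxor $other[$i] }
        }
        [void]$rebuilt.Add($unit)
    }
    $Layout.Disks[$FailedDisk] = $rebuilt
}

function Read-Raid5Text {
    # Reads the user data back, skipping each row's parity unit, and decodes it as ASCII.
    param([Parameter(Mandatory)]$Layout, [Parameter(Mandatory)][int]$Length)
    $bytes = New-Object System.Collections.Generic.List[byte]
    for ($r = 0; $r -lt $Layout.Rows; $r++) {
        $parityDisk = Get-ParityDisk $r $Layout.DiskCount
        for ($d = 0; $d -lt $Layout.DiskCount; $d++) {
            if ($d -ne $parityDisk) { $bytes.AddRange([byte[]]$Layout.Disks[$d][$r]) }
        }
    }
    return [System.Text.Encoding]::ASCII.GetString($bytes.ToArray(), 0, $Length)
}

# Constructed payload on a four-disk array: three data units plus one parity unit per row,
# so 75 percent of the raw capacity holds data (a two-disk mirror gives 50 percent).
$text     = 'Constructed sample payload for the RAID-5 parity demonstration.'
$original = [System.Text.Encoding]::ASCII.GetBytes($text)
$layout   = New-Raid5Layout -Data $original -DiskCount 4 -StripeUnit 8

$layout.Disks[1] = $null                          # disk 1 fails; its data and parity units are gone
Restore-Raid5Disk -Layout $layout -FailedDisk 1   # regenerate it from the three survivors
$recovered = Read-Raid5Text -Layout $layout -Length $original.Length
Write-Output ("Recovered intact: {0}" -f ($recovered -eq $text))
```

Every write in this model costs a read-modify-write of the row's parity unit, which is the overhead the text blames for software RAID 5 being slower on write-intensive workloads; and because the rebuild needs every surviving disk's unit for each row, losing a second disk before the replacement finishes (or before the spare the best practices ask you to keep is installed) leaves nothing to regenerate from.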

Hardware RAID

As the name implies, hardware-based RAID uses special hardware to create RAID volumes. A RAID controller is added to your server. The controller handles the overhead of managing the RAID volumes, and this improves performance by removing the processing burden from the operating system. This also removes many of the restrictions imposed by software-based RAID.

Because the RAID controller presents the RAID volume to the OS as one disk, you can use hardware-based RAID 0 and RAID 5 volumes for the boot and system partitions.

Hardware-based RAID provides you with many more RAID levels to choose from, including the following:

■ RAID 2: Splits data at the bit level and spreads it across two types of disks: data disks and redundancy disks, with redundant bits calculated with Hamming codes (a type of Error Correcting Code or ECC). Not often used due to cost and complexity. Requires a special RAID controller card.


■ RAID 3: Splits data at the byte level and stripes it across several disks, with one disk as a dedicated parity disk. Requires a RAID hardware controller; good for editing very large files.

■ RAID 4: Stripes data across multiple disks in blocks (instead of bits or bytes) and uses a dedicated parity disk. Requires a RAID hardware controller; used for the same applications as RAID 3 and 5.

■ RAID 6: Stripes data across multiple disks in blocks like RAID 4 and 5, but creates duplicate sets of parity for each data stripe. More fault tolerant than RAID 5 because it can recover the data if two disks in the array fail, but performance is not as good in write operations. Requires a special hardware controller; used for data that is especially critical and requires the extra fault tolerance.

■ RAID 7: Proprietary RAID implementation of Storage Computer Corporation. Uses multi-level cache and a special processor to manage the array. Requires special proprietary hardware; provides very high performance.

■ Nested RAID levels: Arrays that use a combination of the single levels. For example, RAID level 0+1 and 1+0 (also called 01 and 10) use "mirrored stripes" and "striped mirrors" respectively. Level 0+1 creates a stripe set and then creates a mirror of it, so you have two identical stripe sets. Level 1+0 stripes data across mirror sets. This enables you to have the performance advantages of level 0 along with the fault tolerance of level 1. Other nested RAID levels include 5+3 (also called 53), 3+0 (30), 0+5 (05), 5+0 (50), 1+5 (15) and 5+1 (51).

The only real drawback to hardware-based RAID is the price. Server-grade RAID controllers typically cost $750 and up.This can add up quickly when you have a large number of servers.

RAID Best Practices

After you have made the decision to use a RAID volume, you need to determine which solution best fits your needs. Will it be hardware RAID or software RAID? Disk striping or disk mirroring? How should you set it up? There are no hard, fast rules, only recommendations, but the following provide some general guidelines to follow when setting up your RAID volumes:

Using Hardware RAID

■ Use hardware RAID whenever possible because it offers the best performance.

■ Try to use identical hardware for all your servers. This makes it easier to recover if you have a disaster.

www.syngress.com

274_70-290_02.qxd 8/11/03 3:50 PM Page 155

Managing Physical and Logical Disks • Chapter 2 155

Always keep spare disks on hand.When you lose one drive (with most RAID levels), you no longer have any fault tolerance.You need to be able to replace failed hardware as quickly as possible. (This also applies to software RAID.)

Keep RAID controllers updated with the current firmware revision.

Always back up your data before updating the firmware on RAID controllers.

Using Software RAID

■ Use mirrored volumes for the boot and system partitions.

Use RAID-5 volumes for database disks (e.g., Exchange and SQL servers).

Use striped volumes on database servers’ disks that contain transaction logs

(for example, Exchange and SQL servers).

Use striped volumes for disks that are used for printer spooling.

TEST DAY TIP

When Microsoft refers to RAID on the test, always assume they are talking about software-based RAID unless they specifically refer to hardware-based RAID.

Understanding and Using Remote Storage

There are two ways to store files: on disks or on backup media. The benefit of disks is that you can get to the data rather quickly. The drawback is that disks cost more than backup media. On the flip side, although backup media is less expensive than disks, it doesn’t lend itself as well to the purposes of end users because the data is not immediately available to them; they have to request to get their data restored from backup. This slows down the process for both users and administrators. Remote Storage is Microsoft’s solution to this dilemma.

Understanding Remote Storage Concepts

Remote Storage gives you the best of both worlds. It provides fast access to data stored on disks and archival capabilities for data that isn’t frequently used, and best of all, it handles switching between the two. It automates the archival process and makes accessing archived data easy for the end user.

Consider your personal data. How much of it do you use on a daily basis? Could you back up the files you only use occasionally to tape? Most people would say, “I see the benefit in backing up my files to tape to save space on the server. I just do not want to have to go through the restoration process if I need a file. I would prefer to leave everything on disk to eliminate the hassle factor.”


With Remote Storage, that hassle factor is eliminated because the server backs up seldom-used files for you automatically, and then automatically restores them when you attempt to access them.

What is Remote Storage?

Remote Storage provides a means of extending the disk space on your servers without having to buy more hard disks. Instead, you use a tape or a magneto-optical (MO) disk library to archive less-frequently used files. It costs significantly less per megabyte to buy a library full of tapes compared to equivalent storage space on hard disks.

After it is set up, Remote Storage runs on autopilot. You tell Remote Storage which volume(s) to manage and you specify how much free space you want to remain available on your managed volume. When the amount of free space drops below that level, Remote Storage kicks in and moves enough files to the media library to bring the disk back within your predefined parameters. A managed volume refers to a disk volume in Windows whose files are monitored and managed by Remote Storage.

One big advantage of Remote Storage is that all the files on the server look the same to the end user. When a user needs to open a file, he simply double-clicks it. If the file has not yet been moved to tape, it is opened immediately. If the file has been moved to tape, Remote Storage retrieves it from storage and puts a copy on the local disk (this is called a cached copy). Users might notice a delay while this takes place, but they do not have to take any extra steps to retrieve the file. After the file is cached, it will be automatically opened for the user.

EXAM WARNING

Remote Storage is not the same thing as a backup. Backups should still be part of your daily routine. You should regularly back up the server’s local volumes as well as the Removable Storage database and the Remote Storage database.

Storage Levels

Remote Storage has two defined storage levels. The levels exist in a hierarchical structure:

■ Local storage is the top level. It contains the NTFS disks of the computer that is running Remote Storage.

■ Remote storage is the bottom level. This is the library that is connected to the server running Remote Storage.

Remote Storage keeps as much information as possible in the top level for faster access. Only when this level is reaching its storage limit is the data moved to the bottom level.


Understanding Libraries

Libraries hold the data used by Remote Storage. There are two main types of libraries, jukeboxes and stand-alone.

Jukebox libraries hold multiple disks or tapes and automatically switch to the correct one as needed. There are all sizes of jukeboxes ranging from a few disks or tapes to thousands of disks or tapes. The benefit of jukeboxes is that you do not have to manually load the correct media. The jukebox does it for you.

Stand-alone libraries hold one disk or tape at a time. You must manually add the media required by Remote Storage. If your data is spread across three tapes then you must manually load all three tapes one at a time into the library. The benefit of stand-alone libraries is the price. Stand-alones are a lot cheaper than jukeboxes. The drawback is that they require manual interaction when storing data on multiple disks or tapes.

If most of your data will fit on a single disk or tape, then stand-alone libraries are a good choice. If you are using multiple disks or tapes, a jukebox is a better option.

TEST DAY TIP

The terminology for Remote Storage can be confusing. Remote Storage (in uppercase) refers to a feature of Windows Server 2003 that integrates backup library storage with local file storage. Do not confuse this with remote storage (in lowercase), which refers to the bottom storage level for Remote Storage. When reading exam questions, pay attention to the context in which “remote storage” is used.

Relationship of Remote Storage and Removable Storage

Removable Storage is a feature of Windows Server 2003 that enables multiple programs to share the same storage media. It organizes all your available media into separate media pools.

Microsoft defines a media pool as a logical collection of removable media that shares the same management policies. Applications use media pools to control access to specific media within the library. Removable Storage requires that all data-management programs run on the computer connected to the library.

In other words, Removable Storage provides a standard way for applications to access a media library. By having all applications access the library through Removable Storage, Microsoft has provided a level of compatibility between applications, including Remote Storage. Remote Storage uses Removable Storage to access the media stored in the library.


Media Pools

Media pools contain either media or other media pools. Using the capability to nest media pools inside each other enables you to create a hierarchical media pool structure for Removable Storage. You can group media pools together and manage them as a single unit. Media pools can span multiple libraries. There are two main types of media pools: system media pools and application media pools.

System media pools hold media not currently being used by an application. Removable Storage creates one of each of the following system media pools (as shown in Figure 2.92) for each media type in your system:

■ Free media pools These pools hold media not currently in use by applications. This media is readily available for use.

■ Unrecognized media pools Blank media and media not recognized by Removable Storage go into the unrecognized media pool and are unusable until they are moved into a free media pool.

■ Import media pools These pools are recognized by Removable Storage, but they have not been used by Remote Storage before. After they have been catalogued they can be used.

Application media pools contain media created and controlled by applications. For example, Backup and Remote Storage use application media pools for storage. Application media pools dictate which media can be accessed by any given application. An application can use more than one media pool, and more than one application can use a single media pool.

Figure 2.92

Understanding How Media Pools Work Together

(Diagram labels: New Media; Unrecognized Media Pool; Import Media Pool; Free Media Pool; Application Media Pool; Get From Free Pool; Return to Free Pool. New media arrives in the unrecognized or import pool, is moved into the free media pool, is taken from the free pool by an application media pool, and is returned to the free pool when the application is done with it.)

TEST DAY TIP

When selecting answers on the exam, be sure not to confuse Removable Storage with Remote Storage.

NOTE

Microsoft states that “Remote Storage supports all SCSI class 4mm, 8mm, DLT, and magneto-optical devices that are supported by Removable Storage. Using Remote Storage with Exabyte 8200 tape libraries is not recommended. Remote Storage does not support QIC tape libraries or rewritable compact disc and DVD formats.”

Setting Up Remote Storage

Remote Storage is not installed by default. You add it via the Add or Remove Programs applet in Control Panel. Before starting the installation, you must verify that enough tapes or disks have been moved to a free media pool in Removable Storage to hold all the files you wish to move to Remote Storage and that the local disks being managed are running Windows 2000’s or Windows Server 2003’s versions of NTFS (NTFS version 5). If you want compression and indexing on local disks, enable these before starting setup. You must be logged on with administrative rights to install Remote Storage. You cannot install Remote Storage into a clustered environment. Remote Storage will not fail over. Also, Remote Storage will not work with shared cluster disks, but it will work with local disks that are not shared.

Exercise 2.18 walks you through the process of installing Remote Storage and Exercise 2.19 walks you through the steps involved in configuring Remote Storage after it is installed.

NOTE

Remote Storage is not a new feature for Windows Server 2003. Both Windows 2000 Server and Advanced Server included the Remote Storage feature. However, Windows Server 2003 Standard Edition does not support Remote Storage. Thus, if you are planning to upgrade a machine running Windows 2000 Server to Windows Server 2003 and you want to continue running Remote Storage, then you must upgrade it to Enterprise Edition rather than Standard Edition.


EXERCISE 2.18 INSTALLING REMOTE STORAGE

1. Open Control Panel by clicking Start | Control Panel. This will display a screen similar to that shown in Figure 2.93.

2. Double-click Add or Remove Programs. This will display the screen shown in Figure 2.94.

Figure 2.93

Opening Control Panel

Figure 2.94

Using Add or Remove Programs

3. From the Add or Remove Programs window, click Add/Remove Windows Components. You should see a “Please wait…” message, as shown in Figure 2.95.

4. You will next be presented with the Windows Components Wizard, as shown in Figure 2.96.

Figure 2.95

Waiting on Windows Setup

Figure 2.96

Adding Windows Components

5. Scroll down and click the check box next to Remote Storage.

6. Click Next to continue.

7. Windows will now configure the newly installed components, as shown in Figure 2.97.

8. Next you will see the Completing the Windows Components Wizard, as shown in Figure 2.98. Click Finish to close the wizard.


Figure 2.97

Waiting While Windows Configures Components

Figure 2.98

Completing the Components Wizard

EXERCISE 2.19 CONFIGURING REMOTE STORAGE

1. Open the Remote Storage MMC by clicking Start | All Programs | Administrative Tools | Remote Storage.

2. Because this is the first time you have opened the Remote Storage MMC, the Remote Storage Setup Wizard will automatically start, as shown in Figure 2.99. Click Next to continue.

Figure 2.99

Running the Remote Storage Setup Wizard

3. You will next be asked which volumes you want Remote Storage to manage, as shown in Figure 2.100. For this exercise, we select the C drive. Select the disk(s) that you want to manage and click Next to continue.

Figure 2.100

Selecting the Volumes to be Managed

4. Set the criteria for managing free space on the volume with the Volume Settings dialog box shown in Figure 2.101. Click Next to continue.

5. Next you will be asked to choose which media type to use, as shown in Figure 2.102. For this exercise, select Removable media and click Next to continue.

Figure 2.101

Managing Free Space on Your Volumes

Figure 2.102

Selecting a Media Type

6. The last item to configure is the schedule for copying files, as shown in Figure 2.103. To accept the defaults, click Next and skip to step 9. To customize the schedule, click the Change Schedule button. This will display the Schedule window shown in Figure 2.104.

7. Set the schedule to copy files at a time that is least busy in your environment and click OK.

8. You will be returned to the screen shown in Figure 2.103. Click Next to continue.

9. On the Completing the Remote Storage Setup Wizard screen (Figure 2.105), review the settings to make sure they are correct, and then click Finish to complete the configuration of Remote Storage.

Figure 2.103

Verifying the Schedule for Copying Files

Figure 2.104

Customizing the Schedule for Copying Files

Figure 2.105

Completing the Remote Storage Setup Wizard


Using Remote Storage

Now that you have installed Remote Storage, you need to know how to administer it. Like Microsoft’s other administrative tools, Remote Storage is managed through an MMC snap-in. The Remote Storage MMC has two panes: the console pane on the left is used to navigate the various components of Remote Storage and the details pane on the right displays specifics of whichever component is selected in the left console pane.

The Remote Storage MMC (see Figure 2.106) that is accessed from the Administrative Tools menu also contains the snap-ins for Removable Storage and Event Viewer. However, Remote Storage itself has only two containers to manage: the Managed Volumes container and the Media container. We previously discussed storage levels within Remote Storage. We said the top level was for local storage and the bottom level was for remote storage. The Managed Volumes container is the top level of storage and is used for managing local storage. The Media container is the bottom level and is used for managing remote storage.

The Managed Volumes container is used to perform the following tasks:

■ Set the desired free space.

■ Specify file-selection criteria and rules.

■ Change the file-copy schedule.

■ Set the maximum number of drives to access simultaneously.

■ Set the runaway recall limit.

■ Validate files.

■ Discontinue volume management.

■ Modify files on managed volumes.

The Media container is used to perform the following tasks:

■ Create media copies.

■ Synchronize media copies.

■ Recreate the media master.

Setting the Desired Free Space

You can configure how much free space you want available on your managed volume. If the volume falls below your specified threshold, then Remote Storage deletes cached files until the volume is back within acceptable limits. You can also tell Remote Storage to delete all cached files from the volume to create a large amount of available free space.


Figure 2.106

Using the Remote Storage MMC

Specifying File-Selection Criteria and Rules

You tell Remote Storage which files to manage on your volume. You set criteria that must be met in order for a file to be copied to remote storage. After the criteria have been met, the files are copied. Minimum file size and elapsed time since last use are the common criteria used by Remote Storage.

In addition to using criteria to control which files get copied to Remote Storage, you can also create rules. There are two types of rules, inclusion and exclusion. Inclusion rules control which files are copied to Remote Storage and exclusion rules control which files are not copied to Remote Storage. Rules are processed in order and the first rule that matches is applied. Change the order of your rules to set their priority.

Remote Storage has a predefined list of rules available for use. You cannot modify these rules or change their order. You can create your own rules and order them however you see fit. By default, all system, hidden, encrypted, extended attribute, and sparse files are excluded from the file rule list, as these files cannot be copied to remote storage.

Both types of rules are built on the same options:

■ A specified folder, including subfolders

■ A specified folder, excluding subfolders

■ File name extension

■ File name
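The first-match rule processing and the size/age criteria described here, together with the desired-free-space threshold from the Setting the Desired Free Space section above, can be modelled in a few dozen lines. The following is an added Python example, not code from the study guide or from the Windows Remote Storage service. The sample files, rules and thresholds are constructed, and two simplifications are assumptions of this model: a file that matches no rule is treated as included, and copying a file out frees its full size on the volume.

```python
"""Remote Storage file selection on a managed volume, simulated.

Added example; not code from the study guide or from Windows. Files are
checked against an ordered rule list (first match wins: an exclusion rule
blocks the file, an inclusion rule lets it proceed), then against the
size and last-access criteria, and the least recently used eligible files
are copied out until free space is back at the desired level.
Assumptions: an unmatched file counts as included, reclaimed space equals
the file size, and all sample data below is constructed.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Remote Storage never copies files with these attributes to remote storage.
ALWAYS_EXCLUDED = {"system", "hidden", "encrypted", "extended_attribute", "sparse"}


@dataclass
class ManagedFile:
    path: str                      # Windows-style path relative to the volume root
    size_kb: int
    last_access: datetime
    attrs: set[str] = field(default_factory=set)


@dataclass
class Rule:
    include: bool                    # True = inclusion rule, False = exclusion rule
    folder: str | None = None        # e.g. "\\Data\\Logs"
    subfolders: bool = True          # whether a folder rule also covers subfolders
    extension: str | None = None     # e.g. "pst"
    name_pattern: str | None = None  # glob on the file name, e.g. "backup*"

    def matches(self, f: ManagedFile) -> bool:
        folder, _, name = f.path.rpartition("\\")
        if self.folder is not None:
            in_folder = folder == self.folder
            in_subfolder = folder.startswith(self.folder + "\\")
            if not (in_folder or (self.subfolders and in_subfolder)):
                return False
        if self.extension is not None and not name.lower().endswith("." + self.extension.lower()):
            return False
        if self.name_pattern is not None and not fnmatch.fnmatch(name.lower(), self.name_pattern.lower()):
            return False
        return True


def eligible(f: ManagedFile, rules: list[Rule], min_size_kb: int, min_age_days: int, now: datetime) -> bool:
    """Rules first (in order, first match decides), then the size/age criteria."""
    if f.attrs & ALWAYS_EXCLUDED:
        return False
    for rule in rules:
        if rule.matches(f):
            if not rule.include:
                return False
            break  # inclusion rule matched: fall through to the criteria
    old_enough = now - f.last_access >= timedelta(days=min_age_days)
    return f.size_kb >= min_size_kb and old_enough


def select_for_copy(files, rules, min_size_kb, min_age_days, now, free_kb, desired_free_kb):
    """Pick eligible files, least recently used first, until the volume is back at
    the desired free space. Returns (paths chosen, projected free space in KB)."""
    chosen: list[str] = []
    if free_kb >= desired_free_kb:
        return chosen, free_kb
    candidates = sorted((f for f in files if eligible(f, rules, min_size_kb, min_age_days, now)),
                        key=lambda f: f.last_access)
    for f in candidates:
        if free_kb >= desired_free_kb:
            break
        chosen.append(f.path)
        free_kb += f.size_kb
    return chosen, free_kb


# Constructed sample volume, rule list and thresholds (hypothetical values).
NOW = datetime(2003, 8, 11, 15, 50)
SAMPLE_FILES = [
    ManagedFile("\\Data\\Projects\\plan.doc", 2048, NOW - timedelta(days=200)),
    ManagedFile("\\Data\\Projects\\old_build.zip", 51200, NOW - timedelta(days=400)),
    ManagedFile("\\Data\\Projects\\notes.txt", 4, NOW - timedelta(days=300)),      # below minimum size
    ManagedFile("\\Data\\Projects\\current.xls", 8192, NOW - timedelta(days=3)),    # used too recently
    ManagedFile("\\Data\\Logs\\app.log", 20480, NOW - timedelta(days=500)),        # blocked by folder rule
    ManagedFile("\\WINDOWS\\system32\\ntoskrnl.exe", 2000, NOW - timedelta(days=600), {"system"}),
    ManagedFile("\\Data\\archive.pst", 40960, NOW - timedelta(days=90)),           # blocked by extension rule
]
RULES = [
    Rule(include=False, folder="\\Data\\Logs"),  # never copy log files out
    Rule(include=False, extension="pst"),        # mail archives stay local
    Rule(include=True, folder="\\Data"),         # everything else under \Data may go
]
MIN_SIZE_KB, MIN_AGE_DAYS = 12, 180


def demo_selection() -> tuple[list[str], int]:
    """Volume has 30,000 KB free but 60,000 KB is desired (constructed values)."""
    return select_for_copy(SAMPLE_FILES, RULES, MIN_SIZE_KB, MIN_AGE_DAYS, NOW, 30_000, 60_000)


if __name__ == "__main__":
    print(demo_selection())
```

Reversing the rule list in this model lets app.log through, because the inclusion rule for \Data then matches first; that is the priority behaviour the text describes, and the reason rule order matters when you add your own rules.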


Changing the File-Copy Schedule

The file copy schedule tells Remote Storage when to copy files from the managed volume to the library. This is set during the initial setup, but it can be changed after the fact. You should always try to copy files into storage during low periods of activity (preferably during nonbusiness hours). You can manually copy files into storage without waiting until the scheduled time by right-clicking the managed volume and choosing Copy Files to Remote Storage.

Setting the Maximum Number of Drives to Access Simultaneously

If you have a multiple-drive device, then you need to tell Remote Storage how many drives to utilize at once. If you have multiple users trying at once to access files on different media, then you may want to increase the number of drives that can be accessed simultaneously to increase your performance. Conversely, if you have another application that accesses Removable Storage, you may want to decrease the number of drives utilized at once by Remote Storage so that Remote Storage doesn’t occupy all the drives at once and prevent your application from working.

NOTE

Remember, Removable Storage can be used by many different applications. For example, both Backup and Remote Storage can use Removable Storage at the same time. Limiting the number of drives used simultaneously within Remote Storage can help prevent Remote Storage conflicts.

Setting the Runaway Recall Limit

The runaway recall limit defines the number of file recalls a user can make on a file within a single session. It stops Remote Storage from copying the same file from the library to the managed volume over and over. If a user recalls a file within 10 seconds of the original file recall, the runaway recall count is increased by one. After the runaway recall limit is reached, the file is still accessible; it just will be accessed from storage and not cached on the managed volume.
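As an added illustration (not from the study guide or from Windows), the following Python class keeps that counter per session and file. The 10-second window is taken from the text; that the first recall counts as one, that the count never resets within a session, and the sample event sequence are assumptions of this model.

```python
"""Runaway recall limit, simulated (added example; not the study guide's or
Windows' code).

A recall arriving within 10 seconds of the previous recall of the same file
in the same session raises that file's runaway count. Once the count passes
the configured limit the file is still served, but from the library rather
than by caching it on the managed volume. Assumptions: the first recall
counts as 1 and the count never resets within a session.
"""
from __future__ import annotations

from collections import defaultdict

RUNAWAY_WINDOW_SECONDS = 10  # from the text: a recall within 10 s of the last one counts


class RecallTracker:
    def __init__(self, limit: int):
        self.limit = limit
        self.last_seen: dict[tuple[str, str], float] = {}
        self.count: dict[tuple[str, str], int] = defaultdict(int)

    def recall(self, session: str, path: str, t: float) -> str:
        """Record a recall at time t (seconds) and report how the file is delivered."""
        key = (session, path)
        previous = self.last_seen.get(key)
        if previous is None or t - previous > RUNAWAY_WINDOW_SECONDS:
            self.count[key] = max(self.count[key], 1)  # fresh recall; count keeps its high-water mark
        else:
            self.count[key] += 1                       # rapid repeat: runaway count goes up
        self.last_seen[key] = t
        if self.count[key] > self.limit:
            return "served-from-library"  # still accessible, just not cached on the volume
        return "cached-on-volume"


def demo(limit: int = 3) -> list[str]:
    """Constructed sequence: one user hammers report.doc, a second user opens it once."""
    tracker = RecallTracker(limit)
    events = [
        ("alice", "\\Data\\report.doc", 0.0),
        ("alice", "\\Data\\report.doc", 4.0),
        ("alice", "\\Data\\report.doc", 7.0),
        ("alice", "\\Data\\report.doc", 9.5),    # fourth rapid recall: limit of 3 exceeded
        ("alice", "\\Data\\report.doc", 120.0),  # much later, but the session count stands
        ("bob", "\\Data\\report.doc", 121.0),    # a different session starts fresh
    ]
    return [tracker.recall(*event) for event in events]


if __name__ == "__main__":
    print(demo())
```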

Validating Files

Validation is the process of verifying that the data in Remote Storage points to the correct file on the managed volume. Validation can determine if a file has been moved between volumes. You can manually perform file validation by right-clicking the managed volume, selecting All Tasks, and choosing Validate Files. Two hours after a backup program restores a file, Remote Storage automatically forces a file validation.


Discontinuing Volume Management

You can easily tell Remote Storage to stop managing a volume by right-clicking a managed volume and choosing Remove. If you do so, you have to decide if you want to leave the files on the library or if you want to copy them back to the original volume. If you leave the files in Remote Storage, it will recall them as normal. However, no new files created on the volume will be copied to Remote Storage.

Modifying Files on Managed Volumes

There are special considerations to be aware of when deleting files on managed volumes and moving files between managed volumes. If files on a managed volume are deleted, you must restore the files from backup. Do not think that because the file is stored in the library that it can be restored from there. When you delete a file from the managed volume it is also deleted from the library. If you move or copy files between managed volumes, the files are recalled. If you want to move files back and forth without causing a recall, then you must back up and restore the data to the new location and then run a volume validation.

Creating and Synchronizing Media Copies

You can create copies of your media to provide fault tolerance. These copies are called media copy sets and they provide redundancy for your data. If there is a problem with the master media set, the media copy set will be used. In order for Remote Storage to create media copy sets, there must be two or more drives in the library. When using media copy sets, you must make sure that the master set and the copies are in sync. To synchronize the media copies, right-click Media and select Synchronize Copies Now.

Recreating the Media Master

The media master is the tape that holds all the files required for Remote Storage. If the media master were to fail, you could create another one from a media copy set. However, you may lose any data that was created since the last time you synchronized the media copy set with the media master. Recreate the media master only if you get errors when recalling files. Follow the steps below to recreate the media master:

1. Select Media.

2. Right-click the media you would like to recreate.

3. Select Properties.

4. Click the Recovery tab.

5. Click Recreate Master.


EXAM WARNING

If you have more data than will fit on one tape, you must have multiple media masters. A group of media masters is referred to as a master set.

Remote Storage Best Practices

Microsoft provides some guidelines for you to follow when using Remote Storage. You should try to adhere to these best practices whenever possible:

■ Make multiple copies of your remote storage tapes and always keep a copy offsite.

■ Always configure Remote Storage through the GUI before using rss.exe to manage it.

■ Do not create File Replication service (FRS) replicas on a Remote Storage volume.

■ Regularly validate your managed volumes.

■ Stop managing all volumes before you uninstall Remote Storage.

■ Do not manage full volumes.

■ Do not format a managed volume.

■ Schedule your tasks to run during periods of low activity.

■ Do not change the drive letter of a managed volume.

■ Run a system state backup as an administrator to back up the Remote Storage database files.

■ Do not install Remote Storage on shared cluster disks.

Troubleshooting Disks and Volumes

Thus far in this chapter, we have focused on how to enable and configure various disk-related features of Windows Server 2003. However, a large part of any administrator’s job is dealing with problems and knowing what to do when things go wrong. In this section, we address some of the most common disk-related troubleshooting scenarios. The Microsoft exams focus heavily on troubleshooting skills, so you will be expected to know how to troubleshoot disks and volumes when you take the test.


Troubleshooting Basic Disks

Many basic disk-troubleshooting scenarios involve a disk not being recognized by the operating system (and thus not showing up in the Disk Management console) or showing up in a problematic state. Remember the basic rule of troubleshooting any computer or network problem: begin at the physical level. This means you should always check the hardware first to make sure that it is functional.

In the following sections, we will cover these common situations:

■ New disks don’t show up in the volume list view.

■ Disk status is Not Initialized.

■ Disk status is Unknown.

■ Disk status is Unreadable.

■ Disk status is Failed.

New Disks Are Not Showing Up in the Volume List View

New disks that fail to show up in the volume list view are a common concern. This is usually because there are no designators (drive letters) associated with the disk.

NOTE

By design, if you’re using Windows Server 2003 Enterprise or Datacenter edition, drive letters will not be assigned by default when a new disk is installed, and the disk will not be mounted until you do it manually. This is to make it easier to use the disks in a Storage Area Network (SAN) environment.

If the disk is not mounted, you will need to use the diskpart and mountvol commands or use the Disk Management console to mount the volume and assign drive letters. The mountvol command enables you to mount a volume without a drive letter. This is useful if you have run out of drive letters.

You have to manually assign drive letters to each volume or partition on the disk before you can format them and use them for storage. Notice in Figure 2.107 that there are three disks shown online in the graphical view (bottom pane), but they do not have drive letters associated with them. Until they do, they will not show up in the volume list view (top pane).


Figure 2.107

Understanding the Default State of Drives

Disk Status is Not Initialized or Unknown

If your disks are showing up as Unknown and Not Initialized, as shown in Figure 2.108, this is generally because no signature has been written to the disk by which Windows can identify it. You need to write a signature to a new disk when you install it, before you can use it. When Windows writes a signature to the disk, it also creates the master boot record (MBR) or GUID partition table. When you add a new disk and start Disk Management, the system automatically starts a wizard that prompts you to write a signature to the new disk. If you cancel the wizard, however, the disk will not have a signature and will be left in an uninitialized state.

To initialize a disk after the wizard has been cancelled, follow these steps:

1. Right-click the disk that needs to be initialized in the bottom graphical pane of the Disk Management console, and then select Initialize Disk from the context menu.

2. You will be prompted to select one or more disks to initialize. Ensure that the check box(es) of the appropriate disk(s) is checked and click OK.

3. The disk status in the graphical view will change from Unknown to Basic.

After the disk is initialized, you can create partitions.
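What “writing a signature” physically leaves on the disk can be seen by parsing sector 0. The following is an added Python example, not code from the study guide or from Windows: it reads the 4-byte disk signature at offset 0x1B8 of the MBR, the partition table at 0x1BE and the 0x55AA boot marker, and flags a GPT disk by the 0xEE protective entry. The sectors it parses are constructed by make_sample_mbr(); a sector of zeros, as on a brand-new disk, is what Disk Management reports as Not Initialized.

```python
"""Read the disk signature out of a Master Boot Record.

Added example, not code from the study guide or from Windows. Sector 0 of an
MBR disk carries a 4-byte disk signature at 0x1B8, four 16-byte partition
entries from 0x1BE, and the 0x55AA marker at 0x1FE. A GPT disk keeps a
protective MBR whose single entry has type 0xEE. The sectors parsed here
are constructed by make_sample_mbr().
"""
import struct

SECTOR_SIZE = 512
SIGNATURE_OFFSET = 0x1B8
PARTITION_TABLE_OFFSET = 0x1BE
BOOT_MARKER_OFFSET = 0x1FE
GPT_PROTECTIVE_TYPE = 0xEE


def parse_mbr(sector: bytes) -> dict:
    """Return the signature and partition entries, or why the disk looks uninitialized."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[BOOT_MARKER_OFFSET:] != b"\x55\xAA":
        return {"initialized": False, "reason": "no 0x55AA boot marker"}
    signature = struct.unpack_from("<I", sector, SIGNATURE_OFFSET)[0]
    if signature == 0:
        return {"initialized": False, "reason": "disk signature is zero"}
    partitions = []
    for i in range(4):
        entry = sector[PARTITION_TABLE_OFFSET + 16 * i: PARTITION_TABLE_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:
            continue  # empty slot
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        partitions.append({"index": i, "type": ptype, "bootable": entry[0] == 0x80,
                           "lba_start": lba_start, "sectors": sector_count})
    scheme = "GPT (protective MBR)" if any(p["type"] == GPT_PROTECTIVE_TYPE for p in partitions) else "MBR"
    return {"initialized": True, "signature": f"{signature:08X}", "scheme": scheme, "partitions": partitions}


def make_sample_mbr(signature: int, partitions: list) -> bytes:
    """Build a constructed sector 0: zeroed boot code, the given signature, and
    partition entries given as (type, bootable, lba_start, sector_count)."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, SIGNATURE_OFFSET, signature)
    for i, (ptype, bootable, lba_start, count) in enumerate(partitions):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        sector[offset] = 0x80 if bootable else 0x00
        sector[offset + 4] = ptype
        struct.pack_into("<II", sector, offset + 8, lba_start, count)
    sector[BOOT_MARKER_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    print(parse_mbr(bytes(SECTOR_SIZE)))  # blank disk: no marker, no signature
    print(parse_mbr(make_sample_mbr(0x1A2B3C4D, [(0x07, True, 63, 20_000_000)])))  # one NTFS volume
    print(parse_mbr(make_sample_mbr(0x01020304, [(0xEE, False, 1, 0xFFFFFFFF)])))  # GPT protective MBR
```

Because dynamic disks, mirrors and the Foreign status discussed later all hinge on configuration data that is written to the disk rather than kept by Windows alone, reading sector 0 from a disk image (for example with the same parser applied to the first 512 bytes of a raw dump) is a quick way to tell a blank disk from one that merely lost its drive letter.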


Figure 2.108

Troubleshooting Disks That Do Not Have a Signature

Disk Status is Unreadable

An unreadable disk indicates that you may have a hardware failure or corruption of the disk’s copy of the disk configuration database. Unfortunately, there is generally no way to fix failed hardware other than to replace it. Sometimes you will get the “unreadable” message if the disks are still spinning up while you are viewing the Disk Management console. If this is the case, rescanning the computer for disks usually solves the problem. To rescan, click Action | Rescan Disks. If rescanning doesn’t solve the problem, try rebooting the machine.

Disk Status is Failed

A failed disk indicates that the file system is corrupt, the disk is damaged, or for some other reason the volume could not start. Remember another rule of troubleshooting: always try the easy solutions first. Make sure that the disk has power and is plugged into the server. If your hardware is faulty, you will have to replace it and restore your data from backup. One of the most common causes of disk problems is a loose or bad IDE or SCSI cable. Try tightening or swapping out cables if you suspect this is the problem.

If the hardware is not faulty, we move on to troubleshooting the software. One possibility is that the file system is corrupt. If you can still access the volume, run chkdsk.exe (pronounced “check disk”) against it. chkdsk.exe may not be able to recover any lost data, but it can usually bring the file system back to a consistent state. chkdsk.exe uses the following syntax:

CHKDSK [volume[[path]filename]]] [/F] [/V] [/R] [/X] [/I] [/C] [/L[:size]]

Table 2.7 explains chkdsk.exe parameters.

Table 2.7

Understanding Chkdsk.exe Parameters

Parameter   Description

volume      Specifies the drive letter (followed by a colon), mount point, or volume name.

filename    Specifies the files to check for fragmentation. Used on FAT and FAT32 volumes only.

/F          Fixes errors on the disk.

/V          Displays the full path and name of every file on the disk. Used on FAT and FAT32 volumes only.

/R          Locates bad sectors and recovers readable information (implies /F).

/L:size     Changes the log file size to the specified number of kilobytes. If size is not specified, displays the current size. Used on NTFS volumes only.

/X          Forces the volume to dismount first if necessary. All opened handles to the volume would then be invalid (implies /F).

/I          Performs a less vigorous check of index entries. Used on NTFS volumes only.

/C          Skips checking of cycles within the folder structure. Used on NTFS volumes only.

Troubleshooting Dynamic Volumes

Dynamic disks can have the same problems as basic disks (discussed above). When troubleshooting dynamic disks, you should always run through the scenarios given for basic disks as well. In addition to these problems that are common to both disk types, dynamic disks can have additional problems that do not apply to basic disks. In the following sections, we will discuss troubleshooting scenarios that are unique to dynamic disks:

■ Disk status is Foreign.

■ Disk status is Online (Errors).

■ Disk status is Offline or Missing.

■ Disk status is Data Incomplete.

■ Disk status is Stale Data.

■ Disk status is Failed or Failed Redundancy.

Disk Status is Foreign

A disk status of Foreign, as shown in Figure 2.109, occurs when you move a dynamic disk from one machine to another. This happens because Windows stores all dynamic disk configurations in a private database in the last 1MB of disk space. This database is associated with the machine in which the disk is installed and is replicated to all the dynamic disks installed in that machine. If you connect the disk to a different machine, the second machine will detect that the disk’s database does not match its own database, and the disk will be marked as foreign.

To make the new computer recognize the dynamic disk, you must import it. To do so, right-click the foreign disk and select Import Foreign Disks from the context menu.

This will make the volume visible and incorporate it into the new machine’s dynamic disks database.

NOTE

If all the dynamic disks in a system fail, the configuration database will be lost. In this case, a disk that was initialized on the system might still be marked as foreign.

Figure 2.109 Importing a Foreign Disk

Disk Status is Online (Errors)

A disk status of Online (Errors) indicates that the disk is working, but is having problems. I/O errors are being detected somewhere on the disk. If this problem persists, you should replace the hardware. If the problem is temporary, you might be able to reactivate your volume to bring it back online. To do so, right-click the volume and choose Reactivate Disk from the context menu. If the reactivation works, the disk will be marked as Online.

You can also use the diskpart command with the online parameter to reactivate a disk (remember to first select the disk so that it is the focus).


Disk Status is Offline

A disk status of Offline, where the disk name field indicates Missing (as shown in Figure 2.110), usually means that the disk is no longer physically connected to the server. Check to make sure that the disk is powered on and correctly connected to the server. After fixing a physical connectivity problem, right-click the volume and choose Reactivate Disk. This will bring the disk back online and make it usable by Windows again.

If this does not fix the problem, it is possible that your disk is corrupt beyond repair. If so, you must remove it from the server. Right-click the volume(s) contained on the disk and choose Remove Volume from the context menu. After all volumes have been removed, right-click the disk and choose Remove Disk. At this point, all data is lost and the disk has been removed from your system. Do not do this unless you are sure that the disk is irreparably damaged.

NOTE

If the disk you need to remove is part of a mirrored volume, remove the mirror instead of the entire volume. This will preserve the data on the other member of the mirror.

Figure 2.110 Troubleshooting Missing Disks

If the disk status shows Offline, but the disk name still shows as Disk 0, Disk 1, etc. (instead of “Missing”), you should be able to simply right-click and select Reactivate to bring the disk back online. Volumes should be returned to Healthy status after the disk comes back online.


Disk Status is Data Incomplete

As discussed earlier, when you move dynamic volumes between servers they are marked as foreign. You must import them in order for Windows to use them. If you have a volume that spans multiple disks (e.g., a spanned volume, striped volume, or RAID 5 volume) and you only import some of the disks, you will see the error message Data Incomplete as shown in Figure 2.111. If this happens, cancel the import process until you can move all the disks in the volume at the same time. When all the disks have been physically installed in the new machine, import them together and Windows will recognize them as being part of the same volume.

Figure 2.111 Importing Part of a Spanned Volume

NOTE

If you don’t need to use the multi-disk volume in the new computer and you only want to move one or some of the disks, you can import the disk and then delete the volume and create a new volume.

Troubleshooting Fragmentation Problems

Disk fragmentation is inevitable if you ever delete files, install programs, or otherwise use the computer for normal tasks. To optimize disk performance, you should defragment your disks as often as needed. This section covers some of the common problems that you might encounter related to disk fragmentation and the defragmentation process, including the following:

Computer is operating slowly.

The Analysis and Defragmentation reports do not match the display.

Volumes contain unmovable files.


Computer is Operating Slowly

This is a common complaint from computer users. Programs seem to drag and everything goes very slowly. This is often a sign of a highly fragmented disk and commonly occurs when applications are installed or removed or many new files are created. The solution is simple: use defrag.exe or Disk Defragmenter to defragment your disks.

The Analysis and Defragmentation Reports Do Not Match the Display

The graphical display is designed to provide a quick look at the level of fragmentation of the volumes on your hard disk. The graphical representation is too small in scale to give a 100 percent accurate representation. The reports created by the defragmentation tools are much more detailed and are very accurate. When there are discrepancies between the display and reports, the information in the reports should be considered more reliable.

Volumes Contain Unmovable Files

This is normal. Certain files cannot be moved during the defragmentation process. The pagefile is one of these files. Every volume containing a pagefile will appear as having files that cannot be moved. Also, on NTFS-formatted volumes, the NTFS Change journal and the NTFS log file cannot be moved.

Troubleshooting Disk Quotas

Disk quotas are a great feature. However, they can lead to trouble if they are improperly configured or not managed properly. This section covers some of the more common issues that appear when using disk quotas, including the following:

The Quota tab is not there.

Deleting a Quota entry gives you another window.

A user gets an “Insufficient Disk Space” message when adding files to a volume.

The Quota Tab is Not There

Disk quotas are set via the Quota tab on the properties of a volume. If the tab does not appear (Figure 2.112), then one of three things is the cause: either you do not have administrative rights on the machine, the volume is formatted as FAT or FAT32 and not as NTFS, or the volume is not shared from the volume’s root directory.


Figure 2.112 Missing the Quota Tab


Deleting a Quota Entry Gives You Another Window

Whenever you try to delete a quota entry for a user that still retains ownership of files, you are presented with the Disk Quota window shown in Figure 2.113. This is because you cannot delete a quota entry if the user still owns files. This keeps you from having files on your server that are not being managed by disk quotas because the owner is no longer around. You have three choices:

Permanently delete all the files.

Take ownership of the files.

Move the files to another volume.

After doing so, you will be able to delete the quota entry for your user.

Figure 2.113 Cleaning Up Disk Quotas


A User Gets an “Insufficient Disk Space” Message When Adding Files to a Volume

The insufficient disk space message (see Figure 2.114) is to be expected for any of your users that are over their quota limit. Usually this is a good thing because it means that disk quotas are working. The only way around it is to increase your users’ quota limit or to stop denying users who exceed their disk space. If this is happening unexpectedly, verify that your users’ limits are set correctly. A common error is to forget to change the quota measurement from KB to MB. You may think that your users have 150MB of available space when they only have 150KB of space.

Figure 2.114 Exceeding Your Quota Limit
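As an added example (not from the book), this batch file sets a per-user quota with fsutil.exe, which takes its warning threshold and limit in bytes, so the 150KB-versus-150MB mistake described above cannot creep in; the volume D: and the account CORP\jsmith are placeholders.

```batch
@echo off
rem Added example, not from the book: set and verify an NTFS disk quota with fsutil.exe.
rem Assumes D: is an NTFS volume with quotas enabled and CORP\jsmith exists (placeholders).
set VOL=D:
set QUSER=CORP\jsmith

rem fsutil works in bytes, so the unit is explicit: 150 MB = 150 * 1024 * 1024 = 157286400.
rem (set /a is 32-bit arithmetic, so divide before multiplying when deriving the warning level.)
set /a LIMIT=150*1024*1024
set /a WARN=LIMIT/100*90
echo Limit %LIMIT% bytes, warning threshold %WARN% bytes.

rem fsutil quota modify <volume> <threshold> <limit> <username>
fsutil quota modify %VOL% %WARN% %LIMIT% %QUSER%
if errorlevel 1 (echo Could not set the quota; check the volume, quota state and user name. & exit /b 1)

rem Verify the entry. A limit of 153600 here would mean 150 KB, not 150 MB.
fsutil quota query %VOL% | findstr /C:"SID Name" /C:"Quota Threshold" /C:"Quota Limit"

rem List users already over their limit, i.e. the ones who will see "insufficient disk space".
fsutil quota violations
```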

Troubleshooting Remote Storage

Remember when you are troubleshooting Remote Storage that you are writing data to backup media. This is going to be slower than writing to disks. This is not to say that your performance should be terrible. Just be realistic with your expectations. Here are some common Remote Storage troubleshooting issues:

Remote Storage will not install.

Remote Storage is not finding a valid media type.

Files can no longer be recalled from Remote Storage.

Remote Storage Will Not Install

Remote Storage is not installed by default. You must add it through Control Panel | Add or Remove Programs. You must have administrative rights on the machine on which you are installing Remote Storage. Without administrative rights, setup will not continue.

Remote Storage Is Not Finding a Valid Media Type

During initial setup, Remote Storage searches for an available media type. If Remote Storage is not finding one on your machine, you either have not waited long enough for Remote Storage to finish searching or you do not have a compatible library.


NOTE

Per Microsoft, “Remote Storage supports all SCSI class 4mm, 8mm, DLT, and magneto-optical devices that are supported by Removable Storage. Using Remote Storage with Exabyte 8200 tape libraries is not recommended. Remote Storage does not support QIC tape libraries or rewritable compact disc and DVD formats.”

Files Can No Longer Be Recalled from Remote Storage

Remote Storage has a runaway recall limit to deny recalling files from storage more than a specified number of times in a row. It is possible that you have an application that is making too many recalls. Once this threshold is crossed, future recalls are denied. If the recalls are legitimate, you can increase the threshold for the runaway recall limit. If they are not valid, then you need to terminate the application making the request.

Troubleshooting RAID

When troubleshooting RAID volumes, you must first troubleshoot the disk itself, so always start with the basic disk and dynamic disk checklist. However, there are times when the problem is with the RAID volume itself and not the underlying disk. This section covers the following:

Mirrored or RAID-5 volume’s status is Data Not Redundant.

Mirrored or RAID-5 volume’s status is Failed Redundancy.

Mirrored or RAID-5 volume’s status is Stale Data.

Mirrored or RAID-5 Volume’s Status is Data Not Redundant

A Data Not Redundant status indicates that your volume is not intact. This is due to moving disks from one machine to another without moving all the disks in the volume. Wait to import your disk until you have all the disks in the volume physically connected to the server. Then when you import them, Windows will see them as a complete volume and retain their configuration.

Mirrored or RAID-5 Volume’s Status is Failed Redundancy

Failed Redundancy, as shown in Figures 2.115 and 2.116, occurs when one of the disks in a fault-tolerant volume fails. Your volume will continue to work, but it is no longer fault tolerant. If another disk fails, you will lose all your data on that volume. You should repair the failed disk as quickly as possible.


Your mirrored volume will need to be recreated after replacing the disk. Right-click the defective disk and select Remove Mirror. Then right-click the working disk and select Add Mirror, selecting the new disk as the mirror. To repair the RAID-5 volume, put in the disk and right-click the volume and choose Repair RAID-5 Volume.

Figure 2.115 Recovering a Failed Mirrored Volume

Figure 2.116 Recovering a Failed RAID-5 Volume


Mirrored or RAID-5 Volume’s Status is Stale Data

Stale data occurs when a volume’s fault-tolerant information is not completely up to date. This happens in a mirrored volume if something has been written to the primary disk, but for whatever reason it hasn’t made it to the mirror disk yet. This occurs in a RAID-5 volume when the parity information isn’t up to date.

If you try to move a volume while it contains stale information, you will get a status of Stale Data when you try to import the disk. Move the disk back to the machine it was originally in and rescan the machine for the new disk. After all the disks are discovered, wait until they say Online and Healthy before you try to move them again.


Summary of Exam Objectives

Disk management is vital to maintaining a stable server environment. Disk management encompasses different areas.

First you must determine the type of disk structure you are going to use. Windows Server 2003 supports basic and dynamic disks. Basic disks are backwards compatible with older operating systems, but they do not offer as much flexibility as dynamic disks. Dynamic disks provide better reliability due to the way they are structured and due to their support of fault-tolerant volumes.

Your partitioning method is going to depend on your disk structure. Basic disks use primary and extended partitions. Dynamic disks use simple, spanned, striped, and RAID-5 volumes. Primary partitions are the only option for booting to basic disks. Simple volumes and mirrored volumes are the only options for booting to dynamic disks. All other partition and volume types are used for storage disks only. Use Disk Management or diskpart.exe to manage your disk, partitions, and volumes.

Creating partitions and volumes is half the battle. Using your disks efficiently is the other half. You must take precautions to avoid disk fragmentation. Fragmented disks do not perform at their peak. Use Disk Defragmenter or defrag.exe on a regular basis to keep your drives defragmented and performing well. You need to also keep a close eye on disk space utilization. Running out of disk space will bring your server to a screeching halt. Use Disk Quotas on NTFS volumes to limit disk space usage or to at least track disk space usage.

Sometimes you just do not have enough disk space. Use Remote Storage to archive your least frequently used files to backup tape or disk media. When files are needed from backup, Remote Storage copies them to hard disk, making them available for your users. Other than a small delay when accessing archived files, Remote Storage provides a transparent archival solution.

By using the disk features of Windows Server 2003 and the built-in disk management tools, you can ensure that your servers’ disks are being used to the best of their ability.

Exam Objectives Fast Track

Disk Terminology and Concepts

Basic disks are the default disk type in Windows Server 2003.

Basic disks consist of primary partitions, extended partitions, and logical drives.

Primary partitions are required for booting Windows. Logical drives cannot be used for booting.

Dynamic disks are the preferred disk type in Windows Server 2003.

Dynamic disks consist of volumes such as simple, spanned, striped, mirrored, and RAID-5.


Simple volumes are the default volume type on dynamic disks. All partitions become simple volumes when upgraded to dynamic.

Only mirrored and RAID-5 volumes provide fault tolerance.

Using Disk Management Tools

The Disk Management Microsoft Management Console (MMC) provides a graphical way to manage your disks, partitions, logical drives, and volumes.

diskpart.exe manages disks, partitions, logical drives, and volumes from the command prompt.

fsutil.exe manages FAT and NTFS file systems from the command prompt.

rss.exe manages Remote Storage from the command prompt.

Understanding and Managing Physical and Logical Disks

Use basic disks whenever you are dual booting Windows Server 2003 with another operating system.

You must have at least 1MB of unallocated space to upgrade a disk from basic to dynamic.

You do not lose data when you convert from basic to dynamic, but you do lose all data when you convert back to basic from dynamic.

Use the disk management MMC to create partitions, logical drives, and volumes.

Mirrored volumes work with two disks and provide fault tolerance by writing duplicate copies of the data to both disks.

Mirrored volumes provide 50 percent disk utilization.

Spanned volumes work with two to 32 disks. They enable you to group different-sized disks into a single volume. They do not provide fault tolerance.

Striped volumes offer the best performance of all volume types, but they do not provide fault tolerance. They work with two to 32 disks.

RAID-5 volumes offer the improved performance of striping with fault tolerance. They do not perform as well as striped volumes, but they do outperform mirrored volumes. RAID-5 volumes work with three to 32 disks.

Optimizing Disk Performance

Disk fragmentation slows disk performance.

We can defragment our disk by using the Disk Defragmenter or defrag.exe.


Disk Defragmenter and defrag.exe cannot be used at the same time.

Disk quotas enable us to limit how much space a user can use on a volume.

Disk quotas work only with volumes formatted with the NTFS file system.

Disk quotas are based on the uncompressed size of a file.

Disk quotas are tracked based on file ownership.

Understanding and Using Remote Storage

Remote Storage is not installed by default.

You must be an administrator to install Remote Storage.

Local disks to be managed by Remote Storage must be formatted with NTFS version 5.

You can use rss.exe to manage Remote Storage after it is installed and configured.

Troubleshooting Disks and Volumes

Always check the hardware first. If it is faulty, replace it before you continue troubleshooting.

Most basic disk problems are due to faulty hardware or a corrupt disk.

Dynamic disks can suffer from the same problems as basic disks, but they also have volume problems.

Whenever importing a foreign disk into a machine, make sure that you have all the disks that form a single volume. Without all the disks, you are going to have errors and possibly lose data.

When a disk fails in a fault-tolerant volume, you need to replace it as quickly as possible and repair the volume to restore fault tolerance.

Page files and NTFS journal and log files are unmovable during the defragmentation process.

The reports are more accurate than the graphical view for determining disk utilization before and after a defragmentation.

You cannot delete a quota limit for a user that still retains ownership of files. You must first take ownership of the files, delete the files, or move the files to another volume.


Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: Why do I have to reboot my machine when I upgrade my system drive to dynamic?

A: Any time you try to upgrade a disk that has files that are currently in use, you will have to reboot. During the upgrade process the file system must be dismounted. This cannot occur if files are in use.

Q: Why isn’t dynamic disk supported on my portable USB hard disk?

A: Dynamic disks contain a hidden database that holds (among other things) the disk partitioning information. This database is tied to whatever machine created the dynamic disk. If your portable hard disk were configured as dynamic, it would only work with Windows 2000 and Windows Server 2003 machines. Also, you would have to recreate the hidden database every time you moved it between machines.

Q: Why don’t laptops support dynamic disks?

A: One of the main reasons for switching to dynamic disks is to be able to have volumes that span disks. Since laptops only have one disk, dynamic disks are not needed.

Q: Why do I have to wait 15 seconds between running diskpart.exe scripts?

A: You must give diskpart.exe a chance to finalize the changes currently in process before you instruct it to make more changes. Otherwise, changes may start to conflict with each other and your scripts will fail.

Q: Why would I want to use diskpart.exe when I can click my way through the disk management MMC?

A: The disk management MMC is definitely more intuitive for day-to-day disk management. However, it will not let you script activities. This is the true power of diskpart.exe. You can write scripts to automate disk management. For example, you may want to create a D: drive on all freshly built servers. You could make building a server completely automated by using an unattended file for the installation and a diskpart.exe script for creating the D: drive.
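As an added example (not from the book), this batch file automates the D: drive build just described and includes the 15-second pause between diskpart.exe operations from the earlier question; that disk 1 is the blank second disk is an assumption, so confirm it with "list disk" first.

```batch
@echo off
rem Added example, not from the book: create and format a D: data drive unattended.
rem Assumes disk 1 is the new, empty second disk (placeholder; confirm with "list disk").

rem Write the diskpart script; each line is one diskpart command, and "select disk"
rem sets the focus that every later command operates on.
(
echo select disk 1
echo create partition primary
echo assign letter=D
) > "%TEMP%\makeD.txt"

diskpart /s "%TEMP%\makeD.txt"
if errorlevel 1 (echo diskpart failed; nothing was formatted. & exit /b 1)

rem Give diskpart time to commit its changes before touching the disk again. Windows
rem Server 2003 has no built-in sleep, so ping with 16 probes waits about 15 seconds.
ping -n 16 127.0.0.1 > nul

rem Format the new volume; "echo Y|" answers the confirmation prompt so the build stays unattended.
echo Y| format D: /FS:NTFS /Q /V:Data
if errorlevel 1 (echo format failed. & exit /b 1)
echo D: is ready.
```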


Q: How can I have my server search for new disks without rebooting?

A: From within the disk management MMC, right-click Disk Management and choose Rescan Disks.

Q: How can I switch from one volume type to another without losing data?

A: You can switch from a simple volume to a spanned volume. When you extend a simple volume to span multiple disks, it automatically becomes a spanned volume. You can also switch from a mirrored volume to a simple volume by breaking the mirror. To switch any other volumes, you would have to delete the volume and restore the data from backup.

Q: Is there a limit to the number of volumes that I can create on a single disk?

A: Windows Server 2003 supports up to 2,000 volumes per disk, but Microsoft recommends limiting yourself to 32 volumes per disk.

Q: How would you access 2,000 volumes? Aren’t you limited to 24 drive letters?

A: Yes. You are limited to 24 drive letters as A: and B: are reserved for the floppy drives. However, you can get around this limit by mounting a volume to an NTFS folder. For example, you could have a “data” folder on your C: drive that actually pointed to another volume. It would appear as if you were writing information to the C: drive, but it would actually be written to the mounted volume.

Q: Why can’t I use defrag.exe and Disk Defragmenter at the same time?

A: They are both trying to do the same thing. Think of how defragmentation works. The defragmenter shuffles files around on disk to make them in contiguous clusters. Imagine how unorganized this would be if two programs tried to do it at the same time.

Q: Why don’t I see a disk Quota tab when I go to the Properties of my volume?

A: Either you don’t have administrative rights or your volume is not formatted with NTFS.

Q: How often should I defragment my servers?

A: This depends on your environment. You should do a weekly analysis to see if your volumes need to be defragmented. If you determine that weekly is too often, then drop your analysis back to monthly. Defragment only when the tools suggest that you do so.


Q: I just installed Remote Storage. Why can’t I use rss.exe?

A: Rss.exe is used to manage Remote Storage. It cannot be used to set it up. If you just installed Remote Storage, then you must go into the Remote Storage MMC and set it up before rss.exe will work.

Q: Why do I get an error message when I try to install Remote Storage from Add or Remove Programs?

A: You are not logged on as an administrator. If you do not have administrative rights on the local machine, you cannot install Remote Storage.

Q: Remote Storage setup never finds my backup media. What could be the problem?

A: Make sure you are giving setup enough time to finish searching for media and verify that you are using compatible media. Remote Storage supports all SCSI class 4mm, 8mm, DLT, and magneto-optical devices that are supported by Removable Storage, but it does not support QIC tape libraries, rewritable compact disc, or DVD formats.

Q: Why don’t basic disks show up as foreign when you move them between machines like dynamic disks?

A: Dynamic disks store their configuration in a hidden database. This database is associated with the machine that created the dynamic disk. When you move it, the machines can see the disk is from somewhere else and they mark the disk as foreign. Basic disks store their configuration in the MBR and boot sector of the disk. This is tied to the disk and not to the machine. Machines see basic disks as new disks, but they cannot tell if they are from another machine so they do not mark them as foreign.

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Understanding Disk Terminology and Concepts

1. Your domain controller currently has one 36GB dynamic disk. You want to add another disk and configure both disks into a mirror to provide fault tolerance for your domain controller. You shut down your server and add the disk. After starting Windows, you go into the disk management MMC and verify that the disk is there. It shows up as unallocated space. You right-click on the C: drive, but Add Mirror is grayed out. You cannot select it. What could be the cause of your problem?


A. You need to format the drive with the FAT32 file system first.

B. You need to format the drive with the NTFS file system first.

C. You need to upgrade the new disk to dynamic.

D. You need to revert the C drive back to basic.

2. Your server currently has one drive that is used for the boot and system partition. You want to add a RAID-5 volume to use for storing user data. You shut down the server and add two new drives. After starting the machine back up, you go into the disk management MMC and convert both disks to dynamic. You then right-click on one of the drives and select new volume. However, the RAID-5 option is greyed out. What can you do to enable the creation of a RAID-5 volume?

A. Format both disks as NTFS.

B. Format one disk as NTFS.

C. Add another disk to the server.

D. Revert both disks back to basic.

Using Disk Management Tools

3. You add two new SCSI drives to your test server. You decide that you want to use diskpart.exe to create a new volume on each drive. Every time you type a command you get a message back saying that no disk is selected. What is the cause of your problem?

A. You need to set diskpart.exe to focus on a disk.

B. You need to go into the disk management MMC and enable the ability to use diskpart.exe.

C. You are having hardware problems with your new disks.

D. Diskpart.exe does not work with SCSI disks.

4. You have three servers that you manage offsite. You use a remote console command prompt to manage them. This enables you to open a command prompt on your local machine and have the commands sent to the remote servers. You want to manage disk quotas on the server using remote consoles. Which tool should you use?

A. diskpart.exe

B. rss.exe

C. fsutil.exe

D. quota.exe


Understanding and Managing Physical and Logical Disks

5. Users have been complaining that printing is slow. Your print server is currently using basic disk. All spooling takes place on a primary partition. You want to create a dynamic volume to see if it increases your performance. Which of the following volume types should you create?

A. Simple

B. Spanned

C. Striped

D. Mirrored

E. RAID-5

6. You have an old server that is no longer in production. You want to make it into an MP3 server to hold all your music. It has four drives in it. Two of the drives are 20GB in size and the other two are 5GB in size. You want to structure the disks to give the maximum storage space possible so you can store all your MP3s on one share. You are not concerned with data loss because you still have all the CDs. Which of the following volume types should you create?

A. Simple

B. Spanned

C. Striped

D. Mirrored

E. RAID-5

7. You just bought a new server to use as a streaming media server. You want to configure it to get the best performance possible. The server has two identical 50GB drives. Which of the following volume types should you create?

A. Simple

B. Spanned

C. Striped

D. Mirrored

E. RAID-5


Optimizing Disk Performance

8. You use Disk Defragmenter to run an analysis at lunch to determine if you need to defragment your servers. The report states that your disk is extremely fragmented and suggests that you run a defragmentation. You don’t want to do it during the day due to performance reasons. You come in after hours to run your defragmentation, but you get the error message shown in Figure 2.117 every time you open Disk Defragmenter. What could be the cause of your problem?

Figure 2.117 Running Disk Defragmenter

A. You are not logged in with administrative rights.

B. You installed this version of Disk Defragmenter on another machine and now you need another license.

C. You have defrag.exe running in the background.

D. Your server has two disks in it. Disk Defragmenter only supports machines with one disk.

9. One of your coworkers complains that he cannot set quota limits on the file server. You check and find out that he is not in the local administrators group. You add him to the group and tell him to log off the server and back on again. When he logs on, the Quota tab is still missing. What could be the cause of the problem?

A. The volume is formatted as FAT32.

B. The volume is formatted as NTFS.

C. He is not a member of the quota admins group.

D. He is over his quota limit.

10. You have a machine with two disks. Both disks are formatted as FAT32. When you defragment both disks, they report having unmovable files. You would like to be able to completely defragment the second disk. What should you do?

A. Convert the second disk to NTFS.

B. Remove the page file from the second disk.

C. Use Disk Defragmenter to defragment the second disk instead of defrag.exe.

D. Use defrag.exe to defragment the second disk instead of Disk Defragmenter.


Understanding and Using Remote Storage

11. You have a server running Remote Storage on Windows 2000 Server. You need to upgrade the server to Windows Server 2003. You want it to continue to run Remote Storage after the upgrade. Which version of Windows Server 2003 should you upgrade to?

A. Web Edition

B. Standard Edition

C. Enterprise Edition

D. Datacenter Edition

12. You have a Windows Server 2003 machine running Remote Storage. You go into the Remote Storage MMC and try to add another local disk to be managed, but Remote Storage cannot find the disk. What could be the cause of the problem?

A. The disk is a SCSI disk.

B. The disk is an IDE disk.

C. The disk is formatted with FAT32.

D. The disk is attached to a Storage Area Network.

Troubleshooting Disks and Volumes

13. Your company has recently merged with another company named Novig. As part of the merger you are responsible for migrating all of Novig’s e-mail to your Exchange servers. You do not want to migrate the mail across the WAN link, because it would be very slow. You send someone to pick up Novig’s Exchange server and bring it to you so you can do the migration locally. However, when you turn on the server it has problems starting Exchange. You look in Disk Management (Figure 2.118) and see that some disks are labeled as missing. How can you fix this problem?


Figure 2.118

Troubleshooting Missing Disk

A. Format the drive as NTFS.

B. Verify that the disks are connected correctly.

C. Import the disks.

D. Assign the disks drive letters.

14. You come in to work Monday morning to find that your file server crashed over the weekend and no one can access his or her files. All user data is stored on a single disk. To get things up and running quickly you have a spare machine that you are going to rename to match the name of the crashed file server. You put the data disk from the crashed file server into the new file server, but the disk does not appear in My Computer. When you look in Disk Management (Figure 2.119), you see the disk is labeled as foreign. How do you overcome this?

Figure 2.119

Troubleshooting Foreign Disk


A. Format the drive as NTFS.

B. Verify that the disk is connected correctly.

C. Import the disk.

D. Assign the disk a drive letter.

15. You add four new disks to your server to use for storage. However, when you go into My Computer, the disks do not appear. You guess that the OS just isn’t seeing the disks, so you reboot your server. Still they do not appear in My Computer. You open Disk Management and the disks are there as shown in Figure 2.120. Which of the following must you do to get these disks to show up in My Computer? (Choose all that apply.)

Figure 2.120

Installing New Disks

A. Format the drive as NTFS.

B. Verify that the disks are connected correctly.

C. Import the disks.

D. Assign the disks a drive letter.


Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. C

2. C

3. A

4. C

5. C

6. B

7. C

8. C

9. A

10. B

11. C

12. C

13. B

14. C

15. A, D


Chapter 3

MCSA/MCSE 70-290

Configuring, Monitoring, and Troubleshooting Server Hardware

Exam Objectives in this Chapter:

1.4 Install and configure server hardware devices.

1.4.1 Configure driver signing options.

1.4.3 Configure device properties and settings.

1.4.2 Configure resource settings for a device.

1.2 Monitor server hardware. Tools might include Device Manager, the Hardware Troubleshooting Wizard, and appropriate Control Panel items.

4.7.3 Monitor server hardware for bottlenecks.

Summary of Exam Objectives

Exam Objectives Fast Track

Exam Objectives Frequently Asked Questions

Self Test

Self Test Quick Answer Key



Introduction

Your server hardware is the foundation on which Windows Server 2003 runs. Thus, the hardware configuration and its compatibility and interaction with the operating system play an important role in how well your Windows network operates. Even though Plug-and-Play makes working with hardware easier, it is important for the network administrator to understand how the hardware components are installed and configured, and how to manually assign resource settings (such as IRQs) and modify device properties and settings when necessary.

Device drivers are the software programs that act as liaison between the hardware and the operating system. Driver signing is a mechanism for ensuring that the driver files have been tested and have not been modified since they were tested, to prevent problems that can be caused by bad drivers. In this chapter, you will learn about driver signing and how to configure driver-signing options.

Inevitably, problems with hardware crop up from time to time. When those problems occur on a mission-critical server, it is essential that you be able to recognize and fix them as quickly as possible. Monitoring for problems helps you to “head them off at the pass.” We will show you how to use Device Manager, the Hardware Troubleshooting Wizard, Control Panel applets, and included command-line utilities to monitor your server hardware, and we will provide some basic troubleshooting guidelines with specifics on how to diagnose and resolve issues related to hardware settings, drivers, and driver updates.

Understanding Server Hardware Vulnerabilities

Server hardware is a collection of devices. The operating system is the primary consumer of the services provided by the devices that you attach to your server environment running Windows Server 2003. Microsoft has developed a standardized framework for device vendors to develop the software necessary to leverage these devices. With the large number of possible combinations of devices, it is important to ensure not only that the correct drivers are installed, but also that they are configured correctly. Understanding how drivers interact with the operating system will go a long way toward helping you understand and troubleshoot issues resulting from driver errors, failure, or misconfiguration. In this first section we cover the core principles that you should know and understand when it comes to installing, configuring, monitoring, and troubleshooting server hardware.

Understanding How Windows Server 2003 Interacts with the Hardware

The Windows Server 2003 operating system is built on a robust and mature foundation. From a high level, not much has changed in the past few releases of Windows NT/2000/XP/Server 2003. From an infrastructure perspective, knowing how components of the operating system interact with each other and with the hardware will go a long way to helping you diagnose and resolve issues that may arise.


The operating system architecture is split into two regions known as user mode and kernel mode (see Figure 3.1). The two modes function as follows:

User mode is the mode in which most of the applications that you are familiar with (e.g., Microsoft Office) run. Running in user mode prevents applications from performing privileged operations that could cause overall system instability. When these applications need to interact with the hardware, for example to draw items on the screen, they do so through drivers in kernel mode.

Processes that run in kernel mode operate without the protection mechanisms associated with user mode. This gives these processes direct access to the underlying hardware through the hardware abstraction layer (HAL). The device drivers you install to enable Windows Server 2003 to use the devices you attach operate at this level. These drivers include, but are not limited to, video drivers, storage drivers, and network interface card drivers. Because a fault in a kernel-mode driver is not contained the way a fault in a user-mode application is, a bad driver can bring down the whole system.

The whole concept of having these separate layers helps ensure system stability and enables users to mix and match hardware and devices while still enabling applications to work across the myriad of configurations.

Figure 3.1

High-Level Architecture of Windows Server 2003 (diagram: the user-mode layer holds Applications, the Win32 API, and User-Mode Drivers; the kernel-mode layer holds Kernel-Mode Drivers and the Hardware Abstraction Layer, with the Hardware beneath it)

The Hardware Abstraction Layer (HAL)

The Hardware Abstraction Layer (HAL) provides a generic interface for kernel-mode drivers and processes to interact with the underlying hardware. This is a modular component that can be interchanged depending on your hardware configuration. When you deploy Windows Server 2003, it is important to ensure that you use the proper hardware abstraction layer. There are several types of HALs that ship with Windows Server 2003:


Standard PC

MPS Uniprocessor PC

MPS Multiprocessor PC

Advanced Configuration and Power Interface (ACPI) PC

ACPI Uniprocessor PC

ACPI Multiprocessor PC

Windows Server 2003 detects the appropriate HAL automatically during the setup process. It does this through a combination of detecting the number of processors and the presence of certain features offered by the system (e.g., Advanced Configuration and Power Interface) using information obtained from the BIOS, as well as referencing a list of known “bad BIOS” in the TXTSETUP.SIF file on the Windows CD.

After you deploy a machine with Windows Server 2003, it is likely that you will need to change the HAL only if you go from a single-processor machine to a multi-processor machine. If you do need to change the hardware abstraction layer, you can do so through Device Manager by performing the following steps:

1. Expand the Computer section in Device Manager.

2. Right-click the existing computer model and choose Update Driver.

3. On the Welcome to the Hardware Update Wizard page, choose Install from a list or specific location, and then click Next.

4. On the Please choose your search and installation options page, click Don’t search. I will choose the driver to install, and then click Next.

5. On the Select a Device Driver page, click the appropriate computer type from the Models list.

6. Click Next twice, and then click Finish.

Device Drivers

With the HAL providing a generic interface or communications mechanism to the core system components, device-specific functionality is provided via device drivers. While some device drivers are supplied with Windows (e.g., most IDE disk controllers), manufacturers often provide more specific device drivers that are optimized with the specific model of the device in mind and offer access to model-specific functionality.


Sound Drivers Disabled by Default

In the spirit of stabilizing the platform and removing unnecessary components, you will notice that sound drivers are not enabled by default in Windows Server 2003.

This is a first step towards a division between client- and server-oriented operating systems. In future releases, expect other client-focused functionality to be disabled by default to allow for the server platforms to focus on what they are meant for: being a server.

If necessary, you can re-enable audio devices by performing the following steps:

1. Expand the Sound, video and game controllers section in Device Manager.

2. Verify that your sound device is listed in the section. If your device is listed and appears to be working, continue to the next step. Otherwise, do the following:

If you see a generic placeholder device name, install an updated driver from the device vendor or from Windows Update.

If no related devices are listed, use the Add New Hardware Wizard to install the device driver (described in the “Using the New Hardware Wizard” section).

3. From the Services console, locate the Windows Audio service.

4. Right-click the service entry and select Properties.

5. Change the Startup type to Automatic and click the Start button. Click OK to close the Properties dialog box.

If you are using Windows Server 2003 as a Terminal Services machine, you are still able to redirect sound. For more information, refer to Microsoft Support Knowledge Base article 818465, HOW TO: Use Group Policy to Permit Users to Redirect and Play Audio in a Remote Desktop Session to Terminal Services in Windows Server 2003, at http://support.microsoft.com/?id=818465.

Plug and Play

When you install a device into a system via an expansion slot or peripheral interface (e.g., serial, parallel, USB, or 1394 FireWire port), Windows Server 2003 might detect the device automatically and try to install the appropriate device driver. These devices are known as Plug-and-Play (PNP) devices. The PNP specifications were developed by Intel Corporation to ensure that the device installation experience is automatic where possible or, if not, at least intelligent enough to ensure the appropriate driver is installed.

When a device is installed in the computer, Windows Server 2003 retrieves its PNP identification number from the hardware device via the device firmware or the system BIOS.


With this identification number, it searches all the .INF files in the device driver search path, as defined in the registry by the DevicePath value of the HKLM\Software\Microsoft\Windows\CurrentVersion key. After collecting all the matches, it then ranks the matches and assigns a value from the following categories:

0x0000 – 0x0FFF: Exact match. One of the device’s hardware identification numbers matches a hardware identification number listed in one of the .INF files.

0x1000 – 0x1FFF: Compatible match. One of the device’s hardware identification numbers matches a compatible hardware identification number listed in one of the .INF files.

0x2000 – 0x2FFF: Compatible match. One of the device’s compatible hardware identification numbers matches a hardware identification number listed in one of the .INF files.

0x3000 – 0x3FFF: Compatible match. One of the device’s compatible hardware identification numbers matches a compatible hardware identification number listed in one of the .INF files.

0x8000 – 0x8FFF: The hardware identification match is made with an unsigned driver.

0x9000 – 0x9FFF: The compatible hardware identification match is made with an unsigned driver.

0xFFFF: All other non-matches.

As you can see, preferential treatment is given to signed drivers: the lowest rank wins, so even a loose compatible match from a signed driver outranks an exact match from an unsigned one (for more information on signed drivers, see the “Configuring Driver Signing Options” section later in this chapter). If no full or partial match is found, the hardware is identified as an unknown device. You may see it listed in Device Manager with a generic name.
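The ranking scheme above as an added example (not code from the book or from Windows): a small Python model that assigns each candidate .INF its rank band from the device’s hardware and compatible IDs and its signing status, then selects the lowest-ranked candidate. The device IDs, INF names, and signing flags are constructed sample data, and the placement of unsigned matches into the 0x8000/0x9000 bands follows the table as read here.

```python
"""Model of the Plug and Play driver-ranking bands described in the text.

Added example, not Microsoft's implementation: exact and compatible matches
get the 0x0000-0x3000 bands, unsigned matches are pushed to 0x8000/0x9000,
and anything else is 0xFFFF. Lower rank wins. All sample IDs are constructed.
"""
from dataclasses import dataclass

NO_MATCH = 0xFFFF


@dataclass(frozen=True)
class Device:
    hardware_ids: tuple      # specific IDs reported by the device firmware
    compatible_ids: tuple    # more generic IDs the device also accepts


@dataclass(frozen=True)
class InfCandidate:
    name: str
    hardware_ids: tuple      # IDs the INF lists as exact hardware matches
    compatible_ids: tuple    # IDs the INF lists as compatible matches
    signed: bool             # valid WHQL/Authenticode signature present


def rank_candidate(device: Device, inf: InfCandidate) -> int:
    """Return the rank band for one INF; lower is better, 0xFFFF means no match."""
    dev_hw, dev_compat = set(device.hardware_ids), set(device.compatible_ids)
    inf_hw, inf_compat = set(inf.hardware_ids), set(inf.compatible_ids)

    if dev_hw & inf_hw:              # device HWID == INF HWID
        base = 0x0000
    elif dev_hw & inf_compat:        # device HWID == INF compatible ID
        base = 0x1000
    elif dev_compat & inf_hw:        # device compatible ID == INF HWID
        base = 0x2000
    elif dev_compat & inf_compat:    # device compatible ID == INF compatible ID
        base = 0x3000
    else:
        return NO_MATCH

    if not inf.signed:
        # Assumed mapping from the text: an unsigned hardware-ID match lands in
        # 0x8000, any unsigned compatible match in 0x9000, so every signed
        # match outranks every unsigned one.
        return 0x8000 if base == 0x0000 else 0x9000
    return base


def select_driver(device: Device, candidates):
    """Rank all candidates; return (inf_name, rank) of the best, or None."""
    ranked = sorted(
        ((rank_candidate(device, inf), inf.name) for inf in candidates),
        key=lambda pair: pair[0],
    )
    if not ranked or ranked[0][0] == NO_MATCH:
        return None
    best_rank, best_name = ranked[0]
    return best_name, best_rank


# Constructed sample: a NIC reporting one specific HWID and two generic
# compatible IDs, plus three INF files that might claim it.
SAMPLE_DEVICE = Device(
    hardware_ids=("PCI\\VEN_1234&DEV_5678&SUBSYS_0001",),
    compatible_ids=("PCI\\VEN_1234&DEV_5678", "PCI\\CC_0200"),
)
SAMPLE_CANDIDATES = [
    InfCandidate("vendor_unsigned.inf", ("PCI\\VEN_1234&DEV_5678&SUBSYS_0001",), (), signed=False),
    InfCandidate("inbox_generic.inf", (), ("PCI\\VEN_1234&DEV_5678",), signed=True),
    InfCandidate("unrelated.inf", ("PCI\\VEN_9999&DEV_0001",), (), signed=True),
]

if __name__ == "__main__":
    for inf in SAMPLE_CANDIDATES:
        print(f"{inf.name:22} rank 0x{rank_candidate(SAMPLE_DEVICE, inf):04X}")
    # The signed in-box driver wins despite only a compatible-ID match.
    print("selected:", select_driver(SAMPLE_DEVICE, SAMPLE_CANDIDATES))
```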

NOTE

With each new generation of the Windows operating system, the PNP capabilities and setup processes are streamlined. With the release of Windows Server 2003, there are no device driver installation sections during the graphical setup process.

During text-mode setup, you have the option to add mass storage device drivers to the detection process. For more information, refer to the Microsoft Support Knowledge Base article 220845, Adding Third-Party or Updated Driver during Windows Setup, at http://support.microsoft.com/?id=220845.


If the device driver is a match, it will automatically install upon detection of the device if both of the following conditions are met:

The driver is digitally signed (see the “Driver Signing Options” section later in the chapter for more information).

The driver is already pre-installed on the server.

If the device driver installation process requires user interaction or is not digitally signed, the user who is logged on when the device is plugged in will require the following rights (otherwise it will be deferred until someone with the appropriate rights can perform the operation):

“Load and unload device drivers” privilege (the local Administrators group has this privilege by default).

Permissions to copy files to the SYSTEM32\DRIVERS directory.

Permissions to write settings to the registry.

EXAM 70-290 OBJECTIVE 1.4

Installing and Configuring Server Hardware Devices

As noted previously, when you install a device that complies with the PNP specifications, Windows automatically attempts to install and configure the device driver for that device. For non-PNP devices, you need to manually install the device. As part of the installation process, Windows automatically allocates the appropriate resources required for the device. This section outlines some of the ways you can control the installation process, including digitally signed driver options, manual driver installations, and configuring options associated with the drivers.

EXAM 70-290 OBJECTIVE 1.4.1

Configuring Driver Signing Options

Device drivers play a critical role in the operation of your system, but they are also among the major components that run in the kernel, where they are not protected from affecting system stability the way user-mode applications are. With the large number of devices available on the market, it is impossible to test every single combination of hardware devices and their device driver revisions.

Microsoft has put in place a program to advance the stability of systems and provide a better overall user experience through the Windows Hardware Compatibility Test (HCT) process. Hardware and software vendors work with a third-party testing firm contracted by Microsoft to ensure that rigorous functional test processes are followed. The resulting device drivers that pass the tests are signed with the Windows Hardware Quality Labs digital signature. These drivers are known as WHQL digitally signed drivers (or WHQL-signed drivers).


New to Windows Server 2003 is the concept of vendor-supplied Authenticode digital signatures for drivers. During the device driver installation process, there is a check for both a WHQL and a vendor-supplied Authenticode digital signature.

As the administrator, you can control how Windows Server 2003 responds to the presence of WHQL and vendor-supplied Authenticode digital signatures. This is done via the Driver Signing Options dialog box, which is available from the Hardware tab of the System Properties dialog box in Control Panel, as shown in Figure 3.2.

Figure 3.2

System Properties Control Panel – Hardware Tab

The Driver Signing Options dialog box, shown in Figure 3.3, gives you the capability to set three different levels of compliance:

Ignore

Warn

Block

Figure 3.3

Driver Signing Options Dialog Box


By default, the option is set to Warn. In most environments it should never be set to Ignore, because that can allow unstable device drivers to enter the environment without anyone being alerted.

Depending on the validity or presence of the digital signatures and how the Driver Signing Options are configured, the installation process might respond in different ways. These can include the following:

If the WHQL digital signature is valid, the installation process installs the driver without issue.

If the WHQL digital signature is not valid, the installation process completes as per the option selected in the Driver Signing Options dialog box.

If there is no WHQL digital signature and there is no valid vendor-supplied Authenticode digital signature, the installation process is completed as per the option selected in the Driver Signing Options dialog box.

If there is no WHQL digital signature but there is a valid vendor-supplied Authenticode digital signature, the installation process checks whether the certificate behind the vendor-supplied Authenticode digital signature exists in the Trusted Publishers Certificate Store. If it does not and the Driver Signing Options dialog box is set to Warn, it informs the user who published the driver, that the driver is signed with a valid Authenticode digital signature, and that it has not been certified by the Windows Hardware Quality Labs. The dialog box then gives the user the option of canceling the installation. The rest of the options (Ignore and Block) operate as expected.

If there is no WHQL digital signature but there is a valid vendor-supplied Authenticode digital signature and its certificate is listed in the Trusted Publishers Certificate Store, the driver installs silently as if it had a WHQL digital signature.

The trusted publisher certificate store contains all the trusted publisher certificates for that particular machine. You can install vendor-supplied Authenticode certificates to the store using one of the following methods:

Drivers installed through the interactive user interface with a vendor-supplied Authenticode digital signature will have the certificate added to the trusted publisher certificates store automatically.

Vendor-supplied Authenticode certificates can be deployed to machines on the network, leveraging Active Directory’s Group Policy functionality.

Vendor-supplied Authenticode certificates can be included during the unattended installation process by adding an entry in the Unattended section called TrustedPublisherCertificates. This entry specifies the path to locate the appropriate certificate store on the hard drive.

[Unattended]

TrustedPublisherCertificates = mycerts


This tells Windows Server 2003 to look in the mycerts directory on the root of the system drive for Trusted Publisher Certificates.
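The decision procedure above, as an added Python example that is neither Microsoft’s implementation nor the book’s: it encodes the cases listed (valid or invalid WHQL signature, Authenticode-only signature with the publisher in or not in the Trusted Publishers store, no valid signature) against the Ignore/Warn/Block setting and returns what the installer does. Package names and the publisher name are constructed.

```python
"""Decision table for Driver Signing Options, as described in the text.

Added example, not Microsoft's code. A valid WHQL signature always installs;
an Authenticode signature from a publisher already in the Trusted Publishers
store installs as if WHQL-signed; every other case is decided by the
Ignore/Warn/Block setting. Sample packages and publisher are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class Policy(Enum):
    IGNORE = "Ignore"
    WARN = "Warn"
    BLOCK = "Block"


class Action(Enum):
    INSTALL = "install silently"
    PROMPT = "warn the user (publisher shown) and allow cancel"
    BLOCK = "refuse to install"


@dataclass(frozen=True)
class DriverPackage:
    name: str
    whql_signature: Optional[str]          # None: no WHQL signature at all
    whql_valid: bool                       # True: WHQL signature verifies
    authenticode_publisher: Optional[str]  # None: no vendor Authenticode signature
    authenticode_valid: bool               # True: vendor signature verifies


def _apply_policy(policy: Policy) -> Action:
    """Map the Driver Signing Options setting to the installer's behaviour."""
    if policy is Policy.IGNORE:
        return Action.INSTALL   # the setting the text says should never be used
    if policy is Policy.WARN:
        return Action.PROMPT
    return Action.BLOCK


def install_decision(pkg: DriverPackage, policy: Policy,
                     trusted_publishers: Set[str]) -> Action:
    """Return the installer's response for one package under one policy."""
    # Case 1: valid WHQL signature -> installs regardless of the setting.
    if pkg.whql_signature is not None and pkg.whql_valid:
        return Action.INSTALL
    # Case 2: WHQL signature present but invalid -> the setting decides.
    if pkg.whql_signature is not None:
        return _apply_policy(policy)
    # Case 3: no WHQL and no valid Authenticode signature -> the setting decides.
    if pkg.authenticode_publisher is None or not pkg.authenticode_valid:
        return _apply_policy(policy)
    # Case 4: valid Authenticode only. A trusted publisher installs silently;
    # an unknown publisher is treated per the setting (Warn names the publisher).
    if pkg.authenticode_publisher in trusted_publishers:
        return Action.INSTALL
    return _apply_policy(policy)


# Constructed sample packages and trusted-publisher store contents.
WHQL_OK = DriverPackage("nic_whql.sys", "whql-sig", True, None, False)
WHQL_BAD = DriverPackage("nic_tampered.sys", "whql-sig", False, None, False)
VENDOR_ONLY = DriverPackage("raid_vendor.sys", None, False, "Example Storage Inc", True)
UNSIGNED = DriverPackage("legacy.sys", None, False, None, False)
TRUSTED = {"Example Storage Inc"}

if __name__ == "__main__":
    for pkg in (WHQL_OK, WHQL_BAD, VENDOR_ONLY, UNSIGNED):
        for pol in Policy:
            result = install_decision(pkg, pol, TRUSTED)
            print(f"{pkg.name:18} {pol.value:6} -> {result.value}")
```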

NOTE

If you are not sure about whether or not a product has been properly certified before purchasing it, check out Microsoft’s Hardware Compatibility List online at www.microsoft.com/whdc/hcl.

After you have installed a device driver, you can check who signed it through Device Manager in the device Properties dialog box’s Driver tab (see the “Using Device Manager to Configure and Manage Devices” section later in this chapter).

Ensuring Your Device Drivers Are Digitally Signed

Ongoing changes to the server environment bring the risk of critical system files being replaced. One of the advantages of using digitally signed device drivers is that there are several tools to help ensure that they remain intact on a continuous and on-demand basis.

These tools include the following:

Windows File Protection

System File Checker

File Signature Verification tool

Windows File Protection (WFP)

Windows File Protection (WFP) helps protect critical system files from being replaced or corrupted by other processes. Protecting these files helps the system remain reliable and available.

WFP works by monitoring for change notifications from protected directories (e.g., %SystemRoot%\SYSTEM32). Because this process runs within the core operating system, it cannot be circumvented. If a protected file is changed, the following will happen:

1. WFP checks the digital signature of the changed file against the version stored in the cache (by default, %SystemRoot%\SYSTEM32\DLLCACHE) or in the digitally signed component’s information file (also known as the catalog file).

2. If the file is different, it attempts to locate the correct version of the file in the following places:

The cache folder (by default, %SystemRoot%\SYSTEM32\DLLCACHE)

The original installation path (if different from the Windows Server 2003 installation media)

The Windows Server 2003 installation media


If WFP cannot locate it in the above locations and the person who is logged on has the appropriate rights, it prompts for the Windows CD or original installation media. Otherwise, it prompts the next time someone with the appropriate rights logs on.

3. After it locates the file, it silently replaces the file.

4. WFP creates an entry in the System event log noting the file that was replaced and the version it was replaced with.
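The four WFP steps above as an added Python simulation (not Microsoft’s code): a SHA-256 catalog stands in for the signed catalog file, temporary directories stand in for %SystemRoot%\SYSTEM32, the DLLCACHE folder and the installation media, and the System event log entry is returned as a record. File names and contents are constructed; the second run shows the failure mode where no known-good copy is available.

```python
"""Simulation of the Windows File Protection change-notification sequence.

Added example, not Microsoft's code. The signature check is replaced by a
SHA-256 catalog, the search order (cache folder, then installation source)
follows the text, and the event-log entry is a returned dict. All files and
contents are constructed inside a temporary directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Digest used here in place of the catalog's digital-signature check."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def handle_change_notification(changed: Path, catalog: Dict[str, str],
                               sources: List[Path]) -> dict:
    """Run the WFP steps for one file under a protected directory.

    catalog maps file name -> expected digest (stand-in for the catalog file);
    sources are searched in the order the text gives (cache, then install source).
    Returns an event-log-style record of what happened.
    """
    expected = catalog.get(changed.name)
    if expected is None:
        return {"file": changed.name, "action": "not protected", "source": None}

    # Step 1: compare the changed file against the catalog entry.
    if changed.exists() and sha256_of(changed) == expected:
        return {"file": changed.name, "action": "unchanged", "source": None}

    # Step 2: locate a copy that matches the catalog, in priority order.
    for src_dir in sources:
        candidate = src_dir / changed.name
        if candidate.exists() and sha256_of(candidate) == expected:
            # Step 3: silently replace the file with the known-good copy.
            shutil.copyfile(candidate, changed)
            # Step 4: record the replacement (returned here instead of logged).
            return {"file": changed.name, "action": "replaced", "source": str(src_dir)}

    # No good copy anywhere: WFP would prompt an administrator for the media.
    return {"file": changed.name, "action": "prompt for installation media", "source": None}


def demo(root: Path, good_copy_available: bool) -> dict:
    """Create the folders under root, tamper with a protected file, run WFP on it."""
    protected, cache, media = root / "system32", root / "dllcache", root / "media"
    for folder in (protected, cache, media):
        folder.mkdir(parents=True, exist_ok=True)
    good = b"MZ constructed calc.exe contents"
    catalog = {"calc.exe": hashlib.sha256(good).hexdigest()}
    (protected / "calc.exe").write_bytes(good)
    if good_copy_available:
        (cache / "calc.exe").write_bytes(good)   # verified copy in the cache folder

    # Simulate the replacement that triggers the change notification.
    (protected / "calc.exe").write_bytes(b"MZ tampered contents")
    event = handle_change_notification(protected / "calc.exe", catalog, [cache, media])
    event["restored_ok"] = sha256_of(protected / "calc.exe") == catalog["calc.exe"]
    return event


def run_demo(good_copy_available: bool = True) -> dict:
    """Run demo() in a throwaway directory and return the event record."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(Path(tmp), good_copy_available)


if __name__ == "__main__":
    print(run_demo(True))    # replaced from the cache folder
    print(run_demo(False))   # no good copy: prompt for installation media
```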

When you do need to update a protected system file, the following processes are the only supported mechanisms:

Windows Service Pack installations using Update.exe

Hotfixes installed using Hotfix.exe or Update.exe

Operating system upgrades

Windows Update

WHQL digitally signed driver installations.

WFP caches verified versions of these files in the cache folder. By default, this folder is located in %SystemRoot%\SYSTEM32\DLLCACHE; however, it can be modified by adding the SFCDllCacheDir registry value as a REG_EXPAND_SZ type in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key. This cache continues to grow until it reaches any defined quota. By default, this quota is not set to a specific value (0xFFFFFFFF). You can define a quota by modifying the SFCQuota registry value in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

NOTE

Windows File Protection (WFP) will stop populating the cache folder when disk space is less than 600MB plus the maximum size of the page file on the system volume.

EXERCISE 3.01 VERIFYING THAT WINDOWS FILE PROTECTION IS RUNNING

1. Open the SYSTEM32 folder using Windows Explorer.

2. Find calc.exe in the list, right-click the entry, and then select Delete.


3. Wait a few moments and Windows File Protection will replace the file. After the file has been replaced, you will notice a new entry in your System event log similar to the one shown in Figure 3.4.

Figure 3.4

Windows File Protection Event Log Entry

System File Checker

With Windows File Protection running on an ongoing basis, you might still want to check the critical system files on an on-demand basis. The System File Checker (sfc.exe) is a command-line tool that can be used for initiating on-demand and boot-time scans, as well as managing the contents of the Windows File Protection cache folder. To run System File Checker, you must be logged on with a user account that is a member of the Administrators group.

The System File Checker (sfc.exe) has several command-line options:

/Scannow Initiates an immediate scan of the protected files.

/Scanonce Schedules a one-time scan of the protected files the next time the computer is restarted. This option is equivalent to setting the SfcScan registry value to 2 in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

/Scanboot Configures the system to scan the protected files every time the computer is restarted. This option is equivalent to setting the SfcScan registry value to 1 in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.


/Revert Resets the system to not scan the protected files during boot time. This is equivalent to the /Enable command-line option under Windows 2000. This option is equivalent to setting the SfcScan registry value to 0 in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

/Purgecache Purges the contents of the cache folder and initiates a scan immediately.

/Cachesize=x Sets the maximum size of the cache folder in megabytes (MB). For this command to take effect, you need to restart the computer and run the /PurgeCache command to adjust the size of the cache folder. This option is equivalent to setting the SfcQuota registry value in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

File Signature Verification Tool

Sigverif.exe is a wizard-driven tool that scans the system for the presence of unsigned drivers and critical system files. It also creates a report that lists all the files scanned along with relevant version and digital signature information. The report is stored in your Windows directory and is called sigverif.txt.

If you want to run the process without user interaction, use the /DEFSCAN command-line option: sigverif.exe /defscan.

EXERCISE 3.02 SCANNING FOR UNSIGNED DRIVERS

1. From the Start menu, select Run.

2. In the Run dialog box, type sigverif.exe and click OK.

3. In the File Signature Verification dialog box, click Advanced.

4. In the Advanced File Signature Verification Settings dialog box, select the Look for other files that are not digitally signed option.

5. In the Look in this folder text box, type the full path to SYSTEM32\DRIVERS (e.g., C:\WINDOWS\SYSTEM32\DRIVERS).

6. Select the logging option and ensure that the Save the file signature verification results to a log file check box is checked, and then click OK.

7. In the File Signature Verification dialog box, click Start.

8. After the scanning process is complete, it displays a list of unsigned drivers. A report is also created called sigverif.txt and stored by default in the Windows directory.


9. When you are done, click Close to close the report and then click Close to exit the tool.

Using the New Hardware Wizard

The New Hardware Wizard is used to install device drivers for non-PNP devices. You can also use the wizard to install drivers for any PNP device for which you did not have the suitable device driver at the time it was connected to the system. The latter scenario is actually handled by the Hardware Update Wizard, which is invoked from within the New Hardware Wizard.

You need the following rights to use the New Hardware Wizard (by default, members of the local Administrators group hold these privileges):

“Load and unload device drivers” privilege

Permissions to copy files to the SYSTEM32\DRIVERS directory

Permissions to write settings to the registry

You can access the New Hardware Wizard via the Control Panel’s Add Hardware option, and from the Hardware tab of the System applet in Control Panel.

EXERCISE 3.03 INSTALLING A NON-PNP DRIVER

1. From the Start menu, select Control Panel.

2. Select the Add Hardware option from the list.

3. On the Welcome to the Add New Hardware Wizard page, click Next.

4. When asked Is the hardware connected?, select Yes, I already have connected the hardware and click Next.

5. From the Installed hardware list, select Add a new hardware device and click Next.

6. On the next page, select Install the hardware that I manually select from a list (Advanced) and click Next.

7. Under the Common hardware types list, select Network Adapters and click Next.


8. From the list of network adapters, choose Microsoft Loopback Adapter. Notice that it is digitally signed, as indicated by the icon to the left of it. Click Next twice, and then click Finish.

EXAM 70-290 OBJECTIVE 1.4.3

Using Device Manager to Configure and Manage Devices

After you have installed the device driver for your hardware, you might need to perform additional configurations, or make changes to the current configuration during maintenance or troubleshooting. Device Manager provides a graphical mechanism for managing devices, drivers, settings, and troubleshooting issues with devices. You can access Device Manager through one of three methods. The first is via the System control panel:

1. From the Start menu, select Control Panel, and then select System from the list. Or, from the Start menu or on the Desktop, right-click My Computer and select Properties from the context menu.

2. Select the System option from the list.

3. In the System Properties dialog box, select the Hardware tab.

4. On the Hardware tab, click Device Manager.

The second method is via the Computer Management console:

1. From the Start menu or the desktop icon, right-click My Computer and select Manage.

2. Select Device Manager from the left-hand pane of the Computer Management console.

The third method is via the command prompt or Run option on the Start menu. To do this, you simply go to the command prompt or Run option on the Start menu, type devmgmt.msc, and press Enter.

After you open the Device Manager, you can view devices in four different ways. As shown in Figure 3.5, Device Manager defaults to the Devices by type view, which categorizes devices by the generic type (e.g., Display adapters, Network adapters, etc.).

In the Devices by connection view, shown in Figure 3.6, a hierarchy is built based on how the device is connected to the computer (e.g., your network adapter might be plugged into the PCI bus, which is connected to the computer system).

In the Resources by type view, shown in Figure 3.7, the four main types of resources—direct memory access (DMA) channels, input/output ports (I/O ports), interrupt request (IRQ), and memory addresses—are shown along with which device is using which resource.


Figure 3.5 Device Manager, Devices by Type

Figure 3.6 Device Manager, Devices by Connection

Figure 3.7 Device Manager, Resources By Type


The Resources by connection view, shown in Figure 3.8, is similar to the Resources by type view, but instead of displaying the resource user directly under the type, it builds a hierarchy similar to the Devices by connection view. Devices that are using subsets of resources of other devices are shown as part of a hierarchy (e.g., an IDE disk controller uses a subset of the I/O ports used by the PCI bus).

Figure 3.8 Device Manager, Resources by Type

Some devices are not shown in Device Manager by default. These include some non-PNP devices, “phantom devices” (ones that have been removed but the drivers are still waiting for them—USB devices often fall under this class), and system devices. To view these devices, choose Show hidden devices from the View menu.

Before looking at how to manage device properties, there are two more items to note.

From Device Manager, you can initiate a scan for new PNP devices by choosing the Scan for Hardware Changes option from the Action menu. You can also print a list of devices on the system along with summary information by choosing the Print option from the Action menu.

To view the properties of a device, right-click the entry in Device Manager and choose the Properties option from the context menu.

General Device Properties

When you first open the Properties dialog box for a device, you are placed into the General tab, as shown in Figure 3.9. In this area you can get basic information about device properties and the current status, the option to enable/disable the device, and the option to troubleshoot any device issues (we will cover this particular function later in this chapter).


Figure 3.9 Device Properties, General Tab

EXERCISE 3.04 Disabling the Microsoft Loopback Adapter

1. Open Device Manager using one of the methods described earlier in the chapter.

2. Locate the Microsoft Loopback Adapter in the list and right-click it.

3. Select Properties.

4. In the Microsoft Loopback Adapter Properties dialog box, choose Do not use this device (disable) from the Device usage list.

5. Click OK. (Alternatively, you can select Disable. When asked Do you really want to disable it?, click Yes.)

Advanced Device Properties

Some devices have advanced properties that can be set to help tune their functionality for your particular usage or to assist in troubleshooting the device. These properties vary from device driver to device driver. If the device has no advanced properties exposed, there will be no Advanced tab in the device Properties dialog box, as shown in Figure 3.10.

Before changing the settings in the Advanced tab, refer to the device documentation to ensure that it will not cause any malfunction or instability within your system.


Figure 3.10 Device Properties, Advanced Tab

Managing the Device Driver

The Driver tab of the device Properties dialog box, shown in Figure 3.11, manages the specific version of the driver that is being used to control the device. On this tab you will find information about who wrote the driver and when, the version, and whether or not it is digitally signed.

Figure 3.11 Device Properties, Driver Tab

By clicking the Driver Details button, you can see a list of files associated with the driver currently installed as shown in Figure 3.12.


Figure 3.12 Device Properties – Driver Tab – Driver Details

If you have a new version of the driver, you can update it by clicking the Update Driver button and following the Hardware Update Wizard. If there are problems associated with the driver you just updated, you can roll back to the previous version by clicking the Roll Back Driver button. Finally, if you need to uninstall the driver, you can do so with the Uninstall button.

NOTE

When updating drivers with WHQL-signed versions, in rare cases, you might experience other drivers being affected because the setup process overwrites files with the same name. It does not compare versions, file dates, or other driver details. If you have such a conflict, it is recommended that you contact the device vendor(s) to let them know. There is no simple way to rename the file and guarantee that it will still function. The device vendor(s) will need to provide a package without the conflicting filenames. For more information on this issue, refer to the Microsoft Support Knowledge Base article 815364, Signed Driver Install Overwrites Newer Versions of Shared Driver Files, at http://support.microsoft.com/?id=815364.

EXAM 70-290 OBJECTIVE 1.4.2

Configuring Resource Settings

Devices either exclusively or cooperatively share resources such as DMA, interrupt request (IRQ), input/output (I/O) port, and memory address resources. From time to time you might experience a conflict, or need to change which part of that resource the device uses to function. You can make these changes and check the status of any conflicts through the Resources tab in the device Properties dialog box, as shown in Figure 3.13.


Figure 3.13 Device Properties – Resources Tab

Most systems today allocate the resources appropriately for you. If you need to configure resources manually and the system bus supports it (e.g., for ISA-based devices), you can uncheck Use automatic settings and change the settings using the Change Setting button. The device might also have some pre-built resource configuration profiles that you can select through the Settings based on drop-down list.

Changing resource settings can disable your hardware or cause your system to malfunction, so make sure to consult your device documentation before making changes. In the case of devices that require exclusive use of resources, ensure there are no conflicts listed in the Conflicting device list text box.

Device Installation and Configuration Best Practices

When installing and managing devices in your system, there are a few best practices that you should consider following:

■ Always use signed drivers. When working in a server environment, it is highly recommended that you make it a policy to use only those drivers that have been digitally signed with a Windows Hardware Quality Labs X.509 digital certificate. When you obtain the drivers from your hardware vendor, look for the Designed for Microsoft Windows Server 2003 logo on the packaging, on the vendor’s Web site, or on the device itself. If you are unable to obtain WHQL-signed drivers, at a minimum ensure that they are digitally signed by the vendor or obtained from a trusted source. Drivers operate in unprotected areas of the operating system and can cause severe system instability or expose security vulnerabilities if they are written improperly.


■ Check for device resource conflicts and issues. After installing a new device, ensure that there are no resource conflicts by checking the Resources tab. Also check the General tab to ensure the device is working properly.

■ Manage drivers with minimum privileges. With the advent of Windows Server 2003, there is a new emphasis to ensure that not only is the technology secure, but the processes associated with administering a system are done in a secure fashion. This section noted the minimum rights required to manage the average device driver. Consider delegating privileges to the person(s) responsible for managing server hardware instead of giving them full local Administrator access.

EXAM 70-290 OBJECTIVE 1.2

Monitoring Server Hardware

After you have installed and configured your device, you should monitor it on a regular basis to ensure that it is functioning as expected. Monitoring can help you be pro-active about device issues, including device failures, drivers or capacity issues, before users experience the problems first-hand. In this section we take a look at the essential tools used for monitoring the overall health of the devices, including capacity planning.

Using Device Manager

Earlier in the chapter we discussed Device Manager as a tool that can be used to manage device properties. In order to be able to manage the properties, Device Manager presents a list of devices installed in the system. Some devices are not shown by default. These include some non-PNP devices, “phantom devices” (ones that have been removed but the drivers are still waiting for them—USB devices often fall under this class), and system devices. To view these devices, choose Show hidden devices from the View menu.

For devices that are disabled or have issues, you will see them automatically called out by having their sections expanded in the default view and an icon with an ‘X’ (disabled) or exclamation point (error) in the icon. If the device has an issue or is disabled without cause, you should investigate it by opening the device Properties dialog box by right-clicking the device entry and selecting Properties from the context menu to get access to the Device status section of the device Properties, as shown in Figure 3.14.

The Device status text box gives you basic information on why that device is having an issue.


Figure 3.14 Device Properties, General Tab (Device Status Error Shown)

Using Event Viewer

Found under the Administrative Tools | Event Viewer is one of the essential tools for monitoring system health. It records information, warning, and error events raised by various components of the system, including device drivers and the device management services. As you navigate Event Viewer, you might see events that are generated by various devices.

Figure 3.15 shows an example of an information message generated by the TCP/IP driver.

Figure 3.15 Event Properties

Using Control Panel Applets

Certain Control Panel applets expose hardware status information as you work with the functional properties that involve those devices. When it comes to actually managing the hardware side, these applets often bring you back to Device Manager’s Properties dialog boxes to do actual management. Applets that involve this sort of functionality include Network Connections, Mouse (shown in Figure 3.16), Keyboard, Sounds and Audio Devices, and more.

Figure 3.16 Mouse Control Panel – Hardware Tab

Using Command-Line Utilities

One of the management objectives that the Windows Server team had when developing Windows Server 2003 was to make all administrative functionality in the graphical interface accessible via the command line. There are two notable command-line utilities that ship with Windows Server 2003:

■ Device Console Utility (devcon.exe)

■ Service Control Utility (sc.exe)

Device Console Utility (devcon.exe)

The Device Console Utility (devcon.exe) is a command-line utility that can be used as an alternative to Device Manager. It provides a level of detail that is not available in Device Manager. This tool is installed as part of the Windows Support Tools.

NOTE

The Windows Support Tools can assist you in managing systems and troubleshooting problems. They are not installed by default with Windows Server 2003. To install them, you need to run the installation process separately by executing SUPTOOLS.MSI from the SUPPORT\TOOLS folder on the Windows Server 2003 installation media.


There are four modes of operation in the Device Console Utility:

■ Display the following properties of devices and their drivers on local and remote computers:

  ■ Hardware identification numbers, compatible hardware identification numbers, device instance identification strings

  ■ Categories in which devices are grouped, also known as device setup classes

  ■ Devices in a particular device setup class

  ■ Components of a driver package (e.g., driver files, installation files, etc.)

  ■ Hardware resources (e.g., direct memory access (DMA) channels, input/output ports (I/O ports), interrupt request (IRQ), and memory addresses)

  ■ Current device status

  ■ Device driver and service dependencies (also known as the driver stack)

■ Search for devices (whether or not they have drivers installed) on local and remote computers by hardware identification numbers, device instance identification strings, or device setup class.

■ Change the status or configuration of devices on the local computer, including the following:

  ■ Enable or disable the device.

  ■ Install or remove device drivers.

  ■ Update existing device drivers (both interactive and non-interactive installations).

  ■ Initiate a rescan for Plug and Play devices.

  ■ Add, delete, and reorder the hardware IDs of devices.

  ■ Change the device driver and service dependencies for a device setup class.

■ Restart devices or the system on the local computer.

The high-level command-line operations are discussed in the following section.

Display-Related Commands

Table 3.1 displays information about display-related commands.


Table 3.1 Display-Related Commands

Command      Description
Classes      Lists all the known device setup classes, including the ones not in use.
DriverFiles  Displays the full path and filename of the installed device installation information files (.INF files) and the associated device driver files.
DriverNodes  Lists all the compatible driver packages for a particular device along with the version and ranking of the package. (For more information on the ranking, see the earlier Plug and Play section.)
HwIDs        Displays the hardware identification numbers, compatible hardware identification numbers, device instance identification strings.
ListClass    Lists all devices in the specified device setup classes.
Resources    Lists the system resources (e.g., DMA channels, I/O ports, IRQ, and memory addresses) allocation to a specified device.
Stack        Displays the device driver and service dependencies (also known as the driver stack) for a specified device, including the unique identifier and the name of the device setup class for each device.
Status       Displays the current status (running, stopped, or disabled) of device drivers on the computer.

The following is an example of using Device Console Utility to list all the IDE devices within the system:

C:\> devcon driverfiles *IDE*
IDE\DISKIC25N040ATCS05-0--------------------------------------------CS4OA61A\5&D235F77&0&0.0.0
    Name: IC25N040ATCS05-0
    Driver installed from c:\windows\inf\disk.inf [disk--install]. 1 file(s) used by driver:
        C:\WINDOWS\System32\DRIVERS\disk.sys
PCIIDE\IDECHANNEL\4&6401B72&0&0
    Name: Primary IDE Channel
    Driver installed from c:\windows\inf\mshdc.inf [atapi--Inst--primary]. 2 file(s) used by driver:
        C:\WINDOWS\System32\DRIVERS\atapi.sys
        C:\WINDOWS\System32\storprop.dll
PCIIDE\IDECHANNEL\4&6401B72&0&1
    Name: Secondary IDE Channel
    Driver installed from c:\windows\inf\mshdc.inf [atapi--Inst--secondary]. 2 file(s) used by driver:
        C:\WINDOWS\System32\DRIVERS\atapi.sys
        C:\WINDOWS\System32\storprop.dll
3 matching device(s) found.
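A devcon driverfiles listing is most useful when it is kept as a baseline and compared against a later run, because a changed INF or an extra driver file on an existing device is exactly the kind of change that should be explained by a change record. The following Python script is an added example and not part of the book or of the Support Tools: it parses the driverfiles record format shown above into one record per device instance and reports devices added, removed, or changed between two snapshots. The baseline text reproduces the output above; the second snapshot is a constructed variant, and placeholder_filter.sys is a made-up placeholder file name, not a real driver.

```python
import re
from dataclasses import dataclass, field

# Baseline snapshot: the devcon driverfiles output shown on the page, unchanged.
BASELINE_OUTPUT = r"""
IDE\DISKIC25N040ATCS05-0--------------------------------------------CS4OA61A\5&D235F77&0&0.0.0
    Name: IC25N040ATCS05-0
    Driver installed from c:\windows\inf\disk.inf [disk--install]. 1 file(s) used by driver:
        C:\WINDOWS\System32\DRIVERS\disk.sys
PCIIDE\IDECHANNEL\4&6401B72&0&0
    Name: Primary IDE Channel
    Driver installed from c:\windows\inf\mshdc.inf [atapi--Inst--primary]. 2 file(s) used by driver:
        C:\WINDOWS\System32\DRIVERS\atapi.sys
        C:\WINDOWS\System32\storprop.dll
PCIIDE\IDECHANNEL\4&6401B72&0&1
    Name: Secondary IDE Channel
    Driver installed from c:\windows\inf\mshdc.inf [atapi--Inst--secondary]. 2 file(s) used by driver:
        C:\WINDOWS\System32\DRIVERS\atapi.sys
        C:\WINDOWS\System32\storprop.dll
3 matching device(s) found.
"""

# Constructed later snapshot: the disk device is gone and the secondary channel
# now lists an extra file (placeholder_filter.sys is a made-up name).
CURRENT_OUTPUT = r"""
PCIIDE\IDECHANNEL\4&6401B72&0&0
    Name: Primary IDE Channel
    Driver installed from c:\windows\inf\mshdc.inf [atapi--Inst--primary]. 2 file(s) used by driver:
        C:\WINDOWS\System32\DRIVERS\atapi.sys
        C:\WINDOWS\System32\storprop.dll
PCIIDE\IDECHANNEL\4&6401B72&0&1
    Name: Secondary IDE Channel
    Driver installed from c:\windows\inf\mshdc.inf [atapi--Inst--secondary]. 3 file(s) used by driver:
        C:\WINDOWS\System32\DRIVERS\atapi.sys
        C:\WINDOWS\System32\storprop.dll
        C:\WINDOWS\System32\DRIVERS\placeholder_filter.sys
2 matching device(s) found.
"""


@dataclass
class DeviceDrivers:
    instance_id: str
    name: str = ""
    inf: str = ""
    files: list = field(default_factory=list)


# "Driver installed from <inf> [<section>]. N file(s) used by driver:"
_DRIVER_RE = re.compile(
    r"Driver installed from (?P<inf>\S+) \[(?P<section>[^\]]*)\]\.\s*"
    r"(?P<count>\d+) file\(s\) used by driver:"
)


def parse_driverfiles(text):
    """Return {device instance id: DeviceDrivers} from devcon driverfiles output."""
    devices = {}
    current = None
    pending_files = 0          # file lines still expected for the current device
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending_files:      # the N lines after the "file(s)" line are paths
            current.files.append(line)
            pending_files -= 1
            continue
        if line.endswith("matching device(s) found."):
            break
        if line.startswith("No driver information"):
            continue
        if line.startswith("Name:"):
            current.name = line[len("Name:"):].strip()
            continue
        match = _DRIVER_RE.match(line)
        if match:
            current.inf = match.group("inf")
            pending_files = int(match.group("count"))
            continue
        current = DeviceDrivers(instance_id=line)   # any other line starts a device
        devices[line] = current
    return devices


def diff_snapshots(baseline, current):
    """Compare two parsed snapshots; paths are compared case-insensitively."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for dev_id in sorted(set(baseline) & set(current)):
        before, after = baseline[dev_id], current[dev_id]
        if (before.inf.lower() != after.inf.lower()
                or sorted(f.lower() for f in before.files)
                != sorted(f.lower() for f in after.files)):
            changed[dev_id] = (before, after)
    return added, removed, changed


def audit():
    """Diff the two embedded snapshots."""
    return diff_snapshots(parse_driverfiles(BASELINE_OUTPUT),
                          parse_driverfiles(CURRENT_OUTPUT))


if __name__ == "__main__":
    added, removed, changed = audit()
    print("added:", added)
    print("removed:", removed)
    for dev_id, (before, after) in changed.items():
        print("changed:", dev_id, before.files, "->", after.files)
```

The parser relies on the "N file(s) used by driver" count rather than guessing which lines are paths, so a device whose driver uses no files, or one for which devcon prints no driver information, does not desynchronise the next record. Running the script prints the removed disk device and the secondary IDE channel whose file list grew.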

Search-Related Commands

The operations shown in Table 3.2 search for information about devices on the computer.

Table 3.2 Search-Related Commands

Command   Description
Find      Locates and displays all the devices attached to the computer that match the specified search pattern.
FindAll   Locates and displays all the devices attached to the computer along with devices that have been detached or moved (known as non-present or phantom devices) that match the specified search pattern.

The following is an example of using Device Console Utility to find all devices from the media device class:

C:\> devcon find @root\media*
ROOT\MEDIA\MS_MMACM : Audio Codecs
ROOT\MEDIA\MS_MMDRV : Legacy Audio Drivers
ROOT\MEDIA\MS_MMMCI : Media Control Devices
ROOT\MEDIA\MS_MMVCD : Legacy Video Capture Devices
ROOT\MEDIA\MS_MMVID : Video Codecs
5 matching device(s) found.

Change-Related Commands

Table 3.3 shows operations that manipulate the device or change its configuration.

Table 3.3 Change-Related Commands

Command      Description
Enable       Enables a specified device driver on the system.
Disable      Disables a specified device driver on the system.
Update       Replaces a specified device driver on the system with one specified by the updated driver’s INF file.
UpdateNI     Replaces a specified device driver on the system with one specified by the updated driver’s INF file without any user interaction.
Install      Installs a new device driver on the system.
Remove       Removes a specified device driver from the system.
Rescan       Initiates the Plug and Play service to scan the system for new devices.
SetHwID      Adds, deletes, or modifies the order of hardware identification numbers.
ClassFilter  Adds, displays, deletes, or modifies the order of filter drivers.

The following is an example of using Device Console Utility to disable and then reenable all USB devices attached to the system:

C:\> devcon disable USB*
USB\ROOT_HUB\4&1F4031C5&0 : Disabled
USB\ROOT_HUB\4&31F9E26A&0 : Disabled
USB\ROOT_HUB20\4&7D3C0D5&0 : Disabled
3 device(s) disabled.

C:\> devcon enable USB*
USB\ROOT_HUB\4&1F4031C5&0 : Enabled
USB\ROOT_HUB\4&31F9E26A&0 : Enabled
USB\ROOT_HUB20\4&7D3C0D5&0 : Enabled
3 device(s) enabled.

Restart-Related Commands

Table 3.4 shows operations that restart the device or reboot the system.

Table 3.4 Restart-Related Commands

Command   Description
Restart   Stop and restart a specified device.
Reboot    Restart the system.

The following is an example of using Device Console Utility to restart the Microsoft Loopback Adapter:

C:\> devcon restart *MSLOOP*
ROOT\NET\0000 : Restarted
1 device(s) restarted.

For additional information, refer to the Device Console Utility reference in the Windows Support Tools help.

Service Control Utility (sc.exe)

The Service Control utility is used to communicate with both services and with device drivers. The functionality provided is only a subset of the Device Console utility focused on device drivers themselves; however, unlike the Device Console Utility, the Service Control Utility is installed with Windows Server 2003.

Display-Related Commands

Table 3.5 lists operations that display information about devices.

Table 3.5 Display-Related Commands

Command         Description
Enumdepend      Displays the dependencies of a specified service or device driver.
Getdisplayname  Displays the associated display name of a specified service or device driver.
Getkeyname      Displays the associated key name of a specified service or device driver display name.
Qc              Displays configuration information for a specified service or device driver.
Qdescription    Displays the associated description of a specified service or device driver.
Qfailure        Displays the actions that the Service Control Manager will execute if the specified service or device driver fails.
Query           Displays the current state information of all or specified service or device driver.
Queryex         Displays the current extended state information of all or specified service or device driver.
Querylock       Displays the current lock status of the Service Control Manager database.
Sdshow          Displays the security descriptor using SDDL for a service or device driver.

The following is an example of using the Service Control Utility to retrieve the status of all active network interface drivers:

C:\> sc queryex type= driver group= NDIS

SERVICE_NAME: E100B
DISPLAY_NAME: Intel(R) PRO Adapter Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

SERVICE_NAME: Ndisuio
DISPLAY_NAME: NDIS Usermode I/O Protocol
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
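The sc queryex record format above is easy to post-process, and doing so turns the command into a quick check that a server only runs the kernel drivers its build documentation expects. The following Python script is an added example, not part of the book or of sc.exe: it splits the output into one dictionary per SERVICE_NAME block (keeping the state flags from the parenthesised continuation line) and then lists running kernel drivers that are missing from an expected set. The first two records are the ones shown above; the third record, the name xmplndis, and its display name are constructed.

```python
# Constructed sample: the two records shown on the page plus one made-up driver.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: E100B
DISPLAY_NAME: Intel(R) PRO Adapter Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

SERVICE_NAME: Ndisuio
DISPLAY_NAME: NDIS Usermode I/O Protocol
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

SERVICE_NAME: xmplndis
DISPLAY_NAME: Constructed Example NDIS Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
"""

# Constructed expected set: the NDIS drivers the build document lists for this server.
EXPECTED_NDIS_DRIVERS = {"E100B", "Ndisuio"}


def parse_sc_queryex(text):
    """Return a list of dicts, one per SERVICE_NAME block, keyed by the field names."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SERVICE_NAME:"):
            current = {"SERVICE_NAME": line.partition(":")[2].strip(),
                       "STATE_FLAGS": []}
            records.append(current)
            continue
        if current is None:
            continue
        # The "(STOPPABLE,...)" line continues the STATE field without a key.
        if line.startswith("(") and line.endswith(")"):
            current["STATE_FLAGS"] = line[1:-1].split(",")
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return records


def state_name(record):
    """'4  RUNNING' -> 'RUNNING'; empty string when STATE is absent."""
    state = record.get("STATE", "")
    return state.split()[-1] if state else ""


def is_kernel_driver(record):
    return record.get("TYPE", "").endswith("KERNEL_DRIVER")


def running_kernel_drivers(records):
    return [r["SERVICE_NAME"] for r in records
            if is_kernel_driver(r) and state_name(r) == "RUNNING"]


def unexpected_drivers(records, expected):
    """Running kernel drivers not in the expected set (names compared case-insensitively)."""
    known = {name.lower() for name in expected}
    return sorted(name for name in running_kernel_drivers(records)
                  if name.lower() not in known)


if __name__ == "__main__":
    records = parse_sc_queryex(SAMPLE_SC_OUTPUT)
    print("running kernel drivers:", running_kernel_drivers(records))
    print("not in build document:", unexpected_drivers(records, EXPECTED_NDIS_DRIVERS))
```

Service names are compared case-insensitively because the Service Control Manager treats them that way. The same parser works for the other groups and for `sc queryex type= driver state= all`, which also returns drivers that are installed but stopped.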

Change-Related Commands

The following operations shown in Table 3.6 change the state of the machine, service control manager, or the service/device driver.

Table 3.6 Change-Related Commands

Command      Description
Boot         Specifies whether or not the last boot should be saved as the last known good configuration.
Config       Modifies the basic configuration information for a specified service.
Continue     Resumes a paused service.
Control      Sends a control code to the service.
Create       Creates a service entry in the Service Control Manager’s database.
Delete       Removes a service entry in the Service Control Manager’s database.
Description  Sets the description for a specified service or device driver.
Failure      Specifies what action to take upon failure of the service.
Interrogate  Sends an interrogate control code to the service.
Lock         Locks the Service Control Manager’s database.
Pause        Pauses a service.
Sdset        Sets the security descriptor using SDDL for a service or device driver.
Start        Starts a specified service or device driver.
Stop         Stops a specified service or device driver.

EXAM 70-290 OBJECTIVE 4.7.3

Using Performance Console

Monitoring the key metrics of system performance is an important part of ensuring that you are maintaining a healthy system. Performance data is extremely useful for understanding when a system has surpassed certain thresholds, spotting trends in system usage, and helping to evaluate performance tuning of your system.

The Performance console hosts System Monitor and Performance Logs and Alerts. System Monitor, shown in Figure 3.17, delivers a real-time graphical view of what is happening in the system in various forms (graph, histogram, and report). Reports can be exported in HTML format as well. System Monitor is often used in production environments for viewing data logged with Performance Logs and Alerts.

Figure 3.17 Performance Console – System Monitor


Performance Logs and Alerts, shown in Figure 3.18, is a low-overhead collection tool used to capture specified metrics for later analysis. It runs as a background service in Windows Server 2003, continuously collecting data. Performance Logs and Alerts also allows for collection to occur under alternative credentials as well as a variety of log formats, including comma- and tab-separated value files as well as an SQL Server database.

Figure 3.18 Performance Console – Performance Logs and Alerts – Counter Logs

System Monitor and Performance Logs and Alerts Security

As part of the Security by Design initiative, the Windows Server product group made some fundamental changes to security around the performance monitoring tools in Windows Server 2003. If you are not a member (explicitly or through inheritance) of the local Administrators, you cannot access the performance monitoring tools or data unless you are a member of one of the following groups:

■ Performance Monitor Users Monitor performance counters locally or from a remote computer.

■ Performance Log Users Manage performance counters, logs, and alerts locally or from a remote computer.

If you are coming from Windows 2000 you will notice that the ability to configure logging using Performance Logs and Alerts under alternative credentials is a new feature.

EXERCISE 3.05 Capturing Disk Performance Metrics for Later Analysis

1. From the Start menu, select Administrative tools.

2. Select the Performance option from the list.

3. In the Performance console, expand Performance Logs and Alerts in the left pane.


4. Right-click Counter Logs and select New Log Settings from the context menu.

5. In the New Log Settings window, give the log settings a name and click OK.

6. In the Properties dialog box, click Add Counters.

7. In the Add Counters dialog box, select PhysicalDisk from the Performance object list.

8. Select Current Disk Queue Length from the Counters list, as shown in Figure 3.19.

Figure 3.19 Selecting Current Disk Queue Length

9. Select the All instances option, click Add, and then click Close, which results in a dialog box that looks similar to Figure 3.20.

Figure 3.20 Performance Logs and Alerts


10. You are prompted with a question to create the log file; click Yes.

Performance Logs and Alerts starts capturing data automatically. You need to create some activity on the disk to capture some data that can be viewed. Run something like Disk Defragmenter on your system to generate disk activity.

11. After you have generated some disk activity for a period of time, right-click the log entry in the right pane of the Counter Logs section of Performance Logs and Alerts and select Stop from the context menu.

12. Now it’s time to view the data. Start by selecting System Monitor from the left pane.

13. Click the View Log Data button on the toolbar in the right pane.

14. In the Data Source section of the dialog box, select Log files and click the Add button.

15. Locate the log file to which you captured the performance data, select it, and click Open; then click OK.

16. Click the Add button on the toolbar in the right pane.

17. In the Add Counters dialog box, the one counter you added should be highlighted. Click the Add button and then click Close. This draws a graph for that counter. For the counter you added above, the suggested threshold is the number of spindles on the hard disk plus 2. As you add and explore other counters, check the documentation from your device vendor as well as information available on Microsoft’s TechNet site (www.microsoft.com/technet) and other third-party sources.
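Viewing the log in System Monitor works for one exercise, but the same threshold rule (spindles plus 2 for Current Disk Queue Length) can be applied to a counter log saved in the comma-separated format that Performance Logs and Alerts offers, which is how a baseline is usually reviewed later. The following Python script is an added example, not part of the book: it reads a PDH-CSV counter log, picks out the PhysicalDisk Current Disk Queue Length columns, and reports every sample that exceeds the per-disk threshold. The server name SERVER01, the timestamps, the sampled values, and the spindle counts are all constructed.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample in the PDH-CSV layout written by a counter log: the first
# column is the timestamp, every other column header is a full counter path.
SAMPLE_COUNTER_LOG = r'''"(PDH-CSV 4.0) (Eastern Daylight Time)(240)","\\SERVER01\PhysicalDisk(0 C:)\Current Disk Queue Length","\\SERVER01\PhysicalDisk(1 D:)\Current Disk Queue Length","\\SERVER01\PhysicalDisk(_Total)\Current Disk Queue Length"
"08/11/2003 15:53:00.000","1","0","1"
"08/11/2003 15:53:15.000","5","2","7"
"08/11/2003 15:53:30.000","2","1","3"
"08/11/2003 15:53:45.000","3","7","10"
'''

# Constructed hardware inventory: spindles behind each PhysicalDisk instance
# (a single disk for C:, a four-disk array for D:). _Total is not a disk and is skipped.
SPINDLES = {"0 C:": 1, "1 D:": 4}

# \\host\object(instance)\counter
_COUNTER_PATH_RE = re.compile(
    r"^\\\\(?P<host>[^\\]+)\\(?P<object>[^\\(]+)\((?P<instance>[^)]*)\)\\(?P<counter>.+)$"
)


@dataclass
class Breach:
    timestamp: str
    instance: str
    value: float
    threshold: int


def parse_counter_path(path):
    """Split a counter path into host, object, instance and counter; None if malformed."""
    match = _COUNTER_PATH_RE.match(path)
    return match.groupdict() if match else None


def queue_threshold(spindles):
    """Threshold suggested in the exercise: number of spindles plus 2."""
    return spindles + 2


def find_queue_breaches(log_text, spindles_per_instance):
    """Return one Breach per sample whose Current Disk Queue Length exceeds its threshold."""
    reader = csv.reader(io.StringIO(log_text))
    header = next(reader)
    columns = []                      # (column index, instance, threshold)
    for idx, path in enumerate(header[1:], start=1):
        parsed = parse_counter_path(path)
        if (not parsed or parsed["object"] != "PhysicalDisk"
                or parsed["counter"] != "Current Disk Queue Length"):
            continue
        spindles = spindles_per_instance.get(parsed["instance"])
        if spindles is None:          # unknown disk or _Total: no spindle count, skip
            continue
        columns.append((idx, parsed["instance"], queue_threshold(spindles)))

    breaches = []
    for row in reader:
        if not row:
            continue
        for idx, instance, threshold in columns:
            cell = row[idx].strip()
            if not cell:              # PDH leaves the cell blank when a sample is missing
                continue
            value = float(cell)
            if value > threshold:
                breaches.append(Breach(row[0], instance, value, threshold))
    return breaches


if __name__ == "__main__":
    for b in find_queue_breaches(SAMPLE_COUNTER_LOG, SPINDLES):
        print(f"{b.timestamp}  PhysicalDisk({b.instance})  queue={b.value:g}  threshold={b.threshold}")
```

Only columns whose instance has a known spindle count are evaluated, so the _Total instance, which has no meaningful spindle count, never produces a false alarm. On the sample data the script reports C: at 15:53:15 (5 against a threshold of 3) and D: at 15:53:45 (7 against 6).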

Hardware Monitoring Best Practices

When monitoring devices on your system, there are a few best practices that you should consider following:

■ Create and maintain a performance baseline. Consider capturing a baseline of key performance metrics on your system during an “average” timeframe using the Performance Logs feature of the Performance console. When it comes to troubleshooting issues or doing capacity planning, this data will go a long way toward helping you make informed decisions.

■ Monitor the event logs for unusual device-related messages and performance counters to ensure acceptable thresholds have not been exceeded. Management tools such as Microsoft Operations Manager (MOM) assist you in automatically identifying new and unusual messages in the event logs as well as watching performance counters for items that violate set thresholds. These tools do this by accessing the system through the Simple Network Management Protocol (SNMP) or by querying Windows Management Instrumentation (WMI). Some devices expose additional proprietary counters and details, so be sure to investigate that with your device documentation.

■ Leverage device vendor’s tools where appropriate. Some devices come with management software to enable access to more advanced monitoring. When you add a new device to your system, test the software to see if it provides any additional value. If it does not, keep your system as simple as possible and uninstall it. If you do plan to use the tool, you should ensure that the management tool also carries the Designed for Microsoft Windows Server 2003 logo software certification when installing it in a server environment.

Troubleshooting Hardware Devices

When it comes to troubleshooting hardware devices, there are two scenarios that you will encounter. Either a device will not work or will cause the system to become unstable immediately after installation, or a device fails at a later date. Troubleshooting the first scenario can be somewhat easier because you know what has changed in the system recently.

If you are troubleshooting device failure at a later date, it can often be more difficult unless you have maintained good change management documentation that records the operations that have been performed on the system.

The basic process of troubleshooting any issue is as follows:

1. Collect relevant data on the problem. This includes error messages, event log entries, and performance metrics.

2. Using past experience and research, analyze the symptoms.

3. Establish a set of potential causes that can lead to possible workarounds and/or resolutions.

4. Execute the most likely workaround and/or resolution to recover the system in a timely manner.

5. Document the problem, symptoms, and resolutions for future reference.

Windows Server 2003 provides a comprehensive set of tools to assist you in troubleshooting resource allocation issues as well as device-driver-related issues. In addition to the tools that ship with Windows Server 2003, new tools and resources are being made available online over time. Some of the notable online resources available through http://support.microsoft.com include the following:

■ Windows Server 2003 Support Center

■ Knowledge Base Search

■ Windows Server 2003 Events and Errors Search

■ Windows Server 2003 Support WebCasts

■ Windows Server 2003 Newsgroups

Help & Support Troubleshooting Tools

Through extensive usability research, the Windows Server product group decided to move away from the Hardware Troubleshooting Wizard in favor of a more detailed and context-specific troubleshooting tool. Windows Server 2003 leverages a series of Troubleshooters, which first appeared in Windows XP, that walk you through a problem. This includes asking for details on the symptoms, suggesting resolutions, and linking to more information on the problem. Currently, there are 17 built-in troubleshooters that cover a variety of areas, including the following:

■ System setup

■ Startup/Shutdown

■ Display (shown in Figure 3.21)

■ Home networking

■ Hardware

■ Multimedia and games

■ Digital Video Discs (DVDs)

■ Input Devices

■ Drives and Network Adapters

■ USB

■ Sound

■ Modem

■ Internet Connection Sharing

■ Internet Explorer

■ Outlook Express (Messaging)

■ File and Print Sharing

■ Printing

Figure 3.21 Help and Support Center – Display Troubleshooter Step 3

The first stop for device status is to use Device Manager. As mentioned earlier in the chapter, Device Manager can give you a high-level indication of whether or not the device is having issues through the icon in the Device Manager console, as well as through the Device status text box in the device Properties dialog box, as shown in Figure 3.22.

Figure 3.22 Device Properties – General Tab (Drivers Not Installed)


A variety of status messages could appear in the Device status text box. An example of a message you might see is as follows:

This device is either not present, not working properly, or does not have all the drivers installed. (Code 13)

To have Windows detect whether this device is present or not, click Detect Hardware.

Unlike previous generations of the operating system, where error messages might be somewhat cryptic, you can see that this message is self-explanatory. In this particular case the system attempted to load the device driver and was unable to complete the operation because the device driver did not find the associated hardware. The device Properties dialog box dynamically changes its button to a context-specific button that mirrors the recommended solution. In the case of the previous message, the button would change to Detect Hardware.

For more information on other device status codes, refer to Microsoft Support Knowledge Base article 125174, Explanation of Error Codes Generated by Device Manager, at http://support.microsoft.com/?id=125174.

Diagnosing and Resolving Issues Related to Hardware Settings

If your device is not functioning because of resource conflicts, you can use either Device Manager or System Information to identify the conflicts by the particular type of resource.

In Device Manager, you can view the properties of any of the devices. Under the Resources tab is a text box named Conflicting device list. This text box shows all the devices that are using conflicting resources. If your BIOS and/or device supports changing these values, you can also change the settings until you find a combination of DMA, IRQ, I/O port, and memory address resources that does not cause a conflict.

Another way to view conflicts within the system is through the System Information tool. This provides a summary view of all device resource conflicts throughout the system, as shown in Figure 3.23. To access this tool, at the command prompt or Run option on the Start menu, type msinfo32.exe and press Enter.

NOTE

The USB class of devices has a specific resource to note: power. If you are using non-powered hubs there might be issues with power allocation across the devices attached to a USB hub. You can view the power allocation for USB hubs in Device Manager by locating the hub (you might need to choose Show Hidden Devices), opening the device Properties dialog box, and selecting the Power tab.

Figure 3.23 System Information – Conflicts/Sharing Option

Diagnosing and Resolving Issues Related to Drivers and Driver Upgrades

When drivers cause problems within a system, you might experience two levels of severity. The first is the device simply not being enabled on system startup or installation. A more severe level will result in the system not starting up due to a bug check (also known as a blue screen or STOP error).

If the problem is caused during a driver upgrade, you can leverage the capability to roll back a driver. To roll back a driver to the previous version, open the device Properties dialog box in Device Manager and select the Driver tab. In that tab is a button called Rollback that you can select to roll back the driver to the previous version.

If the problem is caused during installation, you might have an incorrect driver or no driver installed. You can view the status of the driver with Device Manager and/or check for any startup messages with Event Viewer. Beyond being unable to start, the messages are usually specific to the device driver, so we recommend that you check with your device vendor’s support services for assistance when troubleshooting these types of issues.

NOTE

Not only is a complete memory dump large and increases system recovery time, it also might expose some sensitive data because it dumps the entire contents of system memory to disk. It is recommended that you use a small or kernel memory dump unless instructed by your device vendor or Microsoft’s support organization.

Reading and Understanding Bug Checks (Also Known as Blue Screens or STOP Errors)

Bug checks occur when the system encounters a condition that compromises safe operations. As a result, the system is halted and the “blue screen” with the bug check information or STOP error is displayed. These types of errors can occur for several reasons:

■ Software defects in drivers or core system services cause an invalid instruction to be sent to the processor.

■ Defective hardware causes unhandled messages to be sent to the operating system.

■ Core system services have been terminated (e.g., Local Security Authority or Client/Server Runtime Subsystem).

Bug checks provide diagnostic information such as STOP codes and driver names that can help lead to problem resolution. Because of the volatile state of the system, this information cannot always be recorded when the event occurs. It is important that you record the information associated with the bug check and driver information sections. Many of the bug check messages have relevant information that you should read and understand if they apply to your situation. Finally, if you have enabled memory dumps, wait until the dump is complete before restarting the computer (if you do not have automatic restart enabled). Your device vendor and/or Microsoft use the memory dumps to help understand the state of the system at the time that the bug check occurred. You can change the memory dump settings through the Startup and Recovery button in the System Properties’ Advanced tab, as shown in Figure 3.24.

Figure 3.24 Startup and Recovery Properties


While the STOP messages might not always indicate the root cause of the problem, in combination with other sources of data they can help direct a trained support technician to track down the root cause of the problem.

There are two sources of bug check information that you can use as a reference:

■ Windows XP Professional Resource Kit: Appendix C – Common Stop Messages at www.microsoft.com/technet/prodtechnol/winxppro/reskit/prmd_stp_tnvo.asp.

■ MSDN Library – Device Development Kit: Bug Check Codes at http://msdn.microsoft.com/library/en-us/ddtools/hh/ddtools/bcintro_3dkj.asp.
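Recording the bug check and driver information sections, as the text above recommends, in an added example that is not the book's own code: a small parser that pulls the STOP code, its four parameters, the symbolic name and the faulting driver line out of a transcribed blue screen, and turns them into one line for the change log. The screen text, the driver name examplenic.sys, the addresses and the DateStamp are constructed; the assumed layout is the Windows XP/2003 one.

```python
"""Extract the fields worth recording from a bug check (STOP) screen.

Added example, not from the book. SAMPLE_STOP_SCREEN is a constructed
transcription of the text a Windows Server 2003 blue screen shows; the
driver name examplenic.sys, the addresses and the DateStamp are made up.
The assumed layout is the XP/2003 one: a symbolic name in capitals, a
"*** STOP:" line carrying the code and four parameters, and an optional
"***  driver - Address ... base at ..., DateStamp ..." line.
"""
import re
from datetime import datetime, timezone

SAMPLE_STOP_SCREEN = """\
A problem has been detected and Windows has been shut down to prevent damage
to your computer.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this Stop error screen,
restart your computer. If this screen appears again, follow
these steps:

Technical information:

*** STOP: 0x000000D1 (0x00000010, 0x00000002, 0x00000000, 0xF79B2C5A)

***  examplenic.sys - Address F79B2C5A base at F79B0000, DateStamp 3E4A1C2B
"""

STOP_RE = re.compile(r"\*{3}\s*STOP:\s*(0x[0-9A-Fa-f]{8})\s*\(([^)]*)\)")
DRIVER_RE = re.compile(
    r"\*{3}\s+(\S+)\s+-\s+Address\s+([0-9A-Fa-f]+)\s+base at\s+([0-9A-Fa-f]+),"
    r"\s+DateStamp\s+([0-9A-Fa-f]+)")
NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]{3,}$")  # e.g. DRIVER_IRQL_NOT_LESS_OR_EQUAL


def parse_stop_screen(text):
    """Return the STOP code, parameters and faulting driver, or None if absent."""
    stop = STOP_RE.search(text)
    if not stop:
        return None
    record = {
        "stop_code": int(stop.group(1), 16),
        "parameters": [int(p.strip(), 16) for p in stop.group(2).split(",") if p.strip()],
        "symbolic_name": None,
        "driver": None,
    }
    for line in text.splitlines():
        if NAME_RE.match(line.strip()):
            record["symbolic_name"] = line.strip()
            break
    drv = DRIVER_RE.search(text)
    if drv:  # many bug checks name no driver at all; the record still stands
        address, base = int(drv.group(2), 16), int(drv.group(3), 16)
        record["driver"] = drv.group(1)
        record["address"] = address
        record["base"] = base
        record["offset"] = address - base  # offset of the fault inside the driver image
        # DateStamp is the driver image's link time as a Unix epoch value, which
        # lets you check whether the driver on disk is the one that crashed.
        record["built"] = datetime.fromtimestamp(int(drv.group(4), 16), tz=timezone.utc)
    return record


def format_record(record):
    """One-line summary suitable for a change log or a support ticket."""
    params = ", ".join(f"0x{p:08X}" for p in record["parameters"])
    line = f"STOP 0x{record['stop_code']:08X}"
    if record["symbolic_name"]:
        line += f" ({record['symbolic_name']})"
    line += f" params=[{params}]"
    if record["driver"]:
        line += (f" driver={record['driver']}+0x{record['offset']:X}"
                 f" built={record['built']:%Y-%m-%d}")
    return line


if __name__ == "__main__":
    print(format_record(parse_stop_screen(SAMPLE_STOP_SCREEN)))
```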

If you cannot get Windows fully started, chances are you are encountering either hardware failure, an improperly configured driver, or a bad driver. In these cases, Windows Server 2003 has several facilities to help you troubleshoot these startup issues:

■ Last Known Good Configuration

■ Safe Mode

■ System Configuration Utility

■ Recovery Console

■ Emergency Management Services

■ Automated System Recovery

■ Installation Repair

In the following sections, we look at each of these in detail.

Last Known Good Configuration

If the system is unable to start up correctly after you have installed a new device or made a configuration change, this option should be the first tool you use. It will restore the HKEY_LOCAL_MACHINE\System\CurrentControlSet registry key to a copy of the one that was used during the last successful system startup. Note that this tool does not solve any issues with corrupt or missing driver files. To access this tool, perform the following steps:

1. Press F8 during startup when you see the Please select the operating system to start message. (Note: to see this you need to have a timeout value of greater than 0 set in the System Control Panel applet, under the Advanced tab, in the Startup/Recovery options.)

2. In the Windows Advanced Option Menu (as shown in Figure 3.25), select Last Known Good Configuration and press Enter.

Figure 3.25 Windows Advanced Options Menu

After you are able to recover, you can then use Event Viewer, Device Manager, and/or System Information to identify any problematic devices.

Safe Mode

Starting your system in Safe Mode causes Windows Server 2003 to load the minimum set of drivers and services that the operating system needs to function. This option can be used to help identify and resolve problems created by corrupt or incorrect drivers, a corrupt registry, or system services that might prevent the system from starting. After you have started in Safe Mode, you can disable or remove devices and services that might be preventing the system from starting, using Device Manager and/or the Registry Editor. To access this tool, perform the following steps:

1. Press F8 during startup when you see the Please select the operating system to start message.

2. In the Windows Advanced Option Menu, select Safe Mode and press Enter.

After you are able to recover, you can use Event Viewer, Device Manager, and/or System Information to identify any problematic devices. If the problem occurred late enough in the startup process, it might have also been captured as part of the Safe Mode log file, ntbtlog.txt, which is located in the System Root directory (by default, the WINDOWS folder). The log file contains a list of devices and services that were loaded along with whether or not each was successful.
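Reading ntbtlog.txt as described above, worked through as an added example that is not the book's own code. Because boot logging appends one block per start, the parser splits the file into boot sessions and reports which drivers loaded on the previous boot but failed on the most recent one, which is far more telling than the raw "Did not load driver" list (Safe Mode legitimately skips many drivers). The sample log, its driver names and its session header layout are constructed assumptions.

```python
"""Split a Safe Mode boot log (ntbtlog.txt) into boot sessions and find new failures.

Added example, not from the book. SAMPLE_NTBTLOG is constructed sample data
in the layout assumed here: each boot appends a version/timestamp header
line followed by "Loaded driver <path>" and "Did not load driver <path>"
lines. The driver names examplenic.sys and exampleraid.sys are made up.
"""

LOADED = "Loaded driver "
FAILED = "Did not load driver "

SAMPLE_NTBTLOG = r"""
Service Pack 1 8 12 2003 10:15:32.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \SystemRoot\System32\DRIVERS\examplenic.sys
Loaded driver \SystemRoot\System32\DRIVERS\exampleraid.sys
Did not load driver \SystemRoot\System32\DRIVERS\imapi.sys
Service Pack 1 8 13 2003 07:02:11.250
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \SystemRoot\System32\DRIVERS\examplenic.sys
Did not load driver \SystemRoot\System32\DRIVERS\exampleraid.sys
Did not load driver \SystemRoot\System32\DRIVERS\imapi.sys
"""


def driver_name(path):
    """Last path component, lower-cased, so \\WINDOWS and \\SystemRoot spellings match."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_ntbtlog(text):
    """Return a list of boot sessions: {"header", "loaded": [...], "failed": [...]}."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(LOADED) or line.startswith(FAILED):
            if not sessions:  # tolerate a log whose first header line is missing
                sessions.append({"header": None, "loaded": [], "failed": []})
            if line.startswith(LOADED):
                sessions[-1]["loaded"].append(line[len(LOADED):])
            else:
                sessions[-1]["failed"].append(line[len(FAILED):])
        else:
            # Any other non-empty line starts a new boot session.
            sessions.append({"header": line, "loaded": [], "failed": []})
    return sessions


def new_failures(sessions):
    """Drivers that failed on the last boot but loaded on the boot before it."""
    if not sessions:
        return []
    last_failed = {driver_name(p) for p in sessions[-1]["failed"]}
    if len(sessions) < 2:
        return sorted(last_failed)  # nothing to compare against: report them all
    prev_ok = {driver_name(p) for p in sessions[-2]["loaded"]}
    return sorted(last_failed & prev_ok)


def summarize_last_boot(sessions):
    """Counts and the regression list for the most recent boot session."""
    last = sessions[-1]
    return {
        "boot": last["header"],
        "loaded": len(last["loaded"]),
        "failed": len(last["failed"]),
        "new_failures": new_failures(sessions),
    }


if __name__ == "__main__":
    print(summarize_last_boot(parse_ntbtlog(SAMPLE_NTBTLOG)))
```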

System Configuration Utility

The System Configuration Utility helps you diagnose services that are related to startup and that can cause issues. It is geared more towards system services as opposed to device drivers, but can be useful because some devices include services as well as more traditional device drivers. To access this tool, at the command prompt or Run option on the Start menu, type msconfig.exe and press Enter.

After you open the tool, you will notice a variety of options that can be used to configure the startup process, as shown in Figure 3.26. After you make the necessary changes, restart Windows Server 2003 for the settings to take effect.

Figure 3.26 System Configuration Utility – General Tab

Recovery Console

When you start the Recovery Console, it looks very much like being in a command-prompt environment. The Recovery Console is used when the Last Known Good Configuration and Safe Mode tools are not successful. It is recommended that you use this tool only if you are an advanced user and comfortable with a command-line interface to navigate and manipulate files. With the Recovery Console you can perform the following tasks:

■ Enable or disable device drivers or system services.

■ Copy files from the installation media for the operating system.

■ Create a new boot sector and new master boot record (MBR).

To access this tool:

1. Insert the Windows Server 2003 CD into the CD/DVD-ROM drive.

2. When prompted, press a key to enter setup.

3. At the Welcome to Setup screen, press R to start the Recovery Console.

The Recovery Console gives you access to a command prompt-like environment with the commands shown in Table 3.7.

Table 3.7 Commands Available from the Recovery Console

Command         Description
Attrib          Modifies the attributes of a file or directory.
Batch           Executes the commands in a specified file.
Bootcfg         Displays and modifies the boot configuration.
Chdir (CD)      Changes the current directory or displays the name of the current directory.
Chkdsk          Checks the disk for logical errors and displays a status report.
Cls             Clears the screen.
Copy            Copies a file to a specified location.
Delete (DEL)    Deletes one or more files that match a given mask.
Dir             Displays the files and subdirectories in the current directory.
Disable         Disables a device driver or system service.
Diskpart        Manages the logical partitions on your hard drive (similar to FDISK).
Enable          Enables a device driver or system service.
Exit            Exits the Recovery Console and triggers a system reboot.
Expand          Extracts a file from a compressed cabinet file.
Fixboot         Writes a new partition boot sector.
Fixmbr          Repairs the master boot record of the partition boot sector.
Format          Formats a logical partition.
Help            Displays a list of commands you can use inside the Recovery Console.
Listsvc         Lists the device drivers and services on the system along with their startup state (Auto, Boot, Disabled, Manual, or System).
Logon           Switches the Windows Server 2003 installation you are logged onto with the Recovery Console.
Map             Displays a list of drive letter mappings.
Mkdir (MD)      Creates a new directory.
More (TYPE)     Displays the contents of a file. If you use More, it will pause after every screen full of content.
Rename (REN)    Renames a specified file.
Rmdir (RD)      Removes a specified directory.
Set             Sets an environment variable. If used without parameters, it displays a list of all environment variables currently set.
Systemroot      Sets the current directory to the Windows system root.


Installing the Recovery Console

Instead of scrambling to locate your Windows CD when you need to access the Recovery Console, you can install it ahead of time on the server. The process is easy:

1. Insert your Windows Server 2003 CD into the CD/DVD-ROM drive.

2. At the command prompt or Run option on the Start menu, type <driveletter>:\i386\winnt32.exe /cmdcons (<driveletter> is the letter of your CD/DVD-ROM drive) and press Enter.

3. A setup dialog appears to confirm whether or not you want to install the Recovery Console. Click Yes. The setup process installs the Recovery Console. The next time you restart the computer, the Recovery Console will be available in the Windows Advanced Option Menu.

Emergency Management Services

Emergency Management Services (EMS) was introduced in Windows Server 2003 to facilitate out-of-band management of servers when they are not running correctly. EMS works over a range of out-of-band communications media including serial connections and terminal concentrators/emulators. The features of EMS are available during startup when the operating system is loading. Through EMS you can, for example, diagnose items as serious as a bug check or troubleshoot in situations where resource utilization is extremely heavy.

EMS works in conjunction with hardware-based out-of-band management services as well as providing management during all phases of startup. If you do not have the proper hardware available, you can gain access to the console as soon as the operating system or setup process loads.

For more information, refer to the Windows Server 2003 product documentation or the Windows Server 2003 Resource Kit sections on EMS.

Automated System Recovery

If you are using the Automated System Recovery (ASR) feature in Windows Server 2003, you can perform an ASR restore for system state data and services, which includes configuration information for devices. To access this tool, perform the following steps:

1. Insert the Windows Server 2003 CD into the CD/DVD-ROM drive.

2. When prompted, press F2 to start Automated System Recovery.

For more information, refer to the Windows Server 2003 product documentation and/or the Windows Server 2003 Resource Kit sections on ASR.


Repairing the Windows Server 2003 Installation

The Windows Server 2003 setup process includes the option to repair the installation. The repair process has three main tasks:

■ Inspect the Startup Environment Checks the boot.ini file to ensure that all the contents are correct.

■ Inspect the Boot Sector Checks to see if the active system partition’s boot sector is valid. If not, it reinstalls the boot loader functionality.

■ Recopy Windows system files The selected installation of Windows Server 2003 has its core files re-copied to the partition.

To access this tool, perform the following steps:

1. Insert the Windows Server 2003 CD into the CD/DVD-ROM drive.

2. When prompted, press a key to enter Setup.

3. At the Welcome to Setup screen, press Enter.

4. When prompted to accept the licensing agreement, press F8.

5. If Setup is able to successfully find your installation, select the appropriate installation and press R to initiate repair. If it is unable to locate your installation, you will need to recover by using a backup or a new installation of Windows Server 2003.

Hardware Troubleshooting Best Practices

When troubleshooting devices in your system, there are a few best practices that you should consider following:

■ Record error messages and symptoms in detail. It is especially useful when researching to have exact error messages to use with search facilities. The details also help if you need to contact your support organization, a device vendor’s support services, or Microsoft’s Product Support Services.

■ Keep accurate change logs. Keeping a history of what has changed in the system, software or hardware, helps you understand where potential conflicts might arise based on previous experience or research into problem symptoms.

■ Leverage device vendor’s and third-party tools where appropriate. Some devices come with management software to enable access to more advanced troubleshooting. When you get a new device, test the software to see if it provides any additional value. If it does not, keep your system as simple as possible and uninstall it. If you do plan to use the tool, ensure that the management tool also carries the Designed for Microsoft Windows Server 2003 logo software certification when installing it in a server environment.


■ Ensure drivers are signed and critical system files are intact. Use tools such as the System File Checker and File Signature Verification tool to help locate and repair corrupt drivers or identify unsigned drivers. Unsigned drivers can be the source of system instability because they have not undergone the level of testing prescribed by the Windows Hardware Quality Labs team.


Summary of Exam Objectives

Components of the server need to be installed and configured for users to be able to leverage their services. When choosing devices for your server, it is important to find ones that have drivers that are compatible; if possible, use devices that have the Designed for Windows Server 2003 logo certification and WHQL-signed drivers. Device drivers often operate in the kernel mode of the operating system, which is an unprotected area of the operating system designed to give the device drivers rapid access to the peripherals that they control using the Hardware Abstraction Layer (HAL). Windows Server 2003 enables you to set policy to enforce whether or not drivers should be WHQL signed before they are installed on the system. Plug and Play drivers automatically configure their resource settings, whereas non-PNP drivers require a little more manual work to get them installed in the system.

After you install the device driver through Plug and Play or the New Hardware Wizard, you can manage its configuration using Device Manager. Through this management console you can see the status of the device and configure various options for the particular device.

Monitoring devices on a regular basis is important to maintaining a healthy system. Windows Server 2003 provides several tools to help you monitor and investigate device issues. These tools include Device Manager, Event Viewer, Performance console, Device Console Utility (devcon), and various Control Panel applets. With Event Viewer you should watch for unusual warnings or errors produced by device drivers. Using the tools in the Performance console, you can establish a performance baseline to help you understand when devices are unable to keep up with the utilization of the system. In mid- to large-sized environments, consider the use of enterprise management tools such as Microsoft Operations Manager (MOM) to monitor devices across multiple systems.

Troubleshooting device issues is much like troubleshooting any other system issue. You need to collect the symptoms, research the issue using the symptoms to come up with some potential causes, and rule out the causes until you get to a set of workarounds or resolutions to the problem that meet your needs. When it comes to troubleshooting device issues, resource conflicts can be detected using Device Manager or the System Information tool. Device driver issues can cause more severe problems with the system, including not being able to start the system. Windows Server 2003 has several tools to help you recover from serious driver-related issues, including Last Known Good Configuration, Safe Mode, System Configuration Utility, Recovery Console, Emergency Management Services, Automated System Recovery and Installation Repair. The first is the least potentially destructive to the system, while the last is the most destructive to the existing system configuration.


Exam Objectives Fast Track

Understanding Server Hardware Vulnerabilities

■ Device drivers usually operate in kernel mode and access peripherals through the Hardware Abstraction Layer, whereas applications operate in user mode.

■ Windows Server 2003 supports Plug and Play and non-PNP device drivers. Most new devices ship with PNP drivers. Sound drivers are disabled by default.

Installing and Configuring Server Hardware Devices

■ To install device drivers, you need to be a member of the local Administrators group or have equivalent rights.

■ When installing devices, you can set policy as to whether or not drivers must be WHQL-signed. The policy options include Block, Warn, and Ignore. By default, Windows Server 2003 is set to Warn.

■ Several operating system tools help you maintain integrity and detect unsigned drivers: Windows File Protection, System File Check, and File Signature Verification.

■ Non-PNP drivers are installed using the New Hardware Wizard.

■ Device Manager is used to configure driver resources and settings as well as monitor device status. From a driver perspective, you can see the files associated with the driver, uninstall, upgrade, and roll back to the previously installed version.

■ Device Manager enables you to view the system from a device-centric or resource-centric view. Each view is further divided into a hierarchy based on type or connectivity.

Monitoring Server Hardware

■ Use Device Manager and Event Viewer as the primary tools for monitoring. Other tools include Performance console, Device Console Utility (devcon), and various Control Panel applets.

■ Watch for abnormal warnings or errors in the event log from device drivers, because this is usually the first sign of trouble.


■ Use Performance Logs and Alerts to establish a baseline of key performance metrics on your system. You can store the data in text or binary files or in an SQL Server database.

■ System Monitor can be used to view real-time metric data in a graphical fashion, or logged data resulting from Performance Logs and Alerts.

■ Performance Console tools are secured to prevent anyone who is not part of the local Administrators group from accessing them. You can add users to the Performance Monitor Users group to enable them to monitor counters, or to the Performance Log Users group to enable them to manage counters, logs, and alerts.

Troubleshooting Hardware Devices

■ Collect the symptoms, research the issue using the symptoms to come up with some potential causes, and rule out the causes until you get to a set of workarounds or resolutions to the problem that meet your needs.

■ Resource conflicts can be detected using Device Manager or the System Information tool.

■ Last Known Good Configuration restores the HKLM\System\CurrentControlSet registry key from a copy of the one that was last used to successfully boot the system.

■ Safe Mode starts the system with the minimum number of services and drivers to operate.

■ System Configuration Utility enables you to configure settings related to startup. It is more service-centric than device-centric.

■ Recovery Console gives you access to a command prompt-like environment where you can replace files, enable/disable drivers and services, and work with partitions.

■ Emergency Management Services is an out-of-band management tool that enables you to control the system remotely from when the operating system starts to load.

■ Automated System Recovery leverages the backup of the system state data and your backup media to restore critical system configuration information.

■ Installation Repair is a potentially destructive re-installation of the core operating system files that might overwrite any third-party drivers.


Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: What’s the difference between the kernel mode and user mode?

A: Components that run in kernel mode do not benefit from the same level of protection against software defects (e.g., illegal function calls, accessing areas of memory that are not allocated to that process). To facilitate this protection, user mode components (such as the typical Windows application) do not interface with the hardware directly. Instead, they use an abstracted interface using the Windows (Win32) APIs and user-mode drivers, which interact with kernel-mode counterparts.

Q: I’m trying to play some audio files on Windows Server 2003 and Windows Media Player is telling me that I do not have a sound device available. I know there is a sound card; how do I get it working?

A: Windows Server 2003 does not install sound device drivers by default. You should contact your device vendor for Windows Server 2003-compatible drivers and install them.

Q: I plugged in my new device and I can’t see the functionality in my applications. What should I do?

A: Check to see that the driver was installed and the device is working correctly. Refer to the device documentation to ensure that the device supports Plug and Play. If not, install the device driver manually with the New Hardware Wizard.

Q: I’m installing Windows Server 2003 Enterprise Edition (64-bit) on my Itanium-based computer. Can I use my 32-bit drivers?

A: It is recommended that you obtain 64-bit drivers from your device vendor. This will ensure the driver can take full advantage of the 64-bit platform.

Q: I’ve recently installed a multiprocessor main board in my system and Windows Server 2003 uses only the first processor. How can I take advantage of the additional processors?

A: You might need to upgrade the Hardware Abstraction Layer to a multiprocessor version. You can do this by locating the computer in the Computers section of Device Manager and running the process to update the driver.


Q: Plug and Play detects several compatible devices. Which one should I use?

A: Some devices are listed with multiple compatible drivers because they are based on a generic chipset. You should choose the one that the system recommends (usually the first one highlighted) or the one that is closest in name of make/model to the device that you are installing. If you are still unsure, you should contact your device vendor for guidance on the proper driver to install.

Q: When installing Windows Server 2003, Setup is unable to locate my mass storage device to install the operating system on. What should I do?

A: During text-mode Setup, you will be prompted to press F6 to include additional mass storage devices in the setup process. Make sure to have a copy of your mass storage device drivers on hand for Setup to use.

Q:

My device is not operating as efficiently as it was six months ago. How can I tell what is wrong?

A:

If you need immediate insight, use System Monitor to view the counters associated with the device functionality to see if the system is experiencing a higher than normal volume of usage. Consider monitoring it over a period of time using Performance Logs and Alerts, so that you have baseline data from a period when you considered the system to be operating in a healthy state against which to compare the current performance level.

Q:

How do I know if my system is healthy?

A:

Develop a regular routine of monitoring Event Manager for any device-related error messages. You can also use Device Manager to look for devices that have been disabled or are experiencing issues.

Q:

Can I use drivers from Windows 2000 or earlier with Windows Server 2003?

A:

Although the driver specifications are somewhat similar between Windows 2000, Windows XP, and Windows Server 2003, it is recommended that you obtain drivers that were designed for Windows Server 2003. With the changes in the kernel, support for 64-bit processors, and security model changes, an older driver might not run properly in Windows Server 2003.

Q:

A particular device on my system is not functioning. What should I do?

A:

The first step is to check with Device Manager and Event Viewer to see if there are any messages relating to that device. If everything appears to be working, consult your device documentation and vendor for troubleshooting steps focused on the device itself.


Q:

I recently installed a device and now Windows Server 2003 will not start. I am getting bug checks (blue screens or STOP errors) when I try to start the server. What should I do?

A:

Faulty or incorrectly configured device drivers can be the source of the bug checks that you are experiencing. Windows Server 2003 has several tools to help you recover from serious driver-related issues, including Last Known Good Configuration, Safe Mode, System Configuration Utility, Recovery Console, Emergency Management Services, Automated System Recovery, and Installation Repair. The first step is to record the information, examine the root cause of the error using the resources we’ve discussed in this chapter, and then use one of the tools mentioned to recover the system to an operational state.

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Understanding Server Hardware Vulnerabilities

1. You are attempting to play an audio file using Windows Media Player on a server running Windows Server 2003. Windows Media Player tells you that the sound device is not working. What could be the cause of the problem?

A. Your audio file is the incorrect format.

B. The speakers attached to the system are not turned on.

C. Sound devices are not enabled by default.

D. You need to upgrade the version of Windows Media Player.

2. What two conditions must exist for a device driver to be installed when someone who is a member of the local Users group attaches a new device to a system?

A. The drivers must be digitally signed by WHQL and require no user interaction.

B. The drivers must be digitally signed by the vendor and require no user interaction.

C. The drivers must reside anywhere on the hard disk.

D. The drivers must be located in the device driver search path.


Installing and Configuring Server Hardware Devices

3. You have recently installed a new device into the system. You cannot locate an entry for the device in Device Manager, nor have you been prompted to install device drivers at any point. What should you do?

A. Use Windows Update to locate and install an updated version of the device driver.

B. Copy the device drivers to a directory in the device driver search path.

C. Use the Add New Hardware Wizard to install the device drivers.

D. Change the Driver Signing Policy options from Ignore to Warn.

4. A server in your company has recently been upgraded to Windows Server 2003. One of the technicians installs a new device using an older Windows NT 4.0 driver he found on the hard drive from prior to the installation. Now when the system boots you experience a bug check (also known as the blue screen or STOP error). You have disabled the driver using the Recovery Console. What should you do?

A. Reconfigure the device resource settings to use another I/O port.

B. Contact the vendor for a Windows Server 2003-compatible driver.

C. Install the device into a different peripheral interface connection.

D. Replace the device with a new one.

5. Your company has recently set a policy that all servers will use WHQL-signed drivers. You need to enforce this policy on the server. Which Driver Signing options setting should you use?

A. Ignore

B. Warn

C. Block

D. Use the setup default

Monitoring Server Hardware

6. You have recently installed a new non-PNP device using the Add New Hardware Wizard. You need to configure some resource settings in the device driver but you are unable to find it in Device Manager. You verify that the device is attached and working. You need to complete this task with the least administrative effort. How can you gain access to the device properties?


A. Restart the system with the Recovery Console.

B. Restart the system in Safe Mode.

C. Select Resources by Type in Device Manager.

D. Select Show Hidden Devices in Device Manager.

7. Your server is reporting that the AFD Networking Support Environment driver is unable to start because of dependencies failing to start. You need to find the status of these dependencies. What should you do?

A. Use the Service Control utility to enumerate dependencies of the driver.

B. Locate the device driver entry in the HKLM\System\CurrentControlSet\Services registry hive and inspect the Enum key.

C. Launch the System Information utility and export a report of the system drivers.

D. Restart the system and enable Boot Logging.

8. You have been asked to make sure that the critical system files are intact on a server. What tool would you use?

A. File Signature Verification tool

B. System File Checker tool

C. Device Console utility

D. System Configuration utility

9. You have installed a new device into the system; however, the drivers that you were given with the device are not being accepted by the system as compatible. How can you determine if you have the correct device drivers?

A. Check the Event Viewer for the hardware identification number and cross-reference that with the device driver’s INF file.

B. Use the System File Checker to initiate an on-demand scan of the critical system files.

C. Use the Device Console utility to list the hardware identification number and cross-reference that with the device driver’s INF file.

D. Use the Recovery Console to install the device driver.

10. Your company has recently merged with another company. You have been put in charge of assessing the servers from the other company to see if they meet your company policies. You need to check to see if there are any unsigned drivers running on the system. You need to complete this task with the least administrative effort. What should you do?


A. Launch the File Signature Verification tool on the servers to generate reports.

B. Look in the event log message detail for entries from the Service Control Manager on startup.

C. Check the contents of the Trusted Publishers certificate store and create a list of its contents to compare against the servers in your original environment.

D. Compare the contents of the SYSTEM32\DRIVERS directory with the ones on the original environment.

Troubleshooting Hardware Devices

11. You have recently installed an additional network card into your server for users on a new network segment to access the resources. One of the support analysts calls you several weeks later to tell you that users on that network segment cannot access the server. You use Remote Desktop to access the console from one of the other segments. Opening the command prompt you run ipconfig to see that the device is not listed. What should you do?

A. Configure the network interface to use static instead of dynamic IP addressing.

B. Enable the network interface card using Device Manager.

C. Replace the network cable attached to the network interface card.

D. Plug the network cable into another switch/hub port.

12. You have recently made some changes to the resources on one of the devices in your system. Since those changes, you have restarted the server and it now locks up before it is able to get to the logon prompt. What should you do?

A. Disable support for Plug and Play operating systems in the BIOS.

B. Boot the system with the Recovery Console and create a new Master Boot Record (MBR).

C. On startup in the Windows Advanced Option Menu, select the Last Known Good Configuration.

D. On startup in the Windows Advanced Option Menu, select Debugging Mode.

13. You have connected a new device to the system. You go to use the device and find that you cannot access it. In Device Manager you see an entry for the device with the following Device status message: “This device is either not present, not working properly, or does not have all the drivers installed. (Code 13)” What should you do?


A. Copy the driver to the SYSTEM32 directory and restart the computer.

B. Use the Add New Hardware Wizard to install the driver.

C. Launch Device Manager and enable the device.

D. Change the resource settings on the driver to point to a different memory address.

14. You have acquired a new device for your system. After installing the new device drivers and restarting the computer several times, you are still unable to access the device. You look to the Device status in Device Manager to find the following message: “Windows is in the process of setting up this device. (Code 26)” What should you do to resolve this error?

A. Unplug and re-plug in the device.

B. Restart the computer once more.

C. Launch the File Signature Verification and initiate a scan for unsigned drivers.

D. Launch Device Manager to remove the driver, and then run the Add New Hardware Wizard.

15. When you start your server you notice that the keyboard stops working when you reach graphical mode. You connect to the server using Remote Desktop and open Device Manager to find that the keyboard device entry has a yellow exclamation mark beside it. Under Device status you see the following message: “The device is not working properly because Windows cannot load the drivers required for this device (Code 31).” You need to get the keyboard at the console working. What should you do?

A. On startup in the Windows Advanced Option Menu, select Debugging Mode.

B. Replace the keyboard.

C. Launch Device Manager, locate the device entry and disable and then re-enable the device.

D. Launch Device Manager, locate the device entry and uninstall and re-install the keyboard driver.


Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. C

2. A, D

3. C

4. B

5. C

6. D

7. A

8. B

9. C

10. A

11. B

12. C

13. B

14. D

15. D

Chapter 4

MCSA/MCSE 70-290

EXAM 70-290 OBJECTIVE 2

Managing User, Group, and Computer Accounts

Exam Objectives in this Chapter:

2.1 Manage local, roaming, and mandatory user profiles.

2.4 Create and manage user accounts.

2.4.1 Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in.

2.6.2 Diagnose and resolve issues related to user account properties.

2.6.1 Diagnose and resolve account lockouts.

2.3.5 Create and modify groups by using automation.

2.4.2 Create and modify user accounts by using automation.

2.4.3 Import user accounts.

2.6 Troubleshoot user accounts.

2.3 Create and manage groups.

2.3.1 Identify and modify the scope of a group.

2.3.3 Manage group membership.

2.3.4 Create and modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.

2.3.2 Find domain groups in which a user is a member.

2.2 Create and manage computer accounts in an Active Directory environment.

2.5.1 Diagnose and resolve issues related to computer accounts by using the Active Directory Users and Computers MMC snap-in.

2.5.2 Reset computer accounts.

2.5 Troubleshoot computer accounts.


Introduction

In a Windows Server 2003 Active Directory domain, security objects—users, groups, and computers—are represented as account objects that exist within the directory hierarchy and can be created, modified, moved, and removed. Managing these security objects is an important part of the network administrator’s job. Luckily, Microsoft has included many administrative tools, both graphical and command-line, with which you can manipulate and manage these accounts.

In this chapter, you will learn about how Windows Server 2003 treats users, groups, and computers in the Active Directory environment, and we will walk you through the process of using the common management tools, including Active Directory Users and Computers (ADUC) and other useful utilities. We will show you how to create and modify user, group, and computer accounts with ADUC, and you’ll learn to automate account creation and import user accounts.

Groups are special objects that contain users, and security groups are used to simplify management of multiple user accounts by enabling you to apply permissions, user rights, and so forth to an entire group of users in a single operation instead of having to apply them to individual user accounts. You’ll learn to identify and modify the scope of a group, manage group memberships, and find out to which domain groups a user belongs.

EXAM 70-290 OBJECTIVE 2.1

Understanding Security Objects

A security object is an object in Active Directory that can be assigned permissions to other objects. When security objects are created, they are given a security identifier (SID). This number identifies the object to Windows. Objects have friendly names to make it easier for us to remember them. Humans use names to reference accounts, but Windows uses SIDs.

This section will focus on user, group, and machine security objects.

Understanding the Role of User Accounts

User accounts represent people and are used by people to log on to a Windows machine. Windows NT, Windows 2000, Windows XP, and Windows Server 2003 require mandatory logon. By default, unless you press CTRL+ALT+DEL and log on to the machine you cannot interact with the desktop. User accounts are also used as service accounts for applications. This enables programs to use the permissions assigned to their service accounts.

User accounts are used for the following:

■ Authentication: This is the process of proving your identity. User accounts and passwords are used to authenticate users to a domain.

■ Authorization: This is the process of being granted permissions to a resource. Authorization is different from authentication.

■ Auditing: By requiring all your users to use a unique user account, you can easily audit access to resources.


Active Directory contains three user accounts by default. These accounts are created when you create the domain (creating domains is discussed at the end of this chapter). The default user accounts are as follows:

■ Administrator: This account has full control over Active Directory. It is a member of the Administrators, Domain Admins, Enterprise Admins, Group Policy Creator Owners, and Schema Admins groups. By default the Administrator account is enabled. It can be disabled, but not deleted. It is a good idea to rename the Administrator account for security purposes.

■ Guest: This account is meant to be a shared account for people who do not have an account in the domain. The Guest account is disabled by default. Most companies leave it disabled and do not use it. It is a member of the built-in Guests group and the Domain Guests global group.

■ HelpAssistant: This account is used to make a Remote Assistance connection. It has limited access to the computer. It is created and deleted dynamically when Remote Assistance requests are pending and in progress.

NOTE

Remote Assistance is a new feature of Windows Server 2003 (and Windows XP). It enables remotely assisting with computer problems. A remote user can view and control the screen of the machine having problems. Remote Assistance also has a chat window for communicating while working on the computer.

Understanding the Role of Group Accounts

Without groups, you would have to manually assign all permissions to individual user accounts. Groups enable you to organize your users. You can group user accounts and assign permissions to everyone in the group at once. Any permissions assigned to a group are automatically granted to members of that group. Groups can also be used for e-mail distribution. By putting users into a group and assigning an e-mail address to that group, you can e-mail everyone in the group at once.

Understanding the Role of Computer Accounts

Just like user accounts represent people, computer accounts represent machines. Computer accounts provide authentication and auditing for machines. Computer accounts are created for all computers that run Windows NT, Windows 2000, Windows XP, and Windows Server 2003 if the computer is joined to a domain. Computers running Windows 3.x, Windows 9x, or Windows ME do not have computer accounts and can’t be members of a domain, although a user who has an account in the domain can use it to log on to the domain.


Understanding the Role of Active Directory

Active Directory (AD) first appeared in Windows 2000. If you are going to support Windows Server 2003, you will eventually have to understand AD. Microsoft has multiple certification tests devoted to AD alone. This book is not meant to prepare you for those tests, because its focus is on preparing you for the Server test. However, there is a lot of overlap between the tests. Microsoft expects you to be familiar with AD, and you should expect to see it in one way or another on all your tests.

Active Directory is the directory service for Windows Server 2003 (and Windows 2000). A directory service in its simplest form is a way of storing information in a directory so it can easily be retrieved and used later. Active Directory functions as a central repository for information such as user accounts, groups, and machine accounts. AD provides centralized authentication and centralized administration. AD contains many components, including the following:

■ Domains

■ Trees

■ Forests

Figure 4.1 illustrates the layout of AD. It starts off with the tc.org domain. For this example, assume that tc.org was the first domain created. This makes it the forest root domain. Underneath tc.org are two subdomains (also called child domains). These three domains (tc.org, columbia.tc.org, and charleston.tc.org) form the tc.org tree. The training.ads domain has two subdomains (microsoft.training.ads and win2003.microsoft.training.ads) and forms another tree. Lastly, the consulting.net domain is a third tree. Notice that a domain does not need subdomains in order to be considered a tree. All these domains make up the tc.org forest.

You need to remember a few things here. A forest is always named after the first domain created in the forest (tc.org). A tree is always named after the first domain created in a given tree (tc.org, training.ads, and consulting.net). Child domains always share the naming scheme of their parent (training.ads, microsoft.training.ads and win2003.microsoft.training.ads).
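To make these naming rules concrete, here is an added Python example (not from the book) that applies them to the Figure 4.1 domain list: it finds each domain’s parent by the shared name suffix, groups the domains into trees, and reproduces the figure’s forest, tree, and domain counts. The domain list is constructed from the figure; the function names are this example’s own.

```python
"""Forest / tree / child-domain bookkeeping for the Figure 4.1 layout.

Rules applied (as stated in the chapter):
  * a child domain's DNS name ends in its parent's name;
  * a tree is named after its root, the first domain created in that tree;
  * the forest is named after the first domain created in the forest.
"""

# Constructed from Figure 4.1. The first entry is the forest root domain,
# so the list is kept in creation order.
FIGURE_4_1_DOMAINS = [
    "tc.org",                          # first domain created -> forest root
    "columbia.tc.org",
    "charleston.tc.org",
    "training.ads",                    # root of the second tree
    "microsoft.training.ads",
    "win2003.microsoft.training.ads",
    "consulting.net",                  # third tree, a single domain
]


def parent_of(domain, domains):
    """Return the closest ancestor of `domain` within `domains`, or None.

    A child always shares its parent's suffix, so the parent is the longest
    other domain that `domain` ends with, with a dot separating the labels
    ("win2003.microsoft.training.ads" -> "microsoft.training.ads", not
    "training.ads").
    """
    candidates = [d for d in domains if d != domain and domain.endswith("." + d)]
    return max(candidates, key=len) if candidates else None


def tree_root(domain, domains):
    """Walk up the parent chain until a domain with no parent is reached."""
    root = domain
    while parent_of(root, domains) is not None:
        root = parent_of(root, domains)
    return root


def build_trees(domains):
    """Group domains into trees keyed by tree root, preserving creation order."""
    trees = {}
    for d in domains:
        trees.setdefault(tree_root(d, domains), []).append(d)
    return trees


def summarize_forest(domains):
    """Return the labels the figure carries: forest name, tree and domain counts."""
    if not domains:
        raise ValueError("a forest needs at least one domain")
    trees = build_trees(domains)
    return {
        "forest": domains[0],          # named after the first domain created
        "trees": len(trees),
        "domains": len(domains),
        "tree_roots": list(trees),     # tc.org, training.ads, consulting.net
    }


if __name__ == "__main__":
    summary = summarize_forest(FIGURE_4_1_DOMAINS)
    for root, members in build_trees(FIGURE_4_1_DOMAINS).items():
        print(f"tree {root}: {', '.join(members)}")
    print(f"Forest = {summary['forest']}, Trees = {summary['trees']}, "
          f"Domains = {summary['domains']}")
```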

Using Management Tools

In Windows Server 2003, Microsoft gives us multiple ways to accomplish the same thing. We can use the graphical user interface or GUI (pronounced Goo-E) or we can use command-line utilities. Each has its own advantages and disadvantages. Typically, the GUI is easier to use. You do not have to worry about syntax. You just click your way around and get everything done. The command prompt is usually better when you need to make changes in bulk. It can be more complex than the GUI, but it supports scripting, which opens up a whole realm of possibilities.


Figure 4.1 Understanding the Structure of Active Directory

[Figure: diagram of the tc.org forest. Tree roots: tc.org, training.ads, consulting.net. Child domains: columbia.tc.org, charleston.tc.org, microsoft.training.ads, win2003.microsoft.training.ads. Forest = 1, Trees = 3, Domains = 7.]

Using the Active Directory Users and Computers (ADUC) Administrative Tool

The tool most commonly used to manage user, group, and computer accounts is Active Directory Users and Computers (ADUC). ADUC is found in the Administrative Tools folder (Start | Programs | Administrative Tools | Active Directory Users and Computers). In this chapter we will cover the details of using ADUC to create and manage users, groups, and computers. First, familiarize yourself with the layout of ADUC as shown in Figure 4.2.

Figure 4.2 Getting Familiar with Active Directory Users and Computers


Like all of Microsoft’s administrative tools in Windows Server 2003 (and Windows 2000), ADUC is built from a Microsoft Management Console (MMC). This gives all the tools a similar look and feel. The MMC is broken into two panes: the console pane on the left and the details pane on the right. The console pane is used for navigating through the domain and organizational unit (OU) structure. When you select an object in the console pane, its members appear in the details pane. For example, in Figure 4.2, the Users container is selected and all its members are listed on the right. Figure 4.3 shows the most common objects in ADUC.

ADUC has a query feature that is new to Windows Server 2003. You can use the Saved Queries folder to create and save XML queries that can later be reused. For example, you may want to query AD daily for members of the Domain Admins group.

Right-clicking an object (OU, user, group, etc.) gives you a pop-up menu. A lot of your administration can be accomplished directly from this menu. Everything else is accomplished by going to the properties of an object. We discuss this in more detail throughout the chapter.

TEST DAY TIP

Your machine may not have ADUC installed. By default, it is installed on all domain controllers. ADUC is installed as part of the adminpak. Run adminpak.msi from the I386 directory on the Windows Server 2003 server.

Figure 4.3 Recognizing Objects in Active Directory

[Figure: the icons ADUC uses for the object types Domain, User, Container, Group, Computer, and Organizational Unit.]


NOTE

Organizational unit containers and default containers serve the same purpose. They organize objects within a domain. Default containers appear as folders in ADUC. OU containers appear as folders, but they have the picture of a gray book on them as shown in Figure 4.3. The difference between OU containers and default containers is that you can assign group policy to an OU container, but not to a default container. People commonly refer to the default containers as OUs, but technically there is a difference between the two.

Using Command-Line Utilities

Sometimes you need the capability to script changes to Active Directory. This is where command-line utilities come in handy. Microsoft has increased the number of things that can be done from the command line. Some of the command-line tools are so easy to use you may find yourself using them regularly and not even going into ADUC. This chapter covers the following command-line tools:

■ dsadd.exe

■ dsget.exe

■ dsmove.exe

■ dsquery.exe

■ gpresult.exe

■ whoami.exe

■ cmdkey.exe

All these tools are described in the following sections. The basic commands and syntax for each tool are listed. Some tools are covered in more detail later in the chapter and are not given as much detail right now. Some tools have a table of all the supported options for the given tool. These tables are here for reference; you do not need to memorize them for the test.

Reading switches and help files from the command prompt can sometimes be confusing, so we have summarized that information into tables to make it easier to understand. Each tool is followed with examples. The purpose of the examples is to make sense of the syntax and to give you some easy-to-understand commands that you can use right away.


NOTE

The syntax for all these commands is available by typing the particular command followed by a question mark. For example, to see the syntax for modifying group membership, type dsmod.exe group /?. Additional steps and syntax for each command are listed throughout the chapter under the Using the Command Line to Create and Manage Users, Using the Command Line to Create and Manage Groups, and Using the Command Line to Create and Manage Machine sections.

Becoming Familiar with Using Command-Line Tools

Before we dive into the various commands, we’ll cover command-line syntax in general. If you are a pro at using command-line tools, you may want to skip ahead to the next section (Using dsadd.exe), because you may find this section fairly basic. For the rest of you, we hope this will make using command-line tools a joy instead of a burden.

Using command-line tools can be difficult at times. The sticking point for most people isn’t figuring out which tool to use. The problem is making sense of the syntax for the tool.

Syntax refers to the structure of the command and the ordering and relationship of the structural elements. You can view the available syntax for a tool by typing the tool name followed by /?. For this section, we are going to analyze the NET USE command. You use this command to map drives to network resources. After you are familiar with reading the syntax for this tool, you are ready to tackle all other tools because they all use the same format. To view the syntax for the NET USE command, type the following:

NET USE /?

After typing this command and pressing Enter (always press Enter at the end of your command), you are given the syntax for the NET USE command. (There is more syntax than this, but this is where we are going to focus):

NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]]
[/USER:[domainname\]username]
[/USER:[dotted domain name\]username]
[/USER:[username@dotted domain name]

At first glance, this can seem intimidating. The syntax is spread across multiple lines. However, all the commands are used on a single line at the command prompt (your line may wrap around, but it is still one continuous command). When you are reading help, remember that the commands wrap around because they won’t all fit on one line, but this does not mean that you enter the commands in multiple parts.

Look at each component of the net use syntax, starting with the following:

NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]]


NET USE is the command and all the other words are the options for the command. Brackets [ ] are used to separate the options. Everything in one set of brackets goes together. The first set of brackets [devicename | *] tells us to pick a device name (a drive letter such as x:) or to key in an * (asterisk). If you key in an *, NET USE will pick the next available drive letter.

The second set of brackets [\\computername\sharename[\volume] [password | *]] actually contains brackets within brackets. This tells you that this section is made up of two smaller sections, and both smaller sections should be used together.

The first section within the second set of brackets, \\computername\sharename[\volume], tells you to put in the network path to the share you want to map to. You can either map to a share by using \\computername\sharename or you can map to a folder within the share by using the optional [\volume] option. The second section within the second set of brackets, [password | *], tells you to key in your password or key in an * to have NET USE prompt you for your password. Now that you know how this works, look at some examples:

The following example maps a G: drive to a share named data on a machine called server03:

NET USE G: \\server03\data

If you wanted to do the same thing but have NET USE pick a drive letter for you, you could key in an * instead of G:

NET USE * \\server03\data

To take it a step further, you could use the [\volume] option and have NET USE map you to a folder inside the share:

NET USE * \\server03\data\excel

So far you haven’t used the password option. If you leave this option blank, NET USE will use the password of the user you are currently logged on as. To tell NET USE to use the password syngress, use the following command:

NET USE * \\server03\data\excel syngress

The problem with keying in the password is that the password is exposed for someone to see. If you use the * option instead, NET USE prompts you for your password and does not display it on the screen as you key it in:

NET USE * \\server03\data\excel *

Now that you have an idea of how all the options fit together, look at the third set of brackets. This section specifies the username to be used when mapping a drive. It comes in three varieties:


[/USER:[domainname\]username]
[/USER:[dotted domain name\]username]
[/USER:[username@dotted domain name]

The first one, [/USER:[domainname\]username], tells you to specify the username in the format of domain name followed by the username. This format uses the one-word NetBIOS-compatible domain name. The second one tells you to specify the username in the format of fully qualified domain name followed by the username. This is the hierarchical Active Directory domain name. The third one tells you to specify the username by using the user principal name (UPN). This format uses the @ sign between the user account name and the domain name, like an Internet e-mail address.

Add this to what you learned earlier and finish up by putting all the pieces together.

The following example uses NET USE to map a drive using the next available drive letter to a folder named excel within a share named data on a server named server03. Use the password syngress for the user account ctodd in the childdom.w2k3doma.ads domain.

First, use the domainname\username format:

NET USE * \\server03\data\excel syngress /user:childdom\ctodd

Now, try the same thing with the fully qualified domain name format:

NET USE * \\server03\data\excel syngress /user:childdom.w2k3doma.ads\ctodd

Lastly, try it with the user principal name:

NET USE * \\server03\data\excel syngress /user:ctodd@childdom.w2k3doma.ads

Test Day Tip

Do not get discouraged if you cannot remember all the syntax for all the tools in this chapter. What you need to focus on is what each tool is capable of doing and becoming familiar with reading and understanding the syntax.

Using dsadd.exe

As the name implies, dsadd.exe adds objects to Active Directory. dsadd.exe can add computer, contact, group, organizational unit, or user objects. dsadd.exe supports the following commands:

dsadd computer   Adds a computer to the directory.
dsadd contact    Adds a contact to the directory.
dsadd group      Adds a group to the directory.
dsadd ou         Adds an organizational unit to the directory.
dsadd user       Adds a user to the directory.
dsadd quota      Adds a quota specification to a directory partition.

Examples

To add a contact, use the following syntax:

dsadd contact <ContactDN> [-fn <FirstName>] [-mi <Initial>]
[-ln <LastName>] [-display <DisplayName>] [-desc <Description>]
[-office <Office>] [-tel <Phone#>] [-email <Email>]
[-hometel <HomePhone#>] [-pager <Pager#>] [-mobile <CellPhone#>]
[-fax <Fax#>] [-iptel <IPPhone#>] [-title <Title>]
[-dept <Department>] [-company <Company>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

Here is an example that adds a contact for Chad Todd. The company is set to Training Concepts, LLC and the e-mail address is set to [email protected]:

dsadd contact "CN=Chad Todd,OU=contacts,DC=trainingconcepts,DC=org" -fn Chad -ln Todd -company "Training Concepts, LLC" -email [email protected]

To add an OU, use the following syntax:

dsadd ou <OrganizationalUnitDN> [-desc <Description>]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

Here is an example that adds an OU called Trainers in the trainingconcepts.org domain with the description “This OU contains all trainer user accounts.”:

dsadd ou "OU=Trainers,DC=trainingconcepts,DC=org" -desc "This OU contains all trainer user accounts."

Using dsmod.exe

dsmod.exe modifies attributes of objects in Active Directory. dsmod.exe can modify computers, contacts, groups, servers, organizational units, users, quotas, and partitions. dsmod.exe supports the following commands:


dsmod computer    Modifies attributes of one or more computers in the directory.
dsmod contact     Modifies attributes of one or more contacts in the directory.
dsmod group       Modifies attributes of one or more groups in the directory.
dsmod server      Modifies attributes of one or more servers in the directory.
dsmod ou          Modifies attributes of one or more OUs in the directory.
dsmod user        Modifies attributes of one or more users in the directory.
dsmod quota       Modifies attributes of one or more quotas in the directory.
dsmod partition   Modifies attributes of one or more partitions in the directory.

Examples

To modify a contact, use the following syntax:

dsmod contact ContactDN [-fn FirstName] [-mi Initial] [-ln LastName]
[-display DisplayName] [-desc Description] [-office Office] [-tel PhoneNumber]
[-email Email] [-hometel HomePhoneNumber] [-pager PagerNumber]
[-mobile CellPhoneNumber] [-fax FaxNumber] [-iptel IPPhoneNumber]
[-title Title] [-dept Department] [-company Company]
[{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q]

Here is an example that modifies the description and e-mail address for the contact for Chad Todd. The description is set to Microsoft Trainer and the e-mail address is set to [email protected]:

dsmod contact "CN=Chad Todd,OU=Contacts,DC=trainingconcepts,DC=org" -desc "Microsoft Trainer" -email [email protected]

To modify an OU, use the following syntax:

dsmod ou OrganizationalUnitDN [-desc Description] [{-s Server | -d Domain}]
[-u UserName] [-p {Password | *}] [-c] [-q] [{-uc | -uco | -uci}]

Here is an example that changes the description of the Trainers OU:

dsmod ou "OU=Trainers,DC=trainingconcepts,DC=org" -desc "This OU contains all trainer user accounts."


Using dsget.exe

dsget.exe is used to see the properties of objects in Active Directory. It shows selected attributes of computers, contacts, groups, organizational units, servers, or users. You input objects into dsget.exe and it outputs a list of properties for those objects. dsget.exe supports the following commands:

dsget computer    Displays properties of computers in the directory.
dsget contact     Displays properties of contacts in the directory.
dsget subnet      Displays properties of subnets in the directory.
dsget group       Displays properties of groups in the directory.
dsget ou          Displays properties of OUs in the directory.
dsget server      Displays properties of servers in the directory.
dsget site        Displays properties of sites in the directory.
dsget user        Displays properties of users in the directory.
dsget quota       Displays properties of quotas in the directory.
dsget partition   Displays properties of partitions in the directory.

Examples

To get information about a contact, use the following syntax:

dsget contact ContactDN ... [-dn] [-fn] [-mi] [-ln] [-display] [-desc]
[-office] [-tel] [-email] [-hometel] [-pager] [-mobile] [-fax] [-iptel]
[-title] [-dept] [-company] [{-s Server | -d Domain}] [-u UserName]
[-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Here is an example that gets the e-mail address for the Chad Todd contact:

dsget contact "CN=Chad Todd,OU=Contacts,DC=trainingconcepts,DC=org" -email

To get information about an OU, use the following syntax:

dsget ou OrganizationalUnitDN ... [-dn] [-desc] [{-s Server | -d Domain}]
[-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Here is an example that gets the description for the Trainers OU:

dsget ou "OU=Trainers,DC=trainingconcepts,DC=org" -desc


Using dsmove.exe

The name dsmove.exe implies that it moves objects within the directory service. This is, however, only part of what it does. dsmove.exe moves a single object to a new location in the same domain. However, it will also rename a single object without moving it.

dsmove.exe uses the following syntax. (Table 4.1 explains all the syntax in detail.)

dsmove <ObjectDN>
[-newparent <ParentDN>]
[-newname <NewName>]
[{-s <Server> | -d <Domain>}]
[-u <UserName>]
[-p {<Password> | *}]
[-q]
[{-uc | -uco | -uci}]

Note

Every Active Directory object has a relative distinguished name (RDN) and a distinguished name (DN). The RDN identifies an object within its parent container. The DN identifies the object within the entire directory. The DN consists of the RDN and its entire parent container objects.

For example, the RDN for the Chad user account in the Authors organizational unit in the trainingconcepts.org domain is CN=chad. The DN for the same object is CN=chad, OU=authors, DC=trainingconcepts, DC=org. As you read through this chapter, remember that DN is the distinguished name of an object.

Table 4.1 Understanding dsmove.exe

Value                         Description
<ObjectDN>                    Distinguished name (DN) of object to move or rename.
-newparent <ParentDN>         DN of the new parent location where the object should be moved.
-newname <NewName>            New relative distinguished name (RDN) value that the object should be renamed to.
{-s <Server> | -d <Domain>}   -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the logon domain.
-u <UserName>                 Connect as <UserName>. Default: the logged-on user. Username can be: username, domain\username, or user principal name (UPN).
-p <Password>                 Password for the user <UserName>. If * is used, then the command prompts for a password.
-q                            Quiet mode: suppress all output to standard output.
{-uc | -uco | -uci}           -uc specifies that input from or output to pipe is formatted in Unicode. -uco specifies that output to pipe or file is formatted in Unicode. -uci specifies that input from pipe or file is formatted in Unicode.

Examples

The following examples move the Chad Todd user from one OU to another and rename the Sarah Smith user account.

To move the user object Chad Todd from the Training OU to the Consulting OU, type the following command:

dsmove "cn=Chad Todd,ou=training,dc=trainingconcepts,dc=org" -newparent ou=consulting,dc=trainingconcepts,dc=org

To rename the Sarah Smith user object to Sarah Todd, type the following command:

dsmove "cn=Sarah Smith Doe,ou=sales,dc=trainingconcepts,dc=org" -newname "Sarah Todd"
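The Note on RDNs and DNs and the two dsmove examples above describe a transformation that is easy to get wrong by hand (an escaped comma inside a CN, a parent in another domain). The following added example, which is not code from the book, parses a DN into its RDNs and predicts the DN that dsmove -newparent (move: same RDN, new container) and dsmove -newname (rename: new RDN, same container) will produce; the cross-domain check mirrors the text's statement that dsmove moves only within the same domain.

```python
"""Parse distinguished names and predict what dsmove will produce.

Added example, not the book's code. It splits a DN into its RDNs the way
the Note above describes, then applies the two dsmove operations: move
(-newparent keeps the RDN, changes the container) and rename (-newname
changes the RDN value, keeps the container).
"""
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, honouring backslash escapes.

    'CN=Todd\\, Chad,OU=authors,DC=trainingconcepts,DC=org' has an escaped
    comma inside the first RDN, so a plain split(',') would be wrong.
    """
    rdns: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def escape_rdn_value(value: str) -> str:
    """Escape the characters that are special inside an RDN value."""
    return "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)


def rdn_of(dn: str) -> str:
    """The RDN is the leftmost component, e.g. CN=chad."""
    return split_dn(dn)[0]


def parent_of(dn: str) -> str:
    """The remaining components name the parent container."""
    return ",".join(split_dn(dn)[1:])


def domain_of(dn: str) -> List[str]:
    """The DC= components, lower-cased: the domain the object lives in."""
    return [r.lower() for r in split_dn(dn) if r.upper().startswith("DC=")]


def move(dn: str, new_parent: str) -> str:
    """dsmove <ObjectDN> -newparent <ParentDN>: same RDN, new container.

    dsmove only moves within one domain, so refuse a cross-domain parent.
    """
    if domain_of(dn) != domain_of(new_parent):
        raise ValueError("dsmove cannot move objects between domains")
    return f"{rdn_of(dn)},{new_parent}"


def rename(dn: str, new_name: str) -> str:
    """dsmove <ObjectDN> -newname <NewName>: new RDN value, same container."""
    attr = rdn_of(dn).split("=", 1)[0]          # keep CN=, OU=, ...
    return f"{attr}={escape_rdn_value(new_name)},{parent_of(dn)}"


if __name__ == "__main__":
    chad = "cn=Chad Todd,ou=training,dc=trainingconcepts,dc=org"
    print(move(chad, "ou=consulting,dc=trainingconcepts,dc=org"))
    print(rename("cn=Sarah Smith,ou=sales,dc=trainingconcepts,dc=org", "Sarah Todd"))
```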

Using dsquery.exe

dsquery.exe enables you to query Active Directory for objects that match a specified criterion. This is useful if you need to search all of AD for objects that have similar characteristics. For example, you may want to search for all disabled user accounts or for all groups that do not have a description. dsquery.exe supports the following commands:

dsquery computer    Finds computers in the directory.
dsquery contact     Finds contacts in the directory.
dsquery subnet      Finds subnets in the directory.
dsquery group       Finds groups in the directory.
dsquery ou          Finds organizational units in the directory.
dsquery site        Finds sites in the directory.
dsquery server      Finds domain controllers in the directory.
dsquery user        Finds users in the directory.
dsquery quota       Finds quota specifications in the directory.
dsquery partition   Finds partitions in the directory.
dsquery *           Finds any object in the directory by using a generic LDAP query.

Examples

You can pipe results from dsquery.exe into dsget.exe. In other words, you can use dsquery.exe to find objects in Active Directory and have dsget.exe show their properties.

To find all users with names starting with “Chad” and display their office numbers, type the following command:

dsquery user -name Chad* | dsget user -office

To find all servers that have been inactive for the past six weeks, type the following command:

dsquery computer -inactive 6

To find all users in the organizational unit “ou=training,dc=trainingconcepts,dc=org”, type the following command:

dsquery user ou=training,dc=trainingconcepts,dc=org

Using gpresult.exe

gpresult.exe displays the Resultant Set of Policy (RSoP) information for a target user and computer. RSoP is a tool that can show the effective policy applied to a user or computer or what the policy would be, for planning purposes. This tool is very helpful for troubleshooting Group Policy, because it shows you all the policy applied and the effective policy. gpresult.exe uses the following syntax (Table 4.2 explains the syntax in detail):

GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope]
[/USER targetusername] [/V | /Z]

Table 4.2 Understanding gpresult.exe

Value                 Description
/S System             Specifies the remote system to connect to.
/U [domain\]user      Specifies the user context under which the command should execute.
/P [password]         Specifies the password for the given user context. Prompts for input if omitted.
/SCOPE scope          Specifies whether the user or the computer settings needs to be displayed. Valid values: “USER,” “COMPUTER.”
/USER [domain\]user   Specifies the username for which the RSOP data is to be displayed.
/V                    Specifies that verbose information should be displayed. Verbose information provides additional detailed settings that have been applied with a precedence of 1.
/Z                    Specifies that the super-verbose information should be displayed. Super-verbose information provides additional detailed settings that have been applied with a precedence of 1 and higher. This enables you to see if a setting was set in multiple places. See the Group Policy online help topic for more information.
/?                    Displays this help message.

Examples

To show the RSoP data for the current logged-on user, type gpresult without any parameters, as shown in the following example:

GPRESULT

This gives you output similar to the following:

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0

Copyright (C) Microsoft Corp. 1981-2001

Created On 6/28/2003 at 1:18:01 AM

RSOP data for W2K3DOMA\chad on W2K3_DC : Logging Mode

------------------------------------------------------

OS Type: Microsoft(R) Windows(R) Server 2003,

Enterprise Edition

OS Configuration: Primary Domain Controller

OS Version: 5.2.3790

Terminal Server Mode: Application Server


Site Name: Default-First-Site-Name

Roaming Profile: c:\profiles\Chad

Local Profile: C:\Documents and Settings\Administrator

Connected over a slow link?: No

COMPUTER SETTINGS

------------------

CN=W2K3_DC,OU=Domain Controllers,DC=w2k3doma,DC=ads

Last time Group Policy was applied: 6/28/2003 at 1:13:28 AM

Group Policy was applied from: w2k3_dc.w2k3doma.ads

Group Policy slow link threshold: 500 kbps

Domain Name: W2K3DOMA

Domain Type: Windows 2000

Applied Group Policy Objects

-----------------------------

Default Domain Controllers Policy

Default Domain Policy

Local Group Policy

The following GPOs were not applied because they were filtered out

-------------------------------------------------------------------

GPO Demo

Filtering: Not Applied (Empty)

The computer is a part of the following security groups

-------------------------------------------------------

BUILTIN\Administrators

Everyone

BUILTIN\Pre-Windows 2000 Compatible Access

BUILTIN\Users

Windows Authorization Access Group

NT AUTHORITY\NETWORK

NT AUTHORITY\Authenticated Users

This Organization

W2K3_DC$

Domain Controllers

NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS


USER SETTINGS

--------------

CN=Chad,CN=Users,DC=w2k3doma,DC=ads

Last time Group Policy was applied: 6/28/2003 at 12:38:02 AM

Group Policy was applied from: w2k3_dc.w2k3doma.ads

Group Policy slow link threshold: 500 kbps

Domain Name: W2K3DOMA

Domain Type: Windows 2000

Applied Group Policy Objects

-----------------------------

Default Domain Policy

The following GPOs were not applied because they were filtered out

-------------------------------------------------------------------

GPO Demo

Filtering: Not Applied (Empty)

Local Group Policy

Filtering: Not Applied (Empty)

The user is a part of the following security groups

---------------------------------------------------

Domain Users

Everyone

BUILTIN\Administrators

BUILTIN\Users

BUILTIN\Pre-Windows 2000 Compatible Access

NT AUTHORITY\INTERACTIVE

NT AUTHORITY\Authenticated Users

This Organization

LOCAL

Enterprise Admins

Group Policy Creator Owners

Domain Admins

Schema Admins


You can target gpresult.exe toward a certain user or machine, as shown in the following examples:

gpresult /user chad

gpresult /s chadlaptop
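Reading one report like the one above is quick; checking a fleet is not, because gpresult prints text. The following added example, which is not code from the book, parses a constructed transcript (SAMPLE) laid out like the output shown above into the applied GPOs, the filtered GPOs with their reasons and the security-group list for each scope, and reports membership in the highly privileged groups; PRIVILEGED is this example's own watch list.

```python
"""Parse gpresult logging-mode output and flag privileged memberships.

Added example, not the book's code. SAMPLE is a constructed transcript in
the layout gpresult prints; PRIVILEGED is this example's own watch list.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE = r"""RSOP data for W2K3DOMA\chad on W2K3_DC : Logging Mode
------------------------------------------------------
COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 6/28/2003 at 1:13:28 AM

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy
        Local Group Policy

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        GPO Demo
            Filtering:  Not Applied (Empty)
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        BUILTIN\Administrators
        Enterprise Admins
        Domain Admins
        Schema Admins
"""

PRIVILEGED = {"domain admins", "enterprise admins", "schema admins", "builtin\\administrators"}


@dataclass
class Scope:
    """What gpresult reports under COMPUTER SETTINGS or USER SETTINGS."""
    applied: List[str] = field(default_factory=list)
    filtered: Dict[str, str] = field(default_factory=dict)  # GPO -> reason
    groups: List[str] = field(default_factory=list)


def parse_gpresult(text: str) -> Dict[str, object]:
    """Return {'user', 'host', 'COMPUTER': Scope, 'USER': Scope}."""
    report: Dict[str, object] = {}
    banner = re.search(r"RSOP data for (\S+) on (\S+)", text)
    if banner:
        report["user"], report["host"] = banner.group(1), banner.group(2)
    scope = None
    block = None
    last_gpo = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            block = None                     # a blank line ends a list
        elif set(line) == {"-"}:
            pass                             # underline of a heading
        elif line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope = report[line.split()[0]] = Scope()
            block = None
        elif scope is None:
            pass                             # banner lines before any scope
        elif line == "Applied Group Policy Objects":
            block = "applied"
        elif line.startswith("The following GPOs were not applied"):
            block = "filtered"
        elif line.endswith("is a part of the following security groups"):
            block = "groups"
        elif block == "applied":
            scope.applied.append(line)
        elif block == "filtered" and line.startswith("Filtering:"):
            scope.filtered[last_gpo] = line.split(":", 1)[1].strip()
        elif block == "filtered":
            last_gpo = line
            scope.filtered[line] = ""
        elif block == "groups":
            scope.groups.append(line)
    return report


def privileged_memberships(scope: Scope) -> List[str]:
    """Groups in the RSoP listing that carry broad administrative rights."""
    return sorted(g for g in scope.groups if g.lower() in PRIVILEGED)
```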

Using whoami.exe

whoami.exe displays usernames and group membership information about the currently logged-on user. It can display the security identifier (SID) and all privileges assigned to that SID. This tool is great if you need to quickly see which groups a user belongs to.

Note

Privileges enable certain tasks to be accomplished on the local machine and in Active Directory. Examples of AD privileges include act as part of the operating system, add workstations to a domain, and back up files and directories.

whoami.exe has three variations of syntax, as shown in the following examples (Table 4.3 explains all the syntax in detail):

■ Syntax 1: WHOAMI [/UPN | /FQDN | /LOGONID]

■ Syntax 2: WHOAMI { [/USER] [/GROUPS] [/PRIV] } [/FO format] [/NH]

■ Syntax 3: WHOAMI /ALL [/FO format] [/NH]

Table 4.3 Understanding whoami.exe

Value        Description
/UPN         Displays the username in User Principal Name (UPN) format.
/FQDN        Displays the username in Fully Qualified Distinguished Name (FQDN) format.
/USER        Displays information on the current user along with the security identifier (SID).
/GROUPS      Displays group membership for current user, type of account, security identifiers (SID), and attributes.
/PRIV        Displays security privileges of the current user.
/LOGONID     Displays the logon ID of the current user.
/ALL         Displays the current username, groups belonged to along with the security identifiers (SID), and privileges for the current user access token.
/FO format   Specifies the output format to be displayed. Valid values are TABLE, LIST, CSV. Column headings are not displayed with CSV format. Default format is TABLE.
/NH          Specifies that the column header should not be displayed in the output. This is valid only for TABLE and CSV formats.
/?           Displays this help message.

Examples

To display the user principal name of the currently logged-on user, type the following command:

whoami /upn

To display the fully qualified name of the currently logged-on user, type the following command:

whoami /fqdn

To display the SID of the currently logged-on user, type the following command:

whoami /logonid

To display the group membership for the currently logged-on user, type the following command:

whoami /groups

To display the username, group membership, SID, and privileges for the currently logged-on user, type the following command:

whoami /all

Using cmdkey.exe

cmdkey.exe enables you to manage Stored Usernames and Passwords from the command prompt. It displays, creates, and deletes stored usernames and passwords. cmdkey.exe uses the following syntax. (Table 4.4 displays the syntax for cmdkey.exe in detail.)


CMDKEY [{/add | /generic}:targetname {/smartcard | /user:username {/pass{:password}}} | /delete{:targetname | /ras} | /list{:targetname}]

Table 4.4 Understanding cmdkey.exe Syntax

Value                Description
/add:                Adds a username and password to the list.
/generic             Adds generic credentials to the list.
TargetName           The computer or domain name that this entry will be associated with.
/smartcard           Retrieves the credential from a smart card.
/user: username      Specifies the user or account name to store with this entry. If UserName is not supplied, it will be requested.
/pass: password      Specifies the password to store with this entry. If Password is not supplied, it will be requested.
/delete: targetname  Deletes a username and password from the list. If TargetName is specified, that entry will be deleted.
/ras                 If /ras is specified, the stored remote access entry will be deleted.
/list: targetname    Displays the list of stored usernames and credentials. If TargetName is not specified, all stored usernames and credentials will be listed.
/?                   Displays help at the command prompt.

Examples

To list available credentials for the currently logged-on user, type the following command:

cmdkey /list

To list available credentials for the user named ctodd, type the following command:

cmdkey /list:ctodd

To display a list of stored credentials with usernames, type the following command:

cmdkey /list

To use cmdkey to add a username and password for user ctodd to access the computer win2k3srv with the password syngress, type the following command:

cmdkey /add:win2k3srv /user:ctodd /pass:syngress

To delete existing credentials for the user ctodd, type the following command:

cmdkey /delete:ctodd


Exam 70-290 Objective 2.4

Creating and Managing User Accounts

User accounts are required to log on to a Windows network. Active Directory only gives us two built-in user accounts (administrator and guest) to log on with by default. All other accounts must be manually created. You can create user accounts through the GUI with Active Directory Users and Computers (ADUC). You can create them from the command prompt by using tools such as dsadd.exe, csvde.exe, and ldifde.exe.

Exam 70-290 Objective 2.4.1

Using the ADUC MMC Snap-In to Create and Manage Users

This section discusses using ADUC to create and manage users. Exercise 4.01 covers creating users. It is important to know how to create users. However, for the test you also need to know how to manage users. This section walks you through all the tabs of an Active Directory user account with screenshots and explanations.

Exercise 4.01 Using Active Directory Users and Computers to Create Users

1. Open Active Directory Users and Computers (Start | Programs | Administrative Tools | Active Directory Users and Computers).

2. Right-click the domain or OU where you want to create a user, as shown in Figure 4.4.

3. Click New from the pop-up menu.

4. Click User from the pop-up menu. The New Object – User screen appears, as shown in Figure 4.5.

5. Fill in the new user’s information. For this example, you are creating a user named Sarah Todd with the username stodd. At a minimum, you must fill in the Full name and the User logon name. However, if you fill in the First name and Last name fields, ADUC automatically transfers that information to the Full name field. Typing the User logon name automatically fills in the User logon name (pre-Windows 2000) field as well. When you have filled in all necessary information, click Next to continue. This will bring you to the password window shown in Figure 4.6.

6. The only requirement here is to enter a password for the new user account. By default the user account will be set to force the user to change his or her password at the next logon. You can undo this by clearing the corresponding check box. Optionally, you can set the user’s password to never expire or you can make it so the user cannot change the password. If the account is not going to be used for some time, you may want to disable it now so as to avoid it being used until needed. After you have entered a password and made your selections, click Next to continue.

Figure 4.4 Creating a New User

Figure 4.5 Naming the New User

Figure 4.6 Setting the Password

7. The summary screen appears, as shown in Figure 4.7. Verify that the settings are correct and click Finish to create the user. Figure 4.8 shows us that our new user account for Sarah Todd was created.

Figure 4.7 Verifying Settings

Figure 4.8 Viewing the New User Account in the Users Container


Exam 70-290 Objective 2.6.2

Managing and Troubleshooting User Accounts Via the Properties Tabs

As you have seen, creating user accounts is fairly simple. Managing user accounts after creation is a little more difficult. There are a lot more options for managing user accounts than for creating them. For the Server test you need to be familiar with the properties of user accounts, including what each tab is used for. This section provides screenshots with explanations for each of these tabs. To access a user’s properties sheet, right-click the user account name in the right pane of ADUC and select Properties.

Exam Warning

You need to be familiar with the properties of a user account for the test. This test uses exhibits to test your knowledge of the Active Directory Users and Computers interface. For example, you may see a screenshot of a user’s properties and have to select the tab that manages Terminal Server idle timeouts or you may see a screenshot with the correct tab selected and have to click on the option that is needed for that particular question. KNOW your tabs!

Note

Throughout this chapter we will be looking at the various tabs for users, groups, and machines. To see all of the tabs discussed, you must enable the advanced view within ADUC. To do this, click the View button on the menu bar (Figure 4.8) and select Advanced from the drop-down menu.

Using the General Tab

The General tab, as shown in Figure 4.9, contains descriptive information about the user account. The First name, Last name, and Display name fields are carried over from when you created the user. The other fields must be filled in after account creation. Some companies use the description field as a placeholder for other information so they can search on it later. For example, if you enter everyone’s birthday into the description field, then you can use that field to find everyone with a birthday on a specified day.

Using the Address Tab

The Address tab, as shown in Figure 4.10, is self-explanatory. It contains the user’s address, including the following:

Street Name
P.O. Box
City
State
Zip Code
Country

Figure 4.9 Understanding a User’s General Tab

Figure 4.10 Understanding a User’s Address Tab


Exam 70-290 Objective 2.6.1

Using the Account Tab

The Account tab, as shown in Figure 4.11, is where most of the action takes place. This is where you change a user’s logon name, the user principal name (UPN), or a user’s UPN suffix. User accounts are unlocked from the Account tab. Whenever a user logs on with an incorrect password a preconfigured number of times, their account is locked. This makes it unusable until an administrator unlocks it. You can also set the account to expire after a set date.

This is a good feature if you have contract or temporary employees working for you. If you know they are on a six-month contract, go ahead and set their accounts to expire in six months. Some companies set all temporary employee user accounts to expire monthly as a security precaution. If the temporary user leaves the company without notifying the IT department, the account can only be used (or abused) for 30 days.

Figure 4.11 Understanding a User’s Account Tab

The Account options section of the Account tab has the following options:

User must change password at next logon

This forces a user to change his or her password the next time the user logs on. This is used when someone forgets the password and must have it reset. The administrator resets it to something easy, and the user has to change it upon first logon. This ensures that only the user knows his or her password. This is also the default when you initially create the account, so the user can set a new password that isn’t known to the administrator.

User cannot change password

This prevents users from changing their passwords. This is a good choice for accounts that will be running services (a.k.a. service accounts) or for shared accounts such as classroom or kiosk accounts.

Password never expires

When this is checked, the user’s password will not expire. This option overrides the account policy configured for the domain (in the default domain policy GPO). Use this option sparingly. If a hacker stumbles across an account with the password set to not expire, he has unlimited use of that account until someone decides to change the password. This is a good option to use for service accounts, because you don’t want the quarterly password change to affect the services on your machines.

Store passwords using reversible encryption

This option is required when using Digest Authentication in Internet Information Services (IIS), when logging on to a Windows domain from an Apple computer, and when using Challenge-Handshake Authentication Protocol (CHAP) authentication through a remote access server. This setting instructs Active Directory to store a plain text copy of the password. Unless explicitly required, you should leave this check box cleared.

Account is disabled

Disabling an account does not change any permissions assigned to or settings configured for the user account. It just disables logging on with the account. This is a good thing to do for accounts that are seldom logged on with, such as test accounts or accounts used only as templates. It is also a good idea to disable accounts for people who are going on extended leave from the company. If you know they will not need access to their accounts, then disable them. Disable accounts rather than deleting them any time a user leaves but there is a possibility the user might return and need to resume using the account. If you delete the account, you’ll have to recreate it completely (and it won’t have the same SID). If you just disable it, you can easily enable it again when it is needed.

Smart card is required for interactive logon

This option disables logging on without a smart card. The user’s password is randomly changed and set to never expire. Active Directory manages the password for the account. This is good for security, but it can be a problem if a user forgets his or her smart card or needs to log on to a machine that does not have a smart card reader.

Note

Smart cards provide a secure method of logging on to a Windows Server 2003 domain. Smart cards are physical cards that contain a certificate. This certificate identifies a user to Windows. Using smart cards is more secure than standard logons, because users must have possession of their card to logon. Smart cards are protected with a pin code in case of accidental loss or theft. In addition to logging on to a domain, smart cards are used for client authentication to applications and for securing e-mail.

A drawback of smart cards is that if users leave their cards at home, they cannot logon. Also, every machine that users need to log on to must have a smart card reader attached. This can become expensive in a large environment.


284 Chapter 4 • Managing User, Group, and Computer Accounts

■ Account is trusted for delegation: This option should be left unchecked most of the time. Selecting it could weaken your network security. Setting an account to be trusted for delegation enables a service running as this account to impersonate a client to get access to resources on another machine running the same service.

NOTE

Delegation enables services to impersonate a user account or a computer account to access network resources. This can be used in N-tier programs where users authenticate to a middle-tier service and the middle-tier service authenticates to a back-end data server on behalf of the user.

For example, a user accesses a Web page that runs a program. The server running the program is trusted for delegation. That program accesses multiple SQL databases on various servers. After the user authenticates to the Web server, the server can access all the SQL servers as the user.

■ Account is sensitive and cannot be delegated: Enables tighter control over a user account, such as a guest or temporary account. Use this option when the account must not be delegated by another account.

■ Use DES encryption types for this account: Provides support for the Data Encryption Standard (DES) such as MPPE Standard (40-bit), MPPE Standard (56-bit), MPPE Strong (128-bit), IPSec DES (40-bit), IPSec 56-bit DES, and IPSec 168-bit Triple DES (3DES).

■ Do not require Kerberos preauthentication: Enables using this account with different implementations of the Kerberos protocol, such as a UNIX Kerberos realm.

The Account tab enables you to configure Logon Hour restrictions (Figure 4.12) and Machine Log-On restrictions (Figure 4.13).

Use the Logon Hours button to restrict the times that a user can log on to the domain. There are no restrictions by default. A user can log on anytime on any day of the week. To change the times, select the hours that you want to manage by clicking and dragging the mouse over the correct sections and clicking either the Logon Permitted button or the Logon Denied button. You may want to restrict what times users can log on because of security reasons. If they should be working only from 9 AM to 5 PM, why enable their accounts to be used on weekends?

The Log On To button enables you to restrict a user account to logging on to specified machines. By default, a user account can log on to any machine in its domain or a trusted domain. To use this restriction, you must have the NetBIOS protocol enabled. Restrictions are based on the NetBIOS name of the machine, and without NetBIOS it will not work. This works great for accounts used in a classroom or lab.


Figure 4.12 Setting Logon Hours

Figure 4.13 Setting Workstation Restrictions

EXAM 70-290 OBJECTIVE 2.1

Using the Profile Tab

The user’s Profile tab, as shown in Figure 4.14, enables you to configure the user to use a roaming profile and specify the profile’s path. Roaming profiles are stored on a share, and enable a user to log on to any machine and use the same profile (this includes the desktop, Start menu, and application data). To use a roaming profile, configure the Profile path field to point to a share via a universal naming convention (UNC) path such as \\server\users\%username%. The logon script field tells the user account which logon script to run. You enter the name of the logon script (e.g., ntlogon.bat) and make sure that the script is stored in the Netlogon share on your domain controllers.


The Home Folder section has two choices:

■ Local Path: This points to a local folder on the user’s machine. If this is left blank (which is the default setting), the local user profile folder (%systemdrive%\Documents and Settings\%username%) is used.

■ Connect: This tells the user account to connect to a network location for its home folder. This option requires picking a drive letter to use and entering the UNC of the share used for the home folder. This method will automatically map the corresponding drive letter to the user’s home folder.

Figure 4.14 Understanding a User’s Profile Tab

Using the Telephones Tab

The Telephones tab, shown in Figure 4.15, contains the phone numbers for the specified user. It also holds notes about the user account in the Notes field. You can enter phone numbers for the following:

■ Home

■ Pager

■ Mobile

■ Fax

■ IP Phone

If a user has multiple phone numbers in a particular category (for example, two mobile numbers), you can enter them using the Other button.


Figure 4.15 Understanding a User’s Telephone Tab

Using the Organization Tab

The Organization tab, shown in Figure 4.16, contains organizational chart type information. This information is useful if you want to find everyone who works in a particular department, or everyone who reports to a certain manager. You do not fill in the Direct reports field. It is automatically filled in with the names of user accounts that have this account listed as their manager. In other words, when you fill in the Manager field for a user account, that account is automatically listed as a direct report on the properties of the manager’s account. Thus, if you enter bobsmith in the Manager field on Sarah Todd’s account properties (by clicking the Change button and entering the name), when you open the Organization tab on the properties sheet for the bobsmith account, you see Sarah Todd’s account name under Direct reports.

Using the Environment Tab

The Environment tab, shown in Figure 4.17, configures the Terminal Services startup environment. You can configure a user’s properties so that a specified program is launched every time the user logs onto a Terminal Server. To do so, check the box next to Start the following program at logon and enter the program filename and the working directory for the file. The Environment tab also enables you to configure how clients’ local devices are handled when they log onto Terminal Services. You can enable the following options:

■ Connect client drives at logon: Automatically reconnects to mapped client drives. This option works only with ICA (Citrix) clients.

■ Connect client printers at logon: Automatically reconnects to all of a client’s mapped printers.


Figure 4.16 Understanding a User’s Organization Tab

■ Default to main client printer: Automatically prints to the client’s default printer.

Figure 4.17 Understanding a User’s Environment Tab

Using the Sessions Tab

The Sessions tab, shown in Figure 4.18, controls Terminal Services timeout and reconnection settings. It configures the timeouts for the following:


■ Disconnected sessions: These are sessions that are closed by mistake. This can be due to loss of network connectivity while connected, or to accidentally clicking the Close button when using the Remote Desktop Connection client. It is a good idea to enable this one to prevent wasted system resources. If your users disconnect from their Terminal Services session but never log off, resources are wasted on the Terminal Server. Be careful about setting this too low, because you want to give your users time to reconnect if they accidentally lose their connections.

■ Active session limits: This controls the maximum amount of time that a user can stay connected.

■ Idle session limits: This controls the maximum amount of time that a session can remain idle without any keyboard or mouse activity.

The possible timeouts for each of these limits are as follows: Never (no limit), 1 minute, 5 minutes, 10 minutes, 15 minutes, 30 minutes, 1 hour, 2 hours, 3 hours, 1 day, and 2 days.

The Sessions tab also controls what happens when a client’s Terminal Services session is broken or the limit is reached. The session can either be disconnected or ended. If it is ended, all programs are closed and any unsaved data is lost. If it is set to disconnect, all programs continue to run, and open files are preserved until the user logs back on. However, the session remains available only until the user reaches one of the session limits (if they are defined), at which time the session is ended and all unsaved data is lost. This tab also enables you to decide from what location(s) a client is allowed to reconnect to a disconnected session. The default is to allow the client to reconnect from any client machine. This is good when the reason the user was disconnected was a hardware failure on the local machine. You can also require that the user reconnect from the same system that initiated the connection. This is more secure, but can lead to problems if the original machine that connected is no longer available.


Figure 4.18 Understanding a User’s Sessions Tab

Using the Remote Control Tab

The Remote control tab, shown in Figure 4.19, controls the level of remote control enabled when a user is connected via Terminal Services. The default is to enable taking remote control and interacting with a session after the user has been granted permission.

You have the following remote control options:

■ Enable remote control: This enables this user account to remotely control another user’s Terminal Services session.

■ Require user’s permission: This prompts the user for permission before remote control is granted. If the user declines, remote control is denied for that session.

■ View the user’s session: This specifies that after the user takes control of another session, that user can only see what the remote user is doing. The first user cannot actually move the mouse or use the keyboard to input to the remote machine. This is good for troubleshooting purposes, because it enables an administrator to watch the steps that a user is taking.

■ Interact with the session: This specifies that once the user takes control of another session, he or she can interact with the remote desktop. This includes the capability to move the mouse and use the keyboard to input to the remote machine.


Figure 4.19 Understanding a User’s Remote Control Tab

Using the Terminal Services Profile Tab

The Terminal Services Profile tab, shown in Figure 4.20, enables or disables the ability for a user to log on via Terminal Services. You control this by checking or clearing the Allow logon to terminal server check box (checked by default). All other settings on this tab are the same as the settings on the Profile tab previously discussed.

Figure 4.20 Understanding a User’s Terminal Services Profile Tab


Using the COM+ Tab

The COM+ tab, shown in Figure 4.21, lists the COM+ partition sets that can be assigned to this user. COM+ partition sets enable tailoring access of a certain set of domain users to a set of applications. Security is applied to the users in each set. After grouping your COM+ partitions into a COM+ partition set, you use this tab to assign a user to a particular set.

Figure 4.21 Understanding a User’s COM+ Tab

Using the Published Certificates Tab

The Published Certificates tab, shown in Figure 4.22, manages X.509 certificates for the selected user account. You can use this tab to view the details of the user’s certificates. You can also use it to add, remove, and copy certificates. Certificates can be added from the certificate store or from a file.

Figure 4.22 Understanding a User’s Published Certificates Tab


Using the Member Of Tab

The Member Of tab, shown in Figure 4.23, manages the groups of which the selected user is a member. By using the Add and Remove buttons, you can add and remove this user from groups. If you are using Apple clients or POSIX-compliant applications, you can use this tab to set the primary group as required. If a user account is a member of only one group, that group is automatically configured as the primary group, as shown in Figure 4.23. If a user account is a member of multiple groups, click the group you want to make primary and click the Set Primary Group button.

Figure 4.23 Understanding a User’s Member Of Tab

Using the Dial-In Tab

The Dial-in tab, shown in Figure 4.24, controls dial-in and VPN options for the selected user account. This tab contains two main sections, Remote Access Permissions and Callback Options. Remote Access Permissions determine if a user is allowed to connect to the Routing and Remote Access Service (RRAS) server for dial-in or VPN capabilities. The Callback Options control how the phone call is managed when using a dial-in solution.

The Remote Access Permission section includes the following options:

■ Allow Access: If remote access conditions are met, setting the user account to allow access will permit connecting to the RRAS server.

■ Deny Access: Setting the user account to deny access will forbid connecting to the RRAS server.

■ Control Access through Remote Access Policy: If remote access conditions are met and there is a matching policy that enables access, setting the user account to Control Access through Remote Access Policy will enable connecting to the RRAS server. If there is not a matching policy that enables access, connecting to the RRAS server is denied.

Figure 4.24 Understanding a User’s Dial-In Tab

The Callback Options section includes the following options:

■ No Callback: The RRAS server does not call back the user dialing in.

■ Set by Caller (Routing and Remote Access Service only): The RRAS server prompts the dial-in user for a phone number. It then disconnects the user and calls the user back at the number specified. This is a good option if you want the company to pay the long-distance charges when employees use a dial-in solution.

■ Always Callback to: When the user dials in to the RRAS server, the call disconnects after the user enters his or her credentials and automatically calls back at the number specified here. This is good for security purposes because it enables you to control the location of your dial-in users, and makes it less likely that someone who finds out a user’s account name and password can use it to make an unauthorized connection, because the unauthorized user probably would not be calling from the legitimate user’s location.

In addition to the Remote Access Permissions and the Callback Options, the Dial-in tab has the following options:

■ Verify Caller-ID: If the number the user is calling from does not match the number specified here, the connection to the RRAS server is dropped. This is different from Always Callback to, because it only verifies the phone number and it doesn’t call the user back. This can be used if you want the caller to bear the long-distance charges.

■ Assign a Static IP Address: This enables you to assign static IP addresses to your RRAS clients.

■ Apply Static Routes: This enables you to apply static routes to your RRAS clients. This is useful if you want to use routing rules to limit the machines that your clients can get to once they are connected.

Using the Object Tab

There is nothing to configure on the user’s Object tab, shown in Figure 4.25. This tab shows you the location of the object in Active Directory (the Canonical name). It shows you the type of object you are looking at (Object class). It shows you when the object was created and when it was last modified. For replication purposes, the Object tab also lists the current and original Update Sequence Numbers (USNs).

Active Directory uses USNs to determine what directory changes need to be replicated between domain controllers (DCs). A local counter on each domain controller assigns USNs. Using local counters ensures that the counters are accurate. However, USNs on one DC are not used by other DCs; each DC must use its own USNs.

Figure 4.25 Understanding a User’s Object Tab

Using the Security Tab

The Security tab, shown in Figure 4.26, controls the Active Directory permissions for the selected user account. The top portion of this tab shows you what groups or users have been assigned permissions. After you select a group or user in the top portion, the bottom portion shows the permissions assigned to the selected group or user. You can add and remove groups and users by using the respective Add and Remove buttons. The Advanced button opens the special (and more granular) permissions and advanced settings such as inheritance, auditing, and ownership.

Figure 4.26 Understanding a User’s Security Tab

Managing User Accounts Via the Pop-Up Menu

We just saw in detail how to use ADUC to manage user accounts by going to the properties of the user and working through each tab. Some items can be managed quickly via the pop-up menu when you right-click a user account name in the right details pane, as shown in Figure 4.27.

Figure 4.27 Administering User Accounts


You can perform the following tasks by right-clicking on a user:

■ Copy: Copy certain properties of the user account to be used when creating a new user.

■ Add to a group: Add the user to a group or groups.

■ Name Mappings: Configure X.509 certificate and Kerberos mappings.

■ Disable Account: Disable the user account.

■ Reset Password: Reset the user’s password.

■ Move: Move the user to another location within the domain.

■ Open Home Page: Open the user’s home page as listed on the user’s General tab.

■ Send Mail: Send mail to a user’s e-mail address if the user has one configured.

■ Resultant Set Of Policy (Planning): Create what-if scenarios to see what would happen if you configured group policy a certain way.

■ Resultant Set Of Policy (Logging): Review existing policy settings that have been applied to computers and users.

Copying a User

It is common practice to create template user accounts for each department or for each position/job description. The template is configured according to the requirements of the specified department. When you need to create a new user account, right-click the template user account and select Copy. This gives you the Copy Object – User window shown in Figure 4.28. When copying a user account, the following attributes are copied:

■ Password settings

■ Description

■ Groups

■ Profile

■ Dial-in information

These are attributes that are common to all users in the particular department or position.

When copying a user account, the following attributes are not copied:

■ Password

■ Full Name

■ Username


These are attributes that are unique to each user and must be configured for each individual account.

Figure 4.28 Copying a User Account in ADUC

Adding a User to a Group

Right-clicking a user account and choosing Add to a group gives you the window shown in Figure 4.29. This window enables you to add the selected user account to a group. Type the name of the group and click the Check Names button to verify that the group exists. If the group exists and you spelled it right, it will be underlined. Click OK to add the user to the selected group.

Figure 4.29 Changing Group Membership

Managing Security Identity Mappings

You can map an Active Directory user account to a Kerberos name to be used in a trusted non-Windows Kerberos realm. Active Directory also supports mapping user accounts to X.509 certificates as shown in Figure 4.30. You have three options when mapping X.509 certificates:

■ Map the certificate to one account. This is known as a one-to-one mapping.

■ Map any certificate with the same subject to the user account, regardless of the issuer of the certificate. This is known as a many-to-one mapping.

■ Map any certificate with the same issuer to the user account, regardless of the subject of the certificate. This is known as a many-to-one mapping.

By mapping user accounts to certificates, certificates can be used in place of user accounts. For example, certificates can enable or deny access to a Web site. Depending on the certificates mapped, users are automatically granted access to the Web site without having to provide additional authentication information.

Figure 4.30 Mapping User Accounts

Resetting a User’s Password

A common mistake of NT 4.0 administrators transitioning to Windows 2000 or Windows Server 2003 is going to the Properties page of a user account to reset the password. This is not an option in Windows 2000. The only way to reset the password in the GUI is to right-click on the user account and select Reset Password. Doing so will display the window shown in Figure 4.31. Type the user’s new password twice and click OK to change it. You can also force the user to change the password the next time he or she logs on by checking the corresponding check box.

Figure 4.31 Resetting Passwords

Moving a User Account

There are two ways to move user accounts in ADUC. The simplest way is to click and hold on the user object that you want to move and drag the account into the correct OU. The problem with this method is that you can easily drop the user into the wrong OU. Another way to do it (shown in Figure 4.32) is to right-click the user object and choose Move. Select the OU that you want to move the user to and click OK to move the user.

Figure 4.32 Moving Users

Using the Command Line to Create and Manage Users

Use the following tools to create and manage users:

■ dsadd.exe

■ dsmod.exe

■ dsget.exe

■ dsquery.exe

Using dsadd.exe User

Adding users from the GUI is fine when you have to add a few users. However, when you have to add a lot of users at the same time, the command line is more efficient. Using dsadd.exe enables you to quickly add multiple users. dsadd.exe has a lot of features; these are overviewed in the beginning of this chapter. In this section we are going to look at the syntax for dsadd user. This command has many switches. Do not let the number of options for this tool deter you from using it because it looks difficult. It is a very powerful tool that can be of great use and save you a lot of time. The syntax and options for dsadd.exe user are as follows, and are explained in detail in Table 4.5.

dsadd user <UserDN> [-samid <SAMName>] [-upn <UPN>] [-fn <FirstName>]
    [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>]
    [-empid <EmployeeID>] [-pwd {<Password> | *}] [-desc <Description>]
    [-memberof <Group ...>] [-office <Office>] [-tel <Phone#>]
    [-email <Email>] [-hometel <HomePhone#>] [-pager <Pager#>]
    [-mobile <CellPhone#>] [-fax <Fax#>] [-iptel <IPPhone#>]
    [-webpg <WebPage>] [-title <Title>] [-dept <Department>]
    [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDir>]
    [-hmdrv <DriveLtr:>] [-profile <ProfilePath>] [-loscr <ScriptPath>]
    [-mustchpwd {yes | no}] [-canchpwd {yes | no}]
    [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}]
    [-acctexpires <NumDays>] [-disabled {yes | no}]
    [{-s <Server> | -d <Domain>}] [-u <UserName>]
    [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

Table 4.5 Understanding dsadd.exe user Syntax

Value  Description

<UserDN>  Required. Distinguished name (DN) of user to add.

-samid <SAMName>  Set the SAM account name of user to <SAMName>. If not specified, dsadd attempts to create the SAM account name using up to the first 20 characters from the common name (CN) value of <UserDN>.

-upn <UPN>  Set the UPN value to <UPN>.

-fn <FirstName>  Set user first name to <FirstName>.

-mi <Initial>  Set user middle initial to <Initial>.

-ln <LastName>  Set user last name to <LastName>.

-display <DisplayName>  Set user display name to <DisplayName>.

-empid <EmployeeID>  Set user employee ID to <EmployeeID>.

-pwd {<Password> | *}  Set user password to <Password>. If *, then you are prompted for a password.

-desc <Description>  Set user description to <Description>.

-memberof <Group ...>  Make user a member of one or more groups <Group ...>.

-office <Office>  Set user office location to <Office>.

-tel <Phone#>  Set user telephone# to <Phone#>.

-email <Email>  Set user e-mail address to <Email>.

-hometel <HomePhone#>  Set user home phone# to <HomePhone#>.

-pager <Pager#>  Set user pager# to <Pager#>.

-mobile <CellPhone#>  Set user mobile# to <CellPhone#>.

-fax <Fax#>  Set user fax# to <Fax#>.

-iptel <IPPhone#>  Set user IP phone# to <IPPhone#>.

-webpg <WebPage>  Set user Web page URL to <WebPage>.

-title <Title>  Set user title to <Title>.

-dept <Department>  Set user department to <Department>.

-company <Company>  Set user company info to <Company>.

-mgr <Manager>  Set user’s manager to <Manager> (format is DN).

-hmdir <HomeDir>  Set user home directory to <HomeDir>. If this is a UNC path, a drive letter that will be mapped to it must also be specified through -hmdrv.

-hmdrv <DriveLtr:>  Set user home drive letter to <DriveLtr:>.

-profile <ProfilePath>  Set user’s profile path to <ProfilePath>.

-loscr <ScriptPath>  Set user’s logon script path to <ScriptPath>.

-mustchpwd {yes | no}  User must change password at next logon or not. Default: no.

-canchpwd {yes | no}  User can change password or not. This should be “yes” if -mustchpwd is “yes”. Default: yes.

-reversiblepwd {yes | no}  Store user password using reversible encryption or not. Default: no.

-pwdneverexpires {yes | no}  User password never expires or it does expire. Default: no.

-acctexpires <NumDays>  Set user account to expire in <NumDays> days from today. A value of 0 implies the account expires at the end of today; a positive value implies the account expires in the future; a negative value implies the account already expired and sets an expiration date in the past; the string value “never” implies that the account never expires.

-disabled {yes | no}  User account is disabled or not. Default: no.

{-s <Server> | -d <Domain>}  -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the logon domain.

-u <UserName>  Connect as <UserName>. Default: the logged-in user. Username can be: username, domain\username, or user principal name (UPN).

-p {<Password> | *}  Password for the user <UserName>. If * is entered, you are prompted for a password.

-q  Quiet mode: suppress all output to standard output.

{-uc | -uco | -uci}  -uc specifies that input from or output to pipe is formatted in Unicode. -uco specifies that output to pipe or file is formatted in Unicode. -uci specifies that input from pipe or file is formatted in Unicode.

Adding Users

Use the dsadd command to create a user account. Use the following syntax:

dsadd user UserDN [-UPN UPN] [-samid SAMName] -pwd {Password|*}

All the switches are covered in Table 4.5, but they’re summarized here. UserDN is the distinguished name of the user you want to add. UPN specifies the user’s user principal name (UPN). Pwd specifies the user account’s password. If set to *, you are prompted to enter the password.

The following example uses the dsadd command to create a new user, Chad Todd, in the Trainers OU:

dsadd user "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org" -UPN [email protected] -samid chadtodd -pwd *

Using dsmod user

dsmod user modifies the attributes of users in Active Directory. dsmod.exe uses the following syntax. All syntax is explained in detail in Table 4.6.

dsmod user <UserDN ...> [-upn <UPN>] [-fn <FirstName>]
    [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>]
    [-empid <EmployeeID>] [-pwd {<Password> | *}]
    [-desc <Description>] [-office <Office>] [-tel <Phone#>]
    [-email <Email>] [-hometel <HomePhone#>] [-pager <Pager#>]
    [-mobile <CellPhone#>] [-fax <Fax#>] [-iptel <IPPhone#>]
    [-webpg <WebPage>] [-title <Title>] [-dept <Department>]
    [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDir>]
    [-hmdrv <DriveLtr>:] [-profile <ProfilePath>]
    [-loscr <ScriptPath>] [-mustchpwd {yes | no}]
    [-canchpwd {yes | no}] [-reversiblepwd {yes | no}]
    [-pwdneverexpires {yes | no}]
    [-acctexpires <NumDays>] [-disabled {yes | no}]
    [{-s <Server> | -d <Domain>}] [-u <UserName>]
    [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]


Table 4.6 Understanding dsmod.exe user Syntax

Value  Description

<UserDN ...>  Required. Distinguished names (DNs) of one or more users to modify.

-upn <UPN>  Sets the UPN value to <UPN>.

-fn <FirstName>  Sets user first name to <FirstName>.

-mi <Initial>  Sets user middle initial to <Initial>.

-ln <LastName>  Sets user last name to <LastName>.

-display <DisplayName>  Sets user display name to <DisplayName>.

-empid <EmployeeID>  Sets user employee ID to <EmployeeID>.

-pwd {<Password> | *}  Resets user password to <Password>. If *, then you are prompted for a password.

-desc <Description>  Sets user description to <Description>.

-office <Office>  Sets user office location to <Office>.

-tel <Phone#>  Sets user telephone# to <Phone#>.

-email <Email>  Sets user e-mail address to <Email>.

-hometel <HomePhone#>  Sets user home phone# to <HomePhone#>.

-pager <Pager#>  Sets user pager# to <Pager#>.

-mobile <CellPhone#>  Sets user mobile# to <CellPhone#>.

-fax <Fax#>  Sets user fax# to <Fax#>.

-iptel <IPPhone#>  Sets user IP phone# to <IPPhone#>.

-webpg <WebPage>  Sets user Web page URL to <WebPage>.

-title <Title>  Sets user title to <Title>.

-dept <Department>  Sets user department to <Department>.

-company <Company>  Sets user company info to <Company>.

-mgr <Manager>  Sets user’s manager to <Manager>.

-hmdir <HomeDir>  Sets user home directory to <HomeDir>. If this is a UNC path, then a drive letter to be mapped to this path must also be specified through -hmdrv.

-hmdrv <DriveLtr>:  Sets user home drive letter to <DriveLtr>:.

-profile <ProfilePath>  Sets user’s profile path to <ProfilePath>.

-loscr <ScriptPath>  Sets user’s logon script path to <ScriptPath>.

-mustchpwd {yes | no}  Sets whether the user must change his password (yes) or not (no) at his next logon.

-canchpwd {yes | no}  Sets whether the user can change his password (yes) or not (no). This setting should be “yes” if the -mustchpwd setting is “yes.”

-reversiblepwd {yes | no}  Sets whether the user password should be stored using reversible encryption (yes) or not (no).

-pwdneverexpires {yes | no}  Sets whether the user’s password never expires (yes) or does expire (no).

-acctexpires <NumDays>  Sets user account to expire in <NumDays> days from today. A value of 0 sets expiration at the end of today. A positive value sets expiration in the future. A negative value sets expiration in the past. A string value of “never” sets the account to never expire.

-disabled {yes | no}  Sets whether the user account is disabled (yes) or not (no).

{-s <Server> | -d <Domain>}  -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the logon domain.

-u <UserName>  Connect as <UserName>. Default: the logged-on user. Username can be: username, domain\username, or user principal name (UPN).

-p {<Password> | *}  Password for the user <UserName>. If *, then prompt for password.

-c  Continuous operation mode. Reports errors but continues with the next object in the argument list when multiple target objects are specified. Without this option, the command exits on the first error.

-q  Quiet mode: suppresses all output to standard output.

{-uc | -uco | -uci}  -uc specifies that input from or output to pipe is formatted in Unicode. -uco specifies that output to pipe or file is formatted in Unicode. -uci specifies that input from pipe or file is formatted in Unicode.

Resetting a User’s Password

Use the dsmod command to reset a user’s password. Use the following syntax:

dsmod user UserDN -pwd NewPassword -mustchpwd {yes|no}

All this syntax and the switches are covered in Table 4.7, but they’re summarized here.

UserDN is the distinguished name of the user account whose password you want to reset.

The -mustchpwd option indicates whether or not the user will be forced to change his or her password upon the next logon attempt. The following example uses the dsmod command to reset the password of user Chad Todd; the * makes dsmod prompt for the new password instead of taking it from the command line:

dsmod user "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org" -pwd * -mustchpwd yes


Enabling a User

Use the dsmod command to enable a user account. Use the following syntax:

dsmod user UserDN -disabled {yes|no}

The following example uses the dsmod command to enable the user account of Chad Todd:

dsmod user "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org" -disabled no

Disabling a User

Use the dsmod command to disable a user account. Use the following syntax:

dsmod user UserDN -disabled {yes|no}

The following example uses the dsmod command to disable the user account of Chad Todd:

dsmod user "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org" -disabled yes

Using dsquery user

dsquery user searches Active Directory for users that match the specified search criteria. You can use dsquery to find users and then send a list of those users to another command. For example, you could use dsquery to query AD for all disabled users and have those results piped into dsmod to enable all the users. dsquery uses the following syntax. (Table 4.7 explains all the switches in detail.)

dsquery user [{<StartNode> | forestroot | domainroot}]

[-o {dn | rdn | upn | samid}]

[-scope {subtree | onelevel | base}]

[-name <Name>] [-desc <Description>] [-upn <UPN>]

[-samid <SAMName>] [-inactive <NumWeeks>] [-stalepwd <NumDays>]

[-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>]

[-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumObjects>]

[{-uc | -uco | -uci}]

Table 4.7 Understanding dsquery Syntax

Value  Description

{<StartNode> | forestroot | domainroot}  The node where the search starts.

-o {dn | rdn | upn | samid}  Specifies the output format. Default: DN.

-scope {subtree | onelevel | base}  Specifies the scope of the search. Default: subtree.

-name <Name>  Finds users whose name matches the filter given by <Name>, e.g. “jon*” or “*ith” or “j*th.”

-desc <Description>  Finds users whose description matches the filter given by <Description>, e.g. “jon*” or “*ith” or “j*th.”

-upn <UPN>  Finds users whose UPN matches the filter given by <UPN>.

-samid <SAMName>  Finds users whose SAM account name matches the filter given by <SAMName>.

-inactive <NumWeeks>  Finds users that have been inactive (not logged on) for at least <NumWeeks> number of weeks.

-stalepwd <NumDays>  Finds users that have not changed their password for at least <NumDays> number of days.

-disabled  Finds users whose accounts are disabled.

{-s <Server> | -d <Domain>}  -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the logon domain.

-u <UserName>  Connects as <UserName>. Default: the logged-on user. Username can be: username, domain\username or user principal name (UPN).

-p <Password>  Password for the user <UserName>. If * is specified, you are prompted for a password.

-q  Quiet mode: suppresses all output to standard output.

-r  Recurses or follows referrals during search. Default: do not chase referrals during search.

-gc  Searches in the Active Directory global catalog.

-limit <NumObjects>  Specifies the number of objects matching the given criteria to be returned, where <NumObjects> is the number of objects to be returned. If the value of <NumObjects> is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.

{-uc | -uco | -uci}  -uc specifies that input from or output to pipe is formatted in Unicode. -uco specifies that output to pipe or file is formatted in Unicode. -uci specifies that input from pipe or file is formatted in Unicode.

Finding All Users

If you do not specify user credentials or a domain, dsquery uses the credentials of the currently logged-on user and the current logon domain. To view all the users in the default domain, use the following syntax:

dsquery user

This displays all the users in the current domain. The following is sample output from the dsquery user command.

"CN=Chad,CN=Users,DC=trainingconcepts,DC=org"

"CN=Guest,CN=Users,DC=trainingconcepts,DC=org"

"CN=SUPPORT_388945a0,CN=Users,DC=trainingconcepts,DC=org"

"CN=ASPNET,CN=Users,DC=trainingconcepts,DC=org"

"CN=krbtgt,CN=Users,DC=trainingconcepts,DC=org"

"CN=Paul,CN=Users,DC=trainingconcepts,DC=org"

"CN=Sarah Todd,CN=Users,DC=trainingconcepts,DC=org"

Finding Disabled Users

To use dsquery to find all disabled users, use the following syntax:

dsquery user -disabled

Finding Users by Description

To find all users that match a certain description, use the following syntax:

dsquery user -desc <Description>

The following example lists all the user accounts with the description Sales Manager. Because the description contains a space, we must put it in quotes.

dsquery user -desc "Sales Manager"

Finding Users by Password Change Date

To search for users based on the last time they changed their passwords, use the following syntax:

dsquery user -stalepwd <NumDays>

The following example lists all the user accounts that haven’t changed their password in 60 days:

dsquery user -stalepwd 60

Finding Users by Last Logon Date

This command lists users based on how many weeks they have been inactive (in other words, based on the number of weeks since they last logged on). To search for users based on the last time they logged on, use the following syntax:

dsquery user -inactive <NumWeeks>

The following example lists all users that have not logged on for six weeks:

dsquery user -inactive 6
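The dsquery switches above combine into a routine stale-account audit, and the DN list they produce can be piped into dsmod as this section’s introduction describes. The following batch file is an added example, not from the book; the thresholds, the C:\audit path and the /disable switch are assumptions.

```batch
@echo off
rem Stale-account audit built from the dsquery and dsmod switches described
rem above. Added example, not from the book. Assumptions: it runs on a
rem Windows Server 2003 domain member as an account allowed to read, and
rem with /disable to modify, user objects; the thresholds and C:\audit are
rem placeholders to be matched to your own account and password policy.
setlocal
set INACTIVE_WEEKS=8
set STALE_DAYS=90
set REPORT=C:\audit\stale-accounts.txt

if not exist C:\audit mkdir C:\audit
echo Stale-account audit run on %DATE% at %TIME% > "%REPORT%"

rem 1. Users who have not logged on for INACTIVE_WEEKS weeks or more.
rem    -limit 0 returns every match instead of the default first 100.
rem    -inactive relies on the replicated lastLogonTimestamp attribute, so the
rem    domain must be at the Windows Server 2003 functional level.
echo. >> "%REPORT%"
echo [Inactive for %INACTIVE_WEEKS% weeks or more] >> "%REPORT%"
dsquery user domainroot -inactive %INACTIVE_WEEKS% -limit 0 >> "%REPORT%"

rem 2. Users whose password is older than STALE_DAYS days.
echo. >> "%REPORT%"
echo [Password unchanged for %STALE_DAYS% days or more] >> "%REPORT%"
dsquery user domainroot -stalepwd %STALE_DAYS% -limit 0 >> "%REPORT%"

rem 3. Users already disabled, so the list from step 1 can be compared to it.
echo. >> "%REPORT%"
echo [Already disabled] >> "%REPORT%"
dsquery user domainroot -disabled -limit 0 >> "%REPORT%"

rem 4. Optional remediation, only when the script is started with /disable.
rem    The DN list from dsquery is piped straight into dsmod, which reads its
rem    targets from standard input when none are given on the command line;
rem    -c makes dsmod report a per-object error and carry on with the next DN.
if /i "%~1"=="/disable" (
    echo. >> "%REPORT%"
    echo [Disabled by this run] >> "%REPORT%"
    dsquery user domainroot -inactive %INACTIVE_WEEKS% -limit 0 | dsmod user -disabled yes -c >> "%REPORT%"
    echo. >> "%REPORT%"
    echo [Forced to change password at next logon by this run] >> "%REPORT%"
    dsquery user domainroot -stalepwd %STALE_DAYS% -limit 0 | dsmod user -mustchpwd yes -c >> "%REPORT%"
)

echo Report written to %REPORT%
endlocal
```

Run it without arguments first and review the report; service accounts that never log on interactively will appear in the inactive list and should be excluded before running with /disable.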

Using dsget.exe

dsget displays properties of users in Active Directory. There are two variations of the dsget user command. The first one shows the properties of multiple users. The second one shows the group memberships of a user. dsget user uses the following syntax. All switches are explained in detail in Table 4.8.

dsget user <UserDN ...> [-dn] [-samid] [-sid] [-upn] [-fn] [-mi]

[-ln] [-display] [-empid] [-desc] [-office] [-tel] [-email]

[-hometel] [-pager] [-mobile] [-fax] [-iptel] [-webpg]

[-title] [-dept] [-company] [-mgr] [-hmdir] [-hmdrv]

[-profile] [-loscr] [-mustchpwd] [-canchpwd]

[-pwdneverexpires] [-disabled] [-acctexpires]

[-reversiblepwd] [-part <PartitionDN> [-qlimit] [-qused]]

[{-s <Server> | -d <Domain>}] [-u <UserName>]

[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]


dsget user <UserDN> [-memberof [-expand]]

[{-s <Server> | -d <Domain>}] [-u <UserName>]

[-p {<Password> | *}] [-c] [-q] [-l]

[{-uc | -uco | -uci}]

Table 4.8 Understanding dsquery syntax

Value  Description

<UserDN>  Required/stdin. DNs of one or more users to view. If the target objects are omitted, they are taken from standard input (stdin) to support piping of output from another command to input of this command.

-dn  Shows the DN of the user.

-samid  Shows the SAM account name of the user.

-sid  Shows the user Security ID.

-upn  Shows the user principal name of the user.

-fn  Shows the first name of the user.

-mi  Shows the middle initial of the user.

-ln  Shows the last name of the user.

-display  Shows the display name of the user.

-empid  Shows the user employee ID.

-desc  Shows the description of the user.

-office  Shows the office location of the user.

-tel  Shows the telephone number of the user.

-email  Shows the e-mail address of the user.

-hometel  Shows the home telephone number of the user.

-pager  Shows the pager number of the user.

-mobile  Shows the mobile phone number of the user.

-fax  Shows the fax number of the user.

-iptel  Shows the user IP phone number.

-webpg  Shows the user Web page URL.

-title  Shows the title of the user.

-dept  Shows the department of the user.

-company  Shows the company info of the user.

-mgr  Shows the user’s manager.

-hmdir  Shows the user home directory. Displays the drive letter to which the home directory of the user is mapped (if the home directory path is a UNC path).

-hmdrv  Shows the user’s home drive letter (if home directory is a UNC path).

-profile  Shows the user’s profile path.

-loscr  Shows the user’s logon script path.

-mustchpwd  Shows if the user must change his/her password at the time of next logon. Displays: yes or no.

-canchpwd  Shows if the user can change his/her password. Displays: yes or no.

-pwdneverexpires  Shows if the user password never expires. Displays: yes or no.

-disabled  Shows if the user account is disabled for logon or not. Displays: yes or no.

-acctexpires  Shows when the user account expires. Display values: a date when the account expires or the string “never” if the account never expires.

-reversiblepwd  Shows if the user password is allowed to be stored using reversible encryption (yes or no).

<UserDN>  Required. DN of group to view.

-memberof  Displays the groups of which the user is a member.

-expand  Displays a recursively expanded list of groups of which the user is a member.

{-s <Server> | -d <Domain>}  -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the logon domain.

-u <UserName>  Connect as <UserName>. Default: the logged-on user. Username can be: username, domain\username, or user principal name (UPN).

-p {<Password> | *}  Password for the user <UserName>. If *, then prompt for password.

-c  Continuous operation mode: reports errors but continues with next object in argument list when multiple target objects are specified. Without this option, command exits on first error.

-q  Quiet mode: suppresses all output to standard output.

-l  Displays the entries in the search result set in a list format. Default: table format.

{-uc | -uco | -uci}  Specifies that input from or output to pipe is formatted in Unicode.

-part <PartitionDN>  Connects to the directory partition with the distinguished name of <PartitionDN>.

-qlimit  Displays the effective quota of the user within the specified directory partition.

-qused  Displays how much of the quota the user has used within the specified directory partition.

Getting a User’s Description

To get a user’s description, use the following syntax: dsget user <userDN> -desc

The following example gets the description for the Chad Todd user account in the trainingconcepts.org domain: dsget user "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org" -desc

Getting a User’s E-Mail Address

To get a user’s e-mail address, use the following syntax: dsget user <userDN> -email

The following example gets the e-mail address for the Chad Todd user account: dsget user "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org" -email

Determining If a User Must Change His or Her Password

To determine if a user must change his or her password upon next logon, use the following syntax: dsget user <userDN> -mustchpwd

The following example determines if the user Chad Todd must reset his password upon next logon: dsget user "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org" -mustchpwd

Getting a User’s Group Membership

To determine a user’s group membership, use the following syntax: dsget user <userDN> -memberof

The following example gets the group membership for the Chad Todd user account in the trainingconcepts.org domain: dsget user "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org" -memberof


Following is a sample output from using the dsget.exe user <userDN> -memberof command:

"CN=Group Policy Creator Owners,CN=Users,DC=trainingconcepts,DC=org"

"CN=Domain Admins,CN=Users,DC=trainingconcepts,DC=org"

"CN=Enterprise Admins,CN=Users,DC=trainingconcepts,DC=org"

"CN=Schema Admins,CN=Users,DC=trainingconcepts,DC=org"

"CN=Administrators,CN=Builtin,DC=trainingconcepts,DC=org"

"CN=Domain Users,CN=Users,DC=trainingconcepts,DC=org"

EXAM 70-290 OBJECTIVES 2.3.5, 2.4.2

Automating User and Group Account Creation

So far we have seen how to create users from within the GUI by using ADUC and how to create users from the command line using dsadd. Both of these work about the same for creating one user at a time. However, when used in a script, the dsadd command can blaze through creating multiple users much faster than ADUC.

Scripts can be created in many different ways. Most commonly, they are written as VBScript or as a batch file. In this section you learn how to use the for command to automate the process of creating user accounts, and how to create a batch file to automate the process.

The for command uses the following syntax, which is explained in detail in Table 4.9:

for %variable IN (set) DO command [command-parameters]

Table 4.9 Understanding the for Command

Value  Description

%variable  Specifies a single-letter replaceable parameter.

(set)  Specifies a set of one or more files. Wildcards may be used.

command  Specifies the command to carry out for each file.

command-parameters  Specifies parameters or switches for the specified command.

/?  Shows the help for the for command. There are many more options available that are not listed here due to length.

Simply put, the for command enables you to instruct a command such as dsadd to run multiple times, while using different input each time.The For command uses variables and plain text files to accomplish this.The variable is named using a percent sign followed by a single letter (e.g., %f) and is case sensitive.

To parse a line of text, the for command breaks the line into tokens. A token is a portion of an input line delimited by delimiter characters such as commas or spaces. The tokens are then assigned to the variable, and the file is parsed line by line.

The following example uses the command to automate the process of creating users from the command-line.

for /f %I in (c:\test\users.txt) do dsadd user %I -pwd password


Table 4.9 explains the syntax in detail, but we’ll discuss it here anyway. for is the command. The /f instructs the for command to use file token parsing (explained previously). The %I is a variable. in (c:\users.txt) instructs the %I variable to use the data stored in the users.txt file. do dsadd user %I -pwd password instructs the for command to run this command (dsadd user -pwd password), replacing the variable %I with the information stored in the input file. The for command reads the users.txt file line by line and processes each line in turn.

Now that you understand what the previous command means, we’ll discuss what it actually does. First, look at the users.txt file.

CN=User1,CN=Users,DC=trainingconcepts,DC=org

CN=User2,CN=Users,DC=trainingconcepts,DC=org

CN=User3,CN=Users,DC=trainingconcepts,DC=org

CN=User4,CN=Users,DC=trainingconcepts,DC=org

CN=User5,CN=Users,DC=trainingconcepts,DC=org

Each line represents the distinguished name of an object we want to create. This example assumes that you want to create your users in the default Users container in the trainingconcepts.org domain. The for command looks in the c:\users.txt file and runs the command dsadd user %I -pwd password for each line, replacing the %I variable with the fully qualified name of the user we want to create. This command creates the user account and assigns it the password of “password.”

You can script this by saving it to a batch file. However, you need to change the %I variable to use double percent signs: %%I. Look at the output from placing the line

for /f %%I in (c:\test\users.txt) do dsadd user %%I -pwd password

into a batch file and running the batch file.

NOTE

When using the for command in a script file you must use a double percent sign (%%) before the variable. If you are typing the command directly into the command prompt, use only one percent sign (%).

NOTE

To create a batch file, open a blank Notepad document and type the commands you want to run. Save the file as somename.bat (where somename is the name of your file). You can now run the batch file by double-clicking it. This saves you the trouble of having to manually enter everything into the command prompt. You can key it into the batch file once and use that one file over and over.


C:\for /F %I in (c:\users.txt) do dsadd user %I -pwd password

C:\>dsadd user CN=User1,CN=Users,DC=trainingconcepts,DC=org -pwd password dsadd succeeded:CN=User1,CN=Users,DC=trainingconcepts,DC=org

C:\>dsadd user CN=User2,CN=Users,DC=trainingconcepts,DC=org -pwd password dsadd succeeded:CN=User2,CN=Users,DC=trainingconcepts,DC=org

C:\>dsadd user CN=User3,CN=Users,DC=trainingconcepts,DC=org -pwd password dsadd succeeded:CN=User3,CN=Users,DC=trainingconcepts,DC=org

C:\>dsadd user CN=User4,CN=Users,DC=trainingconcepts,DC=org -pwd password dsadd succeeded:CN=User4,CN=Users,DC=trainingconcepts,DC=org

C:\>dsadd user CN=User5,CN=Users,DC=trainingconcepts,DC=org -pwd password dsadd succeeded:CN=User5,CN=Users,DC=trainingconcepts,DC=org

Notice that by running your simple batch file, you created five users automatically. As you can see, this makes creating users a snap.You can create 1000 users with the same amount of effort as creating one user.The only real work is setting up the batch file the first time and populating your input text file (e.g., users.txt).

The real beauty of the for command is that it works with any command-line tool. For example, you could automate the process of creating machine and group accounts by simply changing your batch file to use dsadd computer and dsadd group instead of dsadd user. Also, you need to populate your input file with the correct names of your machines and groups.
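The for /f loop above gives every new account the same password and passes the DN unquoted. The following batch file is an added example, not from the book, that extends it with the tokens= and delims= options so each input line carries its own one-time password and the result of every dsadd is logged; the input file layout, the C:\test paths and the UPN suffix are assumptions.

```batch
@echo off
rem Bulk account creation with for /f, extending the users.txt example above.
rem Added example, not from the book. The input format is an assumption: one
rem user per line, three fields separated by semicolons. Commas cannot be the
rem delimiter because every distinguished name contains them. For instance:
rem   CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org;ctodd;Tmp-7rQx!2
rem Lines beginning with # are comments and are skipped by eol=#.
setlocal
set INPUT=C:\test\newusers.txt
set LOG=C:\test\dsadd.log
set UPN_SUFFIX=trainingconcepts.org

if not exist "%INPUT%" (
    echo Input file %INPUT% not found.
    exit /b 1
)
echo dsadd run on %DATE% at %TIME% > "%LOG%"

rem tokens=1-3 puts the DN in %%A, the SAM account name in %%B and the
rem one-time password in %%C; usebackq allows the file name to be quoted.
rem Double percent signs are required because this runs from a batch file.
rem The DN and the password are quoted so that spaces inside them survive.
rem -mustchpwd yes turns the password from the file into a one-time value.
for /f "usebackq eol=# tokens=1-3 delims=;" %%A in ("%INPUT%") do (
    dsadd user "%%A" -samid %%B -upn %%B@%UPN_SUFFIX% -pwd "%%C" -mustchpwd yes >> "%LOG%" 2>&1
    if errorlevel 1 (
        echo FAILED: %%A >> "%LOG%"
    ) else (
        echo OK: %%A >> "%LOG%"
    )
)

echo Finished. Results are in %LOG%.
echo Delete %INPUT% now: it still holds the initial passwords.
endlocal
```

A password that fails the domain password policy makes dsadd fail for that line only; the loop continues and the FAILED entry in the log shows which DN to retry.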

EXAM 70-290 OBJECTIVE 2.4.3

Importing User Accounts

Realizing that administrators may need to import and export data into and out of Active Directory and other Lightweight Directory Access Protocol (LDAP) directory services, Microsoft has provided two utilities to accomplish just that task.

■ csvde (CSV Directory Exchange)  csvde uses files formatted in the Microsoft comma-separated value (CSV) format. The advantage of the CSV format is that it is supported by many other applications, such as Microsoft Excel and Microsoft Access, thus enabling you to manipulate data in these applications before importing it. The downside to using csvde is that it only enables the addition of new objects—ldifde enables the modification of existing objects.

■ ldifde (LDAP Data Interchange Format Directory Exchange)  ldifde can be used to extend the Active Directory schema, export data from Active Directory into other LDAP applications and services, and populate the Active Directory database with LDAP data from other directory services. LDIF is an Internet standard file format for performing batch import and export operations that conform to LDAP standards.


csvde and ldifde use the same syntax, shown below and explained in Table 4.10.

csvde (or ldifde) [-i] [-f FileName] [-s ServerName] [-c String1 String2]

[-v] [-j Path] [-t PortNumber] [-d BaseDN] [-r LDAPFilter] [-p Scope]

[-l LDAPAttributeList] [-o LDAPAttributeList] [-g] [-m] [-n] [-k]

[-a UserDistinguishedName Password] [-b UserName Domain Password]

Table 4.10 Understanding csvde.exe and ldifde.exe Syntax

Value  Description

-i  Specifies import mode. If not specified, the default mode is export.

-f FileName  Identifies the import or export filename.

-s ServerName  Specifies the domain controller to perform the import or export operation.

-c String1 String2  Replaces all occurrences of String1 with String2. This is generally used when importing data from one domain to another and the distinguished name of the export domain (String1) needs to be replaced with that of the import domain (String2).

-v  Sets verbose mode.

-j Path  Sets the log file location. The default is the current path.

-t PortNumber  Specifies an LDAP port number. The default LDAP port is 389. The global catalog port is 3268.

-d BaseDN  Sets the distinguished name of the search base for data export.

-r LDAPFilter  Creates an LDAP search filter for data export.

-p Scope  Sets the search scope. Search scope options are Base, OneLevel, or SubTree.

-l LDAPAttributeList  Sets the list of attributes to return in the results of an export query. If this parameter is omitted, all attributes are returned.

-o LDAPAttributeList  Sets the list of attributes to omit from the results of an export query. This is typically used when exporting objects from Active Directory and then importing them into another LDAP-compliant directory. If attributes are not supported by another directory, you can omit the attributes from the result set using this option.

-g  Omits paged searches.

-m  Omits attributes that only apply to Active Directory objects such as the ObjectGUID, objectSID, pwdLastSet and samAccountType attributes.

-n  Omits export of binary values.

-k  Ignores errors during the import operation and continues processing. The following is a complete list of ignored errors: “Object already exists,” “Constraint violation,” and “Attribute or value already exists.”

-a UserDistinguishedName Password  Sets the command to run using the supplied UserDistinguishedName and Password. By default, the command runs using the credentials of the user currently logged on to the network.

-b UserName Domain Password  Sets the command to run as Username Domain Password. By default, the command runs using the credentials of the user currently logged on to the network.

-?  Displays the command menu.

The following is an example of what a CSV file might look like for the addition of five users into Active Directory.

dn,cn,givenName,sn,description,objectClass,SAMAccountname,userPrincipalName

"CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org","Chad Todd",Chad,Todd,"Owner",user,ctodd,[email protected]

"CN=Paul Salas,CN=Users,DC=trainingconcepts,DC=org","Paul Salas",Paul,Salas,"Owner",user,paul,[email protected]

"CN=Mike Bagley,CN=Users,DC=trainingconcepts,DC=org","Mike Bagley",Mike,Bagley,"Sales Manager",user,mike,[email protected]

"CN=Gary Landry,CN=Users,DC=trainingconcepts,DC=org","Gary Landry",Gary,Landry,"Trainer",user,gary,[email protected]

"CN=Tal Lassiter,CN=Users,DC=trainingconcepts,DC=org","Tal Lassiter",Tal,Lassiter,"Sales Manager",user,tal,[email protected]
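The csvde switches in Table 4.10 come together in the export-then-import scenario that the -c row describes. The following batch file is an added example, not from the book; the server names, the lab.example target domain and the C:\export paths are assumptions.

```batch
@echo off
rem Export user accounts from one domain with csvde and import them into
rem another, using the -d, -r, -l, -m, -c, -k and -j switches from Table 4.10.
rem Added example, not from the book. The server names, the target domain
rem lab.example and the C:\export paths are assumptions.
setlocal
set EXPORT=C:\export\users.csv
set LOGDIR=C:\export\logs
set SRC_DN=DC=trainingconcepts,DC=org
set DST_DN=DC=lab,DC=example
set SRC_DC=dc1.trainingconcepts.org
set DST_DC=dc1.lab.example
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem 1. Export. -d limits the search base to the Users container, -r keeps
rem    only user objects: objectCategory=person excludes computer accounts,
rem    which are also objectClass=user. -l returns just the columns the CSV
rem    sample above uses; csvde always writes the dn column first. -m drops
rem    AD-internal attributes such as objectSID that no import accepts. The
rem    csv.log file, and csv.err on failure, land in the -j directory.
csvde -f "%EXPORT%" -s %SRC_DC% -d "CN=Users,%SRC_DN%" -r "(&(objectClass=user)(objectCategory=person))" -l "cn,givenName,sn,description,objectClass,sAMAccountName,userPrincipalName" -m -j "%LOGDIR%"
if errorlevel 1 (
    echo Export failed. See %LOGDIR%\csv.log
    exit /b 1
)

rem 2. Import. -c rewrites every occurrence of the source domain DN to the
rem    target domain DN; -k skips rows whose object already exists instead of
rem    stopping at the first error. Two caveats: -c only touches the DN
rem    string, so the userPrincipalName column still carries the old suffix
rem    after the @ unless you edit the file first; and csvde cannot import
rem    passwords, so the new accounts are created disabled and stay that way
rem    until a password is set and dsmod user -disabled no is run for them.
csvde -i -f "%EXPORT%" -s %DST_DC% -c "%SRC_DN%" "%DST_DN%" -k -j "%LOGDIR%"
if errorlevel 1 (
    echo Import reported errors. See %LOGDIR%\csv.log
    exit /b 1
)
echo Export and import complete. Log files are in %LOGDIR%.
endlocal
```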

EXAM 70-290 OBJECTIVE 2.6

Troubleshooting User Accounts

Let’s look at how some of these techniques are used in real-world troubleshooting. The most common problems with user accounts are due to group membership, password problems, or account lockouts. Group membership problems manifest themselves by users not being able to access resources that are assigned through group membership. This can easily be verified and corrected via Active Directory Users and Computers or from the command line using the dsget.exe and dsmod.exe commands. Password problems are usually due to users forgetting their password and needing it reset. This can be accomplished via Active Directory Users and Computers or via the dsmod.exe command. Lastly, users often lock out their accounts because they enter their password incorrectly. This is usually because they have forgotten a password they changed recently, in which case you would need to unlock their account and reset their password. Sometimes they just can’t type or CAPS LOCK is on, and they enter their password incorrectly too many times and lock their account. User accounts can be unlocked by using Active Directory Users and Computers or by using the dsmod.exe command.

EXAM 70-290 OBJECTIVE 2.3

Creating and Managing Group Accounts

Before you can effectively start working with groups in Windows Server 2003, you need to first understand what groups are and why they are used. A group is a collection of user and/or computer accounts, contacts, and even other groups that are managed as a single object. The users and computers that belong to the group are known as group members. In Windows, as with most operating systems, groups are used to simplify the administrative process of assigning permissions and rights to a large number of user and computer accounts at the same time, resulting in these groups’ members having inherited (or implicit) permissions from the group. This is contrary to the older and more labor-intensive practice of applying permissions and rights directly to users, which are then known as explicit permissions.

A set of default groups is created during the installation of Windows Server 2003 on a computer; these are known as local groups. Computers that are part of an Active Directory domain environment also have a set of default groups, but these are objects that reside within the Active Directory database structure. You can create additional groups as required for both workstation and domain-based computers. For the purposes of this discussion, assume that you are working in an Active Directory environment when creating and managing groups.

When using groups in Active Directory, you are provided with three major benefits:

■ Security groups enable you to simplify and reduce administrative requirements by assigning permissions and rights for a shared resource (think printer or file share) to the group rather than to each individual user that requires access. In this way, all users (and groups) that are members of the group will receive the configured permissions and rights through inheritance. This is much more efficient and accurate than explicitly assigning these permissions and rights to users on an individual basis. In addition, this provides you with the capability to move users in and out of groups as their jobs and task requirements dictate.

■ Security groups enable you to quickly and efficiently delegate administrative responsibilities for performing specific tasks in Active Directory. As an example, you might have a group of six help desk workers to whom you wish to assign the capability to reset user passwords. By placing these six users in a group and then delegating this capability to the group, you can easily enable these users to perform this specific task that might otherwise be above their standard permissions. Again, using groups in this way enables you to move users in and out of the group as required.

■ Security and distribution groups enable you to quickly create e-mail distribution groups by assigning an e-mail address to the group itself. All members of the group that are mailbox enabled will receive an e-mail when it is sent to the group’s e-mail address. This is an added capability of security groups and the only usage for distribution groups—which will be discussed later in the “Group Type” section.

When you talk about groups, you need to understand two basic group characteristics: type and scope.These topics are discussed in the next sections.

EXAM 70-290 OBJECTIVE 2.3.1

Understanding Group Types and Scopes

Group type refers to one of two types:

■ distribution

■ security

Group type identifies the purpose of the group. Group scope refers to one of four scopes:

■ local

■ domain local

■ global

■ universal

Group scope refers to how the group is used.

Security and Distribution Groups

Two types of groups can be created in Windows Server 2003:

Distribution groups

Use distribution groups for distributing messages to group members. Use distribution groups with e-mail applications, such as Microsoft Exchange, to send an e-mail to all members of the group in a rapid and efficient fashion by sending it to the group e-mail address. All members of the distribution group that are mailbox enabled will receive the e-mail message. Distribution groups are not security enabled, and therefore cannot be used to assign permissions to Windows resources.

Security groups

Use security groups for the distribution of e-mail as described for distribution groups, but also use them to assign permissions to Windows resources. You can also use security groups to assign user rights to group members. User rights include actions such as Backup files and directories or Restore files and directories, both of which are assigned to the Backup Operators group by default. You can delegate rights to groups to enable the members of the group to perform a specific administrative function that is not normally allowed by their standard user rights.

You can also assign permissions to security groups to enable them to access network resources, such as printers and file shares.


NOTE

Permissions, which should not be confused with user rights, determine which users can access specified resources and what they can do (read, write, execute, etc.) to that resource. By assigning these permissions to a group instead of individual users, you can ensure that all members of the group have the required permissions.

Local, Domain Local, Global, and Universal Groups

Unlike group types, which are fairly simple to understand, group scopes can be frustrating to those new to working with Windows Server 2003 and Active Directory. The scope of the group identifies the extent to which the group is applied throughout the domain tree or forest. There are four group scopes:

Local groups

Local groups can contain user accounts from the local machine, user accounts from the domain the local machine is joined to, or user accounts from any trusted domains of the domain the machine is joined to. Only local groups can manage permissions for local resources (local to a single machine).

Domain local groups

Domain local groups can include other groups and user/computer accounts from Windows Server 2003, Windows 2000 Server, and Windows NT domains. Permissions for only the domain in which the group is defined can be assigned to domain local groups.

Global groups

Global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups.

Universal groups

Universal groups can include other groups and user/computer accounts from any domain in the domain tree or forest. Permissions for any domain in the domain tree or forest can be assigned to universal groups. Universal groups are only available if your domain functional level is set to Windows 2000 native mode.

Domain and Forest Functionality

Domain and forest functionality is a new feature introduced in Windows Server 2003. By having differing levels of domain and forest functionality available within your Active Directory implementation, you have different features available to your network.

As an example, if all of your network’s domain controllers are Windows Server 2003 and the domain functional level is set to Windows Server 2003, all domain features become available. You can make use of the new capability to rename a domain controller only if the domain functional mode is set to Windows Server 2003. If your entire Active Directory forest is set at the Windows Server 2003 functional level, you also gain the new capability to rename entire domains, something that administrators have been requesting for many years.

Three domain functional levels are available:

Windows 2000 mixed  The default domain functional level; allows for Windows NT 4.0 backup domain controllers (BDCs), Windows 2000 Server domain controllers, and Windows Server 2003 domain controllers.

Windows 2000 native  The minimum domain functional level at which universal groups become available, along with several other Active Directory features; allows for Windows 2000 Server and Windows Server 2003 domain controllers.

Windows Server 2003  The highest domain functional level, providing the most features and functionality; allows for only Windows Server 2003 domain controllers.

Be forewarned, however, that once you have raised the domain functional level, domain controllers running earlier operating systems cannot be used in that domain. As an example, should you decide to raise the domain functional level to Windows Server 2003, Windows 2000 Server domain controllers cannot be added to that domain.

Nesting Groups

You’ve seen how groups can have other groups as members. This concept is known as group nesting. Groups can be nested to help consolidate large numbers of user and computer accounts to reduce replication traffic. The type of nesting you can perform is determined by the domain functional level of the domain.

If the domain functional level is set to Windows 2000 native or Windows Server 2003, groups can have the following members:

Domain local groups Other domain local groups in the same domain, global groups from any domain, universal groups from any domain, user accounts from any domain, and computer accounts from any domain.

Global groups Other global groups in the same domain, user accounts in the same domain, and computer accounts in the same domain.

Universal groups Other universal groups from any domain, global groups from any domain, user accounts from any domain, and computer accounts from any domain.


If the domain functional level is set to Windows 2000 mixed, distribution groups can have the same membership as detailed for Windows 2000 native or Windows Server 2003 functional-level security groups.

If the domain functional level is set to Windows 2000 mixed, security groups can have the following members:

Domain local groups Other global groups from any domain, user accounts from any domain, and computer accounts from any domain.

Global groups User accounts in the same domain and computer accounts in the same domain.

Group nesting is pictured in Figure 4.33. As you can see, nesting makes it easier to change permissions around. For example, if a user moves from a Tier 2 position in Desktop Support to the Windows server team, removing the user from and adding the user to a single group automatically grants membership to the necessary groups. However, nesting groups too deeply can make it difficult to troubleshoot problems, because you have to work your way through the entire group hierarchy to find the problem.

Figure 4.33

Utilizing Group Nesting

(Diagram: the IT group contains Desktop Support and Server Support. Desktop Support branches into Tier 1, Tier 2, and Tier 3 and then into Hardware and Software; Server Support branches into Windows, Netware, and Unix. User accounts sit in the lowest-level groups.)
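The nesting in Figure 4.33 worked through in code, as an added example (my own, not the book's): a constructed directory that loosely mirrors the figure, the recursive expansion that dsget group -members -expand and -memberof -expand report, the single-move scenario from the text, and a depth check for the troubleshooting caveat. All group and user names are invented.

```python
"""Recursive group expansion over a constructed copy of the Figure 4.33 tree.

Added example, not from the book. Answers what dsget group -members -expand
and -memberof -expand report, replays the "move one user" scenario from the
text, and flags groups nested deeper than a limit (the troubleshooting caveat).
"""
import copy
from collections import deque

# Constructed sample directory: group name -> direct members (groups or users).
# Layout loosely mirrors Figure 4.33; every name here is invented.
DIRECTORY = {
    "IT": ["Desktop Support", "Server Support"],
    "Desktop Support": ["Tier 1", "Tier 2", "Tier 3"],
    "Tier 1": ["user.alice"],
    "Tier 2": ["Hardware", "Software", "user.bob"],
    "Tier 3": ["user.carol"],
    "Hardware": ["user.frank"],
    "Software": [],
    "Server Support": ["Windows", "Netware", "Unix"],
    "Windows": ["user.dave"],
    "Netware": [],
    "Unix": ["user.erin"],
}


def expand_members(group, directory=DIRECTORY):
    """Users reachable from `group` through nesting (dsget group -members -expand).

    Returns (users, max_depth); max_depth is the longest chain of groups between
    the group and any user. The visited set makes accidental nesting loops safe.
    """
    users, visited, max_depth = set(), set(), 0
    queue = deque([(group, 0)])
    while queue:
        name, depth = queue.popleft()
        if name in visited:
            continue
        visited.add(name)
        if name in directory:                      # a group: walk its members
            queue.extend((m, depth + 1) for m in directory[name])
        else:                                      # a user account
            users.add(name)
            max_depth = max(max_depth, depth)
    return users, max_depth


def expand_memberof(account, directory=DIRECTORY):
    """Every group the account belongs to, directly or by nesting
    (dsget group -memberof -expand)."""
    parents = {}
    for group, members in directory.items():
        for member in members:
            parents.setdefault(member, []).append(group)
    result, stack = set(), [account]
    while stack:
        for parent in parents.get(stack.pop(), []):
            if parent not in result:
                result.add(parent)
                stack.append(parent)
    return result


def move_user(user, from_group, to_group, directory=DIRECTORY):
    """The text's example: one removal plus one addition re-homes the user.
    Returns a modified copy so the sample directory stays intact."""
    updated = copy.deepcopy(directory)
    updated[from_group].remove(user)
    updated[to_group].append(user)
    return updated


def groups_nested_deeper_than(limit, directory=DIRECTORY):
    """Groups whose deepest user sits more than `limit` levels down."""
    return sorted(g for g in directory if expand_members(g, directory)[1] > limit)


if __name__ == "__main__":
    print(sorted(expand_members("IT")[0]))
    print(sorted(expand_memberof("user.bob")))
    print(groups_nested_deeper_than(3))
```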

Table 4.11 outlines the behavior and usage of the scopes of domain groups as the domain functional level changes.


Table 4.11

Group Scope Behavior versus Domain Functional Level

Domain status: Windows Server 2003 or Windows 2000 native
Behavior: Group membership
Universal group: Members can include user accounts, computer accounts, and other universal groups from any domain.
Global group: Members can include user accounts, computer accounts, and other global groups from the same domain.
Domain local group: Members can include user accounts, computer accounts, global groups, and universal groups from the same domain.

Domain status: Windows 2000 mixed
Behavior: Group membership
Universal group: Universal groups cannot be created.
Global group: Members can include user and computer accounts from the same domain.
Domain local group: Members can include user accounts, computer accounts, and global groups from any domain.

Domain status: Windows Server 2003 or Windows 2000 native
Behavior: Group nesting
Universal group: Can be added to other groups.
Global group: Can be added to other groups.
Domain local group: Can be added to other domain local groups.

Domain status: Windows Server 2003 or Windows 2000 native
Behavior: Group permissions
Universal group: Can be assigned permissions in any domain.
Global group: Can be assigned permissions in any domain.
Domain local group: Can be assigned permissions only in the same domain.

Domain status: Windows Server 2003 or Windows 2000 native
Behavior: Group scope changes
Universal group: Can be changed to global groups as long as no group members are other universal groups. Can be converted to domain local groups with no restrictions.
Global group: Can be changed to universal groups as long as the group is not a member of any other global group.
Domain local group: Can be changed to universal groups as long as no group members are other domain local groups.

Domain status: Windows 2000 mixed
Behavior: Group scope changes
Universal group: Not allowed.
Global group: Not allowed.
Domain local group: Not allowed.
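The membership rules from the Nesting Groups lists and the scope-change rows of Table 4.11, as an added example (my own code, not the book's): a small checker that accepts or rejects a proposed member or a scope conversion at each functional level. The class names, function names, and sample groups are invented.

```python
"""Group-scope membership and scope-change rules from the Nesting Groups lists
and Table 4.11.

Added example, not from the book: says whether a proposed member or scope
conversion is allowed at the Windows 2000 native / Windows Server 2003 level
or at Windows 2000 mixed. All names are my own.
"""
NATIVE = "native"  # Windows 2000 native or Windows Server 2003
MIXED = "mixed"    # Windows 2000 mixed


class Principal:
    """A user, computer, or group; `scope` is set only for groups."""

    def __init__(self, name, kind, domain, scope=None):
        self.name, self.kind, self.domain, self.scope = name, kind, domain, scope

    def is_group(self, scope=None):
        return self.kind == "group" and (scope is None or self.scope == scope)


class Directory:
    """Membership store: group name -> list of direct members."""

    def __init__(self):
        self.groups = {}   # group name -> Principal
        self.members = {}  # group name -> [Principal]

    def add_group(self, group):
        self.groups[group.name] = group
        self.members.setdefault(group.name, [])

    def add_member(self, group, member, level):
        if not may_be_member(member, group, level):
            raise ValueError(f"{member.name} cannot join {group.name} at {level}")
        self.members[group.name].append(member)

    def member_of(self, principal):
        """Groups that directly contain `principal`."""
        return [self.groups[g] for g, ms in self.members.items()
                if any(m.name == principal.name for m in ms)]


def may_be_member(member, group, level):
    """Membership rules (Nesting Groups lists; Table 4.11 membership rows)."""
    same_domain = member.domain == group.domain
    if group.scope == "universal":
        if level == MIXED:
            return False  # universal groups cannot be created in mixed mode
        # accounts, global groups and universal groups from any domain
        return not member.is_group() or member.scope in ("global", "universal")
    if group.scope == "global":
        if not same_domain:
            return False  # global groups take members only from their own domain
        if not member.is_group():
            return True
        return level == NATIVE and member.is_group("global")  # nesting needs native
    if group.scope == "domain local":
        if not member.is_group() or member.is_group("global"):
            return True  # accounts and global groups from any domain, at any level
        if level != NATIVE:
            return False
        return member.is_group("universal") or (member.is_group("domain local") and same_domain)
    raise ValueError(f"unknown scope {group.scope!r}")


def may_change_scope(group, new_scope, level, directory):
    """Scope-change rows of Table 4.11."""
    if level == MIXED:
        return False  # not allowed at Windows 2000 mixed
    members = directory.members.get(group.name, [])
    if group.scope == "universal" and new_scope == "global":
        return not any(m.is_group("universal") for m in members)
    if group.scope == "universal" and new_scope == "domain local":
        return True  # no restrictions
    if group.scope == "global" and new_scope == "universal":
        return not any(g.is_group("global") for g in directory.member_of(group))
    if group.scope == "domain local" and new_scope == "universal":
        return not any(m.is_group("domain local") for m in members)
    return False  # any conversion the table does not list
```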


EXAM 70-290 OBJECTIVE 2.3.3

EXAM 70-290 OBJECTIVE 2.3.4

Using the ADUC MMC Snap-In to Create and Manage Groups

This section discusses using ADUC to create and manage groups. Exercise 4.02 covers creating groups. It is important to know how to create groups. However, for the test, you also need to know how to manage groups. This section walks you through all the tabs of an Active Directory group account with screenshots and explanations.

EXERCISE 4.02 USING ADUC TO CREATE GROUPS

1. Open Active Directory Users and Computers (Start | Programs | Administrative Tools | Active Directory Users and Computers).

2. Right-click the domain or OU where you want to create a group, as shown in Figure 4.34.

3. Click New from the pop-up menu.

4. Click Group from the pop-up menu. This gives you the window shown in Figure 4.35.

Figure 4.34

Creating a New Group

5. Fill in the Group name. This automatically fills in the pre-Windows 2000 group name.

6. Choose the Group scope by clicking the appropriate radio button.


Figure 4.35

Naming the Group

7. Choose the Group type by clicking the appropriate radio button.

8. Click OK to create the group. Figure 4.36 shows your newly created group (Authors).

NOTE

By default, when you create a new group the scope is global and the type is security.

Figure 4.36

Seeing the New Group


Managing Group Accounts Via the Properties Tabs

Managing groups in ADUC is easier than managing users, because there are not as many tabs to configure. For the Server test you need to be familiar with the properties of group accounts, including what each tab is used for. This section provides screenshots with explanations for each of these tabs. To access the properties sheet, right-click the group name in the right pane of ADUC and then select Properties.

EXAM WARNING

You need to be familiar with the properties of group accounts for the test. This test uses exhibits to test your knowledge of the ADUC interface. For example, you might see a screenshot of a group’s properties and have to select the tab that manages the group’s scope, or you might see a screenshot to click the option that is needed for that particular question.

Using the General Tab

The General tab of a group’s properties is shown in Figure 4.37. Use this tab to change the group’s name and description. Always give your groups a descriptive name and fill in the description. Use the Notes field to key in additional information about the group, such as the group’s point of contact, who created the group, why the group was created, etc. If the group is mail-enabled for Exchange 2000, the E-mail field is automatically populated with the primary e-mail address of the group. The General tab is also where you change a group’s scope (domain local, global, or universal) and a group’s type (security or distribution).

Figure 4.37

Understanding a Group’s General Tab


Using the Members Tab

A group’s Members tab is shown in Figure 4.38. This lists all the members of the group. It shows the members’ names and locations in Active Directory. Click Add to add members to the group. This gives you the window shown in Figure 4.39. Type the name of the account (user or group) you want to make a member of the group and click Check Names to verify that the user or group exists and that the name is spelled correctly. Click OK to add the account to the group.

Figure 4.38

Understanding a Group’s Members Tab

Figure 4.39

Adding Members to a Group

Using the Member Of Tab

Figure 4.40 shows the Member Of tab. This tab looks like and is managed the same as the Members tab. It shows the name and Active Directory location of other groups that this group is a member of. Click Add to add this group to other groups. The Member Of tab only shows groups from the local domain, or groups that are stored on the Global Catalog server.


Figure 4.40

Understanding a Group’s Member Of Tab

Using the Managed By Tab

The group’s Managed by tab is shown in Figure 4.41. It shows who is responsible for managing the group. This gives you a point of contact for making changes to the group.

This tab shows the following about the manager of the group:

Name

Office Location

Street Address

City

State

Country

Telephone Number

Fax Number

You do not have to enter all this information manually. After you enter the username, all the other information is populated from the user’s Telephones and Address tabs.

Clicking the Properties box enables you to customize the user’s information. The Clear button removes the user as the group manager. You can optionally give the user the ability to update the membership of this group by selecting the check box next to Manager can update membership list.

Using the Object Tab

There is nothing to configure on the group’s Object tab, shown in Figure 4.42. This tab shows the location of the object in Active Directory (the Canonical name). It shows the type of object you are looking at (Object class). It shows you when the object was created and when it was last modified. For replication purposes, the Object tab also lists the current and original USNs.

Figure 4.41

Understanding a Group’s Managed By Tab

Figure 4.42

Understanding a Group’s Object Tab

Using the Security Tab

The group’s Security tab is shown in Figure 4.43. Use this tab to add and remove permissions to this group for other accounts (users and groups). Use the Add button to add the accounts, and then use the check boxes at the bottom to select the permissions for the newly added accounts. Read is the default permission assigned when you add an account to the security tab of a group. The Advanced button enables you to manage permissions to the group on a more granular level. This is also where you manage auditing, ownership, as well as view effective permissions.


Figure 4.43

Understanding a Group’s Security Tab

There are four tabs to manage for the advanced security settings of a group:

Permissions

Auditing

Owner

Effective Permissions

The first tab is the advanced Permissions tab, as shown in Figure 4.44. This tab can restore the default permissions to the group, and enable or disable inheritance for the group. The Add, Remove, and Edit buttons manage the permissions for the group. This is different from the permissions shown in Figure 4.43. Figure 4.43 shows permission roles.

Each role is automatically assigned a number of permissions from the advanced tab. For example, the Full Control role is assigned all the permissions on the Advanced tab. If you need more granular control than what is provided by the permission roles shown in Figure 4.43, use the advanced Permissions tab.

Figure 4.44

Understanding the Advanced Permissions Tab


The Auditing tab is shown in Figure 4.45. This tab is self-explanatory: it manages what is audited for the particular group. The Add, Remove, and Edit buttons manage auditing.

Figure 4.45

Understanding the Auditing Tab

The Owner tab is shown in Figure 4.46. This tab shows who owns the group. The owner of a group has Full Control of the group. Typically, the owner is the person who created the group. As an administrator, you can take ownership of a group by using the Other Users or Groups button. By giving yourself ownership of the group, you are effectively giving yourself full control of the group.

Figure 4.46

Understanding the Owner Tab

The Effective Permissions tab, shown in Figure 4.47, is new for Windows Server 2003. It provides a way to calculate a user’s or group’s effective permissions to a group. Use the Select button to choose the user or group that you want to investigate. Select the user and click OK. This shows you all the rights granted to the selected user or group for the group you are managing.


Figure 4.47

Understanding the Effective Permissions Tab

Managing Group Accounts Via the Pop-Up Menu

Like users, groups can be managed by right-clicking on the object, as shown in Figure 4.48, and selecting the desired command from the pop-up menu. However, group management offers fewer options in the context menu than user management. You can move a group to another location, as shown in Figure 4.49, or you can send the group an e-mail (if the group is mail enabled).

Figure 4.48

Using the Pop-Up Menu


Figure 4.49

Moving Groups in Active Directory

Using the Command Line to Create and Manage Groups

Use the following tools to create and manage groups:

■ dsadd.exe
■ dsmod.exe
■ dsget.exe
■ dsquery.exe

Using dsadd.exe Group

dsadd.exe enables you to quickly add multiple groups. In this section, you learn the syntax for dsadd group. Like the other dsadd commands, there is a lot of syntax for this command.

The syntax for dsadd group is as follows, and available switches are explained in detail in Table 4.12.

dsadd group <GroupDN> [-secgrp {yes | no}] [-scope {l | g | u}]
[-samid <SAMName>] [-desc <Description>] [-memberof <Group ...>]
[-members <Member ...>] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

Table 4.12

Understanding dsadd.exe Group

<GroupDN>
    Required. DN of group to add.

-secgrp {yes | no}
    Sets this group as a security group (yes) or not (no). Default: yes.

-scope {l | g | u}
    Sets the scope of this group: local, global, or universal. If the domain is still in mixed-mode, the universal scope is not supported. Default: global.

-samid <SAMName>
    Sets the SAM account name of group to <SAMName> (for example, operators).

-desc <Description>
    Sets group description to <Description>.

-memberof <Group ...>
    Makes the group a member of one or more groups given by the space-separated list of DNs <Group ...>.

-members <Member ...>
    Adds one or more members to this group. Members are set by space-separated list of DNs <Member ...>.

{-s <Server> | -d <Domain>}
    -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the log-on domain.

-u <UserName>
    Connects as <UserName>. Default: the logged-on user. Username can be: username, domain\username, or user principal name (UPN).

-p {<Password> | *}
    Password for the user <UserName>. If * is entered, you are prompted for a password.

-q
    Quiet mode: suppresses all output to standard output.

{-uc | -uco | -uci}
    -uc specifies that input from or output to pipe is formatted in Unicode. -uco specifies that output to pipe or file is formatted in Unicode. -uci specifies that input from pipe or file is formatted in Unicode.

Creating Groups

Use dsadd group to create a new universal group with the following syntax:

dsadd group <GroupDN> [-secgrp {yes | no}] [-scope {l | g | u}]
[-samid <SAMName>] [-desc <Description>]

The following example creates a universal group named Microsoft Trainers in the trainingconcepts.org domain:

dsadd group "CN=Microsoft Trainers,DC=trainingconcepts,DC=org" -secgrp yes -scope u -samid MicrosoftTrainers -desc "This group contains all of the Microsoft Trainers for Training Concepts"


Using dsmod.exe group

dsmod group modifies the attributes of groups in Active Directory. dsmod group uses the following syntax. All syntax and switches are explained in Table 4.13.

dsmod group <GroupDN ...> [-samid <SAMName>]

[-desc <Description>] [-secgrp {yes | no}] [-scope {l | g | u}]

[{-addmbr | -rmmbr | -chmbr} <Member ...>]

[{-s <Server> | -d <Domain>}] [-u <UserName>]

[-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

Table 4.13

Understanding dsmod group Syntax

<GroupDN>
    Required. DNs of one or more groups to modify. If target objects are omitted, they will be taken from standard input (stdin) to support piping of output from another command to the input of this command. If <GroupDN ...> and <Member ...> are used together, only one parameter can be taken from standard input, requiring that at least one parameter be specified on the command line.

-samid <SAMName>
    Sets the SAM account name of group to <SAMName>.

-desc <Description>
    Sets group description to <Description>.

-secgrp {yes | no}
    Sets the group type to security (yes) or non-security (no).

-scope {l | g | u}
    Sets the scope of group to local (l), global (g), or universal (u).

{-addmbr | -rmmbr | -chmbr}
    -addmbr adds members to the group. -rmmbr removes members from the group. -chmbr changes (replaces) the complete list of members in the group.

<Member>
    Space-separated list of members to add to, delete from, or replace in the group. If target objects are omitted, they will be taken from standard input (stdin) to support piping of output from another command to the input of this command. The list of members must follow the -addmbr, -rmmbr, and -chmbr parameters. If <GroupDN ...> and <Member ...> are used together, only one parameter can be taken from standard input, requiring that at least one parameter be specified on the command line.

{-s <Server> | -d <Domain>}
    -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the logon domain.

-u <UserName>
    Connects as <UserName>. Default: the logged-on user. Username can be: username, domain\username, or user principal name (UPN).

-p <Password>
    Password for the user <UserName>. If *, then prompt for password.

-c
    Continuous operation mode. Reports errors but continues with next object in argument list when multiple target objects are specified. Without this option, the command exits on first error.

-q
    Quiet mode: suppresses all output to standard output.

{-uc | -uco | -uci}
    -uc specifies that input from or output to pipe is formatted in Unicode. -uco specifies that output to pipe or file is formatted in Unicode. -uci specifies that input from pipe or file is formatted in Unicode.

Adding Members to Groups

Use dsmod group to add user accounts to groups with the following syntax:

dsmod group GroupDN -addmbr UserDN

The following example uses the dsmod command to add three user accounts to the Microsoft Trainers group:

dsmod.exe group "CN=Microsoft Trainers,DC=trainingconcepts,DC=org" -addmbr "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org"
dsmod.exe group "CN=Microsoft Trainers,DC=trainingconcepts,DC=org" -addmbr "CN=Gary Landry,CN=Users,DC=trainingconcepts,DC=org"
dsmod.exe group "CN=Microsoft Trainers,DC=trainingconcepts,DC=org" -addmbr "CN=Paul Salas,CN=Users,DC=trainingconcepts,DC=org"

Removing Members from Groups

Use dsmod group to remove members from a group with the following syntax:

dsmod group GroupDN -rmmbr UserDN

The following example removes the user Paul Salas from the Microsoft Trainers group:

dsmod group "CN=Microsoft Trainers,DC=trainingconcepts,DC=org" -rmmbr "CN=Paul Salas,CN=Users,DC=trainingconcepts,DC=org"

Converting Group Type

Use dsmod group to convert a group’s type with the following syntax:

dsmod group GroupDN [-secgrp {yes | no}]

The following examples convert the Microsoft Trainers group into a distribution group and then back into a security group:

dsmod group "CN=Microsoft Trainers,DC=trainingconcepts,DC=org" -secgrp no
dsmod group "CN=Microsoft Trainers,DC=trainingconcepts,DC=org" -secgrp yes

Using dsquery group

dsquery group searches Active Directory for groups that match specified criteria. You can use dsquery group to find groups and then send a list of those to another command. For example, you could use dsquery group to query AD for all groups without any members and have those results imported into dsmod to delete all the empty groups. dsquery.exe group uses the following syntax. Table 4.14 explains all the syntax and available switches in detail.

dsquery group [{<StartNode> | forestroot | domainroot}]

[-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}]

[-name <Name>] [-desc <Description>] [-samid <SAMName>]

[{-s <Server> | -d <Domain>}] [-u <UserName>]

[-p {<Password> | *}] [-q] [-r] [-gc]

[-limit <NumObjects>] [{-uc | -uco | -uci}]


Table 4.14

Understanding dsquery group Syntax

{<StartNode> | forestroot | domainroot}
    The node where the search starts: forest root, domain root, or a node whose DN is <StartNode>. Can be “forestroot,” “domainroot,” or an object DN. If “forestroot” is specified, the search is done via the global catalog. Default: domainroot.

-o {dn | rdn | samid}
    Specifies the output format. Default: DN.

-scope {subtree | onelevel | base}
    Specifies the scope of the search: subtree rooted at start node (subtree); immediate children of start node only (onelevel); the base object represented by start node (base). Note that subtree and domain scope are essentially the same for any start node unless the start node represents a domain root. If forestroot is specified as <StartNode>, subtree is the only valid scope. Default: subtree.

-name <Name>
    Finds groups whose name matches the value given by <Name>; e.g., “jon*” or “*ith” or “j*th.”

-desc <Description>
    Finds groups whose description matches the value given by <Description>; e.g., “jon*” or “*ith” or “j*th.”

-samid <SAMName>
    Finds groups whose SAM account name matches the value given by <SAMName>.

{-s <Server> | -d <Domain>}
    -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the log-on domain.

-u <UserName>
    Connects as <UserName>. Default: the logged-on user. Username can be: username, domain\username, or user principal name (UPN).

-p <Password>
    Password for the user <UserName>. If * is specified, you are prompted for a password.

-q
    Quiet mode: suppresses all output to standard output.

-r
    Recurses or follows referrals during search. Default: do not chase referrals during search.

-gc
    Searches in the Active Directory global catalog.

-limit <NumObjects>
    Specifies the number of objects matching the given criteria to be returned, where <NumObjects> is the number of objects to be returned. If the value of <NumObjects> is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.

{-uc | -uco | -uci}
    -uc specifies that input from or output to pipe is formatted in Unicode. -uco specifies that output to pipe or file is formatted in Unicode. -uci specifies that input from pipe or file is formatted in Unicode.

Finding Groups Based on Description

To use dsquery group to query Active Directory for groups with a specified description, use the following syntax:

dsquery group -desc <Description>

The following example queries Active Directory for all groups with the description “Microsoft Trainers.”

dsquery group -desc "Microsoft Trainers"

You can use wildcards in the description as well. The following example queries Active Directory for all groups with trainers in the description.

dsquery group -desc *trainers*

Finding Groups Based on Name

To use dsquery group to query Active Directory for groups that match a specified name, use the following syntax:

dsquery group -name <Name>

The following example queries Active Directory for the authors group.

dsquery group -name authors

You can use wildcards in the name as well. The following example queries Active Directory for any group beginning with the letter “a”.

dsquery group -name a*

The following sample output is from querying the trainingconcepts.org domain for all groups that start with the letter “a” (previous example):


"CN=Administrators,CN=Builtin,DC=w2k3doma,DC=ads"

"CN=Account Operators,CN=Builtin,DC=w2k3doma,DC=ads"

"CN=Authors,CN=Users,DC=w2k3doma,DC=ads"

Finding Groups on the Global Catalog Server

By default, when you use dsquery.exe group to search for groups, only the domain partition of your domain is searched. Use the -gc option to search the global catalog server. The following example shows the previous examples modified to search the global catalog server.

dsquery group -desc "Microsoft Trainers" -gc
dsquery group -desc *trainers* -gc
dsquery group -name authors -gc
dsquery group -name a* -gc
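An added example (my own code, not the book's) of the dsquery-to-dsmod workflow described above, used from the defender's side: it parses the one-DN-per-line output that dsquery and dsget print, diffs a group's current members against an approved list, and builds the dsmod group -addmbr / -rmmbr argument lists that would restore the approved membership. The "Temp Contractor" and "New Trainer" DNs are constructed sample data, and nothing is executed.

```python
"""Reconcile a group's membership against an approved list using dsmod argv.

Added example, not from the book. Parses the quoted-DN lines that dsquery and
dsget print, diffs the current members against an approved baseline (for
instance the sign-off from an access review), and builds the argument lists for
the dsmod group -addmbr / -rmmbr calls that would restore the baseline.
All DNs below are constructed sample data; nothing is executed.
"""

# Constructed sample: what `dsget group "<GroupDN>" -members` might print.
# "Temp Contractor" stands in for an addition nobody approved.
CURRENT_OUTPUT = '''"CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org"
"CN=Gary Landry,CN=Users,DC=trainingconcepts,DC=org"
"CN=Paul Salas,CN=Users,DC=trainingconcepts,DC=org"
"CN=Temp Contractor,CN=Users,DC=trainingconcepts,DC=org"
'''

GROUP_DN = "CN=Microsoft Trainers,DC=trainingconcepts,DC=org"

# Constructed approved baseline; "New Trainer" is approved but not yet a member.
APPROVED = [
    "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org",
    "CN=Gary Landry,CN=Users,DC=trainingconcepts,DC=org",
    "CN=Paul Salas,CN=Users,DC=trainingconcepts,DC=org",
    "CN=New Trainer,CN=Users,DC=trainingconcepts,DC=org",
]


def parse_dn_lines(text):
    """dsquery/dsget print one DN per line, wrapped in double quotes."""
    dns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            line = line[1:-1]
        dns.append(line)
    return dns


def rdn_value(dn):
    """Leading RDN value: 'Paul Salas' from 'CN=Paul Salas,CN=Users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def reconcile(group_dn, current_dns, approved_dns):
    """Return (to_add, to_remove, commands) with each command as an argv list."""
    current, approved = set(current_dns), set(approved_dns)
    to_add = sorted(approved - current)
    to_remove = sorted(current - approved)
    commands = []
    if to_add:
        commands.append(["dsmod", "group", group_dn, "-addmbr", *to_add])
    if to_remove:
        commands.append(["dsmod", "group", group_dn, "-rmmbr", *to_remove])
    return to_add, to_remove, commands


def render_cmd(argv):
    """Render argv as a cmd.exe line; DNs carry spaces and commas, so quote them."""
    return " ".join(f'"{a}"' if (" " in a or "," in a) else a for a in argv)


def plan(group_dn=GROUP_DN, output=CURRENT_OUTPUT, approved=APPROVED):
    """Summarise the drift and the commands that would correct it."""
    to_add, to_remove, commands = reconcile(group_dn, parse_dn_lines(output), approved)
    return {
        "unapproved": [rdn_value(d) for d in to_remove],
        "missing": [rdn_value(d) for d in to_add],
        "commands": [render_cmd(c) for c in commands],
    }


if __name__ == "__main__":
    for line in plan()["commands"]:
        print(line)
```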

Using dsget group

dsget group displays the properties of groups in Active Directory. There are two variations of this command. The first one displays the properties of multiple groups. The second one displays the group membership information of a single group. dsget group uses the following syntax. Table 4.15 explains all the syntax and switches for dsget group in detail.

dsget group <GroupDN ...> [-dn] [-samid] [-sid] [-desc] [-secgrp]
[-scope] [{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
[-part <PartitionDN> [-qlimit] [-qused]]

dsget group <GroupDN> [{-memberof | -members} [-expand]]
[{-s <Server> | -d <Domain>}] [-u <UserName>]
[-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Table 4.15 Understanding dsget group Syntax

Value   Description

<GroupDN ...>   Required. DNs of one or more groups to view. If the target objects are omitted, they will be taken from standard input (stdin) to support piping of the output from another command to input of this command.

-dn   Displays the group DN.

-samid   Displays the group SAM account name.

-sid   Displays the group Security ID.

-desc   Displays the group description.

-secgrp   Displays whether the group is a security group or not.

-scope   Displays the scope of the group: Local, Global, or Universal.

<GroupDN>   Required. DN of the group to view.

{-memberof | -members}   Displays the groups of which the group is a member (-memberof), or displays the members of the group (-members).

-expand   For -memberof, displays the recursively expanded list of groups of which the group is a member. This option takes the immediate group membership list of the group and then recursively expands each group in this list to determine its group memberships and arrive at a complete set of the groups. For -members, displays the recursively expanded list of members of the group. This option takes the immediate list of members of the group and then recursively expands each group in this list to determine its members and arrive at a complete set of its members.

{-s <Server> | -d <Domain>}   -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the log-on domain.

-u <UserName>   Connects as <UserName>. Default: the logged-on user. Username can be: username, domain\username, or user principal name (UPN).

-p {<Password> | *}   Password for the user <UserName>. If *, then prompt for password.

-c   Continuous operation mode: reports errors but continues with the next object in the argument list when multiple target objects are specified. Without this option, the command exits on the first error.

-q   Quiet mode: suppresses all output to standard output.

-l   Displays the entries in the search result set in a list format. Default: table format.

{-uc | -uco | -uci}   -uc specifies that input from or output to pipe is formatted in Unicode. -uco specifies that output to pipe or file is formatted in Unicode. -uci specifies that input from pipe or file is formatted in Unicode.

-part <PartitionDN>   Connects to the directory partition with the distinguished name of <PartitionDN>.

-qlimit   Displays the effective quota of the group within the specified directory partition.

-qused   Displays how much of its quota the group has used within the specified directory partition.

Determining a Group’s Scope

To use dsget group to determine a group’s scope, use the following syntax:

dsget group <GroupDN> -scope

The following example queries Active Directory for the scope (domain local, global, or universal) of the authors group.

dsget group authors -scope

Determining a Group’s Type

To use dsget group to determine a group’s type, use the following syntax:

dsget group <GroupDN> -secgrp

The following example queries Active Directory to determine whether the authors group is a security or distribution group.

dsget group authors -secgrp

Determining a Group’s Members

To use dsget group to determine a group’s members, use the following syntax:

dsget group <GroupDN> -members

The following example queries Active Directory for the members of the authors group.

dsget group authors -members

Determining a Group’s Membership

To use dsget group to determine a group’s membership, use the following syntax:

dsget group <GroupDN> -memberof

The following example queries Active Directory for the groups the authors group is a member of.

dsget group authors -memberof
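What -expand actually computes is easiest to see on a small membership table. The following Python example is added here and is neither dsget.exe nor code from the book; the group and user DNs are constructed sample data in the book's trainingconcepts.org domain, and the helper names (expand_members, expand_memberof, groups_matching) are the example's own. It includes a deliberate nesting loop, the case a recursive walk must guard against, and it mirrors the pipe dsquery group -name a* | dsget group -members -expand.

```python
"""Nested-group expansion modelled on dsget group -members -expand / -memberof -expand.

Added example, not dsget.exe itself. All DNs are constructed sample data arranged
with a deliberate nesting loop (Authors contains Editors, Editors contains Authors),
so the walk has to remember which groups it has already visited.
"""
from collections import defaultdict

# Direct members of each group, one DN per entry, in the quoted-DN form that
# dsquery/dsget print. Anything that is not a key here is treated as a user.
DIRECT_MEMBERS = {
    "CN=Microsoft Trainers,CN=Users,DC=trainingconcepts,DC=org": [
        "CN=Authors,CN=Users,DC=trainingconcepts,DC=org",
        "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org",
    ],
    "CN=Authors,CN=Users,DC=trainingconcepts,DC=org": [
        "CN=Editors,CN=Users,DC=trainingconcepts,DC=org",
        "CN=Alice Example,CN=Users,DC=trainingconcepts,DC=org",
    ],
    "CN=Editors,CN=Users,DC=trainingconcepts,DC=org": [
        "CN=Authors,CN=Users,DC=trainingconcepts,DC=org",  # loop back to Authors
        "CN=Bob Example,CN=Users,DC=trainingconcepts,DC=org",
    ],
}

# Reverse index: the groups each object is a direct member of (the -memberof view).
DIRECT_MEMBER_OF = defaultdict(list)
for _group, _members in DIRECT_MEMBERS.items():
    for _member in _members:
        DIRECT_MEMBER_OF[_member].append(_group)


def is_group(dn):
    return dn in DIRECT_MEMBERS


def cn(dn):
    """Common name from a DN's first RDN (simple DNs only; escaped commas not handled)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def groups_matching(prefix):
    """Like dsquery group -name <prefix>*: case-insensitive match on the CN."""
    return [g for g in DIRECT_MEMBERS if cn(g).lower().startswith(prefix.lower())]


def _walk(start, neighbours):
    """Transitive closure over a direct-link table, visiting each group once."""
    result, seen = set(), {start}

    def visit(dn):
        for nxt in neighbours.get(dn, []):
            result.add(nxt)
            if is_group(nxt) and nxt not in seen:   # the loop guard
                seen.add(nxt)
                visit(nxt)

    visit(start)
    return result


def expand_members(group_dn):
    """Everything that ends up in group_dn at any nesting depth (-members -expand)."""
    return _walk(group_dn, DIRECT_MEMBERS)


def expand_memberof(dn):
    """Every group dn belongs to, directly or through nesting (-memberof -expand)."""
    return _walk(dn, DIRECT_MEMBER_OF)


def effective_users(group_dn):
    """Only the user accounts from the expanded membership: who really holds the rights."""
    return {m for m in expand_members(group_dn) if not is_group(m)}


if __name__ == "__main__":
    # Mirrors: dsquery group -name a* | dsget group -members -expand
    for group in groups_matching("a"):
        print(cn(group), "expands to", sorted(cn(m) for m in expand_members(group)))
```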


Group Management Tasks

So far we have discussed the different types and scopes of groups. You have seen how to create these groups from the GUI and from the command line. Now we look at some common group management tasks, such as changing group scope and determining group membership.

Identifying and Modifying the Scope of a Group

A group’s scope determines its purpose and where it can be used. There are three group scopes available (if the domain functional level is Windows 2000 native or later):

Domain Local

Global

Universal

When to use each group scope was discussed earlier in this chapter. For this section, we focus on determining a group’s current scope and changing the group scope. Both of these tasks can be accomplished via the GUI or from the command line.

Group scope can be found and modified by using ADUC. Figure 4.50 shows how to use ADUC to view a group’s scope. To modify the group’s scope, click the option button next to the scope type you want to convert the group to and click the Apply button.

Group scope can be converted as explained in the following list:

Universal groups can be converted to domain local groups or global groups.

Domain local groups can be converted to universal groups.

Global groups can be converted to universal groups.

Global groups cannot be converted to domain local groups and vice versa.

Figure 4.50 Viewing Group Scope

Group scope can be found and modified from the command line by using dsget and dsmod.

Use dsget group with the following syntax to determine a group’s scope:

dsget group <GroupDN> -scope

The following example shows the group scope for the authors group in the trainingconcepts.org domain:

dsget group "CN=authors,CN=users,DC=trainingconcepts,DC=org" -scope

Use dsmod group with the following syntax to convert a group’s scope:

dsmod group <GroupDN> [-scope {l | g | u}]

The following example converts a group into a global group and then into a universal group:

dsmod group "CN=Microsoft Trainers,DC=trainingconcepts,DC=org" -scope g

dsmod group "CN=Microsoft Trainers,DC=trainingconcepts,DC=org" -scope u

EXAM 70-290 OBJECTIVE 2.3.2

Determining to which Groups a User Belongs

Determining group membership can be accomplished through the GUI by using ADUC or from the command line by using dsget.exe. There are two ways to find this information in ADUC:

From the properties of a user account (as shown in Figure 4.51)

From the properties of a group account (as shown in Figure 4.52)

Figure 4.51 Finding Group Membership Via a User’s Properties

To determine what groups a user belongs to from the command line, use the dsget user command with the following syntax:

dsget user <UserDN> -memberof


Figure 4.52 Finding Group Membership Via Group Properties

The following example determines the group membership of user Chad Todd:

dsget user "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org" -memberof

To determine all members of a group from the command line, use the dsget group command with the following syntax:

dsget group <GroupDN> -members

The following example shows the group membership for the Trainers group in the trainingconcepts.org domain:

dsget group "CN=Trainers,CN=Users,DC=trainingconcepts,DC=org" -members

Group Membership Management Best Practices

The next few sections explain when to use each group scope and show you how all the groups fit together using the AGUDLP method. AGUDLP is an acronym to make it easier to remember when to use each group. Following the AGUDLP guideline is not a requirement, but it is a best practice recommended by Microsoft.

Using Domain Local Groups

Domain local groups manage access to resources within a domain. Figure 4.53 gives a graphical example of how domain local groups are used in an enterprise. Shares are created and permissions to those shares are assigned to domain local groups. Notice that this happens in each domain. This is the DLP portion of AGUDLP (AGUDLP is discussed in full in the subsection titled “Understanding AGUDLP”). Domain Local (DL) groups are assigned permissions (P).


Figure 4.53 Assigning Permissions Through Groups (diagram of the DLP step: in each domain, a Domain Local group (DL) is assigned Permissions (P) on a share on a server)

Using Global Groups

Global groups should be used to manage objects that are likely to require frequent maintenance and management operations, such as user accounts and computer accounts. Global groups are not replicated beyond the boundaries of their own domains, thus changes can be made to global group members without creating large amounts of replication traffic to the Global Catalog servers. (This is in direct contrast to universal groups, as is discussed shortly.)

Permissions and user rights that are assigned to global groups are only valid in the domain in which they are assigned.You should use global groups (or universal groups) when you are applying permissions on domain objects that are replicated to the Global Catalog.

Using Universal Groups

Universal groups are best used to consolidate global groups into one location. Since user accounts are added to the global groups, membership changes in the global groups do not have an effect on the universal group. Consider the example shown in Figure 4.54 where you have three domains. User accounts are added to their respective global groups. The three global groups are added to one universal group. The universal group can be used anywhere within the enterprise, and changes that might be made to the global groups do not cause replication to occur for the universal group; this provides a bandwidth (and cost) savings. This is the AGU portion of AGUDLP. User Accounts (A) go into Global groups (G) and Global Groups go into Universal groups (U).

NOTE

Membership in universal groups should not change often, because changes to universal groups are replicated to every Global Catalog server in the forest, a potentially bandwidth-intensive operation.

Figure 4.54 Organizing Users Into Groups (diagram of the AGU step: User accounts (A) in each of the three domains go into that domain’s Global group (G), and the three Global groups go into one Universal group (U))

Understanding AGUDLP

As mentioned previously, AGUDLP is an acronym to help you remember how the different group scopes fit together. Figure 4.55 shows how this is used in an enterprise. User Accounts (A) go into Global groups (G) within their domains. Global groups get organized into forest-wide Universal groups (U). Universal groups get placed into Domain Local groups (DL), which have been assigned permissions (P) on resources. Look at the following real-world examples.


Figure 4.55 Putting It All Together (diagram of AGUDLP: User (A) in a Global group (G), Global group in a Universal group (U), Universal group in a Domain Local group (DL), Domain Local group assigned Permissions (P) on a share on a server)

Using Groups in a Single Domain

You have a network file share to which you want to configure access for 20 user accounts.

You could manually configure the share permissions to enable each of the 20 user accounts to have the required access. However, if later you need to configure the permissions on a second network file share for the same 20 user accounts, you would need to perform the manual permissions assignment again for all 20 users.

The easier, more accurate, and more secure way to assign the permissions you need is to create a domain local group and assign it the required permissions on the file shares.

After this has been done, create a global group and place the 20 user accounts in the global group. Add the global group to the domain local group; this results in all 20 users inheriting the domain local group’s assigned permissions, which therefore enables them to gain access to the two file shares.

This might seem like a lot of extra work at first, but it saves you a lot of work in the long run. You simply create two groups (domain local and global), configure the required permissions for the domain local group, add the users to the global group, and then add the global group to the domain local group. This is much faster and more accurate than attempting to manually configure permissions for 20 users on two different file shares. Now imagine how this example could be scaled out to include dozens, perhaps hundreds, of shared objects in a network.


Using Groups in a Multiple Domain Forest

Use the same example for a multiple domain forest. You have the same network file share. You want to give 20 users from each domain access to this share. You create a domain local group and assign it the correct permissions to the network share. You create a global group in each domain to hold the users that need permissions. You then add all those global groups to a single universal group. Next, you add the universal group to the domain local group.
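The same multiple-domain layout, as an added Python model that is not from the book: the domain, group, user and share names are constructed, the scope nesting rules it enforces are those of a Windows 2000 native-mode (or later) domain, and it shows why the layout is cheap to maintain: onboarding a user changes only that domain’s global group, and only universal group membership is replicated to every Global Catalog server.

```python
"""AGUDLP modelled in code: three domains, 20 users each, A -> G -> U -> DL -> P.

Added example with constructed names; it is not the book's code and not an AD API.
"""
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    domain: str
    scope: str = "user"                          # "user", "global", "universal", "domainlocal"
    members: set = field(default_factory=set)    # names of direct members (groups only)


def may_contain(group, member):
    """Nesting rules for a Windows 2000 native-mode (or later) domain."""
    if group.scope == "global":                  # own-domain users and global groups only
        return member.domain == group.domain and member.scope in ("user", "global")
    if group.scope == "universal":               # users, global and universal groups, any domain
        return member.scope in ("user", "global", "universal")
    if group.scope == "domainlocal":             # plus domain local groups from its own domain
        return member.scope in ("user", "global", "universal") or (
            member.scope == "domainlocal" and member.domain == group.domain)
    return False


class Forest:
    def __init__(self):
        self.objects = {}   # name -> Principal
        self.acl = {}       # share -> {domain local group name: permission}

    def add(self, principal):
        self.objects[principal.name] = principal
        return principal

    def add_member(self, group_name, member_name):
        """Nest member into group; returns True when the change replicates to every GC."""
        group, member = self.objects[group_name], self.objects[member_name]
        if not may_contain(group, member):
            raise ValueError(f"{group.scope} group {group_name} cannot contain "
                             f"{member.scope} {member_name} from {member.domain}")
        group.members.add(member_name)
        # Universal group membership is replicated to every Global Catalog server;
        # global and domain local membership stays inside the group's own domain.
        return group.scope == "universal"

    def grant(self, share, group_name, permission):
        """The P step: permissions go on a domain local group and nothing else."""
        if self.objects[group_name].scope != "domainlocal":
            raise ValueError("AGUDLP: assign permissions to domain local groups only")
        self.acl.setdefault(share, {})[group_name] = permission

    def groups_of(self, name):
        """Transitive group membership, as dsget user -memberof -expand would report it."""
        found = set()

        def walk(obj_name):
            for group in self.objects.values():
                if obj_name in group.members and group.name not in found:
                    found.add(group.name)
                    walk(group.name)

        walk(name)
        return found

    def effective(self, user, share):
        """Permissions the user holds on the share through any group in the chain."""
        groups = self.groups_of(user)
        return {perm for grp, perm in self.acl.get(share, {}).items() if grp in groups}


SHARE = r"\\fs1\training"                                                  # constructed
DOMAINS = ["east.example.test", "west.example.test", "north.example.test"]  # constructed


def build_example(users_per_domain=20):
    """One universal group, one domain local group with the permission, one global per domain."""
    forest = Forest()
    forest.add(Principal("All Trainers", DOMAINS[0], "universal"))
    forest.add(Principal("Share Readers", DOMAINS[0], "domainlocal"))
    forest.grant(SHARE, "Share Readers", "Read")           # DL -> P
    forest.add_member("Share Readers", "All Trainers")     # U -> DL
    for domain in DOMAINS:
        forest.add(Principal(f"Trainers ({domain})", domain, "global"))
        forest.add_member("All Trainers", f"Trainers ({domain})")   # G -> U
        for i in range(1, users_per_domain + 1):
            forest.add(Principal(f"user{i}@{domain}", domain))
            forest.add_member(f"Trainers ({domain})", f"user{i}@{domain}")  # A -> G
    return forest


def onboard(forest, user, domain):
    """A new hire goes into the domain's global group only; returns the GC-replication flag."""
    forest.add(Principal(user, domain))
    return forest.add_member(f"Trainers ({domain})", user)


if __name__ == "__main__":
    f = build_example()
    print(f.effective("user7@west.example.test", SHARE))                    # {'Read'}
    print(onboard(f, "newhire@north.example.test", "north.example.test"))  # False
```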

EXAM 70-290 OBJECTIVE 2.2

Creating and Managing Computer Accounts

Computer accounts serve the same basic function as user accounts: they are used to determine the rights and permissions that a computer will have in the domain. Although computer accounts can be created for any Windows computer on your network running Windows NT or later, only Windows 2000 or later computers will be able to fully participate in Active Directory and receive security and management configuration from Active Directory. Windows 9x and Windows NT computers require the use of System Policies to configure security and management options. Computers running Windows 3.x, Windows 9x, Windows ME, and Windows XP Home Edition do not have computer accounts and thus are not domain members.

NOTE

You can learn more about System Policies at www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/server/tattooing.asp.

Computer accounts can be created in one of three ways:

Manually via the Active Directory Users and Computers console

From the command line

Automatically by joining a Windows 2000,Windows XP, or Windows Server 2003 computer to the domain

Each of these methods is examined in more detail in the following sections.

EXAM WARNING

By default, Authenticated Users are assigned the Add workstations to a domain user right and can create up to 10 computer accounts in the domain. This right can be removed or the number of allowed account creations can be changed from 10 to some other number. This is done by editing the Group Policy Object (Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment).


EXAM 70-290 OBJECTIVE 2.5.1

Using the ADUC MMC Snap-In to Create and Manage Computers

This section discusses using ADUC to create and manage computers. Exercise 4.03 covers creating computers. It is important to know how to create computer accounts. However, for the test you also need to know how to manage computer accounts. This section walks you through all the tabs of an Active Directory computer account with screenshots and explanations.

EXERCISE 4.03 USING ADUC TO CREATE COMPUTERS

1. Open Active Directory Users and Computers (Start | Programs | Administrative Tools | Active Directory Users and Computers).

2. Right-click the domain or OU where you want to create a computer account, as shown in Figure 4.56.

Figure 4.56

Creating a New Computer Account

3. Click New from the pop-up menu.

4. Click Computer from the pop-up menu. This gives you the window shown in Figure 4.57.

5. Type the name for the computer account in the Computer name field. This automatically fills in the pre-Windows 2000 computer name.


Figure 4.57 Naming the New Computer Account

6. Select the user or group that can join the PC to the domain. By default, the built-in Domain Admins group has these rights. This option enables you to create computer accounts in advance and enables users without administrative rights to join the machines to the domain.

7. If the computer account is for a machine running a Windows NT operating system, select the check box next to Assign this computer account to a pre-Windows 2000 computer.

8. If the computer account is for a Windows NT backup domain controller (BDC), select the check box next to Assign this computer an account as a backup domain controller.

9. Click Next to continue. This gives you the window shown in Figure 4.58.

Figure 4.58 Managing a Computer Account

10. If this will be a managed computer, select the check box next to This is a managed computer and type the GUID of the object in the Computer’s unique ID field. This setting is used when you are pre-staging a machine account to be used by Remote Installation Services (RIS). Pre-staging prevents RIS from deploying an operating system to unknown client computers.

NOTE

Remote Installation Services is used to deploy unattended installations to machines over the network. You can learn more about RIS at http://support.microsoft.com/default.aspx?scid=kb;en-us;325862.

11. Click Next to continue. This gives you the summary window shown in Figure 4.59. Click Finish to create the object. Figure 4.60 shows the newly created machine account.

Figure 4.59 Verifying Settings

Figure 4.60 Seeing the New Computer Account

Managing Computer Accounts Via the Properties Tabs

For the Server test, you need to be familiar with the properties of machine accounts, including what each tab is used for. This section provides screenshots with explanations for each of these tabs.

EXAM WARNING

You need to be familiar with the properties of computer accounts for the test. This test uses exhibits to test your knowledge of the ADUC interface. For example, you may see a screenshot of a computer’s properties and have to select the tab that manages the computer’s group membership or you may see a screenshot with the correct tab selected and have to click the option that is needed for that particular question.

Using the General Tab

A computer’s General tab, shown in Figure 4.61, displays the computer’s NetBIOS (pre-Windows 2000) name and its fully qualified DNS (host) name. It also shows the computer’s role. There are two possible roles:

Workstation or server

Domain controller

The General tab is also where you set the description for the server. It is a good idea to explain the server’s purpose in the Description field. This makes it easier to remember what all of your servers do as your enterprise gets larger. For workstations, it is a good idea to list the owner of the workstation here. This makes it easy to find a particular user’s workstation when browsing through a list of workstations.

Figure 4.61 Understanding a Computer’s General Tab

Using the Operating System Tab

The Operating System tab, shown in Figure 4.62, lists the operating system name and version. It also lists the current service pack installed.

Figure 4.62 Understanding a Computer’s Operating System Tab

Using the Member Of Tab

The Member Of tab, shown in Figure 4.63, shows the name and location in Active Directory for all the groups this machine is a member of. Use the Add and Remove buttons to modify which groups this machine belongs to. If you are using POSIX-compliant applications or Macintosh clients, use the Set Primary Group button to set one of the groups as the primary group.

Figure 4.63 Understanding a Computer’s Member Of Tab

Using the Delegation Tab

The Delegation tab, shown in Figure 4.64, enables you to use the computer for delegation. There are three choices for delegation:

Do not trust this computer for delegation

This is the default for Windows Server 2003 machines.

Trust this computer for delegation to any service (Kerberos only)

This option makes all services under the Local System account trusted for delegation. In other words, any installed service has the capability to access any network resource by impersonating a user.

Trust this computer for delegation to specified services only

This feature was not available in previous versions of Windows. It enables an administrator to choose the services that are delegated by selecting a specific service or computer account. This is commonly referred to as constrained delegation.

Figure 4.64 Understanding a Computer’s Delegation Tab

Using the Location Tab

Use the Location tab, shown in Figure 4.65, to configure the computer’s location. This refers to the physical location of the computer. A typical location is in the format Building Name/Floor Number/Room Number.

Using the Managed By Tab

The computer’s Managed By tab, shown in Figure 4.66, shows who is responsible for managing the computer. This tab shows the following about the manager of the machine:


Name

Office Location

Street Address

City

State

Country

Telephone Number

Fax Number

Figure 4.65 Understanding a Computer’s Location Tab

You do not have to enter all this information manually. After you enter the username, all the other information is populated from the user’s Telephones and Address tabs. Clicking the Properties button enables you to customize the user’s information. The Clear button removes the user as the computer manager.

Figure 4.66 Understanding a Computer’s Managed By Tab

Using the Object Tab

There is nothing to configure on the computer’s Object tab, shown in Figure 4.67. This tab shows you the location of the object in Active Directory (the Canonical name). It shows you the type of object you are looking at (Object class). It shows you when the object was created and when it was last modified. For replication purposes, the Object tab also lists the current and original USNs.

Figure 4.67 Understanding a Computer’s Object Tab

Using the Security Tab

The Security tab, shown in Figure 4.68, enables you to add and remove permissions to this computer for other accounts (users and groups). Use the Add button to add the accounts and then use the check boxes at the bottom to select the permissions for the newly added accounts. Read is the default permission assigned when you add an account to the Security tab of a computer. The Advanced button enables you to manage permissions to the computer on a more granular level. This is also where you manage auditing, manage ownership, and view effective permissions.

Using the Dial-In Tab

The Dial-in tab, shown in Figure 4.69, controls dial-in and VPN options for the selected computer account. You will recognize this as very similar to the Dial-in tab on a user’s account properties. This tab contains two main sections: Remote Access Permissions and Callback Options. Remote Access Permissions determine whether a computer is enabled to connect to the Routing and Remote Access Server (RRAS) for dial-in or VPN capabilities. The Callback Options section controls how the phone call is managed when using a dial-in solution.


Remote Access Permissions include the following:

Allow Access

If remote access conditions are met, setting the computer account to enable access permits connecting to the RRAS server.

Deny Access

Setting the computer account to deny access forbids connecting to the RRAS server.

Control Access through Remote Access Policy

If remote access conditions are met and there is a matching policy that enables access, setting the computer account to Control Access through Remote Access Policy enables connecting to the RRAS server. If there is not a matching policy that enables access, connecting to the RRAS server is denied.

Figure 4.68 Understanding a Computer’s Security Tab

Callback Options include the following:

No Callback

The RRAS server does not call back the computer dialing in.

Set by Caller (Routing and Remote Access Service only)

The RRAS server prompts the dial-in user for a phone number. It then disconnects the user and calls back the number specified. This is a good option if you want the company to front the long-distance charges of using a dial-in solution.

Always Callback to

When the computer dials in to the RRAS server, it is disconnected and automatically called back at the number specified here. This is good for security purposes, because it enables you to control the location of your dial-in computers and makes it less likely that an unauthorized user who finds out a legitimate user’s account name and password will be able to access the server or network.

In addition to the Remote Access Permissions and the Callback Options, the Dial-in tab has the following options:


Verify Caller-ID

If the number the computer is calling from does not match the number specified here, the connection to the RRAS server is dropped. This is different from Always Callback to because it only verifies the phone number; it doesn’t call the user back. This is useful if you want the caller to bear the long-distance charges.

Assign a Static IP Address

This enables you to assign static IP addresses to your RRAS clients.

Apply Static Routes

This enables you to apply static routes to your RRAS clients. This is useful if you want to use routing rules to limit the machines that your clients can get to after they are connected.

Figure 4.69 Understanding a Computer’s Dial-In Tab

EXAM 70-290 OBJECTIVE 2.5.2

Managing Computer Accounts Via the Pop-Up Menu

Right-clicking a computer object, as shown in Figure 4.70, enables you to perform the following:

Configure name mappings.

Reset the computer account.

Move the computer account.

Delete the computer account.

View the properties of the computer account.

Figure 4.71 shows how to configure security identity mappings for a machine account.

As with user accounts, you can map computer accounts to a Kerberos Name to be used in a trusted non-Windows Kerberos realm and to X.509 Certificates. You have three options when mapping X.509 certificates:


Map the certificate to one account. This is known as a one-to-one mapping.

Map any certificate with the same subject to the machine account, regardless of the issuer of the certificate. This is known as a many-to-one mapping.

Map any certificate with the same issuer to the machine account, regardless of the subject of the certificate. This is known as a many-to-one mapping.

Figure 4.70 Using the Right-Click Pop-Up Menu

Figure 4.71 Mapping Computer Accounts to Certificates

Figures 4.72 and 4.73 show how to reset computer accounts. The dialog box in Figure 4.72 asks you if you are sure that you want to reset the computer account. Clicking No cancels the reset. Clicking Yes resets the account and gives you the confirmation window shown in Figure 4.73.


Figure 4.72 Resetting Computer Accounts

Figure 4.73 Acknowledging Reset Computer Accounts

TEST DAY TIP

When you join a computer to a domain, a computername$ account is created and a password is shared between the computer and the domain. Computers use this password to authenticate with each other. This password is changed every 30 days by default. Each computer keeps a machine account password history. The history contains the current and previous passwords. When two computers try to authenticate with each other and a change to the current password is not yet received, the previous passwords are used. If the sequence of password changes exceeds two changes, you might receive an error because the two computers might not be able to communicate.

You can move computer objects by right-clicking the object and choosing Move from the pop-up menu, as shown in Figure 4.74. Clicking Cancel aborts the move. Clicking OK moves the computer account to the selected domain, organizational unit (OU), or container.

Figure 4.74 Moving Computer Objects

Right-clicking a computer object and clicking Manage opens Computer Management and connects it to the selected computer, as shown in Figure 4.75. Using Computer Management is discussed throughout this book in almost every chapter. The Computer Management MMC enables you to perform the following tasks:

View the event logs.

Manage shared folders.

Use System Monitor.

Use Device Manager.

Manage Removable Storage.

Defragment Disks.

Manage Disks.

Manage installed services and applications.

Figure 4.75 Using Computer Management

EXAM 70-290 OBJECTIVE 2.5

Using the Command Line to Create, Manage, and Troubleshoot Computers

Use the following tools to create and manage computers from the command line:

dsadd.exe

dsmod.exe

dsquery.exe

dsget.exe


Using dsadd computer

dsadd computer creates computer accounts in Active Directory. dsadd computer uses the following syntax. Table 4.16 explains all the syntax and switches for dsadd computer in detail.

dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>]
    [-loc <Location>] [-memberof <Group ...>]
    [{-s <Server> | -d <Domain>}] [-u <UserName>]
    [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

Table 4.16 Understanding dsadd computer Syntax

Value   Description

<ComputerDN>   Required. Specifies the DN of the computer you want to add. If the target object is omitted, it will be taken from standard input (stdin).

-samid <SAMName>   Sets the computer SAM account name to <SAMName>. If this parameter is not specified, a SAM account name is derived from the value of the common name (CN) attribute used in <ComputerDN>.

-desc <Description>   Sets the computer description to <Description>.

-loc <Location>   Sets the computer location to <Location>.

-memberof <Group ...>   Makes the computer a member of one or more groups given by the space-separated list of DNs <Group ...>.

{-s <Server> | -d <Domain>}   -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the log-on domain.

-u <UserName>   Connects as <UserName>. Default: the logged-on user. Username can be: username, domain\username, or user principal name (UPN).

-p {<Password> | *}   Password for the user <UserName>. If * is entered, you are prompted for a password.

-q   Quiet mode: suppresses all output to standard output.

{-uc | -uco | -uci}   -uc specifies that input from or output to pipe is formatted in Unicode. -uco specifies that output to pipe or file is formatted in Unicode. -uci specifies that input from pipe or file is formatted in Unicode.


Adding Computer Accounts

To add computer accounts to Active Directory, use the following syntax: dsadd computer <ComputerDN>

The following command adds a computer account named chadspc to the default Computers container of the w2k3doma.ads domain: dsadd computer "CN=chadspc,CN=Computers,DC=w2k3doma,DC=ads"
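Here is an added example (not from the book) that pre-stages one computer account with dsadd computer and then reads it back with dsget computer, using the w2k3doma.ads domain that the figures in this chapter use. The DC name dc1, the Laptops and Groups OUs, the group name, the location string and the administrative account are assumptions.

```batch
@echo off
rem Added example, not from the book: pre-stage a computer account with dsadd computer
rem and verify it with dsget computer. DC name, OUs, group DN, location and the admin
rem account are assumptions.
setlocal

set "DC=dc1.w2k3doma.ads"
set "COMPUTER_DN=CN=chadspc,OU=Laptops,DC=w2k3doma,DC=ads"
set "GROUP_DN=CN=Laptop Computers,OU=Groups,DC=w2k3doma,DC=ads"

rem -s pins the write to one DC so the read-back below sees the object before replication.
rem -u with -p * prompts for the password instead of leaving it in the script or in the
rem command history. No -samid is given, so the SAM name is derived from the CN.
dsadd computer "%COMPUTER_DN%" -desc "Chad's Laptop" -loc "Building 2, Floor 3" -memberof "%GROUP_DN%" -s %DC% -u w2k3doma\Administrator -p *
if errorlevel 1 (
    echo dsadd computer failed with exit code %errorlevel%
    exit /b 1
)

rem Attribute display and group-membership display are two separate dsget computer
rem forms, so each is a separate call, against the same DC the account was written to.
dsget computer "%COMPUTER_DN%" -samid -desc -loc -disabled -s %DC%
dsget computer "%COMPUTER_DN%" -memberof -s %DC%

endlocal
```

Quoting the DN and the group DN matters because both contain commas and, in the group's case, a space; without the quotes cmd.exe would split them into several arguments and dsadd would reject the command. Checking errorlevel before the read-back avoids reporting success for an object that was never created.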

Using dsmod computer

dsmod computer modifies attributes for computer objects in Active Directory. dsmod computer uses the following syntax. Table 4.17 explains all the dsmod.exe computer syntax in detail.

Syntax:

    dsmod computer <ComputerDN ...> [-desc <Description>]
        [-loc <Location>] [-disabled {yes | no}] [-reset]
        [{-s <Server> | -d <Domain>}] [-u <UserName>]
        [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

Table 4.17 Understanding dsmod computer Syntax

<ComputerDN ...>
    Required. DNs of one or more computers to modify. If target objects are omitted, they will be taken from standard input (stdin) to support piping of output from another command to input of this command.

-desc <Description>
    Sets computer description to <Description>.

-loc <Location>
    Sets the location of the computer object to <Location>.

-disabled {yes | no}
    Sets whether the computer account is disabled (yes) or not (no).

-reset
    Resets the computer account.

{-s <Server> | -d <Domain>}
    -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the logon domain.

-u <UserName>
    Connect as <UserName>. Default: the logged-on user. Username can be: username, domain\username, or user principal name (UPN).

-p {<Password> | *}
    Password for the user <UserName>. If *, then prompt for password.

-c
    Continuous operation mode. Reports errors but continues with next object in argument list when multiple target objects are specified. Without this option, the command exits on first error.

-q
    Quiet mode: suppresses all output to standard output.

{-uc | -uco | -uci}
    -uc specifies that input from or output to pipe is formatted in Unicode. -uco specifies that output to pipe or file is formatted in Unicode. -uci specifies that input from pipe or file is formatted in Unicode.

Setting a Computer’s Description

To set a computer’s description, use the following syntax: dsmod computer <ComputerDN> -desc <Description>

The following example sets the description for the chadspc computer account to Chad’s Laptop:

dsmod computer chadspc -desc "Chad's Laptop"

Resetting a Computer’s Password

To reset a computer’s password, use the following syntax: dsmod computer <ComputerDN> -reset

The following example resets the password for the chadspc computer account: dsmod computer chadspc -reset

Disabling a Computer Account

To disable a computer’s account, use the following syntax: dsmod computer <ComputerDN> -disabled yes

The following example disables the chadspc computer account: dsmod computer chadspc -disabled yes

Using dsquery computer

dsquery computer searches Active Directory for computers that match specified criteria.

You can use dsquery computer to find computers and then send a list of those computers to another command. For example, you can use dsquery computer to query AD for all disabled computer accounts and pipe those results into dsmod to change the computers’ description to disabled. dsquery computer uses the following syntax. Table 4.18 explains all the syntax in detail.


Syntax:

    dsquery computer [{<StartNode> | forestroot | domainroot}]
        [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}]
        [-name <Name>] [-desc <Description>] [-samid <SAMName>]
        [-inactive <NumWeeks>] [-stalepwd <NumDays>] [-disabled]
        [{-s <Server> | -d <Domain>}] [-u <UserName>]
        [-p {<Password> | *}] [-q] [-r] [-gc]
        [-limit <NumObjects>] [{-uc | -uco | -uci}]

Table 4.18 Understanding the dsquery computer Syntax

{<StartNode> | forestroot | domainroot}
    The node where the search starts: forest root, domain root, or a node whose DN is <StartNode>. Can be “forestroot,” “domainroot,” or an object DN. If “forestroot” is specified, the search is done via the global catalog. Default: domainroot.

-o {dn | rdn | samid}
    Specifies the output format. Default: DN.

-scope {subtree | onelevel | base}
    Specifies the scope of the search: subtree rooted at start node (subtree); immediate children of start node only (onelevel); the base object represented by start node (base). Note that subtree and domain scope are essentially the same for any start node unless the start node represents a domain root. If forestroot is specified as <StartNode>, subtree is the only valid scope. Default: subtree.

-name <Name>
    Finds computers whose names match the value given by <Name>; e.g., “jon*” or “*ith” or “j*th.”

-desc <Description>
    Finds computers whose descriptions match the value given by <Description>; e.g., “jon*” or “*ith” or “j*th.”

-samid <SAMName>
    Finds computers whose SAM account names match the filter given by <SAMName>.

-inactive <NumWeeks>
    Finds computers that have been inactive (stale) for at least <NumWeeks> number of weeks.

-stalepwd <NumDays>
    Finds computers that have not changed their password for at least <NumDays> number of days.

-disabled
    Finds computers with disabled accounts.

{-s <Server> | -d <Domain>}
    -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the log-on domain.

-u <UserName>
    Connect as <UserName>. Default: the logged-on user. Username can be: username, domain\username, or user principal name (UPN).

-p {<Password> | *}
    Password for the user <UserName>. If *, then prompt for password.

-q
    Quiet mode: suppresses all output to standard output.

-r
    Recurses or follows referrals during search. Default: do not chase referrals during search.

-gc
    Searches in the Active Directory global catalog.

-limit <NumObjects>
    Specifies the number of objects matching the given criteria to be returned, where <NumObjects> is the number of objects to be returned. If the value of <NumObjects> is 0, all matching objects are returned. If this parameter is not specified, by default the first 100 results are displayed.

{-uc | -uco | -uci}
    -uc specifies that input from or output to pipe is formatted in Unicode. -uco specifies that output to pipe or file is formatted in Unicode. -uci specifies that input from pipe or file is formatted in Unicode.

Finding Computers Based on Their Descriptions

To use dsquery computer to query Active Directory for computers with a specified description, use the following syntax: dsquery computer -desc <Description>

The following example queries Active Directory for all computers with the description “Human Resources”: dsquery computer -desc "Human Resources"

Finding Computers Based on Their Inactivity

To find computers based on inactivity, use the following syntax: dsquery computer -inactive <NumWeeks>

The following example queries Active Directory for all computers that have been inactive for at least 10 weeks: dsquery computer -inactive 10


Finding All Disabled Computer Accounts

To find all disabled computers, use the following syntax: dsquery computer -disabled

Using dsget computer

dsget computer displays the properties of computers in Active Directory. There are two variations of this command. The first one displays properties of one or more computers. The second one displays the group membership information of a single computer. dsget computer uses the following syntax. Table 4.19 explains all the dsget computer syntax in detail.

Syntax (properties of one or more computers):

    dsget computer <ComputerDN ...> [-dn] [-samid] [-sid] [-desc]
        [-loc] [-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>]
        [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
        [-part <PartitionDN> [-qlimit] [-qused]]

Syntax (group membership of a single computer):

    dsget computer <ComputerDN> [-memberof [-expand]]
        [{-s <Server> | -d <Domain>}] [-u <UserName>]
        [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

Table 4.19 Understanding dsget computer Syntax

<ComputerDN ...>
    Required. DNs of one or more computers to view. If the target objects are omitted, they will be taken from standard input (stdin) to support piping of output from another command to input of this command.

-dn
    Displays the computer DN.

-samid
    Displays the computer SAM account name.

-sid
    Displays the computer Security ID (SID).

-desc
    Displays the computer description.

-loc
    Displays the computer location.

-disabled
    Displays if the computer account is disabled (yes) or not (no).

-memberof
    Displays the groups of which the computer is a member.

-expand
    Displays the recursively expanded list of groups of which the computer is a member. This option takes the immediate group membership list of the computer and then recursively expands each group in this list to determine its group memberships and arrive at a complete set of the groups.

{-s <Server> | -d <Domain>}
    -s <Server> connects to the domain controller (DC) with name <Server>. -d <Domain> connects to a DC in domain <Domain>. Default: a DC in the log-on domain.

-u <UserName>
    Connects as <UserName>. Default: the logged-on user. Username can be: username, domain\username, or user principal name (UPN).

-p {<Password> | *}
    Password for the user <UserName>. If *, then prompt for password.

-c
    Continuous operation mode: report errors but continue with next object in argument list when multiple target objects are specified. Without this option, command exits on first error.

-q
    Quiet mode: suppresses all output to standard output.

-l
    Displays the entries in the search result set in a list format. Default: table format.

{-uc | -uco | -uci}
    -uc specifies that input from or output to pipe is formatted in Unicode. -uco specifies that output to pipe or file is formatted in Unicode. -uci specifies that input from pipe or file is formatted in Unicode.

-part <PartitionDN>
    Connects to the directory partition with the distinguished name of <PartitionDN>.

-qlimit
    Displays the effective quota of the computer within the specified directory partition.

-qused
    Displays how much of its quota the computer has used within the specified directory partition.

Getting a Computer’s Description

To use dsget computer to display a computer’s description, use the following syntax: dsget computer <ComputerDN> -desc

The following example displays the description for the computer account named chadspc: dsget computer chadspc -desc

Getting a Computer’s Location

To use dsget computer to display a computer’s location, use the following syntax: dsget computer <ComputerDN> -loc

The following example displays the location for the computer account named chadspc: dsget computer chadspc -loc

Getting a Computer’s Group Membership

To use dsget computer to display a computer’s group membership, use the following syntax: dsget computer <ComputerDN> -memberof

The following example displays the group membership for the computer account named chadspc: dsget computer chadspc -memberof
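The dsquery-to-dsmod pipeline described under “Using dsquery computer”, combined with dsget computer for reading the result back, as an added example that is not from the book: a stale-computer audit that reports, disables and labels accounts that have not logged on for a configurable number of weeks. The week threshold, report file name and description text are assumptions, and the script runs against the logon domain with the current user’s credentials.

```batch
@echo off
rem Added example, not from the book: audit stale computer accounts with dsquery computer,
rem report them with dsget computer, then disable and label them with dsmod computer.
rem The week threshold, report file name and description text are assumptions.
setlocal
set "WEEKS=10"
set "REPORT=stale-computers.txt"

rem Step 1: report. dsquery prints one quoted DN per line, which dsget reads from stdin.
rem -limit 0 lifts the default cap of 100 results so nothing is silently skipped.
echo Computers inactive for at least %WEEKS% weeks:
dsquery computer domainroot -inactive %WEEKS% -limit 0 | dsget computer -dn -samid -desc -disabled > "%REPORT%"
type "%REPORT%"

rem Step 2: disable the same set. -c continues past an object that cannot be modified
rem instead of stopping at the first error, so one failure does not abort the batch.
dsquery computer domainroot -inactive %WEEKS% -limit 0 | dsmod computer -disabled yes -c

rem Step 3: label the accounts just disabled so the reason is visible in the description.
rem Combining -inactive and -disabled narrows the set to inactive accounts that are
rem disabled, rather than every disabled computer in the domain.
dsquery computer domainroot -inactive %WEEKS% -disabled -limit 0 | dsmod computer -desc "Disabled: inactive %WEEKS%+ weeks" -c

rem Step 4: group membership is a single-computer dsget form, so loop over the DNs.
for /f "delims=" %%D in ('dsquery computer domainroot -inactive %WEEKS% -disabled -limit 0') do (
    echo Groups for %%~D:
    dsget computer %%D -memberof
)
endlocal
```

Two points are worth keeping in mind when you run this. Without -limit 0 only the first 100 matches flow down the pipe, so a large domain would be only partly disabled while the command still reports success. And -inactive is computed from the replicated lastLogonTimestamp attribute, which is refreshed only about every two weeks, so treat the week count as approximate and review the report from step 1 before letting step 2 run.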

Creating and Managing Domain Controllers

Creating domain controllers is a necessity unless you are going to keep all your computers in a workgroup. The Active Directory (AD) Installation Wizard helps you to create domain controllers. You start the AD Installation Wizard by typing dcpromo in the Run field (on the Start menu). Depending on the choices made during the AD Installation Wizard (Figure 4.76), you will create one of the following four types of domain controllers (DC).

■ A replica DC for an existing domain

■ A DC for a new forest

■ A DC for a new sub-domain

■ A DC for a new tree

The following four sections describe each of these scenarios in detail. All the tools you have learned about thus far can be used with DCs in each of these categories.

Creating a New Domain Controller for an Existing Domain

Creating a new controller for an existing domain (as shown in Figure 4.77) is referred to as creating a replica DC. It is called this because the new DC holds a replica (copy) of the database held on the existing DC. You should never have a production domain with only one DC. By creating a replica DC, you eliminate having a single point of failure. One DC could fail, but your domain would still be intact.

It is also a good idea to create a replica DC for each physical site within your organization. This enables users to log on locally and reduces traffic over your WAN links. Having replica DCs is also good for disaster recovery. If one site were destroyed, you could rebuild it from an offsite DC.


Figure 4.76 Understanding the Flow of DCPromo (diagram: DCPromo leads either to a DC for an existing domain or to a DC for a new domain; a new domain is a domain in a new forest, a domain tree in an existing forest, or a child domain in an existing domain tree)

Exercise 4.04 walks you through creating a replica DC.

Figure 4.77 Creating a Replica DC (diagram: DCPromo on a new domain controller joins it to the existing domain controller for w2k3doma.ads)


Exercise 4.04 Creating a Replica Domain Controller

1. Select Start | Run and type dcpromo in the Open field.

2. Click OK to start the Active Directory Installation Wizard, as shown in Figure 4.78.

Figure 4.78 Starting the Active Directory Installation Wizard

3. Click Next to continue.

4. You are warned in the dialog box shown in Figure 4.79 that Windows 95 and Windows NT 4.0 machines not running at least Service Pack 4 will not be able to log on to a domain controller running Windows Server 2003. Click Next to accept the warning and to continue.

Figure 4.79 Warning About Operating System Compatibility

5. Select the type of domain controller to create, as shown in Figure 4.80. For this example you are creating a replica domain controller for an existing domain. Select Additional domain controller for an existing domain and click Next to continue.

Figure 4.80 Selecting Domain Controller Type

6. You are prompted (see Figure 4.81) to supply network credentials with permissions to create a replica domain controller. Enter the User name, Password, and Domain, and then click Next to continue.

Figure 4.81 Supplying Network Credentials

7. Tell the Active Directory Installation Wizard which domain you want to create a replica domain controller for (see Figure 4.82). Type the fully qualified DNS domain name and click Next to continue.

8. You are prompted to select a location for the Active Directory database and the Active Directory log files, as shown in Figure 4.83. Microsoft recommends that you store the database and log files on separate physical disks. The default location for both is C:\windows\ntds. Choose a location and click Next to continue.

Figure 4.82 Specifying the Domain Name

Figure 4.83 Choosing a Volume for the Database and Log Folders

9. After choosing a location for the database and log files, choose a location for the SYSVOL folder, as shown in Figure 4.84. This volume must be formatted with the NTFS file system. The default location is C:\windows\sysvol. Select a location for SYSVOL and click Next to continue.

10. Figure 4.85 shows the Directory Services Restore Mode Administrator Password window. The password entered here is used when the domain controller must be booted into Directory Services Restore mode for Active Directory restoration and maintenance. Type the desired Restore Mode password and click Next to continue.

Figure 4.84 Selecting a Volume to Hold Sysvol

Figure 4.85 Setting a Directory Services Restore Mode Administrator Password

11. The Active Directory Installation Wizard displays the summary screen shown in Figure 4.86. Verify that you have made the correct selections and click Next to start the process of creating a replica domain controller.

Figure 4.86 Verifying Settings

12. Figure 4.87 shows Active Directory being installed and configured. After this is complete, you are prompted to end the Active Directory Installation Wizard, as shown in Figure 4.88. Click Finish.

Figure 4.87 Configuring Active Directory

Figure 4.88 Completing the Active Directory Installation Wizard

13. You are prompted to reboot, as shown in Figure 4.89. Click Restart Now.

Figure 4.89 Restarting Your Computer


Creating a Domain Controller for a New Forest

If you have ever installed Active Directory on the first DC in a domain, you have used dcpromo to create a new forest, as shown in Figure 4.90. It is common for companies to have multiple forests within their organization. Usually one forest is for development or testing and the other one is for production. By creating a DC as the first DC in a new forest, you are creating a new Active Directory with a unique schema, configuration, and global catalog. Exercise 4.05 walks you through the process of creating a new forest.

Figure 4.90 Understanding Multiple Forests (diagram: an existing domain controller in w2k3doma.ads and, after DCPromo, a new domain controller in the separate forest w2k3newforest.ads)

Exercise 4.05 Creating a New Forest

1. Select Start | Run and type dcpromo in the Open field.

2. Click OK to start the Active Directory Installation Wizard, as previously shown in Figure 4.78.

3. Click Next to continue.

4. You are warned (in the dialog box previously shown in Figure 4.79) that Windows 95 and Windows NT 4.0 machines not running at least Service Pack 4 will not be able to log on to a domain controller running Windows Server 2003. Click Next to accept the warning and continue.

5. Select the type of domain controller to create, as shown in Figure 4.91. For this example you are creating a new forest. Select Domain controller for a new domain and click Next to continue.

Figure 4.91 Selecting Domain Controller Type

6. You are prompted, as shown in Figure 4.92, to select the type of new domain to create. Select Domain in a new forest and click Next to continue.

Figure 4.92 Choosing to Create a New Forest

7. Tell the Active Directory Installation Wizard the name of the new domain you want to create a domain controller for, as shown in Figure 4.93. Type the fully qualified DNS domain name and click Next to continue.

8. Type the NetBIOS name of the new domain you are creating, as shown in Figure 4.94. This name is limited to 15 characters or less due to NetBIOS restrictions. Type a compatible NetBIOS name and click Next to continue.

Figure 4.93 Specifying the New Domain Name

Figure 4.94 Specifying the Domain Name

9. You are prompted to select a location for the Active Directory database and the Active Directory log files, as previously shown in Figure 4.83. Microsoft recommends that you store the database and log files on separate physical disks. The default location for both is C:\windows\ntds. Choose a location and click Next to continue.

10. After choosing a location for the database and log files, choose a location for the SYSVOL folder, as previously shown in Figure 4.84. This volume must be formatted with the NTFS file system. The default location is C:\windows\sysvol. Select a location for SYSVOL and click Next to continue.

11. The Active Directory Installation Wizard now verifies that DNS is properly configured, as shown in Figure 4.95, to support the new domain. If the test fails, you must install and configure, or have the Active Directory Installation Wizard install and configure, DNS for the new domain. When DNS is working properly, click Next to continue.

Figure 4.95 Verifying DNS Settings

12. Select the default permissions for user and group objects, as shown in Figure 4.96. If you need to enable anonymous access for users to read domain information, select Permissions compatible with pre-Windows 2000 server operating systems. If you do not need to enable anonymous access, select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems. Choose the desired setting and click Next to continue.

Figure 4.96 Selecting Default Permissions for User and Group Objects

13. Figure 4.85 (previously shown) displays the Directory Services Restore Mode Administrator Password window. The password entered here will be used when the domain controller must be booted into Directory Services Restore mode for Active Directory restores and maintenance. Type the desired Restore Mode password and click Next to continue.

14. Figure 4.87 (previously shown) displays Active Directory being installed and configured. After this is complete you are prompted to end the Active Directory Installation Wizard (as previously shown in Figure 4.88). Click Finish.

15. You are prompted to reboot (as shown previously in Figure 4.89). Click Restart Now.

Creating a Domain Controller for a New Child Domain

Sometimes you need two domains, but you do not want a separate forest. There are a lot of benefits to having domains located in the same forest. These benefits include automatic transitive trusts between domains, a shared schema, a shared configuration, and a shared global catalog.

If you want the new domain to share its parent’s namespace, as shown in Figure 4.97, you need to create the new domain as a sub-domain (child domain) of an existing domain. Exercise 4.06 walks you through creating a sub-domain.

Figure 4.97 Creating a Child Domain (diagram: existing domain controller for w2k3doma.ads; DCPromo creates a new domain controller for the child domain childdom.w2k3doma.ads)


Exercise 4.06 Creating a New Child Domain

1. Select Start | Run and type dcpromo in the Open field.

2. Click OK to start the Active Directory Installation Wizard, as previously shown in Figure 4.78.

3. Click Next to continue.

4. You are warned (in the dialog box previously shown in Figure 4.79) that Windows 95 and Windows NT 4.0 machines not running at least Service Pack 4 will not be able to log on to a domain controller running Windows Server 2003. Click Next to accept the warning and continue.

5. Select the type of domain controller to create (as previously shown in Figure 4.91). For this example you are creating a new child domain. Select Domain controller for a new domain and click Next to continue.

6. You are prompted, as shown in Figure 4.98, to select the type of new domain to create. Select Child domain in an existing domain tree and click Next to continue.

Figure 4.98 Choosing to Create a Child Domain in an Existing Domain Tree

7. You are prompted to supply network credentials with permissions to create a new child domain. Enter the User name, Password, and Domain (as previously shown in Figure 4.81) and click Next to continue.

8. As shown in Figure 4.99, you are prompted to select the parent domain in which you want to create a child domain. Type the name of the parent domain in the Parent domain field or click Browse to select it from the list of available domains.

Figure 4.99 Specifying the Domain Name

9. Type the name of the child domain in the Child domain field.

10. Click Next to continue.

11. Type the NetBIOS name of the new child domain you are creating (as previously shown in Figure 4.94). This name is limited to 15 characters or less due to NetBIOS restrictions. Type a compatible NetBIOS name and click Next to continue.

12. You are prompted to select a location for the Active Directory database and the Active Directory log files (as previously shown in Figure 4.83). Microsoft recommends that you store the database and log files on separate physical disks. The default location for both is c:\windows\ntds. Choose a location and click Next to continue.

13. After choosing a location for the database and log files, choose a location for the SYSVOL folder (as previously shown in Figure 4.84). This volume must be formatted with the NTFS file system. The default location is c:\windows\sysvol. Select a location for SYSVOL and click Next to continue.

14. The Active Directory Installation Wizard verifies that DNS is properly configured (as previously shown in Figure 4.95) to support the new child domain. If the test fails, you must install and configure, or have the Active Directory Installation Wizard install and configure, DNS for the new child domain. After DNS is working properly, click Next to continue.

15. Select the default permissions for user and group objects (as previously shown in Figure 4.96). If you need to enable anonymous access for users to read domain information, select Permissions compatible with pre-Windows 2000 server operating systems. If you do not need to enable anonymous access, select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems. Choose the desired setting and click Next to continue.

16. The previous Figure 4.85 shows the Directory Services Restore Mode Administrator Password window. The password entered here is used when the domain controller must be booted into Directory Services Restore mode for Active Directory restoration and maintenance. Type the desired Restore Mode password and click Next to continue.

17. The Active Directory Installation Wizard displays the summary screen (previously shown in Figure 4.86). Verify that you have made the correct selections and click Next to start the process of creating a child domain.

18. The previous Figure 4.87 shows Active Directory being installed and configured. After this is complete, you are prompted to end the Active Directory Installation Wizard (as previously shown in Figure 4.88). Click Finish.

19. You are prompted to reboot (as previously shown in Figure 4.89). Click Restart Now.

Creating a Domain Controller for a New Domain Tree

As mentioned previously, sometimes you need two domains, but you do not want a separate forest. If you do not want the new domain to share its parent’s namespace, as shown in Figure 4.100, you need to create the new domain as a new tree (domain tree) within an existing forest. This method gives you the benefits of a single forest (automatic transitive trusts between domains, a shared schema, a shared configuration, and a shared global catalog, etc.) without having to maintain a contiguous namespace for your domains. Exercise 4.07 walks you through the process of creating a new tree.


Figure 4.100 Creating a New Tree (diagram: existing domain controller for w2k3doma.ads; DCPromo creates a new domain controller for the new tree w2k3newtree.ads in the same forest)

E

XERCISE

4.07

C

REATING A

N

EW

T

REE

1. Select Start | Run and type dcpromo in the Open field.

2. Click OK to start the Active Directory Installation Wizard, as shown previously in Figure 4.78.

3. Click Next to continue.

4. You are warned (in the dialog box shown previously in Figure 4.79) that

Windows 95 and Windows NT 4.0 machines not running at least

Service Pack 4 will not be able to log on to a domain controller running

Windows Server 2003. Click Next to accept the warning and continue.

5. Select the type of domain controller to create, as shown previously in

Figure 4.91. For this example you are creating a new forest. Select

Domain controller for a new domain and click Next to continue.

6. You are prompted, as shown in Figure 4.101, to select the type of new domain to create. Select Domain tree in an existing forest and click

Next to continue.

www.syngress.com

274_70-290_04.qxd 8/11/03 3:56 PM Page 386

386 Chapter 4 • Managing User, Group, and Computer Accounts

Figure 4.101

Selecting to Create a New Forest

7. You are prompted to supply network credentials with permissions to create a new domain tree (as previously shown in Figure 4.81). Enter the User name, Password, and Domain, and then click Next to continue.

8. Tell the Active Directory Installation Wizard the domain name for the new domain tree that you want to create (see Figure 4.102). Type the

fully qualified DNS domain name and click Next to continue.

Figure 4.102

Naming a Domain Tree Name

9. Type the NetBIOS name of the new domain you are creating (as shown previously in Figure 4.94). This name is limited to 15 characters or less due to NetBIOS restrictions. Type a compatible name and click Next to continue.

www.syngress.com

274_70-290_04.qxd 8/11/03 3:56 PM Page 387

Managing User, Group, and Computer Accounts • Chapter 4 387

10. You are prompted to select a location for the Active Directory

database and the Active Directory log files (as shown previously in

Figure 4.83). Microsoft recommends that you store the database and log files on separate physical disks. The default location for both is

C:\windows\ntds. Choose a location and click Next to continue.

11. After choosing a location for the database and log files, choose a location for the SYSVOL folder (as shown previously in Figure 4.84). This volume must be formatted with the NTFS file system. The default location is C:\windows\sysvol. Select a location for SYSVOL and click Next to continue.

12. The Active Directory Installation Wizard verifies that DNS is properly configured to support the new domain (as previously shown in Figure 4.95). If the test fails, you must install and configure DNS for the new domain yourself, or have the Active Directory Installation Wizard install and configure it for you. When DNS is working properly, click Next to continue.

13. Select the default permissions for user and group objects (as previously shown in Figure 4.96). If you need to enable anonymous access for users to read domain information, select Permissions compatible with pre-Windows 2000 server operating systems. If you do not need to enable anonymous access, select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems. Choose the desired setting and click Next to continue.

14. The previous Figure 4.85 shows the Directory Services Restore Mode Administrator Password window. The password entered here is used when the domain controller must be booted into Directory Services Restore Mode for Active Directory restores and maintenance. Type the desired Restore Mode password and click Next to continue.

15. The Active Directory Installation Wizard displays the summary screen previously shown in Figure 4.86. Verify that you have made the correct selections and click Next to start the process of creating a new domain tree.

16. The previous Figure 4.87 shows Active Directory being installed and configured. After this is complete, you are prompted to end the Active Directory Installation Wizard (as shown previously in Figure 4.88). Click Finish.

17. You are prompted to reboot (as shown previously in Figure 4.89). Click Restart Now.


Assigning Domain Controller Operations Master Roles

Active Directory uses a multimaster replication model. The benefit of a multimaster replication model is that it helps eliminate a single point of failure by enabling each domain controller to write to the database. However, a multimaster model doesn't work well for all situations.

Special roles are assigned to domain controllers to handle changes that don't work well in a multimaster replication model. These roles are called operations master roles. There are two operations master roles that are forest-wide and three that are domain-wide. Forest-wide roles are assigned to only one DC in the forest. Domain-wide roles are assigned to one DC in each domain in the forest.

The forest-wide roles are as follows:

Schema Master: Controls additions and changes to the schema.

Domain Naming Master: Controls the addition or removal of domains in the forest.

The domain-wide roles are as follows:

RID Master: Allocates relative IDs (RIDs) to each domain controller in a domain.

PDC Emulator: Acts as a Windows NT primary domain controller for downlevel clients.

Infrastructure Master: Updates group-to-user references whenever the members of groups are changed or renamed.

Exercises 4.08 through 4.10 walk you through transferring operations master roles.

EXAM WARNING

The operations master roles are also referred to as flexible single master operations (FSMO) roles (pronounced Fiz-Moe). On the test, it is likely that you will see them referred to as operations masters or operations master roles.

TEST DAY TIP

When a domain controller creates users, groups, or computers, it assigns a unique security ID (SID) to each object. This SID is the method by which the domain controller identifies domain objects. The SID consists of a domain SID and a RID. The domain SID is the same for all SIDs created in the domain. The RID is unique for each SID created in the domain.
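As an added example (not code from the book), the following Python models the two points above: an object SID is the domain SID plus a RID, and, because every DC can create objects in a multimaster directory, one RID Master per domain must hand out non-overlapping RID pools so that no two DCs ever mint the same SID. The RidMaster and DomainController classes, the 500-RID pool size (assumed to be the Windows default) and the domain SID values are constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Added, constructed model (not the book's code). Domain account SIDs look like
# S-1-5-21-<x>-<y>-<z>-<RID>: everything before the last hyphen is the domain
# SID, shared by every object in the domain; the last number is the RID.
DOMAIN_ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain SID, RID) for a domain account SID; ValueError otherwise."""
    m = DOMAIN_ACCOUNT_SID.match(sid)
    if m is None:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))


def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two objects are in the same domain exactly when their domain SIDs match."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


@dataclass
class RidMaster:
    """Hypothetical model of the RID Master: the one DC per domain that hands
    out non-overlapping blocks of RIDs, so DCs never mint the same SID twice."""
    pool_size: int = 500           # block per request (assumed Windows default)
    next_rid: int = 1000           # RIDs below 1000 are reserved for well-known
    online: bool = True            # accounts such as Administrator (500)
    issued: list[tuple[str, int, int]] = field(default_factory=list)

    def allocate_pool(self, dc_name: str) -> tuple[int, int]:
        if not self.online:
            raise RuntimeError(f"RID Master unreachable; no new pool for {dc_name}")
        start, end = self.next_rid, self.next_rid + self.pool_size - 1
        self.next_rid = end + 1
        self.issued.append((dc_name, start, end))
        return start, end


@dataclass
class DomainController:
    """Hypothetical DC: creates objects on its own (multimaster), but only
    consumes RIDs from the pool the RID Master gave it."""
    name: str
    domain_sid: str
    rid_master: RidMaster
    pool: tuple[int, int] | None = None
    cursor: int = 0

    def create_object_sid(self) -> str:
        # Ask the RID Master for a pool only when none is held or it is used up.
        if self.pool is None or self.cursor > self.pool[1]:
            self.pool = self.rid_master.allocate_pool(self.name)
            self.cursor = self.pool[0]
        rid, self.cursor = self.cursor, self.cursor + 1
        return f"{self.domain_sid}-{rid}"


def demo() -> dict[str, object]:
    """Mint 600 SIDs on DC1 and 10 on DC2 of one domain; none may collide."""
    master = RidMaster()
    domain = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed value
    dc1 = DomainController("DC1", domain, master)
    dc2 = DomainController("DC2", domain, master)
    sids = [dc1.create_object_sid() for _ in range(600)]
    sids += [dc2.create_object_sid() for _ in range(10)]
    rids = [split_sid(s)[1] for s in sids]
    return {"unique": len(set(sids)) == len(sids),
            "pools": list(master.issued),
            "first_dc1_rid": rids[0], "last_dc1_rid": rids[599],
            "first_dc2_rid": rids[600]}


def creation_blocked_when_master_down() -> bool:
    """Failure mode: a DC drains its pool, then cannot refill while the RID
    Master is offline, so object creation on that DC stops."""
    master = RidMaster(pool_size=2)
    dc = DomainController("DC3", "S-1-5-21-1-2-3", master)
    dc.create_object_sid()
    dc.create_object_sid()              # pool of two RIDs now exhausted
    master.online = False
    try:
        dc.create_object_sid()
    except RuntimeError:
        return True
    return False
```

The second DC's first RID comes after every pool already issued to the first DC, which is why a lost RID Master does not corrupt existing SIDs but does stop new object creation once pools run dry.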


EXERCISE 4.08: Using Active Directory Users and Computers to Transfer Operations Master Roles

You can use ADUC to manage the RID Master, PDC Emulator, and Infrastructure Master operations master roles. This exercise walks you through the process of transferring these roles from one domain controller to another.

1. Open Active Directory Users and Computers (Start | All Programs | Administrative Tools | Active Directory Users and Computers). To transfer the selected role to another machine, open Active Directory Users and Computers on the machine you want to transfer the role to.

2. Right-click the domain and choose Operations Masters from the popup menu, as shown in Figure 4.103.

Figure 4.103 Viewing Operations Master Roles

3. The Operations Masters window appears, as shown in Figure 4.104. Use the tabs to pick the operations master that you want to manage. Your choices are RID Master, PDC Emulator, and Infrastructure Master. Click Change to start the transfer process.

4. You are prompted to verify that you want to transfer the roles, as shown in Figure 4.105. Click Yes to transfer the selected role.

5. A confirmation window appears, as shown in Figure 4.106. Click OK to close the window.


Figure 4.104 Viewing the RID Master

Figure 4.105 Verifying Transfer

Figure 4.106 Confirming Transfer

EXERCISE 4.09: Using Active Directory Domains and Trusts to Transfer Operations Master Roles

You can use Active Directory Domains and Trusts to manage the Domain Naming Master operations master role. This exercise walks you through the process of transferring this role from one domain controller to another.

1. Open Active Directory Domains and Trusts (Start | All Programs | Administrative Tools | Active Directory Domains and Trusts). To transfer the selected role to another machine, open Active Directory Users and Computers on the machine you want to transfer the role to.


2. Right-click the domain and choose Operations Masters from the popup menu, as shown in Figure 4.107.

Figure 4.107 Viewing Operations Master Roles

3. Next, you see the window shown in Figure 4.108. Click Change to start the transfer process.

Figure 4.108 Viewing the Domain Naming Master

4. You are prompted to verify that you want to transfer the roles, as shown in Figure 4.109. Click Yes to transfer the selected role.

5. You are given the confirmation window shown in Figure 4.110. Click OK to close the window.


Figure 4.109 Verifying Transfer

Figure 4.110 Confirming Transfer

EXERCISE 4.10: Using Active Directory Schema to Transfer Operations Master Roles

You can use the Active Directory Schema MMC to manage the Schema Master operations master role. This exercise walks you through the process of transferring this role from one domain controller to another.

1. Transferring the Schema Master is similar to transferring the other operations master roles, except that the tool used to do so is hidden by default. To enable it, you must register a DLL file. Type the following in the Run dialog box (Start | Run), as shown in Figure 4.111: regsvr32 schmmgmt.dll

Figure 4.111 Registering Schmmgmt.dll

2. Click OK to register the DLL. A confirmation window appears, as shown in Figure 4.112.

3. Click OK.

Figure 4.112 Confirming DLL Registration


4. Now that you have registered the DLL file, create a custom Microsoft Management Console (MMC) to transfer the Schema Master operations master role. Open a blank MMC by typing MMC in the Run dialog box and clicking OK. This gives you the window shown in Figure 4.113.

Figure 4.113 Adding Snap-Ins

5. Select File | Add/Remove Snap-in from the menu bar. The screen shown in Figure 4.114 appears.

Figure 4.114 Selecting the Active Directory Schema Snap-In

6. Select Active Directory Schema from the list of available snap-ins and click Add to continue.

7. Click Close. The window shown in Figure 4.115 appears.


Figure 4.115 Saving Snap-Ins to the MMC

8. Click OK. This takes you back to the MMC, but now the Active Directory Schema snap-in is available, as shown in Figure 4.116.

Figure 4.116 Viewing the Schema Master

9. Right-click the Active Directory Schema and choose Operations Master from the pop-up menu. The window shown in Figure 4.117 appears.

10. Click Change to transfer the Schema Master role. To transfer the selected role to another machine, open ADUC on the machine to which you want to transfer the role.


Figure 4.117 Transferring the Schema Master

11. A verification window appears, as shown in Figure 4.118. Click Yes to perform the transfer.

Figure 4.118 Verifying Transfer

12. After the transfer is complete, a confirmation window appears, as shown in Figure 4.119. Click OK to close the window.

Figure 4.119 Confirming Transfer

EXAM 70-290 OBJECTIVE 2.5

Troubleshooting Computer Accounts

Computer accounts do not typically have as many problems as user accounts. The most common problems for computer accounts occur when the computer account is not applying the correct group policy and when the computer account's domain password gets out of synch.

Machines apply group policy based on the Organizational Unit (OU), site, and domain that they are in. If your machine is not getting the correct policy because it is in the wrong OU, you can use Active Directory Users and Computers to move the machine to the correct OU by right-clicking the machine account and choosing Move from the pop-up menu. If the computer's password gets out of synch, you can right-click it in Active Directory Users and Computers and choose Reset from the pop-up menu, or use the dsmod.exe command.


Summary of Exam Objectives

This chapter talks about creating and managing security objects such as user, group, and machine accounts. Security objects refer to objects in Active Directory that can be assigned permissions to other objects.

Active Directory is the directory service for Windows Server 2003 (and Windows 2000). It provides a way of storing information so it can easily be retrieved and used later. It functions as a central repository for security objects, which allows for centralized authentication and centralized administration.

User accounts represent people and are used by people to log on to Windows machines. User accounts can also be used as application service accounts. User accounts provide authentication, authorization, and auditing.

Groups are objects that contain other objects such as users, other groups, and machines. Groups simplify management of user accounts by enabling you to apply permissions and user rights to an entire group of users at once instead of having to apply them to individual user accounts.

There are two types of groups (type identifies the purpose of the group):

Distribution: Used for e-mail purposes. An e-mail is sent to the group and all members get a copy.

Security: Used for assigning permissions to resources.

There are three scopes of groups (scope refers to how the group is used):

Domain Local: Includes other groups and user/computer accounts from Windows Server 2003, Windows 2000 Server, and Windows NT domains. Permissions for only the domain in which the group is defined can be assigned to domain local groups.

Global: Includes other groups and user/computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups.

Universal: Includes other groups and user/computer accounts from any domain in the domain tree or forest. Permissions for any domain in the domain tree or forest can be assigned to universal groups. Universal groups are only available if your domain functional level is set to Windows 2000 native mode.

Computer accounts serve the same purpose for machines as user accounts do for people. They determine the domain rights and permissions assigned to a machine. All Windows NT 4.0, 2000, and 2003 machines have computer accounts in the domain. Computers running Windows 3.x, Windows 9x, Windows ME, and Windows XP Home Edition do not have computer accounts and cannot be domain members.

Windows Server 2003 provides graphical tools and command-line tools for managing Active Directory objects. Most people new to managing domain accounts prefer the GUI-based tool Active Directory Users and Computers (ADUC) because it is easier to use. However, the command prompt is usually better when you need to make changes in bulk, because it supports scripting. Windows Server 2003 provides the following command-line tools.

dsadd.exe: Adds objects to Active Directory.

dsget.exe: Displays attributes for Active Directory objects.

dsmove.exe: Moves Active Directory objects from one location to another.

dsquery.exe: Queries Active Directory for objects that match the specified criteria.

gpresult.exe: Displays the effective policy applied to a machine or user.

whoami.exe: Displays information about the currently logged-on user.

cmdkey.exe: Manages stored username and password credentials.

Active Directory consists of (among other things) forests, trees, and domains. dcpromo.exe creates domain controllers for each of these. With dcpromo.exe you can choose to create domain controllers for an existing domain or a new domain. The new domain could be in an existing tree or forest or it could be in a new tree or forest.

Because Active Directory uses a multimaster replication model (meaning all DCs can write to the directory), Microsoft created the operations master roles to overcome the problems inherent with multimaster environments. Two of the roles are unique to the forest and three of the roles are unique to each domain.

The forest-wide roles are as follows:

Schema Master: Controls additions and changes to the schema.

Domain Naming Master: Controls the addition or removal of domains in the forest.

The domain-wide roles are as follows:

RID Master: Allocates relative IDs (RIDs) to each domain controller in a domain.

PDC Emulator: Acts as a Windows NT primary domain controller for downlevel clients.

Infrastructure Master: Updates group-to-user references whenever the members of groups are changed or renamed.


Exam Objectives Fast Track

Understanding Security Objects

User accounts are required for users to access resources in a Windows Server 2003 environment.

Groups enable the assigning of permissions and rights. By assigning permissions to a group, all group members inherit the same permissions.

Machine accounts provide authentication and auditing for machines used in a domain.

Using Management Tools

Active Directory Users and Computers is a graphical tool used to create and manage Active Directory objects such as users, groups, and machines.

dsadd.exe can add computers, contacts, groups, OUs, users, and quotas.

dsget.exe shows the properties of objects in Active Directory. It works with computers, contacts, subnets, groups, OUs, servers, sites, users, quotas, and partitions.

dsmove.exe moves objects within Active Directory.

dsquery.exe enables you to query all Active Directory objects for a set of objects that match a specified criterion.

gpresult.exe displays Resultant Set of Policy (RSoP). RSoP shows the effective policy for a particular user and a specified machine.

whoami.exe displays the username and group membership information about the currently logged-on user.

cmdkey.exe enables you to configure and manage stored usernames and passwords from the command line.

Creating and Managing User Accounts

You can create user accounts from within the GUI using ADUC.

You can create user accounts from the command line using the dsadd command.

You can use ldifde and csvde files to import and export users from Active Directory.

You can use dsmod to manage user account properties from the command prompt.


You can manage a user in ADUC by going to the properties of the user or by right-clicking the user and using the pop-up menu options.

Creating and Managing Group Accounts

You can create group accounts from within the GUI using ADUC.

You can create group accounts from the command line using the dsadd.exe command.

You can use ldifde and csvde files to import and export groups from Active Directory.

You can use dsmod.exe to manage group properties from the command prompt.

You can manage groups in ADUC by going to the properties of the group or by right-clicking the group and using the pop-up menu options.

Creating and Managing Computer Accounts

You can create computer accounts from within the GUI using ADUC.

You can create computer accounts from the command line using the dsadd command.

You can use ldifde and csvde files to import and export computers from Active Directory.

You can use dsmod.exe to manage computer account properties from the command prompt.

You can manage computer accounts in ADUC by going to the properties of the computer account, or by right-clicking the computer object and using the pop-up menu options.


Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: If I don't have Active Directory Users and Computers (ADUC) on my machine, where can I get it?

A: ADUC is automatically installed on domain controllers. For other machines, you need to install the adminpak.msi from the Windows Server 2003 CD (under the i386 folder). You can install the administrative tools pack on client computers (such as Windows XP Pro) so that you can manage your domain remotely from the client.

Q: I understand that user accounts are needed to log on to a Windows Server 2003 environment. I also understand that computer accounts are used to enable machines to authenticate to and be audited by Active Directory. However, I don't understand what groups are used for.

A: Groups are used for assigning permissions and organizing users for e-mails. Using groups enables you to assign permissions once to a group and have all of the permissions automatically applied to all group members.

Q: Can I use a Windows Server 2003 machine if I do not have a user account?

A: No. You must have a user account to log on to a Windows Server 2003 machine. This can be a unique account for you or it can be a shared account such as the Guest account.

Q: My corporate policy mandates that everyone use the same screen saver. However, I have a user who is using a different screen saver. I think this user is not receiving the correct policy. Which tools can I use to view a user's effective group policy?

A: ADUC and gpresult.exe.

Q: Which tools can I use to create new Active Directory objects?

A: ADUC and dsadd.exe.

Q: Which tools can I use to move objects in Active Directory?

A: ADUC and dsmove.exe.


Q: I need to reset a user's password. I want to use the GUI to reset it. How do I reset a user's password with the GUI?

A: Open ADUC. Right-click the user account and choose Reset Password. Type the new password twice and click OK.

Q: If I don't want to use ADUC to reset users' passwords, what other choices do I have?

A: You can use third-party tools such as Hyena or Dameware. You can also use the built-in command-line tool dsmod. Here is an example of using dsmod to reset a user's password and force a change at next logon:

dsmod user "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org" -pwd * -mustchpwd yes

Q: I have recently taken over the responsibility for setting up new users in my company. I have never worked with domains before. What options do I have for creating users?

A: You can use ADUC to create users with the GUI or dsadd to create users from the command line. To use the GUI, open ADUC. Right-click the domain or OU that you want to create the user in. Choose New | User from the pop-up menu. Fill in the required information in the new user wizard and click Finish. Here is an example of using dsadd to create a user account:

dsadd user "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org" -UPN [email protected] -samid chadtodd -pwd *

Q: Which one of the graphical Active Directory tools do I use to create groups?

A: ADUC is used to create groups. Open ADUC. Right-click the domain or OU that you want to create the group in. Choose New | Group from the pop-up menu. Fill in the required information in the new group wizard and click Finish.

Q: Can I create groups from the command line?

A: Yes. Use the dsadd group command. Here is an example of using dsadd.exe to create a new universal security group:

dsadd group "CN=Microsoft Trainers,DC=trainingconcepts,DC=org" -secgrp yes -scope u -samid MicrosoftTrainers -desc "This group contains all of the Microsoft Trainers for Training Concepts"


Q: How do I add a user to a group with Active Directory Users and Computers?

A: There are a few different ways to add users to groups from within ADUC. One method is to go to the properties of a group (right-click and select Properties) and click the Members tab. Use the Add button to add the required users.

Q: How do I add a user to a group from the command line?

A: Use the dsmod.exe command. Here is an example of using dsmod.exe to add a user to a group:

dsmod group "CN=Microsoft Trainers,DC=trainingconcepts,DC=org" -addmbr "CN=Chad Todd,CN=Users,DC=trainingconcepts,DC=org"

Q: How do I reset the password for a computer account with the GUI?

A: Open ADUC. Right-click the computer whose password you want to reset and select Reset Password. Click Yes in the confirmation dialog box to confirm resetting the password.

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Using Management Tools

1. You are a consultant and you work for several companies at one time. You keep your laptop in a workgroup because you are at a different company every day. You want to use Stored Usernames and Passwords to add credentials for each of the companies' domains so that you don't have to manually authenticate every time you map drives and print. Which tool would you use?

A. dsadd.exe

B. dsget.exe

C. dsmod.exe

D. gpresult.exe

E. whoami.exe

F. cmdkey.exe


2. You have a user who is complaining that he cannot perform certain functions when he is logged on to his workstation. You log in as yourself and it works. You log back in as the user and it does not work. You want to see what privileges are enabled for the user. Which tool should you use?

A. dsquery.exe

B. dsmove.exe

C. gpresult.exe

D. whoami.exe

E. cmdkey.exe

3. You want to create departmental OUs for each department in your company. You need to create a list of all users who are in the quality control department so you will know which user accounts to place in the Quality Control OU. Which tool should you use?

A. dsadd.exe

B. dsget.exe

C. dsmod.exe

D. dsquery.exe

E. dsmove.exe

4. Your company recently replaced one of its fax lines. Doing so caused the fax machine to have a new number. You need to find everyone who is listed as using the old fax number. Which tool should you use?

A. ADUC.

B. dsget.exe

C. Active Directory Domains and Trusts

D. dsmod.exe

E. dsmove.exe

Creating and Managing User Accounts

5. You have an administrator named Jeff who cannot log on to any of the servers. You are able to log on to all the servers with no problem. Jeff can log on to his two workstations without any problems. You verify that Jeff has the correct rights to log on to the servers. You think that someone has changed the properties of Jeff's user account to play a joke on him. What could be the cause of the problem?


A. Jeff's logon hours have been changed.

B. Jeff's logon workstations have been changed.

C. Jeff's phone number has been changed.

D. Jeff's account has been disabled.

E. Jeff's account has been set to expire in two weeks.

6. You want to enable the user account for Will Carver. You decide to use the dsmod.exe tool. Which of the following commands will enable the Will Carver account?

A. dsmod user "CN=Will Carver,CN=Users,DC=trainingconcepts,DC=org" -disabled no

B. dsmod user "CN=Will Carver,CN=Users,DC=trainingconcepts,DC=org" -disabled yes

C. dsmod user "CN=Will Carver,CN=Users,DC=trainingconcepts,DC=org" -enabled no

D. dsmod user "CN=Will Carver,CN=Users,DC=trainingconcepts,DC=org" -enabled yes

7. You need to reset the password for Sarah Todd. You want to reset it from the command line. For security purposes, you want to be prompted to key in the password manually. Which of the following commands will reset the password?

A. dsmod user "CN=Sarah Todd,CN=Users,DC=trainingconcepts,DC=org" -password *

B. dsmod user "CN=Sarah Todd,CN=Users,DC=trainingconcepts,DC=org" -pwd *

C. dsadd user "CN=Sarah Todd,CN=Users,DC=trainingconcepts,DC=org" -password *

D. dsadd user "CN=Sarah Todd,CN=Users,DC=trainingconcepts,DC=org" -pwd *

8. Your security team has requested a report listing all disabled user accounts. You want to write a batch file for them that will give them the information at any time. Which of the following commands would you put into a batch file?

A. dsquery user -disabled

B. dsquery user -disabled yes

C. dsquery user -enabled no

D. dsquery user -locked


9. You need to change the password for all laptop users. All laptop users have the description "Laptop User." You need to change their passwords to Password01. To ease the process, you want to write a batch file to do it for you. Which commands should you put into your script file?

A. dsquery user -desc "Laptop User" | dsmod.exe user -pwd Password01

B. dsmod user -pwd Password01 | dsquery.exe user -desc "Laptop User"

C. dsget user -desc "Laptop User" | dsmod.exe user -pwd Password01

D. dsmod user -pwd Password01 | dsquery.exe user -desc "Laptop User"

Creating and Managing Group Accounts

10. You have a multiple domain forest. You want to use groups to assign permissions to shared resources in a single domain to users through the forest. You will then grant permissions to the network resources by adding users or other groups into these groups. Which group scope should you use?

A. Domain Local

B. Global

C. Universal

D. Distribution

11. You have a multiple domain forest. You want to use groups to organize your users. Users from each domain need to be in the same group. These groups will be used to assign permissions forest wide. Which group scope should you use?

A. Domain Local

B. Global

C. Universal

D. Distribution

12. You want to create three new groups to assign permissions to resources across the forest. You want these groups to be universal security groups. However, you notice that when you create a group, the option to make it a Universal group is grayed out. You can create domain local and global groups, but not universal. What could be the problem?

A. You are not logged in as a schema administrator.

B. You need to create the group on the global catalog server.

C. Your domain is in Windows 2000 mixed-domain functionality.

D. Your domain contains Windows NT 4.0 member servers.


13. You have a universal group that you need to convert to a domain local group. You want to use the dsmod.exe tool to make the change via the command prompt. Which of the following will convert the universal group to a domain local group?

A. dsmod "CN=Authors,DC=trainingconcepts,DC=org" -scope g

B. dsmod "CN=Authors,DC=trainingconcepts,DC=org" -scope u

C. dsmod "CN=Authors,DC=trainingconcepts,DC=org" -scope dl

D. dsmod "CN=Authors,DC=trainingconcepts,DC=org" -scope l

E. dsmod "CN=Authors,DC=trainingconcepts,DC=org" -scope dlo

Creating and Managing Computer Accounts

14. You have a laptop that you want to join to the domain. Which of the following tools will enable you to create a machine account in Active Directory for your laptop? (Choose all that apply.)

A. dsadd.exe

B. Active Directory Users and Computers

C. Active Directory Domains and Trusts

D. dsmod.exe

15. Your domain consists of a single domain controller and three member servers. You are worried that your only domain controller will fail and you will lose your domain. You want to make one of the member servers into a domain controller. Which of the following commands should you use?

A. Active Directory Users and Computers

B. dsadd

C. dcpromo

D. Active Directory Domains and Trusts


Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. F
2. D
3. D
4. A
5. B
6. A
7. B
8. A
9. A
10. A
11. C
12. C
13. D
14. A, B
15. C

Chapter 5

MCSA/MCSE 70-290

EXAM 70-290 OBJECTIVE 3

Managing Access to Resources

Exam Objectives in this Chapter:

3 Managing and maintaining access to resources.

3.1 Configure access to shared folders.

3.3 Configure file system permissions.

3.1.2 Manage shared folder permissions.

3.3.1 Verify effective permissions when granting permissions.

2.7 Troubleshoot user authentication issues.

3.4 Troubleshoot access to files and shared folders.

3.3.2 Change ownership of files and shared folders.

Summary of Exam Objectives

Exam Objectives Fast Track

Exam Objectives Frequently Asked Questions

Self Test

Self Test Quick Answer Key


410 Chapter 5 • Managing Access to Resources

Introduction

In today's business environment, security is a top priority, and controlling access to network resources is a major goal of any network security plan. Windows Server 2003 was designed with security in mind, and provides network administrators with the capability to implement multiple levels of security to protect sensitive data and control the capability of users to perform actions on the computer and network.

In this chapter, we will look at some of the ways you can manage access to files and folders, printers, computers, and other resources on the network.You’ll learn about different types of permissions and user rights that can be configured, how permissions are inherited, and how you can use new command-line utilities such as takeown.exe and where.exe as part of your access control plan.

Although securing your data from unauthorized users is of utmost importance, ensuring that authorized users are able to access the data they need is equally important.

Thus, we will discuss how to troubleshoot common access problems.

Encrypting data is not a substitute for setting permissions, but encryption can be used in conjunction with permissions to add a layer of security.Windows Server 2003 includes the Encrypting File System introduced with Windows 2000, and improvements to EFS now enable users to share encrypted files with other selected users.You will learn how to use

EFS to encrypt files and folders, both through the GUI and using the cipher.exe tool.

Another tool for controlling access is an authentication scheme based on digital certificates and a public key infrastructure.We will provide an overview of how to implement a

PKI using Windows Server 2003’s Certificate Services.

Understanding Access Control

Just about everyone understands the concept of “access control” in non-technology terms. We have locks on our houses and cars to keep out others whom we don’t want to allow inside. Valuable items that we want to keep secure may be stored in a personal safe or in a safe deposit box.

The same concepts that apply to physical resources apply to electronic ones. The growth of the Internet over the past few years has brought even technophobes to an understanding of basic electronic access control. Parents can now place restrictions on the channels their children can access on television and satellite receivers. They can apply “parental controls” to limit the Web sites their children can access. They can block certain channels on their cable boxes or satellite dishes.

When you are responsible for managing a server or a network of servers, it is imperative that you understand access control and how to implement it in your environment. The remainder of this chapter will help you learn the mechanisms for securing your environment if you are new to the concept. It will also get you up to speed on the security implementation specific to Windows Server 2003 if you are already familiar with the concepts.


Defining Access Control

Access control is, quite simply, the process of determining who can access resources in an environment. In the Microsoft world, access control comprises physical access, logon access, file access, printer access, share access, and so on. This concept is occasionally referred to in general as security, or the lack thereof.

On a Windows 95 or Windows 98 computer, access control is determined by whether you can power on the PC and interact with the keyboard and mouse. The Windows 95 and 98 operating systems do not have any native logon or file access control at the local PC. A user could set up file shares on the Windows 95/98 PC that would enable access to portions of the hard drive across the network, but anyone who sat down in front of the PC had full access to any of the data on the hard drive.

Windows NT, Windows 2000, and Windows XP have additional access controls over what was provided with previous Microsoft desktop operating systems. All require logon access before anyone can access the resources of the PC. With NTFS, file access became more limited as well. These security mechanisms available at the desktop mimic the access control that has been available with Microsoft server products for some time.

Access Control Terminology

How does the Microsoft operating system determine who has access to a resource and who does not? First, we will define some of the terms and look at the components that play a part in access control, and then we will examine how the process works in general. In later sections, we will provide specific ways to control access to the various resources of a Windows Server 2003 system.

The components involved in determining access control are listed in Table 5.1. This list is not complete, but it does include those components that will be referred to throughout this chapter.

Table 5.1 Access Control Components

Access Control Entry (ACE): Contains the access permissions for a single object, such as a user account or a group.

Access Control List (ACL): Contains any number of ACEs to govern how an access request should be handled. There are two types of ACLs: DACL and SACL.

Discretionary Access Control List (DACL): Determines which objects have access to a specific resource, such as a file, folder, or share.

System Access Control List (SACL): Determines whether an audit activity should be performed when an object attempts to access a resource.

Security Identifier (SID): A unique identifier associated with a specific resource, such as a user account object or a computer.

Access Token: A package comprised of the SIDs and other security information about an object that is making an access request of the system. For file/folder access, the token will provide at least the user SID, group SIDs, and computer SID to determine whether the user has access.

Access Control Process

Opening a file on a network share seems like a pretty simple task. That’s the way it should appear to the user. But a number of activities are happening in the background to determine whether the user should be able to see the file, much less open it or save changes to it (Figure 5.1).

When the user double-clicks a file listed in the Explorer window, the local PC builds an access token to send off to the server hosting the file. This access token contains the user’s SID from his or her network account, the group SID for each of the groups to which the account belongs, and the SID of the computer the user is logged on to, along with other information. When the server receives the request and the access token, it compares the information in the token to the ACLs for the object. The server examines each of the ACEs in the DACL for the requested file and compares those ACEs to each of the SIDs in the access token. If no ACE on the file matches any of the information in the access token, the user’s request is denied. If one of the ACEs does match one of the components in the token, access is granted, and the user sees the file open on the screen.

In addition, the server checks the access token against the SACL to determine whether any audit events need to be triggered. (See Chapter 9 for more information about auditing and audit event triggers.) If no ACEs in the SACL match any items in the access token, then no audit events will occur.

EXAM 70-290 OBJECTIVE 3.1

Understanding and Using Access Permissions

Now that you have seen the terms and definitions, take a look at what they mean in the big picture. We will start by setting permissions on various objects and discussing how those permission settings work together or come into conflict with each other. In the following sections, we’ll discuss how to use different types of permissions to provide security:

File-level permissions (NTFS Security)

Shared-folder permissions

Active Directory permissions

Figure 5.1 Requesting a File

(Diagram: William’s PC requests a file from the Company Server. The file’s DACL, containing the Marketing GID and the Accounting GID, is compared to William’s access token, containing William’s SID and the Everyone, MktgMgmt, and Marketing GIDs; non-matching entries are marked “No match”, and the file is then sent to the computer.)

We will also discuss the inheritance of permissions. Starting with the lowest level and moving upward, we will start with file-level permissions.

EXAM 70-290 OBJECTIVE 3.3

Setting File-Level Permissions (NTFS Security)

The NTFS file system used since Windows NT provides the base framework for file and folder security in Windows Server 2003. These permissions are set on the files and folders stored on the server’s disk system and apply to authenticated users no matter how they access the file system (that is, whether they access it across the network or sitting at the local machine). By default, all users can read and execute files on the disk system, with the exception of certain system areas that are protected by default at installation. Applying NTFS permissions will control who has access to which areas of the disk system.


NTFS Permissions Defined

As an administrator, you can set NTFS permissions on files as well as folders. Table 5.2 describes the permissions available for NTFS folders, and Table 5.3 describes the permissions that can be applied to files. Even though the permissions are similar, there are some key differences when these permissions are applied to files and not to folders.

EXAM WARNING

Note that with shared-folder permissions, previously called share permissions (which we’ll discuss later in this section), permissions can be set only at the folder level, not at the file level. Also note that shared-folder permissions apply only when accessing the resources across the network. These are the two most important ways in which NTFS permissions differ from shared-folder permissions.

Table 5.2 NTFS Folder Permissions

Read: Enables objects to read the contents of a folder, including file attributes and permissions.

Write: Enables objects to create new files and folders within a folder, write attributes and extended attributes on files and folders, and read permissions and attributes on files and folders.

List Folder Contents: Gives objects the same rights as the Read permission, but also enables the object to traverse the folder path beneath the folder where this permission is applied.

Read & Execute: Gives objects the same rights as the List Folder Contents permission, but also enables the object to execute program files stored in the folder.

Modify: Gives the object the same permissions as the Read, Write, List Folder Contents, and Read & Execute permissions, but also enables the object to delete files and folders within the designated folder.

Full Control: Gives objects full access to the entire contents, including the capability to take ownership of files and change permissions on files and folders.


Table 5.3 NTFS File/Folder Permissions

Read: Enables objects to read the contents of a file, including file attributes and permissions.

Write: Enables objects to change the contents of or append to an existing file, as well as read the attributes and permissions on the file.

Read & Execute: Gives objects the same rights as the Read permission, but also enables the object to execute a program file.

Modify: Gives the object the same permissions as the Read, Write, and Read & Execute permissions, but also enables the object to delete the designated file.

Full Control: Gives objects full access to the file, including the capability to take ownership of the file and change permissions on the file.

When permissions are applied to a folder, those permissions apply to the files within the folder as well. For instance, if you set the Read permission on a folder, the object (user account or group) to which that permission applies is able to see the files stored in the folder and read the contents of the files within the folder. If you wanted to give a group access to write to a particular file in that folder, but not all files in the folder, you would assign the Write permission to the specific file.

When to Assign Permissions to Folders and Files

To keep file system management reasonable, your best bet is to keep permission assignments as simple as possible. Because permissions assigned to a folder apply to all the files within a folder, you should make permission assignments at the folder level most of the time. A well-planned directory structure enables you to assign folder rights at a high level in the directory structure, keeping subsequent permissions changes further down in the directory structure to a minimum.

In general, you should apply permissions to a specific file only when access to that file is significantly different from the other files in that folder. If you find that you are making file permission assignments to several files within a directory structure, it might be better to relocate those files to a different folder where the appropriate permissions can be assigned to the parent folder and not to the individual files.


Assigning NTFS Permissions

NTFS permissions for a file or folder can be assigned to any Active Directory object. Most commonly, user and group objects are assigned permissions. In general, the best way to assign and manage access to files and folders is by assigning rights to group objects, then adjusting the membership of the user objects in the group object. One exception to this general principle is user home directories. In most cases, permissions to a user home directory are assigned directly to the user object and not to a group.

Assigning Folder Permissions

Assigning permissions to a folder is fairly straightforward. Right-click the folder and select Sharing and Security from the context menu. The folder’s Properties window appears with the Sharing tab selected. Click the Security tab to view the NTFS permissions already set on the folder. Alternatively, you can right-click the folder and select Properties from the list, then click the Security tab. Or you can even select the folder, click File in the Explorer window, choose Sharing and Security from the menu, and then click the Security tab. No matter how you bring up the Security tab, it appears like the image in Figure 5.2. A set of permissions has been assigned to the Accounting global group, which assigns the Modify, Read & Execute, List Folder Contents, Read, and Write permissions to the group. The Administrators global group also has rights to this folder, and the Full Control permission has been assigned to that group. The CREATOR OWNER and SYSTEM groups also have permissions to this folder. Like the Administrators group, the SYSTEM group has full access to the contents of this folder by default. This scenario can be changed, and we will cover that later in this section under NTFS Special Permissions.

Figure 5.2 Setting Security Properties for a Folder

To add a user or group to the access list for the folder, click the Add button and specify the user or group object that will be added to the access list. When the object appears in the Group or user names list, you can assign the desired permissions to the object. Fortunately, there are some shortcuts to assigning permissions. Since the Modify permission includes all the permissions of Read & Execute, List Folder Contents, Read, and Write, clicking the Modify check box in the Allow column automatically enables the other permissions. The same holds true for clicking the Full Control check box: all the permissions below it will be enabled by default. Clicking Read, Write, or List Folder Contents enables only that individual permission. Clicking Read & Execute enables that permission as well as List Folder Contents and Read.

After you have made the desired changes to the security permissions list, click Apply, then OK, to enable the changes on the network. The changes take effect immediately. If a user is working in a folder where he or she has Write permissions and the security settings are changed so that the user only has Read permissions in the folder, the next time the user attempts to change a file or create a new file, the action will be denied.

Assigning File Permissions

As mentioned previously, you should generally apply security permissions to folders and not to files. In the case where you do need to apply permissions to a specific file, the process differs from assigning permissions to a folder. First, you will notice that if you right-click on a file, there is no Sharing and Security item in the context menu. This is primarily because you cannot share a file. You can still access the security settings by opening the file’s Properties window and selecting the Security tab, as shown in Figure 5.3. You will see that the List Folder Contents permission is not displayed, because it does not apply to the file. You will also notice that the CREATOR OWNER system group does not appear.

Plus, the permissions selected for the Accounting group, while the same as shown in the previous figure, are grayed out here. This indicates that the permissions are inherited from the parent folder and cannot be changed directly. We will discuss permission inheritance and how to make changes to these permissions in the “Understanding How Permissions Are Inherited” section later in the chapter.

Figure 5.3 Setting Security Permissions for a File

Adding a new object to the security list for the file is the same as described for a folder. Click Add, specify the object name, and then make the appropriate security changes. Similar shortcuts apply when enabling file permissions. Clicking Read or Write enables only that permission. Clicking Read & Execute enables Read as well. Clicking Modify enables all permissions below it, as does clicking Full Control.

Security Permissions Applied in Combination

One concept that is especially important to master in order to be able to manage permissions effectively is that the effects of security permissions are cumulative. If an object is a member of multiple groups (and which user objects aren’t these days?) and two or more of those groups are given different permissions on a specific folder, the user object will have all the permissions assigned in each group.

Say that you have created two groups called Reviewers and Editors. In a particular folder, you assign Read permissions to the Reviewers group and Write permissions to the Editors group. Your goal is to enable the reviewers to read the files in the folder but not make changes to them. Only the editors would be able to make changes. If you accidentally add a user who is in the Reviewers group to the Editors group, when that user accesses files in the folder, the user will be able to read and make changes to the files in the folder. If this person is not supposed to be able to do this, it may take some time to track down exactly why the access restrictions are not working as expected.

A special consideration occurs when using the Deny permission to restrict access. The Deny permission overrides all other permissions explicitly assigned or applied in cumulative fashion. Suppose you give the Editors group Full Control permission on the folder, and you assign the Deny Write permission to the Reviewers group. This rights assignment will prevent members of the Reviewers group from making changes to the contents of the folder. However, if a user is a member of both the Editors and Reviewers groups, he or she will be unable to make changes to the folder because of the Deny Write permission for the Reviewers group. Even though the user should have Full Control permissions because of the rights assigned to the Editors group, the Deny Write permission on the Reviewers group will override the other settings.

Denying Permissions

Up to this point, we’ve been addressing file and folder security from the standpoint of enabling those permissions. There may be times that you need to specifically deny a permission to a user or group for a particular file or folder. You’ve already seen in previous figures that there are check boxes labeled Allow and Deny for each permission. If a Deny permission is selected, it overrides any Allow permission that may be enabled.


Suppose you have data in a share that you want to be available to everyone in the organization, but you only want members of the Accounting group to be able to edit it. You assign Modify permissions to the Accounting group and Read permissions to the Everyone group. Just to make sure that no one else can make changes to the files in the share, you also add the Deny Write permission to the Everyone group. While this setup may seem to achieve the goal, it really does not. As expected, members of the Everyone group will be able to read files in the share, but they will not be able to write to any files, just as you wanted. The problem comes in when members of the Accounting group try to write to files in the share. Because the members of the Accounting group are also members of the Everyone group, the Deny Write permission assigned to the Everyone group overrides the Modify permission assigned to the Accounting group, and members of the Accounting group are not able to make changes to the files. A better way to accomplish this goal is to assign Read permissions to the Everyone group and Modify permissions to the Accounting group, without the Deny Write entry. Unless the Everyone group inherits Write permissions from a parent directory, only members of the Accounting group will be able to change the contents of the data in the share.

Again, a well-planned directory structure and folder security approach should minimize the need to use the Deny permission when setting access. In those cases where permissions do need to be denied, make an effort to deny the least restrictive permission necessary. For instance, if you want to restrict a group from writing to files in a specific directory, deny only the Write permission. If you deny the Modify permission, that group will not be able to do any of the functions covered by the Modify permission, including reading files and folders, traversing folder hierarchies, as well as writing to files.

In addition, be extremely careful when altering permissions for the Administrators and Users groups. While there are times that you may want to restrict access for the Administrators group, be very careful about using Deny to restrict that access. If you were to deny Full Control to the Administrators group on a folder and no other group had Full Control access to that folder, you would lose your capability to do any further management on that folder from any level. On the other hand, if you deny permissions to the Users group on any folder, you deny access to every account on the system, including administrators. In the “Understanding How Permissions Are Inherited” section later in the chapter, you will learn better ways of restricting access to certain files and folders.
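The access check described under Access Control Process (token SIDs compared with DACL entries) and the cumulative and Deny rules of this section, modelled in an added Python example that is not part of the book. The SID strings, group members and bit numbering are constructed for illustration; Windows uses its own internal access-mask values, and the basic permissions are expanded into the special permissions of Table 5.4.

```python
"""Model of the NTFS access check described in this chapter (constructed example)."""
from dataclasses import dataclass

# Special permissions from Table 5.4, one bit each (constructed bit numbering).
SPECIAL = {
    "Traverse Folder/Execute File": 1 << 0,
    "List Folder/Read Data": 1 << 1,
    "Read Attributes": 1 << 2,
    "Read Extended Attributes": 1 << 3,
    "Create Files/Write Data": 1 << 4,
    "Create Folders/Append Data": 1 << 5,
    "Write Attributes": 1 << 6,
    "Write Extended Attributes": 1 << 7,
    "Delete Subfolders and Files": 1 << 8,
    "Delete": 1 << 9,
    "Read Permissions": 1 << 10,
    "Change Permissions": 1 << 11,
    "Take Ownership": 1 << 12,
}
S = SPECIAL

# Basic folder permissions (Table 5.2) expanded into special permissions. Table 5.2 also
# lets Write read attributes and permissions; those bits are already in READ, so WRITE
# keeps only the write bits (a simplification of this model).
READ = (S["List Folder/Read Data"] | S["Read Attributes"]
        | S["Read Extended Attributes"] | S["Read Permissions"])
WRITE = (S["Create Files/Write Data"] | S["Create Folders/Append Data"]
         | S["Write Attributes"] | S["Write Extended Attributes"])
READ_EXECUTE = READ | S["Traverse Folder/Execute File"]
MODIFY = READ_EXECUTE | WRITE | S["Delete"]


@dataclass(frozen=True)
class Ace:
    """One access control entry: a SID, Allow (True) or Deny (False), and a mask."""
    sid: str
    allow: bool
    mask: int


def effective_permissions(token_sids, dacl):
    """Compare every ACE in the DACL (list of Ace) with the SIDs in the access token.

    Matching Allow ACEs accumulate (cumulative across groups); bits named by any
    matching Deny ACE are removed again, so Deny always wins. A token matching no
    ACE ends with 0, i.e. the request is denied.
    """
    sids = set(token_sids)
    allowed = denied = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue  # this ACE is about some other principal
        if ace.allow:
            allowed |= ace.mask
        else:
            denied |= ace.mask
    return allowed & ~denied


def access_granted(token_sids, dacl, requested):
    """True only if every requested bit survives the Deny-over-Allow evaluation."""
    return (requested & effective_permissions(token_sids, dacl)) == requested


# Scenario 1 (Figure 5.1): William's token against a file whose DACL names the
# Marketing and Accounting groups. All SID strings here are constructed.
WILLIAM_TOKEN = ["S-William", "S-Everyone", "S-MktgMgmt", "S-Marketing"]
FIGURE_5_1_DACL = [Ace("S-Marketing", True, READ), Ace("S-Accounting", True, MODIFY)]

# Scenario 2: Reviewers get Read, Editors get Write; a member of both gets both.
REVIEW_DACL = [Ace("S-Reviewers", True, READ), Ace("S-Editors", True, WRITE)]
CAROL = ["S-Carol", "S-Reviewers", "S-Editors"]

# Scenario 3: Deny Write on Everyone also locks out Accounting, because every
# accountant is a member of Everyone too. Explicit Deny ACEs are listed first.
BROKEN_DACL = [
    Ace("S-Everyone", False, WRITE),
    Ace("S-Accounting", True, MODIFY),
    Ace("S-Everyone", True, READ),
]
# The chapter's fix: drop the Deny entry; Everyone Read, Accounting Modify.
FIXED_DACL = [Ace("S-Accounting", True, MODIFY), Ace("S-Everyone", True, READ)]
ACCOUNTANT = ["S-Alice", "S-Everyone", "S-Accounting"]
CLERK = ["S-Bob", "S-Everyone"]
WRITE_DATA = S["Create Files/Write Data"]


def demo():
    """Evaluate the three scenarios; returns a scenario -> granted mapping."""
    return {
        "william_reads_file": access_granted(WILLIAM_TOKEN, FIGURE_5_1_DACL, READ),
        "carol_reads_and_writes": access_granted(CAROL, REVIEW_DACL, READ | WRITE),
        "broken_accountant_writes": access_granted(ACCOUNTANT, BROKEN_DACL, WRITE_DATA),
        "broken_accountant_reads": access_granted(ACCOUNTANT, BROKEN_DACL, READ),
        "fixed_accountant_writes": access_granted(ACCOUNTANT, FIXED_DACL, WRITE_DATA),
        "fixed_clerk_writes": access_granted(CLERK, FIXED_DACL, WRITE_DATA),
    }


if __name__ == "__main__":
    for scenario, granted in demo().items():
        print(f"{scenario:26s} {'granted' if granted else 'DENIED'}")
```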

NTFS Special Permissions

The basic file and folder permissions can actually be broken into smaller, more specific permissions. These are commonly referred to as Special Permissions. Table 5.4 lists the Special Permissions and their functions.


Table 5.4 NTFS Special Permissions

Traverse Folder/Execute File: For folders, enables the object to navigate through the folder structure below the folder where the permission is applied. For files, enables the object to execute an application program stored in the folder.

List Folder/Read Data: For folders, enables the object to see the names of files and subfolders stored in the folder where the permission is applied. For files, enables the object to view the contents of files stored in the folder.

Read Attributes: Enables the object to view the attributes of a file or folder.

Read Extended Attributes: Enables the object to view the extended attributes of a file or folder. Extended attributes are generally defined by an application and vary from program to program.

Create Files/Write Data: For folders, enables the object to create new files within the folder. For files, enables the object to change or replace the contents of an existing file.

Create Folders/Append Data: For folders, enables the object to create new subfolders within the folder. For files, enables the object to add data to the end of an existing file without otherwise altering the content of the file, including deleting the file.

Write Attributes: Enables the object to change the attributes on an existing file or subfolder within the folder.

Write Extended Attributes: Enables the object to change the extended attributes on an existing file or subfolder within the folder. Extended attributes are generally defined by an application and will vary from program to program.

Delete Subfolders and Files: Enables the object to delete a file or subfolder, even if the Delete permission has not been granted to the object.

Delete: Enables the object to delete a file or folder. An object can still delete a file or folder without this permission set if the object has been granted the Delete Subfolders and Files permission.

Read Permissions: Enables the object to view the security permissions set on files and subfolders within the folder.

Change Permissions: Enables the object to change security permissions on files and subfolders within the folder.

Take Ownership: Enables the object to change the owner of a file or folder to the object’s user ownership.

Full Control: Enables the object to perform all Special Permissions.

In Figure 5.3, you saw an entry for Special Permissions in the File Permissions window that was grayed out. That entry is also present in the Folder Permissions window, but it is not displayed in the window without scrolling down. You cannot access these Special Permissions from this window, however. To modify any Special Permissions settings, you must click the Advanced button in the Permissions window.

Setting Special Permissions

Figure 5.4 shows the Advanced Security Settings window. In this sample, there are four groups that have permissions listed. These are the same four groups that were assigned permissions at the folder level in Figure 5.2. The difference is that while the Accounting, Administrators, and SYSTEM groups have been assigned their permissions at the folder level, the CREATOR OWNER group has its permissions assigned in the Advanced Security Settings window. Looking at the permissions assigned to the CREATOR OWNER group in the folder properties window seen in Figure 5.4, you can see that the only permissions identified for that group are Special Permissions, and the box is grayed out, meaning that those permissions cannot be set in that window. Like the SYSTEM group, the CREATOR OWNER group is a special system-level group that cannot have members added to or removed from it. The CREATOR OWNER group always has Full Control special permissions applied unless specifically excluded (Figure 5.5). The CREATOR OWNER group is discussed in more detail in the next section.

Ownership of Files and Folders

Whenever a file or folder is created, the user object that created the file becomes the owner of the file. No matter what other permissions the user object may have in the folder where the file was created, the user object will have full control over the file it created.

Figure 5.4 Viewing Advanced Security Settings for the Accounting Folder

Figure 5.5 Viewing Permissions for the CREATOR OWNER Group on the

NOTE

Ownership of a file impacts more than just security access. If quotas are enabled on a disk system, file ownership helps determine how much space is used toward a user’s quota.

The file owner’s capability to maintain full control over a file is governed through the CREATOR OWNER group. By default, the CREATOR OWNER group has full control over certain files through special permissions. The basic rule of thumb is that if you have the capability to create a file somewhere on the volume, then you should be able to have complete control over it, which would happen if you have Full Control permissions on the file. The CREATOR OWNER group is set up for exactly that reason. When looking at the permissions on the folder in Figure 5.5, you see that the CREATOR OWNER group has no permissions explicitly defined, but the Special Permissions box under the Allow column is checked. If you open the Advanced Permissions window for the folder, you will see a listing indicating that the CREATOR OWNER group has Full Control permissions. These permissions apply only to files and folders that the user created. Just because the CREATOR OWNER group has Full Control permissions identified in a folder, everyone does not have full access to the folder. Users have full access only to files they created in the folder.

In addition, administrators in the domain have the capability to take ownership of files and folders. If an administrator takes ownership of a file, the creator of the file no longer has full control over the file. Changing ownership of the file effectively removes the user that created the file from the CREATOR OWNER group for that file, and that user’s access to the file reverts to the default access he or she has based on the folder permissions.

Copying or Moving Files and Folders

NTFS permissions on files and folders that are moved or copied to other locations do not always stay the same after the move. A number of factors impact the security settings that will be placed on the file in its new location, including the following:

Whether the file is copied or moved

Whether the destination is an NTFS volume or not

Whether the destination is on the same volume as the original location

Files and folders that are moved or copied to non-NTFS volumes lose all permissions.

If the destination is on an NTFS volume, the security permissions the file will have after the transfer will depend on several factors. In the following sections, we’ll discuss copying and moving files and folders.

Copying Files and Folders

When copying files or folders to a location on an NTFS volume, the user must have permission to create files in the destination location.When the file or folder is copied, it is created as a new object in the destination, and the user object that copied the file or folder becomes the owner of the newly created item.

Moving Files and Folders

Just as when copying files or folders, the user moving a file or folder must have permission to create objects in the new location as well as permission to delete objects from the original location. The file or folder created in the destination is owned by the user object that moves it, and the original file or folder is deleted from the original location. The NTFS permissions that will be assigned to the file or folder in the new location are detailed in Table 5.5.


Table 5.5 NTFS Permissions Applied to Moved Files and Folders

Destination | Permissions
Objects moved within the same NTFS volume | Objects retain their original NTFS permissions in the new location
Objects moved to a different NTFS volume | Objects inherit the permissions of the new location

EXAM WARNING

Be prepared to answer at least one question on the exam related to NTFS permissions on files and folders copied or moved from one location to another. This has been a favorite topic to address in Microsoft exams, because a lack of understanding of changes in permissions can lead to data access problems.

EXAM 70-290 OBJECTIVE 3.1.2

Setting Shared-Folder Permissions

Setting the NTFS file and folder permissions correctly for the entire server does no good if your users cannot get to the directory structure. Since most users do not log on at the server, the file system must be made available through shares. When a folder is shared, it becomes visible on the network. The permissions on the share also determine the level of access that a user has to the data accessed through the share. The share permissions are applied in conjunction with, not instead of, the NTFS permissions. We will discuss how this works in the section titled “Understanding the Interaction of Share Permissions and NTFS Permissions.”

Shared-Folder Permissions Defined

The permissions that apply to a shared folder differ from the NTFS permissions that can be set on the same folder. There are significant differences in the way the permissions are applied to a share as compared to permissions set on a file or folder. The specific permissions that can be applied to folder shares are listed in Table 5.6. Remember that “object” in this context refers to a user or group account.

Table 5.6 Shared-Folder Permissions

Permission | Description
Read | Enables objects to see file and folder names, open files and programs, and see file and folder attributes.
Change | Enables objects to perform all actions associated with the Read permission, plus create new files and folders, modify file contents, delete files and folders, and modify file attributes.
Full Control | Enables objects to perform all actions associated with the Read and Change permissions, plus change permissions on files and take ownership of files.

Effective permissions on a shared folder are calculated in much the same way as with NTFS permissions. Individual permissions can be allowed or denied, and denied permissions always override allowed permissions, including inherited permissions. When a user object is assigned permissions from multiple sources, the effect is cumulative. For example, say Bob is a member of both the Accounting group and the Accounting Managers group because he is one of the accounting managers for the company. If the Accounting group is assigned Read permissions to a share, and the Accounting Managers group is assigned Change permissions to the same share, Bob’s effective permissions for the share will be Change.

Understanding the Interaction of Share Permissions and NTFS Permissions

When a user accesses data through a file share, the share permissions and NTFS permissions both impact the level of access the user has to the files and folders in the share. The user access level is determined by the more restrictive access defined by the total cumulative permissions in either the share or NTFS security. This is easy to understand if the NTFS permissions are more limited, but many new system administrators can get confused when the share permissions are more limited. You need to remember that the permissions applied to the share impact not only your ability to access the share itself but also your ability to access the data within the share.

It is easy to get caught in the logic that says “I do not want to give users Full Control access on the share because they might delete the share or make other changes to the share.” This is not the case. Giving users Full Control on the share means that all security on the data accessed through the share is determined by the NTFS permissions. If you only assign Read permissions on the share, the user accessing data through the share will have read-only access to the entire contents, no matter what the NTFS permissions are. When setting up a file system, make sure you assign NTFS permissions to control access to the data as if the user were logging on to the machine locally. Then you can assign Full Control permissions on the share and not worry about the users having more access than you want them to have. Table 5.7 shows how share permissions and NTFS permissions combine to generate the effective permissions a user has on a folder accessed through a share.


Table 5.7 Share and NTFS Permissions in Combination

Groups | Share Permissions | NTFS Permissions | Effective Permissions
Everyone | Full Control | Read | Read
Accounting | Read | Modify | Read
Accounting Managers | Change | Full Control | Modify
IT | Full Control | Modify | Modify
Administrators | Full Control | Full Control | Full Control

EXAM WARNING

Because many access problems can arise from incorrectly configured Share and NTFS permissions, you can expect to see at least one exam question related to setting Share and NTFS permissions. When encountering one of these questions, remember that the more restrictive permission (of the cumulative total of each type of permission) is the one that takes precedence in determining access. Look first at the permissions defined on the share before you look at the NTFS permissions defined. If the user only has Read permissions on the share, he or she will only have read access to the contents. If the user has Full Control permissions on the share, then look to the NTFS permissions defined to determine the level of access the user has.

Assigning Share Permissions

You can set share permissions in much the same way you set NTFS permissions. Before you can set permissions on a share, however, you must first create the share.

Creating a Shared Folder

You can create a folder share from the Properties window of a folder. In the Properties window, click the Sharing tab. In the Sharing tab, you can enable and disable the share for the folder and set the permissions on the share. A typical share setup is shown in Figure 5.6.

In this window, you can specify the name and comment for the share, specify whether there should be a limit to the number of users accessing the share, and set the permissions on the share. In addition, you can create multiple shares for a single folder, each one having different permissions.

Figure 5.6 Creating a Shared Folder

After you have created the share, it appears on the network from the server where the folder resides (a share can be created on a workstation; “server” in this sense means any computer that is sharing its resources over the network and does not refer to only computers running a server operating system). If the server is named CORPADFP1 and the share name is Shared, users with access to the share can map a drive to the share at \\CORPADFP1\Shared. This UNC name can be used to map drives in logon scripts or to access the share directly from the workstation.

NOTE

Note that while you can create share names that mirror the folder name, such as “My Documents” or “Program Files,” if you have Windows 95 or Windows 98 workstations operating in your environment, your share names cannot be longer than eight characters and cannot contain any spaces. If you do have longer share names with spaces, the 95 and 98 workstations will not be able to see the share on the network.

Setting Share Permissions

After you have created the share, you can set permissions on the share. You can set permissions by clicking the Permissions button in the window shown in Figure 5.6. This opens the Permissions window for the folder as shown in Figure 5.7.

Figure 5.7 Viewing Permissions of a Shared Folder

EXAM WARNING

By default, when you create a new share, the Everyone group has Read permissions assigned to it. This is different from the default in Windows 2000 Server, where Everyone was granted Full Control.

As with NTFS permissions, share permissions can be set for Allow or Deny for multiple groups or users. The same rules apply for share permissions as for NTFS permissions.

■ Permissions on shares are cumulative. If a user belongs to multiple groups, and two or more of those groups have permissions on a share, the user has all the permissions allowed by all the groups.

■ Deny permissions override Allow permissions. If a user belongs to multiple groups, and one of those groups has Allow permissions on a share while another has Deny permissions, the user will be denied access to the share based on the Deny permission.

Note that there are no special permissions related to shares. What you see is what you get!

Copying or Moving Shared Folders

When you copy or move a shared folder to a different location, the way share permissions are affected differs from NTFS permissions.

■ If you copy or move a folder to a new location, the folder in the new location will not have a share associated with it.

■ If you copy a shared folder to a new location, the original folder will continue to have the original share pointing to it.

■ If you move a folder, the share for the folder is deleted along with the original folder.


If you do need to move a folder share from one location to another, you have more than just share permissions to take into consideration. Changing the name of a share by changing its location can impact logon scripts that map user drives to the share. Any user that maps a drive to the share from a workstation will get errors when trying to access the drive letter if the share is removed. Relocating a share to a different file path on the same server will not necessarily cause this issue if the share for the new location has the same name as the share for the old location. If you have to relocate a share onto a different server, the share name will change because the share will be accessed from a different server name, which is part of the share’s UNC path name.

Shared Folders in Active Directory

You can avoid several problems related to shares by advertising the share in Active Directory instead of from the server hosting the folder. Advertising a share in Active Directory makes it easier for users to find shares, because they do not need to know the server name where the share is located in order to look for it. The only drawback to advertising shares in Active Directory is that down-level clients will not be able to see the Active Directory shares. If you have no down-level clients in your environment, you should strongly consider advertising your shares in the Active Directory.

Creating an Active Directory Share

To create a share in Active Directory, you first need to create the share on the server and configure the permissions accordingly. Set up the share on the server as though your users will be accessing the share directly. When the share is set up, use the Active Directory Users and Computers tool to create the share in the directory. In Active Directory Users and Computers, select the area where you want the share to advertise, ideally at the root of the directory or in the top level of one of the OUs associated with the share. Select Action | New | Shared Folder to open the New Object – Shared Folder window, shown in Figure 5.8. Enter the name of the share and the network path to the share on the server. Click OK to create the share.

Figure 5.8 Creating the Share in the Directory

Users can now search for and find the share in the directory. One way they can do this is by opening My Network Places and clicking Search Active Directory. They can then select Shared Folders from the Find drop-down menu and click Find to locate the share. Figure 5.9 displays the Find Shared Folders window after a search is complete. The user can now right-click the share and map a drive to the share.

Figure 5.9 Searching for a Shared Folder in Active Directory

Setting Active Directory Object Permissions

You can also set permissions on the share object in the Active Directory to control access to the share object in the directory. To set permissions on the Active Directory share, open the properties of the share within Active Directory Users and Computers. Figure 5.10 shows the Permissions tab of the Shared Folder Properties window. Because you are looking at the permissions on the directory object, they will be different from those on the share itself.

The permissions assigned to the directory share control access to the object in the directory, not the share that it points to. These permissions differ slightly from the permissions available on a standard share. In addition to Read, Change, and Full Control, there is also a Special Permissions option.

When a shared folder is created in Active Directory, a number of default permissions are assigned directly to the object.The Authenticated Users group is assigned Read rights to the object, the Domain Admins and SYSTEM groups are given Full Control to the object, and the Pre-Windows 2000 Compatible Access group is given no permissions.

Again, the permissions granted to objects for the directory share apply only to the directory share, not the server share. For example, the Read permission granted to the Authenticated Users group enables every user logged on to the directory to see the share.

However, only users with access to the actual share are able to open it. If a user only has read access to the directory share, but Change access to the server share, and Full Control on the NTFS folder, the user will be able to map a drive to the folder using the directory share and still be able to edit and make changes to the data in the folder. The permissions on the directory share are not considered when determining access to the actual contents of the folder.

Figure 5.10 Setting Permissions on the Active Directory Shared Folder

If you want to limit visibility to the directory share to certain groups, you need to grant Read permissions to the group for the directory share. Then you can go back and remove the Authenticated Users group from the ACL. Now only members of that group, and not the entire organization, are able to view the shared folder in the directory.

Understanding How Permissions Are Inherited

When setting NTFS permissions on a folder, those permissions are automatically transferred to all files and subfolders within the folder. This is by design; otherwise, you would have to set permissions on every folder on the disk to control access, and that would place a huge burden on system administrators who would have to keep up with all the changes they would have to make each time some folder setting was modified.

Say that you create a folder on your server and name it Public. You then assign Modify permissions to the Everyone group for that folder. Anyone who accesses that folder has Modify rights on every file and folder beneath that folder, as far down as the directory tree goes. Now suppose that you want to restrict a certain group from accessing a certain set of files or folders beneath the Public folder. You could go in and deny rights to that group at the level where you do not want them to have access, but that could get ugly. How do you go through and set this up?

Fortunately, permission inheritance for a folder can be turned off when needed. This is an action you must handle with care, however. When you turn off inheritance for a folder, you must decide what will happen to the permissions that would otherwise flow down to that folder. You can choose to keep the permissions intact, and the operating system will automatically create new ACEs for all the groups with permissions assigned in a parent folder. Or you can choose to delete the permissions, and the operating system will remove all access to the folder except for any ACEs that you assigned directly to the folder.

TEST DAY TIP

When you take the exam, you will likely see several questions related to inheritance, and not just for file and folder permissions. Just be sure to approach the exam calmly and read the questions carefully. Make sure you fully understand the question before selecting the answer.

Why would you want to keep some of the inherited permissions intact? At the root of every volume, certain groups are assigned specific permissions. The Administrators group, the CREATOR OWNER group, the SYSTEM group, and others have default permissions applied at the root of the volume that pass down through inheritance. You really do not want to change the access for some of these groups. For instance, if you did not enable the Administrators group’s permissions to flow down, you might end up cutting off your capability to administer the file structure at that point in the directory and below.

Another group you must be mindful of is the CREATOR OWNER group. As discussed earlier, this special group determines the access that a user has to files and folders he or she has created. By default, the Full Control special permissions assigned to this group automatically apply to every folder created on the volume. If you remove this group from the inheritance list, it is possible that you could set up a situation where a user is able to create a new file in a folder and then not be able to modify it afterward. So, unless there is a really good reason, you should continue to enable the permissions for the CREATOR OWNER group to pass down to folders when you turn off automatic inheritance.

EXAM 70-290 OBJECTIVE 3.3.1

EXERCISE 5.01 SECURING AND SHARING A DATA FOLDER

Consider this scenario related to the material that has been covered thus far:

You are a system administrator for a small company that has a Windows Server 2003 system set up for file and print sharing. Each department in the company has a shared directory on the server for that department’s data. One of the managers of the Marketing department contacts you about setting up a secure area for the managers of the Marketing department. She wants to be able to share information such as employee reviews and budget projections with other managers in the department, but not with the entire marketing department.

She asks you to create a new folder in the Marketing area called Management, and she wants the managers in her department to be able to create new files and folders in the Management folder. She also wants a new share created specifically for that folder so that all her managers can access the data quickly.

She would like for the share to be called MktgMgmt, and she wants it available only to the managers in her department. In addition, she would like the share to be created in Active Directory so members of her department can locate it easily.

Before you get started with the steps required to fulfill her request, make a few assumptions. First, you already have Active Directory groups created for both the Marketing team and the Marketing managers. Second, all the departments in the company have a folder that employees can access through a share called Shared. The root of the share is actually located on the server on drive E: in a folder named Shared. OK, now you can get started!

1. Browse to the Marketing folder under E:\Shared and create a new folder called Management. Figure 5.11 shows how this directory structure might look.

Figure 5.11 Viewing the New Management Folder

2. Right-click the folder and select Sharing and Security.

3. Click the Security tab. Figure 5.12 shows the default permissions assigned to the folder when it is created. You can see that the Marketing permissions boxes are grayed out, indicating that those permissions are inherited from the parent folder.

4. Click the Add button to add a new group to the permissions list.

Figure 5.12 Viewing Default Permissions on a Newly Created Folder

5. Type the name of the group (in this case, Marketing Management) and click Check Names. When the group is located in Active Directory, the name is underlined in the object name window, as shown in Figure 5.13.

Figure 5.13 Selecting an Object to Add to the Permissions List

6. Click OK. The Select Users, Computers, or Groups window closes, and you can see the default permissions added to the Marketing Management group, as shown in Figure 5.14.

7. Click the Modify check box under the Allow column to add the remaining permissions for the group to the folder. Unless you want the marketing managers to be able to completely control the folder, do not click the Full Control check box.

8. Now that you’ve set up the management group to be able to access the data in the folder, you need to restrict access to the rest of the Marketing team. Click the Advanced button to open the Advanced Security Settings window, shown in Figure 5.15. Note that the Administrators and the Marketing groups have a set of permissions enabled that are inherited from the parent folder. The Marketing Management group lists permissions that are not inherited from the parent folder, meaning that those permissions have been explicitly assigned to this folder.

Figure 5.14 Adding a New Group to the Folder Permissions

Figure 5.15 Viewing the Advanced Security Settings for the Folder

9. To remove the Marketing group’s access to the folder, you need to disable the permission inheritance for the folder. Uncheck the Allow inheritable permissions check box. When you do, a security box, shown in Figure 5.16, pops up advising you about removing the folder’s capability to inherit permissions. If you click Remove, all inheritance will be removed. Since you want to maintain access for the special groups, click Copy instead.

Figure 5.16 Choosing to Copy or Remove Inherited Permissions

10. When the Security box closes, click Apply in the Advanced Security Settings window, and then click OK.

11. Click the Marketing group in the group list and click Remove.

12. Figure 5.17 shows the resulting Security window. Click Apply to put the new security permissions into effect.

Figure 5.17 Final Security Settings Displayed in the Folder’s Properties Window

13. Click the Sharing tab to create a new share for this folder.

14. In the Sharing window, click the Share this folder radio button. Enter the requested Share name in the field, as shown in Figure 5.18.

Figure 5.18 Setting the Name of the New Share

15. Click the Permissions button.

16. Click Add, enter the name of the group, and then click Check Names.

17. Click OK to close the Select Users, Computers, or Groups window.

18. Select Marketing Managers in the group list, and then click the Full Control check box under the Allow column to assign all rights to the group.

19. Select Everyone in the group list, and then click Remove. Your permissions window now looks similar to Figure 5.19.

Figure 5.19 Viewing Final Settings for Share Permissions

20. Click Apply and then click OK to close the Share Permissions window.

21. In the Folder Permissions window, click Apply and then click OK to close the Permissions dialog box.

22. Open Active Directory Users and Computers.

23. Select the directory root in the left pane of the window.

24. Select Action | New | Shared Folder from the menu.

25. Enter MktgMgmt for the share name and \\CORPADFP1\MktgMgmt for the network path, as shown in Figure 5.20.

Figure 5.20 Setting the Name of the Directory Share

26. Click OK.

27. Double-click the MktgMgmt shared folder to open the Properties window.

28. Click the Security tab.

29. Click the Add button.

30. Enter Marketing Management as the name of the group and click Check Names.

31. Click OK to return to the Properties window.

32. Select Authenticated Users from the group list and click Remove.

33. The Properties window now looks like Figure 5.21. Click Apply and then click OK to close the Properties window.

Figure 5.21 Verifying Correct Permissions on the Directory Share

Now, the Marketing managers are able to access the Management folder through the MktgMgmt share on the network and the rest of the Marketing department cannot. In addition, the directory share is only visible to the members of the Marketing Management group and system administrators.
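The combination rules from “Understanding the Interaction of Share Permissions and NTFS Permissions” (cumulative Allows, Deny overriding, the more restrictive of share and NTFS winning) and the end state of Exercise 5.01, worked through as a small model. This is an added example, not code from the book: the ACL contents, user names and the three-level ranking of permissions are constructed to mirror Table 5.7 and the exercise, and a Deny is modeled as the text describes it (overriding every Allow) rather than per individual right.

```python
"""Share and NTFS permissions in combination (added example, not from the book).

Encodes the rules this section states: permissions granted to a user's groups
are cumulative, a Deny overrides the Allows, and access through a share is the
more restrictive of the cumulative share level and the cumulative NTFS level.
The ACLs, group and user names below are constructed to mirror Table 5.7 and
the end state of Exercise 5.01; they are not real directory data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Ordinal levels as used in the section's tables. The middle share level is
# called Change and the middle NTFS level Modify; effective access is named in
# NTFS terms, as Table 5.7 does. Real NTFS has finer levels (Write, Read &
# Execute, List Folder Contents) that this model collapses into three.
SHARE_LEVELS = {"None": 0, "Read": 1, "Change": 2, "Full Control": 3}
NTFS_LEVELS = {"None": 0, "Read": 1, "Modify": 2, "Full Control": 3}
EFFECTIVE_NAMES = {0: "None", 1: "Read", 2: "Modify", 3: "Full Control"}


@dataclass(frozen=True)
class Ace:
    """One entry in a share or NTFS ACL: principal, level, Allow or Deny."""
    principal: str
    level: str
    deny: bool = False


def cumulative_level(acl: Iterable[Ace], principals: set[str],
                     levels: dict[str, int]) -> int:
    """Cumulative level one ACL gives a user together with all of its groups.

    Allow entries add up, so the highest matching level wins. Any matching
    Deny overrides the Allows, which is how the section describes Deny for
    both share and NTFS permissions (Windows evaluates a Deny against the
    individual rights it names, so a partial Deny is narrower in practice).
    """
    matching = [ace for ace in acl if ace.principal in principals]
    if any(ace.deny for ace in matching):
        return 0
    return max((levels[ace.level] for ace in matching), default=0)


def effective_through_share(share_acl: list[Ace], ntfs_acl: list[Ace],
                            principals: set[str]) -> str:
    """Access over the network: the more restrictive of share and NTFS."""
    share = cumulative_level(share_acl, principals, SHARE_LEVELS)
    ntfs = cumulative_level(ntfs_acl, principals, NTFS_LEVELS)
    return EFFECTIVE_NAMES[min(share, ntfs)]


def effective_at_console(ntfs_acl: list[Ace], principals: set[str]) -> str:
    """Access when logged on locally: share permissions play no part."""
    return EFFECTIVE_NAMES[cumulative_level(ntfs_acl, principals, NTFS_LEVELS)]


# Constructed ACLs reproducing Table 5.7 (one share over one folder).
TABLE_5_7_SHARE = [Ace("Everyone", "Full Control"), Ace("Accounting", "Read"),
                   Ace("Accounting Managers", "Change"), Ace("IT", "Full Control"),
                   Ace("Administrators", "Full Control")]
TABLE_5_7_NTFS = [Ace("Everyone", "Read"), Ace("Accounting", "Modify"),
                  Ace("Accounting Managers", "Full Control"), Ace("IT", "Modify"),
                  Ace("Administrators", "Full Control")]


def table_5_7_row(group: str) -> str:
    """Effective Permissions column of Table 5.7 for one group on its own."""
    return effective_through_share(TABLE_5_7_SHARE, TABLE_5_7_NTFS, {group})


# Constructed ACLs for the end of Exercise 5.01: the MktgMgmt share over
# E:\Shared\Marketing\Management once Everyone is removed from the share and
# Marketing is removed from the folder's now non-inherited NTFS ACL.
MKTGMGMT_SHARE = [Ace("Marketing Management", "Full Control")]
MANAGEMENT_NTFS = [Ace("Administrators", "Full Control"), Ace("SYSTEM", "Full Control"),
                   Ace("CREATOR OWNER", "Full Control"), Ace("Marketing Management", "Modify")]


def exercise_5_01(principals: set[str]) -> str:
    """Access a user gets to the Management folder through the MktgMgmt share."""
    return effective_through_share(MKTGMGMT_SHARE, MANAGEMENT_NTFS, principals)


if __name__ == "__main__":
    for group in ("Everyone", "Accounting", "Accounting Managers", "IT", "Administrators"):
        print(f"{group:20} -> {table_5_7_row(group)}")
    # Bob from the text belongs to both accounting groups: share level Change.
    bob = {"bob", "Accounting", "Accounting Managers"}
    print("Bob's share level:", cumulative_level(TABLE_5_7_SHARE, bob, SHARE_LEVELS))
    print("Marketing manager via share:", exercise_5_01({"ann", "Marketing", "Marketing Management"}))
    print("Other Marketing staff via share:", exercise_5_01({"cal", "Marketing"}))
    print("Administrator at the console:", effective_at_console(MANAGEMENT_NTFS, {"Administrators"}))
```

Note that after the exercise, Administrators still have Full Control at the console but no access through the MktgMgmt share, because Everyone was removed from the share and only Marketing Management was added; that is exactly the "look at the share first" rule the exam warning describes.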

Setting User Rights and Privileges

Working with file, folder, and share permissions is only one way to grant or restrict access to resources on the Windows Server 2003 server. User rights give you another level of control over use of resources. This section will cover the following topics:

Understanding the role of user rights

Using Group Policy to set user rights

Understanding the Role of User Rights

Every object has a default set of rights governed initially by where the object is created in Active Directory. User rights are inherited from parent objects just like share and security permissions are inherited. Whereas NTFS and share permissions grant or restrict access to files and folders, user rights can affect how a user logs on to a system, how processes can affect system memory, and who can shut down a server, among other things.

There are a number of user rights that can be configured. Table 5.8 lists a few of the rights, which objects have the rights by default, and a description of the right or privilege.

The items listed in the table refer to roles that can be assigned to user objects.


Table 5.8 User Rights and Default Assignments

Privilege | Default Assignments | Description
Access this computer from the network | Administrators, Authenticated Users, Everyone | Users with this right can attach to the server from across the network. This right does not affect Terminal Services.
Add workstations to domain | Authenticated Users | Users with this privilege can add workstations to the Active Directory. When a workstation is added to Active Directory, the workstation inherits the network and security settings for the Active Directory.
Allow log on locally | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators | Users with this right can log on to the server console interactively.
Allow log on through Terminal Services | Administrators | Users with this right can log on to the server with the Terminal Services client.
Back up files and directories | Administrators and Backup Operators | Users with this privilege can access all files and folders on a server for the purpose of backing up the data, despite any access restrictions that have been placed on those files and folders.
Change the system time | Administrators and Server Operators | Users with this privilege can change the system time and date on the computer.
Deny access to this computer from network | None | Users with this right cannot access the server across the network. This right overrides the Access this computer from the network right when an object is assigned both rights.
Deny log on locally | None | Users with this right cannot log on interactively to the server. This right overrides any other rights related to local log on. If this right is assigned to the Everyone group, no one will be able to log on interactively at the server console.
Deny log on through Terminal Services | None | Users with this right cannot log on to the server with a Terminal Services client. This right overrides the Allow log on through Terminal Services right.
Force shutdown from a remote system | Administrators and Server Operators | Users with this privilege can shut down a computer or server without being at the server console.
Restore files and directories | Administrators, Backup Operators, Server Operators | Users with this privilege can restore files and directories from a backup device, including restoring the file/folder permissions and ownership of the data. This privilege bypasses any file or folder permissions that would otherwise restrict the user from accessing the data being restored.
Shut down the system | Account Operators, Administrators, Backup Operators, Server Operators, Print Operators | Users with this privilege can shut down a server from the console.
Take ownership of files or other objects | Administrators | Users with this privilege can take ownership of any object in the system with owner properties. This includes, but is not limited to, files, folders, printers, and processes.

As you can see from reading the table, these user rights govern a different type of access control than NTFS and share permissions. There is still some overlap between the two areas, specifically related to data backup and restore functions. By default, the Administrators and Backup Operators groups have the Back up files and directories and Restore files and directories privileges. This way, the data on the server can be backed up and restored even if NTFS permissions have been set to deny access to a particular directory path. So in this instance, the user privileges can override the NTFS security permissions – sort of. The backup operators still can’t access (open and read) the files and folders to which they’re denied access in the traditional way, but they can bypass permissions to perform specific operations (backup and restore) on them.

NOTE

To understand the difference between permissions and user rights, think of it this way: permissions control access to specific objects (files, folders). User rights define tasks that the user or group can or cannot perform on the system.


As with security permissions, denying or revoking a privilege or right supersedes the granting of the same. A user object has a specific privilege or right only if the object belongs to a group that has been granted that right. So only members of the Administrators group will be allowed to log on to a domain controller via Terminal Services, because only that group has been granted that right. If you had a subset of accounts that belonged to the Administrators group that you wanted to prohibit from using Terminal Services to access the domain controller, you could create a new group, add the user objects to that group, then enable the Deny log on through Terminal Services right for that group. That way, only user objects that belonged to Administrators but not to this other group would be able to log on to the domain controller via Terminal Services.

Using Group Policy to Set User Rights

You have read several times in this chapter that you should apply security configurations to groups and not to users. This holds true for user rights as well. Wherever possible, user rights should be granted to a group and not an individual user object.

If you are logged on to a domain controller, the most direct way to assign user rights is through the Domain Controller Security Policy. You can find the link to this in the Administrative Tools folder, either in the Control Panel folder or in the Programs folder in the Start menu. User rights assignments are in the Local Policy group under User Rights Assignment. You can access the security editor from Windows XP workstations if you have the Windows Server 2003 Administration Tools Pack installed. Figure 5.22 shows the security policy editor (an MMC with a subset of the Group Policy Object Editor console) with the user rights listed. Next to the listing of each policy is the list of groups that have the policy assigned. If nothing is listed next to the policy name, no groups have been assigned to that policy. In some cases, such as the Create global objects policy, the policy setting is shown as Not Defined. That indicates that the policy has not been enabled and the system will take the default action related to that function if requested.

NOTE

User rights can be assigned in a domain environment by editing a GPO assigned to the domain. To access the default domain policy and set user rights on its GPO, open the Active Directory Users and Computers console from the Administrative Tools menu, right-click the domain name in the left console pane, and select Properties. Click the Group Policy tab, select the GPO, and then click Edit. This opens the Group Policy Object Editor. Under Computer Configuration in the left pane, expand Windows Settings, expand Security Settings, expand Local Policies, and select User Rights Assignment.


Figure 5.22 Viewing the User Rights Assignment Window in Domain Controller Security Policy Editor

To modify the groups assigned to a particular policy, double-click the policy, and then add the desired group by clicking the Add User or Group button. Figure 5.23 shows what these settings might look like after the configuration was changed. After you have made the desired changes, click Apply, and the new policy setting will take immediate effect.

Figure 5.23 Viewing the Back Up Files and Directories Security Policy Window


EXERCISE 5.02 ASSIGNING USER RIGHTS

In this exercise, you will go through the steps necessary to assign the capability to log on to a terminal server to an Active Directory group. You have just set up a new Windows Server 2003 computer and configured it to run as a terminal server. Now the employees in the Sales department want to be able to access the terminal server when they are on the road.

1. Open Start | Programs | Administrative Tools | Domain Security Policy.

2. Expand the Local Policies object in the left pane.

3. Select the User Rights Assignment object under Local Policies.

4. Double-click Allow log on through Terminal Services in the right pane.

5. Enable the Define these policy settings check box.

6. Click the Add User or Group button.

7. Click Browse.

8. Enter the group name (CORPORATE\Sales in this case) and click Check Names.

9. When done adding groups, click OK.

10. Click OK to return to the Security Policy Setting window.

11. Click Apply and then click OK to close the Security Policy Setting window.

You can go through the same process to enable other groups to log on through Terminal Services, or you can remove groups if needed.
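After assigning the right, it is worth confirming on the server itself who actually holds it, and whether anyone has also been given the matching Deny right, since Deny supersedes Allow. The following PowerShell script is an added example and is not part of the book or of Windows; it assumes secedit.exe is available, that the session is elevated, and that the exported policy uses the constant names SeRemoteInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight for the two Terminal Services logon rights.

```powershell
# Added example, not from the book: audit who holds the Terminal Services logon
# rights on this machine and flag any account that is both allowed and denied,
# because the Deny right supersedes the matching Allow right.
# Assumes secedit.exe is present and the session is elevated.
$inf = Join-Path $env:TEMP 'userrights.inf'   # constructed scratch file
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section of the export, where each line looks like
#   SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
$rights    = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
    $right   = $Matches[1]
    $entries = $Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    $names = foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            # A leading * marks a SID; translate it to DOMAIN\Name for readability
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry.Substring(1) }   # orphaned SID, e.g. a deleted group
        } else { $entry }
    }
    $rights[$right] = @($names)
}
Remove-Item $inf

# Policy names as shown in the editor, mapped to their constant names in the export
$allow = @($rights['SeRemoteInteractiveLogonRight'])      # Allow log on through Terminal Services
$deny  = @($rights['SeDenyRemoteInteractiveLogonRight'])  # Deny log on through Terminal Services
"Allow log on through Terminal Services: $($allow -join ', ')"
"Deny log on through Terminal Services:  $($deny -join ', ')"
foreach ($principal in $allow) {
    if ($deny -contains $principal) {
        "WARNING: $principal holds both rights; Deny supersedes, so it cannot log on"
    }
}
```

On a domain controller this reflects the effective result of the Domain Controller Security Policy after Group Policy has refreshed, so run it again after the policy has been applied if the new group is not yet listed.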

EXAM 70-290 OBJECTIVE 2.7
EXAM 70-290 OBJECTIVE 3.4

Troubleshooting Access Problems

As access control tools become more powerful, they also become more complex, and the number of ways that access problems can arise increases. If you are supporting an organization that has a poorly planned or poorly implemented access structure, then a user calling to say “I can’t get to my files this morning” can pose a major problem. Even if you are supporting a well-designed and maintained system, these calls can still happen and cause you a lot of extra work.This next section is devoted to giving you some pointers for common problems and resolutions. It covers the following topics:


■ Identifying common access problems

■ Basic troubleshooting guidelines

Identifying Common Access Problems

The most common cause of access problems is a change in permissions or rights. When a user says that the files he or she could work with yesterday are not there today, you know something has changed. What’s most likely is that someone changed something and didn’t check to make sure the change yielded the desired result. But knowing where to start looking for these changes can separate the successful system administrators from the unsuccessful ones. Some of the common access problems are listed here:

■ Lack of permissions: The user or group does not have permissions assigned to access the data. This could result from the user thinking that he or she already had access when none was given, or for some reason access was removed.

■ Too many permissions: This can result from an over-zealous admin not wanting to troubleshoot access problems and assigning Full Control rights in various locations until the apparent problem was resolved. Too many permissions can be more problematic than a lack of permissions.

■ Permission conflicts: Permission conflicts usually result from denying a permission incorrectly. In most cases, restricting access to a resource can be handled more cleanly by removing the permissions from the ACL of an object rather than specifying Deny permissions in an ACL.

■ Files or folders moved or copied: If data was copied or moved from one location to another, the permissions on the data in the new location may not have been set correctly.

■ NTFS and Share permissions in conflict: This is one of the most common problems a new system administrator encounters. When NTFS and share permissions are not set correctly, user access to data will not work as expected.
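Several of the problems listed above (missing permissions, a stray Deny entry, data that was moved without its permissions being reset) show up as an ACE somewhere between the folder and the volume root that either never names the user's groups or explicitly denies them. The following PowerShell script is an added example, not from the book or from Windows; it assumes the path exists on the local server and that $Identities holds the user's account and group names exactly as they appear in the ACLs (the values shown are constructed).

```powershell
# Added example, not from the book: walk from a folder up to the volume root and
# list every NTFS ACE that applies to a user or one of his or her groups, Deny
# entries first, because one inherited Deny higher up the tree can block access
# that looks correctly granted on the folder itself.
# Assumes the path exists locally and that $Identities holds the account and
# group names exactly as they appear in the ACL (constructed sample values).
$Path       = 'D:\Data\Sales\Forecasts'                       # constructed path
$Identities = @('CORPORATE\jsmith', 'CORPORATE\Sales', 'BUILTIN\Users',
                'Everyone', 'CREATOR OWNER')                    # constructed membership

$current = $Path
while ($current) {
    $acl = Get-Acl -Path $current
    "== $current  (owner: $($acl.Owner))"
    $matching = @($acl.Access | Where-Object { $Identities -contains $_.IdentityReference.Value })
    if ($matching.Count -eq 0) { "   no ACE names this user or any listed group" }
    # Sort so that Deny (enum value 1) prints before Allow (0), matching evaluation order
    foreach ($ace in ($matching | Sort-Object AccessControlType -Descending)) {
        $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        '   {0,-5} {1,-20} {2} [{3}]' -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights, $source
    }
    # Split-Path returns an empty string at the volume root, which ends the loop
    $current = Split-Path -Path $current -Parent
}
```

Populate $Identities from the user's actual group list (for example, the output of whoami /groups in the user's session) so that nested and built-in groups are not overlooked.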

Basic Troubleshooting Guidelines

Whether the call comes in as “I’m getting this error when mapping a drive” or “I can’t save changes to any of my files,” the troubleshooting process is the same. Rather than promise you a guaranteed, one-size-fits-all troubleshooting process, we will outline some troubleshooting guidelines for access problems. All technicians develop their own troubleshooting mantras based on their own experiences. Here are some general “should do’s” related to access problems:

■ First and foremost, listen. Listen to the user and understand exactly what the problem is. Regardless of how good you are technically, if you cannot fully understand the problem the user is encountering, you might take your outstanding troubleshooting skills down the completely wrong path. Listening can usually distinguish between “the server is down” and “your network cable is unplugged.”

■ Look at the groups to which the user object belongs. Even though you may not know what groups the user was a member of yesterday, you can tell what group memberships he or she has right now. Look also for obvious problems with group membership. Chances are, a user who is primarily a traveling salesperson for the company should not be a member of the Backup Operators group. Likewise, the user should have some group membership defined, even if it is just Users or Everyone. A user with no group memberships likely cannot access anything on the network.

■ Look at the files and folders the user is trying to access. Start with the actual folders and not the shares. Check the simple things first—is the folder present on the volume? Is the file in the folder? Is the file marked as read only? Then check for the NTFS permissions on the files and folders. If permissions are set on specific files, try to determine why. In general practice, NTFS permissions should only apply to folders, so see if there’s an obvious reason for setting permissions on a file. Then look at the NTFS permissions on the folder. Are there appropriate ACEs in the ACL? Are the folder permissions inherited from the parent folder? Do any of the ACEs match group memberships for the user? Is the CREATOR OWNER group assigned permissions in the folder? Are there any Deny permissions that may be stomping on otherwise correctly-configured ACLs? You might need to go all the way up to the root of the volume to determine if the NTFS permissions are set correctly for the end-level folder and files. Also be on the lookout for any Deny permissions applied. If you find any Deny permissions, work out the way the Deny permission impacts access to the file or folder for all groups, then determine if that impacts the user having the access problem.

■ Examine the permissions set on the share. Determine which share the user is accessing, remembering that a folder on disk can have multiple network shares pointing to it with different access permissions. Examine the share ACL and look for access granted to each entity. Does the user belong to a group that has permissions to the share? Are there any Deny permissions on the shar