Copyright
Microsoft® Windows Server™ 2003 Administrator’s Companion, Second Edition
by Jason Gerend, Sharon Crawford, Charlie Russel
Dedication
A Note Regarding Supplemental Files
Acknowledgments
Introduction
Meet the Family
New in Windows Server 2003
How to Use this Book
What’s in the Book
What’s on the CD?
Talk to Us
System Requirements
I. Preparation
1. Overview of Windows Server 2003
Versions of Windows Server 2003
Deploying Windows Server 2003 and Windows Clients
Network Management
Printer Management
Group Policy
IntelliMirror
Terminal Services
Interoperability
System and Network Security
Availability and Reliability
Active Directory
Storage and File System Support
Communications
Internet Services and .NET Application Services
Scalability
The Need for Planning
Summary
2. Introducing Directory Services
Understanding Directory Services
Active Directory in Microsoft Windows Server 2003
Terminology and Concepts in Active Directory
Namespace and Name Resolution
Attribute
Object
Container
Tree and Subtree
Distinguished Name
Schema
The Active Directory Architecture
The Directory System Agent
Naming Formats
The Data Model
Schema Implementation
The Security Model
Delegation and Inheritance
Naming Contexts and Partitions
The Global Catalog
Summary
3. Planning Namespace and Domains
Analyzing Naming Convention Needs
Trees and Forests
Trees
Forests
Defining a Naming Convention
The Organizational Naming Convention
The Geographical Naming Convention
Mixed Naming Conventions
Determining Name Resolution
Using the Same Internal and External Namespaces
Using Different Internal and External Namespaces
Planning a Domain Structure
Domains vs. Organizational Units
Domains
Organizational Units
Designing a Domain Structure
Designing a Single Domain Tree Structure
Designing a Multiple Domain Tree Structure
Domain Security Guidelines
Creating Organizational Units
Planning Multiple Domains
Planning a Contiguous Namespace
Determining the Need for a Multi-Tree Forest
Creating the Forest
Summary
4. Planning Deployment
How Information Technology Functions
Identifying Business Needs
Getting Specific
Seeing into the Future
Assessing Current Systems
Documenting the Network
The Organizational and Physical Infrastructure
Traffic Patterns
Network Addresses
Operating System Connectivity
External Connectivity
Existing Network Operating Systems
Existing Applications and Services
Making a Roadmap
Defining Goals
Assessing Risk
Summary
II. Installation and Configuration
5. Getting Started
Designing a Deployment Environment
Choosing an Installation Method
Choosing a Setup-Based Installation Method
Choosing an Image-Based Installation Method
Choosing a Preinstallation Environment
Choosing a Software Update Solution
Choosing an Application Deployment Solution
Understanding Licensing and Product Activation
Licensing Modes
Product Activation
Designing a Test Lab
Planning Server Configurations
Planning Server Roles
Assessing System Requirements
Planning Partitions
Planning Server Security
Creating Your Deployment Plan
Creating Your Deployment Environment
Using Setup Manager
Using Unattended Setup with Windows Server 2003 R2
Creating and Modifying a Distribution Share
Creating a Distribution Share
Applying Service Packs to a Distribution Share
Installing Software Updates with an Answer File
Installing Plug and Play Drivers in the Distribution Share
Installing OEM Drivers in Remote Installation Preparation Images
Installing Mass Storage Drivers
Converting Short Filenames Back to Long Filenames
Using Sysprep with Disk Imaging
Installing Windows
Preparing the System
Performing a Manual Installation of Windows
Initiating Windows Setup Using an Answer File
Initiating Setup Using Command-Line Parameters
Troubleshooting Installations
Setup Freezes or Locks Up
Setup Stops During File Copying
Previous Operating System Will Not Boot
Changing the Default Operating System and Boot Times
Restoring the MBR of the Previous Operating System
Summary
6. Upgrading to Windows Server 2003
Architectural Changes Since Windows NT 4.0
Domain Controllers and Server Roles
Server Roles in Windows NT 4.0
Server Roles in Windows 2000 and Windows Server 2003
Active Directory
Active Directory Domains
Sites and Organizational Units
Forest Root Domains
Trust Relationships
Trust Relationships in Windows NT 4.0
Trust Relationships in Active Directory
Hardware Support
Software Support
Planning a Windows NT Domain Upgrade
Choosing Whether to Upgrade or Migrate
Documenting the Existing Network
The Existing Domain Model
Existing Trust Relationships
Account Domains and Resource Domains
DNS Namespaces
Server Software and Compatibility Issues
Planning the Active Directory Forest
Designing the Active Directory Domain Structure
Single-Domain Model
Single-Master–Domain Model
Multiple-Master–Domain Model
Complete-Trust Model
Choosing DNS Names
Planning the Site Topology
Making a Recovery Plan
Make Sure All Domains Have at Least One BDC
Back Up Each Computer Before Upgrading
Synchronize All BDCs with the PDC
Take a BDC Offline for Backup
Relax
Developing an Upgrade Strategy
Upgrading or Replacing Windows NT RAS Servers
Making Sure the PDC Is Sufficiently Powerful
Creating the Dedicated Forest Root Domain Before Upgrading the PDC
Upgrading or Retiring Any Incompatible Clients and Servers
Upgrading the PDC First
Upgrading or Replacing the BDCs Quickly
Upgrading Member Servers and Clients Independently
Scheduling the Domain Upgrade Appropriately
Creating a Testing Criteria
Preparing Domains and Computers
Reviewing Server Upgrade Requirements
Preparing Windows NT Domains
Preparing the Computers
Updating the Active Directory Schema
Testing Active Directory Functionality in Active Directory Domains
Updating the Active Directory Forest Schema
Verifying the Forest Schema Update
Updating the Active Directory Domain Schema
Upgrading Clients to Windows XP
Upgrading Servers to the Windows Server 2003 Family
Installing Windows Server 2003 R2
Upgrading a Server to Windows Server 2003
Switching Forest and Domain Functional Levels
Choosing a Forest Functional Level
Choosing a Domain Functional Level
Switching Functional Levels
Summary
7. Configuring a New Installation
Installing Updates
Enabling Remote Administration
Checking for Setup Problems
Configuring Devices
Using Device Manager
Working with Device Manager
Working with Device Properties
Troubleshooting Devices
Configuring Storage
Configuring Networking Settings
Changing Your Network Identity
Configuring Network Components
Configuring TCP/IP
Using Dynamic Addressing
Using Static Addressing
Setting Advanced TCP/IP Options
Configuring IP Settings
Configuring DNS Settings
Configuring WINS Settings
Configuring TCP/IP Options
Setting Up Server Roles
Securing Windows
Summary
8. Installing and Managing Printers
Planning Printer Deployment
Establishing Printer Naming Conventions
Creating Location-Naming Conventions
Enabling Printer Location Tracking
Choosing Whether to Upgrade or Migrate Print Servers
Installing Printers
Managing Printers and Print Servers
Using the Print Management Console
Creating Filtered Printers Folders
Deploying Printer Connections
Managing Print Jobs from Windows
Managing Printers from a Web Browser
Managing Printers from a Command Line
Changing Printer Options
Setting Security Options
Changing Printer Availability and Group Priorities
Specifying a Separator Page
Changing Spool Settings
Managing Printer Drivers
Managing Printer Drivers
Creating Printer Pools and Changing Port Settings
Printer Maintenance and Troubleshooting
Optimizing Print Server Performance
Preparing for Print Server Failure
Printing from the Client Machine Experiencing the Problem
Document Prints Incorrectly
Document Fails to Print
Printing from Some Applications Fails
Checking the Print Server Status
Checking the Printer
Deleting Stuck Documents
Troubleshooting Printer Location Tracking
Clients Cannot Locate Some Printers in Active Directory
Naming Scheme Needs to Be Changed
Summary
9. Managing Users and Groups
Understanding Groups
Assigning Group Scopes
Global Scope
Domain Local Scope
Universal Scope
Planning Organizational Units
Creating Organizational Units
Moving Organizational Units
Deleting Organizational Units
Planning a Group Strategy
Determining Group Names
Using Global and Domain Local Groups
Using Universal Groups
Implementing the Group Strategy
Creating Groups
Deleting Groups
Adding Users to a Group
Changing the Group Scope
Creating Local Groups
Managing Built-In Groups and User Rights
Built-In Local Groups
Built-In Domain Local Groups
Built-In Global Groups
Defining User Rights
Assigning User Rights to a Group
Assigning Rights Locally
Creating User Accounts
Naming User Accounts
Account Options
Passwords
Creating a Domain User Account
Creating a Local User Account
Setting User Account Properties
Testing User Accounts
Managing User Accounts
Finding a User Account
Disabling and Enabling a User Account
Deleting a User Account
Moving a User Account
Renaming a User Account
Resetting a User’s Password
Unlocking a User Account
Using Home Folders
Creating Home Folders on a Server
Providing Home Folders to Users
Maintaining User Profiles
Local Profiles
Roaming Profiles
Setting Up Roaming Profiles
Creating Customized Roaming Profiles
Using Mandatory Profiles
Assigning a Logon Script to a User Profile
Summary
10. Managing File Resources
Sharing File Resources
Shared Folders
NFS Shared Folders
Active Directory Shared Folders
DFS Folders
Share Permissions vs. File Permissions
Share Permissions
File Permissions
NTFS Permissions
What Permissions Mean
How Permissions Work
Considering Inheritance
Configuring Folder Permissions
Assigning Permissions to Files
Configuring Special Permissions
Ownership and How It Works
Shared Folders
Using the File Server Management Snap-In
Creating a Shared Folder
Removing a Folder Share
Disconnecting Users
Limiting Simultaneous Connections
Special Shares
The Command Line—Net Share
NFS Shared Folders
Initial Configuration
Specify a User Name Mapping Server
Windows Firewall Configuration
Creating an NFS Share
Deleting or Modifying an NFS Share
Publishing Shares in Active Directory
Summary
11. Administering Group Policy
Components of Group Policy
Group Policy Objects
Group Policy Templates
Group Policy Containers
Default Group Policies
Managing Group Policies
Order of Implementation
Order of Inheritance
Overriding Inheritance
Enforcing a GPO Link in GPMC
Setting No Override
Setting Block Inheritance in GPMC
Blocking Inheritance on Computers Without GPMC
Creating a Group Policy Object
Creating a GPO in GPMC
Creating a GPO on a Computer Without GPMC
Inside the Group Policy Object Editor
Managing Group Policy Links
Linking a GPO Using GPMC
Linking a GPO Without GPMC
Setting the Scope of Group Policy Objects
Using GPMC to Set the Scope for a GPO
Setting the GPO Scope Without GPMC
Delegating Permissions on GPOs
Delegating Group Policy Using GPMC
Delegating Permission to Create
Delegating Permission to Link
Delegating Permission to Edit, Delete, or Modify Security
Delegating Group Policy Without GPMC
Delegating Permission to Create
Delegating Permission to Link, Edit, Delete, or Modify Security
Disabling a Branch of a GPO
Disabling a Node Using GPMC
Disabling a Node without GPMC
Refreshing Group Policy
Backing Up a Group Policy Object
Restoring a Group Policy Object
Using Group Policy for Folder Redirection
Redirecting to One Location
Redirecting by Group Membership
Removing Redirection
Using Resultant Set of Policy (RSoP)
Running an RSoP Query
A Planning RSoP
A Logging RSoP
Summary
III. Network Administration
12. Managing Daily Operations
Using the Microsoft Management Console
Convenience Consoles
Creating an MMC-Based Console with Snap-Ins
Customizing the Layout of a Console
Setting Options for a Console File
Modifying Console Files
Distributing and Using Consoles
Using MMC for Remote Administration
Using the Secondary Logon
Opening Programs Using Run As
Making Shortcuts to Run As
Using Runas for Printers or Control Panel
Administrative Tools
Installing Administrative Tools Locally
Making Administrative Tools Available Remotely
Support Tools
Automating Chores with Scripts
Auditing Events
Audit Settings for Objects
Viewing Event Logs
Searching Event Logs
Filtering Event Logs
Setting the Size of Event Logs
Archiving Event Logs
Delegating Control
Using Task Scheduler
Changing a Schedule
Tracking Task Scheduler
Viewing Tasks on a Remote Computer
Using the AT Command
Using cron
Summary
13. Using Scripts for Consistent Administration
Scripting on Windows Server 2003
Windows Server 2003 Scripting Infrastructure
Command Shell
Active Scripting
COM Interfaces
Extending the Infrastructure
What’s New in Windows Server 2003 Scripting
The Windows Command Shell—Cmd.exe
Windows Scripting Host
Distributed COM
ADSI and WMI
Scripting Practices
Think from the Command Prompt
Write WSH Scripts as Console Tools
Credentials and Scripting
Use RunAs and Scheduled Tasks
Avoid Specifying Passwords on the Command Line
Use Obfuscated Password Entry
Path Management Practices
How Command Discovery Works
Making Changes to the Shell Working Directory
Use Fully Qualified Command Paths
Monitor the %PATHEXT% Variable
Add a Tools Directory to Your Path
Input and Output Handling
WSH: Use Text Streams for Input and Output
Limit MsgBox Use
WScript.Echo: Flexible but Suppressed in Batch Mode
Use the WScript.Shell LogEvent for Critical Information Logging
Use Good Error Management
Use VBScript’s On Error Resume Next Carefully
Console Scripts Should Handle Most Errors as Normal Events
Return Error Information to the Shell
Log Errors in Noninteractive Scripts
WMI Scripting Issues
Use Scriptomatic to Explore WMI
Use WMIC for Interactive Exploration and One-Shot WMI Calls
Avoid Authentication and Impersonation Settings
Translating Script Languages
Creating and Getting
VBScript
JScript
Perl
Noninteractive Scripts: Remote and Scheduled Use
The Future of Windows Scripting
Summary
14. Installing and Configuring Active Directory
Using the Active Directory Installation Wizard
Preparing for Installation
NTFS
DNS Server
Promoting Your First Server to a Domain Controller
Launching the Active Directory Installation Wizard
Creating a New Domain
Specifying Domain Names
Choosing Installation Options
Creating Additional (Replica) Domain Controllers
Creating a Child Domain in an Existing Tree
Creating a New Tree in an Existing Forest
Creating a New Forest
Upgrading Windows NT 4 Domain Controllers
Demoting a Domain Controller
Changing a Domain Controller Identification
Setting a Global Catalog Server
Using Active Directory Domains and Trusts
Launching Active Directory Domains and Trusts
Domain and Forest Functionality
Changing the Domain Functionality Levels
Changing the Forest Functionality Levels
Managing Domain Trust Relationships
Specifying the Domain Manager
Configuring User Principal Name Suffixes for a Forest
Managing Domains
Using Active Directory Users and Computers
Launching Active Directory Users and Computers
Viewing Active Directory Objects
Active Directory Object Types
Normal Mode vs. Advanced Mode
Changing the Domain
Using Filters to Simplify the Display
Finding Objects
Default Active Directory Objects
Creating an Organizational Unit
Configuring OU Objects
Delegating Object Control
Creating a User Object
Using the Command Line to Add a User
Configuring User Objects
The General Tab
The Address Tab
The Account Tab
The Profile Tab
The Telephones Tab
The Organization Tab
The Member Of Tab
The Dial-In Tab
The Environment Tab
The Sessions Tab
The Remote Control Tab
The Terminal Services Profile Tab
The COM+ Tab
The Published Certificates Tab
The Object Tab
The Security Tab
Creating a Group
Configuring Group Objects
The General Tab
The Members Tab
The Member Of Tab
The Managed By Tab
The Object Tab
The Security Tab
Creating a Computer Object
Configuring Computer Objects
Using Remote Computer Management
Publishing a Shared Folder
Publishing a Printer
Moving, Renaming, and Deleting Objects
Renaming a Domain Controller or a Whole Domain
Renaming a Domain Controller
Renaming Domains
Using Active Directory Federation Services
Summary
15. Managing Active Directory
Using Active Directory Sites and Services
Defining Site Objects
Subnet Objects
Server Objects
Understanding Domain Replication
Intrasite Replication
Intersite Replication
Launching Sites and Services
Viewing Replication Objects
Creating Site Objects
Creating Server and Connection Objects
Creating Subnet Objects
Creating Site Link Objects
Configuring Site Links
Creating Site Link Bridge Objects
Using Active Directory Schema
Examining Schema Security
Schema Administrator Permissions
Flexible Single-Master Operations
Read-Only Schema Access
Launching Active Directory Schema
Modifying the Schema
Creating Attributes
Creating Object Classes
Adding Attributes to a Class
Adding an Auxiliary Class to a Structural Class
Modifying Display Specifiers
Performing Batch Importing and Exporting
Using the Ldifde.exe Utility
Exporting Objects
Importing Objects
Modifying Objects
Understanding Operations Master Roles
Primary Domain Controller Emulator
Transferring the PDC Emulator
Seizing the PDC Emulator
Schema Master
Transferring the Schema Master
Seizing the Schema Master
Domain Naming Master
Transferring the Domain Naming Master
Seizing the Domain Naming Master
Relative Identifier Master
Transferring the RID Master
Seizing the RID Master
Infrastructure Master
Transferring the Infrastructure Master
Seizing the Infrastructure Master
Summary
16. Understanding TCP/IP
The TCP/IP Protocol Suite
Internet Protocol
Transmission Control Protocol
User Datagram Protocol
Windows Sockets
NetBIOS
Requests for Comments
IP Addresses and What They Mean
Class A Networks
Class B Networks
Class C Networks
Class D and Class E Addresses
Routers and Subnets
What Is a Subnet?
Gateways and Routers
Address Resolution and Routing Protocols
Name Resolution
The Domain Name System
The Domain Namespace
Top Level Domains
How Names Are Resolved into Addresses
Reverse Lookups
Dynamic DNS and Active Directory Integration
Zone Storage and Active Directory
Lightweight Directory Access Protocol
Dynamic Host Configuration Protocol
How DHCP Works
Using Multiple DHCP Servers
Windows Internet Name Service
Single Domain Across a Subnet Boundary
Multiple Domains Within a Subnet Boundary
Multiple Domains Across a Subnet Boundary
IP Version 6
Summary
17. Administering TCP/IP
Using DHCP
Designing DHCP Networks
DHCP Security Considerations
Plan the IP Address Range and Exclusions
Installing the DHCP Service
Creating a New Scope
Authorizing the DHCP Server and Activating Scopes
Adding Address Reservations
Enabling Dynamic Updates to a DNS Server for Earlier Clients
Using Multiple DHCP Servers for Redundancy
Splitting the Address Space Between Two Servers
Setting Up a DHCP Server Cluster
Other DHCP Functions
Modifying Scopes
Enabling Server-Based Conflict Detection
Setting Up a DHCP Relay Agent
Backing Up and Restoring the DHCP Database
Using Ipconfig to Release, Renew, or Verify a Lease
DHCP Command-Line Administration
Using DNS Server
Installing DNS
Using the Configure A DNS Server Wizard
Setting Up a DNS Server
Creating Zones
Creating Subdomains and Delegating Authority
Adding Resource Records
Configuring Zone Transfers
Interoperating with Other DNS Servers
Enabling WINS Resolution
Setting Up a Forwarder
Updating Root Hints
Setting Up a Caching-Only DNS Server
Setting Up a WINS Server
Determining Whether You Need WINS
Configuring the Server to Prepare for WINS
Installing WINS
Adding Replication Partners
Miscellaneous WINS Functions
Compacting the WINS Database
Summary
18. Implementing Disk Management
Understanding Disk Terminology
Overview of Disk Management
Disk Administration Enhancements
Remote Management
Dynamic Disks
Command Line
Disk Management Tasks
Adding a Partition or Volume
Adding a New Disk Using the Initialize And Convert Disk Wizard
Creating a Volume
Creating a Partition
Creating Logical Drives in an Extended Partition
Deleting a Partition, Volume, or Logical Drive
Converting a Disk to a Dynamic Disk
Extending a Volume
Adding a Mirror
Drive Failure in a Mirrored Volume
Removing a Mirror
Breaking a Mirror
Converting a Volume or Partition from FAT to NTFS
Formatting a Partition or Volume
Changing a Drive Letter
Mounting a Volume
NTFS
Encrypting on the File System Level
Disk Quotas, File Screening, and Shadow Copies
Summary
19. Using Clusters
What Is a Cluster?
Network Load Balancing Clusters
Server Clusters
Cluster Scenarios
Intranet or Internet Functionality
Terminal Services
Mission-Critical Availability
Requirements and Planning
Identifying and Addressing Goals
Identifying a Solution
Identifying and Addressing Risks
Making Checklists
Network Load Balancing Clusters
NLB Concepts
Choosing an NLB Cluster Model
Single Network Adapter in Unicast Mode
Single Network Adapter in Multicast Mode
Multiple Network Adapters in Unicast Mode
Multiple Network Adapters in Multicast Mode
Creating an NLB Cluster
New NLB Cluster
Adding a Node to an NLB Cluster
Removing a Host from an NLB Cluster
Planning the Capacity of an NLB Cluster
Providing Fault Tolerance
Optimizing an NLB Cluster
Server Clusters
Server Cluster Concepts
Networks (Interconnects)
Nodes
Groups
Resources
Types of Resources
Physical Disk
DHCP and WINS
Print Spooler
File Share
Internet Protocol Address and Network Name
Local Quorum
Majority Node Set
Generic Application
Generic Script
Generic Service
Volume Shadow Copy Service Task
Defining Failover and Failback
Configuring a Server Cluster
High Availability with Load Balancing
Maximum Availability Without Load Balancing
Partial Failover (Load Shedding)
Virtual Server Only
Planning the Capacity of a Server Cluster
Creating a Server Cluster
New Server Cluster
Creating a Clustered Resource
New Cluster Group
New Physical Disk Resource
New IP Address Resource
New Network Name Resource
New File Share Resource
Compute Clusters
Summary
20. Managing Storage
Using File Server Resource Manager
Setting Global Options
Scheduling Storage Reports
Using Quota Management
Quota Concepts
Creating Quotas and Auto Apply Quotas
Viewing and Managing Quotas
Creating and Editing Quota Templates
Screening Files
Creating File Screens
Creating Exceptions
Creating and Editing File Screen Templates
Working with File Groups
Using Disk Quotas
Enabling Disk Quotas
Setting Quota Entries for Users
Exporting and Importing Disk Quotas
Creating Quota Reports
Distributed File System
What’s New in DFS for Windows Server 2003 R2
Concepts and Terminology
Namespace Roots
Folders
Targets
DFS Replication
Requirements
DFS Clients
DFS Servers
Using DFS Without NetBIOS or WINS
Installing DFS Management and DFS Replication
DFS Namespaces
Creating or Opening a Namespace Root
Adding Namespace Servers
Adding DFS Folders
Changing Advanced Settings
Changing Namespace Referral Settings
Overriding Referral Settings on Individual Folders
Delegating Management Permissions
Changing Namespace Polling Settings
Backing Up and Restoring the DFS Folder Targets
DFS Replication
Creating a Replication Group
Replicating a DFS Folder
Creating a Branch Office Replication Group
Creating a Multipurpose Replication Group
Managing Replication Groups
Overview of Storage Manager For SANs
Concepts and Terminology
Installing Storage Manager For SANs
Using the Storage Manager For SANs Console
Managing Server Connections
Managing iSCSI Targets
Managing iSCSI Security
Logging On to iSCSI Targets
Creating and Deploying Logical Units (LUNs)
Extending a LUN
Removable Storage
Concepts and Terminology
Removable Devices and Libraries
Media Pools
Removable Storage Media Identification
Media States
Physical States
Side States
Use and Management
Managing Libraries
Inventorying Libraries
Setting Door and Inject/Eject Port Timeouts
Enabling and Disabling Individual Drives in a Library
Cleaning Libraries
Managing Media Pools
Creating Media Pools
Deleting Media Pools
Managing Physical Media
Injecting and Ejecting Media
Mounting and Dismounting Media
Using the Work Queue
Working with Operator Requests
Remote Storage
Concepts and System Requirements
Overview
Program Compatibility
Data Safety
System Requirements
Setup and Configuration
Setting Up Remote Storage
Setting Up Additional Volumes with Remote Storage
Changing Include/Exclude Rules
Disabling Remote Storage for a Managed Volume
Performing Tasks Manually
Setting Recall Limits
Data Recovery and Protection
Understanding Data Protection Strategies
Single Drive Strategies
Multiple Drive Strategies
Working with Media Copies
Recovering from Disaster
Summary
IV. Security
21. Planning for Security
Security Basics
Authentication
Proof of Identity
Authentication Protocols
Hardware-Enabled Authentication
Mutual Authentication
Single Sign-On
Data Protection
Data Confidentiality
Data Integrity
Access Control
Auditing
Nonrepudiation
Smart Cards
Public-Key Infrastructures
Public-Key Encryption vs. Symmetric-Key Encryption
Public-Key Certificates and Private Keys
Certificate Authorities
Root and Subordinate Certificate Authorities
Chain Verification and Trust
Cross-Root Certification
Certificate Registration
Certificate Directories
Certificate Templates
Certificate Revocation
Certificate Renewal
Full CRLs and Delta CRLs
Security-Enabled Protocols
Secure Multipurpose Internet Mail Extensions
Signed Messages
Encrypted Messages
Other Content Types
Kerberos Version 5
Windows NT LAN Manager
Secure Sockets Layer
Internet Protocol Security
IPSec Policy Management
How IPSec Works
Virtual Private Networks
Remote Access VPNs
Router-to-Router VPNs
Windows Rights Management Services
Security Modules
Cryptographic Application Programming Interface
Cryptographic Service Providers
CAPICOM
Data Protection API
Summary
22. Implementing Security
The Security Configuration Wizard
Installing the Wizard
Using the Wizard
Deploying the Policy
Using Templates to Implement Security Policies
Examining Template Policies
Using Predefined Templates
Secure Security Templates
Highly Secure Security Templates
Compatible Security Template
Out-of-the-Box Security Templates
Modifying a Predefined Template
Defining New Templates
Applying Templates
Using Security Configuration and Analysis
Opening a Security Database
Importing and Exporting Templates
Analyzing Security and Viewing the Results
Configuring Security
Using Windows Firewall
Enabling Authentication
Obtaining Smart Cards and Certificates
Setting Up an Enrollment Agent
Programming Smart Cards
Obtaining Software-Based Certificates
Logging On with Smart Cards
Enabling Remote Certificate or Smart Card Authentication
Authentication with Certificate on Smart Card
Authentication with Certificate Stored on Local Computer
Configuring Authentication for a Remote Access Server
Implementing Access Control
Establishing Ownership
Assigning Permissions
Managing Certificates
Exporting Certificates and Private Keys
Importing Certificates
Requesting Certificates
Enabling Certificates for Specific Purposes
Using Internet Protocol Security Policies
Defining IPSec Policies
Using Predefined IPSec Policies
Creating an IPSec Policy
Editing an IPSec Policy
IP Filter List
Filter Action
Authentication Methods
Tunnel Setting
Connection Type
Assigning IPSec Policies
Securing Local Data
Creating a Recovery Policy
Encrypting Files and Folders
Decrypting Files and Folders
Sharing Encrypted Files and Folders
Recovering Files
Auditing
Establishing an Audit Policy
Auditing Access to Objects
Viewing the Security Log
Manipulating the Security Log
Security Log Maintenance
Using Microsoft Baseline Security Analyzer
What to Do When Hacked
Summary
23. Patch Management
Why It’s Important
The Patching Cycle
Assess
Identify
Evaluate and Plan
Deploy
Repeat
Deployment Testing
Test Network Deployment
Beta User Deployment
Full Deployment
Obtaining Updates
Automatic Updates
Windows Server Update Services
Installation
Prerequisites
Basic Configuration
Systems Management Server 2003
Third-Party Products
Summary
24. Using Microsoft Certificate Services
More Vocabulary
Policy Modules
Exit Modules
Certificate Publishers
Certificate Templates
Certificate Authority Types
Enterprise CA
Standalone CA
Preinstallation
Understanding Certificate Authority Roles
Enterprise Root CA
Enterprise Subordinate CA
Standalone Root CA
Standalone Subordinate CA
Preparing for Installation
Installation and Configuration
The Certification Authority Snap-In
Managing the Certification Authority Service
Starting and Stopping the CA
Backing Up the CA
Restoring the CA
Renewing the CA Certificate
Configuring the CA’s Properties
The Policy Module Tab
The Exit Module Tab
The Storage Tab
The Security Tab
Working with Certificate Templates
Setting Security Permissions and Delegate Access
Enabling Autoenrollment
Managing Revocation and Trust
Publishing CRLs
Delta CRLs
Changing CRL Distribution Points
Controlling Which Trusted Certificates Are Distributed
Managing Certificate Trust Lists for a Group Policy Object
Managing Standalone CAs
Setting the Default Action for New Requests
Changing Certificate Request Status
The Certificates Snap-In
CAs Linked into a Hierarchy
Requesting a Certificate if Your Root CA Is Online
Requesting a Certificate if Your Root CA Is Offline
Command-Line Utilities
The Certsrv Tool
The Certreq Tool
The Certutil Tool
Summary
25. Connection Services
How Dial-Up Remote Access Works
Understanding Virtual Private Networks
How VPNs Work
Components of a VPN
Common Configurations for Remote Access Servers
Configuring a Server for Dial-Up Clients
Configuring a NAT Server
Setting Remote Access Policies
Understanding the Default Policy
Choosing an Administrative Model for Remote Access Policies
Administering Access by User
Granting Access by User
Administering Access by Policy for a Mixed-Mode Domain
Granting or Denying Access by Group Membership for a Mixed Domain
Administering Access by Policy for a Native Domain
Granting or Denying Access by Group Membership for a Native Domain
Configuring a Remote Access Policy
Specifying Conditions of Remote Access Policies
Configuring Profiles in Remote Access Policies
Specifying Dial-In Constraints
Specifying IP Address Policies
Enabling Multilink and the Bandwidth Allocation Protocol
Specifying Authentication Methods
Specifying an Encryption Method
Setting Advanced Attributes
Configuring a Remote Access Server
Configuring a Virtual Private Network
Configuring the Internet Connection
Configuring the Remote Access Server as a Router
Configuring PPTP Ports
Configuring PPTP Filters
Elements of a Router-to-Router VPN Connection
VPN Clients
VPN Servers
LAN and Remote Access Protocols
Tunneling Protocols
Demand-Dial Interfaces
User Accounts
Static Routes or Routing Protocols
Security Options
Adding a Demand-Dial Interface
Setting Up Static Routes and Routing Protocols
Using the Internet Authentication Service
Installing and Configuring IAS
Installing IAS
Configuring IAS
Configuring Clients for IAS
Using RADIUS for Multiple Remote Access Servers
Configuring a Remote Server for RADIUS Authentication
Configuring the Remote Server for RADIUS Accounting
Configuring the IAS Server for RADIUS
Using the RADIUS Proxy
Summary
26. Implementing Wireless Security
Understanding 802.11 Protocols
802.11
802.11a
802.11b
802.11g
802.11h
802.11i
802.11e
802.11n
Encryption and Authentication
WPA and WPA2
Data Encryption
Data Integrity
User Authentication
WPA2
Deployment Scenarios
Enterprise Deployment with 802.1X
Guest Access
Managed Clients
Unauthorized Wireless Access Points
Small and Medium Business Deployment with WPA
Guest Access
Managed Clients
Unauthorized Wireless Access Points
Summary
V. Support Services and Features
27. Interoperability
UNIX Interoperability
Permissions and Security Concepts
A UNIX File Listing
Symbolic Links
Privilege Levels
Basic Connectivity
File Transfer Protocol
Telnet
File Systems
The Network File System
Server Message Block
Printing
Microsoft Services for NFS
Configuring User Name Mapping
Connecting to an NFS Share
Configuring Client for NFS
Creating an NFS Share
Configuring Server for NFS
UNIX Identity Management Services
Windows Subsystem for UNIX-Based Applications
Macintosh Interoperability
Novell NetWare Interoperability
Summary
28. Managing Software
Using the Group Policy Software Installation Extension
Finding the Right Mix of Services
Natively Authored Windows Installer Packages
Zap Files
Repackaged Applications
Deciding Whether to Publish or Assign Applications
Updating Applications Deployed via Group Policy
Setting Up the Group Policy Software Installation Extension
Creating a Software Distribution Point
Creating a GPO for Application Deployment
Configuring the Group Policy Software Installation Extension
Setting Software Installation Options
Changing Software Installation Behavior over Slow Links
Working with Packages
Adding a Package to a Group Policy
Changing Application Properties
Applying Package Upgrades
Applying Package Modifications
Removing and Redeploying Packages
Using Software Restriction Policies
How Software Restriction Policies Work
Creating Software Restriction Policies
Remote Installation Services
How RIS Works
RIS Requirements and System Recommendations
Installing RIS
Administering RIS
Changing RIS Settings
Changing Client Group Policy Settings
Managing Operating System Images
Adding CD-Based Images
Adding a Windows Server 2003 R2 Image
Adding Unattended Answer Files to Existing Images
Setting Permissions for Images
Changing Image Properties
Adding RIS Tools
Using Remote Installation Preparation
Performing User Installations
Prestaging a Client
Creating a Remote Boot Disk
Performing a Remote Operating System Installation
Summary
29. Application Compatibility and Virtual Server
Virtual Server Overview
Installing Virtual Server
Installing Internet Information Services for Virtual Server
Performing the Installation
Configuring Virtual Server
Configuring Virtual Networks
Configuring the Internal Network
Configuring External Networks
Configuring Server Properties
Enabling Virtual Machine Remote Control
Setting Search Paths
Creating Virtual Machines
Initial Configuration of a Virtual Machine
Configuring CD/DVD
Starting the Virtual Machine for the First Time
Installing an Operating System
Installing SCSI Shunt Driver
Using Virtual Machine Remote Control
Configuring Virtual Machines
Configuring Running Virtual Machines
Configuring Stopped Virtual Machines
Installing Virtual Machine Additions
Administering Virtual Server
Alternatives to Virtual Server
Virtual PC
VMware
Summary
30. Deploying Terminal Services
Concepts
Remote Access
Central Management
Requirements
RAM
CPU
Network Utilization
Capacity Planning
Installation
Enabling Remote Desktop for Administration Mode
Installing Programs
Install Mode vs. Execute Mode
Using Add/Remove Programs to Install Applications
The Change Command
Using the Change Command to Install an Application
Administration
Terminal Services Manager
Overview
Finding Servers
Making Connections
Managing Connections
Disconnecting Sessions
Resetting Sessions
Logging Off a Session
Viewing Processes and Other Information About a Session
Managing User Sessions
Sending a Message to a Session
Controlling a Session
Connecting to a Session
Terminal Services Configuration
Connection Properties
Terminal Services Licensing
Installing Terminal Server Licensing
To Install Terminal Services
To Activate the License Server
To Install Windows Terminal Server Client Access Licenses
Remote Desktop Client
Summary
31. Using the Indexing Service
Understanding the Indexing Service
Defining Terms
How Indexing Works
Planning Your Indexing Service
Merging Indexes
Setting the Time to Start a Master Merge
Manually Merging Indexes
Setting Up an Indexing Console
Creating and Configuring Catalogs
Creating a Catalog
Configuring a Catalog
Including or Excluding a Directory
Configuring the Property Cache
Adding a Property
Running a Scan of the Index
Registry Entries for the Indexing Service
Querying the Index
Creating Query Forms
Indexing a New Site
Examining Performance
Modifying the Indexing Service’s Performance
Using Performance Monitor
Troubleshooting the Indexing Service
No Documents Matched the Query
PDF Files Aren’t Indexed
Query Produces Inconsistent Results
Catalog Is Reportedly Corrupted
Indexing Is Slow and Some Documents Aren’t Indexed
Summary
VI. Internet Servers and Services
32. Basics of Internet Information Services
Protocols Supported
HTTP
FTP
SMTP
NNTP
Other Protocols
Administration Tools
Adding the Application Server Role
Internet Information Services
Remote Administration
Administration Scripts
The WWW Publishing Service
The Default Web Site
Connecting to a Web Site
Other Web Sites
Using the Web Site Creation Wizard
Testing the New Web Site
Virtual Directories
Local Virtual Directories vs. Remote Virtual Directories
The Virtual Directory Creation Wizard
Web Sharing
Virtual Directories, Physical Directories, and Icons
The FTP Publishing Service
The Default FTP Site
Other FTP Sites
Using the FTP Site Creation Wizard
Testing the New FTP Site
Virtual Directories
Using the Virtual Directory Creation Wizard
Testing the New Virtual Directory
Basic Administrative Tasks
Configuring Permissions
Understanding IIS 6 Security
Setting Permissions
Stopping, Starting, and Pausing IIS Services
Using FrontPage Server Extensions
Summary
33. Advanced Internet Information Services
Server-Level Administration
Connecting to an IIS Server
Creating Configuration Backups
Backing Up a Server Configuration
Restoring a Server Configuration
Configuring Server Properties
Editing the Metabase
Metabase History
Site-Level Administration
Directory-Level Administration
File-Level Administration
Managing WWW Sites
Web Site Tab
Web Site Identification
Configuring Multiple IP Addresses on the Server’s Network Card
Configuring Only One IP Address for the Server’s Network Card
Configuring One IP Address and Leaving the TCP Port Set to Default
Connections
IIS Logging
Performance Tab
ISAPI Filters Tab
Home Directory Tab
Home Directory
Access Permissions
Application Settings
Documents Tab
Directory Security Tab
Anonymous Access and Authentication Control
IP Address and Domain Name Restrictions
Secure Communications
HTTP Headers Tab
Content Expiration
Custom HTTP Headers
Content Rating
MIME Types
Custom Errors Tab
Managing FTP Sites
Server-Wide FTP Properties
Configuring Individual FTP Site Properties
FTP Site Tab
Identification
Current Sessions
Security Accounts Tab
Messages Tab
Home Directory Tab
Access Permissions
Directory Listing Style
Directory Security Tab
Configuring FTP Directory Properties
Managing NNTP Virtual Servers
What NNTP Service Does
NNTP Service Wizards
New NNTP Virtual Server Wizard
New Virtual Directory Wizard
New Expiration Policy Wizard
New Newsgroup Wizard
Configuring the Default NNTP Virtual Server
The General Tab
Access Tab
Settings Tab
Security Tab
Managing Newsgroups
Connecting to the Default NNTP Virtual Server
Displaying NNTP Sessions
Rebuilding an NNTP Virtual Server
Managing SMTP Virtual Servers
What SMTP Service Does
SMTP Directories
Configuring the Default SMTP Virtual Server
General Tab
Identification
Connections
IIS Logging
Access Tab
Access Control
Secure Communication
Connection Control
Relay Restrictions
Messages Tab
Delivery Tab
LDAP Routing Tab
Security Tab
SMTP Domains
The New Domain Wizard
Web Service Extensions
Remote Administration
Administration Web Site
Enabling Remote Administration
Testing Remote Administration
Summary
34. Internet Security and Acceleration Server 2004
Concepts
Network Address Translation
Packet Filtering and Application Layer Filtering
Caching
Client Types
Installation and Configuration
System Requirements
Installation
Securing Your ISA 2004 Server
Initial Configuration of ISA Server 2004
Defining Your ISA 2004 Network Topology
Create Firewall Policy Rules
Define Caching Rules
Additional Configuration Tasks
Define VPN Access
Setup Monitoring
Publishing Servers (Reverse Proxy)
Additional Configuration
The Toolbox
Defining Network Entities
Defining Users
ISA Firewall Client
Import, Export, Backup, and Restore
Summary
VII. Tuning, Maintenance, and Repair
35. Performance Monitoring and Tuning
Documenting the Network, Policies, and Procedures
Documenting the Network
Evaluating Policies and Procedures
Selecting a Monitoring Method
Determining How Often to Monitor
Monitoring Memory Usage
Monitoring Processor Activity
Monitoring Disk Activity
Monitoring Network Activity
Using Event Viewer
Event Log Files
Components of an Event
The Event Header
The Event Description
Viewing an Event Log on Another Computer
Changing Event Log Settings
Archiving an Event Log
Using the Microsoft Windows Server 2003 Performance Advisor
Overview
Recording and Viewing Data
Monitoring Multiple Servers
Using System Monitor
Adding Counters
Matching Counters to Graph Lines
Modifying the Display
Choosing the Sampling Interval
Changing Grid Lines and Graph Scales
Performance Logs and Alerts
Creating Counter and Trace Logs
Saving Log and Alert File Settings
Using Alerts
Using Network Monitor
Capturing Frames
Viewing the Capture Window
Viewing the Frame Viewer Window
Configuring and Customizing Network Monitor
Modifying the Capture Buffer
Editing the Address Database
Adding a Comment Frame to a Capture
Printing Captured Frames
Designing a Capture Filter
Specifying Capture Filter Protocols
Specifying Address Pairs
Defining Pattern Matches
Designing a Display Filter
Setting a Capture Trigger
Memory and Network Tuning
Changing File System Cache Settings
Optimizing the Page File
Tuning Network Performance
Summary
36. Disaster Planning
Planning for Disaster
Identifying the Risks
Identifying the Resources
Developing the Responses
Standard Operating Procedures
Standard Escalation Procedures
Testing the Responses
Iterating
Preparing for a Disaster
Setting Up a Fault-Tolerant System
Backing Up the System
Creating Automated System Recovery Disks
Creating a Boot Disk
Installing the Recovery Console
Specifying Recovery Options
Creating and Using a Recovery Drive
Summary
37. Using Backup
Selecting a Backup Medium
Using Removable Storage
Backing Up to Files
Using CD-ROMs
Developing a Backup Strategy
The Backup Window
Backup Types
Normal Backup
Incremental Backup
Differential Backup
Daily Backup
Copy Backup
Media Rotation
Backing Up Data
Using Windows Server 2003 Backup
Creating Selection Scripts
Accessing Files and Folders for Backup
Selecting the Storage Medium
Configuring Backup Options
Logging Backups
Excluding Files
Running a Job
Scheduling a Job
Using the Windows Server 2003 Backup Wizard
Executing Jobs from the Command Line
Restoring Data
Selecting Files to Be Restored
Selecting Destinations for Restored Files
Setting Restore Options
Planning for Failure
Backing Up the System State
Handling Backup and Restore Problems
Backing Up Exchange Servers
Backing Up Encrypted Files
Restoring the System State
Directory Services Restore Mode
Authoritative Restore
Ntdsutil
Preserving NTFS Permissions
Third-Party Backup Utilities
Summary
38. Planning Fault Tolerance and Avoidance
Mean Time to Failure and Mean Time to Recover
Protecting the Power Supply
Local Power Supply Failure
Voltage Variations
Spikes
Surges
Sags
Brownouts
Short-Term Power Outages
Long-Term Power Outages
Disk Arrays
Hardware vs. Software
RAID Levels for Fault Tolerance
Intended Use
Fault Tolerance
Availability
Performance
Cost
Hot-Swap and Hot-Spare Disk Systems
Distributed File System
Clustering
Network Load Balancing
Server Clusters
Summary
39. Using the Registry
Introducing the Registry
The Origins of the Registry
What Registry Data Is Used For
Understanding the Registry’s Structure
The Root Keys
Major Subkeys
HKLM\HARDWARE
HKLM\SAM
HKLM\SECURITY
HKLM\SOFTWARE
HKLM\SOFTWARE\Wow6432Node
HKLM\SYSTEM\CurrentControlSet
HKLM\SYSTEM\MountedDevices
How Data Is Stored
Useful Data Types
Volatile Keys
Disk-Based Keys
Where Data Goes on Disk
Using the Registry Editors
A Whirlwind Tour of the Registry Editor
Searching for Keys and Values
Editing Value Contents
Adding and Removing Keys and Values
Importing and Exporting Registry Data
Loading and Unloading Hives
Connecting to a Remote Machine’s Registry
Renaming Keys and Values
Managing Security on Registry Keys
A Whirlwind Tour of Reg
Backing Up and Restoring the Registry
Choosing a Backup Method
Backup Utility
Third-Party Products
Do-It-Yourself Backups
Backing Up the Registry
Using the Backup Utility
Automated System Recovery
Summary
40. Troubleshooting and Recovery
Triaging the Situation
Performing a System Recovery
Identifying Possible Causes
Using the Last Known Good Configuration
Using Safe Mode
Using a Boot Disk to Recover the System
Booting from Mirrored Boot Partitions
Performing an In-Place Upgrade
Using the Automated System Recovery Process
Fixing the Underlying Problem
Rolling Back Recently Installed Drivers
Using Help And Support to Gather Basic Information
Using System Information to Gather Advanced Information
Checking Services
Using the System Configuration Utility
Using the System File Checker
Restoring from a Backup
Reinstalling Windows
Emergency Management Services and Headless Servers
EMS Overview
Hardware and Software Requirements
Setting Up EMS
Configuring the Firmware for EMS
Manually Installing Windows on a Headless Server
Installing Windows Using RIS on a Headless Server
Installing Windows Using an Answer File on a Headless Server
Enabling EMS during Windows Upgrades
Enabling EMS after Setup
Using EMS for Out-of-Band Administration
Miscellaneous Challenges
Using the Shutdown Event Tracker
Adding a Processor to the System
Troubleshooting Shutdown Problems
Uninstalling Windows
Summary
VIII. Appendixes
A. Interface Changes from Windows 2000 Server
B. Interface Changes from Windows NT 4
Clipboard Viewer
Compression Agent
Computers Near Me
Devices
Dial-Up Networking
Disk Administrator
Find
MS-DOS Prompt
My Briefcase
My Documents
Network Neighborhood
Personalized Menus
Start Menu
System Information
TCP/IP
User Manager
User Manager for Domains
View Options
Windows NT Explorer
C. Optional Components
Accessories and Utilities
Accessibility Wizard
Accessories
Communications
Active Directory Services
Application Server
Certificate Services
Distributed File System (DFS)
E-mail Services
Fax Services
Indexing Service
Internet Explorer Enhanced Security Configuration
Management and Monitoring Tools
Microsoft .NET Framework 2.0
Networking Services
Other Network File and Print Services
Remote Installation Services
Remote Storage
Security Configuration Wizard
Subsystem for UNIX-Based Applications
Terminal Server
Terminal Server Licensing
UDDI Services
Update Root Certificates
Windows Media Services
Windows SharePoint Services
D. Using the Microsoft Windows Server 2003 Recovery Console
Recovery Console Limitations
Starting the Recovery Console
Using Recovery Console Commands
E. Using the Microsoft Windows Server 2003 Support Tools
Glossary
F. About the Authors
G. Microsoft Press Support Information
H. Additional Windows (R2) Resources for Administrators
I. Additional SQL Server Resources for Administrators
Index
About the Authors
Copyright
Microsoft® Windows Server™ 2003 Administrator’s Companion, Second Edition
Charlie Russel
Sharon Crawford
Jason Gerend
Copyright © 2010