
Terminal Services Facts
Windows Server 2003 installs Remote Desktop by default, but it is disabled until you turn it on from the Remote tab of the System applet.

Using Remote Desktop, you can connect to a server and manage it remotely just as you would if you were sitting at the server console. Remote Desktop uses Terminal Services technology. Terminal Services can also be used by end users to connect to the server and run applications. For example, users can connect to a server to run an application that is not supported on the client system. Keep in mind the following details regarding Remote Desktop.

Remote Desktop is the same as running Terminal Services in Remote Administration mode on previous Windows versions.
Remote Desktop is limited to two concurrent remote connections.
The user account used to connect to the server must have a password, and must be explicitly allowed to use Remote Desktop. Allow users for Remote Desktop through the Remote tab of the System applet (this adds them to the Remote Desktop Users group).
Client computers require the Remote Desktop Connection client to make the connection. It is included with Windows XP and Windows Server 2003, but must be installed separately on other Windows versions (Windows 2000, for example).

Keep in mind the following details regarding Terminal Services.

You can support many more clients by installing Terminal Services (also called installing Terminal Services in application mode). Use Add/Remove Windows Components to install it.
Microsoft allows an evaluation period for Terminal Services of 120 days. You must install a licensing server before the period expires or the server will stop accepting remote connections.
Many settings on the Sessions tab of the RDP-Tcp connection properties can override settings configured on individual user accounts.
Use the Msg command to send a message to connected users of a particular terminal server. You should know the following facts about Msg:
o The syntax is msg {UserName | SessionName | SessionID | *} [/server:ServerName] [Message]. Use * to send the message to every session on the server.
o UserName is the name of the user you want to receive the message.
o SessionName is the name of the session you want to receive the message.
o SessionID is the numeric ID of the session whose user you want to receive the message.
o /server:ServerName specifies the terminal server whose session or user you want to receive the message. (If unspecified, the server to which you are currently logged on is used.)
o Message is the actual message you wish to send.
The Query user command-line tool (query user, also available as quser) displays the users and sessions currently logged on to a terminal server.

Remote Assistance Facts
Keep in mind the following details regarding Remote Assistance.

Both the novice (person requesting assistance) and the expert (person giving assistance) computers must be running either Windows XP (Home or Professional) or Windows Server 2003.
To initiate a remote assistance session:
o Select Ask for Remote Assistance in Windows Messenger.
o Send an e-mail through the Help and Support tools (if the infrastructure is configured appropriately).
o Create a Remote Assistance file through the Help and Support tools and save it to a network share (if the infrastructure is configured appropriately).
Generally, the novice must initiate the invitation. If Active Directory is used, the expert can initiate the Remote Assistance connection (Offer Remote Assistance, which must be permitted by Group Policy).
Invitations require a password (unless Instant Messaging is used) and have an expiration time. Expired invitations cannot be answered.
When sending an invitation, do not include the password in the invitation text. Communicate it some other way; an invitation that carries its own password can be used by anyone who intercepts it.
The helper cannot copy files from the user's computer. The user must explicitly send any files the helper may need.
The user can take back control of the computer at any time by pressing the Esc key, Ctrl+C, or clicking Stop Control.

Installing Windows Server 2003 Command Switches
To start the installation, use:

Winnt.exe to start installation from a DOS (16-bit) environment.
Winnt32.exe to start installation from within a 32-bit Windows environment.

The following table lists common switches to use with the installation programs.
Switch                             Purpose
/dudisable                         Disables dynamic updates during installation
/duprepare                         Prepares downloaded update files for use during installation
/dushare                           Starts the installation with downloaded update files
/u (Winnt) or /unattend (Winnt32)  Indicates use of an unattended answer file
/udf                               Indicates the use of a uniqueness database file
/s                                 Specifies a path to the source files
/makelocalsource                   Copies the installation files from the CD-ROM to the local hard disk so they remain available after the CD is removed
/checkupgradeonly                  Verifies upgrade compatibility without installing

Troubleshooting Installation Facts
Use the Winnt32 /debug[level]:[logfile] switch (for example, /debug4:C:\setup.log) to create an installation debug log. The default debug level is 2. The default log file is %systemroot%\Winnt32.log. The log levels are as follows:
Level  Report
0      Severe errors
1      Errors
2      Warnings
3      Information
4      Detailed information for debugging

You can use System File Checker (Sfc.exe) to verify the integrity of protected system files if an installation appears unstable. You can use the following switches with the Sfc command:
Switch           Function
/scannow         Performs a scan immediately
/scanboot        Configures the operating system to perform a scan every time it boots
/revert          Changes the scan behavior back to the default
/cachesize=size  Configures how much disk space can be used to store cached versions of protected system files

To uninstall a service pack or hotfix from the command line, run Spuninst.exe from the service pack or hotfix uninstall folder. Use the following switches with Spuninst:
Switch  Function
-u      Unattended mode
-f      Force other applications to close at shutdown
-z      Do not reboot when complete
-q      Quiet mode (no user interaction)

To isolate a driver that causes startup to fail after an installation, add the /sos switch to the operating system entry in Boot.ini. Windows then displays the name of each driver as it loads, so the last driver shown before the failure identifies the one to disable or replace.

Licensing Facts
You should know the following facts about licensing:

The Licensing tool is available from the Administrative Tools menu. It works with the License Logging service and allows you to view, add, and delete installed product licenses.
Per-user (per seat) licensing is more expensive per client workstation than a per-server licensing model, but it becomes much less expensive when many workstations access several servers.
Cpl.cfg is the purchasing history file.
Llsuser.lls is the user information file.
Llsmap.lls is the license group information file.

Automated Installation Facts
Windows provides the ability to perform an unattended installation from a CD-ROM. To perform an unattended installation from a CD-ROM, the following conditions must be met:

The computer must support booting from a CD-ROM, and must adhere to the El Torito no-emulation specification.
The unattended answer file must be renamed Winnt.sif and copied to a floppy disk so Setup can access it. When Setup displays the message that it is examining the hardware configuration, insert the floppy disk containing the Winnt.sif file.
The answer file must contain a valid [Data] section with the following entries:
o UnattendedInstall=Yes - Value must be set to "yes".
o MsDosInitiated=No - Value must be set to "no" or Setup will stop during the graphical portion of Setup.
o AutoPartition=1 - If the value is set to 1, the installation partition is automatically selected. If the value is set to 0 (zero), you are prompted for the installation partition during the text portion of Setup.
Because the answer file is plain text, any password it carries (for example an AdminPassword entry in [GuiUnattended]) is readable by whoever can read the floppy or the share it is stored on; protect the media accordingly.
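The following script checks a Winnt.sif for the [Data] entries described above and flags a cleartext administrator password. It is an added example, not part of the original study guide or of any Microsoft tool; the sample answer file is constructed here, and the EncryptedAdminPassword check relies on the [GuiUnattended] key of the same name that Setup Manager writes when it stores the password in hashed form.

```python
"""Validate the [Data] section of a Winnt.sif answer file for unattended
CD-ROM setup and warn about a cleartext AdminPassword.

Added example (not from the original study guide). The sample answer file
below is constructed for this example.
"""
import configparser
import io

# Constructed sample Winnt.sif; not taken from any real deployment.
SAMPLE_WINNT_SIF = """\
[Data]
UnattendedInstall=Yes
MsDosInitiated=No
AutoPartition=1

[Unattended]
UnattendMode=FullUnattended
TargetPath=\\WINDOWS

[GuiUnattended]
AdminPassword=Summer2003
"""

YES = {"yes", "1"}
NO = {"no", "0"}


def load_answer_file(text):
    """Parse an answer file (INI syntax). Setup ignores case in section and
    key names, so sections are returned keyed by lower-case name; keys are
    already lower-cased by configparser. Surrounding quotes are stripped."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(text))
    sections = {}
    for name in parser.sections():
        sections[name.lower()] = {k: v.strip().strip('"') for k, v in parser.items(name)}
    return sections


def check_data_section(text):
    """Return the list of problems that would make a CD-ROM unattended Setup
    stop or prompt. An empty list means the [Data] section is acceptable."""
    data = load_answer_file(text).get("data")
    if data is None:
        return ["missing [Data] section"]
    problems = []
    if data.get("unattendedinstall", "").lower() not in YES:
        problems.append("UnattendedInstall must be Yes")
    if data.get("msdosinitiated", "").lower() not in NO:
        problems.append("MsDosInitiated must be No")
    if data.get("autopartition", "").lower() not in YES | NO:
        problems.append("AutoPartition must be 1 or 0")
    return problems


def has_cleartext_admin_password(text):
    """True if [GuiUnattended] carries an AdminPassword that is not marked
    EncryptedAdminPassword=Yes. Such a file reveals the local Administrator
    password to anyone who can read the floppy or the share."""
    gui = load_answer_file(text).get("guiunattended", {})
    if "adminpassword" not in gui:
        return False
    return gui.get("encryptedadminpassword", "no").lower() not in YES
```

Run check_data_section on the file before you build the boot floppy; the same parser can be pointed at Sysprep.inf, which uses the same syntax and the same AdminPassword key.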

You can also automate installation by preparing a disk image. You then duplicate the disk image to a new hard drive and boot the system. Use the following files to prepare an automated installation using an image:
File         Function
Sysprep.exe  Prepares a system for duplication (removes the SID and other machine-specific settings)
Setupcl.exe  Runs the mini-setup wizard when the duplicated drive is booted
Sysprep.inf  An optional answer file that automates the mini-setup wizard. Can be copied to a floppy disk.

Note: These files belong in the Sysprep folder at the root of the system drive.

Network Installation Facts
You should know the following facts about Remote Installation Services:

An RIS deployment requires the following services to be available on the network (they do not all have to run on the RIS server itself, but the RIS server must be a member of the domain):
o DHCP
o DNS
o RIS
o Active Directory
Use Rbfg.exe (Remote Boot Disk Generator) to create a boot disk for network adapters that are not PXE compliant. The boot disk simulates the PXE boot process. The file is located in the RemoteInstall\Admin\i386 folder on the RIS server.
On the workstation, be sure to enable network boot in the BIOS.
Use Riprep.exe to create the image of the reference computer.

To perform a network installation without RIS:
1. Copy the source installation files to a shared network drive.
2. If necessary, update the installation files with service packs or hotfixes.
3. Execute Winnt or Winnt32 from the network share.
To use dynamic updates during an installation, download the updates to a network share. Use the following Winnt32 switches to apply dynamic updates during the installation:
Switch                                   Function
/duprepare:[path to downloaded updates]  Prepares the updates for use during installation.
/dushare:[path to downloaded updates]    Starts the installation with the downloaded update files.
/dudisable                               Prevents the dynamic update from occurring.

To apply a service pack to the source installation files, run Update.exe /s:[network_share] from the extracted service pack. This applies (slipstreams) the service pack changes to the installation files in the network share.

Domain User Account Facts
You should know the following facts about domain (or global) user accounts:

Domain user accounts let users log on to the network, and allow access to domain resources. Active Directory stores these accounts for the entire domain (users have to log on only once to access domain resources).

Domain user accounts have a variety of properties, such as user information, group membership, user profiles, and dial-in settings.
A user account can be renamed when users change jobs or need previously assigned permissions to resources (the SID, and therefore the permissions, stay with the renamed account).
Use Active Directory Users and Computers from a domain controller (or a workstation with the Administrative Tools installed) to configure domain accounts.
When a new account is created, it is replicated to all of the domain controllers in the domain, so any domain controller in the domain can authenticate user logons.
Each user account has a unique security identifier (SID) that identifies the user to the Windows server.
A user can log on to the domain from any computer that is a member of the domain and can access resources on that computer or on other computers for which the domain user account has permissions.
Logon restrictions (logon hours, permitted workstations) apply to users, not groups.

Group Facts
Active Directory defines three group scopes. The scope determines the domains from which you can assign members to the group, where the group's permissions are valid, and which groups you can nest.
Scope                Description
Global groups        Used to group users from the local domain. Typically, you assign users who perform similar job functions to a global group. A global group can contain user and computer accounts and global groups from the domain in which the global group resides. Global groups can be used to grant permissions to resources in any domain in the forest.
Domain local groups  Used to grant access to resources in the local domain. They have open membership, so they may contain user and computer accounts, universal groups, and global groups from any domain in the forest. A domain local group can also contain other domain local groups from its own domain. Domain local groups can be used to grant permissions only to resources in the domain in which the domain local group resides.
Universal groups     Used to grant access to resources in any domain in the forest. They have open membership, so you can include user and computer accounts, universal groups, and global groups from any domain in the forest. Universal groups can be used to grant permissions to resources in any domain in the forest. Universal security groups are available only at the Windows 2000 native or Windows Server 2003 domain functional level.

Built-in Groups
Windows domain controllers include several built-in domain local groups, each of which has predefined rights. These groups are created automatically on domain controllers and are placed in the Builtin container in Active Directory Users and Computers.

Built-in Group     Description
Administrators     Full control over the computer, including every available right in the system (the only built-in group that automatically has all rights), including the Take ownership of files or other objects right.
Server Operators   Share folders and back up files and folders.
Backup Operators   Back up, copy, and restore files on the computer (regardless of permissions). Log on to and shut down the computer. Cannot change security settings.
Account Operators  Create, delete, and modify domain user accounts and groups. Cannot modify the Administrators group or any of the Operators groups.

The Backup Operators, Server Operators, and Account Operators rights can be used to read or alter data that leads to administrative access (for example, backing up the directory database or modifying accounts), so treat membership in these groups as privileged and audit it as you would the Administrators group.

The basic best practices for user and group security are:

Create groups based on users' and administrators' needs.
Assign user accounts to the appropriate groups.
Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network.

Group Strategy Facts
To make permission assignments easier, assign permissions to a group, then add the accounts that need to use the group's resources. You can add user accounts, computers, and other groups to groups. You should remember the following when assigning members to groups:

Adding a user account to a group gives that account all the permissions and rights granted to the group (the user must log off and log back on before the change takes effect, because group membership is placed in the access token at logon).
The same user account can be included in multiple groups. (This may lead to permission conflicts, so be aware of the permissions assigned to each group.)
Nesting is the technique of making a group a member of another group. Using hierarchies of nested groups may make administration simpler, as long as you remember what permissions you have assigned at each level.

The following table shows the three basic recommended approaches to managing users, groups, and permissions.

Strategy     ALP
Use          Used on workstations and member servers.
Description  A: Place user Accounts
             L: Into Local groups
             P: Assign Permissions to the local groups
Application  Best used in a workgroup environment, not in a domain.

Strategy     AGDLP
Use          Used in mixed mode domains and in native mode domains (does not use universal groups, which are not available in mixed mode).
Description  A: Place user Accounts
             G: Into Global groups
             DL: Into Domain Local groups
             P: Assign Permissions to domain local groups
Application  1. Identify the users in the domain who use the same resources and perform the same tasks. Group these accounts together in global groups.
             2. Create new domain local groups if necessary, or use the built-in groups to control access to resources.
             3. Combine all global groups that need access to the same resources into the domain local group that controls those resources.
             4. Assign permissions on the resources to the domain local group.

Strategy     AGUDLP
Use          Used in native mode domains, when there is more than one domain, and you need to grant access to similar groups defined in multiple domains.
Description  A: Place user Accounts
             G: Into Global groups
             U: Into Universal groups
             DL: Into Domain Local groups
             P: Assign Permissions to domain local groups
Application  Universal groups should be used when you need to grant access to similar groups defined in multiple domains. It is best to add global groups to universal groups instead of placing user accounts directly in universal groups; universal group membership is replicated to every global catalog, so keeping it to a few stable global groups limits replication traffic.
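The scope rules in the Group Facts table and the AGDLP/AGUDLP chains above can be checked mechanically before a change is made. The following is an added example, not from the original study guide or from any Microsoft tool; the domain, user and group names are made up, and the native_mode flag stands in for the domain functional level.

```python
"""Check proposed group memberships against Active Directory group-scope rules
(global, domain local, universal) and validate an A-G-DL-P or A-G-U-DL-P chain.

Added example (not from the original study guide). Names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str   # "user", "computer", "global", "domainlocal", "universal"


def can_be_member(member, group, native_mode=True):
    """Return (allowed, reason) for adding `member` to `group`."""
    if group.kind == "universal" and not native_mode:
        return False, "universal security groups need Windows 2000 native or Windows Server 2003 functional level"
    same_domain = member.domain == group.domain
    if group.kind == "global":
        # Only accounts and global groups from the group's own domain.
        if member.kind in ("user", "computer", "global") and same_domain:
            return True, "ok"
        return False, "global groups take only accounts and global groups from their own domain"
    if group.kind == "domainlocal":
        # Accounts, global and universal groups from anywhere in the forest,
        # plus domain local groups from the same domain.
        if member.kind in ("user", "computer", "global", "universal"):
            return True, "ok"
        if member.kind == "domainlocal" and same_domain:
            return True, "ok"
        return False, "domain local groups nest other domain local groups only from their own domain"
    if group.kind == "universal":
        if member.kind in ("user", "computer", "global", "universal"):
            return True, "ok"
        return False, "universal groups cannot contain domain local groups"
    return False, f"unknown group kind {group.kind!r}"


def check_chain(chain, native_mode=True):
    """chain[0] is the account; each later element is the group the previous
    element is added to (e.g. [user, global, domain local] for AGDLP).
    Returns the first violation as text, or None if every step is allowed."""
    for member, group in zip(chain, chain[1:]):
        ok, why = can_be_member(member, group, native_mode)
        if not ok:
            return f"{member.name} -> {group.name}: {why}"
    return None
```

Permissions are then assigned to the last group in the chain, which this check requires to be a group that can hold the resource's domain (a domain local group in the AGDLP and AGUDLP strategies).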

User Profile Facts
You should know the following facts about user profiles:

Roaming user profiles store the profile contents on centrally managed network servers and allow users to log on to different workstations while keeping their Windows desktop.
Mandatory user profiles allow users to make changes to their desktops, but those changes are not saved to the profile. Users start each logon session with the original profile.
If a user's roaming profile is unavailable during logon, Windows uses the locally cached copy of the profile, warns the user of a possible network error, and allows the user to log on.
User account profile configuration and network path information is associated with the account and moves with the account. This allows simple moves of user account objects and minimizes the administrative effort.

User Profile Management Tasks
The following list describes some common profile management tasks and the recommended method for completing them.

To create a new profile: Log on as a user without a profile. User profiles are created automatically, using the Default User profile as a template. (You can also set access permissions on a copied profile for use as a new profile.)
To edit an existing profile: Log on as the user, then use the Windows interface to modify the desktop, Start Menu, taskbar, and other preferences.
To create Start Menu or Desktop shortcuts: Copy the desired shortcuts to the appropriate folder within the user profile.
To copy a profile: Use the User Profiles tool (System applet, Advanced tab) to copy the profile to a new location. If you simply copy the subfolders to a new location, registry settings and permissions will not be properly modified. Note: You cannot copy the profile of a logged on user.
To make a mandatory user profile: Use Explorer to rename the Ntuser.dat file to Ntuser.man.
To make a roaming user profile: Copy the profile to a network share. Use the Profile tab in the user account properties to enter the path to the user's roaming profile.
To assign a specific profile: Edit the properties of the user account (either local or domain user) to identify the specific profile (roaming or otherwise) to use.
To delete a profile: Use the User Profiles tool. Do not simply delete the folder, as registry settings will not be modified appropriately. Note: You cannot delete the profile of a logged on user.

Computer Account Facts
You should know the following facts about computer accounts:

To join a computer to a domain:
o Create a computer account in Active Directory.
o Join the computer to the domain.
Members of the Administrators or Account Operators group can join an unlimited number of computers to a domain.
By default, an ordinary domain user can join up to 10 computers to the domain from a workstation. This limit is the ms-DS-MachineAccountQuota attribute of the domain object; set it to 0 if only administrators should be able to create computer accounts.
Computers added to the domain from a workstation are placed in the built-in Computers container. Because the Computers container is not an OU and cannot have Group Policy linked to it, create computer accounts beforehand in an OU intended for computer accounts. If the organization uses a separate OU for computers, any computer accounts created automatically in the Computers container must be moved to the correct OU.
Windows 98 computers cannot use a computer account in a domain.
You can use the Dsadd and Netdom utilities to create computer accounts.
A computer account must connect to the network (log on to the domain) before Active Directory displays its operating system and service pack information.

Troubleshooting Logon
Both users and computers must log on to the domain. User logon is accomplished by supplying a valid username and password combination. If users are having trouble logging on, check the following:

Verify the correct logon name is being used, with the correct UPN suffix.
Make sure the corresponding user account exists in Active Directory.
Make sure the user account is enabled.
If the user has tried many times unsuccessfully and receives a message stating the account is locked, unlock the user account.
If necessary, reset the password for users who have forgotten it.

Computer account logon happens automatically in the background. Failure to log on might result in a failure to use network resources or gain access to the local computer. To troubleshoot computer accounts, apply the following steps:
1. If the computer account exists, reset the account in Active Directory, then rejoin the computer to the domain (resetting breaks the existing secure channel).
2. If the account does not exist, create it.
3. If troubles persist, remove the computer from the domain and add it to a workgroup (use a workgroup name not currently in use). Then rejoin the domain.


Command Prompt Tools
Command   Description
DSAdd     Creates a new object in Active Directory
DSQuery   Finds objects that match search criteria (allows a search through the whole forest)
DSGet     Retrieves property information about an object
DSMod     Modifies an object
DSMove    Moves objects from one location to another
DSRm      Removes (deletes) objects
Movetree  Moves an OU and its contents (including between domains in a forest)
Ldifde    Creates, modifies, and deletes directory objects on computers running Windows Server 2003 using LDIF files. You can also use it to export AD user and group information to other applications and services and to populate AD with data from other directory services.
Csvde     Imports and exports data from AD using files that store data in the comma-separated value (CSV) format.
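An ldifde import file has to be built carefully: distinguished-name components with commas or other special characters must be escaped, non-ASCII values must be base64 encoded, and because ldifde cannot set passwords over an unencrypted LDAP connection, accounts are best created disabled (userAccountControl 514) until a password is set. The generator below is an added example, not from the original guide or from Microsoft; the OU, domain and account names are made up.

```python
"""Build an LDIF import file for `ldifde -i -f users.ldf` that creates user
accounts disabled, with RFC 4514 DN escaping and RFC 2849 base64 encoding.

Added example (not from the original study guide). Names are constructed.
"""
import base64

NORMAL_ACCOUNT = 0x0200   # userAccountControl flag for an ordinary user object
ACCOUNTDISABLE = 0x0002   # userAccountControl flag: account disabled


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514 so a CN such as 'Smith, Jr.'
    stays one component instead of splitting the DN at the comma."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name, value):
    """Format one LDIF attribute line. Values that are not safe ASCII (non-ASCII,
    or beginning with space, colon or '<') must be base64 encoded after '::'."""
    if value.isascii() and not value.startswith((" ", ":", "<")):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_entry(cn, sam, upn, ou_dn, disabled=True):
    """LDIF 'add' record for one user. Accounts are created disabled by default
    (512 | 2 = 514) because ldifde cannot set a password over plain LDAP, and an
    enabled account with no password set is not what you want left behind."""
    dn = f"CN={escape_rdn_value(cn)},{ou_dn}"
    uac = NORMAL_ACCOUNT | (ACCOUNTDISABLE if disabled else 0)
    lines = [
        ldif_attr("dn", dn),
        "changetype: add",
        "objectClass: user",
        ldif_attr("cn", cn),
        ldif_attr("sAMAccountName", sam),
        ldif_attr("userPrincipalName", upn),
        f"userAccountControl: {uac}",
    ]
    return "\n".join(lines) + "\n"


def build_ldif(users, ou_dn):
    """users: iterable of dicts with keys cn, sam, upn. Records are separated by
    a blank line, which is the format ldifde expects."""
    return "\n".join(user_entry(u["cn"], u["sam"], u["upn"], ou_dn) for u in users)
```

After the import, set each password (for example with the Reset Password action in Active Directory Users and Computers) and only then clear the disabled flag with dsmod user -disabled no.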

Group Policy Facts
Group policy is a tool used to implement system configurations that can be deployed from a central location through GPOs (Group Policy Objects). You should know the following Group Policy facts:

GPOs contain hundreds of configuration settings.
GPOs can be linked to Active Directory sites, domains, or organizational units (OUs).
GPOs include computer and user sections. Computer settings are applied at startup. User settings are applied at logon.
A GPO only affects the users and computers beneath the object to which the GPO is linked.
Group policy settings take precedence over user profile settings.
A local GPO is stored on the local machine. It can be used to define settings even if the computer is not connected to a network.
GPOs are applied in the following order:
1. Local
2. Site
3. Domain
4. OU (parent OUs before child OUs)
If GPOs conflict, the last GPO applied overrides the conflicting settings of those applied earlier.
The Computers container is not an OU, so a GPO cannot be linked to it.


Group policy is not available for Windows 98/NT clients or Windows NT 4.0 domains.
You can use a GPO for folder redirection, which customizes where user files are saved. (For example, you can redirect the My Documents folder to point to a network drive where regular backups occur. Folder redirection requires Active Directory-based group policy.)
Configuring a domain group policy to delete cached copies of roaming user profiles will remove the cached versions of the profile when a user logs off.

To manually refresh group policy settings, use the Gpupdate command with the following switches:
Switch            Function
(no switch)       Refreshes user and computer-related group policy (only settings that have changed).
/target:user      Refreshes user-related group policy.
/target:computer  Refreshes computer-related group policy.
/force            Reapplies all settings, not only those that have changed.

Installing Devices
When installing devices:

Begin by adding the device to the system or plugging the device in. Windows automatically detects and installs drivers for Plug and Play devices. For undetected legacy devices, you might need to:
o Run the setup program that came with the device.
o Use the Add New Hardware wizard to install a device driver manually.
o Manually set IRQ, DMA, or I/O addresses.
o Manually select and install the driver.

Device Management Facts
You should know the following facts about managing devices:

You can connect to remote computers using the WinMSD (System Information) utility or Device Manager.
Use Device Manager to disable devices that you suspect are causing system problems.
Use Control Panel applets to adjust properties for individual devices like modems or video hardware.
The Hardware Troubleshooting Wizard steps users through the process of identifying system problems.
You can manually assign resources using Device Manager.
If problems with a device prevent you from booting or affect system stability, boot into Safe Mode to disable the device or change the device properties.


Drivers
To update drivers:

Use Windows Update to automatically check for new drivers.
Download the new driver and run the vendor's installation program.
Download the new driver and use Device Manager to update and install the new driver.

To control how unsigned drivers are installed on the system, use one of the following Driver Signing Options (System applet, Hardware tab):

Block   Prevents unsigned driver installation.
Warn    Prompts before installing an unsigned driver and lets the user choose whether to continue (the default).
Ignore  Installs the driver silently, with no warning.

To protect against unsigned drivers:

Enforce driver signing on the system through the System applet or Group Policy.
Use group membership and user rights to prevent normal users from installing drivers (only Power Users or Administrators can install drivers).
The Hardware Compatibility List (HCL) includes all devices for which a signed driver is available.
Driver Rollback allows you to restore the previous driver when a new driver causes system problems.

File Verification Programs
The following table summarizes the tools you can use to verify driver signatures and file integrity.
Program              Features
Sigverif.exe         GUI-based tool that searches for unsigned files. By default, it searches only the Windows directory (click the Advanced button to search other locations). The program returns a list of files without digital signatures.
Driverquery.exe /si  Command-line tool that checks the digital signatures of the drivers that are in use. Use the /si switch to request the signature status of the drivers. The report lists each device, the .inf file for the device, and the signed status of the driver.
Msinfo32.exe         GUI-based tool that displays the list of devices and information about each device (including the driver, driver date, and signature status). The report shows every installed device and the signed status of the drivers.
Sfc.exe /scannow     Tool that scans system files to ensure that they have not been replaced or corrupted. Use the /scannow switch to force an immediate check of the system. The tool replaces bad files automatically from the cached copies or the installation media.
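The driverquery /si report is easiest to act on when it is saved in CSV form (driverquery /si /fo csv > drivers.csv) and filtered. The parser below is an added example, not from the original guide or from Microsoft; the sample output is constructed to match the tool's four columns (DeviceName, InfName, IsSigned, Manufacturer), and the device and INF names in it are made up.

```python
"""Flag unsigned drivers in the CSV output of `driverquery /si /fo csv`.

Added example (not from the original study guide). The sample below is
constructed, not captured from a real host.
"""
import csv
import io

# Constructed sample of `driverquery /si /fo csv` output.
SAMPLE_DRIVERQUERY_CSV = '''\
"DeviceName","InfName","IsSigned","Manufacturer"
"Intel(R) PRO/1000 MT Network Connection","oem3.inf","TRUE","Intel"
"Acme RAID Controller","oem7.inf","FALSE","Acme Storage"
"Standard floppy disk controller","fdc.inf","TRUE","(Standard floppy disk controllers)"
"Acme Remote Console Driver","oem9.inf","FALSE","Acme"
'''


def parse_driverquery(text):
    """Return one dict per driver with IsSigned converted to a bool.
    Anything other than the literal TRUE is treated as unsigned."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["IsSigned"] = row["IsSigned"].strip().upper() == "TRUE"
    return rows


def unsigned_drivers(text):
    """(device name, inf name) for every driver whose signature check did not pass."""
    return [(r["DeviceName"], r["InfName"]) for r in parse_driverquery(text) if not r["IsSigned"]]


def oem_unsigned(text):
    """Unsigned drivers installed from vendor media. Setup renames third-party
    INF files to oemN.inf when it copies them into %windir%\\inf, so these are
    the entries to cross-check against the vendor's published hashes or the HCL,
    and to remove if nobody can account for them."""
    return [(dev, inf) for dev, inf in unsigned_drivers(text) if inf.lower().startswith("oem")]
```

Run it on a baseline capture and again after a change; a new oemN.inf entry with IsSigned FALSE is the first thing to explain when a server becomes unstable after a driver update.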

File System Facts
The following table indicates which file systems support which capabilities.
Feature                                     FAT  FAT32  NTFS
Long file names                              X     X      X
Larger than 2 GB/4 GB partitions                   X      X
Smaller clusters                                   X      X
Enhances file security through permissions                X
Folder and file level encryption                          X
Folder and file level compression                         X
Disk quotas                                               X

Use the Convert.exe utility to change the file system without reformatting and losing data. To convert the C: drive to NTFS, use the following command:
convert C: /fs:ntfs
The conversion is one way: there is no supported way back to FAT or FAT32 except by reformatting the volume.

Basic and Dynamic Disks
Keep in mind the following when using basic disks.

A basic disk has a limit of four partitions, only one of which can be an extended partition.
One primary partition must be marked active.
Most operating systems can recognize only one primary partition; all other primary partitions are invisible to them. (Windows NT/2000/XP/Server 2003 can recognize multiple primary partitions.)
The active primary partition is represented with one drive letter (C:).
The extended partition can be divided into multiple logical drives (limited by the available drive letters).

Keep in mind the following when using dynamic disks.

Windows 2000/XP/Server 2003 recognize dynamic disks.
Volumes on dynamic disks are the equivalent of partitions and logical drives on basic disks.
A volume can be made of non-contiguous space on a single drive or space taken from more than one drive.


You cannot install the operating system on a dynamic disk. You can, however, upgrade a basic disk containing the operating system to dynamic after installation.

Keep in mind the following points as you plan whether to implement basic or dynamic disks.

A hard disk must be either basic or dynamic; it cannot be both at once.
Windows 2000/XP/Server 2003 use basic storage by default.
MS-DOS and all versions of Microsoft Windows support basic storage.
Dynamic storage was new to Windows 2000; earlier Windows operating systems cannot use it (this is especially important if you plan to multi-boot to other operating systems).
Dynamic storage is not supported on portable computers because they normally have only one internal hard drive and cannot take advantage of the advanced dynamic storage features.

To convert a basic disk to a dynamic disk, right-click the disk in Computer Management (Disk Management) and choose Convert to Dynamic Disk. Or, use the Diskpart command at the command line.

Volume Characteristics
The following table summarizes volume types and their characteristics.
Volume Type      Characteristics
Simple volume    Contains a single, contiguous block of space from a single hard disk.
Extended volume  Contains space from multiple areas on the same disk. An extended volume that spans two disks is a spanned volume.
Spanned volume   Combines areas from two or more disks into one storage unit. Fills the first area, then the second, and so on. Does not provide fault tolerance: if one hard disk fails, you lose all data. Cannot contain system or boot files.

Note: Only dynamic disks support extended, spanned, striped, mirrored, or RAID-5 volumes. Mirrored and RAID-5 volumes are supported only on server versions of Windows. These volume types provide fault tolerance and improve performance.

Redundancy and Fault Tolerance
You should know the following facts about RAID volumes:


Redundant Array of Independent Disks (RAID) combines the use of two or more disks for fault tolerance and performance. Windows supports three RAID levels: 0 (striping), 1 (mirroring), and 5 (striping with parity).
RAID 0 uses data striping with no redundancy to improve performance.
RAID 1 uses disk mirroring to provide fault tolerance.
RAID 5 uses disk striping with parity for both performance and fault tolerance. The Windows interface uses the term RAID-5 volume for striping with parity.
Overhead refers to the amount of extra (or "wasted") disk space required to add fault tolerance.
o RAID 5 volumes use the equivalent of one disk in the set for parity (a three-disk set has 33% overhead, a four-disk set has 25% overhead).
o Mirrored volumes have 50% overhead (one disk in two is used for fault tolerance).

The following table summarizes volumes that provide redundancy and fault tolerance.
Volume Type      Characteristics
Mirrored volume  Stores data to two duplicate disks simultaneously. Fault tolerant because if one disk fails, data is preserved on the other. The system switches immediately from the failed disk to the functioning disk to maintain service.
Striped volume   Uses storage areas on several different disks. Improves performance by writing to multiple disks simultaneously. Uses disk areas similar in size; the amount of space used on each disk is equal to the smallest area. Saves data from a single file on multiple disks. Is not fault tolerant: if one hard disk in the set fails, you lose all data on all disks. Cannot contain system or boot files.
RAID-5 volume    Contains three or more disks. Like a striped volume, portions of a single file are written to each disk in the set. RAID-5 volumes add fault tolerance to striping through parity (data recovery information written across the disks in the set). Often called a striped set with parity.

Disk Management Facts
Use the following command line commands to manage disks:


Command   Description
DiskPart  Manages disks, partitions, and volumes by using scripts or direct input from the command prompt
Defrag    Locates and consolidates fragmented boot files, data files, and folders on local volumes
Cscript   Runs scripts from the command-line-based script host

You should also know the following facts about disk management:

When you move a disk that has been installed and used in another computer, you might need to import the disk. In Disk Management, right-click the disk and choose Import Foreign Disks.
Using Disk Management, you can analyze a disk for fragmentation before running the defragmentation utility.
Use Disk Management to reactivate a RAID-5 volume after a failed disk has been replaced. Until the volume is regenerated it runs in a degraded state, and reads that touch the missing disk have to be reconstructed from parity, so performance returns to normal only once the repair completes.

You should know the following facts about recovering failed disks:

To recover a failed disk in a mirror configuration:
1. Break the mirror.
2. Delete the failed disk.
3. Recreate the mirror to a new disk (make sure the disk is upgraded to a dynamic disk first).

To recover a failed disk in a RAID5 configuration:
1. Repair the volume on a new dynamic disk.
2. Delete the old disk.

To recover a volume in a failed operating system:
1. Move the disk to a new machine.
2. Import the foreign disk on the new system.

Volume Mount Points

A volume mount point allows you to use another partition in the computer and represent it as a folder in an existing partition. This gives you a great deal of flexibility when you need to expand storage. You should know the following facts about volume mount points:

Both partitions must be formatted with NTFS.
You can use either partitions on basic disks or volumes on dynamic disks for volume mount points.
The folder on the source partition must be empty.
The target partition must not have a drive letter.
Multiple folders can reference the same target partition.

Boot.ini Facts

The Boot.ini file is responsible for the following operations:

Launching the menu for operating system selection during startup
Pointing to the system files for the selected operating system
Identifying the controller, hard disk, and partition where the system files are located

The ARC path locates the system files and contains the following elements:

MULTI(x) or SCSI(x): Identifies the controller location. Use multi(x) if the disk controller is a SCSI device with its BIOS enabled or is a non-SCSI device. Use scsi(x) only if the disk controller is a SCSI device with BIOS disabled. The value for x begins at 0.

DISK(x): Identifies the disk location. If the first component of the ARC name is scsi, disk(x) indicates which SCSI disk the operating system is located on. The value for x begins at 0. If the first component of the ARC name is multi, this component is always disk(0), and the disk containing the operating system is indicated by the rdisk(x) component.

RDISK(x): Identifies the disk location. If the first component of the ARC name is multi, rdisk(x) indicates which physical disk the operating system is located on. The value for x begins at 0. If the first component of the ARC name is scsi, the rdisk component is always rdisk(0) and the disk containing the operating system is indicated by the disk(x) component.

PARTITION(y): Identifies which partition holds the boot files. The value for y begins at 1.
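As an added example that is not part of these notes, the following Python code parses the ARC paths in a constructed Boot.ini and checks each one against the rules in the table above (multi requires disk(0), scsi requires rdisk(0), partition numbering starts at 1). The function names, the sample file and its paths are assumptions made for the example.

```python
import re

# Added example, not part of the original notes: parse Boot.ini ARC paths and check
# them against the rules in the table (multi -> disk(0), scsi -> rdisk(0), partition >= 1).
ARC_RE = re.compile(
    r"^(?P<ctrl>multi|scsi)\((?P<c>\d+)\)"
    r"disk\((?P<d>\d+)\)rdisk\((?P<r>\d+)\)partition\((?P<p>\d+)\)"
    r"(?P<path>\\[^=]*)?$",
    re.IGNORECASE,
)


def parse_arc_path(arc):
    """Return a dict describing the ARC path, or raise ValueError if it breaks a rule."""
    m = ARC_RE.match(arc.strip())
    if not m:
        raise ValueError("not a valid ARC path: %r" % arc)
    ctrl = m.group("ctrl").lower()
    c, d, r, p = (int(m.group(k)) for k in ("c", "d", "r", "p"))
    if p < 1:
        raise ValueError("partition(y) numbering starts at 1")
    if ctrl == "multi":
        # With multi(x) the disk component is always disk(0); rdisk(x) selects the disk.
        if d != 0:
            raise ValueError("with multi(x), disk must be disk(0); select the disk with rdisk(x)")
        disk = r
    else:
        # With scsi(x) the rdisk component is always rdisk(0); disk(x) selects the SCSI disk.
        if r != 0:
            raise ValueError("with scsi(x), rdisk must be rdisk(0); select the disk with disk(x)")
        disk = d
    return {"controller_type": ctrl, "controller": c, "disk": disk,
            "partition": p, "system_path": m.group("path") or ""}


def arc_path_is_valid(arc):
    """True if parse_arc_path accepts the path."""
    try:
        parse_arc_path(arc)
        return True
    except ValueError:
        return False


def parse_boot_ini(text):
    """Parse the [operating systems] section into (arc dict, menu label, options) tuples."""
    entries = []
    in_os = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_os = line.lower() == "[operating systems]"
            continue
        if not in_os or "=" not in line:
            continue
        arc, _, rest = line.partition("=")
        rest = rest.strip()
        label, options = rest, ""
        if rest.startswith('"') and '"' in rest[1:]:
            label, _, options = rest[1:].partition('"')
        entries.append((parse_arc_path(arc), label, options.strip()))
    return entries


# Constructed sample Boot.ini (not copied from a real system); the second entry
# boots from the second SCSI disk on a controller whose BIOS is disabled.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003" /fastdetect
scsi(0)disk(1)rdisk(0)partition(2)\\WINNT="Windows 2000" /fastdetect
"""

if __name__ == "__main__":
    for arc, label, options in parse_boot_ini(SAMPLE_BOOT_INI):
        print("%-22s controller %s(%d) disk %d partition %d %s %s" % (
            label, arc["controller_type"], arc["controller"], arc["disk"],
            arc["partition"], arc["system_path"], options))
```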

Backup Facts

Most backup methods use the archive bit on a file to identify files that need to be backed up. When a file is modified, the system automatically flags the file as needing to be archived. When the file is backed up, the backup method may reset (clear) the archive bit to indicate it has been backed up. The following table shows the type of data backed up using each backup method and whether the method resets the archive bit.

Full: Backs up all files regardless of the archive bit. Resets archive bit: Yes.
Incremental: Backs up files on which the archive bit is set. Resets archive bit: Yes.
Differential: Backs up files on which the archive bit is set. Resets archive bit: No.
Copy: Backs up all files regardless of the archive bit status. Resets archive bit: No.

Most of the time, you will perform backups using a strategy that combines backup types. The following table compares common backup strategies.

Full Backup
Characteristics: Requires large tapes for each backup. Takes a long time to perform each backup.
Restore: Restore only the last backup.

Full + Incremental Backup
Characteristics: Incremental backups are quick to perform. This is the fastest backup method.
Restore: Restore the full backup and every subsequent incremental backup.

Full + Differential Backup
Characteristics: Differential backups take progressively longer to complete as time elapses since the last full backup.
Restore: Restore the last full backup and the last differential backup. Next to a full backup, this is the fastest restore method.
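The following Python simulation is an added example, not part of these notes: it applies the archive-bit rules from the backup type table to a constructed three-day schedule and derives the restore sequence each strategy needs. The file names, days and function names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Added example, not part of the original notes: simulate the archive-bit rules of
# the backup types above and work out which backup sets a restore must replay.

FULL, INCREMENTAL, DIFFERENTIAL, COPY = "full", "incremental", "differential", "copy"
# From the table: full and incremental clear the archive bit, differential and copy do not.
CLEARS_ARCHIVE_BIT = {FULL: True, INCREMENTAL: True, DIFFERENTIAL: False, COPY: False}


@dataclass
class Volume:
    # file name -> archive bit (True = modified since the bit was last cleared)
    archive_bit: dict = field(default_factory=dict)

    def modify(self, *names):
        for name in names:
            self.archive_bit[name] = True


@dataclass
class BackupSet:
    day: int
    kind: str
    files: list


def run_backup(volume, kind, day):
    """Full and copy take every file; incremental and differential take only files whose
    archive bit is set. Afterwards the bit is cleared only for the types that reset it."""
    if kind in (FULL, COPY):
        chosen = sorted(volume.archive_bit)
    else:
        chosen = sorted(name for name, bit in volume.archive_bit.items() if bit)
    if CLEARS_ARCHIVE_BIT[kind]:
        for name in chosen:
            volume.archive_bit[name] = False
    return BackupSet(day, kind, chosen)


def restore_plan(history):
    """Return the backup sets to restore, in order, from a history list (oldest first).
    Copy backups are ignored: they never take part in the chain."""
    fulls = [i for i, b in enumerate(history) if b.kind == FULL]
    if not fulls:
        raise ValueError("no full backup to restore from")
    last_full = fulls[-1]
    since = history[last_full + 1:]
    incrementals = [b for b in since if b.kind == INCREMENTAL]
    differentials = [b for b in since if b.kind == DIFFERENTIAL]
    if incrementals and differentials:
        raise ValueError("incremental and differential backups must not be combined")
    plan = [history[last_full]]
    if incrementals:
        plan.extend(incrementals)        # full + every subsequent incremental
    elif differentials:
        plan.append(differentials[-1])   # full + only the last differential
    return plan


def scenario(strategy):
    """Constructed three-day schedule: full on day 1, then two daily backups of `strategy`,
    with one file changed each day. Returns (history, restore plan)."""
    vol = Volume({"a.doc": True, "b.xls": True, "c.txt": True})
    history = [run_backup(vol, FULL, 1)]
    vol.modify("a.doc")
    history.append(run_backup(vol, strategy, 2))
    vol.modify("b.xls")
    history.append(run_backup(vol, strategy, 3))
    return history, restore_plan(history)


if __name__ == "__main__":
    for strategy in (INCREMENTAL, DIFFERENTIAL):
        history, plan = scenario(strategy)
        print("full +", strategy)
        for b in history:
            print("  day %d %-12s backed up %s" % (b.day, b.kind, b.files))
        print("  restore replays days", [b.day for b in plan])
```

The differential run shows why each differential grows: the day 3 set carries a.doc again because day 2 never cleared its archive bit.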

Note: Do not combine incremental and differential backups.

Keep in mind the following facts about doing backups:

Back up user data more often than system state data (it changes more frequently).
Back up system state data whenever you make a system change. System state data includes the registry, COM+ Class Registration database, system files, boot files, files under Windows File Protection, and the Certificate Services database.
During a system state backup, all system state data is backed up (system state data cannot be backed up selectively in portions).

Files backed up from one system might not restore to another system. Restore to a system running the same OS.
Be sure to test your backup and restore strategy. It does no good to back up your data if you can't restore it.
A normal Directory Services restore refers to a process wherein you restart the domain controller in Directory Services Restore Mode and restore system state data.
Using the Services snap-in, Windows Backup, or the Scheduled Tasks window, you can start the Task Scheduler service. You must have the Task Scheduler service running before you can schedule a backup.
In order for a scheduled task to run, you must specify a local service account and password.

Backup Devices Facts

Terms and definitions:

Removable storage: Storage media (tape) that can be removed from the device.
Media pool: The space on the removable storage where the backup is performed, and where the backed up files will be physically located.

To configure a backup device, begin by installing the device and making sure it is recognized and configured in Device Manager.

To install devices, you must be a member of the Power Users or Administrators group.
For parallel backup devices with bi-directional control, enable enhanced parallel port (EPP) in the BIOS.

After configuring the device, enable the media (the tape) in Computer Management so that the tape itself is visible. There are two modes for viewing media:

Full mode allows you to see the media pool as well as all the nodes inside the media pool. This lets you select exactly what you want to restore or back up.
Simple mode lets you see only the media pool.

Make users members of the Backup Operators group to enable them to back up and restore files.

Backup Operators cannot view, edit, or delete files.
To allow Backup Operators to eject the backup media, assign the Eject media user right to the Backup Operators group.

NTFS Permission Facts

The following table summarizes the permissions for folders and files.

Read: View folder details and attributes. View file attributes; open a file.
Write: Change folder or file data and attributes.
List Folder Contents: Includes all Read actions and adds the ability to view a folder's contents.
Read & Execute: Includes all Read actions and adds the ability to run programs.
Modify: Includes all Read & Execute and Write actions and adds the ability to add or delete files.
Full Control: Includes all other actions and adds the ability to take ownership of and change permissions on the folder.

Use these suggestions to help you plan NTFS permissions.

Identify the users and their access needs (i.e., the actions they need to be able to perform).
Based on the types of users you identify, create groups for multiple users with similar needs, and then make users members of groups.
Assign each group (not user) the permissions appropriate to the group's data access needs. (Grant only the permissions that are necessary.)
As you assign permissions, take inheritance into account. Set permissions as high as possible on the parent container and allow each child container to inherit the permissions. When necessary, you can override inheritance on a case-by-case basis.
Deny always overrides Allow, so be careful when you use it.

Shared Folder Facts

The following table lists the share permissions and the level of access each permission allows.

Read: Browse the shared folder and its files. Open files in the shared folder and its subfolders. Copy files from the shared folder. Run programs.
Change: All Read actions (browse, open files, copy files from the folder, run programs). Write to files and change file attributes. Create new files and subfolders. Copy files to the shared folder. Delete files or subfolders.
Full Control: All Read and Change actions. Configure share permissions.

Here are some additional facts you should know:

You can publish a share in Active Directory to allow users to access it more easily.
If a program in a shared folder crashes and refuses to run on the client computer, terminate the user session using the Shared Folders option in Device Manager.

Share Access Facts

Use both share and NTFS permissions to secure network resources. (When used in combination, remember that the most restrictive set of permissions will apply.) Here is a common strategy for administering resources with share and NTFS permissions:
1. Secure the folder with NTFS permissions.
2. Share the folder using Allow Full Control for Everyone.

An administrative share is a share hidden from browsing. Keep in mind the following facts about administrative shares.

Administrative shares are hidden by following the share name with a $.
Default administrative shares are accessible only to members of the Administrators group.
Any share can be hidden by appending the $ to the share name.
A hidden share can only be accessed through the UNC path (hidden shares do not appear when you browse).
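As an added example that is not part of these notes, the following Python model works out the access a user ends up with when NTFS and share permissions combine: Allow entries for the user's groups are unioned, Deny overrides Allow, and the network result is the intersection (most restrictive) of the two. The action names, group names and ACLs are assumptions constructed for the example; treating "list" as part of Read & Execute and share Read is a simplification of the two tables above.

```python
# Added example, not part of the original notes: compute the access a user ends up with
# when share permissions and NTFS permissions combine. The action names are a
# simplification of the two permission tables; "list" is treated as part of
# Read & Execute and of share Read (an assumption of this model).

ALL = frozenset({"read", "list", "execute", "write", "delete", "change_permissions"})

NTFS_RIGHTS = {
    "Read": frozenset({"read"}),
    "Write": frozenset({"write"}),
    "List Folder Contents": frozenset({"read", "list"}),
    "Read & Execute": frozenset({"read", "list", "execute"}),
    "Modify": frozenset({"read", "list", "execute", "write", "delete"}),
    "Full Control": ALL,
}

SHARE_RIGHTS = {
    "Read": frozenset({"read", "list", "execute"}),
    "Change": frozenset({"read", "list", "execute", "write", "delete"}),
    "Full Control": ALL,
}


def effective_rights(acl, rights_table, principals):
    """acl: list of (principal, 'Allow' | 'Deny', permission). Every Allow entry that
    matches one of the user's principals is unioned, then every matching Deny is
    subtracted, so Deny always overrides Allow."""
    allowed, denied = set(), set()
    for principal, kind, permission in acl:
        if principal not in principals:
            continue
        if kind == "Allow":
            allowed |= rights_table[permission]
        elif kind == "Deny":
            denied |= rights_table[permission]
        else:
            raise ValueError("ACE type must be Allow or Deny")
    return frozenset(allowed - denied)


def network_access(user, groups, ntfs_acl, share_acl):
    """Access over the network is the intersection of the NTFS and share results, i.e.
    the most restrictive of the two. Everyone always applies to the user."""
    principals = {user, "Everyone", *groups}
    ntfs = effective_rights(ntfs_acl, NTFS_RIGHTS, principals)
    share = effective_rights(share_acl, SHARE_RIGHTS, principals)
    return ntfs & share


# Constructed ACLs following the strategy in the notes: lock the folder down with NTFS,
# share it with Everyone Full Control. A read-only share shows the share side restricting.
NTFS_ACL = [
    ("Sales", "Allow", "Modify"),
    ("Interns", "Deny", "Write"),
    ("Administrators", "Allow", "Full Control"),
]
OPEN_SHARE = [("Everyone", "Allow", "Full Control")]
READ_ONLY_SHARE = [("Everyone", "Allow", "Read")]

if __name__ == "__main__":
    print("bob (Sales), open share:        ", sorted(network_access("bob", {"Sales"}, NTFS_ACL, OPEN_SHARE)))
    print("alice (Sales+Interns), open share:", sorted(network_access("alice", {"Sales", "Interns"}, NTFS_ACL, OPEN_SHARE)))
    print("bob (Sales), read-only share:   ", sorted(network_access("bob", {"Sales"}, NTFS_ACL, READ_ONLY_SHARE)))
```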

Disk Quota Facts

Keep the following in mind as you work with disk quotas.

Quotas can only be set on NTFS volumes. The Quota tab will not be shown for FAT volumes.
Every file and folder that users create, copy, save, or take ownership of on a volume or partition counts toward their disk quota.
The space available for applications to save files to is equal to the amount of space left in a user's quota.
Each NTFS volume or partition on a hard disk has its own set of disk quotas, even if they are on the same hard disk.
System and application files count toward disk quotas, so the user account which installs software needs a higher limit.

You cannot set a quota limit on the built-in Administrator account.
You cannot delete a user's account quota until you remove or take ownership of all of that user's files on the volume.
You can use the Fsutil.exe command to manage quotas from the command prompt.

Quota configurations:

Disabled: File usage data is not collected and storage space is not limited.
Tracked: File usage data is collected, but storage space is not limited. Users can exceed their quota limit.
Enforced: Warning levels and restrictions are enforced to prevent users from exceeding disk space limitations.

If a user exceeds the quota limit, take one of the following actions:

Delete files owned by the user.
Change ownership of files (quota limits are enforced based on owned files).
Move files to other volumes (quota limits are enforced on a volume or partition basis).
Increase the quota limit.
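The following Python model is an added example, not part of these notes: it applies the quota facts above (accounting per volume, charged to the file owner, counting the uncompressed size, no limit for the built-in Administrator, and the disabled/tracked/enforced states) and shows how taking ownership moves usage between users. The class, volume and user names are assumptions constructed for the example.

```python
# Added example, not part of the original notes: a small model of NTFS disk quota
# accounting following the facts above (per-volume, charged to the file owner, based on
# uncompressed size, Administrator unlimited, disabled/tracked/enforced states).
# Volume, path and user names are constructed for the example.

DISABLED, TRACKED, ENFORCED = "disabled", "tracked", "enforced"


class QuotaExceeded(Exception):
    pass


class QuotaVolume:
    def __init__(self, name, state=ENFORCED, default_limit=None, warning_level=None):
        self.name = name
        self.state = state
        self.default_limit = default_limit      # None = unlimited
        self.warning_level = warning_level
        self.limits = {}                        # per-user limit overrides
        self.files = {}                         # path -> (owner, uncompressed size)
        self.warnings = []                      # (owner, usage) events above the warning level

    def limit_for(self, owner):
        if owner == "Administrator":            # no quota limit on the built-in Administrator
            return None
        return self.limits.get(owner, self.default_limit)

    def usage(self, owner):
        """Bytes charged to owner on this volume: every file the owner owns here."""
        return sum(size for o, size in self.files.values() if o == owner)

    def _charge(self, owner, delta):
        """Check whether adding delta bytes to owner's usage is allowed; raise if enforced."""
        if self.state == DISABLED or delta <= 0:
            return
        new_usage = self.usage(owner) + delta
        if self.warning_level is not None and new_usage > self.warning_level:
            self.warnings.append((owner, new_usage))
        limit = self.limit_for(owner)
        if self.state == ENFORCED and limit is not None and new_usage > limit:
            raise QuotaExceeded("%s would use %d of %d on %s" % (owner, new_usage, limit, self.name))

    def write(self, path, owner, size, compressed_size=None):
        """Create or overwrite a file. compressed_size is accepted only to show that it is
        ignored: quotas charge the uncompressed size."""
        previous = self.files.get(path)
        delta = size - (previous[1] if previous and previous[0] == owner else 0)
        self._charge(owner, delta)
        self.files[path] = (owner, size)

    def take_ownership(self, path, new_owner):
        """Usage follows ownership: the file is charged to new_owner, not the old owner."""
        old_owner, size = self.files[path]
        if new_owner != old_owner:
            self._charge(new_owner, size)
            self.files[path] = (new_owner, size)

    def delete(self, path):
        del self.files[path]

    def can_write(self, owner, size):
        """True if owner could add a file of this size without breaching an enforced limit."""
        try:
            self._charge(owner, size)
            return True
        except QuotaExceeded:
            return False


if __name__ == "__main__":
    d = QuotaVolume("D:", ENFORCED, default_limit=100, warning_level=80)
    d.write(r"D:\alice\a.bin", "alice", 70)
    d.write(r"D:\alice\b.bin", "alice", 20, compressed_size=5)   # charged 20, not 5
    print("alice uses", d.usage("alice"), "warnings:", d.warnings)
    print("alice may add 20 more:", d.can_write("alice", 20))
    d.take_ownership(r"D:\alice\a.bin", "bob")
    print("after bob takes ownership: alice", d.usage("alice"), "bob", d.usage("bob"))
```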

You cannot reduce the amount of space used by files by compressing them. Quotas count the uncompressed size of a file toward the quota limit.

Encryption Facts

Keep the following information in mind as you work with EFS.

You must have Write permission to a folder or file to encrypt it.
Windows transparently decrypts and encrypts folders and files as users use them.
You cannot encrypt System or Read-only files.
Encryption and compression cannot be used on folders or files at the same time.
If you are having trouble opening encrypted folders or files, make sure you are logged in to the user account that encrypted the folder or file and that you still have permissions for the file.
In a workgroup, the local Administrator user account is the default recovery agent. In a domain, the domain Administrator account is the default recovery agent.
To recover encrypted files, the files and the recovery key need to be on the same computer.

Without the private key or recovery key, you cannot copy or move an encrypted file. You can, however, back up the files and restore them to the computer where a recovery key is located. You can also export the recovery key and import it onto the computer storing the files you want to recover.
You can add additional authorized users to files (not folders) who will be able to open encrypted files.
Implement encryption through the file or folder properties, or use the Cipher command to encrypt files and folders.

Copying and moving files might change the encrypted state of the file. To determine the final state of a file, remember the following rules.

If you copy or move an encrypted file or folder to a non-NTFS partition, the file or folder is unencrypted (other file systems do not support encryption).
If you copy or move an encrypted file to an NTFS partition (either to the same one or to a different one), the file remains encrypted.
If you copy an unencrypted file to an encrypted folder, the file is encrypted.
If you move an unencrypted file into an encrypted folder, the file remains unencrypted.
Encryption is preserved when the file is backed up.

Normally, encrypted files are meant to be stored and read on the local computer only. When saving encrypted files on a remote computer, be aware of the following:

You can only encrypt files stored on remote computers if the computer is trusted for delegation in Active Directory (how to do this is beyond the scope of the course).
When moving files encrypted on your local system to another computer (for use on that computer), make sure your certificate and private key are available on the other computer. Otherwise, you might be unable to open the file.
When moving encrypted files to another computer over the network, files are not encrypted while they are in transit. Files might be intercepted as they are transferred. Use IPSec to secure network communications.

File Compression Facts

Keep the following information in mind when working with folder and file compression.

When you compress a file, Windows makes a copy of the file, compresses it, then replaces the original file with the compressed one.
When you open a compressed file, Windows decompresses the file. The decompressed file is used by the application.
You cannot save or copy a compressed folder or file to a disk containing less free space than the folder or file would need uncompressed.
Compression and encryption cannot be used on folders or files at the same time.

Apply data compression to files that change size dramatically. For example, bitmap and spreadsheet files compress by a much larger percentage than application or word-processing files.
Do not compress files that are already compressed using another compression utility.
Use zipped folders to share compressed files with other computers.
NTFS compression on volumes with cluster sizes larger than 4 KB is not supported.

Copying and moving files and folders can affect their compressed state. To determine the final state of a file or folder, remember the following rules.

If you copy or move a compressed file or folder to a non-NTFS partition, the file or folder is uncompressed (other file systems do not support NTFS compression).
If you copy a compressed file or folder, it inherits the compressed state of the destination folder.
If you move a compressed file or folder to the same NTFS partition, it retains its compressed state.
If you move a compressed file or folder to another NTFS partition, it inherits the compressed state of the destination folder.
If you copy or move a zipped folder, it always remains zipped (regardless of the destination file system).
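As an added example that is not part of these notes, the following Python functions encode the copy/move rules for encrypted files (from the Encryption Facts section) and for compressed files (the list above) so that the final state of a file can be checked for any combination of operation, source state and destination. Applying the "copy inherits the destination folder" rule to an uncompressed source as well is an assumption of the model, as are the volume names used.

```python
# Added example, not part of the original notes: apply the copy/move rules for encrypted
# files (Encryption Facts) and compressed files (File Compression Facts) to work out the
# final state of a file. Volume names and the extension of the "copy inherits the
# destination folder" rule to uncompressed sources are assumptions of this model.


def _check_operation(operation):
    if operation not in ("copy", "move"):
        raise ValueError("operation must be 'copy' or 'move'")


def final_encrypted(operation, source_encrypted, dest_fs, dest_folder_encrypted):
    """Return True if the file is encrypted after the operation."""
    _check_operation(operation)
    if dest_fs.upper() != "NTFS":
        return False                  # other file systems do not support encryption
    if source_encrypted:
        return True                   # stays encrypted on any NTFS partition
    if operation == "copy":
        return dest_folder_encrypted  # copied into an encrypted folder -> encrypted
    return False                      # a moved unencrypted file stays unencrypted


def final_compressed(operation, source_compressed, source_volume, dest_volume,
                     dest_fs, dest_folder_compressed, zipped_folder=False):
    """Return True if the file or folder is compressed after the operation."""
    _check_operation(operation)
    if zipped_folder:
        return True                   # zipped folders stay zipped on any file system
    if dest_fs.upper() != "NTFS":
        return False                  # other file systems do not support NTFS compression
    if operation == "copy":
        return dest_folder_compressed # a copy inherits the destination folder's state
    if source_volume == dest_volume:
        return source_compressed      # a move within the same partition keeps its state
    return dest_folder_compressed     # a move across partitions inherits the destination


if __name__ == "__main__":
    # Constructed cases; each line shows one rule from the notes in action.
    cases = [
        ("encrypted file copied to FAT32", final_encrypted("copy", True, "FAT32", False)),
        ("unencrypted file moved into encrypted folder", final_encrypted("move", False, "NTFS", True)),
        ("unencrypted file copied into encrypted folder", final_encrypted("copy", False, "NTFS", True)),
        ("compressed file moved within C:", final_compressed("move", True, "C:", "C:", "NTFS", False)),
        ("compressed file moved from C: to D:", final_compressed("move", True, "C:", "D:", "NTFS", False)),
        ("zipped folder moved to FAT32", final_compressed("move", True, "C:", "E:", "FAT32", False, zipped_folder=True)),
    ]
    for label, state in cases:
        print("%-48s -> %s" % (label, state))
```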

Compact.exe is a command prompt tool that you can use to set and manage compression. The following table summarizes some options for the Compact.exe command.

/C: Compresses the specified files. Folders are marked with the compressed attribute.
/S: Compresses all subfolders of the specified folder.
/U: Uncompresses the specified files. Folders are marked with the uncompressed attribute.

For example, the following command will compress all files in the C:\Documents\Transfer folder, including all subfolders:

Compact /C C:\Documents\Transfer\*.* /S

Offline Settings

The following table summarizes the offline files settings that can be configured on a shared folder.

Only the files and programs that users specify will be available offline: Users designate and control which files are available offline.
All files and programs that users open from the share will be automatically available offline: All files users open from the share are available offline. If Optimized for performance is selected, all programs will be automatically cached so that they will be available locally.
Files or programs from the share will not be available offline: Users will not be able to store files from the share offline.

Internet Information Services (IIS)

Use IIS to enable:

Active Desktop
Internet Printing
Remote Desktop
Share folders (Web folders) for access through IE

You should know the following facts about IIS:

When you install IIS, a default Web site is automatically created.
By default, all Web content is stored in the \inetpub\wwwroot directory.
A virtual directory is used to make content outside of the default directory path available through the Web site.

To make content available on your Web site:

Place content in the \inetpub\wwwroot directory.
Web share a folder. This creates a virtual directory in the Web site.

IIS Security Facts

You should know the following facts about securing IIS:

Anonymous access allows Internet users to access public content on a Web site.
Windows Authentication allows only authorized users to access protected content. Users are logged into a site automatically and transparently while outside connections are blocked.
Basic authentication sends user credentials in clear text.
Digest authentication requires users to have a domain user account.
Blocking access to a Web site by domain name, single computer, or IP network number ensures that only desired connections get through.

IP address restrictions can be configured which either allow all access except for listed addresses, or block all access except listed addresses.

The following table describes the different authentication methods:

Anonymous Authentication
Description: Users can access public portions of the site without user names or passwords. Uses the IUSR_computername local user account.
Best use: To give public access to resources that require no security.

Basic Authentication
Description: Requires a local or domain user account (user name and password are sent in clear text).
Best use: For non-Windows hosts and clients running any HTTP 1.0 browser.

Digest Authentication
Description: Functions like Basic Authentication. Authenticates using domain accounts with passwords stored using reversible encryption. Passwords are secured. Requires IE 5.0 or higher. IIS must be running on a domain member.
Best use: To grant access to resources from public networks.

Advanced Digest Authentication
Description: Is available for user accounts that are part of Active Directory. User names and passwords are stored on a domain controller. Requires IE 5 or better and the HTTP 1.1 protocol.
Best use: To grant access to resources from public networks that require more security than given through Digest Authentication.

Integrated Windows Authentication
Description: User information is collected through a challenge/response process during which the user name and password are hashed before being sent across the network. Authenticates using Windows authentication methods (NTLM or Kerberos). Requires Internet Explorer 2.0 or higher (IE 5.0 for Kerberos). Cannot be used through a proxy server.
Best use: To grant access to resources on an intranet.

Certificate Authentication
Description: Uses SSL (Secure Sockets Layer) security through user or server certificates or both. (Available only with Certificate Services.)
Best use: To allow secure business transactions over the Internet.

.NET Passport Authentication
Description: Allows the use of a single sign-in service through SSL, HTTP redirects, cookies, MS JScript, and symmetric key encryption.
Best use: To grant access to various resources over the Internet.

Authentication methods can be applied to the following:

Server
Web site
FTP site
Virtual Directory
File

In addition to authentication, you can secure Web content with Web permissions. The following table describes the IIS permissions you can set for Web sites or Web folders:

Read: View file content and properties.
Write: Modify, delete, or add files or directories. Modify file and directory attributes. Typically only enabled on intranets or private sites.
Script Source Access: Users can access the source code for files (requires either Read or Write permissions). Combined with Read permissions, users can view the source code. Combined with Write permissions, users can write to the source code. Typically only enabled on developer intranets.
Directory Browsing: View directory contents. When enabled, the Web server returns a listing of the directory contents when it cannot find a default home page to display. Use with Read permission.
Execute Permissions: Controls how scripts and executables run from the Web site. You can allow scripts only, scripts and executables, or prevent either from running.

If Web content is on an NTFS partition, you can also use NTFS permissions to secure content. Keep in mind the following when using NTFS permissions for Web content:

IIS uses the user account to identify the end user and their permissions.
To restrict access for users other than the anonymous user, you must choose an authentication method that uses Windows user accounts.
When both Web and NTFS permissions are used, the most restrictive permissions take effect.

Web Site Identification

You should know the following facts about managing IIS:

The default Web site is assigned to All Unassigned IP addresses on port 80.
By default, a Web site will respond to HTTP requests directed to any IP address configured for the host computer. When you configure Web site identification, you can configure it to respond to all addresses or to only a specific address.
On a server that has multiple IP addresses, each IP address can be used for a different site.
You can host multiple sites by using different ports for each site.
You can configure a Web site with a host header to enable it to respond to alternate Web site names. A host header solution requires two parts:
o Configure the host header on the Web site.
o Configure the DNS database to associate the host header name with the IP address.

Printing Facts

The following table lists some key definitions with which you should be familiar.

Print Server: The computer where printing is established.
Printer: A virtual device inside the print server that can be configured to send output to a print device.
Print Device: The physical device connected to the print server where print output occurs.
Print Driver: The software that allows the printer to communicate with the print device.
Print Queue: The portion of the hard drive where print jobs are stored before going to the print device.
Printer Port: The means by which a print device connects to a print server (parallel port, serial port, or the printer's NIC).

When you configure printing, you create a logical printer object that references a print device or points to another logical printer on the network. The following table lists the configuration choices to make to configure each type of printer.

Print device connected to the LPT, USB, or COM port of the local computer: Printer type Local; port type LPT, USB, or COM.
Print device connected directly to the network through a NIC connected to the printer: Printer type Local; port type TCP/IP (identify the IP address of the print device NIC).
Print device connected to the LPT, USB, or COM port of a remote computer (with a shared printer): Printer type Network; port type UNC path (\\computername\sharename).

The following table summarizes the permissions that can be assigned to printers. Printer permissions apply to both local and shared printers.

Print: Send print jobs and manage your own documents.
Manage Printer: Change configuration settings and permissions.
Manage Documents: Manage all documents in the queue.

Advanced Print Configuration

Printer Pooling

Printer pooling uses a single printer object to represent multiple print devices. With printer pooling:

Users send print jobs to a single printer.
The print server decides which print device to send the job to.

When creating a printer pool, all print devices in the pool:

Must be the same model (using the same printer driver).
Should be in the same physical location (because users won't know which physical device their print job prints on).

Printer pools:

Speed printing by reducing the time that documents spend waiting for a free print device.
Simplify printer administration because you manage multiple devices through a single printer object.

Multiple Printers

Configure multiple printer objects for a single print device to control access to the printer based on job roles. To configure multiple printers:
1. Create multiple printer objects, one per group or user with distinct access.
2. For each printer, configure permissions to restrict access.
3. Fine-tune access by editing the Advanced properties for the printer to modify priority (99 is the highest) and restrict printer availability.

Managing Printing

The following table summarizes the printing component you would edit to complete each configuration task.

Additional drivers for a printer: Printer object properties; Print server properties
Job priority: Print Queue, job properties
Notification: Print server properties
Permissions: Printer object properties
Ports: Printer object properties; Print server properties
Sharing: Printer object properties
Spool file location: Print server properties

Troubleshooting Printing Facts

You should know the following facts about troubleshooting printing:

You can take an unreliable printer out of service by changing its properties to not shared.
Printer queues and the Event Viewer of the assigned print server will offer the best information regarding printer and print job status.
By default, print spool files are stored on the C: drive of the server, in \Windows\System32\Spool\Printers. If the C: drive fills up, users will be unable to add print jobs to the queue, the queues will stop, and the system may become unstable (because the pagefile also defaults to drive C:).

IPP Facts

You should know the following facts about IPP:

IPP can be installed after IIS is installed.
IPP allows users to access printers and print resources across an intranet or through the Internet.
IPP requires the use of Internet Explorer 4.0 or better.
Users access printers and print services through a URL (http://servername/printers).

Use Internet Explorer 4.0 or better to administer IPP printing from any location.

Installer Package Facts

The following table describes the file extensions that are used with installer packages.

.msi: A Windows Installer package file. Use the Msiexec command to deploy .msi files. Use the /i switch to specify the package file.
.msp: A patch file. An .msp file can be applied to an .msi, but the .msi must be redeployed after the patch is applied.
.mst: A transform file. Transform files are applied when a software package is assigned or published. Transform files change .msi files. To apply a .mst to a .msi during deployment, append TRANSFORMS= followed by a list of .mst files to the Msiexec command.
.zap: A file that references a Setup.exe file on a network, for example.

Using Group Policy, you can either assign or publish software. You can also associate software packages with either users or computers.

Applications may be published to users, but not to computers. You can assign applications to either users or computers.
When you publish an application, it does not appear in the user's Start menu. Instead, the user goes to Add/Remove Programs to install the program.
Assigning software to a computer installs the software when the computer starts up. Users cannot use Add/Remove Programs to remove computer-assigned software.
Assigning software to a user puts a shortcut on the user's Start menu. The software is automatically installed when the shortcut is clicked.

Software Update Services (SUS) Components

Software Update Services (SUS) is a client-server application that allows you to use a server on your intranet as a centralized point for updating software. Without SUS, clients must communicate with Microsoft's Web site to download and install patches and other updates. With SUS, you can control which updates are installed on network clients. The following table lists the major SUS components:

SUS on an Internet Information Services (IIS) server: This is the server-side component of SUS. It synchronizes update information and downloads updates prior to deployment.
SUS Web site: Administrative tasks are done through the SUS Web site. Other than installation and configuration, administrative tasks consist primarily of verifying successful server synchronization and update approval prior to client distribution.
Automatic Updates: The Automatic Updates client downloads updates from the SUS server (or a Windows Update server). It also installs the updates according to the established parameters.
Group Policy settings: By configuring Windows Update policies in a GPO, you can configure Automatic Updates clients to synchronize with a SUS server rather than a Windows Update server.

SUS offers the following advantages:

You can control which updates clients in your organization receive.
Clients receive updates from local servers rather than using Internet links to receive updates.
You can enforce the application of updates throughout your organization.

SUS works as follows:
1. The SUS server downloads information about available updates from the Microsoft Windows Update Web site. The server can also be configured to download the update content itself.
2. An administrator approves the updates that should be applied to network clients.
3. Clients contact the local SUS server to identify approved updates, then download the approved updates from the corresponding server.

SUS Server Configuration

An SUS server manages the updates that clients can install. To install SUS, download the setup software from the Microsoft Web site (it is not on the Windows Server 2003 media). Before installing the software, your server must have IIS installed. During installation, you will need to provide the following two paths:

The path to the update files. These are the actual files that will be used to update clients. For example, you can choose to leave the update files on the Microsoft Windows Update Web site. In this case, clients will download updates from the Microsoft Web site. Alternatively, you can choose to place the files on the SUS server. In this case, clients will download content from your SUS server.
The path to the update file metadata. The metadata is information about each update file. You will edit the metadata to control how updates are applied to client systems.

The installation program installs the following components:

Software Update Synchronization Service (to download content to the SUS server).
IIS Web site (to service requests from Automatic Updates clients).
SUS administration Web site (where you synchronize the SUS server and approve updates).

After installation, use a Web browser and go to http://SUSservername/SUSadmin to manage the SUS server. SUS administration consists of three tasks:

Configuring SUS server settings.
Synchronizing updates (downloading updates from the Microsoft update Web site).
Approving updates (identifying which updates to deliver to clients and configuring how those updates will be applied).

SUS Client Configuration

Each client computer must have the Windows Automatic Updates client software to utilize automatic updates. This software is included automatically with Windows Server 2003, Windows XP Service Pack 1, and Windows 2000 Service Pack 3. It can be added to other operating systems as a special download.

Client computers will communicate with an SUS server to identify available updates. You can customize which server the clients use to receive updates. By default, clients contact the Microsoft Web site. For a custom solution, configure clients to contact your SUS server. You can also customize how clients download updates:

Download setting: Description
- Automatic: Downloads arrive without user intervention or notification.
- Notification: The system waits for a user with administrator credentials to log on before sending a notification of available update downloads via a balloon above the System Tray.

You can also customize what the client does with the updates once they have been downloaded:

Installation setting: Description
- Automatic (Scheduled): Upon successful download, an event is registered in the system event log. When a user with local administrative privileges logs on, the user can install the updates manually any time before the scheduled installation time. At the scheduled installation time, a local administrator can cancel the installation, delaying it until the next scheduled installation. A user with non-administrator privileges receives a warning message but cannot delay update installation. If no one is logged on, the installation occurs automatically.
- Notification: Upon successful download, an event is registered in the system event log. When a user with local administrative privileges logs on, the user can install the updates manually.

The easiest way to configure client settings is to use Group Policy to distribute the server name and other update parameters. The following table lists the Automatic Update policies:

Policy: Description
- Configure Automatic Updates: There are three options for configuring the behavior of the Automatic Updates client: Notify for Download And Notify For Install; Auto Download And Notify For Install; Auto Download And Schedule The Install.
- Reschedule Automatic Updates Scheduled Installations: If a client machine is turned off during a scheduled installation, by default the installation occurs at the next scheduled time. However, this policy allows you to set the installation to occur between 1 and 60 minutes after the system starts up.
- No Auto-Restart For Scheduled Automatic Updates Installations: This policy allows Automatic Updates to disregard a required restart when a user is logged on. The user receives a notification about the required restart but is not required to restart the machine.
- Specify Intranet Microsoft Update Service Location: This policy allows you to redirect clients from the Microsoft Windows Update server to a SUS server on your network. You can also set logging to occur on any server on the network running IIS. IIS logs are found in %Windir%\System32\Logfiles\W3svc1.

SUS Infrastructure Design

Software Update Services (SUS) offers you great flexibility in designing where updates are stored and who controls which updates are approved. You can also configure multiple servers within your organization to distribute the load or customize the list of approved updates.

Configuration: Approve updates locally, download content from Microsoft
- Characteristics: The local SUS server downloads update metadata (information about available updates) from the Windows Update Web site. An administrator approves applicable updates. Clients identify approved updates using the local SUS server, but download content from the Windows Update Web site.
- Uses: Use when all clients have a fast Internet connection and Internet link usage is not a concern.

Configuration: Approve updates locally, download content locally
- Characteristics: The local SUS server downloads update metadata and synchronizes update installation files from the Windows Update Web site. An administrator approves applicable updates. Clients identify approved updates using the local SUS server and download the updates from the local server.
- Uses: Use to minimize downloads through an Internet link (updates are downloaded through the Internet only once). Use when Internet links are slow or unreliable.

Configuration: Multiple server topology
- Characteristics: Place an SUS server in each location. Each SUS server synchronizes content from the Windows Update Web site. An administrator at each location approves a list of approved updates for local clients. Clients receive updates from the nearest SUS server.
- Uses: Use when each location has different approved update needs. Use when your organization has multiple sites with their own Internet connection.

Configuration: Centralized client/server topology
- Characteristics: Configure one SUS server to synchronize content with the Windows Update Web site. Configure a list of approved updates on the central server. Configure additional servers to synchronize update content and the list of approved updates with the central server. Clients receive updates from the nearest SUS server.
- Uses: Use in a large organization to enforce consistent update policies (local SUS servers receive a list of approved updates from the central server).

Configuration: Decentralized client/server topology
- Characteristics: Configure one SUS server to synchronize update content with the Windows Update Web site. Configure additional servers to synchronize update content with the central server. Configure a list of approved updates on each SUS server. Clients receive updates from the SUS server that holds the approved updates that should apply to the client.
- Uses: Use to minimize downloading of update content while allowing different sites or organizations to maintain their own list of approved updates.

SUS Facts

You should know the following facts about SUS:

- SUS is not available through the Windows Server 2003 installation media. Download the SUS server software from the Microsoft Web site.
- Software Update Services allows you to configure the distribution of operating system patches for clients, including ones related to security.
- GPO settings for configuring Windows Automatic Updates are stored in the Wuau.adm template. You must manually copy this template file from the SUS server to the %systemroot%\inf folder of any computer used to configure group policy.
- To prevent clients from using Windows Update, edit Group Policy settings to prevent users from manually downloading patches.
- SUS with Service Pack 1 does not support 64-bit versions of Windows.
- Software Update Services does not support updating drivers, although the Automatic Updates client will detect and report them. You must install drivers manually from Windows Update.
- Software Update Services only distributes patches for the operating system. You can't use Software Update Services to distribute patches for anything else, including other Microsoft products. However, you can use a software distribution policy (or Systems Management Server) to distribute application updates.
- The NoAutoRebootWithLoggedOnUsers policy setting will allow logged on users to avoid rebooting after a service pack installation (although the service pack installation won't be completed until the next restart).
- The Windows Update Server is responsible for synchronizing and approving updates.
- Clients of SUS need the Automatic Updates Client (Wuau22.msi), which can be deployed through group policy. Clients also need to be redirected from Windows Update to the SUS server through a GPO.


Account Policies Facts

Account policies control passwords and login properties. Settings in the local GPO are used if the computer is a member of a workgroup. Settings in the domain GPO are used for computers that are members of a domain. Policy settings are applied to the computer, not the user. The following table describes the password settings.

Setting: Description
- Password history: This setting requires users to input unique passwords. The system can store up to 24 passwords, so the user can't repeat previous passwords.
- Maximum password age: This setting requires the user to change the password after a given length of time.
- Minimum password age: This setting keeps users from changing passwords immediately after they've reset their passwords. This prevents users from defeating the password history by entering several passwords in a row to get back to a preferred password.
- Minimum password length: This prevents people from using passwords that are too short.
- Password complexity: This setting requires users to create a password with a minimum of three of the four character types (lower case letters, upper case letters, numbers, or special characters such as !, @, #, $, %, ^, &, *). This setting also disallows use of dictionary words or any part of the user login identification.
- Reversible encryption: This setting requires the system to store the password with reversible encryption.
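The password settings above interact: history is only effective when minimum age stops a user cycling through it, and complexity is a set of independent rules. The following Python model is an added example (not from this study guide, and not Windows' own password filter) that applies the table's settings to a candidate password change. The word list is constructed for the dictionary check, the SHA-256 fingerprint stands in for the hash Windows keeps in its history, and the rule rejecting parts of the full name longer than two characters is the standard Windows rule assumed here for the illustration.

```python
import hashlib
import re
from collections import deque
from dataclasses import dataclass

# Constructed word list standing in for the dictionary check the table describes.
SAMPLE_DICTIONARY = frozenset({"password", "welcome", "summer", "winter", "letmein"})

# The four character categories named in the table; a compliant password
# must use at least three of them.
CATEGORY_PATTERNS = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^a-zA-Z0-9]"),
)


@dataclass(frozen=True)
class PasswordPolicy:
    history_count: int = 24   # Enforce password history (Windows stores up to 24)
    min_age_hours: int = 24   # Minimum password age, expressed in hours
    min_length: int = 8       # Minimum password length
    complexity: bool = True   # Password must meet complexity requirements


def complexity_problems(password, username, full_name="", dictionary=SAMPLE_DICTIONARY):
    """Return the list of complexity rules the candidate password breaks (empty = compliant)."""
    problems = []
    categories = sum(1 for pattern in CATEGORY_PATTERNS if pattern.search(password))
    if categories < 3:
        problems.append("uses only %d of the 4 character categories" % categories)
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user login name")
    # Parts of the full name longer than two characters are rejected as well
    # (assumed standard Windows behaviour, used here for illustration).
    for part in full_name.split():
        if len(part) > 2 and part.lower() in lowered:
            problems.append("contains part of the user's full name (%s)" % part)
    for word in dictionary:
        if word in lowered:
            problems.append("contains the dictionary word '%s'" % word)
    return problems


def _fingerprint(password):
    # Stand-in for the hash Windows keeps in the history: the clear-text
    # password is never stored, only a SHA-256 digest of it.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class PasswordHistory:
    """Remembers the fingerprints of the last `count` passwords of one account."""

    def __init__(self, count):
        self._seen = deque(maxlen=count)   # oldest entry drops out automatically

    def contains(self, password):
        return _fingerprint(password) in self._seen

    def record(self, password):
        self._seen.append(_fingerprint(password))


def validate_change(password, username, full_name, history, hours_since_last_change, policy):
    """Apply every setting from the table; an empty list means the change is allowed."""
    problems = []
    if hours_since_last_change < policy.min_age_hours:
        problems.append("minimum password age not reached")
    if len(password) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    if policy.complexity:
        problems.extend(complexity_problems(password, username, full_name))
    if policy.history_count and history.contains(password):
        problems.append("matches one of the last %d passwords" % policy.history_count)
    return problems
```

Because `validate_change` reports every violated rule rather than stopping at the first, it shows why the settings are configured together: a user who tries to rotate straight back to an old password is blocked by history, and one who tries to do it in several quick steps is blocked by minimum age.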

Use account lockout to protect user accounts from password guessing and to prevent accounts from being used when hacking attempts are detected. The following table describes the account lockout settings.

Setting: Description
- Lockout duration: This setting determines the length of time the account will be disabled. When set to 0, an administrator must unlock the account.
- Lockout threshold: This setting determines the number of attempts a user can make before the account is locked.
- Reset account lockout counter: This setting determines the amount of time that must pass before the bad-password counter is reset and the account is enabled again.
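The three lockout settings form a small state machine, and the edge cases (duration 0, the counter reset window, threshold 0) are where configurations usually go wrong. The following Python tracker is an added example written for this section; it is a constructed simulation with a caller-supplied clock in minutes, not the operating system's own implementation.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 5         # Account lockout threshold; 0 disables lockout entirely
    duration_min: int = 30     # Account lockout duration; 0 means an administrator must unlock
    reset_after_min: int = 30  # Reset account lockout counter after this many minutes


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_at: Optional[float] = None
    locked_at: Optional[float] = None


class LockoutTracker:
    """Tracks failed logons per account and applies the three lockout settings.

    Times are minutes on any monotonic clock; the caller passes them in so the
    behaviour can be exercised without waiting.
    """

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user):
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        state = self._state(user)
        if state.locked_at is None:
            return False
        if self.policy.duration_min == 0:
            return True  # duration 0: stays locked until admin_unlock()
        if now - state.locked_at >= self.policy.duration_min:
            self._clear(state)  # lockout duration elapsed: account re-enabled
            return False
        return True

    def record_failure(self, user, now):
        """Register a bad password; returns True when the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        state = self._state(user)
        if state.last_bad_at is not None and now - state.last_bad_at >= self.policy.reset_after_min:
            state.bad_count = 0  # reset window expired: earlier failures no longer count
        state.bad_count += 1
        state.last_bad_at = now
        if self.policy.threshold and state.bad_count >= self.policy.threshold:
            state.locked_at = now
            return True
        return False

    def record_success(self, user, now):
        """A correct password: refused while locked, otherwise resets the counter."""
        if self.is_locked(user, now):
            return False
        self._clear(self._state(user))
        return True

    def admin_unlock(self, user):
        self._clear(self._state(user))

    @staticmethod
    def _clear(state):
        state.bad_count = 0
        state.last_bad_at = None
        state.locked_at = None
```

Note that a correct password presented during the lockout is still refused, which is the behaviour that stops a guessing attempt from succeeding, and that with the threshold set to 0 no number of failures ever locks the account.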


Auditing Facts

You can configure the following audit policies in Group Policy.

Audit Category: Trigger Event(s)
- Account logon: Audits logon through a user account. Recorded by the local computer for a local account, and by the domain controller for an AD account.
- Account management: Add, rename, disable/enable, delete, or change the password for a user account.
- Logon: Log on or off of the local system; make a network connection to a local computer.
- Object access: File, folder, or printer access.
- Policy change: Change account password or logon settings, user rights, or audit policies.
- Privilege use: A user exercises user rights; an administrator takes ownership of an object.
- Process tracking: An application performs an action. This is used mainly for program debugging and tracking.
- System events: Shutdown, restart, service starts; an event affects security or the security log.

Keep in mind the following about configuring auditing:

- Auditing can be enabled to log successful or failed events (or both).
- Because auditing consumes system resources and might result in a lot of generated data, enable auditing only on the events you are interested in.
- View audit entries in the Event Viewer Security log.
- Set the CrashOnAuditFail registry entry to prevent users from logging on to the system when entries can't be written to the security log.
- To monitor a domain for unauthorized user access, configure the domain with a group policy to Audit Logon Events.
- For file auditing to occur, the files must be on NTFS partitions.
- With auditing configured, clearing the log generates an event identifying when the log was cleared and by whose authority.

Security Template Facts

Windows provides the following predefined security templates:

Template: Function
- Setup Security.inf: Created specifically for each computer during setup. Differs depending on whether the installation was a clean installation or an upgrade. Contains the default security settings applied during installation. Defines default file permissions for the system drive root. Used on workstations or servers (not on domain controllers). Should not be applied through group policy.
- DC Security.inf: Created when a server is upgraded to a domain controller. Gives default security settings for files, the registry, and system services.
- Secure*.inf: Secures a system without causing application or compatibility issues. Securews.inf can be applied to a workstation or a server; Securedc.inf can be applied to a domain controller.
- Hisec*.inf: Specifies additional security settings beyond the Secure templates. Hisecws.inf can be applied to a workstation or a server; Hisecdc.inf can be applied to a domain controller.
- Compatws.inf: Forces compatibility across Windows platforms. Should not be applied to domain controllers.

Use the Security Analysis and Configuration snap-in to manage security templates, analyze current settings, create custom templates, or import an existing template. When working with templates:

- Compare an existing system with a template to see how the system's current settings differ from the template.
- Clear current settings before importing a new template.
- After applying a secure template, you might need to restore group memberships in the Administrators or Power Users group.
- You can also use the Secedit command to analyze and apply templates.

You should also know the following facts about security analysis:

- The Microsoft Baseline Security Analyzer will tell you which patches have been installed on a particular computer.
- You also need to verify that patches have not been manually applied. Check the Windows Update log to see whether a patch came from the Software Update Server or from the Windows Update Web site.


Event Facts

You should know the following facts about events:

- The System Log records informational, warning, and error messages. Error and warning messages are the most serious.
- The default extension for saved logs is .Evt.
- Shutdown events have an event ID of 1074.
- Event Viewer is the location where most errors and warnings are logged.
- The File Replication Service log lists errors or events related to the copying of information between domain controllers during a replication cycle. This log is available through Event Viewer on Windows Server 2003 machines that function as domain controllers.
- Examine the Security Log to find the results of system audits.
- Additional logs (such as the DNS Log) are added when you install various services.

Monitoring Performance Facts

You should know the following facts about monitoring system performance:

- Task Manager shows a summary of a system's performance.
- System Monitor measures the performance of a workstation or other workstations on a network. You can configure an automatic schedule of monitoring.
- A System Idle process near 100% may indicate a connectivity problem with a server.
- The Performance tool is capable of monitoring remote computers. Monitoring of server performance should be done from a computer other than the server.
- If you aren't sure what a specific counter or measure is used for, select it and click the Explain button.
- The Performance Logs and Alerts console in the Performance tools can be configured to trigger an alert when certain thresholds are reached.
- The Report View presents counters in a hierarchical display using words, not graphical representations.
- You can run the WinMSD utility from a command prompt to view such information as Internet security.

Counters and Values to Watch

The following table outlines the major objects and critical counter values:

Object: Purpose; Counter; Optimum
- Processor: Measures the CPU performance; % Processor time; < 80% sustained.
- Physicaldisk: Measures how the individual, physical disks are performing (the reads/writes and the percentage to be written to the disk); % Disk time; a value > 2 times the number of drives is high.
- Memory: Measures RAM performance; Pages/sec; 0 pages/sec is a good reading.
- Network: Measures the performance of the system on the network; Bytes total/sec; < Network capacity.

WMIC

The Windows Management Interface Command-line (WMIC) gives administrators access to Windows Management Instrumentation (WMI), Microsoft's implementation of Web-Based Enterprise Management (WBEM). The following components make up WMI:

Component: Description
- WMI Object Manager: Receives information about devices, services, applications, and other system components from WMI providers, and inputs the information it receives into the WMI Repository.
- WMI Repository: Holds the information collected by the WMI Object Manager. That information can be used to manage components, monitor events, set properties, and perform other management tasks.

WMIC can be used to access the WMI Repository. You can perform local or remote management tasks with WMIC on any system that is running WMI and that can authenticate the user running WMIC. WMIC runs in two modes:

- Interactive mode begins when the user enters WMIC at the command prompt. Interactive mode is used when commands are entered one at a time.
- Noninteractive mode allows WMIC to execute a single command and return to the command prompt. Noninteractive mode is used to let WMIC run inside a batch file.

WMIC uses aliases to simplify access to WMI information. Using aliases, you don't need to remember complex schema objects and properties. The alias is the first parameter of the WMIC command line. Aliases can perform actions, which are initiated by verbs. Using verbs in combination with aliases, you can control what kinds of information you get from the WMI Repository. You can also control application and system properties.


When WMI is running on a computer, a user with sufficient rights can perform monitoring tasks from WMIC. The information can be output to a CSV, text, or HTML file. Use aliases, commands, and switches to configure monitoring. To start WMIC, enter WMIC at the command line. To get a list of available aliases, enter /? at the WMIC command line. You can perform the following monitoring tasks using WMIC:

Command: Result
- Product: Lists the software installed on the local computer.
- Ntevent where "eventtype=5 and logfile='security'" get logfile, sourcename, eventtype, message, timegenerated: Lists failure events from the security log data.
- Ntevent where "eventtype<3 and logfile='application'" get logfile, sourcename, eventtype, message, timegenerated: Lists 0, 1, and 2 event types from the application log of the local computer.

Use the /output:path and filename switch to redirect output from the console to a file.
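Once WMIC output is redirected to a file, the next step is usually to process it. The following Python script is an added example (not from this study guide) that builds the Ntevent query from the table with /format:csv and parses the resulting CSV. The sample output is constructed; it assumes WMIC's CSV layout of a leading blank line, a Node column first, remaining properties in alphabetical order, and CIM timestamps of the form yyyymmddHHMMSS.ffffff±UUU where the last field is the UTC offset in minutes.

```python
import csv
from datetime import datetime, timedelta, timezone

# Win32_NTLogEvent.EventType values: the table's "eventtype=5" selects audit
# failures and "eventtype<3" selects errors and warnings.
EVENT_TYPE_NAMES = {1: "Error", 2: "Warning", 3: "Information", 4: "Audit Success", 5: "Audit Failure"}


def wmic_ntevent_command(logfile, where_clause):
    """Build the Ntevent query from the table, asking WMIC for CSV output to parse."""
    return ('wmic ntevent where "%s and logfile=\'%s\'" get logfile,sourcename,eventtype,message,timegenerated /format:csv'
            % (where_clause, logfile))


# Constructed sample of WMIC /format:csv output (assumed layout, see lead-in).
SAMPLE_WMIC_CSV = """
Node,EventType,LogFile,Message,SourceName,TimeGenerated
SRV01,5,Security,"Logon Failure: Unknown user name or bad password",Security,20240105131522.000000+000
SRV01,4,Security,"Successful Logon",Security,20240105131530.000000+000
SRV01,5,Security,"Logon Failure: Account locked out",Security,20240105131601.000000-300
"""


def parse_cim_datetime(value):
    """Convert a CIM DATETIME string to a timezone-aware datetime."""
    base = datetime.strptime(value[:14], "%Y%m%d%H%M%S")
    microseconds = int(value[15:21])
    offset_minutes = int(value[21:])            # e.g. "+000" or "-300"
    return base.replace(microsecond=microseconds,
                        tzinfo=timezone(timedelta(minutes=offset_minutes)))


def parse_wmic_csv(text):
    """Parse WMIC CSV output; EventType becomes an int and TimeGenerated a datetime."""
    lines = [line for line in text.splitlines() if line.strip()]  # drop the blank first line
    rows = []
    for row in csv.DictReader(lines):
        row["EventType"] = int(row["EventType"])
        row["TimeGenerated"] = parse_cim_datetime(row["TimeGenerated"])
        rows.append(row)
    return rows


def failure_events(rows):
    """The events the table's first Ntevent query returns: audit failures (EventType 5)."""
    return [row for row in rows if row["EventType"] == 5]


def failures_per_node(rows):
    """Count audit failures per queried computer (the Node column)."""
    counts = {}
    for row in failure_events(rows):
        counts[row["Node"]] = counts.get(row["Node"], 0) + 1
    return counts
```

Converting the CIM timestamp, offset included, matters when events from servers in different time zones are compared; the raw string sorts lexically but does not order correctly across offsets.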

Volume Shadow Copy Services (VSS)

VSS is a component of the backup system that takes a point-in-time snapshot of files on the disk. By enabling VSS, you can recover lost (deleted) files and back up open files. You enable VSS on a volume through Explorer. After VSS is enabled, all shared folders on the volume will be shadow copied. You can customize where files are copied to, the limit that copied files can take up, and the interval at which copies will be made. Through shadow copies, you can recover lost, damaged, or overwritten files by accessing the previous versions of the files cached by the server. The Previous Copies tab in the Properties dialog box of a folder or file lists the previous copies you can access. The Previous Copies tab is available under the following circumstances:

- Shadow Copies must be enabled on the server.
- The client must have the Shadow Copy client software (installed to the %systemroot%\System32\Clients\Twclient\x86 folder on the Windows Server 2003 system).
- You must access the file's properties through a shared folder (if you access the properties for a file on the local machine, the Previous Copies tab won't be available, even if the file is shared and VSS is running).

System Recovery Facts

Windows offers you several different ways to recover from a system failure. Here are some methods you can use to recover from system problems (methods are listed in the general order in which you would try them when recovering the system).

Tool: Use
- Driver Rollback: Use this tool to uninstall recent driver changes and revert to a previous version. In Device Manager, edit the properties of the device.
- Last Known Good Configuration: This option reboots the system using the last successful hardware profile. However, it can only be used if you have not logged on after the last change.
- Safe Mode: Boots Windows with a limited number of drivers and features enabled. Press F8 during boot to enter Safe Mode. After booting into Safe Mode, you can use Device Manager to roll back drivers, disable devices, uninstall devices, or reinstall or update drivers.
- Recovery Console: This is a command-line interface. Before a problem exists, you must install Recovery Console. Install it by using the winnt32.exe /cmdcons command to install the recovery tools on the system. Use Recovery Console to fix the boot sector or master boot record (MBR). You can also remove or update system files and repartition hard disks.
- Automated System Recovery: This restores original Windows 2003 Server drivers and files as well as files from the ASR backup set.

Keep in mind the following facts about using Automated System Recovery (ASR):

- You need an ASR backup tape set and a Windows 2003 Server CD to restore a system.
- Use the ASR diskette with a valid backup to restore the system. The ASR diskette is a boot diskette that contains limited system configuration information. The rest of the information is on the backup tape.
- The ASR diskette contains the Asr.sif and Asrpnp.sif files. Copies of these files are placed on the system so you can copy them manually.
- To restore a system, press the F2 key when prompted and insert the ASR floppy disk. ASR will restore disk configurations and install the original operating system software.


Exam Objectives

Exam 70-290: Managing and Maintaining a Microsoft Windows Server 2003 Environment

This certification exam measures your ability to implement, administer, and troubleshoot information systems that incorporate Microsoft Windows Server 2003. Before taking the exam, you should be proficient in the job skills listed below.

100 Managing and Maintaining Physical and Logical Devices
  101 Manage basic disks and dynamic disks.
  102 Monitor server hardware. Tools might include Device Manager, the Hardware Troubleshooting Wizard, and appropriate Control Panel items.
  103 Optimize server disk performance.
    - Implement a RAID solution.
    - Defragment volumes and partitions.
  104 Install and configure server hardware devices.
    - Configure driver signing options.
    - Configure resource settings for a device.
    - Configure device properties and settings.

200 Managing Users, Computers, and Groups
  201 Manage local, roaming, and mandatory user profiles.
  202 Create and manage computer accounts in an Active Directory environment.
  203 Create and manage groups.
    - Identify and modify the scope of a group.
    - Find domain groups in which a user is a member.
    - Manage group membership.
    - Create and modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
    - Create and modify groups by using automation.
  204 Create and manage user accounts.
    - Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in.
    - Create and modify user accounts by using automation.
    - Import user accounts.
  205 Troubleshoot computer accounts.
    - Diagnose and resolve issues related to computer accounts by using the Active Directory Users and Computers MMC snap-in.
    - Reset computer accounts.
  206 Troubleshoot user accounts.
    - Diagnose and resolve account lockouts.
    - Diagnose and resolve issues related to user account properties.
  207 Troubleshoot user authentication issues.

300 Managing and Maintaining Access to Resources
  301 Configure access to shared folders.
    - Manage shared folder permissions.
  302 Troubleshoot Terminal Services.
    - Diagnose and resolve issues related to Terminal Services security.
    - Diagnose and resolve issues related to client access to Terminal Services.
  303 Configure file system permissions.
    - Verify effective permissions when granting permissions.
    - Change ownership of files and folders.
  304 Troubleshoot access to files and shared folders.

400 Managing and Maintaining a Server Environment
  401 Monitor and analyze events. Tools might include Event Viewer and System Monitor.
  402 Manage software update infrastructure.
  403 Manage software site licensing.
  404 Manage servers remotely.
    - Manage a server by using Remote Assistance.
    - Manage a server by using Terminal Services remote administration mode.
    - Manage a server by using available support tools.
  405 Troubleshoot print queues.
  406 Monitor system performance.
  407 Monitor file and print servers. Tools might include Task Manager, Event Viewer, and System Monitor.
    - Monitor disk quotas.
    - Monitor print queues.
    - Monitor server hardware for bottlenecks.
  408 Monitor and optimize a server environment for application performance.
    - Monitor memory performance objects.
    - Monitor network performance objects.
    - Monitor process performance objects.
    - Monitor disk performance objects.
  409 Manage a Web server.
    - Manage Internet Information Services (IIS).
    - Manage security for IIS.

500 Managing and Implementing Disaster Recovery
  501 Perform system recovery for a server.
    - Implement Automated System Recovery (ASR).
    - Restore data from shadow copy volumes.
    - Back up files and System State data to media.
    - Configure security for backup operations.
  502 Manage backup procedures.
    - Verify the successful completion of backup jobs.
    - Manage backup storage media.
  503 Recover from server hardware failure.
    - Restore backup data.
    - Schedule backup jobs.
