ExamInsight For Windows Server 2003 Certification

For exam 70-290 Managing and Maintaining a Microsoft Windows Server 2003 Environment

Author: Jada Brock-Soldavini, MCSE with the TRP Author Certification Success Team

Published by BFQ Press

Copyright © 2004 by TotalRecall Publications, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the United States Copyright Act of 1976, No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic or mechanical or by photocopying, recording, or otherwise without the prior permission of the publisher.

The views expressed in this book are solely those of the author, and do not represent the views of any other party or parties.

Printed in United States of America
Printed and bound by Data Duplicators of Houston Texas
Printed and bound by Lightning Source, Inc. in the USA and UK
Printed and bound by BookSurge, Inc in the USA and around the world

Paper Back ISBN 1-59095-010-0 UPC 6-43977-01290-6
eBook ISBN 1-59095-625-7 UPC 6-43977-06290-1

The sponsoring editor is Bruce Moran and the production supervisor is Corby R. Tate.

Author Deborah Timmons, MCT, MCSE

This publication is not sponsored by, endorsed by, or affiliated with Microsoft, Inc. The Windows® Server 2003, MCP™, MCSE™, MCSD™, Microsoft logos are trademarks or registered trademarks of Microsoft, Inc. in the United States and certain other countries. All other trademarks are trademarks of their respective owners. Throughout this book, trademarked names are used. Rather than put a trademark symbol after every occurrence of a trademarked name, we used names in an editorial fashion only and to the benefit of the trademark owner. No intention of infringement on trademarks is intended.

Disclaimer Notice: Judgments as to the suitability of the information herein for purchaser's purposes are necessarily the purchaser's responsibility. BeachFront Quizzer, Inc. and TotalRecall Publications, Inc. extend no warranties, make no representations, and assume no responsibility as to the accuracy or suitability of such information for application to the purchaser's intended purposes or for consequences of its use.

I would like to dedicate this book to my husband Michael and children Alyssa, Daniel and Christian. It has been wonderful having you for a family. Thank you for your patience, love and support. I know it has been difficult at times. Also, I would like to extend my love, gratitude, and appreciation to my mother Betty Hite and Grandmother Ruth B. Smith for all of the hard work and sacrifices that were made for me growing up. I would also like to give thanks and appreciation to Alfred and Joan Soldavini who are always there to support me. I could not have done this project without your unwavering love and support. I love you all.

Jada Brock-Soldavini

About the Author
Jada Brock-Soldavini lives in suburban Atlanta and works for the State of Georgia as a Network Services Administrator. She has co-authored or contributed to numerous other works pertaining to Microsoft Windows technologies. She has an A.S. degree in Computer Information Systems and has been in the Information Technology industry for seven years. She is married to Michael and is the mother of three children, Alyssa, Daniel and Christian. In her spare time she enjoys cooking, writing and reading anything that pertains to Network and Security technology.

The TRP Author Certification Success Team
Deborah and Patrick Timmons
Deborah Timmons is a Microsoft Certified Trainer and Microsoft Certified Systems Engineer. She came into the Microsoft technical field after six years in the adaptive technology field, providing technology and training for persons with disabilities. She is the President and co-owner of Integrator Systems Inc. Patrick Timmons is a Microsoft Certified Systems Engineer + Internet. He has been working in the IT industry for approximately 15 years, specializing in network engineering and has recently completed his Bachelor of Science, Major in Computer Science. He is currently the CEO of Integrator Systems Inc., a company based in Nepean, Ontario, Canada. Patrick and Deborah have four children--Lauren, Alexander, James and Katherine who take up a lot of their rare spare time.

Alan Grayson
Alan Grayson has a Masters Degree in Systems Management, is a Microsoft Certified Trainer, a Microsoft Certified Systems Engineer and Microsoft Database Administrator and also holds a dozen other certifications.

Patrick Simpson
Patrick Simpson is a Microsoft MCSE, MCSE +I, MCT and a Novell Master CNE and Master CNI. He has been a Microsoft Certified Trainer for five years and working in the IT industry for approximately 9 years, specializing in network consulting and technical education. Patrick has written numerous certification study aids for both Microsoft Windows 2000 exams and for Novell certification exams. Pat is married and has three children and is currently working for a technical consulting/education company in Green Bay, WI.

David [Darkcat] Smith
David Smith is Microsoft Certified Trainer and Microsoft Certified Systems Engineer + Internet. He has been working in the IT industry for approximately 1 year, specializing in network engineering. He came into the Microsoft technical field after six months in the adaptive technology field, providing technology and training for persons with disabilities. He is currently the CEO of nothing Systems Inc., a company based in Outhouse woods, California.

Tom McCarty

About the Book
As Microsoft Certified Trainers and practicing IT professionals, we drew on our backgrounds to design this insight manual specifically to help you pass the MCP/MCSE Certification: Managing and Maintaining a Microsoft Windows Server 2003 Environment. Part of the TotalRecall IT ExamInsight Book Series, this manual functions as a “refresher course” by providing short summaries of core exam topics and a pre- and post-assessment quiz for each, and it is heavily illustrated with figures, diagrams, and photos. Since it also includes lots of real-world material, you can continue to use this Insight Manual as a ready reference on the job. Primarily, this Insight Manual is designed to enhance your knowledge and performance, which will enable you to pass the 70-290 exam as easily as a walk on the beach. So, if you are already networking with fellow professionals and just want a quick refresher course along with practice questions, this ExamInsight manual is the book for you.

Introduction
They have done it again, only this time it may be closer to being right. Microsoft’s release of Windows Server 2003 is, in my opinion, hands down better than any of its predecessors (although not perfect; nothing ever is). They have really made this product function as it should in a networking environment. Most of the functions are easy to navigate and configure by using the Microsoft Management Console. I was around the industry when DOS was running desktop machines, Novell 3.xx was king of the hill and Windows 3.11 was around sometimes. Which, in all honesty, was not that long ago, but considering what is available today with this release in comparison to 10 years ago, it is an incredible display of innovation and technology.

I know that many technology professionals working in the field opted to wait out the Windows NT 4.0 migration to Windows 2000 Server and get their hands on the Windows Server 2003 software. If you are one of these people then I believe once you get into the book and also work this out in your test lab you will find that it was worth the wait. It is always helpful (though not necessary) to go through these study guides and try the settings in a test lab environment. Nothing is worse than applying group policy settings on a domain without first testing them out to see what will happen.

I hope that this book will assist you with the difficult job of taking the exam for 70-290. It is chock-full of information that will make you perform better and smarter in the Windows networking environment. Happy reading, and good luck with your technical endeavors. I hope this guide gives you valuable insight and helps you pass those tough exams.

Jada Brock-Soldavini

A Quick overview of the book chapters:
Chapter 1: Physical and Logical Devices
Chapter 2: Users, Computers, and Groups
Chapter 3: Access to Resources
Chapter 4: The Server Environment
Chapter 5: Disaster Recovery


Table of Contents
About the Author
The TRP Author Certification Success Team
About the Book
Introduction
Exam Information and Resources
TotalRecall Self-Paced Training Products
Microsoft Online Resources

Chapter 1: Physical and Logical Devices
  Introduction
  Getting Ready Questions
  Getting Ready Answers
  1.1 Manage basic disks and dynamic disks
  1.2 Monitor server hardware
    1.2.1 Tools used to manage hardware
    1.2.2 Device Manager
    1.2.3 The Hardware Troubleshooting Wizard
  1.3 Optimize server disk performance
    1.2.1 Implement a RAID solution
    1.2.2 Defragment of volumes and partitions
  1.4 Troubleshoot server hardware devices
    1.4.1 Diagnose and resolve issues related to hardware settings
    1.4.2 Diagnose and resolve issues related to server hardware
    1.4.3 Diagnose and resolve issues related to hardware driver upgrades
  1.5 Install & configure server hardware devices
    1.5.1 Configure driver signing options
    1.5.2 Configure resource settings for a device
    1.5.3 Configure device properties and settings
  Chapter 1: Review Questions
  Chapter 1: Review Answers

Chapter 2: Users, Computers, and Groups
  Introduction
  Getting Ready Questions
  Getting Ready Answers
  2.1 Manage user profiles
    2.1.1 Local user profiles
    2.1.2 Roaming user profiles
      Creating a Roaming user profile
    2.1.3 Mandatory user profiles
      Temporary user profiles
      Troubleshooting Damaged Profiles
      Deleting and Recreating a User Profile that has been damaged
      Creating a Custom Default User Profile
  2.2 Create/Manage Computer Accounts in Active Directory Environments
  2.3 Create and manage groups
    2.3.1 Identify and modify the scope of a group
    2.3.2 Find domain groups in which a user is a member
    2.3.3 Manage group membership
    2.3.4 Modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in
    2.3.5 Create and modify groups by using automation
      Binding
      Containers and Children
      Getting and Setting Attributes
      Creating a Local Group
      Creating a Global Group
      Listing Group Members
      Enumerating Groups and their Membership
      Moving a Group within a Domain
  2.4 Create and manage user accounts
    2.4.1 Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in
      Manage User Accounts
    2.4.2 Create and modify user accounts by using automation
    2.4.3 Import user accounts
      CSVDE
    2.5.1 Diagnose and resolve issues related to computer accounts by using the Active Directory Users and Computers MMC snap-in
    2.5.2 Reset computer accounts
  2.6 Troubleshoot user accounts.
    2.6.1 Diagnose and resolve account lockouts
      Creating a Password Policy for a Domain
      Passwords
    2.6.2 Diagnose and resolve issues related to user account properties
  2.7 Troubleshoot user authentication issues
    2.7.1 Authentication Process
    2.7.2 Domain User Accounts using Kerberos
    2.7.3 Local Computer Account Policy
    2.7.4 Stored user names and passwords
  Chapter 2: Review Questions
  Chapter 2: Review Answers

Chapter 3: Access to Resources
  Introduction
  Getting Ready Questions
  Getting Ready Answers
  User Right Administration
  3.1 Configure access to shared folders
    Sharing Folders using Windows Explorer
    Sharing Folders using Shared Folder Console
    Sharing Folders using the Command Line

Chapter 4: The Server Environment
Chapter 5: Disaster Recovery
Appendix A: List of Tables and Figures
  I Listing of all Tables
  II Listing of all Figures
Appendix B: Glossary

Exam Information and Resources

Exam News
Exam 70-290 is available August 14, 2003.
http://www.microsoft.com/traincert/exams/70-290.asp
The course provides a general introductory overview of this task. You will need to supplement the course with additional lab work.

Audience Profile
The Microsoft Certified Systems Administrator (MCSA) on Windows Server 2003 credential is intended for IT professionals who work in the typically complex computing environment of medium to large companies. An MCSA candidate should have 6 to 12 months of experience administering client and network operating systems in environments that have the following characteristics:
● 250 to 5,000 or more users
● Three or more physical locations
● Three or more domain controllers
● Network services and resources such as messaging, database, file and print, proxy server, firewall, Internet, intranet, remote access, and client computer management
● Connectivity requirements such as connecting branch offices and individual users in remote locations to the corporate network and connecting corporate networks to the Internet

Credit Toward Certification
When you pass the Implementing, Managing, and Maintaining a Microsoft® Windows® Server 2003 Network Infrastructure exam, you achieve Microsoft Certified Professional (MCP) status. You also earn credit toward the following certifications:
● Core credit toward Microsoft Certified Systems Administrator (MCSA) on Microsoft Windows Server 2003 certification
● Core credit toward Microsoft Certified Systems Engineer (MCSE) on Microsoft Windows Server 2003 certification

Recommended Preparation Tools and Resources
We make a wealth of preparation tools and resources available to you, including courses, books, practice tests, and Microsoft Web sites. When you are ready to prepare for this exam, here's where you could start.

Recommended: Instructor-led Courses for This Exam
Course 2274: Managing a Microsoft Windows Server 2003 Environment
Course 2275: Maintaining a Microsoft Windows Server 2003 Environment

TotalRecall Self-Paced Training Products
Examination 70-290: www.wbtwise.com
Online Training from TotalRecall Publications: http://www.wbtwise.com/index.cfm?fuseaction=courses.coursedetail&catalog_id=306

Microsoft Online Resources
● TechNet: Designed for IT professionals, this site includes How-tos, best practices, downloads, technical chats, and much more.
● MSDN: The Microsoft Developer Network (MSDN) is a reference for developers, featuring code samples, technical articles, newsgroups, chats, and more.
● Training & Certification Newsgroups: A newsgroup exists for every Microsoft certification. By participating in the ongoing dialogue, you take advantage of a unique opportunity to exchange ideas with and ask questions of others, including more than 750 Microsoft Most Valuable Professionals (MVPs) worldwide.

Managing and Maintaining Physical and Logical Devices

The objective of this chapter is to provide the reader with an understanding of the following:
1.1 Manage basic disks and dynamic disks
1.2 Monitor server hardware
  1.2.1 Tools used to manage hardware
  1.2.2 Device Manager
  1.2.3 The Hardware Troubleshooting Wizard
  1.2.4 Appropriate Control Panel items
1.3 Optimize server disk performance
  1.2.1 Implement a RAID solution
  1.2.2 Defragment of volumes and partitions
1.4 Troubleshoot server hardware devices
  1.4.1 Diagnose and resolve issues related to hardware settings
  1.4.2 Diagnose and resolve issues related to server hardware
  1.4.3 Diagnose and resolve issues related to hardware driver upgrades
1.5 Install and configure server hardware devices
  1.5.1 Configure driver signing options
  1.5.2 Configure resource settings for a device
  1.5.3 Configure device properties and settings

Chapter 1: Physical and Logical Devices

Introduction:
Windows Server 2003 gives Administrators various options to use when physical and logical disks need managing. Disks can be managed via the always present command prompt or the Microsoft Management Console. You can perform tasks such as assigning drive letters, and creating partitions and volumes. Before you begin to manage your disks you need to understand the different disk types, and how to optimize and troubleshoot your disks. This chapter is full of information to assist you with the preparation for Microsoft 70-290 exam Managing and Maintaining a Microsoft Windows Server 2003 Environment as well as some real-world solutions for managing your Microsoft Windows Server 2003 disks and hardware devices. This chapter will also show you how you can:
● Manage basic and dynamic disks using the command prompt and the Computer Management console
● Configure shadow copies of volumes.
● Use the performance logs and alerts console in Windows Server 2003 to configure performance baselines and alerts for your hardware.
● Configure and troubleshoot your Redundant Array of Inexpensive Disks (RAID) configuration.
● Troubleshoot hardware devices using the Control Panel and the Hardware Troubleshooting Wizard.

Getting Ready Questions
1. On what operating systems can you have local dynamic disks?
2. How can you access Device Manager?
3. Under Server 2003, what type of fault tolerant volumes are available on basic disks?
4. For what do you use the FTOnline tool?
5. The Windows 2003 Server operating system uses which features to guarantee that the device driver has not been altered?

Getting Ready Answers
1. You can have local dynamic disks on Windows 2000 Server and Professional, Windows XP and Windows 2003. Operating systems prior to Windows 2000 (including MS-DOS, Windows 3.x, Windows 95/98/ME, Windows NT) as well as Windows 2000 Home Edition cannot support dynamic disks locally.
2. There are three ways to access Device Manager – through Administrative Tools | Computer Management, right-click My Computer | Hardware, and through the keyboard shortcut Windows Key | Pause.
3. None. Fault tolerant volumes on basic disks are no longer supported in Windows Server 2003.
4. The FTOnline command-line tool can be used on Fault Tolerant disks to mount and recover files on Windows Server 2003 systems that have been upgraded. Once the server has been rebooted the disks are not mounted by FTOnline.
5. The Windows 2003 Server operating system uses three features to guarantee that the device driver has not been altered and is in its original pristine state:
• File Signature Verification
• System File Checker
• Windows File Protection

1.1 Manage basic disks and dynamic disks

Administrators have many options that can be used to manage basic and dynamic disks in Windows Server 2003. These options have not changed much between versions of Windows 2000 Server and Windows Server 2003. Before you decide which type of disk to use you need to understand the difference between basic and dynamic disks. Table 1.1 below shows some differences between Dynamic and Basic disks.

Table 1-1: Differences between Basic and Dynamic Disks
Disk Type | Features
Basic | This type of disk is accessible by all Windows Operating versions as well as the command prompt. Up to three primary and one extended partition or four primary partitions can be created on a basic disk. Basic disk partitions cannot span multiple drives; the disk must be converted to a dynamic disk first.
Dynamic | Dynamic disk volumes are always referred to as dynamic volumes. Dynamic disks can also be configured to be fault tolerant by using either RAID-5 volumes, mirrored and also clustered.

Before you begin, understand that once a Basic disk has been converted to a dynamic disk it cannot be undone. Keep this in mind when you begin to convert your Basic disks to dynamic disks, as the conversion is permanent.

Disks that use Universal Serial Bus (USB), Firewire, detachable or removable disks, or disks on portable computers cannot be converted into dynamic disks. It is not recommended that you convert a basic disk into a dynamic disk if there is more than one installation of Windows Server 2003, Windows 2000 or Windows XP.

Before you begin to convert a basic disk to a dynamic disk make sure that you first close any programs that are running on the disk. If you are converting a boot disk to a dynamic disk remember to reboot the computer for the changes to take effect. After the conversion process has taken place the basic disk partitions will become dynamic simple volumes.

Note: Dynamic simple volumes cannot be converted back to basic disk partitions.

Only shared folders on a dynamic disk can be accessed via a network connection. The Dynamic disks cannot be accessed directly by any of the following operating systems:

● MS-DOS
● Windows 95
● Windows 98
● Windows Millennium Edition
● Windows XP Home Edition
● Windows NT 4.0

Dynamic master boot record disks can be accessed by Windows 2000, Windows XP Professional or Windows Server 2003 on x86-based computers, and by Itanium computers running the 64-bit versions of Windows Server 2003 Enterprise or Windows Server 2003 Datacenter edition.

Please remember this before you begin to convert your disks from basic to dynamic. Once they are converted from basic to dynamic the conversion is permanent and the only way to undo this would be to remove the partition and rebuild it again. Also, make sure your backups are up to date before you begin any changes on your Windows Server 2003. It is always good policy to try this in a test lab environment before you try to convert your disks.

Basic to Dynamic disk conversions for storage areas containing Shadow Copies

Before you convert a basic disk that contains shadow copies to a dynamic disk use the following steps so that you do not experience data loss. This pertains only to a non-boot volume. Boot volumes can be converted from basic to dynamic without losing shadow copies.

● Determine if the disk is a non-boot volume.
● Determine that the volume is different than where the original files are stored.
● Dismount the volume that contains the original files and take it offline.

If you do not bring the volume back online within 20 minutes then data will be lost on the disk that contains the shadow copies.

Figure 1.1 below shows the Microsoft Management Console that is used to manage disks in Windows Server 2003. It can be accessed by clicking on Start then selecting Administrative Tools and then choosing Computer Management. The following screen will appear as shown in the figure below.

Figure 1-1: The Microsoft Management Console used in Windows Server 2003.

The Disk Management Console shows all information pertaining to the disks installed on the server. This console is set to show you the information in the volume layout. By default the screen shows the Volume name, Layout (Partition) Information, the type of disk (either basic or dynamic), the File System type, the status of the drives, and the capacity of the drives. If you scroll over to the right, depending on your console setup, you will also see the free space of the drives, Percent Free, fault tolerant information on the drives and also overhead information on the disk drives.

You can change the view of this console by clicking on View in the top menu and selecting which area you wish to change as shown in Figure 1.2. The Settings options are as follows:

● Top
  ο Disk List – Lists the Disks information.
  ο Volume List – Lists the disk information in a list by volume
  ο Graphical View – Lists the disk views in a graphical format

● Bottom –
  ο Disk List – Lists the Disks information.
  ο Volume List – Lists the disk information in a list by volume
  ο Graphical View – Lists the disk views in a graphical format
  ο Hidden – Only available for the bottom pane. This option hides the bottom portion of the management screen
● Settings –
  ο Appearance – This setting allows you to control how the console displays disk information. The option to color code disk region information such as RAID 5, Disk Spanning, and Free Space available and a myriad of additional information can be set using the Appearance option.
  ο Scaling – The scaling option can be used to show the display proportions in the details pane of the console for disks and areas located on the disk. The proportions can be set based on capacity using logarithmic scaling (which is the default), capacity using linear scaling and all the same size.
● Drive Paths – Drive Path settings for volumes
● Customize – Options that allow you to change or hide screen information.

Figure 1-2: Changing the View of the Disk Management Console

For Figure 1.3 below the top view has been changed using the View | Top | Graphical View settings and the Bottom View has been changed to the Volume List view using the View | Bottom | Volume List option. Other options include the Graphical View and Volume List view. You can also choose to hide the bottom of the screen by choosing the Hide Option from the list. This option is only available for the bottom half of the view.

Figure 1-3: Changing the Views in the Computer Management Console.

Choosing Action from the top of the console will allow you to do the following tasks:

● Refresh – This option allows you to refresh the console screen.
● Rescan Disks – This will allow you to rescan your disks to refresh drive letters, file system information and volume information.
● All Tasks – This will allow you to Configure Shadow Copies.

Figure 1.4 below shows the options that allow you to customize the view of the console screen. This allows you to add or remove the console tree, action and view menus, standard toolbar, status bar, description bar, task pad navigation bar, and add or remove the menus and toolbar snap-in menus.

Figure 1-4: Creating Shadow Copies using the disk management console.

Figure 1.5 below shows the options that allow you to customize the view of the console screen.

Figure 1-5: Customizing your View in the management console.

Once the view has been customized click the OK button. You can also view the Shadow Copy settings as shown below in Figure 1.6 if they have been enabled. Shadow copies by default create two copies of shared folders a day. This can be changed using this console.

Figure 1-6: Enabling Shadow Copies using the Computer management console.

Note that to use Shadow Copies the Task Scheduler must be running. By default copies are scheduled to be taken at 7:00 A.M. and 12:00 noon Monday through Friday. Microsoft has also introduced the Previous Versions option and it is explained in the box below.

Installing software for the new Previous Versions enhancement in Windows Server 2003.

Network Administrators can now take advantage of the Previous Versions software included in Windows Server 2003. The previous version software can be used to allow clients who access shared folders on the network to recover files that have been deleted, or to compare versions of a current and previous working file. To take advantage of this feature, software for accessing previous versions has to be installed on the client desktop. The software can be accessed via the following UNC on the Windows Server 2003: \\server\WINDOWS\system32\clients\twclient\. For Intel x86 clients choose the x86 folder and double-click twclient.msi. The software will then install on the client machine.

Try to remember to save your work frequently because by default the copies made of the work are made on the 7:00 AM thru 12:00 noon schedule and if you have worked on the file at 4:00 PM and revert back to the 12:00 noon file your work will be lost.

Table 1.2 below lists common RAID error messages, causes and possible solutions.

Error Message: Online/Errors
Cause: The dynamic disk has I/O errors on a region of the disk. A warning icon appears on the dynamic disk with errors.
Solution: If the I/O errors are temporary, reactivate the disk to return it to Online status.

Error Message: Missing / Offline
Cause: An Offline dynamic disk might be corrupted or intermittently unavailable. An error icon appears on the offline dynamic disk. If the disk status is Offline and the disk's name changes to Missing, the disk was recently available on the system but can no longer be located or identified. The missing disk may be corrupted, powered down, or disconnected.
Solution: Check to see if a hardware problem exists with the controller or a cable. Make certain the dynamic disk is not corrupted. Repair if necessary. Use the Reactivate Disk command to bring the disk back online. If this does not work then remove the disk from the system.

Error Message: Foreign
Cause: The disk has been moved from the local machine to another machine.
Solution: Add the disk to your computer's system configuration so that you can access data on the disk by selecting the disk and then right-clicking on the Import Foreign Disk option. Volumes on the foreign disk will then be viewable and accessible.

Error Message: Basic Volume with the Failed Status
Cause: The basic volume cannot be started automatically, the disk is damaged, or the file system is corrupt. Unless the disk or file system can be repaired, the Failed status indicates data loss.
Solution: Check the physical properties first then correct any problems if they exist such as controller card and cables. Also, check the Event Viewer for any warnings or error messages pertaining to the disk.

Error Message: Dynamic Volume with the Failed Status
Cause: Dynamic Disk is online but Dynamic Volume is in the Failed status. Dynamic Volume is showing offline.
Solution: Check to see if underlying disks are online. If the disks show they are Offline then try to return the disks to the Online status. The volume should restart automatically if this is successful and the status will return to healthy. Reactivate the disk. Try to manually reactivate the volume. But if the dynamic volume is RAID-5 or mirrored you will need to bring them online first or restart the mirrored or RAID-5 volume manually. After this has been done, run Chkdsk.exe from the command prompt.

Table 1-2: RAID error messages and definitions.

1.2 Monitor server hardware

Administrators have several options they can use to monitor server hardware in Windows Server 2003. Some of those options include: creating baseline hardware counters and Performance Logs and Alerts, device manager, etc. Those options will be outlined in the following section.

Administrators can use counters to monitor server hardware by creating a baseline. A baseline is a level of acceptable performance for the server hardware. Once the baseline has been established you can use the counters to measure performance and give you an idea of how your server hardware is functioning. Counters can sometimes spike based on what is occurring on the system such as services starting or the system rebooting. Do not get these spikes confused with an actual bottleneck. You can now use these counters to monitor hardware on the server.

Microsoft suggests that you collect three types of data on the server to create a counter log. The counter log can be used to give you a total view of the server performance. The three types of data are:

● Baseline Performance – This is the process of gathering information in a slow manner over time. Data can be compared from newer system performance information to historical information that was previously collected. After a few months you should be able to compute an average for the server's performance and use that as a measuring tool for future capacity and growth.
● General Performance – This is used to identify short term developments such as problems which occur after software has been installed on a system (memory leaks).
● Data for service level reports – Depending on the type of company you are involved with you can use this information to make certain that systems in the organization meet specific performance and service levels.

The Performance console consists of the System Monitor and the Performance Logs and Alerts console. System Monitor (aka SYSMON in Windows Server 2000) uses Counters on objects to collect information pertaining to systems. To access the System Monitor click on Start, select Administrative Tools then choose Performance as shown in Figure 1.7. Table 1.4 below shows some available resource counters you can use to set up your system for monitoring using the Performance console.

Figure 1-7: Opening the Performance Console to access the System Monitor.

Once this has opened it will automatically begin to create a counter log by using the default counters in the bottom right of the console. Microsoft has numerous counters available to create counter logs. Information on counters can be obtained through the Properties option on the toolbar and is explained in Table 1.3 below. Additional counters are shown in Table 1.4, which is shown after this table.

System Resource | Counter | Maximum peak
Disk | Physical Disk\% Free Space, Logical Disk\% Free Space | 15%
Disk | Physical Disk\% Disk Time, Logical Disk\% Disk Time | 90%
Disk | Physical Disk\Disk Reads/sec, Physical Disk\Disk Writes/sec | Check with Manufacturer for specifications
Disk | Physical Disk\Current Disk Queue Length | 2 in addition to the number of spindles
Memory | Memory\Available Bytes | For larger memory computers, greater than 4 MB
Memory | Memory\Pages/sec | n pages/sec per pagefile
Paging file | Paging File\% Usage | Above 70%
Processor | Processor\% Processor Time | 85%
Processor | Processor\Interrupts/sec | Depends on processor. 1,000 interrupts per second is a good starting point
Server | Server\Work Item Shortages | 3
Server | Server\Pool Paged Peak | Amount of physical RAM
Server | Server Work Queues\Queue Length | 4
Multiple processors | System\Processor Queue Length | 2

Table 1-3: System Resources, Counters and maximum peaks.
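The baseline and spike guidance in section 1.2, together with the limits in the System Resources table, worked through as an added Python example (not from the book): it reads a counter log saved as a comma-delimited text file, averages each counter into a baseline, and separates short spikes from sustained breaches. The server name, the sample values and the three-sample rule for "sustained" are assumptions made for the illustration.

```python
import csv
import io
import re
from statistics import mean

# Limits taken from the System Resources table on this page.
# Assumption: the 15% free-space figure is a floor, the others are ceilings.
THRESHOLDS = {
    r"Processor\% Processor Time": ("above", 85.0),
    r"Paging File\% Usage": ("above", 70.0),
    r"LogicalDisk\% Disk Time": ("above", 90.0),
    r"LogicalDisk\% Free Space": ("below", 15.0),
}

# Assumption: this many consecutive samples past a limit is a sustained
# condition; a shorter run is treated as a spike (service start, reboot).
SUSTAINED_SAMPLES = 3

# Constructed sample in the comma-delimited layout of a counter log:
# a timestamp column followed by one column per counter path.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\SRV01\Processor(_Total)\% Processor Time","\\SRV01\Paging File(_Total)\% Usage","\\SRV01\LogicalDisk(C:)\% Free Space"
"03/01/2004 09:00:00.000"," ","31.0","40.2"
"03/01/2004 09:00:15.000","97.0","32.0","40.1"
"03/01/2004 09:00:30.000","25.0","33.0","40.0"
"03/01/2004 09:00:45.000","88.0","33.0","14.0"
"03/01/2004 09:01:00.000","91.5","34.0","13.5"
"03/01/2004 09:01:15.000","93.0","35.0","13.0"
"03/01/2004 09:01:30.000","89.0","36.0","12.8"
"03/01/2004 09:01:45.000","30.0","36.0","12.5"
'''


def load_counter_log(text):
    """Return {counter path without machine name: [float or None, ...]}."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    header, samples = rows[0], rows[1:]
    series = {}
    for col, path in enumerate(header[1:], start=1):
        name = re.sub(r"^\\\\[^\\]+\\", "", path)   # drop the \\MACHINE\ prefix
        values = []
        for row in samples:
            try:
                values.append(float(row[col]))
            except (ValueError, IndexError):
                values.append(None)   # blank first sample or short row
        series[name] = values
    return series


def threshold_key(name):
    """Reduce 'Object(instance)\\Counter' to the table's 'Object\\Counter'."""
    obj = re.match(r"[^(\\]+", name).group(0)
    return obj + "\\" + name.rpartition("\\")[2]


def breach_runs(values, direction, limit):
    """Lengths of each consecutive run of samples past the limit."""
    runs, current = [], 0
    for v in values:
        if v is not None and (v > limit if direction == "above" else v < limit):
            current += 1
        elif current:          # a normal or missing sample ends the run
            runs.append(current)
            current = 0
    if current:
        runs.append(current)
    return runs


def analyse(text):
    """Baseline (mean) per counter plus counts of spikes and sustained runs."""
    report = {}
    for name, values in load_counter_log(text).items():
        known = [v for v in values if v is not None]
        entry = {"baseline": round(mean(known), 2) if known else None,
                 "spikes": 0, "sustained": 0}
        limit = THRESHOLDS.get(threshold_key(name))
        if limit:
            for run in breach_runs(values, *limit):
                entry["sustained" if run >= SUSTAINED_SAMPLES else "spikes"] += 1
        report[name] = entry
    return report


if __name__ == "__main__":
    for counter, result in analyse(SAMPLE_LOG).items():
        print(counter, result)
```

In the constructed log the single 97% processor sample counts as a spike, while the four consecutive samples above 85% and the run of free-space readings under 15% are reported as sustained.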

System Monitor can now be configured to create a baseline. Just select the System Monitor from the left console pane and the graph will appear to the right. The Graph can be customized by using the Toolbar above the graph. Also, by right-clicking any blank area in the details pane you can choose to Add Counters, Save, and view properties of the graph. The Add Counters option is shown in Figure 1.8.

Figure 1-8: Adding Counters to System Monitor.

If you wish to create counter logs for a computer other than the local computer select the Select counters from computer option and click on the computer. Choose the performance object you wish to measure performance on and then select the counters from the Select counters from list box at the bottom left of the screen. If you are not quite certain what a counter is supposed to measure you can click on the Explain button to obtain an explanation of the counter. After the counter has been added click on the Close button. You could possibly impede a system's performance if you select all counters because every single process and function that occurs on the computer is being measured. Always try this out on a test lab machine first.

Figure 1-9: Scheduling shadow copies on volumes to run at various intervals.

Figure 1.9 below shows the Toolbar from the Performance Counters and alerts console.


The Performance Logs and Alerts option, which is shown in Figure 1.12, is used to monitor the usage of resources on the operating system.

Figure 1-12: Performance Logs and Alerts option

Figure 1.13 below shows the Toolbar from the Performance Counters and alerts console.

Figure 1-13: The Performance Counters and alerts toolbar for System Monitor.

All of these options on the toolbar have Properties available that can be accessed by selecting the toolbar option then clicking on Properties from the menu. By right-clicking on any of these objects, in addition to changing the properties of the graph, you can also choose to add counters by choosing the Add Counters option and save the graph by selecting the Save As option. The Properties allow you to do any of the following:

● The General tab allows views to be changed such as: Graph, Histogram or Report. Display elements such as Legend, Value bar and Toolbar options. Appearances can be changed into 3D or Flat and Borders can also be added.
● The Source tab allows for data source information to be shown and Database DSN information can be added. A Time Range option is also available if needed.
● The Data tab shows counter information and colors options; scale, width and styles can be modified.
● The Graph Tab will allow you to enter Titles, Vertical Axis information, and show the vertical grid, horizontal grid and vertical scale numbers. The maximum and minimum vertical scale numbers can also be entered here.
● The Appearance Tab allows the Color and Font for the Graph properties to be changed. Select a Graph option in the Color drop-down menu and then choose the Change button; the color wheel will appear allowing you to modify these properties. Choose the Change option under the Font text to change the Font size and type.

Table 1.6 shows toolbar information pertaining to System Monitor in the Performance console.

Option Explanation

● This is the new counter option and allows you to create a new counter log. This button can be pressed or you can hit the CTRL+E from your keyboard to open a new counter log.
● This option allows you to view the current activity of the counters. This can also be accessed by selecting CTRL+T from the keyboard.
● This option allows you to view log data; it can also be accessed via CTRL+L from the keyboard.
● Allows the view to be changed to a Graph View.
● Allows the View to be changed to a histogram.
● Displays a Report on the counters.
● Opens the Add Counter option to allow you to select other computers and also add counters for various Performance objects.
● This is a delete option. When selected will remove counters from the graph.
● This is the highlight option and will highlight the graph when chosen.
● This option will copy to the clipboard the information that was highlighted.
● This option will paste the information that was copied in a statistical format. This is shown in Figure 1.11 after this table.
● This option shows the Properties menu tabs. Selecting this allows you to add counters, save the counter log and view the properties of the log. It is the same as right clicking the option from the toolbar.
● This freezes the display and also may be accessed by using CTRL+F.
● This option Updates data and is only available if the display has been frozen. If the display has not been frozen then this option is not accessible.
● This option displays the help files for the System Monitor.

Table 1-6: The Performance counters and alerts toolbar information.

To Copy items into a file for viewing choose the Highlight option from the toolbar then select Copy command from the toolbar and then open a text editor (this example shows Wordpad) and Right-click in the blank document and click on Paste (alternately you can use CTRL+V from your keyboard) to paste the information into the document. Figure 1.14 below shows the Output of the System Monitor graph from the Copy and Paste options on the toolbar.

Figure 1-14: The Performance Monitor Output file pasted into Wordpad.

The Performance Logs and Alerts option, which is shown in Figure 1.15, is used to monitor the usage of resources on the operating system.

Figure 1-15: The Performance Logs and Alerts tool.

The Performance Logs and Alerts pane tool consists of three parts:

● Counter Logs - These are used to configure performance based data counter logs. New Counter logs can be created from the console by double-clicking Performance Logs and Alerts in the pane and selecting Counter Logs.
● Trace Logs - These record operating system events such as page faults and disk I/O activities.
● Alerts - These can be set to notify the Administrator in the event that a counter has reached a specific threshold that you have set. A program can be run, a message can be sent or an entry into the event log can be made.

Do not get Trace Logs confused with Counter Logs. Trace Logs wait for the event to occur and Counter Logs grab the data from the system as the update interval has finished.

The Performance Logs and Alerts information can be exported into a Microsoft Excel file but because Excel needs total access to the information the Performance Logs and Alerts services will have to be stopped. Transactional based events such as Active Directory and kernel processes can be produced in a report format using the Tracerpt tool, which can be downloaded and will allow you to generate reports in the .csv format as well as generate binary log file reports.

Some new features of the Performance Logs and Alerts tool that were not available in earlier operating system versions include the creation of two new security groups that are meant to ensure that only trusted users have access to the performance data for viewing and manipulation. The two new security groups are the Performance Log Users and the Performance Monitor Users.

• Performance Log Users have the ability to collect data from remote servers or computers using different accounts such as the Administrator account.
• Performance Monitor Users have the ability to monitor performance counters locally from the server as well as from remote clients and do not need to have Administrative rights.

Before you begin to access the Performance Logs and Alerts tool you can check out this Microsoft Windows Server 2003 Resource Kit Performance counters at the following url: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/counters_overview.asp

This URL gives you insight to the performance counters that can be used on a Windows 2003 Server system. The page is shown below in Figure 1.16. It is also a great reference for the numerous counters that are available for use on Windows 2003 Server systems.

Figure 1-16: Windows Server 2003 Resource Kit Performance Counters

Log files can also now be appended to other log files and can be greater than 1 GB in size. To use the Performance Logs and Alerts tool expand the Performance Logs and Alerts tool by double clicking. Three options will appear: the Counter Log, Trace Log and Alerts. Right-click on the Counter Logs to create a new counter log file and choose New Log Settings as shown in Figure 1.17.

Figure 1-17: Creating a New Counter Log.

Enter a name for the Counter Log; for this example the name of the counter log is testlog. This is shown in Figure 1.18.

Figure 1-18: New Log Settings

Click the OK button and the Screen shown in Figure 1.19 below will appear. The General tab shows the current log file name and counter information, and also gives clients the ability to enter a password to run the counters on remote or the local machine if needed.

Figure 1-19: The General Tab for counter logs.

To add object and counters to the log file select Add Objects and the screen shown in Figure 1.20 will appear allowing you to choose to add objects for the local computer counter or you can select the option to add counter objects from other computers from the drop-down menu.

Figure 1-20: Adding Objects to the counter log.

For this example I have selected the Logical Disk object from the list of available objects and then selected the Add button. If you are not certain what the object counter's purpose is you can select the Explain button to view the explanation of the object counter as shown in Figure 1.21.

Figure 1-21: Viewing the explanation for the Logical Disk Performance Counter.

Once this information has been read you can close the explain text box by clicking on the close button at the top right corner of the dialog box. You will then be back to the General tab for the counter log and you will see the Logical Disk performance object listed as shown in Figure 1.22.

Figure 1-22: The newly added Logical Disk Performance object.

You can continue to add more objects by using the same method and you can remove objects by selecting the Remove button. After the Objects have been added to the counter log you can add counters by selecting the Add Counters option the same way the objects were added to the counter log. Once the Objects and Counters have been added you can also change the rate at which the data is sampled by entering the time in the Interval box using the up and down arrows. You can also change the seconds for the data sample by changing the Units. The default unit is seconds and it can be changed using the drop-down menu to minutes, hours and days. If you do not need to set a Run as password leave the box as default then click Apply. The next tab is the Log Files tab and it is shown in Figure 1.23.

Figure 1-23: The Log Files settings for the Counter Log.

This screen gives you the option of changing the log file type from the default Binary File to either a Comma delimited Text File, Tab delimited Text file, Binary Circular File or SQL Database. Choose the option for the log file type and select the Configure option. This is shown in Figure 1.24.

Figure 1-24: Selecting a log file type for the counter log.

The configure log file screen will appear and show the default location for the log file, which is C:\PerfLogs. This can be changed by clicking the Browse button and selecting a new location for the log file. The File name for the log file is shown (remember it was set back in step 1) and you also have the ability to change the size of the log file. Log files can now grow to over 1 GB in size on Windows 2003 Servers. Figure 1.25 shows the configure log file screen. Once the information has been changed click OK. The configure process is not mandatory, so if you do not wish to make the changes mentioned for the log file location, name and size, do not select the configure option from the previous screen.

Figure 1-25: The configure Log File screen.

The last option is the Schedule tab and it allows you to set a schedule for the counter log to run. This is shown in Figure 1.26.

Figure 1-26: Scheduling a time for the logs to begin and end.

The option to set a time for the log to start running can be entered in the Start Log box and the log file can also be set to stop at a certain interval by entering a time and date in the Stop Log box. If you do not wish for the logs to begin and end at default intervals, which should appear as the time you accessed counter log settings, then you can choose the Manually (using the shortcut menu) option and manually start the logs. The Stop option is set to manually by default.

You can also choose to start a new program when this particular log file closes, or you can choose to run a command when the log file closes by clicking the Run this command option. The Browse option will then allow you to browse to the program you wish to run once the log file has closed. Click the Apply button once the necessary changes (if any) have been made and you will be back on the main Performance Logs and Alerts console as shown in Figure 1.27.

Figure 1-27: The newly created counter log in the Performance Logs and Alerts console.

As you can see the newly created counter log appears in the console and the default System Overview is still available (unless you change the name of your log file to System Overview). If a log is running a Green icon will appear. If the log has been stopped then a Red icon will be showing. Click the Start and Stop buttons to control the log file progress.

The next step is to create Trace Logs. Right-click the Trace Logs from the left console and the menu will appear as shown in Figure 1.28.

Figure 1-28: Creating a new trace log.

Choose the New Log Settings option to create the alert. Before we create the alert let’s look at additional options shown on the trace log shown in Figure 1.29.

Figure 1-29: Creating a new trace log.

Figure 1-30: Shows the dialog New Log Settings from option.

This will open up to a location such as your My Documents folder and allow you to select a file that you can use to retrieve log settings from. If you select the View option as shown in Figure 1.30 you will see the ability to change the pane view as shown in Figure 1.31.

Figure 1-31: Shows the dialog View option.

We will skip the New Windows option and move straight to the New Taskpad view. Figure 1.32 shows this screen.

Figure 1-32: Shows the new Taskpad view option.

Figure 1.33 shows the second screen on the wizard that is used to configure a different view for the console.

Figure 1-33: Configuring a new Taskpad view for the Performance Console.

This is the second page of the New Taskpad view wizard and it will allow you to change the styles for the details pane and task description as well as set the size for the list. Choose how you wish to apply these settings and click the Next button. Enter the name and click OK. The wizard will apply the settings and the pane’s view will be modified.

Adding Traces is done in the same manner as shown in the Counter Logs section so I will not go into extended detail at this point again and we can jump to creating Alerts, which is somewhat different. Logman is a command line tool that can be used to schedule performance counter and event trace log collections on local and remote systems. This is a neat tool and is often underutilized. Since the other properties are run of the mill I will not list them here and we will move on to creating the Alert.

Now we can go back to the left side of the pane and right-click on the Alerts option to create a new alert. Our alert will be named testalert.

The next step is to create Alerts using the Alerts option in the console pane. Right-click the Alerts and choose New Alert Settings from the menu as shown in Figure 1.34.

Figure 1-34: Creating new alerts using the Alerts tool in the Performance console.

The New Alert Settings console will appear and prompt you to enter a name for the new alert. Enter a name for the new alert as shown in Figure 1.35. For this example I have chosen alertest for the name of the alert. You cannot use the same name for different Logs and Alerts in the Performance Logs and Alerts console.

Figure 1-35: Entering a name for the Alert.

Click OK to close the New Alert Setting Wizard and a screen will appear as shown below in Figure 1.36.

Figure 1-36: Entering Comments & Counters for Alerts using Alert properties menu.

You can enter a comment regarding this alert in the Comment box, which is always a great thing to do, and you will need to add Counters to the Alert by selecting the Add button. Figure 1.37 shows the screen that appears when you select the Add button.

Figure 1-37: Adding Counters to Alerts.

This screen is literally identical to the one used for the counter logs so I will not go into great detail again. To add a counter, locate the counter in the Select counters from list then click the Add button. As in the earlier section in this chapter, you can choose the Explain button to have a dialog box appear with the explanation of the counter; this is shown in Figure 1.21 earlier in the chapter if you need to reference this information. The counter can be applied to All Instances or the Instance can be chosen by clicking the Selected from the list option shown on the right side of the pane. Once the counter and instances information has been selected click the Close button. Figure 1.38 shows the screen that appears showing the options you have just entered. For this example, I have chosen the counter for Logical Disk Free Space.

Figure 1-38: The Free Space Alert counter used to configure Alerts.

Now you can configure the Alert based on a value on either an Over or Under basis; you also need to enter the Limit in the Limit box. To remove the Counter just select the Remove option on the counter you wish to remove. The Sample Data information is identical to the information shown previously in the chapter so I will not go into great detail regarding the rest of this information. Review the previous Figures 1.22 through 1.26 from pages 31-35 for configuration information for this Alert. The next tab is the Action tab and it is shown in Figure 1.39.

Figure 1-39: The Action Tab for Alert settings.

This tab allows you to configure settings to notify the appropriate personnel in the event that an Alert has been triggered. By default an Entry will be logged in the Application event log. You can also configure a net send message to be sent to the appropriate personnel by clicking on the Send a network message to: option and entering the performance data log can be created by clicking on the Start a performance data log.

Figure 1.40 below shows the options that are available when you choose to Run this program. This option is not available if the Run this program option is not chosen. You have to enter an executable file with the path in the Run this program dialog for this to work properly. Executable files could be .bat, .exe, or any executable file type. It could be a program that is automatically called to send a page to your pager notifying you of this alert.

Figure 1-40: Command line arguments: Choose to Run this Program option.

By default all boxes in the Command Line Arguments screen are checked except the Text Message box. You can check this box and enter a text message in the dialog box and then click OK for the settings to take effect. Figure 1.41 shows the newly created Alert in the console screen. As stated earlier in the chapter, Green beside the Alert means that the alert is running and Red means that the Alert has stopped.

Figure 1-41: A new Alert created in the Performance Management Console.

The previous section covers basic information you can use to create baselines, monitors, and alerts on your Windows 2003 Server systems. You can save and close the Performance Management Console by clicking on File then Save As and enter a name for the Performance Console.
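The counter log and alert steps above can be checked offline once a log has been saved as a Comma delimited Text File. The following is an added example, not from the book: it parses such a log and applies an Over or Under limit to one counter, the way the Alert dialog does. The sample log is constructed, the file is assumed to follow the PDH-CSV layout (timestamp column first, one column per counter path), and the server name and function names are hypothetical.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample (not captured from a real server): 15-minute samples of the
# Logical Disk "% Free Space" counter for two instances. SERVER01 is hypothetical.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Central Standard Time)(360)","\\SERVER01\LogicalDisk(C:)\% Free Space","\\SERVER01\LogicalDisk(D:)\% Free Space"
"03/15/2004 09:00:00.000","22.40","61.05"
"03/15/2004 09:15:00.000","14.10","61.05"
"03/15/2004 09:30:00.000"," ","60.98"
"03/15/2004 09:45:00.000","9.75","60.90"
"03/15/2004 10:00:00.000","8.20","60.90"
'''

# \\machine\object(instance)\counter ; the (instance) part is optional.
COUNTER_PATH = re.compile(
    r"^\\\\(?P<machine>[^\\]+)\\(?P<object>[^\\(]+)"
    r"(?:\((?P<instance>[^)]*)\))?\\(?P<counter>.+)$"
)


def split_counter_path(path):
    """Break a counter path into (machine, object, instance, counter)."""
    match = COUNTER_PATH.match(path)
    if match is None:
        raise ValueError("not a counter path: %r" % path)
    return (match["machine"], match["object"], match["instance"], match["counter"])


def parse_counter_log(text):
    """Return (counter_paths, samples); each sample is (timestamp, {path: value})."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows)
    paths = header[1:]  # column 0 is the timestamp column
    samples = []
    for row in rows:
        if not row:
            continue
        when = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        values = {}
        for path, raw in zip(paths, row[1:]):
            raw = raw.strip()
            # A blank cell means no value was collected for that interval.
            values[path] = float(raw) if raw else None
        samples.append((when, values))
    return paths, samples


def evaluate_alert(samples, path, limit, direction):
    """Return the (timestamp, value) samples that are Over or Under the limit."""
    if direction not in ("over", "under"):
        raise ValueError("direction must be 'over' or 'under'")
    hits = []
    for when, values in samples:
        value = values.get(path)
        if value is None:
            continue  # a missing sample cannot trigger the alert
        if (direction == "under" and value < limit) or (
            direction == "over" and value > limit
        ):
            hits.append((when, value))
    return hits


if __name__ == "__main__":
    paths, samples = parse_counter_log(SAMPLE_LOG)
    for path in paths:
        machine, obj, instance, counter = split_counter_path(path)
        for when, value in evaluate_alert(samples, path, 10.0, "under"):
            print("%s %s(%s) %s = %.2f at %s" % (machine, obj, instance, counter, value, when))
```

Replaying a saved log this way is a quick check that a Limit would have fired on past data before the Alert is relied on.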


1.2.1 Tools used to manage hardware
Hardware Management can be done by Management Consoles, the Windows Device Manager and the command line. The following section covers the options available for managing hardware on Windows 2003 Server systems.

1.2.2 Device Manager
If you have worked in this field for any time over 5 or 6 years you probably remember having to install and configure non-plug and play devices on your Windows NT 4.0 or Windows 98/95 systems. Not to sound completely lame but we have all heard the term “plug and pray” which is usually what we had to do when we installed hardware on any system running Microsoft operating systems. More often than not, even if a device would state it was plug and play you would have to do some configuring on the system. Times have definitely changed and installing hardware has gotten much easier as the Microsoft Operating Systems improve their Plug and Play systems. The term plug and play simply means that the Windows OS will automatically configure the device to work with other devices on the computer in a manner that will not conflict with other hardware already installed. A device uses four resources and they are assigned by the Windows Operating System at the time of the installation of the device. The four resources are:
● Interrupt request line numbers or IRQ
● Direct memory access channels or DMA
● Input/output port addresses or I/O
● Memory address ranges

Once the hardware is installed on the Windows 2003 or Windows XP machine it is given a value. There are times when more than one device is assigned the same value, and the devices will conflict. Using the Device Manager you can manually change the settings for the device to correct the problem. It is not advised that you change Plug and Play device settings. Non Plug and Play devices are not configured by Windows by default; they usually have to be manually configured. Typically jumpers will be on the hardware, which you can set manually, using the instructions supplied with the device. Non Plug and Play hardware that is manually installed cannot be changed in any way by the Windows Operating system.

The next section explains how to use the graphical hardware tool, the Device Manager. The Device Manager first appeared way back with the Windows 95 operating system. It still has a similar feel to the original Device Manager and it is a great tool to use to configure and monitor hardware devices (for errors). Open the Device Manager by any of the available methods:
● Click Start select Administrative Tools and choose Computer Management.
● Right click My Computer click on Hardware then select Device Manager.
● Use the keyboard shortcut WinKey+Pause (the one with the Windows Logo).

Then select the Device Manager tab as shown in Figure 1.42.

Figure 1-42: Selecting the Device Manager from the Systems Properties menu.

If My Computer is not shown on your desktop, it can be viewed by clicking on the Start button (it is shown in the list); just right-click on My Computer in the menu and select Properties from the drop-down menu. If you have the WinKey (it’s the one with the Windows logo) on your keyboard, you can press the WinKey and the Pause button to open the System Properties screen.

The device manager will open as shown in Figure 1.43.

Figure 1-43: Windows 2003 Server Device Manager.

Before we begin it is important to state information pertaining to Plug and Play devices. Devices installed on the system are listed in alphabetical order. To view additional details you can click on the plus sign to expand the devices. For the next example we will look at the Processor information in the Device Manager. Expand the Processor option as shown in Figure 1.44.

Figure 1-44: Viewing info on the System processor using the Device Manager.

The processor for this system is shown as an Intel Pentium III Processor. On servers with more than one processor they will all be listed under the Processor option. If you right-click Processor the menu shown in Figure 1.45 will appear.

Figure 1-45: Options for the Processor in the Device Manager interface.

Available options for all hardware are the option to Update Driver, Uninstall, Scan for hardware changes, or viewing Properties of the hardware. If you choose to Update the Driver (which you should be cautious about doing when updating certain hardware) the Update Hardware Wizard will appear as shown in Figure 1.46.

Figure 1-46: Updating the driver for the Processor in the Device Manager interface.

You have the option to automatically install the software, which is recommended, or if you have the CD-ROM or floppy disk (which is becoming increasingly rare) for the hardware you can click on the Install from a list or specific location (Advanced) then select the Next option. For this example, we will install the software automatically. The wizard will then begin to search specific locations on your hard drive for the drivers as shown in Figure 1.47.

Figure 1-47: The hardware update wizard searching for new software.

Once the wizard finishes the search it will either begin to install the new software or you will receive a screen shown in Figure 1.48 that states it cannot locate new software to install.

Figure 1-48: Hardware update wizard has finished searching for updated software.

You can now either select the Back button to have the wizard search in a new location or you can click the Finish button to have the wizard finish the search and keep the current software intact. For learning purposes we will select the Back button and have the wizard search in a new location as shown in Figure 1.49.

Figure 1-49: Hardware Update Wizard can search for software in specified folders.

Let’s pretend that you have copied the new software for the processor to a directory on your server named newsoftware under the C:\ drive. The software is not in a compressed format and all files are located in the c:\newsoftware folder. Select the Back button and a screen such as the one in Figure 1.50 appears and you can now select the Advanced option to allow the wizard the ability to search for the software in a different location.

Figure 1-50: Choose the search & installation options.

The wizard will appear and allow you to enter the search options for the driver or you can choose to install the best driver from a list of drivers already on the system. For this example, we have the software under the c:\newsoftware folder and we need to choose the Include this location in the search: option and select the Browse button and browse to the c:\newsoftware folder.

You can also manually type the location into the Include this location in the search field if you know where the new software is located, and you would not need to select the Browse option to browse to the location. The Search removable media (floppy, CDROM) option needs to also be unchecked. But if the new software is available in this format, on a floppy diskette, CD-ROM or USB Disk on Key (which emulates an additional drive), you can feel free to insert the removable media into the appropriate hardware and leave the check mark intact. Before we begin to browse to the folder that contains the new software we need to look at the Don’t search, I will choose the driver to install option as shown in Figure 1.51.

Figure 1-51: Selecting the Driver to be installed instead.

Selecting the Driver to be installed instead of searching media for driver information.

Click on the Don’t Search, I will choose the driver to install option and a screen like the one in Figure 1.52 will appear.

Figure 1-52: Selecting the driver to install from a pre-supplied list on the system.

As shown from the list you have the option to install the Intel Pentium III processor or the standard processor driver. Additionally, you can also choose to install the software from the Have Disk option. You can also see the very important note that the driver is digitally signed. Also, for more information you can choose to click on the Tell me why driver signing is important, although information on this is in this chapter. Since the example used here was a processor and not something simpler like a modem, we will leave the current driver intact and not select the standard Processor driver.

Browse to the location of c:\newsoftware. This is done only for the purpose of this example and you would need to browse to the location available on your machine for this to work properly. The Browse location will typically appear at the top-level hierarchy of the system. If the software is not in the proper format (specific .ini files are not in the location) then the OK button will appear as grayed out and you will not be able to use this option.

Once the folder has been located by selecting My Computer and the specific hard drive, which in this case is the C:\ drive, and then drilling down to the c:\newsoftware folder which contains the software files, just click on the OK button. The software wizard will begin to install the new software and the process will be completed. Once the wizard has finished just click the Finish button. Another available option that is shown when the hardware has been right-clicked on in the Device Manager is the option to uninstall the object as shown in Figure 1.53.

Figure 1-53: Choosing to uninstall Hardware from the device manager.

If you choose to uninstall a device do so with caution. For this example, I am not about to uninstall my Processor; it could render my system unstable or unusable, especially because I only have one processor installed on the machine that I am currently working on for this review. Also know that you will not get a second warning notice or a wizard once you select the OK button to uninstall. The object will be removed from the system and only reinstalled if you use the Add New Hardware Wizard option or reboot the Server for Plug and Play devices. Click the OK button if you are certain you wish to uninstall the hardware from the system.

Figure 1-54: The Warning message that appears once you choose to uninstall a device.

Figure 1.55 shows the device manager listing after I uninstall my Lucent WinModem from the system.

Figure 1-55: The Device Manager after a Modem Uninstall.

As you can see from Figure 1.55 the Modem is not listed in the hardware list as it was in Figure 1.42 a few pages back.

Once the hardware has been removed you can also scan the system for hardware changes. It should also reinstall the Lucent WinModem. Figure 1.56 shows the Scan for Hardware Changes option.

Figure 1-56: Using the Scan for Hardware Changes option from the Device Manager.

Just click on the option and the wizard will begin to search for hardware changes and if the hardware is found then the Wizard will prompt you to install the software for the newly found Hardware as shown in Figure 1.57.

Figure 1-57: The Scan for Hardware Change Wizard.

This is the same wizard that was covered in previous pages of this book so you already know how to use this wizard. The Scan for Hardware Change wizard can also be found at the top of the Device Manager under the Action menu as shown in Figure 1.58.

Figure 1-58: Accessing the Scan for Hardware Change Wizard from the Action menu.

Also, as you can see from the list, the Scan for hardware changes option found and reinstalled the Lucent WinModem that was uninstalled in the previous step; this is shown below in Figure 1.59.

Figure 1-59: The reinstalled Lucent WinModem Hardware from the Device Manager.

The Action menu also will give you the opportunity to print information from the Device Manager by selecting the Print option and it shows a Help option. It also has the same menu items that can be accessed when you right-click hardware in the Device Manager.

1.2.3 The Hardware Troubleshooting Wizard
The Windows Hardware Troubleshooter is available for you to use to troubleshoot those pesky hardware issues that you are having difficulty correcting. Open the Device Manager by any of the available methods:
● Click Start select Administrative Tools and choose Computer Management.
● Right click My Computer click on Hardware then select Device Manager.
● Use the keyboard shortcut WinKey+Pause.

Figure 1-60: The device has no errors showing in the device manager.

Notice in Figure 1-60 above that the device does not show any hardware problems. This may seem redundant but it is extremely important that you understand how the Device Manager lists device errors.

For this example we will troubleshoot the COM Port hardware. Scroll down to the Ports (COM & LPT) and expand by double-clicking the Ports (COM & LPT) listing. Right-click the COM1 port and select Properties. Figure 1.61 shows the screen.

Figure 1-61: The Properties of the COM Port device.

It is important to know that if the device is not having a configuration problem the General tab above will show you that it is working properly as shown in the Device Status pane. So you would not need to troubleshoot this device. But if the device was not functioning properly you would see it listed in the Device Manager as shown below with a warning icon as shown in Figure 1.62.

Figure 1-62: Hardware device that has a warning.

Figure 1.63 below shows an IBM PC Camera that has been disabled.

Figure 1-63: Hardware device that has been disabled in the Device Manager.

The hardware can easily be re-enabled by right-clicking the device and choosing the Enable option as shown below.

Figure 1-64: Re-enabling a device, in the Device Manager.

Once the device has been enabled the red X will disappear and the device will be listed as normal as shown in Figure 1.65.

Figure 1-65: The re-enabled device in the Device Manager.

If a Yellow exclamation appears over the device this means that the device needs some assistance and you can use the Hardware Troubleshooter to work on the issue.

Figure 1-66: General Tab showing the device needs some technical assistance.

Click the Troubleshoot button and the Wizard will begin as shown in Figure 1.67.

Figure 1-67: The Windows 2003 Server Hardware Troubleshooting guide.

Click the Next button and the Wizard will open the screen shown in Figure 1.68.

Figure 1-68: The Hardware Troubleshooter wizard.

You have the option of going to the Microsoft Web Site to check the Hardware Compatibility List (HCL) at http://www.microsoft.com/windows/catalog/server/. Three options are available to you on this screen:
● Yes, my hardware is on the HCL, or I have already contacted the manufacturer and installed updated drivers, but I still have a problem. This will take you to another screen as shown in Figure 1.69.
● No, my hardware is not on the HCL. I will contact the manufacturer for further assistance. The Wizard will stop.
● I want to skip this step and try something else. With this option the wizard will show the same screen as you get when you select the Yes option shown in Figure 1.69.

For this example we will choose the Yes option, taking into consideration that we have checked the HCL and the hardware is listed.

Figure 1-69: Hardware troubleshooting guide for devices.

This screen will prompt you for device driver information. Use the instructions that are listed on the screen. You have three more options:
● No, I still have a problem. If you have not installed the driver and are still having an issue you can choose this option.
● Yes, this solves the problem. This option can be used when you need to roll back the driver to an earlier version.
● You can also select the No, I still have a problem, Or, I do not have an earlier driver to roll back to option. Figure 1.70 shows this screen.

I want to skip this step and try something else will show the same screen as the one shown with the No, I still have a problem, Or, I do not have an earlier driver to roll back to option above.

Figure 1-70: Choosing Device Driver troubleshooting options.

Choose the No option and the wizard will appear as shown in Figure 1.71 that suggests that you contact the Hardware Manufacturer for assistance.

Figure 1-71: Troubleshooting the device with the Hardware Troubleshooting Wizard.

This is pretty much the end of the road for the wizard. Hopefully you will not have to go this deep into the wizard to troubleshoot the device and installing new drivers will solve the issue. If you are still having a problem the device could be bad.

1.3 Optimize server disk performance
Disk Performance plays a very important role in relation to performance on a Windows 2003 Server. If you do not implement disk drive setup properly your organization could experience data loss. Implementing, Maintaining and Troubleshooting Disk performance is a skill that needs to be used time and time again on servers within your organization. The following sections explain how to use the software on a Windows 2003 Server to implement and manage disk drives on a Windows 2003 Server.

1.2.1 Implement a RAID solution
Redundant Array of Inexpensive Disks or RAID has been in use for years to allow network Administrators the ability to provide fault tolerance or hard drive performance stored on disks. Fault tolerant volumes are disks that use some type of Redundant Array of Inexpensive Disk (RAID) configuration to increase either performance or reliability. Fault tolerant volumes on basic disks are no longer supported in Windows Server 2003. Not all RAID configurations provide for redundancy of information. Some RAID configurations such as Striping are to be used when performance means more to the network than fault tolerance.

If you are fortunate enough to have a server in your lab that has the hardware to support RAID you can really learn it well and try the various RAID types in a controlled environment. This really will help you if you are in a real-world situation and have to rebuild a RAID setup. The lists are split into most commonly used and less commonly used RAID types.

● RAID-0 Disk Striping – Best to use if performance is needed at an optimal level but no fault tolerance is configured. This means that if one drive fails the data IS NOT redundant across the other disks and you would have to use a restore method (such as backup tapes) to restore your data.
● RAID-1 – Disk Mirroring. All data is duplicated from one drive onto another disk drive. If either drive fails no data loss will occur.
● RAID 5 – Disk Striping with parity. Data is striped at block level across several drives (at minimum three drives) with parity. Parity is important because if any single drive fails then recovery can occur from any of the other single drives. RAID 5 is a low cost solution for data protection. RAID 5 only works with Windows 2003 Servers that have the dynamic disks enabled and it cannot be extended or mirrored.
● RAID 10 – This RAID type implements RAID 1 arrays as stripes. The cost is much higher than a RAID 1 configuration.

Less Commonly used RAID types.
● RAID 2 and RAID 3 – These are similar RAID types. These use striping (no fault tolerance across disks). The main differences between RAID 2 and RAID 3 are that RAID 2 actually uses some of the disk area for error checking and RAID 3 uses one drive for storing only information related to drive parity.

● RAID 4 is used to read information from any drive; it has no advantages over RAID 5 because it has write limitations.
● RAID 6 – Same features as RAID 5 but also has an additional parity scheme that is sent across multiple drives. It is extremely fault tolerant and is not commonly used in networked environments.
● RAID 7 – Only one vendor on the market offers this RAID type. The controller is embedded with a real time operating system.
● RAID 53 – Each stripe in the array is a RAID 3 array. The cost is high.

Also, Windows 2003 Server uses different names than its predecessor Windows NT 4.0 for disk sets on a dynamic disk. Remember this before you get started in this chapter if you have worked in the Windows NT 4.0 environment.
● The Windows NT 4.0 name for a Volume set is the equivalent to a Spanned volume on a dynamic disk in Windows 2003 Server.
● The Windows NT 4.0 name for a Mirrored volume is the equivalent to a Mirrored volume on a dynamic disk in Windows 2003 Server.
● The Windows NT 4.0 name for a Stripe set is the equivalent to a Striped volume on a dynamic disk in Windows 2003 Server.
● The Windows NT 4.0 name for a Stripe set with parity is the equivalent to RAID 5 volumes on a dynamic disk in Windows 2003 Server.

The Disk Management console is used by the Windows 2003 Server operating system to manage disks and can be accessed by clicking on Start, choosing All Programs, then clicking on Computer Management. Locate the Disk Management console on the left preview pane and double-click to open as shown in Figure 1.72.

Figure 1-72: The Disk Management console.
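The parity recovery described for RAID 5 in the list of RAID types above can be shown with XOR parity. This is an added example, not from the book: data is striped at block level across three drives with a rotating parity block, one drive is lost, and its contents are rebuilt from the surviving drives. The block size, function names and sample data are assumptions chosen for illustration, and the layout is not claimed to match what Windows writes to disk.

```python
from functools import reduce


def xor_blocks(blocks):
    """Byte-wise XOR of equally sized blocks."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_drive_for(stripe, n_drives):
    """Rotate the parity block across the drives, one position per stripe."""
    return (n_drives - 1 - stripe) % n_drives


def stripe_raid5(data, n_drives=3, block_size=4):
    """Split data into stripes of (n_drives - 1) data blocks plus one parity block.

    Returns one list of blocks per drive.
    """
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = (n_drives - 1) * block_size
    padded = data + bytes(-len(data) % per_stripe)  # zero-fill the last stripe
    drives = [[] for _ in range(n_drives)]
    for stripe, offset in enumerate(range(0, len(padded), per_stripe)):
        chunks = [
            padded[offset + i * block_size: offset + (i + 1) * block_size]
            for i in range(n_drives - 1)
        ]
        parity = xor_blocks(chunks)
        data_blocks = iter(chunks)
        for drive in range(n_drives):
            is_parity = drive == parity_drive_for(stripe, n_drives)
            drives[drive].append(parity if is_parity else next(data_blocks))
    return drives


def rebuild(drives):
    """Rebuild the one failed drive (given as None) from the survivors.

    XOR of every surviving block in a stripe equals the missing block,
    whether the missing block held data or parity.
    """
    failed = [i for i, drive in enumerate(drives) if drive is None]
    if len(failed) > 1:
        raise ValueError("single parity cannot recover more than one failed drive")
    if not failed:
        return [list(drive) for drive in drives]
    survivors = [drive for drive in drives if drive is not None]
    rebuilt = [xor_blocks(stripe) for stripe in zip(*survivors)]
    return [rebuilt if drive is None else list(drive) for drive in drives]


def read_raid5(drives, length):
    """Reassemble the original data, skipping the parity block of each stripe."""
    n_drives = len(drives)
    out = bytearray()
    for stripe in range(len(drives[0])):
        skip = parity_drive_for(stripe, n_drives)
        for drive in range(n_drives):
            if drive != skip:
                out += drives[drive][stripe]
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"Windows Server 2003 dynamic disk volume data"  # constructed sample
    array = stripe_raid5(payload)
    damaged = [array[0], None, array[2]]  # drive 1 has failed
    print(read_raid5(rebuild(damaged), len(payload)) == payload)
```

With two drives marked as failed, `rebuild` raises an error instead of returning data, which is the limit of a single parity block per stripe.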

The right side of the pane is used to show information pertaining to disk drives. The bottom of the right pane is used to show a graphical layout of the disks and can easily be modified by right-clicking on the drive as shown in Figure 1.73.

Figure 1-73: Modifying a hard drive using the Computer Management console.

The General tab allows you to:

● Name the volume.
● View Used and Free space in a graphical format.
● Clean up the disk (remove temp files, empty recycle bin, etc.).
● Compress the drive contents, which will save space.
● Turn on Indexing to allow for faster searches on the drive.

The Tools tab allows for:

● Error checking on the drive.
● Defragmenting the drive.
● The option to back up the drive. If you use Microsoft Exchange 2003 Server on the Windows 2003 Server you have the option to use the backup here to back up an online Exchange 2003 Information store.

The Hardware tab allows you to:

● View the hard drive hardware type.
● Troubleshoot hard disk drives using the wizard.

If you select the Properties option for the drive you will have four tabs that show information for: Device status, Policies, Volumes and drivers installed. The Policies tab should be of special interest to you because it allows you to set optimization options for the disk. The options are to optimize for safe removal or to optimize for performance.

The Sharing tab allows you to set options such as:

● Sharing the drive for others to access.
● Setting user limits on the drive.
● Set Access Permissions, which is covered more in Chapter three of this book.
● Set offline settings for access to information while offline.

The Security tab is used to:

● Add or Remove Users or Groups from the server. It also has a setting in the lower pane for Administrative access permissions.

The Shadow Copies tab is new to the Windows 2003 Server. This is a new feature included in Windows 2003 Server. It is used to create copies of shared folders from previous points in time. The Shadow Copies tab has the following properties:

● The ability to Enable or Disable shadow copies on Volumes. It also allows Administrators the ability to select a storage area and size limit (if needed) for the shadow copies. Two copies are created per day by default. The copies may also be scheduled to run at specific times using the Schedule option after the Setting option has been chosen.

● The final tab is the Quota tab and it is used to set disk quotas of disk drives. Quota management is disabled by default and must be enabled for use. The Quota Entries option opens a new screen and allows you to set Quota limits and warning levels. You can use this screen to add more quota limits and apply them to specific users using the Quota toolbar.

This console is also used to change drive letters. You can change drive letters by right-clicking the drive in the console and selecting the Change Drive and Path option.

FTOnline

The FTOnline command-line tool can be used on Fault Tolerant disks to mount and recover files on Windows Server 2003 systems that have been upgraded. Once the server has been rebooted the disks are not mounted by FTOnline.

1.2 Defragment of volumes and partitions

Defragmenting a hard disk drive can often improve performance and should be used often on the server. Right-click the drive you need to defragment and click the Properties button, then select the Tools tab. Choose the Defragment Now option and a new screen will appear, as shown in Figure 1.74, that allows you to choose the options for defragmenting the drive. You can choose to analyze and not defragment the drive by selecting the Analyze option.

Figure 1-74: Analyzing a volume using the Disk Defragmenter tool.

The Analyzer can be stopped and restarted or paused using the options in the pane. If you wish to defragment the drive you can use the Defragment option in the pane as shown in Figure 1.75.

Figure 1-75: Defragmenting a volume using the Disk Defragmenter tool.

You can use a scheduled task to keep the disk drive in a defragmented state, which will enhance the performance of the disk.

Using multiple monitors in Windows Server 2003

Windows Server 2003 supports the use of up to 10 monitors. This is great if you need to view multiple programs on the same server. Try this in the test lab before you go live in your network environment with this setting.

Open the Control Panel. Click Display. Make certain that the Display type is not VGA by using the Settings option. If the monitor is VGA, check with the manufacturer of the card to see if drivers are available for Windows Server 2003. Make sure that the color depth is set to at least 256 colors or at least 16 BPP or bits per pixel. Power off the computer. Check the additional VGA card to make certain the VGA-disabled setting is selected. The instructions with the card should have how to make this change on the actual card. Install the secondary card into the server and connect the two monitors to the video cards. Make sure the monitors are powered up after they are connected to the server with the power off on the server. Power on the server. The primary card is controlling the monitor you are viewing while the system is booting up into Windows Server 2003. The new video card should be detected and the drivers should be installed as long as the video card and monitor are both Plug and Play. Open the Display settings by right-clicking your desktop and selecting Properties, then Settings. Select the new monitor and choose the Extend my Windows desktop onto this monitor option. This can be done for each monitor you wish to install. For troubleshooting tips see the Microsoft Knowledgebase Article 328312 at http://support.microsoft.com.

1.4 Troubleshoot server hardware devices

Much of the troubleshooting of devices was handled previously in the chapter. This section will cover the advanced troubleshooting skills needed.

1.4.1 Diagnose and resolve issues related to hardware settings

The Device Manager can be your best ally when you are trying to diagnose and resolve hardware issues on your server. If you are the type of technical person who enjoys building your own servers, make certain that you check the Microsoft Hardware Compatibility List (HCL), or that the parts have the Windows Logo, before you purchase parts for the server. If you stick with the parts on the HCL then you should not have many issues when installing your Operating System on the server. The following sections pertain directly to solving hardware issues.

1.4.2 Diagnose and resolve issues related to server hardware

In certain cases where an unknown driver is installed on your Windows 2003 Server you have various methods to troubleshoot unknown drivers showing in the Device Manager, such as:

● Booting the System in the Safe Mode – This should be one of the first things to try.
● System Information tool
● Use the Event log to check for errors

To boot the machine into Safe Mode, press the F8 key on your keyboard while the server is booting up. Choose the Safe Mode and press the Enter button. Check the Device Manager for the unknown device to see if it is still listed. If it is, try removing it from the list and rebooting, then reinstalling the driver software.

The System Information tool can also be used to troubleshoot driver upgrades and unknown devices on the server. To run the System Information Tool:

• Click Start, and then click Run.
• Type Msinfo32.exe and press the Enter key.

This is shown in Figure 1.76 below.

Figure 1-76: The System Information Tool.

As you can see from the right pane, you have to have the Windows Management Instrumentation (WMI) software installed on the server. The Hardware portion of the tool will not work without the Windows Management Instrumentation software installed, but the Software function of the tool will work fine. WMI was formerly known as WBEM. The WMI Software Development Kit can be downloaded at http://www.microsoft.com/msdownload/platformsdk/sdkupdate/.

The Microsoft TechNet site also has a lot of information on WMI and how it can be used to run scripts. Anyway, after you have WMI installed, click the Components folder and devices that are installed on the server are shown, then click the sub-component and the properties will be shown in the display pane. The columns listed below are shown:

● Device – This shows the name for the device and the driver associated to the device.
● PnP Device ID – Shows the device IDs such as PCI ID, ISA ID, and ID for unknown or other bus types.
● Error Code – Displays the error code associated with the problem.

Problem Devices – Three types of records can be shown depending on the device in question:

● PCI PnP Device ID: Device Name | PCI\VEN_00000&DEV_0000&SUBSYS_00000000&REV_00\0&0000 | Error code
● ISA PnP ID: Device Name |?\PNP0000\0
● Bad or Incompatible Device Driver: Device Name | ROOT\UNKNOWN\0000

Using the Device Manager Error code you can determine what created the problem, such as an unknown device error. Often devices may be listed as serial devices, but not be related to the serial port. This can happen if a partial Plug and Play ID is available and interpreted as a serial device.

The Setupapi.log file can be used to assist you with identifying objects that could have created the Unknown Device in the Device Manager. If software is the problem for the Unknown Device, use the Device Manager to remove the unknown device and reboot the server.
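The three Problem Devices record layouts described above can be told apart mechanically. The following Python sketch is an added example, not part of the book or of any Microsoft tool: it assumes the records were copied out of System Information as pipe-separated text, and the function names and sample lines are constructed for illustration.

```python
import re

# Record layouts as the text gives them for the Problem Devices view:
#   PCI PnP:    Device Name | PCI\VEN_x&DEV_x&SUBSYS_x&REV_x\instance | Error code
#   ISA PnP:    Device Name | ?\PNPxxxx\instance
#   Bad driver: Device Name | ROOT\UNKNOWN\instance
PCI_RE = re.compile(
    r"^PCI\\VEN_(?P<vendor>[0-9A-F]{4,5})&DEV_(?P<device>[0-9A-F]{4})"
    r"(?:&SUBSYS_(?P<subsys>[0-9A-F]{8}))?(?:&REV_(?P<rev>[0-9A-F]{2}))?"
    r"\\(?P<instance>.+)$",
    re.IGNORECASE,
)
ROOT_UNKNOWN_RE = re.compile(r"^ROOT\\UNKNOWN\\(?P<instance>.+)$", re.IGNORECASE)
ISA_RE = re.compile(r"^[^\\]*\\(?P<pnp>PNP[0-9A-F]{4})\\(?P<instance>.+)$",
                    re.IGNORECASE)

# A few Device Manager error codes and their meaning.
ERROR_HINTS = {
    10: "device cannot start",
    12: "not enough free resources (resource conflict)",
    28: "drivers are not installed",
}

# Follow-up per record type, taken from the steps in the text.
NEXT_STEP = {
    "pci": "identify the card from its vendor/device ID and get an updated, "
           "signed driver from the manufacturer",
    "isa_pnp": "check Setupapi.log for what created the device entry",
    "bad_driver": "remove the unknown device in Device Manager and reboot",
    "other": "review the Device Manager error code",
}


def classify_pnp_id(pnp_id):
    """Return (kind, captured id fields) for one PnP Device ID string."""
    for kind, pattern in (("pci", PCI_RE),
                          ("bad_driver", ROOT_UNKNOWN_RE),
                          ("isa_pnp", ISA_RE)):
        match = pattern.match(pnp_id)
        if match:
            return kind, match.groupdict()
    return "other", {}


def parse_problem_device(line):
    """Parse one 'Device Name | PnP Device ID [| Error code]' record."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) < 2 or not fields[0] or not fields[1]:
        raise ValueError("not a Problem Devices record: %r" % line)
    kind, ids = classify_pnp_id(fields[1])
    code = None
    if len(fields) >= 3:
        digits = re.search(r"\d+", fields[2])
        code = int(digits.group()) if digits else None
    return {
        "name": fields[0],
        "pnp_id": fields[1],
        "kind": kind,
        "ids": ids,
        "error_code": code,
        "error_hint": ERROR_HINTS.get(code),
        "next_step": NEXT_STEP[kind],
    }


def triage(text):
    """Parse every non-blank line of an exported Problem Devices listing."""
    return [parse_problem_device(l) for l in text.splitlines() if l.strip()]


# Constructed sample records, one per layout (not taken from a real server).
SAMPLE = r"""
Ethernet Controller | PCI\VEN_8086&DEV_1229&SUBSYS_00000000&REV_08\3&0000 | 28
Unknown device |?\PNP0501\0
Unknown device | ROOT\UNKNOWN\0000 | 10
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print("%-20s %-11s code=%-4s -> %s" % (
            rec["name"], rec["kind"], rec["error_code"], rec["next_step"]))
```
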

1.4.3 Diagnose and resolve issues related to hardware driver upgrades

For troubleshooting Unknown Device driver issues you can open the Device Manager. Right-click on the device and you will see the General and Driver tabs. The General tab shows you the error message that the device is not installed correctly and gives you the option to reinstall the driver, as shown in Figure 1.77 below.

Figure 1-77: The General Tab of the Unknown device.

The Driver tab of the Unknown device gives you options to view Driver Details, Update the driver, Roll back the driver or Uninstall the driver, which is shown in Figure 1.78.

Figure 1-78: Unknown device Driver details.

At the top of the screen you can also see that the Driver Provider is unknown, Driver date is Not available, Driver Version is not available and the Driver Signer is not digitally signed. Find an updated driver from the Manufacturer if available and choose the Update Driver option to correct the problem. If you try this step and the device still is failing, use the Roll Back Driver option to roll back to the previously installed driver. The Uninstall Driver option completely uninstalls the driver for the device.

1.5 Install & configure server hardware devices

Installing devices on Windows Server 2003 systems is easier to do than installing and configuring hardware devices years back before Plug and Play. Not all hardware is compatible with Windows Server 2003 systems. If you check the Windows Hardware Compatibility List before you purchase hardware, so you can make certain that the hardware is on the list, you should have no problems, unless the hardware itself is faulty. When installing hardware always make certain that you use the proper safety precautions. If you need assistance with installing the hardware into the server you should contact the hardware manufacturer. This section will show you how to configure and troubleshoot the device after the hardware has been installed.

1.5.1 Configure driver signing options

To allow the Microsoft Operating System software to function properly with various manufacturers' hardware, the drivers for the hardware all include a digital signature. The digital signature can be described as a type of "approval" for the hardware. This means that the hardware has met a specific testing level and that it has not been changed by another process on the machine. Some hardware manufacturers tout the Designed for Microsoft Windows 2003 Server logo, which means that the product has been tested specifically for Windows 2003 Server environments.

The Windows 2003 Server operating system uses three features to guarantee that the device driver has not been altered and is in its original pristine state:

● File Signature Verification
● System File Checker
● Windows File Protection

Regardless of whether you are a newbie to the industry or have worked in the industry for any amount of time, you have most likely had to troubleshoot a system for driver problems. Imagine if the check points were not in place and you installed hardware that had not been tested, with device drivers that have not been digitally signed: you could end up with an extremely unstable server that crashed often. This is not to say that all unsigned device drivers and hardware without the Microsoft Logo can cause a system to crash, but it is always wise to check the Microsoft site for a listing of compatible hardware to use on a server.

To check for System compatibility use the msinfo32 tool. Click on Start then Run and type msinfo32. The System Information tool will process and open, then you can select the Tools option and the File Signature Verification Utility from the list shown in Figure 1.79.

Figure 1-79: Shows the first screen of the Wizard.

Once this has been selected you can choose the Advanced option and two additional tabs will appear as in Figure 1.80.

Figure 1-80: Shows File Signature Verification wizard.

Select the Advanced option and two additional tabs will appear as shown in Figure 1.81.

Figure 1-81: The Advanced properties of the Signature Verification Wizard.

Select the Search tab and you have options to select for notification, search options and folders for the wizard to search. The Logging tab is shown in Figure 1.82.

Figure 1-82: Logging option for the Advanced File Signature Verification wizard.

This tab is used to allow you to save the results of the file to a log file. The default log file name is SIGVERIF.TXT. After these settings have been selected you can choose the OK button to go back to the main screen of the wizard. Click the Start button and the scanning will begin as shown below in Figure 1.83.

Figure 1-83: The File Signature Verification is beginning the file listing process.

After the file list has been built the scan will begin. Figure 1.82 shows the scan in progress.

Figure 1-84: The File Signature Verification is beginning the scan process.

You can choose to stop the process at any time by clicking on the Stop button. After the scan has completed the results are displayed as shown below in Figure 1.85.

Figure 1-85: The File Signature Verification results.

The listing shows the files that are on the system and are not digitally signed. For the files not signed above, the hardware manufacturer can be contacted, or a quick visit to the website should allow a check for updated Windows driver files.

The log file looks like the one below in Figure 1.86. It is automatically created when you run the signature verification tool. This text file lists all files that were scanned and has multiple pages. It lists the File, modified date, version, status, catalog and program it was signed by. You can access the Advanced properties of the tool to change the name of the text file as well as the location of the file.

Figure 1-86: The File Signature Verification sigverif.txt file.

1.5.2 Configure resource settings for a device

Configuring resource settings for devices can be done by opening the Device Manager and selecting the device from the list. Figure 1.87 shows a hardware device that has a conflict.

Figure 1-87: Hardware device with a conflict in the Device Manager.

Figure 1.88 shows the Resources tab, which is accessed by right-clicking the device and choosing the Set configuration manually option.

Figure 1-88: The resources tab of the Unknown Device.

After the Set Configuration manually option has been chosen, the screen shown in Figure 1.89 will appear, allowing you to select the options you wish to change.

Figure 1-89: Changing resources manually on an unknown device.

Uncheck the Use Automatic Settings option and select the Resource Type with the conflict, which in this case is the I/O Range and the IRQ resource. Choose the I/O Range with your mouse (one click) and once it is highlighted choose the Change Setting option and a drop-down menu will appear as shown in Figure 1.90.

Figure 1-90: Forcing a change of settings on the Unknown Device.

For this example, the Basic Configuration 0001 is chosen. Once it is selected the I/O Range and IRQ show no conflicts, but the DMA range still shows a ?, meaning it needs additional modification, as shown in Figure 1.91.

Figure 1-91: The DMA range with a conflict.

Click the Change Setting option again with the DMA resource chosen, as shown below.

Figure 1-92: Entering a Value for the DMA range.

Use the up and down arrow keys to select a range for the DMA, and in the Conflict Information box make certain it is showing the No Device are conflicting notice, then click OK to make the changes. You will be prompted, as shown in Figure 1.93, to make the changes you have chosen.

Figure 1-93: Creating a Forced Configuration on hardware.

Once you have chosen to apply the configuration changes you will be prompted to restart the computer. Figure 1.94 shows this dialog box.

Figure 1-94: Restarting the Server after the Device resources has been modified.

Note that until the server is restarted it will still be showing the Warning sign. Restart the server and check the Device Manager again for the hardware. It should be showing without any warning messages.

1.5.3 Configure device properties and settings

Configuring device property settings can be done by using the Device Manager on the Windows 2003 Server. Open the Device Manager and select the hardware you wish to modify properties on, and remember that most Plug and Play devices will not allow you to change the settings. Figure 1-95 shows the Resource tab for the Network Adapter Card and how its settings are automatically selected and cannot be changed in this manner.

Figure 1-95: Automatic settings for a network adapter card that cannot be modified.

The Automatic Setting option will be automatically selected and be grayed out, as shown above for the Network Adapter card installed on a server.

Figure 1-96 shows resources for a COM port installed on the system that can be modified.

Figure 1-96: Modifying Resources for a COM port.

Using the Settings based on option, choose a Basic Configuration to use for the COM port. The IRQ was set to the default I/O Range of 03F8 and IRQ 4. Figure 1-97 shows the I/O Range and IRQ changes.

Figure 1-97: The new Resource settings for COM1.

Note that the I/O Range has been changed to 03E8 and the IRQ has been changed to IRQ COM4. These settings are the default settings for COM3 and would conflict if COM3 was installed on this server. As a note, most times this is set by the BIOS of the Motherboard and you would have to also go into the Setup properties on the BIOS when the server is restarting and change the Onboard Settings for the COM Port.

Once this section has been completed you are ready to move onto the next chapter, which will cover how to manage users, computers and groups. Check back to this chapter for a reference guide, especially when optimizing server performance and installing hardware on the server.

How can you accomplish this? A. Go into Control Panel and select Computer Management. Right-click free space on an extended partition where you want to create the logical drive. Go into Computer Management and select Disk Management. and then click New Logical Drive.100 Physical and Logical Devices Chapter 1: Review Questions 1. and then click New Logical Drive. D. Right-click free space on an extended partition where you want to create the logical drive. Go into Control Panel and select Disk Management. Right-click free space on an extended partition where you want to create the logical drive. and then click New Logical Drive. Use the New Partition wizard. and then click New Logical Drive. Go into Computer Management and select Disk Management. Right-click used space on an extended partition where you want to create the logical drive. B. You decide to create a logical volume on your Server 2003 machine using Disk Management. Use the New Partition wizard. Use the New Partition wizard. Use the New Partition wizard. C. .

B.Windows Server 2003 101 2. You attempt to access your H: drive. but you find that the status of the G: drive is offline with errors. but you find that the status of the H: drive is missing. Double-click the disk. 3. Partition the disk C. Right-click the disk. and then click Enable Disk to return the disk to regular Online status. Verify that the physical disk is correctly attached to the computer . D. Right-click the disk. Double-click the disk. and then click Reactivate Disk to return the disk to regular Online status. and then click Reactivate Disk to return the disk to regular Online status. What action should you take to change the status of the G: drive to online? A. Check for problems with the hard disk B. Reactivate the disk to Online status D. What action should you take to change the status of the H: drive to online? A. You attempt to access your G: drive. Reformat the disk E. C. and then click Enable Disk to return the disk to regular Online status.

You want to make sure that the junior network associates install only Microsoft signed drivers on the 2003 server that handles file and print services for the network. select the hardware tab. In System properties. How can you do this? A. Set the driver signing option to block when you attempt to install unsigned drivers. Click the driver signing button. Set the driver signing option to warn when you attempt to install unsigned drivers. A NIC card that is set for 10 Mbps when it should be set to 100 Mbps C. An unplugged NIC card B. In System properties. Which of the following situations with a NIC card could produce a bottleneck? A. A fibre channel NIC .unsigned drivers. C. Set the driver signing option to kill when you attempt to install. 5. B. Set the driver signing option to ignore when you attempt to install unsigned drivers. D. Click the driver signing button. In System properties.102 Physical and Logical Devices 4. In System properties. select the hardware tab. Click the driver signing button. An older network card that is installed on a new server D. select the hardware tab. Click the driver signing button. select the hardware tab.

What actions are necessary to configure these cards? A. E. On the View menu. With the ISA card. B. Press CTRL+ALT+DEL.Windows Server 2003 103 6. simply plug in the device. turn off the computer to install the device. D. D. With the ISA card. Press CTRL+ALT+ESC. On the Processes tab. Click the Processes tab to monitor the running processes. C. How can you perform real-time monitoring by using Task Manager? A. . 8. and then click Task Manager. you will have to manually configure the card. C. You need to install two expansion cards in your 2003 Server. you will have to manually configure the card. E. click Select Columns to add counters to the Processes tab. click a column name to sort by that column. Press ALT+SHFT+ESC. One of the cards is a PCI Plug and Play compliant card and one is an ISA Plug and Play compliant card. Click the Applications tab to monitor running applications. and then click Task Manager. B. With the PCI card. With the PCI card. and then click Task Manager. and then restart the computer to initialize the device. simply plug in the device. With the ISA card. Click the column name a second time to reverse sort by that column.

7. Disk 0 is a basic disk and Disks 1 and 2 are dynamic disks and all are formatted with NTFS. Disk 0 has 30 percent of its drive space free and Disks 1 and 2 have the entire disk free. You want to create a RAID-5 volume from free space from Disk 0, Disk 1 and Disk 2. What steps do you need to take to create the RAID-5 volume?
A. Convert Disk 0 to a dynamic disk
B. Convert Disk 1 back to a basic disk
C. Create the RAID-5 volume using all basic disks
D. Create the RAID-5 volume using all dynamic disks

9. Under what circumstances would you need to update a driver in Windows 2003 server?
A. If you need to convert to NTFS
B. If you need to convert to native mode
C. A bad driver was installed
D. If you have driver signing set to ignore driver updates.

10. Which of the following should you use to check device drivers, to see if they are installed correctly?
A. My Computer
B. Event Monitor
C. Task Manager
D. Device Manager
E. Internet Options

11. You have three SCSI drives. The first drive is an 80 GB drive with 10 GB free. The second drive is a 60 GB drive with 20 GB free. The third drive is a 50 GB drive with the entirety of the drive free. You want to build a RAID-5 array. How big will it be?
A. 10 GB
B. 40 GB
C. 20 GB
D. 80 GB
E. 60 GB

restore the RAID 5 array with the normal backup from Monday and the incremental from Tuesday C. Implementing disk mirroring (RAID 1) D. restore the RAID 5 array with the normal backup from Monday B. Three drives in your RAID 5 array fail Wednesday at noon. What should you do to restore the RAID 5 array? A. You store backup tapes both off-site and on-site. Implementing disk striping with parity (RAID 5) C. Using the off-site tapes.106 Physical and Logical Devices 12.m. Implementing disk spanning B. Using the on-site tapes. Implementing disk striping (RAID 0) 13. which methods will work? A. You are presently performing a normal backup every Monday at 5 p. When implementing redundancy in a Windows 2003 server. Using the on-site tapes. D. restore the RAID 5 array with the normal backup from Monday . and incremental backups every work night of the week at 5 p. restore the RAID 5 array with the normal backup from Monday and the incremental from Tuesday.m. Using the off-site tapes.

14. Which of the following RAID configurations does not allow for a single disk to fail?
A. RAID 0 (Disk Striping)
B. RAID 1 (Disk Mirroring)
C. Disk Spanning
D. RAID 5 (Disk Striping with Parity)

15. Which of the following is a volume that Windows 2003 server does not support?
A. Spanned
B. RAID 5
C. Half
D. Mirrored
E. RAID 0

How can you accomplish this? A. Use the New Partition wizard. and then click Next. You decide to create a logical volume on your Server 2003 machine using Disk Management. enter a drive letter or drive path. On the Completing the New Partition Wizard page. Go into Control Panel and select Disk Management. and then click Next. Right-click free space on an extended partition where you want to create the logical drive. Right-click free space on an extended partition where you want to create the logical drive. verify that the options that you selected are correct. Go into Computer Management and select Disk Management. and then click New Logical Drive. Use the New Partition wizard. and then click New Logical Drive. Explanation: To create a new partition or logical drive. On the Format Partition page. B. and then click Finish. You can also right-click free space on an extended partition where you want to create the logical drive. Use the New Partition wizard. and then click Next. specify the size in megabytes (MB) of the partition that you want to create. click Next. Right-click free space on an extended partition where you want to create the logical drive. On the Specify Partition Size page. Go into Control Panel and select Computer Management. select the Disk Management option in Computer Management. Go into Computer Management and select Disk Management. and then click New Logical Drive. and then click New Logical Drive. click the type of partition that you want to create. specify the formatting options that you want. On the Select Partition Type page. On the Assign Drive Letter or Path page.108 Physical and Logical Devices Chapter 1: Review Answers 1. and then click Next. and then click New Logical Drive. *C. On the Welcome to the New Partition Wizard page. right-click unallocated space on the basic disk where you want to create the partition. D. and then click New Partition. . 
Right-click used space on an extended partition where you want to create the logical drive. Use the New Partition wizard. To create a new partition.

right-click the disk. and then click Reactivate Disk to return the disk to regular Online status. What action should you take to change the status of the H: drive to online? *A. Reformat the disk *E. and then click Reactivate Disk to return the disk to Online status). *B. Disk Management displays status descriptions of disks and volumes in the Disk Management window. and then click Enable Disk to return the disk to regular Online status. inaccessible. Double-click the disk. Disk Management displays status descriptions of disks and volumes in the Disk Management window. These descriptions. You attempt to access your G: drive. and then click Reactivate Disk to return the disk to Online status).to resolve this issue. and then click Reactivate Disk to return the disk to regular Online status). . verify that the physical disk is turned on and correctly attached to the computer. D. Double-click the disk. Offline or Missing (displayed when dynamic disks are corrupted. Right-click the disk. You attempt to access your H: drive. right-click the disk. repair any disk. repair any disk.to resolve this issue. or temporarily unavailable to resolve this issue. are as follows: Online. controller. or connection problems. or temporarily unavailable . or connection problems. are as follows: Online. but you find that the status of the H: drive is missing. What action should you take to change the status of the G: drive to online? A.to resolve this issue. and then click Enable Disk to return the disk to regular Online status. Explanation: When a disk or volume fails. Partition the disk *C.Windows Server 2003 109 2. and then click Reactivate Disk to return the disk to regular Online status. inaccessible. C. verify that the physical disk is turned on and correctly attached to the computer. controller. Check for problems with the hard disk B. These descriptions. Healthy (either of these are normal). Reactivate the disk to Online status D. 3. 
Online with errors (indicative of I/O errors on a dynamic disk . Verify that the physical disk is correctly attached to the computer Explanation: When a disk or volume fails. and then click Reactivate Disk to return the disk to regular Online status). Offline or Missing (displayed when dynamic disks are corrupted. Online with errors (indicative of I/O errors on a dynamic disk . right-click the disk. Right-click the disk. but you find that the status of the G: drive is offline with errors. right-click the disk. Healthy (either of these is normal).

Click the driver signing button. Click the driver signing button. How can you do this? A. In System properties. A NIC card that is set for 10 Mbps when it should be set to 100 Mbps *C.unsigned drivers. *D. select the hardware tab. Which of the following situations with a NIC card could produce a bottleneck? A. Click the driver signing button. select the hardware tab. select the hardware tab. An unplugged NIC card *B. A program that monopolizes a particular resource can be a bootleneck. C. An older network card that is installed on a new server may cause a bottleneck. A fibre channel NIC Explanation: Lack of memory is a major cause of bottlenecks. An older multispeed network card may be configured for 10 megabits per second (Mbps) when it should be set to 100 Mbps and this would produce a bottleneck. Click the driver signing button. Set the driver signing option to kill when you attempt to install. select the hardware tab. In System properties. Click the driver signing button. select the hardware tab. Set the driver signing option to ignore. A failing hard drive may cause a bottleneck. Explanation: In System properties. warn or block when you attempt to install unsigned drivers. You want to make sure that the junior network associates install only Microsoft signed drivers on the 2003 server that handles file and print services for the network. Set the driver signing option to warn when you attempt to install unsigned drivers. An older network card that is installed on a new server D. Set the driver signing option to block when you attempt to install unsigned drivers. 5. Set the driver signing option to ignore when you attempt to install unsigned drivers.110 Physical and Logical Devices 4. In System properties. . B. In System properties.

For other devices. and then click Task Manager. C. turn off the computer to install the device. you will have to manually configure the card. 7. Press CTRL+ALT+ESC. and then restart the computer to initialize the device. Click the column name a second time to reverse sort by that column. Click the Users tab to monitor the names of users who are connected to the computer. click a column name to sort by that column. If the device driver does not support Plug and Play. With the PCI card. click Select Columns to add counters to the Processes tab. C. Press CTRL+ALT+DEL. Click the column name a second time to reverse sort by that column. What actions are necessary to configure these cards? *A. and then restart the computer to initialize the device. . simply plug in the device. you must turn off the computer to install the device. *E. On the Processes tab. Non-Plug and Play devices are not supported by products in the Windows Server 2003 family. and then click Task Manager. Click the Networking tab to monitor network traffic to this computer. E. On the View menu. simply plug in the device. Click the Processes tab to monitor the running processes. With the PCI card. regardless of any hardware Plug and Play support. press CTRL+ALT+DEL. B. Plug and Play support depends on both the hardware device and the device driver. How can you perform real-time monitoring by using Task Manager? *A. Press ALT+SHFT+ESC. and then click Task Manager. With the ISA card. With the ISA card.Windows Server 2003 111 6. You need to install two expansion cards in your 2003 Server. Explanation: To perform real-time monitoring by using Task Manager. click Select Columns to add counters to the Processes tab. Click the Processes tab to monitor the running processes. and then click Task Manager. Most devices manufactured since 1995 are Plug and Play. Click the Applications tab to monitor running applications. its devices behave as non-Plug and Play devices. 
Click the Applications tab to monitor running applications. Click the Performance tab to monitor CPU and memory usage. On the View menu. you will have to manually configure the card. click a column name to sort by that column. B. One of the cards is a PCI Plug and Play compliant card and one is an ISA Plug and Play compliant card. On the Processes tab. With the ISA card. *D. Explanation: You can install some Plug and Play devices by simply plugging in the device. *D. such as Plug and Play Industry Standard Architecture (ISA) cards.

8. Under what circumstances would you need to update a driver in Windows 2003 server?

A. If you need to convert to NTFS
B. If you need to convert to native mode
*C. A bad driver was installed
*D. If you have driver signing set to ignore driver updates.

Explanation: You need to update a driver in Windows 2003 server if you have driver signing set to ignore driver updates or if a bad driver was installed.

9. Disk 0 is a basic disk and Disks 1 and 2 are dynamic disks and all are formatted with NTFS. Disk 0 has 30 percent of its drive space free and Disks 1 and 2 have the entire disk free. You want to create a RAID-5 volume from free space from Disk 0, Disk 1 and Disk 2. What steps do you need to take to create the RAID-5 volume?

*A. Convert Disk 0 to a dynamic disk
B. Convert Disk 1 back to a basic disk
C. Create the RAID-5 volume using all basic disks
*D. Create the RAID-5 volume using all dynamic disks

Explanation: To create a RAID-5 volume, convert Disk 0 to a dynamic disk so that all disks are dynamic. Then simply right-click the unallocated space and select 'New Volume'.

10. Which of the following should you use to check device drivers, to see if they are installed correctly?

*A. My Computer
B. Event Monitor
C. Task Manager
D. Device Manager
E. Internet Options

Explanation: Use Device Manager to check device drivers, to see if they are installed correctly.

11. You have three SCSI drives. The first drive is a 80 GB drive with 10 GB free. The second drive is a 60 GB drive with 20 GB free. The third drive is a 50 GB drive with the entirety of the drive free. You want to build a RAID-5 array. How big will it be?

A. 10 GB
B. 40 GB
*C. 20 GB
D. 80 GB
E. 60 GB

Explanation: With RAID-5, smallest free portion available determines the parity portion of the array (which in this case is 10 GB on the first disk). Since 10 GB is the biggest parity segment we can have, the other portions must be the same size. So, the RAID-5 array will use 30 GB (10 GB + 10 GB + 10 GB), but, you will only be able to use 20 GB of that.

12. When implementing redundancy in a Windows 2003 server, which methods will work?

A. Implementing disk spanning
*B. Implementing disk striping with parity (RAID 5)
*C. Implementing disk mirroring (RAID 1)
D. Implementing disk striping (RAID 0)

Explanation: Implementing disk mirroring (RAID 1) and disk striping with parity (RAID 5) addresses the need for redundancy and fault tolerance in a Windows 2003 server.

13. You store backup tapes both off-site and on-site. You are presently performing a normal backup every Monday at 5 p.m. and incremental backups every work night of the week at 5 p.m. Three drives in your RAID 5 array fail Wednesday at noon. What should you do to restore the RAID 5 array?

A. Using the on-site tapes, restore the RAID 5 array with the normal backup from Monday
*B. Using the on-site tapes, restore the RAID 5 array with the normal backup from Monday and the incremental from Tuesday
C. Using the off-site tapes, restore the RAID 5 array with the normal backup from Monday and the incremental from Tuesday.
D. Using the off-site tapes, restore the RAID 5 array with the normal backup from Monday

Explanation: You store backup tapes both off-site and on-site. You are presently performing a normal backup every Monday at 5 p.m. and incremental backups every work night of the week at 5 p.m. Three drives in your RAID 5 array fail Wednesday at noon. Using the on-site tapes, restore the RAID 5 array with the normal backup from Monday and the incremental from Tuesday.

14. Which of the following RAID configurations does not allow for a single disk to fail?

*A. RAID 0 (Disk Striping)
B. RAID 1 (Disk Mirroring)
*C. Disk Spanning
D. RAID 5 (Disk Striping with Parity)

Explanation: RAID 1 (Disk Mirroring) and RAID 5 (Disk Striping with Parity) allow for a single disk to fail; RAID 0 (Disk Striping) and Disk Spanning do not.

15. Which of the following is a volume that Windows 2003 server does not support?

A. Spanned
B. RAID 5
*C. Half
D. Mirrored
E. RAID 0

Explanation: Windows 2003 server supports RAID 5, spanned, and mirrored volumes.

Chapter 2: 70-290 Certification

Managing Users, Computers, and Groups

The objective of this chapter is to provide the reader with an understanding of the following:

2.1 Manage user profiles
2.1.1 Local user profiles
2.1.2 Roaming user profiles
2.1.3 Mandatory user profiles
2.2 Create and manage computer accounts in an Active Directory environment
2.3 Create and manage groups
2.3.1 Identify and modify the scope of a group
2.3.2 Find domain groups in which a user is a member
2.3.3 Manage group membership
2.3.4 Create and modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in
2.3.5 Create and modify groups by using automation
2.4 Create and manage user accounts
2.4.1 Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in
2.4.2 Create and modify user accounts by using automation
2.4.3 Import user accounts
2.5 Troubleshoot computer accounts
2.5.1 Diagnose and resolve issues related to computer accounts by using the Active Directory Users and Computers MMC snap-in
2.5.2 Reset computer accounts
2.6 Troubleshoot user accounts
2.6.1 Diagnose and resolve account lockouts
2.6.2 Diagnose and resolve issues related to user account properties
2.7 Troubleshoot user authentication issues

Chapter 2: Users, Computers, and Groups

Introduction: Managing Users, Computers and Groups in Windows 2003 Server can be performed by using built-in consoles and command line utilities. The following chapter will give you insight on how to manage these administrative tasks within your organization.

Getting Ready Questions

1. In Windows 2003 Server, how can the location for user profile storage be accessed?
2. In a Server 2003 Active Directory environment, do legacy operating systems (such as Windows 95 or Windows 98) now have computer accounts?
3. What does the acronym AGGUDLP stand for?
4. What is the difference between disabling and resetting an account?
5. What is considered a minimum password length for a strong password implementation?

Getting Ready Answers

1. In Server 2003, the location for user profiles storage can now be accessed by right-clicking on My Computer and choosing the Advanced option then User Profiles from the System Properties box.
2. Computer accounts are still not assigned to older legacy operating systems such as Windows 95 or Windows 98 machines in a Server 2003 domain. These operating systems still operate as participants in, rather than members of, the domain.
3. The acronym AGGUDLP stands for:
● Accounts are members of
● Global groups, which in native mode can be members of other
● Global groups, which in native mode can be members of
● Universal groups, which are in turn members of
● Domain Local groups, which are the group scope that is granted resource access
● Permissions.
4. Disabling an account renders it unusable. Resetting the account causes it to synchronize to bring it up-to-date.
5. A minimum length of seven characters is considered for password strength. It is also a good idea to have the passwords meet strong password requirements.

2.1 Manage user profiles

Microsoft Windows 2003 Server uses user profiles to allow Network Administrators the ability to create and maintain user desktop settings. User profiles are used to automatically apply desktop settings for a user logging into a client machine. A good example of this feature’s use would be if more than one user uses the same computer at various times of the day such as morning and afternoon shifts. This will allow the two users to have their own customized desktop settings such as shortcuts, mail settings, video resolution etc.

Microsoft Windows 2003 Server has added additional functionality for improved use of user profiles. Some of these improved features are:

● The location for user profiles storage can now be accessed by right-clicking on My Computer and choosing the Advanced option then User Profiles from the System Properties box.
● Additional Group Policy functionality: From the Group Policy Microsoft Management Console MMC you can now access User Profile policies.
● Prevent users who have roaming profiles configured from obtaining their roaming profile on a specific computer. This means that the profile loaded on that specific computer would be local only.
● Allow the Domain Administrators to obtain full control over the profile directory that belongs to a user. In Windows 2000 the Administrator had no file access right as a default.
● Roaming Profiles cannot support encrypted files.

The section below covers the differences between the Local User, Roaming User, Mandatory User and Temporary user profiles used in Windows 2003 Server.

2.1.1 Local user profiles

Local user profiles are profiles, which are created the first time a user logs onto a computer. These profiles are not roaming profiles (stored on a server) and are stored locally on the computer hard drive. Changes made to this profile while a user is logged onto a machine are specific to that computer and will not “roam” with the client.

2.1.2 Roaming user profiles

Roaming user profiles are created by a domain administrator and stored server side. From any machine on the domain that a client logs onto this profile will be available for their user. Any changes in shortcuts, display settings, mail settings, etc. would be updated to the profile located on the server. This feature can also be used to create mandatory user profiles. Mandatory user profiles are used to allow clients the ability to change desktop settings while they are using the computer but once the user has logged off of the system the changes which were made to the desktop are lost.

Creating a Roaming user profile

Creating a roaming user profile is accomplished by following two steps: create a test profile and then copy the test profile to the network server. Use the steps below to create a test profile. Before you begin make certain you are logged onto the machine as an Administrator.

1. Open the Computer Management console by clicking on Start then choosing Administrative Tools.
2. Open the Local Users and Groups console and double-click on the Users button.
3. Right-click on Users then choose New User.
4. Enter a name and password for the user.
5. Use the mouse to clear the User must change password at next logon box.
6. Select the Create option and then choose close.
7. Close the Computer Management console.
8. Log off of the Computer and then log back on as the user name that was previously created in this step.
9. A local user profile has now been created and the next steps are to configure the environment (desktop settings, shortcuts, appearance) and then copy to the network server.
10. From the server that will store the network profiles create a folder such as the following: \\network_server\profiles\username
    Click on Start choose Control Panel and select System.
11. Choose the Advanced tab and select Settings that are located in System Properties under User Profiles.
12. Choose the Profile under the Profiles Stored on this computer option and select the Copy To option.
13. Enter the Path to the profile, which was created in Step 8.
14. Select the Change under the Permitted to Use option.
15. Enter the Name of the user account created in step 4 then select OK.
16. Click OK then OK then OK again.
17. Click on Start choose Administrative Tools and select Computer Management.
18. Click on Local Users and Groups then select Users.
19. Find the user account that was created in Step 4 and select the Profile option.
20. Enter the Network Profile Path in the profile path box.
21. Click OK.

2.1.3 Mandatory user profiles

This is a roaming profile (stored server side) that will only allow the Administrator the ability to make changes. If a user makes changes to this profile once the computer has been rebooted the changes are lost. This profile can be applied to entire groups of users or individually. Use the steps below to create a mandatory profile. Before you begin make certain you are logged onto the machine as an Administrator.

1. Open the Computer Management console by clicking on Start then choosing Administrative Tools.
2. Open the Local Users and Groups console and double-click on the Users button.
3. Right-click on Users then choose New User.
4. Enter a name and password for the user.
5. Use the mouse to clear the User must change password at next logon box.
6. Select the Create option and then choose close.
7. Close the Computer Management console.
8. Log off of the Computer and then log back on as the user name that was previously created in this step.
9. A local user profile has now been created and the next steps are to configure the environment (desktop settings, shortcuts, appearance) and then copy to the network server.
10. From the server that will store the network profiles create a folder such as the following: \\network_server\profiles\username
    Click on Start choose Control Panel and select System.
11. Choose the Advanced tab and select Settings that are located in System Properties under User Profiles.
12. Choose the Profile under the Profiles Stored on this computer option and select the Copy To option.
13. Enter the Path to the profile, which was created in Step 8.
14. Select the Change under the Permitted to Use option.
15. Enter the Name of the user account created in step 4 then select OK.
16. Click OK, OK, OK.
17. Click on Start choose Administrative Tools and select Computer Management.
18. Click on Local Users and Groups then select Users.
19. Find the user account that was created in Step 4 and select the Profile option.
20. Enter the Network Profile Path in the profile path box.
21. Click OK.
22. Open the user profile folder and find the Ntuser.dat file.

23. To make this a mandatory profile just rename the Ntuser.dat file to Ntuser.man.

Temporary user profiles

The Temporary User Profile is only used in the event that the local user profile or server-side profile cannot be loaded on the client machine. This profile behaves much like the mandatory user profile in that all changes that are made to a machine are lost after the client has logged off. The temporary profile is also deleted once the client has logged off of the machine.

Troubleshooting Damaged Profiles

There are times when you would need to troubleshoot a user profile for problems. To see if the profile has been damaged use the following steps:

1. Create a new User account and give it the exact same rights as the profile you are troubleshooting.
2. Login using the newly created user account. If the problems disappear then the user account is damaged.
3. You now need to copy the user settings from the “damaged” profile to the profile of the new user account you created in step 1. Open the Control Panel and choose the System option.
4. Select the Advanced option and then choose Settings from User Profiles.
5. Select the “damaged” user profile from the Profiles Stored on this computer and choose the copy to option.
6. Choose Browse and locate the newly created user profile then click on OK.
7. Click OK again and select Yes to overwrite the contents of the folder.
8. Click OK again and then once more. If the same error occurs that was occurring before you made these changes then the user profile is damaged.

Deleting and Recreating a User Profile that has been damaged

In the above scenario if the user profile has been damaged you will need to delete the damaged profile and then create a new one.

1. Login to the computer that contains the damaged user profile.
2. Do a search for the folder that contains the name of the damaged user profile.
3. Once the folder has been found press the Delete key.
4. Choose Yes to confirm then logoff the computer.
5. Logon to the machine with the user account that the damaged profile belonged.
6. A new profile will be automatically created for the user.

Creating a Custom Default User Profile

To create a Custom Default user profile use the following steps:

1. Make certain you are logged onto the computer as an Administrator.
2. Create a new local user account.
3. Log off as Administrator and then log back on as the local user account you just created.
4. Configure the desktop settings you wish to use as a default (display, mapped drives, etc.).
5. Log off as the local user and log back on as the Administrator.
6. Open Windows Explorer.
7. From the Tools menu select the Folder Options menu item.
8. Select the View tab.
9. Choose the Show hidden files and folders option and click OK. This step will unhide the default user profile so it can be replaced.
10. To replace the default user profile with the newly customized profile click on Start choose Control Panel and select System.
11. Choose the Advanced tab and select Settings under the User Profiles option.
12. Choose the newly created user profile and click Copy to from the Profiles stored on this computer.
13. Select Browse from the Copy Profile to item and find the Default User folder under the Windows directory and Documents and Settings folder and click OK.
14. Under the Permitted to use option select Change.
15. Type Everyone in the Select user or Group option then click OK and OK again.
16. Click on the Yes button to continue with the procedure. Windows will now replace the default local user profile with the newly created user profile.

You could also run into issues when dealing with user profiles such as the time it can take for a profile to load. Try not to copy large folders such as My Documents in the profile especially when using Roaming Profiles. Consider using Folder Redirection via Group Policy to keep large folders on a network share instead of locally on the client machine.

2.2 Create/Manage Computer Accounts in Active Directory Environments

Computer accounts are unique in the Windows 2003 Server domain and are used by Windows 2003 Server to allow users to login to the domain and authenticate as well as auditing the use of network resources and devices. Computer accounts are not assigned to older legacy operating systems such as Windows 95 or Windows 98 machines. Administrators can add, delete, reset or disable computer accounts by using the Active Directory Users and Computers console. The Active Directory Users and Computers console can be accessed on a Windows 2003 Server machine running Active Directory by using the following steps:

1. Click on Start
2. Click on Administrative Tools
3. Select Active Directory Users and Computers
4. Open the Organizational unit or domain you wish to manage.
5. To create a new computer account just right-click in the OU or Domain and select the New

Figure 2-1: Creating a new computer account using the Active Directory Users and Computers console.

After this you will have the option to enter a computer name for the new computer shown in Figure 2.2.

Figure 2-2: Give the Computer a name.

Enter a name for the computer and if needed change the Default User or group that is needed to add the computer to the domain by selecting the Change option. Select the Next option and a screen as the one shown in Figure 2.3 is shown and it gives you the option of entering managed information if the computer is a managed computer.

Figure 2-3: Entering information for Managed Computers.

Select Next and the computer will be added to the OU or domain you selected in Step 1.

Figure 2-4: Finishing adding a new Computer using the Active Directory Users and Groups console.

2.3 Create and manage groups

Creating and managing groups in Group Scopes in Windows 2003 Server and Active Directory

● Active Directory group types
● Active Directory group scopes
● How to modify the scope of a group

In the old days of NT4 domain administration, there were two group scopes that could be created in User Manager for Domains. You could either make a global group or a local group, and that local group was essentially a shared local group – it could be used on any domain controller, but only on a domain controller.

2.3.1 Identify and modify the scope of a group

With Active Directory, we now have two types of groups and three different scopes of groups, each with their own advantages and limitations. Figure 2: shows the New Object dialog box.

Figure 2-5: Creating a User Group using the Active Directory console.

The two types of group are security and distribution. Distribution groups are used in the same way distribution lists are, while security groups are what we use for managing resource access and other security related functions. This article will focus on security groups, as distribution groups are more appropriately covered in an article on Exchange Server 2000.

There are three scopes of groups. The scopes apply to both security and distribution type groups. Each scope has its advantages, as well as having limitations. The three group scopes in Active Directory are:

● Universal which
● Global which
● Domain which.

Again, for the purpose of this article, we will only be discussing group scopes in Active Directory, rather than also discussing the groups that can be created on any non-domain controller.

There are two ways of identifying the scope of a group in Active Directory Users and Computers. One is to find the group in its container, where you will see the following as shown in Figure 2.6:

Figure 2-6: Identifying image scopes using the Active Directory User and Computers console.

Note that the type column lists both the type and scope for the group. You can also open the properties for the group. Using this method you can also perform various management tasks. Figure 2:7 below shows the general tab of the properties option.

Figure 2-7: Entering the Group Properties.

Note that the radio buttons are on the scope and type for the group, but also that you can change both scope and type. If the scope of the group is Universal, then you will be able to immediately change to any of the three scopes. But, if the scope you wish to change is either Domain Local or Global, then you will at first only be able to change that to Universal.

In addition to changing the scope, you can also change the type, as well. If you change from Security to Distribution, you will see the following dialogue box shown in Figure 2.8.

Figure 2-8: Setting the Description Property for the new group.

Now that we have looked at the scopes in Active Directory Users and Computers, let's take a look at how they can be used, and how it is recommended that they be used. Let's start by looking at the Universal group scope. Universal groups are very flexible, in terms of when and how they can be used, because a universal group can contain members from any domain in the forest, and can be used in any domain in the forest. Universal scope security type groups are only available when an Active Directory domain is in native mode, though Universal scope distribution groups are available in either mode. To do this, you need to remember that an Active Directory domain can be in one of three functional modes, mixed, Windows 2000 Native or Windows 2003 Server Native. It is important to remember, however, that the only difference between the modes is whether there are legacy domain controllers – the operating system running on computers in a domain that are not domain controllers is of no importance in determining whether a domain can operate in native mode.

Universal groups are most useful in a multi-domain forest, because it is there that you will most likely have business units in each domain that need common access to enterprise resources. In a single domain model, it is less likely that the need for Universal scope security groups will present itself – though distribution groups are another matter entirely.

There is an important thing to remember about universal groups, however – information on the membership of a Universal group is stored on every domain controller in the forest, and any change to the direct membership of a Universal group will be replicated to every domain controller in the forest. I emphasize direct, because one recommended practice with regard to Universal groups is that their membership is only global groups, and not individual user accounts. So, while a user or computer account can be a member of a Universal group, it should not be a direct member.

2.3.2 Find domain groups in which a user is a member

You can use the Properties tab to find which group a user is a member of by using the following instructions. As you can see in the image above Figure 2.9, there are four tabs that you can access in the properties for a group. You can find the direct members of a group on the Members tab, and you can find the groups that a group or account is a direct member of on the Member of tab. Note that these are strictly the direct membership, however. If a user is a member of a global group that is a member of a domain local group, the Members and Member of tabs still only show the direct membership.

Figure 2-9: Setting the Description Property for the new group.

2.3.3 Manage group membership

Before we dig into Global and Domain Local groups, let's review the recommended practice for granting resource access permissions. There are many ways to express the acronym we use (yeah, another one of those acronyms!) to remember what goes where. Since this article is discussing Universal groups, too, I will use the longest of the bunch, AGGUDLP. This acronym stands for:

● Accounts are members of
● Global groups, which in native mode can be members of other
● Global groups, which in native mode can be members of
● Universal groups, which are in turn members of
● Domain Local groups, which are the group scope that is granted resource access
● Permissions.

Now, if you don’t have nested Global groups or use Universal groups, you can trim out some of those letters – but only the second G and the U!

The workhorse of Active Directory groups is the Global group. User and computer accounts should only be direct members of global groups. Global groups are limited in that they can only contain members from the domain where they were created, but they can be used in any trusting domain – whether in the forest or not. If the domain is in native mode, global groups can be a member of other global groups (but still in the domain!). When naming global groups, as with any group, you want to use a name that will make sense 6 months or 3 years from now.

Now we come to the Domain Local group, which I like to call the Permission group – since it is the group that we use for granting resource access permissions. Domain Local groups have essentially the opposite restriction of Global groups. They can have members from any trusted domain, but can only be used in the domain where they were created. One significant advantage to using Domain Local groups over local groups that only exist on a non-domain controller is that you use the same interface – Active Directory Users and Computers – to manage them as you use for Global and Universal groups. When naming Domain Local groups, I recommend that you use a combination of the resource that the Domain Local group will be used for, and the permission being granted.

All of the direct and indirect members of a group inherit permissions granted to a group. Note that while resource access permissions should only be granted to Domain Local groups, you can use Global groups for other purposes such as delegation of authority and GPO filtering.

2.3.4 Modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in

Modifying a Group using the Active Directory Users and Computer console is a simple task and can be done by clicking Start, clicking Administrative Tools, selecting Active Directory Users and Computers, choosing the Domain or OU which contains the Group you wish to modify, and right-clicking the Group, as shown in Figure 2.10.

Figure 2-10: Entering General information for Group settings.

This tab allows you to enter and select information for Groups such as Group Name, Description and E-mail information. It also will allow you to enter the Group Scope and Type and Notes pertaining to the group. Figure 2.11 below shows the Member information for the Group.

Figure 2-11: Member information for the Group.

Figure 2. Computers. and Groups Click the Add button to add additional members to this group then select Apply.136 Users.12 shows the Member of which shows which users or computers belong to this group. . Figure 2-12: The Member of tab for Group settings.

The last tab is the Managed by tab shown in Figure 2.13. This screen allows you to enter the Name of the manager for this group, office information and can also allow you to enable the Manager of the group to have the ability to update the membership list of the group.

Figure 2-13: Managed By tab for Groups.

2.3.5 Create and modify groups by using automation

If you have a very large network to control with numerous domain controllers, users, computers, etc. You will be interested to know that you can use a method other than the Active Directory Users and Computers console to control these large environments. This section will examine the ways that you can automate some of the group management tasks faced by network administrators.

With the advent of Windows 2000, a new method became available for network administrators – scripting using Active Directory Service Interface or ADSI. While using the GUI interface remains an available option, being able to develop automated solutions for time consuming and repetitive tasks such as adding users to a new group has given the network administrator the ability to use their time in a cost-efficient fashion.

ADSI is a set of COM interfaces that confronts the challenges in a distributed computing environment. ADSI can be used to access directory services’ features and present a single set of directory service interfaces to the administrator for the management of resources on the network. Network Administrators can now use ADSI to automate many of the more common tasks, such as adding and removing both users and groups, setting permissions, and even managing printers across a distributed network.

Active Directory was introduced with Windows 2000, and runs on Windows 2000 and Windows 2003 Server domain controllers. It is important to note that ADSI client applications can run not only on Windows 2000 and Windows XP clients, but also on Windows 95, Windows 98 and Windows NT4.0 (SP6a), if you have the Active Directory Client Extensions installed.

Before you begin to work with ADSI there are a few basic concepts you should learn such as: Binding, Containers and Children, Getting and Setting Properties.

Binding

Objects must be bound to a computer, domain controller, user, printer, or any other object in the directory structure in order to use ADSI properties and methods. After these objects have been bound object properties can be read or changed, and methods can be called that are applicable to the object type.

An ADSI ADsPath (or binding string) consists of a provider and a path. The provider is the part of the string that specifies what type of namespace is being bound to. With ADSI, there are four different types of providers:

● WinNT – Windows NT 4.0 PDCs and BDCs, Windows XP and Windows 2000/2003 not running Active Directory
● LDAP – LDAP servers, including Exchange 5.x, Windows 2000/2003 Active Directory
● NDS – Novell Directory Services servers
● NWCOMPAT – Novell Netware servers

These provider names are case sensitive, and should be written exactly as noted above.

The path is exactly that – the path to a computer, object or user. While the provider is mandatory, one can list all, some or none of the path. If no path is provided, ADSI will bind to the root of the namespace, and access will be allowed to all objects in the enterprise. Listing only the domain will bind to the root of the specified domain. Listing just the computer, or computer and class identifier, will bind to the local computer accounts. Look at the following example of a binding string:

    Set objTarget = GetObject("WinNT://TotalRecall/TRPublicComputer/Deborah,user")

Script 2-1: The Set objTarget script.

Notice that “WinNT:” is the provider, “//TotalRecall” is the domain, “/TRPublicComputer” is the computer, “/Deborah” is the object, and “,user” is the class identifier.

Containers and Children

A container is an object that holds a collection of similar objects. All objects in a container have the same Class attribute, although they may not have associated ADsPath attributes. For example, a domain is a container because it holds computers as members. A group is a container that holds users as members.

A child is, in a sense, the flipside to a member. A child of an object is an item one level below that object in the directory structure. It does, however, have a directly related ADsPath attribute. While an object’s member must have the same class, but not necessarily a related ADsPath, an object’s child does not need to have the same Class attribute as another child of the same object. A domain’s children are objects directly beneath the domain, such as users, global groups or computers.

These two relationships – container and member, object and child – define the two basic ways objects relate to each other in ADSI.

Two common administrative tasks are creating and deleting groups. It is through the IADs Container interface, used by all ADSI container objects, that we will accomplish the automation of these tasks. The properties of the IADs Container interface that are supported are:

● Filter – When enumerating a container’s contents, the filter restricts the return to objects whose Class matches the classes listed in the property of the filter.
● Count – the number of objects in the container, or if a filter has been specified, the number of the objects of classes listed in the filter.

There are some methods that we will be using when working with groups that are specifically tied to the IADs Container interface:

● GetObject – Binds the directory item with the specified ADsPath to a named variable.
● Create – Creates a new object in the current container. The class must be specified.
● Delete – Removes an object from the current container. Again, the class must be specified.
● CopyHere – Creates a copy of the object in the current container. The object MUST be in the same directory namespace; for example, you cannot move an object from a WinNT: namespace to a LDAP: namespace.
● MoveHere – Moves the object from its original location to the current container. The same namespace restrictions apply.

Getting and Setting Attributes

When looking at the ability to automate common network tasks, aside from creation and deletion, the most common use for any ADSI object is to be able to read data from it or modify the data contained in it. The data is contained in the object properties. Any ADSI object (except for the Namespaces object) employs the six properties of the IADs interface. These properties are:

● Name – the name of the object
● Class – the schema class name of the object
● GUID – the GUID (Globally Unique Identifier) that gives the object a unique identity
● ADsPath – a case-sensitive string used to uniquely identify the object’s path in directory services
● Parent – the ADsPath name of the object’s parent container
● Schema – the ADsPath of the object’s schema class object

Some of the methods we will be using on these properties are:

● Get – Retrieves the value of the property
● Put – Sets the value of the property
● GetInfo – Retrieves the values of the object’s properties from directory services and places them in the local property cache
● SetInfo – Saves the changes made to the object’s properties to directory services

Creating a Local Group

With that information, let’s look at some ways to automate group tasks. We are going to take a working piece of code – a Windows Script command line utility – to illustrate how a local group can be created on a machine named “TRPublicComputer”.

To create a local group, we are going to use two IADs methods: “Create” and “SetInfo”. When we call the Create method, it is actually the method of the group parent object – in this case, the object representing the computer. The syntax is shown in the following example:

    Set objGroup = objComputer.Create("group", "GroupName")

Script 2-2: The Create GroupName script

As you can see, the Create method takes two arguments: the type of object to create (“group”), and the name for the new object (“GroupName”). The SetInfo method, on the other hand, is the method of the newly created group. It must be called to commit the change.

    objGroup.SetInfo

Script 2-3: The script used to SetInfo.

We will call the script “CreateLocalGroup.vbs”. This code requires two arguments at runtime: the name of the group to create, and the new group description. The presumption is made in this sample that TRPublicComputer is the only computer on which local groups are being created. With a little modification, a third argument could be passed using the declared variable strADspath, a binding string (such as WinNT://computername) of the object to which you want to add the group.

In this case, we are going to create a group called “Visitors” with a description of “Area 51”. To call the script, at the command line, the following syntax would be used:

    wscript CreateLocalGroup.vbs "Visitors" "Area 51"

Script 2-4: Creating a local group called Visitors with a description of Area 51.

Note that while quotes are not necessary for the first parameter, Visitors, they are for the second parameter, Area 51, because of the space. It is always good practice to use quotation marks, even when not necessary.

Prior to running the script, the Groups on the machine appeared as in the following illustration:

Figure 2-14: Pre-existing local groups on TRPublicComputer

To start, declare the variables that will be needed in the script. The script will look as the one below does:

    Dim strADsPath
    Dim strGroupName
    Dim strDescription
    Dim objTarget
    Dim objNewGroup

Script 2.5 The script used to declare string variables.

a. The first three variables are string variables. “strADsPath” is a set variable pointing to the computer “TRPublicComputer”. The other two string variables “strGroupName” and “strDescription” are set to the arguments stated at runtime.
b. The second set of variables are object variables. The first “objTarget” will contain the object to which you wish to add the group (TRPublicComputer) and the second “objNewGroup” will contain the new group with the description property set.
c. On Error Resume Next has been used to trap expected errors in the input arguments. As we will be passing two arguments, the group name and group description, error trapping has been coded to ensure that both arguments, and no more, have been passed. If the correct information has not been passed at runtime, messages will be passed to the administrator.

The error resume script is shown below.

    On Error Resume Next
    If WScript.Arguments.Count <> 2 Then
        WScript.Echo "Wrong number of arguments."
        WScript.Echo "Syntax: CreateLocalGroup.vbs <name> <description>"
        WScript.Echo "name Name for the new group."
        WScript.Echo "description Description of the new Group."
        WScript.Quit(1)
    End If

Script 2.6 The script to resume to the next script On Error.

Values are then assigned to the string variables previously declared as shown below.

    strADsPath = "WinNT://TRPublicComputer"
    strGroupName = WScript.Arguments(0)
    strDescription = WScript.Arguments(1)

Script 2.7 Assigned Values to the string values previously declared.

We then bind to the computer object. The error subroutine “AdsiErr()” is outlined later in the code.

    Set objTarget = GetObject(strADsPath)
    If Err Then AdsiErr()

Script 2.8 The error subroutine “AdsiErr”

The user object is now created and SetInfo is used to commit the change, the new group, to the directory.

    Set objNewGroup = objTarget.Create("group", strGroupName)
    objNewGroup.SetInfo
    If Err Then AdsiErr()

Script 2.9 The SetInfo command commits the change for the user object.

The description property is set for the new group, and once again SetInfo is called to commit the description to the directory.

    objNewGroup.Description = strDescription
    objNewGroup.SetInfo
    If Err Then AdsiErr()

Script 2.10 Setting the Description Property for the new group.

This code will notify the user that the group has been successfully created, and display the name and description of the new group. The GetInfo command is called to ensure that the actual values of Name and Description exist.

    objNewGroup.GetInfo
    strGroupName = objNewGroup.Name
    strDescription = objNewGroup.Description
    WScript.Echo "New group " & strGroupName & " created."
    WScript.Echo "Description: " & strDescription

Script 2.11 The GetInfo command.

The administrator would then be displayed the following message boxes shown below in Figure 2-15 and Figure 2-16:

Figure 2-15 and Figure 2-16: Dialog boxes displayed for administrators.

The last part of the script is the AdsiErr() subroutine. It handles two errors that might occur while creating the new group – if a group of the specified name already exists or if the specified group name is invalid.

Any other error is reported as an unexpected error, and the script then exits. The AdsiErr() subroutine is shown below in Table 2.1.

    Sub AdsiErr()
        Dim scriptoutput
        Dim errornumber
        ' if the group name exists
        If Err.Number = &H80070563 Then
            scriptoutput = "The group " & strGroupName & " already exists."
        ' if the group name is invalid
        ElseIf Err.Number = &H800A0408 Then
            scriptoutput = "The name '" & strGroupName & "' is invalid as a group Name."
        ' other error
        Else
            errornumber = Hex(Err.Number)
            scriptoutput = "Unexpected Error " & errornumber & "(" & Err.Number & ")"
        End If
        WScript.Echo scriptoutput
        WScript.Quit(1)
    End Sub

Script 2.12. The Subroutine AdsiErr.

Figure 2-17 below shows what appears after running this script, the Groups on the computer TRPublicComputer:

Figure 2-17: The output in the console after running the script.

Most of the samples below are specific to the task at hand; however, each could be modified to hold arguments that are passed at runtime, rather than the identified group or ADsPath.

Creating a Global Group

The following simple script segment demonstrates how you could modify the script previously described to create a global, rather than a local, group. We are working with two variables:

● objOU, which is the OU in which the group will be contained, and
● objGroup, which is the new group

We are also using Name Properties to specify the path in the binding string for Active Directory. A few of the name properties with which you should be familiar are:

● CN – common name
● DC – domain component
● OU – organizational unit

For example, in the ADsPath in the script sample below, we are using OU to specify that the organizational unit is named “management”, and that the domain components are “TotalRecallPress” and “com”. The common name for the group is “visitors”. Table 2.2 below shows the Set objOU script.

    Set objOU = _
        GetObject("LDAP://OU=management,dc=totalrecallpublications,dc=com")
    Set objGroup = objOU.Create("Group", "cn=visitors")
    objGroup.Put "sAMAccountName", "visitors"
    objGroup.SetInfo

Script 2.13: The Set objOU script.

Listing Group Members

Let’s say that you need to modify the access permissions of a particular group. One of the things that must be considered is the effect this will have on each of the members, based on membership in other groups in the domain.

Listing the members of a particular group can be easily automated, using the ADsPath and a simple “for” loop as shown in Table 2.3.

    Set objGroup = GetObject _
        ("LDAP://cn=visitors,ou=public,dc=totalrecallpublications,dc=com")
    For Each objMember In objGroup.Members
        Wscript.Echo objMember.Name
    Next

Script 2.14 Script to list Group Members.

Enumerating Groups and their Membership

It is almost as simple to enumerate all the groups on a specific computer as well as their membership. The script below demonstrates the way to enumerate the local groups and their membership on a specific computer, TRPublicComputer. The filter property of the IADsContainer interface was used to specify the Class of group shown in Table 2.4.

    strComputer = "TRPublicComputer"
    Set colGroups = GetObject("WinNT://" & strComputer & "")
    colGroups.Filter = Array("group")
    For Each objGroup In colGroups
        Wscript.Echo objGroup.Name
        For Each objUser In objGroup.Members
            Wscript.Echo vbTab & objUser.Name
        Next
    Next

Script 2.15: Enumerating Groups and their Memberships.

Moving a Group within a Domain

Table 2.5 shows an example of the “MoveHere” method in action. In this code sample, the group account is being moved from the IT OU to the Visitors container. You should note that the namespace remains the same.

    Set objOU = _
        GetObject("LDAP://cn=Visitors,dc=totalrecallpublications,dc=com")
    objOU.MoveHere _
        "LDAP://cn=Visitors,ou=IT,dc=totalrecallpublications,dc=com", _
        vbNullString

Script 2.16: The MoveHere method script.

When dealing with MoveHere, it is important to remember the information given in the Microsoft Knowledge Base Article 326978 Error When Executing the MoveHere Method of an IADSContainer Object. A portion of this article is replicated below.

SYMPTOMS
When you run the MoveHere method of the IADsContainer object, you may receive the following Error Message:
The server is unwilling to process the request. 0x80072035

CAUSE
You receive this error when you try to move a user object that is a member of a global group from a parent domain to a child domain. Global groups can only contain members from the domain where the global group was made.

RESOLUTION
Remove the user from all global groups except the user's primary group. In this way, you can move the user from the child domain to the parent domain.

STATUS
This behavior is by design.

MORE INFORMATION
You may also receive this error message if you try to add a global group with security group type in the same kind of global group in Pre-Windows 2000 mode of your domain. This is by design. You can successfully add a global group in native mode domain of this group. Additionally, the user's primary group is set to the parent domain's Domain Users group, by default, and the user is given a new SID. The user's old security identifier (SID) is added to the new user object's SidHistory attribute, and the password of the object is preserved.

2.4 Create and manage user accounts

2.4.1 Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in

● Builtin – Container that includes all of the builtin accounts such as Administrator.
● Computers – Holds all computer names in the domain
● Domain Controllers – Lists all domain controllers in domain
● Foreign Security Users – Container for all users accounts.

For this section we will only be using the Users containers. You can add a user three ways in this console: Right Click Domain in the left pane choose New and choose user. Right click Users in the left pane | Choose New | Choose User as shown below in Figure 2.18.

Figure 2-18: Creating a New user by right clicking on the User object in the Active Directory Users and Computers console.

Or you can choose the File menu | New | and User option. No matter which option you choose they will all work in the same manner. Once the new user option has been selected you will see a dialog box. The dialog box is shown below in Figure 2.19.

Figure 2-19: The New User Dialog Box in the Active Directory Users and Computers console.

It shows the create in domain and group, user first name, user initials, user last name, user Full Name, user login name, domain name, and also the pre-Windows 2000 login name. When creating user names remember the following rules shown in Table 2.6:

Username | Rule
Character Type | Up to 20 characters, uppercase, lowercase or a combination of the two.
Special Characters | No " / \ [ ] : ; | = , + * ? < > characters may be used in the user name.
Other special characters | User name may include periods and spaces. However it cannot entirely consist of spaces or periods. Try not to use spaces in user names because if you use command-line utilities or scripting these names have to be enclosed with quotations.
Local Account user names | User Name must be unique to the machine for local accounts
Domain Account user names | These can be the same name as a local user account name on a non-domain controller that is a member of the same domain. This is because they are entirely separate.

Table 2-1: User Name and Rules

Now that we have covered the basics for user name creation let’s create a user account in our domain. The first name of the user is myuser. As you fill in the first name of the user you will notice that the Full Name box and the user logon name box begin to fill as well with what you are typing.

Figure 2-20: Entering the New User information.

Once all of the information has been entered choose the Next button and the page shown in Figure 2.21 will be shown.

Figure 2-21: Entering a Password and choosing the password options for the new user.

Enter a password for the new user and then choose from the following options:

● User must change password at logon. This will force the user to change their password at the next logon.
● User cannot change password – This is helpful to use when you have user accounts that run server services like SQL Server or Exchange Server. When this option is chosen the user cannot change the password. Useful for IUSR_(servername) type accounts.
● Password never expires – When this option is chosen the user account ignores any password policy that is in place. The password will never expire.
● Account is disabled – This is used in a couple of scenarios. Maybe your company has interns or temporary employees that come back between semesters or every few months. Instead of deleting and re-adding the user account each time they leave and return you can just disable the account and enable the account as needed.

Once you have selected the Password option choose the next button. The object will now be created as shown in Figure 2.22.

Figure 2-22: New user account object.

The account will now be viewable in the user account container in the Active Directory Users and Computers console. You can view the user account by double clicking on the user container in the right side of the console as shown in Figure 2.23.

Figure 2-23: The newly added user in the User Container.

As you can see the new user is listed along with additional user accounts that are built-in to Windows 2003 Server. Depending on the additional software you install such as Active Directory, IIS, SMS Server and Exchange Server you could see a variety of additional user accounts that are not listed in this user container.

Manage User Accounts

One great improvement in Windows Server 2003 is that you have additional command line utilities that were not available in previous network operating systems. These slick utilities allow Administrators to add, manage and delete user accounts from the command line. Utilities such as bsa, csvde, dsadd, dsmod, ldifde, and dsrm are available in non-beta and beta mode at the time of this writing. Since some of these command line utilities are currently in beta mode I will not go into great depth with some of these utilities. In addition to command line utilities that are already included in the Windows Server 2003 the Support CD-Rom has many as well that can be installed.

2.4.2 Create and modify user accounts by using automation

One great improvement in Windows Server 2003 is that you have additional command line utilities that were not available in previous network operating systems. These nifty utilities allow Administrators to add, manage and delete user accounts from the command line. Utilities such as bsa, csvde, dsadd, dsmod, ldifde, and dsrm are available. Since some of these command line utilities are currently in beta. In addition to command line utilities that are already included in the Windows Server 2003 the Support CD-Rom has many as well that can be installed.

2.4.3 Import user accounts

In December 2002 Microsoft released the Baseline Analyzer Version 1.1 or as it is commonly referred to MBSA 1.1 or BSA. The MBSA 1.1 replaces the Microsoft Personal Security Advisor or MPSA and the HFNetChk tool, which were used to scan security on local and remote computers and servers. The MBSA 1.1 is an excellent graphical utility tool, which allows administrators to check for strong passwords, and scans IIS servers and SQL servers for security configuration problems. It also has the ability to scan Microsoft Office applications for incorrectly configured security zone settings. This is a much more robust tool than the HFNetChk utility that only checks for service pack and security updates on local and remote computers and servers.

This utility only installs on Windows 2000 and XP machines. It does not install on older Operating Systems such as Windows 95 and Windows 98. Another requirement is Internet Explorer version 5.01 at a minimum installed and the Workstation service running. If you do not have Internet Explorer 5.01 installed you will have to install an additional XML parser which is located at the following URL http://msdn.microsoft.com/downloads/default.asp?url=/downloads/sample.asp?url=/msdn-files/027/001/772/msdncompositedoc.xml.

Use Table 2.7 below to view what the MBSA v1.1 Utility scans for in selected applications and operating systems.

Windows Operating System | Flags for security
Administrator Group Membership | Puts up flag if more than two local administrators are on machine.
Auditing | Is auditing turned on machine
AutoLogon | Is autologon turned on machine
Domain Controller | Is this computer a domain controller?
File System | Checks to see what file system is in use NTFS or FAT.
Guest Account | Is the guest account enabled on the computer?
Local Account Password | Checks for common problems with local account passwords such as a blank password, password same as the machine name, password with the word admin or administrator used, password set to the word password.
OS Version | Check the operating system version
Shares | Checks to see if shares are located on the computer.
Unnecessary Services | Checks against the services.txt file which lists services such as MSFTP (FTP), TlntSvr (TELNET), W3SVC (WWW) and SMTPSVC (SMTP) for services that should not be running. These services are the default services listed and more can be added to the services.txt file for scanning.

Table 2-2: MBSA v1.1 security scans for Window machines.

This table just shows scans for Window machines and does not include the information for IIS, SQL server and Office Applications. The entire list may be viewed at the URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsaqa.asp.

The utility also can perform check security updates against a local SUS server. If this is chosen the utility will look for missing security updates on the SUS server rather than the mssecure.xml file located on Microsoft’s website. The SUS Administrator may then mark updates approved and the MBSA tool will report the update information.

The MBSA v1.1 utility may be downloaded in English only at the URL: http://download.microsoft.com/download/e/5/7/e57f498f-2468-4905-aa5f369252f8b15c/mbsasetup.msi. After the utility has been downloaded and installed open it by clicking on Start | All Programs | Microsoft Baseline Security Analyzer.

Table 2.8 listed below shows some of the numerous commands and the syntax that may be used to manage user accounts.

Command | Syntax | Explanation
Add a user | dsadd user userdn -samid sam_name | Userdn is the distinguished name of the user object you are adding. -samid is the security account name used for this object.
Entering the Password | dsadd user userdn -pwd password | The syntax password in italics represents the actual password to be used on the account.
Resetting a User Password | dsmod user user_dn -pwd new_password | The user_dn is the distinguished username and the new_password is the new password to be used.
Forcing a user to change password at next logon | dsmod user user_dn -mustchpwd yes | This syntax will force a user to change their password at the next logon. If a password has not been assigned and they logon with a blank password then a dialog box will appear and tell them they are required to change their password.
Delete an account | dsrm user_dn | Simple syntax that allows you to delete an account from the prompt.

Table 2-3: Command Prompt Syntax to add, manage and delete user accounts

To get additional information on these three commands just go to the command prompt on the Windows Server 2003 machine and type the command with the /? switch. It will list all switches relevant to the command. For example, to get more information on the dsrm command go to the command prompt and type dsrm /? The output will list all available switches with instructions.

The LDAP Data Interchange Format Directory Exchange or ldifde command line utility, which was discussed earlier in this section, allows Administrators to create, modify, and delete directory objects on Window Server 2003 and Windows XP Professional machines. This tool also works if you have the Windows XP adminpak installed from the Windows Server 2003 CD-Rom. This utility also allows administrators to extend their Active Directory schema, populate, import and export user and/or group information from within Active Directory to additional applications and services. Microsoft also has an article number 322684 located at http://support.microsoft.com for further reference. Table 2.9 below shows some general import parameters that can be used with the ldifde command utility.

Switch | Definition
-c FromDN ToDN | Replace occurrence of FromDN to ToDN
-f | Input or Output filename
-i | Turn on Import Mode (Export mode is the default mode)
-j | Log File location
-s | Server to bind to
-t | Port Number if you wish to change from default of 389
-u | Use Unicode Format
-v | Turn on Verbose Mode
-? | Help

Table 2-4: Syntax to use with the LDIFDE utility.

To import user accounts from one Active Directory controller to another you must be logged in as the Administrator. If you log on using an account that does not have administrative privileges, you may not be able to perform export and import operations against the Active Directory. In the following steps we will import a user account named John Doe using the ldifde command.

Creating the import file to use with ldifde.

1. Click on Start | Run and type Notepad.
   a. Name the blank notepad file myimport.ldf
   b. On the first line of the Notepad file type the following exactly as it is shown in Figure 2.24 below.

Figure 2-24: Myimport.ldf using Notepad

2. Click on the Start button | Click Run and type cmd.
3. Once at the command prompt use the following command:

    ldifde -v -i -s 2003svr -f myimport.ldf

To break it down bit by bit look at the command closely: the -v displays the output in the verbose mode, -i is the import mode (you must use this to import because the command uses export by default), the -s command is the name of the server we are importing from and the -f is the name of the import file we created with notepad.
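When an import file is generated from a spreadsheet or HR export rather than typed by hand, each value has to be encoded so it cannot change the record's structure. The following is an added example, not code from the book: it builds LDIF add records the way the LDIF and DN standards (RFC 2849, RFC 4514) require and applies the user-name rules from Table 2-1 to the logon name. The CN=Users container, the logon names and the sample rows are assumptions made for illustration.

```python
import base64

# Characters RFC 4514 requires to be escaped inside an RDN value.
DN_ESCAPED = set('"+,;<>\\')
# Characters the user-name rules table on this page forbids in a logon name.
LOGON_FORBIDDEN = set('"/\\[]:;|=,+*?<>')

CONTAINER = "CN=Users,DC=totalrecallpublications,DC=com"   # assumed container
SAMPLE_ROWS = [            # constructed rows, as if read from a spreadsheet export
    ("John", "Doe", "jdoe"),
    ("Pat", "Smith, Jr.", "psmith"),     # comma would otherwise split the DN
    ("Zoë", "Smith\r\n", "zsmith"),      # non-ASCII text and a stray line break
]


def check_logon_name(name):
    """Apply the page's user-name rules; return the name or raise ValueError."""
    if not 1 <= len(name) <= 20:
        raise ValueError("logon name must be 1 to 20 characters")
    bad = sorted(c for c in set(name) if c in LOGON_FORBIDDEN or ord(c) < 32)
    if bad:
        raise ValueError(f"logon name contains forbidden characters: {bad!r}")
    if not name.strip(" ."):
        raise ValueError("logon name cannot consist only of spaces or periods")
    return name


def escape_rdn_value(value):
    """Escape one RDN value so a comma or plus sign in a name stays data."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_ESCAPED or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 32:
            out.append("\\%02x" % ord(ch))      # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attribute, value):
    """Emit 'attr: value', or base64 'attr:: ...' when value is not a SAFE-STRING."""
    safe = (all(0 < ord(c) < 128 and c not in "\r\n" for c in value)
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{attribute}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attribute}:: {encoded}"


def parse_ldif_line(line):
    """Inverse of ldif_line, used to confirm what an importer would read."""
    attribute, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attribute, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attribute, rest.lstrip(" ")


def user_entry(first, last, logon, container_dn):
    """Build one 'changetype: add' record for a user object."""
    cn = f"{first} {last}"
    dn = f"CN={escape_rdn_value(cn)},{container_dn}"
    fields = [("dn", dn), ("changetype", "add"), ("objectClass", "user"),
              ("cn", cn), ("givenName", first), ("sn", last),
              ("sAMAccountName", check_logon_name(logon))]
    return "\n".join(ldif_line(a, v) for a, v in fields) + "\n"


def build_import(rows, container_dn):
    """Join records with the blank line LDIF uses as the record separator."""
    return "\n".join(user_entry(*row, container_dn) for row in rows)


if __name__ == "__main__":
    print(build_import(SAMPLE_ROWS, CONTAINER))
```

Because a value containing a line break is written in base64, it cannot start a new attribute line in the file, and the record count in the output always equals the number of input rows.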

CSVDE

The CSVDE utility is much like the ldifde command but it uses a comma-separated format (CSV). This means that applications such as Microsoft Excel can read the output of the file. However this utility does have its limitations: it can only be used to import and export from Active Directory, not to create and delete objects like the ldifde command is capable of doing. This is a great tool to use if you have a large number of accounts to import and you would like to view the output of the import file. The command switches are just like the ones that were used in the ldifde command in the previous section so we are not going to list those here.

An example of how to use this function is listed below. We will use this utility to create an LDAP search filter to import users with the surname smith. The import will be viewable in a filename we create called myimport.csv.

1. Click on Start | Run | Type cmd
2. Type in the following command:

    csvde -r "(&(objectClass=User)(sn=smith))" -f myimport.csv -v -i -s 2003svr

The -r command creates an LDAP search filter for the data export. The object class specifies the type of object, which in this case is the user, and the sn syntax represents the surname we are importing. The -f command identifies the name of the import file. The -v command displays the information verbose. The -i command must be used for importing (exporting is also used by default). The -s command specifies the server name.

These are a few of the many tools that are available for use with the Windows Server 2003 network operating server. Enhancements to this network operating system allow administrators much more flexibility and control over their environment using command line utilities such as the ones listed in this section.

2.5 Troubleshoot computer accounts

Troubleshooting computer accounts can be done with the Active Directory snap-in, which can be used to assist you with Computer account problems.

2.5.1 Diagnose and resolve issues related to computer accounts by using the Active Directory Users and Computers MMC snap-in

Open the Active Directory Users and Computers console and drill down to the Computer account you wish to troubleshoot and right-click on the computer shown in Figure 2.25.

Figure 2-25: Troubleshooting a Computer Account using the Active Directory Users and Computer console.

As you can see from the menu you have options available to:

● Disable Account, which would render it unusable.
● Reset Account – Which resets the computer account
● Move – Move the account to another location
● All Tasks – Allows you to do the Disable Account, Reset Account, Move, Manage as well as run the Resultant Set of Policy on the computer; this is shown in Figure 2.26.

Figure 2-26: The All tasks option for troubleshooting.

● Resultant set of Policy – Can be used to troubleshoot Security problems on an account.

A disabled account will appear as shown in Figure 2.27.

Figure 2-27: A disabled computer account.

To re-enable a computer account just right-click the computer and select the Enable option as shown in Figure 2.28.

Figure 2-28: Re-enabling a computer account.

Re-enabling a computer account. Figure 2.29 will show the dialog that states the computer account has been re-enabled. The account will appear in the list of computer accounts and be accessible for use.

Figure 2-29: The re-enabled computer account verification.

2.5.2 Reset computer accounts

Resetting a computer account is done in the same manner as disabling and re-enabling a computer account. Just open the Active Directory Users and Computers console and select the Computer Account you wish to reset. Right-click the computer account and select Reset; the dialog box shown in Figure 2.30 will prompt you to make certain you wish to complete this procedure.

Figure 2-30: Resetting a Computer Account using Active Directory Users and Computers.

Click Yes to reset the account. Figure 2.31 shows the successful dialog box that appears once the account has been reset.

Figure 2-31: Successful completion of a computer account reset.

2.6 Troubleshoot user accounts.

User Account issues can be caused by a number of issues. The following section explains some of the issues and ways to diagnose and solve user account problems.

2.6.1 Diagnose and resolve account lockouts

If a password policy has been implemented on a domain and an account has been locked out and cannot gain access to the network use the information below to identify and correct this problem.

Creating a Password Policy for a Domain

Administrators can create password policies to enforce restrictions on domain and member server passwords. The Account Password policy console can be accessed by clicking on Start then Run and type MMC, select File then Add/Remove snap-in, choose Add Group Policy Object Editor and Add. In the Select Group policy object choose the browse option | In Browse for a Group Policy Object select a group policy object | Click OK then Finish | Click Close then OK | Choose the Password policy from the console tree.

Some options when creating Password Policies:

● Enforce Password History - Users are not allowed to use the same password when the current one expires.
● Maximum Password Age - Used to have passwords expire as often as you wish. If the network was compromised by a hacker then the hacker only has access to the network until the password expires (if the hacker had not been previously caught).
● Minimum Password Age - Passwords cannot be changed until they are so many days old. This is used in conjunction with the Enforce password history option.
● Minimum Password Length - Password must consist of a specific number of characters. Remember seven should be a minimum for strong password implementation.
● Passwords must meet complexity requirements - Checks to make certain all new passwords meet strong password requirements.

Use common sense when implementing a password policy and take into account how many users your Helpdesk has to support; the last thing you want to do is enforce a policy and have your helpdesk flooded with support calls.

Enforcing the Account Password policy should not be done when it has not been thought through by the Administrator. Once it has been put into place it should allow for a more controlled and secure domain. Some Account Password Policy troubleshooting scenarios are listed in Table 2.10 below:

● The password policy has been changed but it has not gone into effect. Click on Start | Run | type gpupdate | Click OK. The gpupdate command is used to refresh policy settings.
● Cannot login to Windows 95, Windows 98, and other passwords are not functioning. Is the password more than 14 characters? Windows 95 and Windows 98 cannot recognize passwords over 14 characters. Change the password so it is less than 14 characters. Educate end-users on the basics of password use and security.
● Cannot login to Windows 95, Windows 98, and other passwords are not functioning. The system you are logging into does not support unusual characters. Change the password. Also, educate your clients on the basics of security and password best practices.

Table 2.10 Troubleshooting Account Password Policies

This section covered client authentication and troubleshooting issues in Windows Server 2003. A main point to remember when implementing security is to think through how your organization functions and how you can use the features discussed in this article to assist you with greater security and less administrative overhead. Much more additional information may be found at Microsoft’s Windows Server 2003 Website http://www.microsoft.com/windowsserver2003/default.mspx

Microsoft Windows XP clients can use the Windows Server 2003 Stored User Name and Password feature. This feature is used to store user names and passwords for servers. A user can connect to different servers using user names and passwords that are different than those used to log on to the network. The user can store these for later reuse. The benefits of using this feature are:

● User has a single sign-on experience.
● No need for user to log off and on in order to supply multiple user names and passwords for different computers.
● Users can store as many user names and passwords which can in turn be used in the future.
● User names and passwords can be stored in a user's profile to provide privacy and portability of the user names and passwords.
● Various strong passwords can be created and stored for a variety of resources.

The stored user name and password feature can be accessed on any Windows Server 2003 by clicking on Start | Control Panel | Stored User Name and Password. But before we jump on the Stored User Name and Password bandwagon there are precautions that should be taken for various security reasons. For obvious reasons it would not be a wise idea to use the Stored User name and Password feature on extremely sensitive data.

● Use strong passwords for remote resources as well as local computer and domain accounts. A strong password can be defined as a password that meets the following requirements:
   ο Seven characters at minimum.
   ο Non Dictionary word.
   ο No username, company name or real name is used.
   ο Is different from previous passwords that have been used.
● Secure your computer when it is not in use. Lock the desktop, turn the computer off or use a password protected screen saver. When this feature is used then any person who has access to your account can access stored information.
● Passwords should also be changed on a regular basis.
● Use different passwords for individual accounts. Additional security can be used by using various strong passwords for each computer. This will help ensure that a guessed or stolen password does not weaken security. The intruder would be limited to the damage that could be done because he would not have access to all other passwords because they are all different.

Table 2.10 below shows some common problems and troubleshooting information.

Issue: Computer connects to computers with the incorrect access level or account.
Cause: A user name and password was stored for this account that has either too much or too little access to resources.
Correction: Delete the stored user name and password.

Issue: When I logon I cannot access resources that were currently available to me.
Cause: Either a user name and/or a password which was stored for this account has expired or the password has been changed without updating stored information.
Correction: Correct the stored user name and password.

Issue: Computer has incorrect access when using a shared user account.
Cause: The user account stored a user name and password for this resource.
Correction: Delete the stored user name and password.

Table 2.11: Issues, Causes and corrections for user account problems

Passwords

Not enough can be written regarding passwords. Some best recommended guidelines are listed below to help you implement strong passwords and account policies.

● Always remember to change passwords immediately if they may have been compromised.
● Use different passwords for all user accounts.
● Never share passwords with anyone.
● It has never been a great idea to write passwords on a piece of paper. If it must be done make certain the paper is stored in a secure location.
● Create a policy for passwords that guarantees that clients are following password policy guidelines.
● Explain to end-users how to protect their accounts, lock their desktops and turn off their computers when they are away.
● The SysKey utility may be used on computers throughout a network. This nifty utility is used to enable strong password encryption techniques to secure account password information. The utility can be used by clicking on Start | Run then type syskey. The utility is shown in Figure 2.32.

Figure 2-32: The SysKey utility

These are just a few common sense guidelines that Administrators can follow when educating clients about the importance of passwords. In addition to these guidelines, account password policies may be created on a Windows Server 2003 machine by administrators.

2.6.2 Diagnose and resolve issues related to user account properties

Creating and managing users in Windows Server 2003 is much like that of its predecessor Windows 2000 Server. Accounts may be added using the Active Directory Users and Computer console or via the command prompt with a nifty utility called dsadd. Using this console is assuming you have Active Directory installed and properly running on the 2003 Server. Figure 2.33 shows the dsadd utility as well as the syntax to use with the command.

Figure 2-33: DSADD utility.

Microsoft Windows Server 2003 supports various authentication protocols as well as a key feature known as Stored User Names and Passwords for client access to network resources. The topics are discussed in the following pages.

Authentication is based on two processes in Microsoft Windows Server 2003. The first process is the interactive logon. The interactive logon is used to confirm the user’s identity. This verification is done either by a local computer account or a domain account. The process varies for each of these accounts.

● Local computer account – A client simply logs onto the computer and the credentials in the local security account database (SAM) are used.
● Domain Account – A client logs onto the network with a password or a smart card and the credentials stored in the Active Directory are used to give access to network resources. When a client logs into the domain using a domain account they can then access any resources in the domain as well as other trusting domains.

The second process is known as Network authentication. Network authentication is used to confirm the client’s identification. This authentication is done by various authentication means. Table 2.11 shows the authentication protocols which are supported in Windows 2003 Server.

Kerberos authentication V5 – This protocol can be used with a smart card or a password for interactive logons to resources.
Secure Sockets Layer/Transport Layer Security Authentication (SSL/TLS) – This protocol can be used when a client machine attempts to access a secure web server.
NTLM Authentication – If a client tries to connect with an older version of Windows Server 2003 or an older version of a Windows client machine this protocol is used.
Passport Authentication – This is a single sign on server for user authentication.

Table 2.11: Authentication Protocols used in Windows 2003 Server.

Kerberos V5 is the default authentication service used in Windows Server 2003. This protocol is enabled by default on all computers which are joined to a Windows Server 2003 or Windows 2000 Server domain. The great thing about Kerberos is that it can be configured through the Kerberos security settings, which are part of account policies. The list below shows some of the settings that can be controlled through these settings.

Kerberos policies do not exist in local computer policy, only for domain user accounts. Before we jump into the Kerberos policies you need to know about Tickets. Tickets are used as a set of identification and are issued by a domain controller for user authentication. There are two different types of tickets: service tickets and ticket-granting tickets. Kerberos policies may be used to enforce any of the following security features:

● Enforce User logon restrictions – Open the Policy and expand the console tree Computer Configuration | Windows Settings | Security Settings | Account Policies | then choose the Kerberos Policy.

● Maximum tolerance for computer clock synchronization – This is used by Kerberos V5 as a time stamp to prevent replay attacks. Clocks on Servers and client machines need to be in close time sync. Administrators can use this to set the maximum acceptable difference between the server and client time. If the difference between the client and server time is less than the maximum time specified in this policy then any time stamp used in a session is considered to be authentic.
● Set the Maximum lifetime for service ticket – This policy setting is used to determine the maximum amount of minutes that a granted session ticket can be used to access a particular service. It cannot be more minutes than the setting for the Maximum Lifetime user ticket. It also must be a minimum of 10 minutes.
● Set the Maximum lifetime for a user ticket – This policy is used to determine in hours the maximum amount of time that a client’s ticket granting ticket (TGT) may be used. If the TGT expires then existing ticket may be either renewed or a new ticket must be requested.
● Set the Maximum lifetime for user ticket renewal – This policy is used to determine in days (7 by default) the amount of time that a user’s ticket granting ticket (TGT) can be renewed.


2.7 Troubleshoot user authentication issues
Microsoft Windows 2003 Server supports various authentication protocols as well as a key feature known as Stored User Names and Passwords for client access to network resources. The topics are discussed in the following pages.

2.7.1 Authentication Process
Authentication is based on two processes in Microsoft Windows 2003 Server. The first process is the interactive logon. The interactive logon is used to confirm the user’s identity. This verification is done either by a local computer account or a domain account. The process varies for each of these accounts.

● Local computer account – A client simply logs onto the computer and the credentials in the local security account database (SAM) are used.
● Domain Account – A client logs onto the network with a password or a smart card and the credentials stored in the Active Directory are used to give access to network resources. When a client logs into the domain using a domain account they can then access any resources in the domain as well as other trusting domains.

2.7.2 Domain User Accounts using Kerberos
Kerberos policies do not exist in local computer policy, only for domain user accounts. Before we jump into the Kerberos policies you need to know about Tickets. Tickets are used as a set of identification and are issued by a domain controller for user authentication. There are two different types of tickets: service tickets and ticket-granting tickets. Kerberos policies may be used to enforce any of the following security features:

● Enforce User logon restrictions – Open the Policy and expand the console tree Computer Configuration | Windows Settings | Security Settings | Account Policies | then choose the Kerberos Policy.
● Maximum tolerance for computer clock synchronization – This is used by Kerberos V5 as a time stamp to prevent replay attacks. Clocks on Servers and client machines need to be in close time sync. Administrators can use this to set the maximum acceptable difference between the server and client time. If the difference between the client and server time is less than the maximum time specified in this policy then any time stamp used in a session is considered to be authentic.
● Set the Maximum lifetime for service ticket – This policy setting is used to determine the maximum amount of minutes that a granted session ticket can be used to access a particular service. It cannot be more minutes than the setting for the Maximum Lifetime user ticket. It also must be a minimum of 10 minutes.
● Set the Maximum lifetime for a user ticket – This policy is used to determine in hours the maximum amount of time that a client’s ticket granting ticket (TGT) may be used. If the TGT expires then existing ticket may be either renewed or a new ticket must be requested.

● Set the Maximum lifetime for user ticket renewal – This policy is used to determine in days (7 by default) the amount of time that a user’s ticket granting ticket (TGT) can be renewed.
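The Kerberos policy rules listed above (and in the same list under section 2.6.2), as an added Python example that is not from the book: it checks a set of policy values against the stated constraints, flags hosts whose clock difference is not less than the tolerance, and computes when a TGT stops being usable and renewable. The host names, timestamps and the sample values other than the 7-day renewal default and 10-minute minimum are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class KerberosPolicy:
    clock_skew_minutes: int      # Maximum tolerance for computer clock synchronization
    service_ticket_minutes: int  # Maximum lifetime for service ticket
    user_ticket_hours: int       # Maximum lifetime for user ticket (TGT)
    renewal_days: int = 7        # Maximum lifetime for user ticket renewal

    def problems(self) -> list[str]:
        """Violations of the two constraints the section states; empty if none."""
        found = []
        if self.service_ticket_minutes < 10:
            found.append("service ticket lifetime must be at least 10 minutes")
        if self.service_ticket_minutes > self.user_ticket_hours * 60:
            found.append("service ticket lifetime exceeds user ticket lifetime")
        return found


def timestamp_accepted(policy: KerberosPolicy, client: datetime, server: datetime) -> bool:
    """A time stamp is treated as authentic only when the client/server
    difference is less than the configured tolerance (both times in UTC)."""
    return abs(client - server) < timedelta(minutes=policy.clock_skew_minutes)


def hosts_outside_tolerance(policy: KerberosPolicy, observations) -> list[str]:
    """observations: iterable of (host, client_time, server_time) tuples."""
    return [h for h, c, s in observations if not timestamp_accepted(policy, c, s)]


def tgt_deadlines(policy: KerberosPolicy, issued: datetime) -> tuple[datetime, datetime]:
    """(time the TGT stops being usable, time it can no longer be renewed)."""
    return (
        issued + timedelta(hours=policy.user_ticket_hours),
        issued + timedelta(days=policy.renewal_days),
    )


# Constructed sample data for illustration.
SAMPLE_POLICY = KerberosPolicy(
    clock_skew_minutes=5, service_ticket_minutes=600, user_ticket_hours=10
)
T0 = datetime(2004, 3, 1, 9, 0, 0)
SAMPLE_OBSERVATIONS = [
    ("WKS-01", T0 + timedelta(seconds=40), T0),  # well inside the tolerance
    ("WKS-02", T0 - timedelta(minutes=7), T0),   # clock 7 minutes slow
    ("WKS-03", T0 + timedelta(minutes=5), T0),   # exactly at the limit, not "less than"
]

if __name__ == "__main__":
    print("policy problems:", SAMPLE_POLICY.problems())
    print("clock skew failures:", hosts_outside_tolerance(SAMPLE_POLICY, SAMPLE_OBSERVATIONS))
    print("TGT deadlines:", tgt_deadlines(SAMPLE_POLICY, T0))
```

When a domain logon fails on one workstation only, comparing its clock with the domain controller's is a quick first check, since a host outside the tolerance fails authentication regardless of its password.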

2.7.3 Local Computer Account Policy
The local computer account policy can be accessed via the MMC console. Click on Start | Administrative Tools | choose the Local Security Policy. The MMC will open as shown in Figure 2.34.

Figure 2-34: The Local Security Policy MMC

2.7.4 Stored user names and passwords
Microsoft Windows XP clients can use the Windows 2003 Server Stored User Name and Password feature. This feature is used to store user names and passwords for servers. A user can connect to different servers using user names and passwords that are different than those used to log on to the network. The user can store these for later reuse. The benefits of using this feature are:

● User has a single sign-on experience.
● No need for user to log off and on in order to supply multiple user names and passwords for different computers.
● Users can store as many user names and passwords which can in turn be used in the future.
● User names and passwords can be stored in a user's profile to provide privacy and portability of the user names and passwords.
● Various strong passwords can be created and stored for a variety of resources.

The stored user name and password feature can be accessed on any Windows 2003 Server by clicking on Start | Control Panel | Stored User Name and Password. But before we jump on the Stored User Name and Password bandwagon there are precautions that should be taken for various security reasons. For obvious reasons it would not be a wise idea to use the Stored User name and Password feature on extremely sensitive data.

● Use strong passwords for remote resources as well as local computer and domain accounts. A strong password can be defined as a password that meets the following requirements:
   ο Seven characters at minimum.
   ο Non Dictionary word.
   ο No username, company name or real name is used.
   ο Is different from previous passwords that have been used.
● Secure your computer when it is not in use. Lock the desktop, turn the computer off or use a password protected screen saver. When this feature is used then any person who has access to your account can access stored information.
● Passwords should also be changed on a regular basis.
● Use different passwords for individual accounts. Additional security can be used by using various strong passwords for each computer. This will help ensure that a guessed or stolen password does not weaken security. The intruder would be limited to the damage that could be done because he would not have access to all other passwords because they are all different.


Chapter 2: Review Questions
1. You suspect that a user's profile or their account might be corrupted. What actions can you take to figure out which is the case?
A. Create a new user account and give it the same rights and group memberships or associations as the account that has the profile that you suspect may be damaged.
B. Copy the user settings in the suspect profile to the profile of the newly created user account. Click Start, point to Control Panel, and then click the System applet.
C. Create an administrative account and give it the same rights and group memberships or associations as the account that has the profile that you suspect may be damaged.
D. Click Advanced, and then under User Profiles, click Settings. Under Profiles stored on this computer, click the suspect user profile, and then click Copy To. In the Copy To dialog box, click Browse. Locate the drive:\Documents and Settings\user_profile folder, where drive is the drive where Windows is installed, and where user_profile is the name of the newly created user profile, and then click OK. Click OK, click Yes to overwrite the folder contents, and then click OK two times. Use the newly-created user account to log on.


2. How can you configure a user account so that it can be trusted for delegation in Windows Server 2003?
A. Double-click the user that you want to configure
B. Right-click the user that you want to configure, and then click Properties.
C. Click the Delegation tab, click Trust this user for delegation to any service (Kerberos only), and then click OK.
D. In Active Directory Sites and Services, click Users.
E. In Active Directory Users and Computers, click Users.

3. Which of the following options gives you the ability to log on even with a disabled local Administrator account on a 2003 Server?
A. Run the Defragment Tool
B. Use Recovery Console
C. Start Windows 2003 in Safe Mode
D. Boot from a network card that is PXE compliant


4. Which of the following does a remote administrator have control over by using regedit?
A. The number of persons who can be denied access
B. How frequently the failed attempts counter is reset
C. The number of failed attempts before future attempts are denied
D. The number of persons who can be allowed access

5. What are some of the requirements for installing Microsoft Group Policy Management Console?
A. Either Windows Server 2003 or Windows XP Professional.
B. The QFE Q326469 hotfix, which updates your version of gpedit.dll to 5.1.2600.1186.
C. Windows Advanced Server 2003 and Windows XP Home with Service Pack 1 (SP1) and the Microsoft .NET Framework.
D. Either Windows Server 2003 or Windows XP Professional with Service Pack 1 (SP1) and the Microsoft .NET Framework.


6. Using the dsadd command, which of the following would create an account in the domain domain.com for John Smith with a password of password?
A. dsadd user 'cn=jsmith,cn=users' -samid user -upn jsmith -fn john -ln smith -display 'user' -pwd password.
B. dsadd user 'dc=domain,dc=com' -samid user -upn domain.com -fn john -ln smith display 'user' -pwd password.
C. dsadd user 'cn=jsmith,cn=users,dc=domain,dc=com' -samid user -upn jsmith@domain.com -fn john -ln smith -display 'user' -pwd password.
D. dsadd user 'cn=jsmith,cn=users,dc=domain,dc=com' -samid user -upn jsmith@domain.com -fn john -ln smith -display 'user' -pwd.

7. What steps are necessary in creating a shared mandatory profile to ensure company employees will have the same desktop?
A. Create a temporary user account, configure it, and change the profile from NTUSER.DAT to NTUSER.MAN
B. Add the path to the profile in the account
C. Create a local user template
D. Create a user template in Active Directory
E. Create a temporary user account, configure it, and change the profile from NTUSER.DAT to NTUSER.MND


8. Which of the following statements are true about group nesting?
A. Group nesting isn't used to grant permissions to groups
B. The domain involved has to be in native mode
C. The domain involved has to be in mixed mode
D. Group nesting is the placement of a group into another group

9. If you needed to only give a specific group remote access to a number of terminal servers, what would you do?
A. Create a domain and move all the servers into it. Create a GPO and link it to the domain. Configure the GPO to allow the members in the group to log on locally.
B. Create a GPO and move all the servers into it. Create another GPO and link it to the GPO. Configure the GPO to allow the members in the group to log on locally.
C. Create an OU and move all the servers into it. Create a GPO and link it to the domain. Configure the GPO to allow the members in the group to log on locally.
D. Create an OU and move all the servers into it. Create a GPO and link it to the OU. Configure the GPO to allow the members in the group to log on locally.

click to select the Deny check box for the Apply Group Policy permission. Expand Local Users and Groups. and then click Properties. click Users. E. Click the administrators group (or other group or user) that you do not want the policy to apply to. E. Open Active Directory Domains and Trusts and right-click the name of the domain where the policy is applied. Open Active Directory Users and Computers and right-click the name of the domain where the policy is applied. and then click Properties. Click Start. Click Properties. Click the Group Policy tab and select the default domain policy. In the Permissions windows. Delete the user or group from the policy. After starting up in Safe Mode. C. Click the Group Policy tab and select the default domain policy. Click Properties. right-click My Computer. and then click Explore. right-click My Computer.Windows Server 2003 181 10. but you do not want this policy to apply to Administrators. and then click OK. and then click Manage. You Windows 2003 Server has a disabled local Administrator account. what steps can you take to reactivate that Administrative account? A. and then click Properties. You have just finished editing the default domain policy for your domain. Expand Local Users and Groups. B. and then click Properties. Click to clear the Account is disabled check box. C. right-click Administrator in the right pane. click Users. 11. What should you do to prevent this? A. right-click Guest in the right pane. . D. and then click the Security tab. D. Add the user or group if you need to. Click Start. and then click the Security tab. B.

182 Users. C.msc file in the Support\Tools folder. netdom resetpwd /s:srv12 /ud:tiger\User /pd:* C. and then click Open.asc file in the Tools folder. netdom resetpwd /s:server /ud:tiger\User /pd:* . and then click Run. Right-click the Suptools. and then click Run. netdom resetpwd /s:Servertwelve /ud:tgr\User /pd:* D. Right-click the Suptools. What should you do if you want to install support tools on a 2003 domain controller? A.msi file in the Support\Tools folder. and Groups 12. Right-click the Suptools. B. netdom resetpswd /s:srv12 /ud:domain\User /pd:* B.mst file in the Support\Tools folder. Which of the following is the proper way to format the netdom command if you are attempting to reset the password on a Windows 2003 domain controller named svr12 in a domain called tiger? A. Computers. 13. D. Right-click the Suptools. and then click Install.

14. When nesting global groups, where should they be placed to give them rights locally and avoid unnecessary overhead?
A. In another global group
B. In a universal group
C. In a distribution group
D. In a domain local group

15. If you run the command secedit/refreshpolicy user_policy/enforce on a domain controller, what will result?
A. Password policy changes are enforced immediately for users in the domain
B. Password policy changes are enforced immediately for computers in the domain
C. Password policy changes are enforced after five minutes for users in the domain
D. Password policy changes are enforced after five minutes for computers in the domain

Chapter 2: Review Answers

1. You suspect that a user's profile or their account might be corrupted. What actions can you take to figure out which is the case?
*A. Create a new user account and give it the same rights and group memberships or associations as the account that has the profile that you suspect may be damaged.
*B. Copy the user settings in the suspect profile to the profile of the newly created user account. Click Start, point to Control Panel, and then click the System applet.
C. Create an administrative account and give it the same rights and group memberships or associations as the account that has the profile that you suspect may be damaged.
*D. Click Advanced, and then under User Profiles, click Settings. Under Profiles stored on this computer, click the suspect user profile, and then click Copy To. In the Copy To dialog box, click Browse. Locate the drive:\Documents and Settings\user_profile folder, where drive is the drive where Windows is installed, and where user_profile is the name of the newly created user profile, and then click OK. Click OK, click Yes to overwrite the folder contents, and then click OK two times. Use the newly-created user account to log on.

Explanation: If you want to check to see if a user account has a damaged profile, create a new user account. Give it the same rights and group memberships or associations as the account that has the profile that you suspect may be damaged. Copy the user settings in the suspect profile to the profile of the newly created user account. Click Start, point to Control Panel, and then click the System applet. Click Advanced, and then under User Profiles, click Settings. Under Profiles stored on this computer, click the suspect user profile, and then click Copy To. In the Copy To dialog box, click Browse. Locate the drive:\Documents and Settings\user_profile folder, where drive is the drive where Windows is installed, and where user_profile is the name of the newly created user profile, and then click OK. Click OK, click Yes to overwrite the folder contents, and then click OK two times. Use the newly-created user account to log on. If you experience the same errors that led you to question the suspect user profile, the user profile is damaged. If you do not experience any errors, it is the user account that is damaged.

2. How can you configure a user account so that it can be trusted for delegation in Windows Server 2003?
A. Double-click the user that you want to configure
*B. Right-click the user that you want to configure, and then click Properties.
*C. Click the Delegation tab, click Trust this user for delegation to any service (Kerberos only), and then click OK.
D. In Active Directory Sites and Services, click Users.
*E. In Active Directory Users and Computers, click Users.

Explanation: If you want to configure a user account so that it can be trusted for delegation in Windows Server 2003, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers. In the console tree, click Users. Right-click the user that you want to configure, and then click Properties. Click the Delegation tab, click Trust this user for delegation to any service (Kerberos only), and then click OK.

3. Which of the following options gives you the ability to log on even with a disabled local Administrator account on a 2003 Server?
A. Run the Defragment Tool
*B. Use Recovery Console
*C. Start Windows 2003 in Safe Mode
D. Boot from a network card that is PXE compliant

Explanation: To log on to Windows 2003 by using the disabled local Administrator account, start Windows in Safe mode. Even when the Administrator account is disabled, you are not prevented from logging on as Administrator in Safe mode. When you have logged on successfully in Safe mode, re-enable the Administrator account, and then log on again. Start the computer, and then press the F8 key when the Power On Self Test (POST) is complete. From the Windows Advanced Options menu, select Safe Mode. Log on to Windows as Administrator. If you are prompted to do so, click to select an item in the Why did the computer shut down unexpectedly list, and then click OK. On the message that states Windows is running in safe mode, click OK. Click Start, right-click My Computer, and then click Manage. Expand Local Users and Groups, click Users, right-click Administrator in the right pane, and then click Properties. Click to clear the Account is disabled check box, and then click OK. You can also use the recovery console to access the computer even if the local Administrator account is disabled. Disabling the local Administrator account does not prevent you from logging on to the recovery console as Administrator.

You need either Windows Server 2003 or Windows XP Professional with Service Pack 1 (SP1) and the Microsoft .NET Framework.1186. The QFE Q326469 hotfix. Which of the following does a remote administrator have control over by using regedit? A. The requirements to install GPMC aren't that demanding.dll to 5. The number of failed attempts before future attempts are denied D.1. it simplifies management of Group Policy security.2600.1186.186 Users. 5. It provides a user interface for ease of use.NET Framework. Explanation: Microsoft Group Policy Management Console (GPMC) is a new tool in 2003 Server for Group Policy management. Computers.dll to 5. *B. What are some of the requirements for installing Microsoft Group Policy Management Console? A.2600.1. backups/restores GPOs. which updates your version of gpedit. . *D.NET Framework. and Groups 4. imports/exports GPOs and Windows Management Instrumentation filters. How frequently the failed attempts counter is reset *C. You also need the QFE Q326469 hotfix. which updates your version of gpedit. This QFE is included with GPMC. Windows Advanced Server 2003 and Windows XP Home with Service Pack 1 (SP1) and the Microsoft . The number of persons who can be allowed access Explanation: Remote access server administrators can adjust the number of failed attempts before future attempts are denied as well as how frequently the failed attempts counter is reset. Either Windows Server 2003 or Windows XP Professional. The number of persons who can be denied access *B. and GPMC setup will prompt you to install it. C. Either Windows Server 2003 or Windows XP Professional with Service Pack 1 (SP1) and the Microsoft .

dc=domain. Add the path to the profile in the account C. and change the profile from NTUSER.cn=users. D. For example. B. and change the profile from NTUSER.Windows Server 2003 187 6. from a command prompt. Explanation: To create a user account by using dsadd user. and add the path to the profile in the account.MND Explanation: First.com -fn john -ln smith -display 'user' -pwd.com -fn john -ln smith -display 'user' -pwd password.cn=users' -samid user -upn jsmith -fn john -ln smith display 'user' -pwd password.dc=com' -samid user -upn jsmith@domain. Create a temporary user account. configure it.DAT to NTUSER. 7. Then create a user template in Active Directory. Create a local user template *D. configure it. dsadd user 'cn=jsmith.dc=domain. configure it.dc=domain. dsadd user 'dc=domain. dsadd user 'cn=jsmith. create a temporary user account.dc=com' -samid user -upn domain. What steps are necessary in creating a shared mandatory profile to ensure company employees will have the same desktop? *A.DAT to NTUSER.MAN.MAN *B. Using the dsadd command. dsadd user 'cn=jsmith. Create a temporary user account.com -fn john -ln smith -display 'user' -pwd password.com -fn john -ln smith -display 'user' -pwd password.DAT to NTUSER. *C. type dsadd user UserDomainName [-samid SAMName] [-upn UPN] [-fn FirstName] [-ln LastName] [-display DisplayName] [-pwd {Password|*}] Use ' ' if there is a space in any variable.com for John Smith with a password of password? A.dc=com' -samid user -upn jsmith@domain. and change the profile from NTUSER.cn=users. . dsadd user 'cn=jsmith. which of the following would create an account in the domain domain.cn=users.dc=com' -samid user -upn jsmith@domain. Create a user template in Active Directory E.

Group nesting isn't used to grant permissions to groups *B. Create an OU and move all the servers into it. what would you do? A. Which of the following statements are true about group nesting? A. 9. For example. Computers. The domain involved has be in mixed mode *D. Group nesting is the placement of a group into another group Explanation: Group nesting is the placement of a group or groups into another group. Explanation: Creating an OU and moving all the servers into it will keep access restricted to just those servers. Create another GPO and link it to the GPO. Create a GPO and link it to the OU. Create an OU and move all the servers into it. Create a GPO and move all the servers into it. C. and Groups 8. Create a GPO and link it to the domain. Native mode has to be set for the domain or domains involved. linking it to the OU. Configure the GPO to allow the members in the group to log on locally. configuring the GPO to allow the members in the group to log on locally provides the proper permissions for them to gain access to the terminal servers. a global group would be nested in a domain local group to give the global group the permissions of the domain local group. Configure the GPO to allow the members in the group to log on locally. Create a GPO and link it to the domain. Generally. *D. Creating a GPO. If you needed to only give a specific group remote access to a number of terminal servers. you would do this to grant permissions to the groups nested. Create a domain and move all the servers into it. Configure the GPO to allow the members in the group to log on locally.188 Users. The domain involved has be in native mode C. B. Configure the GPO to allow the members in the group to log on locally. .

On the message that states Windows is running in safe mode. what steps can you take to reactivate that Administrative account? A. When you have logged on successfully in Safe mode. and then click Properties. right-click Guest in the right pane. If you are prompted to do so. Start the computer. From the Windows Advanced Options menu. Expand Local Users and Groups. and then click OK. You can also use the recovery console to access the computer even if the local Administrator account is disabled. Click Start. and then click Properties. *C. . Even when the Administrator account is disabled. and then click OK. and then log on again. you are not prevented from logging on as Administrator in Safe mode. re-enable the Administrator account. click to select an item in the Why did the computer shut down unexpectedly list. Explanation: To log on to Windows 2003 by using the disabled local Administrator account. and then click Manage. right-click My Computer. Click to clear the Account is disabled check box. Expand Local Users and Groups. click Users. Log on to Windows as Administrator. *B. Expand Local Users and Groups. and then click Properties. You Windows 2003 Server has a disabled local Administrator account. *D. right-click My Computer.Windows Server 2003 189 10. and then click Explore. click Users. and then click OK. right-click Administrator in the right pane. click Users. E. After starting up in Safe Mode. and then click Manage. click OK. right-click Administrator in the right pane. select Safe Mode. and then press the F8 key when the Power On Self Test (POST) is complete. Click Start. Click to clear the Account is disabled check box. Click Start. right-click My Computer. Disabling the local Administrator account does not prevent you from logging on to the recovery console as Administrator. start Windows in Safe mode.

In the left console tree. click to select the Deny check box for the Apply Group Policy permission. In the Permissions window. and then click the Security tab. By default. Click Add. and then click Properties. Computers. *D. and then click the Security tab. If the group or user who you do not want policies to apply does not appear in the list. Explanation: If you want to prevent group policies from applying to Administrator accounts. Click Properties. Open Active Directory Users and Computers and right-click the name of the domain where the policy is applied. right-click the name of the domain where the policy is applied. E. Click the group policy object that you do not want to apply to administrators. Click the domain where the account resides. and then click Properties. Click the Group Policy tab. and then click Active Directory Users and Computers. Open Active Directory Domains and Trusts and right-click the name of the domain where the policy is applied. and then click it in the list. and then click Properties. Click the Group Policy tab and select the default domain policy. the only policy that is listed in the window is the Default Domain Policy. click to select the Deny check box for the Apply Group Policy permission. In the Permissions windows. What should you do to prevent this? A. Add the user or group if you need to. and then click the Security tab. *B. Delete the user or group from the policy. This prevents the group policy object from being accessed and applied to the selected group or user account. Click the Group Policy tab and select the default domain policy. and then click OK. Click the administrators group (or other group or user) that you do not want the policy to apply to. Find the account. Click Add. Click Properties. . and Groups 11. point to Administrative Tools. *C.190 Users. but you do not want this policy to apply to Administrators. Click the administrators group (or other group or user) to which you do not want the policy to apply. 
click Start. You have just finished editing the default domain policy for your domain. Click Properties.

Right-click the Suptools. and then click Run. D.exe to reset a machine account password. the current user account is used. and replication propagates the change to other domain controllers: netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:* Restart the server whose password was changed. This must be in domain\User format. If you want to reset the password for a Windows domain controller. Now type the following command: netdom resetpwd /s:server /ud:domain\User /pd:* The /s:server is the name of the domain controller to use for setting the machine account password. What should you do if you want to install support tools on a 2003 domain controller? *A. and then click Open.exe on Server1 with the following parameters. The /ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This forces the domain controller with the incorrect computer account password to contact another domain controller for a Kerberos ticket. B.msi file in the Support\Tools folder. and then click Install. C. For example. you can restart the Kerberos Key Distribution Center service and set its startup type back to Automatic. The /pd:* specifies the password of the user account that is specified in the /ud parameter. Right-click the Suptools. You will need to install the Support Tools for Windows Server 2003 on the domain controller whose password you want to reset. After you restart and verify that the password has been successfully reset.Windows Server 2003 191 12. and type cmd and click OK.msc file in the Support\Tools folder. and then click Run. . right-click the Suptools. Click Start. To install these tools. These tools are located in the Tools folder in the Support folder on the Windows Server 2003 CD-ROM.asc file in the Tools folder. the password is changed locally and is simultaneously written on Server2. Right-click the Suptools. and then click Install. 
the local domain controller computer is Server1 and the peer Windows domain controller is Server2. Use an asterisk (*) to be prompted for the password.msi file in the Support\Tools folder. Right-click the Suptools.mst file in the Support\Tools folder. you must stop the Kerberos Key Distribution Center service and set its startup type to Manual. If this parameter is omitted. Run. If you run Netdom. Explanation: You can use Netdom. this is Server1. In this example.

13. Which of the following is the proper way to format the netdom command if you are attempting to reset the password on a Windows 2003 domain controller named svr12 in a domain called tiger?

A. netdom resetpswd /s:srv12 /ud:domain\User /pd:*
*B. netdom resetpwd /s:srv12 /ud:tiger\User /pd:*
C. netdom resetpwd /s:Servertwelve /ud:tgr\User /pd:*
D. netdom resetpwd /s:server /ud:tiger\User /pd:*

Explanation: You can use Netdom.exe to reset a machine account password. You will need to install the Support Tools for Windows Server 2003 on the domain controller whose password you want to reset. These tools are located in the Tools folder in the Support folder on the Windows Server 2003 CD-ROM. To install these tools, right-click the Suptools.msi file in the Support\Tools folder, and then click Install.

If you want to reset the password for a Windows domain controller, you must stop the Kerberos Key Distribution Center service and set its startup type to Manual. This forces the domain controller with the incorrect computer account password to contact another domain controller for a Kerberos ticket. Click Start, Run, type cmd and click OK. Now type the following command:

netdom resetpwd /s:server /ud:domain\User /pd:*

The /s:server is the name of the domain controller to use for setting the machine account password. The /ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used. The /pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.

For example, the local domain controller computer is Server1 and the peer Windows domain controller is Server2. If you run Netdom.exe on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers:

netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*

Restart the server whose password was changed. In this example, this is Server1. After you restart and verify that the password has been successfully reset, you can restart the Kerberos Key Distribution Center service and set its startup type back to Automatic.

14. When nesting global groups, where should they be placed to give them rights locally and avoid unnecessary overhead?

A. In another global group
B. In a universal group
C. In a distribution group
*D. In a domain local group

Explanation: When nesting, place global and universal groups in domain local groups. This allows the global and universal groups to gain the rights that the domain local group possesses. Global groups can only contain user accounts, computer accounts, and global groups from the same domain. Universal groups could work but would increase overhead. Distribution groups cannot be used for security purposes.

15. If you run the command secedit /refreshpolicy user_policy /enforce on a domain controller, what will result?

*A. Password policy changes are enforced immediately for users in the domain
B. Password policy changes are enforced immediately for computers in the domain
C. Password policy changes are enforced after five minutes for users in the domain
D. Password policy changes are enforced after five minutes for computers in the domain

Explanation: The command secedit /refreshpolicy user_policy /enforce, when run on a domain controller, will enforce password policy changes immediately for users in the domain. To accomplish the same thing for computers in the domain, run the secedit /refreshpolicy machine_policy /enforce command. Secedit is used to immediately refresh policy. Windows 2000 domain controllers will refresh after five minutes without any extra administrative action.

Managing and Maintaining Access to Resources

The objective of this chapter is to provide the reader with an understanding of the following:

3.1 Configure access to shared folders
3.1.1 Manage shared folder permissions
3.2 Troubleshoot Terminal Services
3.2.1 Diagnose and resolve issues related to Terminal Services security
3.2.2 Diagnose and resolve issues related to client access to Terminal Services
3.3 Configure file system permissions
3.3.1 Verify effective permissions when granting permissions
3.3.2 Change ownership of files and folders
3.4 Troubleshoot access to files and shared folders

Chapter 3: Access to Resources

Introduction:

Information Technology personnel working with Windows 2003 Server networks always face the task of assigning and maintaining access to network files and folders. The following chapter will show you how to configure shared folder access, manage shared folder permissions, troubleshoot Terminal Service error messages and configure File system permissions. Make certain you do not get user rights confused with permissions. User rights define capabilities at the local level and permissions are used to grant access to objects such as files, folders, printers and additional Active Directory objects.

Getting Ready Questions

1. What is the default permission for shares on Windows 2003 Server?
2. Do share permissions apply to terminal service clients?
3. What are the two types of security modes when Terminal Services has been installed in Application mode?
4. What net command can be used to view open sessions on a computer?
5. Can an administrator give ownership of a file to a user?

Getting Ready Answers

1. READ is the default permission given to shares created on Windows 2003 Servers.
2. Share Permissions do not apply to terminal service clients. The NTFS file system or access control should be used to set share permissions instead.
3. Terminal Server has two separate security modes when it has been installed in Application mode:
● Full Security – This mode will provide the most security in the Windows 2003 Server environment.
● Relaxed Security – This mode is commonly used to allow legacy applications (pre-Windows 2000) to run. It allows the system registry to be edited.
4. The net session command can be used to view open sessions on a computer.
5. No. An administrator can give Take Ownership permission to a user. However, ownership itself cannot be given; the user must assume ownership.

Introduction Continued: User Right Administration

It is always easier to administer rights to groups rather than individual users. Users can have more than one series of rights based on the group membership of that user. User rights increase as the user is added to more groups. User Rights can be divided into two groups. They are Privileges and Logon Rights. Privileges are the rights to back up directories or files, and logon rights give users rights to log onto a system locally. Logon privileges can sometimes conflict if you are not careful as to the group you assign the user.

Access Control Lists (ACL) consist of the Permission Entries in security descriptors. Permission Entries, which are also a type of Access Control Entry (ACE), are created each time a user is assigned to a group.

There are numerous types of groups and they are outlined below:

● User Groups – The most secure by default and lowest level of security. Clients belonging to this group cannot by default change any operating system setting. Legacy software cannot by default be run by members of this group, nor can operating systems Windows 95 or Windows 98. The members of this group would have to be given Power User rights or the User Group would have to have its privileges elevated to a higher level. The only software that members of this group can use is Administrator-installed Windows logo software such as Windows XP, Windows 2000, Windows Server 2000 and Windows 2003 Server.

● The User Group members also have control over their local profile folder, and their own portion of the registry key HKEY_CURRENT_USER.
● Power Users – Members of this group have higher permissions than those of the user group. They can perform elevated tasks except tasks explicitly given to Network Administrators. Power users can make Printer changes, have Control Panel access, can stop and restart services and install software, and locally created groups.
● To allow applications to run that may have backward compatibility issues after the upgrade process from NT 4.0 to Windows 2003 Server, the Restricted Users group is by default put into the Power Users Group.
● Administrators – Administrators have full permissions over everything on the computer.
● Local accounts that are created on the local computer are created without passwords and are added to the Administrators group by default. If this is a concern, Security Configuration Manager allows you to control membership of the Administrators (or any other group) with the Restricted Groups policy.
● Backup Operators – Members of this group can back up as well as restore any file on a computer or server. Members of this group cannot change any security setting on the machine.
● Interactive – Contains users who are currently logged into the computer. If this server was upgraded then this group is added to the Power Users group to allow access to legacy software.
● Network – This group holds all users who access the system via the network.
● Terminal Server User – Any user in this group can access applications that are installed and running on the Terminal Server in Application mode (not remote Administration Mode). Any program that a user can run in Windows NT 4.0 will run for a Terminal Server User in Windows 2000, Windows XP Professional, or a member of the Windows Server 2003 family.

In the Windows 2003 Server and Windows XP Professional operating systems the Anonymous group is no longer a member of the Everyone group. Legacy Applications that run on the network may need the anonymous access permission applied in order to function, or you may change the Network Access: let Everyone permissions to apply to anonymous users.

3.1 Configure access to shared folders

Administrators always face the arduous task of assigning access to folders that are on the network. There are three basic ways that you can assign permissions to folders in Windows 2003 Server: using the Windows Explorer, using the Shared Folders Microsoft Management Console (MMC) or using the command line. If you use the Command line or Windows Explorer to configure permissions you can only do this locally. If you use the Share Folders MMC you can set permissions both locally and on remote computers. In order to assign permissions to folders you must be logged on as a user that is a member of the Power Users Group, Administrators Group or Server Operator Group. Use the steps below to configure sharing on folders.

Sharing Folders using Windows Explorer

To share folders using Windows Explorer, open Windows Explorer on a Windows 2003 Server by clicking on Start, select All Programs, click on Accessories and then choose Windows Explorer. Locate the Folder you wish to share and Right-click on the folder. Select the Sharing option and then choose the Share this Folder option. Enter a name for the share and then enter a description for the share if you wish. Next you can set the User limit and Permissions for clients who will need to access this folder over the network. The Permissions tab will open and you can add Groups or Users that need access to this folder. The default Group is the Everyone group and the default permissions are Read. Just click the Add or Remove button to change these settings.

The Read permission is the most restrictive permission of the three available. It is the default permission given to shares created on Windows 2003 Servers. The Read option by default allows everyone the ability to read the contents of the Shared Folder, meaning they can view file names, subfolders, programs that are running and data in each file. The options other than Read are Change and Full Control. The Change option gives clients the ability to Delete files and subfolders in the share, modify files by changing data in the file, add subfolders and files to the Shared folder, and also Read permissions. The Full Control permission allows the group to have complete control over the shared folder, which means that they can read, write, delete, and make basically any modification to the contents of the folder by default.

Click OK once the changes have been made and then click Apply and OK for the settings to take effect.

Sharing Folders using Shared Folder Console

The Shared Folders Console can be opened by clicking on Start, selecting Administrative Tools and then choosing Computer Management. Alternately, you can click on Start, then select Run and then type MMC. Select File then Add/Remove Snap-in. Select Computer Management from the list then select Add. The option to manage a local computer or Another Computer is available. Select the computer you wish to manage then click the Finish button. Choose Close then OK and the Computer Management console will be added in the Console Root.

Select the Shares option from the Shared Folders list and open the Action menu, then select the New Share button. Make certain you are on the Shares option under Shared Folders. If you do not do this, the New Share option is not available. The Share a Folder Wizard opens and requests that a path to the folder you need to share either be typed in manually or browsed to by selecting the Browse button. Select Next once the path has been entered and the next options will appear to allow you to enter the Share Name for the share and to also enter a description for the share.

You also have the option of setting Offline settings for the folders and files. These are optional. Offline settings are used by Administrators to make the contents of the share available offline. You can choose to allow the users to specify which files or folders are offline, allow all files and/or programs in the share to be available offline, or allow none of the files or programs inside the share to be available offline.

Once these settings have been entered click the Next button and set the permissions to the shared folder. The default option is to allow all users (Everyone) the ability to have read-only access. You can choose to allow Administrators to have Full Access and all others to have read-only access, Administrators can have full access and all others can have read and write access, or set custom share and folder permissions by choosing the Customize option. If you select the Customize option then a small screen will appear that is identical to the one that is used in the Windows Explorer permission option. This screen shows the default Everyone group with Read access. This can be changed by adding the Groups or Users you wish to give access to and then selecting the appropriate permissions. Once this has been completed just select the OK button and then Finish.

The last screen will appear stating that Sharing was successful and it will show you the status of the share and the Summary of the share properties. The option to add another share is also available, and if you select this option and then Close, the Share Wizard will start over again giving you the option to add more shares. Once the wizard closes, the Share will be shown in the left pane of the Shared Folders console.

Sharing Folders using the Command Line

To share a folder using the command line, open the command line by clicking on Start then All Programs and Accessories, then choose the Command Prompt option. The syntax to use is the net share command. Make sure you know your path to the folder you need to share before you type this command. To share a simple folder just type the following:

net share sharename=drive:path

then press the enter key. Once this command has completed successfully, you can close the command prompt.

The net share command has numerous switches available, which allow advanced settings to be configured. Additional net share switches are:

● net share sharename /USERS:number or /UNLIMITED – This allows you to select the number of users who have access to this share or give unlimited users access to this share in numbers only.
● net share sharename /grant:user [Read, Change or Full] permissions – This syntax allows you to grant users access permissions.
● To view all syntax available for the net share command just type net help share at the command prompt.

Default settings on default shared resources such as ADMIN$ are restored by either restarting the computer or starting and stopping the Server service. This does not apply to client created shares that end in the $. It only applies for default shares on the server. Please remember this as you are preparing for the exam.

Security Settings on Files and Folders

There is a difference between Permissions and Security Settings on files and folders.

● Permissions – Used to give access to objects such as files, folders, drives, printers, etc.
● Security – This is used to modify access to a file or folder. It has also been referred to as Locking Down files or folders.

This is shown in Figure 3-1 by right clicking on the folder or file.

Figure 3-1: Assigning Access to Network Folders.

Table 3-1: Permissions

Permission: Description

Traverse Folder/Execute File: For folders: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. (Applies to folders only.) Traverse folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.) For files: Execute File allows or denies running program files. (Applies to files only.) Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.

List Folder/Read Data: List Folder allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed. (Applies to folders only.) Read Data allows or denies viewing data in files. (Applies to files only.)

Read Attributes: Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.

Read Extended Attributes: Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.

Create Files/Write Data: Create Files allows or denies creating files within the folder. (Applies to folders only.) Write Data allows or denies making changes to the file and overwriting existing content. (Applies to files only.)

Create Folders/Append Data: Create Folders allows or denies creating folders within the folder. (Applies to folders only.) Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data. (Applies to files only.)

Write Attributes: Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.

Write Extended Attributes: Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program. The Write Extended Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.

Delete Subfolders and Files: Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. (Applies to folders.)

Delete: Allows or denies deleting the file or folder. If you do not have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.

Read Permissions: Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.

Change Permissions: Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.

Take Ownership: Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.

Synchronize: Allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs.

As you are assigning permissions to a folder remember:
● If a folder is within a folder and you assign permissions to a parent folder, the child folder will inherit the parent folder's permissions by default. If you choose not to allow the child folder the ability to inherit the parent folder permissions, you can choose This folder only in the Apply onto settings as you are setting up the folder permissions.
● Typically the Allow permission will always be overridden by the Deny permission. This is unless the folder or file inherits conflicting settings from different parents. When this occurs the setting inherited from the parent closest to the object in the subtree will have priority.

To access the shared folder permissions right click on the folder | Select Security | Select the Advanced option. This is shown below in Figure 3.2.

Figure 3-2: The Advanced Option for Folder Security.

Inherited permissions on folders or files can be changed in three ways:
● If you change the parent folder then the child folder will inherit the permissions.
● Override the inherited permissions by choosing either Allow or Deny.
● Clear the button that reads Inherit from parent the permission entries that apply to child objects.

If you are unable to make changes to the boxes because they are shaded, this means that the folder or file already has inherited permissions from the parent folder.

In cases where you want to prevent only certain files or subfolders from inheriting permissions you can use the following steps to stop the rights from being applied to the folders or files.
1. Just right-click on the folder or file and click the Properties button | Click Security then choose the Advanced option.
2. Take the check mark out of the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here option.

A dialog box like the one shown in Figure 3-3 below will appear and explain to you that once you have selected this option for this particular file or folder, none of the parent permission entries applied will be applied to this file or folder. If you are certain that you want to prevent this folder or file from inheriting permissions from the parent click the Remove option.

Figure 3-3: Removing the Parent Permission Entries from a child object.

After the Remove option has been selected the file or folder will not inherit permissions from the parent folder. The following screen will appear as shown in Figure 3-4.

Figure 3-4: Permissions that have been removed from a file or folder.

After this screen has appeared and you select the Apply button another dialog box will appear that

Figure 3-5: The Final dialog box for removing the Permissions from a file or folder.

Click Yes to remove the permissions from the folder or file. In this example, we removed all permissions from the folder named TestFolder so that the owner is the only user who can access the folder.

To reapply the permissions that had previously been removed from the file or folder just Right-click the file or folder then click the Advanced option. In the Permissions tab click the mouse in the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here option. Then choose Apply. The permissions from the parent folder will reappear in the dialog box. After selecting Apply click the OK button.

Security descriptors are used by Active Directory to store access control permissions. These security descriptors are made up of two access control lists: the System access control list (SACL), which is used to identify the groups and users that can be audited for object access, and the Discretionary access control list (DACL), which is used to identify users and groups that try to access an object and are denied access. Open the Active Directory Users and Computers console and click on the View menu then select the Advanced Features option then the Security tab to view this information.

Shared Folders

Setting share permissions on folders is done differently than Share permissions are different than permissions set on a file or folder. Share Permissions do not apply to terminal service clients or users who log on locally. The NTFS file system or access control should be used to set share permissions instead.

If you have forgotten which folders are being shared on a server or computer you can easily view the folders by using the Shared Folders console. This does not show you all folders on the computer but it will help you out if you need information on Shared Folders. To access this console click on Start then Run, type MMC and select File then Add/Remove Snap-in and select the Shared Folders console from the list, then click Add and Close.

A screen like the one shown in Figure 3-8 below will appear allowing you to select a Computer you wish to view shared folders.

Figure 3-6: Viewing the Shared Folder Management Console.

Once the computer has been chosen just click the Finish option and Close then select OK. The console will open and show the shared folder information as in Figure 3-9.

Figure 3-7: Viewing Shared Folders using the Shared Folders console.

Notice the Shared Folders with the Blue Arm underneath the Folder name. This lets me know that this folder is on my local computer and is being shared. To view the settings and permissions on the folders just drill out to the folder using Windows Explorer and Right-click each folder then select Properties. Some folders are shared by default and it is not advisable to change the share permissions on folders without really knowing what the change will cause to the system.

Auditing Folders and Files

Files and Folders may be audited by Network Administrators to enhance and secure network information. This is a great option to implement when you need to make certain documents and folders, such as Human Resource information stored in a folder on the network, remain secure. Group Policy can be used to audit files and folders. For more information on this please see the Microsoft Website at http://www.microsoft.com. Auditing can also be used on files and folders by manually Right-Clicking the file or folder and selecting Advanced from the menu. The Auditing tab is shown in Figure 3-6 below.

Figure 3-8: Auditing Files and Folders

Before you turn auditing on for a Domain or Organizational Unit you need to make sure you have your Security Log settings in the Event Viewer set properly. Security Logs fill up amazingly fast even on a small network so make sure you have them set to grow to a proper size. To access the Security Logs click on Start, select Administrative Tools and choose Event Viewer. Select the Security Log from the list. Figure 3-7 shows the Security Log.

Figure 3-9: The Default Security Log settings in Windows 2003 Server.

The default options on the Security Log are:
● Display Name – Security is the Display Name and you do have the option to change this if you wish.
● Log Name – This is the default name and location that the log is saved to on the server. The path is %systemroot%\config\SecEvent.evt.
● Log Size - By default the log size is set to 16,384 KB.
ο The size can be increased if the server is particularly busy. If this is an email or database server your security log will fill up quickly. If you are auditing files that are accessed often and the server is a Domain Controller your security log will also fill up rather quickly.
ο The log file can also be set to overwrite itself when it reaches its maximum size.
ο Events can also be overwritten if they are older than a certain number of days.
ο Events can also be set not to clear by being overwritten or if they are a certain age. The log would have to be cleared manually by the Administrator. Be cautious when using this setting if Auditing is enabled.
● Using a low-speed connection – This setting is helpful if you need to view the security logs over a low speed connection such as dial-up.

To change the default properties of the Security Log just choose the option you wish to change then enter the new settings. Click the Apply button once the entries have been entered.

Take special consideration when dealing with the Security Log. As a word of precaution, always archive copies of Security Logs for future use. Personally, I save my events around the same time of day with the date and the word security in a single location. As time progresses I will purge old events after I have made certain that my backups have retained them and also if I see nothing odd within the events.

Implementing an Audit Policy

Once changes have been made to the Event Viewer Security Log you can choose what functions you wish to audit. Deciding on what to Audit can be a difficult task for Administrators. Some questions you may wish to ask yourself are: What information am I trying to obtain? Are you trying to audit for forensics, detecting unauthorized access to files and folders? Auditing for typical day-to-day events? Knowing the answers to these questions will help you decide on the auditing of success and failure events. It should also help you to not over audit events on the system. Table 3.1 shows some events that may be audited as well as the console that is used to audit the event.

Event: System Event
Description: This is used to audit any Successful or Failed entries in the Event Viewer Security log or the security of the system.
Default Setting: Enabled on Domain Controller only.
Configuration container: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Event: Logon Events
Description: If enabled will audit each attempt that a user makes to log onto or off of a computer. The account must be a domain user account.
Default Setting: Success only events are audited by default.
Configuration container: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Event: Object Access
Description: If this is enabled, a file, folder, registry, printer, etc. will be audited. Only objects that have their own System Access Control List are audited.
Default Setting: Auditing is turned off by default.
Configuration container: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Event: Privilege Use
Description: This audit property will audit any instance of a user exercising any user right. Not all rights are audited because if they were the computer's performance could be degraded. The following rights are not audited by default even with this turned on: Bypass traverse checking, Debug programs, Create token objects, Generate security audits, Back-up and Restore files and directories. To enable the auditing of all rights navigate to the Registry using regedt32 and enable the key FullPrivilegeAuditing.
Default Setting: No auditing is enabled by default.
Configuration container: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Event: Policy Change
Description: This will audit any changes to user rights assignment policies, audit policies or trust policies.
Default Setting: Success events on Domain Controllers and auditing are not turned on for Member Servers.
Configuration container: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Table 3-2: Audit Events available for tracking on Windows 2003 Servers.

When viewing the Security Log in the Event Viewer note that if you see a Policy Change Event category, the Local Security Authority (LSA) policy has been changed by someone.

Security Auditing

Security Auditing is turned off by default. To configure security auditing you need to open the policy. Open the Policy by selecting the Domain or Organizational Unit you wish to enable security events on and opening the policy. After the Domain or OU has been selected drill to the following policy: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and choose enabled. The computer will have to be rebooted for the changes to take effect.

Security Configuration and Analysis

This tool is used to configure security settings on local files, folders, services on the local system and registry settings that are local to the computer. It does not require Administrative Privileges. Only use this tool for local computer security settings. Do not use the Security Configuration and Analysis mmc to configure security for a domain or organizational unit. If you do then each client would have to be configured one by one. Use Security Templates and then apply to the Domain or Organizational Unit. Remember that Group Policy settings will always override settings made from this tool to the local computer.

To access this tool just click on Start, select Run, then enter MMC. Click on File then Add/Remove Snap-In. Next select Add and choose the Security Configuration and Analysis console from the list and click on the Add button then select Close and OK.

Editing the Security Settings on Group Policy Objects

Depending on whether you are at a local computer, at a workstation or server joined to the domain, at a workstation or domain controller that has the Windows Server 2003 Administration Tools Pack installed, or sitting at the domain controller for the domain, you have various ways to edit group policy object security settings. Table 3-2 below shows the settings to use based on where you are located.

Setting: Local computer
Procedure: Open your Local Security Settings by clicking on Start then Run, type MMC, File then Add/Remove Snap-in. Add the Local Security Policy. To change the security settings click on Local Policies. Then double-click the policy you wish to change. When finished click OK.

Setting: Workstation or Domain controller using Administration Tools Pack
Procedure: Open Active Directory Users and Computers. In the console select the Group Policy object you wish to edit and Right-click on the object. Choose Properties and click the Group Policy tab. You can either create a new Group Policy Object by clicking on New and Edit or you can edit an existing object by clicking on Edit. Computer configuration\Windows Settings\Security Settings console. To edit the Audit Policy, User Rights or Security settings.

Setting: Workstation or Server joined to the domain
Procedure: Click Start and Run then type MMC, Add/Remove Snap-in and select Add then choose Group Policy Object Editor. Select Browse to obtain the object you wish to edit. Click Finish, Close and OK. Select the GroupPolicy Object\Computer configuration\Windows Settings\Security Settings console. Select Account Policies. To edit the Audit Policy, User Rights or Security settings, Select Local Policies.

Setting: Domain Controller for the Domain
Procedure: Click on Start then Administrative Tools then select the Domain Controller Security Policy. Click the Security Settings option from the Computer configuration\Windows Settings\Security Settings console. Select Local Policies to edit the Audit Policy, User Rights or Security settings.

Table 3-3: Computer Settings

If you choose to audit numerous objects, events or accesses make certain the Security log settings will meet the needs of the Audit Policy. Here are a few best practices to use when implementing changes via Security templates.
● Use extreme caution when changing any settings for a domain or OU that is in a live environment. Always test the changes first on a test lab at minimum.
● Do not edit the default security template named security.inf. It has a built-in option to reapply default security settings in the event that security gets messed up on the Domain, OU, or local computer.
● Never use Group Policy to apply the Setup Security.inf template, which is a local computer template. This template is typically applied using either the Security Configuration and Analysis console or the command prompt file secedit.exe.
● Do not change the default template of the console; instead make changes and save the template under a different name such as the date and template name. This way if you mess up the settings the default template will be available with pristine settings.

If the Security Settings are enabled and are not properly implemented the System will shut down if it cannot log security events. This usually will occur if the Security event log becomes full with events and either the Overwrite Events by days or the Do not Overwrite Events are enabled. A STOP error will generate that states the following:

STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed.

The Administrator will have to logon to the Server and clear the Security logs. Until the log settings have been changed to appropriate settings only members of the Administrators Group will be able to access the server. The Server will also have to be rebooted after the changes have been made.
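How the Security log retention settings interact with the shutdown on audit failure can be seen in a small simulation. This is an added example, not from the book: the 512-byte average event size and the event rates are assumptions, and the model counts events rather than bytes.

```python
"""Model of Security log retention and the audit-failure halt (constructed example)."""
from collections import deque
from dataclasses import dataclass, field

# The three retention choices offered for the log when it reaches maximum size.
OVERWRITE_AS_NEEDED = "overwrite as needed"
OVERWRITE_OLDER_THAN = "overwrite events older than N days"
DO_NOT_OVERWRITE = "do not overwrite"


def capacity_for(max_kb, avg_event_bytes=512):
    """Events that fit in a log of max_kb; the average event size is an assumption."""
    return (max_kb * 1024) // avg_event_bytes


@dataclass
class SecurityLog:
    capacity: int                        # maximum number of events held
    retention: str                       # one of the three constants above
    retention_days: int = 7              # only used by OVERWRITE_OLDER_THAN
    halt_on_audit_failure: bool = False  # shut down if an audit cannot be logged
    events: deque = field(default_factory=deque)  # day written, oldest first
    halted: bool = False

    def __post_init__(self):
        if self.capacity < 1:
            raise ValueError("capacity must be at least 1 event")

    def _make_room(self, today):
        """Try to free one slot in a full log; return True if a slot was freed."""
        if self.retention == OVERWRITE_AS_NEEDED:
            self.events.popleft()
            return True
        if self.retention == OVERWRITE_OLDER_THAN:
            if today - self.events[0] > self.retention_days:
                self.events.popleft()
                return True
        return False  # DO_NOT_OVERWRITE, or the oldest event is still too young

    def write(self, today):
        """Record one audit event and report what happened to it."""
        if self.halted:
            return "halted"
        if len(self.events) >= self.capacity and not self._make_room(today):
            if self.halt_on_audit_failure:
                self.halted = True
                return "STOP C0000244"  # the {Audit Failed} stop described above
            return "lost"               # event silently not recorded
        self.events.append(today)
        return "logged"


def first_failure(log, events_per_day, days):
    """Return (day, status) of the first event that was not logged, or (None, 'ok')."""
    for day in range(days):
        for _ in range(events_per_day):
            status = log.write(day)
            if status != "logged":
                return day, status
    return None, "ok"


if __name__ == "__main__":
    cap = capacity_for(16384)  # the default log size given in the text
    scenarios = [
        ("busy server, overwrite as needed", OVERWRITE_AS_NEEDED, 5000, False),
        ("busy server, overwrite older than 7 days", OVERWRITE_OLDER_THAN, 5000, False),
        ("busy server, do not overwrite, halt on failure", DO_NOT_OVERWRITE, 5000, True),
        ("quiet server, overwrite older than 7 days", OVERWRITE_OLDER_THAN, 2000, False),
    ]
    for label, retention, rate, halt in scenarios:
        log = SecurityLog(cap, retention, halt_on_audit_failure=halt)
        print(label, "->", first_failure(log, rate, 60))
```

The first scenario never loses an event but silently discards history, which is why the archive routine described earlier matters; the age-based and do-not-overwrite settings are the ones that can fill the log and trigger the stop.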

3.2 Troubleshoot Terminal Services

Terminal Services allow Administrators the ability to gain remote access to a Windows Client computer. Clients can run programs, save files, and use network resources as if they were sitting at that machine. Terminal Server Services can also be used by Network Administrators to run applications from a single server. Multiple client machines can access the application on the Terminal Server instead of having the application loaded individually on each machine. Administrators will typically have the need to troubleshoot issues pertaining to Terminal Server such as client connectivity and error messages.

3.2.1 Diagnose/Resolve issues on Terminal Services Security

Administrators have various settings that may be applied to enhance security while using Terminal Server in the Application mode on Windows 2003 Servers. Which security mode is selected will have a large impact on the security of the Windows 2003 Server. Terminal Server has two separate security modes when it has been installed in the Application mode (not Remote Administration mode):
● Full Security – This mode will provide the most security in the Windows 2003 Server environment. The Full security mode does not apply a security descriptor to the user group.
● Relaxed Security – This mode is commonly used to allow legacy applications (pre-Windows 2000) to run. It allows the system registry to be edited. A security descriptor is written to the user group in the Relaxed mode to allow legacy applications the ability to run properly.

If the relaxed mode was chosen and it has been decided to change to the Full Security mode, this can be done by opening the Terminal Services Configuration console. Use the Run As command or make sure you are a member of the Domain Administrators (for computers joined to a domain) or Administrators group (for local computers). To open the console click on Start then select Administrative Tools and choose the Terminal Services Configuration option from the menu. Choose the Server Settings option and then on the left select the Permissions Compatibility option. Choose Full Security and click OK.

If you attempt to upgrade a Windows NT 4.0 Terminal Server Edition computer to Windows Server 2003 you could receive an error stating that:

You need Whistler Advanced Server or higher for Terminal Server. Microsoft Windows XP Setup has detected that the computer you are upgrading is running Terminal Server (formerly "Terminal Services in Application Server mode"). Terminal Server is not supported on Windows XP Server. To upgrade this computer and continue to run Terminal Server, you must cancel this upgrade and install Windows XP Advanced Server. Terminal Server is also included as part of Windows XP Datacenter Server.

This error means that you need to use Microsoft Windows Server 2003 Advanced Server.

Administrators also have the ability to set time-out settings for clients who are active, idle or disconnected. Open the Terminal Services Configuration Console by clicking on Start, selecting Administrative Tools then choosing the Terminal Services Configuration option. Right-click the connection that needs modifying and choose Properties.
● Select the Sessions tab and choose the Override user settings box. Enter the maximum amount of time that a client disconnected session can remain on the server in the End a disconnected session option. Once this time has been reached the session will end. The session will permanently be removed from the server unless you select the Never option which allows the session to remain on the server for an indefinite amount of time.
● The Active Session Limit option can be used to enter the maximum amount of time a session can be active on the Terminal Server. The user will be disconnected once the time limit has been reached or the session will end and the session is permanently removed from the Terminal server.
● The Idle session limit is used to set a maximum amount of time a session can remain without client activity. Once the session ends it is deleted from the server and the Never option may be used to allow an idle session to remain on the server forever.

3.2.2 Diagnose/Resolve issues on Terminal Services Client Access

Before the Terminal Server computer can give clients licenses it must be activated. The activation process is used to validate the server ownership and identity and is provided by Microsoft. The license can be activated by a Telephone, Web Browser or Automatic Activation. Review the process below for the procedures to use for Terminal Server Activation:
● Telephone Activation – Click Start, select Administrative Tools, choose Terminal Server Licensing. Open All Servers and choose the server that needs activation and Right-click on the server. Select the Activate Server option then click Next on the Activation Wizard. Choose the Telephone option for the Activation method and then choose Next. Select your Country or Region then choose Next. The telephone number will appear for you to call. Have the Product ID for the product available, name, organization name and the licensing you need to activate. A unique ID will then be created and given to you to enter by the Microsoft support representative. Enter the ID and then select Next. You will now have the option to install the client license key packs on the server by choosing the Next button or you may uncheck the Start Terminal Server Client Licensing Wizard Now and choose the Finish button to complete this step at a later time.
● Web Browser - Click Start, select Administrative Tools, choose Terminal Server Licensing. Open All Servers and choose the server that needs activation and Right-click on the server. Select the Activate Server option then click Next on the Activation Wizard. Choose the Web Browser activation method and choose Next. Click on the hyperlink given to activate the license and choose the Select Option and select Activate a License Server then click on Next. Enter your Product ID, Name, Organization Name, Country or Region then choose the Next button. The License server ID will then be given to you and you can go to the License Activation Page and enter the License ID and select the Next button. You will now have the option to install the client license key packs on the server by choosing the Next button or you may uncheck the Start Terminal Server Client Licensing Wizard Now and choose the Finish button to complete this step at a later time.
● Automatically - Click Start, select Administrative Tools, choose Terminal Server Licensing. Open All Servers and choose the server that needs activation and Right-click on the server. Select the Activate Server option then click Next on the Activation Wizard. Choose the Automatic connection (recommended) and then select Next. Enter your name, organization, country or region and click on Next. The option is also available for you to enter the e-mail address of the company or yourself and company address. Select Next after this optional information has been entered. The license will then be activated. You will now have the option to install the client license key packs on the server by choosing the Next button or you may uncheck the Start Terminal Server Client Licensing Wizard Now and choose the Finish button to complete this step at a later time.

3.3.1 Verify effective permissions when granting permissions

Deny permissions should be used for certain special cases
Use Deny permissions to exclude a subset of a group that has Allowed permissions. Use Deny to exclude one special permission when you have already granted full control to a user or group.

Never deny the Everyone group access to an object
If you deny everyone permission to an object, that includes administrators. A better solution would be to remove the Everyone group, as long as you give other users, groups, or computers permissions to that object.

Assign permissions to an object as high on the tree as possible and then apply inheritance to propagate the security settings through the tree
You can quickly and effectively apply access control settings to all children or a subtree of a parent object. By doing this, you gain the greatest breadth of effect with the least effort. The permission settings you establish should be adequate for the majority of users, groups, and computers.

Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry
Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.

Privileges can sometimes override permissions
Privileges and permissions may disagree, and you should know what happens if they do.

If possible, avoid changing the default permission entries on file system objects, particularly on system folders and root folders
Changing default permissions can cause unexpected access problems or reduce security.

Use security templates
Rather than set individual permissions, use security templates whenever possible. Security Templates.

Active Directory has its own set of best practices regarding permissions.
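The precedence rules in this chapter (Deny before Allow, explicit before inherited, nearest parent first) can be checked against a small model of how access control entries are ordered and evaluated. This is an added example, not from the book: the rights bits, account names and ACLs are constructed, and the model ignores ownership and privileges, which the text notes can override permissions.

```python
"""Simplified model of ACE ordering behind effective permissions (constructed example)."""
from dataclasses import dataclass

# Constructed one-bit rights; real NTFS access masks carry many more bits.
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE
NAMES = {READ: "Read", WRITE: "Write", DELETE: "Delete"}


@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # user or group the entry applies to
    mask: int       # rights covered by the entry
    depth: int = 0  # 0 = explicit on the object, 1 = parent, 2 = grandparent


def canonical_order(aces):
    """Explicit entries first, then nearest parent; Deny before Allow at each level."""
    return sorted(aces, key=lambda a: (a.depth, a.kind != "deny"))


def access_check(aces, token, desired):
    """Walk the ordered entries; return (granted, deciding entry or None)."""
    remaining = desired
    for ace in canonical_order(aces):
        if ace.trustee not in token:
            continue                      # entry is for someone else
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False, ace         # a still-needed right is denied
        else:
            remaining &= ~ace.mask        # these rights are now granted
            if not remaining:
                return True, ace
    return False, None                    # nothing granted it: implicit deny


def effective_rights(aces, token):
    """Names of the individual rights the token would actually get."""
    return sorted(NAMES[bit] for bit in NAMES if access_check(aces, token, bit)[0])


# Constructed tokens: the account plus the groups it belongs to.
ALICE = {"alice", "Staff", "Everyone"}
BOB = {"bob", "Staff", "Everyone"}
ADMIN = {"admin", "Administrators", "Everyone"}

# Parent folder denies Write to Staff; the file itself explicitly allows alice to write.
REPORT_ACL = [
    Ace("deny", "Staff", WRITE, depth=1),
    Ace("allow", "Staff", READ | WRITE, depth=1),
    Ace("allow", "alice", WRITE, depth=0),
]

# Conflicting inherited settings: the parent closest to the object has priority.
NEAREST_PARENT_ACL = [
    Ace("deny", "Staff", WRITE, depth=2),
    Ace("allow", "Staff", WRITE, depth=1),
]

# Denying Everyone also locks out administrators.
LOCKED_ACL = [
    Ace("allow", "Administrators", FULL, depth=0),
    Ace("deny", "Everyone", FULL, depth=0),
]

if __name__ == "__main__":
    print("alice on report:", effective_rights(REPORT_ACL, ALICE))
    print("bob on report:  ", effective_rights(REPORT_ACL, BOB))
    print("bob, nearest parent allows Write:", access_check(NEAREST_PARENT_ACL, BOB, WRITE)[0])
    print("admin on locked object:", effective_rights(LOCKED_ACL, ADMIN))
```

Checking each right separately, as effective_rights does, is what shows that bob keeps Read while losing Write, and that alice's explicit Allow is reached before the inherited Deny is ever considered.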

3.3.2 Change ownership of files and folders

On Windows 2003 Servers Administrators need to know how to take ownership of files and folders in order to repair or change them. All Active Directory objects, Files and Folders have an owner. Owners control access permissions on the object. Ownership can be transferred by current owners to other users. The Windows 2003 Server Administrators have the built-in ability to take ownership of a file from the Take Ownership of files or other objects right.

To take ownership of a file you can click on Start, select All Programs, choose Accessories then select Windows Explorer. Find the file or folder you wish to take ownership of and Right-click on the file, choose Properties then select the Security tab. Select the Advanced tab then choose the Ownership tab as shown on Figure 3-10.

Figure 3-10: Taking Ownership of a file using the Ownership tab in the Advanced properties of the object.

The screen will show the current owner of the file or folder. To change the owner to a user or group that is listed, click the new owner. To give ownership to a user or group just click on the Other Users or Groups button and type the user or group name in the Enter the object name to select (examples). All subfolders (if applicable) and objects in the tree can have their ownership changed by selecting the Replace owner on subcontainers and objects check box.

Ownership can also be transferred by clients with the Restore files and directories right, who can select Other users and groups by double-clicking and then selecting a user or group to assign ownership. Or the Take ownership permission can be applied to clients.

3.4 Troubleshoot access to files and shared folders

Troubleshooting access to files and folders that are shared on Windows 2003 Servers can sometimes be daunting. Table 3-3 shows some common problems, causes and solutions that users could experience when accessing shared resources on a Windows 2003 Server.

Problem: Shared Folders that are shared cannot be accessed by any client.
Cause: Shared folder permissions are set incorrectly.
Solution: Check the permissions to the folder for accuracy.

Problem: Shared Files that are shared cannot be accessed by any client.
Cause: Shared folder permissions are set incorrectly.
Solution: Check the permissions to the file for accuracy.

Problem: Folders that are shared cannot be accessed by any client machines.
Cause: Possible network connection has been lost.
Solution: Check and verify network connectivity on server and client.

Usually you want to also make certain the Everyone Group has not been denied access to files or folders. The net share command or the net file (for machines running the server service only) command (which shows all open files on a machine) or the net session command may also be used at the command prompt to view information on shares or files. To view syntax for these commands open the command prompt and type (you must be a member of the local Administrators group for local computers or the Domain Administrators group for computers joined to the domain before these commands may be used):
● net share – net help share this command will show the net share command syntax that can be used to troubleshoot shares.
● net file – net help file this command will show the net file command syntax that can be used to troubleshoot files as shown in Figure 3-11.
● net session – net help session this will show the net session command syntax that can be used to show all open sessions on a computer as shown in Figure 3-12.

Figure 3-11: The net file command syntax.

The net session command shown in Figure 3-12 can be used to view open sessions on a computer.

Figure 3-12: The net session command syntax.

Using any or all of the methods above can typically assist you with troubleshooting client access to files and shared folders.

click Run. C. D. What steps do you need to take? A. 2. and then click Assign.moc. B.224 Access to Resources Chapter 3: Review Questions 1. Which of the following are ways that a shared folder can be accessed in Windows 2003? A. and then click Distribute. Click Start. click Run. right-click the Client (respond only) policy. right-click the Server (respond only) policy. and then click OK. and then click OK. By a mapped network drive D. Expand Security Settings in the left pane. type gpedit. By its IP address B.msc. By its Universal Naming Convention (UNC) C. Through My Network Places . type gpmod. You want to ensure that your clients respond to your Terminal Server's requests for security. Click Start. Expand Security Settings in the left pane.

3. Users are able to do more in the Backup folder when they log onto the Windows 2003 member server you have made available to users. What might be the problem?
A. Inherited permissions that are incorrect for the shared resource
B. The member server doesn't have an NTFS partition
C. Group memberships that may grant different levels of permissions
D. The users are in the Everyone group

4. Edward has permissions assigned to his account specifically, as well as permissions assigned to groups of which he is a member on the Accounts folder. Some of these permissions are shared permissions and some are NTFS permissions. What permissions will apply to Edward when he connects to the Accounts folder?
A. His user permissions
B. His user permissions, group permissions in which he is a member, NTFS permissions, and shared folder permissions
C. His user permissions and group permissions in which he is a member
D. His user permissions, group permissions in which he is a member, and NTFS permissions

Secure*. Which of the following security templates is the most secure? A. hisec*.inf B.226 Access to Resources 5. DC security.inf C.inf E.inf B. DC security. Secure*. Compatws. hisec*.inf C.inf 6. Setup security.inf . Which of the following security templates are default security templates? A.inf D. Compatws.inf D.

7. Which of the following might be the cause of network connectivity issues?
A. Insufficient rights (i.e. the proxy server only allows access to certain persons or sites)
B. Bad IP information (incorrect IP, subnet mask, default gateway)
C. Physical connectivity is down (the server may be down or the cable could have failed)
D. No Answer is Correct

8. Which of the following audit events should you enable to monitor misuse of privileges?
A. Success and Failure audit for file-access and object-access events
B. Failure audit for logon/logoff
C. Success audit for logon/logoff
D. Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events

security change policies. Success audit for user rights. Failure audit for logon/logoff C. and system events . security change policies. restart. restart. user and group management. Success and Failure audit for file-access and object-access events D. Success audit for logon/logoff D. user and group management. Success audit for logon/logoff B. Success audit for user rights. shutdown. shutdown. and system events 10.228 Access to Resources 9. Which of the following audit events should you enable to monitor misuse of privileges? A. Failure audit for logon/logoff C. Which of the following audit events should you enable to monitor access to sensitive files? A. Success and Failure audit for file-access and object-access events B.

11. Which of the following directories contains the Remote Desktop Client program?
A. %windir%\system32\clients\sclient\drivers
B. %windir%\system32\clients\tsclient
C. %windir%\system32\clients
D. %windir%\system32\tsclient\win32
E. %windir%\system32\clients\tsclient\win32

12. Which of the following operating systems can have the Remote Desktop Client program installed on them by using the installation program in the %windir%\system32\clients\tsclient\win32 directory?
A. Windows XP
B. Windows 95 and 98
C. Windows XP Home and Professional
D. Windows NT 4.0, Windows 2000, Windows XP and Server 2003
E. All Answers are Correct

13. Which of the following HTTP error messages would indicate that the file for which you are looking isn't found?
A. 400
B. 401
C. 402
D. 404
E. 405

14. Which of the following is the default user account that IIS uses when you specify anonymous access?
A. IUSR_SERVERNAME
B. USER_SERVERNAME
C. IUSR_SERVERNAME
D. R_SERVERNAME
E. USR_SERVERNAME

and then click OK. On the Edit menu. E. Locate. In the Value data box. In the Value data box. type 2. type 1. B. click Modify. In the Value data box. How can this be accomplished using the registry? A. type 0. Type exit to quit Command Prompt. type regedit. and then click OK. and then click OK. Click Start.Windows Server 2003 231 15. Locate. . Locate. C. and then click OK. D. On the Edit menu. click Modify. and then click Run. In the Open box. type cmd. and then click OK. and then click Run. You want to remove the administrative shares on your Windows 2003 server. click Start. and then click the following registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanSer ver\Parameters\AutoShareServer. On the Edit menu. click Modify. and then click the following registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanSer ver\Parameters\AutoShareServer. Type the following: net stop server (Press Enter) net start server (Press Enter). and then click the following registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanSer ver\Parameters\AutoShareServer. In the Open box.

*C. Expand Security Settings in the left pane. and then click OK. . By its IP address *B. right-click the Client (respond only) policy. and then click OK. Through My Network Places Explanation: In Windows 2003. a shared folder can be accessed in My Network Places. right-click the Server (respond only) policy. and then click Assign. By its Universal Naming Convention (UNC) *C.232 Access to Resources Chapter 3: Review Answers 1. by its Universal Naming Convention (UNC). By a mapped network drive *D. and then click Assign. click Run. Expand Security Settings in the left pane.msc. click Run. and then click Distribute. You want to ensure that your clients respond to your Terminal Server's requests for security. click Run. Which of the following are ways that a shared folder can be accessed in Windows 2003? A. Expand Security Settings in the left pane. B. type gpedit. click Start. and then click OK. D. Explanation: To ensure that your clients respond to your Terminal Server's requests for security. right-click the Client (respond only) policy. type gpedit. What steps do you need to take? *A. Click Start. Click Start. 2. or by a mapped network drive.msc. type gpmod.moc.

3. Users are able to do more in the Backup folder when they log onto the Windows 2003 member server you have made available to users. What might be the problem?
*A. Inherited permissions that are incorrect for the shared resource
B. The member server doesn't have an NTFS partition
*C. Group memberships that may grant different levels of permissions
D. The users are in the Everyone group
Explanation: By default, permissions are inherited from the folder that contains the object. If users have permissions that they shouldn't have when they log on locally, look for both inherited permissions that are incorrect for the shared resource and for group memberships that may grant different levels of permissions.

4. Edward has permissions assigned to his account specifically, as well as permissions assigned to groups of which he is a member on the Accounts folder. Some of these permissions are shared permissions and some are NTFS permissions. What permissions will apply to Edward when he connects to the Accounts folder?
A. His user permissions
*B. His user permissions, group permissions in which he is a member, NTFS permissions, and shared folder permissions
C. His user permissions and group permissions in which he is a member
D. His user permissions, group permissions in which he is a member, and NTFS permissions
Explanation: When you access data over the network, both share permissions and file and folder permissions apply. Share access permissions are combined with any permissions that are assigned directly to the user and those that are assigned to any groups of which the user is a member.

It reflects default security settings on files.inf *D. and audit settings.inf) are supersets of the Secure templates and they impose further restrictions on the levels of encryption and signing that are required for authentication and for the data that flows over secure channels and between server message block (SMB) clients and servers.inf template changes the default file and registry permissions that are granted to the Users group. The Compatws. hisec*. The Secure templates (Secure*.inf defines the permissions for the root of the system drive. DC security. . The Secure templates (Secure*.inf) define stronger password. registry keys.inf Explanation: The Setup security.inf template is created during installation of the operating system for each computer and represents default security settings that are applied during installation.inf) define stronger password. and system services.inf template is created when a server is promoted to a domain controller.inf) are supersets of the Secure templates and they impose further restrictions on the levels of encryption and signing that are required for authentication and for the data that flows over secure channels and between server message block (SMB) clients and servers. Rootsec. including the file permissions for the root of the system drive. Compatws. Rootsec. hisec*. Secure*.inf template is created when a server is promoted to a domain controller.inf E. The Highly Secure templates (hisec*. Compatws.inf C. lockout. The DC security.inf template is created during installation of the operating system for each computer and represents default security settings that are applied during installation. registry keys.inf B. Which of the following security templates is the most secure? A. including the file permissions for the root of the system drive. lockout.inf template changes the default file and registry permissions that are granted to the Users group. The Highly Secure templates (hisec*. Setup security. and audit settings. 
The DC security. The Compatws. Which of the following security templates are default security templates? *A.234 Access to Resources 5.inf D. 6. Secure*.inf C.inf *B. It reflects default security settings on files.inf Explanation: The Setup security.inf defines the permissions for the root of the system drive. DC security. and system services.

7. Which of the following might be the cause of network connectivity issues?
*A. Insufficient rights (i.e. the proxy server only allows access to certain persons or sites)
*B. Bad IP information (incorrect IP, subnet mask, default gateway)
*C. Physical connectivity is down (the server may be down or the cable could have failed)
D. No Answer is Correct
Explanation: If the IP information is wrong or dated (incorrect IP, subnet mask, default gateway), it could stop a client from getting to the Internet. DNS issues (a bad DNS server address, whether it is manually entered or cached) could also be the problem. If the issue is physical in nature, which is possible, test the connectivity with ping, tracert, and pathping. Insufficient rights or restrictions could be the problem, if the client is trying to access the Internet in an improper way.

8. Which of the following audit events should you enable to monitor misuse of privileges?
A. Success and Failure audit for file-access and object-access events
B. Failure audit for logon/logoff
C. Success audit for logon/logoff
*D. Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events
Explanation: Use the 'Failure audit for logon/logoff' audit event when you want to monitor random password hacking or brute force attacks. Use the 'Success audit for logon/logoff' audit event when you want to monitor for stolen or unsecured passwords. Use the 'Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events' audit event when you want to monitor misuse of privileges. Use the 'Success and Failure audit for file-access and object-access events' audit event when you want to monitor access to sensitive files.

shutdown. Success audit for user rights. shutdown. user and group management. security change policies. user and group management. Which of the following audit events should you enable to monitor access to sensitive files? A. Use the 'Success audit for logon/logoff' audit event when you want to monitor for stolen or unsecured passwords. Which of the following audit events should you enable to monitor misuse of privileges? A. Success and Failure audit for file-access and object-access events D. restart. user and group management. shutdown. . Success audit for user rights. restart. Success and Failure audit for file-access and object-access events B. Use the 'Success and Failure audit for file-access and object-access events' audit event when you want to monitor access to sensitive files. Success audit for logon/logoff *D. Use the 'Success audit for logon/logoff' audit event when you want to monitor for stolen or unsecured passwords. restart. Use the 'Success audit for user rights. Failure audit for logon/logoff *C. Failure audit for logon/logoff C. user and group management. restart. security change policies. shutdown. and system events' audit event when you want to monitor misuse of privileges. Use the 'Success and Failure audit for file-access and object-access events' audit event when you want to monitor access to sensitive files. 10. and system events Explanation: Use the 'Failure audit for logon/logoff' audit event when you want to monitor random password hacking or brute force attacks. Success audit for logon/logoff B. Use the 'Success audit for user rights. security change policies. and system events Explanation: Use the 'Failure audit for logon/logoff' audit event when you want to monitor random password hacking or brute force attacks. and system events' audit event when you want to monitor misuse of privileges.236 Access to Resources 9. security change policies.

11. Which of the following directories contains the Remote Desktop Client program?
A. %windir%\system32\clients\sclient\drivers
B. %windir%\system32\clients\tsclient
C. %windir%\system32\clients
D. %windir%\system32\tsclient\win32
*E. %windir%\system32\clients\tsclient\win32
Explanation: The %windir%\system32\clients\tsclient\win32 directory contains the Remote Desktop Client program. This program can be used to install Remote Desktop client on Windows 9x, Me, NT 4.0, 2000, as well as XP and 2003.

12. Which of the following operating systems can have the Remote Desktop Client program installed on them by using the installation program in the %windir%\system32\clients\tsclient\win32 directory?
A. Windows XP
B. Windows 95 and 98
C. Windows XP Home and Professional
D. Windows NT 4.0, Windows 2000, Windows XP and Server 2003
*E. All Answers are Correct
Explanation: The %windir%\system32\clients\tsclient\win32 directory contains the Remote Desktop Client program. This can install Remote Desktop client on Windows 9x, Me, NT 4.0, 2000, as well as XP and 2003.

13. Which of the following HTTP error messages would indicate that the file for which you are looking isn't found?
A. 400
B. 401
C. 402
*D. 404
E. 405
Explanation: The 404 HTTP error message would indicate that the file for which you are looking isn't found.

14. Which of the following is the default user account that IIS uses when you specify anonymous access?
A. IUSR_SERVERNAME
B. USER_SERVERNAME
*C. IUSR_SERVERNAME
D. R_SERVERNAME
E. USR_SERVERNAME
Explanation: IUSR_SERVERNAME is the default user account that IIS uses when you specify anonymous access.

and then click Run. On the Edit menu. type cmd. and then click Run. You want to remove the administrative shares on your Windows 2003 server. . and then click OK. and then click OK. In the Open box. and then click OK. type regedit. and then click the following registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanSer ver\Parameters\AutoShareServer. click Modify. and then click OK. In the Open box. type 2. In the Value data box. and then click OK. Type exit to quit Command Prompt. type 0. In the Open box. *B. Stop and then start the Server service. and then click the following registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanSer ver\Parameters\AutoShareServer. click Start. Press ENTER after each line: net stop server (Press Enter) net start server (Press Enter). At the command prompt. type cmd. Quit Registry Editor. and then click OK. type 0. click Modify. click Modify. D. and then click the following registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanSe rver\Parameters\AutoShareServer. and then click Run. Type the following: net stop server (Press Enter) net start server (Press Enter). click Modify. On the Edit menu. Locate. Note that this does not apply to the IPC$ share or shares that you create manually. In the Open box. Locate. When this value is set to 0 (zero). E. In the Value data box. and then click the following registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServ er\Parameters\AutoShareServer. type regedit. On the Edit menu. How can this be accomplished using the registry? *A. Type exit to quit Command Prompt. type 1. click Start. Click Start. On the Edit menu. Click Start. type the following lines. *C. Locate. In the Value data box.Windows Server 2003 239 15. Explanation: To remove administrative shares and prevent them from being automatically created in Windows. and then click OK. and then click Run. Locate. and then click OK. 
Windows does not automatically create administrative shares. In the Value data box.

7.2 Monitor print queues 4.3 Manage a server by using available support tools 4.8.1 Monitor disk quotas 4.5 Troubleshoot print queues 4.8 Monitor and optimize a server environment for application performance 4.1 Task Manager 4.1.3.1.7.1 Monitor memory performance objects 4.1.2.1.1.1 Event Viewer 4.3 System Monitor 4. Tools might include: 4.2 Manage a server by using Terminal Services remote administration mode 4.2 Event Viewer 4.2 Manage software update infrastructure 4.2 Monitor print queues 4.7.2 Manage security for IIS .6 Monitor system performance 4.7 Monitor file and print servers.4 Manage servers remotely 4.7.7.1.4.3.7.9 Manage a Web server 4.9.7. 4.7.7.7.1 Tools might include: 4.2 System Monitor 4.3 Monitor server hardware for bottlenecks 4.1Manage Internet Information Services (IIS) 4.1 Monitor disk quotas 4.3.1 Monitor disk quotas 4.4 Monitor disk performance objects 4.4.2.9.8.8.3 Monitor server hardware for bottlenecks 4.3 Monitor process performance objects 4.1 Manage a server by using Remote Assistance 4.3 Manage software site licensing 4.240 The Server Environment Managing and Maintaining a Server Environment The objective of this chapter is to provide the reader with an understanding of the following: 4.2 Monitor network performance objects 4.4.1.3 Monitor server hardware for bottlenecks 4.1 Monitor and analyze events.2.8.1.7.7.2 Monitor print queues 4.


Chapter 4: The Server Environment
Introduction: Getting Ready Questions
1. What are the three basic logs in Event Viewer?
2. What are the three views available to you in System Monitor?
3. What are the four process priority classes?
4. What is SUS?
5. What is Remote Assistance?

Getting Ready Answers
1. The three basic logs in Event Viewer are Application, System and Security. In addition, with Server 2003, you may have logs for DNS Server, Directory Service and File Replication Service.
2. There are three views available to you in System Monitor: Chart, Histogram and Report.
3. The four process priority classes are Idle, Normal, High and Real Time.
4. SUS (Software Update Services) is a server-based distribution system for critical updates, security patches and service packs.
5. Remote Assistance allows the administrator to assist another individual remotely, in real time, when the remote system is running Server 2003, or Windows XP. Remote Assistance requires explicit permission from the individual requesting assistance.

4.1 Monitor and analyze events.

Let’s be honest. When it comes to monitoring servers, you either love it or you view it with all the enthusiasm of a visit to the dentist. If you fall into the second category, as I do, you pray that you work with someone who falls into the first category. They attack it like a dog munching a t-bone. And you don’t have to do it. However, in reality, most of the time there’s only one person to do the job. And it’s you.

Monitoring is not only for maintenance. It is vital for predicting future growth, and for identifying those nagging trouble areas in a network before they become migraine headaches. This section is designed to point out what is new in monitoring and analysis for Server 2003. It will also help those who view monitoring in a less-than-eager light to understand the necessity of monitoring and how to do it in an expedient and efficient manner.

The up-to-date data from a monitoring session will fall under one of three analytical categories, as shown in the table below.

Category: Maintenance; Troubleshooting Network Problems/Server Bottlenecks; Future Planning
Examples: Consolidating servers; Supporting request for new hardware; Lack of memory; Unbalanced workloads; Incorrect configurations; Application monopolizing resources; Monitoring trends; Planning upgrades

Table 4-1: Reasons for Monitoring/Analysis

One thing that is necessary for any successful analysis of monitored servers is a baseline. What is the normal state of the four main subsystems?
● Memory
● Processor
● Disk
● Network

When considering establishing what is baseline performance for a server, you want to take into consideration your users’ habits. If your performance is poor just during peak periods, during certain times of the day, days of the week or periods during the month, you can assume that the poor performance is only temporary. However, if poor performance is occurring during downtime, you may want to do a more thorough analysis of your situation, and what should be done to improve it.

It is helpful to track a baseline. Long term decrease in performance may indicate change in usage patterns that may require additional servers or better load balancing.

Just before we look at the monitoring tools available in Server 2003, let’s just review the two types of monitoring you will be performing – real time and logged monitoring. Real time monitoring establishes the current state of the four main subsystems. It is, in essence, a snapshot of what is happening at that moment in time. Logged monitoring, on the other hand, is used to monitor data stored over an extended period of time on the network. You will want to perform analysis on this data to determine how the server is performing on all four subsystems.

4.1.1 Tools might include:

4.1.1.1 Event Viewer
The Event Viewer console (Figure 4-1) uses event logs to gather hardware and software information, system problems, and security events (auditing).

Figure 4-1: Event Viewer

The Event Log service provides the capabilities for applications and services to log their respective events. Under any configuration of Server 2003, Event Viewer will always record events in three different logs:
● Application Log
● System Log
● Security Log

Let’s discuss these logs in further detail. For each log you can quickly view the events in the console window. There are eight columns showing information about the event. These columns are Type, Date, Time, Source, Category, Event, User, and Computer.

● Application Log contains events logged by programs or applications, such as a file error logged by a database program. The developer of the application determines which events to produce and what degree of verbosity to employ.

Figure 4-2: Application Log

NOTE: Both the Application log and the System log can show three different types of events: Error, Warning, and Information. Each of these event types shows a degree of severity for the event, with Error being the most critical. The Security log produces two events. The first is the Success Audit, which indicates a successful security access. The second is the Failure Audit, which indicates a failed security access.

Double-clicking on any of the events shown in the console window will display a dialog box with further detail on the particular event.

Figure 4-3: Application Log Event

● System Log contains events, predetermined by the server, logged by system components, such as failure of a driver to load.

Figure 4-4: System Log

Figure 4-5: System Log Event

• Security Log records security events as successful or failed, depending on what was requested to be audited, for example, a failed logon attempt. These events are controlled by the auditing functions of the various resources and subsystems. By default, these events are not recorded. Security logs are only viewable by administrators.

Figure 4-6: Security Log

Figure 4-7: Security Log Event

• System Log contains events, predetermined by the server, logged by system components, such as failure of a driver to load.

Figure 4-8: System Log

Figure 4-9: System Log Event

If Server 2003 is configured as a domain controller, there will be two additional logs available:

● Directory Services Log contains events logged by the Active Directory services, such as connection problems between the global catalog and the server.

Figure 4-10: Directory Service Log

Figure 4-11: Directory Service Log Event

● File Replication Service Log contains events logged by the File Replication service, such as file replication failures.

Figure 4-12: File Replication Service Log

Figure 4-13: File Replication Service Log Event

If Server 2003 is configured as a DNS Server, an additional log is available:

• DNS Server Log contains events logged by the DNS Service, such as the start of the DNS service.

Figure 4-14: DNS Server Log

Figure 4-15: DNS Server Log Event

Event Viewer provides great functionality for monitoring and analysis. Not only can you view events for the local server, but also you can view events for other remote servers, simply by right clicking on “Event Viewer” at the top of the left pane.

Figure 4-16: Connecting to another computer

Another feature is the ability to filter the events that are displayed to identify any problem areas quickly. The filters are applied on a per log basis.

Figure 4-17: Log Filter
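The same filtering idea can be applied offline to the Failure Audit entries of the Security log. The following is an added example, not code from the book: it parses a comma-separated export and reports any computer that logged a burst of failed Logon/Logoff audits inside a sliding time window. The export layout (the eight columns in the order listed earlier), the sample rows, the threshold and the window are assumptions of this example.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The eight Event Viewer columns named in this chapter, used here as the
# (assumed) field order of a comma-separated export.
COLUMNS = ["Type", "Date", "Time", "Source", "Category", "Event", "User", "Computer"]

# Constructed sample rows, not real log data. Event numbers, accounts and
# computer names are illustrative values only.
SAMPLE_EXPORT = """\
Failure Audit,3/14/2004,2:01:05 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV01
Failure Audit,3/14/2004,2:01:20 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV01
Failure Audit,3/14/2004,2:01:31 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV01
Failure Audit,3/14/2004,2:01:44 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV01
Failure Audit,3/14/2004,2:02:02 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV01
Failure Audit,3/14/2004,2:02:15 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV01
Success Audit,3/14/2004,2:02:40 AM,Security,Logon/Logoff,528,EXAMPLE\\jsmith,SRV01
Failure Audit,3/14/2004,2:03:00 AM,Security,Object Access,560,EXAMPLE\\jsmith,SRV01
this line is truncated,3/14/2004
Failure Audit,3/14/2004,9:15:00 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV02
Failure Audit,3/14/2004,1:40:12 PM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV02
"""


def parse_export(text):
    """Yield one dict per well-formed row, with a parsed 'When' timestamp."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(COLUMNS):
            continue  # skip blank or truncated lines instead of guessing
        rec = dict(zip(COLUMNS, (cell.strip() for cell in row)))
        try:
            rec["When"] = datetime.strptime(
                rec["Date"] + " " + rec["Time"], "%m/%d/%Y %I:%M:%S %p"
            )
        except ValueError:
            continue  # unparseable date or time
        yield rec


def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=2)):
    """Return {computer: {"start": datetime, "peak": int}} for every computer
    that logged at least `threshold` Failure Audit events in the Logon/Logoff
    category within any span of length `window`."""
    recent = defaultdict(deque)  # computer -> failure times still in the window
    bursts = {}
    for rec in sorted(records, key=lambda r: r["When"]):
        if rec["Type"] != "Failure Audit" or rec["Category"] != "Logon/Logoff":
            continue
        times = recent[rec["Computer"]]
        times.append(rec["When"])
        # Drop failures that have aged out of the sliding window.
        while rec["When"] - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            hit = bursts.setdefault(
                rec["Computer"], {"start": times[0], "peak": 0}
            )
            hit["peak"] = max(hit["peak"], len(times))
    return bursts


if __name__ == "__main__":
    for computer, hit in failed_logon_bursts(parse_export(SAMPLE_EXPORT)).items():
        print(computer, hit["start"], "failures in window:", hit["peak"])
```

Isolated failures, such as the two on SRV02 that are hours apart, stay below the threshold; only the tight cluster on SRV01 is reported.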

4.1.1.2 System Monitor
System Monitor and Performance Logs and Alerts are both found in the Performance Console in Server 2003. Performance can be found under Administrative Tools in Control Panel. System Monitor allows you to view real time performance of your server. You can capture this data in a log as well, so that you can view it at a later time. When you first open System Monitor, you will notice that nothing is being tracked. This is because you must first set counters to monitor the particular process in which you are interested. These counters will be displayed on the screen.

Figure 4-18: System Monitor

There are three views available to you in System Monitor:
● Chart (The default view) allows you to view a small number of counters over a set period of time
● Histogram (Bar chart) allows you to view a large number of counters as a snapshot
● Report allows you to view the counters in text format in real time

Using the Performance Logs and Alerts will allow you to create counter and trace logs, as well as define alerts. You can use this tool to collect logged data, which can be used for detailed analysis and record keeping.

Figure 4-19: Performance Logs and Alerts

The three logs available to you through Performance Logs and Alerts are:

● Counter logs record data about hardware usage and activity on a system. You can configure logging to occur on a regular basis, or on-demand. As an administrator, you should plan how often to collect data, based on the type of results you need to obtain.

Figure 4-20: Setting Up a Counter Log

● Trace logs measure data on a continuous basis.

Figure 4-21: Setting Up a Trace Log

● Alerts are messages that are sent to the system administrator when a specific counter exceeds, or falls below, a predetermined setting.

Figure 4-22: Setting Up an Alert


4.1.1.3 Task Manager
Task Manager will allow you to view the applications and processes that are currently running on your system. Task Manager provides “real time” monitoring of a server or system. You can access it in a number of ways:
● Right click the taskbar
● Using CTRL|SHIFT|ESC
● Using CTRL|ALT|DEL

There are five tabs available under Task Manager:
● Applications
● Processes
● Performance
● Networking
● Users

When you view the Applications Tab, you will see the applications that are running and their status (running, not responding, stopped). On this tab you can end a task, switch to a task, or start a new task.

Figure 4-23: Applications Tab (Task Manager)

The Processes tab will show you all the processes currently running on your server, including processes used by the operating system. This tab allows you to end a process that has ceased to function or is causing system instability. If you right-click a process, a menu is displayed allowing you to end the process, end the process tree, debug (if a debugger is registered on the system), set the affinity (on multiprocessor systems) or change the priority of the process.

Figure 4-24: Processes Tab (Task Manager)

On multiprocessor systems, the Set Affinity command can direct an application or process to use a specific processor or processors. The effect of this can be a double-edged sword. You are essentially removing the ability of the process to benefit from the asymmetrical processing capabilities of Windows 2003. On the other hand, certain applications can gain substantial benefits from it, specifically if they do not use threading.

By changing the priority of a process, you can optimize it to use a specific amount of processor time. This can adversely affect the overall performance of not only the process itself, but of all other processes as well. By raising the priority, you grant the process more processing time, making it run faster. Inversely, by lowering the priority, you limit the amount of processing time, making it run slower.

In order for Windows 2003 to guarantee that every process will get a chance for processing time, a mechanism for scheduling threads is used. This mechanism is the basis for the pre-emptive multitasking strategy in Windows 2003. Each and every thread and process is assigned a priority, which then determines the order in which they are granted processing time. A thread’s priority is based on the priority class of its parent process. There are four process priority classes:
● Idle – used for processes (such as screen savers) that periodically update the display
● Normal – the default priority class for a process
● High – these processes receive the majority of processor time
● Real Time – used mostly by kernel-mode processes (such as mouse and keyboard input)

Each of these priority classes sets a range of priority values between 0 and 31. Priority 0 is reserved for system use. Priorities between 1 and 31 have increasingly higher priorities (with 1 being the lowest). Idle, Normal, and High priorities range between 1 and 15; Real Time priorities range between 16 and 31. For processes that are Real Time, the thread’s priority cannot change while the thread is running. For all other priorities, the threads are considered variable (they can change thread priority while running). For threads running in the Normal or High priority classes, the thread’s priority can be raised or lowered by up to a value of 2, but cannot fall below its original, program-defined base priority. The resulting value of changing the base priority for optimized thread scheduling is called the thread’s dynamic priority.

A listing of all Windows 2003 process priorities is given in Table 4-2.

Note: If you have at least one priority 31 thread running, other threads cannot run.

                     Process Priority Classes
Thread Priorities    Real Time   High   Normal   Idle
Time Critical        31          15     15       15
Highest              26          15     10       6
Above Normal         25          14     9        5
Normal               24          13     8        4
Below Normal         23          12     7        3
Lowest               22          11     6        2
Idle                 16          1      1        1

Table 4-2: Server 2003 Process Priorities

With Task Manager, you can change the base priority of a process to one of the following:
● Realtime (Time Critical)
● High (Highest)
● AboveNormal
● Normal
● BelowNormal
● Low (Lowest)

Remember that you cannot change the Process Priority Class, just the thread priority. Changes made to the base priority of the process are not permanent; they are effective only as long as the process runs. Note: You must be an administrator to change a process’ priority.

The information on the Processes tab can be modified to gain even more information. Choosing Select Columns… on the View menu displays the options shown in Figure 4-25. Each of these options is explained in Table 4.3.

Figure 4-25: Task Manager Processes

Column | Description
Base Priority | A precedence ranking that determines the order in which the threads of a process are scheduled for the processor.
CPU Time | The total processor time, in seconds, used by a process since it started.
CPU Usage | The percentage of time that a process used the CPU since the last update.
GDI Objects | The number of Graphics Device Interface (GDI) objects currently used by a process.
Handle Count | The number of object handles in a process's object table.
Image Name | The name of a process.
I/O Other | The number of input/output operations generated by a process that are neither a read nor a write, including file, network, and device I/Os.
I/O Other Bytes | The number of bytes transferred in input/output operations generated by a process that are neither a read nor a write, including file, network, and device I/Os.
I/O Reads | The number of read input/output operations generated by a process, including file, network, and device I/Os. I/O Reads directed to CONSOLE (console input object) handles are not counted.
I/O Read Bytes | The number of bytes read in input/output operations generated by a process, including file, network, and device I/Os. I/O Read Bytes directed to CONSOLE (console input object) handles are not counted.
I/O Writes | The number of write input/output operations generated by a process, including file, network, and device I/Os. I/O Writes directed to CONSOLE (console input object) handles are not counted.
I/O Write Bytes | The number of bytes written in input/output operations generated by a process, including file, network, and device I/Os. I/O Write Bytes directed to CONSOLE (console input object) handles are not counted.
Memory Usage | The current working set of a process, in kilobytes. The current working set is the number of pages currently resident in memory.
Memory Usage Delta | The change in memory, in kilobytes, used since the last update.
Non-paged Pool | The amount of memory used by a process, in kilobytes, that is not paged to disk.
Page Faults | The number of times data has to be retrieved from disk for a process because it was not found in memory. The page fault value accumulates from the time the process started.
Page Faults Delta | The change in the number of page faults since the last update.
Paged Pool | The amount of system allocated virtual memory, in kilobytes, used by a process.
Peak Memory Usage | The peak amount of physical memory resident in a process since it started.
PID (Process Identifier) | A numerical identifier that uniquely distinguishes a process while it runs.
Thread Count | The number of threads running in a process.
USER Objects | The number of USER objects (windows, menus, cursors, icons, etc) currently being used by a process.
Virtual Memory Size | The amount of virtual memory, or address space, committed to a process.
Session ID (Terminal Services Only) | The Terminal Services session ID that owns the process.
User Name (Terminal Services Only) | The name of the user whose Terminal Services session owns the process.

Table 4-3: Process Definitions

The Performance Tab will give you a quick glance at CPU and memory usage. This tab provides you with a quick version of the System Monitor tool.

Figure 4-26: Performance Tab (Task Manager)

Clicking Show Kernel Times on the View menu adds red lines to the CPU Usage gauge and CPU Usage History graph. These red lines indicate the percentage of processor time consumed in privileged or kernel mode.

Figure 4-27: Performance View with Kernel Times

On multiprocessor systems, you can change the graph to display each processor in a single graph, or in separate graphs. Clicking CPU History on the View Menu achieves this functionality.

New to Server 2003 is the Networking tab, which was introduced with Windows XP. With this view, you can see bytes sent, received, and total. The Networking tab provides a quick indication of the network traffic on the server. It is a quick reference for determining the amount of network bandwidth being consumed and, when there are multiple network connections, it allows easy comparison of the traffic for each connection.

Figure 4-28: Networking Tab (Task Manager)

Note: If there is no network card connected to the server, this tab will not appear.

Also new to Server 2003 is the Users tab, which was introduced in Windows XP with Fast User Switching enabled. When there is more than one user connected to the server, you can see who is connected, what they are working on, and you can send them a message. As well, you can disconnect users if necessary.

Figure 4-29: User Tab (Task Manager)

4.2 Manage software update infrastructure

Most people who are running Windows 2000 Professional or Windows XP are familiar with the new innovation, Windows Update. In the past, network administrators had to set up a schedule to check for critical updates, service packs and security patches that had been released since the last check. After verifying and testing these “fixes”, the administrator would have to distribute them to the desktop PCs and servers in their network using a distribution methodology.

With Windows Server 2003, Software Update Services (SUS) is introduced as a server-based distribution system for critical updates, security patches and service packs. SUS is, essentially, a server-based Windows Update that provides updates for Server and Professional 2000 SP3, Windows XP SP1, and Server 2003. Running as a service on an internal server, SUS connects through the corporate firewall to the Windows Update site and allows administrators to collect the patches, updates and service packs needed for their network via a web-based application.

The Network Administrator must first sign up for e-mail notification. This can be done at http://www.microsoft.com/windows2000/windowsupdate/sus/redir-email.asp (Figure 4-30).

Figure 4-30: E-Newsletter Subscription

Using SUS, network administrators will receive an e-mail notification (Figure 4-31) when updates are added to their SUS channel. The updates can be downloaded from the live Windows Update servers and saved on the SUS Server on the network. Administrators are then able to verify, test and install critical updates quickly without disruption to the network, using the Automatic Update feature on client machines and servers.

Note: All non-security-related patches, such as patches for applications or device drivers cannot be managed through SUS. SUS is designed for distribution of critical patches, service packs and security updates.

Figure 4-31: SUS Content Notification Email

4.2.1 Components

SUS is comprised of three components that can be downloaded from the Microsoft site:
● Server Component – the service to be installed on the SUS Server (SUS10SP1.exe).

Figure 4-32: SUS Server Component Webpage Interface

From this interface the administrator can tune the corporate SUS Service to meet the needs of the organization. He or she can synchronize the corporate SUS Server with the main Software Update Services servers at Microsoft, or set up the synchronization schedule. From the list of downloaded patches, the updates can be approved. As well, the synchronization log and approval log can be viewed, and options such as proxy server and storage of updates can be set. Finally, the SUS server can be monitored from this interface.

Figure 4-33: Scheduling SUS Server Synchronization

● Client Component – download is only required for systems running Windows 2000 SP2 and Windows XP RTM. Already included in Windows 2000 SP3 or later, Windows XP SP1 or later, and Windows Server 2003 (wuau22*.msi)
● Group Policy Component – template add-on to configure the Automatic Updates component on client computers (servers and workstations).

There are four settings that can be configured (Figure 4-34):
● Configure Automatic Updates (Not Configured | Enabled | Disabled)
Under Enabled, there are three options – notify on download and on install, automatic download/notify on install, automatic download and schedule install. With the third option, the administrator can then schedule the install date and time.
● Specify intranet Microsoft update service location (Not Configured | Enabled | Disabled)
Under Enabled, the administrator can then specify both the intranet update service for detecting updates and the intranet statistics server.
● Reschedule Automatic Updates scheduled installations (Not Configured | Enabled | Disabled)
Under Enabled, the administrator can schedule when the Automatic Updates should be applied, if the system is powered off during the specified time. This schedule is “x” number of minutes after system startup.
● No auto-restart for scheduled Automatic Updates installations
This is a specific setting so that Automatic Updates are not rescheduled on system startup.

Figure 4-34: SUS Automatic Update GPO
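As an added example (not from the book): a Python check that reads a .reg export of the Automatic Updates policy keys from a client and reports combinations of the settings above that leave the client unpatched or off the SUS server. The registry value names are the ones the Automatic Updates policy template writes under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate, which the book does not list; the server names and values in the sample are constructed.

```python
import re

WU_KEY = r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate"
AU_KEY = WU_KEY + r"\au"

# AUOptions values for the three choices under "Configure Automatic Updates".
AU_OPTIONS = {
    2: "notify on download and on install",
    3: "automatic download/notify on install",
    4: "automatic download and schedule install",
}

# Constructed sample: .reg export of the policy keys from one client (made-up server).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01.corp.example"
"WUStatusServer"="http://sus01.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000019
"UseWUServer"=dword:00000000
"RescheduleWaitTime"=dword:0000000a
'''


def parse_reg(text):
    """Return {key path (lower case): {value name: int or str}} from a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue  # header line, blank line or a value type not handled here
        name, data = m.groups()
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
    return keys


def dword(values, name):
    """Return a value only if it was stored as a REG_DWORD, else None."""
    value = values.get(name)
    return value if isinstance(value, int) else None


def audit_au_policy(keys):
    """Report Automatic Updates policy values that are missing, invalid or cancel out."""
    wu, au = keys.get(WU_KEY, {}), keys.get(AU_KEY, {})
    findings = []
    if dword(au, "NoAutoUpdate") == 1:
        findings.append("Configure Automatic Updates is Disabled on this client")
    option = au.get("AUOptions")
    if option is None:
        findings.append("AUOptions missing: Configure Automatic Updates is Not Configured")
    elif option not in AU_OPTIONS:
        findings.append(f"AUOptions={option} is not one of the three options listed")
    elif option == 4:
        # Only "schedule install" uses the day (0 = every day, 1-7 = Sun-Sat) and hour.
        day, hour = dword(au, "ScheduledInstallDay"), dword(au, "ScheduledInstallTime")
        if day is None or not 0 <= day <= 7:
            findings.append("ScheduledInstallDay missing or outside 0-7")
        if hour is None or not 0 <= hour <= 23:
            findings.append("ScheduledInstallTime missing or outside 0-23")
    if dword(au, "UseWUServer") == 1:
        for name in ("WUServer", "WUStatusServer"):
            if not wu.get(name):
                findings.append(f"UseWUServer=1 but {name} is empty")
    elif wu.get("WUServer"):
        findings.append("WUServer is set but UseWUServer is not 1: the SUS server is ignored")
    wait = dword(au, "RescheduleWaitTime")
    if wait is not None and not 1 <= wait <= 60:
        findings.append("RescheduleWaitTime outside 1-60 minutes")
    return findings


if __name__ == "__main__":
    for finding in audit_au_policy(parse_reg(SAMPLE_REG)):
        print("FINDING:", finding)
```

Run against an export taken with regedit from a client that should be receiving the GPO; an empty result means the four settings are present and consistent with each other.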

4.3 Manage software site licensing

Let’s review the differences in the licensing options for Server 2003.

Per Server – The numbers of connections are limited to the number of CALs (Client Access Licenses). Per Server connections are allocated on a first-come, first-served basis to the server licensed. This type of license is best in a single server environment or in an environment where a designated server is used by only a single group (for example, a server dedicated to the Human Resource Department, which is accessed by only a certain number of users at any one time). There is a one-time conversion available to Per User or Per Device licensing.

Per User or Per Device – This licensing mode enables all network devices or users to access all the servers on a network, with an unlimited number of simultaneous connections to any server. For the purposes of Windows licensing, any electronic equipment that can access or use the services of Server 2003, including file and print sharing, remote access and authentication, is considered a device. This can include servers, workstations, terminals and handhelds. This is the normal licensing mode for Server 2003 installed on multiple servers in a network setting.

● If Server 2003 is installed on only one server, Per Server is the best option.
● If users frequently access multiple servers on the corporate network, Per User or Per Device licensing is the best option.

NOTE: If you are installing Server 2003 on a single server, and you are unsure which license mode to use, select Per Server, as you are allowed a one-time conversion to Per User or Per Device licensing.

4.3.1 Administering Enterprise Licensing

Administration of licensing in an enterprise environment for Server 2003 is done through the Licensing tool, located under Administrative Tools. You must be the Administrator, or a member of the Administrators Group, in order to work with this tool. By default, the licensing tool is not enabled. In order to use it, you must enable it under Services, located in Administrative Tools in Control Panel.

Figure 4-35: Enabling the Licensing Tool

Figure 4-36: Licensing Tool

The interface for the Licensing Tool in Server 2003 family is similar to that in Windows 2000 or Microsoft Windows NT 4.0. There are four tabs:

● Purchase History
It is under this tab that you will manage the purchase or deletion of licenses for server products on network servers. Here you enter the number of licenses, the type of license and the date of purchase. The Purchase History entries are not intuitive – that is, the entries you make are not verified by the system, nor are they entered automatically. It is important that you track your licensing carefully and accurately. When you enter a number of licenses into the Purchase History dialog box, the license agreement will appear.

Figure 4-37: Licensing Agreement

● Products View
Under this tab, you can view Per Server and Per Device or Per User licenses for the site or a particular group in the site. This tool will allow you to track license usage and ascertain when additional licenses are required.
● Users
Under this tab, you can view usage statistics for each user, including licensed and unlicensed usage.
● Server Browser
Under server browser, you can remotely manage licensing on servers (for server products licensed in Per Server mode). You can also manage replication remotely, by right-clicking the server, selecting Properties, and then using the Replication tab.

Figure 4-38: Remote Licensing Management

4.3.2 License Replication

4.3.2.1 Configuring Replication Locally

To record a number of new licenses (that will appear in the Products View tab of the Licensing Tool) or to configure replication for the local server, you can use Licensing under Control Panel. To configure the number of licenses, just go to Control Panel, and select Licensing. The dialog box illustrated in Figure 4-39 will appear.

Note: You can also record local licensing under the Server Browser tab of the Licensing Tool, by right clicking the local server and selecting Properties. However, you CANNOT configure replication for a local machine through this process.

Figure 4-39: Licensing Mode (Control Panel)

It is from this interface that you can add licenses for both Windows Server 2003 and Windows Back Office. You can also switch your licensing, one time only, from Per Server to Per Device or Per User. If you look at Figure 4-39, you will note the Replication… button on the bottom right hand corner. Clicking that button will bring up the dialog box in Figure 4-40 that will allow you to configure replication for the local server.

Figure 4-40: Replication (Control Panel)

From here, you can configure when you want the licensing information to replicate, either at a specific time, or at a scheduled interval.

Note: It is important to note that under Windows NT 4.0 domains, you can use the Master Server options to specify where the server replicates. This has changed with Windows 2000 and 2003 domains. The option to specify a master server does not exist in a Server 2003 environment. Server 2003 replicates automatically to a domain controller, and domain controllers replicate to the site license server. If it is a stand-alone server in an NT 4.0 domain, it will replicate to the PDC.

4.3.2.2 Configuring Replication for Remote Servers

In order to configure replication for remote servers, the steps are similar to those listed above. From Administrative Tools, open Licensing. On the Server Browser tab, expand the domain, right-click the server to manage, and then click Properties. Select the Replication tab. Under Replication Frequency, specify the interval at which the licensing information should be replicated to the site license server. As outlined in the previous section, you have two choices. You can select a specific time for daily replication by clicking Start At and entering a time, or you can set a time interval between replication cycles by clicking Start Every and entering the desired interval.

4.4 Manage servers remotely

Remote Desktop and Remote Assistance are both new to Server 2003. They use the same basic technology, but there are some fundamental differences between these two features.

Remote Desktop allows access to a remote Windows computer, gaining access to files and applications. For example, if you are working at home, you can use Remote Desktop to connect to your work computer. Your work computer will appear in a new window, and you can work remotely off your own desktop at work.

Remote Assistance allows an administrator to use an Internet connection to access a user’s computer or remote server to provide help. It allows the administrator to assist another individual remotely, in real time. Remote Assistance requires explicit permission from the individual requesting assistance.

4.4.1 Manage a server by using Remote Assistance

Remote Assistance was first introduced in Windows XP. This feature is used so that administrators can resolve problems without having to be physically at the user’s computer or server. The administrator can view the remote computer’s screen in a window and communicate with the user through a “chat box”. The remote system must be running Server 2003, or Windows XP.

Note: This feature is NOT available under Server 2003 64-bit version.

In order to use Remote Assistance, Group Policy must be enabled. This can be done by:
● Click Start | Run, type gpedit.msc, and click OK.
● Under Computer Configuration, double-click Administrative Templates, double-click System, and then double-click Remote Assistance.

Figure 4-41: Group Policy Object Editor

As you will note, there are two settings that can be configured under Remote Assistance Group Policy:

● Solicited Remote Assistance
This setting specifies whether a user can request (solicit) assistance using Remote Assistance. By default, this setting is set to “Not Configured”. When the status is set to Not Configured, a user can enable, disable and configure Remote Assistance in System properties in Control Panel. The default maximum time a Remote Assistance invitation can stay open is determined by this Control Panel setting (Figure 4-42).

Figure 4-42: Remote Assistance (Control Panel)

Figure 4-43: Solicited Remote Assistance (Registry)

If you set the status to Enabled, a user can create a Remote Assistance invitation that the administrator (or another support person) can use at another computer to connect to the user’s computer. When permission is given, the administrator can view the user’s screen, mouse, and keyboard activity in real time.

The "Permit remote control of this computer" setting specifies whether a user on a different computer can control this computer. When the user invites an administrator to connect to the computer, and gives permission, the administrator can then take control of this computer. The expert cannot assume control, but only make a request to take control. The user can stop the administrator’s control at any time.

The "Maximum ticket time" setting sets a time limit on the period that a Remote Assistance invitation can remain open. After that period expires, the Remote Assistance invitation is closed and a new one must be generated.

The "Select the method for sending e-mail invitations" setting specifies which e-mail standard to use when sending Remote Assistance calls. You can use the Mailto standard, in which case the invitation recipient will connect through an Internet link. You can also use the SMAPI standard, in which case the invitation will be attached to an e-mail message. It is important to remember that the email program MUST support the selected e-mail standard.

If the status is set to Disabled, users cannot request Remote Assistance and this computer cannot be controlled from another computer.

● Offer Remote Assistance
How this setting is configured will determine whether or not the administrator (or a support person) is able to offer remote assistance to this computer without a user first explicitly requesting it. If this setting is enabled, you can offer remote assistance. When you try to connect, the user is given an opportunity to accept or deny the assistance. When it is accepted, the administrator is given view-only privileges to the user's desktop. The user must then click a button to give you the ability to remotely control the desktop, if remote control has been enabled.

Note: You cannot connect to the computer unannounced or control it without permission from the user, even under this setting.

If you disable or do not configure this policy setting, users or groups cannot offer unsolicited remote assistance to this computer.

There are two additional choices, both of which are self-explanatory. You can select either "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer". As well, you can also specify the list of users or user groups that will be allowed to offer remote assistance. These are termed "helpers." To set up the list of helpers, click "Show." A new window opens in which you can enter the names of the helpers.

If Remote Assistance is disabled in the previous setting (Solicit Remote Assistance), or if it is set to “Not configured” and disabled in Control Panel, the “Offer Remote Assistance” setting will also be disabled.

4.4.2 Using Terminal Services Remote Administration Mode (Remote Desktop)

There are some administrative tasks that can be performed by you, the administrator, using Remote Desktop (formerly Terminal Services remote administration mode) along with different tools. These are:
● Logging onto one server remotely, or switching among several servers, and managing them as if you were physically there.
● Managing your servers from any computer on your network.

This certainly makes life easier for any administrator! So, how do we set it up? The first requirement is that Remote Desktop must be enabled on each remote server. This is done through Control Panel | System and then clicking on the Remote tab.

Figure 4-44: Enabling Remote Desktop

You will note that there is a button “Select Remote Users”. Clicking on the button will display the dialog box shown in Figure 4-45. From that dialog box, you can designate which users, or groups of users, will be allowed to access the server through Remote Desktop.

Figure 4-45: Configuring Remote Desktop Users

Once you have set up all of your servers to allow Remote Desktop access, you should set up the connections to each server. This is done through Start | Programs | Accessories | Communications | Remote Desktop Connection. A Remote Desktop Connection dialog appears, as illustrated in Figure 4-46.

Figure 4-46: Remote Desktop Connection

You will note the Options button in the bottom right hand corner of this dialog box. These options will allow you to set up each connection to suit particular network demands.

We will walk through each of these options, one by one. When you click Options, the dialog box shown in Figure 4-47 will appear, on the first tab, General.

Figure 4-47: Remote Desktop, General Tab

The General tab allows you to set up certain logon parameters, such as the name of the computer to which you wish to connect, and the username, password and domain being used to establish the connection. There is an option to save the password, which enables you to reconnect to this remote computer without any input. As well, after configuring all the options, it is from this dialog box that you will save the settings as a .rdp file, so that the settings are saved for the next time you wish to use this connection.

Note: If your network is set up to have passwords expire after a certain preset time period, you will need to remember to modify the password for each .rdp connection after changing the password.

The second tab (Figure 4-48) is the Display tab. From this tab, you are able to configure how you wish the remote desktop to appear on your computer. You can select the default size of the remote desktop window, from a smaller window to full desktop. As well, you can select the color settings for the remote desktop. However, it is important to note that the settings on the remote computer may override the selection you make at this tab. You are also able to ensure that the connection bar still appears at the top of the screen should you choose to operate the remote desktop in full screen mode.

Figure 4-48: Remote Desktop (Display)

Figure 4-49: Remote Desktop (Local Resources)

The third tab is the Local Resources tab. From this dialog box, you can choose whether or not you want the sound from the remote computer to be brought to your desktop. As well, you can select whether you want certain Windows key combinations to work on the remote desktop, or if, perhaps, you only want them to work when you are in full screen mode. Finally, you can select whether the disk drives, serial ports and printers assigned to the remote computer will be automatically connected when you log onto the remote computer.

Figure 4-50: Remote Desktop (Programs)

From the fourth tab, you can choose to have certain monitoring or maintenance programs run when the connection is established. For example, you may wish to view the Event Viewer on the remote server each time you connect. In that case, you would check the Start the following program on connection checkbox, and then put the appropriate path and file name into the text box.

Figure 4-51: Remote Desktop (Experience)
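As an added example (not from the book): a Python review of a saved .rdp file that reports the choices made on the General, Local Resources and Programs tabs described above, which is useful before handing connection files to other members of a team. The setting names are those Remote Desktop Connection writes to the file, which the book does not list; the host, user and password blob in the sample are constructed.

```python
import codecs

# Constructed sample of a saved connection file; host, user and blob are made up.
SAMPLE_RDP = "\r\n".join([
    "screen mode id:i:2",
    "session bpp:i:16",
    "full address:s:srv-hr01.corp.example",
    "username:s:jadmin",
    "domain:s:CORP",
    "password 51:b:00PLACEHOLDER00",
    "keyboardhook:i:2",
    "audiomode:i:0",
    "redirectdrives:i:1",
    "redirectprinters:i:1",
    "redirectcomports:i:0",
    "alternate shell:s:C:\\WINDOWS\\system32\\eventvwr.exe",
    "shell working directory:s:C:\\WINDOWS\\system32",
    "bitmapcachepersistenable:i:1",
    "autoreconnection enabled:i:1",
]).encode("utf-16")  # Remote Desktop Connection saves .rdp files as UTF-16 with a BOM


def parse_rdp(data):
    """Decode .rdp bytes and return {name: (type, value)}; type is 'i', 's' or 'b'."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", errors="replace")  # hand-edited copies
    settings = {}
    for line in text.splitlines():
        # Each line is name:type:value; the value itself may contain colons (C:\...).
        parts = line.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue  # blank or malformed line
        name, kind, value = parts
        if kind == "i" and value.lstrip("-").isdigit():
            value = int(value)
        settings[name.lower()] = (kind, value)
    return settings


def is_on(settings, name):
    """True when an integer setting is present and non-zero."""
    value = settings.get(name, ("i", 0))[1]
    return isinstance(value, int) and value != 0


def audit_rdp(settings):
    """Return (tab, finding) pairs for settings worth reviewing before sharing the file."""
    findings = []
    host = settings.get("full address", ("s", "?"))[1]
    if settings.get("password 51", ("b", ""))[1]:
        findings.append(("General", f"saved password for {host}: connects with no "
                         "prompt and must be re-saved after each password change"))
    for name, what in (("redirectdrives", "disk drives"),
                       ("redirectcomports", "serial ports"),
                       ("redirectprinters", "printers")):
        if is_on(settings, name):
            findings.append(("Local Resources", f"{what} are connected automatically at logon"))
    shell = settings.get("alternate shell", ("s", ""))[1]
    if shell:
        findings.append(("Programs", f"starts on connection: {shell}"))
    return findings


if __name__ == "__main__":
    for tab, finding in audit_rdp(parse_rdp(SAMPLE_RDP)):
        print(f"[{tab}] {finding}")
```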

The fifth and final tab for configuration is the Experience tab. It is from this dialog box that you can specify what your connection speed is, so that performance can be optimized. By default, 28.8 Kbps Modem is selected. By default, certain options will be selected according to your connection speed. The faster the connection speed, the more options that are selected. You will note in Figure 4-51 that the only item selected is Bitmap Caching. You may wish to opt for custom settings. I usually select only Menu and Window animation and Bitmap Caching, even on a 100 Mbps LAN, for optimal performance, leaving the desktop background, windows contents and themes “behind”. You can also choose to have the remote desktop connection automatically reconnect if, for whatever reason, the connection is unexpectedly dropped.

Remember to return to the General tab to save your settings, so that the connections to the remote servers are saved for next time.

4.4.3 Manage a server by using available support tools

There are a few other ways of managing your servers remotely. Let’s look at them briefly.

● Manage several servers by performing similar tasks
This can be achieved by using the appropriate saved MMC consoles, if available. Alternately, you can create your own custom MMC consoles for tasks you frequently do, or delegate to other members of your team.
● Connect to a remote computer when that computer cannot access the network or is not in an operational state because of hardware or software failure.
This can be accomplished using the old standby – Telnet. Remember – it is command line driven, capabilities are limited and security is minimal at best. However, there are times, such as the situation listed above, when the “old way” is still the “best way”.

There is one new remote administration feature with Server 2003 that is worth a closer look – the Web Interface for Remote Administration. The feature is, by default, NOT set up on any version of Server 2003, except for the Web Edition.

In order to install this feature on another version of Server 2003, you must utilize the Windows Components Wizard, found in Control Panel | Add/Remove Programs. The feature is buried quite deep within the Wizard. Select Application Server | Internet Information Services | World Wide Web Service and then select the checkbox next to Remote Administration (HTML) (Figure 4-52).

Figure 4-52: Installing the Web Interface for Remote Administration

Designed specifically for remote administration of Web Servers, the Web Interface for Remote Administration is a web-based application that you can use to configure and manage the server from a remote client. Individual servers, server farms and multiple sites per server can be remotely managed from your workstation. The Web Interface for Remote Administration provides a new way of performing common Web server configuration tasks, including:
● Creating and deleting Web sites
● Configuring network settings
● Managing local user accounts
● Restarting the Web server

The interface is very easy to work with and maneuver through. It is worth your while to take a moment and walk through each page to familiarize yourself.

Figure 4-53 – Remote Administration Web Interface

4.5 Troubleshoot print queues

Normally, when we’re talking about printers, we mean the piece of hardware that produces printed copy. In the Windows world, the printer is a software interface between the physical printing device and the Windows operating system. Therefore, before you can access your physical print device, you must first configure a printer. You can access your printer configuration by using Control Panel, or by going Start | Printers and Faxes.

4.5.1 Connect to a local print device

You must be a member of the Administrators group to create a printer in Windows 2003. When you run the Add Printer Wizard (Figure 7.22), and create the printer, the computer on which the printer has been created becomes the print server for that print device. If the printer is going to be shared on the network, make sure that the computer has enough processing power to handle the printing requests and enough free disk space to queue the print jobs.

Figure 4-54: Add Printer Wizard

In order to use the printer, all clients will have to have the appropriate driver installed on their system. Most Microsoft client operating systems will automatically download the driver from the print server the first time the client connects to the printer. If the driver is updated on the server, it will also be automatically updated on Windows NT, 2000, 2003 and XP clients the next time it connects to the print server. One word of caution – Windows 95 and 98 clients will download the driver the first time they connect to the print server. If you update the driver on the print server, you will have to manually install the updated drivers on the clients. Other operating systems may require a specific protocol or service to be running on the print server in order to use the shared printer.

4.5.2 Manage printers and print jobs

You manage the printer properties by right clicking on the printer and selecting Properties. The Properties’ dialog box has a number of different tabs. Let’s look at some of them.

The General Tab (Figure 4-55) has the basic information and features of the installed printer, including its model name, the optional location and comment provided at the time of installation, and the features available with the printer.


Figure 4-55: Printer Properties General Tab

It also allows you to configure printing preferences, such as the layout of the paper, the page order, and the paper source. You can also print a test page from the General tab of Properties. Printing a test page is frequently used for troubleshooting. You may choose to print a test page when you have installed an updated driver for your printer and want to verify that it is working. If a Windows 2003 driver is not available for the printer, and you wish to try a compatible print driver, you may wish to test the driver by printing a test page.

The Sharing tab (Figure 4-56) in Properties allows you to start or stop sharing the printer with the network. It provides a checkbox if you wish to have the printer listed in the network’s Active Directory. The Additional Drivers button allows you to add drivers onto the print server for the Itanium versions of Windows XP and Server 2003, as well as x86 drivers for Windows 95, 98, ME and NT 4.0.

Figure 4-56: Printer Properties Sharing Tab

Server 2003 supports both physical printing ports (LPT and COM) as well as logical (TCP/IP) ports. A physical (local) port is used when the print device is connected physically to the computer. A logical port is used when the print device has its own network card and IP address, and the computer will be acting as the print server for the network-enabled print device.

The Ports tab (Figure 4-57) allows you to add, configure, and delete ports for the printer. It also allows you to set up printer pooling. Printer pooling is when multiple print devices are acting as one printer. The jobs sent to the printer are shared among the print devices. It should go without saying that if you create a printer pool with multiple print devices, the print devices should be located in the same physical workspace. Print devices in a printer pool MUST use the same print driver.

Figure 4-57: Printer Properties Ports Tab

If your printer device fails, the Ports tab enables you to redirect scheduled print jobs to another print device, provided that print device can use the same driver as the failed print device. To redirect a print job, click the Add Port button, select New Port, and choose New Port time. You should use the UNC naming convention to name the printer, that is, \\SERVERNAME\SHARENAME, where SERVERNAME is the name of the computer acting as the print server for the new print device and SHARENAME is the name given to the shared printer.

There are a number of options available under the Advanced Properties tab (Figure 4-58). The first item on the dialog box allows you to schedule times when the printer is available. There can be a number of reasons why you might choose to do this.

Figure 4-58: Printer Properties Advanced Tab

Let’s say that the print device is in a secure area that is locked at 6:00 p.m. If a user is working late, he or she wouldn’t be too happy if they printed out an important job and then discovered that they can’t get to it. By scheduling the printer to not be available after 6:00 p.m., this situation can be avoided. Keep in mind, though, that a printer is NOT a print device. You can create two printers for one physical print device. You could name one “Daytime Printer” and have it scheduled from 7:00 a.m. to 6:00 p.m. You could then create a second printer “Overnight Printer” and have it scheduled from 6:00 p.m. to 7:00 a.m. Large jobs, or jobs that are heavy in graphics that might take a long time to print, can be sent to the “Overnight” printer. Both printers work on the same print device. By default, when a printer is created, it is always available.

The next item on the Advanced Properties dialog box is Priority. This is used to ensure that urgent print jobs are produced before less urgent ones. The lowest priority is “1” and the highest priority is “99”. You would create two printers for the same print device, and give each a different priority. Make sure that the share names reflect the priority of the printer. Jobs sent to the printer with the higher priority will print first on the print device.

Spooling is the next selection on the Advanced tab. You can choose to have jobs spooled or print directly to the printer. If you choose not to have the job spooled, the application doing the printing will not be free until the job is completed. Printing directly to the printer can be helpful in troubleshooting printer problems. If you can print directly to the printer, but printing fails when you try to print through the spooler, you know that the problem lies with the spooler, not the print device. Spooling, the normal choice in a multi-user environment, allows jobs to be queued for the printer. The spooler acts as traffic lights – all the jobs do not try to print at the same time.

There are four print options available:

● Hold Mismatched Documents: Used when there are multiple forms associated with the printer. If, for example, you have one paper type, and need to print on both plain paper and a sales form, enabling the “Hold Mismatched Documents” feature will allow all jobs that need to be printed on the special form to be printed first, and then all the documents that need plain paper. By default, this feature is disabled.
● Print Spooled Documents First/Start Printing Immediately: A set of radio buttons, the first of which instructs the spooler to print jobs that have completed spooling before printing larger jobs that are still spooling, even if the larger job has a high priority. This option is enabled, by default, because it increases printer efficiency. If Start Printing Immediately is selected, the first job in the queue is printed, whether or not it has completed spooling. A long document will need to complete spooling and printing before a second, shorter document will begin to print.
● Keep Printed Documents: By default, this option is disabled, because it takes up a lot of hard disk space on the print server. When selected, jobs are kept in the spooler even after printing is completed.
● Enable Advanced Printing Features: Enabled by default, this option specifies that features such as Page Order and Pages Per Sheet, which are supported by your printer, can be used. If problems occur with special features, this option can be disabled.

At the bottom of the dialog box are three buttons – Printing Defaults, Print Processor, and Separator Pages. Printing Defaults opens the Print Preferences dialog box, the same one as on the General tab. The Print Processor button is used when Server 2003 needs to do additional processing to print jobs. Unless specified otherwise by the print device manufacturer, it is best to leave this at the default setting. Separator pages are used to identify the owner of the print job. To save paper, this is normally disabled; however, when a large number of users share one printer, it can be handy. Server 2003 comes with four separator page files:

● PCL.SEP: Used with HP Printers that have dual printer language capabilities, it sends a separator page when the printer has switched from PostScript to PCL.
● PSCRIPT.SEP: Used to switch the print server to PostScript printing mode (does not send a separator page).
● SYSPRINT.SEP: Used by PostScript printers to send a separator page.
● SYSPRTJ.SEP: Used by PostScript printers to send a separator page, but also has support for Japanese characters.

Another tab on the Properties dialog box is Color Management (Figure 4-59).

Figure 4-59: Printer Properties Color Management Tab

This tab will appear only when a color print device has been installed. The Color Management tab allows you to assign a color profile to the printer depending on what medium is being used and how the printer is configured. You can select Automatic, which allows Server 2003 to select the color profile from the associated list. This option is selected by default. You can also choose to select Manual, which allows you to select which color profile will be used by default. You can also add and remove color profiles.

If you have permission to modify printer access and permissions, the Security tab will appear (Figure 4-60). These permissions are covered in detail in the next section. For now, let’s just take a look at the tab.

Figure 4-60: Printer Properties Security Tab

Another tab on the Properties dialog box is the Device Settings tab (Figure 4-61). The properties that are displayed are dependent upon the printer and driver installed on the print server. This tab is useful if, for example, you want to assign different forms to different trays, or assign the Euro currency symbol to PostScript fonts.

Figure 4-61: Printer Properties Device Settings Tab

Other tabs may appear with different printers. Some printers will show a tab called Services, which allows you to do certain maintenance tasks, such as aligning or cleaning the print cartridges, or printing an ink-level page. Other printers may have an “About” tab.

4.5.3 Control access with permissions

Assigning permissions to users and groups can control access to printers. As with shared folders, shared printers have different levels of access. Access can mean the ability to use the print device, to delete jobs, change permissions, or restart the printer. The three levels of basic printer permissions are:

● Print: Print permission allows the user, or group, to connect to the printer and to send print jobs to the print device. A user with print permission can pause and restart their own print job, or delete that job from the queue. The user cannot perform any action on any other print job.
● Manage Documents: Manage Documents permission is granted to a user or group to troubleshoot the day-to-day problems that can occur with printers. A user with this permission can pause, restart, and delete queued documents, but cannot control the printer status.
● Manage Printers: Manage Printers permission is a permission you grant to a user or group that needs to have administrative control of the printer. A user with this permission can pause and restart the printer and the spooler, change spooler settings, share the printer, as well as change printer permissions and manage properties.

There is now a new permission, Special Permissions (Figure 4-62). This allows:

● Read Permissions: The individual can see what permissions are effective, but cannot make changes to them.
● Change Permissions: The individual can alter permissions.
● Take Ownership: The individual can become the Creator/Owner.

It should be noted that permission can be changed for that printer only, the documents only, or both the printer and the documents.

Figure 4-62: Editing Special Permissions

There are also Advanced Security Settings as shown in Figure 4-63. This dialog box allows the management of permissions, the management of auditing, changing the Creator/Owner, and managing the permissions for that printer.

Figure 4-63: Advanced Security Settings

Figure 4-60 shows the Security tab for the printer. As with share permissions, printer permissions can be explicitly allowed, denied, or not specified. The effective permission for any user account is determined in the same fashion as share permissions.

Printers and documents are managed from the Printers folder. The printer administrator (the user with Manage Printers permission) right clicks the printer to be managed. A shortcut menu appears with the following management choices on a local printer:

● Open
● Set as Default Printer
● Printing Preferences…
● Pause Printing
● Sharing
● Use Printer Offline
● Create Shortcut
● Delete
● Rename
● (Printer) Properties

Managing documents is done from within the print queue. Double-click the printer that contains the documents that need to be managed. By choosing Document from the menu bar, the following options are available:

● Pause
● Resume
● Restart
● Cancel
● Properties

4.6 Monitor system performance

Server 2003 has been designed for high performance immediately upon installation. However, it is always possible to tune the server settings for performance gains, which is why monitoring system performance is a natural part of system administration. Monitoring should always examine the hardware, the network and the workload so that the system can be tuned to meet performance goals. We have already outlined some of the main tools used in monitoring and analyzing system performance earlier in this chapter, and we will be looking at some very specific counters later in the chapter. However, this is a very good opportunity to take a quick look at certain TCP parameters that you may want to monitor, as they can affect performance.

4.6.1 TCP Parameters

There are certain TCP parameters that can be monitored and adjusted to improve server performance and increase throughput.

Parameter: TCPWindowSize
Description: This value determines the maximum amount of data (in bytes) that can be outstanding on the network at any given time. It can be set to any value from 1 to 65,535 bytes by using the following registry entry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize (REG_DWORD). Default settings: Gigabit interface – 65,535; 100 Mbps link – 16,384; lower speeds – 8,192.

Parameter: Window Scaling
Description: For high bandwidth-delay products, like satellite links, you may need to increase window size over 64K. Modify the following registry entry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts (REG_DWORD) to 1 to enable window sizes of greater than 65,535. After you do this, you can modify TCPWindowSize to values up to 1GB.

Parameter: MaxHashTableSize
Description: This value determines the size of the hash table holding the state of TCP connections. Default value is 128 * (number of processors)². When a large concurrent connection load is expected on the system, set the following registry entry to a higher value: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxHashTableSize (REG_DWORD). The maximum value is 0x10000 (65,536).

Parameter: MaxUserPort
Description: A port is used whenever an active connection is used from a computer. Given the default value of available user mode ports (5,000 for each IP address) and TCP time-wait requirements, it may be necessary to make more ports available on the system. You can set the following registry entry to as high as 0xfffe (65534): HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort

Table 4-4: TCP Performance Parameters
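The limits in Table 4-4 depend on one another: a TcpWindowSize above 65,535 only makes sense once Tcp1323Opts enables window scaling. The following is an added example, not code from the book, that checks a proposed set of values against the table before rendering them as .reg text. The function names `validate` and `render_reg` and the sample proposal are this example's own; the 5,000 floor for MaxUserPort is taken from the table's stated default.

```python
# Added example (not from the book): check proposed Tcpip\Parameters values
# against the limits stated in Table 4-4 before they are written anywhere.

TCPIP_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters"

MAX_UNSCALED_WINDOW = 65535      # TcpWindowSize ceiling without window scaling
MAX_SCALED_WINDOW = 1 << 30      # "up to 1GB" once Tcp1323Opts enables scaling
DEFAULT_USER_PORT = 5000         # default user-mode port ceiling per the table
MAX_USER_PORT = 0xFFFE           # 65534
MAX_HASH_TABLE_SIZE = 0x10000    # 65536

KNOWN_VALUES = ("TcpWindowSize", "Tcp1323Opts", "MaxHashTableSize", "MaxUserPort")


def validate(settings):
    """Return a list of problems; an empty list means the proposal fits the table."""
    problems = []
    for name, value in settings.items():
        if name not in KNOWN_VALUES:
            problems.append(f"{name}: not one of the values covered by Table 4-4")
        elif not isinstance(value, int) or not 0 <= value <= 0xFFFFFFFF:
            problems.append(f"{name}: {value!r} does not fit in a REG_DWORD")
    if problems:
        return problems

    # Bit 0 of Tcp1323Opts turns on window scaling (1 is the value the table gives).
    scaling = bool(settings.get("Tcp1323Opts", 0) & 1)
    window = settings.get("TcpWindowSize")
    if window is not None:
        if window < 1:
            problems.append("TcpWindowSize: must be at least 1 byte")
        elif window > MAX_SCALED_WINDOW:
            problems.append("TcpWindowSize: above the 1 GB ceiling")
        elif window > MAX_UNSCALED_WINDOW and not scaling:
            problems.append("TcpWindowSize: values above 65535 need Tcp1323Opts=1")

    ports = settings.get("MaxUserPort")
    if ports is not None:
        if ports > MAX_USER_PORT:
            problems.append("MaxUserPort: maximum is 0xfffe (65534)")
        elif ports < DEFAULT_USER_PORT:
            problems.append("MaxUserPort: below the default of 5000, no ports gained")

    table = settings.get("MaxHashTableSize")
    if table is not None and table > MAX_HASH_TABLE_SIZE:
        problems.append("MaxHashTableSize: maximum is 0x10000 (65536)")
    return problems


def render_reg(settings):
    """Render a validated proposal as .reg text; refuse anything that fails validate()."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["Windows Registry Editor Version 5.00", "", f"[{TCPIP_KEY}]"]
    lines += [f'"{name}"=dword:{settings[name]:08x}' for name in sorted(settings)]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Constructed proposal for a high bandwidth-delay link.
    proposal = {"Tcp1323Opts": 1, "TcpWindowSize": 262144, "MaxUserPort": 0xFFFE}
    print(render_reg(proposal))
```

Review the rendered text and record the previous values before importing it, so the change can be rolled back if throughput or connection behaviour gets worse.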

4.7 Monitor file and print servers

The following section will outline some of the key parameters to utilize, specifically when fine-tuning performance on file and print servers under Server 2003.

Parameter: PagedPoolSize
Description: HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\ (REG_DWORD) File cache space and paged pool space share a common area in system virtual address. Limiting the paged pool allows for a larger system cache, which causes more content to be cached and allows faster serving of files.

Parameter: NtfsDisable8dot3NameCreation
Description: HKLM\System\CurrentControlSet\Control\FileSystem\ (REG_DWORD) Default is 0. This parameter determines whether NTFS generates a short name in the 8.3 (DOS) naming convention for long file names and for file names that contain characters from the extended character set. If the value of this entry is 0, files can potentially have two names: the name that the user specifies and the short name that NTFS generates. If the name the user specifies conforms to the 8.3 naming convention, NTFS does not generate a short name. Changing this value does not change the contents of a file, but it avoids the short-name attribute creation for the file, also changing the way NTFS displays and manages the file.

Parameter: Disablelastaccess
Description: HKLM\System\CurrentControlSet\Control\FileSystem\ (REG_DWORD) By default, this registry key is not created. If you have an NTFS volume with a high number of folders or files, and a program is running that briefly accesses each of these in turn, the I/O bandwidth used to generate the Last Access Time updates can be a significant percentage of the overall I/O bandwidth. To increase the speed of access to a folder or file, you can set disablelastaccess to disable updating the Last Access Time. After you use this command and restart the computer, the Last Access Time is no longer updated. If you create a new file, the Last Access Time remains the same as the File Creation Time.

Parameter: NumTcbTablePartitions
Description: HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\ (REG_DWORD) By default this key is not created. This parameter controls the number of TCB table partitions. The TCB table can be partitioned to improve scalability on multiprocessor systems by reducing contention on the TCB table.

Parameter: TcpAckFrequency
Description: Note: TcpAckFrequency applies only to Windows Server 2003. The recommended setting for TcpAckFrequency is between one-third and one-half of TcpWindowSize.
For Gigabit cards: HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\Interfaces For each Gigabit adapter, add: TcpAckFrequency (REG_DWORD) = 13 (decimal) By default this entry is not in the registry. If only acking data and not any control packets, ack once every 13 packets, instead of the default of two. This helps reduce packet processing costs for the Network Stack, in the case of large writes (uploads) from the client into the server.
For FastEthernet cards: HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\Interfaces For each FastEthernet adapter, add: TcpAckFrequency (REG_DWORD) = 5 (decimal) By default this entry is not in the registry. If only acking data and not any control packets, ack once every five packets, instead of the default of two. This helps reduce packet processing costs for the Network Stack, in the case of large writes (uploads) from the client into the server.

Table 4-5: File Server Parameters

4.8 Monitor & optimize a server environment for application performance

Before you can optimize your system, you will need to monitor all the critical subsystems, such as memory, processor, disk, and network, to see if anything needs to be changed or upgraded on your system. Server 2003 comes with two tools: System Monitor and Performance Logs and Alerts. These can be found in the Performance console, under Administrative Tools in Control Panel. These system tools will allow you to create a baseline, identify system bottlenecks, and determine trends.

A baseline is a snapshot of how your system is performing. It is a good idea to take a baseline report at the same time every day for a set period of time. This will allow you to get a real feel for how your system is reacting to different requests.

A bottleneck is a system resource that is causing slowdowns because of inefficient performance. By setting counters (which we will review a little later in this chapter), you will be able to ascertain which, if any, of your systems may be causing degraded performance.

Determining trends, on the other hand, is a proactive approach to optimization. Determining trends allows you to predict what upgrades your system may need in the future so that you can plan accordingly. If you monitor your system on a regular basis, you may notice that your page file usage is increasing slowly but steadily. This will indicate that you will need to upgrade the amount of RAM in your system in the future.

Memory Performance

There was a running joke among IT Professionals using Windows NT. The solution to every performance problem is “Add RAM”. Just like NT, Windows 2003 loves RAM. The more RAM available to the system, the less paging (use of virtual memory) has to occur. No matter how fast your hard drive’s performance, it is still going to be substantially slower (up to 1,000 times slower) than RAM. Some counters that you will want to use to monitor memory usage are:

● Memory>Available Mbytes: The amount of physical memory available to run processes – the more, the better!
● Memory>Pages/Sec: The number of times the requested information had to be retrieved from the page file on the hard disk – optimal performance should be around 4.
● Paging File>% Usage: Indicates how much of the page file is currently being used – the lower, the better!

Processor Performance

Unless you are running processor intensive programs, the odds are that your processor is not the cause of your bottleneck. However, you will want to monitor the processor to make sure that it is running efficiently. The counters you may wish to monitor are:

● Processor>%Processor Time: The amount of time the processor spends responding to system requests. Optimally, this will not be above 80%. Otherwise, you may want to upgrade your processor, or, if your system supports it, add another processor.
● Processor>Interrupts/Sec: Shows the number of hardware interrupts the processor receives each second. Lower is better.

Disk Performance

Disk access can be improved by using faster disks and faster disk controllers. As mentioned earlier in the book, using disk striping and volume striping will also improve I/O performance. Adding another disk controller will help with load balancing as well. Keep in mind that paging also takes place on the hard disk, so adding RAM may also help performance in this area. There are two important counters for disk performance:

● PhysicalDisk>%Disk Time: The amount of time that the disk is busy processing read and write requests. It is preferable that this counter be below 90%.
● PhysicalDisk>Current Disk Queue Length: Indicates the number of disk requests waiting to be processed. You do not want this value above 2.

Network Performance

You can optimize performance on the network card by monitoring the traffic generated on your NIC and by monitoring the network protocols you are using. Two counters that are useful for monitoring the network are:

● Network Interface>Bytes Total/Sec: Measures the total number of bytes sent and received by the NIC. This includes traffic from all protocols.
● TCP>Segments/Sec: Measures the number of bytes that are sent or received by the NIC by the TCP protocol only.

To optimize network traffic, use only the network protocols you need. There is no need to install NetBEUI, for example, if you never need to use it. If you do use multiple protocols, place the most commonly used protocols at the top of the binding order. Use faster network cards, and ones that take full advantage of the bus width.

Application Performance

The benefit of any Windows operating system is that you can operate a number of applications at the same time. By default, the foreground application (active window) is given a higher priority than any background application. The Performance Options dialog box, Advanced Tab, through the System Icon, will allow you to configure your system so that performance is optimized for either the background applications or for the foreground applications. (By default, the Programs radio button is selected, to give priority to foreground applications.)

4.9 Manage a Web server

4.9.1 Manage Internet Information Services (IIS)

Internet Information Services 6.0 is a book unto itself. What this section will do is try to give you a brief overview of what IIS 6.0 is, and what it can do for your organization. There are essentially five major areas for IIS administration. They are:

● Web Site Administration
● FTP Site Administration
● NNTP Site Administration
● SMTP Site Administration
● Application Administration

For purposes of this chapter, we will be focusing solely on web site administration.

About Web Site Administration

Quite frequently, Web Site Administration becomes an exercise in troubleshooting. A server goes down and users must be redirected. A new job listing has to be posted onto the site. How smoothly these challenges are overcome is directly related to your ability to control your web site.

Getting Started

The very first thing you should do when setting up your web site is to decide which directories have the documents or information that your company wants published up on the “web”. Organize your documents into a well-structured directory system and then use IIS to identify these directories as part of your site. The Web Server will only publish documents contained within these directories. If the site is small and all of your files are on the same physical hard drive as IIS, you can simply copy your documents into the default home directory (localdrive:\Inetpub\Wwwroot). Users can access these files on the Intranet by using the following URL: http://servername/filename.

Figure 4-64: IIS Default Installation

Home Directories

Every web site must have a home directory, the central location for all pages being published on your site. The home directory is the central location for your published pages. The home directory will have the default page or index file that contains the links to other pages on your site and is mapped to your site's domain name or server name.

Figure 4-65: Properties: Home Directory

Virtual Directories

However, in most cases, you are not going to want to have every document on your site contained within your home directory. To be able to publish pages from any directory that is not contained in the home directory, you will need to use virtual directories. A virtual directory appears to be a subdirectory of your home directory to all users, but it can really reside anywhere. This is done through the use of aliases. An alias is the name that the web browsers use to access that directory. It is more secure because users do not know where your files are physically located on the server. It also makes it simpler to move directories within the site, for the very reason that you do not need to change the URL. You simply need to change the mapping between the alias and the physical location of the directory.

Figure 4-66: New Virtual Directory

Reroute Requests with Redirects

When you move homes, one of the first things you have to remember to do is to notify the post office of your new address. By doing this, the post office will forward any mail addressed to you from your old address to your new address. Redirects are the same thing in the web site world. When you move a page on the web site, you want to make sure that browsers can still find the page. By using the process called “redirecting a browser request” or “redirecting a URL”, the web server will provide the browser with an updated URL, so that a new request can be made. When you are modifying your web site, redirects can be indispensable in terms of time and accuracy. Even if you rename a virtual directory, a redirect can ensure that the links that pointed to the original name still access the files in the newly named directory.

Figure 4-67: Redirection

4.9.2 Manage security for IIS

There are major risks to the security of your website. The first risk is the one of which we are all aware – malicious individuals. The second is the one of which we rarely think – well-intentioned users who accidentally alter files without knowing what they have done. Appropriate safeguards on your Web server, tied in with the basic security features of Server 2003, can reduce, or even eliminate, the danger from both of these risks.

IIS Installed Locked Down

One of the greatest innovations to come about with IIS 6.0 is also one of the simplest. IIS is installed in a fully locked-down mode. This allows only the necessary services to be enabled, and lowers the risk from intruders from the minute of installation. Request-handling for static Web pages is enabled. All other request-handling features are disabled. Additional services must be enabled by the administrator.

Authentication

IIS supports seven methods of authentication.

● Anonymous authentication allows anyone access without requesting a user name or password.
● Basic authentication requests a username and password, which are sent in plain text unencrypted over the network.
● Digest authentication requests a username and password. Passwords are sent as a hash value. Digest authentication is available only on domains with a Windows domain controller.
● Advanced Digest authentication improves on the security of Digest authentication, by storing the client credentials as an MD5 hash in the AD Directory Service on the Server 2003 domain controller.
● Integrated Windows authentication uses hashing technology to identify users without actually sending passwords over the network.
● Certificates are digital credentials that can be used to establish a Secure Sockets Layer (SSL) connection. They can also be used for authentication.
● .NET Passport uses the already-existing Microsoft .NET passport to verify the user’s identity. You will frequently see this type of authentication when accessing secure sites on the Microsoft web site.
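The difference between Basic and Digest authentication in the list above is easiest to see in the header values themselves. The following is an added example, not code from the book or from IIS: it shows that a Basic header is only Base64 and yields the password directly, and how a server holding just the stored MD5 hash of the credentials can check a Digest response as defined in RFC 2617. The function names are this example's own, and the sample header values are the illustrations used in RFC 2617.

```python
# Added example (not from the book): what Basic and Digest authentication
# actually put on the wire, using the sample values from RFC 2617.
import base64
import hashlib
import hmac


def decode_basic(header_value):
    """Recover (username, password) from a Basic Authorization header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' between username and password")
    return username, password


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """The hash a Digest server can store instead of the clear-text password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(stored_ha1, method, fields):
    """Compute the RFC 2617 'response' value from the stored hash and request fields."""
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    if fields.get("qop"):
        parts = [stored_ha1, fields["nonce"], fields["nc"],
                 fields["cnonce"], fields["qop"], ha2]
    else:
        parts = [stored_ha1, fields["nonce"], ha2]
    return md5_hex(":".join(parts))


def verify_digest(stored_ha1, method, fields):
    """Server-side check: the password itself never crosses the network."""
    expected = digest_response(stored_ha1, method, fields)
    return hmac.compare_digest(expected, fields.get("response", ""))


# Sample values taken from the examples in RFC 2617.
BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
DIGEST_FIELDS = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "uri": "/dir/index.html",
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print("Basic header decodes to:", decode_basic(BASIC_HEADER))
    stored = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print("Digest response verifies:", verify_digest(stored, "GET", DIGEST_FIELDS))
```

Because the Basic header decodes with no key at all, Basic authentication should only be enabled on sites that also require SSL.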

Figure 4-68: Authentication

Access Control

IIS takes advantage of Server 2003 NTFS permissions to allow the administrator to restrict write access to individuals who have the appropriate assigned permissions. Any individual can view the web site, but only those who have been assigned the appropriate permissions can alter content.

Certificates

Certificates are digital identification documents that allow both clients and servers to authenticate each other. They are required for both the server and client's browser in order that an SSL connection can be set up, so that encrypted information can be dispatched. IIS has certificate-based SSL features that consist of a server certificate, a client certificate, and digital keys. These certificates can be created for internal use only with Microsoft Certificate Server. You can also obtain certificates from an external certificate authority, for external use.

What is a server certificate? It contains very detailed identification information, as well as a public key. Essentially, it is a way for any user visiting your site to confirm its identity and be assured of the integrity of the secure connection. As well, the web server can optionally authenticate users by checking the contents of their client certificates. Again, it contains detailed information meant to identify the user and the issuing organization, and a public key that is used in establishing a secure connection.

Figure 4-69: Certificates

Encryption

IIS 6.0 uses certificate key pairs (SSL 3.0) to establish a secure encrypted connection. The key pair consists of a public key and a private key. During the exchange of information a session key (or encryption key) is created, which is used by both the web server and the client browser. The degree of strength of the encryption is measured in bits, with more bits comprising a higher level of security. IIS can go up to 128 bit encryption – however, utilizing this level of encryption depends on the laws of the country in which the server resides. In North America, 128 bit security is allowed.

Server-Gated Cryptography

Server-Gated Cryptography (SGC) is the solution for worldwide secure financial transactions. It uses 128-bit encryption, the highest commercial encryption presently available, to allow financial institutions to provide highly secure connections for their clients. What is unique about SGC is that it does not require any application to run on the client's browser. While it can be used by any standard of IIS (versions 4.0 and later), a special certificate is required to use SGC.

Auditing

Using the standard Server 2003 utilities, you are able to use auditing techniques to monitor a wide range of user and web server security activity. It is strongly recommended that the web server is regularly audited to monitor for hacking, unauthorized access or tampering. As well, you can use ASP applications to create your own customized auditing logs.

Chapter 4: Review Questions

1. What steps do you need to take after installing DHCP to ensure that it will provide users with IP addresses in your network?
A. Configure a scope
B. Slate a scope
C. Start the DHCP service
D. Authorize the DHCP server
E. Change the IP address of the DHCP server to a dynamic one

2. You configure a scope for your newly installed DHCP service. Users are complaining that they aren't receiving IP addresses from the DHCP server. What should you do?
A. Reinstall the DHCP service
B. Authorize the DHCP server
C. Install WINS
D. Install RRAS

3. You have Terminal Services running on the 2003 Server. You need to install the Windows Terminal Services, Remote Desktop Connection client from a Windows 2003 Server. What steps do you need to take?
A. Share the Client Setup Folder.
B. Share the Server Setup Folder.
C. Install the 32-Bit Terminal Services Client
D. Install the 16-Bit Terminal Services Client

4. You have a need to use Terminal Services and subsequently you need to reactivate a License Server. What steps should you take to do this?
A. In the console tree, double-click the license server that you want to reactivate, point to Advanced, and then click Reissue Server.
B. Open the Licensing Terminal Services window.
C. In the console tree, right-click the license server that you want to reactivate, point to Advanced, and then click Reactivate Server.
D. After the Licensing Wizard starts, confirm that your name, your phone number (optional), and your e-mail address that are listed under Information Needed are correct, and then click Next.

5. Multiple processors can help in which of the following situations?
A. When the present processor is handling the load
B. When using a single-threaded application
C. When the present processor is overloaded
D. When using a multi-threaded application

6. Which of the following counters measure the number of threads waiting on the processor?
A. Server Work Queues: Queue Length
B. Server Work Queues: % Processor Time
C. System: Processor Queue Length
D. System: % Threads

7. You probably need to upgrade your RAM if System Monitor indicates which of the following?
A. Average Pages/Sec 27.322
B. Avg. Disk sec/Transfer is 3.132
C. Average % Processor Time is 87%
D. Network Interface: Bytes Total/sec is 241.322
E. Avg. Mem sec/Transfer is 425.2

8. You probably need to upgrade your processor if System Monitor indicates which of the following?
A. Average Pages/Sec 27.322
B. Avg. Disk sec/Transfer is 3.132
C. Average % Processor Time is 87%
D. Network Interface: Bytes Total/sec is 241.322
E. Avg. Mem sec/Transfer is 425.2

9. You probably need to upgrade your processor if System Monitor indicates which of the following?
A. Average % Processor Time is 87%
B. Avg. Disk sec/Transfer is 3.132
C. Average Pages/Sec 27.322
D. Network Interface: Bytes Total/sec is 241.322
E. Avg. Mem sec/Transfer is 425.2

10. You probably need to upgrade your RAM if System Monitor indicates which of the following?
A. Avg. Mem sec/Transfer is 425.2
B. Avg. Disk sec/Transfer is 3.132
C. Average % Processor Time is 87%
D. Network Interface: Bytes Total/sec is 241.322
E. Average Pages/Sec 27.322

11. Ideally, where should a paging file be placed in a Windows environment where the server operating system is located on the master hard drive (C:)?
A. On C:\Windows
B. On D: (a separate hard drive)
C. On E: (the CD-ROM drive)
D. Anywhere on C:

12. You are setting up a new server, and you unsuccessfully attempt to use the PING utility to contact other servers in the domain. What should you check?
A. Check to see if BIND is being used
B. Check to see if your default gateway is correct
C. Check to see if your subnet mask matches theirs
D. Check to see if WINS is being used.

13. How can you see resources used by a device in Windows 2003?
A. Go to the Start Menu button, and choose the Run option. Type in WINMSD.EXE and click OK.
B. Go to the Start Menu button, then to All Programs, Accessories, System Tools, and System Information.
C. Right-click the My Computer option and select properties. Select the Hardware tab and choose Device Manager.
D. Right-click the My Network Places option and select properties. Select the Hardware tab and choose Device Manager.

14. If you don't have the money to add more RAM and you are using Windows 2003, what are some other options for addressing out of memory messages?
A. Decrease the temporary file size in your applications
B. Increase the temporary file size in your applications
C. Increase the paging file size
D. Decrease the paging file size

15. Which of the following methods of authentication are available in IIS 6.0 for 2003 Server?
A. Integrated Windows authentication
B. Digest authentication
C. Dual authentication
D. Microsoft .NET Passport authentication

16. How would you configure IIS to use Microsoft .NET Passport authentication?
A. In IIS Manager, expand Server_name, where Server_name is the name of the server, and then expand Web Sites.
B. In the console tree, right-click the Web site, virtual directory, or file for which you want to configure authentication, and then click Properties. Click the Directory Security or File Security tab (as appropriate), and then under Anonymous and access control, click Edit.
C. Click to select the check box next to the Microsoft .NET Passport authentication method.
D. In the console tree, double-click the Web site, virtual directory, or file for which you want to configure authentication, and then click Properties. Click the Directory Security or File Security tab (as appropriate), and then under Anonymous and access control, click Open.

Chapter 4: Review Answers

1. What steps do you need to take after installing DHCP to ensure that it will provide users with IP addresses in your network?
*A. Configure a scope
B. Slate a scope
*C. Start the DHCP service
*D. Authorize the DHCP server
E. Change the IP address of the DHCP server to a dynamic one

Explanation: After installing DHCP, the service must be configured and authorized. When you install and configure DHCP on a domain controller, the server is typically authorized when you add it to the DHCP console. When you install and configure the DHCP service on a member server or stand-alone server, it must be authorized.

2. You configure a scope for your newly installed DHCP service. Users are complaining that they aren't receiving IP addresses from the DHCP server. What should you do?
A. Reinstall the DHCP service
*B. Authorize the DHCP server
C. Install WINS
D. Install RRAS

Explanation: To authorize a DHCP server, click Start, click Programs, click Administrative Tools, and then click DHCP. Select the new DHCP server. If there is a red arrow in the lower-right corner of the server object, the server has not yet been authorized. Right-click the server, and then click Authorize. After a few moments, right-click the server again, and then click Refresh. There should be a green arrow in the lower-right corner to indicate that the server has been authorized.

3. You have Terminal Services running on the 2003 Server. You need to install the Windows Terminal Services, Remote Desktop Connection client from a Windows 2003 Server. What steps do you need to take?
*A. Share the Client Setup Folder.
B. Share the Server Setup Folder.
*C. Install the 32-Bit Terminal Services Client
D. Install the 16-Bit Terminal Services Client

Explanation: First, you need to share the Client Setup Folder. On the Windows 2003 Server computer that is running Terminal Services, open Windows Explorer, and then locate the following folder: drive:\systemroot\System32\Clients\Tsclient\Win32 where drive is the drive that Windows is installed on and systemroot is the folder that contains the Windows installation files. Right-click the Win32 folder, and then click Sharing and Security. In the win32 Properties dialog box, click Share this folder, and then click OK. Next, you will need to install the 32-Bit Terminal Services Client. On the client computer, connect to the shared client installation folder on the server that is running Terminal Services. Click Start, and then click Run. In the Open box, type \\computername\Tsclient\Win32\Setup.exe, where computername is the computer name of the Windows 2003 Server-based computer with the installation shared folder. Click OK. Install the client following the on-screen instructions.

4. You have a need to use Terminal Services and subsequently you need to reactivate a License Server. What steps should you take to do this?
A. In the console tree, double-click the license server that you want to reactivate, point to Advanced, and then click Reissue Server.
*B. Open the Licensing Terminal Services window.
*C. In the console tree, right-click the license server that you want to reactivate, point to Advanced, and then click Reactivate Server.
*D. After the Licensing Wizard starts, confirm that your name, your phone number (optional), and your e-mail address that are listed under Information Needed are correct, and then click Next.

Explanation: To reactivate a License Server, open the Licensing Terminal Services window. In the console tree, right-click the license server that you want to reactivate, point to Advanced, and then click Reactivate Server. After the Licensing Wizard starts, confirm that your name, your phone number (optional), and your e-mail address that are listed under Information Needed are correct, and then click Next.

5. Multiple processors can help in which of the following situations?
A. When the present processor is handling the load
B. When using a single-threaded application
*C. When the present processor is overloaded
*D. When using a multi-threaded application

Explanation: Multiple processors can help when using a multi-threaded application or when the present processor is overloaded.

6. Which of the following counters measure the number of threads waiting on the processor?
*A. Server Work Queues: Queue Length
B. Server Work Queues: % Processor Time
*C. System: Processor Queue Length
D. System: % Threads

Explanation: The Server Work Queues: Queue Length and the System: Processor Queue Length counters measure the number of threads waiting on the processor.

7. You probably need to upgrade your RAM if System Monitor indicates which of the following?
*A. Average Pages/Sec 27.322
B. Avg. Disk sec/Transfer is 3.132
C. Average % Processor Time is 87%
D. Network Interface: Bytes Total/sec is 241.322
E. Avg. Mem sec/Transfer is 425.2

Explanation: An Avg. Disk sec/Transfer of 3.132 would indicate that the hard drive needs to be replaced, since it should be much lower, not even 1.0. An Average % Processor Time of 87% would indicate a need for a processor upgrade. If Average Pages/Sec is 27.322, then more RAM is needed, since the average should be more like 15 or less. Network Interface: Bytes Total/sec of 241.322 is within the normal parameters for a NIC card.

8. You probably need to upgrade your processor if System Monitor indicates which of the following?
A. Average Pages/Sec 27.322
B. Avg. Disk sec/Transfer is 3.132
*C. Average % Processor Time is 87%
D. Network Interface: Bytes Total/sec is 241.322
E. Avg. Mem sec/Transfer is 425.2

Explanation: An Avg. Disk sec/Transfer of 3.132 would indicate that the hard drive needs to be replaced, since it should be much lower, not even 1.0. An Average % Processor Time of 87% would indicate a need for a processor upgrade. If Average Pages/Sec is 27.322, then more RAM is needed, since the average should be more like 15 or less. Network Interface: Bytes Total/sec of 241.322 is within the normal parameters for a NIC card.

9. You probably need to upgrade your processor if System Monitor indicates which of the following?
*A. Average % Processor Time is 87%
B. Avg. Disk sec/Transfer is 3.132
C. Average Pages/Sec 27.322
D. Network Interface: Bytes Total/sec is 241.322
E. Avg. Mem sec/Transfer is 425.2

Explanation: An Avg. Disk sec/Transfer of 3.132 would indicate that the hard drive needs to be replaced, since it should be much lower, not even 1.0. An Average % Processor Time of 87% would indicate a need for a processor upgrade. If Average Pages/Sec is 27.322, then more RAM is needed, since the average should be more like 15 or less. Network Interface: Bytes Total/sec of 241.322 is within the normal parameters for a NIC card.

10. You probably need to upgrade your RAM if System Monitor indicates which of the following?
A. Avg. Mem sec/Transfer is 425.2
B. Avg. Disk sec/Transfer is 3.132
C. Average % Processor Time is 87%
D. Network Interface: Bytes Total/sec is 241.322
*E. Average Pages/Sec 27.322

Explanation: An Avg. Disk sec/Transfer of 3.132 would indicate that the hard drive needs to be replaced, since it should be much lower, not even 1.0. An Average % Processor Time of 87% would indicate a need for a processor upgrade. If Average Pages/Sec is 27.322, then more RAM is needed, since the average should be more like 15 or less. Network Interface: Bytes Total/sec of 241.322 is within the normal parameters for a NIC card.

11. Ideally, where should a paging file be placed in a Windows environment where the server operating system is located on the master hard drive (C:)?
A. On C:\Windows
*B. On D: (a separate hard drive)
C. On E: (the CD-ROM drive)
D. Anywhere on C:

Explanation: Ideally, a paging file should be placed on a separate hard drive from where the server operating system is located (in this example on D:).

12. You are setting up a new server, and you unsuccessfully attempt to use the PING utility to contact other servers in the domain. What should you check?
A. Check to see if BIND is being used
*B. Check to see if your default gateway is correct
*C. Check to see if your subnet mask matches theirs
D. Check to see if WINS is being used.

Explanation: You are setting up a new server, and you unsuccessfully attempt to use the PING utility to contact other servers in the domain. Check to see if your subnet mask matches theirs and if your default gateway is correct. BIND (UNIX's answer to DNS) and WINS have nothing to do with pinging an IP address.

13. How can you see resources used by a device in Windows 2003?
*A. Go to the Start Menu button, and choose the Run option. Type in WINMSD.EXE and click OK.
*B. Go to the Start Menu button, then to All Programs, Accessories, System Tools, and System Information.
*C. Right-click the My Computer option and select properties. Select the Hardware tab and choose Device Manager.
D. Right-click the My Network Places option and select properties. Select the Hardware tab and choose Device Manager.

Explanation: If you want to view resources used by a device in Windows 2003, use System Information or Device Manager. To access System Information, use one of the following methods: go to the Start Menu button, and choose the Run option, type in WINMSD.EXE and click OK or you can go to the Start Menu button, then to All Programs, Accessories, System Tools, and System Information. To access Device Manager, right-click the My Computer option and select properties. Select the Hardware tab and choose Device Manager.

14. If you don't have the money to add more RAM and you are using Windows 2003, what are some other options for addressing out of memory messages?
A. Decrease the temporary file size in your applications
*B. Increase the temporary file size in your applications
*C. Increase the paging file size
D. Decrease the paging file size

Explanation: If you don't have the money to add more RAM and you are using Windows 2003, you can address out of memory messages by either increasing the paging file size (do this with the Advanced tab in the System applet in Control Panel) or increasing the temporary file size in your applications.

15. Which of the following methods of authentication are available in IIS 6.0 for 2003 Server?
*A. Integrated Windows authentication
*B. Digest authentication
*C. Dual authentication
D. Microsoft .NET Passport authentication

Explanation: To configure authentication in IIS, start IIS Manager or open the IIS snap-in. Expand Server_name, where Server_name is the name of the server, and then expand Web Sites. In the console tree, right-click the Web site, virtual directory, or file for which you want to configure authentication, and then click Properties. Click the Directory Security or File Security tab (as appropriate), and then under Anonymous and access control, click Edit. Click to select the check box next to the authentication method or methods that you want to use, and then click OK. The authentication methods that are set by default are Anonymous access and Integrated Windows authentication.

When anonymous access is turned on, no authenticated user credentials are required to access the site. This option is best used when you want to grant public access to information that requires no security. When a user tries to connect to your Web site, IIS assigns the connection to the IUSR_ComputerName account, where ComputerName is the name of the server on which IIS is running. By default, the IUSR_ComputerName account is a member of the Guests group. This group has security restrictions, imposed by NTFS file system permissions that designate the level of access and the type of content that is available to public users. To edit the Windows account used for anonymous access, click Browse in the Anonymous access box.

Integrated Windows authentication (this used to be NTLM or Windows NT Challenge/Response authentication) sends user authentication information over the network as a Kerberos ticket, and provides a high level of security. Windows Integrated authentication uses Kerberos version 5 and NTLM authentication. To use this method, clients must use Microsoft Internet Explorer 2.0 or later. Additionally, Windows Integrated authentication is not supported over HTTP proxy connections. This option is best used for an intranet, where both the user and Web server computers are in the same domain, and administrators can make sure that every user is using Internet Explorer 2.0 or later.

Digest authentication requires a user ID and password, provides a medium level of security, and may be used when you want to grant access to secure information from public networks. This method offers the same functionality as basic authentication. However, this method transmits user credentials across the network as an MD5 hash, or message digest, in which the original user name and password cannot be deciphered from the hash. To use this method, clients must use Microsoft Internet Explorer 5.0 or later, and the Web clients and Web servers must be members of, or be trusted by, the same domain. If you turn on digest authentication, type the realm name in the Realm box.

Basic authentication requires a user ID and password, and provides a low level of security. User credentials are sent in clear text across the network. This format provides a low level of security because the password can be read by almost all protocol analyzers. However, it is compatible with the widest number of Web clients. This option is best used when you want to grant access to information with little or no need for privacy. If you turn on basic authentication, type the domain name that you want to use in the Default domain box. You can also optionally enter a value in the Realm box.

Microsoft .NET Passport authentication provides single sign-in security, which provides users with access to diverse services on the Internet. When you select this option, requests to IIS must contain valid .NET Passport credentials on either the query string or in the cookie. If IIS does not detect .NET Passport credentials, requests are redirected to the .NET Passport logon page.

You can also limit access based on source IP address, source network ID, or source domain name.

16. How would you configure IIS to use Microsoft .NET Passport authentication?
*A. In IIS Manager, expand Server_name, where Server_name is the name of the server, and then expand Web Sites.
*B. In the console tree, right-click the Web site, virtual directory, or file for which you want to configure authentication, and then click Properties. Click the Directory Security or File Security tab (as appropriate), and then under Anonymous and access control, click Edit.
*C. Click to select the check box next to the Microsoft .NET Passport authentication method.
D. In the console tree, double-click the Web site, virtual directory, or file for which you want to configure authentication, and then click Properties. Click the Directory Security or File Security tab (as appropriate), and then under Anonymous and access control, click Open.

Explanation: To configure authentication in IIS, start IIS Manager or open the IIS snap-in. Expand Server_name, where Server_name is the name of the server, and then expand Web Sites. In the console tree, right-click the Web site, virtual directory, or file for which you want to configure authentication, and then click Properties. Click the Directory Security or File Security tab (as appropriate), and then under Anonymous and access control, click Edit. Click to select the check box next to the authentication method or methods that you want to use, and then click OK. The authentication methods that are set by default are Anonymous access and Integrated Windows authentication.

When anonymous access is turned on, no authenticated user credentials are required to access the site. This option is best used when you want to grant public access to information that requires no security. When a user tries to connect to your Web site, IIS assigns the connection to the IUSR_ComputerName account, where ComputerName is the name of the server on which IIS is running. By default, the IUSR_ComputerName account is a member of the Guests group. This group has security restrictions, imposed by NTFS file system permissions that designate the level of access and the type of content that is available to public users. To edit the Windows account used for anonymous access, click Browse in the Anonymous access box.

Integrated Windows authentication (this used to be NTLM or Windows NT Challenge/Response authentication) sends user authentication information over the network as a Kerberos ticket, and provides a high level of security. Windows Integrated authentication uses Kerberos version 5 and NTLM authentication. To use this method, clients must use Microsoft Internet Explorer 2.0 or later. Additionally, Windows Integrated authentication is not supported over HTTP proxy connections. This option is best used for an intranet, where both the user and Web server computers are in the same domain, and administrators can make sure that every user is using Internet Explorer 2.0 or later.

Digest authentication requires a user ID and password, provides a medium level of security, and may be used when you want to grant access to secure information from public networks. This method offers the same functionality as basic authentication. However, this method transmits user credentials across the network as an MD5 hash, or message digest, in which the original user name and password cannot be deciphered from the hash. To use this method, clients must use Microsoft Internet Explorer 5.0 or later, and the Web clients and Web servers must be members of, or be trusted by, the same domain. If you turn on digest authentication, type the realm name in the Realm box.

Basic authentication requires a user ID and password, and provides a low level of security. User credentials are sent in clear text across the network. This format provides a low level of security because almost all protocol analyzers can read the password. However, it is compatible with the widest number of Web clients. This option is best used when you want to grant access to information with little or no need for privacy. If you turn on basic authentication, type the domain name that you want to use in the Default domain box. You can also optionally enter a value in the Realm box.

Microsoft .NET Passport authentication provides single sign-in security, which provides users with access to diverse services on the Internet. When you select this option, requests to IIS must contain valid .NET Passport credentials on either the query string or in the cookie. If IIS does not detect .NET Passport credentials, requests are redirected to the .NET Passport logon page.

You can also limit access based on source IP address, source network ID, or source domain name.
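The difference between Basic and Digest described in the explanations to questions 15 and 16, as an added Python example (not from the book): it shows what a protocol analyzer recovers from a Basic header and what a Digest exchange puts on the wire instead. The user name, realm, password and nonce values are the worked example from RFC 2617 section 3.5; the function names are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac

# Values from the worked example in RFC 2617, section 3.5 (not from this book).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE, NC, QOP = "0a4f113b", "00000001", "auth"
METHOD, URI = "GET", "/dir/index.html"


def basic_header(user, password):
    """Build the Authorization header value a browser sends for Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def read_basic_header(value):
    """What a protocol analyzer does with a captured Basic header.

    Base64 is an encoding, not encryption, so no key is needed.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop):
    """Compute the Digest 'response' field (RFC 2617, qop=auth)."""
    ha1 = _md5(f"{user}:{realm}:{password}")  # contains the password, never sent
    ha2 = _md5(f"{method}:{uri}")             # binds the hash to this request
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def captured_digest_fields():
    """Fields visible on the wire for one Digest-authenticated request."""
    return {
        "username": USER, "realm": REALM, "nonce": NONCE, "uri": URI,
        "method": METHOD, "qop": QOP, "nc": NC, "cnonce": CNONCE,
        "response": digest_response(USER, REALM, PASSWORD, METHOD, URI,
                                    NONCE, NC, CNONCE, QOP),
    }


def server_accepts(fields, stored_password):
    """Server side: recompute the response and compare in constant time."""
    expected = digest_response(
        fields["username"], fields["realm"], stored_password,
        fields["method"], fields["uri"], fields["nonce"],
        fields["nc"], fields["cnonce"], fields["qop"])
    return hmac.compare_digest(expected, fields["response"])


if __name__ == "__main__":
    header = basic_header(USER, PASSWORD)
    print("Basic on the wire :", header)
    print("Decoded by anyone :", read_basic_header(header))

    fields = captured_digest_fields()
    print("Digest on the wire:", fields["response"])
    print("Password visible? :", PASSWORD in " ".join(fields.values()))
    print("Server accepts    :", server_accepts(fields, PASSWORD))

    # A captured response does not verify against a different server nonce.
    replay = dict(fields, nonce="0" * 32)
    print("Replay accepted   :", server_accepts(replay, PASSWORD))
```

The Digest response still gives anyone who captures it a value to test password guesses against offline, so both methods are normally combined with the SSL encryption covered earlier in the chapter.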

Disaster Recovery

Managing and Implementing Disaster Recovery

The objective of this chapter is to provide the reader with an understanding of the following:

5.1 Perform system recovery for a server
5.1.1 Implement Automated System Recovery (ASR)
5.1.2 Restore data from shadow copy volumes
5.1.3 Back up files and System State data to media
5.1.4 Configure security for backup operations
5.2 Manage backup procedures
5.2.1 Verify the successful completion of backup jobs
5.2.2 Manage backup storage media
5.3 Recover from server hardware failure
5.4 Restore backup data
5.5 Schedule backup jobs

Chapter 5: Disaster Recovery

Introduction: It will happen to you. Sooner or later it will happen to you. Will you be ready? The main idea behind disaster recovery is in the name – to be able to recover from a disaster. Disaster recovery allows you to be able to return the affected system to a proper working state. Some of the reasons you may need to implement a part of your disaster recovery plans may include:

● A need (or desire) to revert to a previous version of a data file
● Missing or corrupt data files
● Missing or corrupt operating system files
● The system becomes unstable after you update a device driver or add a new hardware device or install a new application
● Hardware (hard drive) failure
● Total system failure

Proper planning and a good set of tools will allow you to recover in as short a period of time as possible. You will have to provide the planning, but fortunately Windows Server 2003 provides a good set of basic tools to help you implement your plan. Careful use of these tools will allow you to recover from any of the failures mentioned above.

Getting Ready Questions

1. What is Automated System Recovery?
2. Define Shadow Copy.
3. What are the five different types of backup?
4. What is Safe Mode and when would you use it?
5. You have installed a new video driver and after logging on, you find that it is causing your system to freeze. Would the Last Known Good Configuration help you in this instance?

Getting Ready Answers

1. ASR is a tool that will help you collect information needed to repair and reconstruct your operating system and other system state files in case of a failure.
2. Shadow Copy is a feature of Windows 2003 Server that allows point-in-time, read-only copies of files that are currently stored on network shares.
3. The five different types of backup are Normal (Full), Copy, Differential, Incremental and Daily.
4. Safe Mode, entered by pressing F8, loads only the basic devices, drivers and services required to run and operate the system. You would use it when you suspect a recently installed application or driver is causing a problem.
5. No. The Last Known Good Configuration is updated each time Windows is started in normal mode and a user logs in and is authenticated. If you shut the system down without logging in, you do not overwrite the Last Known Good Configuration. However, in this instance, you have already logged on, so Last Known Good will not help you in this instance.

Introduction Continued: To make your system less prone to failures, especially for critical servers, investigate developing fault tolerant systems. A fault tolerant system is designed to continue operating even after a key component (hard drive, power supply, controller, etc.) fails. Several things you can do to make your system more fault tolerant (some of these will depend upon your hardware manufacturer and the model of systems you purchased) include:

● Adding an uninterruptible power supply (UPS) to protect the server in the event of a power failure. This will allow your server to shut down gracefully, better protecting key files and components. This is easy to add to any computer.
● Use one or more RAID arrays for your system and data file storage. This will help protect from data loss due to hard drive failure. This will not take the place of a good back-up strategy! RAID arrays can only help you recover if one physical disk is damaged. If more than one is damaged, you need to resort to plan B, your excellent set of backups!
● Use multiple hard drive controllers to provide redundancy if one fails.
● Consider multiples of everything, such as power supplies, etc. Your server hardware must be able to support these features. Investigate this with your hardware manufacturer.

Two other items that should be in your recovery toolbox are a good boot disk and the recovery console. A boot disk (or Windows Startup Disk) is useful in helping you recover a critical file on your system hard disk. If your installation isn't corrupted in some other way, the boot disk can help you recover from:

● A damaged boot sector
● A damaged master boot record
● Virus infections of the master boot record
● Missing or damaged system startup files ntldr or ntdetect.com
● A damaged mirror set

A boot disk is made by formatting a blank floppy, then copying the boot.ini file from your boot drive to the floppy. Then copy ntldr and ntdetect.com to the floppy. This disk is configuration specific, in that the boot.ini file will need to match the hard drive setup of your particular machine. You can use a disk made on another machine if you have the same configuration on both machines, or if you modify the boot.ini to properly look for the boot and system partitions on the machine that needs repair. The best way to do things is to have a separate diskette for each machine.

The recovery console is a utility you can add to your server installation that will provide several useful features and functions. What you are provided is a secure, NTFS-enabled, enhanced command prompt that you can use for operations in case you can't boot the system to safe mode. You can install it or run it from the operating system CD. You can access the recovery console from the extended startup options (pressing F8 at system boot). To install, follow these steps:

1. Insert your operating system CD while running Windows 2003 Server.
2. Close Autorun if it is turned on.
3. At a command prompt, or in the run box, type in the following command, where d:\ is the drive letter of your CD drive:
   d:\i386\winnt32 /cmdcons
   So, if your CD drive is drive h: the proper command would be
   h:\i386\winnt32 /cmdcons
4. Click yes to install the recovery console.

You can also install it from a network share.
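What "configuration specific" means for the boot disk described above, as an added Python example (not from the book): it reads a boot.ini and compares the default ARC path with the disk and partition where Windows sits on the machine to be repaired. The sample boot.ini, the two machine layouts and the function names are constructed for illustration.

```python
import re

# Constructed sample: boot.ini copied to the floppy from machine A, where
# Windows is installed on the first partition of the first disk.
FLOPPY_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /fastdetect
"""

# Constructed layouts of the machines the floppy might be used on.
MACHINE_A = {"rdisk": 0, "partition": 1, "folder": "\\WINDOWS"}
MACHINE_B = {"rdisk": 1, "partition": 2, "folder": "\\WINDOWS"}

ARC = re.compile(
    r"^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\.*)?$",
    re.IGNORECASE,
)


def parse_arc(path):
    """Split an ARC path into the disk, partition and folder it points at."""
    match = ARC.match(path.strip())
    if not match:
        raise ValueError(f"not an ARC path: {path!r}")
    kind, adapter, disk, rdisk, partition, folder = match.groups()
    return {
        "adapter": f"{kind.lower()}({adapter})",
        "disk": int(disk),
        "rdisk": int(rdisk),          # for multi(): disk ordinal, counted from 0
        "partition": int(partition),  # partition number, counted from 1
        "folder": (folder or "\\").upper(),
    }


def parse_boot_ini(text):
    """Return (default_arc_path, {arc_path: description}) from boot.ini text."""
    section, default, entries = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if section == "boot loader" and key.strip().lower() == "default":
            default = value.strip()
        elif section == "operating systems":
            entries[key.strip()] = value.strip()
    return default, entries


def check_boot_disk(boot_ini_text, target):
    """List the reasons this boot.ini would not find Windows on the target."""
    default, entries = parse_boot_ini(boot_ini_text)
    if default is None:
        return ["no default= entry in [boot loader]"]
    problems = []
    if default.lower() not in {key.lower() for key in entries}:
        problems.append("default entry is not listed under [operating systems]")
    try:
        arc = parse_arc(default)
    except ValueError as exc:
        return problems + [str(exc)]
    for field in ("rdisk", "partition"):
        if arc[field] != target[field]:
            problems.append(
                f"{field}({arc[field]}) on floppy, target needs {field}({target[field]})")
    if arc["folder"] != target["folder"].upper():
        problems.append(
            f"folder {arc['folder']} on floppy, target uses {target['folder'].upper()}")
    return problems


if __name__ == "__main__":
    for name, layout in (("machine A", MACHINE_A), ("machine B", MACHINE_B)):
        issues = check_boot_disk(FLOPPY_BOOT_INI, layout)
        print(name, "->", issues or "boot.ini matches this machine")
```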

5.1 Perform system recovery for a server

Performing a system recovery (either a partial or full recovery) for a server is a task any network administrator should be very familiar and comfortable with. Different levels of failure call for different methods of recovery. Let's look at some of the tools provided in Windows Server 2003 and their function. In a later section, we'll investigate how to use the different tools to recover from a server failure.

5.1.1 Implement Automated System Recovery (ASR)

What is Automated System Recovery (ASR)? This is a tool that will help you collect information needed to repair and reconstruct your operating system and other system state files in case of a failure. The ASR is a set of a single floppy and a backup on removable media (or network file). The ASR set is easy to make, and should be done BEFORE you implement a major change to your server as a fallback method, or final recovery. A major change may be defined as anything done in control panel, such as Add/Remove Programs or Windows Components, or any change to the hard disk configuration. Another possibility is to create a set after you install the basic operating system and before applications are installed. Saving this set would allow you to “start over” with a fresh server without the fun of completely reinstalling Windows.

The ASR diskette is not bootable, and it must be used with your original operating system CD or setup diskettes during the setup program. ASR does not try to place all the necessary recovery information on a diskette, instead it makes a system backup and creates three information files on the floppy that describe the disk configurations, locations of various plug and play devices and system files on your server.

To perform the following operation, you must be a member of the local Administrators group, the Backup Operators group, or if the computer is a member of the domain, the Domain Administrators group. You may also have the necessary permissions delegated to you. As a best practice, consider using the Run As feature so that you use these elevated permissions only when performing this operation.

To create an ASR set, perform the following steps:

1. Locate a blank floppy for the last step.

2. Start the Windows Server 2003 Backup program. Click on Start, Programs, Accessories, and then System Tools. Select Backup. (Could we hide that any deeper?) If the wizard wants to help you, just switch to advanced mode. Your screen should look like Figure 5-1.

Figure 5-1: ASR Set

3. Click on Automated System Recovery Wizard. The welcome screen is shown in Figure 5-2. Click next.

Figure 5-2: Automated System Recovery Wizard

4. Welcome to the backup destination screen, as shown in Figure 5-3. Select the media type and the destination you desire. Click next again.

Figure 5-3: Backup Destination

5. Verify your information and click finish to exit the wizard and start the backup, as shown in Figure 5-4. The backup will begin, and you will see the backup progress box as in Figure 5-5.

Figure 5-4: Backup Finish

Figure 5-5: Backup Progress Display

6. When the backup completes you will be queried for the blank floppy mentioned earlier. Insert it and click OK. See Figure 5-6.

Figure 5-6: Backup Utility Insert

7. Backup will write several configuration files to the floppy and confirm that the process is complete. See Figure 5-7. Click OK. Remove the floppy, and store the floppy and the media in a safe place. Click close to exit the backup program.

Figure 5-7: Backup Utility Remove

To use the ASR set in a repair, ensure that you have the correct ASR set and the Windows 2003 Server CD.

To perform the following operation, you must be a member of the local Administrators group, the Backup Operators group, or if the computer is a member of the domain, the Domain Administrators group. You may also have the necessary permissions delegated to you. As a best practice, consider using the Run As feature so that you use these elevated permissions only when performing this operation.

Locate the following items:

● ASR floppy disk and backup media.
● Windows Server 2003 Operating System installation CD.
● Any separate driver diskettes you may have for a mass storage controller that does not appear on the operating system CD.

Follow these steps:

1. Place the installation CD in your CD drive and restart your computer. You may be prompted to press a key to start from CD.

2. If you have a separate driver file as mentioned above, press F6 when prompted in setup and insert the diskette as requested.

3. When the text-only portion of setup begins, press F2. You will then be prompted to insert the ASR floppy that matches the media you wish to restore.

4. At this point, follow the instructions on screen. The system will re-boot.

5. If you used a separate driver file as in step 2 above, press F6 again to use the diskette. Place the driver diskette in the floppy drive and follow the instructions on screen as you did in step 2.

6. Restore any necessary program or data backups.

The ASR gives you a very powerful tool to help protect your system data, and is much easier to use than utilities in previous versions of Windows. Remember that the ASR set will only repair the operating system files. You must restore any applications or data separately.

5.1.2 Restore data from shadow copy volumes

Shadow Copy is a feature of Windows 2003 Server that allows point-in-time, read-only copies of files that are currently stored on network shares. With Shadow copy enabled on a volume, you can examine the contents of a network share as it existed at a particular point in time. Shadow Copy will allow you to:

● Recover files that were deleted
● Recover files that were overwritten
● Allow “basic” version control while working on shared documents depending on the copy or archive schedule on the volume. You could possibly “see” what the document looked like this morning before you started working, if you make the copy at the appropriate time.

Shadow Copy is not enabled by default, due to the storage needed to support the feature. You must enable shadow copy on a volume by volume basis, not single shares. All network shares on that volume are then “shadowed”. You can then schedule the frequency of the copy. Client software must be installed, and the share must be accessed across the network. Shadow Copy should not be used as a replacement for regular system backups, as it only copies the network shares on the volumes for which it is enabled.

To configure Shadow Copy, open Computer Management in Administrative Tools. Then right click on Shared Folders, select All Tasks, and Click Configure Shadow Copies. See Figure 5-8.

Figure 5-8: Start Shadow Copy

You are then given the Shadow Copy dialog box, as shown in Figure 5-9. Here you can enable Shadow Copy and configure scheduling on the various volumes in the computer. Note the screen shot shows drive C: enabled, and drives E: and F: disabled. Scheduling can be done by clicking on the settings button, and then selecting schedule. The default schedule is to make a copy at 7:00 AM and 12:00 noon, which may or may not be useful in your environment. You should not schedule a copy more than once an hour, and you should avoid times of high usage on your server and network.

Figure 5-9: Configure Shadow Copy

For the client to be able to use Shadow Copy, client software must be installed. Various methods can be used to distribute the software to the client desktop, including Group Policy, or accessing a shared folder across the network.

Okay, so you’ve gotten Shadow Copy configured on all your file servers on your network. You have the client software installed on all the workstations on your network. You make a copy every other hour. You want to use it to recover a file Kris just mistakenly deleted from the network share. She is saying something about a marketing project that’s just slightly late and needs to be turned in today, and Kris is quite happy to get the version that is 90 minutes old.

How does the recovery all work? I’m glad you asked! It’s pretty straightforward, but must be accomplished from the network client. On the client machine, open Windows Explorer and move to the shared folder in question. Right click on the share, and select properties. In the properties dialog box, select the previous versions tab. You will now see the different versions of the share available to restore. (See Figure 5-10) Select a copy to work with.

Figure 5-10: Previous Version of Backup

If at this point you want to restore the entire folder, you can click on the restore button. BE CAREFUL, as this will restore the folder to its previous contents, overwriting the folder as it exists now. If a file exists now in the folder and did not exist in the version you wish to restore, the new file will be deleted. This may or may NOT be what you want. The safer route may be to copy the previous version to another location, and restore the deleted project file to the desired location. In this case, copying the folder to another location, then moving the file in question back to the share where Kris can work with it would be the proper method of attack. Restore or copy as necessary.

A word about file permissions after these operations is called for. If you restore the file to the current location, the permissions are not changed. If you copy a file, it assumes the defaults of the target directory where you copy it.

5.1.3 Back up files and System State data to media

What is backup? Backup is a process of copying files and folders from one location in a single operation. It is done to protect data from loss due to various reasons. If you are careful about performing backups on a regular basis, when a data loss occurs you will be able to recover from it. You should be able to recover from the loss of data amounting to anything from a single file to a complete hard drive or set of hard drives in a system. Sounds great, doesn’t it? I do all these things and magic will occur when I need it to. But now you may ask, “What should I backup? What is a regular basis? What is a regular backup? What is a good schedule?” Scheduling we’ll talk about a bit later in this chapter. The others (and a few more) we’ll answer here.

The frequency of your backups typically depends on two things:

● How critical is your data to your business?
● How frequently does it change?

The more critical the data, the more frequent your backup should be. The more frequently it changes, the more frequent your backup should be. A good rule of thumb to consider is how much data loss can I afford to recover from without hurting my normal flow of business, i.e. can I easily recreate the day’s transactions and other changes? Maybe a day is too long and you need to be thinking of a period of hours instead. You have to decide, depending upon the needs of your organization.

Let’s discuss System State data for a minute. The System State data is what the computer uses to load, configure and run the operating system on your computer. Depending upon the type of Windows Server 2003 installation that is on your server, this may include various things.

The following table outlines the type of data and on what type of server it would appear.

Table 5-1: Backup: Type of Data

Component | When included in System State
Registry | Always
Boot files, Com+ Class registrations, including the system files | Always
Certificate Services | If server is a Certificate Server
Active Directory directory service | If it is a domain
SYSVOL Directory | If server is a domain controller
Cluster service information | If a member of a cluster
IIS metadirectory | If IIS is installed
System files that are under Windows File Protection | Always

The System State is backed up and restored as a unit. You cannot restore a portion of the System State due to the interdependence of the different sets of data. The data must be consistent across all parts of the System State backup, thus you are required to backup or restore as a unit.

The backup utility can be used to back up your entire server, selected portions of your server, or the system state data. You can also use the backup utility to schedule a backup operation for you. You can make several different types of data backups with the backup utility – five to be exact. They are:

● Normal or full
● Copy
● Differential
● Incremental
● Daily

The different types allow you to make a complete backup of your selected data, or just changes in the data since the last time you made a backup. These different types target a specific category of data, such as all the files in a collection of folders, or all files on a selected volume that have changed since the last backup. This piece of magic involves the archive attribute. The archive attribute (or bit) is cleared or turned off every time a full backup or an incremental backup of a file is made. The archive bit is turned on (flipped on or switched on or flipped or toggled are also used to describe the action) every time a file or folder is changed after that backup. Other types of backups leave the archive bit alone. The reason why is described in the table below.

Table 5-2: Backup Types

Backup Type: Full or Normal
Description: Backs up all selected files, regardless of the archive bit setting. Clears the archive bit for future operations. If the file is modified later, the archive bit is then set. This indicates the file has been changed and needs to be backed up again.
Clears Archive Bit: Yes
Best Used For: Baseline for future backup jobs. Always use the first time you create a backup set.

Backup Type: Copy
Description: Backs up all selected files without changing the archive bit. This allows you to perform other types of backups on the files again later.
Clears Archive Bit: No
Best Used For: Making an additional tape or disk without disturbing the archive bit. Quite useful before a high risk operation (OS patch, driver upgrade, application upgrade, etc.) to allow you to recover the files to the exact state before said high risk operation.

Backup Type: Differential
Description: Backs up all selected files and folders that were modified since the last full or incremental backup (the files where the archive bit is turned on). The archive bit isn’t modified, so you can perform other types of backups on these files again later. If you were to make another differential backup using the same selection set, you would backup the same file a second time.
Clears Archive Bit: No
Best Used For: Using a differential backup with the full backup set lets you restore to a point in time of your last differential set by just restoring two sets, the full backup set, and then the last differential set. While your backup time increases, the restore time is shorter than restoring several incremental backup sets.

Backup Type: Incremental
Description: This type of backup will back up all the selected files that have changed since the last incremental or full backup. It will then clear the archive bit on the files that were backed up. If you were to perform two incremental backups in a row, the files would not be backed up the second time, unless they were changed since the last incremental backup.
Clears Archive Bit: Yes
Best Used For: Networks that require a faster backup time due to a small maintenance window for the network. This will take less media per backup set, as you are not copying all the files changed since the last full backup. This method will take longer to restore than a full backup set and differentials, as to be sure you have the latest version of each file, you must restore all the incremental backup sets.

Backup Type: Daily
Description: This type backs up only the files changed on that date, and ignores the setting of the archive bit. If a file was changed on the same day as the backup, it is backed up, even if it was just backed up by another type of backup.
Clears Archive Bit: No
Best Used For: If a copy of the files modified today is required for any reason in conjunction with another backup type.
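The archive-bit rules of Table 5-2, modelled as an added example (not code from the book or from the Backup utility). The `Volume`, `backup` and `restore_chain` names and the sample file names are constructed for illustration; the example goes slightly beyond the table by working out, for any history of backup sets, which sets a restore needs for a weekly normal backup followed by nightly incrementals or nightly differentials.

```python
from dataclasses import dataclass, field

CLEARS_ARCHIVE_BIT = {"normal", "incremental"}   # "Clears Archive Bit: Yes" rows of Table 5-2

@dataclass
class Volume:
    content: dict = field(default_factory=dict)  # file name -> current data
    archive: dict = field(default_factory=dict)  # file name -> archive bit
    changed: dict = field(default_factory=dict)  # file name -> day of last change

    def write(self, name, day, data):
        """Creating or changing a file turns its archive bit on."""
        self.content[name] = data
        self.archive[name] = True
        self.changed[name] = day

@dataclass
class BackupSet:
    kind: str
    day: str
    files: dict                                  # file name -> data as captured

def backup(vol, kind, day):
    """Select files by backup type, then clear the archive bit if the type does so."""
    if kind in ("normal", "copy"):
        picked = list(vol.content)               # everything, whatever the bit says
    elif kind in ("differential", "incremental"):
        picked = [n for n in vol.content if vol.archive[n]]
    elif kind == "daily":
        picked = [n for n in vol.content if vol.changed[n] == day]
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in CLEARS_ARCHIVE_BIT:
        for n in picked:
            vol.archive[n] = False
    return BackupSet(kind, day, {n: vol.content[n] for n in picked})

def restore_chain(history):
    """Sets needed to rebuild the newest backed-up state, oldest first."""
    chain = []
    for s in reversed(history):
        if s.kind == "normal":
            chain.append(s)
            return chain[::-1]
        # Every incremental back to the normal backup is needed; a differential
        # is needed only when it is the newest set in the chain.
        if s.kind == "incremental" or (s.kind == "differential" and not chain):
            chain.append(s)
    raise ValueError("history holds no normal (full) backup to restore onto")

def restore(chain):
    """Apply the sets oldest first; later sets overwrite earlier versions."""
    out = {}
    for s in chain:
        out.update(s.files)
    return out

# Constructed sample week: which files change on which day.
EDITS = {"Mon": ["budget.xls"], "Tue": ["plan.doc"], "Wed": ["budget.xls"],
         "Thu": [], "Fri": ["notes.txt"]}

def run_week(nightly):
    """Normal backup on Sunday, then the given backup type every evening."""
    vol = Volume()
    for name in ("budget.xls", "plan.doc", "notes.txt"):
        vol.write(name, "Sun", f"{name} as of Sun")
    history = [backup(vol, "normal", "Sun")]
    for day, names in EDITS.items():
        for name in names:
            vol.write(name, day, f"{name} as of {day}")
        history.append(backup(vol, nightly, day))
    return vol, history

if __name__ == "__main__":
    for nightly in ("incremental", "differential"):
        vol, history = run_week(nightly)
        chain = restore_chain(history)
        print(nightly, "files per night:", [len(s.files) for s in history[1:]])
        print("  restore needs:", [f"{s.kind}/{s.day}" for s in chain],
              "-> matches Friday state:", restore(chain) == vol.content)
```

The nightly set sizes show the trade-off: incrementals stay small but the restore needs every set since Sunday, while differentials grow through the week and the restore needs only two sets.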

You can select the type of media you desire to make your backup to. The various storage devices and media that are supported include tape drives, removable disks, recordable CDROM drives and logical drives on your local system.

You can combine different types of backups to allow for shorter backup times or shorter recovery times. The best scenario would be to make a complete backup of the system each day. Then to restore your system you just need to restore that day’s backup. You can also combine a normal or full backup with a differential or incremental backup. You should base your decision for a proper mix of types on the amount of time you can spend creating the backup, and the amount of time you can use to restore. Some sample scenarios follow.

Scenario One: Normal backup weekly combined with incremental backups every day.

On Sunday evening you perform a normal (full) backup. The archive bit on ALL files is reset. Each evening on Monday through Saturday you perform an incremental backup. Each backup saves the files changed that day, and also resets the archive bit on those files that were backed up. The evening backup on Monday through Saturday is done rather quickly (compared to the full backup on Sunday) as just the files changed that day are backed up. If something were to happen to your server hardware on Saturday, to recover your files to the state of the last known good backup (made on Friday), you would have to first restore the full backup from the previous Sunday, and then each incremental backup made on Monday through Friday evening. This would ensure you would get all the files that were changed during the week, as the files that were changed were only backed up on the day that they were changed.

Scenario Two: Normal backup weekly combined with differential backups every day

On Sunday evening you perform a normal (full) backup. The archive bit on ALL files is reset. Each evening on Monday through Saturday you perform a differential backup. Each backup saves the files changed since the full backup made on Sunday. The archive bit on these files is not changed. This way, on Monday you backup the files changed on Monday. On Tuesday, you backup the files changed on Monday and Tuesday, and so on through the week. The evening backup takes somewhat longer each evening, as you are backing up all files changed through the entire week. Again, something happens to the server on Saturday, and you need to restore to the state the files were in on Friday evening when the backup was made. Here you need to restore the full backup made on Sunday, and the last differential backup made on Friday. Why just the two? Unlike the incremental backups made in scenario one, the last differential backup on Friday has all the files that were changed that week on one media set. Recovery time is reduced as compared to scenario one.

To backup using the Backup utility, follow these steps:

Start the Windows Server 2003 Backup program. Click on Start, Programs, Accessories, and then System Tools. Select Backup. If the wizard wants to help you, just switch to advanced mode. Your screen should look like Figure 5-11.

Figure 5-11: Backup Utility Advanced Mode

Click on the Backup Wizard button. Again, if the wizard wants to help, click cancel. You should get the selection box that appears in Figure 5-12.

Figure 5-12: Configure Backup Utility Advance Mode

At this point, you can click on the + boxes beside the drive to drill down to the selection. I am going to backup the My Documents folder, so I’ll select that. Your screen should appear something like the one in figure 5-13. Notice the blue check mark in the My Documents box. That means that particular folder and all of its contents will be backed up. Notice also that drive c: has a grey check mark by it. This means that some subfolder has been selected on that drive. Notice also I have selected to backup this selection to a file (e:\backup.bkf) listed under the backup media or filename selection. At this point, you can click the start backup button, and selections will be backed up.

Figure 5-13: Backup Utility Media

5.1.4 Configure security for backup operations

Who can back up data? You must have certain permissions or be granted certain user rights to be able to back up files and folders on a Windows Server 2003 machine. Typically you must be a member of the administrators group, the backup operators group, or the server operators group to be able to back up and restore all files and folders on a particular machine. Administrators, backup operators and server operators can back up any file and folder because they have the Backup Files and Directories and Restore Files and Directories user rights granted to them by default. Any user can backup their own files and folders, and any files and folders that they have read permission for. They also have Modify and Full Control permissions granted by default. If you have a disk quota on your target drive, you may not be able to back up files and folders, if the quota keeps you from writing to the hard drive in question.

Granting these rights and permissions to a regular user will allow them to backup and restore files and folders not belonging to them. Some organizations create separate backup and restore groups to divide these tasks for security reasons. To do this complete the following steps:

● Create a Backup Group in Active Directory Users and Computers.
● Create a Restore Group in Active Directory Users and Computers.
● Add the necessary members to each group.
● Add the Backup Group to the Backup files and directories Group Policy Object.
● Add the Restore Group to the Restore files and directories Group Policy Object.

The above Group Policy Objects can be found in the following group policy – Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignments.
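One way to check that the backup and restore rights really are split between two groups, as an added example that is not part of the book: it parses the [Privilege Rights] section of a security template such as the one `secedit /export /cfg <file> /areas USER_RIGHTS` writes, where `SeBackupPrivilege` and `SeRestorePrivilege` are the internal names of the two user rights. The sample template text and the `CORP\...` accounts are constructed, and the entry format (`*SID` or an account name, comma separated) is an assumption about the export being audited.

```python
# Well-known SIDs of the built-in groups that hold both rights by default.
DEFAULT_HOLDERS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-549": "Server Operators",
}
BACKUP_RIGHT = "SeBackupPrivilege"      # "Back up files and directories"
RESTORE_RIGHT = "SeRestorePrivilege"    # "Restore files and directories"

# Constructed sample. A real export is a Unicode file, so read it with
# open(path, encoding="utf-16") before passing the text in.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549,CORP\Backup Group,CORP\svc-tape
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549,CORP\Restore Group,CORP\svc-tape
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right name: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading "*"; account names are written as-is.
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit_backup_rights(inf_text):
    """Report principals, beyond the default groups, that hold either right."""
    rights = parse_privilege_rights(inf_text)

    def extra(right):
        # casefold() because Windows account names are case-insensitive
        return {p.casefold(): p for p in rights.get(right, [])
                if p.upper() not in DEFAULT_HOLDERS}

    backup, restore = extra(BACKUP_RIGHT), extra(RESTORE_RIGHT)
    return {
        "backup_only": sorted(backup[k] for k in backup.keys() - restore.keys()),
        "restore_only": sorted(restore[k] for k in restore.keys() - backup.keys()),
        # Holding both rights defeats the separation the two groups were created for.
        "both_rights": sorted(backup[k] for k in backup.keys() & restore.keys()),
    }

if __name__ == "__main__":
    for finding, principals in audit_backup_rights(SAMPLE_INF).items():
        print(f"{finding}: {principals}")
```

Any entry under `both_rights` is an account that can both read and overwrite files it has no permissions on, which is the combination the separate groups are meant to prevent.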

5.2 Manage backup procedures

Did it work? Did it really work?

5.2.1 Verify the successful completion of backup jobs

Aside from restoring your data to another server, or another location (the best tests to see if you can really read the files you just backed up) one of the options you can select during the backup is Verify Data After Backup Completes. Options for backup are selected by selecting the tools menu, then selecting options, and then the general tab from the main backup screen as shown in figure 5-14. Select the desired checkbox, then click apply and ok to exit the options dialog. Note that the option is NOT selected by default, as it adds to the backup time.

Figure 5-14: Backup Options Dialog

What this option does is allow you to let the Backup utility compare the backed-up data and the original data on your hard disk to be sure that the two are the same. You should only verify backups of data files. Verifying system backups is a very difficult process because of the large number of changes that happen to system files on a continual basis. Be aware that some data files that were in use during your backup might also cause you to receive verification errors. You can usually disregard these errors. If you receive a large number of verification errors, there may be a problem with the media or the file you are using to back up data. If this happens, try using different media or designate another file and run your backup again.

Consulting log files created during backup is also an excellent way of checking the status of completion, and the success of your efforts. Also under Tools, Options, you then need to select the Backup Log tab, as shown in figure 5-15. The default is summary, which will give you enough detail to see starts and stops, tape swaps and problem files. You can also keep a detailed log of each backup operation to exactly identify a particular file that you backed up and that you may wish to restore. Detailed troubleshooting will require a detailed log.

Figure 5-15: Backup Logs

5.2.2 Manage backup storage media

Media catalogs allow you to easily manage the files and folders collected in your backups. The catalog allows you to easily see the files and folders in a backup set. Files can be selected to restore from these. If you are using removable media, the catalog can be created on-disk as well to speed the restore process. Samples of expanded on-disk catalogs are shown in Figure 5-16. The catalog here shows the files and folders in a system state backup recently completed.

Figure 5-16: Backup Restore and Manage Mode

The backup utility can also be used to perform some simple tape management. The options you will have available include format a tape, and retension of a tape. These options appear if you have a tape drive installed in your computer, and the proper media inserted into a tape drive.

5.3 Recover from server hardware failure

Lots and lots of red lights are blinking on the front of your server. Careful examination reveals several lights you never even knew existed. Until now. Red lights on this server are never a “Good Thing”. Welcome to server hardware failure.

Fortunately, Windows Server 2003 provides some tools to help you recover from hardware failures. You need to be able to correctly identify the problem and choose the proper tool or tools to respond with. Some things you can do are change server settings, diagnose problems, remove newly installed software or hardware, install a service pack or other software patch or possibly reinstall the operating system. Two of those were mentioned at the beginning of this chapter, the Windows Startup Disk and the Recovery Console. Others include a good backup, a good System State Backup and a good ASR backup set. Still others are starting the system in Safe Mode, and using the Last Known Good Configuration.

If your system fails to start, you may be able to start it in safe mode. Safe mode is entered by pressing F8 to display the advanced startup options during system boot. When starting in safe mode, Windows uses default settings and minimum device drivers. The idea is to remove all the “frills and extras” and let the system come up with very basic settings allowing you to troubleshoot. This mode will sometimes allow access when others fail. If the machine starts, you know the problem is something beyond the basic settings. If you have just added or changed something in the system, safe mode can be used to allow you to remove it or reverse the change you made. You have three options for safe mode. All three create a log file. They are described in the following table.

Table 5-3: Backup Safe Mode Options

Option: Safe Mode
Description: Loads only basic devices, drivers and services required to start and operate the system, the mouse driver and the video in video graphics adapter (VGA) mode, no network connection.
Example Use: You suspect a recently installed application or driver is causing a problem.

Option: Safe Mode with Networking
Description: Same as Safe Mode, but also adds networking support
Example Use: You need to verify networking is working properly, and/or you need access to the network to obtain files.

Option: Safe Mode with Command Prompt
Description: Same as safe mode, but with a command prompt instead of a graphical user interface.
Example Use: You must use command-line troubleshooting tools.

The startup option Last Known Good Configuration allows you to use the registry and device configuration of the last successful system login which Windows saves at every successful login. The Last Known Good Configuration is updated each time Windows is started in normal mode and a user logs in and is authenticated. Last Known Good Configuration can be used to resolve startup problems. If you get a stop message or a message that one or more services failed to start immediately after a change, you can restart the computer without logging in, then select Last Known Good Configuration. This option gives you the ability to quickly recover from an incorrect driver or setting. You can then reverse the change just made, and try to correct it. If you shut the system down without logging in, you do not overwrite the Last Known Good Configuration.

Note it was mentioned earlier that the Last Known Good Configuration is only overwritten when starting in normal mode and logging in. Safe mode does NOT overwrite the saved settings. If you were to start your system in safe mode and log in, but were unable to correct the problem, you could reboot and use the Last Known Good Configuration.

The Recovery Console is a tool that provides you with a command-line console on a system that is having a software problem that prevents the system from starting. It loads a minimal version of Windows Server 2003. It also allows you to access the drives on your system. When using the Recovery Console, you can enable or disable device drivers or services, read and write files to a local hard drive, format a hard drive, repair a boot sector or create a new boot sector or master boot record. This allows you to possibly repair a system component that is keeping the system from starting without a complete reinstallation of the operating system. The Recovery Console will allow you to work with a drive even if it is formatted with NTFS, and recognizes and enforces the NTFS file and folder permissions.

If it is installed, Recovery Console is one of the advanced startup options on a system. If it is not installed, or the system cannot access the partition the Recovery Console is installed on, you can run it from the operating system CD. Start the system from CD, then when prompted to repair or install, select repair. When the system is started with the Recovery Console, you must log in with the local administrator account and password.

Here are some general guidelines for using the various disaster recovery tools provided by Windows Server 2003.

Table 5-4: Backup Tools

Tool: Safe Mode
Suggested Use: Use when a problem causes your server not to start normally. Using the minimal services it operates with, you can determine if a recent change or other configuration issue has caused your problem, and correct it.

Tool: Last Known Good Configuration
Suggested Use: Use for cases of incorrect configuration. You can reverse your most recent driver or other system changes since your last successful login, then boot normally and correct the issue.

Tool: Backup / Restore
Suggested Use: Always have a good set of backups that protects your data and system settings. Restore (or restoring a shadow copy) will allow you to replace a missing or damaged file, or roll back to an earlier version of the file. Also, before some major system change or high risk operation, it is a good practice to make a system state backup (if the system files will be affected) or a copy backup (if data is affected) to allow you to recover (if necessary) to the point before the operation occurs. If the operation goes bad, you can use that backup to restore the state before you started. (Usually the time you really, really, really need such a backup is the time you didn’t make one. Murphy’s Law, and all that.)

Tool: Recovery Console
Suggested Use: Use if you can’t fix your problem with one of the startup options. You can replace files, or attempt other manual recovery steps, etc.

Tool: Automated System Recovery (ASR)
Suggested Use: Use this tool instead of reinstalling Windows from scratch. It allows you to recover all the system settings, etc. that existed at the time the ASR set was made. Use this method as a last resort, as it does format disks. Keep in mind that you will also need a good data backup as the ASR only protects system files and settings.

5.4 Restore backup data

In Windows Server 2003, there are two major types of restores, using the Backup Utility and the ASR Restore. The ASR restore was covered in an earlier section. Using the restore feature of the backup Utility, you can restore files and folders to their original positions or to any disk you can access, restore files to FAT or NTFS formatted volumes, or restore System State data.

Care must be taken to restore files and folders from NTFS volumes back to another NTFS volume. This will allow you to retain several file and folder features, like NTFS permissions, Encrypting File System (EFS) settings, disk quota information, and other settings. Otherwise you lose these features, and you may also lose data. It has been the authors’ experience that losing data is NOT usually the desired outcome when performing a restore operation. Your mileage may vary. Prices are sometimes slightly higher in the West and the South.

To restore files and folders using the backup utility, start Backup and select the Restore and Manage Media tab. Your screen should look something like Figure 5-16 seen previously. In the left pane, select the desired media item, then select the files and folders you desire to restore.

You then need to designate the location for your restore. In the restore files to box, select one of the following:

● Original location – this replaces the files and folders back to their original locations.
● Alternate location – this allows you to type in or browse to a new location for the files. This option lets you relocate the files, but keeps the original folder structure. All the files and folders will appear in the new location.
● Single folder – this will place all the files into a single folder in the location you designate, but loses the original folder structure.

Figure 5-17: Backup Location Selection

Figure 5-17 shows files from Drive c: being restored in their original location. Before you click on the start restore button, select the Tools menu, then click options, and select the restore tab. This will select the restore options for this operation. Select one of the following (See figure 5-18):

● Do not replace the file on my computer.
● Replace the file on disk only if the file on disk is older.
● Always replace the file on my computer.

Figure 5-18: Backup Replace Files Option

Click on OK to accept your restore options, then click on the start restore button to restore your files.

System State Data is restored the same way. Select a media set and expand it to reveal the System State Data selection. Select it, and click Start Restore. The restore will begin, replacing the System State files where they need to be placed. Note that you MUST restore the complete System State, not just a part of it.

5.5 Schedule backup jobs

Why schedule backup jobs? Let the system worry about making the backup on the schedule you set up, instead of you trying to remember to back up the system as necessary. You can easily automate your backup plan to ensure you have the backup sets you need to recover from various problems that may occur. You can schedule a backup one of two ways:

● When creating a new backup job, or
● Selecting an existing job from the Scheduled Jobs tab in backup.

The Scheduled Backup options are the same as any other scheduled job in Windows Server 2003. They are:

Schedule Option | Executes the operation
Once | Once at a specific time on a specific date
Daily | At the specified time each day
Weekly | At the specified time on each of the specified days of the week
Monthly | At the specified time once a month
At system startup | The next time the system is started
At logon | The next time the job owner logs on
When idle | When the system has been idle for a specified number of minutes

Table 5-5: Backup Schedule Options

You will also be asked for user credentials to run the job. Be sure to provide a login and password of a user that has the necessary user rights and permissions, either directly assigned or through group membership.


Chapter 5: Review Questions

1. What is true of using a backup method that uses a weekly normal and daily incrementals?
A. It requires less time for restoration
B. It requires more time for restoration
C. It increases the daily backup time
D. It minimizes the daily backup time

2. How can you install Recovery Console on a hard drive with Windows 2003?
A. Use the winnt32.exe command with the /cmdcons switch
B. Use the winnt32.exe command by itself
C. Use the winnt.exe command with the /cmdcons switch
D. Use the winnt32.exe command by itself

3. What is an incremental backup?
A. It is generally done just once a month
B. It is a backup in which only files that have increased in size are backed up.
C. It is a normal backup
D. It is not used as a daily backup method

4. When using a normal and differential backup method, how many tapes will be required to restore the server?
A. 1 tapes
B. 2 tapes
C. 3 tapes
D. 4 tapes
E. 8 tapes

5. After noting the properties of the installed device driver, which of the following steps should you take when updating device drivers on a Windows 2003 server?
A. Note the properties of the updated driver, and install the new driver
B. Test the new driver on a non-critical machine, note the properties of the updated driver, and install the new driver
C. Simply install the new driver
D. Install the new driver and rollback if necessary

6. If a user tells you that they aren't able to log on their computer after installing a hardware device and it gave them the STOP message, what course of action would require the least effort?
A. Restarting by using safe mode
B. Performing a brand-new install of the operating system
C. Restarting with the last known good configuration
D. Restarting with the Windows 2003 CD-ROM and using Recovery Console

7. Which of the following scenarios is correct for using Last Known Good with System Restore if your 2003 server won't boot?
A. Just use Last Known Good, it won't work with System Restore
B. Just use System Restore, it won't work with Last Known Good
C. First, use the Last Known Good method to get the computer to boot and then use System Restore to get the previous state that you want.
D. Use System Restore and then use Last Known Good to get the state you want

8. Which of the following statements are true regarding how System Restore works with drivers?
A. If unsigned drivers cause problems, you can revert to the restore point before the bad driver was installed
B. If signed drivers cause problems, you can revert to the restore point before the bad driver was installed
C. If signed drivers cause problems, there isn't a restore point created specifically before the bad signed driver was installed
D. If unsigned drivers cause problems, there isn't a restore point created specifically before the bad signed driver was installed

9. You attempt to restore a RAID 5 array on your 2003 Server box. However, when you attempt to run ASR, you get the following error message: Logical Disk Manager ASR Utility Error. The Logical Disk Manager encountered the following error while restoring the dynamic disk configuration on this system: Failed to commit the disk group creation transaction. Additional information: -25. What is the cause of this error message?
A. ASR cannot be used with RAID arrays
B. One of the disks in the array is missing or corrupted.
C. ASR cannot be used with RAID-5 arrays
D. The disk needs to be defragmented first before using ASR

10. What is the correct path to set up a restore point in Windows 2003 Server?
A. Start | Programs | System Tools | Accessories | System Restore
B. Start | Programs | Accessories | Communication Tools | System Restore.
C. Start | Programs | Accessories | System Tools | Disk Cleanup.
D. Start | Programs | Accessories | Tools | System Restore.
E. Start | Programs | Accessories | System Tools | System Restore

11. Which of the following executables starts the Volume Shadow Copy service?
A. Vsscopy.exe
B. Vssadmin.exe
C. Sssadmin.exe
D. Vscadmin.exe

12. How can you access shadow copies in 2003 Server?
A. With the Copies tab of the Local Disk Properties dialog box.
B. In Device Manager, right-click Shares, point to All Tasks, and then click Configure Shadow Copies.
C. In Computer Management, right-click Shares, point to All Tasks, and then click Configure Shadow Copies.
D. With the Shadow Copies tab of the Local Disk Properties dialog box.

13. When used with the NTBACKUP command, the /l switch can indicate what log file types?
A. e=edit
B. f=full
C. n=none
D. p=partial
E. s=summary

14. Which of the following NTBACKUP switches restricts access to a tape for the owner or members of the Administrators group?
A. The /I switch
B. The /v switch
C. The /r switch
D. The /m switch
E. The /e switch

15. Which of the following NTBACKUP switches verifies the data after the backup is complete?
A. The /a switch
B. The /r switch
C. The /v switch
D. The /m switch
E. The /t switch

16. When used with the NTBACKUP command, what does the /um switch do?
A. Locates the first available tape drive
B. Locates the first available hard drive
C. Formats the first available media
D. Uses the first available media for the current backup operation
E. Locates the first available media

Chapter 5: Review Answers

1. What is true of using a backup method that uses a weekly normal and daily incrementals?
A. It requires less time for restoration
*B. It requires more time for restoration
C. It increases the daily backup time
*D. It minimizes the daily backup time
Explanation: The backup method that uses a weekly normal and daily incrementals minimizes the daily backup time and it requires more time for restoration.

2. How can you install Recovery Console on a hard drive with Windows 2003?
*A. Use the winnt32.exe command with the /cmdcons switch
B. Use the winnt32.exe command by itself
C. Use the winnt.exe command with the /cmdcons switch
D. Use the winnt32.exe command by itself
Explanation: Use the winnt32.exe command with the /cmdcons switch if you want to install Recovery Console on a hard drive with Windows 2003.

3. What is an incremental backup?
A. It is generally done just once a month
*B. It is a backup in which only files that have increased in size are backed up.
C. It is a normal backup
D. It is not used as a daily backup method
Explanation: The incremental backup method is a backup where only files that have increased in size are backed up. It is generally done daily and to restore fully you would need all incremental since the last normal backup and the normal backup itself.

4. When using a normal and differential backup method, how many tapes will be required to restore the server?
*A. 1 tapes
B. 2 tapes
C. 3 tapes
D. 4 tapes
E. 8 tapes
Explanation: When using a normal and differential backup method, two tapes will be required to restore the server. The normal backup tape catches everything, and the differential tape catches the difference since the last full backup tape.

5. After noting the properties of the installed device driver, which of the following steps should you take when updating device drivers on a Windows 2003 server?
A. Note the properties of the updated driver, and install the new driver
*B. Test the new driver on a non-critical machine, note the properties of the updated driver, and install the new driver
C. Simply install the new driver
D. Install the new driver and rollback if necessary
Explanation: After noting the properties of the installed device driver, test the new driver on a non-critical machine, note the properties of the updated driver, and install the new driver.

6. If a user tells you that they aren't able to log on their computer after installing a hardware device and it gave them the STOP message, what course of action would require the least effort?
A. Restarting by using safe mode
B. Performing a brand-new install of the operating system
*C. Restarting with the last known good configuration
D. Restarting with the Windows 2003 CD-ROM and using Recovery Console
Explanation: The option that requires the least effort in this scenario is the last known good configuration. Safe mode would be next in line as far as effort is concerned. Recovery Console and performing a brand-new install would require a great deal of effort.

7. Which of the following scenarios is correct for using Last Known Good with System Restore if your 2003 server won't boot?
A. Just use Last Known Good, it won't work with System Restore
B. Just use System Restore, it won't work with Last Known Good
*C. First, use the Last Known Good method to get the computer to boot and then use System Restore to get the previous state that you want.
D. Use System Restore and then use Last Known Good to get the state you want
Explanation: Last Known Good should be used when there is a non-bootable state. Once booted into either SafeMode or Normal Mode, System Restore can be used to capture optimal previous state. System Restore cannot be accessed unless the system is bootable into one of these modes.

8. Which of the following statements are true regarding how System Restore works with drivers?
*A. If unsigned drivers cause problems, you can revert to the restore point before the bad driver was installed
B. If signed drivers cause problems, you can revert to the restore point before the bad driver was installed
*C. If signed drivers cause problems, there isn't a restore point created specifically before the bad signed driver was installed
D. If unsigned drivers cause problems, there isn't a restore point created specifically before the bad signed driver was installed
Explanation: Using System Restore, if an unsigned driver installation appears to be the source of undesired system behavior, users can revert their systems to the restore point created automatically just before a driver was installed. This will revert changes made to the system by the driver, as well as any changes made after that restore point was created. In the event the device driver was signed, System Restore would not create a restore point. However, the effects of that device driver installation can still be reverted using System Restore, by restoring to the most recently created restore point before the driver was installed.

9. You attempt to restore a RAID 5 array on your 2003 Server box. However, when you attempt to run ASR, you get the following error message: Logical Disk Manager ASR Utility Error. The Logical Disk Manager encountered the following error while restoring the dynamic disk configuration on this system: Failed to commit the disk group creation transaction. Additional information: -25. What is the cause of this error message?
A. ASR cannot be used with RAID arrays
*B. One of the disks in the array is missing or corrupted.
C. ASR cannot be used with RAID-5 arrays
D. The disk needs to be defragmented first before using ASR
Explanation: When you use Automated System Recovery (ASR) to restore disks that are in a redundant array of independent disks (RAID) set on a computer, you may receive the following error message: Logical Disk Manager ASR Utility Error. The Logical Disk Manager encountered the following error while restoring the dynamic disk configuration on this system: Failed to commit the disk group creation transaction. Additional information: -25. This behavior may occur if there are corrupted or missing disks in the configuration.

10. What is the correct path to set up a restore point in Windows 2003 Server?
A. Start | Programs | System Tools | Accessories | System Restore
B. Start | Programs | Accessories | Communication Tools | System Restore.
C. Start | Programs | Accessories | System Tools | Disk Cleanup.
D. Start | Programs | Accessories | Tools | System Restore.
*E. Start | Programs | Accessories | System Tools | System Restore
Explanation: To set up a restore point in Windows 2003 Server, go to Start | Programs | Accessories | System Tools | System Restore.

11. Which of the following executables starts the Volume Shadow Copy service?
A. Vsscopy.exe
*B. Vssadmin.exe
C. Sssadmin.exe
D. Vscadmin.exe
Explanation: You can access shadow copies of shared folders on the Shadow Copies tab of the Local Disk Properties dialog box. You can also view the same dialog box in the Computer Management snap-in. To do so, right-click Shares, point to All Tasks, and then click Configure Shadow Copies. The Vssadmin.exe tool is the command-line equivalent tool of the Volume Shadow Copy service.

12. How can you access shadow copies in 2003 Server?
A. With the Copies tab of the Local Disk Properties dialog box.
B. In Device Manager, right-click Shares, point to All Tasks, and then click Configure Shadow Copies.
*C. In Computer Management, right-click Shares, point to All Tasks, and then click Configure Shadow Copies.
*D. With the Shadow Copies tab of the Local Disk Properties dialog box.
Explanation: You can access shadow copies of shared folders on the Shadow Copies tab of the Local Disk Properties dialog box. You can also view the same dialog box in the Computer Management snap-in. To do so, right-click Shares, point to All Tasks, and then click Configure Shadow Copies. The Vssadmin.exe tool is the command-line equivalent tool for the Volume Shadow Copy service.

13. When used with the NTBACKUP command, the /l switch can indicate what log file types?
A. e=edit
*B. f=full
*C. n=none
D. p=partial
*E. s=summary
Explanation: The systemstate parameter indicates that you want to back up the system state data. The bks file name parameter indicates the name of the backup selection file (.bks file) to be used for the backup operation. The /j switch indicates the job name to be used in the log file. The /p switch indicates the media pool from which you want to use media (you can't use the /a /g /f /t switches with this switch). The /g switch overwrites or appends to this tape. The /t switch overwrites or appends to this tape. The /n switch indicates the new tape name and can't be used with the /a switch. The /f switch indicates the logical disk path and file name and it cannot be used with the /p /g /t switches. The /d switch indicates a label for each backup set. The /a switch performs an append operation and the /g or /t must be used with this switch, but not with the /p switch. The /v switch verifies the data after the backup is complete. The /r switch restricts access to this tape for the owner or members of the Administrators group. The /l:{f|s|n} switch indicates the type of log file: f=full, s=summary, n=none (with n, no log file is created). The /m switch indicates the backup type (normal, copy, differential, incremental, or daily). The /rs switch backs up the Removable Storage database. The /hc:{on|off} switch uses hardware compression on the tape drive. The /um switch locates the first available media, formats it, and uses it for the current backup operation.

14. Which of the following NTBACKUP switches restricts access to a tape for the owner or members of the Administrators group?
A. The /I switch
B. The /v switch
*C. The /r switch
D. The /m switch
E. The /e switch
Explanation: The systemstate parameter indicates that you want to back up the system state data. The bks file name parameter indicates the name of the backup selection file (.bks file) to be used for the backup operation. The /j switch indicates the job name to be used in the log file. The /p switch indicates the media pool from which you want to use media (you can't use the /a /g /f /t switches with this switch). The /g switch overwrites or appends to this tape. The /t switch overwrites or appends to this tape. The /n switch indicates the new tape name and can't be used with the /a switch. The /f switch indicates the logical disk path and file name and it cannot be used with the /p /g /t switches. The /d switch indicates a label for each backup set. The /a switch performs an append operation and the /g or /t must be used with this switch, but not with the /p switch. The /v switch verifies the data after the backup is complete. The /r switch restricts access to this tape for the owner or members of the Administrators group. The /l:{f|s|n} switch indicates the type of log file: f=full, s=summary, n=none (with n, no log file is created). The /m switch indicates the backup type (normal, copy, differential, incremental, or daily). The /rs switch backs up the Removable Storage database. The /hc:{on|off} switch uses hardware compression on the tape drive. The /um switch locates the first available media, formats it, and uses it for the current backup operation.

15. Which of the following NTBACKUP switches verifies the data after the backup is complete?
A. The /a switch
B. The /r switch
*C. The /v switch
D. The /m switch
E. The /t switch
Explanation: The systemstate parameter indicates that you want to back up the system state data. The bks file name parameter indicates the name of the backup selection file (.bks file) to be used for the backup operation. The /j switch indicates the job name to be used in the log file. The /p switch indicates the media pool from which you want to use media (you can't use the /a /g /f /t switches with this switch). The /g switch overwrites or appends to this tape. The /t switch overwrites or appends to this tape. The /n switch indicates the new tape name and can't be used with the /a switch. The /f switch indicates the logical disk path and file name and it cannot be used with the /p /g /t switches. The /d switch indicates a label for each backup set. The /a switch performs an append operation and the /g or /t must be used with this switch, but not with the /p switch. The /v switch verifies the data after the backup is complete. The /r switch restricts access to this tape for the owner or members of the Administrators group. The /l:{f|s|n} switch indicates the type of log file: f=full, s=summary, n=none (with n, no log file is created). The /m switch indicates the backup type (normal, copy, differential, incremental, or daily). The /rs switch backs up the Removable Storage database. The /hc:{on|off} switch uses hardware compression on the tape drive. The /um switch locates the first available media, formats it, and uses it for the current backup operation.

16. When used with the NTBACKUP command, what does the /um switch do?
A. Locates the first available tape drive
B. Locates the first available hard drive
*C. Formats the first available media
*D. Uses the first available media for the current backup operation
*E. Locates the first available media
Explanation: The systemstate parameter indicates that you want to back up the system state data. The bks file name parameter indicates the name of the backup selection file (.bks file) to be used for the backup operation. The /j switch indicates the job name to be used in the log file. The /p switch indicates the media pool from which you want to use media (you can't use the /a /g /f /t switches with this switch). The /g switch overwrites or appends to this tape. The /t switch overwrites or appends to this tape. The /n switch indicates the new tape name and can't be used with the /a switch. The /f switch indicates the logical disk path and file name and it cannot be used with the /p /g /t switches. The /d switch indicates a label for each backup set. The /a switch performs an append operation and the /g or /t must be used with this switch, but not with the /p switch. The /v switch verifies the data after the backup is complete. The /r switch restricts access to this tape for the owner or members of the Administrators group. The /l:{f|s|n} switch indicates the type of log file: f=full, s=summary, n=none (with n, no log file is created). The /m switch indicates the backup type (normal, copy, differential, incremental, or daily). The /rs switch backs up the Removable Storage database. The /hc:{on|off} switch uses hardware compression on the tape drive. The /um switch locates the first available media, formats it, and uses it for the current backup operation.
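The switch rules repeated in the explanations for questions 13 to 16 can be checked mechanically before a job line is handed to the scheduler. The following Python checker is an added example, not code from the book or from Microsoft: the two job lines are constructed samples, it assumes a switch value may be written either as /x:value or as the next token, and its warnings (no /v, /l:n, tape without /r) are this example's own review points derived from what the explanation says those switches do.

```python
import shlex

# Compatibility rules transcribed from the switch descriptions in the
# explanation above; nothing here calls ntbackup itself.
CONFLICTS = {
    "/f": {"/p", "/g", "/t"},        # /f cannot be used with /p /g /t
    "/p": {"/a", "/g", "/f", "/t"},  # /p cannot be used with /a /g /f /t
    "/n": {"/a"},                    # /n cannot be used with /a
}
ALLOWED_VALUES = {
    "/l": {"f", "s", "n"},
    "/hc": {"on", "off"},
    "/m": {"normal", "copy", "differential", "incremental", "daily"},
}
TAPE_TARGETS = {"/p", "/g", "/t"}

# Constructed sample job lines (not taken from the book).
GOOD_JOB = (r'ntbackup backup systemstate /j "Nightly state" /p "Backup" /um '
            r'/n "SRV01-state" /m normal /v:yes /r:yes /l:s /hc:on')
BAD_JOB = (r'ntbackup backup "D:\Finance" /j "Finance append" /a '
           r'/f "E:\Backups\finance.bkf" /p "Backup" /n "fin" /m partial /l:n')


def parse_switches(command_line):
    """Return {switch: value or None} for one ntbackup command line."""
    # posix=False keeps the backslashes of Windows paths intact.
    tokens = shlex.split(command_line, posix=False)
    switches = {}
    for i, tok in enumerate(tokens):
        if not tok.startswith("/"):
            continue
        name, sep, value = tok.partition(":")
        # Assumed syntax: without ":value", the value is the next token
        # unless that token is itself a switch.
        if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            value = tokens[i + 1]
        switches[name.lower()] = value.strip('"').lower() or None
    return switches


def check_job(command_line):
    """Return (errors, warnings) for one ntbackup command line."""
    sw = parse_switches(command_line)
    present = set(sw)
    errors, warnings = [], []

    # Mutually exclusive switches, reported once per pair.
    pairs = set()
    for name, banned in CONFLICTS.items():
        if name in present:
            pairs.update(tuple(sorted((name, other))) for other in banned & present)
    errors += [f"{a} cannot be used with {b}" for a, b in sorted(pairs)]

    # /a appends, so it needs a tape identified by /g or /t.
    if "/a" in present and not ({"/g", "/t"} & present):
        errors.append("/a requires /g or /t")

    for name, allowed in ALLOWED_VALUES.items():
        if name in present and sw[name] not in allowed:
            errors.append(f"{name} value {sw[name]!r} is not one of {sorted(allowed)}")

    def enabled(name):
        # ntbackup writes these as /v:yes or /v:no; a bare switch counts as on.
        return name in present and sw[name] != "no"

    if not enabled("/v"):
        warnings.append("no /v: backup data is not verified")
    if sw.get("/l") == "n":
        warnings.append("/l:n: no log file is created")
    if TAPE_TARGETS & present and not enabled("/r"):
        warnings.append("tape target without /r: tape is not restricted "
                        "to the owner or Administrators")
    return errors, warnings


if __name__ == "__main__":
    for job in (GOOD_JOB, BAD_JOB):
        errs, warns = check_job(job)
        print(job)
        for line in errs:
            print("  ERROR  ", line)
        for line in warns:
            print("  WARNING", line)
```
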

Appendix A: List of Tables and Figures

I Listing of all Tables

Table 1-1: Differences between Basic and Dynamic Disks
Table 1-2: RAID error messages and definitions
Table 1-3: System Resources, Counters and maximum peaks
Table 1-4: The Performance counters and alerts toolbar information
Table 2-1: User Name and Rules
Table 2-2: MBSA v1.1 security scans for Windows machines
Table 2-3: Command Prompt Syntax to add, manage and delete user accounts
Table 2-4: Syntax to use with the LDIFDE utility
Table 3-1: Permissions
Table 3-2: Audit Events available for tracking on Windows 2003 Servers
Table 3-3: Computer Settings
Table 4-1: Reasons for Monitoring/Analysis
Table 4-2: Server 2003 Process Priorities
Table 4-3: Process Definitions
Table 4-4: TCP Performance Parameters
Table 4-5: File Server Parameters
Table 5-1: Backup: Type of Data
Table 5-2: Backup Types
Table 5-3: Backup Safe Mode Options
Table 5-4: Backup Tools
Table 5-5: Backup Schedule Options

II Listing of all Figures

Figure 1-1: The Microsoft Management Console used in Windows Server 2003
Figure 1-2: Changing the View of the Disk Management Console
Figure 1-3: Changing the Views in the Computer Management Console
Figure 1-4: Customizing the View in the Computer Management Console
Figure 1-5: Remote Desktop – Shadow Copies
Figure 1-6: Remote Desktop Enable Shadow Copies
Figure 1-7: Remote Desktop Shadow Copies
Figure 1-8: Remote Desktop Settings
Figure 1-9: Scheduling shadow copies on volumes to run at various intervals
Figure 1-10: Opening the Performance Console to access the System Monitor
Figure 1-11: Adding Counters to System Monitor
Figure 1-12: The Performance Counters and alerts toolbar for System Monitor
Figure 1-13: The Performance Monitor Output file pasted into Wordpad
Figure 1-14: The Performance Logs and Alerts tool
Figure 1-15: Windows Server 2003 Resource Kit Performance Counters
Figure 1-16: Creating a New Counter Log
Figure 1-17: New Log Settings
Figure 1-18: The General Tab for counter logs
Figure 1-19: Adding Objects to the counter log
Figure 1-20: Viewing the explanation for the Logical Disk Performance Counter
Figure 1-21: The newly added Logical Disk Performance object
Figure 1-22: The Log Files settings for the Counter Log
Figure 1-23: Selecting a log file type for the counter log
Figure 1-24: The configure Log File screen
Figure 1-25: Scheduling a time for the logs to begin and end
Figure 1-26: The newly created counter log in the Performance Logs and Alerts console
Figure 1-27: Creating a new trace log
Figure 1-28: Shows the dialog New Log Settings from option
Figure 1-29: Shows the dialog View option

Figure 1-30: Shows the new Taskpad view option
Figure 1-31: Configuring a new Taskpad view for the Performance Console
Figure 1-32: Creating new alerts using the Alerts tool in the Performance console
Figure 1-33: Entering a name for the Alert
Figure 1-34: Entering Comments & Counters for Alerts using Alert properties menu
Figure 1-35: Adding Counters to Alerts
Figure 1-36: The Free Space Alert counter used to configure Alerts
Figure 1-37: The Action Tab for Alert settings
Figure 1-38: Command line arguments: Choose to Run this Program option
Figure 1-39: A new Alert created in the Performance Management Console
Figure 1-40: Selecting the Device Manager from the Systems Properties menu
Figure 1-41: Windows 2003 Server Device Manager
Figure 1-42: Viewing info on the System processor using the Device Manager
Figure 1-43: Options for the Processor in the Device Manager interface
Figure 1-44: Updating the driver for the Processor in the Device Manager interface
Figure 1-45: The hardware update wizard searching for new software
Figure 1-46: Hardware update wizard has finished searching for updated software
Figure 1-47: Hardware Update Wizard can search for software in specified folders
Figure 1-48: Choose the search & installation options
Figure 1-49: Selecting the Driver to be installed instead
Figure 1-50: Selecting the driver to install from a pre-supplied list on the system
Figure 1-51: Choosing to uninstall Hardware from the device manager
Figure 1-52: The Warning message that appears once you choose to uninstall a device
Figure 1-53: The Device Manager after a Modem Uninstall
Figure 1-54: Using the Scan for Hardware Changes option from the Device Manager
Figure 1-55: The Scan for Hardware Change Wizard
Figure 1-56: Accessing the Scan for Hardware Change Wizard from the Action menu
Figure 1-57: The reinstalled Lucent WinModem Hardware from the Device Manager
Figure 1-58: The Properties of the COM Port device
Figure 1-59: Hardware device that has a warning, in the Device Manager

Figure 1-60: Hardware device that has been disabled in the Device Manager
Figure 1-61: Re-enabling a device
Figure 1-62: The re-enabled device in the Device Manager
Figure 1-63: General Tab showing the device needs some technical assistance
Figure 1-64: The Windows 2003 Server Hardware Troubleshooting guide
Figure 1-65: The Hardware Troubleshooter wizard
Figure 1-66: Hardware troubleshooting guide for devices
Figure 1-67: Choosing Device Driver troubleshooting options
Figure 1-68: Troubleshooting the device with the Hardware Troubleshooting Wizard
Figure 1-69: The Disk Management console
Figure 1-70: Modifying a hard drive using the Computer Management console
Figure 1-71: Analyzing a volume using the Disk Defragmenter tool
Figure 1-72: Defragmenting a volume using the Disk Defragmenter tool
Figure 1-73: The System Information Tool
Figure 1-74: The General Tab of the Unknown device
Figure 1-75: Unknown device Driver details
Figure 1-76: Shows the first screen of the Wizard
Figure 1-77: Shows File Signature Verification wizard
Figure 1-78: The Advanced properties of the Signature Verification Wizard
Figure 1-79: Logging option for the Advanced File Signature Verification wizard
Figure 1-80: The File Signature Verification is beginning the file listing process
Figure 1-81: The File Signature Verification is beginning the scan process
Figure 1-82: The File Signature Verification results
Figure 1-83: The File Signature Verification sigverif.txt file
Figure 1-84: Hardware device with a conflict in the Device Manager
Figure 1-85: The resources tab of the Unknown Device
Figure 1-86: Changing resources manually on an unknown device
Figure 1-87: Forcing a change of settings on the Unknown Device
Figure 1-88: The DMA range with a conflict
Figure 1-89: Entering a Value for the DMA range

Figure 1-90: Creating a Forced Configuration on hardware
Figure 1-91: Restarting the Server after the Device resources have been modified
Figure 1-92: Automatic settings for a network adapter card that cannot be modified
Figure 1-93: Modifying Resources for a COM port
Figure 1-94: The new Resource settings for COM1
Figure 2-1: Creating a new computer account using the Active Directory Users and Computers console
Figure 2-2: Give the Computer a name
Figure 2-3: Entering information for Managed Computers
Figure 2-4: Finishing adding a new Computer using the Active Directory Users and Groups console
Figure 2-5: Creating a User Group using the Active Directory console
Figure 2-6: Identifying image scopes using the Active Directory User and Computers console
Figure 2-7: Entering the Group Properties
Figure 2-8: Setting the Description Property for the new group
Figure 2-9: Setting the Description Property for the new group
Figure 2-10: Entering General information for Group settings
Figure 2-11: Member information for the Group
Figure 2-12: The Member of tab for Group settings
Figure 2-13: Managed By tab for Groups
Figure 2-14: Pre-existing local groups on TRPublicComputer
Figure 2-15 and Figure 2-16: Dialog boxes displayed for administrators
Figure 2-17: The output in the console after running the script
Figure 2-18: Creating a New user by right clicking on the User object in the Active Directory Users and Computers console
Figure 2-19: The New User Dialog Box in the Active Directory Users and Computers console
Figure 2-20: Entering the New User information
Figure 2-21: Entering a Password and choosing the password options for the new user
Figure 2-22: New user account object

Figure 2-23: The newly added user in the User Container
Figure 2-24: Myimport.ldf using Notepad
Figure 2-25: Troubleshooting a Computer Account using the Active Directory Users and Computer console
Figure 2-26: The All tasks option for troubleshooting
Figure 2-27: A disabled computer account
Figure 2-28: Re-enabling a computer account
Figure 2-29: The re-enabled computer account verification
Figure 2-30: Resetting a Computer Account using Active Directory Users and Computers
Figure 2-31: Successful completion of a computer account reset
Figure 2-32: The SysKey utility
Figure 2-33: DSADD utility
Figure 2-34: The Local Security Policy MMC
Figure 3-1: Assigning Access to Network Folders
Figure 3-2: The Advanced Option for Folder Security
Figure 3-3: Removing the Parent Permission Entries from a child object
Figure 3-4: Permissions that have been removed from a file or folder
Figure 3-5: The Final dialog box for removing the Permissions from a file or folder
Figure 3-6: Viewing the Shared Folder Management Console
Figure 3-7: Viewing Shared Folders using the Shared Folders console
Figure 3-8: Auditing Files and Folders
Figure 3-9: The Default Security Log settings in Windows 2003 Server
Figure 3-10: Taking Ownership of a file using the Ownership tab in the Advanced properties of the object
Figure 3-11: The net file command syntax
Figure 3-12: The net session command syntax
Figure 4-1: Event Viewer
Figure 4-2: Application Log
Figure 4-3: Application Log Event
Figure 4-4: System Log

Figure 4-5: System Log Event
Figure 4-6: Security Log
Figure 4-7: Security Log Event
Figure 4-8: System Log
Figure 4-9: System Log Event
Figure 4-10: Directory Service Log
Figure 4-11: Directory Service Log Event
Figure 4-12: File Replication Service Log
Figure 4-13: File Replication Service Log Event
Figure 4-14: DNS Server Log
Figure 4-15: DNS Server Log Event
Figure 4-16: Connecting to another computer
Figure 4-17: Log Filter
Figure 4-18: System Monitor
Figure 4-19: Performance Logs and Alerts
Figure 4-20: Setting Up a Counter Log
Figure 4-21: Setting Up a Trace Log
Figure 4-22: Setting Up an Alert
Figure 4-23: Applications Tab (Task Manager)
Figure 4-24: Processes Tab (Task Manager)
Figure 4-25: Task Manager Processes
Figure 4-26: Performance Tab (Task Manager)
Figure 4-27: Performance View with Kernel Times
Figure 4-28: Networking Tab (Task Manager)
Figure 4-29: User Tab (Task Manager)
Figure 4-30: E-Newsletter Subscription
Figure 4-31: SUS Content Notification Email
Figure 4-32: SUS Server Component Webpage Interface
Figure 4-33: Scheduling SUS Server Synchronization
Figure 4-34: SUS Automatic Update GPO

Figure 4-35: Enabling the Licensing Tool
Figure 4-36: Licensing Tool
Figure 4-37: Licensing Agreement
Figure 4-38: Remote Licensing Management
Figure 4-39: Licensing Mode (Control Panel)
Figure 4-40: Replication (Control Panel)
Figure 4-41: Group Policy Object Editor
Figure 4-42: Remote Assistance (Control Panel)
Figure 4-43: Solicited Remote Assistance (Registry)
Figure 4-44: Enabling Remote Desktop
Figure 4-45: Configuring Remote Desktop Users
Figure 4-46: Remote Desktop Connection
Figure 4-47: Remote Desktop General Tab
Figure 4-48: Remote Desktop (Display)
Figure 4-49: Remote Desktop (Local Resources)
Figure 4-50: Remote Desktop (Programs)
Figure 4-51: Remote Desktop (Experience)
Figure 4-52: Installing the Web Interface for Remote Administration
Figure 4-53: Remote Administration Web Interface
Figure 4-54: Add Printer Wizard
Figure 4-55: Printer Properties General Tab
Figure 4-56: Printer Properties Sharing Tab
Figure 4-57: Printer Properties Ports Tab
Figure 4-58: Printer Properties Advanced Tab
Figure 4-59: Printer Properties Color Management Tab
Figure 4-60: Printer Properties Security Tab
Figure 4-61: Printer Properties Device Settings Tab
Figure 4-62: Editing Special Permissions
Figure 4-63: Advanced Security Settings
Figure 4-64: IIS Default Installation

Figure 4-65: Properties: Home Directory
Figure 4-66: New Virtual Directory
Figure 4-67: Redirection
Figure 4-68: Authentication
Figure 4-69: Certificates
Figure 5-1: ASR Set
Figure 5-2: Automated System Recovery Wizard
Figure 5-3: Backup Destination
Figure 5-4: Backup Finish
Figure 5-5: Backup Progress Display
Figure 5-6: Backup Utility Insert
Figure 5-7: Backup Utility Remove
Figure 5-8: Start Shadow Copy
Figure 5-9: Configure Shadow Copy
Figure 5-10: Previous Version of Backup
Figure 5-11: Backup Utility Advanced Mode
Figure 5-12: Configure Backup Utility Advance Mode
Figure 5-13: Backup Utility Media
Figure 5-14: Backup Options Dialog
Figure 5-15: Backup Logs
Figure 5-16: Backup Restore and Manage Mode
Figure 5-17: Backup Location Selection
Figure 5-18: Backup Replace Files Option

Appendix B: Glossary

A

AC-3
The coding system used by Dolby Digital. A standard for high quality digital audio that is used for the sound portion of video stored in digital format.

Accelerated Graphics Port (AGP)
A type of expansion slot that is solely for video cards. Designed by Intel and supported by Windows 2000, AGP is a dedicated bus that provides fast, high-quality video and graphics performance.

Access control entry (ACE)
An entry in an access control list (ACL) containing the security ID (SID) for a user or group and an access mask that specifies which operations by the user or group are allowed, denied, or audited. See also access control list, access mask, security descriptor.

Access control list (ACL)
A list of security protections that apply to an entire object, a set of the object’s properties, or an individual property of an object. There are two types of access control lists: discretionary and system. See also access control entry, discretionary access control list, security descriptor, system access control list.

Access mask
A 32-bit value that specifies the rights that are allowed or denied in an access control entry (ACE) of an access control list (ACL). An access mask is also used to request access rights when an object is opened. See also access control entry.

Access token
A data structure containing security information that identifies a user to the security subsystem on a computer running Windows 2000 or Windows NT. An access token contains a user’s security ID, the security IDs for groups that the user belongs to, and a list of the user’s privileges on the local computer. See also privilege, security ID.

Accessibility
The quality of a system incorporating hardware or software to engage a flexible, customizable user interface, alternative input and output methods, and greater exposure of screen elements to make the computer usable by people with cognitive, hearing, physical, or visual disabilities.

Accessibility status indicators
Icons on the system status area of the taskbar of the Windows desktop that let the user know which accessibility features are activated.

Accessibility Wizard
An interactive tool that makes it easier to set up commonly used accessibility features by specifying options by type of disability, rather than by numeric value changes.

ACPI
See Advanced Configuration and Power Interface.

Active Accessibility
A core component in the Windows operating system that is built on COM and defines how applications can exchange information about user interface elements.

Active Directory
The directory service included with Windows 2000 Server. It stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects. See also directory, directory service.

ActiveX
A set of technologies that enable software components to interact with one another in a networked environment, regardless of the language in which the components were created.

Administrator
See system administrator.

Advanced Configuration and Power Interface (ACPI)
An open industry specification that defines power management on a wide range of mobile, desktop, and server computers and peripherals. ACPI is the foundation for the OnNow industry initiative that allows system manufacturers to deliver computers that will start at the touch of a keyboard. ACPI design is essential to take full advantage of power management and Plug and Play in Windows 2000. Check the manufacturer’s documentation to verify that a computer is ACPI-compliant. See also Plug and Play.

Advanced Power Management (APM)
A software interface (designed by Microsoft and Intel) between hardware-specific power management software (such as that located in a system BIOS) and an operating system power management driver.

Advertisement
In Windows 2000, the Software Installation snap-in generates an application advertisement script and stores this script in the appropriate locations in Active Directory and the Group Policy object.

Allocation unit
In file systems an allocation unit is the smallest amount of disk space that can be allocated to hold a file. All file systems used by Windows 2000 organize hard disks based on allocation units. The smaller the allocation unit size, the more efficiently a disk stores information. If no allocation unit size is specified during formatting, Windows 2000 chooses default sizes based on the size of the volume and the file system used. These defaults are selected to reduce the amount of space lost and the amount of fragmentation on the volume. Also called cluster.

American Standard Code for Information Interchange (ASCII)
A standard single byte character-encoding scheme used for text-based data. ASCII uses designated 7-bit or 8-bit number combinations to represent either 128 or 256 possible characters. Standard ASCII uses 7 bits to represent all uppercase and lowercase letters, the numbers 0 through 9, punctuation marks, and special control characters used in U.S. English. Most current x86 systems support the use of extended (or “high”) ASCII. Extended ASCII allows the eighth bit of each character to identify an additional 128 special symbol characters, foreign-language letters, and graphic symbols. See also Unicode.

Answer file
A text file that you can use to provide automated input for unattended installation of Windows 2000. This input includes parameters to answer the questions required by Setup for specific installations. In some cases, you can use this text file to provide input to wizards, such as the Active Directory Installation wizard, which is used to add Active Directory to Windows 2000 Server through Setup. The default answer file for Setup is known as Unattend.txt.

API
See application programming interface.

APM
See Advanced Power Management.

Application media pool
A data repository that determines which media can be accessed by which applications and that sets the policies for that media. There can be any number of application media pools in a Removable Storage system. Applications create application media pools.

Application programming interface (API)
A set of routines that an application uses to request and carry out lower-level services performed by a computer’s operating system. These routines usually carry out maintenance tasks such as managing files and displaying information.

Assistive technology
System extensions, programs, devices, and utilities added to a computer to make it more accessible to users with disabilities.

Asynchronous communication
A form of data transmission in which information is sent and received at irregular intervals, one character at a time. Because data is received at irregular intervals, the receiving modem must be signaled to inform it when the data bits of a character begin and end. This is done by means of start and stop bits.

Asynchronous Transfer Mode (ATM)
A high-speed connection-oriented protocol used to transport many different types of network traffic.

ATM
See Asynchronous Transfer Mode.

Attribute (object)
In Active Directory, an attribute describes characteristics of an object and the type of information an object can hold. For each object class, the schema defines what attributes an instance of the class must have and what additional attributes it might have.

Auditing
To track the activities of users by recording selected types of events in the security log of a server or a workstation.

Authentication
A basic security function of cryptography. Authentication verifies the identity of the entities that communicate over the network. For example, the process that verifies the identity of a user who logs on to a computer either locally, at a computer’s keyboard, or remotely, through a network connection. See also cryptography, confidentiality, integrity, Kerberos authentication protocol, nonrepudiation, NTLM authentication protocol.

Authentication Header (AH)
A header that provides integrity, authentication, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet).

Authoritative
In the Domain Name System (DNS), the use of zones by DNS servers to register and resolve a DNS domain name. When a DNS server is configured to host a zone, it is authoritative for names within that zone. DNS servers are granted authority based on information stored in the zone. See also zone.

Automated installation
An unattended setup using one or more of several methods such as Remote Installation Services, bootable CD, and SysPrep.

Automatic caching
A method of automatically storing network files on a user’s hard disk drive whenever a file is open so the files can be accessed when the user is not connected to the network.

Automatic Private IP Addressing (APIPA)
A feature of Windows 2000 TCP/IP that automatically configures a unique IP address from the range 169.254.0.1 to 169.254.255.254 and a subnet mask of 255.255.0.0 when the TCP/IP protocol is configured for dynamic addressing and a Dynamic Host Configuration Protocol (DHCP) Server is not available.

Available state
A state in which media can be allocated for use by applications.

Averaging counter
A type of counter that measures a value over time and displays the average of the last two measurements over some other factor (for example, PhysicalDisk\Avg. Disk Bytes/Transfer).

B

Backup
A duplicate copy of a program, a disk, or data, made either for archiving purposes or for safeguarding valuable files from loss should the active copy be damaged or destroyed. Some application programs automatically make backup copies of data files, maintaining both the current version and the preceding version.

Backup operator
A type of local or global group that contains the user rights needed to back up and restore files and folders. Members of the Backup Operators group can back up and restore files and folders regardless of ownership, access permissions, encryption, or auditing settings. See also auditing, global group, local group, user rights.

Backup types
A type that determines which data is backed up and how it is backed up. There are five backup types: copy, daily, differential, incremental, and normal. See also copy backup, daily backup, differential backup, incremental backup, normal backup.

Bad block
A disk sector that can no longer be used for data storage, usually due to media damage or imperfections.

Bandwidth
In analog communications, the difference between the highest and lowest frequencies in a given range. For example, a telephone line accommodates a bandwidth of 3,000 Hz, the difference between the lowest (300 Hz) and highest (3,300 Hz) frequencies it can carry. In digital communications, the rate at which information is sent expressed in bits per second (bps).

Barcode
A machine-readable label that identifies an object, such as physical media.

Base file record
The first file record in the master file table (MFT) for a file that has multiple file records. The base file record is the record to which the file’s file reference corresponds.

Baseline
A range of measurements derived from performance monitoring that represents acceptable performance under typical operating conditions.

Basic disk
A physical disk that contains primary partitions or extended partitions with logical drives used by Windows 2000 and all versions of Windows NT. Basic disks can also contain volume, striped, mirror, or RAID-5 sets that were created using Windows NT 4.0 or earlier. As long as a compatible file format is used, MS-DOS, Windows 95, Windows 98, and all versions of Windows NT can access basic disks.

Basic input/output system (BIOS)
The set of essential software routines that tests hardware at startup, assists with starting the operating system, and supports the transfer of data among hardware devices. The BIOS is stored in read-only memory (ROM) so that it can be executed when the computer is turned on. Although critical to performance, the BIOS is usually invisible to computer users.

Basic volume
A volume on a basic disk. Basic volumes include primary partitions, logical drives within extended partitions, as well as volume, striped, mirror, or RAID-5 sets that were created using Windows NT 4.0 or earlier. Only basic disks can contain basic volumes. Basic and dynamic volumes cannot exist on the same disk.

Batch program
An ASCII (unformatted text) file containing one or more Windows NT or Windows 2000 commands. A batch program’s filename has a .BAT extension. When you type the filename at the command prompt, the commands are processed sequentially. “Script” is often used interchangeably with “batch program” in the Windows NT and Windows 2000 environment.

Bi-directional communication
Communication that occurs in two directions simultaneously. Bi-directional communication is useful in printing where jobs can be sent and printer status can be returned at the same time.

Binding
A process by which software components and layers are linked together. When a network component is installed, the binding relationships and dependencies for the components are established. Binding allows components to communicate with each other.

Binding order
The sequence in which software components, network protocols and network adapters are linked together. When a network component is installed, the binding relationships and dependencies for the components are established.

BIOS
See basic input/output system.

BIOS parameter block (BPB)
A series of fields containing data on disk size, geometry variables, and the physical parameters of the volume. The BPB is located within the boot sector.

Boot sector
A critical disk structure for starting your computer, located at sector 1 of each volume or floppy disk. It contains executable code and data that is required by the code, including information used by the file system to access the volume. The boot sector is created when you format the volume.

Bootable CD
An automated installation method that runs Setup from a CD-ROM. This method is useful for computers at remote sites with slow links and no local IT department. See also automated installation.

Bottleneck
A condition, usually involving a hardware resource, which causes the entire system to perform poorly.

BounceKeys
A keyboard filter that assists users whose fingers bounce on the keys when pressing or releasing them.

Bound trap
In programming, a problem in which a set of conditions exceeds a permitted range of values that causes the microprocessor to stop what it is doing and handle the situation in a separate routine.

Browsing
The process of creating and maintaining an up-to-date list of computers and resources on a network or part of a network by one or more designated computers running the Computer Browser service. See also Computer Browser service.

Bulk encryption
A process in which large amounts of data, such as files, e-mail messages, or online communications sessions, are encrypted for confidentiality. It is usually done with a symmetric key algorithm. See also encryption, symmetric key encryption.

C

Cable modem
A modem that provides broadband Internet access in the range of 10 to 30 Mbps.

Cache
For DNS and WINS, a local information store of resource records for recently resolved names of remote hosts. Typically, the cache is built dynamically as the computer queries and resolves names; it helps optimize the time required to resolve queried names. See also cache file, naming service, resource record.

Cache file
A file used by the Domain Name System (DNS) server to preload its names cache when service is started. Also known as the “root hints” file because resource records stored in this file are used by the DNS service to help locate root servers that provide referral to authoritative servers for remote names. For Windows DNS servers, the cache file is named Cache.dns and is located in the %SystemRoot%\System32\Dns folder. See also authoritative, cache, systemroot.

Caching
The process of storing recently-used data values in a special pool in memory where they are temporarily held for quicker subsequent accesses. For DNS, the ability of DNS servers to store information about the domain namespace learned during the processing and resolution of name queries. In Windows 2000, caching is also available through the DNS client service (resolver) as a way for DNS clients to keep a cache of name information learned during recent queries.

Caching resolver
For Windows 2000, a client-side Domain Name System (DNS) name resolution service that performs caching of recently learned DNS domain name information. The caching resolver service provides system-wide access to DNS-aware programs for resource records obtained from DNS servers during the processing of name queries. Data placed in the cache is used for a limited period of time and aged according to the active Time To Live (TTL) value. You can set the TTL either individually for each resource record (RR) or default to the minimum TTL set in the start of authority RR for the zone. See also cache, caching, expire interval, minimum TTL, resolver, resource record, Time To Live (TTL).

Callback number
The number that a RAS server uses to call back a user. This number can be preset by the administrator or specified by the user at the time of each call, depending on how the administrator configures the user’s callback status. The callback number should be the number of the phone line to which the user’s modem is connected.

CardBus
A 32-bit PC Card.

Cartridge
A unit of media of a certain type, such as 8mm tape, magnetic disk, optical disk, or CD-ROM, used by Removable Storage.

Central Processing Unit (CPU)
The part of a computer that has the ability to retrieve, interpret, and execute instructions and to transfer information to and from other resources over the computer’s main data-transfer path, the bus. By definition, the CPU is the chip that functions as the “brain” of a computer.

Certificate
A digital document that is commonly used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority and can be issued for a user, a computer, or a service. The most widely accepted format for certificates is defined by the ITU-T X.509 version 3 international standard. See also certification authority, private key, public key.

Certificate Services
The Windows 2000 service that issues certificates for a particular CA. It provides customizable services for issuing and managing certificates for the enterprise. See also certificate, certification authority.

Certification authority (CA)
An entity responsible for establishing and vouching for the authenticity of public keys belonging to users (end entities) or other certification authorities. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and certificate revocation. See also certificate, public key.

Certified-for-Windows Logo
A specification that addresses the requirements of computer users with disabilities to ensure quality and consistency in assistive devices.

Challenge Handshake Authentication Protocol (CHAP)
A challenge-response authentication protocol for PPP connections documented in RFC 1994 that uses the industry-standard Message Digest 5 (MD5) one-way encryption scheme to hash the response to a challenge issued by the remote access server.

Change journal
A feature new to Windows 2000 that tracks changes to NTFS volumes, including additions, deletions, and modifications. The change journal exists on the volume as a sparse file.

Changer
The robotic element of an online library unit.

CHAP
See Challenge Handshake Authentication Protocol.

Child object
An object that is the immediate subordinate of another object in a hierarchy. A child object can have only one immediate superior, or parent, object. Depending on its class, a child object can also be the parent of other objects. In Active Directory, the schema determines what classes of objects can be child objects of what other classes of objects. See also object, parent object.

CIM (COM Information Model) Object Manager (CIMOM)
A system service that handles interaction between network management applications and providers of local or remote data or system events.

Cipher text
Text that has been encrypted using an encryption key. Cipher text is meaningless to anyone who does not have the decryption key. See also decryption, encryption, encryption key, plaintext.

Client
Any computer or program connecting to, or requesting services of, another computer or program. See also server.

Cluster
A group of independent computer systems known as nodes or hosts, that work together as a single system to ensure that mission-critical applications and resources remain available to clients. A server cluster is the type of cluster that the Cluster service implements. Network Load Balancing provides a software solution for clustering multiple computers running Windows 2000 Server that provides networked services over the Internet and private intranets. In file systems a cluster is the smallest amount of disk space that can be allocated to hold a file. All file systems used by Windows 2000 organize hard disks based on clusters. The smaller the cluster size, the more efficiently a disk stores information. If no cluster size is specified during formatting, Windows 2000 chooses default sizes based on the size of the volume and the file system used. These defaults are selected to reduce the amount of space lost and the amount of fragmentation on the volume. Also called allocation units.

Cluster remapping
A recovery technique used when Windows 2000 returns a bad sector error to NTFS. NTFS dynamically replaces the cluster containing the bad sector and allocates a new cluster for the data. If the error occurs during a read, NTFS returns a read error to the calling program, and the data is lost. If the error occurs during a write, NTFS writes the data to the new cluster, and no data is lost.

Code page
A page that maps character codes to individual characters. Different code pages include different special characters, typically customized for a language or a group of languages. The system uses code pages to translate keyboard input into character values for non-Unicode based applications, and to translate character values into characters for non-Unicode based output displays.

COM
See Component Object Model.

COM port
Short for communications port, the logical address assigned by MS-DOS (versions 3.3 and higher) and Microsoft Windows (including Windows 95, Windows 98, Windows NT and Windows 2000) to each of the four serial ports on an IBM Personal Computer or a PC compatible. COM ports are also known as the actual serial ports on a PC where peripherals, such as printers, scanners, and external modems, are plugged in.

Commit a transaction
To record in the log file the fact that a transaction is complete and has been recorded in the cache.

Common Internet File System (CIFS)
A protocol and a corresponding API used by application programs to request higher level application services. CIFS was formerly known as SMB (Server Message Block).

Compact Disc File System (CDFS)
A 32-bit protected-mode file system that controls access to the contents of CD-ROM drives in Windows 2000.

Compact disc-recordable (CD-R)
A type of CD-ROM that can be written once on a CD recorder and read on a CD-ROM drive.

Compact disc-rewritable (CD-RW)
A type of CD-ROM that can be written many times on a CD recorder and read on a CD-ROM drive.

Complementary metal-oxide semiconductor (CMOS)
The battery-packed memory that stores information, such as disk types and amount of memory, used to start the computer.

Component Object Model (COM)
An object-based programming model designed to promote software interoperability; it allows two or more applications or components to easily cooperate with one another, even if they were written by different vendors, at different times, in different programming languages, or if they are running on different computers running different operating systems. COM is the foundation technology upon which broader technologies can be built. Object linking and embedding (OLE) technology and ActiveX are both built on top of COM.

Computer Browser service
A service that maintains an up-to-date list of computers and provides the list to applications when requested. The Computer Browser service provides the computer lists displayed in the My Network Places, Select Computer, and Select Domain dialog boxes and (for Windows 2000 Server only) in the Server Manager window.

Confidentiality
A basic security function of cryptography. Confidentiality provides assurance that only authorized users can read or use confidential or secret information. Without confidentiality, anyone with network access can use readily available tools to eavesdrop on network traffic and intercept valuable proprietary information. For example, an Internet Protocol security service that ensures a message is disclosed only to intended recipients by encrypting the data. See also cryptography, authentication, integrity, nonrepudiation.

Console tree
The tree view pane in a Microsoft Management Console (MMC) that displays the hierarchical namespace. By default it is the left pane of the console window, but it can be hidden. The items in the console tree (for example, Web pages, folders, and controls) and their hierarchical organization determine the management capabilities of a console. See also Microsoft Management Console (MMC), namespace.

Container object
An object that can logically contain other objects. For example, a folder is a container object. See also noncontainer object, object.

Copy backup
A backup that copies all selected files but does not mark each file as having been backed up (that is, the archive bit is not set). A copy backup is useful between normal and incremental backups because copying does not affect these other backup operations. See also daily backup, differential backup, incremental backup, normal backup.

CPU
See Central Processing Unit.

Cryptography
The art and science of information security. It provides four basic information security functions: confidentiality, integrity, authentication, and nonrepudiation. See also confidentiality, integrity, authentication, nonrepudiation.

D

Daily backup
A backup that copies all selected files that have been modified the day the daily backup is performed. The backed-up files are not marked as having been backed up (that is, the archive bit is not set). See also copy backup, differential backup, incremental backup, normal backup.

Data confidentiality
A service provided by cryptographic technology to assure that data can be read only by authorized users or programs. In a network, data confidentiality ensures that intruders cannot read data. Windows 2000 uses access control mechanisms and encryption, such as DES, 3DES and RSA encryption algorithms, to ensure data confidentiality.

Data Encryption Standard (DES)
An encryption algorithm that uses a 56-bit key, and maps a 64-bit input block to a 64-bit output block. The key appears to be a 64-bit key, but one bit in each of the 8 bytes is used for odd parity, resulting in 56 bits of usable key.

Data integrity
A service provided by cryptographic technology that ensures data has not been modified. In a network environment, data integrity allows the receiver of a message to verify that data has not been modified in transit. Windows 2000 uses access control mechanisms and cryptography, such as RSA public-key signing and shared symmetric key one way hash algorithms, to ensure data integrity.

Data Link Control (DLC)
A protocol used primarily for IBM mainframe computers and printer connectivity.

Data packet
A unit of information transmitted as a whole from one device to another on a network.

Deallocate
To return media to the available state after they have been used by an application.

Decommissioned state
A state that indicates that media have reached their allocation maximum.

Decryption
The process of making encrypted data readable again by converting ciphertext to plaintext. See also ciphertext, encryption, plaintext.

Default gateway
A configuration item for the TCP/IP protocol that is the IP address of a directly reachable IP router. Configuring a default gateway creates a default route in the IP routing table.

Defragmentation
The process of rewriting parts of a file to contiguous sectors on a hard disk to increase the speed of access and retrieval. When files are updated, the computer tends to save these updates on the largest continuous space on the hard disk, which is often on a different sector than the other parts of the file. When files are thus fragmented, the computer must search the hard disk each time the file is opened to find all of the parts of the file, which slows down response time. In Active Directory, defragmentation rearranges how the data is written in the directory database file to compact it. See also fragmentation.

Desktop
The on-screen work area in which windows, icons, menus, and dialog boxes appear.

Destination directory
The directory (or folder) to which files are copied or moved. See also source directory.

Device driver
A program that allows a specific device, such as a modem, network adapter, or printer, to communicate with Windows 2000. Although a device can be installed on a system, Windows 2000 cannot use the device until the appropriate driver has been installed and configured. If a device is listed in the Hardware Compatibility List (HCL), a driver is usually included with Windows 2000. Device drivers load (for all enabled devices) when a computer is started, and thereafter run invisibly. See also Hardware Compatibility List (HCL).

Device Manager
An administrative tool that can be used to manage the devices on your computer. Use Device Manager to view and change device properties, update device drivers, configure device settings, and remove devices.

Device Tree
A hierarchical tree that contains the devices configured on the computer.

Differential backup
A backup that copies files created or changed since the last normal or incremental backup. It does not mark files as having been backed up (that is, the archive bit is not set). If you are performing a combination of normal and differential backups, restoring files and folders requires that you have the last normal as well as the last differential backup. See also copy backup, daily backup, incremental backup, normal backup.

Digital audio tape (DAT)
A magnetic medium for recording and storing digital audio data.

Digital certificate
See certificate.

Digital linear tape (DLT)
A magnetic medium for backing up data. DLT can transfer data faster than many other types of tape media.

Digital signature
A means for originators of a message, file, or other digitally encoded information to bind their identity to the information. The process of digitally signing information entails transforming the information, as well as some secret information held by the sender, into a tag called a signature. Digital signatures are used in public key environments and they provide nonrepudiation and integrity services. See also public key cryptography.

Digital subscriber line (DSL)
A special communication line that uses modulation technology to maximize the amount of data that can be sent over copper wires. DSL is used for connections from telephone switching stations to a subscriber rather than between switching stations.

Direct hosting
A feature that allows Windows 2000 computers using Microsoft file and print sharing to communicate over a communications protocol, such as TCP or IPX, bypassing the NetBIOS layer.

Direct memory access (DMA)
Memory access that does not involve the microprocessor. DMA is frequently used for data transfer directly between memory and a peripheral device, such as a disk drive.

Directory
An information source that contains information about computer files or other objects. In a file system, a directory stores information about files. In a distributed computing environment (such as a Windows 2000 domain), the directory stores information about objects such as printers, applications, databases, and users.

Directory service
Both the directory information source and the service that make the information available and usable. A directory service enables the user to find an object given any one of its attributes. See also Active Directory, directory.

Disable
To make a device nonfunctional. For example, if a device in a hardware profile is disabled, the device cannot be used while using that hardware profile. Disabling a device frees the resources that were allocated to the device.

Discretionary access control list (DACL)
The part of an object’s security descriptor that grants or denies specific users and groups permission to access the object. Only the owner of an object can change permissions granted or denied in a DACL; thus access to the object is at the owner’s discretion. See also access control entry, object, security descriptor, system access control list.

Disk bottleneck
A condition that occurs when disk performance is reduced to the extent that overall system performance is affected.

Disk quota
The maximum amount of disk space available to a user.

Dismount
To remove a removable tape or disc from a drive. See also library.

Distinguished name
A name that uniquely identifies an object by using the relative distinguished name for the object, plus the names of container objects and domains that contain the object. The distinguished name identifies the object as well as its location in a tree. Every object in Active Directory has a distinguished name. An example of a distinguished name is CN=MyName,CN=Users,DC=Reskit,DC=Com. This distinguished name identifies the “MyName” user object in the reskit.com domain.

Distributed file system (DFS)
A Windows 2000 service consisting of software residing on network servers and clients that transparently links shared folders located on different file servers into a single namespace for improved load sharing and data availability.

Distribution folder
The folder created on the Windows 2000 distribution server to contain the Setup files.

DMA
See direct memory access.

DNS
See Domain Name System.

DNS server
A computer that runs DNS server programs containing name-to-IP address mappings, IP address-to-name mappings, information about the domain tree structure, and other information. DNS servers also attempt to resolve client queries.

DNS zone
In a DNS database, a zone is a contiguous portion of the DNS tree that is administered as a single separate entity, by a DNS server. The zone contains resource records for all the names within the zone.

Domain
In Windows 2000 and Active Directory, a collection of computers defined by the administrator of a Windows 2000 Server network that share a common directory database. A domain has a unique name and provides access to the centralized user accounts and group accounts maintained by the domain administrator. Each domain has its own security policies and security relationships with other domains and represents a single security boundary of a Windows 2000 computer network. Active Directory is made up of one or more domains, each of which can span more than one physical location. For DNS, a domain is any tree or subtree within the DNS namespace. Although the names for DNS domains often correspond to Active Directory domains, DNS domains should not be confused with Windows 2000 and Active Directory networking domains.

Domain controller
For a Windows NT Server or Windows 2000 Server domain, the server that authenticates domain logons and maintains the security policy and the security accounts master database for a domain. Domain controllers manage user access to a network, which includes logging on, authentication, and access to the directory and shared resources.

Domain local group
A Windows 2000 group only available in native mode domains that can contain members from anywhere in the forest, in trusted forests, or in a trusted pre-Windows 2000 domain. Domain local groups can only grant permissions to resources within the domain in which they exist. Typically, domain local groups are used to gather security principals from across the forest to control access to resources within the domain.

Domain name
In Windows 2000 and Active Directory, the name given by an administrator to a collection of networked computers that share a common directory. For DNS, domain names are specific node names in the DNS namespace tree. DNS domain names use singular node names, known as “labels,” joined together by periods (.) that indicate each node level in the namespace. See also Domain Name System (DNS), namespace.

Domain Name System (DNS)
A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and vice versa. This allows users, computers, and applications to query the DNS to specify remote systems by fully qualified domain names rather than by IP addresses. See also domain, Ping.

Domain tree
In DNS, the inverted hierarchical tree structure that is used to index domain names. Domain trees are similar in purpose and concept to the directory trees used by computer filing systems for disk storage. See also domain name, namespace.

DOT4
See IEEE 1284.4

Dual boot
A computer configuration that can start two different operating systems. See also multiple boot.

DVD decoder
A hardware or software component that allows a digital video disc (DVD) drive to display movies on your computer screen. See also DVD disc, DVD drive.

DVD disc
A type of optical disc storage technology. A digital video disc (DVD) looks like a CD-ROM disc, but it can store greater amounts of data. DVD discs are often used to store full-length movies and other multimedia content that requires large amounts of storage space. See also DVD decoder, DVD drive.

DVD drive
A disk storage device that uses digital video disc (DVD) technology. A DVD drive reads both CD-ROM and DVD discs; however, a DVD decoder is necessary to display DVD movies on your computer screen. See also DVD decoder, DVD disc.

Dvorak keyboard
An alternative keyboard with a layout that makes the most frequently typed characters more accessible to people who have difficulty typing on the standard QWERTY layout.

Dynamic disk
A physical disk that is managed by Disk Management. Dynamic disks can contain only dynamic volumes (that is, volumes created by using Disk Management). Dynamic disks cannot contain partitions or logical drives, nor can MS-DOS access them. See also dynamic volume, partition.

Dynamic Host Configuration Protocol (DHCP)
A networking protocol that provides safe, reliable, and simple TCP/IP network configuration and offers dynamic configuration of Internet Protocol (IP) addresses for computers. DHCP ensures that address conflicts do not occur and helps conserve the use of IP addresses through centralized management of address allocation.

Dynamic priority
The priority value to which a thread’s base priority is adjusted to optimize scheduling.

Dynamic volume
A logical volume that is created using Disk Management. Dynamic volumes include simple, spanned, striped, mirrored, and RAID-5 volumes. Dynamic volumes must be created on dynamic disks. See also dynamic disk, volume.

Dynamic-link library (DLL)
A feature of the Microsoft Windows family of operating systems and the OS/2 operating system. DLLs allow executable routines, generally serving a specific function or set of functions, to be stored separately as files with .dll extensions, and to be loaded only when needed by the program that calls them.

E

EAP
See Extensible Authentication Protocol

EIDE
See Enhanced Integrated Drive Electronics

Embedded object
Information created in another application that has been pasted inside a document. When information is embedded, you can edit it in the new document by using toolbars and menus from the original program. When you double-click the embedded icon, the toolbars and menus from the program used to create the information appear. Embedded information is not linked to the original file. If you change information in one place, it is not updated in the other. See also linked object.

Emergency repair disk (ERD)
A disk, created by the Backup utility, that contains copies of three of the files stored in the %SystemRoot%/Repair folder, including Setup.log that contains a list of system files installed on the computer. This disk can be used during the Emergency Repair Process to repair your computer if it will not start or if your system files are damaged or erased.

Encapsulating security payload (ESP)
An IPSec protocol that provides confidentiality, in addition to authentication, integrity, and anti-replay. ESP can be used alone, in combination with AH, or nested with the Layer Two Tunneling Protocol (L2TP). ESP does not normally sign the entire packet unless it is being tunneled. Ordinarily, just the data payload is protected, not the IP header.

Encrypting File System (EFS)
A new feature in Windows 2000 that protects sensitive data in files that is stored on disk using the NTFS file system. It uses symmetric key encryption in conjunction with public key technology to provide confidentiality for files. It runs as an integrated system service, which makes EFS easy to manage, difficult to attack, and transparent to the file owner and to applications.

Encryption
The process of disguising a message or data in such a way as to hide its substance.

Encryption key
A bit string that is used in conjunction with an encryption algorithm to encrypt and decrypt data. See also public key, private key, symmetric key.

Enhanced Integrated Drive Electronics (EIDE)
An extension of the IDE standard, EIDE is a hardware interface standard for disk drive designs that houses control circuits in the drives themselves. It allows for standardized interfaces to the system bus, while providing for advanced features, such as burst data transfers and direct data access.

Enterprise Resource Planning (ERP)
A software system designed to support and automate the processes of an organization, including manufacturing and distribution, accounting, project management and personnel functions.

Environment variable
A string consisting of environment information, such as a drive, path, or filename, associated with a symbolic name that can be used by Windows NT and Windows 2000. Use the System option in Control Panel or the set command from the command prompt to define environment variables.

ERD
See emergency repair disk.

Ethernet
An IEEE 802.3 standard for contention networks. Ethernet uses a bus or star topology and relies on the form of access known as Carrier Sense Multiple Access with Collision Detection (CSMA/CD) to regulate communication line traffic. Network nodes are linked by coaxial cable, fiber-optic cable, or by twisted-pair wiring. Data is transmitted in variable-length frames containing delivery and control information and up to 1,500 bytes of data. The Ethernet standard provides for baseband transmission at 10 megabits (10 million bits) per second.

Exabytes
Approximately one quintillion bytes, or one billion billion bytes.

Expire interval
For DNS, the number of seconds that DNS servers operating as secondary masters for a zone use to determine if zone data should be expired when the zone is not refreshed and renewed. See also zone.

Explicit trust relationship
A trust relationship from Windows NT in which an explicit link is made in one direction only. Explicit trusts can also exist between Windows NT domains and Windows 2000 domains, and between forests.

Export
In NFS, to make a file system available by a server to a client for mounting.

Extended Industry Standard Architecture (EISA)
A 32-bit bus standard introduced in 1988 by a consortium of nine computer-industry companies. EISA maintains compatibility with the earlier Industry Standard Architecture (ISA) but provides for additional features.

Extended partition
A portion of a basic disk that can contain logical drives. To have more than four volumes on your basic disk, you need to use an extended partition. Only one of the four partitions allowed per physical disk can be an extended partition, and no primary partition needs to be present to create an extended partition. You can create extended partitions only on basic disks. See also basic disk, logical drive, partition, primary partition, unallocated space.

Extensible Authentication Protocol (EAP)
An extension to PPP that allows for arbitrary authentication mechanisms to be employed for the validation of a PPP connection.

Extensible Markup Language (XML)
A meta-markup language that provides a format for describing structured data. This facilitates more precise declarations of content and more meaningful search results across multiple platforms. In addition, XML will enable a new generation of Web-based data viewing and manipulation applications.

F

FAT32
A derivative of the file allocation table file system. FAT32 supports smaller cluster sizes than FAT in the same given disk space, which results in more efficient space allocation on FAT32 drives. See also file allocation table, NTFS file system.

Fault tolerance
The assurance of data integrity when hardware failures occur. On the Windows NT and Windows 2000 platforms, fault tolerance is provided by the Ftdisk.sys driver.

Fiber Distributed Data Interface (FDDI)
A type of network media designed to be used with fiber-optic cabling. See also LocalTalk, Token Ring.

File allocation table (FAT)
A file system based on a file allocation table (FAT) maintained by some operating systems, including Windows NT and Windows 2000, to keep track of the status of various segments of disk space used for file storage.

File record
The row in the master file table (MFT) that corresponds to a particular disk file. The file record is identified by its file reference.

File system
In an operating system, the overall structure in which files are named, stored, and organized. NTFS, FAT, and FAT32 are types of file systems.

File system cache
An area of physical memory that holds frequently used pages. It allows applications and services to locate pages rapidly and reduces disk activity.

File Transfer Protocol (FTP)
A protocol that defines how to transfer files from one computer to another over the Internet. FTP is also a client/server application that moves files using this protocol.

Filter
In IPSec, a rule that provides the ability to trigger security negotiations for a communication based on the source, destination, and type of IP traffic. See also search filter.

FilterKeys A Windows 2000 accessibility feature that allows people with physical disabilities to adjust keyboard response time. See also BounceKeys, RepeatKeys, SlowKeys.

Firewall A combination of hardware and software that provides a security system, usually to prevent unauthorized access from outside to an internal network or intranet. A firewall prevents direct communication between network and external computers by routing communication through a proxy server outside of the network. The proxy server determines whether it is safe to let a file pass through to the network. A firewall is also called a security-edge gateway.

Folder redirection A Group Policy option that allows you to redirect designated folders to the network.

Foreground boost A mechanism that increases the priority of a foreground application.

Forest A collection of one or more Windows 2000 Active Directory trees, organized as peers and connected by two-way transitive trust relationships between the root domains of each tree. All trees in a forest share a common schema, configuration, and Global Catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace.

Fragmentation The scattering of parts of the same disk file over different areas of the disk. Fragmentation occurs as files on a disk are deleted and new files are added. It slows disk access and degrades the overall performance of disk operations, although usually not severely. See also defragmentation.

Free media pool A logical collection of unused data-storage media that can be used by applications or other media pools. When media are no longer needed by an application, they are returned to a free media pool so that they can be used again. See also media pool, Removable Storage.

local group. IP router. Gateway A device connected to multiple physical TCP/IP networks. admission control and call management services in H. See also IP address.442 Appendix B: Glossary G Gatekeeper A server that uses a directory to perform name-to-IP address translation. The attributes in the Global Catalog are those most frequently used in search operations (such as a user’s first and last names) and those attributes that are required to locate a full replica of the object. Global Catalog A domain controller that contains a partial replica of every domain directory partition in the forest as well as a full replica of its own domain directory partition and the schema and configuration directory partitions. a global group can contain user accounts only from its own domain. .323 conferencing. The attributes replicated into the Global Catalog include a base set defined by Microsoft. Global group For Windows 2000 Server. A gateway translates between different transport protocols or data formats (for example. a group that can be used in its own domain. See also group. The Global Catalog enables users and applications to find objects in Active Directory given one or more attributes of the target object. without knowing what domain holds the object. capable of routing or delivering IP packets between them. but each object includes a limited number of its attributes. The Global Catalog holds a replica of every object in Active Directory. in member servers and in workstations of the domain. and in trusting domains. IPX and IP) and is generally added to a network primarily for its translation ability. In all those places a global group can be granted rights and permissions and can become a member of local groups. The Active Directory replication system builds the Global Catalog automatically. Administrators can specify additional properties to meet the needs of their installation. However.

Globally unique identifier (GUID) A 16-byte value generated from the unique identifier on a device, the current date and time, and a sequence number. A GUID is used to identify a particular device or component.

Graphical Identification and Authentication (GINA) A DLL loaded during the Windows 2000 Winlogon process, which displays the standard logon dialog box, collects, and processes user logon data for verification.

Graphical user interface (GUI) A display format, like that of Windows, which represents a program’s functions with graphic images such as buttons and icons. GUIs allow a user to perform operations and make choices by pointing and clicking with a mouse.

Group A collection of users, computers, contacts, and other groups. Groups can be used as security or as e-mail distribution collections. Distribution groups are used only for e-mail. Security groups are used both to grant access to resources and as e-mail distribution lists. In a server cluster, a group is a collection of resources, and the basic unit of failover. See also domain local group, global group, native mode, universal group.

Group Identification (GID) A group identifier that uniquely identifies a group of users. UNIX uses the GID to identify the group ownership of a file, and to determine access permissions.

Group memberships The groups to which a user account belongs. Permissions and rights granted to a group are also provided to its members. In most cases, the actions a user can perform in Windows 2000 are determined by the group memberships of the user account to which the user is logged on. See also group.

Group Policy An administrator’s tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization. In an Active Directory environment, Group Policy is applied to users or computers on the basis of their membership in sites, domains, or organizational units.

Group Policy object A collection of Group Policy settings. Group Policy objects are the documents created by the Group Policy snap-in. Group Policy objects are stored at the domain level, and they affect users and computers contained in sites, domains, and organizational units. Each Windows 2000-based computer has exactly one group of settings stored locally, called the local Group Policy object.

H

H.323 The ITU-T standard for multimedia communications over networks that do not provide a guaranteed quality of service. This standard provides specifications for workstations, devices, and services to carry real-time video, audio, and data or any combination of these elements. See also QoS.

Hardware abstraction layer (HAL) A thin layer of software provided by the hardware manufacturer that hides, or abstracts, hardware differences from higher layers of the operating system. Through the filter provided by the HAL, different types of hardware all look alike to the rest of the operating system. This allows Windows NT and Windows 2000 to be portable from one hardware platform to another. The HAL also provides routines that allow a single device driver to support the same device on all platforms. The HAL works closely with the kernel.

Hardware Compatibility List (HCL) A list of the devices supported by Windows 2000, available from the Microsoft Web site.

Hardware malfunction message A character-based, full-screen error message displayed on a blue background. It indicates the microprocessor detected a hardware error condition from which the system cannot recover.

Hardware profile A set of changes to the standard configuration of devices and services (including drivers and Win32 services) loaded by Windows 2000 when the system starts. For example, a hardware profile can include an instruction to disable (that is, not load) a driver, or an instruction not to connect an undocked laptop computer to the network. Because of the instructions in this subkey, users can modify the service configuration for a particular use while preserving the standard configuration unchanged for more general uses.

Hardware type A classification for similar devices. For example, Imaging Device is a hardware type for digital cameras and scanners.

Heartbeat thread A thread initiated by the Windows NT Virtual DOS Machine (NTVDM) process that interrupts every 55 milliseconds to simulate a timer interrupt.

Hop In data communications, one segment of the path between routers on a geographically dispersed network. A hop is comparable to one “leg” of a journey that includes intervening stops between the starting point and the destination. The distance between each of those stops (routers) is a communications hop.

Hosts A local text file in the same format as the 4.3 Berkeley Software Distribution (BSD) UNIX /etc/hosts file. This file maps host names to IP addresses. In Windows 2000, this file is stored in the \%SystemRoot%\System32\Drivers\Etc folder.

Hot keys A Windows feature that allows quick activation of specified accessibility features through a combination of keys pressed in unison.

HTML+Time A new feature in Microsoft Internet Explorer 5 that adds timing and media synchronization support to HTML pages. Using a few Extensible Markup Language (XML)-based elements and attributes, you can add images, video, and sounds to an HTML page, and synchronize them with HTML text elements over a specified amount of time. In short, you can use HTML+TIME technology to quickly and easily create multimedia-rich, interactive presentations, with little or no scripting.

Human Interface Device (HID) A firmware specification that is a new standard for input and output devices such as drawing tablets, keyboards, USB speakers, and other specialized devices designed to improve accessibility.

Hypertext Markup Language (HTML) A simple markup language used to create hypertext documents that are portable from one platform to another. HTML files are simple ASCII text files with embedded codes (indicated by markup tags) to indicate formatting and hypertext links. HTML is used for formatting documents on the World Wide Web.

Hypertext Transfer Protocol (HTTP) The protocol used to transfer information on the World Wide Web. An HTTP address (one kind of Uniform Resource Locator [URL]) takes the form: http://www.microsoft.com.

I

I/O request packet (IRP) Data structures that drivers use to communicate with each other.

ICM See Image Color Management.

IDE See integrated device electronics.

IEEE 1284.4 An IEEE specification, also called DOT4, for supporting multi-function peripherals (MFPs). Windows 2000 has a driver called DOT4 that creates different port settings for each function of an MFP, enabling Windows 2000 print servers to simultaneously send data to multiple parts of an MFP.

IEEE 1394 (Firewire) A standard for high-speed serial devices such as digital video and digital audio editing equipment.

IIS See Internet Information Services.

ILS See Internet locator service.

Image Color Management (ICM) The process of image output correction. ICM attempts to make the output more closely match the colors that are input or scanned.

Impersonation A circumstance that occurs when Windows NT or Windows 2000 allows one process to take on the security attributes of another.

Import media pool A repository where Removable Storage puts media when it recognizes the on-media identifier (OMID), but does not have the media cataloged in the current Removable Storage database.

Incremental backup A backup that copies only those files created or changed since the last normal or incremental backup. It marks files as having been backed up (that is, the archive bit is set). If a combination of normal and incremental backups is used to restore your data, you need to have the last normal backup and all subsequent incremental backup sets. See also copy backup, daily backup, differential backup, normal backup.

Independent software vendors (ISVs) A third-party software developer, an individual or an organization that independently creates computer software.

Industry Standard Architecture (ISA) A bus design specification that allows components to be added as cards plugged into standard expansion slots in IBM Personal Computers and IBM compatible computers. Originally introduced in the IBM PC/XT with an 8-bit data path, ISA was expanded in 1984, when IBM introduced the PC/AT, to permit a 16-bit data path. A 16-bit ISA slot consists of two separate 8-bit slots mounted end-to-end so that a single 16-bit card plugs into both slots. An 8-bit expansion card can be inserted and used in a 16-bit slot (it occupies only one of the two slots), but a 16-bit expansion card cannot be used in an 8-bit slot. See also Extended Industry Standard Architecture.

Infrared (IR) Light that is beyond red in the color spectrum. While the light is not visible to the human eye, infrared transmitters and receivers can send and receive infrared signals. See also Infrared Data Association, infrared device, infrared port.

Infrared Data Association (IrDA) A networking protocol used to transmit data created by infrared devices. Infrared Data Association is also the name of the industry organization of computer, component, and telecommunications vendors who establish the standards for infrared communication between computers and peripheral devices, such as printers. See also infrared, infrared device, infrared port.

Infrared device A computer, or a computer peripheral such as a printer, that can communicate using infrared light. See also infrared.

Infrared port An optical port on a computer that enables communication with other computers or devices by using infrared light, without cables. Infrared ports can be found on some portable computers, printers, and cameras. See also infrared device.

Input/Output (I/O) port A channel through which data is transferred between a device and the microprocessor. The port appears to the microprocessor as one or more memory addresses that it can use to send or receive data.

Insert/Eject (IE) port IE ports, also called “mailslots,” offer limited access to the cartridges in a library managed by Removable Storage. When an administrator adds cartridges to a library through an IE port, the cartridges are placed in the IE port and then the library uses the transport to move the cartridges from the IE port to a slot. Some libraries have no IE ports; others have several. Some IE ports handle only one cartridge at a time; others can handle several at one time.

Instantaneous counter A type of counter that displays the most recent measurement taken by the Performance console.

Institute of Electrical and Electronics Engineers (IEEE) An organization of engineering and electronics professionals that are notable for developing standards for hardware and software.

Integrated device electronics (IDE) A type of disk-drive interface in which the controller electronics reside on the drive itself, eliminating the need for a separate adapter card. IDE offers advantages such as look-ahead caching to increase overall performance.

Integrated Services Digital Network (ISDN) A type of phone line used to enhance WAN speeds. ISDN lines can transmit at speeds of 64 or 128 kilobits per second, as opposed to standard phone lines, which typically transmit at 28.8 kilobits per second. The phone company must install an ISDN line at both the server site and the remote site. See also wide area network.

Integrity A basic security function of cryptography. Integrity provides verification that the original contents of information have not been altered or corrupted. Without integrity, someone might alter information or the information might become corrupted, but the alteration can go undetected. For example, an Internet Protocol security property that protects data from unauthorized modification in transit, ensuring that the data received is exactly the same as the data sent. Hash functions sign each packet with a cryptographic checksum, which the receiving computer checks before opening the packet. If the packet (and therefore signature) has changed, the packet is discarded. See also cryptography, authentication, confidentiality, nonrepudiation.

IntelliMirror A set of Windows 2000 features used for desktop change and configuration management. When IntelliMirror is used in both the server and client, the users’ data, applications, and settings follow them when they move to another computer.

Interactive logon A network logon from a computer keyboard, when the user types information in the Logon Information dialog box displayed by the computer’s operating system.

Internet A worldwide public TCP/IP internetwork consisting of thousands of networks, connecting research facilities, universities, libraries, and private companies.

Internet Control Message Protocol (ICMP) A required maintenance protocol in the TCP/IP suite that reports errors and allows simple connectivity. The Ping tool uses ICMP to perform TCP/IP troubleshooting.

Internet Information Services (IIS) Software services that support Web site creation, configuration, and management, along with other Internet functions. Internet Information Services include Network News Transfer Protocol (NNTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP). See also File Transfer Protocol, Network News Transfer Protocol, Simple Mail Transfer Protocol.

Internet Key Exchange (IKE) A protocol that establishes the security association and shared keys necessary for two parties to communicate with Internet Protocol security.

Internet locator service (ILS) An optional component of Microsoft Site Server that creates a dynamic directory of videoconferencing users.

Internet Printing Protocol (IPP) The protocol that uses the Hypertext Transfer Protocol (HTTP) to send print jobs to printers throughout the world. Windows 2000 supports Internet Printing Protocol (IPP) version 1.0.

Internet Protocol (IP) A routable protocol in the TCP/IP protocol suite that is responsible for IP addressing, routing, and the fragmentation and reassembly of IP packets.

Internet Protocol security (IPSec) A set of industry-standard, cryptography-based protection services and protocols. IPSec protects all protocols in the TCP/IP protocol suite and Internet communications using L2TP. See also Layer Two Tunneling Protocol.

Internet service provider (ISP) A company that provides individuals or companies access to the Internet and the World Wide Web. An ISP provides a telephone number, a user name, a password, and other connection information so users can connect their computers to the ISP’s computers. An ISP typically charges a monthly and/or hourly connection fee.

Internetwork Packet Exchange (IPX) A network protocol native to NetWare that controls addressing and routing of packets within and between LANs. IPX does not guarantee that a message will be complete (no lost packets). See also Internetwork Packet Exchange / Sequenced Packet Exchange.

Internetwork Packet Exchange / Sequenced Packet Exchange (IPX/SPX) Transport protocols used in Novell NetWare and other networks.

Interrupt A request for attention from the processor. When the processor receives an interrupt, it suspends its current operations, saves the status of its work, and transfers control to a special routine known as an interrupt handler, which contains the instructions for dealing with the particular situation that caused the interrupt.

Interrupt request (IRQ) A signal sent by a device to get the attention of the processor when the device is ready to accept or send information. Each device sends its interrupt requests over a specific hardware line, numbered from 0 to 15. Each device must be assigned a unique IRQ number.

Intranet A network within an organization that uses Internet technologies and protocols but is available only to certain people, such as employees of a company. An intranet is also called a private network.

IP address A 32-bit address used to identify a node on an IP internetwork. Each node on the IP internetwork must be assigned a unique IP address, which is made up of the network ID, plus a unique host ID. This address is typically represented with the decimal value of each octet separated by a period (for example, 192.168.7.27). In Windows 2000, the IP address can be configured manually or dynamically through DHCP. See also Dynamic Host Configuration Protocol, node.

IP router A system connected to multiple physical TCP/IP networks that can route or deliver IP packets between the networks. See also packet, router, routing, Transmission Control Protocol/Internet Protocol.

IPP See Internet Printing Protocol.

IPSec See Internet Protocol security.

IPSec driver A driver that uses the IP Filter List from the active IPSec policy to watch for outbound IP packets that must be secured and inbound IP packets that need to be verified and decrypted.

IPSec filter A part of IPSec security rules that make up an IPSec security policy. IPSec filters determine whether a data packet needs an IPSec action and what the IPSec action is, such as permit, block, or secure. Filters can classify traffic by criteria including source IP address, source subnet mask, source port, destination IP address, IP protocol type, and destination port. Filters are not specific to a network interface. See also IPSec security rules.

IPSec security rules Rules contained in the IPSec policy that govern how and when an IPSec is invoked. A rule triggers and controls secure communication when a particular source, destination, or traffic type is found. Each IPSec policy may contain one or many rules, any of which may apply to a particular packet. Default rules are provided which encompass a variety of clients and server-based communications or rules can be modified to meet custom requirements.

IrDA See Infrared Data Association.

IRP See I/O request packet.

Irtran-p A protocol that transfers images from cameras to Windows 2000 computers using infrared transmissions, making a physical cable connection unnecessary.

Isochronous Time dependent. Refers to processes where data must be delivered within certain time constraints. Multimedia streams require an isochronous transport mechanism to ensure that data is delivered as fast as it is displayed, and to ensure that the audio is synchronized with the video.

J

Job object A feature in the Win32 API set that makes it possible for groups of processes to be managed with respect to their processor usage and other factors.

K

Kerberos authentication protocol An authentication mechanism used to verify user or host identity. The Kerberos v5 authentication protocol is the default authentication service for Windows 2000. Internet Protocol security and the QoS Admission Control Service use the Kerberos protocol for authentication. See also Internet Protocol security, NTLM authentication protocol, QoS Admission Control Service.

Kernel The core of layered architecture that manages the most basic operations of the operating system and the computer’s processor for Windows NT and Windows 2000. The kernel schedules different blocks of executing code, called threads, for the processor to keep it as busy as possible and coordinates multiple processors to optimize performance. The kernel also synchronizes activities among Executive-level subcomponents, such as I/O Manager and Process Manager, and handles hardware exceptions and other hardware-dependent functions. The kernel works closely with the hardware abstraction layer.

Key A secret code or number required to read, modify, or verify secured data. Keys are used in conjunction with algorithms to secure data. Windows 2000 automatically handles key generation. For the registry, a key is an entry in the registry that can contain both subkeys and entries. In the registry structure, keys are analogous to folders, and entries are analogous to files. In the Registry Editor window, a key appears as a file folder in the left pane. In an answer file, keys are character strings that specify parameters from which Setup obtains the needed data for unattended installation of the operating system.

Keyboard filters Special timing and other devices that compensate for erratic motion tremors, slow response time, and other mobility impairments.

L

L2TP See Layer Two Tunneling Protocol.

LAN See local area network.

Last Known Good Configuration A hardware configuration available by pressing F8 during startup. If the current hardware settings prevent the computer from starting, the Last Known Good Configuration can allow the computer to be started and the configuration to be examined. When the Last Known Good Configuration is used, later configuration changes are lost.

Layer 2 forwarding (L2F) Permits the tunneling of the link layer of higher-level protocols. Using these tunnels, it is possible to separate the location of the initial dial-up server from the physical location at which the dial-up protocol connection is terminated and access to the network is provided. See also Layer Two Tunneling Protocol, tunnel.

Layer Two Tunneling Protocol (L2TP) A tunneling protocol that encapsulates PPP frames to be sent over IP, X.25, Frame Relay, or ATM networks. L2TP is a combination of the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F), a technology proposed by Cisco Systems, Inc.

Legend The area of the System Monitor graph or histogram display that shows computer name, object name, counter name, instances, and other information as a reference to the lines in the graph or the bars in the histogram.

Library A data-storage system, usually managed by Removable Storage. A library consists of removable media (such as tapes or discs) and a hardware device that can read from or write to the media. There are two major types of libraries: robotic libraries (automated multiple-media, multidrive devices) and stand-alone drive libraries (manually operated, single-drive devices). A robotic library is also called a jukebox or changer. See also Removable Storage.

Library request A request for an online library or stand-alone drive to perform a task. This request can be issued by an application or by Removable Storage.

Lightweight Directory Access Protocol (LDAP) A directory service protocol that runs directly over TCP/IP and the primary access protocol for Active Directory. LDAP version 3 is defined by a set of Proposed Standard documents in Internet Engineering Task Force (IETF) RFC 2251. See also Lightweight Directory Access Protocol application programming interface.

Lightweight Directory Access Protocol application programming interface (LDAP API) An API for experienced programmers who want to enable new or existing applications to connect to, search, and update LDAP servers. You can use the LDAP API to write directory-enabled applications that allow LDAP client applications to search for and retrieve information from an LDAP server. LDAP API enables the modification of directory objects, where such modifications are permitted. There are also functions that provide access control for servers, by allowing clients to authenticate themselves.

Line Printer A connectivity tool that runs on client systems and is used to print files to a computer running an LPD server. See also Line Printer Daemon.

Line Printer Daemon (LPD) A service on the print server that receives documents (print jobs) from line printer remote (LPR) tools running on client systems. See also Line Printer.

Line Printer Port Monitor A port monitor that is used to send jobs over TCP/IP from the client running Lprmon.dll to a print server running an LPD (Line Printer Daemon) service. Line Printer Port Monitor can be used to enable Internet printing, UNIX print servers, or Windows 2000 print servers over a TCP/IP network.

Line Printer Remote (LPR) See Line Printer.

Linked object An object that is inserted into a document but still exists in the source file. When information is linked, the new document is updated automatically if the information in the original document changes. See also embedded object.

Local area network (LAN) A communications network connecting a group of computers, printers, and other devices located within a relatively limited area (for example, a building). A LAN allows any connected device to interact with any other on the network. See also wide area network.

Local computer A computer that can be accessed directly without using a communications line or a communications device, such as a network adapter or a modem. Similarly, running a local program means running the program on your computer, as opposed to running it from a server.

Local group For computers running Windows 2000 Professional and member servers, a group that is granted permissions and rights from its own computer to only those resources on its own computer on which the group resides. See also global group.

Local Security Authority (LSA) A protected subsystem that authenticates and logs users onto the local system. In addition, the LSA maintains information about all aspects of local security on a system (collectively known as the local security policy), and provides various services for translation between names and identifiers.

Local user profile A computer-based record maintained about an authorized user that is created automatically on the computer the first time a user logs on to a computer running Windows 2000.

Localmon.dll The standard print monitor for use with printers connected directly to your computer. If you add a printer to your computer using a serial or parallel port (such as COM1 or LPT1), this is the monitor that is used.

LocalTalk The Apple networking hardware built into every Macintosh computer. LocalTalk includes the cables and connector boxes to connect components and network devices that are part of the AppleTalk network system. LocalTalk was formerly known as the AppleTalk Personal Network.

Locator service In a distributed system, a feature that allows a client to find a shared resource or server without providing an address or full name. Generally associated with Active Directory, which provides a locator service.

Logical drive A volume created within an extended partition on a basic disk. You can format and assign a drive letter to a logical drive. Only basic disks can contain logical drives. A logical drive cannot span multiple disks. See also basic disk, basic volume, extended partition.

Logical volume A volume created within an extended partition on a basic disk. You can format and assign a drive letter to a logical drive. Only basic disks can contain logical drives. A logical drive cannot span multiple disks. See also basic disk, basic volume, extended partition.

Logon script Files that can be assigned to user accounts. Typically a batch file, a logon script runs automatically every time the user logs on. It can be used to configure a user’s working environment at every logon, and it allows an administrator to influence a user’s environment without managing all aspects of it. A logon script can be assigned to one or more user accounts. See also batch program.

Long file name (LFN) A folder name or file name on the FAT file system that is longer than the 8.3 file name standard (up to eight characters followed by a period and an extension of up to three characters). Windows 2000 supports long file names up to the file-name limit of 255 characters. Macintosh users can assign long names to files and folders on the server and, using Services for Macintosh, long names to Macintosh-accessible volumes can be assigned when created. Windows 2000 automatically translates long names of files and folders to 8.3 names for MS-DOS and Windows 3.x users. See also name mapping.

Loopback address The address of the local computer used for routing outgoing packets back to the source computer. This address is used primarily for testing.

M

MAC See media access control.

Magazine A collection of storage locations, also called “slots,” for cartridges in a library managed by Removable Storage. Magazines are usually removable.

Magneto-optic (MO) disk A high-capacity, erasable storage medium which uses laser beams to heat the disk and magnetically arrange the data.

Magnifier A screen enlarger that magnifies a portion of the screen in a separate window for users with low vision and for those who require occasional screen magnification for such tasks as editing art.

Manual caching A method of manually designating network files and folders so they are stored on a user’s hard disk and accessible when the user is not connected to the network.

Master Boot Record (MBR) The first sector on a hard disk, this data structure starts the process of booting the computer. It is the most important area on a hard disk. The MBR contains the partition table for the disk and a small amount of executable code called the master boot code.

Master file table (MFT) The database that tracks the contents of an NTFS volume. The MFT is a table whose rows correspond to files on the volume and whose columns correspond to the attributes of each file.

Maximum password age The period of time a password can be used before the system requires the user to change it.

Media The physical material on which information is recorded and stored.

Media access control A sublayer of the IEEE 802 specifications that defines network access methods and framing.

Media label library
A dynamic-link library (DLL) that can interpret the format of a media label written by a Removable Storage application.

Media pool
Logical collections of removable media that have the same management policies. Media pools are used by applications to control access to specific tapes or discs within libraries managed by Removable Storage. There are four media pools: Unrecognized, Import, Free, and application-specific. Each media pool can only hold either media or other media pools. See also Removable Storage.

Media states
Descriptions of conditions in which Removable Storage has placed a cartridge that it is managing. The states include Idle, In Use, Mounted, Loaded, and Unloaded.

Memory leak
A condition that occurs when applications allocate memory for use but do not free allocated memory when finished.

Metric
A number used to indicate the cost of a route in the IP routing table to enable the selection of the best route among possible multiple routes to the same destination.

MFP
See multi-function peripherals.

Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1)
An encrypted authentication mechanism for PPP connections similar to CHAP. The remote access server sends a challenge to the remote access client that consists of a session ID and an arbitrary challenge string. The remote access client must return the user name and a Message Digest 4 (MD4) hash of the challenge string, the session ID, and the MD4-hashed password.

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
An encrypted authentication mechanism for PPP connections that provides stronger security than CHAP and MS-CHAP v1. MS-CHAP v2 provides mutual authentication and asymmetric encryption keys.

Microsoft Indexing Service
Software that provides search functions for documents stored on disk, allowing users to search for specific document text or properties.

Microsoft Internet Directory
A Web site provided and maintained by Microsoft used by applications such as NetMeeting to locate people to call on the Internet. The Microsoft Internet Directory is operated through an ILS server.

Microsoft Management Console (MMC)
A framework for hosting administrative consoles. A console is defined by the items on its console tree, which might include folders or other containers, World Wide Web pages, and other administrative items. A console has one or more windows that can provide views of the console tree and the administrative properties, services, and events that are acted on by the items in the console tree. The main MMC window provides commands and tools for authoring consoles. The authoring features of MMC and the console tree might be hidden when a console is in User Mode. See also console tree.

Microsoft Point-to-Point Encryption (MPPE)
A 128/40-bit encryption algorithm using RSA RC4. MPPE provides for packet security between the client and the tunnel server and is useful where IPSec is not available. The 40-bit version addresses localization issues based on current export restrictions. MPPE is compatible with Network Address Translation. See also IPSec.

Microsoft Tape Format (MTF)
The data format used for tapes supported by the Backup application in Windows 2000. There are three major components to MTF: a Tape Data Block (Tape DBLK), otherwise known as the tape header; one or more Data Sets; and On Tape Catalog Information (On Tape Catalog Inf).

Minidrivers
Relatively small, simple drivers or files that contain additional instructions needed by a specific hardware device, to interface with the universal driver for a class of devices.

Minimum TTL
A default Time To Live (TTL) value set in seconds for use with all resource records in a zone. This value is set in the start of authority (SOA) resource record for each zone. By default, the DNS server includes this value in query answers to inform recipients how long it can store and use resource records provided in the query answer before they must expire the stored records data. When TTL values are set for individual resource records, those values will override the minimum TTL. See also Time To Live.

Mirrored volume
A fault-tolerant volume that duplicates data on two physical disks. The mirror is always located on a different disk. If one of the physical disks fails, the data on the failed disk becomes unavailable, but the system continues to operate by using the unaffected disk. A mirrored volume is slower than a RAID-5 volume in read operations but faster in write operations. Mirrored volumes can only be created on dynamic disks. In Windows NT 4.0, a mirrored volume was known as a mirror set. See also dynamic disk, dynamic volume, fault tolerance, redundant array of independent disks, volume.

Mixed mode
The default mode setting for domains on Windows 2000 domain controllers. Mixed mode allows Windows 2000 domain controllers and Windows NT backup domain controllers to co-exist in a domain. Mixed mode does not support the universal and nested group enhancements of Windows 2000. You can change the domain mode setting to Windows 2000 native mode after all Windows NT domain controllers are either removed from the domain or upgraded to Windows 2000. See also native mode.

Mode Pruning
A Windows 2000 feature that can be used to remove display modes that the monitor cannot support.

Mount
To place a removable tape or disc into a drive. See also library.

MouseKeys
A feature in Microsoft Windows that allows use of the numeric keyboard to move the mouse pointer.

MP3
Audio compressed in the MPEG1 Layer 3 format.

MPEG-2
A standard of video compression and file format developed by the Moving Pictures Experts Group. MPEG-2 offers video resolutions of 720 x 480 and 128 x 720 at 60 frames per second, with full CD-quality audio.

MS-CHAPv2
See Microsoft Challenge Handshake Authentication Protocol version 2.

Multicast IP
IP packets sent from a single destination IP address but received and processed by multiple IP hosts, regardless of their location on an IP internetwork.

Multicasting
The process of sending a message simultaneously to more than one destination on a network.

Multihomed computer
A computer that has multiple network adapters or that has been configured with multiple IP addresses for a single network adapter.

Multiple boot
A computer configuration that runs two or more operating systems. For example, Windows 98, MS-DOS, and Windows 2000 operating systems can be installed on the same computer. When the computer is started, any one of the operating systems can be selected. See also dual boot.

N

Name devolution
A process by which a DNS resolver appends one or more domain names to an unqualified domain name, making it a fully qualified domain name, and then submits the fully qualified domain name to a DNS server.

Namespace
A set of unique names for resources or items used in a shared computing environment. The names in a namespace can be resolved to the objects they represent. For Microsoft Management Console (MMC), the namespace is represented by the console tree, which displays all of the snap-ins and resources that are accessible to a console. For Domain Name System (DNS), namespace is the vertical or hierarchical structure of the domain name tree. For example, each domain label, such as “host1” or “example,” used in a fully qualified domain name, such as “host1.example.microsoft.com,” indicates a branch in the domain namespace tree. For Active Directory, namespace corresponds to the DNS namespace in structure, but resolves Active Directory object names.

Naming service
A service, such as that provided by WINS or DNS, that allows friendly names to be resolved to an address or other specially defined resource data that is used to locate network resources of various types and purposes.

Narrator
A synthesized text-to-speech utility for users who have low vision. Narrator reads aloud most of what the screen displays.

Native mode
The condition in which all domain controllers within a domain are Windows 2000 domain controllers and an administrator has enabled native mode operation (through Active Directory Users and Computers). See also mixed mode.

NDIS miniport drivers
A type of minidriver that interfaces network class devices to NDIS.

Nested groups
A Windows 2000 capability available only in native mode that allows the creation of groups within groups. See also domain local group, forest, global group, trusted forest, universal group.

NetBEUI
See NetBIOS Extended User Interface.

NetBIOS Extended User Interface (NetBEUI)
A network protocol native to Microsoft Networking that is usually used in local area networks of one to 200 clients. NetBEUI uses Token Ring source routing as its only method of routing. It is the Microsoft implementation of the NetBIOS standard.

NetBIOS over TCP/IP (NetBT)
A feature that provides the NetBIOS programming interface over the TCP/IP protocol. It is used for monitoring routed servers that use NetBIOS name resolution.

NetWare
Novell’s network operating system.

Network adapter
Software or a hardware plug-in board that connects a node or host to a local area network.

Network basic input/output system (NetBIOS)
An application programming interface (API) that can be used by applications on a local area network or computers running MS-DOS, OS/2, or some version of UNIX. NetBIOS provides a uniform set of commands for requesting lower level network services.

Network Control Protocol (NCP)
A protocol within the PPP protocol suite that negotiates the parameters of an individual LAN protocol such as TCP/IP or IPX.

Network Driver Interface Specification (NDIS)
A software component that provides Windows 2000 network protocols a common interface for communications with network adapters. NDIS allows more than one transport protocol to be bound and operate simultaneously over a single network adapter card.

Network file system (NFS)
A service for distributed computing systems that provides a distributed file system, eliminating the need for keeping multiple copies of files on separate computers.

Network Information Service (NIS)
Formerly known as Yellow Pages, NIS is a distributed database service that allows for a shared set of system configuration files on UNIX-based systems, including password, hosts, and group files.

Network News Transfer Protocol (NNTP)
A member of the TCP/IP suite of protocols, used to distribute network news messages to NNTP servers and clients, or newsreaders, on the Internet. NNTP is designed so that news articles are stored on a server in a central database, and the user selects specific items to read. See also Transmission Control Protocol/Internet Protocol.

Network security administrators
Users who manage network and information security. Network security administrators should implement a security plan that addresses network security threats.

Node
In tree structures, a location on the tree that can have links to one or more items below it. In local area networks (LANs), a device that is connected to the network and is capable of communicating with other network devices. In a server cluster, a server that has Cluster service software installed and is a member of the cluster. See also local area network.

Noncontainer object
An object that cannot logically contain other objects. A file is a noncontainer object. See also container object, object.

Nonrepudiation
A basic security function of cryptography. Nonrepudiation provides assurance that a party in a communication cannot falsely deny that a part of the communication occurred. Without nonrepudiation, someone can communicate and then later deny the communication or claim that the communication occurred at a different time. See also cryptography, authentication, confidentiality, integrity.

Nonresident attribute
A file attribute whose value is contained in one or more runs, or extents, outside the master file table (MFT) record and separate from the MFT.

Nontransitive trust relationship
A type of trust relationship that is bounded by the two domains in the relationship. For example, if domain A trusts domain B and domain B trusts domain C, there is no trust relationship between domain A and domain C. A nontransitive trust relationship can be a one-way or two-way relationship. It is the only type of trust relationship that can exist between a Windows 2000 domain and a Windows NT domain or between Windows 2000 domains in different forests. See also trust relationship, transitive trust relationship.

Normal backup
A backup that copies all selected files and marks each file as backed up (that is, the archive bit is set). With normal backups, only the most recent copy of the backup file or tape is needed to restore all of the files. A normal backup is usually performed the first time a backup set is created. See also copy backup, daily backup, differential backup, incremental backup.

Novell Directory Services (NDS)
On networks running Novell NetWare 4.x and NetWare 5.x, a distributed database that maintains information about every resource on the network and provides access to these resources.

NT-1 (Network Terminator 1)
A device that terminates an ISDN line at the connection location, commonly through a connection port.

NTFS file system
A recoverable file system designed for use specifically with Windows NT and Windows 2000. NTFS uses database, transaction-processing, and object paradigms to provide data security, file system reliability, and other advanced features. It supports file system recovery, large storage media, and various features for the POSIX subsystem. It also supports object-oriented applications by treating all files as objects with user-defined and system-defined attributes.

NTLM
A security package that provides authentication between clients and servers. See also NTLM authentication protocol.

NTLM authentication protocol
A challenge/response authentication protocol. The NTLM authentication protocol was the default for network authentication in Windows NT version 4.0 and earlier. The protocol continues to be supported in Windows 2000 but no longer is the default. See also authentication.

NWLink
An implementation of the Internetwork Packet Exchange (IPX), Sequenced Packet Exchange (SPX), and NetBIOS protocols used in Novell networks. NWLink is a standard network protocol that supports routing and can support NetWare client/server applications, where NetWare-aware Sockets-based applications communicate with IPX/SPX Sockets-based applications. See also Internetwork Packet Exchange, network basic input/output system.

O

Object
An entity, such as a file, folder, shared folder, printer, or Active Directory object, described by a distinct, named set of attributes. For example, the attributes of a File object include its name, location, and size; the attributes of an Active Directory User object might include the user’s first name, last name, and e-mail address. For OLE and ActiveX objects, an object can also be any piece of information that can be linked to, or embedded into, another object. See also attribute, child object, container object, noncontainer object, parent object.

Object linking and embedding (OLE)
A method for sharing information among applications. Linking an object, such as a graphic, from one document to another inserts a reference to the object into the second document. Any changes you make in the object in the first document will also be made in the second document. Embedding an object inserts a copy of an object from one document into another document. Changes you make in the object in the first document will not be updated in the second unless the embedded object is explicitly updated. See also ActiveX.

Offline media
Media that are not connected to the computer and require external assistance to be accessed.

On-media identifier (OMID)
A label that is electronically recorded on each medium in a Removable Storage system. Removable Storage uses on-media identifiers to track media in the Removable Storage database. An application on-media identifier is a subset of the media label.

OnNow
See Advanced Configuration and Power Interface.

On-screen keyboard
A utility that displays a virtual keyboard on a computer screen and allows users with mobility impairments to type using a pointing device or joystick.

Open database connectivity (ODBC)
An application programming interface (API) that enables database applications to access data from a variety of existing data sources.

Open Host Controller Interface (OHCI)
Part of the IEEE 1394 standard. In Windows 2000 Professional, only OHCI-compliant host adapters are supported.

OpenType fonts
Outline fonts that are rendered from line and curve commands, and can be scaled and rotated. OpenType fonts are clear and readable in all sizes and on all output devices supported by Windows 2000. OpenType is an extension of TrueType font technology. See also font, TrueType fonts.

Operator request
A request for the operator to perform a task. This request can be issued by an application or by Removable Storage.

Original equipment manufacturer (OEM)
The maker of a piece of equipment. In making computers and computer-related equipment, manufacturers of original equipment typically purchase components from other manufacturers of original equipment and then integrate them into their own products.

Overclocking
Setting a microprocessor to run at speeds above the rated specification.

P

Package
An icon that represents embedded or linked information. That information can consist of a complete file, such as a Paint bitmap, or part of a file, such as a spreadsheet cell. When a package is chosen, the application used to create the object either plays the object (if it is a sound file, for example) or opens and displays the object. If the original information is changed, linked information is then updated. However, embedded information needs to be manually updated. In Systems Management Server, an object that contains the files and instructions for distributing software to a distribution point. See also embedded object, linked object, object linking and embedding.

Packet
A transmission unit of fixed maximum size that consists of binary information. This information represents both data and a header containing an ID number, source and destination addresses, and error-control data.

Packet assembler/disassembler (PAD)
A connection used in X.25 networks. X.25 PAD boards can be used in place of modems when provided with a compatible COM driver.

PAD
See packet assembler/disassembler.

Page-description language (PDL)
A computer language that describes the arrangement of text and graphics on a printed page. See also printer control language, PostScript.

Page fault
An error that occurs when the requested code or data cannot be located in the physical memory that is available to the requesting process.

Paging
The process of moving virtual memory back and forth between physical memory and the disk. Paging occurs when physical memory limitations are reached and only occurs for data that is not already “backed” by disk space. For example, file data is not paged out because it already has allocated disk space within a file system. See also virtual memory.

Paging file
A hidden file on the hard disk that Windows 2000 uses to hold parts of programs and data files that do not fit in memory. The paging file and physical memory, or RAM, comprise virtual memory. Windows 2000 moves data from the paging file to memory as needed and moves data from memory to the paging file to make room for new data. Also called a swap file. See also random access memory, virtual memory.

PAP
See Password Authentication Protocol.

Parallel connection
A connection that simultaneously transmits both data and control bits over wires connected in parallel. In general, a parallel connection can move data between devices faster than a serial connection.

Parallel device
A device that uses a parallel connection.

Parallel ports
The input/output connector for a parallel interface device. Printers are generally plugged into a parallel port.

Parent object
The object that is the immediate superior of another object in a hierarchy. A parent object can have multiple subordinate, or child, objects. In Active Directory, the schema determines what objects can be parent objects of what other objects. Depending on its class, a parent object can be the child of another object. See also child object, object.

Partition
A logical division of a hard disk. Partitions make it easier to organize information. Each partition can be formatted for a different file system. A partition must be completely contained on one physical disk, and the partition table in the Master Boot Record for a physical disk can contain up to four entries for partitions.

Password authentication protocol (PAP)
A simple, plaintext authentication scheme for authenticating PPP connections. The user name and password are requested by the remote access server and returned by the remote access client in plaintext.

Path
A sequence of directory (or folder) names that specifies the location of a directory, file, or folder within the Windows directory tree. Each directory name and file name within the path must be preceded by a backslash (\). For example, to specify the path of a file named Readme.doc located in the Windows directory on drive C, type C:\Windows\Readme.doc.

PC Card
A removable device, approximately the size of a credit card, that can be plugged into a PCMCIA (Personal Computer Memory Card International Association) slot in a portable computer. PCMCIA devices can include modems, network adapters, and hard disk drives.

PCI
See Peripheral Component Interconnect.

PCNFS Daemon (PCNFSD)
A program that receives requests from PC-NFS clients for authentication on remote machines.

Peer-to-peer network
See workgroup.

Performance counter
In System Monitor, a data item associated with a performance object. For each counter selected, System Monitor presents a value corresponding to a particular aspect of the performance that is defined for the performance object. See also performance object.

Performance object
In System Monitor, a logical collection of counters that is associated with a resource or service that can be monitored. See also performance counter.

Peripheral
A device, such as a disk drive, printer, modem, or joystick, that is connected to a computer and is controlled by the computer’s microprocessor.

Peripheral component interconnect (PCI)
A specification introduced by Intel Corporation that defines a local bus system that allows up to 10 PCI-compliant expansion cards to be installed in the computer.

Permission
A rule associated with an object to regulate which users can gain access to the object and in what manner. Permissions are granted or denied by the object’s owner. See also access control list, object, privilege, user rights.

Physical location
The location designation assigned to media managed by Removable Storage. The two classes of physical locations include libraries and offline media physical locations. The offline media physical location is where Removable Storage lists the cartridges that are not in a library. The physical location of cartridges in an online library is the library in which it resides.

Physical media
A storage object that data can be written to, such as a disk or magnetic tape. A physical medium is referenced by its physical media ID (PMID).

Physical object
An object, such as an ATM card or smart card used in conjunction with a piece of information, such as a PIN number, to authenticate users. In two-factor authentication, physical objects are used in conjunction with another secret piece of identification, such as a password, to authenticate users. In two-factor authentication, the physical object might be an ATM card that is used in combination with a PIN to authenticate the user.

Ping
A tool that verifies connections to one or more remote hosts. The ping command uses the ICMP Echo Request and Echo Reply packets to determine whether a particular IP system on a network is functional. Ping is useful for diagnosing IP network or router failures. See also Internet Control Message Protocol.

Pinning
To make a network file or folder available for offline use.

Plaintext
Data that is not encrypted. Sometimes also called clear text. See also ciphertext, decryption, encryption.

Plug and Play
A set of specifications developed by Intel that allows a computer to automatically detect and configure a device and install the appropriate device drivers.

Point and Print
A way of installing network printers on a user’s local computer. Point and Print allows users to initiate a connection to a network printer and loads any required drivers onto the client’s computer. When users know which network printer they want to use, Point and Print greatly simplifies the installation process.

Point of presence (POP)
The local access point for a network provider. Each POP provides a telephone number that allows users to make a local call for access to online services.

Point-to-Point Protocol (PPP)
An industry standard suite of protocols for the use of point-to-point links to transport multiprotocol datagrams. PPP is documented in RFC 1661.

Point-to-Point Tunneling Protocol (PPTP)
A tunneling protocol that encapsulates Point-to-Point Protocol (PPP) frames into IP datagrams for transmission over an IP-based internetwork, such as the Internet or a private intranet.

Portable Operating System Interface for UNIX (POSIX)
An IEEE (Institute of Electrical and Electronics Engineers) standard that defines a set of operating-system services. Programs that adhere to the POSIX standard can be easily ported from one system to another. POSIX was based on UNIX system services, but it was created in a way that allows it to be implemented by other operating systems.

POST
See power-on self test.

PostScript
A page-description language (PDL) developed by Adobe Systems for printing with laser printers. PostScript offers flexible font capability and high-quality graphics. It is the standard for desktop publishing because it is supported by image setters, the high-resolution printers used by printing services for commercial typesetting. See also printer control language, page-description language.

Power-on self test (POST)
A set of routines stored in read-only memory (ROM) that tests various system components such as RAM, the disk drives, and the keyboard, to see if they are properly connected and operating. If problems are found, these routines alert the user with a series of beeps or a message, often accompanied by a diagnostic numeric value. If the POST is successful, it passes control to the bootstrap loader.

PPTP
See Point-to-Point Tunneling Protocol.

Primary partition
A volume created using unallocated space on a basic disk. Windows 2000 and other operating systems can start from a primary partition. As many as four primary partitions can be created on a basic disk, or three primary partitions and an extended partition. Primary partitions can be created only on basic disks and cannot be subpartitioned. See also basic disk, dynamic volume, extended partition, partition.

Printer control language (PCL)
The page-description language (PDL) developed by Hewlett Packard for their laser and inkjet printers. Because of the widespread use of laser printers, this command language has become a standard in many printers. See also page-description language, PostScript.

Priority
A precedence ranking that determines the order in which the threads of a process are scheduled for the processor.

Priority inversion
The mechanism that allows low-priority threads to run and complete execution rather than being preempted and locking up a resource such as an I/O device.

Private branch exchange (PBX)
An automatic telephone switching system that enables users within an organization to place calls to each other without going through the public telephone network. Users can also place calls to outside numbers.

Private key
The secret half of a cryptographic key pair that is used with a public key algorithm. Private keys are typically used to digitally sign data and to decrypt data that has been encrypted with the corresponding public key. See also public key.

Privilege
A user’s right to perform a specific task, usually one that affects an entire computer system rather than a particular object. Administrators assign privileges to individual users or groups of users as part of the security settings for the computer. See also access token, permission, user rights.

Privileged mode
Also known as kernel mode, the processing mode that allows code to have direct access to all hardware and memory in the system.

Process throttling
A method of restricting the amount of processor time a process consumes, for example, using job object functions.

Processor queue
An instantaneous count of the threads that are ready to run on the system but are waiting because the processor is running other threads.

Protocol
A set of rules and conventions by which two computers pass messages across a network. Networking software usually implements multiple levels of protocols layered one on top of another. Windows NT and Windows 2000 include NetBEUI, TCP/IP, and IPX/SPX-compatible protocols.

Proxy server
A firewall component that manages Internet traffic to and from a local area network and can provide other features, such as document caching and access control. A proxy server can improve performance by supplying frequently requested data, such as a popular Web page, and can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files. See also firewall.

Public key
The non-secret half of a cryptographic key pair that is used with a public key algorithm. Public keys are typically used to verify digital signatures or decrypt data that has been encrypted with the corresponding private key. See also private key.

Public key cryptography
A method of cryptography in which two different but complementary keys are used: a public key and a private key for providing security functions. Public key cryptography is also called asymmetric key cryptography. See also cryptography, private key, public key.

Public switched telephone network (PSTN)
Standard analog telephone lines, available worldwide.

Q

QoS
See Quality of Service.

QoS Admission Control Service
A software service that controls bandwidth and network resources on the subnet to which it is assigned. Important applications can be given more bandwidth, less important applications less bandwidth. The QoS Admission Control Service can be installed on any network-enabled computer running Windows 2000.

Quality of Service (QoS)
A set of quality assurance standards and mechanisms for data transmission, implemented in Windows 2000.

Quantum
Also known as a time slice, the maximum amount of time a thread can run before the system checks for another ready thread of the same priority to run.

Quarter-inch cartridge (QIC)
An older storage technology used with tape backup drives and cartridges. A means of backing up data on computer systems. QIC represents a set of standards devised to enable tapes to be used with drives from different manufacturers. The QIC standards specify the length of tape, the number of recording tracks, and the magnetic strength of the tape coating, all of which determine the amount of information that can be written to the tape. Older QIC-80 drives can hold up to 340 MB of compressed data. Newer versions can hold more than 1 GB of information.

R

RAID-5 volume
A fault-tolerant volume with data and parity striped intermittently across three or more physical disks. Parity is a calculated value that is used to reconstruct data after a failure. If a portion of a physical disk fails, you can recreate the data that was on the failed portion from the remaining data and parity. Also known as a striped volume with parity.

Raster fonts
Fonts that are stored as bitmaps, also called bit-mapped fonts. Raster fonts are designed with a specific size and resolution for a specific printer and cannot be scaled or rotated. If a printer does not support raster fonts, it will not print them.

Rate counter
Similar to an averaging counter, a counter type that samples an increasing count of events over time; the change in the count is divided by the change in time to display a rate of activity.

Read-only memory (ROM)
A semiconductor circuit that contains information that cannot be modified.

Recoverable file system
A file system that ensures that if a power outage or other catastrophic system failure occurs, the file system will not be corrupted and disk modifications will not be left incomplete. The structure of the disk volume is restored to a consistent state when the system restarts.

Recovery Console
A startable, text-mode command interpreter environment separate from the Windows 2000 command prompt that allows the system administrator access to the hard disk of a computer running Windows 2000, regardless of the file format used, for basic troubleshooting and system maintenance tasks.

Redundant array of independent disks (RAID)
A method used to standardize and categorize fault-tolerant disk systems. Six levels gauge various mixes of performance, reliability, and cost. Windows 2000 provides three of the RAID levels: Level 0 (striping) which is not fault-tolerant, Level 1 (mirroring), and Level 5 (striped volume with parity). See also fault tolerance, mirrored volume, RAID-5 volume, striped volume.

Registry
In Windows 2000, Windows NT, Windows 98, and Windows 95, a database of information about a computer’s configuration. The registry is organized in a hierarchical structure and consists of subtrees and their keys, hives, and entries.

Relative ID (RID)
The part of a security ID (SID) that uniquely identifies an account or group within a domain. See also security ID.

Remote access server
A Windows 2000 Server-based computer running the Routing and Remote Access service and configured to provide remote access.

Remote procedure call (RPC)
A message-passing facility that allows a distributed application to call services that are available on various computers in a network. Used during remote administration of computers.

Removable Storage
A service used for managing removable media (such as tapes and discs) and storage devices (libraries). Removable Storage allows applications to access and share the same media resources. See also library.

Reparse points
New NTFS file system objects that have a definable attribute containing user-controlled data and are used to extend functionality in the input/output (I/O) subsystem.

Repeat Keys
A feature that allows users with mobility impairments to adjust the repeat rate or to disable the key-repeat function on the keyboard. See also FilterKeys.

Request for Comments (RFC)
A document that defines a standard. RFCs are published by the Internet Engineering Task Force (IETF) and other working groups.

Resident attribute
A file attribute whose value is wholly contained in the file’s file record in the master file table (MFT).

Resolver
DNS client programs used to look up DNS name information. Resolvers can be either a small “stub” (a limited set of programming routines that provide basic query functionality) or larger programs that provide additional lookup DNS client functions, such as caching. See also caching, caching resolver.

Resource publishing
The process of making an object visible and accessible to users in a Windows 2000 domain. For example, a shared printer resource is published by creating a reference to the printer object in Active Directory.

Resource record (RR)
Information in the DNS database that can be used to process client queries. Each DNS server contains the resource records it needs to answer queries for the portion of the DNS namespace for which it is authoritative.

Response time
The amount of time required to do work from start to finish. In a client/server environment, this is typically measured on the client side.

RGB
The initials of red, green, blue. Used to describe a color monitor or color value.

Roaming user profile
A server-based user profile that is downloaded to the local computer when a user logs on and is updated both locally and on the server when the user logs off. A roaming user profile is available from the server when logging on to any computer that is running Windows 2000 Professional or Windows 2000 Server.

ROM
See read-only memory.

Route table
See routing table.

Router
A network device that helps LANs and WANs achieve interoperability and connectivity and that can link LANs that have different network topologies, such as Ethernet and Token Ring.

Routing
The process of forwarding a packet through an internetwork from a source host to a destination host.

Routing Information Protocol (RIP)
An industry standard distance vector routing protocol used in small to medium sized IP and IPX internetworks.

Routing table
A database of routes containing information on network IDs, forwarding addresses, and metrics for reachable network segments on an internetwork.

RPC
See Remote Procedure Call.

Rules
An IPSec policy mechanism that governs how and when an IPSec policy protects communication. A rule provides the ability to trigger and control secure communication based on the source, destination, and type of IP traffic. Each rule contains a list of IP filters and a collection of security actions that take place upon a match with that filter list.

S

Safe Mode
A method of starting Windows 2000 using basic files and drivers only, without networking. Safe Mode is available by pressing the F8 key when prompted during startup. This allows the computer to start when a problem prevents it from starting normally.

Screen-enlargement utility
A utility that allows the user to magnify a portion of the screen for greater visibility. (Also called a screen magnifier or large-print program.)

Script
A type of program consisting of a set of instructions to an application or utility program. A script usually expresses instructions by using the application’s or utility’s rules and syntax, combined with simple control structures such as loops and if/then expressions. “Batch program” is often used interchangeably with “script” in the Windows environment.

SCSI
See Small Computer System Interface.

SCSI connection
A standard high-speed parallel interface defined by the X3T9.2 committee of the American National Standards Institute (ANSI). A SCSI interface is used to connect microcomputers to SCSI peripheral devices, such as many hard disks and printers, and to other computers and local area networks.

Search filter
An argument in an LDAP search that allows certain entries in the subtree and excludes others. Filters allow you to define search criteria and give you better control to achieve more effective and efficient searches.

Secure Sockets Layer (SSL)
A proposed open standard developed by Netscape Communications for establishing a secure communications channel to prevent the interception of critical information, such as credit card numbers. Primarily, it enables secure electronic financial transactions on the World Wide Web, although it is designed to work on other Internet services as well.

Security Accounts Manager (SAM)
A protected subsystem that manages user and group account information. In Windows NT 4.0, both local and domain security principals are stored by SAM in the registry. In Windows 2000, workstation security accounts are stored by SAM in the local computer registry, and domain controller security accounts are stored in Active Directory.

Security association (SA)
A set of parameters that define the services and mechanisms necessary to protect Internet Protocol security communications. See also Internet Protocol security.

Security descriptor
A data structure that contains security information associated with a protected object. Security descriptors include information about who owns the object, who may access it and in what way, and what types of access will be audited. See also access control list, object.

Security event types
Different categories of events about which Windows 2000 can create auditing events. Account logon or object access are examples of security event types.

Security ID (SID)
A data structure of variable length that uniquely identifies user, group, service, and computer accounts within an enterprise. Every account is issued a SID when the account is first created. Access control mechanisms in Windows 2000 identify security principals by SID rather than by name. See also relative ID, security principal.

Security method
A process that determines the Internet Protocol security services, key settings, and algorithms that will be used to protect the data during the communication.

Security Parameters Index (SPI)
A unique, identifying value in the SA used to distinguish among multiple security associations existing at the receiving computer.

Security principal
An account-holder, such as a user, computer, or service. Each security principal within a Windows 2000 domain is identified by a unique security ID (SID). When a security principal logs on to a computer running Windows 2000, the Local Security Authority (LSA) authenticates the security principal’s account name and password. If the logon is successful, the system creates an access token. Every process executed on behalf of this security principal will have a copy of its access token. See also access token, security ID, security principal name.

Security principal name
A name that uniquely identifies a user, group, or computer within a single domain. This name is not guaranteed to be unique across domains. See also security principal.

Seek time
The amount of time required for a disk head to position itself at the right disk cylinder to access requested data.

Serial Bus Protocol (SBP-2)
A standard for storage devices, printers, and scanners that is a supplement to the IEEE 1394 specification.

Serial connection
A connection that exchanges information between computers or between computers and peripheral devices one bit at a time over a single channel. Serial communications can be synchronous or asynchronous. Both sender and receiver must use the same baud rate, parity, and control information.

Serial device
A device that uses a serial connection.

SerialKeys
A Windows feature that uses a communications aid interface device to allow keystrokes and mouse controls to be accepted through a computer’s serial port.

Server
A computer that provides shared resources to network users.

Server Message Block (SMB)
A file-sharing protocol designed to allow networked computers to transparently access files that reside on remote systems over a variety of networks. The SMB protocol defines a series of commands that pass information between computers. SMB uses four message types: session control, file, printer, and message.

Service access point
A logical address that allows a system to route data between a remote device and the appropriate communications support.

Service Pack
A software upgrade to an existing software distribution that contains updated files consisting of patches and fixes.

Service Profile Identifier (SPID)
A 14-digit number that identifies a specific ISDN line. When establishing ISDN service, your telephone company assigns a SPID to your line. See also ISDN.

Service provider
In TAPI, a dynamic link library (DLL) that provides an interface between an application requesting services and the controlling hardware device. TAPI supports two classes of service providers, media service providers and telephony service providers.

Session key
A key used primarily for encryption and decryption. Session keys are typically used with symmetric encryption algorithms where the same key is used for both encryption and decryption. For this reason, session and symmetric keys usually refer to the same type of key. See also symmetric key encryption.

Sfmmon
A port monitor that is used to send jobs over the AppleTalk protocol to printers such as LaserWriters or those configured with AppleTalk or any AppleTalk spoolers.

Shared folder permissions
Permissions that restrict a shared resource’s availability over the network to certain users. See also permission.

Shiva Password Authentication Protocol (SPAP)
A two-way, reversible encryption mechanism for authenticating PPP connections employed by Shiva remote access servers.

Shortcut key navigation indicators
Underlined letters on a menu or control. (Also called access keys or quick-access letters.)

ShowSounds
A global flag that instructs programs to display captions for speech and system sounds to alert users with hearing impairments or people who work in a noisy location such as a factory floor.

Simple Mail Transfer Protocol (SMTP)
A protocol used on the Internet to transfer mail. SMTP is independent of the particular transmission subsystem and requires only a reliable, ordered, data stream channel.

Simple Network Management Protocol (SNMP)
A network management protocol installed with TCP/IP and widely used on TCP/IP and Internet Package Exchange (IPX) networks. SNMP transports management information and commands between a management program run by an administrator and the network management agent running on a host. The SNMP agent sends status information to one or more hosts when the host requests it or when a significant event occurs.

Single-switch device
An alternative input device, such as a voice activation program, that allows a user to scan or select using a single switch.

Slot
Storage locations for cartridges in a library managed by Removable Storage.

SlowKeys
A Windows feature that instructs the computer to disregard keystrokes that are not held down for a minimum period of time, which allows the user to brush against keys without any effect. See also FilterKeys.

Small Computer System Interface (SCSI)
A standard high-speed parallel interface defined by the X3T9.2 committee of the American National Standards Institute (ANSI). A SCSI interface is used for connecting microcomputers to peripheral devices, such as hard disks and printers, and to other computers and local area networks.

Small Office/Home Office (SOHO)
An office with a few computers that can be considered a small business or part of a larger network.

Smart card
A credit card-sized device that is used with a PIN number to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information. A smart card reader attached to the computer reads the smart card. See also authentication, certificate, nonrepudiation.

SNMP
See Simple Network Management Protocol.

Software trap
In programming, an event that occurs when a microprocessor detects a problem with executing an instruction, which causes it to stop.

SoundSentry
A Windows feature that produces a visual cue, such as a screen flash or a blinking title bar instead of system sounds.

Source directory
The folder that contains the file or files to be copied or moved. See also destination directory.

SPAP
See Shiva Password Authentication Protocol.

Sparse file
A file that is handled in a way that requires less disk space than would otherwise be needed by allocating only meaningful non-zero data. Sparse support allows an application to create very large files without committing disk space for every byte.

Speech synthesizer
An assistive device that produces spoken words, either by splicing together prerecorded words or by programming the computer to produce the sounds that make up spoken words.

Stand-alone drive
An online drive that is not part of a library unit. Removable Storage treats stand-alone drives as online libraries with one drive and a port.

Status area
The area on the taskbar to the right of the taskbar buttons. The status area displays the time and can also contain icons that provide quick access to programs, such as Volume Control and Power Options. Other icons can appear temporarily, providing information about the status of activities. For example, the printer icon appears after a document has been sent to the printer and disappears when printing is complete.

StickyKeys
An accessibility feature built into Windows that causes modifier keys such as SHIFT, CTRL, WINDOWS LOGO, or ALT to stay on after they are pressed, eliminating the need to press multiple keys simultaneously. This feature facilitates the use of modifier keys for users who are unable to hold down one key while pressing another.

Stop error
A serious error that affects the operating system and that could place data at risk. The operating system generates an obvious message, a screen with the Stop message, rather than continuing on and possibly corrupting data. Also known as a fatal system error. See also Stop message.

Stop message
A character-based, full-screen error message displayed on a blue background. A Stop message indicates that the Windows 2000 kernel detected a condition from which it cannot recover. Each message is uniquely identified by a Stop error code (a hexadecimal number) and a string indicating the error’s symbolic name. Stop messages are usually followed by up to four additional hexadecimal numbers, enclosed in parentheses, which identify developer-defined error parameters. A driver or device may be identified as the cause of the error. A series of troubleshooting tips are also displayed, along with an indication that, if the system was configured to do so, a memory dump file was saved for later use by a kernel debugger. See also Stop error.

Streaming media servers
Software (such as Microsoft Media Technologies) that provides multimedia support, allowing you to deliver content by using Advanced Streaming Format over an intranet or the Internet.

Streams
A sequence of bits, bytes, or other small structurally uniform units.

Striped volume
A volume that stores data in stripes on two or more physical disks. Data in a striped volume is allocated alternately and evenly (in stripes) to these disks. Striped volumes offer the best performance of all volumes available in Windows 2000, but they do not provide fault tolerance. If a disk in a striped volume fails, the data in the entire volume is lost. You can create striped volumes only on dynamic disks. Striped volumes cannot be mirrored or extended. In Windows NT 4.0, a striped volume was known as a stripe set. See also dynamic disk, dynamic volume, fault tolerance, volume.

Subkey
In the registry, a key within a key. Subkeys are analogous to subdirectories in the registry hierarchy. Keys and subkeys are similar to the section header in .ini files; however, subkeys can carry out functions. See also key.

Subnet
A subdivision of an IP network. Each subnet has its own unique subnetted network ID.

Subnet mask
A 32-bit value expressed as four decimal numbers from 0 to 255, separated by periods (for example, 255.255.0.0). This number allows TCP/IP to determine the network ID portion of an IP address.

Subnet prioritization
The ordering of multiple IP address mappings from a DNS server so that the resolver orders local resource records first. This reduces network traffic across subnets by forcing computers to connect to network resources that are closer to them.

Subpicture
A data stream contained within a DVD. The Subpicture stream delivers the subtitles and any other add-on data, such as system help or director’s comments, which can be displayed while playing multimedia.

Symmetric key
A single key that is used with symmetric encryption algorithms for both encryption and decryption. See also bulk encryption, decryption, encryption, session key.

Symmetric key encryption
An encryption algorithm that requires the same secret key to be used for both encryption and decryption. This is often called secret key encryption. Because of its speed, symmetric encryption is typically used rather than public key encryption when a message sender needs to encrypt large amounts of data.

Synchronization Manager
In Windows 2000, the tool used to ensure that a file or directory on a client computer contains the same data as a matching file or directory on a server.

Syntax
The order in which a command must be typed and the elements that follow the command.

System access control list (SACL)
The part of an object’s security descriptor that specifies which events are to be audited per user or group. Examples of auditing events are file access, logon attempts, and system shutdowns. See also access control entry, discretionary access control list, object, security descriptor.

System administrator
A person that administers a computer system or network, including administering user accounts, security, storage space, and backing up data.

System files
Files that are used by Windows to load, configure, and run the operating system. Generally, system files must never be deleted or moved.

System media pool
A pool used to hold cartridges that are not in use. The free pool holds unused cartridges that are available to applications, and the unrecognized and import pools are temporary holding places for cartridges that have been newly placed in a library.

System policy
In network administration, the part of Group Policy that is concerned with the current user and local computer settings in the registry. In Windows 2000, system policy is sometimes called software policy and is one of several services provided by Group Policy, a Microsoft Management Console (MMC) snap-in. The Windows NT 4.0 System Policy Editor, Poledit.exe, is included with Windows 2000 for backward compatibility. That is, administrators need it to set system policy on Windows NT 4.0 and Windows 95 computers. See also Microsoft Management Console, registry.

System Policy Editor
The utility Poledit.exe, used by administrators to set system policy on Windows NT 4.0 and Windows 95 computers.

System state data
A collection of system-specific data that can be backed up and restored. For all Windows 2000 operating systems, the System State data includes the registry, the class registration database, and the system boot files.

System volume
The volume that contains the hardware-specific files needed to load Windows 2000. The system volume can be (but does not have to be) the same volume as the boot volume. See also volume.

Systemroot
The path and folder name where the Windows 2000 system files are located. Typically, this is C:\Winnt, although a different drive or folder can be designated when Windows 2000 is installed. The value %systemroot% can be used to replace the actual location of the folder that contains the Windows 2000 system files. To identify your systemroot folder, click Start, click Run, and then type %systemroot%.

T

Taskbar
The bar that contains the Start button and appears by default at the bottom of the desktop. You can use the taskbar buttons to switch between the programs you are running. The taskbar can be hidden, moved to the sides or top of the desktop, or customized in other ways. See also desktop, status area, taskbar button.

Taskbar button
A button that appears on the taskbar when an application is running.

Tcpmon.ini
The file that specifies whether a device supports multiple ports. If the Tcpmon.ini file indicates that a device can support multiple ports, users are prompted to pick which port should be used during device installation.

Telephony API (TAPI)
An application programming interface (API) used by communications programs to communicate with telephony and network services. See also Internet Protocol.

Terabyte
Approximately one trillion bytes, or one million million bytes.

Terminal Services
Software services that allow client applications to be run on a server so that client computers can function as terminals rather than independent systems. The server provides a multisession environment and runs the Windows-based programs being used on the clients. See also client.

Thread
A type of object within a process that runs program instructions. Using multiple threads allows concurrent operations within a process and enables one process to run different parts of its program on different processors simultaneously. A thread has its own set of registers, its own kernel stack, a thread environment block, and a user stack in the address space of its process.

Thread state
A numeric value indicating the execution state of the thread. Numbered 0 through 5, the states seen most often are 1 for ready, 2 for running, and 5 for waiting.

Throughput
For disks, the transfer capacity of the disk system.

Time To Live (TTL)
A timer value included in packets sent over TCP/IP-based networks that tells the recipients how long to hold or use the packet or any of its included data before expiring and discarding the packet or data. For DNS, TTL values are used in resource records within a zone to determine how long requesting clients should cache and use this information when it appears in a query response answered by a DNS server for the zone.

Timer bar
The colored bar that moves across the screen according to the frequency of the data-collection update interval.

ToggleKeys
A Windows feature that beeps when one of the locking keys (CAPS LOCK, NUM LOCK, or SCROLL LOCK) is turned on or off.

Token Ring
A type of network media that connects clients in a closed ring and uses token passing to allow clients to use the network. See also Fiber Distributed Data Interface.

Total instance
A unique instance that contains the performance counters that represent the sum of all active instances of an object.

Transitive trust relationship
The trust relationship that inherently exists between Windows 2000 domains in a domain tree or forest, or between trees in a forest, or between forests. When a domain joins an existing forest or domain tree, a transitive trust is automatically established. In Windows 2000 transitive trusts are always two-way relationships. See also domain tree, forest, nontransitive trust relationship.

Transmission Control Protocol / Internet Protocol (TCP/IP)
A set of software networking protocols widely used on the Internet that provide communications across interconnected networks of computers with diverse hardware architectures and operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.

Transmitting Station ID string (TSID)
A string that specifies the Transmitter Subscriber ID sent by the fax machine when sending a fax to a receiving machine. This string is usually a combination of the fax or telephone number and the name of the business. It is often the same as the Called Subscriber ID.

Transport Layer Security (TLS)
A standard protocol that is used to provide secure Web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications.

Transport protocol
A protocol that defines how data should be presented to the next receiving layer in the Windows NT and Windows 2000 networking model and packages the data accordingly. The transport protocol passes data to the network adapter driver through the network driver interface specification (NDIS) interface and to the redirector through the Transport Driver Interface (TDI).

TrueType fonts
Fonts that are scalable and sometimes generated as bitmaps or soft fonts, depending on the capabilities of your printer. TrueType fonts are device-independent fonts that are stored as outlines. They can be sized to any height, and they can be printed exactly as they appear on the screen. See also font.

Trust relationship
A logical relationship established between domains that allows pass-through authentication in which a trusting domain honors the logon authentications of a trusted domain. User accounts and global groups defined in a trusted domain can be granted rights and permissions in a trusting domain, even though the user accounts or groups do not exist in the trusting domain’s directory. See also authentication, domain, two-way trust relationship.

Trusted forest
A forest that is connected to another forest by explicit or transitive trust. See also explicit trust relationship, forest, transitive trust relationship.

TSID
See Transmitting Station ID string.

Tunnel
The logical path by which the encapsulated packets travel through the transit internetwork.

TWAIN
An acronym for Technology Without An Interesting Name. An industry-standard software protocol and API that provides easy integration of image data between input devices, such as scanners and still image digital cameras, and software applications.

Two-way trust relationship
A link between domains in which each domain trusts user accounts in the other domain to use its resources. Users can log on from computers in either domain to the domain that contains their account. See also trust relationship.

Type 1 fonts
Scalable fonts designed to work with PostScript devices. See also font, PostScript.

U

UART
See Universal Asynchronous Receiver/Transmitter.

Unallocated space
Available disk space that is not allocated to any partition, logical drive, or volume. The type of object created on unallocated space depends on the disk type (basic or dynamic). For basic disks, unallocated space outside partitions can be used to create primary or extended partitions. Free space inside an extended partition can be used to create a logical drive. For dynamic disks, unallocated space can be used to create dynamic volumes. Unlike basic disks, the exact disk region used is not selected to create the volume. See also basic disk, dynamic disk, extended partition, logical drive, partition, primary partition, volume.

Unicode
A fixed-width, 16-bit character-encoding standard capable of representing the letters and characters of the majority of the world’s languages. A consortium of U.S. computer companies developed Unicode.

UniDriver
The UniDriver (or Universal Print Driver) carries out requests (such as printing text, rendering bitmaps, or advancing a page) on most types of printers. The UniDriver accepts information from a printer specific minidriver and uses this information to complete tasks.

Uniform Resource Locator (URL)
An address that uniquely identifies a location on the Internet. A URL for a World Wide Web site is preceded with http://, as in the fictitious URL http://www.example.microsoft.com/. A URL can contain more detail, such as the name of a page of hypertext, usually identified by the file name extension .html or .htm. See also HTML, HTTP, IP address.

Universal Asynchronous Receiver/Transmitter (UART)
An integrated circuit (silicon chip) that is commonly used in microcomputers to provide asynchronous communications. The UART does parallel-to-serial conversion of data to be transmitted and serial-to-parallel conversion of data received. See also asynchronous communication.

Universal Disk Format (UDF)
A file system defined by the Optical Storage Technology Association (OSTA) that is the successor to the CD-ROM file system (CDFS). UDF is targeted for removable disk media like DVD, CD, and Magneto-Optical (MO) discs.

Universal group
A Windows 2000 group only available in native mode that is valid anywhere in the forest. A universal group appears in the Global Catalog but contains primarily global groups from domains in the forest. This is the simplest form of group and can contain other universal groups, global groups, and users from anywhere in the forest. See also domain local group, forest, Global Catalog.

Universal Naming Convention (UNC)
A convention for naming files and other resources beginning with two backslashes (\), indicating that the resource exists on a network computer. UNC names conform to the \\SERVERNAME\SHARENAME syntax, where SERVERNAME is the server’s name and SHARENAME is the name of the shared resource. The UNC name of a directory or file can also include the directory path after the share name, with the following syntax: \\SERVERNAME\SHARENAME\DIRECTORY\FILENAME.

Universal Serial Bus (USB)
A serial bus with a bandwidth of 1.5 megabits per second (Mbps) for connecting peripherals to a microcomputer. USB can connect up to 127 peripherals, such as external CD-ROM drives, printers, modems, mice, and keyboards, to the system through a single, general-purpose port. This is accomplished by daisy chaining peripherals together. USB supports hot plugging and multiple data streams.

UNIX
A powerful, multi-user, multitasking operating system initially developed at AT&T Bell Laboratories in 1969 for use on minicomputers. UNIX is considered more portable—that is, less computer-specific—than other operating systems because it is written in C language. Newer versions of UNIX have been developed at the University of California at Berkeley and by AT&T.

Unrecognized pool
A repository for blank media and media that are not recognized by Removable Storage.

Upgrade
When referring to software, to update existing program files, folders, and registry entries to a more recent version. Upgrading, unlike performing a new installation, leaves existing settings and files in place.

URL
See Uniform Resource Locator.

USB
See Universal Serial Bus.

User account
A record that consists of all the information that defines a user to Windows 2000. This includes the user name and password required for the user to log on, the groups in which the user account has membership, and the rights and permissions the user has for using the computer and network and accessing their resources. For Windows 2000 Professional and member servers, user accounts are managed by using Local Users and Groups. For Windows 2000 Server domain controllers, user accounts are managed by using Microsoft Active Directory Users and Computers. See also domain controller, group, user name.

User Identification (UID)
A user identifier that uniquely identifies a user. UNIX-based systems use the UID to identify the owner of files and processes, and to determine access permissions.

User mode
The processing mode in which applications run.

User name
A unique name identifying a user account to Windows 2000. An account’s user name must be unique among the other group names and user names within its own domain or workgroup.

User principal name (UPN)
A friendly name assigned to security principals (users and groups) that is shorter than the distinguished name and easier to remember. The default user principal name is composed of the security principal name for the user and the DNS name of the root domain where the user object resides. The user principal name is the preferred logon name for Windows 2000 users and is independent of the distinguished name, so a User object can be moved or renamed without affecting the user’s logon name. See also distinguished name.

User profile
A file that contains configuration information for a specific user, such as desktop settings, persistent network connections, and application settings. Each user’s preferences are saved to a user profile that Windows NT and Windows 2000 use to configure the desktop each time a user logs on.

User rights
Tasks a user is permitted to perform on a computer system or domain. There are two types of user rights: privileges and logon rights. An example of a privilege is the right to shut down the system. An example of a logon right is the right to log on to a computer locally (at the keyboard). Administrators assign both types to individual users or groups as part of the security settings for the computer. See also permission, privilege.

User rights policy
Security settings that manage the assignment of rights to groups and user accounts.

Utility Manager
A function of Windows 2000 that allows administrators to review the status of applications and tools and to customize features and add tools more easily.

V

Value bar
The area of the System Monitor graph or histogram display that shows last, average, minimum and maximum statistics for the selected counter.

Vector fonts
Fonts rendered from a mathematical model, in which each character is defined as a set of lines drawn between points. Vector fonts can be cleanly scaled to any size or aspect ratio.

Video for Windows (VfW)
A format developed by Microsoft for storing video and audio information. Files in this format have an .avi extension. AVI files are limited to 320 x 240 resolution at 30 frames per second, neither of which is adequate for full-screen, full-motion video.

Video Port Extensions (VPE)
A DirectDraw extension to support direct hardware connections from a video decoder and autoflipping in the graphics frame buffer. VPE allows the client to negotiate the connection between the MPEG or NTSC decoder and the video port. VPE also allows the client to control effects in the video stream, such as cropping, scaling, and so on.

Virtual Device Driver (VxD)
Software for Windows that manages a hardware or software system resource. The middle letter in the abbreviation indicates the type of device; x is used where the type of device is not under discussion.

Virtual memory
The space on the hard disk that Windows 2000 uses as memory. Because of virtual memory, the amount of memory taken from the perspective of a process can be much greater than the actual physical memory in the computer. The operating system does this in a way that is transparent to the application, by paging data that does not fit in physical memory to and from the disk at any given instant.

Virtual private network (VPN)
The extension of a private network that encompasses links across shared or public networks, such as the Internet.

Virus scanner
Software used to scan for and eradicate computer viruses, worms, and Trojan horses.

Volume
A portion of a physical disk that functions as though it were a physically separate disk. In My Computer and Windows Explorer, volumes appear as local disks, such as drive C or drive D.

Volume mount points
New system objects in the version of NTFS included with Windows 2000 that represent storage volumes in a persistent, robust manner. Volume mount points allow the operating system to graft the root of a volume onto a directory.

W

WDM Streaming class
The means by which Windows 2000 Professional supports digital video and audio. Enables support for such components as DVD decoders, MPEG decoders, video decoders, tuners, and audio codecs.

Wide area network (WAN)
A communications network connecting geographically separated computers, printers, and other devices. A WAN allows any connected device to interact with any other on the network. See also local area network.

Windows 2000 Multilanguage Version
A version of Windows 2000 that extends the native language support in Windows 2000 by allowing user interface languages to be changed on a per user basis. This version also minimizes the number of language versions you need to deploy across the network.

Windows File Protection (WFP)
A Windows 2000 feature that runs in the background and protects your system files from being overwritten. When a file in a protected folder is modified, WFP determines if the new file is the correct Microsoft version or if the file is digitally signed. If not, the modified file is replaced with a valid version.

Windows Internet Name Service (WINS)
A software service that dynamically maps IP addresses to computer names (NetBIOS names). This allows users to access resources by name instead of requiring them to use IP addresses that are difficult to recognize and remember. WINS servers support clients running Windows NT 4.0 and earlier versions of Windows operating systems. See also Domain Name System.

Windows Update
A Microsoft-owned Web site from which Windows 98 and Windows 2000 users can install or update device drivers. By using an ActiveX control, Windows Update compares the available drivers with those on the user’s system and offers to install new or updated versions.

WINS
See Windows Internet Name Service.

Winsock
An application programming interface standard for software that provides TCP/IP interface under Windows. Short for Windows Sockets. See also TCP/IP.

Work queue item
A job request of an existing library, made by an application that supports Removable Storage, which is placed in a queue and processed when the library resource becomes available.

Workgroup
A simple grouping of computers intended only to help users find such things as printers and shared folders within that group. Workgroups in Windows 2000 do not offer the centralized user accounts and authentication offered by domains.

Working set
For a process, the amount of physical memory assigned to a process by the operating system.

X

X Window System
X Windows is a standard set of display-handling routines developed at MIT for UNIX workstations. These routines are used to create hardware-independent graphical user interfaces for UNIX systems.

X.25
X.25 is a standard that defines the communications protocol for access to packet-switched networks.

X.400
An ISO and ITU standard for addressing and transporting e-mail messages. It conforms to layer 7 of the OSI model and supports several types of transport mechanisms, including Ethernet, X.25, TCP/IP, and dial-up lines.

X.500
The X.500 is the standard for defining a distributed directory service standard and was developed by the International Standards Organization (ISO). This ISO and ITU standard defines how global directories should be structured. X.500 directories are hierarchical, which means that they have different levels for each category of information, such as country, state, and city. X.500 supports X.400 systems.

Y

Ymodem
Ymodem is a variation of the Xmodem file transfer protocol that includes the following enhancements:
1. The ability to transfer information in 1-kilobyte (1,024-byte) blocks
2. The ability to send multiple files (batch file transmission)
3. Cyclical redundancy checking (CRC)
4. The ability to abort transfer by transmitting two CAN (cancel) characters in a row.

Z

Z axis (X axis)
Used in defining specific graphical display locations. The optical axis that is perpendicular to X and Y axes.

Zero Wait State
The condition of random access memory (RAM) that is fast enough to respond to the processor without requiring wait states.

ZIPI
A MIDI-like serial data format for musical instruments. ZIPI provides a hierarchical method for addressing instruments and uses an extensible command set.
