
Windows 2000 Professional Study Notes



The following are the installation requirements for a Windows 2000 Professional

• 133 MHz or higher Pentium-compatible processor
• 64 MB minimum (4 GB maximum)
• 2 GB hard drive with a minimum of 650 MB of free space (additional free
hard disk space is required if you are installing over a network)
• Windows 2000 Professional supports up to 2 processors.

Always check the HCL before beginning any installation. Installations can be
created on any type of partition: FAT, FAT32, or NTFS. NTFS is recommended, but
use FAT or FAT32 for dual booting. Upgrades can be performed on Windows 9x
machines and NT 3.51 and higher OSes. To upgrade Windows 3.1 or NT 3.5,
first upgrade to Windows 9x or NT 4.0, respectively. To install over a network,
install a distribution server first. Slipstreaming is the ability to install Windows
2000 and the service packs at the same time, and can be done using a
distribution image for many computers. There are four logs for troubleshooting
failed installations: Setupact.log, Setuperr.log, Setupapi.log and Setuplog.txt.

The following table lists some of the common switches available for use with

/e: command - Executes a command before the last phase of setup.
/r: foldername - Creates an additional folder in the folder where the Windows
2000 files are installed. The folder IS NOT DELETED after Setup finishes. You can
use additional /r switches to install additional folders.
/rx: foldername - Creates a folder to be copied as a part of setup into the
Windows 2000 directory, but the folder IS DELETED as setup finishes.

Use Winnt32.exe for a clean installation or upgrade from Windows 9x or NT
Workstation. There are a number of switches that can be used with winnt32.exe.
Below are a couple of the important ones:

/copydir: foldername - Creates an additional folder in the folder where the
Windows 2000 files are installed. The folder IS NOT DELETED after Setup finishes.
You can use additional /copydir switches to install additional folders. Same as
/r for winnt.exe.
/copysource: foldername - Creates a folder to be copied as a part of setup into
the Windows 2000 directory, but the folder IS DELETED as setup finishes. Same as
/rx for winnt.exe.
Executes a command before the last phase of setup. Same as /e: for
/cmdcons - Installs the appropriate files to restart the system in command-line,
non-graphical mode for repair purposes.
/syspart - Prepares a hard disk to be transferred to another computer system.
This switch installs setup files and marks the partition active. Requires the use
of the /tempdrive switch.
/tempdrive - Specifies which drive to install Windows 2000 temporary files during
Copies all of the Windows 2000 source files to the target drive during
/noreboot - Avoids a reboot after installation so that another command can be
run.
Checks your system for incompatibilities that will prevent a successful
/unattend - Upgrades your previous version of Windows by using unattended
Setup mode. All user settings are taken from the previous installation so that no
user intervention is required during Setup. You can also use this command in an
unattended installation by specifying the [seconds][:answer_file] variables.

Windows 2000 Professional supports unattended installations. The /U switch is
used for unattended installations and is followed by the location of the answer
and installation files. Unattended installations can be done for clean installs as
well as upgrades. Unattended installations can be fully automated. The default
answer file that ships with Win2K is called unattend.txt and can be modified.
Setup Manager can also create answer files. For more in-depth information about
unattended installations, read our tutorial Windows 2000 Unattended

Windows 2000 comes with a variety of tools that can be helpful during
installations. Understand the following concepts:

• Disk duplication is used when the computers have identical hardware
configurations, and is only used for clean installs.
• Sysprep is used when you need to prepare an image of a computer for
cloning but does not provide the actual distribution of this image. That is
done with third-party tools.
• To use Remote Installation Service (RIS), there must be a DHCP server
service, a DNS server service, and AD running on the network.
• Scripting is used when computers have different hardware configurations
and when disk duplication cannot be used. Answer files offer information
that is normally manually input into installation dialog boxes like user
name, password, domain name, time zones, etc.

Backup and Recovery
Recovery Console:
Now that you have installed Windows 2000, you should immediately take steps
to protect your installation by installing the Recovery Console. Recovery Console
is similar to the emergency repair disk in NT 4.0, but with many functionality
enhancements. With Recovery Console you can start and stop services, read and
write data on a local drive (including drives formatted with the NTFS file
system), copy data from a floppy disk or CD, format drives, fix the boot sector
or master boot record, and perform other administrative tasks. With Windows NT
4.0, many administrators would create a FAT partition that would allow them to
boot to a DOS prompt. The Recovery Console eliminates the need to create a FAT
partition for this purpose.

Recovery Console is set up as follows:
Insert the installation CD and switch to the I386 directory. Type C:\>winnt32
/cmdcons. When asked for confirmation, answer "yes". The file will be copied to
the hard disk. After rebooting the computer you will be able to select "Microsoft
Windows 2000 Command Console" and start Windows 2000 in command mode.
You will be prompted for a Windows 2000 installation that you wish to repair and
will be prompted for the Administrator password. Once you are in, there is a wide
variety of commands that you will be able to perform. Type HELP for a list of all
of the commands. Some of the more important commands are:

• DISKPART - Similar to fdisk
• LISTSVC - Lists services
• ENABLE/DISABLE - Enable/disable service or driver
• FIXBOOT - Create a new boot sector on the system partition
• FIXMBR - Repairs master boot record
• MAP - Shows a list of drives and ARC paths.
• LOGON - Choose which installation to work with

The Backup program has been greatly enhanced in order to support Active
Directory, and a much wider variety of backup media, including removable disks,
network drives, logical drives and tape devices, is now supported. Another nice
feature is an integrated scheduling option, which removes the need to use AT or
another scheduling utility. For more in-depth information on backing up Windows
2000, read our tutorial Backing Up and Restoring Windows

Windows 2000 has several other utilities to aid in the event of a failure, many of
which are included in "Advanced Options" which are accessed by pressing F8 at
the boot menu. In order to troubleshoot failures, it is a good idea to understand
the boot process which occurs in the following steps:

1. Power-on self test (POST)
2. Initial startup
3. Bootstrap loader process
4. Select operating system
5. Detecting hardware
6. Selecting a configuration
7. Loading and initializing the kernel (Ntoskrnl.exe)
8. Log on

The boot process requires the following files:

File            Location
NTLDR           Active partition
Boot.ini        Active partition
Ntoskrnl.exe    %SystemRoot%\System32
Hal.dll         %SystemRoot%\System32
SYSTEM key      %SystemRoot%\System32\Config
Device drivers  %SystemRoot%\System32\Drivers

Ntbootdd.sys is required only if you are using a SCSI-controlled boot partition,
and the SCSI adapter does not have a SCSI BIOS enabled. Bootsect.dos is
required only for multiple booting.

When working with the boot.ini file, you need to understand ARC naming
conventions. ARC is an architecture-independent way of naming drives for x86,
RISC, Alpha, etc. NT uses this convention in its boot.ini file to determine which
disk holds the OS. The list below explains the different options.

Multi(x) - Specifies an EIDE disk, or a SCSI disk if the BIOS is enabled to
detect it. Can only be used on x86 systems. "x" is the number of the controller.
SCSI(x) - Defines a SCSI controller if the BIOS is not enabled to do so. Again,
"x" is the number of the controller.
Defines which SCSI disk the OS is on. If SCSI(x) was used then x = the SCSI ID
of the drive. If Multi(x) was used then x = 0.
Defines the disk the OS is on when it is on an EIDE disk. x = 0-1 if on the
primary controller; x = 2-3 if on a multi-channel EIDE controller.
Specifies the partition that the operating system is located on. (x) = the
partition's number.

Below are the various recovery tools included in Windows 2000.

ERD - Emergency Repair Disk. The RDISK utility found in NT 4.0 is gone. An
ERD is now created using the ntbackup utility and no longer backs up registry
Enable VGA Mode - Located in the advanced options menu, this utility
allows one to fix display settings or drivers that have caused the display to
become unviewable.
Last Known Good Configuration - Tells Windows 2000 to forget any
changes that you have made since the previous boot, by looking for the last
configuration that did not cause system critical errors at boot. Good to try if you
have made a change to the system and then rebooted with problems.
Safe Mode - Loads a minimal version of Windows 2000 with only the drivers
needed to boot the computer. Because this option does not load any network
services or drivers, it is a good tool to use when you suspect that the problem
lies in this area.
Safe Mode With Networking - Same as Safe Mode, but includes networking
Safe Mode With Command Prompt - Safe Mode in which EXPLORER.EXE is
replaced by CMD.EXE. From the command prompt it is still possible to run
Explorer and other GUI applications from a command line. No networking support
in this mode.

File System
Disk Manager is the old Disk Administrator and is a snap-in. It can be used to
defragment, create, and manage volumes and disks. Disk systems now support
FAT32, NTFS, and FAT. The convert.exe utility can be used to convert a FAT or
FAT32 partition to NTFS. NTFS partitions cannot be converted to FAT or FAT32. If
such a need exists, the partition must be deleted and recreated as FAT or FAT32.

The NTFS file system has many new capabilities as follows:

EFS - Encrypted File System. Windows 2000 NTFS volumes have the ability to
encrypt data on the disk itself. This is based on public key and private key
encryption procedures. Private keys are used to encrypt and decrypt files, and
the key can be placed on a floppy disk for transport to other machines. The
CIPHER command can be used for encrypting from a command line. Only the
user that stored the file, or a recovery agent, can open it again. Taking
ownership of an encrypted file will not let you read it. Cipher.exe is a command line utility
that allows for bulk or scripted file encryption. To enable a folder to have any new
contents encrypted, simply view the property page for the folder and select
"Encrypt contents to secure data".
Disk Quotas - Provides the ability to set space limitations on users on a per
volume basis. The ownership of a file determines which user to charge the space
used against. You must enable quota management from the properties dialog -
quota tab of a given disk. You can then set thresholds for individual users
including a warning level when their files exceed a certain amount of storage that
is approaching their quota limit.
Defragmentation - Windows 2000 now includes a disk defragmenter that
can be used on NTFS partitions.
Volume Mount Points - Provides the ability to add new volumes to the file
system without having to assign a drive letter to them. This feature is only
available on an NTFS partition using dynamic volumes.

The Distributed File System has also been enhanced. There are two types of DFS
implementations: Stand-alone and Fault Tolerant. Stand-alone DFS stores the
configuration information on a single node (server). Child nodes can only go one
level below root, and can exist on any server. Fault Tolerant DFS stores the DFS
configuration information in Active Directory. There can be two identical shares
on different servers configured as a single child node to provide fault tolerance.
You can have multiple levels of child volumes and file replication is supported.
Clients must have DFS software installed. Windows NT4, Windows 2000 and
Windows 98 include this software while Windows 95 clients must download the
appropriate DFS client software from

Windows 2000 features a new storage type called "dynamic disks". Dynamic
disks' advantages include an unlimited number of volumes created per disk.
NTFS Volumes can be extended and we can now include space from different
disks. Perhaps the most important item is that the disk configuration is stored on
the disk itself. This means that we can move disks between computers (within
reason) and have the data available with little additional effort. Dynamic volumes
are not supported for Zip disks or laptops. Basic disks can be upgraded to
dynamic disks without restarting the computer, but backward conversion causes
all data to be lost. Simple volumes are created on dynamic disks and are made
up of one physical disk. Spanned volumes combine many physical disks (up to
32), and are written to sequentially until all are full. Striped volumes are created
from multiple disks (up to 32) and are written to concurrently. There are no fault
tolerant disk configurations available in Windows 2000 Professional.

Hardware Devices
Plug and Play is now supported in Windows 2000. Both APM and ACPI are
supported for power management; either must be supported by the computer's
BIOS. ACPI is new, APM is legacy. Device Manager is still used for the usual
activities (troubleshooting, updating drivers, etc.) and still has the familiar red
and yellow warnings. Changes to network adapters no longer require the computer
to be rebooted, and if they are Plug and Play, they are automatically configured.

NTFS Permissions
File and Directory Permissions:
NTFS permissions are largely the same. The following tables break down each of
the permission types. The first table lists the different permissions for files.

Full Control - Read, write, modify, execute, change attributes, permissions, and
take ownership of the file.
Modify - Read, write, modify, execute, and change the file's attributes.
Read & Execute - Display the file's data, attributes, owner, and permissions, and
run the file (if it's a program or has a program associated with it for which you
have the necessary permissions).
Read - Display the file's data, attributes, owner, and permissions.
Write - Write to the file, append to the file, and read or change its attributes.

The following table lists the different permissions for directories.

Full Control - Read, write, modify, and execute files in the folder, change
attributes, permissions, and take ownership of the folder or files.
Modify - Read, write, modify, and execute files in the folder, and change
attributes of the folder or files within.
Read & Execute - Display the folder's contents and display the data, attributes,
owner, and permissions for files within the folder, and run files within the
folder (if they're programs or have a program associated with them for which you
have the necessary permissions).
List Folder Contents - Display the folder's contents and display the data,
attributes, owner, and permissions for files within the folder, and run files
within the folder (if they're programs or have a program associated with them
for which you have the necessary permissions).
Read - Display the file's data, attributes, owner, and permissions.
Write - Write to the file, append to the file, and read or change its

The Read & Execute and List Folder Contents folder permissions appear to be
exactly the same; however, they are inherited differently and thus are different
permissions. Files can inherit the Read & Execute permission but can't inherit
the List Folder Contents permission. Folders can inherit both.

So you may be wondering what is really different from NT 4.0. NT 4.0 gave the
options of granting access or not specifying. Windows 2000 has the new option of
denying a user or users a particular permission. For example, if you wanted to
make sure that Bob is unable to read any file, then simply deny him read
permissions. Permissions are cumulative, except for Deny, which overrides

The next table shows what happens to files when they are copied or moved
within or across NTFS partitions.

Moving within a partition - Does not create a new file; simply updates the
location in the directory. The file keeps its original permissions.
Moving across a partition - Creates a new file and deletes the old one. The new
file inherits the target folder's permissions.
Copying within a partition - Creates a new file which inherits the permissions of
the target folder.

Files moved from an NTFS partition to a FAT partition do not retain their
attributes or security descriptors, but will retain their long filenames.

As with NT 4.0, Windows 2000 also supports special access permissions, which
are made by combining other permissions. The following tables show the special
access permissions and the recipe to make them.

File Special Permissions        Full Control  Modify  Read & Execute  Read  Write
Traverse Folder/Execute File         X          X           X
List Folder/Read Data                X          X           X           X
Read Attributes                      X          X           X           X
Read Extended Attributes             X          X           X           X
Create Files/Write Data              X          X                             X
Create Folders/Append Data           X          X                             X
Write Attributes                     X          X                             X
Write Extended Attributes            X          X                             X
Delete Subfolders and Files          X
Delete                               X          X
Read Permissions                     X          X           X           X     X
Change Permissions                   X
Take Ownership                       X
Synchronize                          X          X           X           X     X

Folder Special Permissions      Full Control  Modify  Read & Execute  List Folder Contents  Read
Traverse Folder/Execute File         X          X           X                  X
List Folder/Read Data                X          X           X                  X            X
Read Attributes                      X          X           X                  X            X
Read Extended Attributes             X          X           X                  X            X
Create Files/Write Data              X          X
Create Folders/Append Data           X          X
Write Attributes                     X          X
Write Extended Attributes            X          X
Delete Subfolders and Files          X
Delete                               X          X
Read Permissions                     X          X           X                  X            X
Change Permissions                   X
Take Ownership                       X
Synchronize                          X          X           X                  X            X

Remember that file permissions override the permissions of its parent folder.
Anytime a new file is created, the file will inherit permissions from the target

Share Permissions:
Shares are administered through the MMC, My Computer or through Explorer and
permissions can be set on a share in the "Share Permissions" tab. Share level
permissions only apply when a file or folder is being accessed via the network
and do not apply to a user logged into the machine locally. The following are the
different share-level permissions:

Read - View files and subdirectories. Execute applications. No changes can be
made.
Change - Includes read permissions and the ability to add, delete or change
files or subdirectories.
Full Control - Can perform any and all functions on all files and folders within
the share.

These permissions are identical to NT 4.0, however, there is one new change. As
we discussed above the Deny permission can also be applied to shares. The Deny
permission overrides all others. When folders on FAT and FAT32 volumes are
shared, only the share level permissions apply as these systems do not support
file and directory permissions. When folders on NTFS volumes are shared, the
effective permission of the user will be the most restrictive of the two. This
means that if Bob is trying to access a file called mystuff located on myshare and
he has share permissions of read and file permissions of full control, his effective
permissions would be read. Conversely, if his share permissions are full control
and his file permissions are read, he will still only have read permissions to

When comparing either Share or NTFS permissions, the least restrictive always
wins out. When comparing both Share and NTFS permissions, take the least
restrictive of each category and then the more restrictive of those two.
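The rules above (Allow entries accumulate within a category, Deny overrides, share and NTFS meet only over the network and the more restrictive of the two wins) can be checked mechanically. The following is an added example, not part of the study notes; it expands standard permissions into the special permissions from the file table, models "more restrictive" as set intersection, and uses constructed user and group names. Share Read is mapped to the Read & Execute bundle because the share table defines it as viewing plus executing.

```python
"""Effective-permission model for Windows 2000 NTFS and share permissions.

Added example, not from the notes. Principal names (Bob, Users) are
constructed. Special permission names follow the file table above."""

# Special permissions from the "File Special Permissions" table.
TRAVERSE   = "Traverse Folder/Execute File"
READ_DATA  = "List Folder/Read Data"
READ_ATTR  = "Read Attributes"
READ_EA    = "Read Extended Attributes"
WRITE_DATA = "Create Files/Write Data"
APPEND     = "Create Folders/Append Data"
WRITE_ATTR = "Write Attributes"
WRITE_EA   = "Write Extended Attributes"
DEL_SUB    = "Delete Subfolders and Files"
DELETE     = "Delete"
READ_PERM  = "Read Permissions"
CHG_PERM   = "Change Permissions"
TAKE_OWN   = "Take Ownership"
SYNC       = "Synchronize"

ALL_SPECIAL = frozenset({
    TRAVERSE, READ_DATA, READ_ATTR, READ_EA, WRITE_DATA, APPEND, WRITE_ATTR,
    WRITE_EA, DEL_SUB, DELETE, READ_PERM, CHG_PERM, TAKE_OWN, SYNC,
})

# Standard NTFS permissions as bundles of special permissions (file table).
READ_SET = frozenset({READ_DATA, READ_ATTR, READ_EA, READ_PERM, SYNC})
WRITE_SET = frozenset({WRITE_DATA, APPEND, WRITE_ATTR, WRITE_EA, READ_PERM, SYNC})
NTFS_STANDARD = {
    "Read": READ_SET,
    "Write": WRITE_SET,
    "Read & Execute": READ_SET | {TRAVERSE},
    "Modify": READ_SET | WRITE_SET | {TRAVERSE, DELETE},
    "Full Control": ALL_SPECIAL,
}

# Share permissions per the share table: Read = view and execute,
# Change = Read plus add/delete/change, Full Control = everything.
SHARE_STANDARD = {
    "Read": NTFS_STANDARD["Read & Execute"],
    "Change": NTFS_STANDARD["Modify"],
    "Full Control": ALL_SPECIAL,
}


def effective_in_category(aces, principals, table):
    """aces: list of (principal, "Allow" | "Deny", standard permission name).
    Union every Allow that matches the user or one of the groups (least
    restrictive wins within a category), then subtract every matching Deny
    (Deny overrides)."""
    allowed, denied = set(), set()
    for principal, kind, standard in aces:
        if principal not in principals:
            continue
        rights = table[standard]
        if kind == "Allow":
            allowed |= rights
        elif kind == "Deny":
            denied |= rights
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return frozenset(allowed - denied)


def effective_access(ntfs_aces, share_aces, principals, via_network=True):
    """Local logons see only NTFS rights; over the network the share rights
    apply too, and the more restrictive of the two (the intersection) wins."""
    ntfs = effective_in_category(ntfs_aces, principals, NTFS_STANDARD)
    if not via_network:
        return ntfs
    share = effective_in_category(share_aces, principals, SHARE_STANDARD)
    return ntfs & share


def describe(rights):
    """Name the broadest standard permission fully contained in a rights set."""
    for name in ("Full Control", "Modify", "Read & Execute", "Read", "Write"):
        if NTFS_STANDARD[name] <= rights:
            return name
    return "No access" if not rights else "Special"


if __name__ == "__main__":
    bob = {"Bob", "Users"}                      # Bob and his group memberships
    share = [("Users", "Allow", "Read")]
    ntfs = [("Users", "Allow", "Full Control")]
    # Share Read + NTFS Full Control: the share limits Bob to reading.
    print(describe(effective_access(ntfs, share, bob)))                    # Read & Execute
    # Same ACLs, logged on locally: share permissions do not apply.
    print(describe(effective_access(ntfs, share, bob, via_network=False)))  # Full Control
    # Deny overrides: Users may Modify, but Bob is explicitly denied Read.
    ntfs_deny = [("Users", "Allow", "Modify"), ("Bob", "Deny", "Read")]
    rights = effective_access(ntfs_deny, [("Users", "Allow", "Full Control")], bob)
    print(READ_DATA in rights)                                             # False
```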

A Printer is a physical piece of equipment (AKA print device), a logical printer is
what the user sees on the screen of the local computer (AKA software), print
processor, print router, and printer pools are all self-explanatory. Print spools hold
documents until they are ready to be printed. Printers can be located in AD and
can be found by querying the location of a printer that can staple, print on
specific papers, or can be chosen by printer type to name a few. Windows 2000
Professional automatically downloads the drivers for clients running Windows
2000, Windows NT 4/3.51 and Windows 9x.

Print Pooling allows jobs to be dispersed across more than one printer, making
them behave as one. Printer pools must contain printers that use the same

If a printer experiences a jam in the middle of a job, you can select "resume" to
continue where you left off.

Key - Definition
HKEY_CURRENT_USER - Contains the root of the configuration information for the
user who is currently logged on and contains their profile.
HKEY_USERS - Contains the root of all user profiles on the computer.
HKEY_CURRENT_USER is an alias for a subkey in the HKEY_USERS subtree.
HKEY_LOCAL_MACHINE - Contains configuration information particular to the
computer (for any user).
Information stored here ensures that the correct program opens when you open a
file by using Windows Explorer.
HKEY_CURRENT_CONFIG - Contains information about the hardware profile used by
the local computer at system startup.

The registry editors included with Windows 2000 include Regedt32 and Regedit.
Each registry editor has advantages and disadvantages. You can perform most
tasks with either registry editor, but certain tasks are easier with one registry
editor. The following are advantages of Regedt32:

• Using the Security menu, you can check for and apply access permissions
to subtrees, keys, and individual subkeys.
• Each subtree is displayed in its own dedicated window, reducing clutter.
• You can set an option to work in read-only mode.
• You can edit values longer than 256 characters.
• You can easily edit REG_MULTI_SZ entry values.
• You can load multiple registry files at the same time.

The following are advantages of Regedit:

• Regedit has more powerful search capabilities.
• All the keys are visible in one Windows Explorer-like window.
• You can bookmark favorite subkeys for fast access later on.
• Regedit reopens to the subtree that was last edited.
• You can export the registry to a text file.
• You can import a registry file from the command line.

Optimization and Tuning
Performance Monitor is included in Windows 2000 and is an MMC snap-in. Just as
in NT 4.0, there are performance counters that can be used to determine the
source of performance problems. The following is a list of important counters and
suggested thresholds.

Processor:
Object = Processor. Counter = % Processor Time - If this value is consistently
at or above 80% and disk and network counter values are low, a processor
upgrade may be necessary.
Object = System. Counter = % Processor Queue Length - A sustained processor
queue length that is over 2 may indicate a processor bottleneck.
Memory:
Object = Memory. Counter = Pages/sec - If the value is consistently over 20, the
system may need a memory upgrade.
Object = Memory. Counter = Committed Bytes - Should be less than the amount of
RAM in the computer.
Physical Disk:
Object = PhysicalDisk. Counter = % Disk Time - If over 90%, add more disk
drives and partition the files among all of the drives.
Object = PhysicalDisk. Counter = Disk Queue Length - If consistently over 2,
drive access may be a bottleneck.
Logical Disk:
Object = PhysicalDisk. Counter = Disk Queue Length - If consistently over 2,
drive access may be a bottleneck.
Network:
Object = Server. Counter = Bytes Total/sec - If the sum of Bytes Total/sec for
all servers is about equal to the max transfer rate of your network, the network
may need to be further segmented.
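The thresholds above are only useful if "consistently" is applied over a window rather than to a single spike, and the processor rule is conditional on disk and network being quiet. The following is an added example, not part of the study notes, that applies these rules to a constructed window of counter samples; treating 90% of the link rate as "about equal to the max transfer rate" is an assumption.

```python
"""Bottleneck detection from the Performance Monitor thresholds in the notes.

Added example, not from the notes. "Consistently"/"sustained" is modelled as
every sample in the window crossing the threshold. Sample values, the 256 MB
RAM figure and the 100 Mbit/s link rate are constructed."""

PROC_TIME  = "Processor\\% Processor Time"
PROC_QUEUE = "System\\Processor Queue Length"
PAGES      = "Memory\\Pages/sec"
COMMITTED  = "Memory\\Committed Bytes"
DISK_TIME  = "PhysicalDisk\\% Disk Time"
DISK_QUEUE = "PhysicalDisk\\Disk Queue Length"
NET_BYTES  = "Server\\Bytes Total/sec"


def sustained(samples, counter, threshold, inclusive=False):
    """True when every sample carrying the counter is over the threshold
    (at or over when inclusive, as the notes state for % Processor Time)."""
    values = [s[counter] for s in samples if counter in s]
    if not values:
        return False
    return all(v >= threshold if inclusive else v > threshold for v in values)


def find_bottlenecks(samples, ram_bytes, link_rate_bytes_per_sec):
    """Return the findings the notes' rules produce for one sample window."""
    findings = []
    disk_busy = (sustained(samples, DISK_TIME, 90)
                 or sustained(samples, DISK_QUEUE, 2))
    # Assumption: "about equal to the max transfer rate" = 90% of link rate.
    net_busy = sustained(samples, NET_BYTES, 0.9 * link_rate_bytes_per_sec)
    # The processor rule fires only when disk and network are NOT also busy;
    # otherwise the CPU is waiting on them and an upgrade would not help.
    if sustained(samples, PROC_TIME, 80, inclusive=True) and not (disk_busy or net_busy):
        findings.append("processor: % Processor Time >= 80%, consider a CPU upgrade")
    if sustained(samples, PROC_QUEUE, 2):
        findings.append("processor: queue length > 2, processor bottleneck")
    if sustained(samples, PAGES, 20):
        findings.append("memory: Pages/sec > 20, consider more RAM")
    if any(s.get(COMMITTED, 0) > ram_bytes for s in samples):
        findings.append("memory: Committed Bytes exceed physical RAM")
    if sustained(samples, DISK_TIME, 90):
        findings.append("disk: % Disk Time > 90%, add drives and spread files")
    if sustained(samples, DISK_QUEUE, 2):
        findings.append("disk: queue length > 2, drive access may be a bottleneck")
    if net_busy:
        findings.append("network: Bytes Total/sec near link rate, consider segmenting")
    return findings


# Constructed one-minute window sampled every 15 seconds: CPU pegged, a single
# paging spike (not sustained), disk and network quiet.
SAMPLES = [
    {PROC_TIME: 91, PROC_QUEUE: 4, PAGES: 8,  COMMITTED: 190_000_000,
     DISK_TIME: 12, DISK_QUEUE: 1, NET_BYTES: 400_000},
    {PROC_TIME: 88, PROC_QUEUE: 3, PAGES: 25, COMMITTED: 195_000_000,
     DISK_TIME: 15, DISK_QUEUE: 1, NET_BYTES: 380_000},
    {PROC_TIME: 95, PROC_QUEUE: 5, PAGES: 6,  COMMITTED: 201_000_000,
     DISK_TIME: 9,  DISK_QUEUE: 0, NET_BYTES: 410_000},
    {PROC_TIME: 84, PROC_QUEUE: 3, PAGES: 11, COMMITTED: 198_000_000,
     DISK_TIME: 14, DISK_QUEUE: 1, NET_BYTES: 390_000},
]
RAM_BYTES = 256 * 1024 * 1024          # constructed: 256 MB of physical RAM
LINK_RATE = 12_500_000                 # constructed: 100 Mbit/s in bytes/sec

if __name__ == "__main__":
    for finding in find_bottlenecks(SAMPLES, RAM_BYTES, LINK_RATE):
        print(finding)                 # two processor findings, nothing else
```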

Windows 2000 Performance Monitor has several different logging methods. Many
3rd party performance applications utilize the Trace log feature. Counter logs
allow you to log performance values at a designated interval for local or remote
Win2K computers. Alert logs can send a message or run a script/program when a
pre-determined threshold has been surpassed.

Performance Monitor now offers more flexibility for exporting data as it can now
be saved in HTML, binary, binary circular, .csv, and .tsv.

Paging File
A paging file (pagefile.sys) is responsible for managing virtual memory and stores
data that is not resident in RAM. There is a lot of conflicting information on
Microsoft's website regarding the recommended size of the paging file and we are
not sure which is correct. Some references say that it should be 1.5x the amount
of physical RAM and others say that it should be physical RAM +12mb as in NT
4.0. You can see the conflicting recommendations in the following support

What you will more likely see on the exam are questions that attempt to see if
you understand situations in which the page file should be increased rather than
memorizing recommended settings. One such situation is when SQL Server is
employed. In this case it is recommended that the paging file be set to 1.5x the
amount of physical RAM.

For better performance, the paging file should be distributed across multiple
drives that do not contain system or boot files.

Driver Signing
Driver signing is the verification by MS that the drivers you are installing have
been tested and will work. You can set limits on users for installing drivers by
choosing Warn, Ignore or Block if the driver isn't signed properly. Use the System
File Checker (SFC /scannow) to check the digital signatures of drivers on a
computer. Other options include /quiet, /scanboot, /scanonce, /cancel, and

User Environment
User profiles are used to keep users' desktop settings and preferences available
to them each time they log on. Roaming user profiles will keep this information
on the network server so users can access their profile from any computer on the
network. Ntuser.dat and are the same as in NT 4.0 for creating
mandatory profiles. Local profiles are stored in C:\Documents and

Offline Files
Offline files can be configured to allow users to cache network information
normally stored on servers. The Synchronization Manager is used to manage
those files once it is set up. Offline files are stored in the systemroot\CSC
directory. Offline Files supports three types of caching, as follows:

Manual caching for documents - This setting requires users to specify the
documents that they would like cached.
Automatic caching for documents - As you might expect, this option will
cache all files that a user opens.
Automatic caching for programs - Reduces network traffic as the network
versions of the documents or programs are only stored once. After it is cached,
the offline copies are used.

There are 24 localized versions of Win2K. UNICODE is a character set that
supports world-wide communications and has characters for French, Russian, and
other foreign languages. RTL and API allow developers to create a single program
for an application and allow these programs to be used correctly in other
languages. Locales are localized language and customs settings and are listed
below:

User locales = numbers, currency, time, etc.
Input locales = keyboard, mouse, etc.
System locales = character set and fonts

Software Packages
Software can be efficiently deployed, updated and removed using Group Policies
and two technologies built into Windows 2000 - Windows Installer and Software
Installation and Maintenance.

Windows Installer will replace Setup.exe for many applications. Its advantages
include the ability to build custom installations, enable programs to "repair"
themselves if a critical file is missing or corrupt and to remove themselves very
cleanly when necessary. Software Installation and Maintenance combines Group
Policies and Active Directory technologies to enable an administrator to install,
manage and remove software across the network. This is only available for
Windows 2000 clients.

When you deploy software, you can choose to assign it or publish it. Assigned
software can be targeted at users or computers. If you assign an application to a
USER, the icons show up on the desktop and/or start menu, but the program is
only installed when the user runs it for the first time. If it is assigned to a
COMPUTER, it's installed the next time the system is restarted.

If you publish an application, the user can install it through Add/Remove
Programs or through opening a file that requires that particular program(a file
association). Published programs cannot self repair, cannot be published to
computers and are not advertised on the users' desktop or start menu - only
through add/remove programs.

Assigned applications require a windows installer file(.msi) while published
applications can use Windows Installer files or ZAP files. A .ZAP file is an
administrator created text file that specifies the parameters of the program to be
installed and the file extensions associated with it. Installations that utilize .ZAP
files cannot self repair or install with higher privileges and will typically require
user intervention to completely install.

You can deploy upgrades using GPO's simply by specifying which program is to
be upgraded and whether or not it is a mandatory upgrade. You can apply
service packs or patches by "re-deploying" an existing Group Policy with the new
information regarding the service pack.

Fax Support
Windows 2000 Professional ships with built-in fax support with a single user
license. Faxing is managed via the Fax Service Management tool which will be
installed when a fax device is installed on the computer. The "virtual" fax
machine will appear as an icon in the printers folder. In order for faxes to be
sent, the user must have appropriate permissions to send them. These
permissions can be viewed by finding the fax icon in the printer folder and
viewing the Security tab in the properties. In order to receive faxes, the "Enable
to Receive" must be selected.

Network Connections
Windows 2000 supports many industry standard protocols including:
DLC - For use with Mainframes, AS400s, etc.
IrDA - Infrared Data Association

The same tools are still in use for troubleshooting TCP/IP: PING, IPCONFIG,
TRACERT, ARP, NBSTAT, NETSTAT, ROUTE, etc. PATHPING is new and can be used
to troubleshoot lost data packets.

Like Windows 98, Windows 2000 supports a new feature called Automatic Private
IP Addressing. When "Obtain An IP Address Automatically" is enabled, but the
client cannot obtain an IP address from a DHCP server, Automatic Private IP
Addressing assigns an address in the form 169.254.x.x with a class B subnet
mask. The computer broadcasts this address to its local subnet and, if no other
computer responds to the address, the computer allocates this address to itself.
Remember that a computer that picks up one of these addresses will only be able
to communicate with other computers that have compatible addresses and subnet
masks.

RAS Policies are a new feature in Windows 2000. Now it is possible to build an
entire set of rules called a RAS Policy to dictate several conditions that must exist
before a user can connect. It allows the flexibility to require that a user must be
dialing from a specific IP address or from a range of addresses, during the right
time of day, from the appropriate caller id location using the appropriate
protocol. We can restrict access by group membership or the type of service
requested. All of these are configurable and optional. Once the user has met all
of the conditions, we can apply a profile, which can include items such as the IP
address to use for this session, the authentication type that is allowed, any
restrictions such as idle time and the rules for BAP with multilink sessions.

Windows 2000 now provides support for VPNs. A virtual private network (VPN) is
the extension of a private network that encompasses links across shared or
public networks like the Internet. With a VPN, you can create a connection
between two computers across a shared or public network that emulates a
point-to-point private link. Windows 2000 supports a couple of different VPN
protocols. Point to Point Tunneling Protocol (PPTP) creates an encrypted
"tunnel" through an untrusted network and is supported by Windows
95/98/NT4/2000. Layer Two Tunneling Protocol (L2TP) works like PPTP in that it
creates a "tunnel", but uses IPSec encryption in order to support non-IP
protocols and authentication. The table below illustrates the features of each:

Feature                                        PPTP   L2TP
Built-in encryption                            X
Transmits over IP-based                        X      X
Transmits over UDP, Frame Relay, X.25 or ATM          X

Windows 98 supported Internet Connection Sharing (ICS), which is now also
supported in Windows 2000. ICS allows multiple PCs to share a single connection
with the aid of Network Address Translation (NAT) and is intended for small
office/home office (SOHO) environments. When you enable ICS, the network
adapter connected to the network is given a new static IP address configuration.
Existing TCP/IP connections on the computer are lost and need to be re-

NAT can be configured separately from ICS and provides the following features
and benefits that do not exist when used with ICS alone:

Multiple public IP addresses - NAT can use more than one range of public
Configurable address range - NAT allows manual configuration of IP
addresses and subnet masks, whereas ICS uses a fixed IP address range. Any
range of IP addresses can be configured using the NAT properties in Routing and
Remote Access Manager. A DHCP allocator provides the mechanism for
distributing IP addresses, the same way that DHCP does this. NAT can also use IP
addresses distributed from a DHCP server by selecting the Automatically assign
IP addresses by using DHCP check box in the NAT properties sheet.
DNS and WINS proxy - Name resolution can be established by using either
DNS or WINS. You can configure this by selecting the appropriate check boxes in
the NAT properties sheet under the Name Resolution tab.
Multiple network interfaces - You can distribute NAT functionality on more
than one network interface by adding the interface to NAT in the Routing and
Remote Access Manager.

Remote Access
RAS has changed rather dramatically. Several new RAS protocols are now
available to make our communications over dial up lines or the Internet much
more secure and more flexible. These new protocols include Extensible
Authentication Protocol (EAP), Layer Two Tunneling Protocol (L2TP), Bandwidth
Allocation Protocol (BAP), Internet Protocol Security (IPSec) and Remote
Authentication Dial-In User Service (RADIUS).
EAP gives the ability to use Transport Level Security, another encryption
methodology for usernames and passwords.

L2TP makes it possible to create a tunnel through a public network that is
authenticated on both ends, uses header compression, and relies on IPSec for
encryption of data passed through the tunnel.

Bandwidth Allocation Protocol allows us to set up Multilink capabilities; if a
user isn’t using the bandwidth of multiple lines, we can drop one of the lines
assigned to that user and use it for another user.

IPSec is essentially a driver at the IP layer that provides encryption very low
down in the protocol stack.

RADIUS is an RFC based standard that allows us to provide authentication
services from the corporate network to a client that is attaching to an ISP that
wants access to our server. The ISP’s dial up server that hosts the client is a
client to the Radius Server Service (IAS) on the corporate network. The IAS
server allows the user to connect.

Local user accounts are managed from the Computer Management snap-in while
domain accounts are managed from the Active Directory Users and Computers
snap-in. Local accounts only give access to local resources. In a domain model, if
a user wishes to access network resources, they will need to have an account in
the directory with appropriate permissions to the resources that they are trying
to access. There are 2 local user accounts that are created during installation,
which are Administrator and Guest (disabled by default).

There are 2 types of groups in Windows 2000 - Security and Distribution. It is
not recommended to use local groups in a domain environment. There are
several built-in local groups as follows:
Local Group        Description
Administrators     Can manage all functions on the local system.
Backup Operators   Are able to back up and restore files on the local system
                   regardless of permissions on the files and directories being
                   backed up. May also grant permissions to other users to
                   perform backup operations.
Guests             Provides limited access to system resources.
Power Users        Can create and administer user accounts and groups. Can only
                   manage users that they created. Can install and remove
                   applications and share resources.
Replicator         Used to replicate content between DCs.
Users              The default group that a new user is added to. Can run
                   applications installed by administrators or power users, but
                   not other local users.

Local Group Policy
Group policy is managed using the Group Policy snap-in. Group Policy allows one
to control specific rights to local groups and edit administrative templates. Below
are the common security templates for Windows 2000 Workstation.
Template                     Description
Basic (basicwk.inf)          The default security configuration. Does not cover
                             user rights.
Compatible (compatws.inf)    For allowing compatibility with non-Windows 2000
                             applications.
Highly Secure (hisecws.inf)  Limits the workstation's ability to communicate
                             with non-Windows 2000 operating systems. Best used
                             in native environments.
Templates only work on NTFS partitions. The Security Configuration and Analysis
tool will compare current security settings to recommended settings based on a
security template.

Local Account and Lockout Policies
Allow administrators to manage users' password and lockout configurations,
including password length, complexity, lockout threshold, duration, etc.
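An added example (not from the study notes) that models the settings just listed: the Windows password complexity rule (minimum length, not containing the account name, three of four character classes) and a lockout counter with threshold, lockout duration and reset window. The policy values and the logon timeline are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AccountPolicy:
    """Constructed sample values for the settings the notes list."""
    min_length: int = 8
    complexity: bool = True
    lockout_threshold: int = 5          # failed logons before lockout (0 = never)
    lockout_duration: timedelta = timedelta(minutes=30)
    reset_counter_after: timedelta = timedelta(minutes=30)

def meets_complexity(password, username, policy):
    """Length, not containing the account name, and 3 of 4 character classes."""
    if len(password) < policy.min_length:
        return False
    if not policy.complexity:
        return True
    if username and username.lower() in password.lower():
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes) >= 3

@dataclass
class AccountState:
    failures: int = 0
    last_failure: "datetime | None" = None
    locked_until: "datetime | None" = None

def record_logon(state, policy, success, now):
    """Apply one logon attempt; returns 'ok', 'denied' or 'locked'."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"                 # attempts during lockout are ignored
        state.locked_until, state.failures = None, 0   # lockout duration elapsed
    if success:
        state.failures = 0
        return "ok"
    if state.last_failure and now - state.last_failure > policy.reset_counter_after:
        state.failures = 0                  # reset-counter window has passed
    state.failures += 1
    state.last_failure = now
    if policy.lockout_threshold and state.failures >= policy.lockout_threshold:
        state.locked_until = now + policy.lockout_duration
        return "locked"
    return "denied"

def simulate(policy, attempts, start=datetime(2024, 1, 1, 9, 0)):
    """Replay (offset_seconds, success) attempts against a fresh account."""
    state = AccountState()
    return [record_logon(state, policy, ok, start + timedelta(seconds=s))
            for s, ok in attempts]
```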

Event Viewer
Like its predecessors, Windows 2000 is still using the Event Viewer to monitor
security, system and application events. Event Viewer is accessed through the
Computer Management snap-in. The security log writes events to the logs based
on audit policy. Auditing is disabled by default as it can slow system
performance. The following table shows the different security events that can be
added to an audit policy.
Category            Description
Account Logon       Logs each logon attempt.
Logon Events        Logs network logon attempts including interactive or service
                    logons.
Account Management  Logs every instance of changes (management) of user accounts.
Directory Service   Logs Active Directory Service events.
Policy Change       Logs changes in policies.
Process Tracking    Tracks all programs and processes initiated by a user in
                    order to monitor their activities.
Object Access       Tracks a user's attempts to access resources in the Active
                    Directory.
Privilege Use       Logs when a user utilizes special access privileges.
System Event        Logs configured system events such as startup/shutdown, etc.

Acronyms you really must know (not including the ones you already know!)
1. ACL - access control list
2. ACPI - advanced configuration and power interface
3. AD - active directory
4. APM - advanced power management
5. APIPA - automatic private internet protocol addressing
6. CA - certificate authority
7. CAL - client access license
8. DHCP - dynamic host control protocol
9. DNS - domain name system
10. EAP - extensible authentication protocol
11. EFS - encrypting file system
12. FEK - file encryption key
13. GPO - group policy object
14. GPT - group policy template
15. HCL - hardware compatibility list
16. IAS - internet authentication services
17. ICS - internet connection sharing
18. IPSec - internet protocol security
19. L2TP - layer two tunneling protocol
20. LDAP - lightweight directory access protocol
21. LPD - line printer daemon
22. MMC - microsoft management console
23. NAT - network address translation
24. NTFS - NT file system
25. ODBC - open database connectivity
26. OSI - open systems interconnection (model)
27. OU - organizational unit
28. PCMCIA - personal computer memory card interface adapter
29. PPP - point to point protocol
30. PPTP - point to point tunneling protocol
31. PXE - preboot execution environment
32. RAS - remote access service
33. RIPrep - remote installation preparation
34. RIS - remote installation services
35. RRAS - routing and remote access service
36. SAM - security accounts manager
37. SMP - symmetric multiprocessing
38. SMS - systems management server
39. Sysprep - system preparation
40. TFTP - trivial file transfer protocol
41. UDF - unique database file
42. UNC - universal naming convention
43. VPN - virtual private network
44. WDM - windows32 driver model