
Operating System Concepts

and Networking Management

SHIVKUMAR SHARMA 126338778 BCSL-063 LAB MANUAL


Session 1: NETWORK CONFIGURATION

Exercise 1 : Run the following commands and write the use of each command

Ipconfig

C:\Documents and Settings\Administrator>ipconfig


Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix :
IP Address : 10.227.1.81
Subnet Mask : 255.255.255.128
Default Gateway : 10.227.1.1

Ping

C:\Documents and Settings\Administrator>ping


Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
[-r count] [-s count] [[-j host-list] | [-k host-list]]
[-w timeout] destination-list

Options:
-t Ping the specified host until stopped.
To see statistics and continue - type Control-Break;
To stop - type Control-C.
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.



-w timeout Timeout in milliseconds to wait for each reply.

telnet
Microsoft (R) Windows 2000 (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Client
Telnet Client Build 5.00.99206.1
Escape Character is 'CTRL+]'
Microsoft Telnet>

diskperf
C:\Documents and Settings\Administrator>diskperf
Physical Disk Performance counters on this system are currently set to start at boot.

netdiag
C:\Documents and Settings\Administrator>netdiag
'netdiag' is not recognized as an internal or external command, operable program or batch file.

netstat

C:\Documents and Settings\Administrator>netstat


Active Connections
Proto Local Address Foreign Address State
TCP Amb:1208 72.20.27.115:8080 SYN_SENT
TCP Amb:2380 105.173.200.246:microsoft-ds SYN_SENT
TCP Amb:2381 17.43.237.130:microsoft-ds SYN_SENT
TCP Amb:2382 185.57.26.6:microsoft-ds SYN_SENT
TCP Amb:2383 11.230.24.215:microsoft-ds SYN_SENT
TCP Amb:2384 122.126.219.134:microsoft-ds SYN_SENT
TCP Amb:2387 143.135.200.171:microsoft-ds SYN_SENT
TCP Amb:2388 8.229.211.254:microsoft-ds SYN_SENT
TCP Amb:2389 12.188.152.119:microsoft-ds SYN_SENT
TCP Amb:2390 53.74.31.59:microsoft-ds SYN_SENT
TCP Amb:2391 63.78.51.82:microsoft-ds SYN_SENT
TCP Amb:2393 185.166.131.126:microsoft-ds SYN_SENT
TCP Amb:2394 50.60.189.211:microsoft-ds SYN_SENT
TCP Amb:2395 122.123.9.47:microsoft-ds SYN_SENT
TCP Amb:2396 131.186.166.19:microsoft-ds SYN_SENT
TCP Amb:2397 53.74.31.59:microsoft-ds SYN_SENT

Pathping

C:\Documents and Settings\Administrator>pathping


Usage: pathping [-n] [-h maximum_hops] [-g host-list] [-p period]
[-q num_queries] [-w timeout] [-t] [-R] [-r] target_name
Options:
-n Do not resolve addresses to hostnames.
-h maximum_hops Maximum number of hops to search for target.
-g host-list Loose source route along host-list.
-p period Wait period milliseconds between pings.
-q num_queries Number of queries per hop.
-w timeout Wait timeout milliseconds for each reply.
-T Test connectivity to each hop with Layer-2 priority tags.
-R Test if each hop is RSVP aware.

ftp
C:\Documents and Settings\Administrator>ftp
ftp>

tftp
C:\Documents and Settings\Administrator>tftp
Transfers files to and from a remote computer running the TFTP service.
TFTP [-i] host [GET | PUT] source [destination]
-i Specifies binary image transfer mode (also called octet). In binary image
mode the file is moved literally, byte by byte. Use this mode when
transferring binary files.
host Specifies the local or remote host.
GET Transfers the file destination on the remote host to the file source on the
local host.
PUT Transfers the file source on the local host to the file destination on the
remote host.
source Specifies the file to transfer.
destination Specifies where to transfer the file.
Sfc

C:\Documents and Settings\Administrator>sfc


Microsoft(R) Windows 2000 Windows File Checker Version 5.00 (C) 1999 Microsoft Corp.
All rights reserved
Scans all protected system files and replaces incorrect versions with correct Microsoft versions.

SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/CANCEL] [/ENABLE]


[/PURGECACHE] [/CACHE SIZE=x] [/QUIET]
/SCANNOW Scans all protected system files immediately.
/SCANONCE Scans all protected system files once at the next boot.
/SCANBOOT Scans all protected system files at every boot.
/CANCEL Cancels all pending scans of protected system files.
/QUIET Replaces all incorrect file versions without prompting the user.
/ENABLE Enables Windows File Protection for normal operation
/PURGECACHE Purges the file cache and scans all protected system files
immediately.
/CACHESIZE=x Sets the file cache size

nbtstat
C:\Documents and Settings\Administrator>nbtstat
Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]

-a (adapter status) Lists the remote machine's name table given its name
-A (Adapter status) Lists the remote machine's name table given its
-P printer Name of the print queue
-C class Job classification for use on the burst page
-J job Job name to print on the burst page
-o option Indicates type of the file (by default assumes a text file) Use "-o l" for
binary (e.g. postscript) files
-x Compatibility with SunOS 4.1.x and prior
-d Send data file first



tracert
C:\Documents and Settings\Administrator>tracert
Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name
Options:
-d Do not resolve addresses to hostnames.
-h maximum_hops Maximum number of hops to search for target.
-j host-list Loose source route along host-list.
-w timeout Wait timeout milliseconds for each reply.

nslookup
C:\Documents and Settings\Administrator>nslookup
*** Default servers are not available
Default Server: UnKnown
Address: 127.0.0.1

route
C:\Documents and Settings\Administrator>route
Manipulates network routing tables.
ROUTE [-f] [-p] [command [destination] [MASK netmask] [gateway] [METRIC metric] [IF
interface]

-f Clears the routing tables of all gateway entries. If this is used in conjunction with
one of the commands, the tables are cleared prior to running the command.
-p When used with the ADD command, makes a route persistent across boots of
the system. By default, routes are not preserved when the system is restarted.
Ignored for all other commands, which always affect the appropriate persistent
routes. This option is not supported in Windows 95.

command One of these:
PRINT Prints a route
ADD Adds a route
DELETE Deletes a route
CHANGE Modifies an existing route
destination Specifies the host.
MASK Specifies that the next parameter is the 'netmask' value.
netmask Specifies a subnet mask value for this route entry.
If not specified, it defaults to 255.255.255.255.
gateway Specifies gateway.
interface the interface number for the specified route.
METRIC specifies the metric, ie. cost for the destination.
All symbolic names used for destination are looked up in the network database file NETWORKS.
The symbolic names for gateway are looked up in the host name database file HOSTS.
If the command is PRINT or DELETE, destination or gateway can be a wildcard (wildcard is
specified as a star '*'), or the gateway argument may be omitted. If Dest contains a * or ?, it
is treated as a shell pattern, and only matching destination routes are printed. The '*'
matches any string, and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, *224*.

Diagnostic Notes:
Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
The route addition failed: The specified mask parameter is invalid.
(Destination & Mask ) != Destination.
Examples:
> route PRINT
> route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
destination^ ^mask ^gateway metric^ ^ Interface^
If IF is not given, it tries to find the best interface for a given gateway.
> route PRINT
> route PRINT 157* .... Only prints those matching 157*
> route DELETE 157.0.0.0
> route PRINT
Lpq

C:\Documents and Settings\Administrator>lpq


Displays the state of a remote lpd queue.
Usage: lpq -Sserver -Pprinter [-l]
Options:
-S server Name or ipaddress of the host providing lpd service
-P printer Name of the print queue
-l verbose output

net session

C:\Documents and Settings\Administrator>net session


There are no entries in the list.

drivers
C:\Documents and Settings\Administrator>drivers
'drivers' is not recognized as an internal or external command, operable program or batch file.

nettime
C:\Documents and Settings\Administrator>nettime
'nettime' is not recognized as an internal or external command, operable program or batch file.

rsh
C:\Documents and Settings\Administrator>rsh
Runs commands on remote hosts running the RSH service.

RSH host [-l username] [-n] command


host Specifies the remote host on which to run command.
-l username Specifies the user name to use on the remote host. If omitted,
the logged on user name is used.
-n Redirects the input of RSH to NULL.
command Specifies the command to run.

chkdsk
C:\Documents and Settings\Administrator>chkdsk

The type of the file system is FAT32.


Volume HCL created 22/08/2002 5:53 PM
Volume Serial Number is 3A51-1906
Windows is verifying files and folders...
File and folder verification is complete.
Windows has checked the file system and found no problem.
39,058,992 KB total disk space.
1,287,888 KB in 734 hidden files.
53,440 KB in 3,223 folders.
22,328,464 KB in 67,626 files.
15,389,184 KB are available.
16,384 bytes in each allocation unit.
2,441,187 total allocation units on disk.
961,824 allocation units available on disk.

hostname
C:\Documents and Settings\Administrator>hostname
Amb

net account
C:\Documents and Settings\Administrator>net account
The syntax of this command is:
NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP
| HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |
SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

Exercise 2: Use arp command to find your Ethernet physical address.

C:\Documents and Settings\Administrator>arp


Displays and modifies the IP-to-Physical address translation tables used by address resolution
protocol (ARP).
ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr]

-a Displays current ARP entries by interrogating the current


protocol data. If inet_addr is specified, the IP and Physical
addresses for only the specified computer are displayed. If more than one
network interface uses ARP, entries for each ARP table are
displayed.
-g Same as -a.



inet_addr Specifies an internet address.
-N if_addr Displays the ARP entries for the network interface
Specified by if_addr.
-d Deletes the host specified by inet_addr. inet_addr may be
wildcarded with * to delete all hosts.
-s Adds the host and associates the Internet address inet_addr
with the Physical address eth_addr. The Physical address is
given as 6 hexadecimal bytes separated by hyphens. The entry
is permanent.
eth_addr Specifies a physical address.
if_addr If present, this specifies the Internet address of the interface
whose address translation table should be modified. If not
present, the first applicable interface will be used.
Example:
> arp -s 157.55.85.212 00-aa-00-62-c6-09 Adds a static .... entry.
> arp -a .... Displays the arp table.

Exercise 3: Modify the routing table using ipxroute

C:\Documents and Settings\Administrator>ipxroute


NWLink IPX Routing and Source Routing Control Program v2.00
Unable to open transport \Device\NwlnkIpx.

Exercise 4 :View tcp/ip settings


netsh>show mode tcp/ip
online

Exercise 5 : Configure interfaces:


netsh>set
The following commands are available:
Commands in this context:
set machine - Sets the current machine on which to operate.
set mode - Sets the current mode to online or offline.

netsh>set interface
The following command was not found: set interface.



netsh>set mode interface
'mode' is not an acceptable value for 'interface'.
The parameter is incorrect.
netsh>set mode

Usage: set mode [ mode= ] { online | offline }


Parameters: Tag Value
mode - One of the following values:
online: Commit changes immediately
offline: Delay commit until explicitly requested
Remarks:
Sets the current mode to online or offline.
netsh>set machine

Exercise 9 : Configure remote Access.


With Netsh.exe, you can easily configure your computer's IP address and other TCP/IP related
settings. For example, the following command configures the interface named Local Area
Connection with the static IP address 192.168.0.100, the subnet mask 255.255.255.0 and the
default gateway 192.168.0.1 (the trailing 1 is the gateway metric):
netsh interface ip set address name="Local Area Connection" static
192.168.0.100 255.255.255.0 192.168.0.1 1
Netsh.exe can also be useful in scenarios such as a portable computer that has to move between
two or more office locations while keeping a specific static IP address configuration at each.
With Netsh.exe, you can easily save and restore the appropriate network configuration.
First, connect your portable computer to location #1, and then manually configure the required
settings (such as the IP address, Subnet Mask, Default Gateway, DNS and WINS addresses).
Now, you need to export your current IP settings to a text file. Use the following command:
netsh -c interface dump > c:\location1.txt

When you reach location #2, do the same thing, only keep the new settings to a different file:
netsh -c interface dump > c:\location2.txt



You can go on with any other location you may need, but we'll keep it simple and only use 2
examples. Now, whenever you need to quickly import your IP settings and change them
between location #1 and location #2, just enter the following command in a Command Prompt
window (CMD.EXE):
netsh -f c:\location1.txt
or
netsh -f c:\location2.txt
and so on.
You can also use the global EXEC switch instead of -F:
netsh exec c:\location2.txt

Netsh.exe can also be used to configure your NIC to automatically obtain an IP address from a
DHCP server:
netsh interface ip set address "Local Area Connection" dhcp
Would you like to configure DNS and WINS addresses from the Command Prompt?
You can. See this example for DNS:
netsh interface ip set dns "Local Area Connection" static 192.168.0.200
and this one for WINS: netsh interface ip set wins "Local Area Connection" static
192.168.0.200
Or, if you want, you can configure your NIC to obtain its DNS settings dynamically:
netsh interface ip set dns "Local Area Connection" dhcp
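Before replaying a saved profile with netsh -f it is worth checking what it will set; the following added example (not part of the lab manual) parses the `set address`, `set dns` and `set wins` lines of such a dump and flags a gateway outside the interface's subnet or a resolver that is not on a site allowlist. The two dumps and the allowlist are constructed samples modelled on the dump format, not real captures.

```python
import ipaddress
import shlex

# Constructed sample of a saved location profile (the kind written by
# `netsh -c interface dump > c:\location1.txt`); only its `set ...` lines matter here.
LOCATION1_DUMP = r"""
# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip

set address name="Local Area Connection" source=static addr=192.168.0.100 mask=255.255.255.0
set address name="Local Area Connection" gateway=192.168.0.1 gwmetric=1
set dns name="Local Area Connection" source=static addr=192.168.0.200 register=PRIMARY
set wins name="Local Area Connection" source=static addr=192.168.0.200

popd
"""

# Second constructed profile with two faults a replayed dump should never carry:
# a gateway outside the interface's subnet and a resolver nobody at the site approved.
LOCATION2_DUMP = r"""
pushd interface ip
set address name="Local Area Connection" source=static addr=10.0.5.20 mask=255.255.255.0
set address name="Local Area Connection" gateway=10.0.9.1 gwmetric=1
set dns name="Local Area Connection" source=static addr=203.0.113.53 register=PRIMARY
popd
"""

TRUSTED_RESOLVERS = {"192.168.0.200", "10.0.5.2"}   # constructed site allowlist


def parse_dump(text):
    """Return {interface name: settings} from the `set address|dns|wins` lines of a dump."""
    interfaces = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue                      # comments, pushd/popd, blank lines
        tokens = shlex.split(line)        # keeps name="Local Area Connection" as one token
        verb = tokens[1]                  # address | dns | wins
        fields = dict(tok.split("=", 1) for tok in tokens[2:] if "=" in tok)
        iface = interfaces.setdefault(fields.pop("name", "?"), {"dns": [], "wins": []})
        if verb == "address" and "gateway" in fields:
            iface["gateway"] = fields["gateway"]
        elif verb == "address":
            iface.update(source=fields.get("source"), addr=fields.get("addr"),
                         mask=fields.get("mask"))
        elif verb in ("dns", "wins") and "addr" in fields:
            iface[verb].append(fields["addr"])
    return interfaces


def audit_interface(cfg, trusted_resolvers):
    """List the problems in one interface's static settings (empty list = clean)."""
    problems = []
    if cfg.get("source") != "static":
        return problems                   # DHCP profile: nothing static to validate
    try:
        host = ipaddress.IPv4Address(cfg["addr"])
        net = ipaddress.IPv4Network((cfg["addr"], cfg["mask"]), strict=False)
    except (KeyError, ValueError) as exc:
        return [f"unparseable address/mask: {exc}"]
    if host in (net.network_address, net.broadcast_address):
        problems.append(f"{host} is the network or broadcast address of {net}")
    gateway = cfg.get("gateway")
    if gateway and ipaddress.IPv4Address(gateway) not in net:
        problems.append(f"gateway {gateway} is not inside {net}")
    for kind in ("dns", "wins"):
        for server in cfg[kind]:
            if server not in trusted_resolvers:
                problems.append(f"{kind} server {server} is not an approved resolver")
    return problems


def audit_dump(text, trusted_resolvers=frozenset(TRUSTED_RESOLVERS)):
    """Map each interface in a dump to its list of problems."""
    return {name: audit_interface(cfg, trusted_resolvers)
            for name, cfg in parse_dump(text).items()}


if __name__ == "__main__":
    for label, dump in (("location1", LOCATION1_DUMP), ("location2", LOCATION2_DUMP)):
        for name, problems in audit_dump(dump).items():
            print(f"{label} / {name}: {problems or 'OK'}")
```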

Exercise 10: Use the winchat command to communicate with a friend sitting at a different
Windows 2000 machine.

Answer:
To Make a Chat Call
1. On the conversation menu, click Dial
2. Click the computer name, or type the computer name, for the person with whom you
want to chat, and then click OK
3. When the person with whom you want to chat answers the call, begin typing in the Chat
window. You cannot begin typing until the person you are calling answers.
4. If the person you are calling does not answer, or you want to end the call, click Hang Up
on the Conversation menu.



To Answer a Call
To answer a call, click Chat , which appears on the taskbar when someone uses Chat to call
your computer. Or, if your Chat window is already open, click Answer on the Conversation
menu. Note that you must have Chat running or have the Network DDE service started to
answer a call. To start the Network DDE service:

1. Click Start, click Control Panel, click Performance and Maintenance, and then click
Administrative Tools.
2. Double-click Computer Management, double-click Services and Applications, and then
double-click Services. In the Details pane, click Network DDE.
3. On the Action menu, click Start.

To have the Network DDE service start automatically every time you start your computer:

1. Click Start, click Control Panel, click Performance and Maintenance, and then click
Administrative Tools
2. Double-click Computer Management, double-click Services and Applications, and
then double-click Services
3. In the Details pane, click Network DDE
4. On the Action menu, click Properties.
5. On the General tab, in Startup type, select Automatic, and then click OK.

To Hang Up
To end a call, click Hang Up on the Conversation menu. If the person with whom you are
chatting hangs up before you do, a message appears in the status bar. If you quit Chat, hang-
up occurs automatically.

To Turn Sound On or Off


To turn sound on or off, click Sound on the Options menu.
If your computer has a sound card, you can change the sound for incoming and outgoing rings.
To do so, double-click Sounds and Audio Devices in Control Panel. For more information,
click the Help menu in Control Panel.

To Change the Background Color


To change the background color for the Chat window:
1. On the Options menu, click Background Color .
2. Under Basic colors , click the color you want, and then click OK
The color you choose is mapped to the nearest solid color. By default, the pane that displays
your chat partner's conversation uses the background color and font that your chat
partner has selected.

You can view your chat partner's conversation with the same background color and font that
you are using by clicking Preferences on the Options menu, and then clicking Use Own Font.

To Change the Font
1. On the Options menu, click Font
2. In the Font dialog box, click the options you want.

By default, the pane that displays your chat partner's conversation uses the background color
and font that your chat partner has selected. You can view your chat partner's conversation with
the same background color and font that you are using by clicking Preferences on the Options
menu, and then clicking Use Own Font.

To Change Window Preferences
1. On the Options menu, click Preferences .
2. Under Window Style click the layout you prefer.
3. Under Partner's Message, click the option you want



Session 2: Linux/Unix Operating Systems

Exercise 1: First try to execute the following commands on your operating system and write
down the results and use of each command.

man
Step 1 :

Step 2 :

man {section}name
Shows the full manual page entry for "name". Without a section number, "man" may give you
any or all man pages for that "name". For example, "man write" will give you the manual pages
for the write command, and "man 2 write" will give you the system call for "write" ( usually from
the C or Pascal programming language ).

pwd
Step 1 :



Step 2 :

pwd
Shows current working directory path.

ls
Step 1 :

Step 2:

ls {directory}
Shows directory listing. If no "directory" is specified, "ls" prints the names of the files in the
current directory.

ls –a



ls -a: List entries starting with "."
ls –al

ls –al | more
Step 1 :

Step 2 :

cd

cd {dirname}
Change current directory. Without a "dirname", it will return you to your home directory.
Otherwise, it takes you to the directory named. "cd /" will take you to the root directory.

cd ..



cd -

chmod

cat passwd

Exercise 2:Try to explore the file system, write what is there in /bin, /usr/bin,
/sbin, /tmp and /boot. Find and list the devices that are available in your system.

/bin



/usr/bin

/tmp

/sbin



/boot

Exercise 3: Make your own subdirectories called uni and linu in your home
directory, Made? Ok, now delete the subdirectory called uni.

Exercise 4: Create a file called ignou.txt that contains the words “hello I am
student of IGNOU”. Now copy this file and paste to other directory. Copied? Can
you move the file also from one directory to another?



Exercise 5: In the previous question you have a file ignou.txt; change its
permission to rwxrwxr-x. You can try different possibilities to changes in its
permissions. One possibility may be rwxr-xr-x permissions. Find out what are the
different commands available that can be used to change the permissions of a
file/files.

chmod To change permission of file/directory.


Permissions
+r : Grant read permission
+w : Grant write permission
+x : Grant execute permission
-r : Revoke read permission
-w : Revoke write permission
-x : Revoke execute permission
User Permission
u : User/owner
g : Group
o : Others
a : All (User, Group and Others)
Octal Permission
0 : ___
1 : __x
2 : _w_
3 : _wx
4 : r__
5 : r_x
6 : rw_
7 : rwx
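Exercise 5's symbolic-to-octal mapping worked through in code, as an added example that is not part of the lab manual: it converts strings such as rwxrwxr-x to the mode bits in the table above, applies them to a constructed ignou.txt and reads the result back, and shows which of the two suggested permissions leaves the file writable by the group or others. Python's os.chmod stands in for the chmod command.

```python
import os
import stat
import tempfile


def symbolic_to_mode(sym):
    """'rwxrwxr-x' -> 0o775: each triple maps r, w, x to 4, 2, 1 as in the octal table."""
    if len(sym) != 9:
        raise ValueError(f"expected 9 characters, got {sym!r}")
    mode = 0
    for i, ch in enumerate(sym):
        expected = "rwx"[i % 3]          # position decides which letter is allowed
        if ch == expected:
            mode |= 1 << (8 - i)         # leftmost character is the 0o400 bit
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i} in {sym!r}")
    return mode


def mode_to_symbolic(mode):
    """0o755 -> 'rwxr-xr-x' (inverse of symbolic_to_mode; lower nine bits only)."""
    return "".join("rwx"[i % 3] if mode & (1 << (8 - i)) else "-" for i in range(9))


def mode_to_octal(mode):
    """0o775 -> '775', the form the chmod command takes."""
    return format(mode & 0o777, "03o")


def chmod_equivalents(sym):
    """Two chmod spellings that set the same mode, e.g. 'chmod 755 ignou.txt'."""
    octal = mode_to_octal(symbolic_to_mode(sym))
    classes = ",".join(f"{who}={sym[i:i + 3].replace('-', '')}"
                       for who, i in zip("ugo", (0, 3, 6)))
    return f"chmod {octal} ignou.txt", f"chmod {classes} ignou.txt"


def writable_by_others(sym):
    """True when the group or 'others' triple grants write (rwxrwxr-x does, rwxr-xr-x does not)."""
    return sym[4] == "w" or sym[7] == "w"


def apply_and_verify(path, sym):
    """chmod the file to sym and return the permission string the kernel reports back."""
    os.chmod(path, symbolic_to_mode(sym))
    return stat.filemode(os.stat(path).st_mode)[1:]   # drop the leading file-type character


def demo():
    """Constructed ignou.txt: {requested: (mode read back, writable by group/others)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ignou.txt")
        with open(path, "w") as fh:
            fh.write("hello I am student of IGNOU\n")
        for sym in ("rwxrwxr-x", "rwxr-xr-x"):       # the two possibilities in Exercise 5
            results[sym] = (apply_and_verify(path, sym), writable_by_others(sym))
    return results


if __name__ == "__main__":
    for sym, (seen, loose) in demo().items():
        print(sym, "->", mode_to_octal(symbolic_to_mode(sym)), "read back:", seen,
              "group/others can write" if loose else "only the owner can write")
```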

Exercise 6: Display the names of all files in the home directory using find. Can
you display the names of all files in the home directory that are bigger than
500KB.



Exercise 7: Display a sorted list of all files in the home directory that contain the
word ignou inside them. Hint: Use find and grep and sort. Can you use locate to
find all filenames that contain the word ignou?

Exercise 8: Use egrep to try to find out which lines in an ignou.txt file are
satisfied by the regular expression given: (^[0-9]{1,5}[a-zA-z]+$)|none and check
the result with different combinations of lines.

Exercise 9: Change your password and write down restrictions for given
password.

Exercise 10: Open ignou.txt using vi editor, go to the end of the file and type in
the following paragraph:
In 1971 Bell Labs releases the first Unix operating system. Then 1985 Richard Stallman
releases his GNU (“GNU is not Unix”) Manifesto thus starting the open sourci revolution. He
wanted to creat an open-source version of Unix Unix. Stallman’s Free Software Foundation
eventually created the GNU General Public License (GPL) which is basically an anti-copyright
also referred to as a
Now correct the spelling errors in the first three lines and remove the extra "Unix" in the 3rd line
of the paragraph. Add the word "copyleft" to the end of the paragraph. Replace the string
"GNU is not Unix" with the string "Unix is not a GNU". Save the file and quit. Repeat the same
exercise in emacs also. Write down the difference between the two editors, and also write which
one you find easier and why.
Difference:-
• Vi was designed to write programs while emacs was designed to write text
• Vi is much smaller and loads much faster compared to emacs
• Emacs is modeless while vi works in different modes
• Vi has fewer features, while various plugins are available for emacs
• Vi is designed for unix while emacs works on every OS.



Session 3: LINUX / UNIX OPERATING SYSTEM

Exercise 1 : Find the files in your home directory whose names start with the character 's' and
redirect the output into a file redirecting.txt; if you receive an error message when executing
the command, redirect it into error.exe.

# Names starting with 's' are appended to redirecting.txt, error messages to error.txt
if find ~ -name 's*' >> redirecting.txt 2>> error.txt
then
    echo "matching file names written to redirecting.txt"
else
    echo "find reported errors; see error.txt"
fi

Exercise 2 : Execute sleep 25 in the foreground, suspend it with Ctrl-z and then put it into the
background with bg. Show all processes running in the background, and bring any process back
into the foreground with fg. Repeat the same exercise using kill to terminate the process and &
for sending it into the background.

sleep 25
Ctrl-Z          # suspends the job; the shell prints its job number, e.g. [1]
bg              # resumes the suspended job in the background
jobs            # lists background jobs; ps shows their PIDs
fg %1           # brings job 1 back to the foreground

sleep 25 &      # & starts the command directly in the background
ps              # find the PID of the sleep process (4052 below)
kill 4052       # terminates it with the default signal; kill -l lists the others
ps              # confirm the process is gone

Exercise 3 : Combine the commands cat nonexistent and echo helloIGNOU using
suitable operators. Now reverse the order of the commands and try.

cat nonexistent && echo "helloIGNOU"    # && runs echo only if cat succeeds, so nothing is echoed
cat nonexistent || echo "helloIGNOU"    # || runs echo only when cat fails
echo "helloIGNOU" && cat nonexistent    # reversed order: echo runs, then cat reports the missing file

Exercise 4 : Write a shell script which returns the PID of a process and accept the
name of process

#!/bin/sh
# getpid.sh: print the PID(s) of the process whose name is given as the first argument
ps -ef | grep "$1" | grep -v grep | awk '{print $2}'

eg:-
./getpid.sh firefox

Exercise 5 : Use ping to find the round-trip delay to www.ignou.ac.in.

ping -c 4 www.ignou.ac.in    # the time= field of each reply is the round-trip delay



Exercise 6 : Send a message to all users which are online. Make provision so that
you can send messages to other users but others cannot. Use talk to send
messages.

who               # lists the users currently online
mesg n            # stops other users' talk/write requests from reaching your terminal
talk username     # starts a talk session with one user

Exercise 7 : Print a file ignou.txt and then send multiple files to a printer. Write
the command you will execute to remove any file from print queue.

lpr ignou.txt
lpr abc.txt

lpq shows jobs in printer queue along with job no.


To remove job
lprm 10

Exercise 8 : Send a mail to yourself, and include ignou.txt inside the mail. Read
the mail you have sent to yourself. Save the piece of message and file into
somefolder. Reply to yourself.

Mail root(user 1) ->


Mail amb(user 2)

Exercise 9 : Use telnet and ftp to get connected with other remote machine. Write
the problems you encounter during connection with remote machine.

1. Install a telnet program (client) on your computer. HyperTerminal, included with
Windows, will perform many telnet operations. You can also locate an array of freeware,
shareware or commercial telnet clients from various software Web sites.
2. Open your telnet program.
3. Enter the telnet address in the address box. Click OK.
4. Enter your login ID. If you have been given special permission, your host will have
provided you with a login ID. If it is an anonymous site, you may be able to log in as
"guest" or by using your e-mail address.
5. Once you are logged in, the procedure varies depending on how the host has been set
up.

Exercise 10 : Use the ls command and grep to display all names starting with “s”.

ls | grep '^s'    # ^s anchors the match to names that begin with s



Session 3: Linux / Unix Operating System
Exercise 1: Find the files (with full path) in your home directory those name are
starting with the character ‘s’ and redirect the output into a file redirecting.txt and
if you receive any error message on execution of the command redirect into
errors.txt.
Ans : 1

Exercise 2: Execute sleep 25 in the foreground, suspend it with Ctrl-z and then
put it into the background with bg. show all process running in background,
bring any process back into the foreground with fg. Repeat the same exercise
using kill to terminate the process and use & for sending into background. (You
need to see different options of the kill command)
Ans:2



Exercise 3: Write a shell script, which returns the PID of a process and accept the
name of the process.
a=$(ps -e | grep init)
echo $a | cut -f1 -d " "    # unquoted $a collapses the leading spaces, so field 1 is the PID

Ans 3:

Exercise 4: Use ping to find the round-trip delay to www.ignou.ac.in



ping www.ignou.ac.in



Exercise 5: Send a message to all users which are online. Make provision so that
you can send messages to other users but others cannot. Use talk to send
messages.
Answer : mesg n

Exercise 6: Send a mail to yourself, and include ignou.txt inside the mail. Read
the mail you have sent to yourself. Save the piece of message and file into some
folder. Reply to yourself.

Answer : Mail root(user 1) ->


Mail amb(user 2)
Ans: 6

Exercise 7: Print a file ignou.txt, and then send multiple files to printer. Write the
command you will execute to remove any file from print queue.

Ans: lpr ignou.txt



Exercise 8: Use the ls command and grep to display all names starting with "s".

Ans : 8

Exercise 9: Use telnet and ftp to connected with other remote machine. Write the
problems you encounter during connection with remote machine.
Ans: 9



Session 4: SYSTEM ADMINISTRATOR USING UNIX & LINUX

Exercise 1: Use finger or who to get a list of users on the machine.

who -a          Lists all the users logged in to the system

finger -l       Lists all the logged-in users with detailed information

Exercise 2: Add different users,set their passwords and define permissions.


Check whether you are able to change the passwords of all users or not.

useradd user1            This will add a user named user1

useradd user2            This will add a user named user2
passwd user1             This will ask for a new password for user1
usermod -g root user1    This will make root the primary group of user1

Only super user can change password and permissions of other users on linux system.

Exercise 3: Delete the user, which just now you have added.

userdel user2    This will delete user2 from the user list

Exercise 4: Set the execution time of two jobs so that it can run automatically
tomorrow, one at 11:oo p.m. After this setting, how can you change the time of
execution of job?

crontab -e    This will open your crontab in the vi editor; editing the time fields of an entry
changes when the scheduled job runs

0 11 * * * /path/to/job1    Entry edited to run the job at 11:00 a.m. (command path is a placeholder)
0 15 * * * /path/to/job2    Entry edited to run the job at 3:00 p.m.



Exercise 5: Try to access your account available at a remote machine. Download
some file from that machine to your machine.

ssh 192.168.0.254    This will log you in to the system with IP 192.168.0.254. The condition is
that the sshd service must be running on that system. The command asks for that user's
password on the remote system (the super-user password if you log in as root) and, once it
is accepted, gives you a command prompt on that system.

scp /tmp/jeet.txt 192.168.0.11:/home/jeet/tmp/jeetnew.txt
This will copy /tmp/jeet.txt to /home/jeet/tmp/jeetnew.txt on the machine whose IP is
192.168.0.11; swapping the two arguments downloads a file from that machine instead.

Exercise 6: Create a cron job that sends you a message after every 5 minutes.

crontab -e                    This will open the crontab so the job can be added

*/5 * * * * echo "Testing"    This entry runs every 5 minutes; cron mails the command's output to you

Exercise 7: Restart any system daemon like the web server httpd.

service httpd restart    This will restart the httpd service

Exercise 8: Write a message to inform all user “they should shut down their
machine after completing the lab exercise”

wall "they should shut down their machine after completing the lab exercise"

Exercise 9: Monitor the log time of users using xargs.

who /var/adm/wtmpx | xargs



Exercise 10: Eliminate file names from all users' home directories containing bad
characters and whitespace.

1 #!/bin/bash
2
3 # Delete filenames in current directory containing bad characters.
4
5 for filename in *
6 do
7 badname=’echo “$filename” | sed –n /[\+\{\;\”\\\=\?~\(\)\<\>\&\*\|\$]/p’
8 # Files containing those nasties: +{ ; “ \ = ? ~ () < > & * | $
9 rm $badname 2>/dev/null #So error messages deep-sixed.
10 done
11
12 # Now, take care of files containing all manner of whitespace.
13 find. –name “* *” –exec rm –f {} \;
14 # The path name of the file that “find” finds replkaces the “{}”.
15 # The ‘\’ ensures that the ‘;’ is interpreted literally, as end of command.
16
17 exit 0
18
19 #---------------------------------------------------------------------------
20 #Commands below this will not execute because of “exit” command.
21
22 # An alternative to the above script:
23 find . –name ‘*[+{;”\\=?~()<>& ]*’ -exec rm -f ‘{}’ \;
24 exit 0
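The same cleanup for every home directory at once, as an added Python example (it is not the lab manual's script). It walks a root such as /home without following symlinked directories, lists what it would delete before deleting anything, and never hands the names to a shell, so a file called -rf or one containing a newline cannot alter the command. The sample tree it builds under a temporary directory, and the user name jeet in it, are constructed for the demonstration.

```python
"""Remove file names containing shell-unsafe characters or whitespace.

Added example for Exercise 10, not the lab manual's own script.  Scans a
root directory (e.g. /home) recursively, so all users' home directories are
covered in one run; defaults to a dry run so the list can be checked first.
"""
import os
import tempfile
from pathlib import Path

# The characters the lab script treats as "nasties"; whitespace is checked separately.
BAD_CHARS = set('+{;"\\=?~()<>&*|$')


def has_bad_name(name: str) -> bool:
    """True if the file name contains a bad character or any whitespace."""
    return any(c in BAD_CHARS or c.isspace() for c in name)


def find_bad_names(root):
    """Yield Path objects of files (and symlinks) under root whose names are bad.

    os.walk does not follow symlinked directories, so a link planted in a home
    directory cannot steer the scan outside root.  Directories with bad names
    are left alone, as the original rm (without -r) would leave them.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if has_bad_name(name):
                yield Path(dirpath, name)


def remove_bad_names(root, dry_run=True):
    """Delete (or, by default, only list) bad names; returns how many matched.

    The path goes straight to unlink, never through a shell, so the quoting
    problem of an unquoted rm $badname in the bash version cannot arise.
    """
    count = 0
    for path in find_bad_names(root):
        count += 1
        if dry_run:
            print(f"would remove: {str(path)!r}")
        else:
            path.unlink()
    return count


def names_under(root):
    """Sorted names of all files below root (for checking results)."""
    return sorted(n for _d, _s, files in os.walk(root) for n in files)


def make_sample_dir() -> str:
    """Build a constructed stand-in for /home with one user and mixed names."""
    root = tempfile.mkdtemp(prefix="homes-")
    user = Path(root, "jeet")  # hypothetical user, as in the scp example above
    user.mkdir()
    for name in ("good.txt", "notes_2012.log", "bad;name", "has space.txt", "a|b", "$HOME"):
        (user / name).write_text("sample")
    return root


if __name__ == "__main__":
    home = make_sample_dir()
    print("before:", names_under(home))
    remove_bad_names(home, dry_run=True)    # review the list first
    remove_bad_names(home, dry_run=False)   # then delete
    print("after: ", names_under(home))
```

Run it as python3 cleanup.py to see the dry run over the constructed tree; for the real exercise call remove_bad_names("/home") as root, and keep dry_run=True until the listing looks right.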

Session 5 : INTRODUCTION TO NETWORKING

Exercise 1: Different System Tools And Administrative Tools

Computer Management

Use Computer Management to manage local or remote computers using a single, consolidated
desktop tool. It combines several Windows 2000 administration utilities into a single console
tree, providing easy access to a specific computer's administrative properties and tools. Use
Computer Management to:
 Monitor system events such as logon times and application errors.
 Create and manage shares.
 View a list of users connected to a local or remote computer.
 Start and stop system services such as the Task Scheduler and the Spooler.
 Set properties for storage devices.
 View device configurations and add new device drivers.
 Manage server applications and services such as the Domain Name System (DNS) service or
the Dynamic Host Configuration Protocol (DHCP) service.

Local Security Settings

The Security Settings node allows a security administrator to configure the security levels assigned
to a Group Policy object or to the local computer policy. This can be done after or instead of importing
or applying a security template.

Event Viewer
Using the event logs in Event Viewer, you can gather information about hardware, software,
and system problems and monitor Windows 2000 security events. Windows 2000 records
events in three kinds of logs:

The application log
The application log contains events logged by applications or programs. For example, a
database program might record a file error in the application log. The developer decides which
events to record.
The system log
The system log contains events logged by the Windows 2000 system components. For
example, the failure of a driver or other system component to load during startup is recorded in
the system log. The event types logged by system components are predetermined.
The security log
The security log can record security events such as valid and invalid logon attempts, as well as
events related to resource use, such as creating, opening, or deleting files. An administrator can
specify what events are recorded in the security log. For example, if you have enabled logon
auditing, attempts to log on to the system are recorded in the security log.

Services
Using Services, you can start, stop, pause, or resume services on remote and local computers,
and configure startup and recovery options. You can also enable or disable services for a
particular hardware profile.

With Services, you can:


 Manage services on local and remote computers, including remote
computers running Windows NT 4.0.
 Set up recovery actions to take place if a service fails, such as
restarting the service automatically or restarting the computer (on
computers running Windows 2000 only).
 Create custom names and descriptions for services so that you can
easily identify them (on computers running Windows 2000 only).

Backup
The Backup utility helps you protect data from accidental loss due to hardware or storage media
failure. For example, using Backup you can create a duplicate copy of the data on your hard disk
by backing up the data to another storage device such as a hard disk or a tape. In the event
that the original data on your hard disk is accidentally erased or overwritten, or becomes
inaccessible because of a hard disk malfunction, you can easily restore the data from the
backed up copy.
Using Backup, you can:
 Back up selected files and folders on your hard disk.
 Restore the backed up files and folders to your hard disk or any other disk you can access.
 Create an Emergency Repair Disk (ERD), which will help you repair system files in the event
they get corrupted or are accidentally erased.
 Make a copy of any Remote Storage data and any data stored in mounted drives.
 Make a copy of your computer's System State, which includes such things as the registry, the
boot files, and the system files.
 Back up services on servers and domain controllers, including such things as the Active
Directory service database, the Certificate Services database, and the File Replication service
SYSVOL directory.
 Schedule regular backups to keep your backed up data up to date.

You can use Backup to back up and restore data on either FAT or NTFS volumes. However, if
you have backed up data from an NTFS volume used in Windows 2000, it is recommended that
you restore the data to an NTFS volume used in Windows 2000, or you could lose data as well
as some file and folder features. For example, permissions, encrypting file system (EFS)
settings, disk quota information, mounted drive information, and Remote Storage information
will be lost if you back up data from an NTFS volume used in Windows 2000 and then restore it
to a FAT volume or an NTFS volume used in Windows NT 4.0.

Disk Defragmenter
Disk Defragmenter locates fragmented files and folders on local volumes. A fragmented file or
folder is split up into many pieces and scattered over a volume. When a volume contains a lot of
fragmented files and folders, Windows takes longer to gain access to them because it requires
several additional disk drive reads to collect the various pieces. Creating new files and folders
also takes longer because the free space available on the volume is scattered. Windows must
then save new files and folders to various locations on the volume.

Disk Defragmenter moves the pieces of each file or folder to one location on the volume, so that
each occupies a single, contiguous space on the disk drive. As a result, your system can gain
access to your files and folders and save new ones more efficiently. By consolidating your files
and folders, Disk Defragmenter also consolidates your free space, making it less likely that new
files will be fragmented. The process of finding and consolidating fragmented files and folders is
called defragmentation. The amount of time that defragmentation takes depends on several
factors, including the size of the volume, the number of files on the volume, the amount of
fragmentation, and the available local system resources. You can find all of the fragmented files
and folders before defragmenting them by analyzing the volume first. You can see how many
fragmented files and folders are saved on the volume and then decide whether or not you would
benefit from defragmenting the volume. Disk Defragmenter can defragment FAT, FAT32, and
NTFS formatted volumes.

System Information
System Information collects and displays your system configuration information. Support
technicians require specific information about your computer when they are troubleshooting
your configuration. You can use System Information to quickly find the data they need to
resolve your system problem.

System Information displays a comprehensive view of your hardware, system components, and
software environment. The displayed system information is organized into a system summary
and three top-level categories that correspond to the Resources, Components, and Software
Environment nodes on the console tree.
 The System Summary node displays general information about your computer and the
version of the Windows 2000 operating system installed. This summary includes the name and
type of your system, the name of your Windows system directory, regional options, and
statistics about physical and virtual memory.
 The Hardware Resources node displays hardware-specific settings, namely DMA, IRQs, I/O
addresses, and memory addresses. The Conflicts/Sharing node identifies devices that are
sharing resources or are in conflict. This can help identify problems with a device.
 The Components node displays information about your Windows configuration and is used
to determine the status of your device drivers, networking, and multimedia software. In addition,
there is a comprehensive driver history, which shows changes made to your components over
time.
 The Software Environment node displays a snapshot of the software loaded in computer
memory. This information can be used to see if a process is still running or to check version
information.
Other applications may add nodes to System Information that display information specific to the
application.

 You can use the View menu to switch between the display of Basic and Advanced
information. The Advanced view shows all of the information in the Basic view plus additional
information that may be of interest to the more advanced user or to Microsoft Product Support
Services.

Exercise 2 : ADD DIFFERENT USERS AND GROUPS. ALSO CONFIGURE THEIR
PERMISSIONS.

(1) Open the Start menu, select Settings and click Control Panel.

(2) Double-click Users and Passwords.

(3) In the dialog box click the Users tab and make sure the "Users must enter a user
name and password to use this computer" check box is selected.

(4) To add a new user, click the Add button and follow the prompts to name the
account, establish its access level and set its password.

(5) To set or reset a password, select the account and click the Set Password button.

(6) To change access privileges, select an account and click Properties. From the
resulting dialog box you can alter the access privileges (group membership) for the
account.

EXERCISE 3: INSTALL AND CONFIGURE A LOCAL PRINTER

(1) Go to Start menu > Settings > Printers and Faxes.

(2) Double-click the Add a Printer option in the Printers and Faxes folder.

(3) Click the Next button on the Welcome screen of the Add Printer Wizard.

(4) Select Local printer and click Next on the Local or Network Printer page.

(5) Select a port from the drop-down menu and click the Next button.

(6) Select the manufacturer and printer and click the Next button.

(7) Specify a name for the printer and whether to use it as the default printer,
then click Next.

(8) Specify the settings for sharing the printer on the network (or choose not to
share it) and click the Next button.

(9) Specify the location and a comment for the printer and click the Next button.

(10) Specify whether or not to print a test page and click Next.

(11) Click the Finish button.

Exercise 4 : Windows 2000 Active Directory and Domain controller.


The Active Directory (AD) of Windows 2000 Server and Windows Server
2003 basically manages all the information that is relevant to the network's
operation. This includes connections, applications, databases, printers,
users and groups. Microsoft's text describes it concisely: Active Directory
provides a standard way to name, describe, locate, manage, secure and
access these resources.
To start the Active Directory installation, run dcpromo.

The dcpromo command is used to raise the level of the server to become an
Active Directory controller. The process takes approximately ten minutes and
is described briefly in the following.

We assume that there are no other servers in your network and therefore
want a controller for a new Active Directory infrastructure (a new domain).

Afterwards, we define whether the new AD domain is to be integrated into an existing
system (an existing forest) or forms a new forest of its own.

Active Directory uses its own database system in order to manage the
described information efficiently. If your environment could grow
quickly and the server could take on additional tasks, the database as well
as the log files should be moved out to a separate hard disk in order to
keep system performance as high as possible.

The SYSVOL folder is another specialty of the Active Directory because its
contents are replicated to all the Active Directory controllers in a domain.
This includes logon scripts, group policies and other things that must be
available on the other servers as well. The location of this folder can of course be changed
according to need.

If no DNS server is running, dcpromo offers to install the DNS Server service, which Active
Directory requires. After creating the Forward Lookup zone for the domain, we have to create the
Reverse Lookup zone for the subnet as well.

Exercise 5 : Create a Hierarchical Directory Tree

A directory tree is a hierarchical representation of the folders, files, disk drives, and other
resources connected to a computer or network. For example, Windows Explorer
uses a tree view to display the resources that are attached to a computer or a network.
To create one, make nested folders with Windows Explorer (File > New > Folder inside
each level) or from the command prompt, e.g. md c:\lab\session5\ex5, which creates the
intermediate folders as well.

Exercise 6 : Share and Share Permissions.

Create a folder test under the c:\temp directory, right-click it, choose Sharing, share it
and set its share permissions as required (the screenshot of the permissions used is not
reproduced here).

Exercise 7: Install and Configure TCP/IP

Take Properties of Local Area Connection, then Properties of Internet Protocol (TCP/IP).

Exercise 8 : Install a caching DNS server and find out how it reduces the network
traffic

A caching-only DNS server hosts no zones of its own; it resolves (or forwards) the clients'
queries and keeps every answer in its cache for the lifetime of the record's TTL, so repeated
lookups of the same names are answered locally and never cross the link to the upstream or
authoritative servers. Install the DNS Server component (Add/Remove Programs > Windows
Components > Networking Services), create no zones, point the clients at it, and compare
the query traffic seen on the uplink before and after.

Windows 2000 authentication is implemented in two steps: an interactive logon process and a
network authentication process. Typically, the same set of credentials is used by the interactive
logon process and the network authentication process. If your credentials differ, you are
prompted to provide Windows domain credentials each time you access a network resource.
You can avoid this by logging on to your computer using your Windows domain name, your
Windows domain user name, and Windows domain password before you try to connect to a
network resource. If you log on without being connected to the network, Windows 2000
recognizes the information from a previous successful logon. You receive the message
"Windows cannot connect to a server to confirm your logon settings. You have been logged on
using previously stored account information." When you connect to your network, the cached
credentials are passed to your Windows 2000 domain and you are able to access network
resources without having to provide a password again. Limiting the number of protocols on your
computer enhances network performance and reduces network traffic.

Exercise 9 : Configure a DNS Server as a root name server.

A DNS server that hosts the root zone (".") is the top of the name space for the clients that
use it and answers only for the names it is authoritative for; it cannot forward, and Windows
2000 DNS greys out the Forwarders and Root Hints tabs while a root zone exists. That is the
right setup for an isolated lab network. If the server should instead resolve Internet names,
the root zone must be deleted and a valid set of root hints restored, as follows.

If you originally set up a DNS server for internal queries only, it's possible that the root hints in
your server are empty or that someone has modified them to point to internal servers. If you now
want the DNS server to resolve queries for external hosts, it's important to ensure that the server
has a valid set of root hints.
To configure root hints for the server, follow these steps:
1. Ensure that you've configured the server to use an upstream DNS server capable of
resolving external hosts.
2. Open the DNS console from the Administrative Tools folder.
3. In the left pane, right-click the server in question, and choose Properties.
4. On the Root Hints tab, select the first server in the Name Servers list, and click Edit.
5. Click Resolve to resolve the host name to its IP address, and click OK. You can also
manually enter the IP address for the target server.
6. Repeat the process for the remaining root servers, and add others if necessary.
7. When you've finished, close all dialog boxes.

Exercise 10 : Implement delegated zones for a Domain Name server

(In the Macintosh environment, a zone is a logical grouping that simplifies browsing the network
for resources, such as servers and printers. It is similar to a domain in Windows 2000 Server
networking. That meaning is unrelated to DNS zones.)

In a DNS (Domain Name System) database, a zone is a subtree of the DNS database that is
administered as a single separate entity by a DNS server. This administrative unit can consist of a
single domain or a domain with subdomains. A DNS zone administrator sets up one or more
name servers for the zone. Delegating a zone means handing a subdomain (for example
lab.example.com under example.com) to its own set of name servers: the parent zone keeps only
NS records naming those servers, plus A (glue) records for them if they lie inside the delegated
subdomain, and the child zone holds the rest of the data. In the Windows 2000 DNS console this
is done by right-clicking the parent zone and choosing New Delegation.

Session 6 : Windows 2000 : Server Management

Exercise 1: Install and Configure Windows 2000 Client

Solution :

This step-by-step Windows 2000 Professional installation (W2k Pro installation) is
designed to guide the user with screenshots (the screen captures were taken from the
installation process of the Windows 2000 Professional operating system and are not
reproduced here).

You can use this step-by-step guide to install or set up Windows 2000 Professional
on an i386 machine, but you must make the appropriate adjustments to suit your
system configuration and network configuration for your machine and network
environment. Some parts of this installation process may require you to
consult your system administrator.

Objective:

1. Install Windows 2000 Professional on an Intel-based machine (i386 PC).

Tools and Equipment:

1. Operating System manual.
2. Windows 2000 Professional operating system installation CD.
3. A complete Personal Computer (PC).

Safety:

1. Follow Standard Operating Procedure (SOP).
2. Make the necessary backup of your system (in case something goes wrong).
3. Make sure that you have the right tools while working on this installation project.
4. Prepare the necessary documentation for reference when needed.

Knowledge and ability:

Upon completion of this Windows 2000 installation project, you will be able to:
1. Install a new operating system on your personal computer (PC).
2. Make a new partition on the hard drive.
3. Format the partition using the NTFS file system.
4. Configure the Windows 2000 Professional operating system on a personal
computer (PC).

Steps :

1. Set your computer to boot from the CD-ROM drive by changing the Boot Sequence
setting in the computer's BIOS.

2. Insert the Windows 2000 Professional installation CD into the CD-ROM drive and
reboot the computer so that it boots from the installation CD.

3. After the computer boots from the installation CD-ROM, Windows 2000 Setup
starts checking the system configuration and loading driver files.

4. The Windows 2000 Professional Setup screen then displays Welcome to Setup.
Press [ENTER] to set up Windows 2000, press [R] to repair an existing Windows
2000 installation, or press [F3] to quit the installation process now.

Press [ENTER] to proceed with the installation process.

5. Windows 2000 Professional Setup detects that the hard disk is new or has been
erased, or that your computer is running an operating system that is incompatible with
Windows 2000.

NOTE: Make sure that your hard disk is new or does not contain any data you need, because
the installation will destroy all data on the disk.
* Best practice: make a backup before upgrading or installing new software on the
system. *

Press [C] to proceed with the setup process.

6. Windows 2000 Licensing Agreement screen. Read the licensing agreement
carefully, using the [Page Down] and [Page Up] keys to scroll through the licensing
agreement. If you find the licensing agreement acceptable, press [F8] to agree;
press [Esc] if you do not agree with the licensing agreement terms.

Press [F8] to proceed with the setup process.

7. The Windows 2000 Professional Setup screen then displays the existing partition
information. On this screen you can create a new partition on the hard disk or delete
an unwanted partition, or you can select the unpartitioned space to make a partition
for your Windows 2000 Professional.
To delete a partition, press [D].

Highlight the unpartitioned space then press [C] to create a partition.

8. Windows 2000 Professional Setup then displays the size of the unpartitioned space on
the disk selected in the previous step. To create a new partition for Windows 2000,
enter the desired partition size in megabytes (MB), then
press [ENTER] to create the new partition.

9. The Windows 2000 Professional Setup screen then displays the disk partition
information. To create more partitions on the disk, highlight the unpartitioned space
and press [C].

To set up Windows 2000 on the desired partition, highlight the New <Unformatted>
partition, make sure that this partition is large enough to hold the Windows 2000
operating system, then

press [ENTER] to install Windows 2000 Professional on the selected partition.

Note: This is the last point at which you can quit the installation process without destroying
any data on the disk. There is no turning back after this step. To quit the installation
process without destroying any data on the disk, press [F3].

10. The Windows 2000 Professional Setup screen then reports that the selected
partition is not formatted. Formatting prepares the hard disk with a file system so that
it can be used. On this screen there are two file systems to choose from for the
operating system: NTFS or FAT. One of the advantages of using the NTFS file system
on Windows 2000 is its security features (per-file permissions, EFS encryption and
auditing), which FAT does not offer.

Highlight "Format the partition using the NTFS file system" to format the
partition using NTFS, then

press [ENTER] to continue.

Recommended reading on the differences between the NTFS file system and the FAT
file system:

NTFS vs. FAT: Which Is Right for You?
Basic information on NTFS and FAT
Comparison of file systems

11. The Windows 2000 Professional Setup screen then shows that the partition is being
formatted, with a progress bar showing the percentage completed.
Wait a while; this procedure may take some time depending on the size of the
partition and the speed of the computer itself.

12. Windows 2000 Professional Setup then copies files to the Windows 2000
installation folder. The progress bar shows the percentage of files already
copied. Wait a while; this process may take some time to complete.

13. The Windows 2000 Professional Setup screen then reports that this portion of Setup
has completed successfully. Remove any bootable media.

Press [ENTER] to restart the computer, or wait for Setup to restart your
computer automatically.

14. After the restart, the Microsoft Windows 2000 Professional screen is displayed
and Windows 2000 Professional starts up for the first time.

15. The Windows 2000 Setup screen displays "Please wait...".

16. The Windows 2000 Professional Setup screen then displays Welcome to the
Windows 2000 Setup Wizard. The Windows 2000 Setup Wizard gathers
information about you and the computer to set up the Windows 2000 Professional
operating system properly on your computer.

Note: From this Setup Wizard screen onwards, you can use your mouse to
click the buttons instead of using the keyboard.

Click [Next >] to continue with the setup process.

17. The Windows 2000 Professional Setup screen displays Installing Devices. On this
screen, Setup detects and installs devices on the computer. Setup also warns that
the screen may flicker for a few seconds. Wait for Setup to finish detecting and
installing the devices on the computer.

18. The Windows 2000 Professional Setup screen then displays Regional Settings. On
this screen you can customize the system locale and the user locale for all
users on the computer by clicking the [Customize...] button, or you can accept the
default setting, in which both the system locale and the user locale are set to English
(United States) for all users on the computer.
In this example the default keyboard layout is the US keyboard layout; you can
customize the keyboard layout setting by clicking the [Customize...] button.

Click [Next >] to continue with the setup process.

19. The Windows 2000 Professional Setup screen then displays Personalize Your
Software. On this screen type your name in the Name box and the name of
your organization in the Organization box.

Name:          <Consult your system Administrator>
Organization:  <Consult your system Administrator>

Click [Next >] to continue with the setup process.

20. The Windows 2000 Professional Setup screen then displays Your Product Key. Type
the Product Key for your Windows 2000 Professional in the Product Key box.
You can find this 25-character Product Key on the back of your Windows 2000
Professional CD case, or consult your system administrator. Make sure that you
key in the right product key, or you cannot proceed to the next installation
step.

Click [Next >] to continue with the setup process.

21. The Windows 2000 Professional Setup screen then displays Computer Name and
Administrator Password. Type the computer name in the Computer name box.
Type an administrator password in the Administrator password box, then retype
the same administrator password in the Confirm password box. Choose a strong
password: this is the local Administrator account, which has full control of the
machine.

Computer name:           <Consult your system Administrator>
Administrator password:  (choose a strong password)
Confirm password:        (retype it)

Click [Next >] to continue with the setup process.

22. The Windows 2000 Professional Setup screen then displays Date and Time
Settings. Adjust the date, time and time zone configuration as necessary.

Click [Next >] to continue with the setup process.

23. The Windows 2000 Professional Setup screen then displays Networking Settings,
with a progress bar while Windows installs the networking components.

24. After the progress bar completes, the screen displays two options (Typical
settings and Custom settings) for the networking settings.
Choose Typical settings to create network connections using the Client for Microsoft
Networks, File and Printer Sharing for Microsoft Networks, and the TCP/IP transport
protocol with automatic addressing.

Click [Next >] to continue with the setup process.

25. The Windows 2000 Professional Setup screen then displays Workgroup or
Computer Domain settings. On this screen you can choose to join an existing
Domain (a collection of computers defined by a network administrator) or be in a
Workgroup (a collection of computers that have the same workgroup name).

Select the radio button:

No, this computer is not on a network, or is on a network without a domain.
Type a workgroup name in the following box.

Note: Connecting the Windows 2000 Professional workstation to an existing Domain
is covered in the 'Step-by-step how to connect Windows 2000 Professional to Windows
Domain' lab project.

Click [Next >] to continue with the setup process.

26. The Windows 2000 Professional Setup screen then displays a progress bar for the
status of installing Windows 2000 components. Wait until Setup installs all the
components. This process may take several minutes to finish.

27. The Windows 2000 Professional Setup screen then displays the Performing Final
Tasks window. The progress bar shows Setup's progress through a final set of tasks.

Please wait until Setup completes:

Installs Start menu items
Registers components
Saves settings
Removes any temporary files used

28. After Setup completes Performing Final Tasks, the Windows 2000 Professional
Setup screen displays a message that you have successfully completed Windows
2000 Setup. Remove the Windows 2000 Professional installation media from the
CD-ROM drive, then

click [Finish] to restart the computer.

29. The splash screen displays "Windows 2000 Professional is starting up" on the first
boot after installation.

30. After Windows finishes loading (Starting up...), Windows 2000 Professional
displays the Welcome window of the Network Identification Wizard.

Click [Next >] to continue with the setup process.

31. The Network Identification Wizard then asks "Who can log on to this computer?".
If you are the only user of the computer, click the radio button "Windows always
assumes the following user has logged on to this computer:" and set a password
for the user if needed; or

if this computer is for the use of multiple users (e.g. a public computer), select
"Users must enter a user name and password to use this computer". The only
user on this computer now is Administrator, so the Administrator has to log on
and set up the user accounts, or join a domain, to make this computer available to
other users. The second option is the safer choice: automatic logon stores the
password on the machine and gives anyone who powers it on that user's session.

Click [Next >] to continue with the setup process.

32. To complete the Network Identification Wizard, click [Finish].

33. The Log On to Windows 2000 Professional screen now appears. This screen
appears only if you selected "Users must enter a user name and password to use
this computer" and entered a password in the previous procedure (Network
Identification Wizard --> Users of This Computer).

If you selected "Windows always assumes the following user has logged on to this
computer:" in the previous procedure and left the password box blank (did not set any
password), the system logs on automatically and this Log On screen never appears.

Enter the user name and password for the user and click [OK] to log on
to the system.

34. The system starts loading and the Windows 2000 Professional desktop appears.

Microsoft Windows 2000, with its Active Directory Services, allows companies to
develop large, centralized directories of network resources. Managing large
numbers of users is easy due to its centralized directory architecture. Access
Gateway with Advanced Access Control 4.2 can take advantage of a company's
Active Directory infrastructure by authenticating users through the Internet
Authentication Service (IAS), Microsoft's implementation of RADIUS.

Procedure

Configuring IAS with the Advanced Access Control server:

1. Go to Start > Programs > Administrative Tools > Internet Authentication
Service to start the IAS console.

2. To add the Advanced Access Control server as a client, right-click the
RADIUS Clients node and then select New RADIUS Client. Type in a
friendly name and the IP address or Fully Qualified Domain Name (FQDN) of
the Advanced Access Control server. Click Next.

3. Under Client-Vendor, leave the default selection RADIUS Standard and
ensure the Request must contain the Message Authenticator attribute
check box is cleared. Type in the shared secret to use for the connection. The
same shared secret is entered when configuring the logon point on the Advanced
Access Control server.

4. Click Finish.

Note: The shared secret is the only key the RADIUS server and the Advanced Access
Control server share. It is used to hide the User-Password attribute in each request
(the MD5-based scheme of RFC 2865) and to compute the Response Authenticator on each
reply, so a reply can only come from a server holding the secret; it does not encrypt the
rest of the packet, and user names and other attributes travel in clear text. Keep the
secret long and random and the RADIUS traffic on a trusted network segment. Clearing the
Message Authenticator check box means IAS also accepts requests from this client that
carry no HMAC-MD5 Message-Authenticator attribute, i.e. requests with no integrity
check of their own. Additionally, the shared secret is case-sensitive.

Once this process is complete, the RADIUS server permits the Advanced Access
Control server to query it; however, a Remote Access Policy is still required to
permit or deny access to specific users.
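What the shared secret actually protects, as an added Python example using only the standard library (this is not IAS or Citrix code; the secret, user name, password and the reuse of 192.168.0.11 as the NAS address are made up for the demonstration). One function plays the RADIUS client, the role the Advanced Access Control server has here; another is a minimal stand-in for IAS. Together they implement the RFC 2865 User-Password hiding and Response Authenticator and the RFC 2869 Message-Authenticator, so the effect of the check box in step 3 can be seen directly: with the attribute present, a tampered request or a wrong secret is caught; without it, the request carries no integrity check at all.

```python
"""RADIUS Access-Request / Access-Accept with the shared secret, RFC 2865/2869.

Added example, not part of the lab manual or of IAS.  Shows what the shared
secret does: it keys the User-Password hiding, the Response Authenticator and
(when present) the Message-Authenticator.  Nothing else in the packet is
encrypted.  All names, addresses and secrets used with it are made up.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def attr(atype, value):
    """One attribute: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Server-side inverse; padding NULs are stripped (so a password may not end in NUL)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(user, password, secret, nas_ip, ident=1, with_msg_auth=True):
    """Client role: build an Access-Request; the Request Authenticator is random."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    if with_msg_auth:
        # RFC 2869 5.14: HMAC-MD5 over the whole packet with this attribute's value zeroed.
        draft = packet(ACCESS_REQUEST, ident, req_auth,
                       attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        attrs += attr(MESSAGE_AUTHENTICATOR, hmac.new(secret, draft, hashlib.md5).digest())
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def parse_attrs(body):
    """Return [(type, value), ...]; rejects truncated or zero-length attributes."""
    out, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute length")
        out.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return out


def check_message_authenticator(request, secret):
    """True/False if the request carries a Message-Authenticator, None if it does not."""
    header, req_auth, body = request[:4], request[4:20], request[20:]
    pos = 0
    for atype, value in parse_attrs(body):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = body[:pos + 2] + b"\x00" * 16 + body[pos + 2 + len(value):]
            expected = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return None


def server_handle(request, secret, users):
    """Minimal IAS stand-in: verify, recover the password, answer Accept or Reject.

    Returns None where RFC 3579 says to silently discard (bad Message-Authenticator).
    """
    if check_message_authenticator(request, secret) is False:
        return None
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    verdict = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", verdict, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def check_response(response, request, secret):
    """Client role: trust a reply only if its authenticator matches our request and secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

To see the difference the check box makes, build one request with with_msg_auth=True and one with False, flip a byte of the User-Name in each and pass them to server_handle: the first is discarded, the second is processed as if nothing had happened, because the random Request Authenticator is not keyed by the secret. check_response shows why a forged Access-Accept is still useless to an attacker who lacks the secret.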

Configuring Policies in IAS with the CTXSUserGroups attribute:

A remote access policy tells the IAS server to permit or deny access to a user based
on a set of credentials. It also allows for the configuration of Vendor-specific
Attributes (VSAs), a form of RADIUS extensions, which allow you to send specific
information to the Advanced Access Control server. Remote access policies can
permit access based on parameters such as a user’s group membership in Active
Directory and scheduled times or dates, among many others. Before any user can
authenticate to the IAS server, a remote access policy must be defined. In this
article, the following policy is created:

Advanced Access Control Carmel Group Policy: Permit Access to Carmel users and
return Carmel User-Group attribute

This policy permits users who are members of the Active Directory group Carmel to
authenticate to the RADIUS server. This policy will also return attributes to the
Advanced Access Control server if the user is a member of the Carmel group, so
access can be restricted to members of the Carmel group only.

1. To define a remote access policy, from the IAS console, right-click Remote
Access Policies and click New Remote Access Policy.

2. In the New Remote Access Policy Wizard, select Set up a custom policy
and type a policy name. Click Next.

3. Under the Policy Conditions box, click Add and then select the
Windows-Groups attribute type.



4. Select the Active Directory user group whose access you want to restrict. In
this article, the Carmel group is selected. A summary of conditions to match
for this policy is shown. You may add additional groups, but users must be a
member of all the groups to be granted access. Click Next.



5. Select Grant remote access permission and click Next.

6. Click Edit Profile to edit the dial-in properties for the remote access profile.
This is where Password Authentication Protocol (PAP) or Challenge
Handshake Authentication Protocol (CHAP) authentication and VSAs are
enabled. Click the Authentication tab and clear the Microsoft Encrypted
Authentication check boxes. Select the Encrypted authentication (CHAP)
and Unencrypted authentication (PAP, SPAP) check boxes.

7. The RADIUS server must tell the Advanced Access Control server that users
matching this policy are members of the Carmel group in Active Directory.
This is done by sending VSAs to the Advanced Access Control server as part
of this remote access policy.

8. Click the Advanced tab and remove any attributes that are present. Click
Add.



9. Select Vendor Specific and then click Add. From the Multivalued Attribute
Information window, click Add and then select Enter Vendor Code. Type 4
as the vendor code. Select Yes. It conforms. and click Configure
Attribute…



10. Type 14 as the Vendor-assigned attribute number and then enter
CTXSUserGroups=Carmel as the Attribute value. Click OK.

11. Complete the wizard. A dialog box pops up warning that you have changed
settings. Click No and then click OK.

When you have finished configuring your remote access policy, it appears in the
Remote Access Policies list in the IAS console. This policy permits access and
returns the Carmel attribute to the Advanced Access Control server when users
who match these conditions authenticate.
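The attribute configured in steps 9 and 10 travels to the Advanced Access Control server as a RADIUS Vendor-Specific Attribute, and the shared secret from step 3 is what lets that server check a reply really came from IAS. The Python below is an added example, not code from IAS or Access Gateway: it encodes the vendor 4 / attribute 14 value CTXSUserGroups=Carmel as RFC 2865 describes, computes the Response Authenticator over a constructed shared secret and Request Authenticator, and shows that a reply built with the wrong secret, or whose group value was altered in transit, fails verification before the group name is trusted.

```python
"""Encode and check a RADIUS Vendor-Specific Attribute (RFC 2865 section 5.26)
and the Response Authenticator that the shared secret protects.  Added example,
not code from IAS or Access Gateway.  Vendor code 4, attribute number 14 and the
value CTXSUserGroups=Carmel are the settings from the procedure; the shared
secret, packet identifier and Request Authenticator are constructed samples."""
import hashlib
import hmac
import struct
from typing import Iterator, List, Tuple

ATTR_VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries VSAs
CODE_ACCESS_ACCEPT = 2
VENDOR_CODE = 4             # "Enter Vendor Code" in step 9
CTXS_GROUPS_TYPE = 14       # "Vendor-assigned attribute number" in step 10

SECRET = b"constructed-sample-secret"  # constructed; in IAS this is the step 3 secret
REQUEST_AUTH = bytes(range(16))        # constructed; really 16 random bytes from the NAS


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Type(26) Length Vendor-Id(4) | Vendor-Type Vendor-Length String."""
    if len(value) > 247:  # 255 max attribute length minus 8 bytes of headers
        raise ValueError("VSA string too long for a single attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def iter_attributes(attrs: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list, rejecting truncated or overlong entries."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen


def decode_vsa(value: bytes) -> Tuple[int, int, bytes]:
    """Split a Vendor-Specific value into (vendor_id, vendor_type, string)."""
    if len(value) < 6 or value[5] != len(value) - 4 or value[5] < 2:
        raise ValueError("malformed VSA")
    (vendor_id,) = struct.unpack("!I", value[:4])
    return vendor_id, value[4], value[6:]


def build_access_accept(ident: int, request_auth: bytes, attrs: bytes,
                        secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the authenticator with the local copy of the secret.
    A reply from a host holding the wrong secret, or one whose attribute list
    was altered in transit, fails here before any group name is trusted."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def ctxs_user_groups(packet: bytes) -> List[str]:
    """Collect group names from CTXSUserGroups=<group> VSAs (vendor 4, type 14)."""
    groups = []
    for atype, value in iter_attributes(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, vtype, text = decode_vsa(value)
        if vendor_id == VENDOR_CODE and vtype == CTXS_GROUPS_TYPE:
            name, _, group = text.decode("ascii").partition("=")
            if name == "CTXSUserGroups" and group:
                groups.append(group)
    return groups


def demo_accept() -> bytes:
    """The Access-Accept IAS would return for a Carmel member under this policy."""
    vsa = encode_vsa(VENDOR_CODE, CTXS_GROUPS_TYPE, b"CTXSUserGroups=Carmel")
    return build_access_accept(7, REQUEST_AUTH, vsa, SECRET)


if __name__ == "__main__":
    pkt = demo_accept()
    print(pkt.hex())
    print("authenticator ok:", verify_response(pkt, REQUEST_AUTH, SECRET))
    print("groups:", ctxs_user_groups(pkt))
```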

Configuring Advanced Access Control for RADIUS authentication and authorization:

1. From the Access Suite Console, select the farm properties node and click
Edit farm properties under Common Tasks. On the Authentication Profiles
page, under Radius Profiles, click New and provide a name for your
RADIUS profile. In this example the name is IAS Radius.

2. Click New… and add the IP address or FQDN of the RADIUS server. Change
the port numbers if you changed them on the IAS server. Otherwise, the
default values work. Click OK.

3. Select Enable RADIUS auditing and then click Configure Authorization.
Enter 4 for the Vendor identifier and then enter 14 for the Vendor specified
type. Click OK and OK again to exit the wizard.

4. Select the logon point you wish to use with RADIUS and click Edit logon
point under Common Tasks. On the Authentication page, select the
RADIUS profile option and then choose the RADIUS server from the list box.

5. On the Authorization page, the RADIUS profile option is selected
automatically. Select the Enable pass-through authentication to Active
Directory check box and then enter the default Active Directory domain.

6. On the Visibility page, select Allow external (gateway appliance) users
access to this logon point to enable access to the Access Gateway
appliance. Click OK.



7. Add the RADIUS shared secret using the Server Configuration utility. Go to
Start > Programs > Citrix > Access Gateway > Server Configuration and
select Configured Logon Points.

8. Select the logon point you configured for RADIUS and then click
Authentication Credentials. Under RADIUS Servers, in Global secret for
all servers, enter and confirm the shared secret for the RADIUS server you
created in IAS. Click OK.



9. To make use of the group(s) returned by RADIUS, you must create a
resource in the Access Suite Console and create a policy for the resource.
When creating the policy, choose the RADIUS server from the list box and
click Add. Add the name of the group you configured to allow access to this
resource. In this example, Carmel is selected. Click OK.



Now you are ready to log on to the Advanced Access Control server using RADIUS
authentication and authorization. After logging on, the default navigation page
displays the resource created for members of the Carmel group to access.

Exercise 2: Install and Configure Windows 2000 Server

Solution :

Step #1: Plan your installation

When you run the Windows 2000 Server Setup program, you must provide
information about how to install and configure the operating system. Thorough
planning can make your installation of W2K more efficient by helping you to avoid
potential problems during installation. An understanding of the configuration options
will also help to ensure that you have properly configured your system.

I won't go into that part right now, but here are some of the most important things
you should take into consideration when planning your Windows 2000 Server
installation:

 Check System Requirements
 Check Hardware and Software Compatibility
 Determine Disk Partitioning Options
 Choose the Appropriate File System: FAT, FAT32, NTFS
 Decide on a Workgroup or Domain Installation
 Complete a Pre-Installation Checklist

Once you have confirmed that you can go ahead, start the installation process.

Step #2: Beginning the installation process

Windows 2000 Server can be installed in several ways; all are valid, and the right
one depends on your needs and your limitations.

 Manual installations usually come in 3 flavors:


 Boot from CD - No existing partition is required.
 Boot from the 4 Setup Boot Disks, then insert the CD - No existing partition is
required.
 Boot from an MS-DOS startup floppy, go to the command prompt, create a 4GB
FAT32 partition with FDISK, reboot, format the C partition you've created, then
go to the CD drive, go into the I386 folder, and run the WINNT.EXE command.
 Run an already installed OS, such as Windows NT 4.0 Server. From within NT
4.0 go to the I386 folder in the W2K installation CD and run the WINNT32.EXE
command.
 If you want to upgrade a desktop OS such as Windows 98 into Windows 2000
Professional you can follow the same procedure as above (You cannot upgrade
Windows 98 into W2K Server).

There are other non-manual installation methods, such as using an unattended file
along with a uniqueness database file, using Sysprep, using RIS or even running
unattended installations from within the CD itself, but we won't go into that right now.

It doesn't matter how you launch the setup process: once it is running, all setup
methods look alike.

Step #3: The text-based portion of the Setup program

The setup process begins loading a blue-looking text screen (not GUI). In that
phase you will be asked to accept the EULA and choose a partition on which to
install W2K, and if that partition is new, you'll be asked to format it by using either
FAT, FAT32 or NTFS.

1. Start the computer from the CD.

2. You can press F6 if you need to install additional SCSI adapters or other
mass-storage devices. If you do, you will be asked to supply a floppy disk with the
drivers, and you CANNOT browse it (or a CD for that matter). Make sure you have
one handy.

3. Setup will load all the needed files and drivers.

4. Select To Setup W2K Now. If you want, and if you have a previous installation of the
OS, you can try to fix it by pressing R. If not, just press ENTER.

5. In case your server is a new one, or it is using a new hard disk that hasn't been
partitioned yet, you'll get a warning message. Read it, and if you want to continue,
press C.

6. Read and accept the licensing agreement and press F8 if you accept it.

7. Select or create the partition on which you will install W2K. Depending upon your
existing disk configuration choose one of the following:

 If the hard disk is not yet partitioned, you can create and size the partition on
which you will install Windows 2000. Press C.

 If the hard disk is new and you want to create a partition that will span the entire
hard disk's size - press Enter.

Other options:

 If the hard disk is already partitioned, but has enough unpartitioned disk space,
you can create an additional partition in the unpartitioned space.
 If the hard disk already has a partition that is large enough, you can install
Windows 2000 on that partition. If the partition has an existing operating
system, you will overwrite that operating system if you accept the default
installation path. However, files other than the operating system files, such as
program files and data files, will not be overwritten.
 If the hard disk has an existing partition, you can delete it to create more
unpartitioned space for the new partition. Deleting an existing partition erases
all data on that partition.

If you select a new partition during Setup, create and size only the partition on which
you will install Windows 2000. After installation, use Disk Management to partition
the remaining space on the hard disk.

8. Select a file system for the installation partition. After you create the partition on
which you will install W2K, you can use Setup to select the file system with which to
format the partition. W2K supports the NTFS file system in addition to the file
allocation table (FAT) and FAT32 file systems. Windows Server 2003, Windows XP
Professional, Windows 2000, and Windows NT are the only Microsoft operating
systems that you can use to gain access to data on a local hard disk that is
formatted with NTFS. If you plan to gain access to files that are on a local W2K
partition with the Microsoft Windows 95 or Windows 98 operating systems, you
should format the partition with a FAT or FAT32 file system. We will use NTFS.

9. Setup will then begin copying necessary files from the installation point (CD, local
I386 or network share).
10. Note: If you began the installation process from an MS-DOS floppy, make sure you
have and run SMARTDRV from the floppy; otherwise the copying process will
probably take well over an hour. With SMARTDRV (or if Setup was started by
booting from the CD) the copying will take only a few minutes, five at most.

11. The computer will restart in graphical mode, and the installation will continue.

Step #4: The GUI-based portion of the Setup program

The setup process reboots and loads a GUI mode phase.



It will then begin to load device drivers based upon what it finds on your computer.
You don't need to do anything at this stage.

If your computer stops responding during this phase (the progress bar is stuck
almost half-way, and there is no disk activity) - shut down your computer and begin
removing hardware such as PCI and ISA cards. If it works for you then later try to
figure out how to make that specific piece of hardware work (it's probably not in the
HCL).

1. Click Customize to change regional settings, if necessary.

 Current System Locale - Affects how programs display dates, times, currency,
and numbers. Choose the locale that matches your location, for example,
French (Canada).
 Current Keyboard Layout - Accommodates the special characters and symbols
used in different languages. Your keyboard layout determines which characters
appear when you press keys on the keyboard.

If you don't need to make any changes just press Next.

If you do need to make changes press Customize and add your System Locale etc.

Note for Hebrew users: In W2K it is NOT SAFE to install Hebrew language support
at this phase!!! Trust me, do it later. If you don't listen to me, chances are good that
you'll get ???? fonts in some Office applications such as Outlook and others.

Read the Install Hebrew on Windows 2000 page for more info.

2. Type your name and organization.

3. Type the product key.



If you'd like to skip this step in the future, please read Install Windows 2000 Without
Supplying the CD Key.

4. Enter the appropriate license type and number of purchased licenses.

5. Type the computer name and a password for the local Administrator account. The
local Administrator account resides in the SAM of the computer, not in Active
Directory. If you will be installing in a domain, you need either a pre-assigned
computer name for which a domain account has been created, or the right to create
a computer account within the domain.

6. Choose which components to install or remove from the system.

7. Select the date, time, and time zone settings.

6. Setup will now install the networking components.

After a few seconds you will receive the Networking Settings window. BTW, if you
have a NIC that is not in the HCL (see the What's the HCL? page) and W2K cannot
detect it, or if you don't have a NIC at all, setup will skip this step and you will
immediately go to the final phase of the setup process.

Press Next to accept the Typical settings option if you have one of the following
situations:

 You have a functional DHCP on your network.


 You have a computer running Internet Connection Sharing (ICS).
 You're in a workgroup environment and do not plan to have any other servers or
Active Directory at all, and all other workgroup members are configured in the
same manner.

Otherwise select Custom Settings and press Next to customize your network
settings.

7. Highlight the TCP/IP selection and press Properties.

In the General tab enter the required information. You must specify the IP address
of the computer, and if you don't know what the Subnet Mask entry should be - you
can simply place your mouse pointer over the empty area in the Subnet Mask box
and click it. The OS will automatically select the value it thinks is good for the IP
address you provided.

Lamer note: In the above screenshot I've configured the computer with a valid IP
address for MY network, along with the Default Gateway and the address of MY
DNS server. Your settings may differ.

If you don't know what these values mean, or if you don't know what to write in
them, press cancel and select the Typical Settings option. You can easily change
these values later.

8. In the Workgroup or Domain window enter the name of your workgroup or domain.

 A workgroup is a small group of computers on a network that enables users to
work together and does not support centralized administration.
 A domain is a logical grouping of computers on a network that has a central
security database for storing security information. Centralized security and
administration are important for computers in a domain because they enable an
administrator to easily manage computers that are geographically distant from
each other. A domain is administered as a unit with common rules and
procedures. Each domain has a unique name, and each computer within a
domain has a unique name.

If you're a stand-alone computer, or if you don't know what to enter, or if you don't
have the sufficient rights to join a domain - leave the default entry selected and
press Next.

If you want to join a domain (an NT 4.0 domain or a W2K/2003 Active Directory
domain), enter the domain's name in the "Yes, make this computer a member of the
following domain" box.

To successfully join a domain you need the following:

 The person performing the installation must have a user account in Active
Directory. This account does not need to be the domain Administrator account.

and

 The computer must have an existing computer account in the Active Directory
database of the domain that the computer is joining, and the computer must be
named exactly as its domain account is named.

or

 The person performing the installation must have appropriate permission to
create a domain account for the computer during installation.

Also, you need to have connectivity to the domain's domain controllers (only to the
PDC if on an NT 4.0 domain) and a fully functional DNS server (only in AD
domains). Read the Joining a Domain in Windows XP Pro and Requirements when
Joining a Domain pages for more on this issue.



Enter the Active Directory domain name (in the form of xxx.yyy, for example:
DPETRI.NET) or the NetBIOS name of the NT 4.0 domain (in the form of xxx, for
example: DPETRI). Press Next.

Note: If you provide a wrong domain name or do not have the correct connectivity to
the domain's DNS server you will get an error message.

A username/password window will appear. Enter the name and password of the
domain's administrator (or your own if you're the administrator on the target
domain).

Note: Providing a wrong username or password will cause this phase to fail.

9. Next the setup process will finish copying files and configuring the setup. You do not
need to do anything.

10. After the copying and configuring phase is finished, if Windows Server 2003 finds
that you have a badly configured screen resolution it will advise you to change it and
ask you if you see the new settings right.
11. Setup finishes and displays the finish window. Unfortunately, you must press Finish
in order to reboot.

12. Windows 2000 reboots and you should get the CTRL-ALT-DEL window.

13. That's it! You're done!



Exercise 3: Set your printer on sharing and assign print permissions
according to different users, configuring printer priorities for different
groups.

Solution : The easiest way to connect and manage network printers is through
Active Directory. You can also use Group Policy to change the default behavior of
the printing environment and to provide computers and users a standard set of
preferences.

Some of the most common tasks are publishing a printer in Active Directory,
remotely managing printers, setting Group Policy for printers, and setting or
removing permissions for a printer. You can also manage network printers from the
command line.

To publish a printer in Active Directory


1. Open Printers and Faxes.
2. Right-click the printer you want to publish, and then click Sharing.
3. On the Sharing tab, click Share this printer, and then type a name for the
shared printer.
4. Select the List in the Directory check box to publish the printer in Active
Directory.

To remotely manage printers


1. Double-click My Network Places, and then locate the print server for the
printers you want to manage.
2. Double-click the print server, double-click the Printer folder icon on that server,
and then click a printer.

Important

• To facilitate stronger network security, remote printer management is not
available by default. To enable remote printer management, in Group
Policy, you must enable the Allow Print Spooler to Accept Client
Connections policy.
3. Change the print server, printer, or printing preference settings as required.

To set Group Policy for printers


1. Start Group Policy according to the object you want to set printer policy to.
2. After selecting the properties page of the object you want to set printer policy to,
select the Group Policy node.

• If you want to set policies that apply only to computers, expand the
Computer Configuration node, and then expand Administrative
Templates.
• If you want to set policies that apply only to users, expand the User
Configuration node, expand Administrative Templates, and then
expand Control Panel.
3. Double-click Printers to open a listing of policies.
4. Double-click the printer policy you want to set.
5. On the Policy tab, enable or disable the policy by selecting or clearing the
appropriate radio button. With some policies, you might need to enter additional
information.

To set or remove permissions for a printer


1. Open Printers and Faxes.
2. Right-click the printer for which you want to set permissions, click Properties,
and then click the Security tab.
3. Do one of the following:

• To change or remove permissions from an existing user or group, click the
name of the user or group.
• To set up permissions for a new user or group, click Add. In Select Users,
Computers, or Groups, type the name of the user or group you want to
set permissions for, and then click OK to close the dialog box.
4. In Permissions, click Allow or Deny for each permission you want to allow or
deny, if necessary. Or, to remove the user or group from the permissions list,
click Remove.

Exercise 4: Install and Configure the DHCP Server Service.

Solution : How to Install the DHCP Service


Before you can configure the DHCP service, you must install it on the server.
DHCP is not installed by default during a typical installation of Windows
Standard Server 2003 or Windows Enterprise Server 2003. You can install
DHCP either during the initial installation of Windows Server 2003 or after
the initial installation is completed.

How to Install the DHCP Service on an Existing Server


1. Click Start, point to Control Panel, and then click Add or Remove Programs.

2. In the Add or Remove Programs dialog box, click Add/Remove Windows
Components.

3. In the Windows Components Wizard, click Networking Services in the
Components list, and then click Details.

4. In the Networking Services dialog box, click to select the Dynamic Host
Configuration Protocol (DHCP) check box, and then click OK.

5. In the Windows Components Wizard, click Next to start Setup. Insert the
Windows Server 2003 CD-ROM into the computer's CD-ROM or DVD-ROM
drive if you are prompted to do so. Setup copies the DHCP server and tool
files to your computer.

6. When Setup is completed, click Finish.

How to Configure the DHCP Service


After you have installed the DHCP service and started it, you must create a
scope, which is a range of valid IP addresses that are available for lease to
the DHCP client computers on the network. Microsoft recommends that each
DHCP server in your environment have at least one scope that does not
overlap with any other DHCP server scope in your environment. In Windows
Server 2003, DHCP servers in an Active Directory-based domain must be
authorized to prevent rogue DHCP servers from coming online. Any
Windows Server 2003 DHCP Server that determines itself to be
unauthorized will not manage clients.

How to Create a New Scope


1. Click Start, point to Programs, point to Administrative Tools, and then
click DHCP.

2. In the console tree, right-click the DHCP server on which you want to create
the new DHCP scope, and then click New Scope.

3. In the New Scope Wizard, click Next, and then type a name and description
for the scope. This can be any name that you want, but it should be
descriptive enough so that you can identify the purpose of the scope on your
network (for example, you can use a name such as "Administration Building
Client Addresses"). Click Next.

4. Type the range of addresses that can be leased as part of this scope (for
example, use a range of IP addresses from a starting IP address of
192.168.100.1 to an ending address of 192.168.100.100). Because these
addresses are given to clients, they must all be valid addresses for your
network and not currently in use. If you want to use a different subnet mask,
type the new subnet mask. Click Next.

5. Type any IP addresses that you want to exclude from the range that you
entered. This includes any addresses in the range described in step 4 that
may have already been statically assigned to various computers in your
organization. Typically, domain controllers, Web servers, DHCP servers,
Domain Name System (DNS) servers, and other servers, have statically
assigned IP addresses. Click Next.

6. Type the number of days, hours, and minutes before an IP address lease
from this scope expires. This determines how long a client can hold a leased
address without renewing it. Click Next, and then click Yes, I want to
configure these options now to extend the wizard to include settings for
the most common DHCP options. Click Next.

7. Type the IP address for the default gateway that should be used by clients
that obtain an IP address from this scope. Click Add to add the default
gateway address in the list, and then click Next.

8. If you are using DNS servers on your network, type your organization's
domain name in the Parent domain box. Type the name of your DNS
server, and then click Resolve to make sure that your DHCP server can
contact the DNS server and determine its address. Click Add to include that
server in the list of DNS servers that are assigned to the DHCP clients. Click
Next, and then follow the same steps if you are using a Windows Internet
Naming Service (WINS) server, by adding its name and IP address. Click
Next.

9. Click Yes, I want to activate this scope now to activate the scope and
allow clients to obtain leases from it, and then click Next.

10. Click Finish.

11. In the console tree, click the server name, and then click Authorize on the
Action menu.
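Step 5 matters because any statically assigned server left inside the range will sooner or later be leased to a client as well. The Python below is an added example, not part of the Windows DHCP tooling: it models the 192.168.100.1 to 192.168.100.100 scope from step 4 and checks its range, exclusions, default gateway and DNS servers against a list of statically addressed hosts before the scope is activated; the netmask, gateway, DNS server, exclusions and host addresses are constructed sample values.

```python
"""Pre-activation sanity checks for a DHCP scope.  Added example, not part of
the Windows DHCP console.  The range 192.168.100.1-192.168.100.100 is the one
from the procedure; netmask, router, DNS server, exclusions and the static
hosts are constructed sample values."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set

IPv4 = ipaddress.IPv4Address


@dataclass
class Scope:
    start: str
    end: str
    netmask: str
    router: str                     # default gateway handed to clients (step 7)
    dns_servers: List[str]          # DNS servers handed to clients (step 8)
    exclusions: List[str] = field(default_factory=list)  # "a.b.c.d" or "a.b.c.d-a.b.c.e"
    lease_seconds: int = 8 * 24 * 3600                   # lease duration (step 6); sample


def expand_exclusions(exclusions: List[str]) -> Set[IPv4]:
    """Turn single addresses and dash-separated ranges into a set of addresses."""
    out: Set[IPv4] = set()
    for item in exclusions:
        lo, _, hi = item.partition("-")
        first, last = IPv4(lo.strip()), IPv4((hi or lo).strip())
        out.update(IPv4(i) for i in range(int(first), int(last) + 1))
    return out


def leasable_addresses(scope: Scope) -> List[IPv4]:
    """Addresses the server may actually hand out: the range minus exclusions."""
    excluded = expand_exclusions(scope.exclusions)
    return [IPv4(i) for i in range(int(IPv4(scope.start)), int(IPv4(scope.end)) + 1)
            if IPv4(i) not in excluded]


def check_scope(scope: Scope, static_hosts: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the scope is safe to activate.
    static_hosts maps a label (e.g. "dc01") to an address that was assigned by hand."""
    problems: List[str] = []
    start, end = IPv4(scope.start), IPv4(scope.end)
    network = ipaddress.IPv4Network(f"{scope.start}/{scope.netmask}", strict=False)
    if end < start:
        problems.append("end address precedes start address")
    if end not in network:
        problems.append(f"range leaves the {network} subnet")
    for addr in (start, end):
        if addr in (network.network_address, network.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address")
    if IPv4(scope.router) not in network:
        problems.append(f"router {scope.router} is not on {network}")
    for item in scope.exclusions:
        lo, _, hi = item.partition("-")
        if not (start <= IPv4(lo) <= end and start <= IPv4(hi or lo) <= end):
            problems.append(f"exclusion {item} lies outside the range")
    # Anything configured by hand must never be leased to a client as well.
    pool = set(leasable_addresses(scope))
    fixed = {"router": scope.router}
    fixed.update({f"dns server {d}": d for d in scope.dns_servers})
    fixed.update(static_hosts)
    for label, addr in fixed.items():
        if IPv4(addr) in pool:
            problems.append(f"{label} {addr} is inside the range but not excluded")
    if scope.lease_seconds <= 0:
        problems.append("lease duration must be positive")
    return problems


# Constructed: servers on this subnet that were given addresses by hand.
STATIC_HOSTS = {"dc01": "192.168.100.5", "web01": "192.168.100.8"}


def first_draft() -> Scope:
    """A first attempt at the scope: only the gateway address is excluded."""
    return Scope("192.168.100.1", "192.168.100.100", "255.255.255.0",
                 router="192.168.100.1", dns_servers=["192.168.100.5"],
                 exclusions=["192.168.100.1"])


def corrected() -> Scope:
    """The same scope with the statically assigned servers excluded (step 5)."""
    scope = first_draft()
    scope.exclusions = ["192.168.100.1-192.168.100.10"]
    return scope


if __name__ == "__main__":
    for label, scope in (("draft", first_draft()), ("corrected", corrected())):
        print(label, check_scope(scope, STATIC_HOSTS) or "ok",
              len(leasable_addresses(scope)), "leasable")
```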

Exercise 5: Configure Windows 2000 Client to use DHCP, DNS, and WINS.

Solution : Configuring the clients to use DHCP

Once the DHCP server is configured, each client must be configured to use DHCP.
The following information describes the steps to configure your Windows (R) and
OS/2(R) clients to request their configuration information from the DHCP server. In
addition, it describes how the clients can view their own DHCP lease information.

Windows 2000 clients


To enable DHCP:

1. On the Start Menu, select Settings --> Network and Dial-up
Connections.
2. Right-click the appropriate connection name and select Properties.
3. Select TCP/IP Protocol and select Properties.



4. On the General tab, select Obtain an IP address from a DHCP server.
5. Select OK.

Windows NT and Windows 2000 clients also have a utility that displays the client's
MAC address and DHCP lease information. To check the DHCP lease for a
Windows NT and Windows 2000 client:

1. Open an MS-DOS Command Prompt.


2. Run IPCONFIG /ALL.

Note: This utility does not dynamically update the displayed information, so it will
be necessary to re-run the utility to view updated status. You can use the same
utility with different parameters to release and renew a lease (IPCONFIG
/RELEASE and IPCONFIG /RENEW). Run IPCONFIG /? from an MS-DOS
Command Prompt to see all of the possible parameters for the command.

Windows 2000 DHCP clients need to be configured if you want the DHCP server to
update DNS A records on behalf of the client. You may want to delegate updates
to the DHCP server if your network has standard legacy Microsoft (R) Windows
clients like Windows 95 and NT, since these clients currently do not update DNS A
records. This may simplify your DNS administration because DNS updates will
originate from the DHCP server for all clients, rather than having some clients
update their own records.

To disable DNS dynamic updates from the client perform the following steps:

1. On the Start Menu, select Settings --> Network and Dial-up Connections.
2. Right-click the appropriate connection name and select Properties.
3. Select TCP/IP Protocol and select Properties.
4. Select Advanced.
5. On the DNS tab, deselect the "Register this connection's addresses in DNS"
and "Use this connection's DNS suffix in DNS registration" options.
6. Select OK.

This should be done for all connections that you want to have the DNS
records update delegated to the DHCP server.

How to Configure DNS Dynamic Update on a Windows 2000 DNS Client Computer

To configure DNS dynamic update on a Windows 2000 DNS client computer:

1. Click Start, point to Settings, and then click Network and Dial-up
Connections.

2. Right-click the network connection that you want to configure, and then click
Properties.

3. Click either the General tab (for the local area connection) or the Networking
tab (for all other connections), click Internet Protocol (TCP/IP), and then click
Properties.

4. Click Advanced, and then click the DNS tab.

5. To use DNS dynamic update to register both the IP addresses for this
connection and the full computer name of the computer, click to select the
Register this connection's addresses in DNS check box. This check box is
selected by default.

6. To configure a connection-specific DNS suffix, type the DNS suffix in the DNS
suffix for this connection box.

7. To use DNS dynamic update to register the IP addresses and the
connection-specific domain name for this connection, click to select the Use this
connection's DNS suffix in DNS registration check box. This check box is
selected by default.

Installation

To disable WINS/NetBT name resolution:

1. Click Start, point to Settings, and then click Network and Dial-up
Connections.

2. Click the local area connection that you want to be statically configured, and
then click Properties on the File menu.

3. Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then
click the WINS tab.

4. Click Disable NetBIOS over TCP/IP.

5. Click OK, click OK, and then click OK.

NOTE: Optionally, you can select the Use NetBIOS setting from the DHCP server if
you are using a DHCP server that can selectively enable and disable NetBIOS
configurations through DHCP option types. NetBIOS over TCP/IP can also be
disabled for computers that are running Windows 2000 by using DHCP option
types that are supported by the Windows 2000 DHCP Server service.

Exercise 6: Configuring a Windows Client as a VPN Client.

Solution :

Windows XP VPN Client

The following steps create a Windows XP VPN connection to a server.



1. Go to Start / Settings / Network Connections

2. Start the New Connection Wizard

3. Select Connect to the network at my workplace

4. Click on the Next button.

5. Click on Virtual Private Network connection



6. Click on the Next button

7. Give the Connection a Name



8. Click on the Next button

9. If prompted, select whether or not you need to dial to the Internet before
establishing a VPN connection.

10. Enter the IP address of the server you want to connect to. This must be the
external (WAN) IP address used by the VPN server, not the LAN IP address of the
VPN server.

11. Choose whether you want an icon placed on the desktop, and then click the
Finish button.



VPN and Browsing

1. Browsing the remote network can be difficult, if not impossible, over a VPN
connection. There are too many variables that can hinder this.

2. To make browsing work a little easier, you might want to edit the HOSTS and
LMHOSTS files on the VPN client. On Windows XP these are in the
C:\Windows\System32\drivers\etc directory.

3. Just add a line with the LAN IP address of the VPN server followed by its name,
e.g.
192.168.1.10 SERVER

4. You can also add the LAN IP address and name of any other computers on the
remote network that you may want to connect to.

5. Also, make sure the workgroup name is the same on all computers.

The default client TCP/IP setting might interfere with your ability to access the
Internet while a VPN connection is up, because all traffic is then sent through the
tunnel. To correct this:
1. Go to the properties for your VPN connection

2. Click on the Networking tab

3. Double click on TCP/IP

4. Click on the Advanced button

5. Uncheck "Use default gateway on remote network"

With this box cleared the connection is split-tunnelled: only traffic for the remote
network goes through the VPN, and the client's other Internet traffic bypasses the
VPN and the remote network's firewall and monitoring. Many organisations forbid
this for exactly that reason, so check the policy before changing the setting.
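The connection built by the wizard above, plus the HOSTS entry and the gateway setting from the browsing notes, can be created from the command line. This is an added example, not part of this lab manual; it uses the VpnClient module (Windows 8.1 / Windows Server 2012 R2 and later, so not Windows XP itself) and assumes the connection name "Office VPN", a public VPN server address of 203.0.113.10, a remote LAN of 192.168.1.0/24 with the server SERVER at 192.168.1.10, all assumed values.

```powershell
# Added example (not from the lab manual). Creates the VPN connection from the
# wizard above on Windows 8.1 / Server 2012 R2 or later, adds the HOSTS entry
# from "VPN and Browsing", and shows what clearing "Use default gateway on
# remote network" does to the routing table. Run elevated.

$name   = 'Office VPN'        # assumed connection name
$server = '203.0.113.10'      # the server's external (WAN) address, not its LAN address
$lan    = '192.168.1.0/24'    # assumed remote LAN behind the VPN server

# SSTP carries the MS-CHAPv2 exchange inside TLS on port 443. PPTP exposes the
# same exchange on the wire, where it can be cracked offline, so it is avoided.
# -SplitTunneling is the scripted form of clearing "Use default gateway on
# remote network".
if (-not (Get-VpnConnection -Name $name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $name -ServerAddress $server `
        -TunnelType Sstp -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
        -SplitTunneling -RememberCredential:$false -Force
}

# With split tunnelling the client must be told which prefix belongs to the
# tunnel; otherwise only the tunnel address itself is routed through it.
Add-VpnConnectionRoute -ConnectionName $name -DestinationPrefix $lan -ErrorAction SilentlyContinue

# Step 3 of "VPN and Browsing": HOSTS entry for the remote server's LAN name.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (-not (Select-String -Path $hosts -Pattern '^\s*192\.168\.1\.10\s+SERVER\s*$' -Quiet)) {
    Add-Content -Path $hosts -Value "192.168.1.10`tSERVER"
}

# Dial it (rasdial prompts for credentials when none are stored), then show the
# routing table: the default route (0.0.0.0/0) stays on the physical adapter and
# only the remote LAN prefix points at the tunnel interface.
rasdial $name
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' | Format-Table InterfaceAlias, NextHop
Get-NetRoute -AddressFamily IPv4 | Where-Object InterfaceAlias -eq $name |
    Format-Table DestinationPrefix, NextHop, RouteMetric

# To send everything through the tunnel instead (the behaviour the manual
# describes as the default):
# Set-VpnConnection -Name $name -SplitTunneling $false
```

rasdial, which dials a stored connection by name, has existed since Windows NT and also works on Windows XP; the VpnClient cmdlets are the only part that needs a newer Windows.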

Exercise 7: Implement Dfs (Distributed file system) replication.

Solution : The Distributed File System is used to build a hierarchical view of
multiple file servers and shares on the network. Instead of having to think of a
specific machine name for each set of files, the user will only have to remember one
name, which will be the 'key' to a list of shares found on multiple servers on the
network. Think of it as the home of all file shares with links that point to one or more
servers that actually host those shares. DFS has the capability of routing a client to
the closest available file server by using Active Directory site metrics. It can also be
installed on a cluster for even better performance and reliability. Medium to large
sized organizations are most likely to benefit from the use of DFS; for smaller
companies it is simply not worth setting up, since an ordinary file server would be
just fine.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is a
definition of each of them.



Dfs root: You can think of this as a share that is visible on the network, and in this
share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the
root. When a user opens this link they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have
two identical shares, normally stored on different servers, you can group them
together as Dfs Targets under the same link.

The image below shows the actual folder structure of what the user sees when
using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in
Windows 2000, improved for better performance, additional fault tolerance, load
balancing and reduced use of network bandwidth. It also comes with a powerful set
of command-line scripting tools which can be used to make administrative backup
and restoration tasks of the DFS namespaces easier. Client Windows operating
systems include a DFS client which provides additional features as well as caching.

Setting Up and Configuring DFS

The Distributed File System console is installed by default with Windows 2003 and
can be found in the administrative tools folder. To open, press Start > Programs >
Administrative Tools > Distributed File System or in the Control Panel, open the
Administrative Tools folder and click on the Distributed File System icon. This will
open the management console where all the configuration takes place.

The first thing you need to do is create a root. To do this, right click the node and
select New Root.

Press next on the first window to be brought to the screen where you will have to
make the choice of creating either a stand alone or domain root. A domain root will
publish itself in Active Directory and supports replication, whereas a stand alone
root does not. If you have an AD Domain Controller set up on your machine, I
recommend choosing the domain root.
Note: The root would be the top level of the hierarchy. It is the main Active Directory
container that holds Dfs links to shared folders in a domain. Windows 2003 allows
your server to have more than one root - which wasn't the case in Windows 2000.

The next screen is the one where you have to select which trusted domains will be
hosted. Since I only have one domain in my network, only domain.com is visible.

Once this is done you have to select a server on that domain - in my example it is
netserv. The FQDN (Fully Qualified Domain Name) of this host server is
netserv.domain.com.

Figure 2: inputting the host server name

The following screen allows you to specify the root name of your primary DFS root.
You should give it something which will accurately define the contents of that share.
In my example I have called this root "Company", which would be the real name of
an organization. You can change this to anything you want. You might wish to have a
root called "Documents", which would clearly state that one can expect to find
anything related or specific to documents, and documentation, in that root.



Figure 3: entering the dfs root name

You will now have to select the location of a folder in which all the files will be
stored.

Figure 4: selecting the root share

Tip: for added security, when selecting a folder, try to choose one that is located on
a partition other than that of the operating system.

Your DFS root is now configured and visible in the configuration console. Right click
the root target and press Status to check if it is online or not.



A green check mark verifies that everything is working properly and that the node is
online, whereas a red X means that there is a problem.

To add a new link, right click the root for which you want the link to be created, and
select New Link.

In the "New Link" screen, enter a name and path for the link and click OK. Repeat
this for as many links as you need to create.

Figure 5: creating a new link

Links are visible right under the node. Below is a screenshot displaying the three
links I have created for the COMPANY root.



Figure 6: dfs root and three links in the DFS mmc console

Publishing the root in Active Directory

By publishing dfs roots in AD as volume objects, network users will be able to
search for shares more easily and administration can be delegated.

To do this right click the desired dfs root, select Properties and go to the Publish tab.
Enter the appropriate details in each box and press OK.
In the keywords section you can specify certain words that will help locate the dfs
root when it is being searched for.



Figure 7: publish tab in the dfs properties window

The dfs root will now be published in Active Directory.

File Replication Services

There are two types of replication:

• Automatic, which is only available for domain DFS.
• Manual, which is available for stand-alone DFS and requires all files to be
replicated manually.

The four ways in which replication can be arranged between two or more
servers are:
• Ring
• Hub and spoke
• Mesh
• Custom

The first three refer to network topologies and the last allows you to specify an
advanced method of replication, which can be tuned to your needs.

The advantages and disadvantages of replication are as follows:

Advantages - client caching, integration with IIS, easy to administer and setup.



Disadvantages - limited configuration options, there is no method of
programmatically initiating a replication session
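The root, link, targets and replication described in this exercise can also be built from a script, which is the quickest way to see how the pieces relate. The following is an added example, not part of this lab manual, using the DFSN and DFSR PowerShell modules of Windows Server 2012 and later (the Windows Server 2003 console in the screenshots has no PowerShell equivalent). It reuses the manual's names domain.com, netserv and "Company"; the second server NETSERV2, the link "Docs", the local paths under D:\ and the use of PowerShell remoting to create the shares are assumptions.

```powershell
# Added example (not from the lab manual): the DFS namespace above built with
# the DFSN and DFSR modules on Windows Server 2012 or later. Run as a domain
# administrator on a server with the DFS management tools installed.

Import-Module DFSN, DFSR

$domain  = 'domain.com'               # from the manual
$servers = 'NETSERV', 'NETSERV2'      # NETSERV2 is assumed

# The root share and the link share must exist on each server first
# (assumes PowerShell remoting to both servers).
foreach ($s in $servers) {
    Invoke-Command -ComputerName $s -ScriptBlock {
        foreach ($share in 'Company', 'Docs') {
            New-Item -Path "D:\$share" -ItemType Directory -Force | Out-Null
            if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
                # Share-level ACL stays broad; the NTFS ACL on D:\$share is what
                # actually limits access, so set it there.
                New-SmbShare -Name $share -Path "D:\$share" -FullAccess 'Authenticated Users' | Out-Null
            }
        }
    }
}

# Domain root: published in Active Directory and allowed to have several root
# targets, unlike a stand-alone root. Access-based enumeration hides links the
# caller has no permission on.
New-DfsnRoot -Path "\\$domain\Company" -TargetPath "\\$($servers[0])\Company" -Type DomainV2 | Out-Null
New-DfsnRootTarget -Path "\\$domain\Company" -TargetPath "\\$($servers[1])\Company" | Out-Null
Set-DfsnRoot -Path "\\$domain\Company" -EnableAccessBasedEnumeration $true | Out-Null

# Link (called a "folder" in the cmdlets) with two targets: clients are referred
# to the closest one using AD site costs.
New-DfsnFolder       -Path "\\$domain\Company\Docs" -TargetPath "\\$($servers[0])\Docs" | Out-Null
New-DfsnFolderTarget -Path "\\$domain\Company\Docs" -TargetPath "\\$($servers[1])\Docs" | Out-Null

# Automatic replication between the two targets. Add-DfsrConnection creates the
# connections in both directions, so two members give a full mesh.
New-DfsReplicationGroup -GroupName 'Company-Docs' | Out-Null
New-DfsReplicatedFolder -GroupName 'Company-Docs' -FolderName 'Docs' | Out-Null
Add-DfsrMember     -GroupName 'Company-Docs' -ComputerName $servers | Out-Null
Add-DfsrConnection -GroupName 'Company-Docs' -SourceComputerName $servers[0] `
                   -DestinationComputerName $servers[1] | Out-Null
# The primary member wins the initial sync; pre-existing files on the other
# member that differ are moved aside, so choose the primary deliberately.
Set-DfsrMembership -GroupName 'Company-Docs' -FolderName 'Docs' -ComputerName $servers[0] `
                   -ContentPath 'D:\Docs' -PrimaryMember $true -Force | Out-Null
Set-DfsrMembership -GroupName 'Company-Docs' -FolderName 'Docs' -ComputerName $servers[1] `
                   -ContentPath 'D:\Docs' -Force | Out-Null

# Verify: root state, link targets and the replication topology.
Get-DfsnRoot -Path "\\$domain\Company" | Format-List Path, Type, State
Get-DfsnFolderTarget -Path "\\$domain\Company\Docs" | Format-Table TargetPath, State
Get-DfsrConnection -GroupName 'Company-Docs' |
    Format-Table SourceComputerName, DestinationComputerName, Enabled
```

The verification at the end is the scripted version of the green check mark and red X in the console: a target whose State is not Online is what users will hit as an inaccessible link.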

Exercise 8: Install and configure Microsoft Certificate Server (MCS).

Solution : INSTALLING THE CERTIFICATE SERVER

The Microsoft Certificate Server (MCS) enables you to install the Certificate Server
service as either its own Root Certificate Authority (Root CA) or as a service that will
use an external (public) Certificate Authority (non-Root CA). These two
configurations require very different configuration processes, and are mutually
exclusive. Your Certificate Server can be either a Root CA or a non-Root CA, but
not both.

Before you install the MCS on your server, you need to evaluate how you are going
to use it. For example, if your use of the MCS is to provide your corporate intranet
users with secure communications, then you would want to install the MCS as a
Root CA, and issue your own self-signed certificates to your servers and users.

However, if you intend to use the MCS on your Internet server to provide your
Internet users with secure communications so they can safely provide confidential
purchasing information (such as credit card numbers), then you would want to install
the MCS as a non-Root CA and obtain a validating certificate from an external CA
such as VeriSign.

Because of the differences between installing the MCS for external (non-Root CA)
and internal (Root-CA) use, we have described each of these uses separately later
in this chapter, following the section on installation.

To install the Microsoft Certificate Server, you must install the Windows NT 4.0
Option Pack using the Custom option, and select the Certificate Server for
installation. You have two distinct options for installing Certificate Server:

• Installing MCS as a stand-alone Certificate Authority by specifying it as the
Root CA (commonly used for intranet implementations)
• Installing MCS to use a public Certificate Authority hierarchy by specifying it
as a non-Root CA (commonly used for Internet servers)

This selection is significant in determining where the certificates supplied by MCS
derive their validation (from your enterprise or from a public agency verifying your
identity). This important option is selected in step 2 in the following list.

Note: Certificate Server cannot be installed on a Windows NT Server that is a
Backup Domain Controller (BDC). The Certificate Server must either be installed on
a Primary Domain Controller (PDC) or a stand-alone Server.

During the installation of the Windows NT 4.0 Option Pack, you are prompted with
several dialog boxes to configure the Certificate Server settings.

The following list walks you through the dialog boxes used in installing Certificate
Server:

1. Following the installation dialog boxes for SMTP, NNTP, and MSMQ (if
selected), the Windows NT 4.0 Option Pack installation process switches to
installing the Certificate Server, and you are prompted with several dialog
boxes to configure Certificate Server settings. The first Certificate Server
installation dialog box is shown in Figure 17-1.
You must set the following options in the Microsoft Certificate Server Setup
dialog box:
• The Configuration Data Storage Location must be set to a local
directory that is shared on the network, so users can access and install
certificates. The local pathname for this shared directory must be
specified in full, including the drive letter (for example, D:\CertFile).
• The Database Location folder defaults to the %systemroot%\system32\
CertLog directory, but it can be modified by clicking Browse and
selecting a different directory.
• The Log Location folder also defaults to the %systemroot%\system32\
CertLog directory, and may be changed by clicking Browse and
selecting a different directory.
• The Show Advanced Configuration checkbox, by default, is not
selected, and the defaults for MCS specify that it will install as a Root
CA. This default is acceptable only if you are going to use the MCS as
a Root CA on your intranet. If you want to employ this installation of
MCS on an Internet server, you will likely want to set up MCS as a
non-Root CA and obtain a server certificate from a public CA source
(such as VeriSign).

Note: This option is very important in the installation of MCS, because you cannot
change from a Root CA to a non-Root CA without reinstalling.

The Show Advanced Configuration checkbox enables you to set up MCS as a non-
Root CA or to modify any other Advanced option. If you want to configure MCS as a
non-Root CA, in its subsequent dialog box select the Non-Root CA option.

Once you have selected the desired directories and enabled the Show Advanced
Configuration option (if needed), click Next to continue.

2. If the Show Advanced Configuration checkbox is checked, the next dialog
box, shown in Figure 17-2, will request you to set MCS as a Root or non-Root
CA, as well as select a Cryptographic Services Provider (CSP) and a hash
algorithm. In this version of Certificate Server, the Microsoft Base
Cryptographic Provider is the only CSP option available, and the MD5
hashing algorithm is selected by default. (MD5 is no longer collision-resistant
and must not be used to sign certificates on any platform that offers SHA-256;
forged CA certificates have been produced from MD5 collisions.)

Note: As indicated by the README.TXT for Service Pack 4, do not use the HMAC
hashing algorithm, or the MCS installation will fail.

This dialog box offers the following options:

• A checkbox enabling you to use existing keys (not selected by default).
This option is useful when restoring Certificate Server or when you
want to use keys generated by other applications. When the Use
Existing Keys option is enabled, the remaining options in the bottom
half of the dialog boxes are disabled.
• A checkbox option to remove existing certificate information, which is
not selected by default. To remove existing certificate data, click the
checkbox next to Erase all previous configuration information.
• This Certificate Server installation will be automatically set as the
default Certificate Server. To allow a different Certificate Server to be
the default, clear the checkbox next to Make this Certificate Server the
default.
• The Certificate Authority Hierarchy is specified in this dialog box, and
by default assigns the selected CSP Root Certificate Authority that
creates a root certificate for the Certificate Authority. When the Root
CA option is selected, the Certificate Server Configuration Wizard
creates a public/private pair of keys and a self-signed root (signature)
and key exchange certificates for your newly created Root CA.
• If Non-Root CA is selected, a Root CA certificate is not generated, and
only a CA certificate request file is created. The non-Root CA must be
selected if you want to use a public CA certificate on this server for
Internet applications.

Note: This non-Root CA certificate request file must be submitted to a CA (such as
VeriSign or MCS) in order to generate a certificate. This externally validated non-
Root CA certificate would be used in a CA hierarchy, though only limited support for
CA hierarchies (for use with Exchange) is included in this version of MCS. Full
support for CA hierarchies is planned for the Windows 2000 version of MCS. This
certificate request file is not a server certificate request file, and does not contain a
Common Name (that is, DNS name) value required for valid server certificates. You
should use Key Manager to create a server certificate request file after you have
completed the installation.

Once you have selected the desired options, click Next to continue.



3. In the next Certificate Server dialog box, shown in Figure 17-3, you are asked
to provide the Certificate Authority name, organization, organizational unit,
locality, state, country, and description for this Certificate Authority. Fill in the
information for your enterprise and click Next to continue.
4. Upon completion of the identifying information, the Configuration Wizard does
one of two things, depending upon the type of CA that was selected.
If a Root CA was selected, the Configuration Wizard creates the root
(signature) and key exchange certificates for your newly created Root CA.
The keys, certificates, and configuration data are handled in the following
manner:
• The keys are stored in the local machine's key repository, and
configuration information is written to the registry.
• The certificates will be stored in the Configuration Data Storage
Location specified in the first Certificate Server installation dialog box.
You will be able to use these certificates for server and client
authentication in support of SSL sessions for your Web sites.
• The newly created CA certificate will be added to the Certificate
Authority Certificate List Web page, which enables clients to install a
CA certificate via their Web browser. This process is discussed in the
"Installing a CA Certificate on the Client" section later in this chapter.
• The Certificate Server configuration file is written to the Configuration
Data Storage Location in a text file called CertSrv.txt.

If the Non-Root CA option is chosen, only a certificate request file is
generated. The request file must be submitted to an external CA (such as
VeriSign) in order to receive a root certificate. This process is discussed in
the "Obtaining a Server Certificate from a Public CA" section later in this
chapter.

The Certificate Server files are installed in the %systemroot%\system32 directory on
the server. The Certificate Server enrollment and Web-based management tools are
written to the %systemroot%\system32\CertSrv directory and the CertEnroll,
CertControl, CertAdm, and CertQue subdirectories. The Certificate Authority
certificates are written to the share specified in the Configuration Data Storage
Location field of the first Certificate Server installation dialog box.

After you install the Certificate Server configuration settings, the Windows NT 4.0
Option Pack installation will continue.

USING MCS AS THE ROOT CA


In order to make SSL work on your NT Server with MCS as the Root CA, the
following requirements must be met:

• You must install Certificate Server and select the Root CA option, which will
install the self-signed Root CA certificate on your server.
• You must then use Key Manager to create a key pair for the server, submit
the key pair to Certificate Server to be automatically processed and installed,
and then commit the changes in Key Manager. This is described in detail in
the following section, "Creating the Key Pair and Server Certificate."
• Then, you must load IIS 4.0, go to the Web site Properties, select the
Directory Security property sheet, bring up the Secure Communications
dialog box, and click the Require Secure Channel checkbox.

Once the prerequisites are met, you will be able to use your browser to connect to
the site. The site now requires an SSL connection (the URL must be prefaced with
HTTPS://). You may receive a message telling you that the certificate issuer is
unknown. If you click Yes when you receive this message, you will be connected to
the site anyway, but the browser has then accepted a certificate it could not verify,
which is exactly what an attacker presenting a forged certificate relies on. Rather
than training users to click through the warning, have them install the CA certificate
in their browser's trusted root store, obtained over a channel they already trust (the
Configuration Data Storage Location share or the CA's certificate list Web page).

In order to use certificates in support of SSL sessions, you must first create the
encryption key pair. A key pair consists of a public key and a private key, which are
used to negotiate a secured SSL connection between the Web server and client
browser. The Key Manager is used to create the pair of keys that are required to
create a server certificate.

Using the MCS as a Root CA, you can create the key pair and automatically submit
the certificate request to the MCS, which generates the server certificate containing
the server’s public key. You then bind the server certificate to the IP address and
SSL port of your Web site, which enables users to create SSL connections to the
site.
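The Root CA scenario described above (a self-signed CA certificate, a server key pair and certificate issued by it, the CA certificate installed on clients, and the server certificate bound to the SSL port) can be reproduced on a current Windows system without the NT 4.0 Certificate Server or Key Manager. The following is an added example, not part of this lab manual, using the PKI module of Windows 10 / Windows Server 2016 and later together with netsh. The CA name "Company Root CA", the site name www.domain.com, the D:\CertFile share path and the application GUID are assumed values; run it from an elevated prompt.

```powershell
# Added example (not from the lab manual): the Root CA scenario above done with
# the PKI module (Windows 10 / Server 2016 or later). Run elevated.

$caName   = 'Company Root CA'   # assumed
$siteName = 'www.domain.com'    # assumed
$shareDir = 'D:\CertFile'       # the manual's example Configuration Data Storage Location
New-Item -ItemType Directory -Path $shareDir -Force | Out-Null

# 1. Self-signed root certificate: the equivalent of choosing "Root CA".
#    SHA-256 instead of the MD5 the 1990s setup defaulted to. The private key
#    is marked non-exportable; a production root key belongs in an HSM or on
#    an offline machine, never on the Web server.
$root = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=$caName, O=Company, C=IN" `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Server key pair plus a certificate issued by the root: what Key Manager
#    did when it submitted the request to Certificate Server. The DNS name is
#    what the browser matches against the URL, so it must be the site's name.
$server = New-SelfSignedCertificate `
    -Type SSLServerAuthentication `
    -Subject "CN=$siteName" -DnsName $siteName `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -NotAfter (Get-Date).AddYears(1) `
    -Signer $root `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Publish the root (public part only) to the share, and install it in the
#    Trusted Root store of each client, so the "issuer unknown" prompt never
#    appears and users are not trained to click through it.
$rootFile = Join-Path $shareDir 'CompanyRootCA.cer'
Export-Certificate -Cert $root -FilePath $rootFile | Out-Null
Import-Certificate -FilePath $rootFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Build the chain the way a client would. Revocation checking is disabled
#    only because this toy root publishes no CRL; a real CA must publish one.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($server)) {
    Write-Host 'Chain OK:'
    $chain.ChainElements | ForEach-Object { "  $($_.Certificate.Subject)" }
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}

# 5. Bind the server certificate to the HTTPS port (HTTP.sys, used by IIS).
#    The appid is any GUID that identifies the owning application.
$appId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'   # assumed
netsh http add sslcert ipport=0.0.0.0:443 certhash=$($server.Thumbprint) "appid=$appId"
```

The non-Root CA case differs only in step 1: instead of a self-signed certificate you generate a key pair and a certificate signing request, send the request to the external CA, and import the certificate it returns; the server certificate in step 2 is then signed by that subordinate CA and clients already trust the public root above it.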

Exercise 9 : Install the Network Monitor Driver and show how to capture data with
network monitor.

Solution : To install the Network Monitor driver


1. Open Network Connections.
2. In Network Connections, click Local Area Connection, click the File menu,
and then click Properties.
3. In the Local Area Connection Properties dialog box, click Install.
4. In the Select Network Component Type dialog box, click Protocol, and then
click Add.
5. In the Select Network Protocol dialog box, click Network Monitor Driver, and
then click OK.
6. If you are prompted for additional files, insert the installation CD for your
operating system, or type a path to the location of the files on the network.

Notes

• To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. If
the computer is joined to a domain, members of the Domain Admins group might
be able to perform this procedure.
• To open Network Connections, click Start, click Control Panel, and then double-
click Network Connections.
• Network Monitor Driver does not appear in the Select Network Protocol dialog
box if the Network Monitor driver is already installed.

To capture network frames


1. Open Network Monitor.
2. If prompted, select the local network from which you want to capture data by
default.
3. On the Capture menu, click Buffer Settings, and then set the buffer and frame
size as appropriate.
4. On the Capture menu, click Start.

To save captured frames to a file


1. Open Network Monitor.
2. If prompted, select the local network from which you want to capture data by
default.
3. On the Capture menu, click Buffer Settings, and then set the buffer and frame
size as appropriate.
4. On the Capture menu, click Start.
5. To halt the data capture temporarily, on the Capture menu, click Pause.
6. To stop and view the data capture, on the Capture menu, click Stop and View.
7. On the File menu, click Save As.
8. Open the folder in which you want to store the file.
9. In the File Name box, specify a file name.
10. If necessary, do one of the following:

• To save a range of frames, in the From box, type the beginning frame
number, and in the To box, type the ending frame number.
• To save only the frames that appear when the current display filter is in
use, select the Filtered check box.
11. Click Save.

To set a capture trigger


1. Open Network Monitor.
2. If prompted, select the local network from which you want to capture data by
default.
3. On the Capture menu, click Trigger.
4. Do one of the following to specify trigger criteria:

• To initiate a trigger action when a specific ASCII or hexadecimal string
appears in a frame, click Pattern match. In the Pattern box, type the
string you want Network Monitor to detect, and then specify whether the
pattern is in hexadecimal or ASCII. If you want, specify where Network
Monitor should search for the pattern.
• To initiate a trigger action when a specific percentage of the capture buffer
is full, click Buffer space, and then specify the percentage needed.
• To initiate a trigger action when Network Monitor detects a specific pattern
in a frame after a specific percentage of the capture buffer becomes full,
click Buffer space then pattern match, and specify the percentage and
pattern needed.
• To initiate a trigger action when a specific percentage of the capture buffer
becomes full after Network Monitor detects a specific pattern in a frame,
click Pattern match then buffer space, and specify the pattern and
percentage needed.
• To clear any capture triggers that have been set, click Nothing.
5. Do one of the following to specify a trigger action:

• To have the computer beep, click Audible Signal Only.


• To stop the capture, click Stop Capture.
• To run a command or a program, click Execute Command Line and
specify the command or program that runs when the conditions for the
trigger are met. To specify a program, type the path and the name of the
program file, or click Browse and navigate to the program file. To use an
MS-DOS command, such as copy, type CMD /K, and then type the
command.

To capture data in dedicated capture mode


1. Open Network Monitor.
2. If prompted, select the local network from which you want to capture data by
default.
3. On the Capture menu, click Dedicated Capture Mode.
4. On the Capture menu, click Start.
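The capture, buffer-size, filter and save-to-file steps above have a command-line counterpart that needs no Network Monitor installation. The following is an added example, not part of this lab manual, using the built-in netsh trace packet capture of Windows 7 / Windows Server 2008 R2 and later, driven from PowerShell. The host address 10.227.1.81 is the one shown in Session 1 of this manual; the output path, file size and capture duration are assumptions. Run it from an elevated prompt.

```powershell
# Added example (not from the lab manual): the Network Monitor capture steps
# above with the built-in "netsh trace" packet capture. Run elevated.

$traceFile = 'C:\Capture\lan.etl'   # assumed output path
New-Item -ItemType Directory -Path (Split-Path $traceFile) -Force | Out-Null

# "Buffer Settings" equivalent: a 64 MB file written in circular mode, so a
# capture left running overwrites its oldest frames instead of filling the
# disk. The capture filter keeps only frames to or from the lab host, which
# is the same idea as a display filter applied before saving.
netsh trace start capture=yes `
    tracefile=$traceFile maxsize=64 filemode=circular overwrite=yes `
    IPv4.Address=10.227.1.81

# Reproduce the behaviour you want to look at while the capture runs.
Start-Sleep -Seconds 30

# "Stop and View" equivalent: stop the capture and finish writing the file.
netsh trace stop

# Saved capture: size on disk and where it is.
Get-Item $traceFile | Format-List FullName, Length, LastWriteTime

# The .etl file opens in Network Monitor 3.4 or Message Analyzer. For
# Wireshark, convert it with Microsoft's etl2pcapng tool (assumed installed):
#   etl2pcapng.exe C:\Capture\lan.etl C:\Capture\lan.pcapng
```

A capture file holds every cleartext credential, cookie and document that crossed the wire, so treat it like the data it contains: store it on an access-controlled path and delete it when the investigation is over.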

Exercise 10: Implement different kind of servers like File Server, Print Server,
and Application Server. Learn different routine administration tasks for each
kind of server.

Solution : File Server Overview

The File Server feature for Microsoft® Windows® CE .NET enables clients to
access files and other resources over the network. The File Server feature uses
the Common Internet File System (CIFS), which is an extension of the Server
Message Block (SMB) file sharing protocol. CIFS enables a network-enabled
application to access and manipulate files and directories on a remote server in
the same way that the application accesses and manipulates files and
directories on the local system.

Session 7: Windows 2000: Advanced Networking

Exercise 1: Implement different Groups in a Workgroup and in a Domain also.


A Windows based computer network can be a workgroup (peer to peer) or a
domain (client/server). You can make your computer part of a workgroup or a
domain. If you have a centralized server, your computer will be part of the domain;
if you have no server, all computers use peer to peer networking. In both cases,
when joining your computer to a domain or a workgroup, always assign unique,
sequenced, memorable and meaningful names to the computers. Do not use
duplicate names or special characters such as / \ * , : . In order to join a computer
to a domain or workgroup in Windows 2000 and Windows XP Professional, do the
following.
1) Right click on My Computer
2) Click Properties
3) Click on the Computer Name tab, and then click Change
4) In Workgroup or Domain, enter the name of the workgroup or domain.
If everything is correct, such as a unique computer name, a unique IP address and
the correct workgroup or domain name, your computer will become part of the
workgroup or domain in a few seconds; you will see a welcome to the domain or
workgroup message and will be prompted to restart the computer.

Exercise 2: Show how you can enhance the feature and strength of file and
print servers with Active Directory.
On a network, file and printer sharing is a must. To enable file and folder
sharing in Windows XP Professional and Windows 2000, do the following.
1) Right click on the folder you want to share.
2) Click on Properties.
3) Click Sharing.
4) Click on Share this folder on the network.
5) Assign a share name.



You can set the sharing rights for the users and also control the shared folder
access by allowing and denying permissions to specific users or groups. Share
permissions apply only to access over the network; the NTFS permissions on the
folder apply as well, and a user's effective access is the more restrictive of the two.
If you want to share individual files, put them in the same shared folder: all the
files and folders in the parent shared folder are automatically shared.
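Exercise 1 (groups in a workgroup and in a domain, and joining a domain) and Exercise 2 (sharing a folder and controlling who can reach it) come together in one script, because the point of domain groups is that the share's permissions refer to them. The following is an added example, not part of this lab manual, for Windows 10 / Windows Server 2016 and later: the local-group part runs on a workgroup machine, the Active Directory part on a domain-joined server with the RSAT ActiveDirectory module. The domain domain.com, the user alice, the OU path, the folder D:\Docs, the share name Docs and the group names are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the lab manual): groups in a workgroup and in a
# domain, a domain join, and a least-privilege file share. Run elevated.

# --- Exercise 1: groups in a workgroup ----------------------------------
# A workgroup has no central directory, so a group is local to one machine
# and must be recreated on every computer that shares anything.
if (-not (Get-LocalGroup -Name 'Docs-Editors' -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name 'Docs-Editors' -Description 'Can modify the Docs share' | Out-Null
}
Add-LocalGroupMember -Group 'Docs-Editors' -Member 'alice' -ErrorAction SilentlyContinue   # assumed user

# --- Exercise 1: joining a domain -----------------------------------------
# Scripted form of System Properties > Computer Name > Change. Commented out
# because it reboots the machine; run it once on the client being joined.
# Add-Computer -DomainName 'domain.com' -Credential (Get-Credential 'DOMAIN\Administrator') -Restart

# --- Exercise 1: groups in a domain ---------------------------------------
# One definition in Active Directory applies everywhere. Users go into a
# global group, the resource ACL refers to a domain local group, and the
# global group is nested in the domain local one (the AGDLP pattern).
Import-Module ActiveDirectory
$ou = 'OU=Groups,DC=domain,DC=com'   # assumed OU
foreach ($g in @{ 'Docs-Editors-G' = 'Global'; 'Docs-Editors-DL' = 'DomainLocal' }.GetEnumerator()) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Key)'")) {
        New-ADGroup -Name $g.Key -GroupScope $g.Value -GroupCategory Security -Path $ou
    }
}
Add-ADGroupMember -Identity 'Docs-Editors-G'  -Members 'alice'
Add-ADGroupMember -Identity 'Docs-Editors-DL' -Members 'Docs-Editors-G'

# --- Exercise 2: the share -------------------------------------------------
$path = 'D:\Docs'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS permissions: drop inherited entries and grant only what each principal
# needs. (OI)(CI) = applies to files and subfolders; F = full, M = modify,
# RX = read and execute.
icacls $path /inheritance:r `
    /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' `
             'DOMAIN\Docs-Editors-DL:(OI)(CI)M' 'DOMAIN\Domain Users:(OI)(CI)RX' | Out-Null

# Share permissions: Authenticated Users get Change at the share level and the
# NTFS ACL narrows that per group (effective access = the more restrictive).
# Access-based enumeration hides what the caller cannot open; EncryptData
# refuses unencrypted SMB sessions to this share.
if (-not (Get-SmbShare -Name 'Docs' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Docs' -Path $path -ChangeAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased -EncryptData $true | Out-Null
}

# Check both layers.
Get-SmbShareAccess -Name 'Docs' | Format-Table AccountName, AccessControlType, AccessRight
icacls $path
```

Granting Everyone Full Control at the share level and relying on NTFS alone is a common shortcut; it works, but the share ACL is the only layer that also applies to anonymous or guest access, so keep it to Authenticated Users at most.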

Exercise 3: Install the routing and remote access services for IP Routing.
Installing Routing and Remote Access Service
During Routing and Remote Access Service Setup, you can install the Routing and
Remote Access Service files on the same computer on which you downloaded the
files, or you can download the files and then install Routing and Remote Access
Service on another computer.
To set up Routing and Remote Access Service by downloading from the Web, see
"Downloading and Installing Routing and Remote Access Service from the Web."
To set up Routing and Remote Access Service on another computer, see "Installing
Routing and Remote Access Service by Using a Network Connection to the Setup
Files."
Downloading and Installing Routing and Remote Access Service from the
Web
To download and install Routing and Remote Access Service from the Web, you
need to follow the steps outlined in the following sections:
 Download the Routing and Remote Access Service files
 Install Routing and Remote Access Service options
 Finish installation if you install a RAS Server
Download the Routing and Remote Access Service Files
1) In your Web browser, go to Routing and Remote Access Service Update for
Windows NT Server 4.0.
2) Follow the instructions on the screen to download the Routing and Remote
Access Service installation files to your computer.
Specify the path and directory where you want to put the Routing and Remote
Access Service installation files. These files are kept on your computer for
future configuration or installations.
After copying the files to a directory on your computer, you can then continue Setup
and install Routing and Remote Access Service, or you can exit Setup to install
Routing and Remote Access Service at a later time or on another computer.

Install Routing and Remote Access Service Options

During Routing and Remote Access Service Setup the dialog box shown in Figure
2.1 appears automatically.

Figure 2.1 Setting Routing and Remote Access Service options
You can use this dialog box to install any or all of the options described in Table 2.3.
If you do not install an option, such as Remote access service, and you later want this
functionality, you must run mprsetup again to install it. For information on how to
use this command, see the procedure "Run Setup" in the section "Installing Routing
and Remote Access Service by Using a Network Connection to the Setup Files"
later in this chapter.

Table 2.3 Routing and Remote Access Service Installation Options

Option                 Effect if selected
Remote access service  Installs support for client dial-up networking.
LAN routing            Installs support for LAN-to-LAN routing (including WAN cards
                       that support LAN emulation).
Demand-dial routing    Installs support for routing over WANs and dial-up media, such
                       as ISDN and PPTP.

Finish Installation If you Install a RAS Server


If you install Remote Access Service (RAS), you must configure additional Setup
dialog boxes. Additionally, you can choose to use Remote Authentication Dial-In
User Service (RADIUS) authentication instead of Windows NT authentication to
authenticate remote clients.



1) In the Add RAS Device dialog box, select the remote access devices, such
as modems or PPTP VPNs, that you want to use for demand-dial routing and
RAS, and click OK.
2) In the Routing and Remote Access Setup dialog box, click Network.
3) In the Network Configuration dialog box, select the network protocols (IP or
IPX) you want to use for your router.
4) If you want to use RADIUS authentication, in the Authentication provider
box, click the RADIUS option and click Configure.
You can then select and configure RADIUS servers to use as your provider.
5) In the Routing and Remote Access Setup dialog box, click Continue.
After you have finished installing Routing and Remote Access Service, the Routing
and RAS Admin tool is installed in your Start/Programs/Administrative Tools
(Common) folder. Any network adapters that you have installed automatically
appear as interfaces in Routing and RAS Admin. If you plan to use routing
protocols, you must add the protocols and then add interfaces to them before you
can begin to use the Windows NT router. For more information on how to add these,
see Chapter 3, "Administering Routing and Remote Access Service."
Installing Routing and Remote Access Service by Using a Network
Connection to the Setup Files
You can download the files as described in "Downloading and Installing Routing and
Remote Access Service from the Web," and then install Routing and Remote
Access Service on another computer.
Although you can download the Routing and Remote Access Service files to any
client or workstation computer, Routing and Remote Access Service can be
installed only on a computer running Windows NT Server.
To install Routing and Remote Access Service on another computer, you need to
follow the steps outlined in the following sections:
 Copy Setup files
 Run Setup
Copy Setup Files
Copy the file mprsetup.exe from the directory where you stored the installation files
to Systemroot\System32 on your computer running Windows NT Server.
Run Setup
1) On the computer running Windows NT Server, open a Command Prompt
window.
2) Run mprsetup and type the path to the installation files.
For example, type:
mprsetup \\Computername\Share

Exercise 4: Install the RIP and OSPF protocols.


Configuring RIP interface properties
Next, you need to configure RIP’s properties. If you’ve just specified an interface for
RIP, Windows 2000 automatically pops up the property sheet for the interface.
Otherwise, select the RIP branch and then right-click the interface and choose
Properties. The General page lets you configure several properties, as shown in
Figure A.



The Operation Mode property specifies the way in which RIP updates routes. The
Auto-Static Update Mode option configures RIP to send out route announcements
only when adjacent routers request an update. Routes learned through Auto-Static
Mode are treated as static routes and are not removed from the routing table even if
the router is rebooted, although you can manually remove the routes. Auto-Static
Update Mode is the default mode used for demand-dial interfaces.

The second option for operation mode is Periodic Update Mode. When you enable
this option, RIP automatically generates RIP announcements at a predefined
interval (configured through the Periodic Announcement Interval on the Advanced
property page). Any routes added using this mode are handled as RIP routes and
are flushed when the router is rebooted. They must be added again through RIP
advertisements. Periodic Update Mode is the default mode for LAN interfaces.



The Outgoing Packet Protocol property specifies the protocol that RIP uses for
outgoing RIP announcements. If all adjacent routers support RIP v2, select RIP
Version 2 Multicast. In a mixed environment where RIP v1 and RIP v2 routers are
present, select RIP Version 2 Broadcast. You can’t use the multicast option in this
scenario because RIP v1 doesn’t support multicast announcements. If none of the
adjacent routers supports RIP v2, select RIP Version 1 Broadcast. The final option,
Silent RIP, prevents the router from generating RIP announcements and causes it to
operate in Listen-Only Mode. In this mode, the router listens for RIP announcements
from other routers and updates its routing table based on those RIP
announcements, but it doesn’t broadcast its own announcements.

The Incoming Packet Protocol property specifies the protocol the router uses for
incoming packets. Select an option based on the capabilities of the adjacent routers.
Or select Ignore Incoming Packets if you want the router to ignore RIP
announcements from adjacent routers. This option places the router in Announce-
Only Mode.

Use the Added Cost For Routes property to modify the cost for the route. You would
increase this number to increase the cost of the route and direct traffic through
other, less costly routes when possible. Keep in mind that RIP is limited to a
maximum of 15 hops, and routes with an effective cost of more than 15 are
considered unreachable.

The Tag For Announced Routes property lets you assign a tag number to be
included with all RIP announcements. Inclusion of a tag number is applicable only to
RIP v2. The tag is used to mark specific routes for administrative purposes and is
generally not required.

Advanced options
The Advanced property page for a RIP interface, shown in Figure B, offers several
options. I'll look at each of these options.

 Periodic Announcement Interval: This value specifies the frequency of RIP
announcements from the local router. This value is used in conjunction with
Periodic Update Mode, which you set through the General property page for the
RIP interface. You can specify a value in seconds between 15 seconds and
24 hours.



 Time Before Routes Expire: This setting specifies the time-to-live (TTL) for
routes that are learned from other routers through RIP. Routes that do not
update before they exceed the specified TTL are marked as invalid. As with
the announcement interval, this setting is applicable only with Periodic
Update Mode.
 Time Before Route Is Removed: Use this setting to specify the amount of
time a route will remain in the routing table before it expires and is removed.
Valid values are between 15 seconds and 72 hours. This setting is applicable
only with Periodic Update Mode.
 Enable Split-Horizon Processing: This option, when enabled, prevents
routes learned on a given network from being announced on that same
network. Deselecting the option allows those routes to be announced.

 Enable Poison-Reverse Processing: Use this option to assign a metric of
16 to those routes learned on a given network that are announced on the
same network. Assigning a metric higher than 15 marks the routes as
unreachable.
 Enable Triggered Updates: Use this option to allow the router to generate
triggered updates, as discussed earlier.
 Send Clean-Up Updates When Stopping: Selecting this option causes the
local router to broadcast RIP announcements for all routes with a metric of 15
to indicate to adjacent routers that the routes are unreachable. When the
router comes back up, it generates additional announcements that
reannounce the routes with their default metrics, making them available
again.
 Process Host Routes In Received Announcements: Use this option to
include host routes received in incoming RIP announcements. By default,
host routes are ignored.
 Include Host Routes In Sent Announcements: Use this option to include
host routes in outgoing RIP announcements. By default, host routes are not
included.
 Process Default Routes In Received Announcements: Use this option to
include default routes learned through incoming RIP announcements. By
default, the default routes are ignored. Enabling this option could result in the
router being disabled if the default routes learned through RIP are not
applicable to the local router. So, use this option with discretion and only if the
default routes apply to all routers on the interface.
 Include Default Routes In Sent Announcements: Use this option to include
default routes in outgoing RIP announcements. See the previous item for an
explanation of why this can cause problems.
 Disable Subnet Summarization: Use this option to prevent subnet routes
from being summarized by class-based network ID for outgoing RIP
announcements generated to networks that are not part of the same class-
based network. Subnet summarization can improve routing performance by,
in effect, sorting the routes. Subnet summarization requires that all adjacent
routers support either RIP v2 Broadcast or RIP v2 Multicast. The option is
disabled by default.
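The General and Advanced options above (Operation Mode, Added Cost For Routes, the 15-hop limit, split horizon, poison reverse, the host-route and default-route switches, and the expiry and removal timers) all change how a router builds its routing table from incoming announcements and what it announces back. The following Python model is an added example, not Windows 2000 code and not part of this manual; it implements those behaviours on a constructed two-interface router so that the effect of each option can be seen in the resulting table and outgoing announcements. The interface names, neighbour addresses and networks are constructed sample values, and the model assumes poison reverse takes precedence when both it and split horizon are enabled.

```python
"""Model of the RIP interface options described above (constructed example)."""
from dataclasses import dataclass

INFINITY = 16            # RIP metric meaning "unreachable"; 15 is the last usable hop count
DEFAULT_ROUTE = "0.0.0.0/0"


@dataclass
class Route:
    network: str
    next_hop: str        # "" for a directly connected network
    metric: int
    learned_on: str      # interface the announcement arrived on ("" if connected)
    age: int = 0         # seconds since the route was last refreshed


@dataclass
class RipInterface:
    name: str
    added_cost: int = 1                    # "Added Cost For Routes" (1 = plain hop count)
    split_horizon: bool = True             # "Enable Split-Horizon Processing"
    poison_reverse: bool = False           # "Enable Poison-Reverse Processing"
    process_host_routes: bool = False      # host routes (/32) are ignored by default
    process_default_routes: bool = False   # default routes are ignored by default
    expire_after: int = 180                # "Time Before Routes Expire" (seconds)
    remove_after: int = 120                # "Time Before Route Is Removed" (seconds after expiry)


class RipRouter:
    def __init__(self):
        self.table = {}  # network -> Route, in insertion order

    def add_connected(self, network):
        """A directly attached network: metric 1, no next hop, never ages out."""
        self.table[network] = Route(network, "", 1, "")

    def receive(self, iface, neighbor, announcements):
        """Apply one incoming announcement: a list of (network, metric) pairs from neighbor."""
        for network, metric in announcements:
            if network == DEFAULT_ROUTE and not iface.process_default_routes:
                continue
            if network.endswith("/32") and not iface.process_host_routes:
                continue
            new_metric = min(metric + iface.added_cost, INFINITY)
            current = self.table.get(network)
            if new_metric >= INFINITY:
                # Unreachable via this neighbour; only matters if it is our current next hop.
                if current is not None and current.next_hop == neighbor:
                    current.metric = INFINITY
                continue
            if current is None or new_metric < current.metric or current.next_hop == neighbor:
                self.table[network] = Route(network, neighbor, new_metric, iface.name)

    def announce(self, iface):
        """Outgoing announcement for one interface, honouring split horizon / poison reverse."""
        out = []
        for r in self.table.values():
            if r.learned_on == iface.name:
                if iface.poison_reverse:
                    out.append((r.network, INFINITY))   # advertise back as unreachable
                elif iface.split_horizon:
                    continue                            # do not advertise back at all
                else:
                    out.append((r.network, r.metric))
            else:
                out.append((r.network, r.metric))
        return out

    def age_routes(self, iface, seconds):
        """Advance timers for routes learned on iface: first expire (metric 16), then remove."""
        for network in list(self.table):
            r = self.table[network]
            if r.learned_on != iface.name:
                continue
            r.age += seconds
            if r.age >= iface.expire_after + iface.remove_after:
                del self.table[network]
            elif r.age >= iface.expire_after:
                r.metric = INFINITY


def demo():
    """Constructed scenario: a LAN interface with split horizon and a WAN interface with poison reverse."""
    router = RipRouter()
    lan = RipInterface("lan")
    wan = RipInterface("wan", poison_reverse=True)
    router.add_connected("10.0.1.0/24")
    router.receive(lan, "10.0.1.2", [
        ("192.168.5.0/24", 3),   # installed with metric 3 + 1 = 4
        ("172.16.0.0/16", 15),   # 15 + 1 = 16 -> unreachable, never installed
        (DEFAULT_ROUTE, 1),      # ignored: Process Default Routes is off
        ("10.9.9.9/32", 2),      # ignored: Process Host Routes is off
    ])
    router.receive(wan, "10.0.2.2", [("10.50.0.0/16", 2)])   # installed with metric 3
    return router, lan, wan


if __name__ == "__main__":
    router, lan, wan = demo()
    print("LAN announcement:", router.announce(lan))
    print("WAN announcement:", router.announce(wan))
```

After `demo()` the table holds only the connected network and the two reachable learned routes; the LAN announcement omits 192.168.5.0/24 (split horizon), the WAN announcement carries 10.50.0.0/16 with metric 16 (poison reverse), and calling `age_routes` on the LAN interface past 180 seconds invalidates 192.168.5.0/24 and past 300 seconds drops it.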

Exercise 5: Configure web-based printer.


How to Connect to a Printer Using a Web Browser
To connect to a printer using a Web browser, follow these steps:
1) Start Internet Explorer.
2) In the Address box, type the address of the printer:
o If you do not know the name of the printer to which you want to
connect, type the following address, where print_server is the name of
the print server:
http://print_server/printers/
For example, to view a list of all of the printers that are located on a
print server that is named "MyPrintServer," type the following address:
http://myprintserver/printers/
A list of all of the printers on the print server is displayed in your
browser window. In the list of available printers, click the name of the
printer to which you want to connect.
o If you know the name of the printer to which you want to connect, type the
address of the printer using the following format, where print_server is the
name of the print server and printer is the name of the printer:
http://print_server/printer/
For example, if you want to go directly to the page of a printer that is
named "Laser" that is shared from a server that is named
"MyPrintServer," type the following address:
http://MyPrintServer/Laser/
3) To connect to the printer, click Connect under Printer Actions.
When you connect to the printer, the print server downloads the appropriate printer
driver to your computer. After the installation is complete, the printer's icon is added
to the Printers folder on your computer. You can use, monitor, and administer the
printer as if it were attached to your computer.
1) Open Printers.
2) Double-click Add Printer to start the Add Printer wizard, and then click Next.
3) Click Network printer, and then click Next.
4) Connect to the desired printer by:
o Searching for it in the Active Directory.
o Typing its name using the following format, or clicking Next to locate
the printer on the network:
o Typing its URL using the following format:
5) Follow the instructions on the screen to finish connecting to the network
printer.
Exercise 6: Install and configure Terminal Services.

To Install Terminal Services


1) Insert the Windows 2000 Server CD-ROM into the CD-ROM or DVD-ROM
drive.
2) If a dialog box appears automatically after you insert the CD-ROM, click
Install Add-on Components. If no dialog box appears, click Start, point to
Settings, and then click Control Panel. Double-click Add/Remove
Programs, and then click Add/Remove Windows Components.
3) In the list of components, click to select the Terminal Services check box.
4) Click to clear the Terminal Services Licensing check box if it is selected.
You do not need this service for Remote Administration mode. Click Next.
5) Click Remote Administration Mode, and then click Next.
6) The Terminal Services Wizard runs and installs Terminal Services. Close the
wizard when it is finished, and then reboot your computer if you are prompted
to do so.
Connecting to Terminal Services
To connect to Terminal Services running on a server, you must use a Terminal
Services client. The client is available on the server on which you installed Terminal
Services, in the following folder:
%SystemRoot%\System32\Clients\Tsclient\Net\Win32
Create a share on your server so that you can easily install the client on any
computer.

To Create a Share on Your Server


1) Use Windows Explorer to locate the
%SystemRoot%\System32\Clients\Tsclient\Net\Win32 folder. Note that
%SystemRoot% may be the C:\Winnt folder.
2) Right-click the Win32 folder, and then click Sharing.



3) On the Sharing tab, click Share this folder.
4) Change the share name to TSClient.
5) Click Permissions.
6) Click to clear the Full control and Change check boxes. Only the Read
permission should be selected.
7) Click OK, and then click OK.
To Install the Terminal Services Client
1) Connect to the \\Servername\TSClient share that you created earlier.
2) Double-click Setup.exe.
3) Click Continue in the dialog box that appears, and then type your name and
organization in the next dialog box.
4) Click I agree (if you agree) when you see the license agreement.
5) Click the large button in the next dialog box. You can change the installation
path first, if you want to.
6) Click Yes when you are prompted whether you want all users to have the
same initial settings.
Using the Terminal Services Client
Before you can manage your Terminal Services servers remotely, you must create a
connection to these servers. This procedure uses the Client Connection Manager
tool to create icons for all of the Terminal Services servers you want to manage.
To Create a Connection to the Terminal Services Server
1) Click Start, point to Programs, point to Terminal Services Client, and then
click Client Connection Manager.
2) When the Client Connection Manager Wizard starts, click Next.
3) In the Connection name box, type a descriptive name for the connection.
4) In the Server name or IP address box, type the server's name or IP address,
or click Browse to search for the server. When you are done, click Next.
5) Leave all automatic logon information blank. Using automatic logon
information might present a security problem if a non-administrator has
access to the computer from which you run the client. Click Next.
6) Click a screen resolution that is appropriate for you. It is best to use the
largest area you can select (the client does not let you select an area that is
larger than your local screen can display). Do not select Full screen at this
time; you can toggle between windowed and full screen modes later. Leaving
the initial connection in a window helps reinforce the fact that you are working
on a remote computer rather than your local workstation. Click Next.
7) Leave the Enable data compression and Cache bitmaps check boxes
clear. They are useful only if you are working over a slow dial-up link. Click
Next.
8) Leave the Start the following program check box clear. You want the client
to display the server's desktop. Click Next. Change the icons if you want to.
Click Next. Click Finish to complete the wizard.
This process creates an icon for your server. Double-clicking the icon connects you
to the server. You can also right-click the icon to change the connection properties if
you need to.

To Connect to the Server Using Terminal Services


1) Double-click the server icon in Client Connection Manager.
2) The Terminal Services client window appears and displays the server's logon
dialog box. You might need to double-click the window's title bar to see it all.
3) Type an appropriate set of credentials to log on to the server. Typically, you
will log on as some kind of administrator (local, domain, or enterprise).
4) If you use correct credentials, you see the server's desktop.

Exercise 7: Create a Remote Access Policy. Show how you can change the
Remote Access Logging setting.

To create a remote access server, follow these steps:


1) Click Start, point to Settings, and then click Network And Dial-up
Connections.
2) Click Make New Connection to start the Network Connection Wizard, and
then click Next.
3) Click Accept Incoming Connections, and then click Next.
4) Click to select one or more check boxes for connection devices.
5) For each selected device, click Properties, configure the connection, and
then click OK.
6) Click Next.
7) Click either Allow Virtual Private Connections or Do not allow virtual
private connections, and then click Next.
8) Click the type of users that are allowed to connect to the server, and then
click Next.
9) Click to select the network component options you want to enable for
incoming connections, and then click Next.
10) Type the name for the connection in the box, and then click Finish.

Exercise 8: Install the routing and remote access services as VPN server.
Create a VPN Remote Access policy also.

How to Install and Enable VPN


To install and enable a VPN server, follow these steps:
1) On the Microsoft Windows 2000 VPN computer, confirm that both the
connection to the Internet and the connection to your local area network
(LAN) are correctly configured.
2) Click Start, point to Administrative Tools, and then click Routing and
Remote Access.
3) Click the server name in the tree, and click Configure and Enable Routing
and Remote Access on the Action menu, and then click Next.



4) In the Common Configurations dialog box, click Virtual private network
(VPN server), and then click Next.
5) In the Remote Client Protocols dialog box, confirm that TCP/IP is included
in the list, click Yes, all of the available protocols are on this list, and then
click Next.
6) In the Internet Connection dialog box, select the Internet connection that will
connect to the Internet, and then click Next.
7) In the IP Address Assignment dialog box, select Automatically in order to
use the DHCP server on your subnet to assign IP addresses to dialup clients
and to the server.
8) In the Managing Multiple Remote Access Servers dialog box, confirm that
the No, I don't want to set up this server to use RADIUS now checkbox is
selected.
9) Click Next, and then click Finish.
10) Right click the Ports node, and then click Properties.
11) In the Ports Properties dialog box, click the WAN Miniport (PPTP)
device, and then click Configure.
12) In the Configure Device - WAN Miniport (PPTP) dialog box, do one
of the following:
o If you do not want to support direct user dialup VPN to modems
installed on the server, click to clear the Demand-Dial Routing
Connections (Inbound and Outbound) check box.
o If you do want to support direct user dialup VPN to modems installed
on the server, click to select the Demand-Dial Routing Connections
(Inbound and Outbound) check box.
13) Type the maximum number of simultaneous PPTP connections that
you want to allow in the Maximum Ports text box. (This may depend on the
number of available IP addresses.)
14) Repeat steps 11 through 13 for the L2TP device, and then click OK.
How to Configure the VPN Server
To further configure the VPN server as required, follow these steps.
Configuring the Remote Access Server as a Router
For the remote access server to forward traffic properly inside your network, you
must configure it as a router with either static routes or routing protocols, so that all
of the locations in the intranet are reachable from the remote access server.

To configure the server as a router:


1) Click Start, point to Administrative Tools, and then click Routing and
Remote Access.
2) Right-click the server name, and then click Properties.
3) On the General tab, click to select Enable This Computer As A Router.
4) Select either Local area network (LAN) routing only or LAN and demand-
dial routing, and then click OK to close the Properties dialog box.
How to Configure PPTP Ports
Confirm the number of PPTP ports that you need. To verify the number of ports or to
add ports, follow these steps:
1) Click Start, point to Administrative Tools, and then click Routing and
Remote Access.
2) In the console tree, expand Routing and Remote Access, expand the
server name, and then click Ports.
3) Right-click Ports, and then click Properties.
4) In the Ports Properties dialog box, click WAN Miniport (PPTP), and then
click Configure.
5) In the Configure Device dialog box, select the maximum number of ports for
the device, and then select the options to specify whether the device accepts
incoming connections only, or both incoming and outgoing connections.
How to Manage Addresses and Name Servers
The VPN server must have IP addresses available in order to assign them to the
VPN server's virtual interface and to VPN clients during the IP Control Protocol
(IPCP) negotiation phase of the connection process. The IP address assigned to the
VPN client is assigned to the virtual interface of the VPN client.

For Windows 2000-based VPN servers, the IP addresses assigned to VPN clients
are obtained through DHCP by default. You can also configure a static IP address
pool. The VPN server must also be configured with name resolution servers,
typically DNS and WINS server addresses, to assign to the VPN client during IPCP
negotiation.
How to Manage Access
Configure the dial-in properties on user accounts and remote access policies to
manage access for dial-up networking and VPN connections.

Access by User Account


If you are managing remote access on a user basis, click Allow Access on the
Dial-In tab of the user's Properties dialog box for those user accounts that are
allowed to create VPN connections. If the VPN server is allowing only VPN
connections, delete the default remote access policy called "Allow Access If Dial-In
Permission Is Enabled." Then create a new remote access policy with a descriptive
name, such as VPN Access If Allowed By User Account. For more information, see
Windows 2000 Help.

CAUTION: After you delete the default policy, a dial-up client that does not match at
least one of the policy configurations you create will be denied access.

If the VPN server is also allowing dial-up remote access services, do not delete the
default policy, but move it so that it is the last policy to be evaluated.

Access by Group Membership



If you are managing remote access on a group basis, click the Control access
through remote access policy radio button on all user accounts by using the
Active Directory Users and Computers console in Administrative Tools or the MMC
snap-in. Create a Windows 2000 group with members who are allowed to create
VPN connections. If the VPN server allows only VPN connections, delete the default
remote access policy called Allow Access If Dial-In Permission Is Enabled. Next,
create a new remote access policy with a descriptive name such as VPN Access If
Member Of VPN-Allowed Group, and then assign the Windows 2000 group to the
policy.

If the VPN server also allows dial-up networking remote access services, do not
delete the default policy; instead move it so that it is the last policy to be evaluated.
How to Configure a VPN Connection from a Client Computer
To set up a connection to a VPN:
1) On the client computer, confirm that the connection to the Internet is correctly
configured.
2) Click Start, point to Settings, and then click Network And Dial-Up
Connections.
3) Double-click Make New Connection.
4) Click Next, and then click Connect To A Private Network Through The
Internet, and then click Next.
5) Do one of the following:
 If you use a dial-up connection to connect to the Internet, click
Automatically Dial This Initial Connection and then select your dial-
up Internet connection from the list.
 If you use a full-time connection (such as a cable modem), click Do
Not Dial The Initial Connection.
6) Click Next.
7) Type the host name (for example, Microsoft.com) or the IP address (for
example, 123.123.123.123) of the computer to which you want to connect,
and then click Next.
8) Click to select For All Users if you want the connection to be available to
anyone who logs on to the computer, or click to select Only For Myself to
make it available only when you log onto the computer, and then click Next.
9) Type a descriptive name for the connection, and then click Finish.
10) Click Start, point to Settings, and then click Network And Dial-Up
Connections.
11) Double-click the new connection.
12) Click Properties to further configure options for the connection:
 If you are connecting to a domain, click the Options tab, and then click
to select the Include Windows logon domain check box to specify
whether to request Windows 2000 logon domain information before
attempting to connect.
 If you want the connection to be redialed if the line is dropped, click the
Options tab, and then click to select the Redial if line is dropped
check box.
To use the connection:
1) Click Start, point to Settings, and then click Network And Dial-Up
Connections.
2) Double-click the new connection.
3) If you do not currently have a connection to the Internet, Windows offers to
connect to the Internet.
4) Once the connection to the Internet is made, the VPN server prompts you for
your user name and password. Enter your user name and password, click
Connect, and your network resources should be available to you in the same
way they are when you connect directly to the network.
NOTE: To disconnect from the VPN, right-click the connection's icon, and then
click Disconnect.

Exercise 9: Install and configure a Web server.

Installing Internet Information Services


Microsoft Internet Information Services (IIS) is the Web service that is integrated
with Windows 2000. To install IIS:
1) Click Start, point to Settings, and then click Control Panel.
2) In Control Panel, double-click Add/Remove Programs.
3) Click Add/Remove Windows Components.
4) In the Windows Components Wizard, select the Internet Information
Services (IIS) check box, and then click Details.
5) Clear all the check boxes, and then select the following check boxes:
Common Files
Documentation
FrontPage 2000 Server Extensions
Internet Information Services Snap-In
Internet Services Manager
World Wide Web Server
6) Click OK, and then on the Windows Components page, click Next. If you are
prompted to do so, insert the Windows 2000 CD-ROM, and then click OK.
7) On the "Completing the Windows Components Wizard" page, click Finish.
8) In the Add/Remove Programs dialog box, click Close.
Configuring Anonymous Authentication
1) Click Start, point to Programs, point to Administrative Tools, and then click
Internet Services Manager. (In Windows 2000 Professional, you can start
Administrative Tools from Control Panel.)
2) Right-click * server name (where server name is the name of the server),
and then click Properties.
3) In the Master Properties box, click WWW Service (if it is not already
selected), and then click the Edit button that is next to the Master Properties
box.
4) Click the Directory Security tab.
5) Under Anonymous access and authentication control, click Edit.
6) Under Authenticated access, select the Integrated Windows
authentication check box.
7) Select the Anonymous access check box, and then click Edit. Note the user
account in the Username box. This account is used by Windows to
authenticate anonymous users when they browse the Web site.
8) Click OK, click OK, click OK, and then click OK.
Basic Web Site Configuration
1) Start Internet Services Manager.
2) In the Tree list, expand * server name (where server name is the name of
the server).
3) Right-click Default Web Site, and then click Properties.
4) If you have multiple IP addresses assigned to your computer, click the IP
address that you want to assign to this Web site in the IP Address box.
5) If you do not want unlimited connections to the Web site, click Limited To,
and then type the number of concurrent connections that you want.

6) Click the Performance tab.


7) Move the Performance tuning slider to the position that you want.
8) If you want to limit the amount of network bandwidth that is available for
connections to this Web site, select the Enable bandwidth throttling check
box, and then type the amount that you want in the Maximum network use
box.
9) If you want to limit the amount of computer processing time spent servicing
requests for content on this Web site, select the Enable process throttling
check box, and then type the amount that you want in the Maximum CPU
use box.

This prevents the Web site from consuming too much processor time to the
detriment of other computer processes.

10) Click the Home Directory tab.


 If you want to use Web content that is stored on the local computer,
click A directory located on this computer, and then type the path
that you want in the Local Path box. For example, the default path is
C:\Inetpub\wwwroot.
 If you want to use Web content that is stored on a different computer,
click A share located on another computer, and then type the
location that you want in the Network Directory box that appears.
 If you want to use Web content that is stored on another Web address,
click A redirection to a URL, and then type the location that you want
in the Redirect to box. Under The client will be sent to, select the
appropriate check box.
11) Click the Documents tab. Note the list of documents that IIS can use
as the default start documents. If you want to use Index.html as your start
document, you must add it. To do this:
 Click Add.
 In the Add Default Document dialog box, type Index.html, and then
click OK.



 Click the up-arrow button until Index.html is displayed at the top of the
list.
12) Click the Operators tab. Note the user accounts that have operator
privileges on this Web site. Click Add to add additional user accounts to
operate this Web site.
Click OK to return to the Internet Information Services window.
13) Right-click Default Web Site, and then click Stop.
14) Right-click Default Web Site, and then click Start.

Exercise 10: Create two global groups and configure them so that users from both
groups are able to access some common folders.

Groups with Global Scope


Global groups, effectively the same as Windows NT global groups, have the
following features:
 Mode. Global groups exist in both mixed-mode and native-mode domains.
 Membership. Global groups can have members from within their own
domain (only).
 Permissions. Although a global group is limited to domain-wide scope as far
as membership goes, it can be made a member of machine or domain local
groups or granted permissions in any domain (including trusting domains in
other forests and down-level domains with which a trust relationship exists).
That is, groups with global scope can be put into other groups in any trusting
domain.
Using Global Groups
Groups with global scope help you manage directory objects that require daily
maintenance, such as user and computer accounts.
Use global groups to collect users or computers that are in the same domain and
share the same job, organizational role, or function. For example, "Full-time
employees," "Managers," "RAS Servers" are all possible global groups. Because
group members typically need to access the same resources, make these global
groups members of domain local or machine local groups, which, in turn, are listed
on the DACL of needed resources. Membership of these groups can be efficiently
managed by administrators of user domains, because these administrators are
familiar with the functions and roles played by users and computers in their domain.
Groups with Universal Scope
Universal groups, a new feature of the Windows 2000 operating system, have the
following features:
 Mode. Universal groups are available only in native-mode domains.
 Membership. Universal groups can have members from any Windows 2000
domain in the forest. (Universal groups can contain members from mixed-
mode domains in the same forest, but this is not recommended. Members
from such domains cannot have the universal group's SID added to their
access token because universal groups are not available in mixed-mode
domains. Therefore, troubleshooting access problems would be difficult.)
 Permissions. Universal groups can be granted permissions in any domain,
including in domains in other forests with which a trust relationship exists.
Using Universal Groups
A small organization can use universal groups to implement a relatively simple
group structure. If you choose to use groups with universal scope in a multi-domain
environment, these groups can help you represent and consolidate groups that span
domains. For example, you might use universal groups to build groups that perform
a common function across an enterprise.
Although few organizations will choose to implement this level of complexity, you
can add user accounts to groups with global scope, nest these groups within groups
having universal scope, and then make the universal group a member of a domain
local (or machine local) group that has access permissions to resources. Using this
strategy, any membership changes in the groups having global scope do not affect
the groups with universal scope.
A useful guideline is to designate widely used groups that seldom change as
universal groups. The reasons for this approach are explained next.
Group Scope and Replication Traffic
Groups having universal scope—and all of their members—are listed in the global
catalog. Whenever one member of a group with universal scope changes, the entire
group membership must be replicated to all global catalogs in the domain tree or
forest. Therefore, if you use groups with universal scope, use them in situations
where the membership of the group does not change frequently.
Groups having global or domain local scope are also listed in the global catalog, but
their individual members are not listed. Using these groups thus reduces the size of
the global catalog and reduces the replication traffic needed to keep the global
catalog up-to-date. Therefore, use groups with global or domain local scope if the
group membership changes frequently.
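
To make the nesting strategy (user account, global group, universal group, domain local group on the DACL) and the mixed-mode caveat concrete, here is an added Python model; it is constructed for this manual and is not Microsoft code or one of the lab exercises. The domain names, group names and the resource DACL are made up; the rules it encodes (transitive expansion of nested groups, no universal-group SID in the token of a member from a mixed-mode domain, and only universal groups listing their members in the global catalog) come from the text above.

```python
"""Model of Windows 2000 group nesting (AGDLP) and access-token building.

Constructed example: domain names, group names and the DACL are made up.
Rules encoded from the text: nested groups expand transitively; a member
from a mixed-mode domain never gets a universal group's SID in its token;
only universal groups list their members in the global catalog.
"""
from collections import deque


class Directory:
    def __init__(self):
        self.domain_mode = {}   # domain -> "native" | "mixed"
        self.scope = {}         # group -> "global" | "universal" | "domain_local"
        self.members = {}       # group -> set of users or groups placed in it

    def add_domain(self, name, mode):
        self.domain_mode[name] = mode

    def add_group(self, name, scope):
        self.scope[name] = scope
        self.members[name] = set()

    def add_member(self, group, principal):
        self.members[group].add(principal)

    def access_token(self, user, user_domain):
        """Group SIDs that end up in the user's token (breadth-first expansion).

        A universal group is skipped for users from a mixed-mode domain, so
        nothing nested above it (e.g. the domain local group on the DACL) is
        reached either; this is why access then fails and is hard to debug.
        """
        mixed = self.domain_mode[user_domain] == "mixed"
        token, queue = {user}, deque([user])
        while queue:
            principal = queue.popleft()
            for group, held in self.members.items():
                if principal in held and group not in token:
                    if mixed and self.scope[group] == "universal":
                        continue
                    token.add(group)
                    queue.append(group)
        return token

    def global_catalog_members(self):
        """Per the replication discussion: only universal groups replicate
        their member lists to every global catalog."""
        return {g: set(m) for g, m in self.members.items()
                if self.scope[g] == "universal"}


def has_access(dacl, token):
    """dacl: set of principals granted access on the resource."""
    return bool(dacl & token)


# Constructed AGDLP layout: user -> global -> universal -> domain local -> DACL
REPORTS_DACL = {"Reports-Readers"}


def build_example():
    d = Directory()
    d.add_domain("corp-a", "native")
    d.add_domain("corp-b", "mixed")
    d.add_group("Managers-A", "global")               # in corp-a
    d.add_group("Managers-B", "global")               # in corp-b
    d.add_group("Enterprise-Managers", "universal")   # created in native corp-a
    d.add_group("Reports-Readers", "domain_local")    # listed on the share's DACL
    d.add_member("Managers-A", "alice")
    d.add_member("Managers-B", "bob")
    d.add_member("Enterprise-Managers", "Managers-A")
    d.add_member("Enterprise-Managers", "Managers-B")  # mixed-mode member: not recommended
    d.add_member("Reports-Readers", "Enterprise-Managers")
    return d


if __name__ == "__main__":
    d = build_example()
    for user, domain in (("alice", "corp-a"), ("bob", "corp-b")):
        tok = d.access_token(user, domain)
        print(user, sorted(tok), "access:", has_access(REPORTS_DACL, tok))
    print("global catalog member lists:", d.global_catalog_members())
```

Running it shows alice (native domain) reaching Reports-Readers through the universal group, while bob (mixed-mode domain) holds only his global group and is denied, even though he is nominally a member of the same chain.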

Session 8: Windows 2000: Security

Exercise 1: Enable and configure IPsec policy on the local computer (also enable
and configure IPsec policy for an entire domain).
How to create a new IPSec policy
1. Open the IP Security Policy Management console.
2. Right-click IP Security Policies and then select Create IP Security Policy from
the shortcut menu.
3. The IP Security Policy Wizard initiates.
4. Click Next on the IP Security Policy Wizard Welcome page.
5. On the IP Security Policy Name page, provide a name and a description for
the new IPSec policy, and then click Next.
6. On the Requests for Secure Communication page, you can leave the Activate
the default response rule option selected, or you can deselect the option.
Click Next.
7. On the Default Rule Authentication Method page, set the authentication
method for the security rule, and then click Next.
8. On the Completing the IP Security Policy Wizard page, select the Edit
properties option, and then click Finish.
9. The IP Security Policy Properties dialog box for the new policy opens so that
you can change the properties of the policy, and change any security rules.
10. Click Edit on the IP Security Policy Properties dialog box.
11. When the Edit Rule Properties dialog box opens, you can add and remove
security methods, modify existing security methods, set the order of
precedence for security methods, and specify the utilization of session key
perfect forward secrecy (PFS).
12. Click the Authentication tab. This is where you add and remove
authentication methods, and set the order of precedence for authentication
methods.
13. Click OK to close the Edit Rule Properties dialog box.
14. Before you assign the IPSec policy, first ensure that the IPSec service is
running.
15. In the IP Security Policy Management console, right-click the new policy
name that you want to assign, and then click Assign from the shortcut menu.
How to assign IPSec policy for an Active Directory domain
1. Click Start, click Run, type mmc in the Run dialog box, and then click OK.
2. Click the File Menu item, and select Add/Remove Snap-in.
3. The Add/Remove Snap-in dialog box opens. Click Add.
4. The Add Standalone Snap-In dialog box opens.
5. Select Group Policy Object Editor, and then click Add.
6. The Select Group Policy Object dialog box opens. Click Browse.
7. The Browse For A Group Policy Object dialog box opens.
8. Select Default Domain Policy, and then click OK.
9. Click Finish.
10. Click Close to close the Add Standalone Snap-in dialog box.
11. Click OK to close the Add/Remove Snap-in dialog box.
12. Expand Domain Policy, expand Computer Configuration, expand Windows
Settings, expand Security Settings, expand IP Security Policies on Active
Directory.
13. Select IP Security Policies On Active Directory.
14. The details pane displays all available IPSec policies.
15. Right-click the IPSec policy which you want to assign, and then click Assign
from the shortcut menu.
Exercise 2: Protect client machine by using Internet Connection Firewall (ICF)

Windows 2000 includes a Firewall to protect your system against unwanted
"visitors" from the Internet (but not controlling connections from your system to the
Internet, for which you would need to install a non-Microsoft firewall, like
ZoneAlarm). It is configured using the Properties of the modem connection (using
the Firewall on a LAN connection will cause network access problems to your
system).

In the properties of the Internet Connection, tab: Advanced.
Make sure that the checkmark is placed for the Internet Connection Firewall.
Using Settings, you can configure the firewall.

tab: Services
The list of programs which could run on your system. By default, no access is
allowed from the Internet to your system to any of these services. Unless you need
to grant such an access, do NOT activate any of these services.

tab: Security Logging
Allows you to activate a log-file.

tab: ICMP
ICMP (Internet Control Message Protocol) is part of TCP/IP; the most common use
is the PING program to test a network connection. By default, the firewall will NOT
respond to any ICMP, incl. PING, from the Internet.

Advanced Setup:
In case you have the Internet Information Server (maybe including the FTP server)
installed and you would like to allow access from the Internet, then you need to
place the check-marks (you are prompted to confirm the system allowed to be
accessed). Activate ONLY the service which people need to access from the
Internet.

tab: ICMP
To allow people on the Internet to test that the connection is working to your
system, you should allow incoming echo requests (PING requests).
Warning: now your system also becomes visible to all these "bad boys and girls"
who probe all IP addresses on the Internet and then try to find out which system
they have found, and some of them may try to damage your system!

Exercise 3: Configure TCP/IP packet filter.

1. Click Start, point to Settings, click Control Panel, and then double-click
Network and Dial-up Connections.
2. Right-click the interface on which you want to configure inbound
access control, and then click Properties.
3. In the Components checked are used by this connection box, click
Internet Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
5. Click the Options tab.
6. Click TCP/IP filtering, and then click Properties.
7. Select the Enable TCP/IP Filtering (All adapters) check box. When
you select this check box, you enable filtering for all adapters, but you
configure the filters on a per-adapter basis. The same filters do not
apply to all adapters.
8. There are three columns with the following labels:
TCP Ports
UDP Ports
IP Protocols
In each column, you must select one of the following options:
Permit All. If you want to permit all packets for TCP or UDP traffic, leave
Permit All activated.
Permit Only. If you want to allow only selected TCP or UDP traffic, click
Permit Only, click Add, and then type the appropriate port in the Add Filter
dialog box.
If you want to block all UDP or TCP traffic, click Permit Only, but do
not add any port numbers in the UDP Ports or TCP Ports column. You cannot
block UDP or TCP traffic by selecting Permit Only for IP Protocols and
excluding IP protocols 6 and 17.

Note that you cannot block ICMP messages, even if you select Permit Only
in the IP Protocols column and you do not include IP protocol 1. TCP/IP
Filtering can filter only inbound traffic. This feature does not affect outbound
traffic or response ports that are created to accept responses from outbound
requests. Use IPSec Policies or packet filtering if you require more control
over outbound access.
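
The three-column model and the caveats in that note are easy to misread, so here is an added Python simulation of how a TCP/IP Filtering configuration decides a packet; it is constructed for this manual and is not Microsoft code. It encodes the Permit All / Permit Only columns, the ICMP that cannot be blocked, TCP and UDP being governed only by their own port columns, and outbound traffic and response ports being left alone. The filter configuration and the packet values are made up.

```python
"""Simulation of Windows 2000 TCP/IP Filtering decisions as described above.

Constructed example, not Microsoft code. A column value of None means
"Permit All"; a set (possibly empty) means "Permit Only" those entries.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ICMP, TCP, UDP, GRE, ESP = 1, 6, 17, 47, 50


@dataclass(frozen=True)
class Packet:
    protocol: int
    dst_port: Optional[int] = None       # only meaningful for TCP/UDP
    inbound: bool = True
    reply_to_outbound: bool = False      # arrives on a response port we opened


@dataclass(frozen=True)
class TcpIpFilter:
    enabled: bool = True
    tcp_ports: Optional[FrozenSet[int]] = None     # None => Permit All
    udp_ports: Optional[FrozenSet[int]] = None
    ip_protocols: Optional[FrozenSet[int]] = None

    def permits(self, pkt: Packet) -> bool:
        # Only unsolicited inbound traffic is examined at all.
        if not self.enabled or not pkt.inbound or pkt.reply_to_outbound:
            return True
        # ICMP passes even when Permit Only omits protocol 1.
        if pkt.protocol == ICMP:
            return True
        # TCP and UDP are decided by their own port columns; excluding
        # protocols 6 and 17 in the IP Protocols column has no effect.
        if pkt.protocol == TCP:
            return self.tcp_ports is None or pkt.dst_port in self.tcp_ports
        if pkt.protocol == UDP:
            return self.udp_ports is None or pkt.dst_port in self.udp_ports
        return self.ip_protocols is None or pkt.protocol in self.ip_protocols


# Constructed configuration: a web server that should also accept GRE,
# with UDP set to Permit Only and no ports added (i.e. block all UDP).
WEB_SERVER_FILTER = TcpIpFilter(
    tcp_ports=frozenset({80, 443}),
    udp_ports=frozenset(),
    ip_protocols=frozenset({GRE}),     # note: 1, 6 and 17 deliberately absent
)


def decide(filt: TcpIpFilter, packets):
    """Return a list of (description, permitted) pairs for a batch of packets."""
    return [(desc, filt.permits(p)) for desc, p in packets]


# Constructed traffic sample covering each rule and caveat in the text.
SAMPLE = [
    ("inbound TCP/80",             Packet(TCP, 80)),
    ("inbound TCP/23",             Packet(TCP, 23)),
    ("inbound UDP/53",             Packet(UDP, 53)),
    ("inbound ICMP",               Packet(ICMP)),
    ("inbound GRE",                Packet(GRE)),
    ("inbound ESP",                Packet(ESP)),
    ("outbound TCP/23",            Packet(TCP, 23, inbound=False)),
    ("DNS reply on response port", Packet(UDP, 53123, reply_to_outbound=True)),
]

if __name__ == "__main__":
    for desc, ok in decide(WEB_SERVER_FILTER, SAMPLE):
        print(f"{desc:28s} {'permit' if ok else 'drop'}")
```

The ESP and ICMP rows are the ones worth studying: ESP (protocol 50) is dropped because the IP Protocols column is Permit Only and lists only 47, while ICMP is still permitted even though protocol 1 is absent from the same column.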

Exercise 4: Monitor the IP Routing status.

Command: Router# mrinfo [hostname | address] [source-address | interface]
Purpose: Query a multicast router about which neighboring multicast routers are
peering with it.

Command: Router# mstat source [destination] [group]
Purpose: Display IP multicast packet rate and loss information.

Command: Router# mtrace source [destination] [group]
Purpose: Trace the path from a source to a destination branch of a multicast
distribution tree for a given group.

Exercise 5: Customize and configure IPsec policy and rules for transport mode on
the local computer.

1. Using HQ-RES-WRK-01, in the left pane of the MMC Console, right-click IP
Security Policies on Local Machine, and then click Create IP Security Policy.
The IP Security Policy Wizard appears.
2. Click Next.
3. Type Partner as the name of your policy, and click Next.
4. Clear the Activate the default response rule check box, and then click Next.
5. Make sure the Edit Properties check box is selected (it is by default), and
then click Finish.
6. In the Properties dialog box for the policy you have just created, ensure that
the Use Add Wizard check box in the lower-right corner is selected, and then
click Add to start the Security Rule Wizard.
7. Click Next to proceed through the Security Rule Wizard, which you started at
the end of the previous step.
8. Select This rule does not specify a tunnel (selected by default), and then click
Next.
9. Select the radio button for All network connections (selected by default), and
click Next.

Exercise 6: Configure IPsec for tunnel mode. (Note: You need separate computers
to which you have administrative access.)
How to configure a policy for IPSec tunnel mode
IPSec tunnel mode can be used to provide security for WAN and VPN connections
that use the Internet as the connection medium. With tunneling, the data contained
in a packet is encapsulated inside an additional packet. The new packet is then sent
over the network. In tunnel mode, IPSec encrypts the IP header and the IP payload.
Tunnel mode is typically used for server to server, server to gateway, and gateway
to gateway configurations.
To configure an IPSec policy for IPSec tunnel mode
1. Open the IP Security Policy Management console.
2. Right-click the IP Security Policies On Local Computer node and select
Create IP Security Policy from the shortcut menu.
3. When the IP Security Policy Wizard initiates, click Next on the IP Security
Policy Wizard Welcome page.
4. Provide a name and a description for the new IPSec policy, and then click
Next.
5. On the Requests for Secure Communication page, disable the Activate the
default response rule option, and then click Next.
6. On the Completing the IP Security Policy Wizard page, select the Edit
properties option, and then click Finish.
7. The Tunnel To Properties dialog box opens.
8. Click Add on the Rules tab.
9. The Create IP Security Rule Wizard starts.
10. Click Next on the Create IP Security Rule Wizard Welcome page.
11. On the Tunnel Endpoint page, select The Tunnel Endpoint Is Specified By
The Following IP Address option, and then enter the IP address of the other
machine. Click Next.
12. On the Network Type page, select the Local Area Network (LAN) option and
then click Next.
13. Specify the All IP Traffic option and then click Next.
14. On the Filter Action page, specify the Request Security (Optional) option and
then click Next.
15. On the Authentication Method page, specify the Active Directory Default
(Kerberos V5 protocol) option and then click Next.
16. Click Finish and then click OK.
17. Repeat the process on the other machine.

Exercise 7: Audit the IPsec logon activities and events. (Note: you can use two
IP-capable computers that are able to communicate with each other, with their
administrative access.)
1. Before you attempt to ping from a computer on one subnet to the other (NetA
or NetB), type ipconfig at a command prompt. The network interfaces that
are initialized in the TCP/IP stack are displayed.
2. Run the IP Security Monitor tool.
3. Load Network Monitor, click Capture/Network, and then click the W2KextIP
interface (you can start a capture by clicking Capture/Start).
4. Attempt to ping the computer. The first ICMP echo packets may time out while
the IPSec tunnel is being built. If the ping attempt is not successful, check the
security and system logs.
5. If the ping attempt is successful, stop the Network Monitor capture and see if
the ICMP traffic went in the clear or if you just see the ISAKMP and IPSec
protocol packets. Check IP Security Monitor to see if an SA was created
using the NetA to NetB filter you created. Also check the security log. You
should see Event ID 541 (IKE security association established).
6. Type ipconfig at a command prompt again so you see that there is no
additional TCP/IP interface while the tunnel is up. This is because IPSec is
actually protecting the traffic going through the physical interface (W2KextIP).

Exercise 8: Install the network monitor application. Show the use of capture filter
and display filter with the help of your own examples.

Installing Network Monitor

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Add/Remove Programs.
3. Click Add/Remove Windows Components.
4. Click Management and Monitoring Tools, and then click Details.
5. Click to select the Network Monitor Tools check box, and then click OK.
6. Click Next.

1. CAPTURE FILTERS

The capture filter syntax is the same as the one used by programs using the
libpcap (Linux) or WinPcap (Windows) library, like the famous tcpdump. The
capture filter must be set before launching the Wireshark capture, which is not the
case for the display filters, which can be modified at any time during the capture.
The steps to configure a capture filter are the following:
- Select Capture -> Options.
- Fill in the "Capture Filter" field, or click on the "Capture Filter" button to give a
name to your filter so you can reuse it for subsequent captures.
- Click on Start to capture data.

Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.

Direction:
Values: src, dst, src and dst, src or dst.
If no source or destination is specified, the "src or dst" keywords are applied.
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".

Host(s):
Values: net, port, host, portrange.
If no host(s) is specified, the "host" keyword is used.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".

Logical Operations:
Values: not, and, or.
Negation ("not") has highest precedence. Alternation ("or") and concatenation
("and") have equal precedence and associate left to right.
For example,
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port
23".
"not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp
port 23)".
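
To see the default qualifiers and the precedence rules in action, here is an added Python evaluator for a small subset of the capture-filter language; it is constructed for this manual and is not Wireshark or libpcap code. It supports the ip/tcp/udp/icmp keywords, the host and port primitives, the src, dst, "src or dst" and "src and dst" qualifiers, parentheses, and not/and/or with the precedence stated above, and it checks whether two filter strings select the same packets from a constructed sample (net and portrange are not implemented).

```python
"""Evaluator for a subset of the capture-filter (tcpdump/libpcap) syntax.

Constructed teaching example, not Wireshark or libpcap code. Supports the
ip/tcp/udp/icmp keywords, "host" and "port" primitives, the src / dst /
"src or dst" / "src and dst" qualifiers, parentheses, and not/and/or with
the precedence described above (not binds tightest; and/or are equal and
left-associative). Packets are plain dicts constructed below.
"""

PROTOS = {"ip", "tcp", "udp", "icmp"}
DIRS = {"src", "dst"}
TYPES = {"host", "port"}


class Parser:
    def __init__(self, text):
        self.toks = text.replace("(", " ( ").replace(")", " ) ").split()
        self.i = 0

    def peek(self, k=0):
        j = self.i + k
        return self.toks[j] if j < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token: " + self.peek())
        return node

    def expr(self):
        # "and" and "or" share one precedence level, associating left to right
        left = self.term()
        while self.peek() in ("and", "or"):
            op = self.take()
            left = (op, left, self.term())
        return left

    def term(self):
        if self.peek() == "not":                 # negation binds tightest
            self.take()
            return ("not", self.term())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.primitive()

    def primitive(self):
        proto = self.take() if self.peek() in PROTOS else None
        if proto and self.peek() in (None, "and", "or", ")"):
            return ("proto", proto)              # bare keyword such as "tcp"
        direction = "src or dst"                 # default when none is given
        if self.peek() in DIRS:
            direction = self.take()
            # "src or dst" / "src and dst" are qualifiers, not logical operators
            if self.peek() in ("or", "and") and self.peek(1) in DIRS:
                direction += " " + self.take() + " " + self.take()
        kind = self.take() if self.peek() in TYPES else "host"   # default type
        return ("match", proto, direction, kind, self.take())


def _proto_ok(proto, pkt):
    return proto == "ip" or pkt["proto"] == proto


def matches(node, pkt):
    op = node[0]
    if op == "not":
        return not matches(node[1], pkt)
    if op in ("and", "or"):
        left, right = matches(node[1], pkt), matches(node[2], pkt)
        return (left and right) if op == "and" else (left or right)
    if op == "proto":
        return _proto_ok(node[1], pkt)
    _, proto, direction, kind, value = node
    if proto and not _proto_ok(proto, pkt):
        return False
    s_key, d_key = ("src", "dst") if kind == "host" else ("sport", "dport")
    s_hit = str(pkt.get(s_key)) == value
    d_hit = str(pkt.get(d_key)) == value
    return {"src": s_hit, "dst": d_hit, "src or dst": s_hit or d_hit,
            "src and dst": s_hit and d_hit}[direction]


def equivalent(filter_a, filter_b, packets):
    """True if both filters select exactly the same packets from the sample."""
    a, b = Parser(filter_a).parse(), Parser(filter_b).parse()
    return all(matches(a, p) == matches(b, p) for p in packets)


# Constructed packets: addresses and ports are made up.
PACKETS = [
    {"proto": "tcp", "src": "10.1.1.1", "dst": "10.2.2.2", "sport": 40000, "dport": 23},
    {"proto": "tcp", "src": "10.1.1.1", "dst": "10.2.2.2", "sport": 3128, "dport": 23},
    {"proto": "tcp", "src": "10.2.2.2", "dst": "10.3.3.3", "sport": 3128, "dport": 80},
    {"proto": "udp", "src": "10.3.3.3", "dst": "10.1.1.1", "sport": 53, "dport": 53123},
    {"proto": "icmp", "src": "10.2.2.2", "dst": "10.1.1.1"},
]

if __name__ == "__main__":
    pairs = [("host 10.2.2.2", "src or dst host 10.2.2.2"),
             ("src 10.1.1.1", "src host 10.1.1.1"),
             ("not tcp port 3128 and tcp port 23", "(not tcp port 3128) and tcp port 23"),
             ("not tcp port 3128 and tcp port 23", "not (tcp port 3128 and tcp port 23)")]
    for a, b in pairs:
        print(f'"{a}" == "{b}" ? {equivalent(a, b, PACKETS)}')
```

The third sample packet (source port 3128, destination port 80) is the one that separates the two readings of the last filter: the left-to-right parse drops it, the parenthesised negation keeps it.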

2. DISPLAY FILTERS:

The display filter is used to search inside captured data obtained with a capture
filter.
Its search capabilities are more extended than those of the capture filter, and it is
not necessary to restart the capture when you need to change your filter.

Protocol:
A large number of protocols, located between layers two and seven of the OSI
model, is available. They can be seen when you click on the "Expression..." button
in the main screen.
Some examples are: IP, TCP, DNS, SSH.
Supported protocols with a little description can also be consulted as
indicated below:
The Wireshark website provides explanations about protocols and their
sub-categories.

String1, String2 (Optional settings):
Sub-protocol categories inside the protocol. To find them, look for a protocol and
then click on the "+".

Exercise 9: Configure PPTP packet filter such that it will block every packet stream
except the PPTP stream.

How to Configure PPTP Filters to Allow Traffic for PPTP VPN Clients
PPTP is a popular VPN protocol because it is very secure and easy to set up. You
can deploy PPTP easily in both Microsoft-only and mixed environments. You can
configure your Windows 2000-based Routing and Remote Access service VPN
server to drop non-PPTP packets by using packet filters.

How to Configure PPTP Input Filters to Allow Inbound Traffic from PPTP VPN
Clients
1. Start the Routing and Remote Access console from the Administrative
Tools menu.
2. In the left pane of the Routing and Remote Access console, expand your
server, and then expand the IP Routing node.
3. Click the General node. Right-click the external interface, and then click
Properties.
4. On the General tab, click Input Filters.
5. Click Add.
6. Select the Destination network check box. In the IP address box, type the
IP address of the external interface. In the Subnet mask box, type
255.255.255.255.
7. In the Protocol box, click TCP. In the Protocol Number box, type 1723.
Click OK.
8. Click Drop all packets except those that meet the criteria below.
9. Click Add.
10. Select the Destination network check box. In the IP address box, type the
IP address of the external interface. In the Subnet mask box, type
255.255.255.255. In the Protocol box, click Other. In the Protocol Number
box, type 47. Click OK.
11. Click OK.
How to Configure PPTP Output Filters to Allow Outbound Traffic to PPTP VPN
Clients
1. On the General tab in the External_interface Properties dialog box, click
Output Filters.
2. Click Add.
3. Select the Source network check box. In the IP address box, type the IP
address of the external interface. In the Subnet mask box, type
255.255.255.255. In the Protocol box, click TCP. In the Source port box,
type 1723. Click OK.
4. Click Drop all packets except those that meet the criteria below option.
5. Click Add.
6. Select the Source network check box. In the IP address box, type the IP
address of the external interface. In the Subnet mask box, type
255.255.255.255. In the Protocol box, click Other. In the Protocol Number
box, type 47. Click OK.
7. Click OK.
8. Click OK.
NOTE: After you make these changes, only PPTP traffic is allowed into and out of
the external interface of the Routing and Remote Access service VPN server. These
filters support communications with a PPTP VPN client that initiates an inbound call
to the Routing and Remote Access service VPN server.
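
As an added check on what the two filter lists actually admit, here is a Python model of the input and output filters built above, evaluated against sample packets; it is constructed for this manual and is not RRAS code. The external interface address and the client address are made-up documentation values, protocol 47 is GRE (which carries the PPTP tunnel data), and the 1723 typed in step 7 of the input filters is taken to be the TCP destination port, while the 1723 in step 3 of the output filters is the TCP source port.

```python
"""Model of the RRAS 'drop all except' PPTP filters configured above.

Constructed example, not RRAS code. Addresses are made up; 1723 is treated
as the TCP destination port for input filters and the TCP source port for
output filters, and protocol 47 is GRE, which carries the PPTP tunnel data.
"""
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, GRE = 6, 17, 47
EXTERNAL_IP = "203.0.113.10"    # constructed address of the external interface
CLIENT_IP = "198.51.100.25"     # constructed address of a PPTP VPN client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """One RRAS filter entry; a None field means 'any'."""
    src: Optional[str] = None
    dst: Optional[str] = None
    protocol: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        wanted = (self.src, self.dst, self.protocol, self.sport, self.dport)
        actual = (p.src, p.dst, p.protocol, p.sport, p.dport)
        return all(w is None or w == a for w, a in zip(wanted, actual))


def drop_all_except(filters: List[Filter], p: Packet) -> bool:
    """'Drop all packets except those that meet the criteria below'."""
    return any(f.matches(p) for f in filters)


# Input filters (steps 6-10): TCP 1723 to the external IP, and GRE to it.
INPUT_FILTERS = [Filter(dst=EXTERNAL_IP, protocol=TCP, dport=1723),
                 Filter(dst=EXTERNAL_IP, protocol=GRE)]
# Output filters (steps 3-6): TCP from source port 1723 on the external IP, and GRE from it.
OUTPUT_FILTERS = [Filter(src=EXTERNAL_IP, protocol=TCP, sport=1723),
                  Filter(src=EXTERNAL_IP, protocol=GRE)]


def inbound_allowed(p: Packet) -> bool:
    return drop_all_except(INPUT_FILTERS, p)


def outbound_allowed(p: Packet) -> bool:
    return drop_all_except(OUTPUT_FILTERS, p)


if __name__ == "__main__":
    samples = [
        ("client -> 1723 (PPTP control)",
         inbound_allowed(Packet(CLIENT_IP, EXTERNAL_IP, TCP, 40000, 1723))),
        ("client -> GRE (tunnel data)",
         inbound_allowed(Packet(CLIENT_IP, EXTERNAL_IP, GRE))),
        ("client -> 80 (web)",
         inbound_allowed(Packet(CLIENT_IP, EXTERNAL_IP, TCP, 40001, 80))),
        ("server 1723 -> client",
         outbound_allowed(Packet(EXTERNAL_IP, CLIENT_IP, TCP, 1723, 40000))),
        ("server-initiated call to client 1723",
         outbound_allowed(Packet(EXTERNAL_IP, CLIENT_IP, TCP, 40002, 1723))),
    ]
    for desc, ok in samples:
        print(f"{desc:40s} {'pass' if ok else 'drop'}")
```

The last sample illustrates the sentence in the note: an outbound connection from the server to port 1723 on a client has an ephemeral source port, matches neither output filter, and is dropped, so only client-initiated calls work with this filter set.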
Exercise 10: Implementing Server Security by using Security Templates

You can apply security template settings by using the Security Configuration and
Analysis snap-in. When you use this snap-in, you can import security templates and
apply them to a computer, site, domain, or to an organizational unit. You can apply
the security settings to a local computer configuration or to a Group Policy Object.
You can also use this tool to analyze the security settings for a local computer or for
a Group Policy Object.

To apply security template settings:

1. At a command prompt, type mmc.
2. Click Add/Remove Snap-in on the Console menu.
3. Click Add in the Add/Remove Snap-in dialog box.
4. In the Add Standalone Snap-in dialog box, click the Security Configuration
and Analysis snap-in, click Add, click Close, and then click OK.
5. To create a new security database, right-click the Security Configuration
and Analysis node in the left pane, and then click Open Database.
6. Type a name for the database in the Open database dialog box, and then
click Open.
7. In the Import Template dialog box, click the security template that you want
to apply, and then click Open.
8. Right-click the Security Configuration and Analysis node in the left pane,
and then click Configure Computer Now.

Session 9: Windows 2000 Network Management

Example 1: Create a Group Policy object

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

To create a Group Policy object

1. Open Group Policy Management.

2. Depending on whether you want to create, or create and link, a GPO, use one
of the following procedures:

o Create

o Create and link

Create

1. In the console tree, right-click Group Policy Objects in the forest and
domain in which you want to create a Group Policy object (GPO).

Where?

Forest name/Domains/Domain name/Group Policy Objects

2. Click New.

3. In the New GPO dialog box, specify a name for the new GPO, and then click
OK.

Create and link

1. In the console tree, right-click the domain name in the forest in which you
want to create and link a Group Policy object (GPO).

Where?

Forest name/Domains/Domain name

2. Click Create and Link a GPO Here.

3. In the New GPO dialog box, specify a name for the new GPO, and then click
OK.

Notes

• To create a GPO, you must have GPO creation privileges. By default only
domain administrators, enterprise administrators, and members of the Group
Policy Creator Owners group can create Group Policy objects. To delegate
GPO creation permissions to additional groups and users, go to Group
Policy Objects in the desired domain and click the Delegation tab.

• To delete a GPO, you must have Edit Settings, Delete, Modify Security
permissions for the GPO.

• When you use this procedure to create a GPO, no links are created to the
GPO, but you can add links within the same forest by right-clicking any
domain, site, or organizational unit, and then clicking Link Existing GPO.
Alternatively, you can both create and link a GPO by right-clicking any
domain or organizational unit and then clicking Create and Link a GPO
Here.

• When you delete a GPO, Group Policy Management attempts to delete all
links to that GPO in the domain of the GPO. However, to delete a link to a
GPO, you must have permission to link Group Policy objects for the
organizational unit or domain. If you do not have rights to delete a link, the
GPO will be deleted, but the link will remain. Links from other domains and
sites are not deleted. The link to a deleted GPO appears in Group Policy
Management as Not Found. To delete Not Found links, you must either
have permission on the site, domain or organizational unit containing the link,
or ask someone with sufficient rights to delete it.

• Group Policy objects are distinguished in Active Directory by GUID, and it
is theoretically possible for more than one GPO to have the same friendly
name. The Group Policy Management snap-in prevents the creation of Group
Policy objects with duplicate friendly names, but the Group Policy
infrastructure does not enforce uniqueness of friendly names. Therefore, it is
possible for duplication of friendly names to occur if you use legacy tools to
create Group Policy objects, if replication is slow, or if you use a script to
perform operations on Group Policy objects.

• You cannot delete the Default Domain Controllers policy or the Default
Domain policy.

• Before deleting a GPO, you can check for cross-domain links by navigating to
the Scope tab of the GPO you want to delete and, in the Display links in
this location box, selecting Entire Forest. You can then select all links,
right-click the selection, and click Delete link. This procedure ensures that
cross-domain links are deleted before you delete the GPO.

Search for a Group Policy object

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

To search for a Group Policy object

1. Open Group Policy Management.

2. In the console tree, double-click the forest containing the domain that you
want to search for a Group Policy object (GPO), double-click Domains, right-
click the domain, and then click Search.

3. In the Search for Group Policy Objects dialog box, in the Search for GPOs
in this domain box, select a domain or All domains shown in this forest.

4. In the Search item box, select the type of object on which you want to base
your search.

If you select Security Group, the Select User, Computer, or Group dialog
box appears. Specify the appropriate object type, location of the object, and
object name, and then click OK.

You can choose GPO-links on the Search item dropdown menu to find
unlinked GPOs and GPOs linked across domains.

5. In the Condition box, select the condition that you want to use in the search.

6. In the Value box, select or specify the value that you want to use to filter the
search, and then click Add.

7. Repeat steps 4 through 6 until you complete the definition of all search
criteria, and then click Search.

The search is based on the intersection of the criteria specified, so a GPO
must meet all criteria specified for it to be returned in the results.

8. When search results are returned, do one of the following:

o To save the search results, click Save results and then, in the Save
GPO Search Results dialog box, specify the file name for the saved
results, and then click Save.

o To navigate to a GPO found in the search, double-click the GPO in the
search results list.

o To clear the search results, click Clear.

9. Repeat steps 3 through 8 until you have completed all required searches, and
then click Close.

Notes

• You can also open the search dialog box by right-clicking a forest and then
clicking Search. In this case, the Search for GPOs in this domain box defaults
to All domains shown in this forest.

• If a setting is enabled, and then all the settings in that extension are removed,
there can be false-positive search results for certain types of settings. This
happens because the GPO has the extension listed as active. The extensions
with this behavior are Security Settings, Software Installation, Folder
Redirection, Internet Explorer Maintenance, and Encrypting File System (EFS).

2. Configuring Software Deployment Settings

Configuring Software Deployment
You can also use Group Policy to deploy line-of-business applications
throughout your Active Directory network. This installation can take place silently,
without the need for user intervention or assigning elevated privileges to your users
at the desktop level. Software that's installed via Group Policy is self-healing, which
means that any application files that become corrupted or deleted will be replaced
automatically by the Group Policy Object. Depending on the needs of your
environment, Group Policy software deployment can allow a user's applications to
follow him no matter where he logs on to the network from, or ensure that a specific
set of tools is available on a particular machine no matter who logs on to it. In this
section, we'll look at some of the most useful options available to you in using Group
Policy to deploy software.
Creating an Installation Package
As long as you have an .MSI installer for the application you want to deploy,
doing so through Group Policy is pretty much a snap. If your application does not
have an .MSI file associated with it, though, you are still not entirely out of luck. You
can create a .ZAP file that will still allow you to deploy the software, with the
following caveats:
• The installation process can't take advantage of elevated privileges for
installation. So if your users are only members of the Users group and they need
Administrator access to perform the installation, the deployment will fail.
• The program can't be installed on the first use of the software—we'll talk
about how .MSI does this in a moment.
• You won't be able to install a feature on the first use of the feature, similar
to how Microsoft Word can leave the Thesaurus function uninstalled, but you can
copy it to the user's workstation the first time she tries to use it.
• Most problematic of all, you can't roll back an unsuccessful installation,
modification, repair, or removal of a .ZAP file the way you can with .MSI.
To create a software installation package for an .MSI installer, follow these
steps:
1. Open the GPO that you want to use from the GPMC console.
2. Navigate to User Configuration ➤Software Settings ➤Software Installation from
either the Computer Configuration or User Configuration node. (You can also deploy
software to computers instead of users; we'll talk about that in the "Understanding
Deployment Options" section next.)
3. Right-click the Software Installation node and select New ➤Package. Browse to
the location of the .MSI file and click OK.
4. The next screen gives you a choice of how you want to deploy the
software: Published, Assigned, or Advanced. We'll go over the differences between
these options next; for now select Published, which will install the application the
first time a user clicks a file associated with it. (Double-clicking a .DOC file would
launch the Microsoft Word installer, for example.)
5. Click OK to finish. The GPO Editor will take a moment to refresh itself, and then
you'll see your software package listed in the Software Installation window. From
here you can right-click the package and select Properties to change any
deployment options.
Understanding Deployment Options
When deploying software, you need to make two major decisions:
Do I want to publish this software package, or assign it?
Do I want to deploy this software to a user object or a computer object?
In this section we'll look at the differences between these choices, as well as
some more advanced options available for software deployments.
Publishing Applications
Publishing an application will make that application available to your users at
their next login. Once you've published an application, a user can install or uninstall
it by using the Add/Remove Programs applet in Control Panel. The installer will also
launch through document invocation, that is, when the user tries to view or edit a file
that requires the published application to open. This is a good way to roll out
applications that might not be used consistently across your network, since you
won't be performing the actual installation unless (and until) the user actively
requires the software. Using Group Policy will still ease the installation process for
your users since they won't need to remember share names or instructions for
manually installing software.
You have a few additional options available to you when publishing a
software package. When you right-click the package and go to Properties, you'll see
the screen shown in Figure 4-6 by clicking the Deployment tab.

Figure 4-6
As you can see, the option to install the app when a user double-clicks the
appropriate file extension is enabled by default. Two other options that you can
enable are
Uninstall this application when it falls out of the scope of management:
Let's say that user JSmith is contained in the Accounting OU of your domain and
has the PeachTree accounting package installed via Group Policy. If JSmith moves
to Marketing, and the Marketing OU does not have the accounting software
published to it, then the application will be uninstalled from JSmith's workstation.
This is useful in ensuring that sensitive applications do not remain installed on a
workstation if the user no longer has a need for them.
Do not display this package in the Add/Remove Programs control panel:
Just like it sounds, this ensures that a published application will only be installed
through document invocation. You may enable this option to prevent applications
from being installed unnecessarily by curious users.
Assigning Software
In addition to publishing an application, you can also assign it to either a
computer or a user object. By assigning an application to a computer object, the
application will be automatically installed the next time the computer boots up: this
requires no document invocation or user intervention of any kind. Once the program
has been installed, only an administrator will be able to uninstall it (either manually
or through Group Policy). Like a published application, an assigned application is
self-healing so that it can automatically repair or replace any damaged or erased
program files.



Assigning an application to a user takes one of two forms. In the default
scenario, the user will see a shortcut to the application on her Desktop or Start
menu. However, the app won't actually be installed until the first time she double-
clicks the shortcut or uses document invocation. And since the installation takes
place silently, a user can easily be confused when he tries to launch the program
and nothing seems to happen. It's important to be aware of this fact, since "I double-
clicked the Excel icon and my machine has been hung up for like two minutes" can
be a common help desk phone call in this situation.
While this was the only way of assigning software to a user in Windows 2000,
Windows Server 2003 provides the Install application at logon option, which will
perform an install as soon as the user logs on. Similar to the help desk calls you
might experience from the default scenario, though, this option may greatly increase
your users' logon times while the installation process is running. As with anything
else, good communication with your users and support staff will help to make this
operation as smooth as possible.
You'll typically assign software to computer objects for critical applications
that need to be present on any computer on your network: antivirus software is a
favorite use of this feature. Simply add the antivirus software's .MSI file to the
Default Domain policy, and every machine in your network will receive the
installation the next time they reboot.
Deploying Custom Applications and Upgrades
For applications with many different parts, such as Microsoft Office, you can
even configure the installation file so that it only installs the components you want.
The remaining components can be left out entirely, or you can allow them to be
installed on their first use: the first time a user requests the Word spell-checker, for
example. To customize your applications in this way, you'll use a transform file with
the .MST extension. You'll specify these .MST files on the Modifications tab of the
software package's Properties sheet, which you saw in Figure 4-6.
Finally, once you've deployed a software package through a GPO, you can
use a newer installer to upgrade that package using the Upgrades tab of the
Properties sheet. An upgrade package can either be optional or mandatory, and the
upgrade will take place the next time the user logs on or the machine boots up.
Exercise 3: Configure Remote And Removable Storage.
Remote and Removable Storage
• Storage Concepts
• Understanding Libraries
• Understanding Media Pools
• Understanding Media States
• Setting up and Using Remote Storage
• Volume Management
• Managing Media
• Using Removable Storage
• Configuring and Managing Libraries
• Configuring Media Pools
• Configuring and Managing Physical Media
• Configuring Queued Work and Operator Requests
• Configuring Removable Storage Security
• Summary

Disk storage space is an ongoing issue in networking environments. Even with
the large hard drives available today, file storage continues to pose a
problem in many environments. Microsoft addresses this issue by providing
remote storage on tape drives and removable media drives in Windows
2000. This technology makes it easy for you to gain additional storage
space without having to purchase more hard disks.
Remote storage is not the same as backup. Remote storage is designed to be a
storage solution to extend a hard drive, but a regular backup plan should
still be in place and followed. In the following sections, you first learn how
remote and removable storage work and the benefits that can be gained,
then you learn how to configure and manage Remote and Removable
Storage in Windows 2000.
Storage Concepts
Remote storage works by moving eligible files from your local hard disk volumes
to a remote storage location. When the space on your local, or managed,
volume falls under the level you specify, remote storage automatically
removes the content from the original file and moves it to the remote
storage location. The file still appears on your local drive, but the file size is
zero since the file actually resides in a remote location. When the file is
needed, remote storage recalls the file and caches it locally so the file can
be accessed. Since response time is slower than if the file were actually
stored on your local volume, you specify the files or the parameters for the
files that should be stored remotely so that your most commonly used files
remain on the local volume.
Removable storage allows you to extend your local volumes by using removable
storage media to store information. Removable Storage Manager handles
this process and keeps track of the location of data stored on removable
media, such as CD-ROMs, digital audio tape (DAT), Zip disks, and DVD.



Understanding Libraries
Removable storage organizes data in libraries so that it can track the storage
location of individual files. There are two major types of libraries. The first
are the Robotic libraries, often called changers or jukeboxes, that hold
multiple tapes or disks and can automatically switch between tapes and
disks as needed. For example, a ten-CD stereo player can automatically
mount the various CDs loaded to the CD drive. The second type are Stand-
alone libraries, which are single drives that hold one tape or disk at a time
and must be manually changed by the administrator. Remote storage can
also manage and track offline media not currently contained in a library. For
example, you could store some of the disks or tapes in a file folder until they
are needed. Even though the disks or tapes are not currently available,
remote storage is aware of them and still considers them a part of the
storage library.

Exercise 4: Setup the filter options for Advanced Users and Groups.

Introduction

This guide introduces you to administration of the Microsoft® Windows® 2000
Active Directory™ service and the Active Directory Users and Computers snap-in.
This snap-in allows you to add, move, delete, and alter the properties for objects
such as users, contacts, groups, servers, printers, and shared folders.

Prerequisites

This Software Installation and Maintenance document is based on Step-by-Step
Guide to the Common Infrastructure for Windows 2000 Server Deployment,
http://www.microsoft.com/windows2000/techinfo/planning/server/serversteps.asp.

Before beginning this guide, please build the common infrastructure, which specifies
a particular hardware and software configuration. If you are not using the common
infrastructure, you need to make the appropriate changes to this instruction set.

You can run the Administrative Tools from the server, or you can run the tools from
a computer running Windows 2000 Professional. The Administrative Tools are
installed by default on all Windows 2000 domain controllers.

You must be logged on as a user with administrative privileges to run through the
procedures in this document.

If you are working on a domain controller, the Active Directory Schema snap-in
might not be installed. To install it:

1. Click Start, point to Settings, click Control Panel, and then click Change or
Remove Programs.
2. When prompted, reinstall all the Administrative Tools.

On Windows 2000-based stand-alone servers or workstations, the Active Directory
Administrative Tools are optional. You can install them from Add/Remove
Programs in Control Panel, using the Windows Components wizard, or from the
ADMINPAK on the Windows 2000 Server or Professional CD.

In this Step-by-Step Guide:

Common Administrative Tasks
· Creating Organizational Units
· Creating Users and Contacts
· Creating Groups and adding members to Groups

Advanced Administrative Tasks
· Publishing shared network resources, such as shared folders and printers
· Moving Users, Groups, and Organizational Units
· Using Filters and Searches to retrieve objects

Creating a Group

1. Right-click the Engineering OU, click New, and then click Group.
2. In the Name of New Group text box, type: Tools
3. Select the appropriate Group type and Group scope and then click OK.

• The Group type indicates whether the group can be used to assign
permissions to other network resources, such as files and printers. Both
security and distribution groups can be used for e-mail distribution lists.
• The Group scope determines the visibility of the group and what type of
objects can be contained within the group.

Scope          Visibility   May contain
Domain Local   Domain       Users, Domain Local, Global, or Universal Groups
Global         Forest       Users or Global groups
Universal      Forest       Users, Global, or Universal Groups

Adding a User to a Group

1. Click Engineering in the left pane.
2. Right-click the Tools group in the right pane, and click Properties.
3. Click the Members Tab and click Add.
4. Scroll to James Smith, select his name, click Add, then click OK as in Figure
7 below.

Figure 7: Add James Smith to the Tools Group

Note: You can select multiple users or groups in this dialog by pressing
the CTRL key as you click them. You can also type the name directly. If the name is
ambiguous, a further list is displayed to confirm your selection.

Alternatively, you can select the users from the results pane, right click then
click Add members to a Group. Or you can click Add the selected objects to a
group you specify on the snap-in toolbar. This may be more efficient for adding
large numbers of members to a group.


Publishing a Shared Folder

Any shared network folder, including a Distributed File System (Dfs) folder, can be
published in Active Directory. Creating a Shared folder object in the directory does
not automatically share the folder. This is a two-step process: you must first share
the folder, and then publish it in Active Directory.

1. Use Windows Explorer to create a new folder called Engineering Specs on
one of your disk volumes.
2. In Windows Explorer, right-click the folder name, and then click Properties.
Click Sharing, and then click Share this folder.
3. In the New Object–Shared Folder dialog box, type ES in the Share
name box and click OK. By default, Everyone has permissions to this shared
folder. If you want, you can change the default by clicking
the Permissions button.
4. Populate the folder with files, such as documents, spreadsheets, or
presentations.

Exercise 5: Backup and Restore all files in a domain.

File-By-File Restore of a Domain Controller

Overview
To perform a full restore of a failed operating system on a domain controller, it
is necessary to have a full backup of the system partition, including the System
State and Active Directory. When restoring a failed operating system, hardware
identical to the original machine should be used whenever possible.
Prerequisites for Full Operating System Restore
• The restore target must be booted into Directory Services Restore mode.
• The Windows name and OS version of the restore target must match the
original system.
• The OS on the restore target must be installed to the same path as the original
system. WINDOWS (XP, 2003) or WINNT (NT, 2000) are the default names
for the %SYSTEMROOT% path.
• All of the latest OS service packs must be applied to the restore target.
• Install the full version of UltraBac on the restore target.
• Any new hardware should be matched to the original hardware as closely as
possible.
• If the restore is being performed remotely, ensure the default UltraBac
account has enough authority on the restore target to perform an OS restore.

Restoring to Dissimilar Hardware

If restoring a machine with dissimilar hardware, try including only the
Software Registry hive (a sub-component of the System State). Run the restore in
two separate sessions, restoring all of the files first, followed by the Registry hive.
Depending on how dissimilar the hardware on the target machine is from the
original, restoring the full System State may cause system instability.
Restore
To begin the restore process:

1. Launch the "Restore Wizard" by clicking "File"/"Load Index for Restore/Verify"
from the main UltraBac menu.
2. Select and load the index for restore.
3. Select all objects in the OS partition and the System State.

NOTE: When restoring the System State/Active Directory, all System State
components must be restored. If one component is excluded from the restore, all
objects will be excluded.

Fig. 1 - Loaded set in the File Viewer, OS partition, System State, and Active
Directory selected.

4. Click "Operations"/"Restore Selected Files."
5. Check "Restore in-use files."
6. Set the "Overwrite option" to "Always" and click "Next."

Fig. 2 - Restore Options

7. Check "Run unattended" and click "Restore." If "Run unattended" is not
checked, UltraBac will return a prompt for every file skipped or overwritten.

Viewing the Restore Logs

When the restore is finished, UltraBac will confirm that the System State has
been restored (if selected), and prompt for a reboot.

Click "Cancel" to view the UltraBac restore log or if an authoritative restore is
to be run.
Authoritative Restore
1. From the Command prompt on the restore target, type "NTDSUTIL" and
press "Enter."
2. Type "authoritative restore" at the NTDSUTIL.EXE prompt and press "Enter."
3. Type "restore database" at the Authoritative Restore prompt and press
"Enter" to make the full Active Directory restore authoritative. This
command will be used in most cases.
4. Select "Yes" when prompted with the Authoritative Restore confirmation
screen.

Fig. 3 - Authoritative Restore confirmation prompt.

5. NTDSUTIL will return the number of records that need updating, as well as
the number of records updated.

Fig. 4 - NTDSUTIL from a DOS prompt.

6. Type "quit" at the authoritative restore prompt and press "Enter."
7. Type "quit" at the NTDSUTIL.EXE prompt and press "Enter."
8. Reboot.

Exercise 6. : Protect Data By Using Encrypting File System (EFS) And Recover
Encrypted Data With a Data Recovery Agent.

Introduction

In many businesses, users share desktop computers. Some users travel with
portable computers that they use outside the physical protection of the business, in
customer facilities, airports, hotels, and at home. This means that valuable data is
often beyond the control of the business. An unauthorized user might try to read
data stored on a desktop computer. A portable computer can be stolen. In all of
these scenarios, malevolent parties can gain access to sensitive company data.



One solution to help reduce the potential for stolen data is to encrypt sensitive files
by using Encrypting File System (EFS) to increase the security of your data.
Encryption is the application of a mathematical algorithm to make data unreadable
except to those users who have the required key. EFS is a Microsoft technology that
lets you encrypt data on your computer, and control who can decrypt, or recover,
the data. When files are encrypted, user data cannot be read even if an attacker has
physical access to the computer's data storage. To use EFS, all users must have
Encrypting File System certificates, digital documents that allow their holders to
encrypt and decrypt data using EFS. EFS users must also have NTFS permission to
modify the files.

Two types of certificates play a role in EFS:

• Encrypting File System certificates. This type of certificate allows the holder
to use EFS to encrypt and decrypt data, and is often called simply an EFS
certificate. Ordinary EFS users get this type of certificate. The Enhanced Key
Usage field for this type of certificate (visible in the Certificates Microsoft
Management Console snap-in) has the value Encrypting File System
(1.3.6.1.4.1.311.10.3.4).
• File Recovery certificates. This type of certificate allows the holder to recover
encrypted files and folders throughout a domain or other scope, no matter who
encrypted them. Only domain admins or very trusted designated persons
called data recovery agents should get this. The Enhanced Key Usage field for
this type of certificate (visible in the Certificates Microsoft Management
Console snap-in) has the value File Recovery (1.3.6.1.4.1.311.10.3.4.1).
These are often called EFS DRA certificates.

Requirements

• Credentials: Administrator of the domain.
• Tools: the Active Directory Users and Computers snap-in to MMC.

To create a domain-based recovery agent

1. Click Start, click Control Panel, double-click Administrative Tools,
and then double-click Active Directory Users and Computers.
2. Right-click the domain whose recovery policy you want to change, and
then click Properties.
3. Click the Group Policy tab.
4. Right-click the recovery policy you want to change, and then click Edit.
5. In the console tree (on the left), click Encrypting File System. This can
be found at Computer Configuration\Windows Settings\Security
Settings\Public Key Policies\Encrypting File System.
6. In the details pane (on the right), right-click, and then click Create Data
Recovery Agent.

Note: The Create Recovery Agent Wizard prompts you to add a user as
a recovery agent either from a file or from Active Directory. When you
add a recovery agent from a file, the user is identified as
USER_UNKNOWN. This is because the user name is not stored in the
file.



In order to add a recovery agent from Active Directory, EFS recovery
agent certificates (file recovery certificates) must be published in Active
Directory. However, because the default EFS file recovery certificate
template does not publish these certificates, you need to create a
template that does so. To do this, in the Certificate Templates snap-in,
copy the default EFS file recovery certificate template to create a new
template, right-click the new template, choose Properties, and, on
the General tab of the Properties dialog box for the copied certificate,
select the Publish certificate in Active Directory check box.

7. Follow the instructions in the Create Recovery Agent Wizard to finish
creating a domain-based recovery agent.

Exercise 7: Establishing Intrusion Detection for a Public Server.


Network-based Intrusion Detection Overview
Data centers are experiencing an increase in network security threats resulting in
the loss of revenue, productivity, and business opportunity. Comprehensive security
policies and architectures that include network-based intrusion detection systems
(NIDS) are a means to combat this expanding threat. NIDS perform analysis of all
traffic passing on a network segment or subnet. This chapter provides insight into
the need for NIDS in the data center and the benefits of a properly deployed,
configured, and managed system.
This chapter also describes the techniques used by "electronic thieves" and
attackers when attacking networks, and the methods they use to avoid detection. It
also explains the methods that Cisco IDS products employ to detect and thwart
network intrusion. The goal is to mitigate the impact of these attacks and improve
network visibility. The Cisco IDS product line provides a flexible range of
deployment options for securing modern network architectures. This chapter also
reviews the Cisco management alternatives available in the data center for creating
a secure, efficient, and thorough intrusion protection solution.
The Need for Intrusion Detection Systems
Data centers enable the consolidation of critical computing resources in controlled
environments under centralized management. They allow enterprises to operate
around the clock, according to their business needs. A data center provides the
following services to support application availability:
• Infrastructure—Layer 2, Layer 3, intelligent network services, and data center
transport
• Application optimization services—Content switching, caching, SSL offloading,
and content transformation
• Storage—Consolidation of local disks, network attached storage, and storage
area networks (SANs)
• Security—Access control lists (ACLs), firewalls, and intrusion detection systems
• Management—Management devices applied to the elements of the architecture



When a malfunction occurs in the data center and critical business services are not
available, the bottom line usually suffers. Security policies must be developed and
implemented to mitigate vulnerabilities and assure data center resilience against
external and internal threats.
You should deploy security services in the data center as an end-to-end, layered
solution consisting of firewalls, access lists, and intrusion prevention and detection
systems. You should implement security policies to prevent the following security
vulnerabilities:
• Unauthorized access
• Denial of service (DoS)
• Network reconnaissance
• Viruses and worms
• IP spoofing
• Layer 2 attacks
Applications are targets in the data center. Packet inspectors, such as firewalls, are
not enough to protect business critical applications from external and internal
threats. The devices employed to enforce security policies must scrutinize the
protocols and application data traversing the network. NIDS satisfy this requirement
by identifying harmful network traffic and performing the appropriate action based on
the established security policy. Possible actions include logging, shunning, or
resetting traffic that is identified as detrimental to the network.
Solution Topology
The enterprise data center is designed to satisfy the business and application
requirements of the organization, and is a complex structure segmented into service
and security domains. The following service domains exist in the enterprise data
center:
• Internet gateway
• Internet edge
• Extranet data center
• Internet server farm
• Intranet data center
Data center networks have multiple points of vulnerability that are susceptible to
attack. To fortify this architecture, strategically position NIDS to protect all the areas
within the data center.
Figure 8-1 indicates the multiple network vulnerability points that the enterprise
security policy must address across service domains. The deployment of NIDS is
essential to a comprehensive security implementation.
Figure 8-1 Enterprise Data Center—Network Vulnerability Points



NIDS monitor these domains and provide protection from various threats. Network
sensors (intrusion detection devices) are essential to building a secure enterprise
data center architecture. For example, sensors can protect critical assets in the
intranet data center from internal threats, such as disgruntled employees. Network
sensors can also provide an extra level of safety in the extranet domain by
monitoring traffic between partners. Cisco recommends the deployment of network
intrusion sensors in the following locations:
• Behind firewalls
• On demilitarized zone (DMZ) segments that house public servers (web, FTP,
Domain DNS, or e-commerce)
• Behind VPN concentrators for monitoring unencrypted virtual private network
(VPN) traffic
• On segments that house corporate servers or other intranet services that are
defined as sensitive in the security policy
• On segments that house network and security management servers
• On the corporate intranet where critical resources are located
• At corporate extranet junction points between the campus network and branch
networks as well as between the enterprise and partner networks



Exercise 8: Configure the administrator account user profile to restrict dial-up
access.
About Administrator Accounts
From the Administration Control page, you can link to pages that establish the
names, passwords, and privileges for individual administrators or groups of
administrators.
ACS administrator accounts are:
• Unique to ACS and not related to other accounts, such as Windows
administrator accounts, ACS TACACS+ accounts, or any other ACS user
accounts.
• Unrelated to external ACS users because ACS stores ACS administrator
accounts in a separate internal database.
Privileges
The privileges that you grant to each administrator determine access to areas of the
web interface. By default, new administrators do not have any privileges.
Administration Control Privilege
Administrators who have the Administration Control privilege can access the
complete Administration Control page. For these administrators, this page provides
management of administrators and access to pages that control administrative
access policy. Restricted administrators can update their passwords. Figure 11-1
shows the access granted by the administration control privilege.

Figure 11-1 The Administration Control Privilege

Examples of privileges that you can grant to administrators or groups of
administrators include:
• Shared profile components
• Network, system, and interface configuration
• Administration control
• External user databases, posture validation, and network access profiles (NAPs)
• Reports and activities



For example, you are an administrator with the Administration Control privilege who
wants to configure access to the Network Configuration section of the web interface
for administrators whose responsibilities include network management. Therefore,
you check only the Network Configuration privilege for the applicable administrator
accounts.
Group Access Privileges
ACS includes options that determine the type of administrator access to groups or
users in groups. When enabled, these options grant an administrator the following
privileges with respect to any available group:
• Add or edit user pages
• Edit group pages
• Read access to user pages
• Read access to the group pages
Table 11-1 describes the interaction of the options:

Table 11-1 Group Access Options

Add and Edit Access   Read Access   Result
No                    No            Administrators cannot view the users in the
                                    Editable groups.
No                    Yes           Administrators can view the users in the
                                    Editable groups, but Submit is not available.
Yes                   No            Full access granted in either case. When
                                    enabled, Add/Edit Users in these groups
Yes                   Yes           overrides Read Access.

Password Expirations and Account Lockouts

Successful logins take administrators to the main ACS web interface page.
However, all logins are subject to the restrictions that have been configured in
Administration Control, including expiration, account lockout, and password
configuration options.
Limits set for password lifetime and password inactivity can force password change
or account lockout. In addition, the limit set for failed attempts can force password
change, and privileged administrators can manually lock accounts. In the case of an
account lockout, a privileged administrator must unlock the account.
ACS includes the Account Never Expires option that can globally override automatic
account lockouts and password configuration options. If the Account Never Expires
option is enabled for a specific administrator, all administrator lockout options are
ignored.
In the case of an account lockout, ACS displays the Login Process Fail page.
Depending on the options, ACS displays the following pages for changing
passwords:
• A password update page appears when you attempt to log in.
• The Change Password page appears when you click the Administration Control
button in the navigation bar, if you do not have the Administration Control
privilege. The Change Password page includes a list of the password criteria.
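A simulation of the login checks described above (the Incorrect Password Attempts lockout, password lifetime and inactivity limits, manual lock and unlock by a privileged administrator, and the Account Never Expires override), added here as an example and not taken from ACS. The order of the checks, the consequence assigned to each limit, and all names and limit values are assumptions made for the demonstration.

```python
"""Simulate administrator login handling under lockout and expiry limits.

Added example; not ACS code. The check order and the consequence of each
limit (inactivity locks, lifetime forces a change) are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac
import os

T0 = datetime(2024, 1, 1, 9, 0)   # constructed reference time for the scenario
DAY = timedelta(days=1)


@dataclass
class Policy:
    """Limits set under Administration Control (values are made up)."""
    max_failed_attempts: int = 3                # Incorrect Password Attempts limit
    password_lifetime: timedelta = 90 * DAY     # force a password change after this
    password_inactivity: timedelta = 30 * DAY   # lock if unused for longer than this


@dataclass
class AdminAccount:
    name: str
    salt: bytes
    pw_hash: bytes
    password_set: datetime
    last_login: datetime
    failed_attempts: int = 0
    locked: bool = False
    account_never_expires: bool = False   # ignores the automatic limits above


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_account(name, password, now, never_expires=False):
    salt = os.urandom(16)
    return AdminAccount(name, salt, _hash(password, salt), now, now,
                        account_never_expires=never_expires)


def login(acct, password, now, policy):
    """Return OK, BAD_PASSWORD, LOCKED or CHANGE_PASSWORD for one attempt."""
    if acct.locked:
        return "LOCKED"                        # only unlock() clears this
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if (not acct.account_never_expires
                and acct.failed_attempts >= policy.max_failed_attempts):
            acct.locked = True                 # limit reached: the account is locked
            return "LOCKED"
        return "BAD_PASSWORD"
    acct.failed_attempts = 0                   # a good password resets the counter
    if not acct.account_never_expires:
        if now - acct.last_login > policy.password_inactivity:
            acct.locked = True                 # assumption: inactivity limit locks
            return "LOCKED"
        if now - acct.password_set > policy.password_lifetime:
            acct.last_login = now
            return "CHANGE_PASSWORD"           # password update page shown at login
    acct.last_login = now
    return "OK"


def unlock(acct, now):
    """Privileged-administrator action. Restarting the inactivity clock here is
    an assumption so the account is not locked again on its next login."""
    acct.locked, acct.failed_attempts, acct.last_login = False, 0, now


def lock(acct):
    acct.locked = True                         # manual lock by a privileged admin


def change_password(acct, new_password, now):
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)
    acct.password_set = now


def run_scenario():
    """Walk two constructed accounts through the lockout and expiry paths."""
    policy, out = Policy(), []
    acct = new_account("netadmin", "Correct-Horse-9", T0)
    for _ in range(3):                                          # BAD, BAD, LOCKED
        out.append(login(acct, "wrong", T0, policy))
    out.append(login(acct, "Correct-Horse-9", T0, policy))      # LOCKED until unlocked
    unlock(acct, T0)
    out.append(login(acct, "Correct-Horse-9", T0 + 5 * DAY, policy))    # OK
    out.append(login(acct, "Correct-Horse-9", T0 + 45 * DAY, policy))   # LOCKED: 40 days idle
    unlock(acct, T0 + 45 * DAY)
    out.append(login(acct, "Correct-Horse-9", T0 + 70 * DAY, policy))   # OK
    out.append(login(acct, "Correct-Horse-9", T0 + 100 * DAY, policy))  # CHANGE_PASSWORD: age > 90
    change_password(acct, "Battery-Staple-7", T0 + 100 * DAY)
    out.append(login(acct, "Battery-Staple-7", T0 + 100 * DAY, policy)) # OK
    lock(acct)
    out.append(login(acct, "Battery-Staple-7", T0 + 101 * DAY, policy)) # LOCKED (manual)
    svc = new_account("svcadmin", "Pa55-Override", T0, never_expires=True)
    for _ in range(5):                                          # BAD x5, never LOCKED
        out.append(login(svc, "wrong", T0, policy))
    out.append(login(svc, "Pa55-Override", T0 + 400 * DAY, policy))     # OK: limits ignored
    return out
```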
Figure 11-2 shows the process flow at login time.
Figure 11-2 Login Process Flow
1. When the administrator reaches the Incorrect Password Attempts limit, ACS
locks the account. At this point,
Exercise 9: Use the Registry Editor to view and search for information in any
registry. Show how to add a value in a registry. Save the Registry to some
text file.

Overview

The Registry is a database used to store settings and options for the 32 bit versions
of Microsoft Windows including Windows 95, 98, ME and NT/2000. It contains
information and settings for all the hardware, software, users, and preferences of
the PC. Whenever a user makes changes to a Control Panel settings, or File
Associations, System Policies, or installed software, the changes are reflected and
stored in the Registry.

The physical files that make up the registry are stored differently depending on your
version of Windows; under Windows 95 & 98 it is contained in two hidden files in
your Windows directory, called USER.DAT and SYSTEM.DAT, for Windows Me
there is an additional CLASSES.DAT file, while under Windows NT/2000 the files
are contained separately in the %SystemRoot%\System32\Config directory. You
cannot edit these files directly; you must use a tool commonly known as a "Registry
Editor" to make any changes (using registry editors will be discussed later in the
article).

The Structure of the Registry

The Registry has a hierarchical structure. Although it looks complicated, the structure
is similar to the directory structure on your hard disk, with Regedit being similar to
Windows Explorer.



Each main branch (denoted by a folder icon in the Registry Editor) is called a Hive,
and Hives contain Keys. Each key can contain other keys (sometimes referred to as
sub-keys), as well as Values. The values contain the actual information stored in the
Registry. There are three types of values: String, Binary, and DWORD; the use of
these depends upon the context.

There are six main branches, each containing a specific portion of the information
stored in the Registry. They are as follows:

o HKEY_CLASSES_ROOT - This branch contains all of your file
association mappings to support the drag-and-drop feature, OLE
information, Windows shortcuts, and core aspects of the Windows user
interface.
o HKEY_CURRENT_USER - This branch links to the section of
HKEY_USERS appropriate for the user currently logged onto the PC
and contains information such as logon names, desktop settings, and
Start menu settings.
o HKEY_LOCAL_MACHINE - This branch contains computer-specific
information about the type of hardware, software, and other
preferences on a given PC; this information is used for all users who
log onto this computer.
o HKEY_USERS - This branch contains individual preferences for each
user of the computer; each user is represented by a SID sub-key
located under the main branch.
o HKEY_CURRENT_CONFIG - This branch links to the section of
HKEY_LOCAL_MACHINE appropriate for the current hardware
configuration.
o HKEY_DYN_DATA - This branch points to the part of
HKEY_LOCAL_MACHINE used by the Plug-and-Play features of
Windows; this section is dynamic and will change as devices are added
to and removed from the system.

Each registry value is stored as one of five main data types:

o REG_BINARY - This type stores the value as raw binary data. Most
hardware component information is stored as binary data, and can
be displayed in an editor in hexadecimal format.
o REG_DWORD - This type represents the data by a four-byte number
and is commonly used for boolean values, such as "0" is disabled
and "1" is enabled. Additionally, many parameters for device drivers
and services are of this type, and can be displayed in REGEDT32 in
binary, hexadecimal and decimal format, or in REGEDIT in
hexadecimal and decimal format.
o REG_EXPAND_SZ - This type is an expandable data string, that is, a
string containing a variable to be replaced when called by an
application. For example, in a value of this type the string
"%SystemRoot%" will be replaced by the actual location of the directory
containing the Windows NT system files. (This type is only available
using an advanced registry editor such as REGEDT32.)
o REG_MULTI_SZ - This type is a multiple string used to represent
values that contain lists or multiple values; each entry is separated
by a NULL character. (This type is only available using an advanced
registry editor such as REGEDT32.)
o REG_SZ - This type is a standard string, used to represent human-
readable text values.

Other data types not available through the standard registry editors include:

o REG_DWORD_LITTLE_ENDIAN - A 32-bit number in little-endian
format.
o REG_DWORD_BIG_ENDIAN - A 32-bit number in big-endian
format.
o REG_LINK - A Unicode symbolic link. Used internally; applications
should not use this type.
o REG_NONE - No defined value type.
o REG_QWORD - A 64-bit number.
o REG_QWORD_LITTLE_ENDIAN - A 64-bit number in little-endian
format.
o REG_RESOURCE_LIST - A device-driver resource list.
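As an added example (not part of the lab manual), the following Python script decodes the value types listed above from a Regedit export (.reg) file, which is the text form in which the structure of keys and values described in this tutorial is usually examined offline: it reads the hex(N) type ids, converts REG_DWORD and its big- and little-endian variants, expands %SystemRoot% in a REG_EXPAND_SZ value, and splits a REG_MULTI_SZ list on its NULL separators. The sample export, the key path HKEY_LOCAL_MACHINE\SOFTWARE\Example\Demo and the C:\WINNT location assumed for %SystemRoot% are all constructed for the example.

```python
"""Decode registry values from a Regedit export (.reg file).

Added example, not code from the lab manual.  It parses the text format that
Regedit writes when you export a key and decodes each value according to its
registry type (the number in hex(N) is the REG_* type id Windows uses, written
in hexadecimal).  The sample export and the environment used to expand
%SystemRoot% are constructed for this example and describe no real machine.
"""
import re

# REG_* type ids as used by the Windows registry API and in .reg files.
REG_TYPES = {
    0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
    4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK",
    7: "REG_MULTI_SZ", 8: "REG_RESOURCE_LIST", 11: "REG_QWORD",
}

# Constructed sample export: one key with one value of each common type.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Demo]
"Name"="Example Service"
"Enabled"=dword:00000001
"Blob"=hex:de,ad,be,ef
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,64,00,65,00,6d,00,6f,00,2e,00,65,00,78,00,65,00,00,00
"Deps"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,44,00,48,00,43,00,50,00,00,00,\
  00,00
"""


def _join_continuations(text):
    """Regedit wraps long hex data; a trailing backslash continues the line."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    return joined


def expand_env(text, env):
    """Expand %VAR% references the way REG_EXPAND_SZ consumers do (case-insensitive)."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lower.get(m.group(1).lower(), m.group(0)), text)


def decode_value(data, env):
    """Return (type name, decoded value) for the right-hand side of a .reg line."""
    if data == "-":
        return "DELETE", None                     # "name"=- removes the value on import
    if data.startswith('"'):
        return "REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)     # 8 hex digits, most significant first
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", data)
    if not m:
        raise ValueError(f"unrecognised value data: {data!r}")
    type_id = int(m.group(1), 16) if m.group(1) else 3   # bare "hex:" is REG_BINARY
    raw = bytes.fromhex(m.group(2).replace(",", ""))
    name = REG_TYPES.get(type_id, f"REG_TYPE_{type_id}")
    if type_id in (1, 2):                         # UTF-16LE string, NUL terminated
        text = raw.decode("utf-16-le").rstrip("\0")
        return name, expand_env(text, env) if type_id == 2 else text
    if type_id == 7:                              # NUL-separated strings, double NUL at the end
        return name, [s for s in raw.decode("utf-16-le").split("\0") if s]
    if type_id in (4, 11):                        # little-endian integers: hex(4), hex(b)
        return name, int.from_bytes(raw, "little")
    if type_id == 5:
        return name, int.from_bytes(raw, "big")
    return name, raw                              # REG_BINARY and anything else: raw bytes


def parse_reg(text, env=None):
    """Parse a .reg export into {key path: {value name: (type, value)}}."""
    env = env or {}
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m or current is None:
            raise ValueError(f"cannot parse line: {line!r}")
        name = "(Default)" if m.group(1) is None else m.group(1)
        keys[current][name] = decode_value(m.group(2), env)
    return keys


def decode_sample():
    """Decode the constructed export, assuming %SystemRoot% is C:\\WINNT."""
    keys = parse_reg(SAMPLE_REG, env={"SystemRoot": r"C:\WINNT"})
    return keys[r"HKEY_LOCAL_MACHINE\SOFTWARE\Example\Demo"]


if __name__ == "__main__":
    for name, (reg_type, value) in decode_sample().items():
        print(f"{name:10} {reg_type:14} {value!r}")
```

Because an export is plain text, the same parser lets you review what a .reg file would write before importing it, which is a useful check on files of unknown origin. Note that the type id inside hex(N) is itself written in hexadecimal, so hex(b) denotes REG_QWORD (type 11).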

Editing the Registry

The Registry Editor (REGEDIT.EXE) is included with most versions of Windows
(although you won't find it on the Start Menu); it enables you to view, search and
edit the data within the Registry. There are several methods for starting the
Registry Editor; the simplest is to click on the Start button, then select Run, and in
the Open box type "regedit". If the Registry Editor is installed it should now
open.

An alternative Registry Editor (REGEDT32.EXE) is available for use with
Windows NT/2000; it includes some additional features not found in the standard
version, including the ability to view and modify security permissions, and being
able to create and modify the extended string values REG_EXPAND_SZ &
REG_MULTI_SZ.

Create a Shortcut to Regedit

This can be done by simply right-clicking on a blank area of your desktop,
selecting New, then Shortcut; then in the Command line box enter "regedit.exe"
and click Next, enter a friendly name (e.g. 'Registry Editor'), then click Finish, and
now you can double-click on the new icon to launch the Registry Editor.

Using Regedit to modify your Registry

Once you have started Regedit you will notice that on the left side there is a
tree with folders, and on the right the contents (values) of the currently selected
folder.

Exercise 10 : Enable network connectivity between NetWare, Macintosh, and
Unix networks.

UNIX
For basic integration with UNIX systems, Windows NT Server includes support
for the industry-standard protocols used by UNIX systems, such as TCP/IP
and DNS. To make it easier to integrate existing UNIX environments with
Windows NT Server, Microsoft offers the Windows NT Services for UNIX
Add-on Pack. This includes technologies for resource sharing, remote
administration, password synchronization and common scripting across
platforms.
Network
Transmission Control Protocol/Internet Protocol (TCP/IP). Windows NT Server
includes TCP/IP, the primary transport protocol for the Internet and intranets
as well as for homogeneous and heterogeneous networks. Having TCP/IP
built into the operating system enables Windows NT Server to exchange
data with both UNIX hosts and the Internet.
FTP, HTTP, and Telnet. Through FTP and HTTP services, users can copy files
across networks of heterogeneous systems and then manipulate them
locally as text files or even Microsoft Word documents. In addition to
copying UNIX files, PC users can access character-based UNIX
applications through the Windows NT support for remote logon. By running
terminal emulation software built into the Microsoft Windows® 95, Windows
98, and Windows NT operating systems, a user of a Windows-based
computer can log on to a UNIX timesharing server in a manner similar to a
dial-up connection. After entering an authorized user name and password,
PC users will be able to employ character-based applications residing on
the remote UNIX workstation as if they were logged on to the system
directly.
Domain Name System (DNS) Service. DNS is a set of protocols and services on
a TCP/IP network that allows users of the network to employ hierarchical
user-friendly names when looking for other computers instead of having to
remember IP addresses. Windows NT Server 4.0 has a built-in, standards-
based DNS service. This allows administrators to easily migrate from their
existing DNS to the Windows NT Server DNS, or coexist with a non-
Microsoft DNS.
Dynamic Host Configuration Protocol (DHCP) and BOOTP. The standards-
based DHCP protocol can automatically configure a host during boot up on
a TCP/IP network as well as change settings while the host is attached.
This lets all available IP addresses be stored in a central database along
with associated configuration information such as the subnet mask,
gateways, and address of DNS servers. Since DHCP for Windows NT
Server is based on industry standards, it supports requests from any clients
supporting these RFC's. The Microsoft DHCP server also offers Boot
Protocol (BOOTP) support, used for booting diskless workstations.
Network File System (NFS). Included in the Windows NT Services for UNIX Add-
on Pack, NFS is a standard for sharing files and printers in the UNIX
environment. The NFS client and server software Add-on lets Windows NT
Server users access files on UNIX and lets UNIX users access files on
Windows NT Server.

Advanced Server for UNIX (ASU). ASU extends interoperability between
Windows NT and UNIX providing full Windows NT domain controller support
on UNIX. The UNIX system can be either a Primary Domain Controller or
Backup Domain Controller in a Windows NT environment. This means that
the users can log on to the Windows NT-based network once and gain
access to resources distributed between a UNIX server and Windows NT
Server on the network. AT&T exclusively licenses the ASU technology to
virtually all major UNIX suppliers, such as Compaq, Hewlett-Packard, Data
General, Fujitsu-ICL, and Siemens-Nixdorf.
Data
Oracle database access. The Microsoft Visual Studio® Enterprise Edition
development system offers comprehensive support for Oracle 7.3 and later
databases. Using Visual Studio, developers can visually build or edit data-
driven Web pages quickly from multiple data sources. In addition,
developers can use Visual Studio to build and edit stored procedures,
database diagrams, triggers, and scripts.
Open Database Connectivity (ODBC) and OLE DB. ODBC is a software
interface that separates the access to data from the data sources, making it
easier to access a database on a network. The ODBC database access
interface lets programmers access data from a diverse set of sources, using
a standard series of functions and commands. This means an application
developer using ODBC can create applications that can connect to
databases running on either UNIX or Windows NT Server and have their
application code run in exactly the same way. This shields programmers
from having to code to each specific data source's requirements, an
efficiency that can significantly increase productivity. OLE DB takes ODBC
a step further. Whereas ODBC is designed around accessing relational data
sources using Structured Query Language (SQL), OLE DB is focused on
providing access to any data, anywhere. For example, there is an ODBC
provider that provides access to Windows NT Server 4.0, Novell version 3,
and NDS directory services—all through OLE DB.
NetWare
Windows NT Server 4.0 includes several technologies that let it readily integrate
with Novell NetWare networks. These technologies address interoperability
at the network, data, and management layers. Additional connectivity
technologies are offered in the Microsoft Services for NetWare Add-on
Pack.
Network
NWLink. Windows NT Server includes NWLink (IPX/SPX Compatible Transport
Protocol). NWLink lets you add a Windows NT Server to a NetWare 2.x/3.x
and 4.x (in bindery emulation mode) network without requiring modifications
to other servers or clients. NWLink lets NetWare clients access

applications—such as Microsoft Exchange, SQL Server™, or other
software—running on a Windows NT Server-based machine. The Microsoft
implementations of the IPX/SPX and Novell NetBIOS-compatible protocols
can coexist with other protocols on the same network adapter card. That
means you can have several networks running independently on the same
network hardware connection. NWLink supports Windows Sockets, Novell
NetBIOS, and Named Pipes protocols.
Client Services for NetWare . Microsoft Windows NT Workstation 4.0 includes
Client Services for NetWare (CSNW). This lets Windows NT Workstation-
based clients access files and print resources on Novell NetWare 4.x
servers.
File and Print Services for NetWare (FPNW). Included in the Microsoft Services
for NetWare Add-on Pack, FPNW lets users log on to a machine running
Windows NT Server and have their interface look the same as if they had
logged on to a NetWare 3.x Server. FPNW—which runs as part of the
NWLink IPX/SPX-compatible service—enables Windows NT Server to
emulate a NetWare file and print server, providing file and print resources
using the same dialogs as NetWare servers. The Windows NT Server file
and print services can be managed with NetWare tools, eliminating the
need for retraining. Plus, using FPNW does not require changes to NetWare
clients. For example, a client program that uses NetWare protocols and
naming conventions needs no redirection or translation.
Gateway Service for NetWare (GSNW). Included with Windows NT Server,
GSNW lets Windows NT Server act as a gateway to a NetWare network,
allowing you access to all the resources on a NetWare server. Windows NT
Workstation-based clients can access NetWare resources using TCP/IP,
the native network communication protocol for Windows NT. In addition,
GSNW allows Windows NT Server-based network clients to access files on
a NetWare server without requiring a NetWare client redirector on an
IPX/SPX protocol stack (such as NWLink). These efficiencies reduce the
administrative load for each client and improve network performance.
GSNW also supports Novell's NetWare Directory Services (NDS) navigation,
authentication, printing, and login scripts. This support allows NetWare
clients to take advantage of the Windows NT Server platform and still retain
fully functional access to their NetWare 4.x servers via the Windows NT
Server gateway. Lastly, GSNW lets a machine running Windows NT Server
act as a communications server to a NetWare network, re-sharing the
network connections from the NetWare server. So, for example, you can
use Windows NT Server Remote Access Service to access NetWare server
resources.
Management
Client Services for NetWare (CSNW). Included with Windows NT Workstation
4.0, CSNW lets you use a single login and password for Windows NT and
NetWare. CSNW supports Novell's NDS authentication, including
authentication to multiple NDS trees. It also provides full support for NDS
property pages, NDS passwords, and processing NetWare login scripts.

Directory Service Manager for NetWare (DSMN). Included in the Microsoft
Services for NetWare Add-on Pack, DSMN allows you to centrally manage
NetWare binderies. Using DSMN, NetWare Servers can be added to a
Windows NT Server domain, where they can be centrally managed with
Windows NT Server utilities. By offering a simple, direct administration for
growing networks, DSMN helps administrators manage multiple
environments with a central point of administration. Administrators can
manage NetWare servers and manage the user accounts on the servers as
if they were native Windows NT Server user accounts. In addition, DSMN
gives users a single network login to all services, including applications.

Connecting with Macintosh

Microsoft Windows NT Server Services for Macintosh is an integrated
component of Windows NT Server, making it possible for computers
running Windows NT Server and Apple Macintosh Clients to share files and
printers. Services for Macintosh File and Print Services allow Macintosh
users access to Windows NT Server 4.0. Macintosh clients can print
Postscript jobs to either Postscript or non-Postscript printers using the
Windows NT Server print server. Server-side print spooling means faster
return to the application and increased productivity for Macintosh clients.

SESSION 10: Windows 2000 - Troubleshooting

Exercise 1 : Recover a Windows 2000 Server that does not start.

To run the Recovery Console on a computer that does not start:

1. Insert the Windows 2000 Server Setup Disk 1 floppy disk into your disk drive,
or, if you have a bootable CD-ROM drive, you can instead insert the Windows
2000 Server CD-ROM into your CD-ROM drive.
2. Restart your computer.
3. Follow the directions that are displayed on the screen. If you are using the
Setup disks, you are prompted to insert the other Setup disks into the disk drive.
It may take several minutes to load files. Select the appropriate options to repair
your Windows 2000 installation and to start the Recovery Console.
4. Once in the Recovery Console, type HELP, and then press ENTER to see a list
of commands.

Remove the Recovery Console
As a precaution, you should not normally remove the Recovery Console. However,
if you want to remove the Recovery Console, you must do so manually.

To remove the Recovery Console:

1. Restart your computer, double-click My Computer, and then double-click the
hard disk on which you installed the Recovery Console. On the Tools menu, click
Folder Options, and then click the View tab.
2. If needed, click Show hidden files and folders, click to clear the Hide protected
operating system files check box, and then click OK.
3. Delete the Cmdcons folder from the root folder, and then delete the Cmldr file.
4. In the root folder, right-click the Boot.ini file, and then click Properties. Click to
clear the Read-only check box, and then click OK.
5. If you incorrectly modify the Boot.ini file, your computer may not start correctly.
Because of this, only delete the entry for the Recovery Console from the Boot.ini
file.

Use a text editor (such as Notepad) to open the Boot.ini file, and then remove
the entry for the Recovery Console. The entry should look similar to this entry:
C:\cmdcons\bootsect.dat="Microsoft Windows 2000 Recovery Console" /cmdcons
Save the file and close it.

Precautionary Measures
How to Install the Recovery Console as a Startup Console
It may be useful to install the Recovery Console on a computer that is functioning
properly so that it is available for use after a system failure. This precautionary
measure can save time should you have to use the Recovery Console.

To install the Recovery Console as a startup option:

1. While Windows is running, insert the Windows 2000 Professional CD-ROM into
your CD-ROM drive.
2. When you are prompted to upgrade to Windows 2000, click No.
3. At the command prompt, switch to your CD-ROM drive, type \i386\winnt32.exe
/cmdcons, and then press ENTER.
4. Follow the instructions on the screen. To use the Windows 2000 Recovery
Console, restart your computer, and then select Windows 2000 Recovery Console
from the Startup menu.

Create an Emergency Repair Disk

You can also use a Windows 2000 Emergency Repair Disk (ERD) to fix problems
that prevent your computer from starting. It may be useful to prepare an ERD when
your computer is functioning well, so you can be prepared to use it if you need to
repair system files. To start a computer that needs repair, use the Windows 2000
Setup CD-ROM or floppy disks you created from the CD-ROM and choose the
Repair method to utilize the ERD. The repairs that are possible with this method are
limited to basic system files, the partition boot sector, and the startup environment.
The repair process does not recover the registry.

Note that the repair process relies on information that is saved in the
SystemRoot\Repair folder. You must not change or delete this folder. If you also
back up the registry to the Repair folder, you can save your current registry files in a
folder within your SystemRoot\Repair folder. This is useful if you must recover your
system in the event that your hard disk fails.

1. Click Start, point to Programs, point to Accessories, point to System Tools, and
then click Backup.
2. On the Tools menu, click Create an Emergency Repair Disk.
3. Follow the instructions that appear on your screen.

Exercise 2 : Troubleshoot the "NTLDR Is Missing" error message on a machine.

When you start your Windows 2000-based computer, you may receive the following
error message:
NTLDR is missing
Press any key to restart
This problem may occur if the basic input/output system (BIOS) on your computer is
outdated, or if one or more of the following Windows boot files are missing or
damaged:
Ntldr
Ntdetect.com
Boot.ini
To resolve this issue, verify that the BIOS on your computer is current, and then use
one or more of the following methods, as appropriate to your situation, to repair the
Windows 2000 startup environment.
Verify That the BIOS on the Computer Is Current
Make sure that the latest revision for BIOS is installed on the computer. Contact the
computer manufacturer to inquire about how to obtain, and then install the latest
BIOS update that is available for the computer.

For information about how to configure and how to verify the correct BIOS settings
for the computer, see the computer documentation or contact the manufacturer of
the computer. For information about how to contact your computer manufacturer,
click the appropriate article number in the following list to view the article in the
Microsoft Knowledge Base:
65416 Hardware and software vendor contact information, A-K
60781 Hardware and software vendor contact information, L-P
60782 Hardware and software vendor contact information, Q-Z

For more information about how to contact BIOS manufacturers, click the following
article numbers to view the articles in the Microsoft Knowledge Base:
243909 List of BIOS manufacturer Web sites Part 1
243971 List of BIOS manufacturer Web sites Part 2
To repair the Windows startup environment, use one or more of the following
methods, as appropriate to your situation.

Method 1: Use a Boot Disk to Start the Computer

1. Create a Windows 2000 boot disk that contains the following files:
Ntldr
Ntdetect.com
Boot.ini
Ntbootdd.sys
For more information about how to create a boot disk, click the following article
numbers to view the articles in the Microsoft Knowledge Base:
301680 How to create a boot disk for an NTFS or FAT partition in Windows
101668 How to use a Windows boot disk to prevent boot failure
2. Modify the Boot.ini file to point to the correct hard disk controller and to the
correct volume for your Windows installation. For more information about how to
edit the Boot.ini file, click the following article number to view the article in the
Microsoft Knowledge Base:
311578 How to edit the Boot.ini file in Windows 2000
3. Insert the boot disk into the computer's floppy disk drive, and then restart the
computer.
4. Copy the Ntldr file, the Ntdetect.com file, and the Boot.ini file from the boot disk
to the system partition of the local hard disk.

Method 2: Use the Recovery Console

1. Use the Windows 2000 Setup disks to restart the computer, or use the
Windows 2000 CD-ROM to restart the computer.
2. At the Welcome to Setup screen, press R to repair the Windows 2000
installation.
3. Press C to repair the Windows 2000 installation by using the Recovery
Console.
4. Type the number that corresponds to the Windows installation that you want to
repair, and then press ENTER. For example, type 1, and then press ENTER. For
more information, click the following article number to view the article in the
Microsoft Knowledge Base:
229716 Description of the Windows Recovery Console
5. Type the Administrator password, and then press ENTER.
6. Type map, and then press ENTER. Note the drive letter that is assigned to the
CD-ROM drive that contains the Windows 2000 CD-ROM.
7. Type the following commands, pressing ENTER after you type each one, where
drive is the drive letter that you typed in step 4 of "Method 2: Use the Recovery
Console," of this article:
copy drive:\i386\ntldr c:\
copy drive:\i386\ntdetect.com c:\

If you are prompted to overwrite the file, type y, and then press ENTER.

NOTE: In these commands, there is a space between the ntldr and c:\, and
between ntdetect.com and c:\.
8. Type the following command, and then press ENTER:
type c:\Boot.ini
A list similar to the following list appears:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT

[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

If you receive the following message, the Boot.ini file may be missing or
damaged:
The system cannot find the file or directory specified.
9. If the Boot.ini file is missing or damaged, create a new one. To do so, follow
these steps:
1. Use a text editor, such as Notepad or Edit.com, to create a boot loader file
similar to the following boot loader file:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT

[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

For more information, click the following article numbers to view the articles in
the Microsoft Knowledge Base:
102873 Boot.ini and ARC path naming conventions and usage
301680 How to create a boot disk for an NTFS or FAT partition in Windows
2. Save the file to a floppy disk as Boot.ini.

NOTE: If you used Notepad to create the file, make sure that the .txt
extension is not appended to the Boot.ini file name.
3. Type the following command at the Recovery Console command prompt to
copy the Boot.ini file from the floppy disk to the computer:
copy a:\Boot.ini c:\
10. Type exit, and then press ENTER. The computer restarts.

Method 3: Use the Windows 2000 CD-ROM

1. Insert the Windows 2000 CD-ROM into the computer's CD-ROM drive or
DVD-ROM drive, and start Windows 2000 Setup.
2. On the Welcome to Setup page, press R.
3. On the Windows 2000 Repair Options page, press R.
4. When you are prompted to select one of the repair options, press M.
5. Press the UP ARROW, press the UP ARROW again, to select Verify Windows
2000 system files, and then press ENTER to clear the selection.
6. Press the DOWN ARROW to select Continue (perform selected tasks), and
then press ENTER. The following message appears:
You need an Emergency Repair disk for the Windows 2000
installation you want to repair.
7. Do one of the following, as appropriate to your situation:
* If you have an Emergency Repair Disk, follow these steps:
1. Press ENTER.
2. Insert the Emergency Repair Disk into the computer's floppy disk drive,
and then press ENTER.
3. Follow the instructions to repair the installation, and then restart the
computer.
-or-
* If you do not have an Emergency Repair Disk, follow these steps:
1. Press L. You receive a message similar to the following:
Setup has found Windows 2000 in the following folder:
drive:\WINNT "Microsoft Windows 2000"
2. Press ENTER.

Setup examines the disks, and then completes the repair process.
For more information about the emergency repair feature, click the following
article number to view the article in the Microsoft Knowledge Base:
231777 How to create an Emergency Repair Disk in Windows 2000

If Setup Cannot Locate Windows 2000

If you do not have a Windows 2000 Emergency Repair Disk, and if Setup cannot
locate the Windows 2000 installation, follow these steps:

1. Start Windows 2000 Setup.
2. On the Setup will install Windows 2000 on partition page, select Leave the
current file system intact (no changes), and then press ENTER.
3. Press ESC to install Windows 2000 to a new folder.
4. In the Select the folder in which the files should be copied box, type \tempwin,
and then press ENTER.

Setup installs a new copy of Windows 2000.

5. Log on to the new copy of Windows 2000.
6. Click Start, and then click Run.
7. In the Open box, type cmd, and then click OK.
8. At the command prompt, type drive:, where drive is the boot drive of the
computer, and then press ENTER. For example, type c:, and then press ENTER.
9. Type attrib -h -r -s Boot.ini, and then press ENTER.
10. Type edit Boot.ini, and then press ENTER.

Edit.com opens a Boot.ini file that is similar to the following file:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN="Microsoft Windows 2000 Professional" /fastdetect

11. Replace all instances of TEMPWIN with WINNT. The Boot.ini file that appears
is similar to the following file:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

12. Press ALT+F, and then press S.
13. Press ALT+F, and then press X.
14. Type attrib +h +r +s Boot.ini, and then press ENTER.
15. Type exit to quit the command prompt.
16. Restart the computer.
17. At the Please select the operating system to start screen, use the ARROW
keys to select Microsoft Windows 2000, and then press ENTER.
18. Start Windows Explorer, locate the following folders, and then delete them:
Tempwin
All Users.Tempwin
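The three Boot.ini edits described in this session (removing only the Recovery Console entry in "Remove the Recovery Console", checking that the default entry matches an [operating systems] line in Method 2, and replacing TEMPWIN with WINNT after the parallel installation) all work on the same file format, so here is one added Python example, not from the lab manual or from Microsoft, that parses a Boot.ini file, validates that default= points at an existing [operating systems] entry, removes an entry by its switch, and renames the system folder at the end of every ARC path. The two sample files are constructed to match the listings above, with the Recovery Console line added to the first one.

```python
"""Parse, validate and edit a Boot.ini file.

Added example, not code from the lab manual or from Microsoft.  The sample
files are constructed to match the Boot.ini listings in the text.
"""
import re

# ARC path syntax used in Boot.ini, e.g. multi(0)disk(0)rdisk(0)partition(1)\WINNT
ARC_PATH = re.compile(
    r"^(?P<adapter>multi|scsi|signature)\((?P<adapter_num>[0-9a-fA-F]+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)partition\((?P<partition>\d+)\)"
    r"(?P<dir>\\.*)$", re.IGNORECASE)

# Constructed sample: the Method 2 listing plus a Recovery Console entry.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT

[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
C:\cmdcons\bootsect.dat="Microsoft Windows 2000 Recovery Console" /cmdcons
"""

# Constructed sample: what Setup writes after a parallel installation to \tempwin.
PARALLEL_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN="Microsoft Windows 2000 Professional" /fastdetect
"""


def parse_arc(path):
    """Split an ARC path into its components, or return None if it is not one."""
    m = ARC_PATH.match(path)
    if not m:
        return None
    parts = m.groupdict()
    for field in ("disk", "rdisk", "partition"):
        parts[field] = int(parts[field])
    # signature() carries a hex disk signature; multi()/scsi() carry a decimal number
    base = 16 if parts["adapter"].lower() == "signature" else 10
    parts["adapter_num"] = int(parts["adapter_num"], base)
    return parts


def parse_boot_ini(text):
    """Return {section name: [(key, value), ...]} preserving entry order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
            continue
        if current is None or "=" not in line:
            raise ValueError(f"cannot parse line: {line!r}")
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def validate(sections):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    loader = dict(sections.get("boot loader", []))
    systems = sections.get("operating systems", [])
    if "default" not in loader:
        problems.append("[boot loader] has no default= line")
    if "timeout" in loader and not loader["timeout"].lstrip("-").isdigit():
        problems.append(f"timeout={loader['timeout']} is not a number")
    if not systems:
        problems.append("[operating systems] has no entries")
    targets = {key.lower() for key, _ in systems}
    default = loader.get("default", "")
    if default and default.lower() not in targets:
        problems.append(f"default={default} matches no [operating systems] entry")
    for key, value in systems:
        if not value.startswith('"') or value.count('"') < 2:
            problems.append(f"{key} has no quoted description")
        if key.lower().startswith(("multi(", "scsi(", "signature(")) and parse_arc(key) is None:
            problems.append(f"{key} is not a valid ARC path")
    return problems


def remove_entries_with_switch(text, switch):
    """Drop only the [operating systems] lines carrying a switch such as /cmdcons."""
    kept, in_systems = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_systems = line.lower() == "[operating systems]"
        if in_systems and switch.lower() in line.lower().split():
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


def rename_install(text, old, new):
    """Rename the system folder at the end of every ARC path (e.g. TEMPWIN -> WINNT)."""
    pattern = re.compile(r"(partition\(\d+\)\\)" + re.escape(old) + r'(?=[\s="]|$)',
                         re.IGNORECASE)
    return "\n".join(pattern.sub(lambda m: m.group(1) + new, raw)
                     for raw in text.splitlines()) + "\n"


if __name__ == "__main__":
    print("problems:", validate(parse_boot_ini(SAMPLE_BOOT_INI)))
    print(remove_entries_with_switch(SAMPLE_BOOT_INI, "/cmdcons"))
    print(rename_install(PARALLEL_BOOT_INI, "TEMPWIN", "WINNT"))
```

validate() is the check to run after any hand edit: a default= line that matches no [operating systems] entry, or a mangled ARC path, is exactly the kind of mistake the text warns may stop the computer from starting. rename_install() touches only the folder component of each ARC path, so a description string that happens to contain the old name is left alone.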

Additional Resources
For more information about how to troubleshoot the "NTLDR is Missing" error
message, click the following article numbers to view the articles in the Microsoft
Knowledge Base:
255220 "NTLDR is missing" error message when you upgrade or install Windows
2000 over Windows 95, Windows 98 or Windows Millennium Edition
228004 Changing active partition can make your system unbootable
883275 You cannot start your computer after you modify the permissions in
Windows Server 2003, in Windows XP, or in Windows 2000
Perform a Parallel Installation of Windows 2000
If you cannot resolve the behavior described in the "Symptoms" section of this
article by using any of the methods discussed in this article or by viewing the
Knowledge Base articles in the Additional Resources section of this article, perform
a parallel installation of Windows 2000, and then use Windows Explorer to copy the
data that you want to recover from your original Windows installation.

For more information about how to perform a parallel installation of Windows 2000,
click the following article number to view the article in the Microsoft Knowledge
Base:
266465 How to perform a parallel installation of Windows 2000 or Windows Server
2003

Exercise 3 : What you should do when you find that the drive letter (e.g. the C:
drive or the A: drive) changes after you restart your computer.
If your computer has one hard disk and a CD-ROM:
1. Install one of the versions of Windows that is listed earlier in this article. For
information about how to install an operating system, view the documentation that
is included with your operating system.
2. Start your computer normally, and then change the CD-ROM drive letter to T:
1. Click Start, point to Settings, click Control Panel, and then double-click
System.
2. Click the Device Manager tab, and then double-click the CD-ROM branch to
expand it.
3. Click your CD-ROM, click Properties, and then click the Settings tab.
4. Click T in the Start drive letter box, and then click T in the End drive letter
box.
5. Click OK, click Close, and then click Yes when you are prompted to restart
your computer.
255867 How to Use Fdisk and Format to Partition/Repartition a Hard Disk
If you want to add a removable media drive such as a CD-ROM, DVD, or CD-RW
drive and prevent drive letters from changing, read the "Notes" section of this article
before you install any programs.
Computer Has Two or More Hard Disks and a CD-ROM
If your computer has two or more hard disks and a CD-ROM:

1. Before you install an operating system or any programs, set your first hard disk to use a primary partition, and set all other hard disks to use an extended partition. After you create partitions on your hard disks, format them. For additional information about how to partition and format a hard disk, click the article number below to view the article in the Microsoft Knowledge Base:
255867 How to Use Fdisk and Format to Partition/Repartition a Hard Disk
2. Install one of the versions of Windows that is listed earlier in this article. For information about how to install an operating system, view the documentation that is included with your operating system.

IMPORTANT: After you install your operating system, do not install any other programs. Instead, continue to the next step.
3. Start your computer normally, and then change the CD-ROM drive letter to T:
   1. Click Start, point to Settings, click Control Panel, and then double-click System.
   2. Click the Device Manager tab, and then double-click the CD-ROM branch to expand it.
   3. Click your CD-ROM, click Properties, and then click the Settings tab.
   4. Click T in the Start drive letter box, and then click T in the End drive letter box.
   5. Click OK, click Close, and then click Yes when you are prompted to restart your computer.

255867 How to Use Fdisk and Format to Partition/Repartition a Hard Disk


If you want to add a removable media drive such as a CD-ROM, DVD, or CD-RW
drive and prevent drive letters from changing, read the "Notes" section of this article
before you install any programs.

Exercise 4 : Back up the recovery agent Encrypting File System (EFS) private key.
To export the recovery agent’s private key from a computer that is a member of a workgroup, follow these steps:

1. Log on to the computer by using the recovery agent’s local user account.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add.
4. Under Available Standalone Snap-ins, click Certificates, and then click Add.
5. Click My user account, and then click Finish.
6. Click Close, and then click OK.
7. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.
8. Locate the certificate that displays the words "File Recovery" (without the quotation marks) in the Intended Purposes column.
9. Right-click the certificate that you located in step 8, point to All Tasks, and then click Export. The Certificate Export Wizard starts.
10. Click Next.
11. Click Yes, export the private key, and then click Next.
12. Click Personal Information Exchange – PKCS #12 (.PFX).

Note We strongly recommend that you also click to select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your private key from unauthorized access.

If you click to select the Delete the private key if the export is successful check box, the private key is removed from the computer and you will not be able to decrypt any encrypted files.
13. Click Next.
14. Specify a password, and then click Next.
15. Specify a file name and location where you want to export the certificate and the private key, and then click Next.

Note We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.
16. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.

Export the domain recovery agent's private key

The first domain controller in a domain contains the built-in Administrator profile that contains the public certificate and the private key for the default recovery agent of the domain. The public certificate is imported to the Default Domain Policy and is applied to domain clients by using Group Policy. If the Administrator profile or the first domain controller is no longer available, the private key that is used to decrypt the encrypted files is lost, and files cannot be recovered through that recovery agent.

To locate the Encrypted Data Recovery policy, open the Default Domain Policy in the Group Policy Object Editor snap-in, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.

To export the domain recovery agent's private key, follow these steps:

1. Locate the first domain controller that was promoted in the domain.
2. Log on to the domain controller by using the built-in Administrator account.
3. Click Start, click Run, type mmc, and then click OK.
4. On the File menu, click Add/Remove Snap-in, and then click Add.
5. Under Available Standalone Snap-ins, click Certificates, and then click Add.
6. Click My user account, and then click Finish.
7. Click Close, and then click OK.
8. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.
9. Locate the certificate that displays the words "File Recovery" (without the quotation marks) in the Intended Purposes column.
10. Right-click the certificate that you located in step 9, point to All Tasks, and then click Export. The Certificate Export Wizard starts.
11. Click Next.
12. Click Yes, export the private key, and then click Next.
13. Click Personal Information Exchange – PKCS #12 (.PFX).

Note We strongly recommend that you click to select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your private key from unauthorized access.

If you click to select the Delete the private key if the export is successful check box, the private key is removed from the domain controller. As a best practice, we recommend that you use this option. Install the recovery agent's private key only in situations when you need it to recover files. At all other times, export, and then store the recovery agent's private key offline to help maintain its security.
14. Click Next.
15. Specify a password, and then click Next.
16. Specify a file name and location where you want to export the certificate and the private key, and then click Next.

Note We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.
17. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.
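The same export as the workgroup procedure earlier and the domain procedure just described, done from PowerShell instead of the Certificates snap-in. This is an added example and not part of the manual; it assumes Windows 8 / Windows Server 2012 or later for Export-PfxCertificate (so it does not run on Windows 2000 itself), and the output folder C:\RecoveryAgentBackup is a constructed placeholder.

```powershell
# Added example (not from the manual): export the EFS recovery agent certificate
# and private key to a password-protected PKCS #12 file, the command-line
# equivalent of steps 7-16 of the Certificates snap-in procedure above.
# Assumes Windows 8 / Windows Server 2012 or later (Export-PfxCertificate comes
# from the PKI module); run it as the recovery agent account, local or domain.

# Constructed placeholder: point this at removable media before a real backup.
$OutDir = 'C:\RecoveryAgentBackup'

# The "File Recovery" entry in the Intended Purposes column is the EFS Recovery
# enhanced key usage, OID 1.3.6.1.4.1.311.10.3.4.1.
$EfsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

# Steps 7-8: Certificates - Current User > Personal > Certificates, filtered to
# File Recovery certificates that still carry a private key.
$recoveryCerts = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsRecoveryOid })
})

if ($recoveryCerts.Count -eq 0) {
    Write-Warning 'No File Recovery certificate with a private key found for this user.'
    return
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 14: the PFX password is typed at run time, never stored in the script.
$pfxPassword = Read-Host -Prompt 'Password for the PFX file' -AsSecureString

foreach ($cert in $recoveryCerts) {
    $file = Join-Path $OutDir "RecoveryAgent-$($cert.Thumbprint).pfx"

    # Steps 11-12: PKCS #12 (.PFX) including the private key. Nothing is deleted
    # from the certificate store here; remove the key separately, and only after
    # the backup below has been verified and stored offline, as the manual advises.
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $pfxPassword -ErrorAction Stop | Out-Null

    # Step 16 equivalent: reopen the file with the same password and confirm that
    # it holds the same certificate and that the private key travelled with it.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file, $pfxPassword)
    if ($check.Thumbprint -eq $cert.Thumbprint -and $check.HasPrivateKey) {
        Write-Host "Exported and verified: $file"
    } else {
        Write-Warning "Verification failed for $file; do not rely on this backup."
    }
}
```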

Exercise 5 : Encrypt files and folders on a remote Windows 2000 server.

1. Connect to the server that contains the files or folders that you want to encrypt.
2. Right-click the file or folder that you want to encrypt, and then click Properties.
3. On the General tab, click Advanced.
4. Click to select the Encrypt contents to secure data check box, click OK, and then click OK.

Note that if you encrypt a folder, you are prompted to confirm how you want to apply the attributes. Click either of the following options, and then click OK:
* Apply to this folder only
* Apply changes to this folder, subfolders and files
5. Repeat steps 2 through 4 for each file or folder that you want to encrypt.

Decrypt Files and Folders on a Remote Server

1. Connect to the server that contains the files or folders that you want to decrypt.
2. Right-click the file or folder that you want to decrypt, and then click Properties.
3. On the General tab, click Advanced.
4. Click to clear the Encrypt contents to secure data check box, click OK, and then click OK.

Note that if you decrypt a folder, you are prompted to confirm how you want to apply the attributes. Click either of the following options, and then click OK:
* Apply to this folder only
* Apply changes to this folder, subfolders and files
5. Repeat steps 2 through 4 for each file or folder that you want to decrypt.

Exercise 6 : If you cannot print to a network printer after adding Internet Connection Sharing, how will you resolve it?

You will need to designate a Windows XP computer as the host. This computer
must have two network adapters, one for your internal network and one for the
Internet connection. Before attempting to enable ICS, verify that the host computer
has a working connection to the Internet through the network card connected to the
cable modem or DSL line, or on the network connection associated with the modem.
The easiest way to enable ICS is to use the Network Setup Wizard, by following
these steps:

1. Click Start, point to All Programs, point to Accessories, point to Communications, and then click Network Setup Wizard.
2. Click Next until you see the Select a connection method screen.
3. Click This computer connects directly to the Internet, and complete the wizard to install ICS.
This method has several advantages in that the wizard automatically detects the
connection to the Internet, configures Internet Connection Firewall (ICF), bridges
multiple network adapters connected to your home network and creates a log of
information about the configuration named nsw.log in the Windows folder.

Turning on ICS manually is almost as easy as using the wizard except that you
need to create the bridge for multiple network cards before enabling ICS. (See an
earlier column, Building Network Bridges for more information on how to use the
bridging capability in Windows XP.) Then take these steps:

1. In Control Panel, click Network and Internet Connections and then click Network Connections.
2. Click the local area network (LAN) connection or the dial-up networking connection that you want to share (that is, the one that connects to the Internet), and then, under Network Tasks, click Change settings of this connection.
3. Disable Client for Microsoft Networks and File and Print Sharing for Microsoft Networks by clearing the check boxes shown in Figure 1. This step is extremely important. Never leave these items enabled for any network card that is directly connected to the Internet (see sitting duck, above).

Figure 1

4. Click the Advanced tab, and select the Allow other network users to connect through this computer's Internet connection check box.

Figure 2

5. You can enable or disable the allowing of other users to control the connection; users don't need to be able to control the connection to use it.
6. Under Internet Connection Firewall, select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box for this network card, unless you have another firewall between the computer and the Internet. This is very important.
7. Click OK, and Internet Connection Sharing will be enabled.

Troubleshooting ICS

If you have a problem with ICS, the best place to start is the Internet Connection
Sharing Troubleshooter. You start the Troubleshooter with the following steps:

1. Click Start, and then click Help and Support.
2. Under Pick a Help Topic, click Fixing a problem.
3. In the left pane, click Networking problems.
4. In the right pane, click Internet Connection Sharing Troubleshooter and follow the instructions.

The Troubleshooter can address problems such as not being able to receive e-mail
on an ICS client, the client or host computer fails to dial out or dials out without
notifying you, you're unable to browse the Internet from a client or host computer, or
your DSL or cable modem connection is slow. However, if the Troubleshooter
leaves you troubled, here are some other common problems and their solutions.

ICS Not Enabled


If you're configuring ICS manually, be sure that the internal network adapter on the
host computer doesn't have Internet Connection Firewall enabled. If ICF is enabled,
you'll have to disable it before configuring ICS on the external adapter. Or take the
easy way and run the Network Setup Wizard, which will automatically disable ICF
on home networking adapters.

Check the IP address on the external adapter to verify that it is obtaining an IP address from your ISP. Similarly, check the IP address on the internal network adapter to verify that it is 192.168.0.1. If it's not, disable ICS, and then make sure the internal adapter is configured to use DHCP. Then re-enable ICS.

Internet Connection Sharing (ICS) automates the IP numbering task for the ICS
clients on your network with the Dynamic Host Configuration Protocol (DHCP)
service. The DHCP service enables the ICS host computer to assign IP addresses
to its clients automatically. By default, when ICS is installed, the DHCP service
begins supplying addresses to computers on the network.
Cannot Print to a Network Printer after Adding ICS
After you add Internet Connection Sharing (ICS), you discover that you can't print.
This can happen because ICS uses a Class C subnet with an address range of
198.168.0.x. To solve the problem, give the printer an IP address to match the
subnet of the client computers.
Computers on the Network Can't Connect to the Host
As part of the process of enabling ICS, the network adapter for the internal network
on the host computer is set to a fixed IP address of 192.168.0.1 and a special
DHCP server is enabled on that connection.
If computers on your network can't see the ICS host, it may be because they are not
enabled to use DHCP. Check to see if DHCP is enabled on the client computer:

1. In Control Panel, click Network and Internet Connections, and then click Network Connections.
2. Right-click the connection icon, and then click Properties.
3. Highlight Internet Protocol (TCP/IP), and then click Properties.
4. On the General tab, if an IP address is specified, select the option Obtain an IP address automatically.
If a client computer has DHCP enabled and still can't see the host computer, try rebooting the client. Make sure that there are no other DHCP providers on the network, such as an Internet gateway device. Any such device should be on the outside segment of the network, between the host computer and the Internet, not between the host computer and the internal network.
If you use Windows XP at home or in a small business, and you have a topic you'd
like to see covered in a future column, feel free to write me at:
sharoncrawford@mvps.org. I'd be glad to receive ideas and suggestions.
Sharon Crawford is a former editor now engaged in writing books and magazine
articles. Since 1993, she has written or co-written two dozen books on computer
topics. Her books include Windows 2000 Pro: The Missing Manual, Windows 98: No
Experience Required, and Windows 2000 Professional for Dummies (with Andy
Rathbone).

Exercise 7 : When you install a modem, how do you enable/disable call waiting on the computer?

Disable Call Waiting


If you subscribe to Call Waiting and you connect to the Internet via a dial-up
account, you should temporarily disable the feature each time you go online. The
audible tone that signals incoming calls can cause your modem to abruptly drop
your connection. By configuring your settings properly, you can prevent this
problem.
If You Use the Hubris Communications CD-ROM Software

1. Double-click the icon on your Desktop labeled “Hubris.”
2. The “Connect to Hubris Communications” window will appear. Within this window, click the button labeled “Properties.”
3. The “Location Properties” window will appear. In this box, you can enter various settings to alter the way the phone number is dialed.
   * Click the checkbox beside the line labeled “To disable call waiting, dial.”
   * In the box to the right, select the correct Call Waiting code. For most customers, *70, is the correct choice.
4. Click “OK” to save your changes. Now whenever you dial into the Internet, your modem will dial the special code to temporarily disable Call Waiting before it dials the connection number.

If You Connect Directly through Windows


Instructions for Windows 95/98 and Windows ME

1. Configure Dialing Properties to disable Call Waiting:
   1. Click the Start menu, then click “Settings,” then “Control Panel.”
   2. In the window that appears, double-click the icon labeled “Modems.”
   3. In the window that appears, click the button near the bottom labeled “Dialing Properties.”
   4. In the box labeled “Area Code,” be sure to enter your actual area code.
   5. Click the checkbox beside the option labeled “To disable call waiting, dial.” Then select the correct code in the drop down list that appears to the right.
   6. Click “OK,” then click “OK” again to save your settings.
   7. Close all windows to return to the Desktop.
2. Enable the Dialing Properties Feature in the Connectoid:
   1. Double-click the My Computer icon on the Desktop.
   2. In the window that appears, double-click the Dial-Up Networking icon.
   3. In the window that appears, locate the icon for your Internet connection. Right-click this icon, then select “Properties” from the menu that appears.
   4. In the window that appears, enable the option labeled “Use area code and Dialing Properties.” Please note that this does not necessarily mean that you are telling your computer to dial the number as a long-distance call!
   5. In the box labeled “Area Code,” be sure to enter the area code for the dial-up access number you are using to connect to the Internet. In almost all cases, this is the same area code as your own phone number.
   6. Click “OK” to save your changes.
3. Now, whenever you connect to the Internet, Windows will first dial the code to disable Call Waiting before dialing the Internet access number.

Instructions for Windows 2000 and Windows XP

1. Configure Dialing Rules to disable Call Waiting:
   1. Click the Start menu, then click “Settings,” then “Control Panel.” (In Windows XP, “Control Panel” is listed directly on the Start menu.)
   2. In the window that appears, double-click the icon labeled “Phone and Modem Options.”
   3. In the window that appears, click the button near the bottom labeled “Edit.”
   4. In the box labeled “Area Code,” be sure to enter your actual area code.
   5. Click the checkbox beside the option labeled “To disable call waiting, dial.” Then select the correct code in the drop down list that appears to the right.
   6. Click “OK,” then click “OK” again to save your settings.
   7. Close all windows to return to the Desktop.
2. Enable the Dialing Properties Feature in the Connectoid:
   1. Click the Start menu, then click “Settings,” then “Control Panel.” (In Windows XP, “Control Panel” is listed directly on the Start menu.)
   2. Double-click the icon labeled “Network and Dial-up Connections.” (In Windows XP, it’s called “Network Connections.”)
   3. In the window that appears, locate the icon for your Internet connection. Right-click this icon, then select “Properties.”
   4. In the window that appears, enable the option labeled “Use dialing rules.” Please note that this does not necessarily mean that you are telling your computer to dial the number as a long-distance call!
   5. In the box labeled “Area Code,” be sure to enter the area code for the dial-up access number you are using to connect to the Internet. In almost all cases, this is the same area code as your own phone number.
   6. Click “OK” to save your changes.
3. Now, whenever you connect to the Internet, Windows will first dial the code to disable Call Waiting before dialing the Internet access number.

Exercise 8 : If you are having trouble getting a dial-up connection and you want to change the modem speed or check the modem's response, how will you do it? If you have a noisy channel and are not able to connect, write down the series of steps you will follow to detect and correct it.

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2
To change the maximum modem port speed
1. Open Phone and Modem Options in Control Panel.
2. On the Modems tab, click the modem that you want to configure, then click
Properties.
3. On the Modem tab, in the Maximum Port Speed list, click the speed for the
modem.

Information about functional differences


* Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

Exercise 9 : When you use a dial-up Remote Access Service (RAS) connection to browse the Internet or to connect to a private network, your computer may hang and return a stop error: "Stop 0x0000000A". Resolve this problem.
Use the Windows Error Reporting tool
You can use the Windows Error Reporting tool to send information about the error to us and to obtain information about any available fix or workaround. Follow these steps to use the Windows Error Reporting Tool:

1. When the Windows Error Reporting window pops up on your computer, click Send Error Report to send the error report to us.
2. In the confirmation window that appears after you send the error report to us, click More Information. This helps you find any available fixes for the problem or information about how to work around the issue.
3. If a fix or a workaround is not available, you can use the "Advanced Troubleshooting" section to try to resolve this issue. If you are not comfortable with advanced troubleshooting, you might want to contact Support. For information about how to contact Support, visit the following Microsoft Web site:

Advanced troubleshooting
Use the following methods in the order in which they are presented.
Method 1: Make sure that you have sufficient hard disk space
First, make sure that you have sufficient hard disk space. The Stop error can be
caused by insufficient hard disk space.

If you can use safe mode or the Recovery Console to start the computer, delete any
unnecessary temporary files, Internet cache files, program backup files, and files
that contain saved file fragments from disk scans (.chk files). You can also install
Windows XP on another hard disk that has more free space.

If you cannot start the computer, go to the next method to update the computer
BIOS.

For more information about safe mode or the Recovery Console, click the following
article numbers to view the articles in the Microsoft Knowledge Base:
315222 A description of the Safe Boot Mode options in Windows XP
314058 Description of the Windows XP Recovery Console
Method 2: Update the computer BIOS
If freeing space on your hard disk did not resolve the problem, the BIOS might have
to be updated. Use the hardware and software vendor contact information articles
that are listed in the "References" section to contact the computer manufacturer to
obtain the most recent BIOS update.

Method 3: Disable or update device drivers
If you have updated the BIOS successfully and the problem persists, the video
adapter drivers on the computer might have to be updated or disabled. Follow these
steps to troubleshoot the video adapter drivers:

1. If a driver is listed by name in the Stop error message, disable or remove that driver.
   * If the error occurs during the startup sequence and the system partition uses the NTFS file system, you might be able to use safe mode to rename or to delete the faulty driver.
   * If the driver is used as part of the system startup process in safe mode, you must use the Recovery Console to start the computer.
2. If the Stop error message does not indicate a specific driver, update the video adapter drivers to the latest versions.
3. Disable or remove any drivers or services that you recently added.
4. Check the Microsoft Hardware Compatibility List (HCL) to determine whether the PCI devices in the computer are compatible with Windows XP. For information about the HCL, visit the following Microsoft Web site:

Method 4: Remove unsigned drivers


If you have updated the video adapter drivers and the problem persists, or if you
cannot start Windows in safe mode, the problem might be caused by a different,
unsigned driver. Remove all drivers that are not digitally signed by Microsoft. For
more information about how to do this, click the following article number to view the
article in the Microsoft Knowledge Base:
316434 How to perform advanced clean-boot troubleshooting in Windows XP

Method 5: Remove all third-party drivers


You might be unable to determine which third-party driver causes the error. If
removing unsigned drivers does not resolve the issue, try moving all third-party
driver files from the %Windir%\System32\Drivers folder to a different location.
Follow these steps to move the third-party driver files:

1. Use the Recovery Console to start the computer, or start the computer from a different installation of Windows if you have performed a parallel Windows installation.
2. Create a temporary folder to hold the driver files. For example, you could create c:\DriverTemp.
3. Move all files that do not have a creation date for Windows XP of 8/13/2001 from the %Windir%\System32\Drivers folder into the temporary folder that you created in step 2.

Caution If the computer relies on third-party IDE or SCSI controller drivers for correct operation, you must identify those driver files and then leave them in the %Windir%\System32\Drivers folder.
4. Restart the computer.
5. Continue the Windows Setup program. You can add the driver files back to the computer one at a time to identify the faulty driver.
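Methods 4 and 5 combined in a PowerShell script that inventories %Windir%\System32\Drivers by signature status and creation date and stages the third-party candidates into the temporary folder. This is an added example, not from the original article; the 8/13/2001 baseline date and c:\DriverTemp come from the text, the protected storage-driver list is an assumption to adjust for your own controller, and nothing is moved unless -Move is given.

```powershell
# Added example (not from the original article): inventory %Windir%\System32\Drivers
# and stage third-party drivers for removal, combining method 4 (unsigned drivers)
# and method 5 (files not dated like the OS). Reports only unless -Move is given.
param(
    [string]   $DriverDir    = (Join-Path $env:windir 'System32\Drivers'),
    [string]   $TempDir      = 'C:\DriverTemp',               # step 2 of method 5
    [datetime] $BaselineDate = [datetime]'2001-08-13',        # Windows XP file date, step 3
    # Assumption: boot-critical storage drivers for this machine (the IDE/SCSI
    # controller drivers the Caution refers to). Adjust for your own hardware.
    [string[]] $Protected    = @('atapi.sys', 'intelide.sys', 'pciide.sys',
                                 'pciidex.sys', 'disk.sys', 'classpnp.sys'),
    [switch]   $Move
)

# Note: inbox drivers on Windows Vista and later are usually catalog-signed, so
# Get-AuthenticodeSignature reports them as NotSigned; this check matches the
# Windows XP era the article describes, where the Microsoft signature is embedded.
$inventory = Get-ChildItem -Path $DriverDir -File | ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Name            = $_.Name
        Created         = $_.CreationTime
        Signature       = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        MicrosoftSigned = ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*')   # method 4
        MatchesBaseline = ($_.CreationTime.Date -eq $BaselineDate.Date)              # method 5
        Protected       = ($Protected -contains $_.Name)
    }
}

# Full picture first, so the operator can see why each file was or was not selected.
$inventory | Sort-Object MicrosoftSigned, Created |
    Format-Table Name, Created, Signature, MicrosoftSigned, MatchesBaseline, Protected -AutoSize

# A file is a candidate when it is neither Microsoft-signed nor dated like the OS
# and it is not a protected storage driver.
$thirdParty = @($inventory | Where-Object { -not $_.MicrosoftSigned -and -not $_.MatchesBaseline })
$candidates = @($thirdParty | Where-Object { -not $_.Protected })
$kept       = @($thirdParty | Where-Object { $_.Protected })

Write-Host ("{0} candidate driver file(s); {1} protected storage driver(s) left in place: {2}" -f
    $candidates.Count, $kept.Count, ($kept.Name -join ', '))

if (-not $Move) {
    Write-Host "Dry run only. Re-run with -Move to move the candidates to $TempDir."
    return
}

New-Item -ItemType Directory -Path $TempDir -Force | Out-Null
foreach ($c in $candidates) {
    # Step 3: move rather than delete, so each file can be put back one at a time
    # (step 5) to find the faulty driver. -Confirm asks before every move.
    Move-Item -Path (Join-Path $DriverDir $c.Name) -Destination $TempDir -Confirm
}
```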

Method 6: Remove third-party remote control services


If you still have the problem after you use the previous methods and the Stop error
message contains the Win32k.sys file name instead of a driver file name, the
problem might be caused by a third-party remote control program. To remove the
service, use the Recovery Console to start the computer and then delete the third-
party remote control service file.

Exercise 10 : When you attempt to view a Web page and receive the error message "Not accepting cookies", how will you resolve it?

Method 1
Enable the option to accept cookies in Internet Explorer. To do so, follow
these steps:

1. In Internet Explorer, click Internet Options on the Tools menu (or View menu in Internet Explorer version 4.x).
2. In Internet Explorer 5, click the Security tab, and then click Custom Level. Click Enable or Prompt under Allow cookies that are stored on your computer.

In Internet Explorer 4.x, click the Advanced tab, and then click Prompt Before Accepting Cookies or Always Accept Cookies.
3. Click OK until you return to Internet Explorer.
4. Connect to the Web address from which you received the "Not accepting cookies" error message to verify that you are able to gain access to the Web page.

If you select the Prompt Before Accepting Cookies option and you still cannot
access the Web page, follow the steps in method 1 again and select the Always
Accept Cookies option (the Enable option in Internet Explorer 5).

Method 2
Rename the cookie file in the Windows\Cookies folder for the Web page from which you received the "Not accepting cookies" error message. To rename the cookie file, follow these steps:

1. Double-click My Computer, double-click the drive on which the Windows folder is located, double-click the Windows folder, and then double-click the Cookies folder.
2. In the Cookies folder, rename the "User name@Web site.txt" file, where User name is the name you used to log on to Windows, and Web site is the name of the Web site you tried to access. For example:
user@microsoft.txt
Using this example, you could rename the User@microsoft.txt file to User@microsoft.old. For information about how to rename a file, click Start, click Help, click the Index tab, type renaming, and then double-click the Renaming files topic.
3. Connect to the Web page from which you received the "Not accepting cookies" error message to verify that you are able to access the Web page.

Method 3
Change the cookies option to try to update the registry correctly. To do so, use the
appropriate steps.
Internet Explorer 5
In Internet Explorer, click Internet Options on the Tools menu, click the Security tab,
choose a lower security level for the Internet zone, and then click OK.
Internet Explorer 4.x

1. In Internet Explorer, click Internet Options on the View menu.


2. Click the Advanced tab, and then click a cookies option other than the currently
selected option.
3. Click OK.
4. In Internet Explorer, click Internet Options on the View menu.
5. Click the Advanced tab, and then click the cookies option you want to use.
6. Click OK.
7. Connect to the Web page from which you received the "Not accepting cookies"
error message to
verify that you are able to access the Web address.

Method 4
Important This section, method, or task contains steps that tell you how to modify
the registry. However, serious problems might occur if you modify the registry
incorrectly. Therefore, make sure that you follow these steps carefully. For added
protection, back up the registry before you modify it. Then, you can restore the
registry if a problem occurs. For more information about how to back up and restore
the registry, click the following article number to view the article in the Microsoft
Knowledge Base:
322756 How to back up and restore the registry in Windows
Internet Explorer 5

1. Use Registry Editor to change the "1A02" value under the appropriate key in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

Values:

1 = Local intranet
2 = Trusted sites
3 = Internet
4 = Restricted sites
2. Connect to the Web page from which you received the "Not accepting cookies" error message to verify that you are able to access the Web address.

Internet Explorer 4.x

1. Use Registry Editor to change the "AllowCookies" value in the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Use one of the following values for the "AllowCookies" value:

Value   Meaning
-----   -------------------------------
0       Prompt before accepting cookies
1       Always accept cookies
2       Disable all cookie use
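The registry edits of method 4 for both Internet Explorer versions, as a PowerShell script that shows the current values and, with -Fix, backs up the key and sets the more conservative Prompt behaviour. This is an added example, not from the original article; the 0/1/3 meanings for 1A02 are the standard URL-action values and are an assumption, since the manual names only the value and the zone numbers.

```powershell
# Added example (not from the original article): show and, with -Fix, repair the
# cookie settings that method 4 edits in Registry Editor, for Internet Explorer 5
# (per-zone "1A02" value) and Internet Explorer 4.x ("AllowCookies").
# The key is exported to a .reg file before anything is changed, as the
# Important note requires.
param(
    [ValidateRange(1, 4)]
    [int]    $Zone = 3,   # 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
    [switch] $Fix
)

$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneKey      = Join-Path $InetSettings "Zones\$Zone"

# Assumption (standard URL-action values; the manual names only the value): for
# 1A02, "Allow cookies that are stored on your computer", 0 = Enable, 1 = Prompt,
# 3 = Disable.
$UrlActionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# From the manual's AllowCookies table for IE 4.x.
$AllowCookiesNames = @{ 0 = 'Prompt before accepting cookies'
                        1 = 'Always accept cookies'
                        2 = 'Disable all cookie use' }

function Format-CookieValue($value, [hashtable]$names) {
    # Renders a raw DWORD as "value (meaning)" so the operator can read the report.
    if ($null -eq $value) { return 'not set' }
    if ($names.ContainsKey([int]$value)) { return "$value ($($names[[int]$value]))" }
    return "$value (unknown)"
}

function Get-CookieSetting {
    # Reads both values; a missing value comes back as $null rather than an error.
    $zoneVal  = (Get-ItemProperty -Path $ZoneKey -Name '1A02' -ErrorAction SilentlyContinue).'1A02'
    $allowVal = (Get-ItemProperty -Path $InetSettings -Name 'AllowCookies' -ErrorAction SilentlyContinue).AllowCookies
    [pscustomobject]@{
        Zone             = $Zone
        IE5_1A02         = Format-CookieValue $zoneVal $UrlActionNames
        IE4_AllowCookies = Format-CookieValue $allowVal $AllowCookiesNames
    }
}

Write-Host 'Current settings:'
Get-CookieSetting | Format-List

if (-not $Fix) { return }

# Back up first (reg.exe export is the command-line form of the Registry Editor
# export that KB 322756 describes).
$backup = Join-Path $env:TEMP ('InternetSettings-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; not changing anything.' }
Write-Host "Backup written to $backup"

# IE 5: set the zone's 1A02 action to Prompt, the more conservative of the two
# choices (Enable or Prompt) that method 1 offers in the Custom Level dialog.
if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
Set-ItemProperty -Path $ZoneKey -Name '1A02' -Value 1 -Type DWord

# IE 4.x: AllowCookies = 0, "Prompt before accepting cookies", from the table above.
Set-ItemProperty -Path $InetSettings -Name 'AllowCookies' -Value 0 -Type DWord

Write-Host 'Settings after the change:'
Get-CookieSetting | Format-List
```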
