Sunday, May 10, 2009

Happy Mothers Day To All The Mothers

Happy Mothers Day To All My Mommys Out There. Here's A Lil Song For U.

1 comment:

Anonymous said...

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment

Chapter 1:
Introduction to Windows Server 2003
Objectives
• Differentiate between the different editions of Windows Server 2003
• Explain Windows Server 2003 network models and server roles
• Identify concepts relating to Windows Server 2003 network management and maintenance
• Explain Windows Server 2003 Active Directory concepts
Windows Server 2003 Network Administration Goals
• To ensure that network resources such as files, folders, and printers are available to users
• To secure the network so that available resources are only accessible to users who have been granted the proper permissions
Windows Server 2003 Editions
• Multiple versions of Windows Server 2003 exist
• Each version is defined to meet the need of a certain market segment
• Versions Include:
• Standard Edition
• Enterprise Edition
• Datacenter Edition
• Web Edition
Standard Edition
• Designed for everyday needs of small to medium businesses or as a departmental server for larger organizations
• Provides file and print services, secure Internet connectivity, centralized management of network resources
• Logical upgrade path for Windows 2000 Server
• Can be used as a domain controller, member server, or standalone server

Enterprise Edition
• Generally used for medium to large businesses
• Designed for organizations that require better performance, reliability, and availability than Standard Edition provides
• Provides support for mission-critical applications
• Available in both 32 and 64-bit editions

Datacenter Edition
• Designed for mission-critical applications, very large databases, and information access that requires the highest levels of availability
• Can only be obtained from Original Equipment Manufacturers (OEMs)

Web Edition
• Lower-cost edition
• Designed for hosting and deploying Web services and applications
• Meant for small to large companies or departments that develop and/or deploy Web services

Windows Networking Concepts Overview
• Two different security models used in Windows environments
• Workgroup
• Domain
• Three roles for a Windows Server 2003 system in a network
• Standalone server
• Member server
• Domain controller
Workgroups
• A workgroup is a logical group of computers
• Characterized by a decentralized security and administration model
• Authentication provided by a local account database – Security Accounts Manager (SAM)
• Limitations
• Users need unique accounts on each workstation
• Users manage their own accounts (security issues)
• Not very scalable
Domains
• A domain is a logical group of computers
• Characterized by centralized authentication and administration
• Authentication provided through centralized Active Directory
• Active Directory database can be physically distributed across domain controllers
• Requires at least one system configured as a domain controller
Member Servers
• A member server
• Has an account in a domain
• Is not configured as a domain controller
• Typically used for file, print, application, and host network services
• All 4 Windows Server 2003 Editions can be configured as member servers
Domain Controllers
• Explicitly configured to store a copy of Active Directory
• Service user authentication requests
• Service queries about domain objects
• May be a dedicated server but is not required to be

Computer Accounts
• Assigned in Windows NT, 2000, XP, and 2003
• Assigned when joining a domain
• Method for authentication and access auditing
• Accounts are represented as computer objects
• Accounts can be viewed using administrative tools
• e.g., Active Directory Users and Computers

Using Active Directory Users and Computers to View a Computer Object
Network Management and Maintenance Overview
• Five major focus areas of administrative tasks
• Managing and maintaining physical and logical devices
• Managing users, computers, and groups
• Managing and maintaining access to resources
• Managing and maintaining a server environment
• Managing and implementing disaster recovery
Managing and Maintaining Physical and Logical Devices
• Network administrator responsibilities include:
• Installing and configuring hardware devices
• Managing server disks
• Monitoring and managing performance
• Tools include
• Control panel applets
• Device Manager
• Disk Defragmenter
Managing Users, Computers, and Groups
• User accounts
• Creation, maintenance, passwords
• Group accounts
• Assign network rights and permissions to multiple users
• Support e-mail distribution lists
• Computer accounts
• Active Directory tools and utilities used to create and maintain computer accounts

The Reset Password Dialog Box in Active Directory Users and Computers
Managing and Maintaining Access to Resources
• Server 2003 uses sharing technique
• Sharing setup
• Through Windows Explorer interface and Computer Management administrative tool
• Shared folder and NTFS permissions
• Terminal services
• Allows access to applications through a central server
• Allows access from desktops running different operating systems
Managing and Maintaining a Server Environment
• Covers a wide variety of tasks including:
• Managing server licensing
• Managing patches and software updates
• Managing Web servers
• Managing printers, print queues, disk quotas
• A wide variety of tools are available including:
• Event Viewer and System Monitor
• Software Update Services
• Microsoft Management Console

The Add Standalone Snap-in Dialog Box
Selecting the Snap-In Focus
Managing and Implementing Disaster Recovery
• Main component of disaster recovery is system backup
• Backup tool provided is Windows Backup
• Different types of backup
• Automated scheduling of backups
• Back up critical system state information
• Automated System Recovery
• Shadow Copies of Shared Folders
Introduction to Windows Server 2003 Active Directory
• Provides the following services
• Central point for storing and managing network objects
• Central point for administration of objects and resources
• Logon and authentication services
• Delegation of administration
• Stored on domain controllers in the network
• Changes made to any Active Directory will be replicated across all domain controllers
• Multimaster replication
• Fault tolerance for domain controller failure
• Uses Domain Name Service (DNS) conventions for network resources
Active Directory Objects
• An object represents a network resource such as a user, group, computer, or printer
• Objects have attributes depending on object type
• Objects are searchable by attributes
Active Directory Schema
• Schema defines the set of possible objects for entire Active Directory structure
• Only one schema for a given Active Directory, replicated across domain controllers
• Two main definitions
• Object classes
• Attributes
• Attributes and object classes have a many-to-many relationship
Active Directory Logical Structure and Components
• Active Directory comprises components that:
• Enable design and administration of a network structure
• Logical
• Hierarchical
• Components include:
• Domains and organizational units
• Trees and forests
• A global catalog
Domains and Organizational Units
• Domain
• Has a unique name
• Is organized in hierarchical levels
• Has an Active Directory replicated across its domain controllers
• Organizational unit (OU)
• A logical container used to organize domain objects
• Makes it easy to locate and manage objects
• Allows you to apply Group Policy settings
• Allows delegation of administrative control
An Active Directory Domain and OU Structure
Trees and Forests
• Sometimes necessary to create multiple domains within an organization
• First Active Directory domain is the forest root domain
• A tree is a hierarchical collection of domains that share a contiguous DNS naming structure
• A forest is a collection of trees that do not share a contiguous DNS naming structure
• Transitive trust relationships exist among domains in trees and, optionally, in and across forests
Global Catalog
• An index and partial replica of most frequently used objects and attributes of an Active Directory
• Replicated to any server in a forest configured to be a global catalog server
• Four main functions
• Enable users to find Active Directory information
• Provide universal group membership information
• Supply authentication services when a user logs on from another domain
• Respond to directory lookup requests from Exchange 2000 and other applications
An Active Directory Forest
Active Directory Communications Standards
• The Lightweight Directory Access Protocol (LDAP) is used to query or update Active Directory database directly
• LDAP follows convention using naming paths with two components
• Distinguished name: the unique name of an object in Active Directory
• Relative distinguished name: the portion of a distinguished name that is unique within the context of its container
Active Directory Physical Structure
• Physical structure distinct from logical structure
• Important to consider the effect of Active Directory traffic and authentication requests on physical resources
• A site is a combination of 1+ Internet Protocol (IP) subnets connected by a high-speed connection
• A site link is a configurable object that represents a connection between sites
Summary
• Windows Server 2003 network administration goals:
• Make network resources available to users as permitted
• Secure the network from unauthorized access
• Four editions of Windows Server 2003 with different features and costs
• Two network security models with three possible server roles
• Five broad categories of network administration tasks in a Windows Server 2003 environment
• Native directory service is Active Directory
• Objects and schema
• Domains, organizational units and controllers
• Trees and forests
• Sites and site links

Chapter 2:
Managing Hardware Devices
Objectives
• Understand the importance of managing hardware

• Understand the purpose of device drivers

• Configure hardware resource settings and resolve resource setting conflicts

• Configure driver signing options

• Optimize server processor and memory usage

• Create and configure hardware profiles

• Configure server power options
Introduction to Managing Hardware
• Managing and maintaining hardware is a primary responsibility of a network administrator
• A wide variety of internal and external hardware components available
• Key concepts to be discussed
• Hardware compatibility
• Device drivers
• Device Manager
Hardware Compatibility
• Server hardware must meet minimum system requirements for Windows Server 2003
• Microsoft maintains information about compatible hardware
• Previous Windows versions: Hardware Compatibility List
• Windows Server 2003: Windows Server Catalog
Windows Server Catalog Web Site
Understanding Device Drivers
• A device driver is a software interface between an operating system and a hardware device
• Generally want to use the specific recommended driver for a device
• Affects stability and performance
• Driver updates are frequent and usually available from manufacturer
• Driver signing is used to verify that a driver has been tested
Device Manager
• Primary tool for managing device drivers
• Allows administrator to view and modify hardware device properties
• Should be used soon after Windows Server 2003 installation to verify device detection and functioning
• Accessible from Control Panel or Computer Management tool
• Displays non-functioning devices
• Yellow exclamation point
• Displays manually disabled devices
• Red x
• Allows you to update drivers
• Download driver and install through Device Manager
• Use Hardware Update Wizard
Adding New Devices
• Two main categories of devices
• Plug and Play
• Legacy
• Plug and Play devices typically installed and configured automatically
• Legacy devices typically configured manually
Plug and Play Devices
• Windows Server 2003 is Plug and Play compliant
• New hardware is usually Plug and Play
• Installed devices detected automatically
• Detected devices configured automatically
• May need to locate or update device driver
Legacy Devices
• Many older devices not Plug and Play
• Industry Standard Architecture (ISA) bus devices not Plug and Play
• May or may not be detected by Windows Server 2003
• Typically must be configured manually
• Add Hardware Wizard used to install and/or configure

Hardware Resource Settings
• Four main types of resources
• Direct Memory Access (DMA) channels
• Input/Output (I/O) ranges
• Memory address ranges
• Interrupt request (IRQ) lines
• Resource settings configured from Resources tab of properties of hardware device in Device Manager
• Manually configured resource settings may have conflicts
• Resource conflicts can cause device malfunction
• Conflicts determined using Device Manager
• Resources tab for a device

Direct Memory Access Channels
• Allow hardware devices to access system memory (RAM) directly
• Information transfer bypasses CPU
• Common devices
• Hard and floppy disk controllers
• Sound cards
• CD-ROM drives
• DMA channel used by a device can be determined from Device Manager
Input/Output Ranges
• Small dedicated memory areas
• Allocated specifically for data transfer between computer and hardware device
• Type of device dictates size of memory area
• I/O ports can be determined from Device Manager
Interrupt Request Lines
• Used to gain attention of the system processor to handle some event
• Traditionally, each device had dedicated line
• Trend is toward sharing lines, Windows Server 2003 supports sharing among some Plug and Play devices
• IRQ lines can be viewed and managed from Device Manager
Memory Addresses
• Used for communication between a hardware device and the operating system
• Devices configured with dedicated, unique memory address ranges
• Windows Server 2003 will automatically allocate memory addresses for Plug and Play devices
• For legacy devices, address ranges usually specified in documentation
Troubleshooting Resource Setting Conflicts
• Manual configuration of devices can lead to resource conflicts (overlaps and duplication of assignments)
• Two methods for checking for resource conflicts
• Resources tab in properties of device using Device Manager
• System Information tool
• To open, type msinfo32.exe in Run command
• System Information tool
• Reporting rather than configuration
• Hardware Resources section displays summary info
• Conflicts section displays conflicts
• Forced Hardware allows identification of manually configured devices
• Components displays resource settings plus driver info
• Problem Devices shows devices with known problems
Viewing Problem Devices using the System Information tool
Configuring Device Driver Signing
• Every built-in driver in Windows Server 2003 is digitally signed by Microsoft
• Signing ensures compatibility, quality, authenticity, verified to work with hardware
• Three possible driver signing verification options
• Ignore: install any driver whether signed or not
• Warn: show warning if attempt is made to install unsigned driver
• Block: don’t allow installation of unsigned driver
Configuring Driver Signing Options
Advanced File Signature Verification Settings
Roll Back Driver Feature
• Common for vendors to release new or updated drivers for hardware devices
• Fix known issues, take advantage of updated features
• Driver updates sometimes result in system stability problems
• When update causes problems, roll back allows going back to a previous version

The Driver Tab in the Properties of a Display Adapter
Configuring Processor and Memory Settings
• Three basic areas to configure for optimal performance
• Processor scheduling and memory usage
• Virtual memory
• Memory for network performance
Processor Scheduling
• Allows you to configure how processor resources are allocated to programs
• Default is Background services (all running applications receive equal processor time)
• Can set to Programs (foreground application receives priority processor time)
• Memory usage options used to configure amount of system memory allocated to executing programs versus other server functions
• Default is System cache option
• Computer is acting as network server
• Running programs that require considerable memory
• Programs option
• Computer is acting as workstation
• Running programs at console
Virtual Memory
• Disk storage used to expand RAM capacity
• Slower than RAM
• Uses paging technique
• Blocks (pages) of information moved from RAM to virtual memory on disk
• On Pentium, pages are 4KB
• Paged out when not in use, reloaded into RAM when needed
• Area allocated is called paging file
• Default amount allocated when operating system installed but should be tuned by administrator
• Name of paging file is pagefile.sys
• Location of paging file important
• Two important parameters: initial and maximum size
Memory for Network Performance
• Memory used for both server functions and network connectivity functions
• Server functions use RAM and memory
• Network connectivity uses only memory
• If performance is poor, may need to tune network memory parameters
Configuring Server Memory for Network Optimization
Hardware Profiles
• Set of instructions defining which devices to start and drivers to load when computer starts
• Profile 1 created when Windows Server 2003 installed, every device enabled
• Portable computers change the set of hardware devices available at different times
• Can create additional profiles to match situation
Configuring Power Options
• Default power scheme is Always On (monitor off after 20 minutes, hard disks never off)
• Can select other predefined schemes or create custom scheme
• Standby mode
• Components shut down and memory is not written to disk (if power goes out, memory information is lost)
• Power supply and CPU remain active
• Hibernate mode
• Memory contents saved before shutting down disks
• Can restart with previous applications running
• Uninterruptible power supply (UPS)
• Battery backup device
• Best fault-tolerance method to prevent damage with power loss
• Can only sustain power for a limited time
Summary
• Device drivers
• Driver signing
• Driver roll back
• Device Manager tool
• Primary tool for device management
• Plug and play versus legacy devices
• Installation and configuration
• Hardware Resource Settings
• Direct Memory Access (DMA) channels
• Input/Output (I/O) ranges
• Memory address ranges
• Interrupt request (IRQ) lines
• Processor Scheduling and Memory Usage
• Virtual memory
• Network memory
• Hardware Profiles
• Power Options

Chapter 3:
Creating and Managing User Accounts
Objectives
• Understand the purpose of user accounts
• Understand the user authentication process
• Understand and configure local, roaming, and mandatory user profiles
• Configure and modify user accounts using different methods
• Troubleshoot user account and authentication problems
Introduction to User Accounts
• A user account is an Active Directory object
• Represents information that defines a user with access to network (first name, last name, password, etc.)
• Required for anyone using resources on network
• Assists in administration and security
• Must follow organizational standards
User Account Properties
• Primary tool for creating and managing accounts is Active Directory Users and Computers
• Active Directory is extensible so additional tabs may be added to property pages
• Major account properties that can be set include:
• General
• Address
• Account
• Profile
• Sessions
The Account Tab of Properties
User Authentication
• The process by which a user’s identity is validated
• Used to grant or deny access to network resources
• From a client operating system
• Name, password, resource required
• In Active Directory environment
• Domain controller authenticates
• In a workgroup
• Local SAM database authenticates
Authentication Methods
• Two main processes
• Interactive authentication
• User account information is supplied at log on
• Network authentication
• User’s credentials are confirmed for network access
Interactive Authentication
• The process by which a user provides a user name and password for authentication
• For domain logon, credentials compared to centralized Active Directory database
• For local logon, credentials compared to local SAM database
• In domain environments, users normally don’t have local accounts
Network Authentication
• The process by which a network service confirms the identity of a user
• For a user who logs on to domain, network authentication is transparent
• Credentials from interactive authentication valid for network resources
• A user who logs on to local computer will be prompted to log on to network resource separately
Authentication Protocols
• Windows Server 2003 supports two main authentication protocols:
• Kerberos version 5 (Kerberos v5)
• NT LAN Manager (NTLM)
• Kerberos v5 is primary protocol for Active Directory environments but is not supported on all client systems
• NTLM is primary protocol for older Microsoft operating systems
Kerberos v5
• Primary authentication protocol used in Active Directory domain environments
• Supported by Windows 2000, Windows XP, Windows Server 2003
• Protocol followed:
• Log on request passed to Key Distribution Center (KDC), a Windows Server 2003 domain controller
• KDC authenticates user and, if valid, issues a ticket-granting ticket (TGT) to client system
• When client requests a network resource, it presents the TGT to KDC
• KDC issues a service ticket to client
• Client presents service ticket to host server for network resource
• Every domain controller in Active Directory environment holds role of KDC
• Not all clients follow this protocol
NTLM
• A challenge-response protocol
• Used with operating systems running Windows NT 4.0 or earlier or with Windows 2000 or Server 2003 when necessary
• Protocol followed:
• User logs in, client calculates cryptographic hash of password
• Client sends user name to domain controller
• Domain controller generates random challenge and sends it to client
• Client encrypts challenge with hash of password and sends to domain controller
• Domain controller calculates expected value to be returned from client and compares to actual value
• After successful authentication, domain controller generates a token for user for network access
User Profiles
• A collection of settings specific to a particular user
• Stored locally by default
• Do not follow user logging on to different computers
• Can create a roaming profile
• Does follow user logging on to different computers
• Administrator can create a mandatory profile
• User cannot alter it
User Profile Folders and Contents
Local Profiles
• New profiles are created from Default User profile folder
• User can change local profile and changes are stored uniquely to that user
• Administrator can manage various elements of profile
• Change Type
• Delete
• Copy To
Roaming Profiles
• Roaming profiles
• Allow a profile to be stored on a central server and follow the user
• Provide advantage of a single centralized location (helpful for backup)
• Configured from Profiles page of Active Directory Users and Computers
• Changing a profile from local to roaming requires care – should copy first
Mandatory Profiles
• Local and roaming profiles allow users to make permanent changes
• Mandatory profiles allow changes only for a single session
• Local and roaming profiles can both be configured as mandatory
• ntuser.dat → ntuser.man
Creating and Managing User Accounts
• Standard tool is Active Directory Users and Computers
• Also a number of command line tools and utilities
Active Directory Users and Computers
• Available from Administrative Tools menu
• Can be added to a Microsoft Management Console
• Can be run from command line (dsa.msc)
• Graphical tool
• Can add, modify, move, delete, search for user accounts
• Can configure multiple objects simultaneously
User Account Templates
• A user account that is pre-configured with common settings
• Can be copied to create new user accounts with pre-defined settings
• New account is then configured with detailed individual settings
Command Line Utilities
• Some administrators prefer working from command line
• Can be used to automate creation or management of accounts more flexibly
DSADD
• Allows object types to be added to directory
• Computer accounts, contacts, quotas, OUs, users, etc.
• Syntax for user account is
• DSADD USER distinguished-name switches
• Switches include
• -pwd (password), -memberof, -email, -profile, -disabled
DSMOD
• Allows object types to be modified from the command line
• Computer accounts, users, quotas, OUs, servers, etc.
• Syntax for modifying user account is
• DSMOD USER distinguished-name+ switches+
• Can modify multiple accounts simultaneously
DSQUERY
• Allows various object types to be queried from command line
• Supports wildcard (*)
• Output can be redirected to another command (piped)
• Example: return all user accounts that have not changed passwords in 14 days
• dsquery user domainroot -name * -stalepwd 14
DSMOVE
• Allows various object types to be moved from current location to a new location
• Allows various object types to be renamed
• Only moves within the same domain (otherwise use MOVETREE)
• Example: to move a user account into a marketing OU
• dsmove "cn=Paul Kohut,cn=users,dc=domain01,dc=dovercorp,dc=net" -newparent "ou=marketing,dc=domain01,dc=dovercorp,dc=net"
DSRM
• Allows objects to be deleted from directory
• Can delete single object or entire subtree
• Has a confirm option that can be overridden
• Example: to delete the Marketing OU and all its contained objects without a confirm prompt:
• dsrm -subtree -noprompt -c "ou=marketing,dc=domain01,dc=dovercorp,dc=net"
Bulk Import and Export
• Allows an organization to import existing stores of data rather than recreating from scratch
• Allows an organization to export data that is already structured in Active Directory to secondary databases
• Two command line utilities for import and export
• CSVDE
• LDIFDE
CSVDE
• Command-line tool to bulk export and import Active Directory data to and from comma-separated value (CSV) files
• CSV files can be created/edited using text-based editors
• Example:
• csvde -f output.csv
LDIFDE
• Command-line tool to bulk export and import Active Directory data to and from LDIF files
• LDAP Interchange Format
• Industry standard for information in LDAP directories
• Each attribute/value on a separate line with blank lines between objects
• Can be read in text-based editors
• Common uses: extending AD schemas, importing bulk data to populate AD, manipulating user and group objects
Troubleshooting User Account and Authentication Issues
• Normally creating and configuring user accounts is straightforward
• Issues do arise related to
• Configuration of account
• Policy settings
Account Policies
• Authentication-related policy settings
• Configured in Account Policies node of Group Policy objects at domain level
• Account lockout, passwords, Kerberos
• Default Domain Policy
• Accessed from Active Directory Users and Computers
• Configures policies for all domain users
Password Policy
• Configuration settings
• Password history and reuse
• Maximum password age
• Minimum password age
• Minimum password length
• Complexity requirements
• Encryption policy
Account Lockout Settings
• Configuration settings
• Account lockout duration
• Account lockout threshold
• Reset account lockout counter after
Kerberos Policy
• Configuration settings
• Enforce user logon restrictions
• Maximum lifetime for service ticket
• Maximum lifetime for user ticket
• Maximum lifetime for user ticket renewal
• Maximum tolerance for computer clock synchronization
Auditing Authentication
• Audit account logon event
• Configured in Group Policy object linked to Domain Controllers OU (Default Domain Controllers Policy)
• Default is to log only successful logons
• Event viewable in Security log (use Event Viewer)
• Can choose to audit failed logons
• May be helpful for troubleshooting
• Codes provide information about type of failure
Resolving Logon Issues
• Some common logon issues (and fixes)
• Incorrect user name or password (administrative reset)
• Account lockout (manual unlock)
• Account disabled (administrative enable)
• Logon hour restrictions (check account restrictions)
• Workstation restrictions (check account restrictions)
• Domain controllers (check configured DNS settings)
• Client time settings (check client clock synchronization)
• Down-level client issues (install Active Directory Client Extensions)
• UPN logon issues (check Global Catalog server)
• Unable to log on locally (set policy on local server)
• Remote access logon issues (check access on Dial-up properties)
• Terminal services logon issues (check allow logon to terminal server permission)
Summary
• A user account is an object stored in Active Directory
• Information that defines user and access to network
• Primary tools to create and manage user accounts
• Active Directory Users and Computers
• Command line utilities (DSADD, DSMOD, DSQUERY, DSMOVE, DSRM)
• Two main authentication processes
• Interactive authentication
• Network authentication
• Two main authentication protocols
• Kerberos v5, NTLM
• User profiles used to configure and customize desktop environment
• Local, roaming, mandatory
• Utilities for bulk importing and exporting user data to and from Active Directory
• LDIFDE and CSVDE
Chapter 4:
Implementing and Managing Group and Computer Accounts
Objectives
• Understand the purpose of using group accounts to simplify administration
• Create group objects using both graphical and command-line tools
• Manage security groups and distribution groups
• Explain the purpose of the built-in groups created when Active Directory is installed
• Create and manage computer accounts
Introduction to Group Accounts
• A group is a container object
• Used to organize collections of users, computers, contacts, other groups
• Used to simplify administration
• Similar to Organizational Units except
• OUs are not security principals, groups are
• OUs can only contain objects from their parent domain, groups can contain objects from within forest
Group Types
• Security groups
• Defined by Security Identifier (SID)
• Can be assigned permissions for resources
• In discretionary access control lists (DACLs)
• Can be assigned rights to perform different tasks
• Can also be used as e-mail entities
• Distribution groups
• Primarily used as e-mail entities
• Do not have associated SID
Group Scopes
• Scope refers to logical boundary of permissions to specific resources
• Both Security and Distribution Groups have scopes
• Three scopes
• Objects possible within each scope dependent on configured functional level of a domain
• Scope types are global, domain local, and universal
• Three domain functional levels:
• Windows 2000 mixed: default configuration, supports a combination of Windows NT Server 4.0, 2000 Server, and Server 2003 domain controllers
• Windows 2000 native: supports a combination of Windows 2000 Server and Server 2003 domain controllers
• Windows Server 2003: supports Windows Server 2003 domain controllers only
Global Groups
• Organize groups of users, computers, groups within the same domain
• Usually represents a geographic location or job function group
• Types of objects in group related to configured functional level of the domain
• Depends on the types of domain controllers in environment
Domain Local Groups
• Created on domain controllers
• Can be assigned rights and permissions to any resource within the same domain
• Can contain groups from other domains
• Specific objects allowed in group related to configured functional level of the domain
Universal Groups
• Typically created to aggregate users or groups in different domains
• Stored on domain controllers configured as global catalog servers
• Can be assigned rights and permissions for any resource within a forest
• Can only be created at the Windows 2000 native or Windows Server 2003 domain functional level
Creating Group Objects
• Group objects are stored in Active Directory database
• A variety of tools can be used for creation and management
• Active Directory Users and Computers
• Command-line utilities
• DSADD, DSMOD, DSQUERY, etc.
Active Directory Users and Computers
• Primary tool
• To create group accounts
• Can also be used to configure properties of group accounts
• Groups can be created in any built-in containers, at root of the domain object, or in custom OU objects
• Possible group scopes determined by the functional level the domain is configured to
• Follow directions to raise the functional level of your domain to Windows Server 2003
• Continue the exercise to create a new universal group
• Continue the exercise to add existing groups to the new group
Converting Group Types
• May need to change a security group to a distribution group or vice versa
• Type of group can only be changed if domain functional level is Windows 2000 native or above
Converting Group Scopes
• Scope of a group can be changed
• Domain functional level must be at least Windows 2000 native
• Supported changes
• Global to universal (only if the group is not itself a member of another global group)
• Domain local to universal (only if it contains no other domain local groups)
• Universal to global (only if it contains no other universal groups)
• Universal to domain local
Command Line Utilities
• An alternative to Active Directory Users and Computers
• Some administrators have a preference for command-line utilities
• Command-line utilities are more flexible for group management and creation in some situations
DSADD
• Introduced in Windows Server 2003
• Used to create new user and group accounts
• Syntax is
• dsadd group distinguished-name switches
• Switches include: -secgrp, -scope, -memberof, -members
• More help is available for switches and options at Windows Server 2003 Help and Support Center or at command-line
DSMOD
• Also introduced in Windows Server 2003
• Allows various object types to be modified from the command line
• Syntax is
• dsmod group distinguished-name switches
• Switches include: -desc, -rmmbr, -addmbr
• More help is available for switches and options at Windows Server 2003 Help and Support Center or command-line
DSMOD
• Objective: Use the DSMOD GROUP command to modify group accounts
• Follow directions to execute dsmod group command to add a description to an existing group
• Verify modification with Active Directory Users and Computers
• Modify group by adding and removing members and verify changes
DSQUERY
• Also introduced in Windows Server 2003
• Used to query various object types from the command line, returns values
• Syntax for groups is
• dsquery group query
• Supports wildcard character (*)
• Output can be piped as input to other command-line tools
• More help is available for switches and options at Windows Server 2003 Help and Support Center or command-line
DSMOVE
• Used to move or rename various object types from the command line
• Syntax for groups is
• dsmove group distinguished-name switches
• Switches include: -newparent, -newname
• Can only be used for groups within a single domain
• More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command-line
DSRM
• Used to delete various object types from the command line
• Syntax for groups is
• dsrm group distinguished-name switches
• Switches include: -noprompt
• More help is available for switches and options at Windows Server 2003 Help and Support Center or command-line

Managing Security Groups
• Strategy for managing security groups uses acronym A G U DL P:
– Create user Accounts (A) and organize them within Global groups (G)
– Optional: Create Universal groups (U) and place global groups from any domain in universal groups
– Create Domain Local groups (DL) and add global and universal groups
– Assign Permissions (P) to the domain local groups
Determining Group Membership
• Important task for administrators is to ensure that users are members of correct groups
• One method is via Member Of tab in the properties of a user account
• Only shows first level of groups (not groups of groups)
• Second method is to use DSGET
• Returns values to a query
• Syntax is
• dsget group distinguished-name switches
• Switches include: -members, -memberof
• Can also be used as dsget user to get membership information about a specific user
• Output can be saved to a file:
• dsget group distinguished-name switches >> filename
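The A-G-DL-P chain and the DSQUERY/DSGET membership checks above, carried through as one cmd.exe batch file. This is an added example, not code from the 70-290 slides: the domain corp.example.com, the OUs (OU=Groups, OU=Staff), the user accounts, the share path D:\Finance and the C:\audit folder are all assumptions, and it expects to run on a Windows Server 2003 domain member with the DS tools and CACLS available.

```batch
@echo off
rem Added example: A-G-DL-P with the DS* tools and CACLS on a Windows Server 2003
rem domain member.  Domain corp.example.com, the OUs, the users, the share path and
rem C:\audit are fictional assumptions; change them before use.
setlocal
set OU=OU=Groups,DC=corp,DC=example,DC=com
set STAFF=OU=Staff,DC=corp,DC=example,DC=com
set GG=CN=G Finance Users,%OU%
set DLG=CN=DL Finance Share Modify,%OU%
if not exist C:\audit md C:\audit

rem A -> G: a global security group (-scope g) holding the user accounts
dsadd group "%GG%" -secgrp yes -scope g -desc "Finance department staff" -members "CN=Jane Doe,%STAFF%" "CN=John Roe,%STAFF%"

rem G -> DL: a domain local group (-scope l) that will carry the permission,
rem with the global group as its only member
dsadd group "%DLG%" -secgrp yes -scope l -desc "Change on D:\Finance" -members "%GG%"

rem Day-to-day membership changes go through dsmod; -addmbr / -rmmbr take DNs
dsmod group "%GG%" -addmbr "CN=Sam Poe,%STAFF%"
dsmod group "%GG%" -rmmbr "CN=John Roe,%STAFF%"

rem DL -> P: grant the NTFS permission once, to the domain local group.
rem /E edits the existing DACL (without /E cacls REPLACES it), /T recurses,
rem C = Change.  No user account is granted access directly.
cacls D:\Finance /T /E /G "CORP\DL Finance Share Modify":C

rem Audit: dsquery output is piped straight into dsget; the report goes to a file
dsquery group "%OU%" -name "G *" | dsget group -dn -members > C:\audit\finance-groups.txt
rem -expand follows nested groups, so Jane's report also lists the DL group she
rem reaches through G Finance Users, which the Member Of tab would not show
dsget user "CN=Jane Doe,%STAFF%" -memberof -expand >> C:\audit\finance-groups.txt

rem Optional U step if the global group must be used forest-wide (needs domain
rem functional level Windows 2000 native or higher):
rem dsmod group "%GG%" -scope u
endlocal
```

The point of the ordering is that the permission is assigned exactly once, to the domain local group; every later staffing change is a DSMOD on the global group and never touches the file system ACL. The audit lines are what to run before trusting a group: the DSGET -expand output is the only one of the two views that shows membership gained through nesting.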
Built-In Groups
• When Windows Server 2003 Active Directory is installed
• Built-in groups are created automatically
• Rights are pre-assigned
• Stored in Builtin container and Users container
• Use built-in groups where possible
• Eases implementation of security rights
The Builtin Container
• Contains a number of domain local group accounts
• Allocated different user rights based on common administrative or network-related tasks
The Users Container
• Contains a number of domain local and global group accounts
• Some groups only found in the root domain of an Active Directory forest rather than in individual domains
Creating and Managing Computer Accounts
• Computer accounts needed on Windows NT 4.0, 2000, XP, Server 2003
• Can be created during installation or added manually later
• Creation and management tools
• Active Directory Users and Computers
• System applet in Control Panel
• Command-line utilities
Resetting Computer Accounts
• Secure channel
• Used by computers that are domain members to communicate with domain controller
• Uses password that is changed every 30 days
• Automatically synchronized between domain controller and workstation
• Occasional synchronization issues arise
• Administrator must reset computer account
• Using Active Directory Users and Computers (Reset Account), dsmod computer distinguished-name -reset, or the Netdom.exe command from Windows Support Tools
Summary
• Group accounts reduce administrative effort by enabling assignment of common rights and permissions to multiple users simultaneously
• Two group types:
• Security groups
• Distribution groups
• Three types of scoping possible for groups
• Global groups
• Domain local groups
• Universal groups
• Group and computer accounts can be created and managed
• From Active Directory Users and Computers
• From command-line utilities
• The Builtin and Users containers and their groups are created automatically at installation with specific pre-assigned rights and permissions
• Windows NT 4.0, 2000, XP, and Server 2003 require computer accounts in Active Directory

Chapter 5:
Managing File Access
Objectives
• Identify and understand the differences between the various file systems supported in Windows Server 2003
• Create and manage shared folders
• Understand and configure the shared folder permissions available in Windows Server 2003
• Understand and configure the NTFS permissions available in Windows Server 2003
• Determine the impact of combining shared folder and NTFS permissions
• Convert partitions and volumes from FAT to NTFS
Windows Server 2003 File Systems
• Three main file systems
• File Allocation Table (FAT)
• FAT32
• NTFS
• Final choice of file system depends on
• How system will be used
• Whether there are multiple operating systems
• Security requirements
• NTFS is most highly recommended
FAT
• Used by MS-DOS
• Supported by all versions of Windows since
• Traditionally limited to partitions up to 2 GB
• Windows Server 2003 version supports partitions up to 4 GB
• Limitations
• Small partition sizes
• No file system security features
• Disk space usage is poor
FAT32
• A derivative of the FAT file system
• Supports partition sizes up to 2 TB, although Windows 2000, XP, and Server 2003 will only format FAT32 volumes up to 32 GB
• Still does not provide advanced security features
• Cannot configure permissions on file and folder resources
NTFS
• Introduced with Windows NT operating system
• Current version, NTFS 5 (internally NTFS 3.0/3.1), was introduced with Windows 2000 and is used by
• Windows 2000
• Windows XP
• Windows Server 2003
• Windows NT 4.0 used the earlier NTFS 4 (internally 1.2); Service Pack 4 and later can read NTFS 5 volumes
• Theoretically supports partition sizes of up to 16 Exabytes (EB)
• Practically supports maximum partition sizes from 2 TB to 16 TB
• Advantages of NTFS
• Greater scalability and performance on larger partitions
• Support for Active Directory on systems configured as domain controllers
• Ability to configure security permissions on individual files and folders
• Built-in support for compression and encryption
• Ability to configure disk quotas for individual users
• Support for Remote Storage
• Recovery logging of disk activities
Creating and Managing Shared Folders
• Shared folder
• A data resource made available over a network to authorized network clients
• Specific permissions required for creating, reading, modifying
• Groups that can create shared folders:
• Administrators
• Server Operators
• Power Users (only on member servers)
• Several ways to create shared folders
• Two important methods
• Windows Explorer Interface
• Computer Management console
• Also allows shared folders to be monitored
Using Windows Explorer
• Used since Windows 95
• Can create, maintain, and share folders
• Folders can be on any drive connected to the computer
• Folders are shared in Windows Explorer by accessing the Sharing tab of folder’s properties
• Shared name of folder does not have to be the actual file name
• Hand icon used to indicate shared status
• Shared folders can be hidden from My Network Places and Network Neighborhood
• Place dollar sign ($) after name, e.g., Salary$
• A number of hidden administrative shares (such as C$, ADMIN$, and IPC$) are created automatically at installation

Using Computer Management
• Computer Management console is a pre-defined Microsoft Management Console (MMC)
• Allows you to share and monitor folders for local and remote computers
• Allows you to stop sharing if desired
• Share a Folder Wizard
• Used to create folders in Shared Folders section of Computer Management
• Used to provide preconfigured or manual permissions
• All users have read-only access
• Administrators have full access; others have read-only access
• Administrators have full access; others have read and write access
• Custom share and folder permissions
Folders Using Computer Management
• Objective is to create and view shared folders using Computer Management
• Open Computer Management and the Shared Folders node
• Open the Shares folder and note the hidden administrative shares (names ending in $) alongside the ordinary shares
• Open the Share a Folder Wizard
• Configure the folder attributes
• Configure the folder permissions
• Verify folder accessibility from command line
Monitoring Access to Shared Folders
• Monitoring involves
• Who is using shared files
• What shared files are open at any given time
• Other functions
• Disconnect users from a share
• Send network alert messages
• Primary monitoring tool is Computer Management
Managing Shared Folder Permissions
• A shared folder has a discretionary access control list (DACL)
• Contains a list of user or group references that have been allowed or denied permissions
• Each reference is an access control entry (ACE)
• Accessed from Permissions button on Sharing tab of folder’s properties
• Permissions only apply to network users, not those logged on directly to local machine
• To deny access to a user or group
• Windows Server 2003 does not include No Access share permission
• Must explicitly deny access to each individually
• Default permission is read access for Everyone group
• Should be immediately addressed when a share is created
• Folder permissions are inherited by all contained objects
NTFS Permissions
• Resources located on an NTFS partition or volume can be given NTFS permissions
• An administrator must
• Know how permissions are applied
• Standard and special NTFS permissions available
• How effective permissions are determined
NTFS Permission Concepts
• NTFS permissions are configured via the Security tab
• NTFS permissions are cumulative across all the groups a user belongs to
• Deny overrides Allow at the same level, but an Allow set explicitly on the object itself overrides a Deny inherited from a parent folder
• NTFS folder permissions are inherited unless otherwise specified
• NTFS permissions can be set at file or folder level
• A new ACE has default permissions
• Read and Read & Execute for files
• Read, Read & Execute, and List Folder Contents for folders
• Windows Server 2003 has set of standard permissions plus special permissions
Special NTFS Permissions
• Can provide more or less access than standard permissions
• Special permissions accessed from Advanced button in the Security tab on Properties dialog box for resource
• Permission Entry dialog box enables assignment of permissions and control of inheritance settings
• Inheritance settings
• This folder only
• This folder, subfolders, and files (default)
• This folder and subfolders
• This folder and files
• Subfolders and files only
• Subfolders only
• Files only
Determining Effective Permissions
• Permissions that actually apply to a user can be the result of membership in multiple groups
• Prior to Windows Server 2003, determining effective permissions was done manually
• In Windows Server 2003, there is an Effective Permissions tab in Advanced Security Settings dialog box for resource
• Shows specific permissions for a user or group
Combining Shared Folder and NTFS Permissions
• NTFS permissions can be combined with share permissions
• When accessing a share across the network, work out the cumulative share permission and the cumulative NTFS permission separately; the more restrictive of the two is the effective permission
• When accessing a file locally, only NTFS permissions apply
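Creating the share, setting its share permissions, layering NTFS permissions underneath and then reading off the combined result, as an added example that is not part of the 70-290 slides. It is a cmd.exe batch file for a fictional file server in a fictional CORP domain; the group names, the D:\Finance path and the Payroll subfolder are assumptions. NET SHARE /GRANT and CACLS ship with Windows Server 2003.

```batch
@echo off
rem Added example: share and NTFS permissions for D:\Finance on a fictional file
rem server in the fictional CORP domain.  Group names and paths are assumptions.
setlocal
set DLG=CORP\DL Finance Share Modify
set AUD=CORP\G Auditors

rem Share permission.  /GRANT replaces the default "Everyone: Read" share ACL,
rem so only the listed principals get through the share at all.  The trailing $
rem hides the share from browse lists; it is not a security control.
net share Finance$=D:\Finance /GRANT:"%DLG%",CHANGE /GRANT:"%AUD%",READ /GRANT:Administrators,FULL /REMARK:"Finance department" /UNLIMITED

rem NTFS permissions.  /E edits the DACL in place (without /E cacls REPLACES the
rem whole DACL, inherited entries included), /T walks the tree; C = Change, R = Read.
cacls D:\Finance /T /E /G "%DLG%":C
cacls D:\Finance /T /E /G "%AUD%":R

rem Deny beats Allow at the same level: temps lose Payroll even if they are also
rem in the DL group.  (An Allow set directly on a file would still beat a Deny
rem inherited from the folder.)
cacls D:\Finance\Payroll /T /E /D "CORP\G Temps"

rem Check what was set
net share Finance$
cacls D:\Finance

rem Effective access, "most restrictive of share vs NTFS", each side cumulative:
rem   DL member over the network          : share CHANGE, NTFS Change -> Change
rem   Auditor over the network            : share READ,   NTFS Read   -> Read
rem   Auditor who is also a DL member     : share CHANGE, NTFS Change -> Change
rem   Temp who is also a DL member, Payroll: NTFS Deny                -> no access
rem   Any of them logged on at the server : share ACL ignored, NTFS only

rem To retire the share without touching the files or their NTFS ACL:
rem net share Finance$ /DELETE
endlocal
```

The practitioner check here is the /E switch: a CACLS call without it silently replaces the whole DACL, inherited entries included, which is the classic way to lock Administrators out of a data tree. Run the two listing commands at the end after every change and compare them with the expected table before anybody is told the share is ready.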
Converting a FAT Partition to NTFS
• For highest security, partitions and volumes should be configured to use NTFS
• Command-line utility, CONVERT, will convert FAT or FAT32 partitions and volumes to NTFS
• All existing files and folders are retained
• CONVERT cannot convert NTFS to FAT or FAT32
Summary
• Windows Server 2003 supports 3 file systems
• FAT
• FAT32
• NTFS (preferred)
• Two types of permissions
• Shared folder (network only)
• Tools are Windows Explorer, Computer Management, and NET SHARE command
• NTFS (local and network)
• NTFS partitions only
• Permissions
• Shared folders, 3 standard permissions
• NTFS, 6 standard and 14 special permissions
• Permissions are cumulative
• Effective permissions can be determined from Advanced Security Settings of a resource
• Shared folder and NTFS permissions can be combined
• CONVERT utility can convert a FAT or FAT32 partition to the NTFS file system

Chapter 6:
Managing Disks and Data Storage
Objectives
• Understand concepts related to disk management
• Manage partitions and volumes on a Windows Server 2003 system
• Understand the purpose of mounted drives and how to implement them
• Understand the fault tolerant disk strategies natively supported in Windows Server 2003
• Determine disk and volume status information and import foreign disks
• Maintain disks on a Windows Server 2003 system using a variety of native utilities
Disk Management Concepts
• Windows Server 2003 supports two data storage types:
• Basic disks
• Uses traditional disk management techniques
• Has primary partitions, extended partitions, logical drives
• Dynamic disks
• Does not use traditional disk partitioning
• No restriction on number of volumes implemented on one disk
Basic Disks
• Maximum of four primary partitions or three primary and one extended partition on a disk
• Each primary partition:
• Can use FAT, FAT32, or NTFS file system
• Has a drive letter
• Boot partition
• Operating system files reside on boot partition
• Can be located on a primary partition or logical drive
Primary Partitions
• A basic drive must contain at least one and no more than four primary partitions
• One partition is the system (or active) partition
• Contains files to start operating system
• Usually drive C on Windows
• Can also be used for traditional data storage
Extended Partitions and Logical Drives
• An extended partition:
• Is created from free hard disk space that is not partitioned, formatted, or assigned a drive letter
• Allows you to extend the four-partition limit
• Can be divided into logical drives
• Each drive is then formatted and assigned a drive letter
Volume Sets and Stripe Sets
• Created on basic disks by Windows NT Server 4.0
• Volume set
• Two or more partitions combined to look like one volume with a single drive letter
• Stripe set
• Two or more disks striped for RAID level 0 (or, with parity, RAID level 5)
• Windows 2000 can use but not create them
• Windows Server 2003 (like Windows XP) cannot access them at all: back them up or convert the disks to dynamic under Windows 2000 before upgrading
Dynamic Disks
• Can set up a large number of volumes per disk
• Volumes are similar to partitions but with additional capabilities
• Reasons to implement dynamic disks include
• Can extend NTFS volumes
• Can configure RAID volumes for fault tolerance and performance
• Can reactivate missing or offline disks
• Can change disk settings without restarting the computer
Simple Volume and Spanned Volume
• A simple volume:
• Dedicated, formatted portion of space on a dynamic disk
• NTFS volumes can be extended (not system or boot)
• A spanned volume:
• Space in 2 to 32 dynamic disks
• Treated as a single volume
• Allows you to maximize use of scattered space across several disks
Striped Volume
• Referred to as RAID level 0
• Implemented for performance enhancement, particularly for storage of large files
• Not fault tolerant
• Requires from 2 to 32 disks
• Data is written in 64 KB blocks across rows in the volume
Managing Partitions and Volumes
• Primary tool is Disk Management
• Central facility for
• Viewing information
• Creating partitions and volumes
• Deleting partitions and volumes
• Converting basic disks to dynamic disks
Managing Disk Properties
• Disk Management:
• Can be added to a custom MMC
• Most commonly accessed via Storage section of Computer Management
• Used for the creation, deletion, and management of disks, partitions, and volumes
• Shares some property sheets with Windows Explorer, Device Manager
Extending Volumes
• Volume can be extended unless
• Functioning as boot or system volume
• Possible tools
• Disk Management
• DISKPART command-line utility
Mounted Drives
• Mounting a drive is an alternative to assigning it a drive letter
• A mounted drive is represented as a folder with a normal path
• To mount a drive:
• Must be on an NTFS volume
• Must be an empty folder
• Reasons:
• 26 drive letter limit
• Path access is convenient
• Backups
Fault Tolerant Disk Strategies
• Fault tolerance
• The ability to recover gracefully from hardware or software failure
• Hard disks do fail periodically
• Software RAID provides various levels of fault tolerance
• A combination of RAID and backup can minimize disruption and loss of data
RAID Levels
• Redundant Array of Independent (originally Inexpensive) Disks
• Set of standards for:
• Lengthening disk life
• Preventing data loss
• Enabling uninterrupted access to data
• Windows Server 2003 supports level 0, 1, and 5
• RAID level 0
• Block-level striping with no redundancy
• RAID level 1
• Disk mirroring (every write goes to a second, identical disk)
• RAID level 2
• Bit-level striping with Hamming-code error correction on dedicated disks
• RAID level 3
• Byte-level striping with parity on one dedicated disk
• RAID level 4
• Block-level striping with parity on one dedicated disk
• RAID level 5
• Block-level striping with parity distributed across all disks
• Supported on FAT and NTFS
• Either RAID level 1 or 5 is usually recommended
• Considerations:
• Placement of boot and system files
• Number of disks required or supported
• Cost (per megabyte of storage)
• Amount of memory required
• Read and write access speed
Striped Volume (RAID 0)
• Reasons to use:
• Reduce wear on disk drives by equalizing load
• Increase disk performance
• No specific fault tolerance support
• Can be created using New Volume Wizard
Mirrored Volume (RAID 1)
• Creates a copy of data on a backup disk
• Requires 2 disks
• Highly effective fault tolerance since a complete copy of data is available
• Disk read performance is comparable to a non-mirrored disk
• Every write goes to both disks, so writes are slower
• Created through New Volume Wizard
RAID-5 Volume
• Requires a minimum of 3 disks
• Provides good fault tolerance
• Parity information distributed across all drives
• Performance slower than with a striped volume (parity information must be computed and stored)
• Read access is equal to striped volume
• Storage requirement for parity information is 1/n with n the number of disks
• Created through New Volume Wizard
Software RAID and Hardware RAID
• Software RAID uses existing hardware and implements particular software strategies
• Hardware RAID requires specialized hardware (more expensive) but lessens the burden on the OS
• Often implemented on the adapter for disk drives
• Often includes a battery-backed write cache, so cached writes survive a power loss
• Advantages include: faster read and write, mixed RAID levels, failed disk hot-swap, better setup options
Monitoring Disk Health and Importing Foreign Disks
• Disk Management provides status information on disks and volumes
• Number of different status descriptions
• Windows Server 2003 provides the ability to import disks from other servers if necessary (foreign disks)
Disk and Volume Status Descriptions
• Optimal descriptions:
• Disk should be ONLINE
• Volume should be HEALTHY
• Common volume messages include:
• Failed, failed redundancy, formatting, healthy, regenerating, resyncing, unknown
• Common disk messages include:
• Audio CD, foreign, initializing, missing, no media, not initialized, online, online (errors), offline, unreadable
Importing Foreign Disks
• Used when a server fails
• Disks from the server can be moved to another server
• When first connected, the disk status will be foreign and it will not be accessible
• Use the Import Foreign Disks option on the disk
• If multiple disks are imported
• Each disk is imported individually
• Default is that disk will use its original drive letter but an available letter is chosen if there is a conflict
Other Disk Maintenance and Management Utilities
• Introduces disk-related utilities other than Disk Management
• Some provide extra features or functions
• Some are similar but are accessible from the command line
Check Disk
• Allows you to scan a disk for bad sectors and file system errors
• Fixing errors needs exclusive use of the volume; for a volume in use (such as the system volume) the check is scheduled to run at the next restart
• Two start options:
• Automatically fix file system errors
• Scan for and attempt recovery of bad sectors
• CHKDSK command-line utility has similar functionality
CONVERT
• CONVERT is a command-line utility
• Converts existing FAT and FAT32 partitions or volumes to NTFS
• Leaves existing data intact
Disk Cleanup
• Allows an administrator to determine where disk space is being used and could potentially be freed
• Files that can be removed include:
• Temporary internet files
• Downloaded program files
• Files in recycle bin
• Windows temporary files
• No longer used Windows components and programs
• Can also compress files
• Command-line version is CLEANMGR
Disk Defragmenter
• Free disk space eventually becomes fragmented as files are created and removed
• Results in slower access and higher disk wear
• Defragmentation attempts to place files in contiguous areas
• Defragmentation should be done periodically
DISKPART
• Command-line utility for managing disks, volumes, partitions
• Uses include:
• Configuring active partition, assigning drive letters, implementing fault tolerance schemes, etc.
• Can manage disks from within scripts
• Get the complete syntax and options with DISKPART /?
FORMAT
• Used to implement a file system on an existing partition
• Also used on MS-DOS and Windows 9X
• Has a variety of advanced settings
• Setting allocation unit (cluster) size
• Command-line version can be run from scripts
• Get the complete syntax and options with FORMAT /?
FSUTIL
• Used with FAT, FAT32, and NTFS file systems
• Includes many advanced features, requires experienced user
• Information available includes:
• Listings of drives, volume information, NTFS-specific data
• Tasks include:
• Managing disk quotas, displaying free space
• Get complete information in Help and Support Center
MOUNTVOL
• Used to create, delete, or list volume mount points from command line
• VolumeName parameter is difficult to use
• Complicates adding new mount point
• Doesn’t affect removing mount points
• Get complete syntax and options with MOUNTVOL /?
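The dynamic disk, RAID-5 volume, mounted drive, DISKPART and MOUNTVOL material above, tied together in one scripted procedure. This is an added example, not from the 70-290 slides: it is a cmd.exe batch file that writes a DISKPART script and runs it with /S, then formats and inspects the result. The disk numbers (1 to 3), the 20000 MB size and the D:\Data\Finance path are assumptions; check them against DISKPART's list disk output first, because the script destroys whatever is on those disks.

```batch
@echo off
rem Added example: three dynamic disks -> one RAID-5 volume mounted on an NTFS
rem folder, scripted with DISKPART /S.  Disk numbers, sizes and paths are
rem assumptions; run DISKPART's "list disk" first and keep disk 0 (system/boot)
rem out of it.  Must run as an administrator.  Data on disks 1-3 is destroyed.
setlocal
set SCRIPT=%TEMP%\raid5.txt
set MOUNT=D:\Data\Finance

rem Mount point must be an empty folder on an NTFS volume
if not exist "%MOUNT%" md "%MOUNT%"

rem DISKPART script.  size= is per disk in MB; parity costs 1/n of the space,
rem so 3 x 20000 MB gives about 40000 MB usable.
(
  echo select disk 1
  echo convert dynamic
  echo select disk 2
  echo convert dynamic
  echo select disk 3
  echo convert dynamic
  echo create volume raid size=20000 disk=1,2,3
  echo assign mount=%MOUNT%
  echo list volume
) > "%SCRIPT%"
diskpart /s "%SCRIPT%"

rem DISKPART on Windows Server 2003 cannot format, so format through the mount
rem point; FORMAT asks for confirmation on fixed disks, hence the piped Y.
echo Y| format %MOUNT% /FS:NTFS /V:Finance /Q

rem MOUNTVOL lists the \\?\Volume{...}\ name behind every mount point and drive
rem letter.  "assign mount=" above sidesteps typing that name; MOUNTVOL is still
rem the quick way to remove a mount point (the data is untouched):
mountvol
rem mountvol %MOUNT% /D

rem In Disk Management the new volume shows Regenerating while parity is built
rem (a mirror would show Resynching) and then Healthy; Failed Redundancy means a
rem member disk is Missing or Offline and the volume is no longer fault tolerant.
endlocal
```

Two things to confirm before running it: that disk 0 really is the system and boot disk (DISKPART's detail disk says so), and that the mount folder is empty, since DISKPART will refuse a non-empty one. The assign mount= line is why the script never needs the \\?\Volume{...}\ name that makes MOUNTVOL awkward to script.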
Summary
• Windows Server 2003 supports data storage types:
• Basic disk
• Divided into 4 primary partitions or 3 primary and 1 extended partition with logical drives
• Dynamic disk
• Can be divided into a number of volumes on 1 disk
• A number of disks can be configured in 1 volume
• Support simple, spanned, striped, mirrored, RAID-5 volumes
• Primary tool for disk management:
• Disk Management
• Fault tolerance implemented through RAID strategies
• Most highly recommended are:
• RAID level 1 (mirrored volumes)
• RAID level 5 (striped, distributed parity info)
• Hardware RAID very effective but more costly
• A number of command-line tools and other utilities are available for disk management and cleanup

Chapter 7:
Advanced File System Management
Objectives
• Understand and configure file and folder attributes
• Understand and configure advanced file and folder attributes
• Implement and manage disk quotas
• Understand and implement the Distributed File System
File and Folder Attributes
• Used since MS-DOS operating system
• Attributes describe files, folders, and their characteristics
• Applicable utilities include graphical tools and the ATTRIB command
• Four standard file and folder attributes
• Read-only
• Archive
• System
• Hidden
Read-only
• Designates that the contents of a file should not be changed and the file should not be deleted; it is a convenience flag rather than a security control, since any user who can write the file can clear it
• Available in all file systems (FAT, FAT32, NTFS partitions and volumes)
• FAT, FAT32 attributes can be changed by any user
• NTFS attribute can only be changed by a user with appropriate permissions
• Can be configured for a file or folder
• For folders, attribute pertains to the files it contains, not the folder itself
Archive
• Marks which files and folders have been recently changed or created
• Recently modified files are marked as ready for archiving
• Important for backup
• Backup methods update the status of the archive attribute
• Viewing the attribute is done using Windows Explorer or command-line utilities (e.g., DIR, ATTRIB)

System
• Originally designed to identify O.S. in MS-DOS
• In Windows Server 2003
• Used in conjunction with hidden attribute
• When system and hidden both true, file or folder is “super hidden” (not displayed in Windows Explorer interface)
• Treated as “protected operating system files” with specific alternate display options
• Can only be manipulated using ATTRIB command
Hidden
• Used to make files and folders less visible to users from Windows Explorer and command-line
• Windows Explorer does not show hidden files by default; when set to show them, hidden files appear as semi-transparent icons unless the system attribute is also set
• Hidden attribute can be configured from General tab of Properties
• Visibility can be configured from View tab of Folder Options from Tools in Windows Explorer
• Show hidden file and folders
• Hidden files and folders appear in Windows Explorer as semi-transparent icons
• Do not show hidden files and folders
• Files with set hidden attributes do not appear in Windows Explorer
• Hide protected operating system files
• All files with both hidden and system attributes set are hidden in Windows Explorer when set

The ATTRIB Command
• A command-line utility used to view, add or remove the four attributes of files and folders
• Only way to configure system attribute
• Supports wildcards (*) allowing multiple files or folders to be changed simultaneously
• Syntax
• View: attrib filename
• Set: attrib +attribute filename
• Remove: attrib –attribute filename
Advanced Attributes
• Advanced attributes found on NTFS partitions or volumes
• Archive and Index attributes
• "File is ready for archiving" is the archive bit described above
• "Allow Indexing Service to index this file" lets the Indexing Service catalog the contents for searching
• Compress or Encrypt
• Compress contents to save disk space
• Encrypt contents to secure data
File Compression
• Reduces amount of disk space needed for files and folders
• Automatically uncompressed when the resource is accessed
• Compressed resources displayed in different color in Windows Explorer (blue by default)
• Moving and copying resources can affect compression: a copy takes the compression state of the destination folder, a move within the same NTFS volume keeps the file's own state, and a move to another volume behaves like a copy
COMPACT
• Used with NTFS file system only
• Command-line utility for configuring the compression attribute
• Syntax
• COMPACT (to view)
• COMPACT switches resourcename (to set attributes)
• Switches
• /c (to compress resources)
• /u (to uncompress resources)
File Encryption
• Encrypting File System (EFS) uses public key cryptography to encrypt files and folders
• Only on NTFS file systems
• Transparent to user
• Implemented using 2 main kinds of keys
• A random symmetric file encryption key (FEK) encrypts the file contents
• The FEK, encrypted with the user's EFS public key, is stored in the file header in the data decryption field (DDF); the user's private key unlocks it
• Main challenge for public key cryptography is when users leave organization
• Can rename user account
• Can use data recovery agent
• FEK also stored in data recovery field (DRF)
• Encrypted using data recovery agent’s public key
• In a domain the default recovery agent is the domain Administrator account; additional recovery agents can be designated through Group Policy
• Moving or copying an encrypted file to another NTFS volume keeps it encrypted; copying it to FAT or FAT32 decrypts it, and only a user holding the key can do so
• Encrypted files cannot be compressed, vice versa
Sharing Encrypted Files
• In Windows 2000, only user and data recovery agent could access an encrypted file
• In Windows Server 2003, Advanced Attributes allows sharing with other specific named users
• Issues:
• Only for files, not folders
• Can only share with users, not groups
• Users must have a certificate on computer
• Users must have appropriate NTFS permissions
The CIPHER Command
• Command-line utility for file and folder encryption
• Used by administrator
• NTFS partitions and volumes only
• Syntax
• CIPHER (to view)
• CIPHER switches resourcename (to set attributes)
• Switches
• /e (encrypt the specified folders; files added later are encrypted automatically)
• /d (decrypt the specified folders)
• /a (apply the operation to files as well as folders)
• /s:folder (apply the operation to the folder and all its subfolders)
• Cannot encrypt files which have their read-only attribute set
• Can use the wildcard character (*)
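The ATTRIB, COMPACT and CIPHER commands above, run as one housekeeping script on an NTFS data volume. This is an added example rather than anything from the 70-290 slides; the paths D:\Apps, D:\Archive, D:\Secret and C:\secure and the file names in them are assumptions. It includes the two caveats the slides mention but do not show: a file cannot be both compressed and encrypted, and CIPHER will not encrypt a read-only file.

```batch
@echo off
rem Added example: attribute, compression and encryption housekeeping on NTFS.
rem Paths and file names are fictional.  COMPACT and CIPHER need NTFS volumes.
setlocal

rem --- ATTRIB: make an application data file "super hidden" (System + Hidden) ---
attrib +s +h D:\Apps\config.dat
rem The file now disappears from Explorer unless "Hide protected operating system
rem files" is cleared; the command line still lists it by attribute:
dir /a:sh D:\Apps
attrib D:\Apps\config.dat

rem --- COMPACT: compress an archive tree; /s recurses, /i ignores errors, /q quiet ---
compact /c /s:D:\Archive /i /q
rem No /c or /u = report only (shows the compression ratio per file)
compact /s:D:\Archive

rem --- CIPHER: encrypt a folder tree with EFS ---
rem A file can be compressed or encrypted, not both, so D:\Secret is kept out
rem of the COMPACT run above.  Clear read-only first: CIPHER cannot encrypt a
rem read-only file.  /d also clears the attribute on the folders themselves.
attrib -r D:\Secret\* /s /d
rem /e marks the folders so new files are encrypted; /a also encrypts the files
rem already there; /s: walks the subfolders
cipher /e /a /s:D:\Secret
rem Report only: E marks encrypted entries, U unencrypted ones
cipher /s:D:\Secret

rem --- Recovery agent key pair for the EFS recovery policy ---
rem Writes efs-ra.cer and efs-ra.pfx (private key, password prompted).  Import
rem the .cer into Group Policy (Public Key Policies > Encrypting File System) to
rem designate the agent; keep the .pfx offline, it decrypts every file under
rem the policy.
cipher /r:C:\secure\efs-ra
endlocal
```

The recovery agent step is the one to rehearse before users start encrypting: once a user's profile is gone, the DRF entry created from that .cer is the only route back to the data, and the matching .pfx is therefore the most sensitive file produced by this script.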
Disk Quotas
• Disk quotas used to monitor and control user disk space
• Advantages
• Prevents users from consuming all disk space
• Encourages users to delete old files
• Allows monitoring for planning purposes
• Allows monitoring of individual users
• Disabled by default
• Implemented only on NTFS volumes
• Configured from Properties of a volume
Managing Disk Quotas from the Command Line
• FSUTIL QUOTA command-line utility can be used to manage disk quotas
• Can enable/disable, modify, display, track, report
• Example (to enable disk quotas on drive E)
• fsutil quota enforce e:
• Events written to System log (displayed in Event Viewer) every hour by default
• fsutil behavior set quotanotify seconds changes the interval
• Help available for fsutil quota and fsutil behavior commands in Help and Support Center
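A fuller quota rollout than the single enforce command above, as an added example that is not from the 70-290 slides: track first, set a per-user threshold and limit, then switch to enforcement and check the logs. The volume letter E:, the user CORP\jdoe and the sizes are assumptions; FSUTIL takes sizes in bytes.

```batch
@echo off
rem Added example: disk quota rollout on data volume E: (fictional).  Sizes are
rem bytes: 471859200 = 450 MB, 524288000 = 500 MB.  The user is fictional.
setlocal

rem Start by tracking only: usage is recorded and logged, nothing is blocked yet
fsutil quota track E:

rem Per-user entry: warning (threshold) at 450 MB, hard limit at 500 MB
fsutil quota modify E: 471859200 524288000 CORP\jdoe

rem Review the settings and every user's current usage before enforcing
fsutil quota query E:

rem Switch to enforcement once the baseline looks sane
fsutil quota enforce E:

rem Threshold and limit events go to the System log once per interval; the
rem default is 3600 s (one hour).  Tighten it to 10 minutes during the rollout.
fsutil behavior set quotanotify 600
fsutil behavior query quotanotify

rem Pull the quota violation events out of the event logs
fsutil quota violations
endlocal
```

The track-then-enforce order matters: enforcing on a volume whose existing users are already over the limit blocks their next write immediately, and the query output is what tells you whether that is about to happen.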

Distributed File System
• Makes it appear that multiple shared-file resources are stored in a single hierarchical structure
• Users do not have to know which server a shared folder resides on
• Configured using the Distributed File System console in Administrative Tools menu
• Tree structure (root and DFS links)
DFS Models
• Two models:
• Standalone DFS model (single root server, no automatic replication, more limited capabilities)
• Domain-based DFS model
• Hierarchical structure is called DFS topology or logical structure, three elements to structure
• The DFS root
• Main container on host server
• The DFS links
• Pointers to physical location of shared folders
• Servers on which the DFS shared folders are replicated as replica sets
• Replica set is set of shared folders that is replicated across multiple servers
Managing DFS
• Tasks involved in managing DFS system
• Deleting a DFS root
• Removing a DFS link
• Adding root and link replica sets
• Checking the status of a root or link
• Replication capability provides fault tolerance and load balancing
• DFS replication options and topologies managed from Configure Replication wizard
• DFS element status is indicated with colored icons
Summary
• File and folder attributes are:
• Read-only (can a resource be modified or deleted)
• Archive (has a resource recently been changed)
• System (does resource have specific display requirements, especially in conjunction with Hidden)
• Hidden (should the resource appear normally in Windows Explorer)
• File and folder attributes can be set through graphical tools or the ATTRIB command-line utility
• Advanced attributes on NTFS partitions or volumes include:
• Archiving (specifies whether to back up file)
• Indexing (makes resource searchable)
• Compression (saves disk space)
• Encryption (makes resources accessible only to those holding keys)
• Command-line utilities for advanced attributes include:
• COMPACT
• CIPHER
• Disk quotas allow management of disk space usage by individual users
• Managed from the Properties of a volume or using the FSUTIL command-line utility
• Distributed File System allows management of shared-file resources
• Appear as a single hierarchical structure
• Can be physically located on different servers
• Two DFS models: standalone and domain-based
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment

Chapter 8:
Implementing and Managing Printers
Objectives
• Understand Windows Server 2003 printing terms and concepts
• Install and share printer resources
• Configure and manage installed printers
• Publish printers in Active Directory
• Troubleshoot printer problems
Windows Server 2003 Printing Concepts
• These concepts are required for configuring and troubleshooting Windows Server 2003 printing:
• Print device
• Printer
• Print driver
• Print server
• Print client
• For efficient printing, network has following hardware requirements:
• One or more computers as print servers
• Sufficient space on a hard drive for the print server
• Sufficient RAM beyond that of minimum Windows Server 2003 requirements
Understanding Network Printing
• User sends job to local printer
• Job is spooled on local computer
• Directed to specific port, e.g., LPT1
• User sends job to network printer
• Print client generates a print file
• Print file is rendered
• Print job is spooled on client machine
• If the remote printer is ready, the print file is transmitted to the Server service
• Network print server processes print file (router, print provider, print processor, and print monitor)
Installing and Sharing Printer Resources
• The following sections discuss:
• Installing a local printer
• Sharing printers for access to network users
• Connecting to an existing network printer
Adding a Printer as a Local Device
• Smaller networks may share print devices connected directly to a local port
• Need administrator privileges to install
• Use the Add Printer Wizard for Windows Server 2003; configuration options include:
• Make, model, driver, port, default status, sharing
• Printers can be detected by Plug & Play or manually configured
Adding a Printer as a Network Device
• Print device can be installed as a network device rather than directly connected to local print server
• Will communicate via TCP/IP (or other protocol)
• Add Printer Wizard also used to install a print device on the network
• Primary difference in configuration
• Create a new TCP/IP port (using the Add Standard TCP/IP Printer Port Wizard) rather than using a local port
Configuring and Managing Printer Resources
• Initial configuration of a printer done at installation through Add Printer Wizard
• Additional configuration can be done through Properties of installed printer
Configuring an Existing Printer
• Can modify configuration settings through Properties
• Sharing tab
• Allows you to enable or disable printer sharing and Active Directory publishing
• Security tab
• Allows you to control printer permissions
Printer Pools and Priorities
• A printer pool is a single printer connected to a number of print devices
• Multiple physical print devices function as a single logical printer
• High-volume environments
• Reduced printing time
• Configured on Ports tab of printer’s Properties
• The priority of a printer is set from the Advanced tab of the printer’s Properties
• Priority is a number from 1 (lowest) to 99 (highest)
• To ensure that a specific user always has the highest priority, allow only that user access to the highest priority printer
Setting Up and Updating Client Computers
• After printer is installed and configured
• Set up client computers to print to the print server
• Clients running Windows 2000, Windows Server 2003, or Windows XP automatically download print driver upon connection
• Windows 95, 98, ME and NT 4.0 download if available, otherwise can be manually added
• Older Windows versions and non-Windows clients must have the print driver manually installed
Managing Print Queues
• Print jobs are queued while waiting for an available printer to be ready
• To view print queue, double-click the printer icon in the Printers and Faxes tool
• Users with Print permission can pause, resume, restart, or cancel printing of their own documents
• Users with Manage Documents permission can pause, resume, restart or cancel printing of other users’ documents
Internet Printing Protocol
• The Internet Printing Protocol (IPP) specification allows printers to be managed via a Web browser
• URL of the form http://printservername/printers
• IPP support is built into Windows Server 2003 but requires Internet Information Services (IIS)
• IIS not installed by default
• Clients running Windows 2000, XP and Server 2003 can connect to existing printers using Web interface or Add Printer Wizard
• Add Printer Wizard URL is http://printservername/printers/printername/.printer
• Benefits of using IPP
• Simplifies administrative management of printers from any system on the network
• Does not require printers to be installed on local client system
• Can print to other locations over the Internet, allows users access to remote printers
Printer Command-Line Utilities
• Windows Server 2003 provides a number of built-in VBScript files
• Allow printers to be managed from command line
• Because the utilities are VBScripts, they must be invoked using Windows Script Host (WSH)
• Command-line version is cscript.exe
• Example command to display current configuration of a printer named HPLaserJet-Server01
• cscript prncnfg.vbs -g -p hplaserjet-server01
Print Spooler
• Jobs are spooled on the hard disk of the print server by default
• For Windows Server 2003, spooling occurs in the WINDOWS\system32\spool\PRINTERS folder by default
• Not optimal for high-volume printing because it is located in the same volume as the Windows operating system files
• For best performance
• Move the print spool folder to a different partition
• On a dedicated disk optimally
Publishing Printers in Active Directory
• Shared printers can be published into Active Directory to help users find network printer resources
• Windows 2000- and Windows Server 2003-compatible printers installed on a domain print server are automatically published
• On earlier Windows versions, can be published manually
• Use VBScript pubprn.vbs to automate process
Troubleshooting Printer Problems
• Print jobs will not print
• Ensure printer is online, there is enough disk space for spool folder, not out of paper
• Printer output appears garbled
• Ensure that you have the correct drivers
• Users receive an Access Denied message when attempting to print
• Review and correct permissions
• Users cannot find an existing printer when searching Active Directory
• Ensure printer is published
• Printer only works at certain times of the day
• Change printer availability or direct user to a different printer
• Windows 95/98/ME users cannot connect to a printer
• Make required drivers available
• Print jobs become stuck in the print queue
• Restart from the print server
• Print device failure
• Redirect print jobs if necessary
Summary
• Components of a printing system include print devices (local and network), printers, print drivers, print servers, print clients
• A printer is a configurable object that controls the connection to a print device
• Main tool for installing printers is the Add Printer Wizard
• Printer configuration options can be modified through the Properties of the printer
• Printer permissions include:
• Print, Manage Documents, Manage Printers, Special permissions
• Printer priorities can be set from 1 to 99
• A printer pool is a single printer connected to a number of print devices
• A print queue contains jobs that are waiting to print
• Can be managed by users with appropriate permissions
• Alternatives to managing printers via the Printers and Faxes tool:
• Internet Printing Protocol
• Printer command-line utilities (VBScripts)
• Spool folder should be located carefully
• Shared printers can be published into Active Directory for ease in locating appropriate features
• Common printer problems and standard fixes are used for troubleshooting