Windows 2000 Professional Study Notes By http://www.mcmcse.com
Installation
The following are the installation requirements for a Windows 2000 Professional workstation:
• 133 MHz or higher Pentium-compatible processor
• 64 MB of RAM minimum (4 GB maximum)
• 2 GB hard drive with a minimum of 650 MB of free space (additional free disk space is required if you are installing over a network)
• Windows 2000 Professional supports up to 2 processors
Always check the Hardware Compatibility List (HCL) before beginning any installation. Windows 2000 can be installed on any type of partition: FAT, FAT32, or NTFS. NTFS is recommended, but use FAT or FAT32 for any partition that must remain readable by the other OS when dual booting. Upgrades can be performed on Windows 9x machines and on NT 3.51 and higher. To upgrade Windows 3.1 or NT 3.5, first upgrade to Windows 9x or NT 4.0, respectively. To install over a network, set up a distribution server first. Slipstreaming integrates a service pack into the distribution share so that Windows 2000 and the service pack are installed in one pass; it is typically done on a distribution image used for many computers. There are four logs for troubleshooting failed installations: Setupact.log, Setuperr.log, Setupapi.log and Setuplog.txt. The following table lists some of the common switches available for use with WINNT.EXE.
WINNT.EXE switches:
/e:command - Executes a command before the last phase of Setup.
/r:foldername - Creates an additional folder in the folder where the Windows 2000 files are installed. The folder IS NOT DELETED after Setup finishes. Use additional /r switches to create additional folders.
/rx:foldername - Creates a folder that is copied as part of Setup into the Windows 2000 directory, but the folder IS DELETED when Setup finishes.
Use Winnt32.exe for a clean installation or an upgrade from Windows 9x or NT Workstation. There are a number of switches that can be used with winnt32.exe. Below are some of the important ones:

WINNT32.EXE switches:
/copydir:foldername - Creates an additional folder in the folder where the Windows 2000 files are installed. The folder IS NOT DELETED after Setup finishes. Use additional /copydir switches to create additional folders. Same as /r for winnt.exe.
/copysource:foldername - Creates a folder that is copied as part of Setup into the Windows 2000 directory, but the folder IS DELETED when Setup finishes. Same as /rx for winnt.exe.
/cmd:command - Executes a command before the last phase of Setup. Same as /e: for winnt.exe.
/cmdcons - Installs the files needed to start the system in the command-line (non-graphical) Recovery Console for repair purposes.
/syspart:drive - Prepares a hard disk to be transferred to another computer. This switch copies the Setup startup files to the disk and marks the partition active. Requires the /tempdrive switch.
/tempdrive:drive - Specifies the drive on which Windows 2000 temporary files are placed during Setup.
/makelocalsource - Copies all of the Windows 2000 source files to the target drive during installation, so the CD is not needed later.
/noreboot - Suppresses the reboot after the file-copy phase so that another command can be run first.
/checkupgradeonly - Checks your system for incompatibilities that would prevent a successful upgrade, without installing anything.
/unattend - Upgrades your previous version of Windows in unattended Setup mode. All user settings are taken from the previous installation, so no user intervention is required during Setup. For a clean unattended installation use /unattend[seconds]:answer_file, where seconds is the delay before Setup restarts the computer after the file copy and answer_file supplies the settings.
Windows 2000 Professional supports unattended installations. With winnt.exe the /u:answer_file switch (together with /s:sourcepath) specifies the answer file and the location of the installation files; with winnt32.exe use /unattend:answer_file. Unattended installations can be done for clean installs as well as upgrades, and can be fully automated. The sample answer file that ships with Windows 2000 is called unattend.txt and can be modified. Setup Manager can also create answer files. For more in-depth information about unattended installations, read our tutorial Windows 2000 Unattended Installations.

Windows 2000 comes with a variety of tools that can be helpful during installations. Understand the following concepts:
• Disk duplication is used when the computers have identical hardware configurations, and is only used for clean installs.
• Sysprep is used to prepare an image of a computer for cloning, but does not provide the actual distribution of the image. That is done with third-party tools.
• To use Remote Installation Services (RIS), the DHCP server service, the DNS server service, and Active Directory must be running on the network.
• Scripting (answer files) is used when computers have different hardware configurations and disk duplication cannot be used.
• Answer files supply the information that is normally typed into the installation dialog boxes, such as user name, password, domain name and time zone.
Backup and Recovery
Recovery Console: Now that you have installed Windows 2000, you should immediately take steps to protect your installation by installing the Recovery Console. The Recovery Console is similar in purpose to the emergency repair disk in NT 4.0, but with many functionality enhancements. From the Recovery Console you can start and stop services, read and write data on a local drive (including drives formatted with the NTFS file system), copy data from a floppy disk or CD, format drives, fix the boot sector or master boot record, and perform other administrative tasks. With Windows NT 4.0, many administrators would create a FAT partition that allowed them to boot to a DOS prompt; the Recovery Console eliminates the need for such a partition. The Recovery Console is set up as follows: insert the installation CD, switch to the I386 directory and type winnt32 /cmdcons. When asked for confirmation, answer "yes" and the files are copied to the hard disk. After rebooting the computer you will be able to select "Microsoft Windows 2000 Recovery Console" from the boot menu and start in command mode. You will be prompted for the Windows 2000 installation that you wish to repair and for the local Administrator password. Note that this password prompt is all that stands between anyone with physical access to the machine and full read/write access to its NTFS volumes, so treat the local Administrator password of a machine with the Recovery Console installed accordingly. Once you are in, there is a wide variety of commands available; type HELP for a list. Some of the more important commands are:
• DISKPART - Similar to fdisk
• LISTSVC - Lists services and drivers
• ENABLE/DISABLE - Enables or disables a service or driver
• FIXBOOT - Writes a new boot sector on the system partition
• FIXMBR - Repairs the master boot record
• MAP - Shows a list of drive letters and their ARC paths
• LOGON - Chooses which installation to work with
Backup: The Backup program has been greatly enhanced in order to support Active Directory and a much wider variety of backup media; removable disks, network drives, logical drives and tape devices are now supported. Another nice feature is the integrated scheduling option, which removes the need to use AT or another scheduling utility. For more in-depth information on backing up Windows 2000, read our tutorial Backing Up and Restoring Windows 2000.

Other: Windows 2000 has several other utilities to aid in the event of a failure, many of which are included in the "Advanced Options" menu reached by pressing F8 at the boot menu. In order to troubleshoot failures, it is a good idea to understand the boot process, which occurs in the following steps:
1. Power-on self test (POST)
2. Initial startup
3. Bootstrap loader process
4. Select operating system
5. Detecting hardware
6. Selecting a configuration
7. Loading and initializing the kernel (Ntoskrnl.exe)
8. Log on

The boot process requires the following files (file - location):
NTLDR - active partition
Boot.ini - active partition
Ntdetect.com - active partition
Ntoskrnl.exe - %SystemRoot%\System32
Hal.dll - %SystemRoot%\System32
SYSTEM registry hive - %SystemRoot%\System32\Config
Device drivers - %SystemRoot%\System32\Drivers

Ntbootdd.sys is required only if the boot partition is on a SCSI controller whose SCSI BIOS is disabled. Bootsect.dos is required only for multiple booting with a non-NT operating system. When working with the boot.ini file, you need to understand ARC naming conventions. ARC is an architecture-independent way of naming disks and partitions for x86, RISC, Alpha and other platforms; NT uses this convention in boot.ini to determine which disk and partition hold the OS. The table below explains the different components of an ARC path.
multi(x) - The disk is on an EIDE controller, or on a SCSI controller whose BIOS is enabled (so the firmware can read it). Can only be used on x86 systems. x is the number of the controller.
scsi(x) - The disk is on a SCSI controller whose BIOS is not enabled; NTLDR must load Ntbootdd.sys to reach it. x is the number of the controller.
disk(x) - If scsi(x) was used, x is the SCSI ID of the drive. If multi(x) was used, x is always 0.
rdisk(x) - The ordinal of the disk on the controller when multi(x) is used: x = 0-1 on the primary EIDE controller, 2-3 on the secondary channel of a multi-channel EIDE controller. If scsi(x) was used, x is 0.
partition(x) - The partition that the operating system is located on. Partitions are numbered from 1.
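As an added example (not part of the original notes), here is a Python parser that applies the rules in the table above to a boot.ini file: it splits each ARC path into its components, flags the combinations the table rules out (multi() with a non-zero disk(), scsi() with a non-zero rdisk(), a partition() of 0) and checks that the default= entry points at one of the listed operating systems. The boot.ini text is constructed sample data.

```python
"""Parse and sanity-check boot.ini ARC paths.

Added example, not part of the original study notes. The checks encode
the rules in the ARC table above; the boot.ini text below is constructed
sample data.
"""
import re

# multi(0)disk(0)rdisk(1)partition(2)\WINNT -> adapter syntax plus optional path
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi)\((?P<a>\d+)\)"
    r"disk\((?P<d>\d+)\)rdisk\((?P<r>\d+)\)partition\((?P<p>\d+)\)"
    r"(?P<path>\\.*)?$",
    re.IGNORECASE,
)

def parse_arc(arc):
    """Return the components of an ARC path plus a list of rule violations."""
    m = ARC_RE.match(arc.strip())
    if not m:
        raise ValueError(f"not an ARC path: {arc!r}")
    adapter = m["adapter"].lower()
    a, d, r, p = (int(m[k]) for k in ("a", "d", "r", "p"))
    errors = []
    if adapter == "multi" and d != 0:
        errors.append("multi(): disk() must be 0")
    if adapter == "scsi" and r != 0:
        errors.append("scsi(): rdisk() must be 0")
    if p < 1:
        errors.append("partition() is numbered from 1, so 0 is invalid")
    return {
        "adapter": adapter, "controller": a,
        "scsi_id": d if adapter == "scsi" else None,
        "disk_ordinal": r if adapter == "multi" else None,
        "partition": p, "path": m["path"] or "",
        "errors": errors,
    }

DESC_RE = re.compile(r'"(?P<desc>[^"]*)"\s*(?P<opts>.*)')

def parse_boot_ini(text):
    """Parse boot.ini into timeout, default entry, entries and problems found."""
    section = None
    cfg = {"timeout": None, "default": None, "entries": [], "problems": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout":
                cfg["timeout"] = int(value)
            elif key.lower() == "default":
                cfg["default"] = value
        elif section == "operating systems":
            dm = DESC_RE.match(value)
            entry = {"target": key,
                     "description": dm["desc"] if dm else value,
                     "options": dm["opts"].split() if dm else []}
            if re.match(r"^[A-Za-z]:\\", key):
                # Drive-letter targets chain-load a saved boot sector
                # (bootsect.dos) for a non-NT OS; they are not ARC paths.
                entry["kind"] = "bootsector"
            else:
                entry["kind"] = "arc"
                try:
                    entry["arc"] = parse_arc(key)
                    for err in entry["arc"]["errors"]:
                        cfg["problems"].append(f"{key}: {err}")
                except ValueError as exc:
                    cfg["problems"].append(str(exc))
            cfg["entries"].append(entry)
    targets = {e["target"] for e in cfg["entries"]}
    if cfg["default"] not in targets:
        cfg["problems"].append("default= does not match any [operating systems] entry")
    return cfg

SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
scsi(0)disk(2)rdisk(1)partition(1)\WINNT="Old install on SCSI ID 2" /fastdetect
C:\="Microsoft Windows 98"
"""

if __name__ == "__main__":
    result = parse_boot_ini(SAMPLE_BOOT_INI)
    print("default:", result["default"])
    for e in result["entries"]:
        print(f'{e["kind"]:10} {e["target"]}  "{e["description"]}"')
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

A default= entry that no longer matches any operating system line, or disk()/rdisk() values left over from a controller change, are common causes of the "could not read from the selected boot disk" message at startup; checking the file this way before rebooting is cheaper than repairing it from the Recovery Console.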
Below are the various recovery tools included in Windows 2000.
ERD - Emergency Repair Disk. The RDISK utility found in NT 4.0 is gone. An ERD is now created with the Backup utility (ntbackup) and no longer holds a copy of the registry; a registry backup goes to %SystemRoot%\Repair instead, and only if you choose that option when creating the ERD.
Enable VGA Mode - Located in the Advanced Options menu, this starts Windows with the basic VGA driver so that you can fix display settings or drivers that have made the display unviewable.
Last Known Good Configuration - Starts Windows with the registry control set saved at the last successful logon, discarding driver and service configuration changes made since. Good to try if you have made a change to the system and then rebooted with problems, but use it before logging on again: a successful logon overwrites the Last Known Good control set with the current (broken) one.
Safe Mode - Loads a minimal version of Windows 2000 with only the drivers needed to boot the computer. Because this option does not load network services or drivers, it is a good tool to use when you suspect that the problem lies in that area.
Safe Mode With Networking - Same as Safe Mode, but includes networking support.
Safe Mode With Command Prompt - Safe Mode in which EXPLORER.EXE is replaced by CMD.EXE as the shell. From the command prompt it is still possible to run Explorer and other GUI applications. No networking support in this mode.
File System
Disk Management replaces Disk Administrator and is an MMC snap-in. It is used to create and manage partitions, volumes and disks (defragmentation is a separate snap-in, Disk Defragmenter). Windows 2000 supports FAT, FAT32 and NTFS. The convert.exe utility converts a FAT or FAT32 partition to NTFS in place (convert D: /fs:ntfs). NTFS partitions cannot be converted back to FAT or FAT32; if such a need exists, the partition must be backed up, deleted and recreated as FAT or FAT32. The NTFS file system has many new capabilities, as follows:

EFS - Encrypting File System. Windows 2000 NTFS volumes can encrypt data on the disk itself. Each file is encrypted with a random symmetric file encryption key, and that key is in turn encrypted with the user's public key (and with each recovery agent's public key), so the user's private key is what is needed to decrypt the file. The key pair lives in the user's profile, and the private key can be exported to a floppy disk for transport to another machine or for safekeeping. Only the user who encrypted the file or a designated recovery agent can open it; taking ownership of an encrypted file, or being an administrator, will not let you read it. Cipher.exe is a command-line utility that allows for bulk or scripted file encryption (cipher /e /s:folder encrypts a folder tree; cipher with no switches lists the encryption state of the current directory). To have all new contents of a folder encrypted, open the folder's property page, click Advanced and select "Encrypt contents to secure data". EFS works only on NTFS; a file copied to a FAT volume or a floppy is stored in the clear.

Disk Quotas - Provides the ability to set space limits on users on a per-volume basis. The ownership of a file determines which user the space is charged against. Quota management must be enabled from the Quota tab of the volume's properties dialog. You can then set per-user limits, including a warning level that logs an event when a user's files approach the quota limit.

Defragmentation - Windows 2000 now includes a disk defragmenter that can be used on NTFS (and FAT/FAT32) partitions.

Volume Mount Points - Provides the ability to add new volumes to the file system without assigning them a drive letter, by mounting them on an empty folder. The folder used as the mount point must be on an NTFS volume.

The Distributed File System (DFS) has also been enhanced. There are two types of DFS implementation: stand-alone and fault-tolerant (domain-based). Stand-alone DFS stores the configuration information on a single node (server); child nodes can only go one level below the root, and can exist on any server. Fault-tolerant DFS stores the DFS configuration information in Active Directory. Two identical shares on different servers can be configured as a single child node to provide fault tolerance, there can be multiple levels of child volumes, and file replication is supported. Clients must have DFS client software installed. Windows NT 4, Windows 2000 and Windows 98 include this software, while Windows 95 clients must download the DFS client from Microsoft.com.

Windows 2000 features a new storage type called "dynamic disks". Advantages of dynamic disks include an unlimited number of volumes per disk, and NTFS volumes that can be extended, including with space from other disks. Perhaps the most important item is that the disk configuration is stored on the disk itself. This means that disks can be moved between computers (within reason) and the data is available with little additional effort. Dynamic disks are not supported on removable media such as Zip disks, or on laptops. Basic disks can be upgraded to dynamic disks without restarting the computer, but converting back to basic destroys all data on the disk. Simple volumes are created on dynamic disks and are made up of space on one physical disk. Spanned volumes combine space from multiple physical disks (up to 32) and are written to sequentially until each disk is full. Striped volumes are created from multiple disks (up to 32) and are written to concurrently in 64 KB stripes. There are no fault-tolerant disk configurations (mirroring, RAID-5) available in Windows 2000 Professional.
Hardware Devices
Plug and Play is now supported in Windows 2000. Both APM and ACPI are supported for power management, but either must be supported by the computer's BIOS; ACPI is the new standard and APM is legacy. Device Manager is still used for the usual activities (troubleshooting, updating drivers, etc.) and still shows the familiar red and yellow warning icons. Changes to network adapters no longer require a reboot, and Plug and Play adapters are configured automatically.
NTFS Permissions
File and Directory Permissions: NTFS permissions are largely the same as in NT 4.0. The following tables break down each permission type. The first table lists the permissions for files.

Full Control - Read, write, modify, execute and delete the file, change its attributes and permissions, and take ownership of it.
Modify - Read, write, modify, execute and delete the file, and change its attributes.
Read & Execute - Display the file's data, attributes, owner, and permissions, and run the file (if it is a program or has a program associated with it for which you have the necessary permissions).
Read - Display the file's data, attributes, owner, and permissions.
Write - Write to the file, append to the file, and read or change its attributes.
The following table lists the permissions for folders.

Full Control - Read, write, modify, execute and delete files in the folder; change attributes and permissions; and take ownership of the folder or the files within it.
Modify - Read, write, modify, execute and delete files in the folder, and change attributes of the folder or the files within it.
Read & Execute - Display the folder's contents and display the data, attributes, owner, and permissions of files within the folder, and run files within the folder (if they are programs or have an associated program for which you have the necessary permissions).
List Folder Contents - The same rights as Read & Execute; see the note on inheritance below.
Read - Display the folder's contents, attributes, owner, and permissions.
Write - Create files and subfolders in the folder, and read or change the folder's attributes.

The Read & Execute and List Folder Contents folder permissions appear to be exactly the same; however, they are inherited differently and are therefore distinct permissions. Files can inherit Read & Execute but cannot inherit List Folder Contents (it applies to folders only). Folders can inherit both. So what is really different from NT 4.0? NT 4.0 let you grant a permission or leave it unspecified, with the blanket "No Access" as the only way to refuse access. Windows 2000 adds an explicit Deny for each individual permission. For example, if you want to make sure that Bob is unable to read a file, simply deny him the Read permission. Permissions are cumulative (a user gets the union of what is allowed to them and to their groups), except for Deny, which overrides an Allow of the same scope. Note the "same scope": Windows evaluates explicit (directly assigned) permissions before inherited ones, so an explicit Allow on a file overrides a Deny inherited from its parent folder, while an explicit Deny always beats an explicit Allow. The next table shows what happens to a file's permissions when it is copied or moved within or across NTFS partitions.
Moving within a partition - Does not create a new file; simply updates the location in the directory. The file keeps its original permissions.
Moving across partitions - Creates a new file and deletes the old one. The file inherits the target folder's permissions.
Copying within a partition - Creates a new file, which inherits the permissions of the target folder.
Files moved from an NTFS partition to a FAT partition do not retain their attributes or security descriptors, but do retain their long filenames. As with NT 4.0, Windows 2000 also supports special access permissions, and each basic permission is a fixed combination of them. The following tables show the special permissions and the recipe for each basic permission (X = included).

File special permissions:

Special permission            Full     Modify   Read &   Read     Write
                              Control           Execute
Traverse Folder/Execute File  X        X        X
List Folder/Read Data         X        X        X        X
Read Attributes               X        X        X        X
Read Extended Attributes      X        X        X        X
Create Files/Write Data       X        X                          X
Create Folders/Append Data    X        X                          X
Write Attributes              X        X                          X
Write Extended Attributes     X        X                          X
Delete Subfolders and Files   X
Delete                        X        X
Read Permissions              X        X        X        X        X
Change Permissions            X
Take Ownership                X
Synchronize                   X        X        X        X        X

Folder special permissions:

Special permission            Full     Modify   Read &   List     Read     Write
                              Control           Execute  Folder
                                                         Contents
Traverse Folder/Execute File  X        X        X        X
List Folder/Read Data         X        X        X        X        X
Read Attributes               X        X        X        X        X
Read Extended Attributes      X        X        X        X        X
Create Files/Write Data       X        X                                   X
Create Folders/Append Data    X        X                                   X
Write Attributes              X        X                                   X
Write Extended Attributes     X        X                                   X
Delete Subfolders and Files   X
Delete                        X        X
Read Permissions              X        X        X        X        X        X
Change Permissions            X
Take Ownership                X
Synchronize                   X        X        X        X        X        X
Remember that a file's own (explicit) permissions override permissions inherited from its parent folder. Whenever a new file is created, it inherits permissions from the folder it is created in.

Share Permissions: Shares are administered through the MMC (Computer Management), My Computer or Explorer, and permissions are set on a share on its "Share Permissions" tab. Share-level permissions only apply when a file or folder is accessed over the network; they do not apply to a user logged on to the machine locally. The share-level permissions are:

Read - View file and subdirectory names, read files, and run applications. No changes can be made.
Change - Includes Read plus the ability to add, delete or change files and subdirectories.
Full Control - Can perform any and all functions on files and folders within the share, including changing permissions and taking ownership.
These permissions are identical to NT 4.0, with one change: as discussed above, the Deny permission can also be applied to shares, and Deny overrides all Allow entries on the share. When folders on FAT and FAT32 volumes are shared, only the share-level permissions apply, as these file systems do not support file and directory permissions. When folders on NTFS volumes are shared, the user's effective permission is the more restrictive of the two. This means that if Bob is trying to access a file called mystuff located on myshare, and he has share permissions of Read and file permissions of Full Control, his effective permission over the network is Read. Conversely, if his share permission is Full Control and his file permission is Read, he still has only Read access to mystuff. Within a single category (share permissions alone, or NTFS permissions alone) the permissions granted to the user and to all of the user's groups add up, so the least restrictive combination wins, subject to any Deny. When combining share and NTFS permissions, take the cumulative result of each category and then the more restrictive of those two. A user who logs on locally is subject to the NTFS permissions only, so share permissions alone never protect a file from someone who can reach the disk directly.
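The combination rule above, as an added example that is not from the original notes: a small Python calculator that works out a user's effective rights from NTFS and share ACLs. It models the Windows 2000 ACE evaluation order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and the share/NTFS intersection for network access. The rights vocabulary is reduced to the basic permissions the notes describe, and the users and groups (Bob, Users, Everyone) are constructed.

```python
"""Effective-permission calculator for Windows 2000 share + NTFS permissions.

Added example, not part of the original study notes. The rights vocabulary
is simplified to the basic permissions the notes describe, and all
principals are constructed sample data.
"""
from dataclasses import dataclass

READ, EXECUTE, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNER = (
    "read", "execute", "write", "delete", "change permissions", "take ownership")
ALL = frozenset({READ, EXECUTE, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNER})

# Basic NTFS permissions expanded to the rights they contain.
NTFS_BASIC = {
    "Full Control": ALL,
    "Modify": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Read & Execute": frozenset({READ, EXECUTE}),
    "Read": frozenset({READ}),
    "Write": frozenset({WRITE}),
}

# Share-level permissions: Read lets you view files and run programs.
SHARE_LEVEL = {
    "Read": frozenset({READ, EXECUTE}),
    "Change": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL,
}

@dataclass(frozen=True)
class Ace:
    principal: str            # user or group name
    allow: bool               # True = Allow ACE, False = Deny ACE
    rights: frozenset
    inherited: bool = False   # inherited from a parent folder (NTFS only)

def canonical_order(aces):
    """Windows evaluates explicit ACEs before inherited ones, and Deny before
    Allow within each group: explicit Deny, explicit Allow, inherited Deny,
    inherited Allow. Sorting by (inherited, allow) reproduces that order
    because False sorts before True."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))

def effective_rights(aces, user, groups):
    """For each right, the first ACE in canonical order that names the user
    or one of the user's groups and mentions that right decides it."""
    principals = {user, *groups}
    decided = {}
    for ace in canonical_order(aces):
        if ace.principal not in principals:
            continue
        for right in ace.rights:
            decided.setdefault(right, ace.allow)   # first decision wins
    return frozenset(r for r, allowed in decided.items() if allowed)

def effective_access(ntfs_aces, share_aces, user, groups, over_network=True):
    """Rights the user actually gets. Share permissions only matter when the
    file is reached through the share; a local logon sees NTFS rights only.
    Within each category Allow ACEs accumulate (least restrictive wins,
    subject to Deny); across the two categories the intersection applies
    (most restrictive wins)."""
    ntfs_rights = effective_rights(ntfs_aces, user, groups)
    if not over_network:
        return ntfs_rights
    return ntfs_rights & effective_rights(share_aces, user, groups)

def ntfs(principal, basic, allow=True, inherited=False):
    return Ace(principal, allow, NTFS_BASIC[basic], inherited)

def share(principal, level, allow=True):
    return Ace(principal, allow, SHARE_LEVEL[level])

if __name__ == "__main__":
    groups = {"Everyone", "Users"}
    # Bob has Full Control on the file but the share grants only Read.
    print(sorted(effective_access([ntfs("Bob", "Full Control")],
                                  [share("Everyone", "Read")], "Bob", groups)))
    # An explicit Allow on the file beats a Deny inherited from the folder.
    print(sorted(effective_access(
        [ntfs("Everyone", "Write", allow=False, inherited=True), ntfs("Bob", "Modify")],
        [share("Everyone", "Full Control")], "Bob", groups)))
```

The same function with over_network=False shows why share permissions are not a substitute for NTFS permissions: the share ACL simply drops out of the calculation for anyone who reaches the volume locally.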
Printers
In Microsoft terminology the print device is the physical piece of equipment, and the printer (or logical printer) is the software interface the user sees on the local computer. Print processor, print router and printer pools are self-explanatory. The print spooler holds documents until the print device is ready for them. Printers can be published in Active Directory and found by querying attributes such as location, the ability to staple, the paper sizes supported, or the printer type, to name a few. A Windows 2000 Professional print server automatically provides drivers to clients running Windows 2000, Windows NT 4/3.51 and Windows 9x, provided those drivers have been added to the server. Printer pooling lets jobs be spread across more than one print device, which then behave as one printer; all print devices in a pool must use the same driver. If a print device jams in the middle of a job, you can select "Resume" to continue where you left off.
Registry
The registry is organized into the following subtrees (root keys):

HKEY_CURRENT_USER - Contains the root of the configuration information for the user who is currently logged on, i.e. that user's profile.
HKEY_USERS - Contains the root of all loaded user profiles on the computer. HKEY_CURRENT_USER is an alias for a subkey in the HKEY_USERS subtree.
HKEY_LOCAL_MACHINE - Contains configuration information particular to the computer (for any user).
HKEY_CLASSES_ROOT - An alias built from HKEY_LOCAL_MACHINE\Software\Classes (merged, in Windows 2000, with the per-user HKEY_CURRENT_USER\Software\Classes). The information stored here ensures that the correct program opens when you open a file from Windows Explorer.
HKEY_CURRENT_CONFIG - Contains information about the hardware profile used by the local computer at system startup.

The registry editors included with Windows 2000 are Regedt32 and Regedit. Each has advantages and disadvantages; you can perform most tasks with either, but certain tasks are easier with one of them. The advantages of Regedt32 are:
• Using the Security menu, you can check for and apply access permissions to subtrees, keys, and individual subkeys. Regedit cannot edit registry ACLs, so Regedt32 is the tool to use when locking down keys.
• Each subtree is displayed in its own dedicated window, reducing clutter.
• You can set an option to work in read-only mode.
• You can edit values longer than 256 characters.
• You can easily edit REG_MULTI_SZ entry values.
• You can load multiple registry hive files at the same time.

The advantages of Regedit are:
• Regedit has more powerful search capabilities (it searches key names, value names and value data).
• All the keys are visible in one Windows Explorer-like window.
• You can bookmark favorite subkeys for fast access later on.
• Regedit reopens to the subtree that was last edited.
• You can export the registry (or a single key) to a text file.
• You can import a registry file from the command line.
Optimization and Tuning
Performance Monitor is included in Windows 2000 as an MMC snap-in. Just as in NT 4.0, there are performance counters that can be used to determine the source of performance problems. The following is a list of important counters and suggested thresholds.

Processor:
Object = Processor. Counter = % Processor Time - If this value is consistently at or above 80% and disk and network counter values are low, a processor upgrade may be necessary.
Object = System. Counter = Processor Queue Length - A sustained processor queue length over 2 may indicate a processor bottleneck.

Memory:
Object = Memory. Counter = Pages/sec - If the value is consistently over 20, the system may need a memory upgrade.
Object = Memory. Counter = Committed Bytes - Should be less than the amount of RAM in the computer.

Physical Disk:
Object = PhysicalDisk. Counter = % Disk Time - If over 90%, add more disk drives and spread the files among all of the drives.
Object = PhysicalDisk. Counter = Disk Queue Length - If consistently over 2, drive access may be a bottleneck.

Logical Disk:
Object = LogicalDisk. Counter = Disk Queue Length - If consistently over 2, drive access may be a bottleneck. (In Windows 2000 the LogicalDisk counters are not collected until diskperf -yv has been run and the computer restarted.)

Network:
Object = Server. Counter = Bytes Total/sec - If the sum of Bytes Total/sec for all servers is about equal to the maximum transfer rate of your network, the network may need to be further segmented.

Windows 2000 Performance Monitor has several different logging methods. Many third-party performance applications use the Trace log feature. Counter logs record performance values at a designated interval for local or remote Windows 2000 computers. Alerts can send a message or run a script/program when a pre-determined threshold has been crossed. Performance Monitor now offers more flexibility for exporting data, as logs can be saved in HTML, binary, binary circular, .csv and .tsv formats.

Paging File: The paging file (pagefile.sys) backs virtual memory and stores pages that are not resident in RAM. There is a lot of conflicting information on Microsoft's website regarding the recommended size of the paging file, and we are not sure which is correct. Some references say that it should be 1.5x the amount of physical RAM and others say that it should be physical RAM + 12 MB, as in NT 4.0. You can see the conflicting recommendations in the following support articles:
http://support.microsoft.com/support/kb/articles/Q216/8/99.ASP
http://support.microsoft.com/support/kb/articles/Q197/3/79.ASP
http://support.microsoft.com/support/kb/articles/Q259/1/51.ASP
What you will more likely see on the exam are questions that test whether you understand the situations in which the page file should be increased, rather than memorized recommended settings. One such situation is when SQL Server is employed; in this case it is recommended that the paging file be set to 1.5x the amount of physical RAM (http://www.microsoft.com/TechNet/sql/Technote/sql7prep.asp). For better performance, the paging file should be distributed across multiple physical drives that do not contain the system or boot files.

Driver Signing: A signed driver carries a Microsoft digital signature certifying that the driver passed Windows Hardware Quality Labs testing and that the file has not been altered since. You can control what happens when a user installs an unsigned driver by choosing Ignore, Warn or Block in the Driver Signing Options dialog (System properties, Hardware tab); Block is the only setting that actually prevents unsigned code from being installed as a driver. Use System File Checker (SFC /scannow) to verify that protected system files have not been replaced with unsigned versions; other SFC options include /quiet, /scanboot, /scanonce and /cancel. The File Signature Verification tool (sigverif.exe) lists the unsigned drivers already on the computer.
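The counter thresholds listed under Performance Monitor above, as an added example (not from the original notes): Python that evaluates them against rows from a counter log. It treats "consistently" as a run of consecutive samples over the threshold, so a single spike does not trigger, applies the "only if disk and network are low" qualifier to the processor rule, and checks Committed Bytes against RAM as an absolute rather than sustained condition. The counter names follow the notes; the sample rows, RAM size and the "I/O is quiet" cutoffs are constructed assumptions.

```python
"""Evaluate the Performance Monitor thresholds from the notes against rows
from a counter log.

Added example, not part of the original study notes. Counter names follow
the notes; the sample rows, RAM size and the "I/O is quiet" cutoffs are
constructed assumptions.
"""

# (object, counter, comparison, threshold, what a sustained breach suggests)
RULES = [
    ("Processor", "% Processor Time", ">=", 80, "processor upgrade may be needed"),
    ("System", "Processor Queue Length", ">", 2, "processor bottleneck"),
    ("Memory", "Pages/sec", ">", 20, "memory upgrade may be needed"),
    ("PhysicalDisk", "% Disk Time", ">", 90, "add disks and spread files across them"),
    ("PhysicalDisk", "Disk Queue Length", ">", 2, "drive access is a bottleneck"),
]

def breached(value, comparison, threshold):
    return value >= threshold if comparison == ">=" else value > threshold

def sustained(samples, key, comparison, threshold, window):
    """True only if the counter breached its threshold in `window` consecutive
    samples; the notes say "consistently", so a single spike does not count."""
    run = 0
    for row in samples:
        run = run + 1 if breached(row[key], comparison, threshold) else 0
        if run >= window:
            return True
    return False

def average(samples, key):
    return sum(row[key] for row in samples) / len(samples)

def find_bottlenecks(samples, ram_bytes, window=3,
                     io_quiet_disk=50.0, io_quiet_net=1_000_000):
    """Return (counter, advice) pairs for every rule that fires."""
    findings = []
    for obj, counter, comparison, threshold, advice in RULES:
        key = f"{obj}\\{counter}"
        if not sustained(samples, key, comparison, threshold, window):
            continue
        if obj == "Processor":
            # The notes qualify this rule: only blame the CPU when disk and
            # network are low; otherwise the CPU is probably waiting on I/O.
            disk = average(samples, "PhysicalDisk\\% Disk Time")
            net = average(samples, "Server\\Bytes Total/sec")
            if disk >= io_quiet_disk or net >= io_quiet_net:
                advice = "CPU busy but disk or network is busy too; look at I/O first"
        findings.append((key, advice))
    # Committed Bytes versus RAM is an absolute check, not a sustained one.
    if any(row["Memory\\Committed Bytes"] > ram_bytes for row in samples):
        findings.append(("Memory\\Committed Bytes", "committed memory exceeds physical RAM"))
    return findings

def _row(cpu, queue, pages, committed, disk_time, disk_queue, net):
    return {
        "Processor\\% Processor Time": cpu,
        "System\\Processor Queue Length": queue,
        "Memory\\Pages/sec": pages,
        "Memory\\Committed Bytes": committed,
        "PhysicalDisk\\% Disk Time": disk_time,
        "PhysicalDisk\\Disk Queue Length": disk_queue,
        "Server\\Bytes Total/sec": net,
    }

RAM_BYTES = 128 * 1024 * 1024
# Constructed samples, one per interval: a single CPU spike in interval 2,
# a disk queue that stays high for three intervals, and steady paging.
SAMPLES = [
    _row(40, 1, 25, 90_000_000, 30, 1, 120_000),
    _row(95, 3, 28, 92_000_000, 35, 1, 130_000),
    _row(45, 1, 24, 91_000_000, 40, 3, 125_000),
    _row(50, 1, 26, 93_000_000, 45, 4, 140_000),
    _row(48, 2, 27, 94_000_000, 42, 5, 135_000),
    _row(42, 1, 23, 90_000_000, 38, 1, 120_000),
]

if __name__ == "__main__":
    for key, advice in find_bottlenecks(SAMPLES, RAM_BYTES):
        print(f"{key}: {advice}")
```

With the default window of three samples the CPU spike and the one-off queue length are ignored and only the paging and disk queue rules fire; shrinking the window to 1 shows how much noisier a naive per-sample alert would be.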
User Environment
Profiles: User profiles keep users' desktop settings and preferences available to them each time they log on. Roaming user profiles keep this information on a network server so users can access their profile from any computer on the network. Ntuser.dat and Ntuser.man work the same as in NT 4.0: renaming Ntuser.dat to Ntuser.man makes the profile mandatory, so changes are discarded at logoff. Local profiles are stored in C:\Documents and Settings\username.

Offline Files: Offline files let users cache network files normally stored on servers. The Synchronization Manager manages those files once the feature is set up. Offline files are stored in the %SystemRoot%\CSC directory. Offline files support three types of caching:
• Manual caching for documents - Users must specify the documents they want cached.
• Automatic caching for documents - Caches every file a user opens from the share.
• Automatic caching for programs - Files a user opens are cached and afterwards run from the cache, which reduces network traffic because the network copy is only read once.

Localization: There are 24 localized versions of Windows 2000. Unicode is a character set that supports worldwide communications and has characters for French, Russian and other languages. The multilingual run-time libraries and APIs let developers build a single binary that behaves correctly in other languages. Locales are localized language and custom settings, as follows:
User locale = number, currency, time and date formats, etc.
Input locale = keyboard layout and input method.
System locale = code page (character set) and fonts used by non-Unicode programs.

Software Packages: Software can be efficiently deployed, updated and removed using Group Policy and two technologies built into Windows 2000: Windows Installer, and Software Installation and Maintenance. Windows Installer replaces Setup.exe for many applications. Its advantages include the ability to build custom installations, to let programs "repair" themselves if a critical file is missing or corrupt, and to remove themselves cleanly when necessary. Software Installation and Maintenance combines Group Policy and Active Directory to let an administrator install, manage and remove software across the network. This is only available for Windows 2000 clients. When you deploy software, you can choose to assign it or publish it. Assigned software can be targeted at users or computers. If you assign an application to a USER, its icons show up on the desktop and/or Start menu, but the program is only installed when the user runs it for the first time. If it is assigned to a COMPUTER, it is installed the next time the system is restarted. If you publish an application, the user can install it through Add/Remove Programs or by opening a file whose extension is associated with that program. Published programs cannot self-repair, cannot be published to computers, and are not advertised on the user's desktop or Start menu, only through Add/Remove Programs. Assigned applications require a Windows Installer package (.msi), while published applications can use Windows Installer packages or .ZAP files. A .ZAP file is an administrator-created text file that specifies the setup program to run and the file extensions associated with the application. Installations that use .ZAP files cannot self-repair, do not install with elevated privileges (so the user must be allowed to install software), and typically require user intervention to complete. You can deploy upgrades using GPOs simply by specifying which program is to be upgraded and whether or not the upgrade is mandatory. You can apply service packs or patches by redeploying an existing Group Policy with the updated package.
Fax Support Windows 2000 Professional ships with built-in fax support with a single user license. Faxing is managed via the Fax Service Management tool which will be installed when a fax device is installed on the computer. The "virtual" fax machine will appear as an icon in the printers folder. In order for faxes to be sent, the user must have appropriate permissions to send them. These permissions can be viewed by finding the fax icon in the printer folder and viewing the Security tab in the properties. In order to receive faxes, the "Enable to Receive" must be selected.
Network Connections
Windows 2000 supports many industry-standard protocols, including:
• TCP/IP (obviously)
• NetBEUI
• AppleTalk
• IPX/SPX (NWLink)
• DLC - for use with mainframes, AS/400s and some older network printers
• IrDA - Infrared Data Association
The same tools are still used for troubleshooting TCP/IP: PING, IPCONFIG, TRACERT, ARP, NBTSTAT, NETSTAT, ROUTE, etc. PATHPING is new and combines PING and TRACERT to locate where along a route packets are being lost. Like Windows 98, Windows 2000 supports Automatic Private IP Addressing (APIPA). When "Obtain an IP address automatically" is enabled but the client cannot obtain an address from a DHCP server, APIPA assigns an address in the 169.254.x.x range with a class B subnet mask (255.255.0.0). The computer broadcasts for this address on its local subnet and, if no other computer responds, allocates the address to itself. Remember that a computer using one of these addresses can only communicate with other computers that have compatible addresses and subnet masks, so an APIPA address on a client is usually a symptom of DHCP failure rather than a configuration to live with.

Remote Access
RAS policies are a new feature in Windows 2000. It is now possible to build an entire set of rules, called a remote access policy, that dictates the conditions that must be met before a user can connect. The conditions can require that a user is dialing from a specific IP address or range of addresses, during the right time of day, from the appropriate caller ID location, using the appropriate protocol. Access can also be restricted by group membership or by the type of service requested. All of these conditions are configurable and optional, and every condition on a policy must be satisfied for the policy to apply. Once the user has matched a policy, a profile is applied, which can include the IP address to use for the session, the authentication types that are allowed, restrictions such as idle time, and the rules for BAP with multilink sessions.
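The remote access policy evaluation described above, as an added example (not from the original notes): a Python model in which every condition on a policy must match, policies are tried in order, the first match decides, and the matched policy's profile constraints (here the permitted authentication methods) are enforced afterwards. The policies, the connection attempts and the condition names are constructed; the real RRAS console exposes equivalent conditions under its own attribute names.

```python
"""Model of Windows 2000 remote access policy evaluation.

Added example, not part of the original study notes. The policies,
connection attempts and attribute names are constructed; the real RRAS
policy editor offers the same kinds of conditions (calling IP address,
day and time, caller ID, protocol, group membership, service type)
under its own attribute names.
"""
from datetime import datetime, time
import ipaddress

WEEKDAYS = {0, 1, 2, 3, 4}   # Monday..Friday as datetime.weekday() values

def _match_ip(cidr, attempt):
    return ipaddress.ip_address(attempt["caller_ip"]) in ipaddress.ip_network(cidr)

def _match_hours(windows, attempt):
    # windows: list of (weekday set, start, end) in the RAS server's local time
    when = attempt["when"]
    return any(when.weekday() in days and start <= when.time() < end
               for days, start, end in windows)

# One matcher per condition type; each returns True when the attempt satisfies it.
CHECKS = {
    "caller_ip": _match_ip,
    "hours": _match_hours,
    "groups": lambda groups, a: bool(set(a["groups"]) & set(groups)),
    "caller_id_prefix": lambda prefix, a: a.get("caller_id", "").startswith(prefix),
    "protocol": lambda allowed, a: a["protocol"] in allowed,
    "service_type": lambda allowed, a: a["service_type"] in allowed,
}

def conditions_match(policy, attempt):
    """All conditions on a policy must hold (logical AND)."""
    return all(CHECKS[name](value, attempt)
               for name, value in policy["conditions"].items())

def evaluate(policies, attempt):
    """Policies are tried in order and the first whose conditions all match
    decides. If it grants access, its profile constraints are enforced next:
    failing one rejects the attempt rather than falling through to the next
    policy. If no policy matches, the attempt is rejected."""
    for policy in policies:
        if not conditions_match(policy, attempt):
            continue
        if not policy["grant"]:
            return {"decision": "reject", "policy": policy["name"],
                    "reason": "policy denies access"}
        profile = policy["profile"]
        if attempt["auth"] not in profile["auth_methods"]:
            return {"decision": "reject", "policy": policy["name"],
                    "reason": f"authentication method {attempt['auth']} not permitted"}
        return {"decision": "accept", "policy": policy["name"], "profile": profile}
    return {"decision": "reject", "policy": None, "reason": "no policy matched"}

POLICIES = [  # constructed; evaluated top to bottom
    {
        "name": "Staff dial-in, business hours",
        "conditions": {
            "caller_ip": "10.20.0.0/16",
            "hours": [(WEEKDAYS, time(7, 0), time(19, 0))],
            "groups": {"DialInUsers"},
            "protocol": {"PPP"},
            "service_type": {"Framed"},
        },
        "grant": True,
        "profile": {"auth_methods": {"MS-CHAP v2", "EAP-TLS"},
                    "idle_timeout_min": 20,
                    "assign_ip": "192.168.50.10"},
    },
    {   # catch-all so that anything not explicitly allowed is denied
        "name": "Deny everyone else",
        "conditions": {"protocol": {"PPP", "SLIP"}},
        "grant": False,
        "profile": {},
    },
]

def attempt(hour=9, **overrides):
    """Constructed connection attempt; 2001-03-05 is a Monday."""
    base = {"caller_ip": "10.20.4.7", "when": datetime(2001, 3, 5, hour, 30),
            "groups": {"DialInUsers", "Domain Users"}, "protocol": "PPP",
            "service_type": "Framed", "auth": "MS-CHAP v2"}
    base.update(overrides)
    return base

if __name__ == "__main__":
    cases = [("in hours", attempt()), ("after hours", attempt(hour=22)),
             ("PAP", attempt(auth="PAP")), ("wrong range", attempt(caller_ip="172.16.0.9"))]
    for label, a in cases:
        print(f"{label:12} -> {evaluate(POLICIES, a)}")
```

The trailing catch-all policy matters: without it, an attempt that matches nothing is rejected only because nothing granted it, whereas with it the denial is explicit and visible in the log as a policy decision.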
A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can create a connection between two computers across a shared or public network that emulates a point-to-point private link. Windows 2000 supports a couple of different VPN protocols. Point-to-Point Tunneling Protocol (PPTP) creates an encrypted "tunnel" through an untrusted network and is supported by Windows 95/98/NT4/2000. Layer Two Tunneling Protocol (L2TP) works like PPTP in that it creates a "tunnel", but uses IPSec encryption in order to support non-IP protocols and authentication. The table below illustrates the features of each:

Feature                                        PPTP   L2TP
Header compression                                    X
Tunnel authentication                                 X
Built-in encryption                             X
Transmits over IP-based internetwork            X     X
Transmits over UDP, Frame Relay, X.25 or ATM          X
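As an added example (not from the original notes), the APIPA behaviour described under Network Connections in Python: it parses constructed ipconfig-style output, flags adapters holding a self-assigned 169.254.x.x address (the sign that no DHCP server answered), and applies the rule that two such hosts can only talk when their addresses and subnet masks are compatible. The sample output and the function names are the example's own.

```python
import ipaddress
import re

# Constructed ipconfig-style output for the example (not captured from a real host).
SAMPLE_IPCONFIG = """
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 169.254.17.42
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")  # range APIPA assigns from

def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from ipconfig-style text."""
    adapters, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^\w+ adapter (.+):$", line)
        if header:
            current = header.group(1)
            adapters[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        label, _, value = line.partition(":")
        adapters[current][label.replace(".", "").strip()] = value.strip()
    return adapters

def apipa_adapters(adapters):
    """Adapters holding a self-assigned 169.254.x.x address, i.e. no DHCP server answered."""
    return [name for name, cfg in adapters.items()
            if cfg.get("IP Address") and ipaddress.ip_address(cfg["IP Address"]) in APIPA_NET]

def can_reach_via_apipa(ip_a, mask_a, ip_b, mask_b):
    """True only when both hosts fall in the same APIPA subnet (compatible address and mask)."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{mask_a}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{mask_b}").network
    return net_a == net_b and net_a.subnet_of(APIPA_NET)
```

An adapter reported by apipa_adapters is the first thing to check when a client can reach its neighbours but nothing beyond the local subnet.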
Windows 98 supported Internet Connection Sharing (ICS), which is now also supported in Windows 2000. ICS allows multiple PCs to share a single connection with the aid of Network Address Translation (NAT) and is intended for small office/home office (SOHO) environments. When you enable ICS, the network adapter connected to the network is given a new static IP address configuration. Existing TCP/IP connections on the computer are lost and need to be reestablished. NAT can be configured separately from ICS and provides the following features and benefits that do not exist when ICS is used alone:

Multiple public IP addresses - NAT can use more than one range of public addresses.

Configurable address range - NAT allows manual configuration of IP addresses and subnet masks, whereas ICS uses a fixed IP address range. Any range of IP addresses can be configured using the NAT properties in Routing and Remote Access Manager. A DHCP allocator provides the mechanism for distributing IP addresses, the same way that DHCP does. NAT can also use IP addresses distributed from a DHCP server by selecting the "Automatically assign IP addresses by using DHCP" check box in the NAT properties sheet.

DNS and WINS proxy - Name resolution can be established by using either DNS or WINS. You can configure this by selecting the appropriate check boxes on the Name Resolution tab of the NAT properties sheet.

Multiple network interfaces - You can distribute NAT functionality over more than one network interface by adding the interface to NAT in the Routing and Remote Access Manager.
Remote Access
RAS has changed rather dramatically. Several new RAS protocols are now available to make our communications over dial-up lines or the Internet much more secure and more flexible. These new protocols include Extensible Authentication Protocol (EAP), Layer Two Tunneling Protocol (L2TP), Bandwidth Allocation Protocol (BAP), Internet Protocol Security (IPSec) and Remote Authentication Dial-In User Service (RADIUS).

EAP gives the ability to use Transport Level Security, another encryption methodology for usernames and passwords. L2TP enables us to create a tunnel through a public network that is authenticated on both ends, uses header compression, and relies on IPSec for encryption of the data passed through the tunnel. Bandwidth Allocation Protocol allows us to set up Multilink capabilities, but if a user isn't using the bandwidth of multiple lines, we can drop one of the lines assigned to that user and use it for another user. IPSec is essentially a driver at the IP layer that provides encryption very low down in the protocol stack. RADIUS is an RFC-based standard that allows us to provide authentication services from the corporate network to a client that is attaching to an ISP and wants access to our server. The ISP's dial-up server that hosts the client is a client of the RADIUS server service (IAS) on the corporate network. The IAS server allows the user to connect.
Security
Users

Local user accounts are managed from the Computer Management snap-in, while domain accounts are managed from the Active Directory Users and Computers snap-in. Local accounts only give access to local resources. In a domain model, if a user wishes to access network resources, they will need an account in the directory with appropriate permissions to the resources they are trying to access. There are 2 local user accounts created during installation: Administrator and Guest (disabled by default).

Groups

There are 2 types of groups in Windows 2000: Security and Distribution. It is not recommended to use local groups in a domain environment. There are several built-in local groups, as follows:

Local Group - Description
Administrators - Can manage all functions on the local system.
Backup Operators - Able to back up and restore files on the local system regardless of the permissions on the files and directories being backed up. May also grant permissions to other users to perform backup operations.
Guests - Provides limited access to system resources.
Power Users - Can create and administer user accounts and groups. Can only manage users that they created. Can install and remove applications and share resources.
Replicator - Used to replicate content between DCs.
Users - The default group that a new user is added to. Can run applications installed by administrators or power users, but not by other local users.
Local Group Policy

Group policy is managed using the Group Policy snap-in. Group Policy allows one to control specific rights for local groups and to edit administrative templates. Below are the common security templates for Windows 2000 Workstation.

Template - Description
Basic (basicwk.inf) - The default security configuration. Does not cover user rights.
Compatible (compatws.inf) - Allows compatibility with non-Windows 2000 application installations.
Highly Secure (hisecws.inf) - Limits the workstation's ability to communicate with non-Windows 2000 operating systems. Best used in native environments.
Templates only work on NTFS partitions. The Security Configuration and Analysis tool will compare the current security settings to the recommended settings in a security template.

Local Account and Lockout Policies

Allow administrators to manage users' password and lockout configurations, including password length, complexity, lockout threshold, duration, etc.

Event Viewer

Like its predecessors, Windows 2000 still uses the Event Viewer to monitor security, system and application events. Event Viewer is accessed through the Computer Management snap-in. The security log records events based on the audit policy. Auditing is disabled by default, as it can slow system performance. The following table shows the different security events that can be added to an audit policy.

Category - Description
Account Logon - Logs each logon attempt.
Logon Events - Logs network logon attempts, including interactive or service logons.
Account Management - Logs every instance of changes (management) of user accounts.
Directory Service - Logs Active Directory service events.
Policy Change - Logs changes in policies.
Process Tracking - Tracks all programs and processes initiated by a user in order to monitor their activities.
Object Access - Tracks a user's attempts to access resources in the Active Directory.
Privilege Use - Logs when a user utilizes special access privileges.
System Event - Logs configured system events such as startup/shutdown, etc.
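An added example, not part of the original notes, of the comparison the Security Configuration and Analysis tool performs: a baseline template is checked against an export of the current settings, and every deviation in the [System Access] (password policy) and [Event Audit] sections is reported using the audit category names from the table above. The key names follow the layout of a secedit .inf template; both templates here are constructed for the example, not the shipped basicwk/compatws/hisecws files.

```python
import configparser

# Keys follow the [System Access]/[Event Audit] sections of a secedit .inf; audit values 0-3 = none/success/failure/both.
AUDIT_LEVELS = {"0": "No auditing", "1": "Success", "2": "Failure", "3": "Success, Failure"}
AUDIT_CATEGORIES = {  # template key -> category name used in the audit table above
    "AuditAccountLogon": "Account Logon", "AuditLogonEvents": "Logon Events",
    "AuditAccountManage": "Account Management", "AuditDSAccess": "Directory Service",
    "AuditPolicyChange": "Policy Change", "AuditProcessTracking": "Process Tracking",
    "AuditObjectAccess": "Object Access", "AuditPrivilegeUse": "Privilege Use",
    "AuditSystemEvents": "System Event"}

# Constructed baseline template (not one of the shipped basicwk/compatws/hisecws files).
BASELINE_INF = """
[System Access]
MinimumPasswordLength = 8
[Event Audit]
AuditLogonEvents = 3
AuditAccountManage = 3
AuditPrivilegeUse = 2
"""

# Constructed export of a workstation's current settings, in the same layout.
CURRENT_INF = """
[System Access]
MinimumPasswordLength = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountManage = 1
"""

def load_inf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the template
    cp.read_string(text)
    return cp

def analyze(baseline_text, current_text):
    """Deviations from the baseline as (section, setting, expected, actual)."""
    baseline, current = load_inf(baseline_text), load_inf(current_text)
    findings = []
    for section in ("System Access", "Event Audit"):
        for key, expected in baseline.items(section):
            actual = current.get(section, key, fallback="<not set>")
            if actual == expected:
                continue
            if section == "Event Audit":  # report with the table's names and decoded levels
                key = AUDIT_CATEGORIES.get(key, key)
                expected, actual = AUDIT_LEVELS.get(expected, expected), AUDIT_LEVELS.get(actual, actual)
            findings.append((section, key, expected, actual))
    return findings
```

A category the baseline expects but the export does not list at all is reported as "<not set>", the case that matters most when auditing is still at its disabled default.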
Acronyms

Acronyms you really must know (not including the ones you already know!)

1. ACL - access control list
2. ACPI - advanced configuration and power interface
3. AD - active directory
4. APM - advanced power management
5. APIPA - automatic private internet protocol addressing
6. CA - certificate authority
7. CAL - client access license
8. DHCP - dynamic host control protocol
9. DNS - domain name system
10. EAP - extensible authentication protocol
11. EFS - encrypting file system
12. FEK - file encryption key
13. GPO - group policy object
14. GPT - group policy template
15. HCL - hardware compatibility list
16. IAS - internet authentication services
17. ICS - internet connection sharing
18. IPSec - internet protocol security
19. L2TP - layer two tunneling protocol
20. LDAP - lightweight directory access protocol
21. LPD - line printer daemon
22. MMC - microsoft management console
23. NAT - network address translation
24. NTFS - NT file system
25. ODBC - open database connectivity
26. OSI - open systems interconnection (model)
27. OU - organizational unit
28. PCMCIA - personal computer memory card interface adapter
29. PPP - point to point protocol
30. PPTP - point to point tunneling protocol
31. PXE - preboot execution environment
32. RAS - remote access service
33. RIPrep - remote installation preparation
34. RIS - remote installation services
35. RRAS - routing and remote access service
36. SAM - security accounts manager
37. SMP - symmetric multiprocessing
38. SMS - systems management server
39. Sysprep - system preparation
40. TFTP - trivial file transfer protocol
41. UDF - unique database file
42. UNC - universal naming convention
43. VPN - virtual private network
44. WDM - windows32 driver model