Microsoft Exam 70-292: Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000
This exam retired on March 31, 2008.
Main focus of the test:
· DNS
· SUS
· Disaster Recovery
· ASR
· Backups
Windows 2003 Features
· Standard Edition
· 4 GB RAM
· Up to 4 CPUs
· No cluster support
· No 64 bit support
· No support for Itanium based systems.
· Enterprise Edition
· Up to 32 GB RAM (x86) and 64 GB RAM for Itanium
· Up to 8 CPUs
· 8 node clusters
· 64 bit support
· Datacenter Edition
· Up to 64 GB RAM (x86) and 512 GB RAM for Itanium
· Minimum 8 CPUs, up to 32 CPUs (x86) and 64 CPUs for Itanium
· 8 node clusters
· 64 bit supported.
· Always pre-installed on OEM systems
· Web Edition
· Up to 2 GB RAM
· Up to 2 CPUs
· No domain controllers
· No 64 bit support
· Limited to 10 SMB connections
· CALs do not apply since it is not used as a file or print server
Installing and Upgrading To Windows 2003 Server
· If upgrading from NT, need to update to service pack 5 or later.
· Upgrading from NT 3.51 is not possible. Need to upgrade to NT 4 first.
· Before upgrading, can run the Microsoft Windows Upgrade Advisor tool from the Win2003 cd to see whether there are any software or hardware issues.
· Hardware Compatibility List (HCL) can be found online at http://www.microsoft.com/whdc/hcl/default.mspx
· To test software, run the Program Compatibility Wizard, found by typing at the Run command: hcp://system/compatctr/compatmode.htm
· If joining a Windows 2003 domain controller to a Windows 2000 domain, need to run adprep /forestprep on the DC holding the Schema Master role and adprep /domainprep on the DC holding the Infrastructure Master role to prepare the Windows 2000 domain for 2003.
Recursive - the server resolves the name on behalf of the client.
Iterative - the DNS server gives the client a referral to other DNS servers that might be able to answer.
· 4 types of DNS servers
· primary
· secondary
· AD integrated
· Caching only
· 3 Types of Zones
· Primary
· Secondary
· Stub
· One primary server is designated for each zone and is authoritative for that zone.
· Secondary servers are authoritative.
· Creating your first zone installs a primary server
· Primary server hosts the DNS database and is in contact with the secondary servers
· The refresh interval is the time at which the secondary servers query the primary server. Does not affect AD Integrated.
· If the primary server has a higher serial number than the secondary servers, the secondary servers will pull a copy of the changes to the read only database.
· Default install of DNS will be AD Integrated with Secure Only for dynamic updates.
· Secure updates only supported by AD integrated.
· Unix DNS servers using BIND 4.9.2 or later will support secure dynamic updates
· Win98 and NT will not support dynamic updates but will need to have DHCP do it for them.
· Win2000 Server and 2003 support incremental zone transfers; NT does not (full transfers only).
· Active Directory Integrated Zones are always primary zones because they contain writable copies of the zone database. All Active Directory Integrated DNS servers are primary servers, since the zone data is part of AD and is kept in sync by AD replication.
· Active Directory Integrated Zones do not use zone transfers, so they do not require DNS notifications to be sent.
· Secure dynamic updates are only available with Active Directory Integrated Zones.
· To increase fault tolerance of an AD domain install a second AD integrated server.
· If there are A records for more than one IP address for one host name, the resolver (located on the client computer) will order the records based on the closest.
· Ways to install DNS:
· During install of Server 2003
· Add\Remove Windows Components in Control Panel
· During DCPromo.
· Configure Your Server Wizard in Administrative Tools
· Manage Your Server Wizard in Administrative Tools
· Primary servers with the Notify button (Zone Transfers tab in the properties of the zone) enabled will update secondary servers immediately when there is a change; otherwise the secondary servers will poll the primary at each Refresh Interval found on the Start of Authority (SOA) tab.
· You cannot force a zone transfer from the primary server; it is initiated from the secondary.
· If the primary goes down, the secondary’s DNS records are good for a day.
· The cache.dns file is also referred to as the root hints file.
· If installing a DNS server in an environment where there are no other DNS servers and no internet, the system will automatically designate the DNS server as the root server. Once you have access to the internet, you should delete the “.” (dot) zone and enable forwarders to the ISP.
· A root server is the ultimate authority for all name resolution.
· A server configured as a root server cannot be configured for root hints or forwarders because it IS the ultimate authority for name resolution.
· If you are hosting your own root hint server, this file should be deleted and the Root Hints tab in the server properties is unavailable.
· In order to use NSLOOKUP there has to be a reverse lookup zone.
· DNS administration can be accomplished thru the command line using dnscmd.
· WINS- data from a WINS server gets stored in the DNS cache on a DNS server.
· IPCONFIG /flushdns command run from a DNS server will not remove the DNS cache. Only works for DNS clients. Use the “clear cache” from the DNS server context menu.
· Stopping and starting the DNS server will also clear the cache.
· 3 ways to clear the DNS servers cache
· restart DNS server service
· Right click on server and select “Clear Cache”
· Command line: dnscmd /clearcache
· Can only view the cache thru the DNS console by selecting Advanced under View. This will create a folder called “ Cached Lookups” under the server.
· Reloading a zone will reload the data stored in the zone file into the cache BUT the cache is not cleared.
· Zone transfers in Active Directory Integrated Zones are replicated with AD.
· Can use replmon.exe to force an Active Directory Integrated Zone replication.
· A DHCP reservation will register the IP address and name with a DNS server dynamically, which means it will be assigned a non-zero TTL timestamp.
· DNS (A) records that are created statically rather than registered dynamically are assigned a zero TTL timestamp, therefore they never get scavenged.
· NS record- advertises the server name that is authoritative for a domain. Example: server1 domain.com
· A glue record (A record) is needed to accompany an NS record to state its IP address. Example: server1 192.168.1.1
· CNAME records are an alias for the same server and they involve one computer. Cannot be used with Round Robin.
· Service Location (SRV) resource record- DNS uses this record to identify domain controllers. Computers look for this record to find a DC. The port of the service can be defined.
· DNS debugging can only be enabled on the server, not on the scope. It is resource intensive, so it is disabled by default.
· Dynamic DNS update triggers
· When a computer is turned on
· IP address lease changes or renews
· IP address is changed or modified in the TCP/IP properties of the client.
· Member server promoted to domain controller
· IPCONFIG /registerdns
· Delegation- Delegating Zones- refers to assigning authority over portions of your DNS namespace to sub domains within the namespace.
§ the parent domain must have A (glue record) and NS (delegation record) records pointing to the authoritative server of the newly delegated domain.
§ Delegations take precedence over forwarding
§ Right click the parent zone and select the New Delegation Wizard
§ Need to enter the sub-domain and the name of at least one name server that will be authoritative.
· Conditional Forwarding- handles name resolution only for a specific domain
· Has to be entered manually in the DNS server’s forwarders tab.
· Could slow name resolution if there are too many entries
· When to use conditional forwarding-
· Suitable for fixed DNS infrastructure
· More simple to setup than Stub zones
· Stub Zones- contains the SOA record, NS records, and A (glue) records of the name servers authoritative for the specified zone.
· automatically updates current DNS servers for that zone,
· read-only
· does not provide redundancy like Secondary zones
· similar to secondary zones, but contains only those three records (a secondary is a copy of the primary and contains all records)
· When to use stub zones-
· In a DNS infrastructure that is changing or could change.
· Efficient over slow WAN links
· A little more complex than conditional forwarders
· Caching only server-
· does not contain zone info or a zone database
· contains info based on the results of queries that it has already performed.
· Learns from forwarders that are set up on the cache server’s properties.
· Not authoritative.
· The cache takes the place of the zone database
· Can be setup quickly
· Uses the cache.dns (root hints) file to begin
· Adds to the cache as it issues iterative queries when responding to client requests.
· Advantages:
· They do not participate in zone transfers so no transfer traffic.
· They can be placed on the far side of a slow WAN link at a satellite office and provide host name resolution for remote offices that do not require a high level of host name resolution support.
· Well suited for branch offices where setting up a new domain or subnet is not feasible.
· They can provide secure host name resolution when configured as forwarders
· Does not require any administration
· Cannot be rebooted because the cache will be lost.
· The cache must be built over time, so there will be an increase in traffic at first.
· TTL tells the cache only server how long to hold the record
· DNS Zone Properties
· General tab
· Status of DNS server
· Type of zone (AD integrated, Primary, etc)
· Dynamic updates security (Secure Only, Nonsecure and secure, None)
· Scavenging
· SOA tab-
· Refresh interval- default is 15 minutes, determines the interval at which the secondary server checks the primary server for accuracy. If the data is out of date, the secondary server will poll for updates to the zone file. The setting applies to the server where the setting is located.
· Retry interval- default is 10 minutes, time to retry the zone transfer; used when the refresh check is unsuccessful
· Expires after- how long the zone data on a secondary server stays valid while the primary cannot be contacted; after this the secondary’s records have expired
· TTL- determines when a record in a zone file expires.
· Name Servers tab- fully qualified domain name (FQDN) of the name server with options to edit, remove and add.
· WINS tab- to enable WINS forward lookup servers for down level clients
· Zone Transfers tab- you can set up a secondary server to which the primary will send updates whenever they are available. The Notify button is used for this purpose.
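As an added illustration (not from these notes or from Microsoft), the following Python model shows how the SOA timers and the zone serial number described above drive a secondary server: it polls the primary every refresh interval, falls back to the retry interval when the primary cannot be reached, pulls a transfer only when the primary's serial is higher, acts immediately on a NOTIFY, and stops being authoritative once the expire interval has passed without contact. The class names, the one-day expire value and the simulation clock are assumptions made for the example.

```python
"""Model of how a secondary DNS server applies the SOA refresh/retry/expire
timers and the zone serial number.  Constructed example for these notes, not
Windows DNS code; class names and the 24-hour expire default are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PrimaryZone:
    serial: int
    reachable: bool = True

    def soa_serial(self) -> Optional[int]:
        # A secondary's refresh check is just an SOA query; None models "no answer".
        return self.serial if self.reachable else None


@dataclass
class SecondaryZone:
    serial: int
    refresh: int = 15 * 60          # default refresh interval from the notes (15 min)
    retry: int = 10 * 60            # default retry interval from the notes (10 min)
    expire: int = 24 * 60 * 60      # "records are good for a day" (assumed 1 day = expire)
    last_good_contact: int = 0      # time of the last successful SOA check / transfer
    transfers: int = 0
    next_check: int = field(init=False)

    def __post_init__(self) -> None:
        self.next_check = self.last_good_contact + self.refresh

    def authoritative(self, now: int) -> bool:
        """The read-only copy stops being served once expire has passed without contact."""
        return now - self.last_good_contact <= self.expire

    def poll(self, now: int, primary: PrimaryZone) -> str:
        """Run the refresh check if it is due; return what happened."""
        if now < self.next_check:
            return "waiting"
        master_serial = primary.soa_serial()
        if master_serial is None:
            # Refresh failed: come back after the (shorter) retry interval.
            self.next_check = now + self.retry
            return "retry"
        self.last_good_contact = now
        self.next_check = now + self.refresh
        if master_serial > self.serial:
            # Higher serial on the primary => pull the changes into our read-only copy.
            self.serial = master_serial
            self.transfers += 1
            return "transferred"
        return "in-sync"

    def notify(self, now: int, primary: PrimaryZone) -> str:
        """DNS NOTIFY from the primary: check now instead of waiting for the refresh timer."""
        self.next_check = now
        return self.poll(now, primary)


def simulate(primary: PrimaryZone, secondary: SecondaryZone,
             duration: int, step: int = 60) -> List[Tuple[int, str]]:
    """Advance a clock in `step`-second ticks and record every non-idle poll result."""
    events = []
    for now in range(0, duration + 1, step):
        result = secondary.poll(now, primary)
        if result != "waiting":
            events.append((now, result))
    return events


if __name__ == "__main__":
    # Primary bumped its serial; the secondary notices at the first refresh (15 min).
    print(simulate(PrimaryZone(serial=2), SecondaryZone(serial=1), 16 * 60))
    # Primary down: retries every 10 min, and after a day the copy is no longer authoritative.
    down = SecondaryZone(serial=5)
    simulate(PrimaryZone(serial=5, reachable=False), down, 2 * 24 * 60 * 60)
    print(down.authoritative(24 * 60 * 60), down.authoritative(24 * 60 * 60 + 60))
```

The serial comparison is what makes "the secondary pulls a copy of the changes only when the primary has a higher serial" concrete, and the retry branch shows why a short retry interval matters when a refresh check fails.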
· DNS Server Properties:
· Advanced tab-
· Disable recursion- disabled by default, breaks the regular server-client interaction by forcing the client to do its own iterative queries. Enabling it disables forwarding.
· BIND secondaries- enabled by default, disables “fast transfer format” and must be enabled for DNS servers running BIND 4.9.2 or earlier to perform zone transfers with 2000/2003 servers.
· Fail on load if bad zone data- disabled by default. As a result, the DNS server will load any zone even though it knows there is an error.
· Enable round robin- balances server load by re-ordering the address list for each subsequent request. Example: server1 is mapped to 3 IP addresses; the first client would get the first address, the second would get the second address and so on. This would also work for a website scenario where you have one server overloaded with hits and you want to add a couple more to reduce the load on the one. Add 2 or 3 servers with different IP addresses but give their A records the same WWW name. CNAME cannot be used with Round Robin.
· Enable netmask ordering- also called “LocalNetPriority”. Orders the list of IP addresses for records with multiple addresses based on how they match the address of the requesting client. Example: server1 is mapped to three different IP addresses; the client would be directed to the one closest to his subnet. This setting takes precedence over round robin.
· Secure cache against pollution- when disabled, the A record of the website along with the NS record are cached. When enabled the A record is not cached and the DNS server must initiate a cache update query to resolve the address of anything outside the domain.
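To make the two ordering options concrete, here is an added Python model (constructed for this page, not Windows DNS code) of how round robin and netmask ordering interact: round robin rotates the answer list one position per query, and netmask ordering then moves the addresses on the client's subnet to the front, which is why the notes say it takes precedence. The /24 mask used for the "same subnet" test and the class and method names are assumptions for the example.

```python
"""Model of the Windows DNS answer-ordering options from the notes: netmask
ordering (LocalNetPriority) and round robin.  Constructed example, not Windows
DNS code; the /24 subnet test and the class name are assumptions."""
import ipaddress
from itertools import count
from typing import List


class ARecordSet:
    """All A records for one name (e.g. three web servers sharing the WWW name)."""

    def __init__(self, name: str, addresses: List[str],
                 netmask_ordering: bool = True, round_robin: bool = True,
                 prefix_len: int = 24) -> None:
        self.name = name
        self.addresses = [ipaddress.IPv4Address(a) for a in addresses]
        self.netmask_ordering = netmask_ordering
        self.round_robin = round_robin
        self.prefix_len = prefix_len      # assumed mask for "same subnet as the client"
        self._queries = count()            # one rotation step per answered query

    def _on_client_subnet(self, addr: ipaddress.IPv4Address,
                          client: ipaddress.IPv4Address) -> bool:
        net = ipaddress.IPv4Network((client, self.prefix_len), strict=False)
        return addr in net

    def answer(self, client_ip: str) -> List[str]:
        """Return the address list in the order this client would receive it."""
        client = ipaddress.IPv4Address(client_ip)
        addrs = list(self.addresses)
        n = next(self._queries)
        if self.round_robin and addrs:
            # Round robin: each successive request starts one position further down.
            k = n % len(addrs)
            addrs = addrs[k:] + addrs[:k]
        if self.netmask_ordering:
            # Netmask ordering takes precedence: addresses on the client's subnet move to
            # the front; the sort is stable, so round-robin order survives within each group.
            addrs.sort(key=lambda a: not self._on_client_subnet(a, client))
        return [str(a) for a in addrs]


if __name__ == "__main__":
    www = ARecordSet("www", ["10.1.1.10", "10.1.2.10", "10.1.3.10"])
    for _ in range(3):
        # A client on 10.1.2.0/24 always sees 10.1.2.10 first; the rest rotate.
        print(www.answer("10.1.2.55"))
```

Run it with a client address that is not on any of the record subnets to see pure round robin; the same set answered from a client on one of those subnets shows the local address pinned to the top while the remaining addresses keep rotating.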
· DNS Server Properties (right click on dns server)
· Create Default Application Directory Partitions- partitioning in Active Directory is used to differentiate data for different replication purposes
· Set Scavenging- configure refresh intervals for resource records
· Scavenge Stale Resource Records- use this option to manually remove old, outdated resource records.
· Update Server Data Files- writes all zone file changes in AD
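Added example, not from these notes: a small Python model of aging and scavenging that ties together the timestamp behaviour described earlier (dynamically registered records carry a timestamp, records with a zero timestamp are never scavenged) with the Set Scavenging and Scavenge Stale Resource Records options. The no-refresh and refresh intervals, their 7-day defaults and the class names are assumptions for the example; the zero-timestamp rule is the one the notes state.

```python
"""Model of DNS aging and scavenging as described in the notes.  Constructed
example, not Windows DNS code: the no-refresh/refresh intervals and their 7-day
defaults are assumptions; the zero-timestamp rule is the one the notes state."""
from dataclasses import dataclass
from typing import List

DAY = 24 * 60 * 60


@dataclass
class ResourceRecord:
    name: str
    rtype: str
    data: str
    timestamp: int = 0      # 0 = statically created, never scavenged


class AgingZone:
    def __init__(self, no_refresh: int = 7 * DAY, refresh: int = 7 * DAY) -> None:
        self.no_refresh = no_refresh    # window in which re-registrations do not move the stamp
        self.refresh = refresh          # after no_refresh, how long a refresh may still arrive
        self.records: List[ResourceRecord] = []

    def add_static(self, name: str, rtype: str, data: str) -> ResourceRecord:
        """An admin-created record gets timestamp 0 and is exempt from scavenging."""
        r = ResourceRecord(name, rtype, data, timestamp=0)
        self.records.append(r)
        return r

    def dynamic_update(self, name: str, rtype: str, data: str, now: int) -> ResourceRecord:
        """A client (or DHCP on its behalf) registering a record stamps it with `now`
        (a positive clock value; 0 is reserved for static records).  A repeat registration
        with unchanged data inside the no-refresh window leaves the stamp alone; changed
        data or a refresh after that window moves the stamp.  Static records stay static."""
        for r in self.records:
            if (r.name, r.rtype) == (name, rtype):
                if r.timestamp != 0 and (r.data != data or now - r.timestamp >= self.no_refresh):
                    r.timestamp = now
                r.data = data
                return r
        r = ResourceRecord(name, rtype, data, timestamp=now)
        self.records.append(r)
        return r

    def is_stale(self, r: ResourceRecord, now: int) -> bool:
        """Stale = dynamic, and not refreshed within no_refresh + refresh of its stamp."""
        return r.timestamp != 0 and now > r.timestamp + self.no_refresh + self.refresh

    def scavenge(self, now: int) -> List[str]:
        """What 'Scavenge Stale Resource Records' does: drop stale records, report their names."""
        removed = [r.name for r in self.records if self.is_stale(r, now)]
        self.records = [r for r in self.records if not self.is_stale(r, now)]
        return removed


if __name__ == "__main__":
    T0 = 100 * DAY
    zone = AgingZone()
    zone.add_static("dc1", "A", "10.0.0.1")                 # never scavenged
    zone.dynamic_update("pc1", "A", "10.0.0.50", T0)        # registered once, then silent
    zone.dynamic_update("pc2", "A", "10.0.0.51", T0)
    zone.dynamic_update("pc2", "A", "10.0.0.51", T0 + 10 * DAY)   # refreshed after no-refresh
    print(zone.scavenge(T0 + 15 * DAY))                     # ['pc1']
    print([r.name for r in zone.records])                   # ['dc1', 'pc2']
```

Running the sample shows the practical point behind the notes: a record a DHCP client stopped renewing disappears after the two intervals have elapsed, while the manually created record keeps its zero timestamp and survives every scavenge pass.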
· Satellite office and name resolution questions- 2 offices connected by a WAN connection
· A primary zone server at one location and a secondary zone at the other will increase traffic substantially because of zone transfers.
· Not placing any DNS server at the satellite office will be a problem if the WAN connection goes down.
· 2 separate DNS servers (?)- traffic increase due to replication and zone transfers
· A caching only server is recommended
· A stub zone will minimize traffic and is good for changing environments.
· Conditional forwarding will minimize traffic but requires a static environment.
Groups
Group Scopes
Universal-
· Used for assigning permissions throughout the entire forest.
· Can only be used when the domain functional level is set to Windows 2000 native or 2003.
· Replicated to every global catalog in the entire forest.
· Can be changed to a domain local group at any time.
· Can be changed to a global group only if it does not have other universal groups as its members.
· Can contain:
· Users
· Global groups
· Other universal groups
· But NOT Domain local
· Mnemonic: GUU
Global-
· In Mixed Mode- can ONLY add user accounts from the same domain
· In Native and 2003 Mode- contain user accounts and other Global groups ONLY from the same domain in which the global group is located.
· Can be assigned permissions to resources in any domain in the forest.
· Cannot contain universal or domain local groups.
· Mnemonic: GU
Domain Local-
· can contain:
· user accounts,
· universal groups,
· global groups from any domain.
· Other domain local groups within the domain
· Mnemonic: GUUD
· Can only be assigned permissions to resources in their own domain.
· Can be changed to a universal group only if it does not have any other domain local groups as members
To get a full list of the groups that a user is a member of, use the command:
dsget user UserDN -memberof -expand
The -expand option shows the nested groups.
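As an added example (constructed for this page, not Microsoft code), the Python below encodes the nesting rules listed under Universal, Global and Domain Local, the scope-conversion rules stated above, and the nested-membership expansion that dsget user -memberof -expand reports, so the recommended pattern (accounts in global groups, global groups in domain local groups that hold the permissions) can be checked programmatically. The class, function and sample domain names are invented for the example.

```python
"""Encodes the AD group nesting and scope-conversion rules summarised in these
notes (Windows 2000 native / 2003 functional level) and expands nested
membership the way dsget user -memberof -expand reports it.  Constructed
example, not Microsoft code; names and sample domains are invented."""
from dataclasses import dataclass, field
from typing import List

USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "user", "global", "universal", "domain local"


@dataclass
class Principal:
    name: str
    kind: str                       # USER, GLOBAL, UNIVERSAL or DOMAIN_LOCAL
    domain: str
    members: List["Principal"] = field(default_factory=list)


def can_contain(group: Principal, member: Principal) -> bool:
    """Nesting rules from the notes (GUU / GU / GUUD)."""
    same_domain = group.domain == member.domain
    if group.kind == UNIVERSAL:
        # users, global groups, other universal groups (any domain); never domain local
        return member.kind in (USER, GLOBAL, UNIVERSAL)
    if group.kind == GLOBAL:
        # users and other global groups, only from the global group's own domain
        return member.kind in (USER, GLOBAL) and same_domain
    if group.kind == DOMAIN_LOCAL:
        # users, universal and global groups from any domain; domain local only from own domain
        return member.kind in (USER, GLOBAL, UNIVERSAL) or (
            member.kind == DOMAIN_LOCAL and same_domain)
    raise ValueError(f"{group.name!r} is not a group scope: {group.kind}")


def add_member(group: Principal, member: Principal) -> None:
    if not can_contain(group, member):
        raise ValueError(f"{group.kind} group {group.name} cannot contain "
                         f"{member.kind} {member.name} from {member.domain}")
    group.members.append(member)


def can_convert(group: Principal, new_scope: str) -> bool:
    """Scope conversions the notes describe; anything else is reported as not covered."""
    member_kinds = {m.kind for m in group.members}
    if group.kind == UNIVERSAL and new_scope == DOMAIN_LOCAL:
        return True                                   # allowed any time
    if group.kind == UNIVERSAL and new_scope == GLOBAL:
        return UNIVERSAL not in member_kinds          # no universal members
    if group.kind == DOMAIN_LOCAL and new_scope == UNIVERSAL:
        return DOMAIN_LOCAL not in member_kinds       # no domain local members
    raise ValueError(f"conversion {group.kind} -> {new_scope} not covered by these notes")


def member_of(principal: Principal, all_groups: List[Principal]) -> List[str]:
    """Every group the principal is in, directly or through nesting (dsget -memberof -expand)."""
    seen = set()

    def walk(p: Principal) -> None:
        for g in all_groups:
            if any(m is p for m in g.members) and g.name not in seen:
                seen.add(g.name)
                walk(g)

    walk(principal)
    return sorted(seen)


if __name__ == "__main__":
    # accounts -> global group -> universal group -> domain local group that holds permissions
    alice = Principal("alice", USER, "sales.corp.local")
    g_sales = Principal("G-Sales", GLOBAL, "sales.corp.local")
    u_sales = Principal("U-AllSales", UNIVERSAL, "corp.local")
    dl_share = Principal("DL-SalesShare-RW", DOMAIN_LOCAL, "corp.local")
    add_member(g_sales, alice)
    add_member(u_sales, g_sales)
    add_member(dl_share, u_sales)
    print(member_of(alice, [g_sales, u_sales, dl_share]))
```

The expanded list is what you would compare against the output of dsget user -memberof -expand when auditing who ends up with access through a domain local group, since permissions granted to the domain local group reach every user found by that expansion.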
Group Types-
Security- has a SID associated
Distribution- no SID, just for email.
Can change the group type in Windows 2000 native and 2003, but you have to be a member of Account Operators, Enterprise Administrators, or Domain Administrators, or have delegated authority.
Common practice is not to add user accounts to domain local groups but to global groups, and to add the global groups as members of domain local groups.
Avoid assigning permissions directly to global groups; assign them to domain local groups, then add the global group to the domain local group.
Group scope conversions can only occur at the Windows 2000 native and 2003 domain functional levels.
Universal groups can be converted to domain local any time without restrictions.
Know the difference between group scopes and group types.
Know the difference between permissions and rights:
Permissions grant access to files and folders.
Rights grant abilities thru AD such as logging onto a computer.
Know the difference between daily and normal, incremental and differential backup types.
· local administrator
· backup operator
· Owners of files
· A user with the “Backup Files and Directories” right
· Creator
· Owner
· Backup operator
· Admin
· Users with the Backup Files and Directories right are allowed to read, write and access the tape.
· First do a non-authoritative restore in Directory Services Restore Mode
· Second: use NTDSUTIL at a command prompt.
o Can use NTDSUTIL to mark just an OU for an authoritative restore.
· Must be started in Directory Services Restore Mode
· Boot and system files
· Boot.ini
· NTLDR
· NTDetect.com
· Registry
· COM+ class registration database files
· System files under Windows File Protection
· Sysvol directory (domain controller)
· Active Directory- contains the integrated DNS zone data if DNS is running. NTDS.dit located in c:\winnt\ntds
· Certificate Services database (if installed)
· Cluster service information (if within a cluster)
· IIS metabase (if installed)
· When you restore a system state to an alternate location only the following files get copied:
· system boot files
· registry files
· sysvol directory
· cluster info
· The following files are NOT restored:
· Active Directory- NTDS.dit
· Certificate Services database
· COM+ class registration database
· Restoring a member server can be done with the Backup Utility in normal mode.
· Restoring a Domain Controller
· Need to boot up into Directory Services Restore Mode with the recovery password that you created during DCPROMO- press F8 upon reboot.
· Directory Services Restore Mode (DSRM)-
· Takes the domain controller offline so it is not functioning as a domain controller. Press F8 at boot to enter it.
· Can restore system state from here.
· 3 kinds of restores
· Non-authoritative (normal)- after the restore, reboot the server and let it replicate and update AD and Sysvol from other DCs
· Authoritative- will cause other DCs to replicate from the restored server
· First perform a non-authoritative restore, but do not restart the server.
· Open a command prompt and use ntdsutil to mark the database as authoritative
· Primary Restore- used when all the DCs, or the only DC, in a domain have failed
· Must be restored in DSRM.
Microsoft Windows XP - ASR (Automated System Recovery)
· Replaces the ERD of Windows NT and 2000
· Requires a floppy drive on the server to be recovered
· Restores a failed and/or non-bootable server to its former state.
· Restores the operating system and all applications and settings
· The F2 key initiates the ASR process after the server boots from the 2003 Server cd. Then the prompt for the floppy should appear.
· Backs up:
· System state data
· System services
· Operating system components
· Needs:
· ASR floppy that contains: info about the disk configuration, disk signatures, volumes and partitions so it can start the computer.
· ASR backup set consisting of critical system files and registry
· Windows 2003 cd to boot from
· Manufacturer’s driver disk for the mass storage controller (press F6 when prompted). Can be included on the ASR floppy
· ASR will not back up data files. Those should get backed up separately.
· Uses shadow copy
· ASR floppy contains 2 files: Asr.sif and Asrpnp.sif
· What if you do not have a floppy disk drive?
· Copy asr.sif and asrpnp.sif, found in %systemroot%\repair after the ASR process is finished, to a network share on another server (one that has a floppy drive) and create the floppy there, BUT the ASR process requires a floppy drive on the server to be restored.
· The hard drives are formatted during this process.
· The ASR process requires that you boot from the Win 2003 disk
· Should be the last resort.
· Recover with Automated System Recovery: http://hacks.oreilly.com/pub/h/1196
· Recovery Console
· Used to run diagnostics, disable drivers and services, and replace files
· Can be started by booting up from the Win 2003 cd and pressing R to choose the repair and recover option, when prompted.
· Can be installed beforehand by inserting the Win 2003 cd in regular mode and typing at the command line: cddrive:\i386\winnt32 /cmdcons
· There is no uninstall for this. Have to manually delete the Cmdcons folder and the entry in the boot.ini file
· By default, can only view files in the %windir% and Cmdcons folders, but this can be disabled by:
· Enabling the policy “Recovery Console: Allow Floppy copy and access to all drives and all folders” within the local GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
· Using the Set AllowAllPaths = True command (include a space before and after the equals sign)
· By default you can only copy files to the local hard disk, not from it, but the limitation can be disabled by:
· Enabling the “Recovery Console: Allow Floppy copy and access to all drives and all folders” policy
· Typing the command in the Recovery Console: Set AllowRemovableMedia = True (include spaces before and after the equals sign)
· By default, cannot use wildcards, but this can be disabled by:
· Enabling the “Recovery Console: Allow Floppy copy and access to all drives and all folders” policy
· Typing the command in the Recovery Console: Set AllowWildCards = True (include spaces before and after the equals sign)
· By default, the administrator password must be supplied, but this can be skipped by enabling the policy located under Local Policies\Security Options: Recovery Console: Allow Automatic Administrative Logon
Volume Shadow Copy Service- VSS
· Allows the backing up of databases and files that are open or locked
Shadow Copies of Shared Folders
· Applications can continue to write data during backup- uses VSS
· Only supported on NTFS volumes
· Open files are no longer omitted during backup
· Backups can be performed at any time without locking out files and users
· Users can view, copy and restore their own previous file versions.
· Only copies files that were changed since the last shadow copy. A file that has changed many times between copies will not have all of those changes saved.
· When the storage limit is reached Shadow Copies will start deleting shadow copy backups, beginning with the oldest.
· Built into Windows 2003 Server. Win 98, Win NT, Win2k Pro and Server, and XP have to install the Shadow Copies of Shared Folders client. Can be downloaded.
· On a Windows 2003 Server the client files can be found here: X:\WINDOWS\system32\clients\twclient\x86
· Users can restore files without the help of an admin.
· Copies ALL shared folders. Specific shares cannot be selected.
· The whole volume needs to be enabled and NOT individual folders
· Default settings for Shadow Copy\Volume (go to My Computer, the properties of the drive, and the Shadow Copies tab)
· The storage area for the shadow copies is located on the same volume
· The minimum assigned disk space is always 100 MB; the max. limit is set to 10% of the disk size by default.
· The schedule to create a shadow copy is twice a day, Monday thru Friday at
· When a file is restored the shadow copy is deleted. If you do not want the shadow copy deleted and the original replaced, use the Copy button.
· If you want to move the shadow copy storage to another volume (enhances performance, not redundancy), no shadow copies must be present or the data will be lost during the move. Shadow copies must be disabled first, before you can direct storage to another volume. When shadow copies are enabled again, the earlier data will have been deleted.
· The Previous Versions tab will not show up if there are no previous versions stored on the server.
· Cannot see the Previous Versions tab if the files are stored on the local drive.
· You can Copy or Restore a file in the Previous Versions tab.
· Security settings of the previous version are not restored. In a copy or restore, if the original file is not there, the previous version file will inherit the permissions from the parent. If the original file is there and you are doing a restore, the previous version will use the permissions of the original.
· If the file has been deleted, then you will not be able to access the Previous Versions tab of that file, so you need to go to the parent folder.
· Shadow copies are stored in the System Volume Information folder on drive C by default.
Backup Permissions
· SUS has 2 components
· Software Update Services Server- server side
· Client Automatic Updates- client side
· WSUS (version 2.0) is the updated version of SUS (with SP1).
· To apply service packs you need to apply the SUS service pack 1 to the SUS server version 1. Service pack 1 applied to SUS 1 also allow SUS to be run on a Domain Controller.
· The command WMIC.exe QFE will list all updates installed on the computer
· SUS can be installed on a Windows 2000 Server SP2 or later and Server 2003.
· Updates are for Windows 2000, Windows 2003, or XP
· SUS can be applied via Automatic Updates, which is supported but not included for:
· Windows 2000 server SP2 or later
· Windows Server 2003
· Windows 2000 Pro SP2 or later
· XP Pro and Home
· Automatic Update software is included with Windows 2000 SP3, XP SP1, and Server 2003.
· Minimum requirements for an SUS server:
· Pentium II 700mhz processor
· 512 MB RAM
· 6 GB free space
· IE 5.5 or higher
· IIS installed
· Default storage location: c:\SUS\WSUSContent
· By default the All Languages option is enabled during setup and will download 600 MB of updates
· SUS installs and applies the IIS Lockdown tool on Windows 2000 SP2 Server and earlier.
· You must be a local admin on the SUS server to install and view the Admin web page
· Policies can be configured using Windows NT 4 System Policy or by a registry entry.
· Group Policy can be set up for Windows 2000 and 2003
· The “Configure Automatic Updates” computer policy must be enabled. Within it, choose the type of download (Notify or auto-download) and install (schedule or notify). If disabled, the client options will be disabled in Control Panel.
· The “Specify Intranet Microsoft Update Service Location” computer policy needs to be enabled and the URL to the SUS server entered as: http://server
· IIS is not installed on 2003 Server by default so need to install the minimum:
· World Wide Web Service-used to interface with the clients
· Common Files for IIS
· Internet Information Services Manager
· Backing up an SUS server thru NT backup:
· The Storage folder- SUS Content directory needs to be backed up (C:\SUS\Content)
· Backup the IIS Metabase(thru IIS backup/restore) and the file it creates: C:\windows\system32\inetsrv\metaback
· C:\inetpub\wwwroot( the site that contains the SUSAdmin and AutoUpdate virtual directories)
· Restore an SUS server:
· Disconnect the server from the network, perform a clean install and give it the same name
· Make sure IIS is installed the same way.
· Apply all service packs and updates as previously installed
· Install SUS in the same directory
· Restore all files from above
· Log files:
· history-sync.xml (the synchronization log)
· history_approve.xml (the approval log).
Restricted Groups
· Affects computer accounts only, not user accounts.
· When members are added thru Restricted Groups it will overwrite the existing membership of the group.
· If the restricted group were left blank then the group would have no members once the GPO was applied to the computer.
· Used to control membership of the local Administrators group account on a server or computer.
· It can also be used to automatically remove any local user accounts that should not be in the local Administrators group.
SAMID- security accounts manager identifier- is used for client computers that were released prior to the availability of AD such as NT and Win98.
UPN- user principal name such as jim@domain7.local
GPOs (local, Domain, OU) are cumulative
GPOs are processed from top to bottom with the Default Domain Policy first. Any GPOs after it override unless the No Override option is selected
Runas command tool-
MMC Snap-Ins
Remote Desktop for Administration
· Allows two concurrent connections whereas XP only allows one.
· Remote Desktop Connection(RDC-mstsc.exe) is the client side software used for the connection to the server.
· Only administrators are granted access to DC’s thru Remote Desktop
· The 32-bit Remote Desktop Connection client software is located in %systemroot%\system32\clients\Tsclient\Win32 of the Terminal Server
· Also available thru a web browser. This feature cannot be installed on a DC.
· The “Allow Logon Through Terminal Services” in the Default Domain Controllers Policy must be granted to the Remote Desktop Users group or user for access to a DC.
· The Remote Desktop Users group by default has the “Allow Logon Through Terminal Services” for access to non-DC servers.
· Remote Desktop for Administration took the place of Terminal Services in Administration mode in Server 2003.
· Depends on the Terminal Services service
· Installed already on Windows 2003 Server, but needs to be enabled in Control Panel\System Properties\Remote tab
· Any user added to the Remote tab will be added to the Remote Desktop Users group
· These users are given the “Allow log on through Terminal Services” right on the local computer.
· If they are added as Remote Desktop users they will not be able to log in
· In Windows 2000 users needed the “Log on locally” right to log on remotely to a Terminal Server.
· The message “The local policy of this system does not permit you to logon interactively” when trying to connect to a server using RDC probably indicates that you are not a member of the Remote Desktop Users group
· The message “The client could not connect to the remote computer. Remote connections might not be enabled……” refers to the check box in Control Panel\System\Remote tab to enable Remote Desktop.
· When a user tries to connect to a server or computer remotely the following conditions must all be met and checked in this order:
· The box “Allow Users to connect remotely to this computer” is checked in the Remote tab
· The user is assigned the “Allow log on through Terminal Services “ user right on the computer within the Local Policy.
· The “Allow logon to terminal server” option is enabled on the Terminal Services Profile tab of the user account.
· The user is a member of either the Remote Desktop Users or Administrators local group on the computer.
Remote Assistance- know in more detail, such as the GPO relationship and who initiates.
· Allows a user to request help from a remote user over the internet.
· Shares the desktop.
· Depends on the Terminal Services service
· Disabled by default on Windows 2003 servers
· Remote assistance uses port 3389
· Invitation can be sent via
· Email-
· File- saved to a floppy disk
· Messenger
Terminal Server (formerly called Terminal Services Application Server mode of Win 2000 Server)
· Used for application sharing
· Can be used for a period of 120 days without purchasing licenses
· After the 120 days requires a client license for each connected client.
· To issue licenses the Terminal Server Licensing server needs to be installed and activated through the Microsoft Clearinghouse by using the Terminal Server License Server Activation Wizard.
· By default a terminal service license server is installed as an Enterprise License server, but you should configure as a Domain License server if you want to keep each domain separately or you have NT 4 domains.
· It is not recommended that the Terminal server and license server be on the same server. Should be separate. The terminal server periodically polls the network for a license server.
· When TS is installed you must choose security
· Full-default-denies applications on the server access to the registry and system files. Can be changed to Relaxed in the TS Sever Configuration Tool if a program will not run. But applications that were installed previously need to be reinstalled.
· Relaxed- allows access to the registry and system files and may be required for older applications
· Remote Desktop Users group must have at least User Access permissions to the connection of the server which can be modified in Terminal Services Configuration tool.
· You must install applications in Add\Remove Programs or at a command line enter : change user /install and then after install change user /execute
· To enable and disable logging on to a TS Server: change logon /disable and change logon /enable at a command prompt. It can also be accomplished thru the Remote tab of System Properties.
§ Terminal Server Session Directory-stores user session information. this service allows a user to reconnect to a disconnected session, preventing a loss of data and the use of another license. Used with Network Load Balancing. It is recommended that this server not be a part of the cluster.
· Tools to configure TS (in order of precedence, highest first)
· Active Directory Group Policy - beats all other configuration settings
· Terminal Services Configuration console (the RDP-Tcp connection settings) - does not beat GPO, but beats everything else, such as user account settings and client settings
· User account settings in AD Users and Computers
· RDP / TS client settings
· There are four tabs in the User Properties that are associated with the TS config:
· Terminal Services Profile Tab
· “Profile Path” - allows you to configure a roaming or mandatory profile for the user’s terminal sessions
· “Terminal Services Home Folder” - specifies a home directory for the user when logged on to a terminal server
· “Allow Logon to Terminal Server” option - enabled by default and can be cleared to make an exception for this particular user. If disabled, the user cannot log on to any Terminal Server, no matter what group he belongs to.
· Environment Tab
· These settings override the settings in the RDP client software
· The “Starting Program” section allows you to specify a program to be executed at logon; the session then runs only that program and ends when it exits
· “Client Devices” – controls if local drives (only
· Remote Control Tab
· Remote control is enabled by default, with “Require user’s permission” checked.
· Choices of level of control are:
· View the user’s session
· Interact with the session (default)
· To start a remote control session, the admin first needs to start a session with the terminal server (remote control cannot be started from the console), open the Terminal Services Manager admin tool (found in Administrative Tools), right-click the user’s session and select Remote Control.
· Sessions Tab
· Sets session limits on the terminal server.
· There are 3 different limits for a terminal server session:
· End a disconnected session - when a user disconnects without logging off, the session and programs remain open on the server. This allows the user to reconnect and find the remote session as he left it; this limit ends such sessions after the chosen time.
· Active session limit - specifies the maximum time a user can be actively using the TS.
· Idle session limit - specifies the limit for no activity.
· If you choose to end sessions, the user might lose data.
· Know the difference between ending a session and disconnecting:
· Disconnecting - allows the user to reconnect to the same session with no loss of data.
· Ending - the session and its programs are closed; unsaved data is lost.
· Allow Reconnection section:
· “From any client”
· “From originating client only” - the user can reconnect only from the computer where the session originated.
· All the settings in the User Properties in AD can also be configured at the server level in the Terminal Services Configuration snap-in (properties of the RDP-Tcp connection). This has to be configured on each server, and the “Override user settings” box must be checked for the server setting to win.
· Remote Desktop Connection client settings-
· On the Local Resources tab, under local devices, a user can map a local disk which can be accessed in the terminal session. This allows a user to use an application on the Terminal Server, but store the data on the local disk drive. Same for printer and serial ports.
Default Groups
The following groups are in the Builtin container. These groups all have built-in local (domain local) scope and cannot be moved to another OU:
· Account Operators-
· members can administer domain user and group accounts,
· log on locally to DC’s
· Can shut down DC’s.
· Cannot modify the Administrators group, Domain Admins, the other operator groups, or the accounts of their members.
· Backup Operators-
· Can backup and restore files without being limited by file permissions on domain controllers
· Can logon to DC’s
· Can shutdown DC’s
· Incoming Forest Trust Builders-
· Can create incoming, one-way trust relationships to this forest
· Appears only in the root domain of the forest.
· Network Configuration Operators-
· Can change the TCP/IP settings on domain controllers in the domain
· Performance Monitor Users-
· Can monitor performance counters on domain controllers
· Performance Log Users-
· can manage performance counters, logs and alerts on domain controllers
· Pre-Windows 2000 Compatible Access-
· Has read access to all users and groups in the domain.
· Provides backward compatibility for computers running pre-Windows 2000 versions, such as NT 4
· Everyone and Anonymous Logon are members if “Permissions compatible with pre-Windows 2000 server operating systems” was chosen during dcpromo; otherwise the member is Authenticated Users.
· Print Operators
· Can administer printers connected to domain controllers and shared printer objects in AD
· Can log on to DC’s
· Can shutdown DC’s.
· No members by default
· Remote Desktop Users
· Granted the right to logon remotely using terminal session.
· No members by default
· Replicator-
· System group account used for file replication
· Has no members
· Server Operators-
· Can administer shared resources on domain servers
· Start and stop certain services
· Format hard disks
· Have the same rights as back up operators including shutdown DC’s
· No members by default
The following default groups reside in the Users container in AD. User container contains domain local, global, and universal scope default groups. These groups can be moved to another OU:
Folder and File Access
· Share (network) permissions
· Full Control
· Change
· Read
· Share permissions apply only when the folder is reached over the network. For a network user the effective permission is the most restrictive of the share permission and the NTFS permission; a local (interactive) user is limited only by NTFS. An explicit Deny in either set overrides an Allow.
· NTFS (local) permissions
· Full
· Modify- able to view, create, change and delete files and folders
· Read and Execute- can view files and folders and run programs.
· List Folder Contents
· Read
· Write
· Special Permissions
§ Full Control
§ Traverse Folder/Execute File
§ List Folder/Read Data
§ Read Attributes
§ Read Extended Attributes
§ Create Files/Write Data
§ Create Folders/Append Data
§ Write Attributes
§ Write Extended Attributes
§ Delete Subfolders and Files
§ Delete
§ Read Permissions
§ Change Permissions
§ Take Ownership
§ Default NTFS permissions on a new folder for Domain Users
§ Read and Execute
§ List Folder Contents
§ Read
§ Special Permissions
§ Create Files/Write Data
§ Create Folders/Append Data
§ Special Groups (well-known identities that can be used in ACLs)
§ Interactive - users logged on locally at the computer
§ Network - users accessing the folder over the network
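The share/NTFS combination rule above, as an added example (not part of the study notes or of any Microsoft tool): the NTFS and share permission levels are modelled as sets of the special permissions they bundle (a simplification), the ACLs and group memberships are constructed sample data, and the function returns the rights a user actually ends up with, locally or through the share.

```python
"""Effective access when share (network) and NTFS permissions combine.

Added example, not from the study notes: access through a share is the
intersection of the share permission and the NTFS permission, local access is
governed by NTFS alone, and an explicit Deny beats any Allow.  The ACLs and
group memberships below are constructed sample data.
"""

# Each standard permission is modelled as the set of special permissions it
# bundles (simplified to the special permissions needed to show the rule).
NTFS_LEVELS = {
    "Read": {"read_data", "read_attributes", "read_permissions"},
    "Read and Execute": {"read_data", "read_attributes", "read_permissions", "execute"},
    "List Folder Contents": {"read_data", "read_attributes", "read_permissions", "execute"},
    "Write": {"write_data", "append_data", "write_attributes"},
    "Modify": {"read_data", "read_attributes", "read_permissions", "execute",
               "write_data", "append_data", "write_attributes", "delete"},
}
NTFS_LEVELS["Full Control"] = NTFS_LEVELS["Modify"] | {
    "delete_subfolders_and_files", "change_permissions", "take_ownership"}

# Share permissions are coarser: Read, Change, Full Control.
SHARE_LEVELS = {
    "Read": NTFS_LEVELS["Read and Execute"],
    "Change": NTFS_LEVELS["Modify"] | {"delete_subfolders_and_files"},
    "Full Control": NTFS_LEVELS["Full Control"],
}


def effective_rights(aces, principals, levels):
    """Union of matching Allow entries minus union of matching Deny entries.

    aces: list of (principal, "Allow" | "Deny", level)
    principals: the user's own name plus every group in the user's token
    """
    allowed, denied = set(), set()
    for principal, ace_type, level in aces:
        if principal not in principals:
            continue
        (allowed if ace_type == "Allow" else denied).update(levels[level])
    return allowed - denied          # an explicit Deny wins over any Allow


def effective_access(user, groups, ntfs_aces, share_aces=None, over_network=False):
    """Rights the user ends up with on the folder.

    Local (interactive) access: NTFS only.  Network access: NTFS AND share,
    i.e. the most restrictive combination of the two.
    """
    principals = set(groups) | {user, "Everyone", "Authenticated Users"}
    ntfs = effective_rights(ntfs_aces, principals, NTFS_LEVELS)
    if not over_network:
        return ntfs
    share = effective_rights(share_aces or [], principals, SHARE_LEVELS)
    return ntfs & share


# Constructed sample: a Finance share with typical NTFS and share ACLs.
NTFS_ACL = [
    ("Domain Users", "Allow", "Modify"),
    ("Contractors", "Deny", "Write"),            # contractors may read but never write
    ("Administrators", "Allow", "Full Control"),
]
SHARE_ACL = [
    ("Everyone", "Allow", "Read"),
    ("Finance", "Allow", "Change"),
]

if __name__ == "__main__":
    for user, groups, via_share in [
        ("alice", {"Domain Users", "Finance"}, True),
        ("bob", {"Domain Users", "Contractors"}, True),
        ("bob", {"Domain Users", "Contractors"}, False),
        ("carol", {"Administrators"}, True),
    ]:
        rights = effective_access(user, groups, NTFS_ACL, SHARE_ACL, over_network=via_share)
        print(f"{user:5} {'network' if via_share else 'local':7} -> {sorted(rights)}")
```

Note the last case: an administrator with Full Control on NTFS still gets only Read through the share, because the share grants Everyone Read and nothing more. That is the usual reason for leaving share permissions at Everyone: Full Control (or Authenticated Users: Change) and doing the real restriction in NTFS.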
· Authentication refers to security, as in passwords and how or if they are encrypted. See
· Authorization refers to
· Each time there is a change to the website configuration the metabase.xml file is backed up (history file) in C:\Windows\System32\inetsrv\History
· Can also be backed up manually by right-clicking the server in IIS Manager and choosing All Tasks, Backup/Restore Configuration.
· Two metabase files
· Metabase.xml- contains the IIS configuration settings
· Mbschema.xml- contains the schema; edit it only through ADSI, not by hand
· Files are located in C:\Windows\System32\inetsrv
· The only accounts that have access are NT AUTHORITY\SYSTEM and BUILTIN\Administrators, with Full Control
· It is not recommended to use the import/export feature for backing up because the exported file does not include passwords and other sensitive (encrypted) data.
· IIS 6 can be administered from:
· A web browser (Remote Administration (HTML) tool): https://localhost:8098
· IIS Manager (for a remote server use Connect to)
· The command line scripts in %SystemRoot%\System32:
· IISweb.vbs- used to start, stop, create, delete, and list Web sites.
· IISftp.vbs- same as above but for FTP sites
· IISvdir.vbs- same as above but for virtual directories.
· IISftpdr.vbs- used to create, delete, and display virtual directories under an FTP root.
· IIScnfg.vbs- used to import and export IIS configuration to an XML file, and to copy it to another server.
· IISback.vbs- used to back up and restore the IIS configuration
· IISapp.vbs- used to list application pools and the process IDs of started worker processes.
· IISext.vbs- used to configure web service extensions
· There are 7 IIS 6 authentication methods:
· Anonymous-
· no password required for access
· Uses the IUSR_machinename account
· When this is enabled IIS does not try any other authentication scheme unless NTFS permissions deny the anonymous account access to a resource.
· Enabled by default
· Integrated Windows-
· requires a Windows account and password; the password itself is never sent over the wire
· will use NTLM or Kerberos depending on a negotiation between IE and IIS
· best scheme for an intranet where users have domain accounts; not suited to Internet use because it requires IE and does not pass through HTTP proxy servers
· Digest-
· works with AD and sends an MD5 hash (of user name, realm, password and the request) rather than the password.
· Requires that a Realm is defined.
· One step above Basic authentication
· Requires a domain user account in AD
· Advanced Digest-
· Requires a domain user account in AD and the Windows Server 2003 domain functional level; the password hash is pre-computed and stored in AD, so passwords need not be stored with reversible encryption
· Has a medium level of security
· Basic –
· passwords are sent base64-encoded, which is effectively clear text; use it only over SSL
· uses Windows user accounts
· .NET Passport-
· level of security is high
· provides a single unified logon through SSL, HTTP redirects, cookies, and JavaScript
· Certificate-
· Strong authentication scheme
· Uses SSL and client certificates (mapped to Windows accounts one-to-one or many-to-one)
· Preferred method for conducting business over the internet.
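Why the notes rank Basic below Digest, as an added example (not from the study notes and not IIS code): a Basic Authorization header base64-decodes straight back to user:password, while a Digest response (RFC 2617 with qop="auth") is an MD5 over the credentials, realm, server nonce and request, so the server can verify it from a stored HA1 hash without ever seeing the password. The user name, realm, nonce and URI are constructed sample values.

```python
"""HTTP Basic versus Digest authentication as IIS uses them.

Added example, not from the study notes or from IIS.  Shows that a Basic
header is effectively clear text and how a Digest response (RFC 2617,
qop="auth") proves knowledge of the password without sending it.  Realm,
nonce, URI and the user credentials are constructed sample values.
"""
import base64
import hashlib
import secrets


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# ---- Basic -----------------------------------------------------------------
def basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(header):
    """Anyone who sees the header (no SSL) recovers the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# ---- Digest ----------------------------------------------------------------
def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password).  This is what the server (or AD, for
    Advanced Digest) can store instead of a reversibly encrypted password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_digest(user, realm, password, method, uri, nonce, nc="00000001", cnonce=None):
    """What the browser sends: the fields plus the response hash, never the password."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = digest_ha1(user, realm, password)
    return {"username": user, "realm": realm, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce, "qop": "auth",
            "response": digest_response(ha1, method, uri, nonce, nc, cnonce)}


def verify_digest(auth, method, known_ha1):
    """Server side: recompute from the stored HA1 and compare in constant time.
    The response is bound to the method, URI and server nonce, so a captured
    header cannot be replayed against another request or nonce."""
    expected = digest_response(known_ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    return secrets.compare_digest(expected, auth["response"])


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cr3t!")
    print(hdr, "->", parse_basic(hdr))              # the password is readable
    nonce = secrets.token_hex(16)                    # server-issued, per challenge
    auth = client_digest("alice", "corp.example", "s3cr3t!", "GET", "/payroll/", nonce)
    print("digest response:", auth["response"])
    ha1 = digest_ha1("alice", "corp.example", "s3cr3t!")
    print("verified:", verify_digest(auth, "GET", ha1))
```

The stored HA1 is still worth protecting: whoever has it can compute valid responses for that realm, which is the same reason Digest is "one step above Basic" rather than a replacement for SSL.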
· IIS Host Headers- allow multiple host names (web sites) to share a single IP address and port. The browser sends the requested host name in the HTTP Host header and IIS uses it to pick the site.
An A record (or CNAME) needs to resolve each host header name to the server’s IP address.
Users access the site by the host header name.
Host headers solve the problem of multiple websites on the same server using the same IP address and port. They do not work for SSL sites, because the Host header is encrypted and IIS 6 cannot choose a certificate by it.
Host Header Names to Host Multiple Sites from One IP Address in IIS 5.0: http://support.microsoft.com/kb/190008
· To support WebDAV (Web Distributed Authoring and Versioning) the WebDAV web service extension must be enabled in IIS on the web server.
· WebDAV uses port 80 (the HTTP port), so no extra ports need to be opened.
· Steps to install WebDAV
· On Windows Server 2003 it needs to be installed even if IIS is already installed. Add it from Add/Remove Programs under Application Server\IIS\World Wide Web Service.
· After installation it needs to be enabled under the WebDAV option under the Web Service Extensions node in IIS Manager (it is Prohibited by default, like all extensions in IIS 6).
· XP clients that will be managing and creating content on the site need the WebClient service started and set to Automatic.
· Permissions are a combination of NTFS and what is set in IIS for that virtual directory; a WebDAV author needs Read, Write and Script source access in IIS plus matching NTFS rights.
· The default permission for a virtual directory is Read.
· Application Pooling- applications run in separate worker processes, so one application cannot affect another.
· To change the application pool, go to Properties of the website or application, Home Directory tab, and the Application pool list box.
· HTTP SSL service- used when you want encryption for private websites such as OWA.
· World Wide Web Publishing service- provides HTTP services for non-secure public websites.
· Printing over the internet. First IIS has to be installed, then Internet Printing. Then you can print using http://servername/printers
· change logon /disable disables new Terminal Services sessions to a server.
· change logon /enable re-enables them.
· Csvde.exe- bulk import/export of AD objects.
Uses the CSV format and can be used with Excel.
Will not create passwords (imported user accounts are created disabled).
-i will import (the default is export)
-k ignores errors such as “object already exists”
· Ldifde.exe- is a more advanced tool that can create, modify, and delete AD objects.
Default is to export, so you have to use the –i switch to import.
Cannot use this with Excel.
Uses the LDAP Data Interchange Format (LDIF).
· MBSAcli- command line version of MBSA. Will go out on the internet or to the SUS server (switch: /sus) to check if updates are current.
· Nbtstat- shows NetBIOS over TCP/IP statistics and name tables for a computer.
· Netsh- used to change and view network configuration on a local or remote computer.
· Netdiag- used to test the network connectivity of a computer, including Kerberos and DC/DNS tests.
·  Netcap- used to capture packets from the command line and write them to a capture file.
· Nltest- can obtain a list of domain controllers on the network and query the status of a trust relationship or secure channel.
· Secedit – command line tool used to analyze and configure security settings on a computer. Security Configuration and Analysis is the GUI version.
· Schtasks- used to schedule tasks. Can connect to a remote computer.
· Tsshutdn wait_time /server:servername /reboot /powerdown /delay:log_off_delay /v
wait_time is the time in seconds to wait after users are notified before they are logged off.
/delay is the time after users are logged off before processes are stopped and the server shuts down.
/v displays to the user the actions being performed.
· Tsdiscon- disconnects a session but keeps its processes running.
· WMIc- command line tool used to query and control WMI
· WMIc qfe- lists the hotfixes (quick fix engineering updates) installed on the given computer.
Important Paths to Files
Domain and Forest Functional Levels – know the difference between all
· The Windows 2000 mixed and Windows 2000 native domain levels do not support renaming a domain controller; that needs the Windows Server 2003 domain functional level.
· To change the functional level go to Active Directory Domains and Trusts.
· The default functional level for a new domain is Windows 2000 mixed.
Forest functional levels:
· Windows 2000 (default)- no 2003 forest features available EXCEPT improved global catalog replication: a Windows 2003 global catalog replicates only the changes to other 2003 global catalogs, whereas Windows 2000 global catalogs re-replicate the entire catalog.
· Windows Server 2003 interim- for forests upgraded directly from NT 4; supports only NT 4 and Windows 2003 domain controllers (no Windows 2000 DCs).
· Windows Server 2003- all domains must be at the Windows 2000 native domain functional level or higher. As part of raising the forest to this level, all the domains are raised to the Windows 2003 domain functional level.
· Rule precedence when more than one rule matches a file: hash rule, then certificate rule, then path rule, then Internet zone rule; the default security level applies when no rule matches.
· Hash rule
o Cryptographic fingerprint that identifies a file regardless of where it is accessed or what it is named, so the file can be moved or renamed and is still matched.
o Used when an admin does not want a user to run a particular version of a program.
o If the contents of the file change in any way the hash rule no longer matches. The hash must be re-computed after every update.
· Certificate rule
o Matches the certificate the file is signed with, from a commercial certificate authority such as VeriSign, from Microsoft, or self-signed.
o Used where you want to identify a set of scripts that can be run anywhere.
o Still matches if the program file is renamed, because the signature and not the name is checked. Certificate rules apply only to scripts and Windows Installer packages unless the security option “System settings: Use certificate rules on Windows executables for Software Restriction Policies” is enabled.
o The slowest rule type, because the signature and certificate chain must be checked.
· Path rule
o Can specify a path to a folder or a path to a program.
o Can be a local path or UNC
o Can use environment variables such as %USERPROFILE% to adapt to a particular user’s environment.
o Can also point to a registry entry (a registry path rule, written as %HKEY_LOCAL_MACHINE\...\ValueName%).
o If more than one path rule matches, the more specific takes precedence.
o C:\folder1\folder2\file.exe will take precedence over C:\folder1
o Use the path rule for programs that are always installed in the same place. A user who can write to the folder can drop any program into it, so do not combine an Unrestricted path rule with a user-writable folder.
· Zone rule
o Identifies software by the Internet Explorer zone from which it is downloaded.
o Only applies to Windows Installer (.msi) packages, not to other files downloaded in IE.
o Used to allow software to be installed from Trusted Sites.
· Don’t use hash rules if you need to make modifications to the file.
· Great link for more info: Microsoft Windows XP: Using Software Restriction Policies to Protect Against Unauthorized Software
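How the four rule types resolve against one file, as an added example (not from the study notes and not Windows code): a small evaluator that applies hash, certificate, path and zone rules in Windows' precedence order, lets the most specific path rule win, expands %VAR% references in paths, and applies zone rules only to .msi packages. Certificate rules are simplified to a publisher name (an assumption; real rules match the signing certificate), and the file contents, rules and environment are constructed.

```python
"""Software Restriction Policy rule evaluation.

Added example, not from the study notes or from Windows.  Precedence:
hash, certificate, path (most specific wins), Internet zone (.msi only),
then the default level.  Certificate rules are simplified to a publisher
name (assumption).  Rules, files and the environment are constructed.
"""
import hashlib
import re

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"


def file_hash(data):
    """Hash rules identify the file by content: renaming or moving it changes nothing."""
    return hashlib.sha1(data).hexdigest()


def normalize(path, env):
    """Expand %VAR% references and canonicalise separators and case, as Windows does."""
    def sub(match):
        return env.get(match.group(1).lower(), match.group(0))
    path = re.sub(r"%([^%]+)%", sub, path)
    return path.replace("/", "\\").rstrip("\\").lower()


def path_matches(rule_path, target_path, env):
    rule, target = normalize(rule_path, env), normalize(target_path, env)
    return target == rule or target.startswith(rule + "\\")


def evaluate(target, rules, env, default=UNRESTRICTED):
    """Return (level, deciding rule or None).

    target: {"path", "data", "publisher" (optional), "zone" (optional)}
    rules:  dicts with "type" (hash/certificate/path/zone), "level" and a match key
    """
    def of_type(kind):
        return [r for r in rules if r["type"] == kind]

    digest = file_hash(target["data"])
    for rule in of_type("hash"):                       # 1. hash rules
        if rule["hash"] == digest:
            return rule["level"], rule
    for rule in of_type("certificate"):                # 2. certificate rules
        if target.get("publisher") and rule["publisher"] == target["publisher"]:
            return rule["level"], rule
    matches = [r for r in of_type("path") if path_matches(r["path"], target["path"], env)]
    if matches:                                        # 3. most specific path wins
        best = max(matches, key=lambda r: len(normalize(r["path"], env)))
        return best["level"], best
    if target["path"].lower().endswith(".msi"):        # 4. zone rules: MSI packages only
        for rule in of_type("zone"):
            if rule["zone"] == target.get("zone"):
                return rule["level"], rule
    return default, None                               # 5. default security level


# Constructed sample environment and rule set.
ENV = {"programfiles": r"C:\Program Files", "systemroot": r"C:\Windows"}
OLD_CALC = b"MZ...old-calc-binary..."                  # stands in for a banned build
RULES = [
    {"type": "hash", "hash": file_hash(OLD_CALC), "level": DISALLOWED},
    {"type": "certificate", "publisher": "Contoso IT", "level": UNRESTRICTED},
    {"type": "path", "path": r"%ProgramFiles%", "level": UNRESTRICTED},
    {"type": "path", "path": r"%ProgramFiles%\Games", "level": DISALLOWED},
    {"type": "path", "path": r"%SystemRoot%\Temp", "level": DISALLOWED},
    {"type": "zone", "zone": "Internet", "level": DISALLOWED},
]

if __name__ == "__main__":
    samples = [
        {"path": r"C:\Program Files\Games\tetris.exe", "data": b"tetris"},
        {"path": r"C:\Program Files\Office\winword.exe", "data": b"word"},
        {"path": r"C:\Program Files\Office\notes.exe", "data": OLD_CALC},   # renamed copy
        {"path": r"C:\Windows\Temp\tool.exe", "data": b"tool", "publisher": "Contoso IT"},
        {"path": r"C:\Users\bob\setup.msi", "data": b"msi", "zone": "Internet"},
    ]
    for sample in samples:
        level, rule = evaluate(sample, RULES, ENV)
        print(f"{sample['path']:42} -> {level} ({rule['type'] if rule else 'default'})")
```

The third sample is the point of hash rules: the banned binary renamed and moved into an Unrestricted path is still blocked. The fourth shows the cost of certificate rules: a signed tool in a Disallowed folder runs anyway, so trust only publishers you have reason to.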
· Tools to manipulate security templates are:
· Security Configuration and Analysis MMC- templates can be compared (analyzed) against the computer’s current settings and then applied
· Security Templates MMC- used to create and modify templates
· Secedit.exe- command line equivalent of the Security Configuration and Analysis MMC
· Built-in templates (in %SystemRoot%\Security\Templates)
· DC security.inf (domain controller default security)- used to configure the security of the registry and file system of a server that has been promoted to domain controller.
· Setup security.inf (default security)- used to reapply the default security settings of a freshly installed computer. Created during installation for each computer. Replaces ocfiless.inf and ocfilesw.inf in Windows 2003. Apply it locally and section by section, never through Group Policy.
· Securedc.inf- used to increase the security and communications of domain controllers, but not to the level of hisecdc.inf. Clients send only NTLMv2 responses. Enables (does not require) SMB packet signing. Prohibits LanManager authentication.
· Securews.inf- used to increase security and communications for clients and member servers. Same settings as securedc.inf: NTLMv2 only, SMB signing enabled but not required, LanManager prohibited.
· Hisecdc.inf- used to increase the security and communication of domain controllers. Requires SMB packet signing. Prohibits LanManager and NTLM authentication (NTLMv2 or Kerberos only).
· Hisecws.inf- used to increase security and communication for client computers and member servers. Requires SMB packet signing. Prohibits LanManager and NTLM authentication.
· Compatws.inf- for older applications that need weaker security to access the registry and the file system; relaxes the Users permissions so Power Users membership is not needed, and removes all members from Power Users.
· Notssid.inf (No Terminal Server user SID)- used to weaken security to allow older applications to run on a Terminal Server. Removes the Terminal Server SID from the file system and registry ACLs when TS is not running in application server mode.
· Ocfiless.inf- used for optional components installed after the main OS, such as TS and Certificate Services. Used in Windows 2000; replaced by Setup security.inf.
· Ocfilesw.inf- the workstation version. Used in Windows 2000.
· Rootsec.inf- defines the default permissions for the root of the system drive; can be used to reapply them if they are changed accidentally.
· Basicwk.inf- the default XP and
There are 3 default IPSec policies:
· Server (Request Security)- for all IP traffic, always request security using Kerberos trust. Allows unsecured communication with clients that do not respond to the request.
· Client (Respond Only)- communicate normally (unsecured). Uses the default response rule to negotiate with servers that request security. Only the requested protocol and port traffic with that server is secured.
· Secure Server (Require Security)- always requires security using Kerberos. Does not allow unsecured communication with untrusted clients.
· With Kerberos authentication (the default in the built-in policies) computers and servers need to belong to the same forest; a stand-alone server cannot use Kerberos for IPsec.
· Certificate or preshared-key authentication can be used instead and works without AD. Preshared keys are meant for testing only: the key is stored in clear text in the policy.
· Netdiag- command line utility used to view the IPsec policies in Windows 2000 Server (netdiag /test:ipsec)
· Netsh ipsec- command line utility used to view and configure the IPsec policies in Windows Server 2003
· IPseccmd- command line utility used to view the IPsec policies in XP
· The IP Security Monitor console can also be used to monitor IPsec on Server 2003 and XP.
· It tells which IPSec policy is active and whether a secure channel (security association) between computers is established.
Active Directory Partitions
The Active Directory database is composed of partitions (naming contexts):
-Schema partition- defines the object types that can be created and the attributes they can have. One per forest, replicated to every DC.
-Configuration partition- stores information about the forest such as sites, services and replication topology. One per forest, replicated to every DC.
-Domain directory partition- contains Active Directory object information about the domain: computers, groups, users. The AD Users and Computers tool manages this partition. Replicated to all domain controllers in the domain (and, as a read-only partial replica, to global catalogs).
-Application directory partition-
-stores data (objects and attributes) related to AD about a service such as DNS or TAPI.
-allows you to designate a particular area of AD for use by an application, replicated only to the DCs you choose.
-cannot contain security principals (users, groups, computers, etc.).
-use the NTDSUTIL command line tool, ADSIEDIT, LDAP tools (LDP.exe) or application-specific tools supplied by the vendor to create and manage them.
-Some application vendors will also include code in their applications to create the application directory partition for you.
-Managing Application Directory Partitions
- Only Windows 2003 Server domain controllers can host an application directory partition.
-objects stored in an application directory partition are not replicated to global catalogs, but DC’s that are GC’s can still hold an application directory partition.
Active Directory Replication
Within a site, replication is driven by change notification (a DC notifies its partners 15 seconds after a change in Windows 2003, 5 minutes in Windows 2000). Between sites, replication runs on the site link schedule, every 180 minutes by default.
Can force a replication between DC’s in AD Sites and Services (right-click the connection object and choose Replicate Now) or with repadmin /syncall.
Windows 2000 native and mixed domain levels have a limit of about 5,000 members per group, because the whole membership replicates as one attribute value; anything over that can fail to replicate. The Windows Server 2003 forest functional level adds linked-value replication, which replicates individual membership changes and removes the limit.
Logical Components of Active Directory
Domain- a collection of computers, users and groups that share a directory database and security policies, and a security boundary for administration.
Tree- collection of domains in a contiguous namespace.
Forest- collection of domain trees that share a schema, a configuration partition and a global catalog.
Schema- set of definitions of object classes and attributes that can be stored in AD.
Schema Master- the domain controller assigned to control all updates to the schema in the forest. There is only one schema master in a forest.
Global Catalog- role held by domain controllers that hold a partial replica of every object in the forest.
-Responsible for UPN-based logons and universal group membership lookups at logon; also required by Exchange
-the first domain controller in the forest is a GC. All others afterward have to be set up manually.
-Can be enabled in Active Directory Sites and Services (NTDS Settings properties of the server)
Sites- collection of well-connected IP subnets.
Can control replication between sites
Domain Controllers- any Windows Server 2003 edition can be a DC except the Web Edition.
-Contains the AD database- NTDS.dit
-the first domain controller is the global catalog server
The 1st domain controller holds all 5 operations master (FSMO) roles:
Schema master- one per forest, in the forest root domain
Domain naming master- one per forest, in the forest root domain
Relative identifier (RID) master- one per domain
Primary domain controller (PDC) emulator- one per domain
Infrastructure master- one per domain; should not be placed on a GC unless every DC in the domain is a GC
Universal Group Membership Caching
-When a DC gets a logon request it needs to contact a global catalog server for the user’s universal group membership; with caching enabled the DC keeps the membership locally and refreshes it periodically, so logons succeed when no GC is reachable.
-enabled in Active Directory Sites and Services (NTDS Site Settings)
-Is site-specific, so all domain controllers within that site do the caching.
Ways to promote a server to Domain Controller
Active Directory Installation Wizard- DCPROMO
Answer file
DCPROMO /answer:answer_file
From backup (install from media)
DCPROMO /adv, using a restored system state backup of an existing DC as the initial copy of the Active Directory database, so the new DC does not have to pull the whole database over the WAN
From “Configure Your Server Wizard”
Can only be used for the first domain controller. If tried for an additional DC, the Active Directory Installation Wizard will appear automatically.
Trust Types
Tree-root- automatically created between the forest root domain and the root domain of each new tree- Transitive and 2-way
Parent-child- automatically created- Transitive and 2-way
Shortcut trust- manually created for performance reasons to eliminate long transitive paths in large forests. AKA cross-link trusts. Transitive and 1-way or 2-way
Realm trust- manually created for non-Windows Kerberos realms such as Unix. Non-transitive or transitive and 1-way or 2-way.
External trust- manually created between domains in different forests or between an NT 4 and a 2003 domain. Non-transitive and 1-way or 2-way.
Forest trust- manually created between the forest root domains of 2 separate forests. Transitive (between the two forests only) and 1-way or 2-way. Both forests must be at the Windows Server 2003 forest functional level.
Terms
Incoming trust- a trust in which this domain is the trusted domain: its users can be authenticated in the other domain.
Outgoing trust- a trust in which this domain is the trusting domain: it accepts users from the other domain.
Trusting domain- the domain that holds the resources and accepts the other domain’s accounts.
Trusted domain- the domain that holds the accounts.
The “Other Organization” SID is added to a user’s token when crossing a trust that has been configured for selective authentication; otherwise “This Organization” is used.
User
Accounts
When copying a user account or user template, only some properties are copied
General tab-none
Address tab-all but street address
Account tab- all but login name
Profile tab-all
Telephone tab- none
Organization tab- all but title
Member of tab- all
Dial-in, Environment, Sessions, Remote Control, Terminal Services Profile, Com +tabs- none
Security tab-none
Computer configuration settings are applied when the OS starts up and then in the background every 90 minutes (plus a random offset of up to 30 minutes); domain controllers refresh every 5 minutes.
User configuration settings are applied when the user logs on and then in the background every 90 minutes (plus the same random offset).
Policy inheritance
GPO’s linked to parent containers (site, domain, parent OU) are inherited by child OU’s; a setting left Not Configured in a child simply keeps the inherited value.
If the parent policy and the child policy both configure the same setting, the child (closer to the user or computer) wins.
The No Override (Enforced) setting on a parent link cannot be blocked by the Block Policy Inheritance setting on a child container (No Override always wins).
To keep a GPO from applying to a group or user, deny that group the Read and Apply Group Policy permissions on the GPO (security filtering).
Computer configuration settings override User configuration settings if the same setting is configured in both.
When multiple GPO’s are linked to the same site, domain or OU, the GPO at the bottom of the list is applied first and the one at the top last, so the top of the list has the highest precedence.
The “No Override” setting always overrides any Block Policy Inheritance setting.
For a GPO to take effect on a security group or user, the group or user must have Allow Read and Allow Apply Group Policy permissions on the GPO.
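The inheritance rules above worked through in code, as an added example (not from the study notes and not how Windows itself stores policy): a site, domain and OU chain with GPO links, link order, No Override, Block Policy Inheritance and the Read/Apply Group Policy permission, resolved into the order the GPOs would be applied and the resulting values. The containers, GPOs, settings and group names are constructed sample data.

```python
"""Group Policy precedence: site -> domain -> OU order, link order, No Override
(Enforced), Block Policy Inheritance and the Read/Apply Group Policy permission.

Added example, not from the study notes or from Windows.  All containers,
GPOs, settings and security groups below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                                   # setting -> value; None = Not Configured
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})
    deny_apply: set = field(default_factory=set)     # Deny Read/Apply Group Policy

    def applies(self, principals):
        if self.deny_apply & principals:             # an explicit Deny removes the GPO
            return False
        return bool(self.apply_to & principals)


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False                           # "No Override" in Windows 2003 terms
    disabled: bool = False


@dataclass
class Container:
    name: str                                        # site, domain or OU
    links: list                                      # GUI order: top of the list = highest precedence
    block_inheritance: bool = False


def application_order(chain, principals):
    """GPOs in the order Windows applies them; the last one to set a value wins."""
    normal, enforced = [], []
    for container in chain:                          # site -> domain -> OU -> child OU
        if container.block_inheritance:
            normal = []                              # drops non-enforced GPOs from above
        live = [l for l in container.links if not l.disabled and l.gpo.applies(principals)]
        for link in reversed(live):                  # bottom of the list is applied first
            (enforced if link.enforced else normal).append(link.gpo)
    # Enforced links are applied after everything else; among enforced links the
    # one highest in the hierarchy wins, so apply child-first and the site last.
    return normal + list(reversed(enforced))


def resolve(chain, principals):
    """Resultant set of policy for a user/computer that belongs to `principals`."""
    result = {}
    for gpo in application_order(chain, principals):
        for key, value in gpo.settings.items():
            if value is not None:                    # Not Configured inherits the earlier value
                result[key] = value
    return result


# Constructed sample hierarchy.
site_gpo = GPO("Site-Baseline", {"MinPasswordLength": 12})
domain_gpo = GPO("Default Domain", {"MinPasswordLength": 8, "Wallpaper": "corp.bmp"})
ou_a = GPO("OU-Wallpaper", {"Wallpaper": "finance.bmp", "RunLogonScript": None})
ou_b = GPO("OU-Script", {"RunLogonScript": "map.vbs", "Wallpaper": "script.bmp"},
           deny_apply={"GP-Exempt"})
CHAIN = [
    Container("Default-First-Site", [Link(site_gpo, enforced=True)]),
    Container("corp.example", [Link(domain_gpo)]),
    Container("OU=Finance", [Link(ou_a), Link(ou_b)], block_inheritance=True),
]

if __name__ == "__main__":
    print([g.name for g in application_order(CHAIN, {"Authenticated Users"})])
    print(resolve(CHAIN, {"Authenticated Users", "Finance Users"}))
    print(resolve(CHAIN, {"Authenticated Users", "GP-Exempt"}))
```

In the sample the OU blocks inheritance, so the domain wallpaper never arrives, yet the enforced site GPO still sets the password length to 12; of the two OU links, OU-Wallpaper is at the top of the list and therefore wins the wallpaper conflict.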
WMI filtering can be used for each GPO. Right click on GPO and click on Properties and the WMI Filter. They only work for XP and 2003 server.
Group Policy Management Console- is a tool that is used to administer GPO’s
Not included in Windows 2003 server but can be obtained from MS website.
Can backup and restore GPO’s
Can import and copy GPO settings from within forest.
Command Line tools for GPO’s
Secedit.exe- used to analyze and configure security settings based on templates.
Equivalent to the Security Configuration and Analysis MMC.
In 2000 it was also used to refresh group policy, with the switch /refreshpolicy.
Gpupdate.exe- used to refresh GPO settings (both computer and user by default; /target:computer or /target:user for one of them).
Replaces secedit /refreshpolicy.
Can force a logoff (/logoff) or reboot (/boot) when a setting needs one to take effect, and can reapply every setting rather than only the changed ones:
GPUPDATE /force
Gpresult.exe- used to display the GPO settings and RSoP of a target computer or user.
RSOP-Resultant Set of Policies- Used to verify the group policies that are in effect on a computer.
Can be created by
Domain Administrators
Enterprise Admins
Group Policy Creator Owner Groups
Delegated authority
Audit Policy- set by default in the Default Domain Controllers Policy
· Account Logon events are generated where the account is validated: on the DC for a domain account, on the local computer for a local account.
· Logon events are generated where the logon session is created: on the client when a user logs on locally or to the domain, and on the DC when a logon script or policy is applied to a client (the client logs on to the DC to fetch it).
· Audit Object Access has to be enabled (success, failure or both) before auditing of individual files, folders, printers or registry keys (set in each object’s SACL) produces any events.
· Audit Directory Service Access is the same idea for Active Directory objects.
**Know the difference between Audit Logon Events and Audit Account Logon Events
**Know the difference between Audit Directory Service Access and Audit Object Access
The following table sums up the difference between Account Logon and Logon events:
| Action | Account Logon Event occurs on | Logon Event occurs on |
| User attempts to log on to a domain from a client computer | Domain controller | Local computer |
| Logon script or policy applied to client computer | | Domain controller |
| User attempts to log on to a computer using a local user account | Local computer | Local computer |
| User attempts to access a resource on a server over the network | | Server computer |
Account Policies- set in the Default Domain Policy (for domain accounts they are only effective when set at the domain level)
· Password Policy
Enforce Password History- maximum value is 24; the 2003 default is 24 passwords remembered
Maximum Password Age- default value 42 days
Minimum Password Age- default value is 1 day
Minimum Password Length- default value is 7 characters
Password Must Meet Complexity Requirements- enabled by default. The password:
must not contain the user’s account name or any part of the full name longer than two consecutive characters
must be at least 6 characters long
must contain characters from at least three of these four categories:
uppercase letters
lowercase letters
numbers
non-alphanumeric characters- !, @, #, $, etc.
Store Passwords Using Reversible Encryption- disabled by default. The default stores only non-reversible hashes, which is stronger; enable it only for applications that need the plain password, such as CHAP or Digest authentication.
· Account Lockout Policy
Account Lockout Duration- not defined by default because it only applies together with Account Lockout Threshold. A value of 0 means the account stays locked until an admin unlocks it.
Account Lockout Threshold- number of invalid logon attempts; can be set from 0 to 999. A value of 0 (the default) means the account is never locked out.
Reset Account Lockout Counter After- the number of minutes after a failed logon before the bad-logon counter is reset to 0. Must be less than or equal to the Account Lockout Duration when a duration is set.
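The password complexity rules and the lockout counter above, as an added example (not from the study notes and not Windows code): a checker for the complexity requirements and a small model of how a DC keeps the bad-password counter under Threshold, Duration (0 = until an administrator unlocks) and Reset Counter After. Time is a constructed clock in minutes; the fifth Windows category (other Unicode alphabetic characters) is left out, an assumption that keeps the example short.

```python
"""Password complexity and account lockout as the Account Policies define them.

Added example, not from the study notes or from Windows.  Uses a constructed
clock in minutes; ignores the fifth Windows character category (other Unicode
alphabetic characters) as a simplifying assumption.
"""
import re
from dataclasses import dataclass


@dataclass
class AccountPolicy:
    min_length: int = 7              # Default Domain Policy default
    complexity: bool = True
    lockout_threshold: int = 0       # 0 = never lock out (the default)
    lockout_duration: int = 30       # minutes; 0 = locked until an admin unlocks
    reset_counter_after: int = 30    # minutes; must not exceed the duration when one is set

    def __post_init__(self):
        if self.lockout_duration and self.reset_counter_after > self.lockout_duration:
            raise ValueError("Reset Counter After must not exceed Lockout Duration")


def meets_complexity(password, account_name, full_name=""):
    low = password.lower()
    if account_name and account_name.lower() in low:
        return False
    # Full-name tokens are split on the delimiters Windows uses; 1-2 char tokens are ignored.
    for token in re.split(r"[,.\-_ #\t]+", full_name):
        if len(token) > 2 and token.lower() in low:
            return False
    if len(password) < 6:
        return False
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(categories) >= 3


def password_allowed(policy, password, account_name, full_name=""):
    if len(password) < policy.min_length:
        return False
    return not policy.complexity or meets_complexity(password, account_name, full_name)


class LockoutTracker:
    """Per-account bad-password counter as a domain controller keeps it."""

    def __init__(self, policy):
        self.policy, self.bad_count, self.last_bad, self.locked_at = policy, 0, None, None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.policy.lockout_duration == 0:           # stays locked until admin_unlock()
            return True
        if now - self.locked_at >= self.policy.lockout_duration:
            self.admin_unlock()                         # duration expired: unlocked, counter cleared
            return False
        return True

    def failed_logon(self, now):
        """Record a bad password at minute `now`; return True if the account is locked."""
        if self.is_locked(now):
            return True
        if self.last_bad is not None and now - self.last_bad >= self.policy.reset_counter_after:
            self.bad_count = 0                          # Reset Counter After has elapsed
        self.bad_count, self.last_bad = self.bad_count + 1, now
        if self.policy.lockout_threshold and self.bad_count >= self.policy.lockout_threshold:
            self.locked_at = now
        return self.is_locked(now)

    def successful_logon(self):
        self.bad_count, self.last_bad = 0, None

    def admin_unlock(self):
        self.locked_at, self.bad_count, self.last_bad = None, 0, None


if __name__ == "__main__":
    pol = AccountPolicy(lockout_threshold=3, lockout_duration=30, reset_counter_after=15)
    print(password_allowed(pol, "Summer2024!", "alice", "Alice Smith"))   # True
    print(password_allowed(pol, "alice2024!", "alice", "Alice Smith"))    # False: contains account name
    tracker = LockoutTracker(pol)
    print([tracker.failed_logon(m) for m in (0, 1, 2)])                    # [False, False, True]
    print(tracker.is_locked(10), tracker.is_locked(40))                    # True False
```

A threshold with a short reset window (three failures, counter reset after 15 minutes) is the usual balance: an attacker cannot try passwords in bulk, but a user who mistypes twice an hour is never locked out, and with a non-zero duration the help desk is not needed to recover.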
· Kerberos Policy
Enforce User Logon Restrictions- enabled by default (the KDC checks the user’s logon rights on the target computer for every service ticket request)
Maximum Lifetime For Service Ticket- default is 600 minutes
Maximum Lifetime For User Ticket- default is 10 hours (the TGT lifetime)
Maximum Lifetime For User Ticket Renewal- default is 7 days
Maximum Tolerance For Computer Clock Synchronization- default is 5 minutes; a client whose clock differs from the DC’s by more than this fails Kerberos authentication.
Loopback Processing Mode
· GPO setting that is intended to keep the configuration of the computer the same regardless of who logs on, e.g. on terminal servers and kiosks: the User Configuration settings of the GPOs that apply to the computer are applied to every user who logs on.
· Is located in Computer Configuration\Administrative Templates\System\Group Policy.
· Can be set to one of 3 settings:
· Merge- the user’s own GPOs are applied first, then the User Configuration settings of the computer’s GPOs, so the computer’s settings take precedence where they conflict
· Not configured
· Replace- only the User Configuration settings of the computer’s GPOs are applied; the user’s own GPOs are ignored.
Using Loopback Processing to Configure User Settings: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
Software Deployment via GPO- Software Installation Extension
Assign – can be assigned under User Configuration or Computer Configuration
If assigned under Computer Configuration, the application is installed when the computer starts up, before anyone logs on
If assigned under User Configuration, the application is advertised (Start menu shortcut and file associations) and installed when the user clicks the shortcut or opens a file of that type.
Publish- only possible under User Configuration
The application is listed in Add/Remove Programs, where the user can install it; it can also be installed by document activation.
Windows Installer Packages- contain the instructions for installing a program. There are 2 types of packages:
Native Windows Installer Package (.msi) file
Repackaged application (.msi) file
Transforms (.mst) files are used to customize the installation of an application.
Patch (.msp) files are used to update an existing .msi installation.
RADIUS-Remote Authentication Dial In User Service
RAID 0 (striped volume)- two or more disks, no fault tolerance
RAID 1 (mirrored volume)- two disks
RAID 5 (striped volume with parity)- at least 3 disks, up to 32; one disk’s worth of space holds parity
Terms:
Importing- when physically moving a disk or disks to another server, you need to IMPORT the disks because they are considered foreign.
Reactivate- used when an existing disk was temporarily unavailable and you want to bring it back online.
Repair- run when a RAID array loses a disk due to failure or corruption, but the disk is not replaced. The volume is repaired onto free space on another existing disk.
Initializing- when a new disk is added to a computer. This process writes the MBR and a disk signature.
Check “Enable IP routing” on the IP tab of the RRAS server if you want remote access clients to reach the entire network; clear it if they should reach only the RRAS server itself.
If “Enable IP routing” is cleared, dial-in clients will not have access to resources on the network beyond the RRAS server.
RRAS Authorization Process:
The connection attempt is compared with the conditions of the first policy. If all conditions are met, the remote access permission is checked in Active Directory (the Dial-in tab of the user or computer account).
If the permission is to allow access, the settings of the policy profile and of the user or computer account in AD are applied.
If the permission is to deny access, the connection is dropped.
If the connection attempt does not match all of the policy’s conditions, the next policy is processed.
If the connection attempt does not match any remote access policy, the connection is dropped.
You can set remote access permission on user or computer accounts in Active Directory Users and Computers (Dial-in tab: Allow access, Deny access, or Control access through Remote Access Policy; the last option is only available at the Windows 2000 native domain functional level or higher).
Policies- when there are several policies, the first one whose conditions are all met is applied and the rest are ignored. If the user’s account is set explicitly to allow or deny remote access, the policy’s permission setting is ignored, but the policy’s profile is still applied.
A policy has to have at least one condition.
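The evaluation order above in code, as an added example (not from the study notes and not RRAS or IAS code): an ordered list of policies, first match wins, the account's Dial-in setting overriding the policy's permission, the profile still applied (and still able to reject the connection, here through its allowed authentication methods), and no match meaning the connection is dropped. The policies, accounts and connection attempts are constructed sample data.

```python
"""Remote access policy evaluation order.

Added example, not from the study notes or from RRAS/IAS.  Policies,
accounts and connection attempts are constructed sample data.
"""

ALLOW, DENY, THROUGH_POLICY = "Allow", "Deny", "Control access through policy"


def value_matches(attempt_value, allowed):
    """A condition holds when the attempt's value is one of the listed values.
    Multi-valued attributes such as Windows-Groups hold if any value is listed."""
    if isinstance(attempt_value, (set, frozenset, list, tuple)):
        return any(v in allowed for v in attempt_value)
    return attempt_value in allowed


def conditions_match(policy, attempt):
    if not policy["conditions"]:
        raise ValueError(f"policy {policy['name']!r} has no condition")
    return all(value_matches(attempt.get(attr), allowed)
               for attr, allowed in policy["conditions"].items())


def evaluate(attempt, account, policies):
    """Return (decision, name of the deciding policy, profile) for a connection attempt."""
    for policy in policies:
        if not conditions_match(policy, attempt):
            continue                                        # next policy in the list
        dial_in = account.get("dial_in", THROUGH_POLICY)
        # An explicit Allow/Deny on the account wins over the policy's permission.
        permission = dial_in if dial_in in (ALLOW, DENY) else policy["permission"]
        if permission == DENY:
            return DENY, policy["name"], None
        profile = policy["profile"]
        if attempt.get("auth") not in profile["auth_methods"]:   # profile constraints still apply
            return DENY, policy["name"], profile
        return ALLOW, policy["name"], profile
    return DENY, None, None                                     # nothing matched: dropped


# Constructed policies, in the order they would appear in the RRAS console.
POLICIES = [
    {"name": "Block contractors",
     "conditions": {"groups": {"Contractors"}},
     "permission": DENY,
     "profile": {"auth_methods": {"MS-CHAP v2"}}},
    {"name": "VPN staff, business hours",
     "conditions": {"groups": {"VPN Users"}, "port_type": {"Virtual (VPN)"},
                    "hour": set(range(7, 20))},
     "permission": ALLOW,
     "profile": {"auth_methods": {"MS-CHAP v2", "EAP-TLS"}, "idle_timeout_min": 30}},
    {"name": "Dial-in admins",
     "conditions": {"groups": {"Domain Admins"}, "port_type": {"Async (Modem)"}},
     "permission": ALLOW,
     "profile": {"auth_methods": {"EAP-TLS"}}},
]


def vpn_attempt(groups, hour, auth="MS-CHAP v2", port_type="Virtual (VPN)"):
    """Attributes RRAS would see for one connection attempt (constructed)."""
    return {"groups": set(groups), "hour": hour, "port_type": port_type, "auth": auth}


if __name__ == "__main__":
    print(evaluate(vpn_attempt({"VPN Users"}, 9), {}, POLICIES))
    print(evaluate(vpn_attempt({"VPN Users"}, 22), {}, POLICIES))
    print(evaluate(vpn_attempt({"VPN Users", "Contractors"}, 9), {"dial_in": ALLOW}, POLICIES))
```

The third call is the case the notes warn about: a contractor whose account is set to Allow access gets in even though the first matching policy says Deny, and it is that Deny policy's profile that is applied. Order the deny policies first and leave accounts on "Control access through Remote Access Policy" unless an exception is intended.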
Authentication protocols for validating a PPP connection
MS-CHAP v2- mutual (2-way) authentication; supports MPPE data encryption and never sends the password in the clear. Windows 98 machines must install SP1 to support it.
MS-CHAP- one-way authentication protocol. The server authenticates the client but the client does not authenticate the server. Supports MPPE data encryption.
EAP- extensible framework; the EAP type that supports smart cards is EAP-TLS.
EAP-MD5- challenge/response with a password; no certificates and no encryption keys.
EAP-TLS- only available for members of a domain; a workgroup or stand-alone computer will not work. Certificate based. The only authentication that works with smart cards. The strongest authentication.
EAP-RADIUS- the EAP messages are passed through to a RADIUS (IAS) server rather than evaluated by RRAS itself.
SPAP- doesn’t provide encryption of connection data (reversible password scheme for Shiva clients).
CHAP- doesn’t provide encryption of connection data; requires passwords stored with reversible encryption.
PAP- password sent in clear text; doesn’t provide encryption of connection data.
[Screenshot of NAT/Basic Firewall not reproduced]
DHCP
Common and Uncommon Options
003 Router- used to configure the default gateway
006 DNS Servers- provides clients with DNS servers for name resolution.
015 DNS Domain Name- provides clients with the domain name that should be appended to unqualified host names before those names are submitted to a DNS server
252 WPAD- Web Proxy Auto Detect allows a computer to detect the local ISA (proxy) server.
DHCP Relay Agent- relays DHCP packets between different subnets.
Listens for DHCPDiscover broadcasts and forwards them as unicast to the configured DHCP servers.
Installed under IP Routing in RRAS, therefore can only be installed on a server and not on XP.
A router that is RFC 1542 compliant (BOOTP forwarding) also acts as a relay agent between different subnets.
If a Windows 2003 DHCP server that is not a member of a domain detects an authorized 2003 DHCP server that is a member of a domain, the stand-alone server stops providing IP addresses (rogue DHCP detection). NT will not do this.
Reservation options override class options, which override scope options, which override server options.
Only the MAC address can be changed in a DHCP reservation. If you want to change the IP address, the reservation needs to be deleted and re-created.
If a DHCP server goes down and the client leases expire, the clients assign themselves an APIPA address in 169.254.0.0/16. They will be able to communicate with other XP, 2000, 98 and 2003 machines that also fell back to APIPA, but not with computers and servers that were assigned addresses statically on the real subnet.
Performance Monitor
Processor\% processor time – acceptable is less than 85%
Physical Disk: Current Disk Queue Length –less than the number of spindles +2
Physical Disk: % disk time- should be at or below 50%
Avg. disk queue length- 2 to 3 is good
Memory: Available Mbytes-should be at or above 5% of total system memory. So 512 MB of RAM should have 25MB or above available.
Memory: Page Faults/sec- should be below 5.
Memory: Pages/sec- should be between 0 and 20.
Counter Log-to gather performance data
The preferred method to gather data is SQL in an enterprise environment.
The file is saved in HTM format.
Trace Log-gathers info about system events
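The thresholds above are easy to misapply when reading a long counter log by eye. The following is an added example (not part of the original notes) that parses a counter log in the CSV layout PerfMon and typeperf produce and flags the samples that breach the page's rules of thumb. The log text, host name SRV1, the 512 MB of RAM and the single-spindle disk are all constructed assumptions.

```python
import csv
import io

# Constructed sample log in the PDH-CSV layout used by PerfMon/typeperf:
# first column is the timestamp, remaining columns are full counter paths.
SAMPLE_LOG = r'''"(PDH-CSV 4.0)","\\SRV1\Processor(_Total)\% Processor Time","\\SRV1\PhysicalDisk(_Total)\Current Disk Queue Length","\\SRV1\PhysicalDisk(_Total)\% Disk Time","\\SRV1\Memory\Available MBytes","\\SRV1\Memory\Pages/sec"
"08/26/2006 10:00:00.000","42.1","1","31.5","180","4.2"
"08/26/2006 10:00:15.000","91.7","4","77.0","19","38.9"
'''


def counter_name(path):
    """Strip the \\HOST prefix: '\\SRV1\Memory\Pages/sec' -> 'Memory\Pages/sec'."""
    return "\\".join(path.strip("\\").split("\\")[1:])


def evaluate_sample(sample, total_mem_mb, spindles):
    """Return the counters in one sample that fall outside the guidelines above."""
    rules = {
        "Processor(_Total)\\% Processor Time": lambda v: v < 85,
        "PhysicalDisk(_Total)\\Current Disk Queue Length": lambda v: v < spindles + 2,
        "PhysicalDisk(_Total)\\% Disk Time": lambda v: v <= 50,
        "PhysicalDisk(_Total)\\Avg. Disk Queue Length": lambda v: v <= 3,
        # Available MBytes should stay at or above 5% of physical memory.
        "Memory\\Available MBytes": lambda v: v >= 0.05 * total_mem_mb,
        "Memory\\Page Faults/sec": lambda v: v < 5,
        "Memory\\Pages/sec": lambda v: 0 <= v <= 20,
    }
    return [name for name, ok in rules.items()
            if name in sample and not ok(sample[name])]


def analyze_log(text, total_mem_mb, spindles):
    """Parse a PDH-CSV counter log; return (timestamp, [breached counters]) per row."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    names = [counter_name(h) for h in header[1:]]
    results = []
    for row in reader:
        if len(row) != len(header):
            continue  # skip truncated rows (a log cut off mid-write)
        sample = {n: float(v) for n, v in zip(names, row[1:])}
        results.append((row[0], evaluate_sample(sample, total_mem_mb, spindles)))
    return results


if __name__ == "__main__":
    for stamp, breaches in analyze_log(SAMPLE_LOG, total_mem_mb=512, spindles=1):
        print(stamp, "OK" if not breaches else breaches)
```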
Network Monitor
Can only be used to analyze packets in and out of the computer from where it is running.
Capture filters-filters only packets that you selected during capture.
Dedicated Capture Mode- uses less resources, does not display or refresh capture statistics.
Display filters- are used after you stop capturing. You can display only the type of packets (HTTP, FTP, etc.) you want to view.
The difference between the two filters is that the capture filter is applied during the capture process and the display filter after the capture process.
IAS- Internet Authentication Service- provides a centralized method to monitor and control RAS and dial-up services using RADIUS standards.
ICS- Internet Connection Sharing
Provides networked computers with the ability to share a single internet connection.
Installs a DHCP service that provides 192.168.0.x.
Host computer will get 192.168.0.1 address.
Server Cluster- fault tolerant configuration where shared storage devices are used such as Direct Attached Storage. The other server(s) are held as a hot standby in case the live server goes down.
NLB-Network Load Balancing cluster. Fault tolerant configuration of multiple servers
NAT-Network Address Translation
Maps a set of private addresses to a set of public addresses.
Services
Secondary Logon-enables a user to use the runas command
Net Logon- used to authenticate and verify login requests onto a domain. First queries the DNS server for which it is configured for a DC. On a domain controller, this service is responsible for registering its SRV records with the DNS server.
Server service-responsible for access to shared folders and printers.
MS Windows Authentication Levels
LAN Manager- lowest authentication level. Considered insecure.
NTLMv1- next step above LAN Manager. Considered insecure.
NTLMv2- most secure of the LAN Manager/NTLM family of Windows authentication protocols. Computers in workgroup mode use this.
Kerberos-Most secure and the industry standard. XP, 2003 and 2000 will use this when communicating with AD.
Workstations and server must have the same time within 5 minutes.
PEAP-used for wireless
Is an enhancement of Extensible Authentication Protocol (EAP).
Digital certificate needs to be installed on the authenticating server.
Server Message Block protocol is used for file and print sharing. To prevent “man in the middle attacks” that modify SMB packets in transit, the SMB protocol supports digital signing of SMB packets.
Event Viewer
By default each log is limited to 16 MB and is set to overwrite events as needed.
Has a Find and Filter feature.
If tracking domain login events, the events get logged on the server that has granted access.
Can only save the .evt files to the local hard drive. CANNOT save over the network.
Power User
Local account on a computer that has privileges below administrator.
To Administer a Domain from a Workstation
You can browse to the Windows 2003 server: c:\windows\system32 folder and install adminpak.msi. The Active Directory Users and Computers console will be installed.
Do not be confused with MS test questions that mention the dsa.msc command, which will open the AD Users and Computers, but only on computers where it is already installed.
You cannot use the RUN command and add the mmc console for AD Users and Computers from an XP machine.
User Profiles
Default User Profile- used for a starting point for any new user. When a user logs on for the first time, Windows creates a new folder to store the new user’s profile and copies the default profile into that new folder. Changes that the user makes to the default profile are then recorded in the user’s copy. The default user profile is hidden by default.
All Users profile- each user’s Start Menu and Desktop contain all of the items from the All Users profile as well as his own. Items within the All Users can be seen by all users on the system. If an item such as a shortcut is deleted from this folder then it is deleted from all profiles.
Subnetting
Formula to determine the number of subnets is 2^n, where n is the number of bits that are borrowed from the host portion of the address.
Formula to determine the number of hosts that can exist on a subnet is 2^n - 2, where n is the number of bits remaining in the host portion of the address.
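The two formulas applied to a concrete network, as an added example that is not part of the original notes. It goes slightly beyond the text by also listing each resulting subnet with its first and last usable host; the 192.168.1.0/24 network and the number of borrowed bits are constructed inputs.

```python
import ipaddress


def subnet_counts(borrowed_bits, host_bits_remaining):
    """Apply the page's formulas: 2^n subnets, 2^n - 2 usable hosts per subnet.
    With 0 or 1 host bits left the formula goes to zero or negative, so clamp
    usable hosts at 0 (no room for a network and a broadcast address)."""
    subnets = 2 ** borrowed_bits
    usable_hosts = max(2 ** host_bits_remaining - 2, 0)
    return subnets, usable_hosts


def split_network(network, borrowed_bits):
    """Borrow bits from the host portion of `network` and enumerate the subnets.
    Returns (subnet, first usable host, last usable host, usable host count)."""
    net = ipaddress.ip_network(network, strict=False)
    new_prefix = net.prefixlen + borrowed_bits
    if new_prefix > net.max_prefixlen:
        raise ValueError("cannot borrow more bits than the host portion has")
    host_bits = net.max_prefixlen - new_prefix
    expected_subnets, usable = subnet_counts(borrowed_bits, host_bits)
    subnets = list(net.subnets(new_prefix=new_prefix))
    # The 2^n formula and the enumerated subnets must agree.
    assert len(subnets) == expected_subnets
    result = []
    for s in subnets:
        first = str(s.network_address + 1) if usable else None
        last = str(s.broadcast_address - 1) if usable else None
        result.append((str(s), first, last, usable))
    return result


if __name__ == "__main__":
    # Borrow 2 bits from a /24: 2^2 = 4 subnets, 2^6 - 2 = 62 hosts each.
    for entry in split_network("192.168.1.0/24", 2):
        print(entry)
```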
Windows 2003 Administrative Tools
Can be installed
Operational Master Roles (FSMO- flexible single master operations)
Schema master- one schema master in the forest.
Domain naming master- one domain master in the forest. Controls the addition or removal of domains in the forest.
Infrastructure master-updates references from objects in its domain to objects in other domains
Relative ID master-
PDC emulator- advertises itself as the primary domain controller to workstations and servers that run earlier versions of Windows. Handles time and password discrepancies.
MBSA-Microsoft Baseline Security Analyzer- by default attempts to connect to the MS download center website for the most recent version of mssecure.cab. From that file it extracts mssecure.xml.
Misc.
In a scenario where you are running out of disk space on one drive but have ample space on another, you can mount the drive with space to a folder on the low-space drive. You would then move data to that folder. You cannot mount a drive to another drive or the root of another drive, only to folders.
A basic volume cannot be extended, only dynamic.
You can convert a basic to dynamic and then extend to another drive.
Things to be added:
Event viewer
Performance monitor
Look at Zone Replication scopes (DNS)
RAID
DHCP Relay agent
Addendum 08\26\06
Links
Dave's Notes for Exam 70-292 http://www.lilligren.com/mcse/2003/dave_70-292.htm
70-292 Exam Study Notes