Microsoft Exam 70-292-Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000

 

This exam retired on March 31, 2008.

 

Main focus of the test:

·        DNS

·        Terminal Services

·        SUS

·        Disaster Recovery

·        ASR

·        Backups

·        System State

·        Shadow Copies

·        Index

 

Windows 2003 Features

·        Standard Edition

o       4 GB RAM

o       Up to 4 CPUs

o       No cluster support

o       No 64-bit support

o       No support for Itanium-based systems

·        Enterprise Edition

o       Up to 32 GB RAM (x86) and 64 GB RAM for Itanium

o       Up to 8 CPUs

o       8-node clusters

o       64-bit support

·        Datacenter Edition

o       Up to 64 GB RAM (x86) and 512 GB RAM for Itanium

o       Minimum 8 CPUs; up to 32 CPUs (x86) and 64 CPUs for Itanium

o       8-node clusters

o       64-bit supported

o       Always pre-installed on OEM systems

·        Web Edition

o       Up to 2 GB RAM

o       Up to 2 CPUs

o       Cannot be a domain controller

o       No 64-bit support

o       Limited to 10 inbound SMB connections

o       CALs are not required, since it is not used as a file or print server

Installing and Upgrading To Windows 2003 Server

 

·        If upgrading from Windows NT 4.0, the server must first be updated to Service Pack 5 or later.

·        Upgrading directly from NT 3.51 is not possible; upgrade to NT 4 first.

·        Before upgrading, run the Microsoft Windows Upgrade Advisor tool from the Win2003 CD to see whether there are any software or hardware issues.

·        The Hardware Compatibility List (HCL) can be found online at http://www.microsoft.com/whdc/hcl/default.mspx

·        To test software, run the Program Compatibility Wizard, opened by typing at the Run command: hcp://system/compatctr/compatmode.htm

·        Before adding a Windows Server 2003 domain controller to a Windows 2000 domain, run adprep /forestprep on the DC holding the schema master role, then adprep /domainprep on the DC holding the infrastructure master role, to prepare the Windows 2000 forest and domain for 2003.

 

DNS

 

Recursive query: the DNS server resolves the name on behalf of the client, querying other servers as needed and returning the final answer.

Iterative query: the DNS server answers with the best information it has, which may be a referral to other DNS servers that might be able to answer.

·        4 types of DNS servers

·        primary

·        secondary

·        AD integrated

·        Caching only

·        3 Types of Zones

·        Primary

·        Secondary

·        Stub

·        One primary server is designated for each zone and is authoritative for that zone.

·        Secondary servers are authoritative. 

·        Creating your first zone installs a primary server

·        Primary server hosts the DNS database and is in contact with the secondary servers

·        The refresh interval is how often a secondary server checks the primary's SOA serial number.  It does not affect Active Directory-integrated zones, which use AD replication instead.

·        If the primary's serial number is higher than the secondary's, the secondary pulls a copy of the changes into its read-only copy of the zone.

·        A zone created by DCPromo is AD-integrated with dynamic updates set to Secure only; that is the default you get when DNS is installed during promotion.

·        Secure dynamic updates are supported only by AD-integrated zones.

·        BIND 8.1.2 or later supports standard dynamic update (RFC 2136); it does not support Windows secure dynamic update, which requires an AD-integrated zone.

·        Windows 98 and NT clients do not register themselves dynamically; the DHCP server must be configured to register records on their behalf.

·        Windows 2000 Server and Server 2003 DNS support incremental zone transfers (IXFR); NT 4 DNS supports only full transfers (AXFR).

·        Active Directory-integrated zones are always primary zones: every DNS server on a DC that holds the zone has a writable copy, because the zone data lives in AD and is kept consistent by AD replication rather than by zone transfers.

·        Because AD-integrated zones replicate through AD, no DNS notify messages are needed between the DCs that host them (notify and zone transfers are still used if you add conventional secondary servers).

·        To increase fault tolerance of an AD-integrated zone, install DNS on a second domain controller.

·        If there are A records for more than one IP address for one host name, the list can be ordered by subnet proximity: the server does this with netmask ordering, and the Windows 2000/XP resolver on the client applies its own subnet prioritization to the answer it receives.

·        Ways to install DNS:

·        During install of Server 2003

·        Add\Remove Windows Components in Control Panel

·        During DCPromo.

·        Configure Your Server Wizard in Administrative Tools

·        Manage Your Server Wizard in Administrative Tools

·        Primary servers with Notify enabled (Zone Transfers tab in the properties of the zone) tell the listed secondary servers immediately when there is a change; otherwise the secondary servers poll the primary at each Refresh Interval found on the Start of Authority (SOA) tab.

·        A zone transfer is requested from the secondary (right-click the zone on the secondary and choose Transfer from Master); you cannot push one from the primary.

·        If the primary goes down, the secondary keeps answering for the zone until the SOA Expires After interval runs out (default 1 day), after which it stops answering authoritatively.

·        The cache.dns file is also referred to as the root hints file.

·        If you install a DNS server where there are no other DNS servers and no internet connection, setup automatically creates a root (".") zone, making the server a root server.  Once you have internet access, delete the "." zone and configure the forwarders provided by the ISP.

·        A root server is the ultimate authority for all name resolution.

·        A server that hosts the root zone cannot use root hints or forwarders, because it IS the ultimate authority for name resolution.

·        If the server hosts the root zone, the root hints are not used and the Root Hints tab in the server properties is unavailable.

·        nslookup does a reverse lookup of the DNS server's IP address when it starts; without a reverse lookup zone (PTR record) it reports that it cannot find the server name, although queries still work.

·        DNS administration can be accomplished thru the command line using dnscmd.

·        WINS- data from a WINS server gets stored in the DNS cache on a DNS server.

·        IPCONFIG /flushdns command run from a DNS server will not remove the DNS cache.  Only works for DNS clients.  Use the “clear cache” from the DNS server context menu.

·        Stopping and starting the DNS server will also clear the cache.

·        3 ways to clear the DNS servers cache

·        restart DNS server service

·        Right click on server and select “Clear Cache”

·        Command line: dnscmd /clearcache

·        Can only view the cache thru the DNS console by selecting Advanced under View.  This will create a folder called “ Cached Lookups” under the server.

·        Reloading a zone will reload the data stored in the zone file into the cache BUT the cache is not cleared.

·        Active Directory-integrated zones are replicated with AD rather than by zone transfers.

·        Can use replmon.exe (Support Tools) to force Active Directory replication, which carries the AD-integrated zone data with it.

·        A record registered dynamically (for example by a client with a DHCP reservation, or by the DHCP server on its behalf) gets a non-zero timestamp, so it is refreshed periodically and can be scavenged when stale.

·        A record created manually (static) has a timestamp of zero, so it is never scavenged.

·        NS record-advertises the server name that is authoritative for a domain.  example:    server1           domain.com

·        A glue record( A record) is needed to accompany an NS record to state it’s IP address.  Example:  server1    192.168.1.1

·        CNAME records are an alias that points to the canonical (A record) name of one computer.  They cannot be used for round robin.

·        Service Location (SRV) resource records: Active Directory uses them to advertise domain controllers.  Clients look for these records to find a DC.  The record also carries the port of the service.

·        DNS debug logging is enabled per server (Debug Logging tab of the server properties), not per zone.  It is resource intensive, so it is disabled by default.

·        Dynamic DNS update triggers

·        When a computer is turned on

·        IP address lease changes or renews

·        IP address is changed or modified in the TCP/IP properties of the client.

·        Member server promoted to domain controller

·        IPCONFIG /registerdns

·        Delegation (delegating zones) refers to assigning authority over portions of your DNS namespace to subdomains within the namespace.

§         the parent domain must have an A(glue record) and NS(delegation record) records pointing to the authoritative server of the newly delegated domain. 

§         Delegations take precedence over forwarding

§         Right click the parent zone and select the New Delegation Wizard

§         Need to enter the sub-domain  and the name of at least one name server that will be authoritative. 

·        Conditional Forwarding- handles name resolution only for a specific domain

·        Has to be entered manually in the DNS server’s forwarders tab.

·        Could slow name resolution if there are too many entries

·        When to use conditional  forwarding-

·        Suitable for fixed DNS infrastructure

·        Simpler to set up than stub zones

 

·        Stub Zones- contains SOA record, NS record, and A record(glue record) of name servers authoritative for specified zone.

·        kept current automatically: the stub zone periodically queries the master servers and refreshes its list of name servers for that zone,

·        read-only

·        does not provide redundancy like Secondary zones

·        similar to secondary zones, but contains only three records(secondary is a copy of primary and contains all records)

·        When to use stub zones-

·        In a DNS infrastructure that is changing or could change.

·        Efficient over slow WAN links

·        A little more complex than conditional forwarders

 

·        Caching only server-

·        does not contain zone info or a zone database

·        contains info based on the results of queries that it has already performed.

·        Learns from forwarders that are set up on the cache server’s properties.

·        Not authoritative.

·        The cache takes place of the zone database

·        Can be setup quickly

·        Uses the cache.dns(root hints) file to begin

·        Adds to the cache as it issues iterative queries when responding to client requests.

·        Advantages of:

·        They do not participate in zone transfers so no transfer traffic.

·        They can be placed on the far side of a slow WAN link at a satellite office and provide host name resolution for remote offices that do not require a high level of host name resolution support.

·        Well suited for branch offices where setting up a new domain or subnet is not feasible.

·        They can provide secure host name resolution when configured as forwarders

·        Needs little administration, because it holds no zones

·        Restarting the service clears the cache, which must then be rebuilt from scratch

·        The cache must be built over time, so there will be an increase in traffic at first.

·        TTL tells the cache only server how long to hold the record

 

 

·        DNS Zone Properties

·        General tab

·        Status of the zone (running or paused)

·        Type of zone (AD integrated, Primary, etc.)

·        Dynamic updates setting (Secure only, Nonsecure and secure, None)

·        Aging/Scavenging

·        SOA tab

·        Refresh interval: default 15 minutes.  How often a secondary server checks the primary's serial number; if the serial is higher, the secondary requests a zone transfer.  Because the SOA record is part of the zone, the value set on the primary is the one the secondaries of that zone use.

·        Retry interval: default 10 minutes.  How long a secondary waits before retrying after a failed refresh attempt.

·        Expires after: default 1 day.  How long a secondary keeps answering for the zone without a successful refresh; after this it discards the zone data as too old.

·        Minimum (default) TTL: default 1 hour.  How long other servers and resolvers may cache records from this zone before they must query again.

·              Name Servers tab-fully qualified domain name (FQDN) of the name server with options to edit , remove and add.

 

·              Wins tab- to enable WINS forward lookup servers for down level clients

·              Zone Transfers tab- you can setup a secondary server that the primary will send updates whenever they are available.  The Notify button is used for this purpose.

 

 

 

·              DNS Server Properties:

 

 

 

 

·              Advanced tab-

·        Disable recursion (also disables forwarders): off by default.  When enabled the server answers only from its own zones and cache and otherwise returns referrals, so clients must perform their own iterative queries; the server cannot use forwarders.

·        BIND secondaries: on by default.  Turns off the fast zone transfer format (compressed, many records per message) so that secondaries running BIND versions earlier than 4.9.4 can receive zone transfers from 2000/2003 servers.  Clear it if all secondaries are Windows or a current BIND.

·        Fail on load if bad zone data: off by default.  As a result, the DNS server loads a zone even though it knows there is an error in it, and just logs the error.

·        Enable round robin: balances load by rotating the address list for each subsequent request.  Example: server1 is mapped to 3 IP addresses; the first client gets the first address listed first, the second client gets the second address first, and so on.

This also works for a website: if one server is overloaded with hits, add two or three more servers with different IP addresses, each with an A record named WWW.

CNAME records cannot be used for round robin.

·        Enable netmask ordering (also called LocalNetPriority): orders the list of IP addresses for a name with multiple addresses so that addresses on the same subnet as the requesting client come first.  Example: server1 is mapped to three IP addresses; the client is directed first to the one closest to its subnet.  When both are enabled, netmask ordering is applied before round robin.

·        Secure cache against pollution: when disabled, every record in a response (the A record of the website and any NS or additional records) is cached.  When enabled the server ignores records in a response for names that are not under the domain it asked about, so a response for one domain cannot plant a bogus A record for another domain in the cache; the server must query for that name itself.
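An added example (not part of the original notes) that models the two ordering options above. It assumes constructed A records and a constructed client address; the /24 prefix stands in for the Server 2003 LocalNetPriorityNetMask default. It is a model of the behaviour, not the DNS server's code: it rotates the on-subnet and off-subnet groups separately so that round robin never undoes netmask ordering.

```powershell
# Added example, not from the exam notes: a model of how a Windows DNS server
# orders multiple A records for one name when "Enable netmask ordering"
# (LocalNetPriority) and "Enable round robin" are both on. The records and the
# client address below are constructed sample data.

# Dotted IPv4 string -> unsigned 32-bit value, using arithmetic so it runs on
# PowerShell 2.0 (no -shl/-shr operators).
function ConvertTo-AddressValue {
    param([string]$Address)
    $value = 0.0
    foreach ($octet in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $value = $value * 256 + $octet
    }
    return [uint32]$value
}

# Network number of an address for a given prefix length (floor division
# instead of a bit mask, for the same PowerShell 2.0 reason).
function Get-NetworkNumber {
    param([string]$Address, [int]$PrefixLength)
    $divisor = [math]::Pow(2, 32 - $PrefixLength)
    return [math]::Floor((ConvertTo-AddressValue $Address) / $divisor)
}

# Round robin: rotate a list by the number of queries already answered.
function Get-RotatedList {
    param([string[]]$Items, [int]$Shift)
    if ($Items.Count -le 1) { return ,$Items }
    $k = $Shift % $Items.Count
    if ($k -eq 0) { return ,$Items }
    # @() on both slices keeps single-element slices as arrays, not strings
    return ,([string[]](@($Items[$k..($Items.Count - 1)]) + @($Items[0..($k - 1)])))
}

function Get-OrderedAnswers {
    param(
        [string]$ClientAddress,
        [string[]]$Addresses,            # A records for one host name, in zone order
        [int]$QueryNumber,               # queries already answered for this name
        [int]$PrefixLength = 24,         # assumed: the 2003 LocalNetPriorityNetMask default
        [bool]$NetmaskOrdering = $true,
        [bool]$RoundRobin = $true
    )
    $clientNet = Get-NetworkNumber $ClientAddress $PrefixLength
    $near = @(); $far = @()
    foreach ($a in $Addresses) {
        if ($NetmaskOrdering -and (Get-NetworkNumber $a $PrefixLength) -eq $clientNet) { $near += $a }
        else { $far += $a }
    }
    if ($RoundRobin) {
        # Rotate each group on its own so netmask ordering is never undone.
        $near = @(Get-RotatedList $near $QueryNumber)
        $far  = @(Get-RotatedList $far  $QueryNumber)
    }
    return ,([string[]]($near + $far))
}

# Constructed zone data: www has four A records, two of them on the client's /24.
$records = @("10.1.1.10", "10.1.2.10", "10.1.1.11", "192.168.5.10")
$client  = "10.1.1.50"
foreach ($n in 0..3) {
    $order = Get-OrderedAnswers -ClientAddress $client -Addresses $records -QueryNumber $n
    "query {0}: {1}" -f $n, ($order -join ", ")
}
"netmask ordering off, round robin only: " + ((Get-OrderedAnswers $client $records 1 24 $false $true) -join ", ")
```

The first two queries show 10.1.1.10 and 10.1.1.11 swapping places at the head of the list while the off-subnet addresses rotate behind them; the last line shows what clients get when only round robin is on, where a remote address can come first.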

 


 

 

·                    DNS Server Properties (right click on dns server)

 

 

·        Create Default Application Directory Partitions: creates the DomainDnsZones and ForestDnsZones application partitions, which replicate AD-integrated zone data only to the DCs that run DNS instead of to every DC in the domain.

·        Set Aging/Scavenging for All Zones: configure the no-refresh and refresh intervals for resource records.

·        Scavenge Stale Resource Records: use this option to manually remove old, outdated resource records now.

·        Update Server Data Files: writes the in-memory changes of file-based zones to their zone files on disk (%systemroot%\system32\dns).

 

 

 

·        Satellite office and name resolution questions- 2 offices connected by a WAN connection

·        A Primary zone server at one location and secondary zone at the other will increase traffic substantially because of zone transfers.

·        Not placing any DNS server at the satellite office will be a problem if the WAN connection goes down.

·        Two AD-integrated DNS servers (one per office): traffic increase due to AD replication rather than zone transfers

·        Caching only server is recommended

·        Stub zone will minimize traffic and good for changing environments.

·        conditional forwarding will minimize traffic but requires a static environment.

 

 

           

Groups

            Group Scopes

Universal-

·        Used for assigning permissions throughout entire forest. 

·        Can only be used when the domain functional level is set to Windows 2000 native or 2003.

·        Replicated to every global catalog in the entire forest.

·        Can be changed to a domain local group at any time.

·        Can be changed to a global group only if it does not have other universal groups as its members.

·        Can contain :

·        Users

·        Global groups

·        Other universal groups

·        But NOT Domain local

·        GUU

 

Global-

·        In Mixed Mode-can ONLY add user accounts from the same domain

·        In Native and 2003 Mode-contain user accounts and other Global groups ONLY from the same domain in which the global group is located.

·        Can be assigned permissions of resources in any domain in the forest.

·        Cannot contain universal or domain local groups.

·        GU

 

Domain Local-

·        can contain:

·        user accounts,

·        universal groups,

·        global groups from any domain.

·        Other domain local groups within domain

·        GUUD 

·        only can be assigned permissions of resources in their own domain.

·        Can be changed to a universal group only if it does not have any other domain local groups as members

 

 

To get a full list of groups that a user is a members use the command:

                        dsget user <UserDN> -memberof -expand

                        The -expand option also lists the nested groups (the groups that contain the groups the user belongs to)

Group Types-

Security-Has a SID associated

 Distribution-No SID  and just for email.

            Can change the group type in Windows 2000 native and 2003 functional levels, but you have to be a member of Account Operators, Domain Admins or Enterprise Admins, or have delegated authority.

            Common practice is not to add user accounts to domain local groups but to Global groups and add global groups as members to Domain local groups

            Avoid assigning permissions directly to Global groups but to Domain Local groups.  Then add the Global group to the Domain local.

          Group Scope conversions can only occur in Windows 2000 Native and 2003 domain functional levels

                        Universal groups can be converted to Domain local anytime without restrictions

 

            Know the difference between group scopes and group types

            Know the difference between permissions and rights

                        Permissions grant access to files and folders

                        Rights grant abilities thru AD such as logging onto a computer.
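An added example (not part of the original notes) that turns the scope rules above into a checker and then expands nested membership the way dsget user -memberof -expand does. The domains, groups and users are constructed sample data held in memory; nothing touches Active Directory.

```powershell
# Added example, not from the exam notes: an in-memory model of group scopes that
# enforces the GUU / GU / GUUD nesting rules and then expands nested membership
# like "dsget user <DN> -memberof -expand". All principals are constructed.

$FunctionalLevel = "Windows2003"   # assumed; "Windows2000Mixed" tightens the rules

# Which member scopes each group scope may hold, and whether the member must be
# from the group's own domain.
$NestingRules = @{
    "Universal"   = @{ "User" = "AnyDomain";  "Global" = "AnyDomain";  "Universal" = "AnyDomain" }
    "Global"      = @{ "User" = "SameDomain"; "Global" = "SameDomain" }
    "DomainLocal" = @{ "User" = "AnyDomain";  "Global" = "AnyDomain";  "Universal" = "AnyDomain"; "DomainLocal" = "SameDomain" }
}

$Directory = @{}   # name -> principal; user accounts get Scope "User"

function Add-Principal {
    param([string]$Name, [string]$Domain, [string]$Scope)
    $Directory[$Name] = @{ Name = $Name; Domain = $Domain; Scope = $Scope; Members = @() }
}

function Test-GroupNesting {
    param([string]$GroupName, [string]$MemberName)
    $group = $Directory[$GroupName]; $member = $Directory[$MemberName]
    if ($FunctionalLevel -eq "Windows2000Mixed") {
        if ($group.Scope -eq "Universal") { return "denied: universal security groups need Windows 2000 native or 2003 level" }
        if ($group.Scope -eq "Global" -and $member.Scope -ne "User") { return "denied: in mixed mode a global group holds only user accounts" }
    }
    $rule = $NestingRules[$group.Scope][$member.Scope]
    if (-not $rule) { return "denied: a $($group.Scope) group cannot contain a $($member.Scope)" }
    if ($rule -eq "SameDomain" -and $group.Domain -ne $member.Domain) {
        return "denied: $($member.Scope) members of a $($group.Scope) group must come from $($group.Domain)"
    }
    return "allowed"
}

function Add-GroupMember {
    param([string]$GroupName, [string]$MemberName)
    $verdict = Test-GroupNesting $GroupName $MemberName
    if ($verdict -eq "allowed") { $Directory[$GroupName].Members += $MemberName }
    "{0} -> {1}: {2}" -f $MemberName, $GroupName, $verdict
}

# The -expand behaviour: every group that contains the principal, then every
# group that contains those groups, and so on (breadth-first, no repeats).
function Get-EffectiveGroups {
    param([string]$Name)
    $seen = @{}
    $queue = @($Name)
    while ($queue.Count -gt 0) {
        $current = $queue[0]
        $queue = @($queue | Select-Object -Skip 1)
        foreach ($g in $Directory.Values) {
            if ($g.Scope -ne "User" -and $g.Members -contains $current -and -not $seen.ContainsKey($g.Name)) {
                $seen[$g.Name] = $true
                $queue += $g.Name
            }
        }
    }
    return @($seen.Keys | Sort-Object)
}

# Constructed forest: corp.example and emea.example.
Add-Principal "alice"        "corp.example" "User"
Add-Principal "Sales-GG"     "corp.example" "Global"
Add-Principal "Sales-All-UG" "corp.example" "Universal"
Add-Principal "FileShare-DL" "emea.example" "DomainLocal"
Add-Principal "Emea-DL"      "emea.example" "DomainLocal"

Add-GroupMember "Sales-GG"     "alice"          # user from the same domain
Add-GroupMember "Sales-All-UG" "Sales-GG"       # universal holds a global from any domain
Add-GroupMember "FileShare-DL" "Sales-All-UG"   # the AGDLP chain across domains
Add-GroupMember "FileShare-DL" "Emea-DL"        # domain local from the same domain
Add-GroupMember "Sales-GG"     "Sales-All-UG"   # a global cannot hold a universal
Add-GroupMember "Sales-All-UG" "FileShare-DL"   # a universal cannot hold a domain local
"alice is effectively a member of: " + ((Get-EffectiveGroups "alice") -join ", ")
```

The last line reports the three groups alice reaches through nesting (Sales-GG directly, then Sales-All-UG, then FileShare-DL); Emea-DL is a member of FileShare-DL, not a container of it, so it does not appear.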

                       

Backups

 

  • Normal (full): all selected files are backed up and the archive bit is cleared (files are marked as backed up).  Does not use the archive attribute to decide what to back up.
  • Copy: all selected files are backed up and the archive bit is left alone.  Good for a one-off backup of files between normal and incremental backups without disturbing them.
  • Differential: backs up files and folders that have changed since the last normal or incremental backup; the archive bit is not cleared, so differentials are cumulative.  To restore you need the last normal backup and the last differential.
  • Incremental: backs up files and folders that have changed since the last normal or incremental backup; the archive bit is cleared.  To restore you need the last normal backup and every incremental since.
  • Daily: backs up only files changed on the day of the backup, judged by the modification date.  Does not use or clear the archive bit, so it does not affect the regular backup schedule.

Know the difference between daily and normal, incremental and differential
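An added example (not part of the original notes) that applies the archive-bit rules of the five backup types to real files, so the difference between daily, normal, incremental and differential can be watched rather than memorised. It creates a scratch folder with constructed sample files under %TEMP% and removes it at the end; nothing is written to tape.

```powershell
# Added example, not from the exam notes: a dry-run selector that applies each
# ntbackup type's archive-bit rule to real files. Sample files are constructed.

$Scratch = Join-Path $env:TEMP "backup-demo"
New-Item -ItemType Directory -Path $Scratch -Force | Out-Null

# FileInfo caches attributes, so refresh before reading them.
function Test-ArchiveBit {
    param([System.IO.FileInfo]$File)
    $File.Refresh()
    return (([int]$File.Attributes -band [int][System.IO.FileAttributes]::Archive) -ne 0)
}

function Clear-ArchiveBit {
    param([System.IO.FileInfo]$File)
    $File.Refresh()
    $File.Attributes = [System.IO.FileAttributes]([int]$File.Attributes -band (-bnot [int][System.IO.FileAttributes]::Archive))
}

# Returns the names a backup of the given type would pick, and clears the
# archive bit only for the types that do so (Normal and Incremental).
function Select-BackupFiles {
    param([string]$Type, [System.IO.FileInfo[]]$Files, [datetime]$Today = (Get-Date).Date)
    switch ($Type) {
        "Normal"       { $picked = $Files;                                              $clear = $true }
        "Copy"         { $picked = $Files;                                              $clear = $false }
        "Incremental"  { $picked = $Files | Where-Object { Test-ArchiveBit $_ };          $clear = $true }
        "Differential" { $picked = $Files | Where-Object { Test-ArchiveBit $_ };          $clear = $false }
        "Daily"        { $picked = $Files | Where-Object { $_.LastWriteTime.Date -eq $Today }; $clear = $false }
        default        { throw "unknown backup type: $Type" }
    }
    $picked = @($picked)
    if ($clear) { foreach ($f in $picked) { Clear-ArchiveBit $f } }
    return @($picked | ForEach-Object { $_.Name })
}

function Write-Selection {
    param([string]$Label, [string[]]$Names)
    $list = if ($Names.Count -gt 0) { $Names -join ", " } else { "(nothing)" }
    "{0,-34} {1}" -f $Label, $list
}

# Constructed files; a.txt is back-dated so Daily can tell it apart.
foreach ($name in "a.txt", "b.txt", "c.txt") { Set-Content -Path (Join-Path $Scratch $name) -Value "v1" }
(Get-Item (Join-Path $Scratch "a.txt")).LastWriteTime = (Get-Date).AddDays(-1)
$all = { Get-ChildItem $Scratch -Filter *.txt }

Write-Selection "Normal (clears bit)"             (Select-BackupFiles Normal (& $all))
Set-Content -Path (Join-Path $Scratch "b.txt") -Value "v2"
Write-Selection "Differential after b changed"    (Select-BackupFiles Differential (& $all))
Set-Content -Path (Join-Path $Scratch "c.txt") -Value "v2"
Write-Selection "Differential after c changed"    (Select-BackupFiles Differential (& $all))
Write-Selection "Incremental (clears bit)"        (Select-BackupFiles Incremental (& $all))
Write-Selection "Differential after incremental"  (Select-BackupFiles Differential (& $all))
Write-Selection "Daily (written today only)"      (Select-BackupFiles Daily (& $all))
Write-Selection "Copy (never clears)"             (Select-BackupFiles Copy (& $all))

Remove-Item $Scratch -Recurse -Force
```

The two Differential lines grow from b to b and c because nothing cleared the bit in between; the Incremental then empties the following Differential; Daily ignores the bit entirely and picks whatever was written today, so the back-dated a.txt drops out even though Copy still takes everything.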

 

 

  • To back up and restore on a local computer or server you must be one of the following:

·        local administrator 

·        backup operator

·        Owners of files

·        A user with the “Backup Files and Directories” right

  • If you are a domain admin or backup operator on the domain, you can backup and restore any file or folder locally on any computer in the domain.
  • Windows 2003 provides no restrictions to the backup sets, tapes or files, BUT the NTFS permissions are preserved on the tape for restoring purposes.
  • You can restrict access to a backup by selecting "Allow only the owner and the Administrator access to the backup data" in the Backup Job Information dialog box.  This is considered a secure tape.  In this case only the following can read or restore it:

·        The user who created the backup (the owner)

·        Members of the Administrators group

·        Backup Operators, and other users who only have the Backup Files and Directories right, cannot restore from a secured tape.

  • Authoritative restore: the restored objects marked as authoritative replicate out to the other DCs, overwriting their copies

·        First do a non-authoritative restore in Directory Services Restore Mode

·        Second: use NTDSUTIL at a command prompt.

o       Can use NTDSUTIL to just mark an OU for a authoritative restore.

  • Non-authoritative (also called normal) restore: does not replicate out to other DCs; instead the restored DC is brought up to date from the other DCs

·        Must be started in Directory Services Restore Mode

 

  • When Exchange 2003 is installed on a Win 2003 server, the backup utility is extended to support Exchange store backups
  • Volume Shadow Copy is enabled by default

 

System State  

  • The system state includes:

·        Boot and system files

·        Boot.ini

·        NTLDR

·        NTDetect.com

·        Registry

·        Com+ class registration database files

·        System files under windows file protection

·        Sysvol directory (domain controller)

·        Active Directory: the NTDS.dit database, in %systemroot%\NTDS by default.  Includes the AD-integrated DNS zone data if DNS is running on the DC.

·        Certificate services database ( if installed)

·        Cluster service information ( if within a cluster)

·        IIS metabase (if installed)

·        When you restore a system state to an alternate location only the following files get copied: 

·        system boot files

·        registry files

·        sysvol directory

·        cluster info

·        The following are NOT restored to an alternate location:

·        Active Directory –NTDS.dit

·        Certificate Services Database

·        Com + class registration database

·        Restoring a member server can be done with the Backup Utility in normal mode.

·        Restoring a Domain Controller

·        Press F8 during startup and choose Directory Services Restore Mode; log on with the DSRM password that you set during DCPROMO.

·        Directory Services Restore Mode (DSRM)

·        Takes the domain controller offline; it is not functioning as a domain controller while in this mode.

·        Can restore system state from here.

·        3 kinds of restores

·        Non-authoritative(normal)-after the restore, reboot server and let it replicate and update AD and Sysvol from other DC’s

·        Authoritative- will cause other DC’s to replicate from the restored server

·        First perform a non-authoritative restore, but do not restart the server. 

·        Open a command prompt and use ntdsutil to mark the database (or a subtree such as an OU) as authoritative

·        Primary Restore-used when all  or the only DC in a domain has failed

·        Must be restored in DSRM.
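An added example (not part of the original notes) giving the command-line form of the two procedures above: a system state backup with ntbackup.exe, and marking an OU authoritative with ntdsutil. The backup folder, job name and OU distinguished name are assumed for illustration. The backup function is meant to run on a live server; the ntdsutil function only works in Directory Services Restore Mode, after the non-authoritative restore and before the reboot, because the NTDS database is in use while the directory service is running.

```powershell
# Added example, not from the exam notes. Paths, job name and OU DN are assumed.

function Backup-SystemState {
    param([string]$Folder = "D:\Backups")            # assumed destination
    $stamp  = Get-Date -Format "yyyyMMdd-HHmm"
    $target = Join-Path $Folder "systemstate-$stamp.bkf"
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # "systemstate" selects the same components the Backup Utility GUI does:
    # registry, boot files, COM+ database, Sysvol and NTDS.dit on a DC (with any
    # AD-integrated DNS zones), certificate services, IIS metabase.
    # /V:yes verifies after writing, /L:s keeps a summary log, /M normal = full.
    & ntbackup.exe backup systemstate /J "SystemState-$stamp" /F $target /V:yes /L:s /M normal
    if (-not (Test-Path $target)) { throw "ntbackup did not write $target; check the NTBackup job log" }
    return $target
}

function Set-AuthoritativeSubtree {
    param([string]$DistinguishedName)                # e.g. "OU=Sales,DC=corp,DC=example" (assumed)
    # ntdsutil takes each argument as one command, so this equals typing
    # "authoritative restore" and then "restore subtree <DN>" at its prompts.
    # It raises the version numbers on every object under the subtree so the
    # restored copies win replication against the other DCs. Only in DSRM.
    & ntdsutil.exe "authoritative restore" "restore subtree $DistinguishedName" quit quit
}

$backup = Backup-SystemState
"System state written to $backup"
# In DSRM, after restoring that file with ntbackup and before rebooting:
#   Set-AuthoritativeSubtree "OU=Sales,DC=corp,DC=example"
```

Keep the authoritative step narrow: marking one OU restores the deleted objects without rolling back every other change made in the domain since the backup, which is what "restore database" would do.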


 

 

ASR(Automated System Recovery)

 

·        Replaces the ERD of Windows NT and 2000

·        Requires floppy drive on server to be recovered

·        Restores a failed and\or non bootable server to its former state. 

·        Restores the operating system and all applications and settings

·        The F2 key initiates the ASR process after the server boots from the 2003 Server cd.  Then the prompt for the floppy should appear.

·        Backs up:

·        System state data

·        System services

·        Operating system components

·        Needs:

·        ASR floppy that contains: info about the disk configuration, disk signatures, volumes and partitions so it can start the computer.

·        ASR backup set consisting of critical system files and registry

·        Windows 2003 cd to boot from

·        Manufacturer’s driver disk for the mass storage controller(press F6 when prompted).  Can be included with ASR floppy

·        ASR will not backup data files. That should get backed up separately.

·        Uses shadow copy

·        ASR floppy contains 2 files: Asr.sif and Asrpnp.sif

·        What if you do not have a floppy disk drive?

·        Copy asr.sif and asrpnp.sif, found in %systemroot%\repair after the ASR backup finishes, to a network share and create the floppy on another machine that has a floppy drive; BUT the ASR restore still requires a floppy drive on the server being restored.

·        The ASR restore recreates the disk configuration and formats the system volume before restoring, so anything left on it is lost.

·        The ASR process requires that you boot from the Win 2003 disk

·        Should be the last resort.

·        Recover with Automated System Recovery

http://hacks.oreilly.com/pub/h/1196

 

·        The ASR process

      • Configure the BIOS to boot from CD
      • Restart the server and boot from the Windows 2003 Server CD
      • Press F2 when prompted
      • Insert the ASR floppy

 

 

Recovery Console

·  Used to run diagnostics, disable drivers and services, and replace files

·  Can be started by booting from the Windows 2003 CD and pressing R to choose the repair and recover option when prompted.

·  Can be installed beforehand, while Windows is running, by inserting the Windows 2003 CD and typing at a command prompt: cddrive:\i386\winnt32 /cmdcons

·        There is no uninstall for this.  Have to manually delete the Cmdcons folder and the entry in the boot.ini file

·  By default you can only access the root of each volume, the %systemroot% folder and its subfolders, and the Cmdcons folder.  To lift this:

·        Enable the policy "Recovery Console: Allow floppy copy and access to all drives and all folders" in the local GPO (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options).  This policy is what makes the Recovery Console SET command available.

·        Then, inside the Recovery Console, type: set AllowAllPaths = TRUE   (include the spaces before and after the equals sign)

·  By default you can copy files onto the local hard disk but not from it to removable media.  To lift this, enable the same policy and then type in the Recovery Console: set AllowRemovableMedia = TRUE   (spaces before and after the equals sign)

·  By default you cannot use wildcards.  To lift this, enable the same policy and then type in the Recovery Console: set AllowWildCards = TRUE   (spaces before and after the equals sign)

·  By Default,  the administrator password must be supplied, but can be skipped by enabling the policy located in the Security Policy of Local Policies: Recovery Console: Allow Automatic Administrative Logon

Volume Shadow Copy Service-VSS

·        Allows the backing up of databases and files that are open or locked

Shadow Copies of Shared Folders

·        Applications can continue to write data during backup- Uses VSS

·        Only support on NTFS volumes

·        Open  files are no longer omitted during backup

·        Backups can be performed at any time without locking out files and users

·        Users can view, copy and restore their own previous file versions.

·        A shadow copy records only the blocks that changed since the previous shadow copy, and it captures a file only as it was at the scheduled time.  A file that changed many times between two shadow copies keeps only the version that existed when each copy was taken.

·        When the storage limit is reached Shadow Copies will start deleting Shadow Copy backups, beginning with the oldest.

·        Built into Windows Server 2003.  Windows 98, Windows NT 4, Windows 2000 Professional/Server and Windows XP need the Shadow Copies of Shared Folders (Previous Versions) client installed; it can be downloaded.

·        On a Windows 2003 Server the client files can be found here: X:\WINDOWS\system32\clients\twclient\x86 folder

·        Users can restore files without the help of an admin.

·        Copies ALL shared folders.  Specific shares cannot be selected.

·        The whole volume needs to be enabled and NOT individual folders

·        Default settings for Shadow Copy\Volume (go to My Computer and the properties of  the drive and the Shadow Copies tab)

·        The storage area for the shadow copies are located on the same volume

·        The minimum storage area is 100 MB; the default limit is 10% of the volume's size.

·        The default schedule creates a shadow copy twice a day, Monday through Friday at 7:00 AM and 12:00 PM; you can also take one immediately with the Create Now button.

·        Restore overwrites the current file with the previous version; Copy writes the previous version to a location you choose and leaves the current file in place.

·        If you want to move the shadow copy storage area to another volume (this improves performance, not redundancy), no shadow copies may exist: you must disable shadow copies on the volume first, which deletes the existing copies, then enable them again with the new storage location.

·        Previous Versions tab will not show up if there are no previous versions stored on the server.

·        Cannot see the Previous Versions tab if the files are stored on the local drive.

·        You can Copy or Restore a file in the Previous Versions tab.

·        Security settings are not stored with a previous version.  On a copy, or a restore where the original file no longer exists, the file inherits permissions from the parent folder; on a restore over an existing file, the restored file keeps the permissions of the original.

·        If the file has been deleted, then you will not be able to access the Previous Versions tab of that file, so you need to go to the parent folder.

·        Shadow copies are stored in the System Volume Information folder of the volume that holds the storage area (the same volume as the shared data by default).

 

 

Backup Permissions

  • Must be a admin or member of the backup operators to perform a backup.
  • Can back up files that you own.
  • When a file is restored from a regular backup the file permissions previously assigned are restored
  • When a file is restored that was deleted the default permissions are set.
  • You can give a person the Backup Files and Directories right.
  • When using NT Backup you can check off the box to only allow the owner and admin to access the backup data.  This over rides the Backup Operator group privileges and they will not be able to restore.
  • NTFS permissions are written to tape. They are primarily used for restoring and do not provide security on the tape.  But if you check the box for owner and admin only then those will be able to access the files on the tape.

SUS

 

·  SUS has 2 components

·  Software Update Services Server-server side

·  Client Automatic Updates-client side

·  WSUS (Windows Server Update Services, first released as version 2.0) is the successor to SUS 1.0 SP1.

·  SUS 1.0 needs SUS Service Pack 1 before it can distribute service packs.  SP1 also allows SUS to run on a domain controller.

·  The command WMIC.exe QFE will list all updates installed on the computer

·  SUS can be installed on a Windows 2000 Server SP2 or later and Server 2003.

·  Updates are for Windows 2000, Windows 2003, or XP

·  SUS can be applied via Automatic Updates, which is supported but not included for:

·  Windows 2000 server SP2 or later

·  Windows Server 2003

·  Windows 2000 Pro SP2 or later

·  XP Pro and Home

·  Automatic Update software is included with Windows 2000 SP3, XP SP1, and Server 2003.

·  Minimum requirements for an SUS server:

·  Pentium II 700mhz processor

·  512 MB RAM

·  6 GB free space

·  IE 5.5 or higher

·  IIS installed

·  Default storage location: C:\SUS\content

·  By default the All Languages is enabled during setup and will download 600mb of updates

·  SUS installs and applies the IIS lockdown tool to Windows 2000 SP2 Server and earlier.

·  You must be a local admin on the SUS server to install and view the Admin Web page

·  Policies can be configured using Windows NT 4 System Policy or by a registry entry.

·  Group policy can be setup for Windows 2000 and 2003

·  The “Configure Automatic Updates” computer policy must be enabled.  Within it, choose the download type (Notify or auto-download) and the install type (schedule or notify).  If the policy is disabled, the client options will be disabled in Control Panel.

·  The “Specify Intranet Microsoft Updates Service Location” computer policy needs to be enabled and the URL of the SUS server entered as: http://server

·  IIS is not installed on 2003 Server by default so need to install the minimum:

·  World Wide Web Service-used to interface with the clients

·  Common Files for IIS

·  Internet Information Services Manager

·  Backing up an SUS server thru NT backup:

·  The Storage folder- SUS Content directory needs to be backed up (C:\SUS\Content)

·  Back up the IIS metabase (thru IIS Backup/Restore) and the file it creates in C:\windows\system32\inetsrv\metaback

·  C:\inetpub\wwwroot (the site that contains the SUSAdmin and AutoUpdate virtual directories)

·  Restore an SUS server:

·  Disconnect server from network and perform a clean install and give it the same name

·  Make sure IIS is installed the same way as before.

·  Apply all service packs and updates as previously installed

·  Install SUS in the same directory

·  Restore all files from above

·  Log files:

·  history-sync.xml (the synchronization log)

·  history_approve.xml (the approval log). 

 

Restricted Groups

 

·  Affects computer accounts only not user accounts.

·  When members are added thru restricted groups it will overwrite the existing membership of the group. 

·  If the restricted group were to be left blank then the group would have no members once the GPO was applied to the computer.

·  Used to control membership of the local admin.group account on a server or computer.

·  It can also be used to automatically remove any local user accounts that should not be added to the local admin group.

 

 

Samid- Security Accounts Manager identifier- is used for client computers released prior to the availability of AD, such as NT and Win98.

Upn- user principal name, such as jim@domain7.local

 

 

GPO’s (local, Domain, OU) are cumulative

GPO’s are processed from top to bottom with the Default Domain Policy first.  Any GPO’s after override unless the No Override option is selected

 

 

Remote Administration

     Runas command tool-

      MMC Snap-Ins

Remote Desktop for Administration

·  Allows two concurrent connections whereas XP only allows one.

·  Remote Desktop Connection(RDC-mstsc.exe) is the client side software used for the connection to the server.

·        Only administrators are granted access to DC’s thru Remote Desktop

·        The 32-bit Remote Desktop Connection client software is located in %systemroot%\system32\clients\Tsclient\Win32 of the Terminal Server

·  Also available thru a web browser.  This feature cannot be installed on a DC.

·  The “Allow Logon Through Terminal Services”  in the Default Domain Controllers Policy must be granted to the Remote Desktop Users group or user for access to a DC.

·  The Remote Desktop Users group by default has the “Allow Logon Through Terminal Services” for access to non-DC servers.

·  Remote Desktop for Administration took the place of Terminal Services in Administration mode in Server 2003.

·  Depends on the Terminal Services service

·  Installed already on Windows 2003 Server, but needs to be enabled in  Control Panel\System Properties\Remote tab

·        Any user added in the Remote tab is added to the Remote Desktop Users group

·        These users are given the “Allow log on through Terminal Services” right on the local computer.

·        If they are added as Remote Desktop users they will not be able to log in

·        In Windows 2000 users needed the “log on locally” right to logon remotely to a Terminal Server.

·  The message “The local policy of this system does not permit you to logon interactively” when trying to connect to a server using RDC probably indicates that you are not a member of the Remote Desktop Users group.

·  The message: “ The client could not connect to the remote computer.  Remote connections might not be enabled……” refers to the check box in Control Panel\System\Remote tab to enable Remote Desktop.

 

·  When a user tries to connect to a server or computer remotely the following conditions must all be met and checked in this order:

·        The box “Allow Users to connect remotely to this computer” is checked in the Remote tab

·        The user is assigned the “Allow log on through Terminal Services” user right on the computer within the Local Policy.

·        The “Allow logon to terminal server” option is enabled on the Terminal Services Profile tab of the user account.

·        The user is a member of either the Remote Desktop Users or Administrators local group on the computer.

 

Remote Assistance-know in more detail such as GPO relationship and who initiates.

·  Allows a user to request help from a remote user over the internet.

·  Shares the desktop.

·  Depends on the Terminal Services service

·  Disabled by default on Windows 2003 servers

·  Remote assistance uses port 3389

·  Invitation can be sent via

·        Email-

·        File- saved to a floppy disk

·        Messenger

Terminal Server (formerly called Terminal Services Application Server mode in Win 2000 Server)

·  Used for application sharing

·  Can be used for a period of 120 days without purchasing licenses

·  After the 120 days requires a client license for each connected client.

·  To issue licenses the Terminal Server Licensing server needs to be installed and activated through the Microsoft Clearinghouse by using the Terminal Server License Server Activation Wizard.

·  By default a terminal service license server is installed as an Enterprise License server, but you should configure it as a Domain License server if you want to keep each domain separate or you have NT 4 domains.

·  It is not recommended that the Terminal server and license server be on the same server.  Should be separate.  The terminal server periodically polls the network for a license server.

·  When TS is installed you must choose security

·        Full (default)- denies applications on the server access to the registry and system files.  Can be changed to Relaxed in the Terminal Services Configuration tool if a program will not run, but applications that were installed previously need to be reinstalled.

·        Relaxed- allows access to the registry and system files and may be required for older applications

·  Remote Desktop Users group must have at least User Access permissions to the connection of the server which can be modified in Terminal Services Configuration tool.

·  You must install applications through Add\Remove Programs or at a command line enter: change user /install, and after the install, change user /execute

·  To enable and disable logging on to a TS Server: change logon /disable and change logon /enable  at a command prompt.  It can also be accomplished thru the Remote tab of System Properties.

§   Terminal Server Session Directory- stores user session information.  This service allows a user to reconnect to a disconnected session, preventing loss of data and the use of another license.  Used with Network Load Balancing.  It is recommended that this server not be part of the cluster.

·        Tools to configure TS (in order of precedence)

·        Active Directory Group policy which beats all configuration settings

·        Terminal Services Configuration console, aka RDP-Tcp settings.  Doesn’t beat GPO but overrides everything else, such as user account settings and client settings.

·        User account settings in AD

·        RDP and TS client settings

·        There are four tabs in the User Properties that are associated with the TS config:

·        Terminal Services Profile Tab

·        “Profile Path”-allows to configure roaming and mandatory profile for users

·        “Terminal Services Home Folder”-specifies a home directory for every user that logs on to the terminal server

·        “Allow Logon to Terminal Server” option- enabled by default and can be disabled to make an exception for this particular user.  If disabled, the user cannot log on to any Terminal Server no matter what group he belongs to.

 

·        Environment Tab

·        These settings override the settings in the RDP client software

·        The “Starting Program” section allows you to specify a program to be executed at logon

·        “Client Devices”– controls whether local drives (ICA clients only) and printers are available in the TS session.  For users of the Remote Desktop client, you need to configure the client to map the drives.

 

·        Remote Control Tab

·        Remote control is enabled by default.

·        Choices of level of control are:

·        View the user’s session

·        Interact with the session(default)

·        To start a remote control session on a client machine, the admin first needs to start a session with the terminal server, start Terminal Services Manager admin tool( found in Administrative Tools),  right click the user’s session and select Remote Control.

 

·        Sessions Tab

·        Set session limits on terminal server.

·        There are 3 different limits for a terminal server session:

·        End a disconnected session-when a user disconnects without logging off, the session and programs will remain open on the server.  This allows the user to reconnect and find the remote session as he left it. 

·        Active session limit- specifies a limit during which a user is actively using the TS.

·        Idle session limit-specifies the limit for no activity.

·        If you choose to end sessions, the user might lose data.

·        Know difference between ending a session and disconnecting.

·        Disconnecting- allows the user to connect to the same session with no loss of data.

·        End-all data is lost

·        Allow Reconnection section:

·        From any client

·        “From originating client only”- the user can reconnect only from the computer where the session originated.

·        All the settings in the User Properties in AD can also be configured on the server level by using the Terminal Services Configuration snap-in.  This would have to be configured on each server.  You will also need to check the box to override. 

·        Remote Desktop Connection client settings-

·        On the Local Resources tab, under local devices, a user can map a local disk which can be accessed in the terminal session.  This allows a user to use an application on the Terminal Server, but store the data on the local disk drive.  Same for printer and serial ports. 

 

Default Groups

 

The following groups  are in the Builtin container.  These groups are all domain local and cannot be moved to another OU:

·        Account Operators- 

·        members can administer domain user and group accounts,

·        log on locally and on DC’s

·        Can shutdown DC’s.

·        Cannot modify the administrators and domain administrators.

·        Backup Operators-

·        Can backup and restore files without being limited by file permissions on domain controllers

·        Can logon to DC’s

·        Can shutdown DC’s

·        Incoming Forest Trust Builders-

·        Can create incoming , one-way trust relationships to this forest

·        Appears only in the root domain of the forest.

·        Network Configuration Operators-

·        Can change the TCP/IP settings on domain controllers in the domain

·        Performance Monitor Users-

·        Can monitor performance counters on domain controllers

·        Performance Log Users-

·        can manage performance counters, logs and alerts on domain controllers

·        Pre-Windows 2000 Compatible Access-

·        Have read access to all users and groups in the domain.

·        Provides backward compatibility for computers running pre-Windows 2000 versions, such as NT 4

·        Everyone group is a member by default

·        Print Operators

·        Can administer printers connected to domain controllers and shared printer objects in AD

·        Can log on to DC’s

·        Can shutdown DC’s.

·        No members by default

·        Remote Desktop Users

·        Granted the right to logon remotely using terminal session.

·        No members by default

·        Replicator-

·        System group account used for file replication

·        Has no members

·        Server Operators-

·        Can administer shared resources on domain servers

·        Start and stop certain services

·        Format hard disks

·        Have the same rights as Backup Operators, including shutting down DC’s

·        No members by default

 

The following default groups reside in the Users container in AD.  The Users container contains domain local, global, and universal scope default groups.  These groups can be moved to another OU:

 

  • Cert Publishers-can only publish digital certs for users and computers
  • DnsAdmins- administer DNS
  • DnsUpdateProxy-members can act as DNS proxy for clients.  A DHCP server that handles dynamic updates for DHCP clients should be a member of this group.
  • Domain Admins-full control of domain.  Member of the Administrators group on all members including domain controller.  Administrator is a member by default.
  • Domain Computers- group that contains all the computer accounts of the client and the servers joined to the domain.
  • Domain Controllers-contains all DC’s in the domain
  • Domain Guests-
  • Domain Users-
  • Enterprise Admins- members have full control of all domains in the forest.  Administrator is a member by default.
  • Group Policy Creator Owners-can modify Group Policy settings in the domain.  Administrator is a member by default
  • IIS_WPG- Worker Process Group,  a system group account used by IIS 6.0.
  • RAS and IAS Servers- Servers in this group have access to the remote access properties of users.  Used for IAS servers that perform authentication for a collection of RRAS servers.
  • Schema Admins- can modify the AD schema.  The Administrator user account is a member by default

 

Folder and File Access

·        Share (network)Permissions

·        Full

·        Change

·        Read

·        NTFS (local)permissions

·        Full

·        Modify- able to view, create, change, and delete files and folders

·        Read and Execute- can view and execute files and folders.

·        List Folder Contents

·        Read

·        Write

·        Special Permissions

§         Full

§         Traverse/Execute file

§         List folder/Read Data

§         Read Attributes

§         Read Extended attributes

§         Create files/Write data

§         Create folders/Append data

§         Write Attributes

§         Write Extended Attributes

§         Delete subfolders and files

§         Delete

§         Read Permissions

§         Change Permissions

§         Take Ownership

§         Default NTFS permissions for a folder for Domain Users

§         Read and Execute

§         List Folder Contents

§         Read

§         Special Permissions

§         Create Files/Write data

§         Create Folders/Append data

§         Special Groups

§         Interactive-for logging in locally

§         Network-logging into a folder over the network

 

IIS 6.0

 

  • Not installed on 2003 Server by default
  • For IIS, there is authentication and authorization

·        Authentication refers to security, as in passwords and how or if they are encrypted.  See

·        Authorization refers to

  • If  NTFS permissions and web site permissions are applied to a site, then the most restrictive will apply.
  • IIS Metabase

·        Each time there is a change to the web site, the metabase.xml file is backed up to C:\windows\system32\inetsrv\history

·        Can also be backed up manually by right clicking on the server and choosing “All Tasks” and Backup\Restore.

·        Two metabase files

·        Metabase.xml-contains the IIS config. settings

·        Mbschema.xml- contains the schema and should be edited with ADSI

·        Files are located:  C:\windows\system32\inetsrv

·        The only accounts that have access are NT Authority\System and Builtin\administrator with Full control

·        It is not recommended to use the import\export feature for backing up because it does not include passwords and other sensitive data.

  • Ways that IIS can be administered(local and remote)

·        Web browser: https://localhost:8098

·        IIS manager(for remote use the Connect to)

·        Command line

·        IISweb.vbs-used to start, stop, create, delete, and list Web sites.

·        IISftp.vbs-same as above but for FTP

·        IISvdir.vbs-same as above but for virtual directories.

·        IISftpdr.vbs-used to create, delete, and display virtual directories under a root.

·        IIScnfg.vbs- used to import and export IIS configuration to an XML file.

·        IISback.vbs-Used to backup and restore IIS configuration

·        IISapp.vbs-used to list application pool and process IDs for started worker process.

·        IISweb.vbs-used to configure web service extensions

 


·        There are 7 IIS authentication methods:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconIISAuthentication.asp

·        Anonymous-

·        no password for access

·        Uses the IUSR_machinename account

·        When this is enabled IIS does not use any other authentication schemes unless NTFS permissions deny access to a resource.

·        Enabled by default

·        Integrated Windows-

·        requires windows password

·        will use NTLM or Kerberos depending on a negotiation between IE and IIS

·        best scheme for an intranet where users have domain accounts.

·        Digest 

·        works with AD and sends a hashed value. 

·        Requires that a Realm is defined.

·        One step above basic authentication

·        Requires a domain user account in AD

·        Advanced Digest

·        Requires a domain user account in AD

·        Has a medium level of security


·        Basic –

·        passwords sent in clear text

·        uses windows user accounts

·        .NET Passport

·        level of security is high

·        provides a single unified logon thru SSL, HTTP redirects, cookies, and JavaScript

·        Certificate

·        Strong authentication scheme

·        Uses SSL

·        Preferred method for conducting business over the internet.
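To make the difference between Basic and Digest concrete, this added example (not code from the page) shows what each scheme puts on the wire: Basic carries the password base64-encoded, so anyone reading the traffic without SSL recovers it, while RFC 2617 Digest sends only an MD5 response that binds user, realm, password, method, URI and the server's nonce. The user, realm and password are constructed, and the server keeps the password in a plain dict here where IIS keeps it in Active Directory.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials for the demonstration (not taken from the page).
REALM = "domain7.local"
PASSWORD_DB = {"jim": "Winter2003!"}


def basic_header(user, password):
    """What a client sends for Basic authentication.
    base64 is an encoding, not encryption: the password travels in clear text."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def basic_recover(header):
    """Anyone who can read the header (no SSL) recovers the password unchanged."""
    token = header.split(" ", 2)[2]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop: response = MD5(HA1:nonce:HA2), where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri).
    Only this hash crosses the wire, never the password itself."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_verify(user, method, uri, nonce, response, realm=REALM):
    """Server side: recompute the response from the stored password and the
    nonce the server issued.  HA1 binds user, realm and password together,
    which is why a realm must be defined and the account must exist."""
    password = PASSWORD_DB.get(user)
    if password is None:
        return False
    expected = digest_response(user, realm, password, method, uri, nonce)
    return hmac.compare_digest(expected, response)
```

A response captured for one nonce fails verification against any other nonce, which is what stops a straight replay of a Digest exchange.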

 

·        IIS Host Headers- allows multiple host names to share a single IP address.  IE will specify in the HTTP header the actual domain name requested and IIS uses this to determine which site to use. 

An A record needs to reference the host header name.

Users will access the site by the host header name.

Host headers solve the problem of multiple websites on the same server, using the same IP address and port.

Host Header Names to Host Multiple Sites from One IP Address in IIS 5.0 :http://support.microsoft.com/kb/190008
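The host header decision described above, as an added example that is not part of the original notes: a DNS A-record table and a site table are constructed for three sites sharing one IP address and port (the names and addresses are made up), and the server picks the site from the Host header, falling back to the site bound with a blank host header when the request has none or names an unknown site.

```python
# Constructed tables for the example (names and addresses are made up).
A_RECORDS = {                       # the DNS A records the host header names need
    "www.domain7.local": "10.0.0.5",
    "intranet.domain7.local": "10.0.0.5",
}
SITES = {                           # (IP, port, host header) -> site; one IP and port shared
    ("10.0.0.5", 80, "www.domain7.local"): "Corporate site",
    ("10.0.0.5", 80, "intranet.domain7.local"): "Intranet",
    ("10.0.0.5", 80, ""): "Default Web Site",   # blank host header = catch-all
}


def resolve(name):
    """Client side: the A record must exist, or the browser never reaches the server."""
    return A_RECORDS.get(name.lower())


def parse_request(raw):
    """Split an HTTP request into its request line and a dict of lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    fields = {"_request_line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            fields[name.strip().lower()] = value.strip()
    return fields


def select_site(ip, port, raw):
    """Server side: pick the site by the Host header for this IP:port binding.
    A request with no usable Host header (HTTP/1.0 clients, or a name with no
    binding) lands on the site with the blank host header, if one exists."""
    host = parse_request(raw).get("host", "")
    host = host.split(":", 1)[0].strip().lower()   # "Host: name:port" -> name
    site = SITES.get((ip, port, host))
    if site is None:
        site = SITES.get((ip, port, ""))
    return site


def browse(name, raw):
    """End to end: DNS lookup first, then the server's host header decision."""
    ip = resolve(name)
    if ip is None:
        return None           # no A record: nothing to connect to
    return select_site(ip, 80, raw)
```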

  • WebDAV

·        To support WebDAV (Web Distributed Authoring and Versioning), the WebDAV Web service extension must be enabled in IIS on the web server.

·        WebDAV- uses port 80, so no extra ports need to be opened.

·        Steps to install WebDav

·        For 2003 Server, needs to be installed even if IIS is already installed. Can add from Add\Remove Programs under Application Server\IIS\World Wide Web Service

·        After installation, it needs to be enabled under the WebDAV option under the Web Service Extensions node in IIS manager

·        XP clients that will manage and create content on the site need the WebClient service started and set to Automatic

·        Permissions are a combination of NTFS and what is set in IIS for that virtual directory.

·        The default permission for a virtual directory is Read.
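How the IIS permission on a virtual directory and the NTFS permission on the files combine (the "most restrictive applies" rule above, and the WebDAV permissions note), as an added example that is not from the page. The ACEs, group names and the web-operation-to-NTFS-right mapping are constructed for the example; NTFS inheritance order is not modelled.

```python
from typing import Iterable, List, Set, Tuple

# An NTFS ACE as (principal, "allow" or "deny", set of rights).  Principals and
# rights below are constructed for the example; inheritance order is not modelled.
Ace = Tuple[str, str, Set[str]]

# Which NTFS right a web operation needs (the example's own mapping).
WEB_NEEDS_NTFS = {
    "read": "Read",                   # GET of a file
    "write": "Write",                 # WebDAV PUT / create
    "browse": "List Folder Contents", # directory browsing
}


def ntfs_effective(aces: List[Ace], user: str, groups: Iterable[str]) -> Set[str]:
    """Rights from every allow ACE for the user or one of the groups accumulate;
    a deny ACE for the user or any of the groups removes the right again."""
    principals = {user, *groups}
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, kind, rights in aces:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied


def web_access(web_perms: Set[str], aces: List[Ace], user: str,
               groups: Iterable[str], op: str) -> bool:
    """Most restrictive wins: the IIS permission on the virtual directory AND the
    NTFS right on the file must both be present for the operation to succeed.
    An anonymous request is evaluated as the IUSR account with its own groups."""
    if op not in web_perms:
        return False
    return WEB_NEEDS_NTFS[op] in ntfs_effective(aces, user, groups)
```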

·        Application Pooling-Applications can run unaffected by other applications. 

·        To change the application pool, go to properties of website or application, Home Directory tab and the application pool list box.

·        HTTP SSL- is used when you want encryption for private websites such as for OWA. 

·        World Wide Publishing service provides HTTP services for non-secure public website.

·        Printing over the internet.  First IIS has to be installed, then Internet Printing.  Then you can print using http://servername/printers

 

Commands

 

·        Change logon /disable   disables Terminal sessions into a server.

·        Change logon /enable    enables Terminal sessions into a server.

  • Csvde.exe- is used to import and export data into AD

Uses the CSV format and can be used with Excel.

Will not create passwords.

-i  will import

-k  ignores errors

  • DNSlint-Used to troubleshoot DNS name resolution, delegation, AD DNS replication, etc
  • DNScmd- Used to configure and manage DNS
  • Dsadd-adds objects(groups, OU’s , users, etc) to AD
  • Dsget- displays or gets properties of objects in AD
  • Dsmod-modifies attributes of existing object in AD
  • Dsmove-moves objects in AD
  • Dsrm-removes an object or subtree of an object
  • Dsquery-queries AD for objects that match criteria
  • Difference between DSGET and DSQUERY is that DSGET gets object property info and DSQUERY gets objects according to the criteria.
  • Dsquery user | dsmod user      this will link the two so you can modify whatever is in dsquery
  • Gpresult-GPO assignments
  • Gpupdate- command line tool used to refresh GPO’s.  Replaced secedit /refreshpolicy in Win 2003

·        Ldifde.exe- is a more advanced tool that can create, modify, and delete AD objects.

Default is to export, so use the –i switch to import

Cannot use this with Excel. 

Uses the LDAP (LDIF) directory interchange format.
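An added example (not from the notes) of the LDIF input ldifde consumes, say with ldifde -i -k -f newuser.ldf: the first record creates a user in the page's domain7.local domain, the second adds it to a group. The OU and group names are placeholders. Because ldifde cannot set a password, userAccountControl 514 (normal account 512 + disabled 2) creates the account disabled, so it stays unusable until an administrator sets a password and enables it.

```ldif
# Record 1: create the user (disabled, no password can be set by ldifde)
dn: CN=Jim Smith,OU=PLACEHOLDER-OU,DC=domain7,DC=local
changetype: add
objectClass: user
sAMAccountName: jim
userPrincipalName: jim@domain7.local
displayName: Jim Smith
userAccountControl: 514

# Record 2: add the new user to an existing group
dn: CN=PLACEHOLDER-GROUP,OU=PLACEHOLDER-OU,DC=domain7,DC=local
changetype: modify
add: member
member: CN=Jim Smith,OU=PLACEHOLDER-OU,DC=domain7,DC=local
-
```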

·        MBSAcli- command line version of MBSA.  Will go out to the internet or to the SUS server (switch: /sus) to check whether updates are current.

·        Nbtstat- shows NETBIOS statistics about a computer

·        Netsh-Used to change and view network configurations on a remote or local computer. 

·        Netdiag- used to test the network connectivity of a computer, including Kerberos.

·        Netcap-used to monitor packets and write to a log file. 

·        Nltest-can obtain a list of domain controllers on the network, query the status of a trust relationship.

·        Secedit – command line tool used to analyze and configure security settings on a computer.  Security Configuration and Analysis is the GUI version

·        Schtasks- used to schedule tasks.  Can connect to a remote computer.

·        Tsshutdn wait_time /server:xxxxx /reboot /powerdown /delay:log_off_delay /v

wait_time is the time in seconds to wait after users are notified before they are logged off.

delay is the time after users are logged off before processes are stopped and the server is shut down.

/v displays the actions to the user

  • Tsdiscon {sessionID | sessionname} /server:xxxxx /v

Will disconnect a session but keep its processes running.

·        WMIc- command line tool used to control WMI

·        WMIc qfe- will check for patches on the given computer.
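As an added example (not from the notes), a parser for the CSV form of the wmic qfe listing mentioned above and in the SUS section, used to report which required hotfixes are absent from a machine. The sample output and the KB numbers are constructed; the blank first line, the Node column and the doubled carriage returns mirror what wmic /format:csv prints.

```python
import csv
import io
from typing import Dict, List

# Constructed sample of what `wmic qfe get HotFixID,InstalledOn /format:csv` prints:
# wmic emits a leading blank line, a Node column, and "\r\r\n" line endings.
# The KB numbers and dates are made up for the example.
SAMPLE_QFE = (
    "\r\r\n"
    "Node,HotFixID,InstalledOn\r\r\n"
    "SRV01,KB000001,1/5/2007\r\r\n"
    "SRV01,KB000002,2/14/2007\r\r\n"
    "SRV01,File 1,\r\r\n"
    "SRV01,KB000004,3/3/2007\r\r\n"
)


def parse_qfe(text: str) -> Dict[str, str]:
    """Return {HotFixID: InstalledOn} from wmic's CSV output.
    Rows whose HotFixID is not a KB number (some are listed as 'File 1') are skipped."""
    clean = text.replace("\r", "").strip()
    installed: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(clean)):
        hotfix = (row.get("HotFixID") or "").strip().upper()
        if hotfix.startswith("KB"):
            installed[hotfix] = (row.get("InstalledOn") or "").strip()
    return installed


def missing_updates(text: str, required: List[str]) -> List[str]:
    """Compare the installed list with the KBs that are required (for example
    those approved on the SUS server) and return the ones that are absent."""
    installed = parse_qfe(text)
    return sorted(kb.upper() for kb in required if kb.upper() not in installed)
```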

 

  • $username$ is used in scripts and not %username% which is used to denote the user who is running the command
  • In the login scripts the pipe character “ | “ is used to link scripts such as:

 

Important Paths to Files

  • Default location for IIS Metabase:  C:\windows\system32\inetsrv\metaback
  • Remote Desktop Client:    %systemroot%\system32\clients\Tsclient\Win32
  • Default location to store SUS files:  C:\SUS\Content
  • On a 2003 Server, the Shadow Copies client (so that the Previous Versions tab shows):  C:\WINDOWS\system32\clients\twclient\x86
  • To install the Recovery Console:   cddrive:\i386\winnt32 /cmdcons
  • Location of the ASR files that go on floppy,  asr.sif and asrpnp.sif:      %systemroot%\repair
  • Default location for the IIS web sites:    C:\inetpub\wwwroot
  • Location for Active Directory file NTDS.dit:    c:\winnt\ntds

 

Domain Functional Levels – know difference between all

 

  • Windows 2000 mixed(default)
    • Supported domain controllers-2000, 2003, NT
    • Local and global groups
    • Global catalog support
    • No support for universal groups
    • No support for nesting security groups
  • Windows 2000 native
    • Supported domain controllers- 2000 and 2003
    • Features:
      • Group nesting
      • Universal groups
      • Sidhistory
      • Converting groups between security and distribution

·        Does not support renaming of domain controller.

  • Windows Server 2003 interim-
    • Supported domain controllers-NT and 2003 and NOT Windows 2000
    • No domain wide features available
    • Same limitations as Windows 2000 mixed
  • Windows Server 2003- 
    • supported domain controllers- 2003
    • can rename domain controller
    • group nesting
    • allows converting groups from distribution to security and back.
    • SID history can be migrated to different domains

·        To change the functional level go to Active Directory for Domains and Trusts


·        The default functional level for a new domain is mixed.

 

Forest Functional Levels

Levels

Windows 2000 (default)

No 2003 features available EXCEPT for improved global catalog replication.  Windows 2003 replicates only changes to other global catalogs, but 2000 forests replicate the entire catalog.