Server Administration Tutorial part 1

Presentation Description

Server Administration Tutorial part 1 by Sai Bala subrahmanyam

Presentation Transcript

Server Configuration : 

Server Configuration

Learning Objectives: 

- Explain how to use the tools in the Control Panel
- Install and configure the display, pointing devices, keyboard, computer hardware, recovery options, protocols, and additional Windows 2000 Server components

Learning Objectives (continued): 

Learning Objectives (continued) Use the Device Manager to view hardware properties and troubleshoot problems

Control Panel: 

The Control Panel is one of the first places to start when configuring a server. It is like a control center from which to customize Windows 2000 Server for devices, network connectivity, and other functions.

Accessing the Control Panel: 

Three ways to access the Control Panel are:
1. Click Start, point to Settings, and click Control Panel
2. Open Control Panel from My Computer
3. Open Control Panel from Windows Explorer via the My Computer option

Customizing Control Panel: 

Customizing Control Panel Figure 6-1 Control Panel toolbars

Accessibility Options: 

Accessibility Options The Accessibility Options tool is for accommodating visual, audio, and sensory needs of the user

Accessibility Options (continued): 

Accessibility Options (continued)

Add/Remove Hardware: 

Add/Remove Hardware Use the Add/Remove Hardware tool to install new hardware, remove hardware, unplug a device, and make sure that a device is functioning

Add/Remove Hardware (continued): 

Add/Remove Hardware (continued) Figure 6-2 Add/Remove Hardware Wizard

Add/Remove Programs: 

Use the Add/Remove Programs tool to install new software and to remove software. A vital function of Add/Remove Programs is to enable you to add and remove Windows 2000 components.

Windows Components: 

Windows Components

Windows Components (continued): 

Windows Components (continued)

Windows Components (continued): 

Windows Components (continued)

Administrative Tools : 

Administrative Tools Provides shortcuts to the Windows 2000 Server administrative tools, such as tools to manage user accounts, the Active Directory, and IIS

Date/Time: 

Date/Time The Date/Time tool is used to configure the calendar, date, time, and time zones.

Display: 

Display The Display tool configures video characteristics such as the desktop background, display colors and resolution, and the appearance of title bars

Display Options: 

Display Options

Display Options (continued): 

Display Options (continued)

Folder Options: 

Folder Options Use the Folder Options tool to customize My Computer, Windows Explorer, and desktop options

Folder Options Configuration: 

Folder Options Configuration Figure 6-3 Folder Options window

Folder Options Tabs: 

Folder Options Tabs

Fonts: 

Fonts The Fonts tool is used to install, remove, and manage fonts in Windows 2000

Game Controllers: 

Included mainly for compatibility with Windows 2000 Professional; enables the setup of game controllers, such as a controller in an expansion slot or one connected to a USB port.

GSNW: 

The GSNW tool enables you to configure and manage Gateway Services for NetWare, when the Windows 2000 server is set up to offer a gateway to files on a NetWare server.

Internet Options: 

Internet Options The Internet Options tool is used to customize Internet access, such as the home Web page, storage of temporary files, and security

Keyboard: 

Keyboard The Keyboard tool is used to customize keyboard parameters such as the repeat rate and cursor blink rate

Licensing: 

Licensing The Licensing tool is used to manage licenses and is the place in which to add more licenses when they are purchased as your network grows

Mail and Fax: 

Mail and Fax The Mail and Fax tool enables you to configure the Windows 2000 Server mail and fax services, such as mail reception options and information about each fax user and fax cover pages

Mouse: 

Mouse Use the Mouse tool to configure mouse properties such as pointer symbols and the mouse response rate

Network and Dial-up Connections: 

Network and Dial-up Connections The Network and Dial-up Connections tool is one you will come to rely on for configuring all kinds of network connections, configuring protocols, and managing other network properties

Troubleshooting Tip: 

Troubleshooting Tip Use the Network and Dial-up Connections tool to temporarily disconnect a server from the network while you are maintaining it or fixing a problem

Disabling a Connection: 

Disabling a Connection Figure 6-4 Disabling the local area network connection

Phone and Modem Options: 

Phone and Modem Options The Phone and Modem Options tool enables you to configure telecommunications lines, such as setting modem speed and transmission properties

Power Options: 

Power Options The Power Options tool is used to configure energy saving features such as turning off the monitor and hard drive when they are not in use; plus it is used to configure communication with an uninterruptible power source

Printers: 

Printers Use the Printers tool to install, remove, and manage printers, including making the Windows 2000 server function as a print server

Regional Options: 

Regional Options The Regional Options tool is used to customize the time format and international formats for numbers, the date, and currency; plus it is used to set the language used

Scanners and Cameras: 

Scanners and Cameras The Scanners and Cameras tool is used to install a scanner card or configure the attachment of a digital camera

Scheduled Tasks: 

Scheduled Tasks The Scheduled Tasks tool is used to run a task, command, or script at a particular time

Troubleshooting Tip: 

Troubleshooting Tip If the Task Scheduler is not working, make sure that the Task Scheduler service is started and set to start automatically (use the Computer Management tool or the Services tool to check)

Sounds and Multimedia: 

Sounds and Multimedia Use the Sounds and Multimedia tool to configure sounds with particular actions and to configure multimedia capabilities such as compression, MIDI, and other features

System: 

The System tool enables you to configure user profiles, the computer’s name, and server performance, and to access the Device Manager.

System Properties: 

System Properties Figure 6-5 System options

Driver Signing: 

Driver Signing Driver signing: A digital signature that Microsoft incorporates into driver and system files as a way to verify the files and to ensure that they are not inappropriately overwritten

System File Checker: 

The System File Checker is a tool used to find inappropriate versions of critical files, such as .dll and .sys files, and to restore the appropriate versions.

Troubleshooting Tip: 

Troubleshooting Tip If you install software from a vendor and afterward find that certain features of Windows 2000 Server no longer work properly, use the System File Checker to locate which system files have been overwritten and then to restore those files

Configuring the Display: 

After installing Windows 2000 Server, use the Display tool to:
- Check the color and pixel settings
- Install a new display driver
- Set up a screen saver
- Set up the background display

Display Properties: 

Display Properties Figure 6-6 Configuring the display

Troubleshooting Tip: 

- Use the password option with your screen saver to protect the server from intruders
- Use a screen saver that is not CPU intensive

Screen Saver Configuration: 

Screen Saver Configuration Figure 6-7 Screen saver setup

Configuring the Mouse or Pointing Device: 

Configure the mouse or install a new pointing device to match the way that you work; for example, you can use the Mouse tool to install a driver for a pointing device that you set up to replace the mouse that came with the server.

Mouse Setup Options: 

Mouse Setup Options

Installing a Driver: 

Installing a Driver Figure 6-8 Installing a pointing device driver

Configuring the Keyboard: 

Configuring the Keyboard Change the keyboard characteristics to match the way you work or install a new keyboard and driver

Keyboard Setup Options: 

Keyboard Setup Options

Adding, Removing, and Testing Hardware: 

Adding, Removing, and Testing Hardware The Control Panel Add/Remove Hardware tool can detect a new device that is installed -- it is also used to remove a device, unplug a device, and run a test to determine if a device is working

Configuration Tip: 

Configuration Tip For the most automated installation of a device, make sure that the Plug and Play service is started and set to start automatically

Uninstalling a Device: 

Uninstalling a Device Figure 6-9 Uninstalling a NIC

Configuring Startup and Recovery: 

Configure the startup sequence and configure how to recover from a system failure. Example system failure configuration options are:
- Record the failure in the system log
- Send an alert
- Write debug information in a log
- Have the computer attempt to reboot automatically

Configuring Startup and Recovery: 

Configuring Startup and Recovery Figure 6-10 Configuring startup and recovery options

Configuring Power Management: 

- Use a default power management scheme or configure your own
- Configure power management for the monitor, disk drives, standby options, and hibernation
- Configure UPS power management, if a UPS is used with the server

Configuring Power Management: 

Configuring Power Management Figure 6-11 Configuring power management

Configuring Protocols: 

Configuring Protocols Use the Network and Dial-up Connections tool in Control Panel to install, remove, and configure protocols such as TCP/IP, NWLink, NetBEUI, DLC, and AppleTalk

General Steps to Install a Protocol: 

1. Open the Network and Dial-up Connections tool from Control Panel or from the Start button, Settings option
2. Right-click Local Area Connection and click Properties
3. Click Install, click Protocol, and click Add
4. Double-click the protocol you want to install

Installing a Protocol: 

Installing a Protocol Figure 6-12 Installing a protocol

Installing NWLink: 

When installing NWLink, make sure that you configure:
- Frame type
- Network number
- Internal network number (if needed)

Installing NWLink (continued): 

Installing NWLink (continued) Figure 6-13 Configuring NWLink

Configuring TCP/IP: 

Typically you will configure static addressing for a server. Parameters associated with static addressing include:
- IP address -- assign a unique address
- Subnet mask -- such as 255.255.0.0
- Default gateway -- a computer or router that forwards communications to another network
- DNS server -- to resolve computer names to IP addresses
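A mis-typed static address is a common reason a freshly configured server cannot be reached, so it is worth checking the four parameters against each other before committing them. The following is an added example, not part of the original slide deck: it uses Python's standard ipaddress module to verify that the subnet mask is contiguous, that the address is unique and is not the network or broadcast address, that the default gateway actually lies on the server's subnet, and that at least one valid DNS server is given. The sample values are constructed.

```python
"""Consistency checks for a server's static TCP/IP parameters (added example,
not part of the original slide deck)."""
import ipaddress
from typing import Iterable, List, Set


def validate_static_ip(ip: str, mask: str, gateway: str,
                       dns_servers: Iterable[str],
                       already_assigned: Set[str] = frozenset()) -> List[str]:
    """Return a list of problems with the four static-addressing parameters.
    An empty list means the configuration is internally consistent."""
    problems: List[str] = []
    try:
        # IPv4Interface accepts a dotted-decimal mask and rejects a
        # non-contiguous one such as 255.0.255.0.
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid IP address or subnet mask: {exc}"]
    addr, net = iface.ip, iface.network

    # Unique address: it must not collide with an address already in use.
    if str(addr) in already_assigned:
        problems.append(f"IP address {addr} is already assigned to another host")
    # The host part must not be all zeros or all ones.
    if addr in (net.network_address, net.broadcast_address):
        problems.append(f"IP address {addr} is the network or broadcast address of {net}")

    # Default gateway: a router on the same subnet that forwards traffic elsewhere.
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"default gateway {gateway!r} is not a valid IPv4 address")
    else:
        if gw not in net:
            problems.append(f"default gateway {gw} is not on subnet {net}; the server cannot reach it")
        elif gw == addr:
            problems.append("default gateway is the server's own address")

    # DNS servers: each must be a valid IPv4 address; warn if none is given.
    dns = list(dns_servers)
    if not dns:
        problems.append("no DNS server configured; name resolution will fail")
    for d in dns:
        try:
            ipaddress.IPv4Address(d)
        except ValueError:
            problems.append(f"DNS server {d!r} is not a valid IPv4 address")
    return problems


if __name__ == "__main__":
    # Constructed sample: a server on a /16, as in the slide's mask example.
    for p in validate_static_ip("192.168.1.10", "255.255.0.0", "192.168.1.1",
                                ["192.168.1.2"], {"192.168.5.5"}):
        print(p)
```

The already_assigned set stands in for whatever inventory of addresses in use the administrator keeps; the check only catches duplicates that are recorded there.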

Configuring TCP/IP (continued): 

Configuring TCP/IP (continued) Figure 6-14 Configuring TCP/IP

Configuring IPSec: 

Configuring IPSec Use the Advanced button in the TCP/IP Properties to configure IPSec for extra security

Configuring IPSec (continued): 

Configuring IPSec (continued) Figure 6-15 Configuring IPSec

Installing Additional Windows 2000 Components: 

- Use the Network and Dial-Up Connections tool to install additional networking components such as Gateway Services for NetWare
- Use the Add/Remove Programs tool to install additional software components such as Network Monitor or Remote Installation Services

Using the Add/Remove Programs Tool: 

Using the Add/Remove Programs Tool Figure 6-16 Adding and configuring components

Troubleshooting Tip: Check for Resource Conflicts: 

Use the Device Manager or the Computer Management tool to check for a resource conflict. Example hardware resources include:
- Interrupt request (IRQ) line
- I/O address
- Reserved memory range

Using Device Manager to Check for a Conflict: 

Using Device Manager to Check for a Conflict Figure 6-17 Checking for a resource conflict

Chapter Summary: 

- The Control Panel is one of the first places where you will begin configuring a newly installed server
- Some of the Control Panel tools that you will use most often include the Add/Remove Hardware tool, the Add/Remove Programs tool, and the Network and Dial-up Connections tool

Chapter Summary: 

- Use the driver signing features of Windows 2000 Server to protect important system files
- To prepare for troubleshooting, plan to become familiar with the Device Manager and the Computer Management tool

Managing Groups, Folders, Files, and Object Security : 

Managing Groups, Folders, Files, and Object Security

Learning Objectives: 

- Set up groups, including local, domain local, global, and universal groups, and convert Windows NT groups to Windows 2000 groups
- Manage objects, such as folders, through user rights, attributes, permissions, share permissions, auditing, and Web permissions

Learning Objectives (continued): 

- Troubleshoot a security conflict
- Determine how creating, moving, and copying folders and files affect security

Managing Resources: 

Three ways of managing resources and user accounts include:
- By individual user
- By resource
- By group
Managing resources by groups is one effective way to reduce time spent on management.

Scope of Influence: 

Scope of Influence Scope of influence: The extent of permissions for a type of group, such as access to resources in a single domain or access to all resources in all domains in a forest

Local Security Group: 

Use local groups on a standalone server (Active Directory not implemented), such as to manage multiple accounts in a small office. Local groups are given access to resources, and user accounts are added into the local group to gain access to those resources.

Domain Local Security Group: 

Typically a domain local security group is assigned permissions to objects such as folders, printers, and other resources. Global security groups in the same or in a different domain gain access to those resources by becoming members of the domain local group. Domain local groups can contain user accounts, but usually that is not the best approach. Microsoft recommends adding users to global groups and adding global groups to local groups.

Membership Capabilities of a Domain Local Group: 

Membership Capabilities of a Domain Local Group Table 9-1 Membership Capabilities of a Domain Local Group

Implementing Global Groups: 

Use global groups to contain user accounts for accessing resources in the same and in other domains. Global groups should contain user accounts and should be added into domain local groups.

Membership Capabilities of a Global Group: 

Membership Capabilities of a Global Group Table 9-2 Membership Capabilities of a Global Group

Global Group Example: 

Global Group Example Figure 9-2 Managing security through domain local and global groups

Implementing Universal Groups: 

Use universal groups to provide access to forest-wide resources. Think of universal groups as super global groups: they serve the same purpose and allow you to add user accounts from multiple domains.

Membership Capabilities of a Universal Group: 

Membership Capabilities of a Universal Group Table 9-3 Membership Capabilities of a Universal Group

Microsoft Guidelines for Using Groups: 

Microsoft Guidelines for Using Groups Add the users who need access to resources into a global group. Add the global group into a domain local group or universal group. Use domain local groups or universal groups to provide access to resources in a specific domain by adding them to the ACLs of those resources.

Guidelines for Using Groups (continued): 

Guidelines for Using Groups (continued) Use universal groups to provide extensive access to resources, such as when the Active Directory contains trees and forests. Make universal groups members of ACLs for objects in any domain, tree, or forest. Manage user account access by placing accounts in global groups and joining those global groups to domain local or universal groups.

Example Universal Group Setup: 

Example Universal Group Setup Figure 9-3 Managing security through universal and global groups

Creating a Group: 

To create a group:
1. Right-click the container for the new group
2. Click New, Group
3. Enter the name of the group
4. Select the group scope
5. Select the group type
6. Click OK

Entering the Group Parameters: 

Entering the Group Parameters Figure 9-4 Creating a group

Group Properties Tabs: 

- General: Used to enter a description, set the scope, and set the group type
- Members: Used to add group members
- Member Of: Used to join another group
- Managed By: Establishes who will manage the group (add/remove users)
- Object: Provides information about the group as an object (on newer versions of Windows 2000)
- Security: Enables you to set permissions on the group (on newer versions of Windows 2000)

Converting NT Groups to Windows 2000 Server Groups: 

- Existing NT local groups on a PDC are converted to domain local groups
- Existing NT global groups on a PDC are converted to global groups
- If still running in mixed mode, universal groups are not recognized
- If running in native mode, but there are still Windows NT servers, the NT servers treat Windows 2000 universal groups as NT global groups

Windows 2000 Predefined Security Groups: 

Security Group | Scope | AD Container | Default Members | Description
Account Operators | Built-in local | Built-in | None | Can modify user accounts and groups
Administrators | Built-in local | Built-in | Administrator account; Domain Admins; Enterprise Admins | Full access to all domain and local resources
Backup Operators | Built-in local | Built-in | None | Enables members to back up any folders and files on the computer
DHCP Administrators | Domain local | Users | Domain Admins | Enables members to administer DHCP services if installed
DNS Administrators | Domain local | Users | Domain Admins | Enables members to administer DNS services if installed
Domain Admins | Global | Users | Administrator user account | Enables members to manage all resources in a domain

Windows 2000 Predefined Security Groups: 

Security Group | Scope | AD Container | Default Members | Description
Domain Users | Global | Users | All user accounts | Used to grant access to a resource to all user accounts in the domain
Enterprise Admins | Universal | Users | Administrator account | Used to manage all resources in multiple domains
Schema Admins | Universal | Users | Administrator account | Members have rights to modify the Active Directory schema
Server Operators | Built-in local | Built-in | None | Used for common day-to-day server management tasks
Users | Built-in local | Built-in | Domain Users group | Used to manage general user access, including the ability to be authenticated as a user and to communicate interactively

Rights Security: 

- User rights: Enable an account or group to perform predefined tasks, such as the right to log on to a server or to increase disk quotas
- Some rights are inherited by group memberships (such as the Domain Admins group)
- Specific rights can be granted to users if you do not want to add them to a group that gives them more rights than needed

Configuring Rights: 

To configure rights in a domain:
1. Open the Active Directory Users and Computers tool
2. Right-click a domain or OU, for example
3. Click Properties, click the Group Policy tab, click the group policy, and click Edit
4. Double-click (if necessary) Computer Configuration, Windows Settings, Security Settings, and Local Policies
5. Double-click User Rights Assignment
6. Double-click any policies to configure them

Configuring Rights (continued): 

Configuring Rights (continued) Figure 9-6 Configuring user rights as part of group policy

File and Folder Attributes: 

File and Folder Attributes Attributes: A characteristic associated with a folder or file used to help manage access and backups

FAT Attributes: 

- Read-only
- Hidden
- Archive

FAT Attributes (continued): 

FAT Attributes (continued) Figure 9-7 Attributes of a folder on a FAT-formatted disk

NTFS Attributes: 

Regular attributes:
- Read-only
- Hidden
- Archive
Extended attributes:
- Index
- Compress
- Encrypt

NTFS Attributes (continued): 

NTFS Attributes (continued) Figure 9-8 Attributes of a folder on an NTFS-formatted disk

Encrypting File System: 

The encrypt attribute uses the Microsoft Encrypting File System (EFS), which sets a unique private encryption key associated with the user account that encrypted the file or folder. Only that account (or an account set up as a recovery agent) has access to the encrypted file or folder contents. If you move or copy an encrypted file to another location, it remains encrypted in the new location.

Permissions: 

Permissions Permissions: Privileges to access and manipulate resource objects, such as folders and printers; for example, privilege to read a file, delete a file, or to create a new file

Configuring Permissions: 

Configuring Permissions Figure 9-10 Configuring permissions by groups and users

Inherited Permissions: 

Inherited Permissions Inherited permissions: Permissions of a parent object that also apply to child objects of the parent, such as to subfolders within a folder

Configuring Inherited Permissions: 

Configuring Inherited Permissions Figure 9-11 Configuring inherited permissions

Ownership: 

Ownership Ownership: Having the privilege to change permissions on an object and to fully manipulate the object. The account that creates an object, such as a folder or printer, initially has ownership. Ownership can be taken by an administrator or anyone who is given ownership over the object.

Ownership: 

Guidelines for ownership:
- The account that creates an object is the initial owner
- Ownership is changed by first having permission to take ownership and then by taking ownership
- Full Control permissions are required to take ownership (or the special permission, Take Ownership)

NTFS Folder and File Permissions: 

NTFS Folder and File Permissions Table 9-6 NTFS Folder and File Permissions

NTFS Folder and File Permissions (continued): 

NTFS Folder and File Permissions (continued)

Special Permissions: 

You can customize permissions to meet particular security needs by using special permissions. Special permissions can be used to be extremely specific in granting users one or two particular permissions instead of the generic “Modify” permission.

Configuring Special Permissions: 

Configuring Special Permissions Figure 9-12 Configuring special permissions

Planning Tip: 

Planning Tip Err on the side of too much security at first, because it is easier to give users more permissions later than to take away permissions after users are used to having them

Auditing: 

Auditing Auditing: Tracking the success or failure of events associated with an object, such as writing to a file, and recording the audited events in an event log of a Windows 2000 server or workstation

Configuring Auditing: 

- Start by configuring a group policy for auditing
- Configure auditing on an as-needed basis for particular objects, such as a folder or file

Folder Auditing: 

Folder Auditing Figure 9-13 Configuring folder auditing

Setting an Audit Policy: 

Setting an Audit Policy Figure 9-14 Configuring audit policy as part of the default domain policy

Share Permissions: 

Share Permissions Share permissions: Limited permissions that apply to a particular shared object, such as a shared folder or printer

Configuring Share Permissions: 

Configuring Share Permissions Figure 9-15 Configuring a shared folder

Share Permissions for a Folder: 

- Read: Permits groups or users to read and execute files
- Change: Enables users to read, add, modify, execute, and delete files
- Full Control: Permits full access to the folder, including the ability to take ownership control or change permissions

Offline Access to a Folder through Caching: 

Use the Caching button on the Sharing tab of the folder Properties dialog box to set up a folder for offline access via caching. Caching a folder means that it can be accessed by a client even when the client computer is not connected to the network.

Folder Caching Options: 

- Automatic Caching for Documents: Documents are cached without user intervention; all files in the folder that are opened by the client are cached automatically
- Manual Caching for Documents: Documents are cached only per the user’s request
- Automatic Caching of Programs: Document and program files are automatically cached when opened, but cannot be modified

Multiple Permission Rules NTFS Permissions: 

Users can be members of multiple groups, and each group can be granted different permissions for a resource. NTFS permissions are cumulative. For example:
- Bob’s user account is a member of the Sales group and the Marketing group.
- The Sales group has the NTFS “Modify” permission on the “Sales” folder.
- The Marketing group has the NTFS “Read” permission on the “Sales” folder.
What NTFS permission does Bob have to the Sales folder?

Multiple Permission Rules NTFS Permission: 

Because NTFS permissions are cumulative, Bob’s effective NTFS permission to the Sales folder is “Modify”. When granted different NTFS permissions for a resource, the user is granted the least restrictive of the NTFS permissions, EXCEPT: an explicit denial of permissions overrides all other permissions.

Multiple Permission Rules Share Permissions: 

Share permissions are cumulative. For example:
- Bob’s user account is a member of the Sales group and the Marketing group.
- The Sales group has “full control” share permission to the Sales share.
- The Marketing group has “read” share permission to the Sales share.
What share permission does Bob have to the Sales share?

Multiple Permission Rules Share Permissions: 

Because share permissions are cumulative, Bob’s effective share permission is “full control”. When granted different share permissions for a share, the user is granted the least restrictive of the share permissions, EXCEPT: an explicit denial of permissions overrides all other permissions.

Combined NTFS and Share Permissions: 

If a user is granted different levels of NTFS and share permissions, the effective permission is the MOST RESTRICTIVE. In this example, Bob’s effective NTFS permission is “modify” and his effective share permission is “full control”. When Bob attaches to the Sales share, his effective overall permission will be “modify” because this is the more restrictive of the two.

Troubleshooting a Permissions Conflict: 

1. Check the groups to which a user or group belongs.
2. Find the least restrictive NTFS permissions of all the groups.
3. Find the least restrictive share permissions of all the groups.
4. Of these two, the effective permission will be the most restrictive.
The “deny” permission will override all other permissions granted either explicitly or through a group.

More Examples: 

User | Group memberships and NTFS permissions | Group memberships and share permissions | Effective permissions
Bob | Marketing – Modify; Sales – Read | Marketing – Full Control; Sales – Change | Modify
Maria | Accounting – Read | Accounting – Full Control | Read
Jeff | R&D – Read; Users – Read | R&D – Change; Users – Full Control | Read
Susan | Support – Full Control | Accounting – Change | Change
Mike | Users – Read; Sales – Modify; Marketing – Deny | Users – Full Control; Sales – Full Control; Marketing – Full Control | Deny
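The troubleshooting steps above (cumulative NTFS grants, cumulative share grants, deny overriding everything, and the more restrictive of the two results winning) are mechanical enough to code, and doing so is a good way to check a table like the one just shown. The following is an added example, not part of the original deck: it resolves nested group membership the way the Microsoft guidelines describe (user in a global group, global group in a domain local group, domain local group on the ACL) and then applies the three rules. The single numeric scale that ranks Read below Modify/Change below Full Control is a simplification constructed for this example, as is the choice to report the NTFS label when Modify and Change tie. The scenarios reproduce the table's rows, plus one extra constructed row (Ana) showing nesting.

```python
"""Effective-permission calculator for the multiple-permission rules in the
slides (added example, not from the original deck)."""
from typing import Dict, List, Optional, Set

# One restrictiveness scale for both NTFS and share grants (constructed for
# this example). Deny is kept off the scale because it overrides all grants.
LEVEL = {"Read": 1, "Change": 2, "Modify": 2, "Full Control": 3}


def resolve_groups(principal: str, member_of: Dict[str, List[str]]) -> Set[str]:
    """Transitive closure of group membership, so that a user placed in a
    global group that is nested in a domain local group holds both."""
    seen: Set[str] = set()
    stack = [principal]
    while stack:
        for group in member_of.get(stack.pop(), []):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def cumulative(principals: Set[str], acl: Dict[str, str]) -> Optional[str]:
    """Cumulative rule: the least restrictive grant wins, except that an
    explicit Deny overrides everything. None means no entry applies."""
    grants = [acl[p] for p in principals if p in acl]
    if not grants:
        return None
    if "Deny" in grants:
        return "Deny"
    return max(grants, key=lambda g: LEVEL[g])


def effective(user: str, member_of: Dict[str, List[str]],
              ntfs_acl: Dict[str, str], share_acl: Dict[str, str]) -> Optional[str]:
    """Combined rule: the more restrictive of the NTFS and share results."""
    principals = resolve_groups(user, member_of) | {user}
    ntfs = cumulative(principals, ntfs_acl)
    share = cumulative(principals, share_acl)
    if "Deny" in (ntfs, share):
        return "Deny"
    if ntfs is None or share is None:
        return None          # no grant on one side means no access at all
    # On a tie (Modify vs Change) the NTFS label is reported; that is a
    # choice made for this example, the deck does not say which to use.
    return ntfs if LEVEL[ntfs] <= LEVEL[share] else share


# Constructed scenarios reproducing the deck's "More Examples" table, one row
# per user, each with its own group memberships, NTFS ACL and share ACL.
SCENARIOS = {
    "Bob": ({"Bob": ["Marketing", "Sales"]},
            {"Marketing": "Modify", "Sales": "Read"},
            {"Marketing": "Full Control", "Sales": "Change"}),
    "Maria": ({"Maria": ["Accounting"]},
              {"Accounting": "Read"},
              {"Accounting": "Full Control"}),
    "Jeff": ({"Jeff": ["R&D", "Users"]},
             {"R&D": "Read", "Users": "Read"},
             {"R&D": "Change", "Users": "Full Control"}),
    "Susan": ({"Susan": ["Support", "Accounting"]},
              {"Support": "Full Control"},
              {"Accounting": "Change"}),
    "Mike": ({"Mike": ["Users", "Sales", "Marketing"]},
             {"Users": "Read", "Sales": "Modify", "Marketing": "Deny"},
             {"Users": "Full Control", "Sales": "Full Control", "Marketing": "Full Control"}),
    # Extra constructed row following the Microsoft guideline: the user sits
    # in a global group, the global group in a domain local group, and only
    # the domain local group appears on the ACLs.
    "Ana": ({"Ana": ["SalesStaff"], "SalesStaff": ["SalesFolderReaders"]},
            {"SalesFolderReaders": "Read"},
            {"SalesFolderReaders": "Change"}),
}


def effective_table() -> Dict[str, Optional[str]]:
    """Effective permission for every scenario, keyed by user."""
    return {user: effective(user, *spec) for user, spec in SCENARIOS.items()}


if __name__ == "__main__":
    for user, perm in effective_table().items():
        print(f"{user}: {perm or 'no access'}")
```

Running the block reproduces the table's last column for Bob, Maria, Jeff, Susan and Mike; Ana comes out as Read, because the NTFS Read on the domain local group is more restrictive than the share Change.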

Moving and Copying Files and Folders: 

- A newly created file inherits the permissions already set up in a folder
- A file that is copied from one folder to another on the same volume inherits the permissions of the folder to which it is copied
- A file that is moved from one folder to another on the same volume takes with it the permissions it had in the original folder

Moving and Copying Files and Folders (continued): 

- A file or folder that is moved or copied to a folder on a different volume inherits the permissions of the folder to which it is moved or copied
- A file or folder that is moved or copied from an NTFS volume to a shared FAT folder inherits the share permissions of the FAT folder
- A file or folder moved from a FAT to an NTFS folder inherits the NTFS permissions of that folder

Chapter Summary: 

- Without the Active Directory, use local groups to manage access to resources
- With the Active Directory implemented, use domain local, global, and universal groups to manage resources

Chapter Summary: 

- Windows 2000 Server objects are secured through ACLs, user rights, permissions, inherited rights and permissions, share permissions, Web permissions, auditing, and ownership
- Troubleshoot permissions conflicts by examining the security assigned to all groups to which a user account or group belongs

Managing Accounts and Client Connectivity : 

Managing Accounts and Client Connectivity

Learning Objectives: 

- Establish account naming conventions
- Configure account security policies
- Create and manage accounts, including setting up a new account, configuring account properties, delegating account management, and renaming, disabling, and deleting an account

Learning Objectives (continued): 

- Create local user profiles, roaming profiles, and mandatory profiles
- Configure client network operating systems to access Windows 2000 Server, and install client operating systems through Remote Installation Services

Account Policies: 

Account policies: Security measures set up in a group policy, such as for a domain or local computer. Account policies particularly focus on:
- Password security
- Account lockout
- Kerberos security
Use the Group Policy MMC snap-in to set up account policies.

Setting Account Policies: 

Setting Account Policies Figure 8-1 Account policies

Password Policy Options: 

- Enforce password history: Enables you to require users to choose new passwords when they make a password change, because the system can remember the previously used passwords
- Maximum password age: Permits you to set the maximum time allowed until a password expires
- Minimum password age: Permits you to specify that a password must be used a minimum amount of time before it can be changed

Password Policy Options (continued): 

- Minimum password length: Enables you to require that passwords are a minimum length
- Passwords must meet complexity requirements: Requires passwords to be complex (use upper and lowercase letters, numbers, and special characters; cannot contain the user name, etc.)
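The five password policy options interact at the moment a user tries to change a password, and it is easier to see how when they are written as one decision procedure. The following is an added example, not code from the original deck: a small model in which a proposed password change is checked against minimum age, minimum length, complexity and history, and a separate check reports expiry against the maximum age. The numeric defaults are constructed, ages are given in whole days to keep the model simple, and the complexity test requires three of the four character classes, which is the threshold Windows applies; the slide lists the classes without stating the threshold.

```python
"""Model of the password policy options on the slides (added example, not
part of the original deck). Policy values are constructed; ages are in days."""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    history_count: int = 24      # Enforce password history (0 = none kept)
    max_age_days: int = 42       # Maximum password age
    min_age_days: int = 1        # Minimum password age
    min_length: int = 8          # Minimum password length
    complexity: bool = True      # Passwords must meet complexity requirements


def remember(password: str) -> str:
    """History entry: a hash of the old password, never the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_complexity(password: str, username: str) -> bool:
    """At least three of four character classes, and the account name must
    not appear inside the password (case-insensitive)."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        return False
    return username.lower() not in password.lower()


def evaluate_change(policy: PasswordPolicy, username: str, new_password: str,
                    history: List[str], days_since_change: int) -> List[str]:
    """Return the policy rules a proposed change violates (empty = allowed).
    history holds remember() digests, oldest first."""
    violations: List[str] = []
    if days_since_change < policy.min_age_days:
        violations.append("min_age")          # must keep the current one longer
    if len(new_password) < policy.min_length:
        violations.append("min_length")
    if policy.complexity and not meets_complexity(new_password, username):
        violations.append("complexity")
    recent = history[-policy.history_count:] if policy.history_count else []
    if remember(new_password) in recent:
        violations.append("history")          # reuse of a remembered password
    return violations


def password_expired(policy: PasswordPolicy, days_since_change: int) -> bool:
    """Maximum password age: the user must change it once this is exceeded."""
    return days_since_change > policy.max_age_days


if __name__ == "__main__":
    pol = PasswordPolicy()
    hist = [remember("OldPassw0rd!")]          # constructed history entry
    print(evaluate_change(pol, "alice", "OldPassw0rd!", hist, 5))   # ['history']
    print(evaluate_change(pol, "alice", "Sh0rt!", [], 0))            # ['min_age', 'min_length']
    print(password_expired(pol, 50))                                 # True
```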

Account Lockout Policy Options: 

- Account lockout duration: Permits you to specify in minutes how long the system will keep an account locked out after reaching the specified number of unsuccessful logon attempts
- Account lockout threshold: Enables you to set a limit to the number of unsuccessful tries to log onto an account

Account Lockout Policy Options (continued): 

Account Lockout Policy Options (continued) Reset account lockout count after : Enables you to specify the number of minutes between two consecutive unsuccessful logon attempts to make sure that the account will not be locked out too soon

Kerberos Policy Options : 

Kerberos Policy Options Enforce user logon restrictions : Turns on Kerberos security, which is the default Maximum lifetime for a service ticket : Determines the maximum amount of time in minutes that a service ticket can be used to continually access a particular service in one service session Maximum lifetime for a user ticket : Determines the maximum amount of time in hours that a ticket can be used in one continuous session for access to a computer or domain

Creating Accounts: 

Creating Accounts On a member server (not a domain controller) use the Local Users and Groups MMC snap-in to create accounts On a domain controller, use the Active Directory Users and Computers MMC snap-in to create accounts in the domain.

Creating an OU: 

Creating an OU To create an OU: Click the container in which to create the OU, such as the domain or another OU Click the Create a new organizational unit in the current container button Enter the name of the OU Click OK

Delegating Authority in an OU: 

Delegating Authority in an OU To delegate authority: Right-click the OU and click Delegate control Click Next after the wizard starts Click the Add button and specify the accounts, groups, or computers to have the control Click OK and click Next Select the tasks to delegate and click Next Click Finish

Delegation of Control Options: 

Delegation of Control Options

Using Find to Locate an Account: 

Using Find to Locate an Account To locate a particular account in order to maintain it: Right-click the domain Click Find Enter the username or the account holder’s name Click Find Now

Account Maintenance Activities: 

Account Maintenance Activities Typical account maintenance activities include: Disabling an account, such as when a user takes a leave of absence Enabling an account, such as when a user returns Renaming an account, such as when one user leaves and another user is hired into the same position Moving an account, such as into a different OU

Account Maintenance Activities (continued): 

Account Maintenance Activities (continued) Typical account maintenance activities include (continued): Deleting an account, such as when a user leaves the organization and there will be no replacement Resetting a password for users who do not remember theirs Account auditing to track certain kinds of activity performed by an account holder

Sample Events that Can be Audited for an Account: 

Sample Events that Can be Audited for an Account Logon and logoff activity Account modifications through account management tools Accesses to files and other objects (for files, folders, and objects that are set up to be audited)

Troubleshooting Tip: 

Troubleshooting Tip Management will usually want to audit EVERYTHING Use account auditing sparingly because every audited event is written to the Security log. A server can be overloaded by devoting too much of its resources to auditing.

User Profiles: 

User Profiles What is a profile? Windows maintains a group of settings for each individual user that logs into the system. This group of settings is known as a user “profile” What is included in a profile? Most anything that users may wish to set independently from other users (favorites, desktop wallpaper, email settings, web browser home page, etc.)

User Profiles: 

User Profiles Where are profiles stored? Under the “Documents and Settings” folder on the boot partition. Each time a new user logs in, a new profile is created for them based on the “Default” user profile.

Local vs. Roaming User Profile: 

Local vs. Roaming User Profile Local user profile: a user profile that is stored locally on the boot partition under “Documents and Settings”. Since the profile is local, it will only work on the machine on which it is created. Roaming user profile: a user profile that is copied to a network server so that it can be downloaded to each workstation where the user logs on. This allows the profile to “roam” with the user.

Mandatory User Profile: 

Mandatory User Profile Mandatory User Profile: A user profile set up by the server administrator that is loaded from the server to the client each time the user logs on. Changes that the user makes to the profile are not saved. Used to lock down the desktop and prevent users from customizing it.

Associating a Profile with an Account: 

Associating a Profile with an Account Figure 8-9 Setting a roaming profile in an account’s properties

Active Directory Support for Non-Windows 2000 Clients: 

Active Directory Support for Non-Windows 2000 Clients Plan to install Directory Service Client (DSClient) on Windows 95 and Windows 98 clients DSClient enables non-Windows 2000 Clients for: Kerberos authentication Ability to view and search objects published in the Windows 2000 Active Directory Access a Windows 2000 Distributed File System The Directory Service client can be found on the Windows 2000 Server CD-ROM

Setting Up Client Desktops Using Group Policy and Security Policy: 

Setting Up Client Desktops Using Group Policy and Security Policy Use the Group Policy snap-in to set up group policies that govern clients Group Policy can only be applied to Windows 2000 or later clients. The System Policy Editor (Poledit.exe) can be used to configure system policies for Windows NT and Win9x.

Remote Installation Services: 

Remote Installation Services Remote Installation Services (RIS): Services installed on a Windows 2000 Server that enable you to remotely install Windows 2000 Professional on one or more client computers

RIS Pre-Installation Steps: 

RIS Pre-Installation Steps Purchase the appropriate number of Windows 2000 Professional licenses Make sure the Active Directory is implemented and that there are DHCP and DNS servers on the network Create a Windows 2000 Professional operating system image on a standard PC Create user accounts for the Windows 2000 Professional clients (called pre-staging the clients). This prevents unauthorized users from using Windows 2000 licenses.

RIS Installation Steps: 

RIS Installation Steps Installing RIS is a two stage process: First install RIS using the Control Panel Add/Remove Programs tool Configure RIS from the Add/Remove Programs tool

Installing RIS on the Client: 

Installing RIS on the Client Install in one of two ways: Using a computer that has a boot-enabled PXE compliant NIC Creating a remote boot disk Both methods use the Preboot eXecution Environment (PXE):Services that enable a prospective client to obtain an IP address and to connect to a RIS server in order to install Windows 2000 Professional

Installing RIS on the Client: 

Installing RIS on the Client After booting and contacting the RIS server, the user is presented with a menu to select which RIS image to load.

Chapter Summary: 

Chapter Summary Preparing a server and domain entail configuring accounts and configuring client computers Before configuring accounts, consult with members of your organization about naming standards Set up account policies before configuring accounts

Chapter Summary: 

Chapter Summary After accounts are created, use the account properties capability to supplement or modify parameters for the accounts, such as time of day access restrictions Configure client computers to access Windows 2000 Server, such as installing DSClient

Chapter Summary: 

Chapter Summary Manage clients by setting up group policies or system policies Use RIS to install multiple Windows 2000 Professional clients in order to reduce your TCO

Configuring Server Storage, Backup, and Performance Options : 

Configuring Server Storage, Backup, and Performance Options

Learning Objectives: 

Explain basic and dynamic disks
Partition, format, and manage basic disks and convert them to dynamic disks
Create and manage simple, spanned, striped, RAID-5, and mirrored dynamic disks
Mount a drive

Learning Objectives (continued): 

Manage removable storage and set up media pools
Perform disk backups
Tune server performance
Configure Windows 2000 Server for an uninterruptible power supply (UPS)

Basic Disk: 

Uses traditional disk management techniques for partitions and formatting
Supports primary and extended partitions, RAID 0, RAID 1, and RAID 5
Default disk structure for a new Windows 2000 Server install and when upgrading any previous version of NT Server
Offered for backward compatibility with earlier versions of Windows and MS-DOS

Disk Partitioning: 

Process of dividing a disk into sections (partitions) and formatting those sections into tracks and sectors for a file system
Each partition is assigned a drive letter (C:, D:, etc.) in Windows
Places a master boot record and partition table at the beginning of the disk

Partitioning Tip: 

When you partition a basic disk, leave 1 MB free as workspace; it is needed to convert the disk to a dynamic disk later

Primary and Extended Partitions: 

Primary partition: A partition or portion of a hard disk that is bootable
  Disks must have at least one primary partition and can have up to four
Extended partition: Linked to a primary partition in order to increase the available disk space
  Disks can have only one extended partition, but the extended partition can have many logical drive letters (C:, D:, etc.)
  Used mainly to overcome the limit of 4 primary partitions per disk

Boot and System Partitions: 

Boot partition: A partition that holds the Windows 2000 Server system files (the WINNT folder)
System partition: A partition that contains boot files, such as Boot.ini and Ntldr in Windows 2000 Server

Viewing the System and Boot Partitions: 

Figure 7-3 System and boot partitions

Formatting Using the Disk Management Tool: 

Figure 7-4 Formatting a partition

Formatting Tips : 

When you format a partition, avoid using the quick format option, because it does not check for bad sectors during the format
After you partition and format a disk, be sure to update the emergency repair disk to reflect your change

Volume and Stripe Sets: 

Volume set: Two or more formatted basic disk partitions that are combined to look like one partition with a single drive letter
Stripe set: Two or more basic disks set up so that files are striped for RAID 0 or RAID 5

Converting a Basic Disk to a Dynamic Disk: 

To convert a disk:
  Right-click the basic disk (not a partition) to convert
  Click Upgrade to Dynamic Disk

Converting a Dynamic Disk to a Basic Disk: 

To convert back to a basic disk:
  Back up the dynamic disk
  Delete the dynamic disk volume
  Click the disk, click the Action menu, and click Restore Basic Disk
  Partition and format the disk

Dynamic Disks: 

Dynamic disk: In Windows 2000 Server, a disk that does not use traditional partitioning
There is no restriction on the number of volumes that can be set up on one disk
You can extend volumes onto other physical disks if more space is needed
Dynamic disks are only compatible with Windows 2000

Dynamic Disks (continued): 

Dynamic disks support:
  Spanned volumes and volume extensions
  Up to 32 disks in one spanned volume
  RAID levels 0, 1, and 5
  FAT16, FAT32, and NTFS
  Reactivation if they go offline

Simple Volume: 

Simple volume: A portion of a single disk, or an entire single disk, that has been converted to a dynamic disk and formatted. A simple volume is not fault tolerant.

Spanned Volume: 

Spanned volume: Two or more sections of one or more Windows 2000 dynamic disks that are combined to appear as one disk
A spanned volume can span any part of 2 to 32 disks

Spanned Volume (continued): 

Figure 7-5 Spanned volume (one drive letter)

Design Tip: 

In a spanned volume, if one disk fails, the entire volume is inaccessible. If a portion of a volume is deleted, such as one disk, the entire disk set is deleted. For these reasons, avoid placing mission-critical data and applications on a spanned volume.

Striped Volume: 

Striped volume: Two or more dynamic disks (or equal portions of those disks) that use striping so that files are spread in blocks across the disks
Also known as RAID level 0
Striping requires at least 2 disks (or equal portions of disks) and can include as many as 32
Striping equalizes the disk load, extends the life of disks, and increases disk performance

Striped Volume Layout: 

Figure 7-6 Disks in a striped volume (writing a 720 KB file to a striped volume that spans 5 disks)

Striped Volumes: 

If one or more disks in a striped volume fail, the data will be inaccessible. Frequently back up a striped volume so you do not lose data if a disk failure occurs.

RAID-5 Volume: 

RAID-5 volume: Three or more dynamic disks (or equal portions of those disks) that provide fault tolerance through disk striping and by creating parity blocks for data recovery
A RAID-5 volume is not as fast at writing because it must calculate and write the parity block for each row
RAID-5 is fault tolerant: if a single drive in the volume fails, the parity information can be used to regenerate the lost data

RAID-5 Layout: 

Figure 7-7 Disks in a RAID-5 volume

Disk Space Used for Parity: 

The amount of disk space used for parity is 1/n, where n equals the number of physical disks
When you plan disk capacity, take into account the amount of space (for parity) that cannot be used for production data
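The following is an added example (not from the original slides) that works through the RAID-5 layout, the 1/n parity overhead, and regeneration of a failed disk by XOR of the remaining blocks. The 4 KB block size, the rotating-parity placement rule, and the sample data are constructed for the demonstration; Windows 2000 uses its own stripe size, which does not change the arithmetic.

```python
"""RAID-5 striping with rotating parity: layout, overhead, and rebuild.

Added example, not part of the original slides. BLOCK and the sample data are
constructed; the parity rotation rule is a common textbook choice and is only
an assumption about how a real controller lays rows out.
"""
from typing import List, Optional

BLOCK = 4096  # constructed block size for the demo (bytes)


def xor_blocks(blocks) -> bytes:
    """XOR any number of equal-size blocks together (this is the parity operation)."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(BLOCK, "big")


def parity_disk_for_row(row: int, n_disks: int) -> int:
    """Parity rotates so no single disk becomes the write bottleneck."""
    return (n_disks - 1 - row) % n_disks


def raid5_write(data: bytes, n_disks: int) -> List[List[bytes]]:
    """Stripe `data` across n disks; each row holds n-1 data blocks and one parity block.

    Returns a list with one block list per disk, so disks[d][row] is disk d's block in `row`.
    """
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    data_per_row = n_disks - 1
    padded = data + b"\x00" * (-len(data) % BLOCK)           # pad to whole blocks
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for start in range(0, len(blocks), data_per_row):
        row = start // data_per_row
        row_data = blocks[start:start + data_per_row]
        row_data += [bytes(BLOCK)] * (data_per_row - len(row_data))  # pad a short last row
        pdisk = parity_disk_for_row(row, n_disks)
        next_data = iter(row_data)
        for d in range(n_disks):
            # the parity block is the XOR of the row's data blocks
            disks[d].append(xor_blocks(row_data) if d == pdisk else next(next_data))
    return disks


def raid5_read(disks: List[List[bytes]], length: int, failed: Optional[int] = None) -> bytes:
    """Reassemble the file. If `failed` names a disk, its blocks are regenerated from the others."""
    n = len(disks)
    out = bytearray()
    for row in range(len(disks[0])):
        row_blocks = [disks[d][row] if d != failed else None for d in range(n)]
        if failed is not None:
            # XOR of all surviving blocks (data + parity) equals the missing block
            row_blocks[failed] = xor_blocks(b for b in row_blocks if b is not None)
        pdisk = parity_disk_for_row(row, n)
        for d in range(n):
            if d != pdisk:
                out += row_blocks[d]
    return bytes(out[:length])


def parity_fraction(n_disks: int) -> float:
    """Share of raw capacity consumed by parity: exactly one block per row of n."""
    return 1 / n_disks


def usable_bytes(n_disks: int, bytes_per_disk: int) -> int:
    """Capacity left for production data once parity is accounted for."""
    return bytes_per_disk * (n_disks - 1)


if __name__ == "__main__":
    sample = bytes((i * 7) & 0xFF for i in range(10000))   # constructed 10,000-byte "file"
    array = raid5_write(sample, 5)
    print("rows per disk:", len(array[0]), "parity overhead:", parity_fraction(5))
    for lost in range(5):
        assert raid5_read(array, len(sample), failed=lost) == sample
    print("file recovered with any single disk missing")
```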

Mirrored Volume: 

Mirrored volume: Two dynamic disks that are set up so that data on one disk is stored (mirrored) on a redundant disk
Disk read performance is the same as reading from a simple volume, but the disk write time is increased in order to write to both disks

Design Caution: 

The system and boot partitions can be on a simple, spanned, or mirrored volume, but not on a striped or RAID-5 volume (unless hardware RAID is used)

Disk Performance and Repair: 

You can extend the life of disks by using striped or RAID-5 volumes because read/write requests are spread across all disks
Regularly defragment disks to extend disk life and increase performance

Using the Disk Defragmenter: 

Figure 7-8 Analyzing a disk’s fragmentation

Troubleshooting Tip: 

Ensure disk integrity and repair disk problems by using the “check disk” utility, chkdsk
Chkdsk can check FAT16, FAT32, and NTFS formatted volumes

Chkdsk: 

In NTFS, chkdsk can check:
  Files
  Folders
  Indexes
  Security descriptors
  User files
  Disk allocation units
If there is physical damage on a disk, use chkdsk with the /r switch to identify bad sectors

Mounted Drive: 

Windows 2000 offers the ability to access a physical disk, CD-ROM, or Zip drive through a folder that appears on another drive letter. Using mounted drives enables you to add new drives without allocating drive letters.

Disk Security Through Backup: 

Try to back up a server to a tape drive attached to the server. This provides several advantages:
  No load on the network while backing up
  If each server has its own tape drive, you can back up other servers if one tape drive fails
  The registry can only be backed up locally (without third-party backup tools)

Windows 2000 Backup Options: 

Windows 2000 Server backup options:
  Normal – a full backup – backs up everything selected in the backup job (whether changed or not) and removes the archive attribute
  Incremental – a partial backup – only backs up files that have changed since the last full backup or incremental backup and removes the archive attribute
  Differential – a partial backup – backs up all files that have changed since the last full backup (even if they have not changed since the last differential backup) and does not remove the archive attribute

Windows 2000 Backup Options: 

Copy – backs up only the files or directories selected and leaves the archive attribute unchanged
Daily – backs up only the files that have changed on the day the backup is performed and leaves the archive attribute unchanged
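As an added example (not from the original slides), the following models the five backup types above against a small constructed file set, so you can see which files each type captures, which types clear the archive attribute, and therefore which backups are needed to restore the latest state. File names and day numbers are constructed for the demonstration.

```python
"""Backup type versus archive attribute, as an added example (not from the slides).

Each file carries an archive attribute that Windows sets whenever the file is
created or changed. The rules below follow the slide text: Normal and
Incremental clear the attribute; Differential, Copy and Daily leave it alone.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class File:
    name: str
    modified_day: int       # constructed day number on which the file last changed
    archive: bool = True    # archive attribute: set on create/modify


class Volume:
    def __init__(self) -> None:
        self.files: Dict[str, File] = {}

    def write(self, name: str, day: int) -> None:
        """Create or modify a file; either way the archive attribute is set."""
        f = self.files.get(name)
        if f is None:
            self.files[name] = File(name, day)
        else:
            f.modified_day = day
            f.archive = True


def backup(volume: Volume, kind: str, today: int, selected: Optional[List[str]] = None) -> List[str]:
    """Run one backup job of `kind` on day `today`; return the sorted names it captured."""
    names = selected if selected is not None else list(volume.files)
    captured = []
    for name in names:
        f = volume.files[name]
        if kind in ("normal", "copy"):
            take = True                         # everything selected, changed or not
        elif kind in ("incremental", "differential"):
            take = f.archive                    # changed since the last clearing backup
        elif kind == "daily":
            take = f.modified_day == today      # changed today, attribute ignored
        else:
            raise ValueError(f"unknown backup type: {kind}")
        if take:
            captured.append(name)
            if kind in ("normal", "incremental"):
                f.archive = False               # only these two clear the attribute
    return sorted(captured)


def simulate(partial_kind: str) -> List[List[str]]:
    """Normal backup on day 1, then `partial_kind` on days 2 and 3 as files b and c change."""
    vol = Volume()
    for name in ("a", "b", "c"):
        vol.write(name, day=1)
    runs = [backup(vol, "normal", today=1)]
    vol.write("b", day=2)
    runs.append(backup(vol, partial_kind, today=2))
    vol.write("c", day=3)
    runs.append(backup(vol, partial_kind, today=3))
    return runs


def restore_chain(partial_kind: str, n_partials: int) -> List[int]:
    """Indices (0 = the full backup) that must be restored to reach the latest state."""
    if partial_kind == "incremental":
        return list(range(n_partials + 1))      # full plus every incremental, in order
    if partial_kind == "differential":
        return [0, n_partials] if n_partials else [0]   # full plus only the newest differential
    raise ValueError(partial_kind)


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        print(kind, simulate(kind), "restore:", restore_chain(kind, 2))
```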

Starting a Backup : 

Figure 7-10 Manually starting a backup

Scheduling Backups: 

For regularly performed backups, use the scheduling capability in the Backup tool, which actually employs the Scheduled Tasks tool

Configuring a Scheduled Backup: 

Figure 7-11 Scheduling a backup job

Performing a Restore: 

Perform a restore by using the Backup tool and clicking the Restore tab
You can restore all files and folders from a backup job or only those you select specifically

Configuring Application Performance: 

Windows 2000 can be optimized for applications or for background services
Use Applications performance when a system will be used by someone logged in at the console
Use Background services when a system will fulfill requests for services on the network (file and print)
Application performance is tuned by opening the Control Panel System icon, accessing the Advanced tab, and clicking the Performance Options button

Configuring Virtual Memory: 

Virtual memory is a file (called the page file) stored on the hard disk and is used to store programs and data when there is little available RAM
The general formula for configuring a page file is to size it at 1.5 times the amount of RAM
For performance, tune a server by configuring the page file to be stored on a hard disk separate from the disk that contains the operating system
Virtual memory settings can be found under Control Panel, System, Advanced, Performance Options

Page File Configuration: 

Figure 7-12 Configuring virtual memory

Configuring Server RAM: 

Configuring Server RAM

Configuring Server RAM (continued): 

These options are found in the properties of File and Printer Sharing.

Configuring RAM Allocation: 

Figure 7-13 Adjusting memory allocation

Chapter Summary: 

Windows 2000 Server supports two kinds of disks, basic and dynamic
Basic disks are for backward compatibility; dynamic disks offer comprehensive disk management
Windows 2000 Server supports many kinds of removable storage such as tapes, CD-ROMs, CD-RWs, Zip, and Jaz drives

Chapter Summary: 

Removable storage is managed through libraries and media pools
Server backups are handled through the Backup tool, which offers several backup alternatives
Tune your server right away for running applications, virtual memory, and memory used for network connectivity

Managing Accounts and Client Connectivity : 

Managing Accounts and Client Connectivity

Learning Objectives: 

Establish account naming conventions
Configure account security policies
Create and manage accounts, including setting up a new account, configuring account properties, delegating account management, and renaming, disabling, and deleting an account

Learning Objectives (continued): 

Create local user profiles, roaming profiles, and mandatory profiles
Configure client network operating systems to access Windows 2000 Server, and install client operating systems through Remote Installation Services

Account Policies: 

Account policies: security measures set up in a group policy, such as for a domain or local computer
Account policies particularly focus on:
  Password security
  Account lockout
  Kerberos security
Use the Group Policy MMC snap-in to set up account policies

Setting Account Policies: 

Figure 8-1 Account policies

Password Policy Options: 

Enforce password history: Enables you to require users to choose new passwords when they make a password change, because the system can remember the previously used passwords
Maximum password age: Permits you to set the maximum time allowed until a password expires
Minimum password age: Permits you to specify that a password must be used a minimum amount of time before it can be changed

Password Policy Options (continued): 

Minimum password length: Enables you to require that passwords are a minimum length
Passwords must meet complexity requirements: Requires passwords to be complex (use upper- and lowercase letters, numbers, and special characters; cannot contain the user name, etc.)

Account Lockout Policy Options: 

Account lockout duration: Permits you to specify in minutes how long the system will keep an account locked out after the specified number of unsuccessful logon attempts is reached
Account lockout threshold: Enables you to set a limit on the number of unsuccessful attempts to log on to an account

Account Lockout Policy Options (continued): 

Reset account lockout count after: Enables you to specify the number of minutes that must pass after an unsuccessful logon attempt before the count of unsuccessful attempts is reset to zero, so that an account is not locked out too soon
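To show how the three lockout settings interact, here is an added example (not from the original slides) that replays a constructed sequence of logon attempts against a lockout policy and reports when the account locks and when it becomes usable again. The policy values, timestamps and attempt sequence are constructed; the rules follow the slide text (threshold 0 disables lockout, duration 0 means locked until an administrator unlocks it).

```python
"""Replay logon attempts against an Account Lockout Policy.

Added example, not part of the original slides. Models the three settings
(threshold, duration, reset count after) so an administrator can see which
attempt trips the lockout and when the account is usable again.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

T0 = datetime(2000, 1, 1, 9, 0)          # constructed reference time (09:00)


def at(minutes: int) -> datetime:
    """Constructed timestamp `minutes` after 09:00."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class LockoutPolicy:
    threshold: int              # Account lockout threshold (0 = never lock out)
    duration_minutes: int       # Account lockout duration (0 = until an administrator unlocks)
    reset_after_minutes: int    # Reset account lockout count after (minutes)


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None
    locked_forever: bool = False

    def is_locked(self, now: datetime) -> bool:
        if self.locked_forever:
            return True
        return self.locked_until is not None and now < self.locked_until


def apply_attempt(policy: LockoutPolicy, state: AccountState, when: datetime, success: bool) -> str:
    """Process one logon attempt and return a short outcome string."""
    # A lockout whose duration has expired clears itself and the bad-attempt counter
    if state.locked_until is not None and when >= state.locked_until:
        state.locked_until = None
        state.bad_count = 0
    if state.is_locked(when):
        return "rejected: account locked out"       # even a correct password is refused
    # The counter resets once the reset window has passed since the last bad attempt
    if state.last_bad is not None and policy.reset_after_minutes > 0:
        if when - state.last_bad >= timedelta(minutes=policy.reset_after_minutes):
            state.bad_count = 0
    if success:
        state.bad_count = 0
        return "logon OK"
    state.bad_count += 1
    state.last_bad = when
    if policy.threshold == 0:
        return "bad password (lockout disabled)"
    if state.bad_count >= policy.threshold:
        if policy.duration_minutes == 0:
            state.locked_forever = True            # stays locked until an administrator unlocks it
            return "bad password -> LOCKED OUT (until admin unlock)"
        state.locked_until = when + timedelta(minutes=policy.duration_minutes)
        return f"bad password -> LOCKED OUT until {state.locked_until:%H:%M}"
    return f"bad password ({state.bad_count}/{policy.threshold})"


def run(policy: LockoutPolicy, attempts: List[Tuple[datetime, bool]]) -> List[str]:
    """Replay (timestamp, success) pairs in order and return each outcome."""
    state = AccountState()
    return [apply_attempt(policy, state, when, ok) for when, ok in attempts]


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, duration_minutes=30, reset_after_minutes=15)
    attempts = [(at(0), False), (at(5), False), (at(25), False), (at(26), False),
                (at(27), False), (at(30), True), (at(60), True)]
    for (when, _), outcome in zip(attempts, run(policy, attempts)):
        print(f"{when:%H:%M}  {outcome}")
```

The 09:25 attempt shows the reset window at work: twenty minutes after the previous failure the counter starts over at 1, so the lockout only trips at the third failure in quick succession.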

Kerberos Policy Options : 

Enforce user logon restrictions: Turns on Kerberos security, which is the default
Maximum lifetime for a service ticket: Determines the maximum amount of time in minutes that a service ticket can be used to continually access a particular service in one service session
Maximum lifetime for a user ticket: Determines the maximum amount of time in hours that a ticket can be used in one continuous session for access to a computer or domain

Creating Accounts: 

On a member server (not a domain controller), use the Local Users and Groups MMC snap-in to create accounts
On a domain controller, use the Active Directory Users and Computers MMC snap-in to create accounts in the domain

Creating an OU: 

To create an OU:
  Click the container in which to create the OU, such as the domain or another OU
  Click the Create a new organizational unit in the current container button
  Enter the name of the OU
  Click OK

Delegating Authority in an OU: 

To delegate authority:
  Right-click the OU and click Delegate control
  Click Next after the wizard starts
  Click the Add button and specify the accounts, groups, or computers to have the control
  Click OK and click Next
  Select the tasks to delegate and click Next
  Click Finish

Delegation of Control Options: 

Delegation of Control Options

Using Find to Locate an Account: 

To locate a particular account in order to maintain it:
  Right-click the domain
  Click Find
  Enter the username or the account holder’s name
  Click Find Now

Account Maintenance Activities: 

Typical account maintenance activities include:
  Disabling an account, such as when a user takes a leave of absence
  Enabling an account, such as when a user returns
  Renaming an account, such as when one user leaves and another user is hired into the same position
  Moving an account, such as into a different OU

Account Maintenance Activities (continued): 

Typical account maintenance activities include (continued):
  Deleting an account, such as when a user leaves the organization and there will be no replacement
  Resetting a password for users who do not remember theirs
  Account auditing to track certain kinds of activity performed by an account holder

Sample Events that Can be Audited for an Account: 

Logon and logoff activity
Account modifications through account management tools
Accesses to files and other objects (for files, folders, and objects that are set up to be audited)

Troubleshooting Tip: 

Management will usually want to audit EVERYTHING
Use account auditing sparingly, because every audited event is written to the Security log. A server can be overloaded by devoting too much of its resources to auditing.

User Profiles: 

What is a profile? Windows maintains a group of settings for each individual user that logs into the system. This group of settings is known as a user “profile”.
What is included in a profile? Most anything that users may wish to set independently from other users (favorites, desktop wallpaper, email settings, web browser home page, etc.)

User Profiles: 

Where are profiles stored? Under the “Documents and Settings” folder on the boot partition. Each time a new user logs in, a new profile is created for them based on the “Default” user profile.

Local vs. Roaming User Profile: 

Local user profile: a user profile that is stored locally on the boot partition under “Documents and Settings”. Since the profile is local, it will only work on the machine on which it is created.
Roaming user profile: a user profile that is copied to a network server so that it can be downloaded to each workstation where the user logs on. This allows the profile to “roam” with the user.

Mandatory User Profile: 

Mandatory user profile: A user profile set up by the server administrator that is loaded from the server to the client each time the user logs on. Changes that the user makes to the profile are not saved. Used to lock down the desktop and prevent users from customizing it.

Associating a Profile with an Account: 

Figure 8-9 Setting a roaming profile in an account’s properties

Active Directory Support for Non-Windows 2000 Clients: 

Plan to install Directory Service Client (DSClient) on Windows 95 and Windows 98 clients
DSClient enables non-Windows 2000 clients for:
  Kerberos authentication
  Ability to view and search objects published in the Windows 2000 Active Directory
  Access to a Windows 2000 Distributed File System
The Directory Service Client can be found on the Windows 2000 Server CD-ROM

Setting Up Client Desktops Using Group Policy and Security Policy: 

Use the Group Policy snap-in to set up group policies that govern clients
Group Policy can only be applied to Windows 2000 or later clients. The System Policy Editor (Poledit.exe) can be used to configure system policies for Windows NT and Win9x.

Remote Installation Services: 

Remote Installation Services (RIS): Services installed on a Windows 2000 Server that enable you to remotely install Windows 2000 Professional on one or more client computers

RIS Pre-Installation Steps: 

Purchase the appropriate number of Windows 2000 Professional licenses
Make sure Active Directory is implemented and that there are DHCP and DNS servers on the network
Create a Windows 2000 Professional operating system image on a standard PC
Create user accounts for the Windows 2000 Professional clients (called pre-staging the clients). This prevents unauthorized users from using Windows 2000 licenses.

RIS Installation Steps: 

Installing RIS is a two-stage process:
  First install RIS using the Control Panel Add/Remove Programs tool
  Then configure RIS from the Add/Remove Programs tool

Installing RIS on the Client: 

Install in one of two ways:
  Using a computer that has a boot-enabled, PXE-compliant NIC
  Creating a remote boot disk
Both methods use the Preboot eXecution Environment (PXE): services that enable a prospective client to obtain an IP address and to connect to a RIS server in order to install Windows 2000 Professional

Installing RIS on the Client: 

After booting and contacting the RIS server, the user is presented with a menu to select which RIS image to load.

Chapter Summary: 

Preparing a server and domain entails configuring accounts and configuring client computers
Before configuring accounts, consult with members of your organization about naming standards
Set up account policies before configuring accounts

Chapter Summary: 

After accounts are created, use the account properties capability to supplement or modify parameters for the accounts, such as time-of-day access restrictions
Configure client computers to access Windows 2000 Server, such as by installing DSClient

Chapter Summary: 

Manage clients by setting up group policies or system policies
Use RIS to install multiple Windows 2000 Professional clients in order to reduce your TCO

Installing and Managing Printers : 

Installing and Managing Printers

Learning Objectives: 

Explain and apply the fundamentals of Windows 2000 Server printing
Install local, network, and Internet printing services in Windows 2000 Server
Configure printing services for all types of needs

Learning Objectives (continued): 

Manage printers and print services
Solve common printing problems

Basic Concepts: 

Print server: A network computer or server device that connects printers to the network for sharing and that receives and processes print requests from print clients
Print client: A client computer that generates a print job

Standalone Print Server Devices: 

Figure 11-1 Print server devices

Basic Concepts (continued): 

Spooling: A process working in the background to enable several print files to go to a single printer. Each file is placed in temporary storage until its turn comes to be printed.
Printer driver: A file containing information needed to control a specific printer, implementing customized printer control codes, font, and style information.

Printing Stages: 

Figure 11-2 Printing stages

How Network Printing Works: 

A software application creates a print file, communicating with the graphics device interface (GDI) as it creates the file to include printer control information
The print file is temporarily spooled at the client
The remote print provider at the client makes a remote procedure call to the network print server

How Network Printing Works (continued): 

The print file is transmitted to the Server service on the Windows 2000 Server print server
At the print server, the “router” (Print Spool service) directs the print file to the print provider
The print provider stores the file in the print server’s spooler

How Network Printing Works (continued): 

While in the spooler, the print provider works with the print processor to format the printing for the correct data type (such as TEXT or RAW)
When the file is completely formatted, the print monitor sends the print file from the spooler to the printer

Design Tip: 

When you plan disk space for a Windows 2000 Server, take into account the type of printing at that server and the number of users. For example, if there are times when 50 users are sending 1 MB print files simultaneously, then you need to plan on at least 50 MB of disk space just for the print spooler.

How Internet Printing Works: 

How Internet Printing Works
When an application generates a print file, the file is processed through the client’s browser, which works with the GDI
The browser makes a remote procedure call (using the HTTP and IPP protocols) to the Internet Information Services (IIS) in Windows 2000 Server
The IIS transfers the print file to the regular Windows 2000 Print Spool service

Print Job Data Type: 

Print Job Data Type Data type: The way in which information is formatted in a print file, such as with no formatting, text-type formatting, formatting for Windows-based systems, and formatting for postscript systems

Data Types: 

Data Types
RAW: Used with MS-DOS, Windows 3.x, and UNIX
RAW with FF appended: Puts a form feed code at the end of the print file
RAW with FF auto: Checks for a form feed code at the end of the print file and inserts a form feed if one is not present

Data Types: 

Data Types
TEXT: Used for ANSI-type files, such as from older word processors and text editors
Enhanced Metafile (EMF): Used for Windows-based print files that use GDI at the client
PSCRIPT1: Used to translate Macintosh PostScript-formatted files to non-PostScript

Print Monitors: 

Print Monitors
Local port: sends print jobs to a local port, such as LPT1 or COM1, and to a regular file
Standard TCP/IP Port: sends print jobs to IP print servers, such as an HP print server card
LPR: used to coordinate printing with LPR-compatible UNIX, DEC, and IBM mainframe and minicomputers

Print Monitors (continued): 

Print Monitors (continued)
Hewlett-Packard Network Port: used for older HP-type printers with print server cards that do not support TCP/IP but that do support printing through the DLC protocol
AppleTalk Printing Devices Port: used for Macintosh clients that communicate via the AppleTalk protocol to PostScript LaserWriter-type printers

Print Monitors (continued): 

Print Monitors (continued) Pjlmon.dll and Usbmon.dll: monitors that you install manually and that are used for bidirectional printers and printers attached to USB ports

Windows 2000 Server Print Monitors: 

Windows 2000 Server Print Monitors Table 11-1 Windows 2000 Server Print Monitors

Sample Candidates That Can Host a Shared Printer: 

Sample Candidates That Can Host a Shared Printer
Windows 2000 Server and Professional
Windows NT Server and Workstation
Windows 98
Windows 95

Printer Sharing: 

Printer Sharing Figure 11-3 Shared network printers

Printer Installation: 

Printer Installation
Depending on the level of Plug and Play sophistication, a printer can be installed in one of several ways, such as:
Automatic or manual detection (or a combination of both) using the Add/Remove Hardware Wizard
Automatic or manual detection (or a combination of both) using the Add Printer Wizard

Detecting a Newly Connected Printer: 

Detecting a Newly Connected Printer Figure 11-4 Add/Remove Hardware Wizard detecting the printer

Configuring a Local Printer via the Add Printer Wizard: 

Configuring a Local Printer via the Add Printer Wizard Figure 11-5 Setting up a local printer

Troubleshooting Tip: 

Troubleshooting Tip If a Plug and Play compatible printer is not automatically detected, make sure that the Plug and Play service is started

Configuring a Print Monitor: 

Configuring a Print Monitor
During a manual installation process, use the Create a new port radio button to configure a particular print monitor (or configure one later in the printer’s properties) and select from:
AppleTalk Printing Devices
Hewlett-Packard Network Port
Local Port
Standard TCP/IP Port

Selecting the Type of Printer: 

Selecting the Type of Printer Also during the manual installation process, you can specify the manufacturer and model of printer in order to select the right printer driver

Selecting the Type of Printer (continued): 

Selecting the Type of Printer (continued) Figure 11-6 Entering the type of printer

Specifying a Printer Name and Printer Share Name: 

Specifying a Printer Name and Printer Share Name During a manual installation, you can specify a printer name and a printer share name

Entering a Printer Share Name: 

Entering a Printer Share Name Figure 11-7 Creating a shared printer

Printer and Printer Share Name Guidelines: 

Printer and Printer Share Name Guidelines
Compose names that are easily understood and spelled by those who will use the printer
Include a room number, floor, or workstation name to help identify where the printer is located
Include descriptive information about the printer, such as the type, manufacturer, or model

Review of the Setup Parameters: 

Review of the Setup Parameters When you manually set up a printer, there is the option to review setup parameters

Review of the Setup Parameters (continued): 

Review of the Setup Parameters (continued) Figure 11-8 Printer setup summary

Printer Properties: 

Printer Properties
After a printer is set up you can manage the printer’s properties, which include:
General printer information
Printer sharing
Printer port setup
Printer scheduling and advanced options
Security
Device settings

General Printer Properties: 

General Printer Properties
The general printer properties include:
The printer name
The printer location
A descriptive comment about the printer
The printer model
The printer’s features

General Printer Properties (continued): 

General Printer Properties (continued) Figure 11-9 Printer Properties General tab

Sharing Properties: 

Sharing Properties
The Sharing tab is used to:
Enable or disable sharing
Specify the share name
Publish the printer in the Active Directory (if the Active Directory is installed)
Install additional drivers for clients other than Windows 2000

Sharing Properties (continued): 

Sharing Properties (continued) Figure 11-10 Configuring printer sharing

Port Properties: 

Port Properties
The Ports tab enables you to:
Associate a printer with a port
Set up printer pooling
Enable bidirectional printing
Add a new port, such as a print monitor
Remove a port
Configure a port in terms of timeout parameters (for parallel ports), and port speed, data bits, parity, stop bits, and flow control (for serial ports)

Printer Pooling: 

Printer Pooling Printer pooling: Linking two or more identical printers with one printer setup or printer share

Configuring Ports: 

Configuring Ports Figure 11-11 Configuring printer ports

Troubleshooting Tip: 

Troubleshooting Tip When configuring a bidirectional printer, make sure that you use an IEEE 1284 cable and check the BIOS setup to configure the port as bidirectional

Advanced Printer Properties: 

Advanced Printer Properties
The printer properties that you can configure on the Advanced tab include:
Printer scheduling
The printer’s priority
Printer spooling
Holding mismatched documents
Printing spooled documents first
Keeping printed documents (after they have printed)
Enabling advanced printing features
Specifying print processors and data types
Configuring the separator page

Advanced Printer Properties (continued): 

Advanced Printer Properties (continued) Figure 11-12 Advanced printer properties

Troubleshooting Tip: 

Troubleshooting Tip If pages are intermixing from different printouts try selecting the option, Start printing after last page is spooled

Troubleshooting Tip: 

Troubleshooting Tip Use the Hold mismatched documents option to save paper and free the printer when there are users who often send a document formatted for another printer

Separator Page files: 

Separator Page Files
Sysprint.sep: used for PostScript-only printers
Pcl.sep: used to print in Printer Control Language (PCL) for printers that can do either PCL or PostScript
Pscript.sep: used to print in PostScript for printers that can do either PCL or PostScript

Separator Page Customization Codes: 

Separator Page Customization Codes Table 11-2 Separator Page Customization Codes

Separator Page Customization Codes (continued): 

Separator Page Customization Codes (continued)

Design Tip: 

Design Tip Use separator and banner pages sparingly because they can add to paper costs

Security Properties: 

Security Properties
The printer Properties Security tab enables you to set up:
Printer permissions
Special permissions
Auditing
Ownership

Printer Share Permissions: 

Printer Share Permissions Table 11-3 Printer Share Permissions

Security Properties (continued): 

Security Properties (continued) Figure 11-13 Configuring security

Printer Events That Can Be Audited: 

Printer Events That Can Be Audited
The successful or failed activities that can be audited are:
Print jobs
Manage printers
Manage documents
Read printer share permissions
Change printer share permissions
Take ownership of the printer

Design Tip: 

Design Tip Periodically use the Security Configuration and Analysis MMC snap-in to review and analyze the security and group policies that are set up for printers, accounts, and other objects

Printer Device Properties: 

Printer Device Properties
The Device Settings tab in the printer Properties is used to configure:
Printer trays
Printer memory
Paper size
Fonts
Specialized features of a printer

Printer Device Properties (continued): 

Printer Device Properties (continued) Figure 11-14 Configuring printer device settings

Troubleshooting Tip: 

Troubleshooting Tip If a PostScript printer seems slow, use the Device Settings tab in that printer’s properties to set up virtual memory for the printer

Configuring a Nonlocal or Internet Printer: 

Configuring a Nonlocal or Internet Printer
You can set up and even manage a printer that is not physically connected to the server by:
Starting the Add Printer Wizard and selecting to configure a network printer
Locating the printer on the network or through the Internet (or specifying the printer’s name or URL)
Completing the steps as prompted by the Wizard

Configuring a Printer by IP and MAC Addresses: 

Configuring a Printer by IP and MAC Addresses
Configure print server cards by using the IP and MAC address to identify the card:
Start the Add Printer Wizard
Select to install a local printer without PnP
Select to create a new port and use the Standard TCP/IP Port option
Specify the print server’s IP address
Specify the type of print server
Complete the remaining steps under the guidance of the Wizard

Configuring a Printer by IP and MAC Addresses (continued): 

Configuring a Printer by IP and MAC Addresses (continued) Figure 11-15 Configuring a TCP/IP port

Configuring a Printer by IP and MAC Addresses (continued): 

Configuring a Printer by IP and MAC Addresses (continued) Figure 11-16 The new TCP/IP port

Design Tip: 

Design Tip If you are configuring a print server that is a mainframe, UNIX, or other similar computer, use the LPR print monitor in the setup

Managing a Printer: 

Managing a Printer
You can manage a printer in the Printers folder through its icon
Example activities that you can manage are:
To make a printer the default
To pause a printer
To set printing preferences
To configure the printer’s properties

Managing a Printer (continued): 

Managing a Printer (continued) Figure 11-17 Designating a default printer

Managing Print Documents: 

Managing Print Documents
You can also manage documents sent to a printer by opening that printer’s icon in the Printers folder
Example activities that you can manage include:
Pausing a print job
Restarting a print job
Viewing the properties of a print job (including resetting the priority of the job)

Troubleshooting Tip: 

Troubleshooting Tip
If a printer malfunctions, move the jobs in its queue to another printer by one of two methods:
Move the jobs to a port already configured for multiple or pooled printers connected to the same computer
Add a new port on the broken printer’s setup that points to a printer that is working

Troubleshooting Tip: 

Troubleshooting Tip If all printing stops or hangs on computers connected to a Windows 2000 print server, try stopping and starting the Print Spooler service (but warn users that their print jobs will be deleted)

Chapter Summary: 

Chapter Summary
A Windows 2000 Server can be turned into a print server to manage printers connected to it and shared printers connected to other computers
Learn how to use the appropriate print monitors and data types for specific kinds of printer setups

Chapter Summary: 

Chapter Summary
A new printer can be installed using the Add/Remove Hardware Wizard, the Add Printer Wizard, or both
There is a full range of printer properties that you can configure for all kinds of purposes, such as spooling parameters, printer drivers, printer ports, print monitors, data types, printer scheduling, security, and many others

Chapter Summary: 

Chapter Summary Windows 2000 Server includes options to manage a printer, such as pausing it, as well as options to manage documents, such as pausing or deleting documents

Network Monitoring and Tuning : 

Network Monitoring and Tuning

Learning Objectives: 

Learning Objectives
Establish network benchmarks
Install Network Monitor Driver
Install, configure, and use Network Monitor, including setting up filters and triggers
Install and configure SNMP service

Learning Objectives (continued): 

Learning Objectives (continued)
Use System Monitor to monitor a network
Troubleshoot and tune a network

Network Monitoring: 

Network Monitoring
Networks are dynamic, with changing patterns of activity and rapid growth toward more high-bandwidth demand
Monitoring a network is important to be able to distinguish between problems due to the network and problems due to servers connected to the network

Network Benchmarks: 

Network Benchmarks
Plan to obtain network benchmarks to help with problem diagnosis and planning, such as:
Slow, average, and peak network activity in relation to the work patterns of an organization
Network activity that is related to specific protocols
Network activity that is related to specific servers and host computers

Network Benchmarks (continued): 

Network Benchmarks (continued)
Network activity that is related to workstations
Network activity on individual subnets or portions of a larger network
Network traffic related to WAN transmissions
Network traffic created by particular software

Windows 2000 Network Monitoring Tools: 

Windows 2000 Network Monitoring Tools
Network monitoring and management tools in Windows 2000 include:
Network Monitor Driver
Network Monitor
SNMP service
System Monitor

Network Monitor Driver and Network Monitor: 

Network Monitor Driver and Network Monitor
Network Monitor Driver: Enables a Microsoft-based server or workstation NIC to gather network performance data for assessment by the Microsoft Network Monitor
Network Monitor: A Windows NT and Windows 2000 network monitoring tool that can capture and display network performance data

Server Activities to Monitor : 

Server Activities to Monitor Figure 15-1 Using Network Monitor Driver to gather network performance information on two separate networks

Installing Network Monitor Driver: 

Installing Network Monitor Driver
To install Network Monitor Driver:
Open the Network and Dial-Up Connections tool
Right-click Local Area Connection
Click Properties
Click Install
Double-click Protocol
Double-click Network Monitor Driver

Installing Network Monitor Driver (continued): 

Installing Network Monitor Driver (continued) Figure 15-2 Installing Network Monitor Driver

Using Network Monitor: 

Using Network Monitor
Network Monitor tracks information such as:
Percent network utilization
Frames and bytes transported per second
Network station statistics
Statistics captured for a specific interval of time
Transmissions per second

Using Network Monitor (continued): 

Using Network Monitor (continued)
Broadcast, unicast, and multicast information
NIC statistics
Error data
Addresses of network stations
Other network computers running Network Monitor and Network Monitor Driver

Installing Network Monitor : 

Installing Network Monitor
The general steps to install Network Monitor are:
Open the Add/Remove Programs tool
Double-click the component, Management and Monitoring Tools
Check Network Monitor Tools

Installing Network Monitor (continued) : 

Installing Network Monitor (continued) Figure 15-3 Installing Network Monitor tools

Starting Network Monitor : 

Starting Network Monitor
The general steps for starting a capture session in Network Monitor are:
Start Network Monitor from the Administrative Tools menu
Select the network to monitor
Click the Capture button to start capturing information
Click the Stop Capture button to stop capturing information

Capturing Network Data: 

Capturing Network Data Figure 15-4 Network Monitor capturing data (callouts: Total pane, Graph pane, Session pane, Station pane)

Monitoring Tip : 

Monitoring Tip As is true of other monitoring tools, Network Monitor can create an extra load on a server

Network Monitor Display : 

Network Monitor Display Data captured in Network Monitor is displayed interactively in four window panes, but can be customized to show only one, two, or three panes

Network Monitor Panes : 

Network Monitor Panes

Viewing a Line-by-Line Report: 

Viewing a Line-by-Line Report After data is captured, you can view a line-by-line capture summary report by clicking the Stop and View Capture button

Viewing a Line-by-Line Report : 

Viewing a Line-by-Line Report Figure 15-5 Viewing capture summary data

Capture Summary Window Information: 

Capture Summary Window Information Table 15-2 Capture Summary Window Information

Capture Summary Window Information (continued): 

Capture Summary Window Information (continued)

Finding Specific Capture Summary Information: 

Finding Specific Capture Summary Information Use the Find button in the capture summary display to find specific information

Using Find: 

Using Find Figure 15-6 Finding Transmission Events Associated with Server Lawyer

Monitoring Filter : 

Monitoring Filter
Network Monitor has a built-in ability to configure a filter
Filter: A capacity in network monitoring software that enables a network or server administrator to view only designated protocols, network events, network nodes, or other specialized views of the network

Creating a Filter: 

Creating a Filter
To create a filter in Network Monitor:
Click the Edit Capture Filter button and click OK
Set the specific parameters by double-clicking any of: SAP/ETYPE, Address Pairs, and Pattern Matches
Click OK
Continue capturing data

Selecting Filter Options: 

Selecting Filter Options Figure 15-7 Creating a filter

Configuring SAPs and ETYPEs: 

Configuring SAPs and ETYPEs Figure 15-8 Selecting a protocol to capture in a filter

SAP and ETYPE: 

SAP and ETYPE
Server Access Point (SAP): A service access point, which specifies the network process that should accept a frame at the destination, such as TCP/IP
Ethertype (ETYPE): A property of an Ethernet frame that includes a specialized two-byte code used for particular vendor functions

Capture Trigger: 

Capture Trigger
Besides filtering, Network Monitor supports using capture triggers
Capture trigger: Used as a way to have Network Monitor perform a specific function when a predefined situation occurs, such as stopping a capture of network data when the capture buffer is 50% full
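The filter settings from the Creating a Filter and SAP and ETYPE slides and the trigger from this slide, modelled together as an added Python example. This is not course material and not Network Monitor's own code: it applies an ETYPE set, address pairs (either direction, with "*" as the any-address wildcard) and offset/byte pattern matches to constructed Ethernet II frames, and stops the capture when the buffer reaches a chosen fill level or a frame carries a chosen pattern. The MAC addresses are constructed sample values; the IPv4 and ARP Ethertype codes are the real ones. Stopping when the buffer is exhausted is this model's own simplification.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ETYPE_IPV4, ETYPE_ARP = 0x0800, 0x0806    # real Ethertype codes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(text: str) -> bytes:
    """'00-11-22-33-44-55' or '00:11:22:33:44:55' -> the 6 raw address bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))

def eth_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Constructed Ethernet II frame: destination MAC, source MAC, 2-byte ETYPE, payload."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload

def _addr_ok(spec: str, addr: bytes) -> bool:
    return spec == "*" or mac(spec) == addr      # '*' stands for ANY address

@dataclass
class CaptureFilter:
    """The three settings on the capture filter dialog; an unset field keeps everything."""
    etypes: Optional[Set[int]] = None                                   # SAP/ETYPE
    address_pairs: List[Tuple[str, str]] = field(default_factory=list)  # (a, b), either direction
    patterns: List[Tuple[int, bytes]] = field(default_factory=list)     # (offset, bytes); all must match

    def matches(self, frame: bytes) -> bool:
        dst, src = frame[0:6], frame[6:12]
        etype = int.from_bytes(frame[12:14], "big")
        if self.etypes is not None and etype not in self.etypes:
            return False
        if self.address_pairs and not any(
                (_addr_ok(a, src) and _addr_ok(b, dst)) or (_addr_ok(a, dst) and _addr_ok(b, src))
                for a, b in self.address_pairs):
            return False
        return all(frame[off:off + len(pat)] == pat for off, pat in self.patterns)

@dataclass
class CaptureTrigger:
    """Fire on buffer fill level and/or on a byte pattern; the action modelled is 'stop capture'."""
    buffer_percent: Optional[int] = 50
    pattern: Optional[Tuple[int, bytes]] = None

class Capture:
    def __init__(self, capture_filter: CaptureFilter, buffer_size: int,
                 trigger: Optional[CaptureTrigger] = None):
        self.filter, self.buffer_size, self.trigger = capture_filter, buffer_size, trigger
        self.frames: List[bytes] = []
        self.used = 0                       # bytes of buffer in use
        self.stopped = False
        self.fired_on: Optional[str] = None

    def offer(self, frame: bytes) -> bool:
        """Feed one frame from the wire; returns True if it was kept in the capture buffer."""
        if self.stopped or not self.filter.matches(frame):
            return False                    # filtered-out frames never consume buffer space
        if self.used + len(frame) > self.buffer_size:
            self.stopped = True             # buffer exhausted: this model stops instead of wrapping
            return False
        self.frames.append(frame)
        self.used += len(frame)
        trig = self.trigger
        if trig is not None:
            if trig.buffer_percent is not None and self.used * 100 >= trig.buffer_percent * self.buffer_size:
                self.stopped, self.fired_on = True, "buffer space"
            elif trig.pattern is not None:
                off, pat = trig.pattern
                if frame[off:off + len(pat)] == pat:
                    self.stopped, self.fired_on = True, "pattern match"
        return True
```

A capture that keeps only ARP (`CaptureFilter(etypes={ETYPE_ARP})`) with a 50% buffer trigger stops exactly when half the buffer is filled with ARP frames; frames the filter rejects are never buffered, so they cannot fire the trigger.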

Setting up a Trigger : 

Setting up a Trigger Figure 15-9 Setting up a trigger

Troubleshooting Tip: 

Troubleshooting Tip
Check the Graph pane for a quick assessment of performance statistics for:
% Network Utilization
Frames Per Second
Bytes Per Second
Broadcasts Per Second
Multicasts Per Second

Diagnosing Common Problems: 

Diagnosing Common Problems
Use Network Monitor to diagnose problems such as:
A NIC creating a broadcast storm
Inefficient multimedia applications
Problems with bridges, switches, and routers
Problems with a particular workstation
An overloaded server

Finding a Broadcast Storm: 

Finding a Broadcast Storm
A broadcast storm is a situation in which one or more devices, such as a failing NIC, are saturating the network with traffic
Use the Network Monitor Broadcasts Per Second statistic to help determine if there is a broadcast storm, and then check the Session and Station panes for the device(s) sending the broadcast(s)
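The two-step diagnosis on this slide (watch Broadcasts Per Second, then find the sending station) as an added Python example; it is not part of the course and not Network Monitor code. It works over a constructed capture of (time, source MAC, destination MAC) records: the per-second broadcast count plays the role of the Graph pane statistic, and the per-station count over the flagged seconds plays the role of the Station pane. The station addresses, the 100 broadcasts-per-second threshold and the failing-NIC traffic are all constructed sample data; on a real network the threshold comes from the benchmark you established earlier.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Record = Tuple[float, str, str]      # (capture time in seconds, source MAC, destination MAC)

def broadcasts_per_second(records: List[Record]) -> Dict[int, int]:
    """The Graph pane's Broadcasts Per Second statistic: broadcast frames per one-second bucket."""
    per_sec: Dict[int, int] = defaultdict(int)
    for t, _src, dst in records:
        if dst == BROADCAST:
            per_sec[int(t)] += 1
    return dict(per_sec)

def broadcast_senders(records: List[Record], start: float, end: float) -> List[Tuple[str, int]]:
    """The Station pane view: which stations sent the broadcasts in [start, end), busiest first."""
    counts = Counter(src for t, src, dst in records if dst == BROADCAST and start <= t < end)
    return counts.most_common()

def find_broadcast_storm(records: List[Record], threshold: int = 100):
    """Seconds at or above the threshold and the stations responsible; ([], []) if traffic is normal.
    The default threshold is a constructed example value, not a Network Monitor setting."""
    flagged = sorted(sec for sec, n in broadcasts_per_second(records).items() if n >= threshold)
    if not flagged:
        return [], []
    return flagged, broadcast_senders(records, flagged[0], flagged[-1] + 1)

def constructed_capture() -> List[Record]:
    """Constructed sample capture: ten stations each broadcast once a second (normal ARP-style
    chatter) plus some unicast traffic; a failing NIC at 00:0c:29:ba:ad:01 floods 300
    broadcasts a second during seconds 5 to 7."""
    recs: List[Record] = []
    for sec in range(10):
        for i in range(10):
            station = f"00:50:56:00:00:{i:02x}"
            recs.append((sec + i / 10, station, BROADCAST))
            recs.append((sec + i / 10 + 0.05, station, "00:50:56:00:00:ff"))
    for sec in (5, 6, 7):
        for k in range(300):
            recs.append((sec + k / 300, "00:0c:29:ba:ad:01", BROADCAST))
    return recs

if __name__ == "__main__":
    seconds, senders = find_broadcast_storm(constructed_capture())
    print("storm seconds:", seconds)
    print("top broadcast senders:", senders[:3])
```

The per-second view alone only says that a storm is happening; the station breakdown over the flagged window is what identifies the failing NIC, which is why the slide sends you to the Session and Station panes second.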

Locating Unauthorized Network Monitor Users: 

Locating Unauthorized Network Monitor Users
Network Monitor can create problems when it is used by network intruders or unauthorized users
You can view all of the Network Monitor users by clicking the Tools menu and then clicking Identify Network Monitor Users

Viewing Network Monitor Users: 

Viewing Network Monitor Users Figure 15-10 Identifying all Network Monitor users

SNMP: 

SNMP The Simple Network Management Protocol (SNMP) is used to gather standardized network performance information and to control network devices

SNMP Stations: 

SNMP Stations
SNMP uses two kinds of network stations:
Network Management Station (NMS): Monitors and manages devices configured with SNMP and collects information
Agent: Any device configured for SNMP from which an NMS can collect data – SNMP agents include servers, workstations, routers, switches, and hubs

Microsoft Systems Compatible with SNMP: 

Microsoft Systems Compatible with SNMP
The following systems can be managed through SNMP:
Windows 2000 and NT servers
Windows 2000 and NT workstations
WINS servers
DHCP servers
IIS servers
Microsoft RAS and IAS servers

Installing SNMP: 

Installing SNMP
To install SNMP:
Open the Add/Remove Programs tool
Click Add/Remove Windows Components
Double-click Management and Monitoring Tools
Check Simple Network Management Protocol and click OK
Click Next and then click Finish

Configuring SNMP: 

Configuring SNMP
After installing SNMP, configure one or more community names for security
Community name: In SNMP communications, a password used by network agents and the network management station so that their communications cannot be easily intercepted by an unauthorized workstation or device
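Where the community name actually sits in the traffic, as an added Python example that is not part of the course or of the Windows SNMP service. It builds an SNMPv1 or v2c GetRequest the way an agent receives it (BER: version, community name, PDU) and parses the community back out; in those protocol versions the name travels in clear text, so a defender reviewing a capture can check whether factory defaults such as public or private are still in use. The OID, request id and community strings are constructed sample values; the BER tags and the GetRequest layout are the real ones.

```python
from typing import List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}   # factory-default names worth flagging

def _length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value

def ber_int(n: int) -> bytes:
    """Non-negative INTEGER; the extra bit keeps the sign bit clear (128 -> 00 80)."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 big-endian."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def snmp_get_request(version: int, community: str, oid: str, request_id: int = 1) -> bytes:
    """GetRequest as an agent receives it: version (0 = v1, 1 = v2c), community, PDU."""
    varbind = _tlv(0x30, ber_oid(oid) + b"\x05\x00")                   # (OID, NULL)
    pdu = _tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, ber_int(version) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Returns (tag, value, position just after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_community(packet: bytes) -> dict:
    """Version and community name of an SNMPv1/v2c message; both travel in clear text."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vbody, pos = _read_tlv(body, 0)
    version = int.from_bytes(vbody, "big")
    if vtag != 0x02 or version not in (0, 1):
        raise ValueError("not a community-based (v1/v2c) message")
    ctag, cbody, pos = _read_tlv(body, pos)
    ptag, _, _ = _read_tlv(body, pos)
    if ctag != 0x04:
        raise ValueError("unexpected message layout")
    return {"version": {0: "v1", 1: "v2c"}[version],
            "community": cbody.decode("latin-1"), "pdu_tag": ptag}

def audit_communities(packets: List[bytes]) -> List[str]:
    """Findings a defender wants from a capture: default community names still in use."""
    findings = []
    for pkt in packets:
        info = parse_community(pkt)
        if info["community"].lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{info['version']} message uses default community '{info['community']}'")
    return findings
```

Because the name is readable by anyone who can see the packet, treating it like a password means changing the default, limiting which hosts the service accepts it from, and watching captures for defaults that are still in use.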

Configuring SNMP (continued): 

Configuring SNMP (continued) Figure 15-11 Configuring the community name

SNMP Trap: 

SNMP Trap
SNMP enables you to configure a trap
Trap: A specific situation or event detected by SNMP that a network administrator may want to be warned about or to track via a network management station, such as when a network device is unexpectedly down or offline

Troubleshooting Tip: 

Troubleshooting Tip If a trap that you set does not work, make sure that the SNMP Trap Service is started and set to start automatically in Windows 2000 Server

Monitoring a Network with System Monitor: 

Monitoring a Network with System Monitor
System Monitor contains a wide range of objects for monitoring a network
Some objects only appear in System Monitor if you have a particular protocol installed

System Monitor Network Monitoring Objects: 

System Monitor Network Monitoring Objects Table 15-3 System Monitor Network Monitoring Objects

System Monitor Network Monitoring Objects (continued): 

System Monitor Network Monitoring Objects (continued)

System Monitor Network Monitoring Objects (continued): 

System Monitor Network Monitoring Objects (continued)

System Monitor Network Monitoring Objects (continued): 

System Monitor Network Monitoring Objects (continued)

Monitoring NICs, Servers, and Network Devices: 

Monitoring NICs, Servers, and Network Devices
System Monitor can be used to monitor the NIC at the server to make sure that it is working properly
System Monitor is also used to monitor for network problems at the server and between the server and network devices

Using System Monitor Objects to Monitor the NIC, Server, and Network Devices: 

Using System Monitor Objects to Monitor the NIC, Server, and Network Devices Table 15-4 Using System Monitor Objects and Counters to Monitor the NIC, Server, and Network Devices

Using System Monitor Objects to Monitor the NIC, Server, and Network Devices (continued): 

Using System Monitor Objects to Monitor the NIC, Server, and Network Devices (continued)

Using System Monitor Objects to Monitor the NIC, Server, and Network Devices (continued): 

Using System Monitor Objects to Monitor the NIC, Server, and Network Devices (continued)

Using System Monitor Objects and Counters to Monitor Protocols: 

Using System Monitor Objects and Counters to Monitor Protocols Table 15-5 Using System Monitor Objects and Counters to Monitor Protocols

Using System Monitor Objects and Counters to Monitor Protocols (continued): 

Using System Monitor Objects and Counters to Monitor Protocols (continued)

Using System Monitor Objects and Counters to Monitor Server and Network Bottlenecks: 

Using System Monitor Objects and Counters to Monitor Server and Network Bottlenecks Table 15-6 Using System Monitor Objects and Counters to Monitor Server and Network Bottlenecks

Using System Monitor Objects and Counters to Monitor Server and Network Bottlenecks (continued): 

Using System Monitor Objects and Counters to Monitor Server and Network Bottlenecks (continued)

Using System Monitor Objects and Counters to Monitor a Web Server: 

Using System Monitor Objects and Counters to Monitor a Web Server Table 15-7 Using System Monitor Objects to Monitor a Web Server

Using System Monitor Objects and Counters to Monitor a Web Server (continued): 

Using System Monitor Objects and Counters to Monitor a Web Server (continued)

Using System Monitor Objects and Counters to Monitor a Web Server (continued): 

Using System Monitor Objects and Counters to Monitor a Web Server (continued)

Using System Monitor Objects and Counters to Monitor SMTP Services: 

Using System Monitor Objects and Counters to Monitor SMTP Services

Using System Monitor Objects and Counters to Monitor SMTP Services (continued): 

Using System Monitor Objects and Counters to Monitor SMTP Services (continued)

Network Tuning Tips: 

Network Tuning Tips
Keep NIC drivers updated
Replace slow NICs
Tune the network access order
Implement TCP/IP exclusively, if possible
Purchase servers that are equipped to keep up with the server load

Network Tuning Tips (continued): 

Network Tuning Tips (continued)
Monitor for excessive BPDU broadcasts
Monitor the network for saturation from broadcast storms
Replace aging, slower network devices with newer, faster devices
Use multimedia applications that support multicasting
Upgrade bandwidth to match the load

Chapter Summary: 

Chapter Summary
Monitoring a network is as important as monitoring a server
Establish network benchmarks to help in preventing and diagnosing problems
Install the Network Monitor Driver and Network Monitor together to enable network monitoring from Windows 2000 Server

Chapter Summary: 

Chapter Summary
Install Microsoft SNMP service to take advantage of SNMP-based network management station monitoring
Use the System Monitor’s network-related objects, counters, and instances for in-depth network monitoring, particularly of protocols

Chapter 8: Managing Accounts and Client Connectivity : 

Chapter 8: Managing Accounts and Client Connectivity

Learning Objectives: 

Learning Objectives
Establish account naming conventions
Configure account security policies
Create and manage accounts, including setting up a new account, configuring account properties, delegating account management, and renaming, disabling, and deleting an account

Learning Objectives (continued): 

Learning Objectives (continued)
Create local user profiles, roaming profiles, and mandatory profiles
Configure client network operating systems to access Windows 2000 Server, and install client operating systems through Remote Installation Services

Account Policies: 

Account Policies
Account policies: security measures set up in a group policy, such as for a domain or local computer
Account policies particularly focus on:
Password security
Account lockout
Kerberos security
Use the Group Policy MMC snap-in to set up account policies

Setting Account Policies: 

Setting Account Policies Figure 8-1 Account policies

Password Policy Options: 

Password Policy Options
Enforce password history: Enables you to require users to choose new passwords when they make a password change, because the system can remember the previously used passwords
Maximum password age: Permits you to set the maximum time allowed until a password expires
Minimum password age: Permits you to specify that a password must be used a minimum amount of time before it can be changed

Password Policy Options (continued): 

Password Policy Options (continued)
Minimum password length: Enables you to require that passwords are a minimum length
Passwords must meet complexity requirements: Requires passwords to be complex (use upper and lowercase letters, numbers and special characters; cannot contain the user name, etc.)

Account Lockout Policy Options: 

Account Lockout Policy Options
Account lockout duration: Permits you to specify in minutes how long the system will keep an account locked out after reaching the specified number of unsuccessful logon attempts
Account lockout threshold: Enables you to set a limit to the number of unsuccessful tries to log onto an account

Account Lockout Policy Options (continued): 

Account Lockout Policy Options (continued) Reset account lockout count after : Enables you to specify the number of minutes between two consecutive unsuccessful logon attempts to make sure that the account will not be locked out too soon
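How the password policy options and the three account lockout options interact, as an added Python model; it is not course material and not Windows code. Each policy setting on the last few slides is a field, a password change returns the name of the option that rejected it, and a logon attempt walks the lockout state machine (threshold, duration, reset-counter window). Times are plain seconds so the behaviour can be checked with fixed values; the user names and passwords are constructed sample data. The complexity check implements the rule the Windows setting actually enforces, three of the four character classes plus no user name inside the password, which is slightly more precise than the slide's summary. Passwords are held in clear text only because this models the policy, not a credential store; a real implementation compares hashes.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional

MINUTE, DAY = 60, 86400   # policy values are minutes and days; the clock passed in is seconds

@dataclass
class PasswordPolicy:
    enforce_password_history: int = 24     # previous passwords the system remembers (0 = none)
    maximum_password_age_days: int = 42    # 0 = never expires
    minimum_password_age_days: int = 1
    minimum_password_length: int = 8
    complexity_required: bool = True

@dataclass
class LockoutPolicy:
    account_lockout_threshold: int = 5          # failed logons before lockout (0 = never lock)
    account_lockout_duration_min: int = 30      # 0 = locked until an administrator unlocks it
    reset_lockout_count_after_min: int = 30     # quiet minutes after which the bad-logon counter resets

@dataclass
class Account:
    username: str
    password: str                 # constructed sample; a real store holds a hash
    password_set_at: float
    history: List[str] = field(default_factory=list)   # most recent old password first
    bad_count: int = 0
    last_bad_at: Optional[float] = None
    locked_until: Optional[float] = None

def meets_complexity(password: str, username: str) -> bool:
    """Three of the four character classes, and the user name must not appear in the password."""
    if username and username.lower() in password.lower():
        return False
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3

def change_password(acct: Account, new_password: str, policy: PasswordPolicy, now: float) -> str:
    """Returns 'ok', or the name of the policy option that rejected the change."""
    if now - acct.password_set_at < policy.minimum_password_age_days * DAY:
        return "minimum password age"
    if len(new_password) < policy.minimum_password_length:
        return "minimum password length"
    if policy.complexity_required and not meets_complexity(new_password, acct.username):
        return "complexity requirements"
    remembered = ([acct.password] + acct.history)[:policy.enforce_password_history]
    if new_password in remembered:
        return "enforce password history"
    acct.history = ([acct.password] + acct.history)[:max(policy.enforce_password_history - 1, 0)]
    acct.password, acct.password_set_at = new_password, now
    return "ok"

def password_expired(acct: Account, policy: PasswordPolicy, now: float) -> bool:
    """Maximum password age: True once the password is older than the limit."""
    return (policy.maximum_password_age_days > 0
            and now - acct.password_set_at > policy.maximum_password_age_days * DAY)

def logon(acct: Account, password: str, policy: LockoutPolicy, now: float) -> str:
    """Returns 'success', 'failure' or 'locked' and maintains the lockout state."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"               # the right password does not help while locked out
        acct.locked_until, acct.bad_count = None, 0     # lockout duration has elapsed
    if (acct.last_bad_at is not None
            and now - acct.last_bad_at >= policy.reset_lockout_count_after_min * MINUTE):
        acct.bad_count = 0                # 'reset account lockout count after' window has passed
    if password == acct.password:
        acct.bad_count = 0
        return "success"
    acct.bad_count, acct.last_bad_at = acct.bad_count + 1, now
    if policy.account_lockout_threshold and acct.bad_count >= policy.account_lockout_threshold:
        duration = policy.account_lockout_duration_min
        acct.locked_until = math.inf if duration == 0 else now + duration * MINUTE
        return "locked"
    return "failure"
```

The reset window is the setting people most often misread: failures only accumulate toward the threshold while they arrive less than that many minutes apart, so a threshold of 3 with a 30-minute reset never locks an account that sees one bad logon an hour. A duration of 0 keeps the account locked until an administrator clears it, which is why the model uses infinity there.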

Kerberos Policy Options : 

Kerberos Policy Options
Enforce user logon restrictions: Turns on Kerberos security, which is the default
Maximum lifetime for a service ticket: Determines the maximum amount of time in minutes that a service ticket can be used to continually access a particular service in one service session
Maximum lifetime for a user ticket: Determines the maximum amount of time in hours that a ticket can be used in one continuous session for access to a computer or domain

Creating Accounts: 

Creating Accounts On a member server (not a domain controller) use the Local Users and Groups MMC snap-in to create accounts On a domain controller, use the Active Directory Users and Computers MMC snap-in to create accounts in the domain.

Creating an OU: 

Creating an OU
To create an OU:
Click the container in which to create the OU, such as the domain or another OU
Click the Create a new organizational unit in the current container button
Enter the name of the OU
Click OK

Delegating Authority in an OU: 

Delegating Authority in an OU
To delegate authority:
Right-click the OU and click Delegate control
Click Next after the wizard starts
Click the Add button and specify the accounts, groups, or computers to have the control
Click OK and click Next
Select the tasks to delegate and click Next
Click Finish

Delegation of Control Options: 

Delegation of Control Options

Using Find to Locate an Account: 

Using Find to Locate an Account
To locate a particular account in order to maintain it:
Right-click the domain
Click Find
Enter the username or the account holder’s name
Click Find Now

Account Maintenance Activities: 

Account Maintenance Activities
Typical account maintenance activities include:
Disabling an account, such as when a user takes a leave of absence
Enabling an account, such as when a user returns
Renaming an account, such as when one user leaves and another user is hired into the same position
Moving an account, such as into a different OU

Account Maintenance Activities (continued): 

Account Maintenance Activities (continued)
Typical account maintenance activities include (continued):
Deleting an account, such as when a user leaves the organization and there will be no replacement
Resetting a password for users who do not remember theirs
Account auditing to track certain kinds of activity performed by an account holder

Sample Events that Can be Audited for an Account: 

Sample Events that Can be Audited for an Account
Logon and logoff activity
Account modifications through account management tools
Accesses to files and other objects (for files, folders, and objects that are set up to be audited)

Troubleshooting Tip: 

Troubleshooting Tip
Management will usually want to audit EVERYTHING.
Use account auditing sparingly, because every audited event is written to the Security log. A server can be overloaded by devoting too much of its resources to auditing.
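An added example, not from the original slides, that enables only the three kinds of event listed under "Sample Events that Can be Audited" and then reads the account-management events back. It assumes a current Windows Server (auditpol and Get-WinEvent, with post-Vista Security log event IDs); on Windows 2000 the same choices are made in the Audit Policy node of Local Security Policy. The log-size check reflects the tip above: audit few categories, and know how much log you have before adding more.

```powershell
# Added example: a minimal audit policy plus a summary of who changed which account.

# Enable only the matching subcategories (success and failure), nothing else.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
# Object access only logs for files and folders that carry a SACL, so the subcategory
# itself is cheap; the load comes from which objects you choose to audit.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Check size and retention before turning on anything more: a Security log that
# overwrites itself loses exactly the events you wanted to keep.
Get-WinEvent -ListLog Security | Select-Object LogName, LogMode, MaximumSizeInBytes, RecordCount

# Account-management event IDs mapped to the maintenance activities in this chapter.
$accountMgmtIds = @{
    4720 = 'User account created';    4722 = 'User account enabled'
    4724 = 'Password reset';          4725 = 'User account disabled'
    4726 = 'User account deleted';    4738 = 'User account changed'
    4740 = 'User account locked out'; 4781 = 'Account renamed'
}

# One row per event: when, what, which account (Target) and which admin did it (By).
function Get-AccountChangeSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = [int[]]$accountMgmtIds.Keys
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            What   = $accountMgmtIds[$_.Id]
            Target = $data['TargetUserName']
            By     = $data['SubjectUserName']
        }
    }
}

# Which administrators performed which kinds of change in the last day.
Get-AccountChangeSummary -Hours 24 |
    Group-Object By, What | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```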

User Profiles: 

User Profiles
What is a profile? Windows maintains a group of settings for each individual user who logs into the system. This group of settings is known as a user “profile”.
What is included in a profile? Almost anything that users may wish to set independently of other users (favorites, desktop wallpaper, email settings, web browser home page, etc.)

User Profiles: 

User Profiles Where are profiles stored? Under the “Documents and Settings” folder on the boot partition. Each time a new user logs in, a new profile is created for them based on the “Default” user profile.

Local vs. Roaming User Profile: 

Local vs. Roaming User Profile
Local user profile: a user profile that is stored locally on the boot partition under “Documents and Settings”. Since the profile is local, it will only work on the machine on which it is created.
Roaming user profile: a user profile that is copied to a network server so that it can be downloaded to each workstation where the user logs on. This allows the profile to “roam” with the user.

Mandatory User Profile: 

Mandatory User Profile Mandatory User Profile: A user profile set up by the server administrator that is loaded from the server to the client each time the user logs on. Changes that the user makes to the profile are not saved. Used to lock down the desktop and prevent users from customizing it.

Associating a Profile with an Account: 

Associating a Profile with an Account Figure 8-9 Setting a roaming profile in an account’s properties
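The roaming and mandatory profiles described on the preceding slides, set up from PowerShell with the RSAT ActiveDirectory module, as an added example that is not from the original slides. It creates the per-user folder on the profile share with a least-privilege ACL, writes the same value the "Profile path" box in Figure 8-9 holds, and optionally converts the profile to a mandatory one. The share, domain and account names are placeholders; Windows 2000 stored the profile in the folder exactly as given, while current Windows appends a version suffix (such as .V6) to the folder name.

```powershell
# Added example: create a secured profile folder, point the account at it, optionally make it mandatory.
Import-Module ActiveDirectory

function Set-RoamingProfile {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ProfileShare = '\\FS01\Profiles$',     # placeholder hidden share
        [switch]$Mandatory                               # convert to a mandatory profile
    )
    $dir = Join-Path -Path $ProfileShare -ChildPath $SamAccountName
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Replace inherited permissions: only the user, SYSTEM and Administrators get in.
    # A profile folder readable by other users exposes that user's documents and settings.
    $acl = Get-Acl -Path $dir
    $acl.SetAccessRuleProtection($true, $false)    # disable inheritance and drop inherited ACEs
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $domain  = (Get-ADDomain).NetBIOSName
    foreach ($who in @("$domain\$SamAccountName", 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $who, $full, $inherit, $noProp, $allow))
    }
    Set-Acl -Path $dir -AclObject $acl

    # The value shown in the "Profile path" box of Figure 8-9.
    Set-ADUser -Identity $SamAccountName -ProfilePath $dir

    # Mandatory profile: once the user has logged on once and NTUSER.DAT exists on the
    # share, renaming it to NTUSER.MAN makes Windows discard the user's changes at logoff.
    if ($Mandatory) {
        $hive = Join-Path -Path $dir -ChildPath 'NTUSER.DAT'
        if (Test-Path -Path $hive) { Rename-Item -Path $hive -NewName 'NTUSER.MAN' }
        else { Write-Warning "No NTUSER.DAT in $dir yet; log the user on once, then rerun with -Mandatory." }
    }
}

# Usage with a placeholder account: Set-RoamingProfile -SamAccountName 'kiosk01' -Mandatory
```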

Active Directory Support for Non-Windows 2000 Clients: 

Active Directory Support for Non-Windows 2000 Clients
Plan to install the Directory Service Client (DSClient) on Windows 95 and Windows 98 clients
DSClient enables non-Windows 2000 clients for:
Kerberos authentication
The ability to view and search objects published in the Windows 2000 Active Directory
Access to a Windows 2000 Distributed File System
The Directory Service Client can be found on the Windows 2000 Server CD-ROM

Setting Up Client Desktops Using Group Policy and Security Policy: 

Setting Up Client Desktops Using Group Policy and Security Policy
Use the Group Policy snap-in to set up group policies that govern clients.
Group Policy can only be applied to Windows 2000 or later clients. The System Policy Editor (Poledit.exe) can be used to configure system policies for Windows NT and Win9x.

Remote Installation Services: 

Remote Installation Services Remote Installation Services (RIS): Services installed on a Windows 2000 Server that enable you to remotely install Windows 2000 Professional on one or more client computers

RIS Pre-Installation Steps: 

RIS Pre-Installation Steps
Purchase the appropriate number of Windows 2000 Professional licenses
Make sure that Active Directory is implemented and that there are DHCP and DNS servers on the network
Create a Windows 2000 Professional operating system image on a standard PC
Create user accounts for the Windows 2000 Professional clients (called pre-staging the clients). This prevents unauthorized users from using Windows 2000 licenses.

RIS Installation Steps: 

RIS Installation Steps
Installing RIS is a two-stage process:
First, install RIS using the Control Panel Add/Remove Programs tool
Then configure RIS from the Add/Remove Programs tool

Installing RIS on the Client: 

Installing RIS on the Client
Install in one of two ways:
Using a computer that has a boot-enabled, PXE-compliant NIC
Creating a remote boot disk
Both methods use the Preboot eXecution Environment (PXE): services that enable a prospective client to obtain an IP address and to connect to a RIS server in order to install Windows 2000 Professional

Installing RIS on the Client: 

Installing RIS on the Client After booting and contacting the RIS server, the user is presented with a menu to select which RIS image to load.

Chapter Summary: 

Chapter Summary
Preparing a server and domain entails configuring accounts and configuring client computers
Before configuring accounts, consult with members of your organization about naming standards
Set up account policies before configuring accounts

Chapter Summary: 

Chapter Summary
After accounts are created, use the account properties capability to supplement or modify parameters for the accounts, such as time-of-day access restrictions
Configure client computers to access Windows 2000 Server, such as by installing DSClient

Chapter Summary: 

Chapter Summary
Manage clients by setting up group policies or system policies
Use RIS to install multiple Windows 2000 Professional clients in order to reduce your TCO