Installing, Configuring and Administering Windows 2000 Server
120 minutes - 62 Questions - 660 Passing Score
Minimum requirements
- Pentium 133 or greater.
- 128 MB RAM minimum (4 GB max), 256 MB recommended.
- 1 GB free disk space on the partition that will contain the system files (1 GB recommended).
- Server supports up to 4 processors.
Features:
Replaces NT 4.0 Server. Windows 2000 Server supports upgrades from NT 4.0 Server, meaning all applications and settings are preserved.
Windows 2000 does away with the concept of the PDC and the BDC
that we knew in the NT4.0 world. Windows 2000 simply has
domain controllers that are all created equal and all share a
writable copy of the directory database. All Windows 2000
servers are installed as member servers and can be promoted to
a domain controller by running dcpromo. A domain controller
can also be demoted to a member server by running dcpromo.
Increased Hardware Support (Plug and Play) - Windows 2000 brings back Plug and Play in a more stable form than the one we see in Win9.x.
Microsoft Management Console (MMC)
- You might be familiar with this from IIS4.0. This is the
new interface for all management tools in Windows 2000.
Snap-ins to the MMC interface provide you with one location to
go to for all administration.
Lightweight Directory Access Protocol (LDAP) - Allows you to query objects in Active Directory, for example to search for a computer, a printer or a user.
Kerberos version 5 protocol -
In Kerberos authentication, a client is authenticated when
logging on to the network by a Key Distribution Center (KDC).
When a client needs to access a resource, the owner of that
resource contacts the KDC to verify that the client has
permissions to access the resource. The KDC issues a session
ticket. The next time the client accesses the resource, the
owner of the resource is able to authenticate the client
itself using this session ticket instead of going back to the
KDC thus cutting down a lot of overhead on the authentication
process.
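To see why the cached session ticket removes the round trip to the KDC, here is an added example in Python; it is not part of this guide and not Microsoft's Kerberos implementation. It is a deliberately simplified model rather than the Kerberos V5 wire protocol: the KDC shares a long-term key with each resource server, a ticket is a body plus a MAC under that key, and the resource owner validates the MAC and the expiry itself on every access after the first. The user name, server name and password are constructed for the demo.

```python
"""Simplified model of ticket-based authentication (added example, not the
Kerberos V5 wire protocol). Names, keys and passwords below are constructed."""
import hashlib
import hmac
import json
import secrets


def derive_key(secret: str) -> bytes:
    # Toy key derivation for the demo only (real Kerberos uses string-to-key functions).
    return hashlib.sha256(secret.encode()).digest()


def seal(key: bytes, body: dict) -> str:
    """MAC over the canonical ticket body; only the KDC and the service hold key."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class KDC:
    """Key Distribution Center: logs clients on and issues session tickets."""

    def __init__(self) -> None:
        self.user_keys = {}        # username -> key derived from the password
        self.server_keys = {}      # service name -> long-term key shared with that server
        self.logged_on = set()     # users that authenticated successfully
        self.ticket_requests = 0   # round trips that reached the KDC

    def register_user(self, name: str, password: str) -> None:
        self.user_keys[name] = derive_key(password)

    def register_server(self, service: str) -> bytes:
        self.server_keys[service] = secrets.token_bytes(32)
        return self.server_keys[service]

    def logon(self, name: str, password: str) -> bool:
        expected = self.user_keys.get(name)
        if expected is None or not hmac.compare_digest(expected, derive_key(password)):
            return False
        self.logged_on.add(name)
        return True

    def issue_ticket(self, user: str, service: str, now: int, lifetime: int = 600):
        """Answers a resource owner's verification request: a session ticket sealed
        with that server's long-term key, or None if the user never logged on."""
        self.ticket_requests += 1
        if user not in self.logged_on or service not in self.server_keys:
            return None
        body = {"user": user, "service": service, "expires": now + lifetime,
                "session_key": secrets.token_hex(16)}
        return {"body": body, "mac": seal(self.server_keys[service], body)}


class ResourceServer:
    """Owner of a resource. Verifies cached tickets itself, without the KDC."""

    def __init__(self, service: str, kdc: KDC) -> None:
        self.service = service
        self.kdc = kdc
        self.key = kdc.register_server(service)
        self.cache = {}   # user -> session ticket kept from the first access

    def ticket_is_valid(self, ticket, now: int) -> bool:
        if ticket is None:
            return False
        body = ticket["body"]
        return (hmac.compare_digest(seal(self.key, body), ticket["mac"])  # not forged or altered
                and body["service"] == self.service                       # issued for this server
                and body["expires"] > now)                                # not expired

    def access(self, user: str, now: int) -> bool:
        """First access (or an expired/bad ticket) goes back to the KDC; every
        access in between is decided locally from the cached ticket."""
        ticket = self.cache.get(user)
        if not self.ticket_is_valid(ticket, now):
            ticket = self.kdc.issue_ticket(user, self.service, now)
            self.cache[user] = ticket
        return self.ticket_is_valid(ticket, now)


def demo() -> dict:
    """Walk through the flow with constructed credentials and report what happened."""
    kdc = KDC()
    kdc.register_user("alice", "constructed-demo-password")
    files = ResourceServer("FILESRV1", kdc)
    logged_on = kdc.logon("alice", "constructed-demo-password")
    first = files.access("alice", now=1_000)     # KDC consulted, ticket cached
    second = files.access("alice", now=1_100)    # ticket checked locally
    files.cache["alice"]["body"]["user"] = "mallory"   # tamper with the cached ticket
    tampered = files.ticket_is_valid(files.cache["alice"], now=1_200)
    return {"logged_on": logged_on, "first": first, "second": second,
            "tampered": tampered, "kdc_round_trips": kdc.ticket_requests}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows one KDC round trip for two accesses, and that an altered ticket fails the MAC check, so the resource owner never has to trust the client's claims, only the key it shares with the KDC.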
Distributed File System (DFS) - Windows 2000
addresses the issue of having many share points on many
different servers by implementing DFS. DFS allows a user to
connect to one share point which may contain shares from many
different locations. For example, a user connects to a share called \\Server1\AccountingDocs and sees two subfolders, Spreadsheets and Worddocs, which contain files:
AccountingDocs
    Spreadsheets
        Spreadsheet#1
        Spreadsheet#2
    Worddocs
        Worddoc#1
        Worddoc#2
Spreadsheet#1, Spreadsheet#2, Worddoc#1 and Worddoc#2 may be on totally different remote servers, but the user sees the shared folder on the DFS server as if it were local.
Printing - Windows 2000 introduces Internet
Printing. Windows 2000 clients can use a URL to connect to
network printers. The print server must be running IIS.
Windows 2000 and NT4.0 check for an updated print driver each
time they connect to a printer. Win95 and 98 have to be
updated manually. (If you update the 95 and 98 drivers on the
server, the clients can easily update without needing floppy
or CD for drivers.)
Netware Connectivity - NWlink - Microsoft's
rendition of IPX/SPX - allows Microsoft clients to access
NetWare resources and NetWare clients to access NT
resources. NWlink alone allows you to connect to
applications running on a NetWare server.
Client Services for NetWare (CSNW) - Allows NT clients
to make direct connections to NetWare file and print servers.
Gateway Services for NetWare (GSNW) - used for
occasional access to a NetWare server by a Microsoft client.
The NT server connects to the NetWare File server and shares
a directory. Microsoft clients can then access the share on
the server running GSNW. This avoids having to install CSNW
on all of the clients.
- Set up a user account on the NetWare server with the
same name and password as the NT server running GSNW.
- Give the account the appropriate permissions on the
NetWare side.
- Create a group account called NTGateway on the NetWare
server.
- Place the user account that you set up on both the NT
and NetWare side in step one in the NTGateway group.
Installation - Upon install,
only the partition that will be used to install Windows 2000
should be created. All other partitions should be created
later using the Disk Management Utilities as Windows 2000 has
additional features that will be available to disks created
with this utility.
No start-up floppies are created during the install. If you wish to have the start-up floppies, run makeboot.exe from the setup CD. This will create 4 setup floppies.
As in NT 4.0, both winnt.exe and winnt32.exe are available. winnt.exe is for straight DOS-based machines. winnt32.exe is now used for Win9.x as well as NT systems.
WINNT
Performs an installation of or upgrade to
Windows 2000.
winnt [/s:sourcepath] [/t:tempdrive]
[/u:answer file][/udf:id [,UDB_file]]
[/r:folder][/rx:folder][/e:command][/a]
Parameters
/s:sourcepath
Specifies the source location of the Windows 2000 files. The
location must be a full path of the form x:\[path] or
\\server\share[\path].
/t:tempdrive
Directs Setup to place temporary files on the specified drive
and to install Windows 2000 on that drive. If you do not
specify a location, Setup attempts to locate a drive for you.
/u:answer file
Performs an unattended Setup using an answer file. The answer
file provides answers to some or all of the prompts that the
end user normally responds to during Setup. You must also use
/s.
/udf:id [,UDB_file]
Indicates an identifier (id) that Setup uses to specify
how a Uniqueness Database (UDB) file modifies an answer file
(see /u). The /udf parameter overrides values in
the answer file, and the identifier determines which values in
the UDB file are used. If no UDB_file is specified,
Setup prompts you to insert a disk that contains the $Unique$.udb
file.
/r:folder
Specifies an optional folder to be installed. The folder
remains after Setup finishes.
/rx:folder
Specifies an optional folder to be copied. The folder is
deleted after Setup finishes.
/e:command
Specifies a command to be executed at the end of GUI-mode
Setup.
/a
Enables accessibility options.
Winnt32
Sets up or upgrades Windows 2000 Server or Windows 2000
Professional. You can run the winnt32 command at a Windows 95,
Windows 98, or Windows NT command prompt.
winnt32 [/s:sourcepath] [/tempdrive:drive_letter]
[/unattend[num]:[answer_file]] [/copydir:folder_name]
[/copysource:folder_name] [/cmd:command_line]
[/debug[level]:[filename]] [/udf:id[,UDF_file]]
[/syspart:drive_letter] [/checkupgradeonly]
[/cmdcons] [/m:folder_name] [/makelocalsource]
[/noreboot]
Parameters
/s:sourcepath
Specifies the source location of the Windows 2000 files. To
simultaneously copy files from multiple servers, specify
multiple /s sources. If you use multiple /s
switches, the first specified server must be available or
Setup will fail.
/tempdrive:drive_letter
Directs Setup to place temporary files on the specified
partition and to install Windows 2000 on that partition.
/unattend
Upgrades your previous version of Windows 2000,
Windows NT 4.0, Windows 3.51, Windows 95, or Windows 98 in
unattended Setup mode. All user settings are taken from the
previous installation, so no user intervention is required
during Setup.
Using the /unattend switch to automate Setup affirms
that you have read and accepted the Microsoft License
Agreement for Windows 2000. Before using this switch to
install Windows 2000 on behalf of an organization other than
your own, you must confirm that the end user (whether an
individual, or a single entity) has received, read, and
accepted the terms of the Windows 2000 Microsoft License
Agreement. OEMs may not specify this key on machines being
sold to end users.
/unattend[num]:[answer_file]
Performs a fresh installation in unattended Setup mode. The
answer file provides Setup with your custom specifications.
Num is the number of seconds between the time that
Setup finishes copying the files and when it restarts your
computer. You can use num on any computer running
Windows NT or Windows 2000.
Answer_file is the name of the answer file.
/copydir:folder_name
Creates an additional folder within the folder in which the
Windows 2000 files are installed. For example, if the source
folder contains a folder called Private_drivers that has
modifications just for your site, you can type /copydir:Private_drivers
to have Setup copy that folder to your installed Windows 2000
folder, making the new folder location C:\Winnt\Private_drivers.
You can use /copydir to create as many additional
folders as you want.
/copysource:folder_name
Creates a temporary additional folder within the folder in
which the Windows 2000 files are installed. For example, if
the source folder contains a folder called Private_drivers
that has modifications just for your site, you can type /copysource:Private_drivers
to have Setup copy that folder to your installed Windows 2000
folder and use its files during Setup, making the temporary
folder location C:\Winnt\Private_drivers. Unlike the folders
/copydir creates, /copysource folders are
deleted after Setup completes.
/cmd:command_line
Instructs Setup to carry out a specific command before the
final phase of Setup. This would occur after your computer has
restarted twice and after Setup has collected the necessary
configuration information, but before Setup is complete.
/debug[level]:[filename]
Creates a debug log at the level specified, for example,
/debug4:C:\Win2000.log. The default log file is C:\%Windir%\Winnt32.log,
with the debug level set to 2. The log levels are as follows:
0-severe errors, 1-errors, 2-warnings, 3-information, and
4-detailed information for debugging. Each level includes the
levels below it.
/udf:id[,UDB_file]
Indicates an identifier (id) that Setup uses to specify
how a Uniqueness Database (UDB) file modifies an answer file
(see the /unattend entry). The
/udf parameter
overrides values in the answer file, and the identifier
determines which values in the UDB file are used. For example,
/udf:RAS_user,Our_company.udb overrides settings
specified for the RAS_user identifier in the Our_company.udb
file. If no UDB_file is specified, Setup prompts the
user to insert a disk that contains the $Unique$.udb file.
/syspart:drive_letter
Specifies that you can copy Setup startup files to a hard
disk, mark the disk as active, and then install the disk into
another computer. When you start that computer, it
automatically starts with the next phase of the Setup. You
must always use the /tempdrive parameter with the /syspart
parameter.
/checkupgradeonly
Checks your computer for upgrade compatibility with
Windows 2000. For Windows 95 or Windows 98 upgrades, Setup
creates a report named Upgrade.txt in the Windows installation
folder. For Windows NT 3.51 or 4.0 upgrades, it saves the
report to the Winnt32.log in the installation folder.
/cmdcons
Adds to the operating system selection screen a Recovery
Console option for repairing a failed installation. It is only
used post-Setup.
/m:folder_name
Specifies that Setup copies replacement files from an
alternate location. Instructs Setup to look in the alternate
location first and if files are present, use them instead of
the files from the default location.
/makelocalsource
Instructs Setup to copy all installation source files to your
local hard disk. Use
/makelocalsource when installing
from a CD to provide installation files when the CD is not
available later in the installation.
/noreboot
Instructs Setup to not restart the computer after the file
copy phase of winnt32 is completed so that you can execute
another command.
Unattended Install from CD-ROM -
- The computer must support booting from a CD-ROM, and must adhere to the El-Torito non-emulation specification.
- The unattended answer file must be renamed to Winnt.sif and copied to a floppy disk so Setup can access it.
- The answer file must contain a valid [Data] section:
    - UnattendedInstall=Yes - Value must be set to "yes".
    - MSDosInitiated=No - Value must be set to "no" or Setup stops during the graphical portion of Setup.
    - AutoPartition=1 - If the value is set to 1, the installation partition is automatically selected. If the value is set to 0 (zero), you are prompted for the installation partition during the text portion of Setup.
Windows 2000 Disk Types
Basic Disks
The typical disk structure supporting primary partitions,
extended partitions and logical drives. You will be able to
repair and delete mirror and RAID 5 volumes but you cannot
create them on a Basic disk.
Repairing Basic Volumes
- Repair Basic Mirror
    - Use the repair volume command to create and resynch a new mirror on a healthy disk.
    - If the mirror does not report as healthy, use the Resynchronize mirror command to resynch it manually.
- Repair Basic RAID 5 volume
    - Use the repair volume command to relocate the failed part of a RAID 5 volume to a healthy disk and regenerate parity.
Dynamic Disks
Windows 2000 introduces dynamic disks. All disks are basic disks on install; you can upgrade a disk from basic to dynamic through the MMC. You can't go from dynamic back to basic without repartitioning and losing your data. Dynamic disks allow you to manage disks and volumes without having to reboot. Dynamic disks are not readable by any other operating system installed on the same box. Fault-tolerant disk sets can only be created on dynamic disks.
Repairing Dynamic Volumes
- If a disk is not online, use the reactivate disk command first: if it works, the disk will automatically attempt to repair itself (a mirror will automatically resynch, a RAID 5 volume will automatically regenerate).
- If the disk comes online but does not report as healthy,
use the reactivate volume command.
- If the disk does not come online, you will need to
replace the disk.
- If you have a failed mirror volume, use the remove
mirror command to break the mirror, then use the add mirror
command to create the mirror on a new disk.
- If you have a failed RAID 5 volume, use the repair
volume command.
File Systems - Windows 2000
supports FAT16, FAT32, NTFS. Choose NTFS if you are only
running Windows 2000 on your system as it has many security
and performance improvements.
- FAT16 is necessary to dual boot Windows 2000 with DOS,
Win3.x, WIN95 or Win98.
- FAT32 could also be used to dual boot with Win2000 and
Win98.
- If you have an NT4 box that you want to dual boot with
Windows 2000, make sure the NT box has service pack 4 or
later or it will not be able to read an NTFS5 partition.
Windows 2000 NTFS advantages:
Disk Compression - NTFS5 offers disk compression. Windows 2000 cannot read drives compressed with an earlier operating system, so be sure to uncompress drives before upgrading.
Disk Quotas - Windows 2000 features built-in disk quota management. Users can be limited to a certain amount of disk space on the file server on a volume-by-volume basis. You can customize how much space each user gets and configure warnings when a certain amount is used. You can also prevent users from saving any additional data once their limit is reached.
Encrypting File System (EFS) -
allows files to be stored encrypted on the hard disk. This
protects against people booting from a floppy or logging into
a machine locally and gaining access to your files. They will
be denied access to the files as they will not have the proper
encryption key.
- Only files and folders on an NTFS volume can be
encrypted.
- Compressed files or folders cannot be encrypted.
- Encrypted files cannot be shared.
- Encrypted files will become unencrypted if copied or
moved to a non-NTFS volume.
- System files cannot be encrypted.
- Other than the user that encrypted the files, only a designated recovery agent can decrypt the files.
Encrypted information includes a key that will allow a
recovery agent to decrypt the file. By default, the domain
administrator is the recovery agent. You can assign
additional recovery agents. Be aware that the recovery
information is built into the encrypted file so you cannot
make someone a recovery agent for a file that was already
encrypted.
Sharing Data:
The main reason we have networks is for the sharing of data and printers. Let's take a look at data sharing.
When a folder is shared, permissions are given
to users that need to access the folder. The two types of
permissions are Share level and NTFS permissions.
Share Level Permissions:
By default, the Everyone group is given Full Control permissions when a folder is shared. Share level permissions are only in effect when a folder is accessed over the network. If a user logs on locally, share level permissions have no effect; only NTFS permissions will be in effect.
- Full Control - Allows the user to change permissions, take ownership of NTFS files, and perform all tasks permitted by the Change permission.
- Change - Create folders and add files, manipulate data in files, change file attributes, delete folders and files, and perform all tasks permitted by the Read permission.
- Read - Display names of folders and files, display data and attributes of files, run program files, manipulate subfolders.
- These permissions can either be allowed or denied.
Share level permissions can be applied on a user or on a group level. When a user attempts to access a shared folder, all of the permissions for that user are combined. If a user is in one group with Full Control, in one group with Change, and the user himself has Read, the combined permission is the least restrictive, Full Control. Any time the user is explicitly denied access, whether through a user or a group permission, this overrides all other permissions. If a user is in one group with Full Control, in one group which is denied access, and the user himself has Change permissions, the effective permission is no access, as the denial overrides all of the other permissions. Always assign the most restrictive permissions you can to a user. You don't want them to be able to do anything more than they need to. The easiest and most efficient way to assign permissions is to do it on a group basis. If everyone in your accounting department needs certain permissions to several folders, assign the permissions to a group called Accounting; then, when a new employee joins the accounting team, all you have to do is place this employee's user account in the Accounting group and all of their permissions will be there.
Windows 2000 shares some folders by default for administrative purposes. These shares show up with a $ after the name. The dollar sign signifies that the share is hidden from the browse list; these default administrative shares are only accessible by users with administrative rights. If you want to hide any of the shares that you create, simply put a $ after the name (e.g. Share$).
NTFS Permissions:
When a volume is formatted with the NTFS file system, NTFS permissions can be used to secure resources. NTFS permissions allow you to assign permissions at the folder and file level, while share permissions are limited to the folder level. NTFS permissions are also a lot more granular than share level permissions, allowing you to grant such things as Traverse Folder, Write Attributes and much more.
Applying NTFS Permissions:
Users can be assigned permissions directly or can be put into groups that have permissions assigned. All individual permissions and group permissions are combined to find the user's effective permissions. It is highly recommended to put users into groups and give permissions to the groups.
No access overrides all other permissions.
File permissions take precedence over folder permissions. If you have no access to a folder but have Full Control on a file in that folder, you can still access the file using the full UNC path to that file.
Combining Share and NTFS permissions.
When figuring permissions, look at share and
NTFS separately. Take the least restrictive share permission
and the least restrictive NTFS permission. Now take the most
restrictive of the two and that is your effective
permission.
ex.
Joe is in the Accounting group and also in the IT group.
The Accounting group has Full Control on the share 'RedSox'.
The IT group has Read access on the share 'RedSox'.
Joe's cumulative permissions on the share 'RedSox' are Full Control.
The Accounting group has Read NTFS permissions on the directory 'RedSox'.
The IT group has Change NTFS permissions on the directory 'RedSox'.
Joe's cumulative NTFS permissions on the directory 'RedSox' are Change.
Now we take the most restrictive of the two results, which is Change; that is the access Joe has when accessing 'RedSox' over the network.
Keep in mind that if Joe is logged on locally to the machine holding the 'RedSox' directory, only NTFS permissions apply and share permissions are not considered. Share permissions are only used when coming across the network share.
Also keep in mind that if Joe is explicitly
denied access anywhere, he automatically gets no access
regardless of what other permissions he has elsewhere with
the exception of no access to a folder but access to a file
within the folder that can be accessed through a UNC path.
By default the everyone group is given full
control. This should be removed or else anyone who is able to
log on locally to a system will have full control.
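The rules above (least restrictive within the share permissions, least restrictive within NTFS, then the most restrictive of the two; explicit deny overrides everything; NTFS only for a local logon; file permissions before folder permissions) can be checked with the following Python function. It is an added example, not a Windows API or the guide's own material: the group memberships and ACLs are constructed to match the RedSox example, and NTFS access is modelled with the same three levels used for share permissions.

```python
"""Effective-permission calculator for the share and NTFS rules above.
Added example, not a Windows API: ACLs and group memberships are constructed,
and NTFS access is modelled with the three share levels (Read, Change, Full Control)."""
from typing import Iterable, List, Optional, Set, Tuple

# Higher number = less restrictive. None stands for "no access".
LEVELS = {"Read": 1, "Change": 2, "Full Control": 3}
NAMES = {v: k for k, v in LEVELS.items()}

AclEntry = Tuple[str, str, str]   # (principal, "Allow" | "Deny", level)


def cumulative(acl: Iterable[AclEntry], principals: Set[str]) -> Optional[str]:
    """Combine every entry that applies to the user or to one of the user's groups:
    the least restrictive allowed level wins, except that any explicit Deny
    overrides everything. No matching entry at all also means no access."""
    best = 0
    for who, kind, level in acl:
        if who not in principals:
            continue
        if kind == "Deny":
            return None
        best = max(best, LEVELS[level])
    return NAMES.get(best)


def effective(user: str, groups: Set[str], share_acl: List[AclEntry],
              folder_acl: List[AclEntry], file_acl: Optional[List[AclEntry]] = None,
              over_network: bool = True) -> Optional[str]:
    """Access the user ends up with on the resource.
    - Every user is also a member of the Everyone group.
    - NTFS: file permissions take precedence over the folder's, so a file ACL,
      when given, is evaluated instead of the folder ACL.
    - Local logon: only NTFS counts. Over the network: take the least restrictive
      share result and the least restrictive NTFS result, then the more
      restrictive of those two."""
    principals = groups | {user, "Everyone"}
    ntfs = cumulative(file_acl if file_acl is not None else folder_acl, principals)
    if not over_network:
        return ntfs
    share = cumulative(share_acl, principals)
    if share is None or ntfs is None:
        return None
    return NAMES[min(LEVELS[share], LEVELS[ntfs])]


# Constructed data mirroring the RedSox example above.
JOE_GROUPS = {"Accounting", "IT"}
REDSOX_SHARE = [("Accounting", "Allow", "Full Control"), ("IT", "Allow", "Read")]
REDSOX_NTFS = [("Accounting", "Allow", "Read"), ("IT", "Allow", "Change")]

# A share left at its default: Everyone has Full Control on both ACLs.
DEFAULT_SHARE = [("Everyone", "Allow", "Full Control")]
DEFAULT_NTFS = [("Everyone", "Allow", "Full Control")]

if __name__ == "__main__":
    print("Joe over the network:", effective("Joe", JOE_GROUPS, REDSOX_SHARE, REDSOX_NTFS))
    print("Joe logged on locally:",
          effective("Joe", JOE_GROUPS, REDSOX_SHARE, REDSOX_NTFS, over_network=False))
    denied = REDSOX_SHARE + [("IT", "Deny", "Read")]
    print("Joe with IT denied on the share:", effective("Joe", JOE_GROUPS, denied, REDSOX_NTFS))
    print("Anyone, default ACLs, local logon:",
          effective("Guest", set(), DEFAULT_SHARE, DEFAULT_NTFS, over_network=False))
```

The last line of the demo is the point of the warning above: with the default Everyone/Full Control left in place, a user with no group memberships at all still gets Full Control as soon as they can log on locally.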
Permissions and Moving/Copying files on
NTFS volumes:
When copying folders or files either from
one partition to another or on the same partition, the
permissions will be inherited from the target folder.
When moving files to another partition, the
permissions will be inherited from the target folder.
When moving files or folders on the same
partition, the permissions will remain intact. This is the
only time permissions are retained and not inherited.
One easy way to remember this is: MRS -
Move Retains Same (partition)
Whenever files are moved or copied to a FAT partition, all permissions are lost, as FAT does not support NTFS permissions.
Recovery and Protection:
Boot Disk - If your system is unable to boot, you
may need to use the Emergency Repair Disk or the Recovery
console. To do this, you will need to either boot from floppy
disks or from the setup CD. To make a set of boot disks, get
four floppy disks and run makeboot.exe from the bootdisk
folder of your setup CD. After booting from these disks, you
will be able to do an emergency repair or run the recovery
console. Boot disks made on a system running Windows 2000 Professional can only be used to start a system running Windows 2000 Professional; boot disks made on a system running Windows 2000 Server can only be used to boot a system running Windows 2000 Server.
Recovery Console - Windows
2000 has a recovery console to help when you have trouble
booting. The recovery console is not installed by default.
Install the recovery console by running winnt32.exe /cmdcons
from the I386 directory of the CD. You will now see an option
to enter the Windows 2000 recovery console at boot up. (or it
can be run by booting from the setup floppies or CD and
choosing repair)
The recovery console is limited to administrators (you will be
authenticated when entering) and will allow you to do such
things as:
- Use, copy, rename or replace operating system files and
folders.
- Enable or disable services or devices from starting when
you next start your computer.
- Repair the file system boot sector or the Master Boot
Record (MBR).
- Create and format partitions on drives.
You are fairly restricted as to what you are able to do. You can't copy files out to a floppy or removable media; you can only copy them from the floppy or removable media to the hard drive.
Emergency Repair Disk (ERD) - Windows 2000 ERDs are created through the Backup program (you will see an option to create an ERD on the welcome screen). RDISK (from NT 4.0) is no longer available. The repair process will attempt to
repair system files, the partition boot sector on your system
disk, and your startup environment if you have a dual boot
system. To run the repair process, boot either from the
Windows 2000 CD or from the setup floppies. Choose the
'repair or recover' option when prompted. Fast repair will
attempt to repair everything, manual repair will allow you to
choose.
Driver Signing - Microsoft digitally signs all
drivers that are qualified to run with Windows 2000. You have
the option to install only drivers that have been signed, see
a warning when drivers haven't been signed so you can decide
then, or never allow unsigned drivers to be installed. This
can be set from control panel, system on the hardware tab.
System File Checker - System File Checker (sfc.exe)
is a command line utility that scans and verifies the versions
of all protected system files after you restart your computer.
If System File Checker discovers that a protected file has
been overwritten, it retrieves the correct version of the file
from the %systemroot%\system32\dllcache folder,
and then replaces the incorrect file.
Windows File Protection - runs in the background and
watches for applications trying to replace your system files
such as .sys, .dll, .ocx, .ttf, .fon, and .exe files. If an
application attempts to replace a system file with one that is
not signed, Windows file protection replaces it back with one
stored in dllcache and logs the attempt in the Event log.
There are 4 instances where File protection will allow the
files to be replaced:
- Windows 2000 Service Packs using Update.exe
- Hotfix distributions using Hotfix.exe
- Operating system upgrades using Winnt32.exe
- Windows Update
Task Scheduler - allows you to automate running
commands, scripts or programs at a set time. This is accessed
through the scheduled tasks folder in control panel. It
offers the ability to choose a user account for each task.
Offline Files - Windows 2000 offers the ability to
use files offline. Any files that you set up to have
available offline will be there when you disconnect from the
network. Your permissions will be the same as if you were
connected to the network. When you connect back to the
network, the files are synchronized with the network.
Performance Monitor - This chart shows some of the common counters and their acceptable ranges.

Resource | Object\Counter | Suggested threshold | Comments
Disk | PhysicalDisk\% Disk Time | 90% |
Disk | PhysicalDisk\Disk Reads/sec, PhysicalDisk\Disk Writes/sec | Depends on manufacturer's specifications | Check the specified transfer rate for your disks to verify that this rate doesn't exceed the specifications. In general, Ultra Wide SCSI disks can handle 50 I/O operations per second.
Disk | PhysicalDisk\Current Disk Queue Length | Number of spindles plus 2 | This is an instantaneous counter; observe its value over several intervals. For an average over time, use PhysicalDisk\Avg. Disk Queue Length.
Memory | Memory\Available Bytes | Less than 4 MB | Research memory usage and add memory if needed.
Memory | Memory\Pages/sec | 20 | Research paging activity.
Network | Network Segment\% Net Utilization | Depends on type of network | You must determine the threshold based on the type of network you are running. For Ethernet networks, for example, 30% is the recommended threshold.
Paging File | Paging File\% Usage | 99% | Review this value in conjunction with Available Bytes and Pages/sec to understand paging activity on your computer.
Processor | Processor\% Processor Time | 85% | Find the process that is using a high percentage of processor time. Upgrade to a faster processor or install an additional processor.
Processor | Processor\Interrupts/sec | Depends on processor | A dramatic increase in this counter value without a corresponding increase in system activity indicates a hardware problem. Identify the network adapter causing the interrupts.
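The following Python script (an added example, not a Microsoft tool and not part of this guide) turns the table above into a check that can be run over counter readings collected from Performance Monitor. The readings and the spindle count below are constructed. Because the disk queue counter is instantaneous, each counter is averaged over several intervals before it is compared, and counters whose threshold "depends on" the hardware (Interrupts/sec, reads and writes per second) are reported as unchecked rather than silently ignored.

```python
"""Threshold checks over Performance Monitor counter samples.
Added example, not a Microsoft tool: thresholds come from the table above,
the sample readings are constructed."""
from statistics import mean
from typing import Dict, List, Tuple

Alert = Tuple[str, float, float]   # (counter, observed average, threshold)


def thresholds(spindles: int, ethernet: bool = True) -> Dict[str, Tuple[str, float]]:
    """Counter -> (direction, limit). 'above' alerts when the average exceeds the
    limit, 'below' when it falls under it."""
    t = {
        r"PhysicalDisk\% Disk Time": ("above", 90.0),
        r"PhysicalDisk\Current Disk Queue Length": ("above", float(spindles + 2)),
        r"Memory\Available Bytes": ("below", 4 * 1024 * 1024),   # less than 4 MB
        r"Memory\Pages/sec": ("above", 20.0),
        r"Paging File\% Usage": ("above", 99.0),
        r"Processor\% Processor Time": ("above", 85.0),
    }
    if ethernet:   # the table only fixes the network threshold for Ethernet
        t[r"Network Segment\% Net Utilization"] = ("above", 30.0)
    return t


def evaluate(samples: Dict[str, List[float]], spindles: int, ethernet: bool = True):
    """Average each counter over its sampling intervals (the queue length in
    particular is instantaneous, so a single reading misleads) and compare the
    average against the threshold. Returns (alerts, unchecked counters), sorted."""
    limits = thresholds(spindles, ethernet)
    alerts: List[Alert] = []
    unchecked: List[str] = []
    for counter, readings in samples.items():
        if counter not in limits or not readings:
            unchecked.append(counter)
            continue
        direction, limit = limits[counter]
        avg = mean(readings)
        if (direction == "above" and avg > limit) or (direction == "below" and avg < limit):
            alerts.append((counter, avg, limit))
    return sorted(alerts), sorted(unchecked)


# Constructed readings from five consecutive intervals on a one-spindle server.
SAMPLES = {
    r"PhysicalDisk\% Disk Time": [88, 95, 97, 93, 94],                   # avg 93.4 > 90
    r"PhysicalDisk\Current Disk Queue Length": [1, 6, 2, 1, 0],           # one spike, avg 2.0 <= 3
    r"Memory\Available Bytes": [5_000_000, 3_000_000, 2_500_000, 2_800_000, 3_100_000],  # avg < 4 MB
    r"Memory\Pages/sec": [5, 8, 12, 6, 4],
    r"Network Segment\% Net Utilization": [12, 15, 18, 20, 11],
    r"Paging File\% Usage": [40, 42, 41, 43, 40],
    r"Processor\% Processor Time": [60, 70, 95, 99, 98],                  # avg 84.4, just under 85
    r"Processor\Interrupts/sec": [900, 950, 4_000, 4_100, 4_050],          # no fixed threshold
}

if __name__ == "__main__":
    found, skipped = evaluate(SAMPLES, spindles=1)
    for counter, avg, limit in found:
        print(f"ALERT {counter}: average {avg:.1f} vs threshold {limit}")
    for counter in skipped:
        print(f"UNCHECKED {counter}: compare against the hardware's own specification")
```

With the constructed readings the script flags % Disk Time and Available Bytes, leaves the single queue-length spike alone because the average stays under spindles + 2, and lists Interrupts/sec as unchecked, which is where the jump from 950 to 4000 would have to be looked at by hand against the processor's own figures.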
Transmission Control Protocol/Internet Protocol (TCP/IP) - TCP/IP is the default protocol used with Windows 2000. In the NT 4.0 world, TCP/IP was a separate topic and exam. In the Windows 2000 world it was incorporated into the core exams, so expect to see it in every exam you sit.
History -
Protocol suite designed for Wide Area Networks (WANs). Originally used by the Department of Defense in the late 60s, TCP/IP is now the common protocol used for the Internet. All major operating systems offer support for TCP/IP.
The standards for TCP/IP are published in a series of documents called Requests for Comments (RFCs).
TCP/IP utilities
FTP - File Transfer Protocol - provides file transfers between
TCP/IP hosts with one running FTP software.
Telnet - Provides Terminal Emulation to a TCP/IP host running
Telnet server software.
RSH - Remote Shell - runs commands on a UNIX host.
REXEC - Remote Execution - Runs a process on a remote
computer.
LPR - Line Printer Remote - Prints a file to a host running
the LPD Service.
LPQ - Line Printer Queue - Obtain status of a print queue on a
host running the LPD Service.
LPD - Line Printer Daemon - Services LPR requests and submits
print jobs to a printer device.
PING - Packet Internet Groper - Verifies that TCP/IP is
configured correctly and that another host is available.
IPCONFIG - Displays TCP/IP configuration; with the /all switch it also shows DHCP, DNS and WINS addresses. WINIPCFG is used in Win9.x.
NSlookup - examines entries in the DNS database pertaining to
a particular host or domain.
Hostname - Returns the local computer's host name.
Netstat - Displays Protocol statistics and the current state
of TCP/IP connections.
NBTstat - Checks the state of current NetBIOS over TCP/IP
connections, updates LMHOSTS cache, determines registered
name.
Route - views or modifies the local routing table.
Tracert - verifies the route used from the local host to the
remote host.
ARP - Address Resolution Protocol - Displays a cache of locally resolved IP addresses to Media Access Control (MAC) addresses.
Finger - Retrieves system info from a remote computer that
supports the TCP/IP finger service.
TCP/IP Address Properties.
IP Address - A 32-bit address used to uniquely identify a TCP/IP host. The address has two parts, the network ID and the host ID. The network ID identifies all hosts that are on the same logical network. The host ID identifies the host. Hosts can be workstations, servers, routers, etc. A sample IP address is 24.128.102.7.
Let's compare this to the calendar. We have 12 networks: January, February, March... On each network, we have hosts: 1, 2, 3, 4...
January 1 and January 14 are unique hosts on the same network. March 4 and June 17 are on different networks.
Subnet Mask - Blocks part of the IP address
to distinguish the network ID from the Host ID. This will
determine if the TCP/IP clients are on the same network or on
a remote network. An example of a subnet mask is
255.255.255.0. An improper Subnet mask can cause
connectivity problems.
Default Gateway - If a packet is determined
not to be on the same network, it is sent to the default
gateway. This is usually a router. An incorrect default
gateway will produce errors when trying to communicate outside
of your network.
A TCP/IP client must at least have an IP address and a subnet
mask for communications to work.
A TCP/IP client must have a minimum of IP address, Subnet mask
and default gateway for TCP/IP to work through a router.
Hosts communicate by Media Access Control (MAC) address. If a
MAC address is not known then an ARP broadcast is sent out.
The destination hardware will respond with its MAC address and
its IP address and these are stored in the ARP cache. The ARP
cache is always checked before doing an ARP broadcast.
IP Addresses dissected.
The 32 bit IP Address is broken down into 4 8-bit fields
called octets separated by a period. Each octet represents a
number between 0 and 255.
To understand the addresses you must look at them in binary
form.
Bit                   | 1   | 1  | 1  | 1  | 1 | 1 | 1 | 1
Decimal (powers of 2) | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
Let's look at IP address 24.128.102.7.
In binary form this would translate to:
24  = 00011000 (the bits at 16 + 8 are turned on)
128 = 10000000 (the bit at 128 is turned on)
102 = 01100110 (the bits at 64 + 32 + 4 + 2 are turned on)
7   = 00000111 (the bits at 4 + 2 + 1 are turned on)
00011000 . 10000000 . 01100110 . 00000111
The Network portion of the IP is on the left side. The
host portion of the ID is on the right side.
Which part is the Network and which is the
Host?
In the early days things were simple and IP addresses fell
into classes. Let's start with the default classful IP
addresses. Class A or /8(pronounced slash 8) network, Class B
or /16 network, Class C or /24 network.
Class A or /8 network.
The first 8 bits to the left (the first octet) are the
network ID and the next 24 bits(3 octets) are the host ID.
The first bit in a class A address is always set to zero which
actually leaves us 7 bits to toggle for the network ID.
This leaves our first octet as 00000001 to 01111111, or 1 to
127.
The 127.x.x.x addresses are reserved for loopback, which leaves
us 1 to 126.
Class B or /16 network.
The first 16 bits(2 octets) to the left are the network ID
and the next 16 bits(2 octets) are the host ID. The first two
bits in a class B address are always set to 1-0 which actually
leaves us 14 bits to toggle for our Network ID.
This leaves our first octet as 10000000 to 10111111, or 128
to 191.
Class C or /24 network.
The first 24 bits (3 octets) to the left are the network ID
and the next 8 bits (1 octet) are the host ID. The first three
bits in a class C address are always set to 1-1-0, which
actually leaves us 21 bits to toggle for our network ID.
This leaves our first octet as 11000000 to 11011111, or 192
to 223.
Class D network. Class D addresses are
reserved for multicasting. The first four bits in a class D
address are always set to 1-1-1-0.
This leaves our first octet as 11100000 to 11101111, or 224
to 239.
Class E network. Class E addresses are
reserved for future and experimental use. The first four bits
in a class E address are always set to 1-1-1-1.
This leaves our first octet as 11110000 to 11111111, or 240
to 255.
IP Address Class | Decimal Range | # Networks available 2^x-2 (1) | # Hosts available 2^y-2 (2)
Class A (/8)     | 1 to 126      | 126                            | 16777214
Class B (/16)    | 128 to 191    | 16382                          | 65534
Class C (/24)    | 192 to 223    | 2097150                        | 254
Class D          | 224 to 239    | n/a (multicast)                | n/a
Class E          | 240 to 255    | n/a (reserved)                 | n/a
(1) - Number of available networks is determined by using
powers of 2. There are 2 possible positions for a bit.
On (1) and Off (0). Keeping in mind that the first bit is always
set to 0, we have 7 bits left to toggle. This means that
there are 2^7 networks available for a Class A. By rule
(because some older routers can't route them) the all(0)'s and
all (1)'s networks are not used which leaves us with 2^7-2
Networks available for the Class A. Using this same 2^x-2
formula we can determine the number of networks for Class B
and Class C. Remember that in Class B, the first two bits are
always set to 1-0 giving us 14 bits to toggle for a formula of
2^14-2. Remember that in Class C, the first three bits are
always set to 1-1-0 giving us 21 bits to toggle for a formula
of 2^21-2.
(2) - Number of Hosts is derived using the same formula as
the number of networks. Class A network uses 8 bits for the
Network ID leaving us 24 bits for the Host ID. Using our
formula 2^24-2, we get 16777214. We can calculate the Hosts
for Class B and Class C the same way.
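The binary dissection and the 2^x-2 / 2^y-2 network and host counts above, worked in Python as an added example (this is not code from the original study guide; the CLASSES table and the function names are my own):

```python
# Added example (not from the original study guide): dissect a dotted-quad IP
# address into its binary octets, identify its class from the leading bits of
# the first octet, and apply the guide's 2^x-2 / 2^y-2 network and host counts.

# (class name, fixed leading bits, network bits); D and E have no network/host split
CLASSES = [
    ("A", "0", 8),
    ("B", "10", 16),
    ("C", "110", 24),
    ("D", "1110", None),  # multicast
    ("E", "1111", None),  # reserved / experimental
]

def to_binary(address):
    """'24.128.102.7' -> ['00011000', '10000000', '01100110', '00000111']."""
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a valid dotted-quad address: %r" % address)
    return ["{:08b}".format(o) for o in octets]

def set_bits(field):
    """Powers of two 'turned on' in one 8-bit field: '01100110' -> [64, 32, 4, 2]."""
    return [128 >> i for i, bit in enumerate(field) if bit == "1"]

def default_mask(net_bits):
    """Classful default mask, e.g. 16 -> '255.255.0.0'."""
    bits = "1" * net_bits + "0" * (32 - net_bits)
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))

def classify(address):
    """Classful interpretation of an address, including the counts from the table."""
    fields = to_binary(address)
    bits = "".join(fields)
    name, prefix, net_bits = next(c for c in CLASSES if bits.startswith(c[1]))
    info = {"class": name, "binary": " . ".join(fields)}
    if net_bits is None:          # Class D/E: no network or host portion
        return info
    octets = address.split(".")
    fixed = len(prefix)           # leading bits that cannot be toggled
    host_bits = 32 - net_bits
    info.update({
        "prefix": "/%d" % net_bits,
        "default_mask": default_mask(net_bits),
        "network_id": ".".join(octets[:net_bits // 8]),
        "host_id": ".".join(octets[net_bits // 8:]),
        # all-0s and all-1s network IDs are not used, hence 2^x - 2
        "networks": 2 ** (net_bits - fixed) - 2,
        # all-0s (network) and all-1s (broadcast) host IDs are not used, 2^y - 2
        "hosts": 2 ** host_bits - 2,
    })
    if octets[0] == "127":        # 127.x.x.x is reserved for loopback
        info["reserved"] = "loopback"
    return info

if __name__ == "__main__":
    for key, value in sorted(classify("24.128.102.7").items()):
        print("%-12s %s" % (key, value))
```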
I have two IP Addresses. Are they on the same
network?
To decide whether or not two IP addresses are on the same
network, we use a subnet mask. This is used to mask the
network portion of the IP Address. The network portion of the
IP address has a 1 in the corresponding bit of the subnet
mask. The host portion of the IP has a 0 in the corresponding
bit of the subnet mask. Let's take a look at the subnet mask
in binary form.
Class A addressing.
01110111 . 00100010 . 00010100 . 00010101 = 119.34.20.21
11111111 . 00000000 . 00000000 . 00000000 = 255.0.0.0 -
This is the default Subnet Mask for Class A networks.
01110111 . 00111000 . 00101011 . 01000000 = 119.56.43.64
In the above example, 119 is the network ID because it
corresponds with the bits turned on in the subnet mask. Both
of the above IP's are on the same network.
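The same-network decision above, ANDing each address with the subnet mask, as an added Python example (not code from the original study guide). It also generalizes slightly: it rejects an improper, non-contiguous mask of the kind the guide warns about, and shows the resulting next-hop choice between direct delivery and the default gateway. The function names and the gateway address used in the example run are my own:

```python
# Added example (not from the original study guide): decide whether two TCP/IP
# hosts share a network by ANDing each address with the subnet mask, and pick
# the next hop (direct delivery or the default gateway) the way a host does.

def to_int(dotted):
    """'119.34.20.21' -> 32-bit integer; rejects anything not 4 octets of 0-255."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a valid dotted-quad value: %r" % dotted)
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value

def to_dotted(value):
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_bits(dotted):
    """Show the 32 bits grouped the way the guide does: 01110111 . 00100010 . ..."""
    s = "{:032b}".format(to_int(dotted))
    return " . ".join(s[i:i + 8] for i in range(0, 32, 8))

def is_valid_mask(mask):
    """True for a run of 1s followed by a run of 0s (255.0.0.0, 255.255.0.0).
    False for an 'improper' mask such as 255.0.255.0, which the guide warns
    about: hosts that should be local get treated as remote, or vice versa."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0   # inverted + 1 must be a power of two

def network_id(address, mask):
    """Network portion of the address: the bits where the mask has a 1."""
    if not is_valid_mask(mask):
        raise ValueError("improper subnet mask: %s" % mask)
    return to_dotted(to_int(address) & to_int(mask))

def same_network(addr_a, addr_b, mask):
    """Two hosts are on the same logical network when their network IDs match."""
    return network_id(addr_a, mask) == network_id(addr_b, mask)

def next_hop(source, destination, mask, default_gateway):
    """Where the sending host forwards a packet: straight to the destination
    if it is local, otherwise to the default gateway (usually a router)."""
    if same_network(source, destination, mask):
        return destination
    return default_gateway

if __name__ == "__main__":
    # The guide's Class A example: both hosts fall under 119.0.0.0 with 255.0.0.0
    print(to_bits("119.34.20.21"))
    print(to_bits("255.0.0.0"))
    print(to_bits("119.56.43.64"))
    print(same_network("119.34.20.21", "119.56.43.64", "255.0.0.0"))    # True
    print(same_network("119.34.20.21", "119.56.43.64", "255.255.0.0"))  # False
```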
Dynamic Host Configuration Protocol (DHCP)
– automatically assigns TCP/IP addresses and information to
client computers. The client requests an IP from the DHCP
server at startup. The DHCP server chooses an IP from a pool
and offers it to the client, along with the subnet mask,
default gateway, and many other optional items. If the client
accepts the offer the IP will be leased for a specified period
of time. A DHCP server must have a static IP address. Windows
2000 introduces us to authorized DHCP servers in which an
administrator has to give the OK for a DHCP server to run or
it will shut down its services. This prevents anyone from
setting up a DHCP server and handing out addresses that you
don't want. A scope is set up which is a range of valid IP
addresses that a DHCP server can assign. If you have multiple
DHCP servers, they must each have a unique scope to avoid
assigning duplicate IP addresses. You can have multiple scopes
on a DHCP server.
For redundancy, you should share part of
your scope with another DHCP server.
Ex. You have the subnet 222.222.222.x. You
can give a scope of 222.222.222.1 to 222.222.222.200 to your
primary DHCP server and a scope of 222.222.222.201 to
222.222.222.254 to a secondary server. This will allow clients
to obtain a lease if the primary DHCP server is down but will
avoid the leasing of duplicate IPs. Microsoft's
recommendation is to have 80% of the addresses in the primary
and 20% in the secondary. DHCP can also hand out many other
pieces of information including routers, DNS servers, and WINS
servers. These can be configured at the global level, scope
level or client level.
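The 80/20 scope split and the "unique scope" requirement above, as an added Python example (not code from the original study guide): it divides one subnet's usable range between a primary and a secondary server and checks a list of scopes for overlap, since overlapping scopes are what lead to duplicate leases. The scope names and the third scope in the example run are constructed:

```python
# Added example (not from the original study guide): split a subnet's address
# pool 80/20 between two DHCP servers and check that no two scopes overlap.
# Assumes dotted-quad input; no other validation is performed.

def to_int(dotted):
    """'222.222.222.1' -> 32-bit integer."""
    value = 0
    for octet in dotted.split("."):
        value = (value << 8) | int(octet)
    return value

def to_dotted(value):
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def split_scope(first, last, primary_share=0.80):
    """Divide the usable range first..last between a primary and a secondary
    DHCP server. The primary receives primary_share of the addresses (80% per
    the recommendation quoted in the guide); the secondary receives the rest."""
    lo, hi = to_int(first), to_int(last)
    primary_count = int((hi - lo + 1) * primary_share)
    primary = (to_dotted(lo), to_dotted(lo + primary_count - 1))
    secondary = (to_dotted(lo + primary_count), to_dotted(hi))
    return primary, secondary

def overlapping_scopes(scopes):
    """Return the pairs of scope names, given as (name, first, last), that share
    at least one address. An empty list means each address belongs to one scope."""
    ranges = [(name, to_int(first), to_int(last)) for name, first, last in scopes]
    conflicts = []
    for i, (name_a, lo_a, hi_a) in enumerate(ranges):
        for name_b, lo_b, hi_b in ranges[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:   # the two intervals intersect
                conflicts.append((name_a, name_b))
    return conflicts

if __name__ == "__main__":
    print(split_scope("222.222.222.1", "222.222.222.254"))
    # The guide's split has no overlap; a constructed third scope overlaps both
    print(overlapping_scopes([
        ("primary", "222.222.222.1", "222.222.222.200"),
        ("secondary", "222.222.222.201", "222.222.222.254"),
        ("third", "222.222.222.150", "222.222.222.250"),
    ]))
```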
Automatic Private IP addressing (APIPA) - This is a
feature that Windows 2000 offers that is similar to a mini
DHCP server. If a computer is set up to use DHCP and a DHCP
server is not available, Windows 2000 assigns an IP address
from the private range 169.254.0.1 - 169.254.255.254 with a
subnet mask of 255.255.0.0. This can be quite useful in a
home office or small company as there is no need to set up a
DHCP server. It is quite limited though in that you don't get
a default gateway so it is useless in a routed environment.
Another downside is that in a network in which the DHCP server
is unavailable a client will log on and won't get any error
messages, so it might make troubleshooting a bit more difficult
when they can't access network resources.
Windows Internet Name Service (WINS) -
WINS is responsible for resolving NetBIOS names to IP
addresses. When a WINS client boots up it announces itself to
the WINS server. The WINS server stores the name and IP of the
client in the database to hand out on future requests. This
enables you to connect to a server named Appserver by name
instead of having to remember Appserver's IP address. The WINS
database is dynamic.
DNS (Domain Name System)
DNS is used to resolve fully qualified domain names (FQDN) to
IP addresses. i.e. CERTguide.com resolves to 24.128.102.7.
Windows 2000 uses DNS as its primary means of resolution
including locating domain controllers.
Query Types
Iterative Query - If the DNS server does not have the answer,
it will tell you that it can't help you.
Recursive Query - If the DNS server does not have the answer,
it will go to another DNS server that does.
Lookup Zone Files
Forward Lookup Zone - resolves hostname to IP address
Reverse Lookup Zone - resolves IP address to hostname.
Host File - manually updated text file that contains IP
address to host name combinations. This is how it was done
before DNS.
Zone Types
DNS is divided into zones so that you can be responsible only
for your own section, or zone.
Standard Primary - contains read/write copy of zone file
stored in a text file.
Standard Secondary - contains read only copy of zone file
stored in a text file. Changes are made on the primary and
replicated to the secondary.
Active Directory Integrated - stores zone info in Active
Directory. Changes update with Active directory replication
automatically.
Record Types
A record - hostname to IP address. You must add these manually
if your clients do not update. Also referred to as a host
record.
MX record (Mail Exchanger) - Specifies which server to deliver
mail to.
CNAME (canonical name) record - allows you to give additional
names to an A record. If the server patriots.CERTguide.com
hosts the website for www.CERTguide.com, create a CNAME to map
www to patriots. Also referred to as an alias record.
Start of Authority (SOA record) - controls how often and with
whom replication takes place.
Zone Transfer - This is the process of replicating data from
one DNS server to another.
Windows 2000 introduces incremental zone transfer (IXFR),
which only transfers changes to the zone instead of the entire
zone.
Subdomain - also known as a child domain. Located below the
domain. tips.CERTguide.com is a subdomain of CERTguide.com.
DDNS (Dynamic DNS) - Windows 2000 includes DNS that is
dynamically updated to prevent having to manually keep the DNS
database current. When a Windows 2000 client boots up, it will
send its info straight to the DNS server to be added.
Windows 9.x and NT clients cannot pass their information
directly to the DNS server, so the DHCP server forwards their
information along to allow them to take advantage of
Dynamic DNS. Dynamic updates are configured at the zone level,
so you can choose to keep one or more zones manually updated if
you wish.
Caching only servers - look up queries for clients and cache
the information so the clients don't have to keep going to the
server. They are not authoritative for anything.
RAS (Remote Access Service)
Windows 2000 supports several remote access protocols
including:
PPP (Point to Point Protocol) - most common Remote
Access protocol. Allows for multivendor environments.
SLIP (Serial Line Internet Protocol) - not supported on
the server, only the client. Mostly used for telnet.
Microsoft RAS - Clients must use NetBEUI. Server acts
as gateway to connect to NetBEUI, TCP/IP, or IPX/SPX.
ARAP (AppleTalk Remote Access Protocol) - A Windows
2000 server running ARAP can accept connections from Macintosh
clients.
Windows 2000 RAS supports several LAN protocols including:
TCP/IP
NetBEUI
NWlink
AppleTalk
Permissions can be set to allow access, deny access or control
through Remote Access Policy. (control through RAS policy only
available in native mode)
Caller ID can be enabled to check for a specific number before
accepting connection. (only available in native mode)
RAS can be configured to call user back at a specific number
to complete connection.
RAS can be set to assign a static IP address if a client
requires a specific IP.
Windows 2000 RAS supports multilink in which several
connections can be combined to increase bandwidth. Both
client and server need to have multilink enabled.
BAP (Bandwidth Allocation Protocol) - works with multilink to
provide bandwidth on demand by adding or dropping links as
needed.
Remote Access Authentication Protocols:
PAP (Password Authentication Protocol) - uses clear
text passwords. Provides little security.
SPAP (Shiva Password Authentication Protocol) - more
secure than PAP. Used to connect a Shiva LANRover to Windows
2000. Medium security.
CHAP - (Challenge Handshake Authentication Protocol) -
uses the industry standard MD5 1-way encryption scheme to
encrypt the response. Highly Secure.
MS-CHAP (Microsoft Challenge Handshake
Authentication Protocol) - 1-way encrypted password. This
is enabled by default on a Windows 2000 server running RAS.
Highly Secure.
MS-CHAP v2 (Microsoft Challenge Handshake Authentication
Protocol v2) - Strong encryption. Windows 2000 clients use
this by default for dialup. Windows 2000, NT4 and Win98
clients use this by default for VPN. Highly Secure.
EAP (Extensible Authentication Protocol) - Client and
server negotiate the Authentication method to include MD5
username and password encryption, smart-cards, token cards,
retina or fingerprint scanners and other third party
authentication technologies.
Remote Access Data Encryption Protocols:
MPPE (Microsoft Point to Point Encryption) - Encrypts
data moving between a PPTP connection and a VPN server. Can
use 128-bit, 56-bit or 40-bit encryption.
IPSec (Internet Protocol Security)
- IPSec encrypts data traveling across the network. The
systems communicating via IPSec use keys to decipher data that
has been encrypted using algorithms. The key can be generated
using algorithms on the systems communicating so that the key
does not have to travel across the network. Key lengths can be
varied depending on how secure the data needs to be. Keys can
also be changed dynamically during a session, so that if a key
is captured and deciphered, the rest of the data will still be
encrypted using a different key. IPSec can be forced on users
by using policies. IPSec communication can be assigned on a
group to group basis.
IP Addressing - RAS can hand out IP addresses using 3
methods:
- Static IP address - IP address is configured on
the client. Not recommended because of the administration.
- IP address Range - assign a range of addresses
to the RAS server to be able to give out.
- DHCP addressing - RAS will get addresses for its
clients from a DHCP server. Highly recommended as there is
only one pool of IP addresses to maintain.
Remote Access Policies - RAS Policies consist of
Conditions, permissions and profile.
Conditions - Conditions include things like time, user
groups, IP addresses, caller ID's that must be matched for
client to connect.
Permissions - RAS policy permissions work in
conjunction with a user's dial-in permissions in Active
Directory. Dial-in permissions will override RAS Policy
permissions. i.e. The sales group is granted remote access
through a policy from 9:00 to 5:00. John, a member of the
sales group, is given 24 hour access in Active Directory. John
will have 24 hour access.
Profiles - This contains settings such as time limits,
authentication and encryption protocols.
IAS (Internet Authentication Service) - IAS, in
conjunction with Routing and Remote Access Service, provides
support for RADIUS (Remote Authentication Dial-in User
Service). RADIUS is used for authentication of users outside
of the internal network. IAS also allows for tracking of
connections, for things like usage for billing purposes and
auditing for security purposes.
VPN (Virtual Private Networks)
A VPN is a tunnel between two systems. The data that passes
between the systems is encrypted. This allows for secure
communication across a public network such as the Internet.
VPNs use either the PPTP or the L2TP tunneling protocol.
PPTP (Point to Point Tunneling Protocol) - only works
on IP networks. Uses built-in PPP encryption.
L2TP (Layer 2 Tunneling Protocol) - works on IP, Frame
Relay, X.25 or ATM. Uses IPSec encryption.
Web Services - Windows 2000 includes Internet
Information Server (IIS) which is a full web hosting package
that will allow you to host either an Intranet or Internet
website. IIS also includes services for SMTP (E-mail) and
NNTP (news).
Hosting multiple domains on one server.
- Use unique IP addresses for each domain
- Use one IP and unique host headers for each domain
- Use one IP and assign different ports to each domain.
Virtual directories – A web site can point at any directory
on any physical hard drive on the IIS computer or on another
computer in the same domain. It will appear to the visitor that
the directory is the www root.
Terminal Services
- Remote Administration Mode - allows remote
administration of the server from a remote PC.
- Application Server mode - Clients connect to the
server to run applications that are installed on the
server. All processing is done on the server and only
screen output is passed to the client. This ensures that
all clients are using the same versions of software. It
also makes for easier upgrades, as you only need to upgrade
the software on the server. Older systems that couldn't
support modern applications will be able to use them, as they
don't have to do any of the processing.
- Security - Logon attempts can be limited to
prevent unauthorized access. Terminal Server also supports
encryption.
Account Policies
- Password Policy - determines settings such as
length, expiration period, complexity.
- Kerberos V5 policy - Kerberos settings like
ticket lifetime, renewal, and user logon restrictions.
- Account Lockout Policy - determines how many
unsuccessful attempts before an account is locked out and
how long it will remain locked out.
Account Policies are set at the domain level. If multiple
account policies are needed, multiple domains must be formed.
Auditing
- Discretionary Access Control List (DACL)
- Attached to each object is a list of groups or users that
have permissions to use that object and the level of
permissions that they have.
- System Access Control List (SACL) - Also
attached to each object is the SACL, which lists the
groups and users whose access is to be audited and which
events to audit for them.
- Files and folders can be audited to see
who took actions on them such as modifying files, changing
permissions, viewing attributes, etc.
- If you set auditing at the folder level,
the audit policy can be inherited by all files in the folder
if you choose.
- In addition to folder and file access,
events like Logons, Account management and directory service
access can also be audited.
- Whenever one of these audited events
occurs, an entry is made to the security log in Event
Viewer.