Managing a Microsoft
Windows 2000 Network Environment
Guide has been created to aid you in the basics of preparing
for the new MCSA title from Microsoft. As with all
study guides, never use one guide as your sole source of
In addition to your
hands-on experience working with the product, you may want to
use the following tools and training to help you prepare for
The Step-by-Step Guide
describes a concise, six-step approach to preparing for an MCP
exam, and is also a compendium of MCP exam-preparation
The Microsoft Official
Curriculum (MOC) consists of courses designed by Microsoft
product groups that support the certification exam process.
You can choose from instructor-led classroom training,
self-paced training kits, and online training.
Visit Microsoft Press, your
online bookstore, for books and CD-ROMs to help you get the
most out of Microsoft products. Microsoft Press offers a full
line of study materials for MCP exams.
Practice tests offered by
Microsoft Approved Practice Test Providers enable you to
assess and receive feedback on your level of knowledge and
exam-readiness prior to taking a certification exam. Although
your score on a practice test doesn't necessarily indicate
what your score will be on a certification exam, a practice
test gives you the opportunity to answer questions that are
similar to those on the certification exam and can help you
identify your areas of greatest strength and weakness.
Candidates for this exam
work in medium to very large computing environments that use
Microsoft Windows 2000 network and directory services.
Candidates have at least six months of experience
administering and supporting Windows 2000 server and client
operating systems that use Active Directory services in
environments that have the following characteristics.
From 200 to
26,000 users are supported.
From two to
100 physical locations are included.
network services and resources include messaging, file and
print, proxy server or firewall, Internet and intranet, remote
access, and client computer management.
needs include connecting branch offices and individual users
at remote locations to the corporate network and connecting
corporate networks to the Internet.
Active Directory Links
How to Deploy Active Directory
Best Practice Active Directory Deployment for Managing Windows
Guide to Active Directory Design
Active Directory Architecture
Building the Active Directory Tree
Extending Active Directory Schema and Preparing Forest for
Active Directory Diagnostics, Troubleshooting and Recovery
Best Practices for Designing the Active Directory Structure
How to Analyze and Manage Active Directory Replication Network
Traffic on Your Windows 2000 Server
How to Deploy a Windows 2000 Server Active Directory in Your
IT Resources: Active Directory Branch Office Guide Series
Managing, Securing, and Troubleshooting File, Print, and Web
resources in Active Directory. Types of resources include
printers and shared folders.
publish any shared network folder, including a distributed
file system (Dfs) folder, in Active Directory. Creating a
Shared folder object in Active Directory does not
automatically share the folder. It is a two-step process; you
must first share the folder, and then publish it in Active
Shared Folder in Windows 2000 Active Directory (Q234582)
To publish a
legacy printer in Active Directory you can go to the following
link to find step by step directions:
To publish a
Normal printer in Active Directory you can go to the following
link to find step by step directions:
search in Active Directory Users and Computers.
Know how to
search for objects within the Directory for the exam.
Know how to
create a print object (which is pretty easy) in the directory.
Also know how to use Group Policy for print object control.
You can find a large amount of information on how to do this
with the following Q article
Policies to Control Printers in Active Directory (Q234270)
storage. Considerations include file systems, permissions, and
If you are a
member of the Administrators group, you can enable quotas on
NTFS volumes. When you enable quotas on a volume that already
contains files, Windows calculates
the disk space used by all users who have copied, saved, or
taken ownership of files on the volume up to that point. The
quota limit and warning level are then applied to all current
users based on those calculations, and to users who begin
using the volume from that point on. You can then set
different quotas, or disable quotas, for individual or
multiple users. You can also set quotas for specific users who
have not yet copied, saved, or taken ownership of files on the
volume. For example, you might want to set a quota limit of 50
megabytes (MB) for all users of \\server\share, while making
sure two users who work with larger files on the server have a
100 MB limit. If both of these users already have files stored
on \\server\share, you can select both users and set their
quota limit to 100 MB. However, if one or both users do not
have files stored on the server when you enable quotas, you
need to select the users in the Quota Entries window and then
set their quota limit to a value higher than the default for
NTFS and FAT file systems.
Comparing FAT and NTFS File Systems
cannot be 64 kilobytes (KB) or larger. If clusters were 64 KB
or larger, some programs (such as Setup programs) might
calculate disk space incorrectly.
A volume must
contain at least 65,527 clusters to use the FAT32 file system.
You cannot increase the cluster size on a volume using the
FAT32 file system so that it ends up with less than 65,527
possible number of clusters on a volume using the FAT32 file
system is 268,435,445. With a maximum of 32 KB per cluster
with space for the file allocation table (FAT), this equates
to a maximum disk size of approximately 8 terabytes (TB).
of FAT32 File System (Q184006)
contain new features that are available only with the NTFS
file system. This article outlines the features and advantages
of converting to the NTFS file system with Windows 2000. These
features require on-disk data structures that make these
volumes unavailable to Windows NT 4.0-based computers. In
anticipation of dual-boot scenarios, upgrade Windows NT 4.0
to SP4 before starting the Windows 2000 installation. Windows
NT 4.0 cannot interpret the version of NTFS included with
Windows 2000 correctly. However, there is an updated Ntfs.sys
driver in Windows NT 4.0 Service Pack 4 that enables Windows
NT 4.0 to read from and write to NTFS volumes in Windows 2000.
Administrators can limit the amount of disk space users can
consume on a per-volume basis. The three quota levels are:
Off, Tracking, and Enforced.
The NTFS file system can automatically encrypt and decrypt
file data as it is read and written to the disk.
can trap open operations against objects in the file system
and run their own code before returning file data. This
feature can be used to extend file system features such as
mount points, which you can use to redirect data read and
written from a folder to another volume or physical disk.
feature allows programs to create very large files, but to
consume disk space only as needed.
feature provides a persistent log of all changes made to files
on the volume. This feature is one of the reasons that a
Windows 2000 domain controller must use an NTFS partition as the
configure Encrypting File System (EFS).
Encrypt Data Using EFS in Windows 2000 (Q230520)
You can use
the Windows 2000 EFS to encrypt files to prevent unauthorized
individuals from viewing the contents of the files. To encrypt
and decrypt files, a user must have a file encryption
certificate. If the file encryption certificate is lost or
damaged, access to the files is lost.
is possible through the use of a recovery agent. A user
account of a trusted individual can be designated as a
Recovery Agent so that a business can retrieve files in the
event of a lost or damaged file encryption certificate or to
recover data from an employee who has left the company.
One of the
many advantages of using Windows 2000 domains is that you can
configure a domain EFS recovery policy. In a default Windows
2000 installation, when the first domain controller (DC) is
set up, the domain administrator is the specified recovery
agent for the domain. The domain administrator can log on to
the first DC in the domain, and then change the recovery
policy for the domain.
If you want
to create additional recovery agents, the user accounts must
have a file recovery certificate. If available, a certificate
can be requested from an enterprise CA that can provide
certificates for your domain. However, EFS does not require a
CA to issue certificates; EFS can generate its own
certificates for user accounts and for default recovery agent accounts.
volumes and basic and dynamic disks.
HOW TO: Use
Disk Management to Manage Basic and Dynamic Disks in Windows
storage supports partition-oriented disks. A basic disk is a
physical disk that contains basic volumes (primary partitions,
extended partitions, or logical drives). If you upgraded your
computer to Windows 2000 from Microsoft Windows NT 4.0, basic
disks may also contain spanned, mirrored, striped, and RAID-5
volumes if they were present in the previous operating system.
You can create up to four primary partitions on a basic disk,
or up to three primary partitions and one extended partition.
You can also use free space on an extended partition to create
storage supports volume-oriented disks. A dynamic disk is a
physical disk that contains dynamic volumes. With dynamic
disks, you have the ability to create simple volumes, volumes
that span multiple disks (spanned and striped volumes), and
fault-tolerant volumes (mirrored and RAID-5 volumes). Dynamic
disks can contain an unlimited number of volumes.
domain-based distributed file system (DFS).
Install Distributed File System (DFS) on Windows 2000 (Q241452)
file system (DFS) is used to make files distributed across
multiple servers appear to users as if they reside in one
place on the network. Because of this, users no longer need to
know or specify the actual physical location of files in order
to obtain access to them. Dfs can be implemented as
stand-alone or domain-based. Domain-based Dfs has the
automatically publishes the Dfs topology in the Active
Directory, making it visible to users on all servers in the
administrator has the ability to replicate the Dfs roots and
shared folders to multiple servers in the domain. By doing so
users are permitted to obtain access to their files even if
one of the physical servers on which the files reside becomes
and folder compression.
Compress and Expand Files and Folders in Windows 2000 (Q314958)
is the command-line version of the file and folder compression
feature in Windows 2000. Use Compact to compress, to
decompress, or to display the compression state of files and
folders on NTFS file system-formatted volumes.
is a command-line utility that you can use to compress one or
more files. This tool is included in the Microsoft Windows
2000 Resource Kit.
When you use
Compress to compress files, you must use Expand.exe to expand
the compressed file before you can open it.
resources and configure access rights. Shared resources
include printers, shared folders, and Web folders.
Know how to
share objects out, then assign rights to them.
Know how to
share folders and enable Web sharing.
troubleshoot Internet Information Services (IIS).
IT Resources for Supporting and Maintaining IIS
Deploying Microsoft IIS
Deploying Windows 2000 with IIS 5.0 for Dot Coms: Best
virtual directories and virtual servers.
Internet Information Server 5.0 Resource Kit
Internet Information Server 4.0 Resource Kit
Internet browsing from client computers.
Know how to
troubleshoot the Internet Explorer client inside and out. Know
how to check the proxy settings if using a proxy server and
how they should be configured. Know the basic error codes you
would get from the web server if not reachable like 400 and
intranet browsing from client computers.
above. Know how to configure the browser to bypass the proxy
for intranet servers.
authentication and SSL for Web sites.
SSL is
configured within the IIS Web server properties to enable
Secure Sockets Layer (SSL) transmission.
Configure IIS 5.0 Web Site Authentication in Windows 2000 (Q310344)
If Anonymous access is enabled, no credentials are required to
access the site unless NTFS permissions are placed on the Web
site folders to control access. To edit the properties of the
anonymous user account, click Edit in the Anonymous access
If Basic authentication is enabled, the user credentials are
sent in clear text. This format provides a low level of
security because almost all protocol analyzers can read the
password. However, it is compatible with the widest number of
Web clients. If Basic authentication is enabled, you can click
Edit and set a default domain for user accounts.
Digest authentication works for Internet Explorer 5.0 and
later Web clients and for Web servers that belong to a Windows
2000 domain. It has the advantage of not sending user
credentials in clear text.
Integrated Windows authentication can use both the Kerberos v5
authentication protocol and its own challenge/response
authentication protocol. This is a more secure authentication
option. However, it works only with Internet Explorer 2.0 or
later, and Kerberos authentication does not work over HTTP
connections.
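The four options above differ mainly in what crosses the wire. The following added example (not from the article or Microsoft) scores constructed Authorization headers the same way: Basic is flagged as recoverable credentials when seen over plain HTTP, while Digest and the Negotiate/NTLM schemes carry no password. The header values, accounts and passwords are constructed, and treating Negotiate/NTLM as the Integrated Windows authentication schemes is my annotation, not something the article states.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: (transport seen on the wire, Authorization header value)
# as a proxy log or IDS might record them. Accounts and passwords are made up.
SAMPLE_REQUESTS = [
    ("http", "Basic " + base64.b64encode(b"CORP\\jdoe:Summer2001").decode()),
    ("https", "Basic " + base64.b64encode(b"alice:hunter2").decode()),
    ("http", 'Digest username="bob", realm="intranet", nonce="c2Ft", '
             'uri="/reports/", response="PLACEHOLDER-HASH"'),
    ("http", "Negotiate PLACEHOLDER-KERBEROS-TOKEN"),
    ("http", "NTLM PLACEHOLDER-NTLM-TOKEN"),
]


@dataclass
class AuthFinding:
    scheme: str
    transport: str
    username: Optional[str]
    risk: str


def classify_authorization(transport: str, header: str) -> AuthFinding:
    """Rate one Authorization header the way the article rates IIS options."""
    scheme, _, param = header.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic is only base64(user:password): anyone who can read the bytes
        # (a protocol analyzer, a proxy log) recovers the password, which is
        # why the article calls it low security unless SSL protects the link.
        try:
            decoded = base64.b64decode(param, validate=True).decode("latin-1")
        except ValueError:
            return AuthFinding(scheme, transport, None, "malformed Basic header")
        user, _, _password = decoded.partition(":")  # password is not kept
        if transport == "http":
            risk = "HIGH: password recoverable from cleartext HTTP"
        else:
            risk = "MEDIUM: Basic, protected only by SSL on this link"
        return AuthFinding(scheme, transport, user, risk)
    if scheme == "digest":
        # Digest sends a hash over the password and a server nonce, so the
        # password itself never crosses the wire.
        match = re.search(r'username="([^"]*)"', param)
        return AuthFinding(scheme, transport, match.group(1) if match else None,
                           "LOW: credentials not sent in clear text")
    if scheme in ("negotiate", "ntlm"):
        # Integrated Windows authentication: Kerberos via Negotiate, or the
        # challenge/response protocol; the token is not a password.
        return AuthFinding(scheme, transport, None, "LOW: challenge/response token")
    return AuthFinding(scheme, transport, None, "UNKNOWN scheme")


def find_cleartext_basic(requests):
    """Return findings for Basic authentication observed over plain HTTP."""
    findings = [classify_authorization(t, h) for t, h in requests]
    return [f for f in findings if f.scheme == "basic" and f.transport == "http"]


if __name__ == "__main__":
    for finding in find_cleartext_basic(SAMPLE_REQUESTS):
        print(f"{finding.risk}: user {finding.username!r} over {finding.transport}")
```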
Know how to
configure basic FTP services within IIS
access permissions for intranet Web servers.
Secure Internet Information
Services 5 Checklist
manage network security. Actions include auditing and
detecting security breaches.
Enable and Apply Security Auditing in Windows 2000 (Q300549)
important that you protect your information and service
resources from people who should not have access to them, and
at the same time make those resources available to authorized
users. This article describes how to use Windows 2000 security
features to audit access to resources.
configure the security logs to record information about either
directory and file access or server events. You can set this
level of auditing by using Audit Policies in Microsoft
Management Console (MMC). These events are logged in the
Windows Security log. The Security log can record security
events, such as valid and invalid logon attempts, as well as
events that are related to resource use, such as creating,
opening, or deleting files. You need to log on as an
administrator to control what events are audited and displayed
in the Security log.
Before Windows 2000 can audit access to files and folders, you
must use the Group Policy snap-in to enable the Audit Object
Access setting in the Audit Policy. If you do not, you receive
an error message when you set up auditing for files and
folders, and no files or folders are audited. After you enable
auditing in Group Policy, view the Security log in Event
Viewer to review successful or failed attempts to access the
audited files and folders.
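To make the Security log reviewable in practice, here is an added example (not part of the article) that parses constructed Event Viewer export lines, counts repeated logon failures per account, lists who opened an audited file, and checks that Object Access events are present at all, which is the symptom described above when Audit Object Access has not been enabled. The log lines, accounts, hosts and paths are constructed; event IDs 528, 529 and 560 are the Windows 2000 Security log IDs for successful logon, failed logon and object open.

```python
import re
from collections import Counter

# Constructed sample of Security log entries in the tab-separated layout of an
# Event Viewer text export (Type, Category, Event ID, User, Description).
# 528/529 (logon success/failure) and 560 (object open) are the Windows 2000
# Security log event IDs for those events; accounts, hosts and paths are made up.
SAMPLE_LOG = """\
Failure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tLogon Failure: User Name: jdoe Workstation Name: WS-041
Failure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tLogon Failure: User Name: jdoe Workstation Name: WS-041
Failure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tLogon Failure: User Name: jdoe Workstation Name: WS-041
Success Audit\tLogon/Logoff\t528\tCORP\\asmith\tSuccessful Logon: User Name: asmith Workstation Name: WS-017
Failure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tLogon Failure: User Name: asmith Workstation Name: WS-017
Success Audit\tObject Access\t560\tCORP\\asmith\tObject Open: Object Name: D:\\Finance\\payroll.xls Accesses: ReadData
Failure Audit\tObject Access\t560\tCORP\\jdoe\tObject Open: Object Name: D:\\Finance\\payroll.xls Accesses: WriteData
"""

LOGON_FAILURE, OBJECT_OPEN = 529, 560


def parse_events(text):
    """Turn exported lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5 or not fields[2].isdigit():
            continue
        kind, category, event_id, user, desc = fields
        events.append({"type": kind, "category": category,
                       "event_id": int(event_id), "user": user, "desc": desc})
    return events


def failed_logons_by_user(events, threshold=3):
    """Accounts with at least `threshold` failed logons (event 529)."""
    counts = Counter()
    for e in events:
        if e["event_id"] == LOGON_FAILURE:
            m = re.search(r"User Name:\s+(\S+)", e["desc"])
            if m:
                counts[m.group(1)] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def object_access(events, path):
    """(type, account, access mask) for every audited open of `path`."""
    hits = []
    for e in events:
        if e["event_id"] != OBJECT_OPEN:
            continue
        m = re.search(r"Object Name:\s+(.+?)\s+Accesses:\s+(\S+)", e["desc"])
        if m and m.group(1) == path:
            hits.append((e["type"], e["user"], m.group(2)))
    return hits


def object_access_audited(events):
    """False when no Object Access events appear at all, the symptom the
    article describes when Audit Object Access is not enabled in policy."""
    return any(e["category"] == "Object Access" for e in events)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("repeated failures:", failed_logons_by_user(evts))
    print("payroll.xls opens:", object_access(evts, "D:\\Finance\\payroll.xls"))
    print("object access audited:", object_access_audited(evts))
```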
and Troubleshooting the Network Infrastructure
routing. Diagnostic utilities include the tracert
command, the ping command, and the ipconfig
To test a
TCP/IP configuration by using the ping command
obtain the TCP/IP configuration of a computer, open Command
Prompt, and then type ipconfig. From the display of the
ipconfig command, ensure that the network adapter for the
TCP/IP configuration you are testing is not in a Media
command prompt, ping the loopback address by typing ping
Ping the IP
address of the computer.
Ping the IP
address of the default gateway.
If the ping
command fails, verify that the default gateway IP address is
correct and that the gateway (router) is operational.
Ping the IP
address of a remote host (a host that is on a different
If the ping
command fails, verify that the remote host IP address is
correct, that the remote host is operational, and that all of
the gateways (routers) between this computer and the remote
host are operational.
Ping the IP
address of the DNS server
If the ping
command fails, verify that the DNS server IP address is
correct, that the DNS server is operational, and that all of
the gateways (routers) between this computer and the DNS
server are operational.
the basic TCP/IP configuration: ipconfig
the full TCP/IP configuration for all adapters, type: ipconfig
To renew a
DHCP-assigned IP address configuration for only the Local Area
Connection adapter, type: ipconfig /release and /renew
To flush the
DNS resolver cache when troubleshooting DNS name resolution
problems, type: ipconfig /flushdns
troubleshoot TCP/IP on servers and client computers.
Considerations include subnet masks, default gateways, network
IDs, and broadcast addresses.
You need to
know the basics of troubleshooting here. Know how to configure
IP on a workstation or a server, subnet it, put a mask on it,
and know the basic fundamentals of what makes up an IP
administer, and troubleshoot DHCP on servers and client
Dynamic Host Configuration Protocol for Windows 2000
Chapter 4 - Dynamic Host Configuration Protocol (Resource Kit
Windows 2000 Infrastructure Services Design and Deployment:
DNS, DHCP, and WINS Deployment within Microsoft
Managing TCP/IP Addresses On Your Network With DHCP
Windows 2000 Server Documentation - DHCP
unauthorized DHCP servers on a network.
DHCP Server Detection
DHCP server for Windows 2000 is designed to prevent
unauthorized DHCP servers from creating address assignment
conflicts. This solves problems that could otherwise occur if
naïve users created unauthorized DHCP servers that could
assign improper or unintended IP addresses to clients
elsewhere on the network. For example, a user could create
what was intended to be a local DHCP server, using non-unique
Net 10 addresses that could lease the addresses to unintended
clients requesting addresses from elsewhere on the network.
This is one reason to keep the number of DHCP servers deployed
at a minimum, as described in Best Practices, below. However,
most of these events are accidental, where a second DHCP
server is installed by someone who is unaware of other DHCP
servers already active on the network.
server for Windows 2000 has management features to prevent
unauthorized deployments and to detect existing unauthorized
DHCP servers. In the past, anyone could bring up a DHCP server
on a network. Today, an authorization step is required. These
authorized personnel are usually the administrator of the
domain that the Windows 2000 Server platform belongs to or
someone to whom they have delegated the task of managing the
Against Unauthorized DHCP Servers
Directory is now used to store records of authorized DHCP
servers. When a DHCP server comes up, the directory can now be
used to verify the status of that server. If that server is
unauthorized, no response is returned to DHCP requests. A
network manager with the proper access rights has to respond.
The domain administrator can assign access to the DHCP folder
holding configuration data, to allow only authorized personnel
to add DHCP servers to the approved list.
The list of
authorized servers can be created in the Active Directory
through the DHCP snap-in. When it first comes up, the DHCP
server tries to find out if it is part of the directory
domain. If it is, it tries to contact the directory to see if
it is in the list of authorized servers. If it succeeds, it
sends out DHCPINFORM to find out if there are other directory
services running and makes sure that it is valid in others, as
well. If it cannot connect to the directory, it assumes that it
is not authorized and does not respond to client requests.
Likewise, if it does reach the directory but does not find
itself in the authorized list, it does not respond to clients.
If it does find itself in the authorized list, it starts to
service client requests.
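The start-up check described above, and the rogue-server case it guards against, as an added example that is not part of the article: a small model of a DHCP server deciding whether to answer clients from the authorized list, plus a check over constructed DHCPOFFER observations that flags unauthorized server identifiers and addresses offered outside the subnet they were seen on. The directory, servers and offers are constructed, and the behaviour of a server that is not a domain member is left unmodelled because the article does not describe it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Directory:
    """Stand-in for the Active Directory list of authorized DHCP servers
    (the real list lives in the directory; this is a constructed model)."""
    authorized: frozenset
    reachable: bool = True


@dataclass
class DhcpServer:
    name: str
    address: str
    domain_member: bool = True

    def authorization_decision(self, directory):
        """Start-up check as the article describes it. Returns (serves, reason):
        a domain-joined server that cannot reach the directory, or is reachable
        but not on the list, stays silent; only a listed server answers clients."""
        if not self.domain_member:
            # Not covered by the article's description; treated as out of
            # scope here (assumption) so the model does not invent behaviour.
            return (False, "not a domain member: check not modelled")
        if not directory.reachable:
            return (False, "directory unreachable: assume not authorized, stay silent")
        if self.address not in directory.authorized:
            return (False, "not in authorized list: stay silent")
        return (True, "found in authorized list: service client requests")


@dataclass
class Offer:
    """One DHCPOFFER seen on the wire: server identifier (RFC 2132 option 54),
    offered address, and the subnet the capture was taken on."""
    server_id: str
    offered_ip: str
    seen_on: str


def audit_offers(offers, directory):
    """Flag offers from servers missing from the authorized list, and offers
    whose address does not belong to the subnet they were seen on (the
    article's 'Net 10 addresses leased to the wrong clients' case)."""
    findings = []
    for o in offers:
        if o.server_id not in directory.authorized:
            findings.append((o.server_id, "unauthorized server"))
        if ipaddress.ip_address(o.offered_ip) not in ipaddress.ip_network(o.seen_on):
            findings.append((o.server_id, f"offered {o.offered_ip} outside {o.seen_on}"))
    return findings


# Constructed data: two authorized servers, and one lab box handing out
# Net 10 addresses on a 192.168.1.0/24 segment.
DIRECTORY = Directory(frozenset({"192.168.1.10", "192.168.2.10"}))
OFFERS = [
    Offer("192.168.1.10", "192.168.1.57", "192.168.1.0/24"),
    Offer("10.0.0.1", "10.0.0.23", "192.168.1.0/24"),
]

if __name__ == "__main__":
    for srv in (DhcpServer("DHCP1", "192.168.1.10"), DhcpServer("LABBOX", "10.0.0.1")):
        print(srv.name, srv.authorization_decision(DIRECTORY))
    print(audit_offers(OFFERS, DIRECTORY))
```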
client computers to use dynamic IP addressing.
Know how to
set up a client to get an IP address from a DHCP server. Pay
attention to any broadcasts that need to pass through a router,
and know how to configure a relay agent.
DHCP server properties.
Scopes: A DHCP
scope is an administrative grouping that identifies the full
consecutive ranges of possible IP addresses for all DHCP
clients on a physical subnetwork. Scopes define a logical
subnetwork for which DHCP services are to be offered, and also
allow the server to identify configuration parameters that are
given to all DHCP clients on the subnetwork. A scope must be
defined before DHCP clients can use the DHCP server for
dynamic TCP/IP configuration.
Pools: Once a
DHCP scope is defined and exclusion ranges are applied, the
remaining addresses form what is called an available address
pool within the scope. Pooled addresses may then be
dynamically assigned to DHCP clients on the network.
exclusion range is a limited sequence of IP addresses within a
scope range that are to be excluded from DHCP service
offerings. Where exclusion ranges are used, they ensure that
any addresses within the defined exclusion range are not
offered to clients of the DHCP server.
Reservations allow permanent address lease assignment by the
DHCP server. Where reservations are used, they ensure that a
specified hardware device on the subnetwork can always use the
same IP address.
administrative feature included within the Microsoft DHCP
Manager tool can be used to create a number of distinct
scopes, which are grouped together into a single
administrative entity called a superscope. Superscopes are
useful for solving several different DHCP service issues.
As noted, a lease is the length of time that a DHCP
server specifies that a client computer can use an assigned IP
address. When a lease is made to a client, it is described as
active. At half-lease period, the client must renew its
address lease assignment with the server. The duration of
leases affects how often clients attempt to renew those they
have been assigned with the DHCP server.
Options are other client-configuration parameters that a DHCP
server can assign when serving leases to DHCP clients. For
example, IP addresses for a router or default gateway, WINS
servers, or DNS servers are commonly provided for a single
scope or globally for all scopes managed by the DHCP server.
Many DHCP options are predefined through RFC 2132, but the
Microsoft DHCP server also allows defining and adding custom
configure a DHCP scope.
A scope is an
administrative grouping of computers for a subnetwork using
DHCP service. Administrators create a scope for each physical
subnetwork, which is then used to define parameters used by
clients for this subnetwork. Scopes can be planned based on
the needs of particular groups of users, with appropriate
lease durations defined for the related scopes. A scope has
the following properties:
A range of
possible IP addresses from which to include or exclude
addresses used in DHCP service lease offerings.
subnet mask to determine the subnet related to a given IP
A scope name
assigned when the scope is created.
duration values to be assigned to DHCP clients that receive
dynamically allocated IP addresses.
A DHCP scope
consists of a pool of IP addresses on a subnetwork, such as
10.0.0.1 to 10.0.0.100, that the DHCP server can lease to DHCP
clients. Each physical network can have only one DHCP scope or
a superscope with one or more ranges of IP addresses.
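As an added example (not from the article or the DHCP documentation), the following model ties the scope properties described above together: the 10.0.0.1 to 10.0.0.100 range, an exclusion range, a reservation and options, with the available pool derived from them, leases handed out from the pool, and renewal falling due at half the lease period. The scope, client identifiers and addresses are constructed; option codes 3 (router) and 6 (DNS servers) are from RFC 2132, and the 8-day default lease is the Windows 2000 DHCP server default.

```python
import ipaddress
from dataclasses import dataclass, field


def _ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Lease:
    address: str
    client_id: str
    start: int        # seconds on a constructed clock
    duration: int

    def renewal_due(self, now):
        """Clients renew at half the lease period, as the article notes."""
        return now >= self.start + self.duration // 2

    def expired(self, now):
        return now >= self.start + self.duration


@dataclass
class Scope:
    """One scope: a consecutive range for one subnetwork plus the settings
    the article lists (mask, lease duration, exclusions, reservations, options)."""
    name: str
    first: str
    last: str
    mask: str
    lease_duration: int = 8 * 24 * 3600               # Windows 2000 default: 8 days
    exclusions: list = field(default_factory=list)    # [(first, last), ...]
    reservations: dict = field(default_factory=dict)  # client_id -> address
    options: dict = field(default_factory=dict)       # RFC 2132 option code -> value
    leases: dict = field(default_factory=dict)        # address -> Lease

    def excluded(self, addr):
        n = _ip_int(addr)
        return any(_ip_int(lo) <= n <= _ip_int(hi) for lo, hi in self.exclusions)

    def pool(self):
        """Available address pool: the range minus exclusions minus reserved addresses."""
        reserved = set(self.reservations.values())
        addrs = (str(ipaddress.IPv4Address(n))
                 for n in range(_ip_int(self.first), _ip_int(self.last) + 1))
        return [a for a in addrs if not self.excluded(a) and a not in reserved]

    def lease(self, client_id, now):
        """Assign or renew a lease. A reserved client always gets its fixed
        address; anyone else keeps an unexpired address or takes the first free
        pooled one. Returns None when the pool is exhausted."""
        if client_id in self.reservations:
            addr = self.reservations[client_id]
        else:
            current = next((ls for ls in self.leases.values()
                            if ls.client_id == client_id and not ls.expired(now)), None)
            in_use = {a for a, ls in self.leases.items() if not ls.expired(now)}
            free = [a for a in self.pool() if a not in in_use]
            if current:
                addr = current.address
            elif free:
                addr = free[0]
            else:
                return None
        self.leases[addr] = Lease(addr, client_id, now, self.lease_duration)
        return self.leases[addr]


def example_scope():
    """Constructed scope matching the article's 10.0.0.1-10.0.0.100 example:
    routers/servers excluded, one printer reserved, router and DNS options set."""
    return Scope("Building A", "10.0.0.1", "10.0.0.100", "255.255.255.0",
                 exclusions=[("10.0.0.1", "10.0.0.10")],
                 reservations={"00-0c-29-aa-bb-cc": "10.0.0.50"},
                 options={3: "10.0.0.1", 6: "10.0.0.5"})   # 3 = router, 6 = DNS
```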
administer, and troubleshoot DNS.
huge whitepaper. It will tell you everything you need to know
to configure all aspects of Windows 2000 DNS services:
basics of HOSTS, LMHOSTS, WINS and DNS
Configuring, Managing, Securing, and Troubleshooting Active
Directory Organizational Units and Group Policy
manage, and troubleshoot User and Group objects in Active
pretty much goes over the whole Active Directory Process:
Policy Objects to Active Directory Containers
domain, or OU may be associated with any Group Policy Object.
As shorthand, we will use the acronym SDOU to mean a site,
domain, or OU.
A given GPO
can be associated (linked) to more than one site, domain, or
OU. Conversely, a given site, domain, or OU can have multiple
GPOs linked to it. In the case where multiple GPOs are linked
to a particular site, domain, or OU, you can prioritize the
order of precedence in which these GPOs are applied.
GPOs to Active Directory sites, domains, and OUs, you can
implement Group Policy settings for as broad or as narrow a
portion of the organization as you want:
A GPO linked
to a site applies to all users and computers in the site.
A GPO applied
to a domain applies directly to all users and computers in the
domain and by inheritance to all users and computers in child
OUs. Note that policy is not inherited across domains.
A GPO applied
to an OU applies directly to all users and computers in the OU
and by inheritance to all users and computers in child OUs.
stored on a per-domain basis, however, you can link a site,
domain, or OU to a GPO in another trusted domain, although
this is not recommended in general for performance reasons.
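The linking and inheritance rules above, as an added example that is not from the article: a small model of sites, domains and OUs with ordered GPO links that computes the processing order (site, then domain, then the OU chain) and the resulting effective settings, and shows that a child domain receives nothing from its parent domain's GPOs unless one is linked to it explicitly. The forest, GPO names and settings are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Container:
    """A site, domain or OU: an 'SDOU' in the article's shorthand.
    `links` lists linked GPO names, highest precedence first, as an
    administrator would order them on the container."""
    kind: str                      # "site", "domain" or "ou"
    name: str
    links: list = field(default_factory=list)
    parent: "Container" = None     # an OU's parent OU or its domain


def applied_gpos(site, container):
    """GPO names in processing order: site, then the object's domain, then
    each OU from the domain down to the object's own OU. Within a container,
    lower-precedence links go first so the highest-precedence link is
    processed last and wins conflicts. The OU chain stops at its own domain:
    GPOs linked in a parent or trusted domain are not inherited."""
    chain = []
    node = container
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()                                   # domain first
    if chain[0].kind != "domain":
        raise ValueError("an OU must ultimately belong to a domain")
    order = []
    for c in [site] + chain:
        order.extend(reversed(c.links))
    return order


def effective_settings(site, container, gpos):
    """Resolve conflicting settings: the last GPO applied wins."""
    effective = {}
    for name in applied_gpos(site, container):
        effective.update(gpos[name])
    return effective


# Constructed forest: corp.example with a Finance/Clerks OU path, a child
# domain sales.corp.example, and one site. GPO names and settings are made up.
GPOS = {
    "Site Proxy": {"ProxyServer": "proxy.hq.example:8080"},
    "Default Domain Policy": {"MinPasswordLength": 7},
    "Corp Security": {"MinPasswordLength": 8, "AuditObjectAccess": "Success,Failure"},
    "Finance Lockdown": {"AuditObjectAccess": "Failure", "DisableCmd": True},
    "Sales Domain Policy": {"MinPasswordLength": 6},
}
HQ_SITE = Container("site", "HQ", links=["Site Proxy"])
CORP = Container("domain", "corp.example", links=["Corp Security", "Default Domain Policy"])
FINANCE = Container("ou", "Finance", links=["Finance Lockdown"], parent=CORP)
CLERKS = Container("ou", "Clerks", parent=FINANCE)          # inherits, links nothing
SALES = Container("domain", "sales.corp.example", links=["Sales Domain Policy"])

if __name__ == "__main__":
    print(applied_gpos(HQ_SITE, CLERKS))
    print(effective_settings(HQ_SITE, CLERKS, GPOS))
    print(effective_settings(HQ_SITE, SALES, GPOS))   # no Corp Security here
```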
Configuring, Securing, and
Troubleshooting Remote Access
troubleshoot remote access and virtual private network (VPN)
All you need
to know on how to configure a