Managing a Microsoft Windows 2000 Network Environment
Abstract:
This guide has been created to aid you in the basics of preparing for the new MCSA title from Microsoft. As with all study guides, never use one guide as your sole source of study.
Preparation Tools:
In addition to your hands-on experience working with the product, you may want to use the following tools and training to help you prepare for this exam:
- The Step-by-Step Guide describes a concise, six-step approach to preparing for an MCP exam, and is also a compendium of MCP exam-preparation resources.
- The Microsoft Official Curriculum (MOC) consists of courses designed by Microsoft product groups that support the certification exam process. You can choose from instructor-led classroom training, self-paced training kits, and online training.
- Visit Microsoft Press, your online bookstore, for books and CD-ROMs to help you get the most out of Microsoft products. Microsoft Press offers a full line of study materials for MCP exams.
- Practice tests offered by Microsoft Approved Practice Test Providers enable you to assess and receive feedback on your level of knowledge and exam-readiness prior to taking a certification exam. Although your score on a practice test doesn't necessarily indicate what your score will be on a certification exam, a practice test gives you the opportunity to answer questions that are similar to those on the certification exam and can help you identify your areas of greatest strength and weakness.
Audience Profile:
Candidates for this exam work in medium to very large computing environments that use Microsoft Windows 2000 network and directory services. Candidates have at least six months of experience administering and supporting Windows 2000 server and client operating systems that use Active Directory services in environments that have the following characteristics:
- From 200 to 26,000 users are supported.
- From two to 100 physical locations are included.
- Typical network services and resources include messaging, file and print, proxy server or firewall, Internet and intranet, remote access, and client computer management.
- Connectivity needs include connecting branch offices and individual users at remote locations to the corporate network and connecting corporate networks to the Internet.
Active Directory Links
- How to Deploy Active Directory
- Best Practice Active Directory Deployment for Managing Windows Networks
- Guide to Active Directory Design
- Active Directory Architecture
- Building the Active Directory Tree
- Extending Active Directory Schema and Preparing Forest for Exchange Deployment
- Active Directory Diagnostics, Troubleshooting and Recovery
- Best Practices for Designing the Active Directory Structure
- How to Analyze and Manage Active Directory Replication Network Traffic on Your Windows 2000 Server
- How to Deploy a Windows 2000 Server Active Directory in Your Organization
- IT Resources: Active Directory Branch Office Guide Series
Study Notes:
Creating, Configuring, Managing, Securing, and Troubleshooting File, Print, and Web Resources
- Publish resources in Active Directory. Types of resources include printers and shared folders.
  - You can publish any shared network folder, including a distributed file system (Dfs) folder, in Active Directory. Creating a Shared Folder object in Active Directory does not automatically share the folder. It is a two-step process: you must first share the folder, and then publish it in Active Directory.
  - Publishing a Shared Folder in Windows 2000 Active Directory (Q234582)
  - To publish a legacy printer in Active Directory, go to the following link for step-by-step directions: Here
  - To publish a normal printer in Active Directory, go to the following link for step-by-step directions: Here
- Perform a search in Active Directory Users and Computers.
  - Know how to search for objects within the directory for the exam.
- Configure a printer object.
  - Know how to create a printer object (which is pretty easy) in the directory. Also know how to use Group Policy for printer object control. You can find a large amount of information on how to do this in the following Q article:
  - Using Group Policies to Control Printers in Active Directory (Q234270)
- Manage data storage. Considerations include file systems, permissions, and quotas.
  - If you are a member of the Administrators group, you can enable quotas on NTFS volumes that already contain files. When you do, Windows calculates the disk space used by all users who have copied, saved, or taken ownership of files on the volume up to that point. The quota limit and warning level are then applied to all current users based on those calculations, and to users who begin using the volume from that point on. You can then set different quotas, or disable quotas, for individual or multiple users. You can also set quotas for specific users who have not yet copied, saved, or taken ownership of files on the volume. For example, you might want to set a quota limit of 50 megabytes (MB) for all users of \\server\share, while making sure two users who work with larger files on the server have a 100 MB limit. If both of these users already have files stored on \\server\share, you can select both users and set their quota limit to 100 MB. However, if one or both users do not have files stored on the server when you enable quotas, you need to select the users in the Quota Entries window and then set their quota limit to a value higher than the default for new users.
- Implement NTFS and FAT file systems.
  - Comparing FAT and NTFS File Systems
  - Clusters cannot be 64 kilobytes (KB) or larger. If clusters were 64 KB or larger, some programs (such as Setup programs) might calculate disk space incorrectly.
  - A volume must contain at least 65,527 clusters to use the FAT32 file system. You cannot increase the cluster size on a volume using the FAT32 file system so that it ends up with fewer than 65,527 clusters.
  - The maximum possible number of clusters on a volume using the FAT32 file system is 268,435,445. With a maximum of 32 KB per cluster, plus space for the file allocation table (FAT), this equates to a maximum disk size of approximately 8 terabytes (TB).
  - Limitations of FAT32 File System (Q184006)
  - Windows 2000 contains new features that are available only with the NTFS file system. This article outlines the features and advantages of converting to the NTFS file system with Windows 2000. These features require on-disk data structures that make these volumes unavailable to Windows NT 4.0-based computers. In anticipation of dual-boot scenarios, upgrade Windows NT 4.0 to SP4 before starting the Windows 2000 installation. Windows NT 4.0 cannot interpret the version of NTFS included with Windows 2000 correctly. However, there is an updated Ntfs.sys driver in Windows NT 4.0 Service Pack 4 that enables Windows NT 4.0 to read from and write to NTFS volumes in Windows 2000.
    - Disk quotas. Administrators can limit the amount of disk space users can consume on a per-volume basis. The three quota levels are: Off, Tracking, and Enforced.
    - Encryption. The NTFS file system can automatically encrypt and decrypt file data as it is read from and written to the disk.
    - Reparse points. Programs can trap open operations against objects in the file system and run their own code before returning file data. This feature can be used to extend file system features such as mount points, which you can use to redirect data read from and written to a folder to another volume or physical disk.
    - Sparse files. This feature allows programs to create very large files, but to consume disk space only as needed.
    - USN Journal. This feature provides a persistent log of all changes made to files on the volume. This feature is one of the reasons that a Windows 2000 domain controller must use an NTFS partition as the system volume.
- Implement and configure Encrypting File System (EFS).
  - How to Encrypt Data Using EFS in Windows 2000 (Q230520)
  - You can use the Windows 2000 EFS to encrypt files to prevent unauthorized individuals from viewing the contents of the files. To encrypt and decrypt files, a user must have a file encryption certificate. If the file encryption certificate is lost or damaged, access to the files is lost.
  - Data recovery is possible through the use of a recovery agent. A user account of a trusted individual can be designated as a Recovery Agent so that a business can retrieve files in the event of a lost or damaged file encryption certificate, or to recover data from an employee who has left the company.
  - One of the many advantages of using Windows 2000 domains is that you can configure a domain EFS recovery policy. In a default Windows 2000 installation, when the first domain controller (DC) is set up, the domain administrator is the specified recovery agent for the domain. The domain administrator can log on to the first DC in the domain, and then change the recovery policy for the domain.
  - If you want to create additional recovery agents, the user accounts must have a file recovery certificate. If available, a certificate can be requested from an enterprise CA that can provide certificates for your domain. However, EFS does not require a CA to issue certificates, and EFS can generate its own certificates for users and for default recovery agent accounts.
- Configure volumes and basic and dynamic disks.
  - HOW TO: Use Disk Management to Manage Basic and Dynamic Disks in Windows 2000 (Q308209)
  - Basic disk storage supports partition-oriented disks. A basic disk is a physical disk that contains basic volumes (primary partitions, extended partitions, or logical drives). If you upgraded your computer to Windows 2000 from Microsoft Windows NT 4.0, basic disks may also contain spanned, mirrored, striped, and RAID-5 volumes if they were present in the previous operating system. You can create up to four primary partitions on a basic disk, or up to three primary partitions and one extended partition. You can also use free space on an extended partition to create logical drives.
  - Dynamic disk storage supports volume-oriented disks. A dynamic disk is a physical disk that contains dynamic volumes. With dynamic disks, you have the ability to create simple volumes, volumes that span multiple disks (spanned and striped volumes), and fault-tolerant volumes (mirrored and RAID-5 volumes). Dynamic disks can contain an unlimited number of volumes.
- Manage a domain-based distributed file system (DFS).
  - How to Install Distributed File System (DFS) on Windows 2000 (Q241452)
  - Distributed file system (DFS) is used to make files distributed across multiple servers appear to users as if they reside in one place on the network. Because of this, users no longer need to know or specify the actual physical location of files in order to obtain access to them. Dfs can be implemented as stand-alone or domain-based. Domain-based Dfs has the following advantages:
    - Windows 2000 automatically publishes the Dfs topology in Active Directory, making it visible to users on all servers in the domain.
    - The administrator can replicate the Dfs roots and shared folders to multiple servers in the domain. By doing so, users can still obtain access to their files even if one of the physical servers on which the files reside becomes unavailable.
- Manage file and folder compression.
  - HOW TO: Compress and Expand Files and Folders in Windows 2000 (Q314958)
  - Compact.exe is the command-line version of the file and folder compression feature in Windows 2000. Use Compact to compress, to decompress, or to display the compression state of files and folders on NTFS file system-formatted volumes.
  - Compress.exe is a command-line utility that you can use to compress one or more files. This tool is included in the Microsoft Windows 2000 Resource Kit.
  - When you use Compress to compress files, you must use Expand.exe to expand the compressed file before you can open it.
- Create shared resources and configure access rights. Shared resources include printers, shared folders, and Web folders.
  - Know how to share objects out, then assign rights to them.
  - Know how to share folders and enable Web sharing.
- Configure and troubleshoot Internet Information Services (IIS).
  - IT Resources for Supporting and Maintaining IIS
  - Deploying Microsoft IIS
  - Deploying Windows 2000 with IIS 5.0 for Dot Coms: Best Practices
- Configure virtual directories and virtual servers.
  - Internet Information Server 5.0 Resource Kit
  - Internet Information Server 4.0 Resource Kit
- Troubleshoot Internet browsing from client computers.
  - Know how to troubleshoot the Internet Explorer client inside and out. Know how to check the proxy settings if a proxy server is used, and how they should be configured. Know the basic error codes you get from the web server when a resource is not reachable, such as 400- and 500-series errors.
- Troubleshoot intranet browsing from client computers.
  - Same as above. Know how to configure the browser to bypass the proxy for intranet servers.
- Configure authentication and SSL for Web sites.
  - SSL is configured within the IIS Web site properties to enable Secure Sockets Layer transmission.
  - HOW TO: Configure IIS 5.0 Web Site Authentication in Windows 2000 (Q310344)
  - Anonymous access: When Anonymous access is enabled, no credentials are required to access the site unless NTFS permissions are placed on the Web site folders to control access. To edit the properties of the anonymous user account, click Edit in the Anonymous access box.
  - Basic authentication: If Basic authentication is enabled, the user credentials are sent in clear text. This format provides a low level of security because almost all protocol analyzers can read the password. However, it is compatible with the widest number of Web clients. If Basic authentication is enabled, you can click Edit and set a default domain for user accounts.
  - Digest authentication: Digest authentication works for Internet Explorer 5.0 and later Web clients and for Web servers that belong to a Windows 2000 domain. It has the advantage of not sending user credentials in clear text.
  - Integrated Windows authentication: Integrated Windows authentication can use both the Kerberos v5 authentication protocol and its own challenge/response authentication protocol. This option is a more secure authentication option. However, it only works for Internet Explorer 2.0 or later, and Kerberos authentication does not work over HTTP connections.
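To make the clear-text point concrete, here is an added Python example (not from this guide or from Microsoft) that inspects Authorization headers the way a protocol analyzer would present them and flags Basic credentials sent over plain HTTP rather than SSL. The request lines, user names, Digest values and the Negotiate token are constructed samples.

```python
import base64
import re


def _basic(userpass):
    """Encode user:password the way a Basic client does (base64, not encryption)."""
    return base64.b64encode(userpass.encode()).decode()


# Constructed request captures (not from a real network): Basic over plain HTTP,
# Basic over SSL, Digest, Integrated Windows (Negotiate) with a placeholder
# token, and an anonymous request. Each entry is (transport, raw request text).
SAMPLE_REQUESTS = [
    ("http", "GET /reports/ HTTP/1.1\r\nHost: intranet\r\n"
             "Authorization: Basic " + _basic("CORP\\alice:S3cret!") + "\r\n\r\n"),
    ("https", "GET /reports/ HTTP/1.1\r\nHost: intranet\r\n"
              "Authorization: Basic " + _basic("CORP\\bob:hunter2") + "\r\n\r\n"),
    ("http", 'GET /reports/ HTTP/1.1\r\nHost: intranet\r\n'
             'Authorization: Digest username="carol", realm="intranet", '
             'nonce="0123456789abcdef", uri="/reports/", '
             'response="00112233445566778899aabbccddeeff"\r\n\r\n'),
    ("http", "GET /reports/ HTTP/1.1\r\nHost: intranet\r\n"
             "Authorization: Negotiate " + _basic("placeholder-token") + "\r\n\r\n"),
    ("http", "GET /public/ HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

AUTH_RE = re.compile(r"^Authorization:\s*(\S+)\s*(.*)$", re.IGNORECASE | re.MULTILINE)
DIGEST_PARAM_RE = re.compile(r'(\w+)="?([^",]*)"?')


def parse_authorization(request):
    """Return (scheme, info) for the request's Authorization header.

    info["password_recoverable"] says whether someone holding this capture can
    read the password straight out of the header."""
    m = AUTH_RE.search(request)
    if not m:
        return ("anonymous", {"user": None, "password_recoverable": False})
    scheme, rest = m.group(1).lower(), m.group(2).strip()
    if scheme == "basic":
        # Basic carries base64(user:password); decoding it is all an analyzer does.
        user, _, password = base64.b64decode(rest).decode("latin-1").partition(":")
        return ("basic", {"user": user, "password_recoverable": password != ""})
    if scheme == "digest":
        params = dict(DIGEST_PARAM_RE.findall(rest))
        # Only the "response" hash travels on the wire, not the password itself.
        return ("digest", {"user": params.get("username"), "password_recoverable": False})
    # Integrated Windows authentication (Negotiate/NTLM): challenge/response tokens.
    return (scheme, {"user": None, "password_recoverable": False})


def audit_capture(requests):
    """List the requests where Basic credentials crossed the wire without SSL."""
    findings = []
    for transport, request in requests:
        scheme, info = parse_authorization(request)
        if scheme == "basic" and transport != "https":
            findings.append("Basic credentials for %s sent in clear text over %s"
                            % (info["user"], transport))
    return findings


if __name__ == "__main__":
    for line in audit_capture(SAMPLE_REQUESTS):
        print(line)
```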
- Configure FTP services.
  - Know how to configure basic FTP services within IIS.
- Configure access permissions for intranet Web servers.
  - Secure Internet Information Services 5 Checklist
- Monitor and manage network security. Actions include auditing and detecting security breaches.
  - HOW TO: Enable and Apply Security Auditing in Windows 2000 (Q300549)
  - It is important that you protect your information and service resources from people who should not have access to them, and at the same time make those resources available to authorized users. This article describes how to use Windows 2000 security features to audit access to resources.
  - You can configure the security logs to record information about either directory and file access or server events. You can set this level of auditing by using Audit Policies in Microsoft Management Console (MMC). These events are logged in the Windows Security log. The Security log can record security events, such as valid and invalid logon attempts, as well as events that are related to resource use, such as creating, opening, or deleting files. You need to log on as an administrator to control what events are audited and displayed in the Security log.
  - IMPORTANT: Before Windows 2000 can audit access to files and folders, you must use the Group Policy snap-in to enable the Audit Object Access setting in the Audit Policy. If you do not, you receive an error message when you set up auditing for files and folders, and no files or folders are audited. After you enable auditing in Group Policy, view the Security log in Event Viewer to review successful or failed attempts to access the audited files and folders.
Configuring, Administering, and Troubleshooting the Network Infrastructure
- Troubleshoot routing. Diagnostic utilities include the tracert command, the ping command, and the ipconfig command.
  - To test a TCP/IP configuration by using the ping command:
    - To quickly obtain the TCP/IP configuration of a computer, open Command Prompt, and then type ipconfig. From the display of the ipconfig command, ensure that the network adapter for the TCP/IP configuration you are testing is not in a Media disconnected state.
    - At the command prompt, ping the loopback address by typing ping 127.0.0.1.
    - Ping the IP address of the computer.
    - Ping the IP address of the default gateway. If the ping command fails, verify that the default gateway IP address is correct and that the gateway (router) is operational.
    - Ping the IP address of a remote host (a host that is on a different subnet). If the ping command fails, verify that the remote host IP address is correct, that the remote host is operational, and that all of the gateways (routers) between this computer and the remote host are operational.
    - Ping the IP address of the DNS server. If the ping command fails, verify that the DNS server IP address is correct, that the DNS server is operational, and that all of the gateways (routers) between this computer and the DNS server are operational.
  - To display the basic TCP/IP configuration, type: ipconfig
  - To display the full TCP/IP configuration for all adapters, type: ipconfig /all
  - To release and renew a DHCP-assigned IP address configuration for only the Local Area Connection adapter, type ipconfig /release and then ipconfig /renew (both accept the adapter name as an argument).
  - To flush the DNS resolver cache when troubleshooting DNS name resolution problems, type: ipconfig /flushdns
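The checks above can be scripted against saved ipconfig /all output. The following Python is an added example (not from this guide or from Microsoft) that parses a constructed Windows 2000 ipconfig /all dump, reports any adapter in a disconnected media state, and lists the ping targets in the order the steps use them; the host name, adapter names and addresses are constructed.

```python
import re

# Constructed `ipconfig /all` output in the Windows 2000 layout (not taken
# from a real host). The second adapter has its cable unplugged.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ws01
        Primary DNS Suffix  . . . . . . . : corp.example
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        Description . . . . . . . . . . . : Example 10/100 Ethernet Adapter
        Physical Address. . . . . . . . . : 00-00-5E-00-53-01
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1
        DHCP Server . . . . . . . . . . . : 192.168.10.5
        DNS Servers . . . . . . . . . . . : 192.168.10.5
                                            192.168.10.6

Ethernet adapter Local Area Connection 2:

        Media State . . . . . . . . . . . : Cable Disconnected
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}} from `ipconfig /all` output.

    Lines without a 'field :' prefix continue the previous field, which is
    how ipconfig lists a second DNS server."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            field = None
            continue
        if current is None:
            continue  # host-wide header lines, not adapter configuration
        m = FIELD_RE.match(line)
        if m:
            field = m.group(1).strip()
            current.setdefault(field, [])
            if m.group(2).strip():
                current[field].append(m.group(2).strip())
        elif line.strip() and field:
            current[field].append(line.strip())
    return adapters


def media_disconnected(cfg):
    """True when the adapter reports a disconnected media state."""
    return any("disconnected" in v.lower() for v in cfg.get("Media State", []))


def ping_sequence(cfg, remote_host=None):
    """Targets in the order the steps above ping them: loopback, the computer's
    own address, the default gateway, an optional remote host on another
    subnet, then each DNS server."""
    targets = [("loopback", "127.0.0.1")]
    targets += [("local IP address", ip) for ip in cfg.get("IP Address", [])]
    targets += [("default gateway", gw) for gw in cfg.get("Default Gateway", [])]
    if remote_host:
        targets.append(("remote host", remote_host))
    targets += [("DNS server", dns) for dns in cfg.get("DNS Servers", [])]
    return targets


def troubleshooting_plan(text, remote_host=None):
    """Per adapter: a disconnected-media finding, or the ordered ping targets."""
    plan = {}
    for name, cfg in parse_ipconfig(text).items():
        if media_disconnected(cfg):
            plan[name] = "media disconnected: fix cabling/link before pinging"
        else:
            plan[name] = ping_sequence(cfg, remote_host)
    return plan


if __name__ == "__main__":
    for adapter, result in troubleshooting_plan(SAMPLE_IPCONFIG, "10.20.30.40").items():
        print(adapter, "->", result)
```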
- Configure and troubleshoot TCP/IP on servers and client computers. Considerations include subnet masks, default gateways, network IDs, and broadcast addresses.
  - You need to know the basics of troubleshooting here. Know how to configure IP on a workstation or a server, subnet it, apply a mask to it, and know the basic fundamentals of what makes up an IP address.
- Configure, administer, and troubleshoot DHCP on servers and client computers.
  - Dynamic Host Configuration Protocol for Windows 2000
  - Chapter 4 - Dynamic Host Configuration Protocol (Resource Kit Chapter)
  - Windows 2000 Infrastructure Services Design and Deployment: DNS, DHCP, and WINS Deployment within Microsoft
  - Managing TCP/IP Addresses On Your Network With DHCP
  - Windows 2000 Server Documentation - DHCP
- Detect unauthorized DHCP servers on a network.
  - Unauthorized DHCP Server Detection
  - The Microsoft DHCP server for Windows 2000 is designed to prevent unauthorized DHCP servers from creating address assignment conflicts. This solves problems that could otherwise occur if naïve users created unauthorized DHCP servers that could assign improper or unintended IP addresses to clients elsewhere on the network. For example, a user could create what was intended to be a local DHCP server, using non-unique Net 10 addresses, that could lease those addresses to unintended clients requesting addresses from elsewhere on the network. This is one reason to keep the number of DHCP servers deployed at a minimum, as described in Best Practices, below. However, most of these events are accidental, where a second DHCP server is installed by someone who is unaware of other DHCP servers already active on the network.
  - The DHCP server for Windows 2000 has management features to prevent unauthorized deployments and to detect existing unauthorized DHCP servers. In the past, anyone could bring up a DHCP server on a network. Today, an authorization step is required. The authorized personnel are usually the administrator of the domain that the Windows 2000 Server platform belongs to, or someone to whom they have delegated the task of managing the DHCP servers.
  - Protecting Against Unauthorized DHCP Servers
  - Active Directory is now used to store records of authorized DHCP servers. When a DHCP server comes up, the directory can now be used to verify the status of that server. If that server is unauthorized, no response is returned to DHCP requests. A network manager with the proper access rights has to respond. The domain administrator can assign access to the DHCP folder holding configuration data, to allow only authorized personnel to add DHCP servers to the approved list.
  - The list of authorized servers can be created in Active Directory through the DHCP snap-in. When it first comes up, the DHCP server tries to find out if it is part of the directory domain. If it is, it tries to contact the directory to see if it is in the list of authorized servers. If it succeeds, it sends out a DHCPINFORM to find out if there are other directory services running and makes sure that it is valid in those as well. If it cannot connect to the directory, it assumes that it is not authorized and does not respond to client requests. Likewise, if it does reach the directory but does not find itself in the authorized list, it does not respond to clients. If it does find itself in the authorized list, it starts to service client requests.
- Configure client computers to use dynamic IP addressing.
  - Know how to set up a client to get an IP address from a DHCP server. Pay attention to any broadcasts that need to pass a router, and to configuring a relay agent.
- Configure DHCP server properties.
  - DHCP Scopes: A DHCP scope is an administrative grouping that identifies the full consecutive range of possible IP addresses for all DHCP clients on a physical subnetwork. Scopes define a logical subnetwork for which DHCP services are to be offered, and also allow the server to identify configuration parameters that are given to all DHCP clients on the subnetwork. A scope must be defined before DHCP clients can use the DHCP server for dynamic TCP/IP configuration.
  - Address Pools: Once a DHCP scope is defined and exclusion ranges are applied, the remaining addresses form what is called an available address pool within the scope. Pooled addresses may then be dynamically assigned to DHCP clients on the network.
  - Exclusion Ranges: An exclusion range is a limited sequence of IP addresses within a scope range that are to be excluded from DHCP service offerings. Where exclusion ranges are used, they ensure that any addresses within the defined exclusion range are not offered to clients of the DHCP server.
  - Reservations: Reservations allow permanent address lease assignment by the DHCP server. Where reservations are used, they ensure that a specified hardware device on the subnetwork can always use the same IP address.
  - Superscopes: An administrative feature included within the Microsoft DHCP Manager tool can be used to create a number of distinct scopes, which are grouped together into a single administrative entity called a superscope. Superscopes are useful for solving several different DHCP service issues.
  - Leases: As noted, a lease is the length of time that a DHCP server specifies that a client computer can use an assigned IP address. When a lease is made to a client, it is described as active. At the half-lease period, the client must renew its address lease assignment with the server. The duration of leases affects how often clients attempt to renew the addresses they have been assigned with the DHCP server.
  - DHCP Options: DHCP options are other client-configuration parameters that a DHCP server can assign when serving leases to DHCP clients. For example, IP addresses for a router or default gateway, WINS servers, or DNS servers are commonly provided for a single scope or globally for all scopes managed by the DHCP server. Many DHCP options are predefined through RFC 2132, but the Microsoft DHCP server also allows defining and adding custom options.
- Create and configure a DHCP scope.
  - A scope is an administrative grouping of computers for a subnetwork using DHCP service. Administrators create a scope for each physical subnetwork, which is then used to define parameters used by clients for this subnetwork. Scopes can be planned based on the needs of particular groups of users, with appropriate lease durations defined for the related scopes. A scope has the following properties:
    - A range of possible IP addresses from which to include or exclude addresses used in DHCP service lease offerings.
    - A unique subnet mask to determine the subnet related to a given IP address.
    - A scope name assigned when the scope is created.
    - Lease duration values to be assigned to DHCP clients that receive dynamically allocated IP addresses.
    - Reservations.
    - Options.
  - A DHCP scope consists of a pool of IP addresses on a subnetwork, such as 10.0.0.1 to 10.0.0.100, that the DHCP server can lease to DHCP clients. Each physical network can have only one DHCP scope or a superscope with one or more ranges of IP addresses.
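An added Python model (not from this guide and not the Windows 2000 DHCP service's own logic) of the scope properties just listed and of the address pool, exclusion, reservation and lease terms defined earlier, using the 10.0.0.1 to 10.0.0.100 range from the text: it carves the available pool out of the range after exclusions and reservations, hands out leases with the half-lease renewal time, and returns scope options with each lease. The exclusion range, MAC addresses, router option and lease length are constructed.

```python
import ipaddress


class DhcpScope:
    """Simplified scope: range, subnet mask, exclusions, reservations, lease
    duration and options. Models the behaviour described in the text above;
    it is not Microsoft's implementation."""

    def __init__(self, name, start, end, mask, lease_seconds, options=None):
        self.name = name
        # strict=False lets a host address plus mask describe its subnet
        self.network = ipaddress.IPv4Network(start + "/" + mask, strict=False)
        self.start = ipaddress.IPv4Address(start)
        self.end = ipaddress.IPv4Address(end)
        if not (self.network.network_address < self.start <= self.end
                < self.network.broadcast_address):
            raise ValueError("range must be host addresses within one subnet")
        self.lease_seconds = lease_seconds
        self.options = dict(options or {})   # e.g. router, DNS servers
        self.excluded = set()                # addresses never offered
        self.reservations = {}               # MAC -> fixed address
        self.leases = {}                     # address -> (MAC, expiry)

    def exclude(self, first, last):
        """Mark an exclusion range inside the scope (never offered to clients)."""
        a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.excluded.update(ipaddress.IPv4Address(i) for i in range(a, b + 1))

    def reserve(self, mac, address):
        """Pin an address to one hardware device."""
        addr = ipaddress.IPv4Address(address)
        if not self.start <= addr <= self.end:
            raise ValueError("reservation must lie inside the scope range")
        self.reservations[mac.lower()] = addr

    def pool(self):
        """Available address pool: range minus exclusions minus reservations."""
        pinned = set(self.reservations.values())
        candidates = (ipaddress.IPv4Address(i)
                      for i in range(int(self.start), int(self.end) + 1))
        return [a for a in candidates if a not in self.excluded and a not in pinned]

    def offer(self, mac, now):
        """Lease an address to `mac` at time `now` (seconds).

        A reserved device always gets its reserved address; a client holding an
        active lease keeps its address (renewal); otherwise the lowest free pool
        address is used. Returns the lease parameters, or None when the pool is
        exhausted."""
        mac = mac.lower()
        # drop expired leases so their addresses return to the pool
        self.leases = {a: v for a, v in self.leases.items() if v[1] > now}
        current = [a for a, (m, _) in self.leases.items() if m == mac]
        if mac in self.reservations:
            addr = self.reservations[mac]
        elif current:
            addr = current[0]
        else:
            free = [a for a in self.pool() if a not in self.leases]
            if not free:
                return None
            addr = free[0]
        self.leases[addr] = (mac, now + self.lease_seconds)
        lease = {"ip": str(addr), "mask": str(self.network.netmask),
                 "renew_at": now + self.lease_seconds // 2,   # half-lease point
                 "expires": now + self.lease_seconds}
        lease.update(self.options)
        return lease
```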
- Configure, administer, and troubleshoot DNS.
- Configure DNS server properties.
  - Download this huge whitepaper. It will tell you everything you need to know to configure all aspects of Windows 2000 DNS services: Here
- Other networking services
  - Know the basics of HOSTS, LMHOSTS, WINS and DNS.
Configuring, Managing, Securing, and Troubleshooting Active Directory Organizational Units and Group Policy
- Create, manage, and troubleshoot User and Group objects in Active Directory.
  - This URL pretty much goes over the whole Active Directory process: Here
  - Linking Group Policy Objects to Active Directory Containers
  - Any site, domain, or OU may be associated with any Group Policy Object. As shorthand, we will use the acronym SDOU to mean a site, domain, or OU.
  - A given GPO can be associated (linked) to more than one site, domain, or OU. Conversely, a given site, domain, or OU can have multiple GPOs linked to it. In the case where multiple GPOs are linked to a particular site, domain, or OU, you can prioritize the order of precedence in which these GPOs are applied.
  - By linking GPOs to Active Directory sites, domains, and OUs, you can implement Group Policy settings for as broad or as narrow a portion of the organization as you want:
    - A GPO linked to a site applies to all users and computers in the site.
    - A GPO applied to a domain applies directly to all users and computers in the domain and by inheritance to all users and computers in child OUs. Note that policy is not inherited across domains.
    - A GPO applied to an OU applies directly to all users and computers in the OU and by inheritance to all users and computers in child OUs.
  - GPOs are stored on a per-domain basis; however, you can link a site, domain, or OU to a GPO in another trusted domain, although this is not recommended in general for performance reasons.
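An added Python model (not from this guide or from Microsoft) of the linking and inheritance rules described above: it computes the order in which linked GPOs are applied to a user or computer in a given site, domain and OU path, honouring the per-container link priority and never inheriting across domains, and then resolves which GPO wins each setting. The site, domain, OU and GPO names and their settings are constructed; the site-then-domain-then-OU processing order is the standard Group Policy order.

```python
def effective_gpo_order(links, site, domain, ou_path):
    """Return the GPOs applied to a user or computer in `site`, `domain` and the
    OU path `ou_path` (top-level OU first), in application order.

    `links` maps a container key ("site:<name>", "domain:<dns name>",
    "ou:<dns name>/<OU>/<child OU>") to its linked GPOs listed highest
    priority first, as the Group Policy tab shows them. Processing runs site,
    domain, then each OU from the top down, so a GPO applied later overrides
    an earlier one; within one container the top-listed GPO is applied last.
    Only containers of the target's own domain are consulted, which is why
    policy is never inherited across domains."""
    containers = ["site:" + site, "domain:" + domain]
    key = "ou:" + domain
    for ou in ou_path:
        key += "/" + ou
        containers.append(key)
    order = []
    for container in containers:
        order.extend(reversed(links.get(container, [])))
    return order


def resolve_settings(order, gpo_settings):
    """Apply each GPO's settings in `order`; later GPOs override earlier ones.
    Returns {setting: (value, GPO that supplied it)}."""
    effective = {}
    for gpo in order:
        for setting, value in gpo_settings.get(gpo, {}).items():
            effective[setting] = (value, gpo)
    return effective


# Constructed example: one site, a root domain with a Sales OU and an EMEA child
# OU, and a separate child domain. Not a real organisation's layout.
LINKS = {
    "site:HQ": ["Site-Proxy"],
    "domain:corp.example": ["Domain-Password", "Domain-Default"],  # Password listed first: higher priority
    "ou:corp.example/Sales": ["Sales-Desktop"],
    "ou:corp.example/Sales/EMEA": ["EMEA-Locale"],
    "domain:child.corp.example": ["Child-Default"],
}
GPO_SETTINGS = {
    "Site-Proxy": {"proxy": "proxy.hq.corp.example"},
    "Domain-Default": {"wallpaper": "corp.bmp", "proxy": "none", "min_pw_len": 6},
    "Domain-Password": {"min_pw_len": 8},
    "Sales-Desktop": {"wallpaper": "sales.bmp"},
    "EMEA-Locale": {"locale": "en-GB"},
    "Child-Default": {"wallpaper": "child.bmp"},
}

if __name__ == "__main__":
    order = effective_gpo_order(LINKS, "HQ", "corp.example", ["Sales", "EMEA"])
    print(order)
    for setting, (value, source) in resolve_settings(order, GPO_SETTINGS).items():
        print(setting, "=", value, "from", source)
```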
Configuring, Securing, and Troubleshooting Remote Access
- Configure and troubleshoot remote access and virtual private network (VPN) connections.
  - All you need to know on how to configure a Win2K VPN