Friday, May 04, 2001

DEFRAGMENTING HARD DISKS
** Windows 2000 includes a disk defragmenter

DYNAMIC STORAGE
- can't dual boot with this setup
- when setup for DYNAMIC STORAGE a volume:
- it can be extended to include noncontiguous space on available disks (you cannot extend the system or boot volume)
- Disk config info is stored on the disk rather than in the registry/etc.
- Dynamic storage and basic storage cannot be mixed on the same disk.

SPECIAL ACCESS PERMISSIONS
- 13 special access permissions - provide greater control
- Change Permissions permission
- Take Ownership permission
PROPERTIES of the file or folder, click security and then advanced

PERMISSION INHERITANCE
- NTFS by default, when permissions are changed on a folder, applies the change to all files and folders contained in the folder as well as all new files and folders created there.
- It is now possible to block this inheritance by UNCHECKING the "Allow inheritable permissions from parent to propagate to this object." in the properties of the file or folder to which you don't want permissions to be inherited.
- When doing this there are two options:
- copy previously inherited permissions to the object
- remove inherited permissions and keep only the permissions explicitly applied
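Added worked example (not code from these notes or from Windows) modelling the two choices above: a folder that blocks inheritance with "copy" keeps a frozen copy of what it had, one that blocks with "remove" keeps only its explicit entries, and a folder that does not block follows later changes on the parent. The Ace/Folder structures and the D:\Projects tree are assumptions constructed for the illustration.

```python
"""Model of what happens when NTFS permission inheritance is blocked.

Added example, not code from the notes or from Windows. The ACE and
folder structures are assumptions made for the illustration; a real
NTFS ACL carries many more flags.
"""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Ace:
    trustee: str              # user or group the entry applies to
    rights: frozenset         # e.g. frozenset({"read", "write"})
    inherited: bool = False   # True when propagated from the parent folder


@dataclass
class Folder:
    name: str
    explicit: list = field(default_factory=list)   # ACEs set directly on this object
    blocks_inheritance: bool = False               # "Allow inheritable permissions..." unchecked
    children: list = field(default_factory=list)


def effective_acl(folder, parent_acl):
    """Explicit ACEs plus, unless inheritance is blocked, the parent's ACEs flagged inherited."""
    if folder.blocks_inheritance:
        return list(folder.explicit)
    return list(folder.explicit) + [replace(a, inherited=True) for a in parent_acl]


def block_inheritance(folder, parent_acl, copy):
    """Uncheck inheritance on `folder`, choosing one of the two options the dialog offers.

    copy=True  -> copy previously inherited permissions: they become explicit ACEs.
    copy=False -> remove inherited permissions: keep only explicitly applied ACEs.
    """
    current = effective_acl(folder, parent_acl)
    if copy:
        folder.explicit = [replace(a, inherited=False) for a in current]
    else:
        folder.explicit = [a for a in current if not a.inherited]
    folder.blocks_inheritance = True


def walk(folder, parent_acl=()):
    """Effective ACL of every folder in the subtree, as seen after a change on the top folder."""
    acl = effective_acl(folder, list(parent_acl))
    result = {folder.name: acl}
    for child in folder.children:
        result.update(walk(child, acl))
    return result


def demo():
    """Constructed folder tree: D:\\Projects with three subfolders handled differently."""
    projects = Folder("D:\\Projects", explicit=[Ace("Staff", frozenset({"read"}))])
    public = Folder("D:\\Projects\\Public")      # inherits normally
    archive = Folder("D:\\Projects\\Archive")    # blocks, copying what it had
    hr = Folder("D:\\Projects\\HR",
                explicit=[Ace("HR-Managers", frozenset({"read", "write"}))])  # blocks, removing
    projects.children = [public, archive, hr]

    block_inheritance(archive, effective_acl(projects, []), copy=True)
    block_inheritance(hr, effective_acl(projects, []), copy=False)

    # Admin now widens Staff to read+write on D:\Projects: Public follows, the others do not.
    projects.explicit = [Ace("Staff", frozenset({"read", "write"}))]
    return {name: sorted((a.trustee, tuple(sorted(a.rights))) for a in acl)
            for name, acl in walk(projects).items()}
```

Running demo() shows the practical consequence: a folder that blocked inheritance (either way) is no longer tightened or loosened by edits on the parent, so it needs to be audited on its own.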

DISK QUOTA
- based on size before any compression
- based on file & folder ownership
- tracked independently for each NTFS volume - even if on the same physical disk
- can only be used on Win2K formatted NTFS volumes

DISTRIBUTED FILE SYSTEM
- Creating a logical directory structure on network file systems of multiple servers
- Using "link" in place of subfolder it redirects to a map point on another server
*** This allows creating a virtual directory structure that is abstracted from physical server. So user or application directory could be moved and re-mapped transparently
*** Could also create multiple views into different data for different purposes
*** Can have read only data available - load balanced between the servers and also automatically find the location on the server in user's own site.
*** in W2K, the DFS root can be integrated into Active directory to allow UNC by domain name.

DNS ROUND ROBIN
- can't load balance multiple addresses within same site.

MANAGING RESOURCES
- Can PUBLISH printers and folders in active directory for simpler selection by users
- OFFLINE FILES
- Manual Caching - user specifies
- Automatic Document caching - opened files are automatically made available offline - new versions overwrite old versions
- Automatic Caching for programs - happens for the entire shared folder - user doesn't have to open a file.

WINS
- To support clients and applications that need NETBIOS (suuuuuuck!)
- Thru DHCP can disable NETBIOS on TCP for all clients. This will expose any remaining NETBIOS apps for replacement/removal.
- WINS servers can have persistent connections to its replication partners making replication faster & more efficient.
- Can set up to 12 WINS servers for clients to look at -- resulting in much greater fault tolerance.

AUTOMATIC PRIVATE IP ADDRESSING
- If no DHCP server responds, W2K client will randomly select an IP address from 169.254.0.0
- This behavior can be disabled by modifying registry
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\[GUID of adapter]
Add REG_DWORD entry named IPAutoconfigurationEnabled and give it a value of 0

DHCP MULTICAST SCOPE
- RFC 1112, RFC 2236
- DHCP can distribute setting for Multicast group
DHCP OPTION CLASSES
- Can define option classes for groups of users that need the same options

DHCP
- DHCP server must be authorized in Active Directory to be allowed to startup.
- for security to prevent "bad" DHCP services from being started
- DHCP does dynamic update of DNS
- (statically setup machines will update DNS themselves.)

Thursday, May 03, 2001

SECURITY
- Smart Card support
- Security Policy - settings for security
- Security Policy templates
- Security Configuration Analysis - allows what if analysis to compare current local settings with a security configuration in a template.
- can be configured from command line with SECEDIT

RAS features
- dial on demand router setup
- Can be setup with IP static routes to act as a router
- Connection sharing - not really proxy but sharing an outbound connection to internet
- NAT

BAP=Bandwidth Allocation Protocol
- Does dynamic configuration of multilink connections (ISDN, modem lines, etc.)
- so additional connections will be established on demand and dropped when no longer necessary

L2TP (instead of PPTP)
LAYER 2 TUNNELING PROTOCOL
- Creates encrypted tunnel
- Uses PPP
- Does not require IP based transit network (like PPTP does)
- Does IPSec encryption instead of PPP encryption
- Tunnel Authentication available, but not necessary when IPSec is in use.

EAP
- allows client & server to negotiate authentication method
- Supports: Token cards, MD5-CHAP, TLS
- Ensures support of future authentication methods via an API
RFC 2284

RAS
W2K supports
- EAP=extensible authentication protocol
- RADIUS=Remote Authentication Dial-in User Service
- L2TP =Layer 2 Tunneling Protocol (vs PPTP)
- BAP =bandwidth allocation protocol

TERMINAL SERVICES
- integrated with W2K
- client uses RDP protocol - based on ITU T.120 standard for multi-channel conferencing
- 3 levels of encryption: low, medium, & high. All use RSA RC4 encryption

Wednesday, May 02, 2001

SOFTWARE MANAGEMENT
Group Policy Object can assign what app to use with what file extension and prioritize applications to install when selecting an extension that may be used by multiple applications.

SOFTWARE MANAGEMENT POLICY CONFLICTS
computer assignments override user assignments

UPGRADING SOFTWARE
- Mandatory upgrade or optional upgrade
- "Upgrade" means uninstall old, install new -- so it can also be used to replace a software application
- can also do a forced or optional removal

SOFTWARE MANAGEMENT
- Non packaged apps - if it can't be packaged, can use ZAP file - text file read by installer
Limitations:
- can only be published, cannot be assigned
- do not do self-repair
- require user intervention to install
- cannot be installed with elevated privileges (users must do it themselves.)

SOFTWARE MANAGEMENT
Repackaging an application: (if MSI not included with application)
WinINSTALL LE - on Win2K Server CD under \VALUEADD\3RDPARTY\MGMT\WINSTLE
- Before snapshot
- Install & configure - TIP wait a few minutes after installing to ensure that application installer has removed all temp files that it will.
- After snapshot
- copy new package folder to a network location from which to install

TIPS
- *** use a vanilla reference computer - OS only. - re-image reference machine between doing snapshots

SOFTWARE MANAGEMENT
- Some software will come with a MSI file (Windows installer package)
- If not, use WinInstall to create MSI
- Deploy to a TEST OU for testing by test users
- ** Installation can be launched by file extension activation
ASSIGNING Applications
Assign to user - the sw installs the first time user launches it. - application is "advertised" but not installed
Assign to computer - next time computer is started the application will be installed

SOFTWARE MANAGEMENT
- using Group Policy
- not intended to replace SMS
- WMI - Windows Installer
- package installs into MSI
- can perform self-repair
- can be cleanly removed

GROUP POLICY EXCEPTIONS
- to NOT apply a policy
- set "prevent inheritance" on lower level OU's
- put user in group and go to Policy properties-Security tab, and select to deny apply policy.

GROUP POLICY
-different from previous versions of Windows: W2K will automatically remove the Group Policy settings from the registry when the GPO that implemented it no longer applies.

RECONCILING CONFLICTING PERMISSIONS

SHARE: R
NTFS: W
Adds up to: NO PERMISSIONS

"Common Permission" applies

Recommended: FULL CONTROL at SHARE, restrictions at NTFS level
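Added worked example (not code from these notes or from Windows) of the reconciliation rule: the rights a user gets over the network are the intersection of what the share grants and what NTFS grants, an explicit Deny beats an Allow within a layer, and local access is governed by NTFS alone. The ACE tuples, group names and rights sets are assumptions constructed for the illustration.

```python
"""Effective access when a folder is reached through a share: the most restrictive
of the share permissions and the NTFS permissions wins, and an explicit Deny
beats an Allow within a layer.

Added example, not code from the notes or from Windows. ACEs are modelled as
(trustee, "allow" | "deny", rights) tuples, an assumption made for the illustration.
"""

FULL_CONTROL = frozenset({"read", "execute", "write", "delete",
                          "change permissions", "take ownership"})
READ = frozenset({"read", "execute"})
WRITE = frozenset({"write"})


def layer_rights(aces, principals):
    """Rights one layer (share or NTFS) grants to any of `principals`; Deny overrides Allow."""
    allowed, denied = set(), set()
    for trustee, kind, rights in aces:
        if trustee in principals:
            (denied if kind == "deny" else allowed).update(rights)
    return frozenset(allowed - denied)


def effective_access(share_aces, ntfs_aces, user, groups, over_network=True):
    """Rights `user` ends up with; local (console) access is governed by NTFS alone."""
    principals = {user, "Everyone", *groups}
    ntfs = layer_rights(ntfs_aces, principals)
    if not over_network:
        return ntfs
    return ntfs & layer_rights(share_aces, principals)


def demo():
    """The conflict from the notes, then the recommended layout, on constructed ACLs."""
    # Share allows Read, NTFS allows only Write: the intersection is empty.
    conflict = effective_access(
        [("Everyone", "allow", READ)], [("Everyone", "allow", WRITE)],
        "alice", {"Accounting"})

    # Recommended: Full Control at the share, real restrictions in NTFS.
    share = [("Everyone", "allow", FULL_CONTROL)]
    ntfs = [("Accounting", "allow", READ),
            ("Acct-Managers", "allow", FULL_CONTROL),
            ("Temps", "deny", WRITE)]
    return {
        "conflict": conflict,
        "alice": effective_access(share, ntfs, "alice", {"Accounting"}),
        "bob": effective_access(share, ntfs, "bob", {"Accounting", "Acct-Managers"}),
        "carol": effective_access(share, ntfs, "carol", {"Acct-Managers", "Temps"}),
    }
```

Keeping the share wide open and doing the real work in NTFS means one ACL to audit per folder, and the same rules apply whether the user comes in over the share or sits at the console.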

GROUP POLICIES
Computer starts: computer settings applied from Group Policy, startup scripts run
User login: User settings applied from group policy, logon scripts run
Policy is refreshed on client every 90 minutes, DC's every 5 min

USING GROUP POLICIES
*** Planning for this feature is also relevant to AD planning.
- applied to all objects in an OU, site, or domain
- could be applied to groups by assigning Group Policy Object at a higher OU level and at each sub OU specifying the policy applies only to a particular group

RIS
- Requires that the install packages be stored on an NTFS partition that is neither the boot nor the system partition

- RIPrep wizard: eliminates unique settings such as SID's, creates an answer file and associates the answer file with the image, creates the image file on the server

RIS
- Can create either CD-based image (OS only - full OS install)
- Can also be used to distribute OS w/core applications called a RIPrep image.

RIS
- Can "pre-stage" computers to prevent unauthorized computers from being RIS installed
- this is based on built in GUID on PC's (For PC's that are PXE compliant -- "Preboot Execution Environment")
- by default only automatic setup is available.
- Need rights to add computer account to AD.
- Create answer file to automate setup by using the Setup Manager Wizard
- by default RemoteInstall will delete all partitions and setup the drive with one NTFS partition
- Can control access by setting NTFS permissions on answer file to prevent access for unauthorized users.
- Create RIS startup disk -- requires PXE compliant machines. Can use same startup disk for any of the compatible NIC's -- don't need different ones.

MISC NOTES
*** TaskPad can be created for a simple interface into one or two administration tasks for less experienced people
*** "Prevent Permission Inheritance" option now available to require granting specific rights to objects below current level.

Tuesday, May 01, 2001

GROUPS
*** review Module 5 - Page 21 Table for group content limits in each mode.

GROUP STRATEGY
DO NOT "skip" global groups. Adding all user accounts to Universal groups will drastically bloat replication traffic.
Because: Global Catalog Server stores all details for Universal Groups. This means more data is replicated and it is replicated more often (on every group change.)
Global Catalog Server stores only references for Global Groups, offloading this to DC's. This means that user member changes do not require a change to the Global Catalog Server.

GROUP STRATEGY
Was AGLP in NT
Now, A->G->G->U->DL<-P (or AGUDLP)
For example, accounts are in global group Accts Payable. Accts Payable is member of global group Accounting
Accounting is member of Universal Group "Worldwide Accounting." This group can be added to Domain Local group AnnualReport which has permissions to access files in AnnualReport directory.
(nesting global groups)

Only need to mess with Universal groups if we create multiple domains.

GROUP SCOPE
- domain local group
- members from any domain in forest
- Use for access to resources in one domain
*** does not require setup of local groups to grant permissions to local resources -- can be used by local admin
- In Native mode, domain local groups can be nested
- global group
- Members from own domain only
- Use for access to resources in any domain
- In Native mode, global groups can be nested.
- universal group (in Native mode only)
- Members from any domain in forest
- Use for access to resources in any domain
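Added worked example (not code from these notes or from Active Directory) covering both the AGUDLP strategy and the scope rules above: it enforces the membership rules the notes state (global groups take members from their own domain only, universal groups need native mode, nesting groups inside global or domain local groups needs native mode), builds the Accts Payable -> Accounting -> Worldwide Accounting -> AnnualReport chain, and expands a group to the users that finally get the permission. The Principal class, the domain names "ind"/"chi" and the account name are assumptions constructed for the illustration.

```python
"""Group scope rules and AGUDLP nesting from the notes, as a small model.

Added example, not code from the notes or from Active Directory. The Principal
class and the check_membership rules are assumptions drawn from the notes;
account and domain names are constructed placeholders.
"""
from dataclasses import dataclass, field

USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "user", "global", "universal", "domain local"


@dataclass
class Principal:
    name: str
    domain: str
    scope: str = USER
    members: list = field(default_factory=list)


def check_membership(member, group, native_mode):
    """Return None if `member` may be placed in `group`, else the rule that forbids it."""
    if group.scope == UNIVERSAL and not native_mode:
        return "universal groups are available in native mode only"
    if group.scope == GLOBAL and member.domain != group.domain:
        return "global groups take members from their own domain only"
    if member.scope != USER and group.scope in (GLOBAL, DOMAIN_LOCAL) and not native_mode:
        return "nesting in global or domain local groups requires native mode"
    return None


def add_member(group, member, native_mode=True):
    """Add a member, refusing combinations the scope rules do not allow."""
    reason = check_membership(member, group, native_mode)
    if reason:
        raise ValueError(f"cannot add {member.name} to {group.name}: {reason}")
    group.members.append(member)


def expand(group, seen=None):
    """Transitive user membership: what an access check eventually resolves a group to."""
    seen = seen if seen is not None else set()
    users = set()
    for m in group.members:
        if m.scope == USER:
            users.add(m.name)
        elif m.name not in seen:      # guard against accidental circular nesting
            seen.add(m.name)
            users |= expand(m, seen)
    return users


def build_agudlp():
    """The chain from the notes: account -> AP -> Accounting -> Worldwide Accounting -> AnnualReport."""
    lloyd = Principal("lloyd", "ind")
    ap = Principal("Accts Payable", "ind", GLOBAL)
    accounting = Principal("Accounting", "ind", GLOBAL)
    worldwide = Principal("Worldwide Accounting", "ind", UNIVERSAL)
    annual_report = Principal("AnnualReport", "chi", DOMAIN_LOCAL)  # holds the NTFS permission
    add_member(ap, lloyd)
    add_member(accounting, ap)
    add_member(worldwide, accounting)
    add_member(annual_report, worldwide)   # cross-domain: fine for a domain local group
    return annual_report
```

Because only the universal group "Worldwide Accounting" is stored in full on the Global Catalog, moving lloyd in or out of Accts Payable changes a global group only and does not touch GC replication, which is the point of not skipping the global layer.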

GROUPS
- Security groups - assign or deny rights & permissions
*** AND can send e-mail to these groups from Exchange 2000
- Distribution Groups - used only for e-mail to these users.
- PERFORMANCE
- select a distribution group unless you must setup security rights/perm
- because Security Groups increases the size of the access token.

KCC=Knowledge Consistency Checker
- takes care of AD replication automatically
- user intervention not normally required to setup replication
- a replication path to each site is all that is required. NO requirement to connect every site to every other site.

MONITORING AD PERFORMANCE
Performance Monitor has new counters for DRA=Directory Replication Agent
New tool, Replication Monitor-REPLMON - on support tools directory on W2K CD - run SETUP

NOTE
Press SHIFT and Right Click on item and choose RUNAS to run an application as someone else.
OR START-RUN RUNAS /user:domain\user "command ... "

SITE LINKS
Default time is 180 minutes
Must be at least 15 minutes
Maximum replication time is 10080 minutes (1 week.)

SIDE NOTE
Exchange 2000 doesn't support SMTP, POP, etc
All those items are now handled by IIS, so IIS must be running.

PHYSICAL STRUCTURE OF AD
-Default First Site Name can be changed to whatever you want without consequences.
REPLICATION
-Within a site
- uses RPC over IP
- change notification
- Uncompressed traffic
- Urgent replication
- newly locked out account
- changes to Local Security Authority (LSA) secret
- RID master state changes between W2K DC's
- Interdomain trust passwords (between PDC emulator & NT BDC's)
- Between sites
- uses RPC over IP for another site of the same domain OR SMTP could be used between domains
- Scheduled
- Compressed to 10-15% of its original size

CREATING PHYSICAL STRUCTURE OF ACTIVE DIRECTORY
-SITE - one or more well connected subnets.
-Subnets cannot span sites.
-Sites are used to define more controlled replication over slower links.
-Replication within a site takes place at 5 minute intervals (to a max of 3 hops so all changes are propagated to every DC in a site within 15 minutes.)
-Initial physical structure named "Default-First-Site-Name"

TREE=domain with subdomains-share contiguous DNS name space
FOREST=collection of trees that do not share contiguous DNS name space, but share a common schema.
DNS=provide name services to find DC's & SMO's.

Monday, April 30, 2001

INSTALLATION REQUIREMENTS FOR ACTIVE DIRECTORY
- Win2K server
- NTFS partition
- 1GB or more free space for the directory data
- TCPIP installed and configured to use DNS
- A DNS server that supports SRV (server resource records)

SINGLE MASTER OPERATIONS
- DC owning a SMO role
- Roles
- Schema Master (one in entire forest)
- Domain Naming Master (one in entire forest)
- RID Master
-RID=allocates sequences of RID's to each DC in its domain
- When a new object is created the RID is used to create the SID(security identifier)
-One per domain
- PDC Emulator (one per domain) - supports clients other than Windows 2000 for domain operations
- Infrastructure Master (one per domain)

GLOBAL CATALOG SERVER
- Global Catalog=repository of info containing a subset of attributes for all objects in Active Directory from all domains and sites.
- Global Catalog Server=DC with copy of global catalog. Processes queries to global catalog.
- First DC created in Active Directory is a global catalog server.
- Recommend one Global Catalog Server per site.
- User cannot logon without access to Global Catalog Server (unless that user has logged on there before and credentials remain cached.)


DOMAIN CONTROLLER ROLES
- Global catalog server
- Single master operations

PHYSICAL STRUCTURE
Purpose of Sites:
- when logging on a client seeks a DC in the same site to authenticate
- to manage replication that takes place between sites
- totally separate concept from OU's; NO necessary correlation between domain structure and physical structure.
Changes within a site are replicated between DC's every 5 minutes over a max of 3 hops so changes within a site will be propagated within 15 minutes.

ACTIVE DIRECTORY SCHEMA
- Dynamically available, dynamically updateable, can use DACL=discretionary access control lists to protect all classes and attributes
- stored in a directory partition which is a unit of replication
- Schema is stored in an AD object with the distinguished name:
CN=schema, CN=configuration, DC=domain_name, DC=domain_root
-Schema admin has control of the schema of the forest.

TREES & FORESTS
Goal: as few domains as administratively possible.
[ROOT] - first domain on system

ORGANIZATIONAL UNITS=OU
IM
    IND
        USERS
        COMPUTERS
        PRINTERS
    CHI
        USERS
        COMPUTERS
        PRINTERS
    WDC
        USERS
        COMPUTERS
        PRINTERS

DOMAINS
- Security Boundary - administered by domain
- Unit of replication
- Domain Modes:
- Mixed - if *any* DC's are NT
- Native - all DC's are Windows 2000
- ONE WAY - after changing to Native you can't change back

SHARED BY TREES IN A FOREST
Common schema
Transitive trusts
Common Global Catalog

ACTIVE DIRECTORY-CATALOG
- Comprehensive Global Catalog = contains all objects in "forest"
- replicated between trees
NETWORK TOPOLOGY
- Site=one or more IP subnets connected by a high speed link
- client seeks a login server in its own site


ACTIVE DIRECTORY AND DNS
- DNS is method for resolving names to IP numbers
- NAMESPACE = "Win2000 Domain" can be the same as the DNS domain
- LOCATING LOGON SERVER = DNS provides client machines information needed to find a DC or catalog server to logon
MULTIMEDIA VIDEO ON CD - reviewing concepts of AD

ACTIVE DIRECTORY - Installing Active Directory
- Defined: Does all directory services for NT. Primary location of Exchange setup info. Can publish shares on AD.
- Integrates with: DHCP, DNS, Kerberos V5 or X.509 certificates.
- Requires TCPIP
Naming conventions:
- Distinguished Name MUST be unique
CN=Lloyd Petrey, CN=Users, DC=Ind, DC=IM
- Relative Distinguished Name.
- User Principal Name (e.g. petrey@icemiller.com) MUST be unique
- Globally Unique Identifier (GUID) assigned to an object upon creation

SETUP AND TEST DNS!

TESTING DNS
- DNS server can be setup to perform scheduled queries to be sure the service is working properly
- NSLOOKUP

CONFIGURING ZONES FOR DYNAMIC UPDATES
- Allows clients to automatically update DNS servers - can be used in conjunction with DHCP.
- Have option to only allow "secure" updates - this means only authenticated users that are granted this ability
- DHCP server can also be configured to notify the DNS server with these updates.

Active Directory Integrated Zones
- stores info in Active Directory instead of in a text file - so text file will go away when this is enabled.
- replicated as part of domain replication so zone transfers are not needed.
- this makes all DNS machines "primary" "master" DNS servers

INSTALLING DNS SERVER SERVICE
- Install only on a server with a fixed IP address
- control panel, add-remove, windows components, networking services, DNS
Configure Zone Transfers
- Full zone transfer (AXFR)
- Incremental zone transfer (IXFR)
- "Serial Number" = increases by one when changes take place. If the secondary is pulling changes it will compare the serial number to that of its last query and, if it has changed, it will do a zone transfer.
- "Master" DNS is the source of update for secondary DNS's (it could itself be a secondary DNS.)
- Master DNS can be configured to notify secondary servers of updates.
- TTL = how long a DNS server will continue to respond to queries for a particular name without verifying it is still fresh via a zone transfer.
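Added worked example (not code from these notes or from the Windows DNS service) of the two decisions described above: the serial comparison a secondary makes before pulling a zone, including the 32-bit wraparound case handled by RFC 1982 serial arithmetic, and a small cache that keeps serving a name until its TTL runs out. The RecordCache class and the sample serials/names are assumptions constructed for the illustration.

```python
"""How a secondary decides whether to pull a zone, and how long a cached answer
is served without re-checking.

Added example, not code from the notes or from the Windows DNS service. Serial
comparison follows RFC 1982 serial-number arithmetic (32-bit, wraps around);
the record cache is a constructed stand-in for a server's cache.
"""
import time

MOD = 1 << 32
HALF = 1 << 31


def serial_newer(a, b):
    """True if SOA serial `a` is newer than `b` under RFC 1982 wraparound rules."""
    a, b = a % MOD, b % MOD
    if a == b:
        return False
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)


def decide_transfer(secondary_serial, master_serial, ixfr_supported):
    """What the secondary does after comparing the master's serial with its own copy."""
    if not serial_newer(master_serial, secondary_serial):
        return "none"             # nothing changed, or the master is behind
    return "IXFR" if ixfr_supported else "AXFR"


class RecordCache:
    """Answers are served from cache until their TTL runs out, then must be refreshed."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be exercised offline
        self._entries = {}        # name -> (value, expires_at)

    def put(self, name, value, ttl):
        self._entries[name] = (value, self._now() + ttl)

    def get(self, name):
        entry = self._entries.get(name)
        if entry is None:
            return None
        value, expires_at = entry
        if self._now() >= expires_at:
            del self._entries[name]   # stale: must be re-resolved
            return None
        return value
```

The wraparound branch matters for the common YYYYMMDDnn serial convention: once a serial is mistakenly bumped far ahead, secondaries will not pull a "lower" corrected value unless the distance is over 2^31, which is the usual reason a rollback appears to be ignored.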

DNS - background continued.
Zone Transfer
Secondary DNS - Primary DNS pushes all zone records to secondary DNS where there are changes.
Newer processes allow incremental Zone transfers.

DNS - basic tutorial video on training CD.
Components
- Domain Name Space (the hierarchical structure - root domain above top level domains...)
- FQDN = Fully qualified domain name. E.g. HOST.DOMAIN.COM
- Zones of Authority - a list of hosts whose names are served by that name server
- Name server - has authority over Zone
Name resolution process
- resolver ("client") sends FQDN to be resolved.
- the resolver makes a "recursive" query, which means the server will request it on the resolver's behalf rather than referring the resolver to another DNS.
- forward lookup query - request to resolve a name to an ip address
- the DNS server makes an "iterative" query of a higher level DNS server, which means the higher level server will provide a reference to another server if it doesn't have the answer. Then the first DNS server will make a request to the next server until it arrives at the authoritative name server for the zone containing the name.
Use NSLOOKUP to perform DNS queries and investigate how process works.
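Added worked example (not code from these notes or from any DNS implementation) of the resolution process just described: the resolver hands a recursive query to its local server, which walks the namespace with iterative queries (root, then the .com server, then the authoritative server) and records the referral chain. The SERVERS table, the names and the 192.0.2.x addresses are a constructed miniature namespace, not real servers.

```python
"""Recursive query from a resolver, iterative queries from its DNS server.

Added example, not code from the notes or from any DNS implementation. The
SERVERS table is a constructed miniature of the namespace (root, .com, one
authoritative server); names and addresses are placeholders.
"""

SERVERS = {
    # server id: zones it answers for, and NS referrals for zones delegated below it
    "root":           {"authoritative": {},
                       "referrals": {"com.": "tld-com"}},
    "tld-com":        {"authoritative": {},
                       "referrals": {"domain.com.": "ns1.domain.com"}},
    "ns1.domain.com": {"authoritative": {"host.domain.com.": "192.0.2.10",
                                         "www.domain.com.": "192.0.2.20"},
                       "referrals": {}},
}


def ask(server, qname):
    """One iterative query: the server answers, refers, or says it cannot help."""
    zone = SERVERS[server]
    if qname in zone["authoritative"]:
        return "answer", zone["authoritative"][qname]
    candidates = [z for z in zone["referrals"] if qname.endswith("." + z)]
    if candidates:
        return "referral", zone["referrals"][max(candidates, key=len)]  # closest enclosing zone
    return "nxdomain", None


def resolve(qname, cache, trace):
    """What the local DNS server does for a recursive query: walk referrals from the root."""
    if not qname.endswith("."):
        qname += "."
    if qname in cache:
        trace.append(f"cache hit for {qname}")
        return cache[qname]
    server = "root"
    for _ in range(8):                  # hop limit guards against referral loops
        kind, payload = ask(server, qname)
        trace.append(f"{server}: {kind} {payload}")
        if kind == "answer":
            cache[qname] = payload
            return payload
        if kind == "referral":
            server = payload
            continue
        return None
    return None
```

The trace list is the part worth looking at with NSLOOKUP in debug mode: each entry corresponds to one iterative exchange the local server had to make before it could answer the client's single recursive query.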

NOTE: If doing network install partition must already be created on target machine.

HTTP://WWW.MICROSOFT.COM/HCL - to check compatibility list for specific hardware in question

*** DISK DUPLICATION
- install W2K and applications on test computer
- Run SYSPREP.EXE on test computer (rolls back to just prior to SID and custom info.)
- Restart test computer & run Ghost or other disk image utility
- Save image on share or CD
- Copy this image to multiple computers
-MINISETUP will run prompting for computer specific variables
*** HAL and mass storage controllers must be identical between test computer and distributed computers
SYSPREP.EXE
-quiet - no user interaction
-pnp - force setup to detect PnP devices
-reboot - restarts test computer instead of shutting down
-nosidgen - use this when using as a backup vs using it to clone machine

SETUP MANAGER
- deploy.CAB under SUPPORT\TOOLS folder
- GUI tool to create answer file
- SYSPREP.EXE -

Use an Answer file for:
- installing W2K Pro or server
- Remote Installation Services
- Sysprep.exe - rolls back install to info requests for a "mini setup"
Use Setup Manager Wizard to specify:
- Configure for multiple network adapters
- Distribution share with customization files
- Hardware abstraction layer (=HAL)

SETUP PROBLEMS
Media errors - *** DON'T scratch the label side of the CD
Nonsupported CD drive - *** Try creating W98 boot disk to support the CD drive
Insufficient Disk Space
Failure of dependency service to start
Inability to connect to DC
Failure of Win2K to install or start

INSTALLING W2K OVER NETWORK
- have install files setup on server share
- process - startup, connect to install share, run winnt.exe, setup restarts and begins install
WINNT.EXE
/a - enable accessibility
/e - execute command before final phase of setup
/i:inf_file - specify INF file name
/r:folder - create additional folder
/s:source_path - location of installation files
/t:temp_drive - specify temp drive
/u:answer_file - perform unattended installation with an answer file
/rx:folder - creates additional folder under systemroot folder and deletes it after installation completes
USE makeboot.exe from bootdisk folder instead of startup switch to create installation disks.

RUNNING SETUP
- winnt or winnt32 (when running from win32 platform)
- follow Wizard: file/partition info.

PreInstall Checklist
- HCL - supported hardware
- Minimum hardware requirements
- 2GB disk space, at least 1GB available
- Select file system
- Select licensing mode (PER SEAT)
- Determine Domain/Workgroup name
- Create domain computer account - if nonadministrator will be adding the machine to the domain
- Create password for administrator account

JOINING A DOMAIN
- Requires:
- Domain Name & Computer Account
- Domain Controller and DNS server
ALSO
- There is no distinction of BDC, PDC - all DC
- Now you can change a server from a member server to DC and back to member server without requiring reinstall.

NTFS in W2K
- supports disk quotas based on file ownership
- Disk compression
- File encryption

Installation - 'fresh' allows creating/managing partition
Boot from CD
MAKEBOOT - make diskettes
Select file system
NTFS, FAT, FAT32
Always do NTFS except to support dual boot
If using FAT or FAT32, install will automatically format >2GB partition as FAT32

Minimum Hardware Requirements
Pro - P133, min 32MB, rec 64MB - really recommend 128MB RAM
Server - 256MB recommended for supporting up to 5 clients
2GB HD with 1GB free space on partition that will contain system files.
VGA - 800X600 recommended
NIC & Mouse

Advanced Server & Data Center
Load balancing & clustering capability
Enterprise Memory Architecture
- Advanced 8GB RAM
- Datacenter 64GB RAM
SMP - ** load balances at the thread level
- W2K Pro up to 2 CPU's
- Advanced up to 8 CPU's
- DataCenter up to 32 CPU's

Win2K Server
Active Directory
- single domain can hold 4 billion objects (vs NT 4 domain limit of 40000 users)
- LDAP compatible
Management
- Group Policy
- DNS dynamic update protocol
- Terminal Services

Win2K Pro features/enhancements
*** Synchronization Manager - sync a drive mapping/folder/e-mail.
*** Internet Printing Protocol - connect/print to printer via browser
Plug & Play Manager
Security:
Encrypting file system
Kerberos v5
IP Sec
Secondary Login -- "run as" ability. *** recommend login as end user and use "run as" to perform administration

DFS - Distributed File System -- use for user directories, install directory, etc.