MCSA Short Course
Exam 70-218:
Managing a Microsoft
Windows 2000 Network Environment


First Edition - 4.15.02

Document Outline

  • Standard Choices: Computer
  • Standard Computer Configuration Choices: Administrative Templates
  • User Configuration
    Copyright
    All rights reserved. No part of this manual shall be reproduced, stored in a retrieval
    system, or transmitted by any means, electronic, mechanical, photocopying,
    recording, or otherwise, without written permission from the owner. No patent
    liability is assumed with respect to the use to the information contained herein.
    Although every precaution has been taken in the preparation of this manual, the
    owner and author assume no responsibility for errors or omissions. Neither is any
    liability assumed for any damages resulting from the use of the information
    contained herein.
    Trademarks
    All terms mentioned in this manual that are known to be trademarks or service
    marks have been appropriately capitalized. The author cannot attest to the accuracy
    of this information. Use of a term in this manual should not be regarded as affecting
    the validity of any trademark or service mark.
    Warning and Disclaimer
    Every effort has been made to make this manual as complete and accurate as
    possible, but no warranty or fitness is implied. The information provided is on an "as
    is" basis. The author and owner shall have neither liability nor responsibility to any
    person or entity with respect to any loss or damages arising from the information
    contained in this manual.
    Contact Information
    For information about this manual or any complementary/associated test preparation
    software it accompanies, use the following contact information:
    Mercury Technical Solutions
    1201 E. Fifth Street, Suite 1006
    Anderson, IN 46012
    Email queries can be sent to info@TechnicalContent.com.


    Introduction
    Microsoft's 70-218 exam (Managing a Microsoft Windows 2000 Network
    Environment) is the cornerstone of the recently unveiled MCSA (Microsoft Certified
    System Administrator) certification. To become an MCSA, you must pass this exam
    as well as 70-210 (Installing, Configuring, and Administering Microsoft Windows
    2000 Professional), 70-215 (Installing, Configuring, and Administering Microsoft
    Windows 2000 Server), and an elective.
    Exam 70-218 is intended for an audience with at least six months of experience with
    Windows 2000 and Active Directory. The exam consists of five major categories, also
    known as skill sets, beneath each of which are a number of objectives.
    Creating, Configuring, Managing, Securing, and Troubleshooting File, Print,
    and Web Resources
    Publish resources in Active Directory. Types of resources include printers and
    shared folders.
    Perform a search in Active Directory Users and Computers.
    Configure a printer object.
    Manage data storage. Considerations include file systems, permissions, and
    quotas.
    Implement NTFS and FAT file systems.
    Enable and configure quotas.
    Implement and configure Encrypting File System (EFS).
    Configure volumes and basic and dynamic disks.
    Configure file and folder permissions.
    Manage a domain-based distributed file system (DFS).
    Manage file and folder compression.
    Create shared resources and configure access rights. Shared resources
    include printers, shared folders, and Web folders.
    Share folders and enable Web sharing.
    Configure shared folder permissions.
    Create and manage shared printers.
    Configure shared printer permissions.
    Configure and troubleshoot Internet Information Services (IIS).
    Configure virtual directories and virtual servers.
    Troubleshoot Internet browsing from client computers.

    Troubleshoot intranet browsing from client computers.
    Configure authentication and SSL for Web sites.
    Configure FTP services.
    Configure access permissions for intranet Web servers.
    Monitor and manage network security. Actions include auditing and detecting
    security breaches.
    Configure user-account lockout settings.
    Configure user-account password length, history, age, and complexity.
    Configure Group Policy to run logon scripts.
    Link Group Policy objects.
    Enable and configure auditing.
    Monitor security by using the system security log file.
    Configuring, Administering, and Troubleshooting the Network Infrastructure
    Troubleshoot routing. Diagnostic utilities include the tracert command, the
    ping command, and the ipconfig command.
    Validate local computer configuration by using the ipconfig, arp, and
    route commands.
    Validate network connectivity by using the tracert, ping, and pathping
    commands.
    Configure and troubleshoot TCP/IP on servers and client computers.
    Considerations include subnet masks, default gateways, network IDs, and
    broadcast addresses.
    Configure client computer TCP/IP properties.
    Validate client computer network configuration by using the winipcfg,
    ipconfig, and arp commands.
    Validate client computer network connectivity by using the ping
    command.
    Configure, administer, and troubleshoot DHCP on servers and client
    computers.
    Detect unauthorized DHCP servers on a network.
    Configure authorization of DHCP servers.
    Configure client computers to use dynamic IP addressing.
    Configure DHCP server properties.
    Create and configure a DHCP scope.

    Configure, administer, and troubleshoot DNS.
    Configure DNS server properties.
    Manage DNS database records such as CNAME, A, and PTR.
    Create and configure DNS zones.
    Troubleshoot name resolution on client computers. Considerations include
    WINS, DNS, NetBIOS, the Hosts file, and the Lmhosts file.
    Configure client computer name resolution properties.
    Troubleshoot name resolution problems by using the nbtstat, ipconfig,
    nslookup, and netdiag commands.
    Create and configure a Hosts file for troubleshooting name resolution
    problems.
    Create and configure an Lmhosts file for troubleshooting name
    resolution problems.
    Managing, Securing, and Troubleshooting Servers and Client Computers
    Install and configure server and client computer hardware.
    Verify hardware compatibility by using the qualifier tools.
    Configure driver signing options.
    Verify digital signatures on existing driver files.
    Configure operating system support for legacy hardware devices.
    Troubleshoot starting servers and client computers. Tools and methodologies
    include Safe Mode, Recovery Console, and parallel installations.
    Interpret the startup log file.
    Repair an operating system by using various startup options.
    Repair an operating system by using the Recovery Console.
    Recover data from a hard disk in the event that the operating system
    will not start.
    Restore an operating system and data from a backup.
    Monitor and troubleshoot server health and performance. Tools include
    System Monitor, Event Viewer, and Task Manager.
    Monitor and interpret real-time performance by using System Monitor
    and Task Manager.
    Configure and manage System Monitor alerts and logging.
    Diagnose server health problems by using Event Viewer.
    Identify and disable unnecessary operating system services.

    Install and manage Windows 2000 updates. Updates include service packs,
    hot fixes, and security hot fixes.
    Update an installation source by using slipstreaming.
    Apply and reapply service packs and hot fixes.
    Verify service pack and hot fix installation.
    Remove service packs and hot fixes.
    Configuring, Managing, Securing, and Troubleshooting Active Directory
    Organizational Units and Group Policy
    Create, manage, and troubleshoot User and Group objects in Active Directory.
    Create and configure user and computer accounts for new and existing
    users.
    Troubleshoot groups. Considerations include nesting, scope, and type.
    Configure a user account by using Active Directory Users and
    Computers. Settings include passwords and assigning groups.
    Perform a search for objects in Active Directory.
    Use templates to create user accounts.
    Reset an existing computer account.
    Manage object and container permissions.
    Use the Delegation of Control wizard to configure inherited and explicit
    permissions.
    Configure and troubleshoot object permissions by using object access
    control lists (ACLs).
    Diagnose Active Directory replication problems.
    Diagnose problems related to WAN link connectivity.
    Diagnose problems involving replication latency. Problems include
    duplicate objects and the LostandFound container.
    Deploy software by using Group Policy. Types of software include user
    applications, antivirus software, line-of-business applications, and software
    updates.
    Use Windows Installer to deploy Windows Installer packages.
    Deploy updates to installed software including antivirus updates.
    Configure Group Policy to assign and publish applications.
    Troubleshoot end-user Group Policy.
    Troubleshoot Group Policy problems involving precedence, inheritance,
    filtering, and the No Override option.

    Manually refresh Group Policy.
    Implement and manage security policies by using Group Policy.
    Use security templates to implement security policies.
    Analyze the security configuration of a computer by using the secedit
    command and Security Configuration and Analysis.
    Modify domain security policy to comply with corporate standards.
    Configuring, Securing, and Troubleshooting Remote Access
    Configure and troubleshoot remote access and virtual private network (VPN)
    connections.
    Configure and troubleshoot client-to-server PPTP and L2TP
    connections.
    Manage existing server-to-server PPTP and L2TP connections.
    Configure and verify the security of a VPN connection.
    Configure client computer remote access properties.
    Configure remote access name resolution and IP address allocation.
    Troubleshoot a remote access policy.
    Diagnose problems with remote access policy priority.
    Diagnose remote access policy problems caused by user account group
    membership and nested groups.
    Create and configure remote access policies and profiles.
    Select appropriate encryption and authentication protocols.
    Implement and troubleshoot Terminal Services for remote access.
    Configure Terminal Services for remote administration or application
    server mode.
    Configure Terminal Services for local resource mapping.
    Configure Terminal Services user properties.
    Configure and troubleshoot Network Address Translation (NAT) and Internet
    Connection Sharing.
    Configure Routing and Remote Access to perform NAT.
    Troubleshoot Internet Connection Sharing problems by using the
    ipconfig and ping commands.


    Chapter 1
    Creating, Configuring, Managing, Securing, and
    Troubleshooting File, Print, and Web Resources
    This chapter discusses the exam's first objective, "Creating, Configuring, Managing,
    Securing, and Troubleshooting File, Print, and Web Resources."
    1.1 - Publishing Resources in Active Directory
    The two types of resources this objective refers to are shared folders and printers.
    The important thing to know about folders is that they must first be shared, and then
    they can be published in Active Directory. This is in contrast to printers, which by
    default are published in Active Directory when first shared from Windows 2000-based
    machines.
    The folder is shared in the standard way, through Windows Explorer:
    1. Right-click the folder, and click Sharing.
    2. At the Sharing tab, click Share this folder.
    To publish the folder:
    1. Open Active Directory Users and Computers.
    2. Find the OU (Organizational Unit) that holds the folder you want to publish
    (beneath the Domain), and right-click it.
    3. Choose New, and then Shared Folder.
    4. Enter a name in the Name: text box and a UNC path in the Network path:
    text box.
    5. Click OK.
    Printers are published automatically unless the List in the Directory check box is
    unchecked on the Sharing tab of their properties. To publish a pre-Windows 2000
    printer (Windows NT, for example), you must first share it, and then:
    1. Open Active Directory Users and Computers.
    2. Find the folder where you want to publish the printer (beneath the domain
    node in the console tree).
    3. Choose New, and then Printer.
    4. Enter the network path on the print share.
    5. Click OK.

    1.2 - Managing Data Storage
    Because this objective is of significant importance both on the exam and in the real
    world, the bulk of this article will be devoted to it. There are three topics beneath
    data storage: file systems, permissions, and quotas. Although the topics might
    appear to be separate issues, they are actually all an extension of the file system
    chosen. The file system that is appropriate for Windows 2000 depends on the needs
    of the specific environment in which it will be used. In an environment that requires
    dual-booting to another operating system, Microsoft recommends using a FAT-
    formatted file system. They recommend NTFS for situations in which security is a
    concern, however.
    This section will help you determine which file system is appropriate in a given
    situation. First, you should review the characteristics of the three file systems that
    Windows 2000 supports.
    FAT
    FAT (File Allocation Table) was the standard file system in use throughout older
    operating systems. Windows 2000 supports it, as does Windows NT, Windows 98,
    Windows 95, and DOS. In the first versions of DOS and the first release of Windows
    95, FAT was your only choice. With the advent of Windows 95b and Windows 98,
    however, you were given the choice of using FAT or FAT32. With Windows NT, the
    choice has traditionally been between FAT and NTFS. That means most machines
    today use FAT as their only file system--or at least have the choice of using it.
    NOTE: Windows 95b (or OSR2) released a new version of FAT called FAT32. Windows
    NT 4.0 was not compatible with FAT32 and offered no way to convert a FAT32
    partition to a FAT partition. Windows 2000 supports FAT32 and allows you to install
    on it as well as convert to it.
    The advantages of using FAT in a Windows NT environment include the following:
    · Required file system for floppy disks
    · Compatible with DOS, Windows 95, and other operating systems
    The following are disadvantages of using FAT in a Windows 2000 environment:
    · No security support
    · Poor support for volumes larger than 512MB
    · No support for disks larger than 4GB
    · Typically unable to format disks larger than 2GB
    NOTE: Because FAT is limited to 65,535 clusters, it must use larger and larger
    cluster sizes for large volumes. As the cluster size grows, more disk space is
    wasted, because FAT allocates a minimum of one full cluster to every file (even a
    file that is only 5 bytes in size) whether the file needs it or not. The remainder of
    the cluster is wasted.

    As a general rule, any disk larger than 400MB should be formatted with a file system
    other than FAT so that the cluster size can be kept small.
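The cluster-count limit and the slack space it causes can be worked through numerically. The following is an added example in Python, not code from the study guide: it computes the smallest cluster size a FAT volume of a given size can use under the 65,535-cluster limit the text quotes, then measures the wasted tail space for a constructed set of small files on FAT versus an NTFS volume that keeps the 4KB cluster the text uses in its example. The 512-byte sector size, the sample file sizes and the volume sizes are constructed assumptions.

```python
# Added example, not from the study guide: models the cluster-size growth the
# text describes for FAT (at most 65,535 clusters per volume) and the slack
# space that whole-cluster allocation wastes. The 512-byte sector size and the
# sample file sizes are constructed assumptions.
MAX_FAT_CLUSTERS = 65_535   # cluster-count limit quoted in the text
SECTOR_BYTES = 512          # smallest cluster considered (one sector)
NTFS_CLUSTER = 4 * 1024     # the 4KB cluster used in the text's NTFS example


def min_fat_cluster_size(volume_bytes: int) -> int:
    """Smallest power-of-two cluster (in bytes) that keeps the volume's cluster
    count at or below MAX_FAT_CLUSTERS; this is why FAT clusters grow with
    volume size."""
    cluster = SECTOR_BYTES
    while (volume_bytes + cluster - 1) // cluster > MAX_FAT_CLUSTERS:
        cluster *= 2
    return cluster


def slack_bytes(file_sizes, cluster_size: int) -> int:
    """Bytes wasted because every file, even a 5-byte (or empty) one, is charged
    at least one whole cluster and the tail of its last cluster stays unused."""
    waste = 0
    for size in file_sizes:
        clusters = max(1, (size + cluster_size - 1) // cluster_size)
        waste += clusters * cluster_size - size
    return waste


def compare_waste(file_sizes, volume_bytes: int) -> dict:
    """Slack for the files on a FAT volume of the given size versus the same
    files on an NTFS volume that keeps a 4KB cluster regardless of volume size."""
    fat_cluster = min_fat_cluster_size(volume_bytes)
    return {
        "fat_cluster": fat_cluster,
        "fat_slack": slack_bytes(file_sizes, fat_cluster),
        "ntfs_slack": slack_bytes(file_sizes, NTFS_CLUSTER),
    }


if __name__ == "__main__":
    MB = 1024 * 1024
    # Constructed sample: a few small files on volumes of growing size.
    sample = [5, 700, 1_500, 4_096, 10_000]
    for volume in (100 * MB, 400 * MB, 2 * 1024 * MB):
        r = compare_waste(sample, volume)
        print(f"{volume // MB:>5} MB volume: FAT cluster {r['fat_cluster']:>6} B, "
              f"FAT slack {r['fat_slack']:>7} B, NTFS slack {r['ntfs_slack']:>5} B")
```

Running it shows the effect the text describes: at 400MB the FAT cluster has already grown to 8KB, and at the 2GB ceiling it reaches 64KB, so five tiny files waste roughly 300KB on FAT against about 12KB on NTFS.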
    The FAT file system is the appropriate choice for Windows 2000 Professional
    workstations that need to dual-boot to older operating systems and for formatting
    floppy disks.
    FAT32
    FAT32 was introduced with the release of Windows 95b and is the default file system
    there and in Windows 98. It addressed several problems that cropped up with FAT,
    namely:
    · FAT was limited to 512 entries in the root directory. All long filenames used
    one entry for every 13 characters. FAT32 has no such limitation.
    · FAT could not support large hard drives and stopped formatting at 2GB. FAT32
    supports large hard drives and goes beyond the 2GB limit.
    In Windows 95b and subsequent releases, as well as in Windows 98, when you
    format a drive, you are asked if you want to enable large hard drive support.
    Although it is not specifically spelled out, choosing Yes means you want to use
    FAT32; choosing No means you want to use FAT.
    NTFS
    Before Windows NT was released, it had become apparent to Microsoft that a new
    filing system was needed to handle growing disk sizes, security concerns, and the
    need for more stability. NTFS (NT File System) was created to address those issues.
    The following sections discuss the major attributes and features of NTFS.
    Transaction Tracking
    Although FAT was relatively stable if the systems that were controlling it kept
    running, it didn't do so well when the power went out or the system crashed
    unexpectedly. One of the benefits designed into NTFS was a transaction tracking
    system. This made it possible for Windows NT to back out of any disk operations that
    were in progress when Windows NT crashed or lost power.
    This feature allows NTFS to be more resilient to problems than its predecessor, FAT
    (and FAT32).
    NOTE: Even NTFS is not crash-proof. It's highly recommended that you protect your
    computer with a UPS, if possible. NT even includes UPS monitoring software as part
    of the base product.

    Built-In Security
    Another feature built into NTFS--and that FAT didn't have--is support for security
    information. When FAT was designed back in the early 1980s, personal computers
    were just that--personal. The concept of networking or sharing information between
    personal computers was unheard of. Because no resources were shared, security
    wasn't too important.
    As the PC industry evolved, however, it became necessary to secure files from other
    people--people using the PC directly and from across the network. To handle this,
    layers of sharing security (such as the share-level security in Windows for
    Workgroups) were added. In addition, special file encryption programs were
    developed to encrypt data while it was stored on the hard disk.
    Encryption is the process of taking a readable file and making it unreadable by
    means of a process that can be reversed only with a special key. Still, these were
    add-ons to an elderly (in PC terms) filing system, and they weren't integrated.
    NTFS's security is flexible and built-in. Not only does NTFS track security in access
    control lists (ACLs), which can hold permissions for local users and groups, but each
    entry in the ACL can specify the type of access given--from Read-Only to Change to
    Full Control, or anything in between.
    NOTE: Certain DOS-based programs can read NTFS volumes while ignoring the security
    you have defined on the disk. However, this requires physical access to the
    computer, as well as enough knowledge to obtain one of these programs. For testing
    purposes, you should assume that NTFS volumes cannot be seen from any other
    operating system.
    Large Disk Support
    In addition to transaction tracking and security, NTFS also improves support for
    larger disks. Because FAT was designed so long ago, its support of large-sized
    partitions (over 512MB) leaves a little to be desired in terms of speed and efficient
    use of space.
    NTFS was designed to handle volumes larger than 512MB without resorting to larger
    and larger cluster sizes, as FAT does. When FAT allocates a file, it must allocate an
    entire group of disk sectors, called a cluster. For FAT to support large volumes, the
    cluster size must be made larger so that the file allocation table itself can fit within
    64KB.
    NTFS doesn't have a 64KB limitation for the way that it tracks files. Although it still
    uses the concept of clusters, it does so only to balance the size of the allocation map
    and the amount of wasted space at the end of a file.
    Both FAT and NTFS allocate space for files in cluster lengths. If a file is 1KB and the
    cluster size for the volume is 4KB, for example, 3KB at the end of the file will be
    wasted because it will have been marked in the allocation table as having been used.

    File-Level Compression
    One way to get around allocating a complete cluster for every file with NTFS is to use
    the file compression attribute that was added with Windows NT 3.51. This attribute
    allows NTFS to manage file compression on a per-file basis--unlike FAT-based file
    compression schemes, which must compress an entire part of the drive.
    NOTE: File-based compression is infinitely superior to partition-based compression,
    because you can compress files you don't frequently use and leave those files you do
    frequently use uncompressed. This enables you to control how much processor
    overhead you trade for disk space.
    Because today's programs require more and more disk space, there is a need to put
    more and more on the hard disks we buy. Compression is the method by which you
    get more data into the same amount of space. Unlike using a different tape speed in
    your VCR, there is no difference between the compressed and uncompressed files
    after the compressed files are decompressed. The only difference is that you must
    perform an additional step on compressed files before you can use them.
    Not too long ago, programs for DOS appeared on the scene that allowed you to
    compress an entire volume or partition. These utilities, such as Stacker, allowed you
    to store nearly twice as much data in the same amount of space. As the programs
    improved, more data--as much as four times--could be stored.
    Unfortunately, Windows NT didn't (and doesn't) support FAT-based compression
    programs. And with continuing pressure to provide compression support in NT,
    Microsoft released the changes to NTFS to allow it to support file-level compression.
    This was a major leap forward in how file compression was handled. In the DOS
    world, it was always a trade-off between the additional space that compression
    would buy and the speed of using uncompressed files.
    Because compressed files must be decompressed in memory before they can be
    used, file compression meant a performance penalty on slower processors. With
    NTFS supporting file-level compression, however, the files used most often can be
    left uncompressed to get the speed of accessing without decompression, and the
    files that are rarely used can be compressed so that they won't take up so much
    space.
    NOTE #1: Not all files can be compressed. In particular, some of the Windows NT
    boot files and the paging file cannot be compressed; they must always remain
    uncompressed. Windows NT will not allow you to set the Compress attribute on these
    files.
    NOTE #2: Using compression on files that are served by a file server can
    dramatically increase the processor utilization of a server. If you are running low on
    disk space, before you turn on compression, consider the impact it will have on the
    processor.

    Feature Review
    To review, the following specific features make it desirable to implement NTFS on a
    Windows 2000 workstation:
    · Transaction tracking
    · File-level security support
    · File-level compression support
    · Large volume support
    The following table summarizes the three file systems:
    Feature                                              | FAT                               | FAT32                                  | NTFS (version 5)
    -----------------------------------------------------|-----------------------------------|----------------------------------------|---------------------
    Filename length                                      | 255                               | 255                                    | 255
    Characters for disk label                            | 11                                | 11                                     | 32
    8.3 compatibility                                    | Yes                               | Yes                                    | Yes
    Maximum files in root directory                      | 512                               | No limit                               | No limit
    Maximum files in non-root directory                  | No limit                          | No limit                               | No limit
    Partition size                                       | 4GB                               | 2TB                                    | 2EB
    Local security                                       | No                                | No                                     | Yes
    Transaction tracking                                 | No                                | No                                     | Yes
    Hot fixing                                           | No                                | No                                     | Yes
    Overhead                                             | Tiny                              | Small                                  | >2MB (avg. 4.5-10)
    Required for dual-booting                            | Yes (with many operating systems) | Yes (with Windows 95b and Windows 98)  | No
    Required for RISC-based                              | Yes                               | No                                     | No
    Accessible from DOS                                  | Yes                               | Yes                                    | No
    Accessible from OS/2                                 | Yes                               | No                                     | No
    Case-sensitive                                       | No                                | No                                     | POSIX only
    Case preserving                                      | Yes                               | Yes                                    | Yes
    Compression                                          | No                                | No                                     | Yes
    Efficiency                                           | <200-400MB                        | <400MB                                 | >400MB
    Convertible to another file system without data loss | To NTFS only                      | To NTFS only                           | No
    Fragmentation level                                  | High                              | High                                   | Low
    Supports EFS (file encryption)                       | No                                | No                                     | Yes
    Supports disk quotas                                 | No                                | No                                     | Yes
    Extensible attributes                                | No                                | No                                     | Yes
    Converting from One File System to Another
    During the installation of Windows 2000, you can choose where to install the
    operating system in a FAT, FAT32, NTFS, or unformatted partition. Immediately after
    making your selection, you can choose to leave said file system intact (except, of
    course, for the unformatted) or to change it to any other format.
    Anytime after the installation, the CONVERT.EXE utility allows you to convert a FAT or
    FAT32 file system to NTFS without data loss. The syntax for this command is as
    follows:
    CONVERT volume /FS:NTFS [/V]
    volume is the drive to be converted, and /V is used to invoke verbose mode. Under
    all conditions, the /FS parameter must be used to specify the file system, and the
    only accepted file system is NTFS.
    So, for example, to convert the C drive to NTFS from FAT/FAT32, you would use the
    following command:
    CONVERT C: /FS:NTFS
    Any other conversion you might want to perform requires you to back up your data,
    format the volume with the new file system, and then restore the data. This can be a
    touchy subject because other operating systems offer a utility for converting FAT to
    FAT32 without data loss. No such utility is included in Windows 2000 Professional,
    however.
    FAT/FAT32 File Attributes
    The attributes that you can assign to a file vary greatly, depending on the file system
    you choose. In both the FAT and FAT32 file systems, your choices are limited to the
    following:
    · Read-Only
    · Hidden (from command-line listings and Explorer--if Explorer is configured to
    not show all files)
    · Archive (included in the next differential or incremental backup)
    · System

    There is an interesting change between Windows NT 4.0 and Windows 2000 in the
    way the System attribute is displayed. In Windows NT 4.0, the System attribute was
    represented by a check box on the General tab of the Properties dialog box for a file.
    In Windows 2000, that check box does not appear, but the fact that the file is flagged
    as such is still displayed in the Explorer interface (as shown in the following figure).
    NOTE: Explorer recognizes that the System attribute is enabled for this file. In
    Windows 2000, there is no System check box.

    Although the System attribute no longer has a check box, the status still appears in
    Explorer.

    NTFS File Attributes
    In NTFS, you can assign the same file attributes you could in FAT/FAT32, but
    additional choices have been added. You can now perform the following tasks:
    · Index the file for faster finding
    · Compress the file
    · Encrypt the file
    The following figure shows the attributes that appear for the file on the Advanced
    dialog box, beneath the General tab.


    NTFS offers additional (advanced) file attributes beneath the General tab.
    Note that the distinction between the file systems does not end with the attributes
    available from the General tab. Although the General tab is the only tab available
    under FAT/FAT32, NTFS offers two additional tabs: Summary and Security.
    The Summary tab merely allows you to enter or view information about the file's
    description and origin. Such information can include the author, subject, category,
    and comments.
    The Security tab, shown in the following figure, allows you to assign permissions for
    the file to individual users or groups, or combinations thereof.


    NTFS offers Security permissions that can be applied all the way down to the file
    level.

    NTFS offers five distinct rights, each of which can be specifically allowed or denied:
    · Full Control (everything the others provide, plus the ability to change
    permissions and take ownership)
    · Modify (encompasses the Read and Execute permission and the Write
    permission, and offers the ability to delete)
    · Read and Execute
    · (just) Read
    · Write
    Of crucial importance is the check box in the lower portion of the tab. It is chosen by
    default, which means the permissions applied at one level will be inherited
    (propagated) by lower levels. By default, permissions accumulate. The exact
    opposite of normal operations is accomplished by using the Deny permission, which
    overrides all other accumulated permissions for that right.

    NOTE: The No Access permission available in Windows NT does not exist in Windows
    2000. Replacing it in functionality is the Deny permission, which can be applied to
    any specific right but not to all rights (as could No Access).
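The inheritance check box, the accumulation of Allow entries and the overriding effect of Deny described above can be modelled in a few lines. The following is an added example in Python, not code from the study guide: it walks a small constructed folder tree (D:\Data, a Payroll subfolder with inheritance switched off, and two files), collects the entries that reach each file, and computes a user's effective rights as the union of everything allowed to the user and the user's groups minus anything denied. The mapping of the five basic rights onto the advanced rights listed on the next page is the standard Windows mapping and is assumed here rather than taken from the text; the tree, users and groups are constructed. It deliberately implements only the rule the text states (Deny wins over any accumulated Allow), not the finer ordering rules Windows applies between explicit and inherited entries.

```python
# Added example, not from the study guide: a small model of how NTFS
# permissions accumulate through inheritance and how Deny overrides Allow.
# The mapping of the five basic rights onto advanced rights is the standard
# Windows mapping, assumed here; the sample tree and principals are constructed.
from dataclasses import dataclass, field
from typing import Optional

READ = {"List Folder / Read Data", "Read Attributes",
        "Read Extended Attributes", "Read Permissions"}
READ_EXECUTE = READ | {"Traverse Folder / Execute File"}
WRITE = {"Create Files / Write Data", "Create Folders / Append Data",
         "Write Attributes", "Write Extended Attributes"}
MODIFY = READ_EXECUTE | WRITE | {"Delete"}
FULL_CONTROL = MODIFY | {"Delete Subfolders and Files",
                         "Change Permissions", "Take Ownership"}
BASIC = {"Read": READ, "Read and Execute": READ_EXECUTE, "Write": WRITE,
         "Modify": MODIFY, "Full Control": FULL_CONTROL}


@dataclass
class Ace:
    principal: str      # user or group name
    right: str          # one of the five basic rights
    allow: bool = True  # False models a Deny entry


@dataclass
class Node:
    name: str
    aces: list = field(default_factory=list)
    inherit: bool = True              # the inheritance check box on the Security tab
    parent: Optional["Node"] = None


def applicable_aces(node: Node) -> list:
    """The node's own entries plus its ancestors' entries, walking upward only
    while each level still has inheritance enabled."""
    aces = list(node.aces)
    cur = node
    while cur.inherit and cur.parent is not None:
        cur = cur.parent
        aces.extend(cur.aces)
    return aces


def effective_rights(node: Node, user: str, groups) -> frozenset:
    """Allows for the user and every group the user belongs to accumulate; a
    matching Deny removes its rights no matter how many Allows granted them."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in applicable_aces(node):
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(BASIC[ace.right])
    return frozenset(allowed - denied)


# Constructed sample tree: D:\Data -> Payroll -> salaries.xls, plus D:\Data\public.txt
data = Node("Data", aces=[Ace("Users", "Modify"),
                          Ace("Administrators", "Full Control"),
                          Ace("Contractors", "Write", allow=False)])
payroll = Node("Payroll", parent=data, inherit=False,   # check box cleared here
               aces=[Ace("Payroll-Staff", "Read")])
salaries = Node("salaries.xls", parent=payroll)
public = Node("public.txt", parent=data)


def demo() -> dict:
    return {
        # alice: Users grants Modify, Contractors denies Write -> Write gone, Delete kept
        "alice on public.txt": effective_rights(public, "alice", ["Users", "Contractors"]),
        # bob: nothing from Data reaches salaries.xls because Payroll stopped inheritance
        "bob on salaries.xls": effective_rights(salaries, "bob", ["Users"]),
        "carol on salaries.xls": effective_rights(salaries, "carol", ["Payroll-Staff"]),
    }


if __name__ == "__main__":
    for who, rights in demo().items():
        print(f"{who}: {sorted(rights)}")
```

The two cases worth noticing are alice, who keeps Delete and all of Read and Execute from Users but loses every Write right to the single Deny on Contractors, and bob, who gets nothing on salaries.xls even though Users has Modify on the parent, because clearing the check box on Payroll stops the propagation.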
    The Advanced tab contains a slew of additional rights that can be allowed or denied
    individually. To access them, go to the Advanced tab and double-click on a user or
    group. You can assign the following rights:
    · Traverse Folder / Execute File
    · List Folder / Read Data
    · Read Attributes
    · Read Extended Attributes
    · Create Files / Write Data
    · Create Folders / Append Data
    · Write Attributes
    · Write Extended Attributes
    · Delete Subfolders and Files
    · Delete
    · Read Permissions
    · Change Permissions
    · Take Ownership
    These attributes/permissions will be discussed in later sections as the topics apply.
    For now, it is important that you see two things:
    · None of these are available with any file system other than NTFS.
    · Not only do these attributes/permissions exist, the ability to see and change
    them is a permission in and of itself, as the Read Permissions and Change
    Permissions entries in the preceding list show.
    Finally, NTFS also allows for auditing and ownership--two other features that were
    completely overlooked in FAT and FAT32.
    Picking a File System on the Exam
    There are three main issues for deciding which file system to choose on the exam.
    The first issue is dual-booting. Rule of thumb: Select a file system other than NTFS
    only when dual-booting is needed.
    When the system will be dual-booting to DOS, Windows 95a, or OS/2, the FAT file
    system must be used. FAT is the only file system supported by both Windows 2000
    and almost all other operating systems. If the question involves dual-booting with
    Windows 98 or Windows 95b and using large hard drive support (larger than 2GB),
    the answer is FAT32. Any time the partition size is larger than 32GB, NTFS should be
    chosen over FAT32, if possible, due to size constraints.
    NOTE: When Windows 95 is installed after Windows 2000, the 2000 installation must
    be repaired before 2000 will be accessible again.
    During the installation of Windows 95, it overwrites the boot sector on the hard
    drive. Using the Windows 2000 boot disks, however, you can repair the 2000
    installation by investigating and fixing the boot sector.
    The second issue that the test addresses is security. Security is supported on NTFS
    only. If the test requires that the solution support file-level security, NTFS is
    required. If the question deals with access via a network, however, remember that
    some share-level security can be set up. Share-level security works with FAT, FAT32,
    and NTFS.
    Finally, the test requires you to know that FAT/FAT32 file systems can be
    automatically converted to NTFS with the CONVERT command, but NTFS file systems
    can't be converted to FAT. The partition would need to be backed up, deleted, and
    reformatted as FAT, and then the data would have to be restored.
    Quotas
    The Quota tab, which appears only if the drive is NTFS, allows you to configure the
    storage limits for users (see the following figure). By default, quota management is
    disabled; you must enable it before you can set any other options. The Deny Disk
    Space to Users Exceeding Quota Limit check box prevents users from saving files once
    they are over the limit; when the option is not checked, users merely get a warning
    and the overage is only recorded. With the last two options, you specify whether an
    event is logged when a user exceeds the quota limit and whether one is logged when
    a user exceeds the warning level. (You can configure these two values independently
    from one another.)
    NOTE: If quotas are enabled after user accounts have already been in place and
    users are currently exceeding the amount of the quota, warning messages will be
    generated the next time the user attempts to save and/or they will be prevented
    from using any additional space.

    The Quota tab enables you to configure storage limitations.
    1.3 - Creating Shared Resources and Configuring Access Rights
    Sharing of printers and folders was mentioned in objective 1.1 and alluded to in 1.2
    as well. The key thing to know is that share permissions differ significantly from
    NTFS permissions in a number of ways:
    · They apply to users accessing the resource remotely and not locally.
    · They work with Windows- and DOS-based file systems (NTFS, FAT, or FAT32).
    · They work in conjunction with other permissions.
    Sharing is done at the folder level; it cannot be done individually at the file level. The
    only requirement is that you must install the File and Printer Sharing for Microsoft
    Networks service. A folder can be shared from the command line (terse) or from
    within the graphical interface (simple). To share a folder graphically, select it in
    My Computer or Windows Explorer and right-click it. Choose Sharing from the popup
    menu, and then click the Share This Folder option button. The name of the folder
    automatically appears in the Share Name text box. You can keep this value or
    change it to any other value. The share name should be 15 characters or fewer (8 or
    fewer if you will be servicing DOS clients). The Comment field is completely optional,
    but it can be used to display information about the folder's contents to users.
    NOTE: Users must use Details view in order to see the comments.
    From this dialog box, you can also set the maximum number of users who can
    access the folder concurrently. The default is unlimited, but you can specify a
    number if you must limit the access for licensing, design, or other reasons.
    Clicking the Permissions button brings up the dialog box shown in the following
    figure:

    Share permissions default to Everyone having Full Control (which includes Change
    and Read).
    Because the permissions apply to the entity only when it is accessed remotely, these
    are known as Access Through Share (ATS) permissions. The following table
    summarizes the share permissions that can be assigned.
    Share Permission   Meaning
    Full Control       Gives the user all the other choices and the ability to change
                       permissions and take ownership (if the folder is on NTFS).
    Change             Gives the user Read, Execute, Write and Delete permissions to
                       the share.
    Read               Allows the user Read and Execute permissions to the share.
    You can add individual users and groups to or remove them from the permissions
    list. Click Add, and the dialog box shown in the next figure appears:

    You can set permissions for users and groups independently.
    By default, all the Allow check boxes are selected. When you deselect Change or
    Read, it automatically unchecks Full Control, because Full Control requires having
    those other permissions. When the permissions are properly configured, click OK to
    exit. The folder icon now appears with a hand beneath it, indicating that the folder is
    shared.
    A folder can be shared more than once, each time having a different share name
    associated with it. This is useful if you are combining folders - for example, if you are
    placing what accounting used to call REPORTS in with what marketing used to call
    DATA. To share the folder under a different name, right-click it and then choose
    Sharing from the popup menu.
    On the Sharing tab of the Properties dialog box, note that the text box for Share
    Name is now a drop-down box. Notice, as well, that a new command button appears
    at the bottom of the box: New Share. By clicking this button, you can specify
    another name for the share, as well as comments, permissions, and user limits.
    Note: Both Windows NT and Windows 2000 allow for multiple share names to point
    to the same folder and have different permissions. As a result, the sales department
    can be allowed to access files within a folder DATA by the share name SALES and
    automatically have Read-Only rights, while the accounting department can access
    the same files under the share name REPORTS and have Full Control. It sounds
    simplistic, but it is an often-overlooked means of adding simple security to data files.
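    The two rules this section and the NTFS discussion above rely on (Allow entries
    accumulate, a Deny wins for that right, and a remote user gets the more restrictive
    of the share result and the NTFS result) are easy to get wrong by hand. The
    following Python is an added worked example, not part of the course text: it
    models the DATA folder with its SALES and REPORTS share names, and it assumes a
    simplified mapping of the three share levels onto the Advanced-tab right names
    (that mapping, the folder's ACLs and the users are all constructed for the example).

```python
"""Effective access to a shared NTFS folder (added example).

NTFS: every Allow that applies to the user or one of their groups accumulates;
a Deny on a right removes it no matter what else allows it.  Share permissions
accumulate the same way and, for a remote user, the result is the intersection
(the more restrictive) of the share result and the NTFS result.
"""

# Rights as named on the Advanced tab of the NTFS Security dialog.
READ = frozenset({
    "Traverse Folder / Execute File", "List Folder / Read Data",
    "Read Attributes", "Read Extended Attributes", "Read Permissions",
})
WRITE = frozenset({
    "Create Files / Write Data", "Create Folders / Append Data",
    "Write Attributes", "Write Extended Attributes",
})
DELETE = frozenset({"Delete", "Delete Subfolders and Files"})
OWN = frozenset({"Change Permissions", "Take Ownership"})
FULL = READ | WRITE | DELETE | OWN

# Assumed mapping of the three share levels onto the same right names, following
# the course table: Read = read/execute, Change adds write and delete, Full Control
# adds changing permissions and taking ownership.
SHARE_LEVEL = {"Read": READ, "Change": READ | WRITE | DELETE, "Full Control": FULL}


def effective_rights(aces, principals):
    """aces: (principal, 'Allow'|'Deny', rights) tuples; principals: the user name
    plus every group the user belongs to.  Allows accumulate across all matching
    entries; any Deny of a right overrides every Allow of it."""
    allowed, denied = set(), set()
    for who, kind, rights in aces:
        if who not in principals:
            continue
        (allowed if kind == "Allow" else denied).update(rights)
    return frozenset(allowed - denied)


def share_aces(entries):
    """Expand (principal, kind, 'Read'|'Change'|'Full Control') into right sets."""
    return [(who, kind, SHARE_LEVEL[level]) for who, kind, level in entries]


def effective_access(ntfs, share, principals, remote=True):
    """Rights the user really gets.  Share permissions apply only to remote access,
    so a local logon sees the NTFS result alone."""
    rights = effective_rights(ntfs, principals)
    if remote:
        rights &= effective_rights(share, principals)
    return rights


# Constructed folder: NTFS ACL on DATA, plus two share names pointing at it.
DATA_NTFS = [
    ("Users", "Allow", READ),
    ("Accounting", "Allow", FULL),
    ("Temps", "Deny", DELETE),        # temps may work on files but never delete
]
SALES_SHARE = share_aces([("Everyone", "Allow", "Read")])
REPORTS_SHARE = share_aces([("Accounting", "Allow", "Full Control")])

if __name__ == "__main__":
    # "Everyone" is listed explicitly because every logged-on user is a member of it.
    alice = {"alice", "Users", "Accounting", "Everyone"}
    print("alice via SALES:  ", sorted(effective_access(DATA_NTFS, SALES_SHARE, alice)))
    print("alice via REPORTS:", sorted(effective_access(DATA_NTFS, REPORTS_SHARE, alice)))
    bob = {"bob", "Users", "Accounting", "Temps", "Everyone"}
    print("bob via REPORTS:  ", sorted(effective_access(DATA_NTFS, REPORTS_SHARE, bob)))
```

    The same accounting user ends up read-only through SALES and with full rights
    through REPORTS, which is exactly the "often-overlooked" trick the note describes;
    a temp in Accounting keeps everything except the deletes, because the Deny on
    Temps strips those two rights out of the accumulated Full Control.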
    Sharing from the Command Prompt
    The NET command used with the SHARE parameter enables you to create shares
    from the command prompt, using this syntax:
    NET SHARE <share_name>=<drive_letter>:<path>
    To share the C:\EVAN directory as SALES, for example, you would use the following
    command:
    NET SHARE SALES=C:\EVAN
    You can use other parameters with NET SHARE to set other options. The following
    table summarizes the most commonly used parameters:
    Parameter        Use
    /DELETE          Stops sharing the folder
    /REMARK:"text"   Adds a comment that browsers see
    /UNLIMITED       Sets the user limit to Maximum Allowed
    /USERS:n         Sets a specific user limit
    Hidden Shares
    Whether you create a share with My Computer, with Explorer, or from the command
    prompt, you can "hide" it (prevent it from appearing in My Network Places) by
    adding a dollar sign ($) to the end of the share name, as shown here:
    NET SHARE SALES$=C:\EVAN
    This does not prevent a user from connecting to the share; to do so, the user must
    explicitly supply the entire path (including the $). Hiding a share is a
    convenience, not a security control: anyone who learns or guesses the name can still
    connect, so the share and NTFS permissions must still be set properly.
    Every Windows 2000-based computer has three hidden administrative shares that are
    created automatically:
    · C$. The root of the computer's drive. A similar share (such as D$, E$, and so
    on) is created for each hard drive partition on the system.
    · ADMIN$. The folder in which Windows 2000 is installed (%SystemRoot%, for
    example C:\WINNT).
    · IPC$. The remote IPC (InterProcess Communication) share used for named pipes
    and other networking.
    Only administrators can connect to these shares; ordinary users are refused. They
    provide a means by which administrators can easily access key directories across
    the network, which also means that membership of the local Administrators group is,
    in effect, the access control on every volume of the machine.
    Accessing the Share
    The shared directory and its contents can be accessed through My Network Places,
    Network Neighborhood (Windows NT) or the Find command.
    Working with Web Resources
    If, and only if, Web services are installed on the same machine you have created the
    share on, an additional tab--Web Sharing--appears under Properties. The following
    figure shows a server on which a folder has been shared.

    Web sharing can also be enabled for folders.
    By default, Web sharing is not enabled. When you choose to share it, you can create
    an alias (which appears as the share name by default). Then, you can specify Read,
    Execute, and/or Scripts permissions.
    1.4 - Configuring and Troubleshooting Internet Information Services (IIS)
    Internet Information Server (IIS) version 5.0 is installed automatically on Windows
    2000 during the operating system installation. If the server does not need to serve
    web or FTP content, remove it via Add/Remove Programs; an unused web server is
    simply additional exposed surface. You can also use this utility to add any
    additional components via the Configure Windows/Components options.
    Management of the HTTP/FTP sites is done locally through the Internet Services
    Manager utility. The web service, by default, listens on port 80; the FTP service on
    port 21. Virtual servers enable you to have one physical server appear as several
    web servers. Detailed information about virtual servers in IIS 5.0 can be found at
    http://www.networkcomputing.com/netdesign/iisadmin2.html#6.
    Virtual directories, on the other hand, are aliases to locations where web content
    exists, which may be on the machine or even on another (remote) server. The default
    directory for web content under IIS 5.0 is c:\inetpub\wwwroot and for FTP is
    c:\inetpub\ftproot. Among the primary reasons for using virtual directories are load
    balancing, increased security (content is served from a location you choose rather
    than from under the site root), and placing data where it can be most easily
    administered (backed up, updated, etc.). The steps involved in creating a virtual
    directory can be walked through at
    http://www.networkcomputing.com/netdesign/iisadmin13.html#14.
    1.5 - Monitoring and Managing Network Security
    You can configure auditing on nine pre-defined system events through the Local
    Security Policy shortcut within the Administrative Tools folder of the Control Panel.
    When configured, entries are written to the Security log, which you can view and
    configure with the Event Viewer tool, as shown below:

    On all nine events, you can choose to log entries (audit) based on a successful
    attempt, a failure, or both. The events are as follows:
    · Audit Account Logon Events
    · Audit Account Management
    · Audit Directory Service Access
    · Audit Logon Events
    · Audit Object Access
    · Audit Policy Change
    · Audit Privilege Use
    · Audit Process Tracking
    · Audit System Events
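    Turning on failure auditing for Audit Logon Events is only useful if somebody
    reads the Security log afterwards. The Python below is an added example, not
    part of the course: it runs a simple password-guessing detector over constructed
    log lines. The lines are a flattened "time,event ID,account,workstation" form
    invented for the example (a real export carries more fields); the event IDs are the
    Windows NT/2000 Security log numbers, 528 for a successful logon and 529 for a
    logon failure with a bad user name or password.

```python
"""Password-guessing detector for Windows 2000 logon audit events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# NT/2000-era Security log event IDs.
LOGON_SUCCESS = 528   # Successful Logon
LOGON_FAILURE = 529   # Logon Failure: unknown user name or bad password

# Constructed sample export: time,event_id,account,workstation
SAMPLE_LOG = """
1999-12-01 12:40:01,529,administrator,WS7
1999-12-01 12:40:12,529,administrator,WS7
1999-12-01 12:40:25,529,administrator,WS7
1999-12-01 12:40:37,529,administrator,WS7
1999-12-01 12:40:51,529,administrator,WS7
1999-12-01 12:41:05,529,administrator,WS7
1999-12-01 12:41:20,528,administrator,WS7
1999-12-01 12:45:00,529,bob,WS12
1999-12-01 12:45:20,528,bob,WS12
"""


def parse_log(text):
    """Turn the flattened export into event dicts with real timestamps."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, event_id, account, workstation = line.split(",")
        events.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account,
            "workstation": workstation,
        })
    return events


def find_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag any account with at least `threshold` failures (event 529) inside a
    sliding `window`; a success (event 528) that follows such a burst within the
    window is the case worth escalating, because the guess may have worked."""
    recent = defaultdict(deque)   # account -> times of failures still inside the window
    findings = {}                 # account -> finding
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"].lower()
        q = recent[acct]
        if ev["event_id"] == LOGON_FAILURE:
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                if acct not in findings:
                    findings[acct] = {
                        "account": acct,
                        "workstation": ev["workstation"],
                        "first": q[0],
                        "last": ev["time"],
                        "failures": len(q),
                        "followed_by_success": False,
                    }
                else:
                    findings[acct]["failures"] += 1
                    findings[acct]["last"] = ev["time"]
        elif ev["event_id"] == LOGON_SUCCESS:
            f = findings.get(acct)
            if f and ev["time"] - f["last"] <= window:
                f["followed_by_success"] = True
    return list(findings.values())


if __name__ == "__main__":
    for f in find_password_guessing(parse_log(SAMPLE_LOG)):
        print(f"{f['account']} from {f['workstation']}: {f['failures']} failures "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}, "
              f"then success: {f['followed_by_success']}")
```

    Two typos from bob never reach the threshold and are ignored; six failures against
    administrator from the same workstation in about a minute, followed by a success,
    produce the one finding. The threshold and window are the knobs to tune against
    your own logon-failure baseline.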
    Security will be revisited in objective 4.6. For now, it's important to understand a few
    basics and differences between System Policies and Group Policies. System Policies
    exist in Windows 95, Windows 98, and Windows NT. Windows 2000 changed "System
    Policy" to "Group Policy." The change is far more than just a name change, however.
    In a nutshell, all the functionality of the System Policy has been maintained, but the
    capabilities of a Group Policy greatly exceed those of a System Policy.
    To begin with, System Policy provided a window into the Registry and functioned as a
    component of it. Group Policies are windows into the Registry, but they also now
    encompass security, scripts, folder redirection, and software instructions.
    System Policies were read each time a user logged on. If changes were made to the
    policy, they were reflected the next time--and each time--the user logged on. Group
    Policies are read each time a user logs on and are refreshed every 90 minutes by
    default. On a domain controller (which 2000 Professional cannot be), the default
    refresh time is every five minutes.
    There are two other primary differences: System Policies were optional, whereas
    every Windows 2000 computer has a Local Group Policy whether or not you configure
    it. In addition, System Policies could be configured for individual computers;
    Group Policy Objects are linked to sites, domains, and organizational units rather
    than to individual computer accounts.
    Beneath the Computer Configuration setting are choices for Software Settings
    (usually empty on a new system), Windows Settings, and Administrative Templates.
    Windows Settings are broken down into Scripts and Security Settings. The Scripts
    options are divided into Startup and Shutdown. Both allow you to configure items
    (.EXE, .CMD, .BAT files, and so on) to run when starting and stopping the computer.
    The Security Settings option is divided into Account Policies, Local Policies, Public Key
    Policies, and IP Security Policies on Local Machines. The Security Options section
    contains 38 options, most of which are Registry keys. The default for each is "Not
    defined," but you can assign two other definitions (Enabled and Disabled) or a
    physical number (such as the number of previous logons to cache).

    Chapter 2
    Configuring, Administering, and Troubleshooting the
    Network Infrastructure
    2.1 - Troubleshooting Routing
    Although this objective includes the qualifier "routing," the definition of it is broad
    enough that it truly should be "troubleshooting connectivity." The focus, which is on
    diagnostic utilities, is an extension of topics that appear in objective 2.2 and some of
    objective 2.3. You might want to read them first, and then jump back to this section.
    You can use a number of tools to help troubleshoot and isolate the source of TCP/IP
    problems. Each tool gives you a different view of the process used to resolve an IP
    address to a hardware address and then route the IP packet to the appropriate
    destination. As a general rule of thumb, however, the following statements apply to
    the tools listed here:
    · If TCP/IP cannot communicate from a Microsoft host to a remote host system,
    the utilities discussed in this section will not work correctly.
    · If the systems are on different subnets and cannot communicate, remember
    that TCP/IP requires routing to communicate between subnets.
    · If the systems were able to communicate previously but can no longer
    communicate, suspect either your router(s) or changes in software
    configuration.
    Some of the tools described in the following sections are troubleshooting tools,
    whereas others fall more into the category of applications. The applications can be
    used to signify that a problem exists or to see whether the problem lies within one
    application and not within the connection.
    ARP
    After the name has been resolved to an IP address, your computer must resolve the
    IP address to a MAC address. This is handled by the Address Resolution Protocol
    (ARP).
    ARP, as a utility, can be used to see the entries in the address resolution table,
    which maps network card addresses (MAC addresses) to IP addresses. You can check
    whether the IP addresses you believe should be in the table are there and whether
    they are mapped to the computers they should be. You usually don't know the MAC
    addresses of the hosts on your network. If you cannot contact a host, or if a
    connection is made to an unexpected host, however, you can use the ARP command to
    check this table and begin isolating which host is actually answering for an IP
    address. A gateway entry whose MAC address differs from the router's real one
    points at either a duplicate address or a host deliberately answering ARP for it.
    Event Viewer
    The Event Viewer in Windows 2000 is used to examine events and errors that were
    written to log files. All critical system messages are stored in the System event log in
    Windows 2000 Professional--not just those related to TCP/IP. (Other log files include
    Application and Security.)
    With Windows 2000, the Event Viewer (formerly a standalone utility) has been
    moved into the Computer Management MMC snap-in, as shown in the following
    figure:

    Event Viewer can display the System log--one of the first places to look for errors
    and event information.

    FTP and TFTP
    The File Transfer Protocol (FTP) is used to download or upload files between hosts.
    Trivial File Transfer Protocol (TFTP) is a stripped-down variant that runs over
    UDP, has no authentication, and is used mainly for unattended transfers such as
    loading firmware and configurations onto network devices. Both send data in the
    clear, and FTP sends the user name and password in the clear as well.
    HOSTNAME
    One of the simplest of all utilities, HOSTNAME returns the name that the current host
    is known as. This utility does not support any parameters.
    IPCONFIG
    At its simplest, IPCONFIG displays IP configuration data. The /ALL parameter shows
    all data; the /RELEASE parameter gives up the DHCP lease; and the /RENEW parameter
    attempts to extend the life of the lease.
    Windows 2000 offers the following new parameters for the IPCONFIG utility:
    Parameter      Function
    /DISPLAYDNS    Shows the contents of the DNS resolver cache
    /FLUSHDNS      Flushes the DNS resolver cache
    /REGISTERDNS   Refreshes all DHCP leases and re-registers the computer's DNS names
    /SETCLASSID    Changes the DHCP class ID
    /SHOWCLASSID   Shows the DHCP class ID for all adapters
    NBTSTAT
    NBTSTAT is a command-line utility that enables you to check the resolution of
    NetBIOS names to TCP/IP addresses. Using NBTSTAT, you can check the status of
    current NetBIOS sessions. You can also add entries to the NetBIOS name cache from
    the LMHOSTS file, or check your registered NetBIOS name and the NetBIOS scope
    assigned to your computer, if any.
    Whereas NETSTAT deals with all the connections between your system and other
    computers, NBTSTAT deals only with the NetBIOS connections. NBTSTAT also enables
    you to verify that name resolution is taking place by providing a method to view the
    name cache.
    NETSTAT
    NETSTAT is a command-line utility that enables you to check the status of current IP
    connections. Executing NETSTAT without switches displays protocol statistics and
    current TCP/IP connections.
    After determining that your base-level communications are working, you need to
    verify the services on your system. This involves looking at the services that are
    listening for incoming traffic and/or verifying that you are creating a session with a
    remote station. The NETSTAT command allows you to do this.
    NSLOOKUP
    NSLOOKUP is a command-line utility that enables you to verify entries on a DNS
    server. You can use NSLOOKUP in two modes: interactive and non-interactive. To
    look up only a single piece of data, use non-interactive mode. To make another
    query, you must type another non-interactive command. If you want to look up more
    than one piece of data, use interactive mode.
    One of the key issues regarding the use of TCP/IP is the ability to resolve a host
    name to an IP address--an action typically performed by a DNS server.
    PING
    The PING command, one of the most useful commands in the TCP/IP protocol suite,
    sends a series of ICMP Echo Request packets to another system, which in turn sends
    back Echo Replies. This utility can be extremely useful for troubleshooting
    problems with remote hosts. The PING command indicates whether the host can be
    reached and how long it took for the host to send a return packet. On a local area
    network, the time is usually reported as less than 10 milliseconds. Across wide
    area network links, however, this value can be much greater. Bear in mind that a
    host or firewall configured to drop ICMP will not answer, so a failed ping proves
    only that no reply came back, not that the host is down.
    ROUTE
    The ROUTE command-line utility enables you to see the local routing table and add
    entries to it. Occasionally, it is necessary to see how a system will route packets on
    the network. Normally, your system will simply send all packets to the default
    gateway. However, sometimes (such as when you are having problems
    communicating with a group of computers) ROUTE can provide an answer.
    TELNET
    The TELNET utility turns your workstation into a plain terminal and establishes a
    session with a remote host. Everything in that session, the password included,
    crosses the network in cleartext, so treat it as a diagnostic tool (for example,
    confirming that a service answers on a port), not as a channel for administration.
    TRACERT
    TRACERT
    is a command-line utility that enables you to verify the route to a remote
    host. Execute the command TRACERT hostname, where hostname is the computer
    name or IP address of the computer whose route you want to trace. TRACERT
    returns the different IP addresses the packet was routed through to reach the final
    destination. The results also include the number of hops needed to reach the
    destination. If you execute the TRACERT command without any options, you will see
    a help file that describes all the TRACERT switches.
    The TRACERT utility determines the intermediary steps involved in communicating
    with another IP host. It provides a roadmap of all the routing an IP packet takes to
    get from host A to host B.
    As with the PING command, TRACERT returns the amount of time required for each
    routing hop.
    Troubleshooting Summary
    As a general rule, the tools in this section can be broken into the following categories
    (and are presented in the order they are most likely to be used per task):
    Troubleshooting Only      Application
    IPCONFIG                  FTP
    PING                      TELNET
    TRACERT                   TFTP
    NETSTAT
    ARP
    Event Viewer
    ROUTE
    NBTSTAT
    HOSTNAME
    Microsoft recommends that you approach a possible connectivity problem by taking
    the following steps:
    1. Run IPCONFIG to verify that there is a valid IP address (whether it's manually
    configured or supplied by DHCP).
    2. Ping the loopback address (127.0.0.1). This will verify that the TCP/IP stack is
    functioning properly but will not go out across the wire.
    3. Ping your own IP address. A success should show that duplicate addresses are
    not a problem.
    4. Ping the default gateway.
    5. Ping a remote host.
    If all these steps are completed successfully, the problem lies in something other
    than the TCP/IP protocol and connectivity.
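    The value of the five steps is their order: the first one that fails tells you
    which layer to look at. The Python below is an added example, not part of the
    course, that encodes that ladder as a function. It takes a `probe` callable so the
    reader can plug in a real ping; the table-driven probe and the addresses used here
    are constructed for the example, and the check for a 169.254.x.x address is an
    addition based on Windows 2000 falling back to an autoconfiguration address when
    no DHCP server answers.

```python
"""Microsoft's five-step connectivity ladder as a diagnostic function (added example)."""

LOOPBACK = "127.0.0.1"


def diagnose(cfg, probe):
    """cfg: dict with the values IPCONFIG reports ('ip', 'gateway') and an optional
    'remote' host to test.  probe(addr) -> True if an echo reply came back.
    Returns (failed_step, explanation); step 0 means every step passed."""
    ip = cfg.get("ip") or ""
    # Step 1: a valid address at all?
    if not ip or ip == "0.0.0.0":
        return 1, "no IP address: check the DHCP server or the manual configuration"
    if ip.startswith("169.254."):
        return 1, "autoconfiguration address (169.254.x.x): the DHCP server was not reachable"
    # Step 2: loopback never leaves the machine, so a failure is the stack itself.
    if not probe(LOOPBACK):
        return 2, "TCP/IP stack is not working: repair or reinstall the protocol"
    # Step 3: our own address.
    if not probe(ip):
        return 3, "own address does not answer: adapter binding, driver or duplicate IP"
    # Step 4: the router on the local segment (skipped when none is configured).
    gw = cfg.get("gateway")
    if gw and not probe(gw):
        return 4, "default gateway unreachable: cabling, the local segment or the router"
    # Step 5: something on the far side of the router.
    remote = cfg.get("remote")
    if remote and not probe(remote):
        return 5, "remote host unreachable: routing beyond the gateway, or the host itself (or a filter) drops ICMP"
    return 0, "TCP/IP connectivity is fine; look above it (name resolution, the application, permissions)"


def table_probe(reachable):
    """Stand-in for a real ping: answers True for addresses in `reachable`.
    Replace with a function that runs PING and checks for a reply."""
    return lambda addr: addr in reachable


if __name__ == "__main__":
    cfg = {"ip": "192.14.200.4", "gateway": "192.14.200.1", "remote": "192.14.201.9"}
    for answered in ({"127.0.0.1", "192.14.200.4", "192.14.200.1", "192.14.201.9"},
                     {"127.0.0.1", "192.14.200.4", "192.14.200.1"},
                     {"127.0.0.1", "192.14.200.4"},
                     {"127.0.0.1"},
                     set()):
        print(diagnose(cfg, table_probe(answered)))
```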
    2.2 - Configuring and Troubleshooting TCP/IP on Servers and Client Computers
    With the release of Windows 2000, TCP/IP has become the required networking
    protocol to use in the creation of your network. In previous versions, it was the
    default choice from among three possibilities -with NWLink (IPX/SPX-compatible)
    and NetBEUI being the other two - but it could always be deselected and not used.
    With Windows 2000, you can install any other protocol you want, but you must
    install TCP/IP; the check box for it cannot be deselected during installation and
    configuration. Much of the necessity of having TCP/IP installed is based on Active
    Directory and its use of DNS.
    Configuring Windows 2000 Professional as a TCP/IP Client
    Supported by most computer operating systems, TCP/IP is the protocol required for
    connectivity to the Internet. There are two methods by which you can configure
    TCP/IP information. The first method is to do it manually. Manual configuration, as
    the name implies, requires you to walk to each machine separately and enter the key
    pieces of information. The problem with this method is that it is very time consuming
    and leaves a great deal of room for error.
    The alternative to manual configuration is to use a DHCP server, which issues
    configuration information to clients when they need it (and is the focus of objective
    2.3).
    When you manually configure a computer as a TCP/IP host, you must enter the
    appropriate settings, which are required for connectivity with your network. To reach
    the configuration tabs, choose the Network and Dial-Up Connections applet from the
    Control Panel, right-click on the network in question (typically named Local Area
    Connection), then choose Properties from the pop-up menu. On the General tab
    (shown in the following figure), select Internet Protocol (TCP/IP) and click the
    Properties button.

    The TCP/IP protocol appears on the General tab of the network connection's
    properties.

    Clicking the Properties button for the protocol lets you access the configuration
    screen shown in the next figure.

    From the General tab of the protocol's Properties dialog box, you can obtain an IP
    address automatically by using DHCP, or you can manually enter values.
    Here, you configure the following network settings (the first two of which are
    required):
    · IP Address. A logical 32-bit address used to identify a TCP/IP host. Each
    network adapter configured for TCP/IP must have a unique IP address, such
    as 192.14.200.4. The first octet of a host address ranges from 1 to 223 (classes
    A through C) and the remaining octets from 0 to 255; 127 cannot be used in the
    first octet because that network is reserved for loopback. Familiarity with this
    topic is required for the 70-215 (Server) exam, which must also be taken for MCSA
    certification.
    · Subnet Mask. A subnet is a division of a larger network environment,
    typically connected by routers. Whenever a TCP/IP host tries to communicate
    with another TCP/IP host, the subnet mask is used to determine whether the
    other TCP/IP host is on the same network or a different network. If the other
    TCP/IP host is on a different network, the message must be sent via a router
    that connects to the other network. A typical subnet mask is 255.255.255.0.
    All computers on a given subnet must have the same subnet mask value.
    · Default Gateway (Router). This optional setting is the address of the
    router. The router controls communication with all other subnets. If the
    router's address is not specified, this TCP/IP host can communicate only with
    other TCP/IP hosts on its subnet.
    NOTE: Leave the Default Gateway box blank on a dial-up connection to an Internet
    Service Provider (ISP); the gateway is assigned by the ISP when the connection
    comes up.
    · Domain Name System (DNS) Server Address. DNS is an industry
    standard distributed database that provides name resolution and a
    hierarchical naming system for identifying TCP/IP hosts on the Internet and
    on private networks. It is the focus of objective 2.4.
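    The subnet mask decision described above (same network: deliver directly;
    different network: hand the packet to the default gateway) is a bitwise AND on
    the two addresses. The Python below is an added example, not part of the course,
    that carries it out together with the address rules from the IP Address bullet
    (first octet 1 to 223 and not 127) and a check that a mask is contiguous; it goes
    beyond the classful /24 in the text by also handling a /27 mask. The addresses are
    constructed for the example.

```python
"""Same-subnet and next-hop decisions from an IP address and mask (added example)."""


def ip_to_int(addr):
    """Dotted quad -> 32-bit integer; rejects anything that is not four octets 0-255."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def is_valid_host_address(addr):
    """First octet 1-223 (classes A through C), not 127 (loopback)."""
    try:
        first = ip_to_int(addr) >> 24
    except ValueError:
        return False
    return 1 <= first <= 223 and first != 127


def is_valid_mask(mask):
    """A mask must be a run of ones followed by a run of zeros (e.g. 255.255.255.224),
    so the inverted mask plus one must be a power of two."""
    inverted = (~ip_to_int(mask)) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def same_subnet(a, b, mask):
    """The test a host performs before sending: do both addresses share the network
    part selected by the mask?"""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask: {mask}")
    m = ip_to_int(mask)
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)


def next_hop(src, dst, mask, gateway=None):
    """Where the packet goes: straight to dst when on the same subnet, otherwise to the
    default gateway; None means the host has nowhere to send it."""
    if same_subnet(src, dst, mask):
        return dst
    return gateway


if __name__ == "__main__":
    me, mask, gw = "192.14.200.4", "255.255.255.0", "192.14.200.1"
    for target in ("192.14.200.77", "192.14.201.9"):
        print(target, "->", next_hop(me, target, mask, gw))
    print("10.0.0.30 and 10.0.0.33 on a /27:", same_subnet("10.0.0.30", "10.0.0.33", "255.255.255.224"))
```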
    2.3 - Configuring, Administering, and Troubleshooting DHCP on Servers and Client
    Computers
    Client Perspective
    Configuring TCP/IP manually involves a lot of administrative work and is not very
    efficient. One way to avoid the possible problems of administrative overhead and
    incorrect settings for the TCP/IP protocol is to set up your network so that all your
    clients receive their TCP/IP configuration information automatically through Dynamic
    Host Configuration Protocol (DHCP) servers.
    DHCP automatically centralizes and manages the allocation of the TCP/IP settings
    required for proper network functionality for computers that have been configured as
    DHCP clients. TCP/IP settings that the DHCP client receives from the DHCP server are
    only leased to it and must periodically be renewed. This lease-and-renewal sequence
    enables a network administrator to change client TCP/IP settings, if necessary.
    To configure a computer as a DHCP client, all you must do is select the Obtain an IP
    Address Automatically option on the General tab of the TCP/IP properties box. If you
    are moving to DHCP after having used manual configuration, you must first empty
    the manual fields; otherwise, the information in them could override the DHCP
    entries.
    To determine the network settings that a DHCP server has leased to your computer,
    type the following command at a command prompt:
    IPCONFIG /all
    The following is sample output from the IPCONFIG program:
    C:\>ipconfig /all
    Windows 2000 IP Configuration
    Host Name . . . . . . . . . : TEST1
    DNS Servers . . . . . . . . : 192.14.200.4
    Node Type . . . . . . . . . : Hybrid
    NetBIOS Scope ID. . . . . . :
    IP Routing Enabled. . . . . : No
    WINS Proxy Enabled. . . . . : No
    NetBIOS Resolution Uses DNS : No
    Ethernet adapter CE31:
    Description . . . . . . . . : Xircom CE3 10/100 Ethernet Adapter
    Physical Address. . . . . . : 00-10-45-81-5A-96
    DHCP Enabled. . . . . . . . : Yes
    IP Address. . . . . . . . . : 192.200.14.2
    Subnet Mask . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . : 192.200.14.1
    DHCP Server . . . . . . . . : 192.200.14.16
    Primary WINS Server . . . . : 192.200.14.16
    Lease Obtained. . . . . . . : Wednesday, December 01, 1999 12:31:29 PM
    Lease Expires . . . . . . . : Thursday, December 02, 1999 6:31:29 PM
    Note that IPCONFIG (with the /ALL parameter) also gives you full details on the
    duration of your current lease. You can verify whether a DHCP client has connectivity
    to a DHCP server by releasing the client's IP address and then attempting to lease an
    IP address. You can conduct this test by typing the following sequence of commands
    from the DHCP client at a command prompt:
    IPCONFIG /release
    IPCONFIG /renew
    NOTE: On Windows 95/98 machines, the same information is available from a graphical
    utility: choose Start, Run and type WINIPCFG. Click the More Info button to see the
    full set of fields.
    Server Perspective
    From the perspective of a server, the DHCP service must be installed, configured,
    and authorized before it can be utilized. Installation is done via the Add/Remove
    Programs applet and the Windows Components wizard on a machine that has a static
    IP address assigned to it. If you are using Active Directory, then the server on which
    DHCP is to be installed must be a domain controller or domain member server.
    Within the wizard, choose Networking Services, as shown in the following figure:

    The first step of adding DHCP to a server is to select Networking Services on the
    Windows Components wizard.

    Click the Details... button and choose Dynamic Host Configuration Protocol (DHCP),
    as shown below, and then click OK.

    Next, select Dynamic Host Configuration Protocol (DHCP), then provide a range of IP
    addresses for the server to issue to DHCP clients.

    For configuration, you must provide the server with a scope (a range of IP addresses
    that it can issue). For authorization, right-click the server within the DHCP
    console and choose Authorize. This adds the server to the list of authorized DHCP
    servers maintained within Active Directory; a Windows 2000 DHCP server that is not
    on that list will not lease addresses.
    Unauthorized DHCP servers are detected within Windows 2000 by examining the
    DHCPINFORM message sent by the DHCP server when the service starts. This, as
    well as a more detailed look at the authorization process, is explained in detail at
    http://www.microsoft.com/windows2000/en/server/help/default.asp?url=windows2000/en/server/help/sag_DHCP_imp_AuthorizingServers.htm.
    NOTE: In small Windows 2000 networks that lack a server, the Internet Connection
    Sharing service can be used. This service acts as a DHCP server as well as a
    Proxy/NAT server. Information on enabling it can be found at
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q237254.
    2.4 - Configure, Administer, and Troubleshoot DNS
    Client Perspective
    A DNS address must be specified to enable connectivity with the Internet or with
    UNIX TCP/IP hosts. You can specify more than one DNS address and the search
    parameters that specify the order in which they should be used. The following figure
    shows an example of the DNS configuration tab that appears when you click the
    Advanced button on the General tab.


    Configuring DNS on the client side.
    The DNS configuration tab allows you to specify search order, suffixes, and other
    parameters.
    Server Perspective
    The process of installing a DNS server is identical to that of installing a DHCP server,
    with the exception of the service you choose, as shown in the following figure:


    Installing a DNS server.
    Configuring the server is detailed at
    http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/sag_DNS_pro_ConfigServerForDS.htm.
    The checklist for integrating it with Active Directory is located at
    http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/hep/sag_DNSchecklist_ds.htm.
    NOTE: On a very small network, you can use a static file named HOSTS to translate
    host names to IP addresses in place of DNS.
    2.5 - Troubleshooting Name Resolution on Client Computers
    Name resolution entails translating text names to addresses. This can be done in any
    of four ways:
    · On a very small network that only uses Windows-based hosts, you can use a
    static file named LMHOSTS to translate NetBIOS names to IP addresses in
    place of WINS.
    · On a very small TCP/IP network employing any type of hosts (UNIX, Linux,
    Windows, etc.), you can use HOSTS files - text files that map host names to
    IP addresses.
    · Employ DNS, as discussed in objective 2.4.
    · Employ Windows Internet Name Service (WINS). Computers use IP addresses
    to identify one another. Users, however, generally find it easier to use other
    means, such as computer names. Therefore, some method must be used to
    provide name resolution--the process by which references to computer names
    are converted into the appropriate IP addresses. WINS provides name
    resolution for Microsoft networks. If your network uses WINS for name
    resolution, your computer needs to be configured with the IP address of a
    WINS server. (The IP address of a secondary WINS server can also be
    specified.) The following figure shows an example of the WINS address
    configuration tab.

    The WINS address configuration tab enables you to specify a server to resolve
    NetBIOS names to IP addresses.

    As stated earlier, name resolution is merely the process of translating user-friendly
    computer names to IP addresses. If the settings for the TCP/IP protocol are specified
    incorrectly, you will experience problems that keep your computer from establishing
    communications with other TCP/IP hosts in your network. In extreme cases,
    communications on your entire subnet can be disrupted.

    NOTE #1: Although host names (and thus DNS) are understood on all operating
    systems running TCP/IP, NetBIOS names (and thus WINS) are understood only in the
    world of Microsoft operating systems. Eventually, WINS will be completely phased
    out in favor of DNS.

    Both DNS and WINS are services: They can run only on a server (as in Windows
    2000 Server). Configuration of the service and server is covered on the Windows
    2000 Server exam.
    NOTE #2: The Import LMHOSTS button allows WINS to convert your static file to the
    WINS service.

    Chapter 3
    Managing, Securing, and Troubleshooting Servers
    and Client Computers
    3.1 - Installing and Configuring Server and Client Computer
    Hardware
    The key to this objective is to know that hardware should be verified as being on the
    Hardware Compatibility List (HCL) before being installed. If it is on the list,
    installation should be easily accomplished via the Add/Remove Hardware applet. The
    following sections discuss some of the other issues that you should be aware of.
    Driver Signing
    When Microsoft released Windows 95, they wanted to make sure that vendors who
    wrote programs and applications for it followed a specific set of rules. To enforce this,
    they came up with the following plan: Any vendor who plays properly is granted
    permission to use a logo on their product to signify that it works properly. Those who
    chose not to follow the rules do not get permission to use the logo. (It cannot be
    verified that their programs won't harm other applications, interfere with system
    services, and so on.)
    After a while, Microsoft decided to use a different approach, because they feared the
    granting/denying of the logo might not be significant enough. With Windows 2000, a
    vendor of a third-party product is encouraged to submit the drivers and operating
    system files (.dll, .exe, .fon, .ocx, .ttf, .sys) to Microsoft. If Microsoft can verify that
    the files do not behave erratically or cause system problems or identifiable failures,
    Microsoft signs the file digitally.
    When an administrator or user attempts to install a new component, the system
    automatically looks for the signature. If it does not find a signature, a dialog box
    appears, prompting the user to decide whether he or she wants to continue (see the
    following figure).


    By default, an unsigned driver triggers a dialog box that alerts you to the fact that
    you're on your own.

    In essence, this dialog box tells you that Microsoft has not verified the software and
    that it might cause problems. If you continue, you do so at your own risk. In
    addition, if you do continue, a warning message is written to the System log that can
    be viewed with Event Viewer, as shown in the following figure:


    When you accept an unsigned driver, the System log records a warning entry
    showing all files that are being added.
    NOTE: By default, a system always looks for a driver signature; this feature is
    known as System File Protection. The driver signature is ignored only when the user
    is using one of the following programs:
    Hotfix.exe
    Update.exe
    Windows Update
    Winnt32.exe
    These files are needed to install/repair all or portions of the operating system; thus,
    the driver signature is ignored for them.
    You can change the default actions that occur when a system encounters unsigned
    files. To do so, follow these steps:
    1. From Start, Settings, Control Panel, choose the System applet.
    2. From the five tabs that appear in the System Properties window, choose
    Hardware.
    3. Beneath the Device Manager frame, choose the Driver Signing button.
    4. You can choose from three options to indicate what should occur when the
    system encounters an unsigned file: Ignore, Warn, and Block (see the
    following figure).


    You can configure the system to block, ignore, or install unsigned drivers.
    5. After making your selection, you can check the box to apply the setting to all
    the system. (This option is available only if you are a member of the
    Administrators group.) Then click the OK button.
    6. Click OK again to exit the System applet.
    Two command-line utilities can be used with driver signatures:
    · SIGVERIF.EXE (File Signature Verification)
    · SFC.EXE (System File Checker)
    File Signature Verification
    SIGVERIF.EXE looks for files that are not digitally signed. You can also customize the
    verification options. By default, signature verification search results go to the log file
    SIGVERIF.TXT, and you are notified when unsigned files are found during searches.
    Information on an unsigned file that can be seen includes the name, version,
    location, type, and modification date. The following figure shows an example of a
    file's Signature Verification Results screen.


    Unsigned drivers are listed in the file's Signature Verification Results screen.
    The Signature Verification Results screen shows only the unsigned drivers. If you
    view the log file, you will see the status of all files checked and related information.
    System File Checker
    The purpose of this utility is to keep the operating system itself alive and well.
    SFC.EXE is used to automatically verify system files after a reboot to see if they were
    changed to unprotected copies. If an unprotected file is found, it is overwritten by a
    stored copy of the system file from %systemroot%\system32\dllcache.
    (%systemroot% is the folder into which the operating system was installed.)
    NOTE: Storing system files (some of which can be quite large) in two locations
    consumes a large amount of disk space. When you install Windows 2000
    Professional, make sure you leave ample hard drive space on the %systemroot%
    drive for growth.
    Only users with the Administrator group permissions can run SFC.EXE. It also
    requires the use of a parameter. The valid parameters are as follows:
    Parameter       Function
    /CACHESIZE=     Sets the size of the file cache
    /CANCEL         Stops all checks
    /ENABLE         Returns to normal mode
    /PURGECACHE     Clears the cache
    /QUIET          Replaces files without prompting
    /SCANBOOT       Checks system files on every boot
    /SCANNOW        Checks system files now
    /SCANONCE       Checks system files at next boot

    Updating Drivers
    Hardware devices use drivers to communicate. With the release of new sets of files,
    you can change drivers, fix related problems, or add functionality. Windows 2000
    offers the ability to update device drivers in a very simple manner. To do so, follow
    these steps:
    1. Bring up the properties for the device (accessible through Device Manager,
    Control Panel applets, and so on).
    2. Access the Driver tab of the device's Properties dialog box.
    3. Click the Update Driver command button. This starts the Upgrade Device
    Driver Wizard.
    4. You can either search for a suitable driver or choose the driver you want from
    a list of known drivers. Searching is the recommended method. You can
    search a specified location, CD, floppy, or (occasionally) through Microsoft
    Windows Update.
    5. Finish working through the wizard dialog boxes to complete the update.
    Windows Update (mentioned in step 4 and objective 3.4) requires a connection to
    the Internet and provides a single point of reference for all operating system-related
    updates and additional features. The choice to initialize the update appears on the
    Start menu.
    3.2 - Troubleshooting Starting Servers and Client Computers
    There are three topics to be aware of for this objective: Safe Mode, the Recovery
    Console, and "parallel installations." We'll look at each of these in turn.
    Safe Mode
    If, when you boot, Windows 2000 will not come all the way up (it hangs or is
    otherwise corrupt), you can often solve the problem by booting into Safe Mode. Safe
    Mode is a concept borrowed from Windows 95 wherein you can bring up a part of the
    operating system by bypassing the settings, drivers, or parameters that may be
    causing trouble during a normal boot. The goal of Safe Mode is to provide an
    interface with which you are able to fix the problems that occur during a normal boot
    and then reboot in normal mode.
    To access Safe Mode, press F8 when the operating system menu is displayed during
    the boot process. The Windows 2000 Advanced Options menu of Safe Mode choices
    appears, as listed in the following table. Select the mode into which you want to
    boot.
    Option                            Description
    Safe Mode                         Loads VGA monitor, Microsoft mouse drivers, and basic
                                      drivers for keyboard (storage system services, no
                                      networking). Programs in the Startup Program group are
                                      not started.
    Safe Mode with Networking         Same as Safe Mode only with networking (which allows
                                      Group Policy to be implemented).
    Safe Mode with Command Prompt     Same as Safe Mode only without the interface and the
                                      drivers/services associated with it.
    Enable Boot Logging               Creates NTBTLOG.TXT in the root directory during any
                                      boot. After choosing this, a normal boot is attempted.
    Enable VGA Mode                   Normal boot with only basic video drivers.
    Last Known Good Configuration     Uses the last backup of the Registry to bypass
                                      corruption caused during the previous session.
    Directory Services Restore Mode   Only an available option on domain controllers.
    Debugging Mode                    Sends information through the serial port for
                                      interpretation/troubleshooting at another computer.
    Boot Normally                     Bypasses any of the options here.
    Return to OS Choices Menu         Gives you an out in case you pressed F8 by accident
                                      (you can also press Esc to exit from Safe Mode).
    Keep the following rules in mind when booting in different modes:
    · If problems don't exist when you boot to Safe Mode but do exist when you
    boot to normal mode, the problem is not with basic services/drivers.
    · If the system hangs when you load drivers, the log file can show you the last
    driver it attempted to load, which is usually the cause of the problem.
    · If you can't solve the problem with Safe Mode, restore the Registry from the
    emergency repair disk to a state known to be good. Bear in mind that doing
    so will lose all changes that have occurred since the last ERD was made.
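    The second rule above depends on reading the boot log that Enable Boot Logging writes. The following Python script is an added example, not part of the course material: it parses a constructed NTBTLOG.TXT sample (modelled on the "Loaded driver" / "Did not load driver" line format; the driver names are invented) and reports the last driver that loaded, how many loaded, and any the kernel reported as not loaded.

```python
"""Summarize a Windows 2000 boot log (NTBTLOG.TXT) written by the Enable Boot Logging option.

Added example, not from the course. SAMPLE_NTBTLOG is constructed to match the
"Loaded driver" / "Did not load driver" line format; the driver names are invented.
"""
from typing import Dict, List

LOADED = "Loaded driver "
NOT_LOADED = "Did not load driver "

# Constructed sample log (not a real capture).
SAMPLE_NTBTLOG = """\
Microsoft (R) Windows 2000 (R) Version 5.0 (Build 2195)
 4 15 2002 08:12:03.500
Loaded driver \\WINNT\\System32\\ntoskrnl.exe
Loaded driver \\WINNT\\System32\\hal.dll
Loaded driver \\WINNT\\System32\\Drivers\\atapi.sys
Did not load driver \\WINNT\\System32\\Drivers\\oldscsi.sys
Loaded driver \\WINNT\\System32\\Drivers\\Ntfs.sys
Loaded driver \\WINNT\\System32\\Drivers\\example.sys
"""


def summarize_boot_log(text: str) -> Dict[str, object]:
    """Return the count of loaded drivers, the last one that loaded, and any that failed.

    On a boot that hung, the last entry written is the last driver the system
    attempted, which (as the rule above says) is usually where the problem lies.
    """
    loaded: List[str] = []
    failed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(LOADED):
            loaded.append(line[len(LOADED):])
        elif line.startswith(NOT_LOADED):
            failed.append(line[len(NOT_LOADED):])
    return {
        "loaded_count": len(loaded),
        "last_loaded": loaded[-1] if loaded else None,
        "failed": failed,
    }


def summarize_boot_log_file(path: str) -> Dict[str, object]:
    """Read NTBTLOG.TXT from disk; it may be ANSI or Unicode, so decode leniently."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("latin-1")
    return summarize_boot_log(text)


if __name__ == "__main__":
    print(summarize_boot_log(SAMPLE_NTBTLOG))
```

    Run it against the real file with summarize_boot_log_file(r"C:\NTBTLOG.TXT") after a logged boot; the "failed" list is what to compare against a known-good boot of the same machine.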
    Recovery Console
    The Recovery Console is a command-line utility used for troubleshooting. From it,
    you can format drives, stop and start services, and interact with files. The latter is
    extremely important because many boot/command-line utilities bring you to a
    position in which you can interact with files stored on FAT or FAT32, but not NTFS.
    The Recovery Console can work with files stored on all three of the file systems.

    The Recovery Console is not installed on a system by default. To install it, complete
    the following steps:
    1. Place the Windows 2000 Professional CD in the system.
    2. From a command prompt, change to the i386 directory of the CD.
    3. Type winnt32 /cmdcons.
    4. A prompt appears, alerting you to the fact that 7MB of hard drive space is
    required and asking if you want to continue. Click Yes. This only works if your
    computer does not have a mirrored volume (if it does, you have to break the
    mirror first, install RC, and then re-establish the mirrored volume.)
    Upon successful completion of the installation, the Recovery Console (Microsoft
    Windows 2000 Recovery Console) is added as a menu choice at the bottom of the
    startup menu. To access it, you must choose it from the list at startup. If more than
    one installation of Windows 2000 or Windows NT exists on the system, another boot
    menu will appear, asking which you want to boot into. You must make a selection to
    continue.
    To perform this task, you must give the administrator password. You will then arrive
    at a command prompt. You can give a number of commands from this prompt, two
    of which are worth special attention: EXIT restarts the computer, and HELP lists the
    commands you can give. The following table lists the other commands available,
    most of which should be familiar to administrators who have worked with MS-DOS.
    Recovery Console Commands
    Command      Purpose
    ATTRIB       Shows the current attributes of a file or folder, and lets you
                 change them.
    BATCH        Runs the commands within an ASCII text file.
    CD           Used without parameters, it shows the current directory. Used
                 with parameters, it changes to the directory specified.
    CHDIR        Works the same as CD.
    CHKDSK       Checks the disk for errors.
    CLS          Clears the screen.
    COPY         Copies a file (or files) from one location to another.
    DEL          Deletes a file.
    DELTREE      Recursively deletes files and directories.
    DIR          Shows the contents of the current directory.
    DISABLE      Stops a service/driver.
    DISKPART     Shows the partitions on the drive and lets you manage them.
    ENABLE       Starts a service/driver.
    EXPAND       Extracts compressed files.
    FIXBOOT      Writes a new boot sector.
    FIXMBR       Checks and fixes (if possible) the master boot record (MBR).
    FORMAT       Formats a floppy or partition.
    LISTSVC      Shows the services/drivers on the system, and is used in
                 conjunction with ENABLE/DISABLE.
    LOGON        Lets you log on to Windows 2000.
    MAP          Shows the maps currently created.
    MD           Makes a new folder/directory.
    MKDIR        Works the same as MD.
    MORE         Shows only one screen of a text file at a time.
    RD           Removes a directory or folder.
    REN          Renames a file or folder.
    RENAME       Works the same as REN.
    RMDIR        Works the same as RD.
    SET          Shows the Recovery Console environment variables.
    SYSTEMROOT   Works like the CD command but takes you to the system root of
                 whichever OS installation you are logged on to.
    TYPE         Displays the contents of an ASCII text file.
    During the installation of the Recovery Console, a folder named Cmdcons is created
    in the root directory to hold the executable files and drivers it needs. A file named
    Cmldr, with attributes of System, Hidden, and Read-Only, is also placed in the root
    directory.
    If you want to delete the Recovery Console (to prevent users from playing around,
    for example), you can do so by deleting the Cmldr file and the Cmdcons folder, and
    removing the entry from the BOOT.INI file.
    Parallel Installations
    Simply put, a "parallel installation" is any machine that has two versions of the
    operating system loaded on it. Not only do you install Windows 2000 once on the
    machine, but you install it a second time as well--in a directory other than the
    default of C:\WINNT. The choice of which copy of the OS to start appears in the boot
    menu (courtesy of the BOOT.INI file), so if your primary installation goes bad, you
    can always choose the second copy and still be able to access all of your files and
    data.
    The Microsoft Knowledge Base article Q266465 explains parallel installations specific
    to Windows 2000. It can be found at
    http://support.microsoft.com/support/kb/articles/q266/4/65.asp.
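    Both a parallel installation and the Recovery Console show up as entries in BOOT.INI, so one way to audit a machine is to parse that file. The Python below is an added example, not from the course or from Microsoft: it parses a constructed BOOT.INI in the Windows 2000 format, lists the installations offered in the boot menu, identifies the Recovery Console entry by its /cmdcons switch, and produces the file contents with that entry removed, which is the BOOT.INI edit described under Recovery Console above. The ARC paths, menu titles and the /MAXMEM switch on the second entry are made-up sample values.

```python
"""Inspect a Windows 2000 BOOT.INI: list installations, find the Recovery Console
entry, and produce the file with that entry removed.

Added example, not from the course. SAMPLE_BOOT_INI is constructed in the BOOT.INI
format; the paths, titles and the /MAXMEM switch on the second entry are invented.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Microsoft Windows 2000 Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINNT2="Windows 2000 Professional (parallel)" /fastdetect /MAXMEM=128
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows 2000 Recovery Console" /cmdcons
"""

# An [operating systems] line has the shape: <ARC path or file>="<menu title>" [switches...]
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<title>[^"]*)"(?P<switches>.*)$')


class BootEntry(NamedTuple):
    path: str            # ARC path (multi(0)disk(0)...) or a boot-sector file
    title: str           # text shown in the startup menu
    switches: List[str]  # e.g. /fastdetect, /cmdcons, /MAXMEM=...


def parse_boot_ini(text: str) -> Tuple[Optional[str], List[BootEntry]]:
    """Return the default boot path and the [operating systems] entries in menu order."""
    section = None
    default: Optional[str] = None
    entries: List[BootEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "default":
                default = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if m:
                entries.append(BootEntry(m.group("path"), m.group("title"),
                                         m.group("switches").split()))
    return default, entries


def is_recovery_console(entry: BootEntry) -> bool:
    """The Recovery Console entry is the one carrying the /cmdcons switch."""
    return any(s.lower() == "/cmdcons" for s in entry.switches)


def without_recovery_console(text: str) -> str:
    """Return the BOOT.INI text with the Recovery Console entry dropped; every other
    line (including comments and the [boot loader] section) passes through unchanged."""
    kept = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m and any(s.lower() == "/cmdcons" for s in m.group("switches").split()):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    default, entries = parse_boot_ini(SAMPLE_BOOT_INI)
    print("default:", default)
    for e in entries:
        tag = " (Recovery Console)" if is_recovery_console(e) else ""
        print(f"{e.title}{tag}: {e.path} {' '.join(e.switches)}")
```

    Two installations with distinct ARC paths in the list are the parallel installation the text describes. BOOT.INI carries the System, Hidden and Read-Only attributes, so clear them (ATTRIB) before writing the trimmed text back.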
    3.3 - Monitoring and Troubleshooting Server Health and
    Performance

    Monitoring is often the precursor to optimizing; you must know the current status
    before you can take any significant action. Before you can optimize performance, you
    first must place it within a framework. First and foremost, optimal performance from
    a system is what you are always striving for. Optimal performance is attained when a
    system is running (processing, responding, and so on) as fast as it possibly can,
    given the resources available to it.
    Those "resources" are a combination of everything internal to the system (CPU, disk,
    and so on) and external determinants (such as network and modem). If you can
    point to any one item and say that it's holding up all the others, that one item is
    preventing the system from operating at optimal performance and is known as a
    bottleneck. Assume, for example, that a workstation is used to open and append
    lines to hundreds of document files or log files each day. If that workstation has
    128MB RAM, a Pentium III processor, and an ultra-slow IDE hard drive, it's
    reasonable to think that the hard drive is the bottleneck and files could be opened
    faster throughout the day (thus increasing productivity) if a faster hard drive were
    installed.
    The primary tool for gathering usage information in Windows 2000 is the
    Performance tool located in the Administrative Tools folder of Control Panel.
    NOTE: The Performance Monitor (which existed in previous versions of Windows NT)
    has become the Performance snap-in for MMC (Microsoft Management Console).
    The Performance tool is divided into the following two sections:
    · System Monitor. System Monitor enables you to gather real-time statistics
    about what the system is doing right now in chart format (the default),
    histogram format (similar to a bar chart), or report format.
    · Performance Logs and Alerts. Performance Logs and Alerts enables you to
    record data to create and compare with a baseline (to get a long-term look at
    how the system is operating) or send administrative alerts when thresholds
    are reached.
    NOTE: Even if you're an analyst, it does you no good to turn on Performance to
    monitor system activity when a problem is detected if you have no "normal" baseline
    of activity against which to measure the problem.

    A baseline is a history of performance over time and is used to compare against
    current activity. Using it, you can see if it is normal for your processor to be 80%
    utilized, or determine that it is a current abnormality, etc.
    System Monitor
    Within the System Monitor, the workstation is divided into a number of different
    objects. The number of objects depends on how the workstation is configured. As
    more items are added to the workstation, more objects become available in System
    Monitor. For example, if the workstation is running the NWLink protocol, a number of
    NWLink-related objects will be present. The following objects are normally found in
    System Monitor:
    · Browser
    · Cache
    · IP
    · LogicalDisk
    · Memory
    · Network Interface
    · Objects
    · Paging File
    · PhysicalDisk
    · Process
    · Processor
    · Redirector
    · Server
    · Server Work Queues
    · System
    · TCP
    · Telephony
    · Thread
    · UDP
    For each object, System Monitor has one or more counters--subsets of the overall
    object. Those counters may be one of two types: actual (a true number or an
    average) or a percentage (from 0 to 100). When looking at disk operations, for
    example, you can see how many reads are performed per second, which might be
    either a real number or the percent of time the disk is busy performing reads.

    When selecting counters, you want to avoid mixing and matching actual numbers
    and percentages in the same report or chart. Because the highest number a
    percentage counter can obtain is 100, and the highest number an actual counter can
    obtain is unlimited, the scale will be confusing.
    If the workstation has more than one like item, the multiples are known as
    instances. For example, if you want to look at disk activity, you would view the object
    called PhysicalDisk. A good counter to choose would be %Disk Read Time. If you
    have more than one physical disk in the system, choose the instance (disk) that you
    want to monitor. One of the instances that will always appear when there are
    multiples is _Total. The _Total instance provides an aggregate measurement of all
    instances for a full system view.
    The following figure shows the dialog box for the Explorer process (instance) that
    provides the percentage of processor time (counter) it utilizes. The figure that
    follows it shows the real-time chart of the Explorer process and the idle process.

    The System Monitor divides the system into objects, counters, and instances.


    The Chart view shows real-time statistics on system activity.
    Sessions can be saved (default format is .htm) and viewed later, and can be
    configured via the Properties options. The following six tabs offer properties options:
    · General. Enables you to configure which view you are looking at, the update
    interval (default is one second), and the appearance.
    · Source. Enables you to choose between current activity and logged files.
    · Data. Enables you to add and remove counters.
    · Graph. Enables you to add titles, grids, and scale numbers.
    · Colors. Enables you to select the colors you want to use.
    · Fonts. Enables you to add styles and effects.
    Performance Logs and Alerts
    As opposed to real-time monitoring, the Performance Logs and Alerts tool breaks into
    three sections:

    · Counter logs. Counter logs enable you to automatically or manually record
    data on system usage, which you can then view with System Monitor, a
    spreadsheet, or any other tool.
    · Trace logs. Trace logs are tied to events that are written when an activity
    (error) occurs.
    · Alerts. Alerts are messages sent when an administrator-defined threshold is
    reached (such as when the hard disk reaches 90% full).
    Most often, five areas tend to become bottlenecks: memory, processor, disk,
    network, and applications. The following sections examine each of these areas in
    detail.
    Memory
    Windows 2000 offers two types of memory: RAM and virtual memory. RAM is the
    physical (hardware) amount of memory installed by means of chips. Virtual memory
    can be comprised of RAM and the hard drive (paging file); it allows Windows 2000 to
    run more applications than it has physical RAM for. In an ideal situation, Windows
    2000 would have enough RAM for all the applications currently running with a small
    amount of space to use for file caching. In other words, you can seldom go wrong by
    adding RAM, because it can improve disk performance by allowing you to hold more
    files in RAM, which allows for quicker access than from the hard drive. However, this
    will increase performance only when Windows 2000 has memory that isn't being
    used by applications.
    You can use a couple of utilities to identify memory problems. The first is the
    Performance tool. The object to monitor is Memory, and the counters to watch
    include the following:
    · Committed Bytes. This counter shows how much memory (virtual and
    physical) is in use. If this number always exceeds the physical RAM by more
    than a few megabytes, you probably don't have sufficient RAM. As the
    counter's value increases, the system has to page memory in and out more
    frequently to keep the running applications in memory.
    · Pages/Sec. This counter indicates how many pages per second are being
    moved to and from memory to satisfy requests. This number should be less
    than 100; a higher value can indicate that the system is probably RAM-
    starved. The counter won't drop to 0 even on a system that has plenty of RAM
    because some activity must always occur.
    You can also gather memory statistics by using Task Manager. Right-click on the
    taskbar and choose Task Manager from the pop-up menu, or hold down Ctrl+Shift
    and press Esc. The Performance tab shows current utilization and a graph of recent
    history.
    The bar-graph icon that appears in the System Tray when Task Manager is running is
    an active link to the CPU Usage graph on the Performance tab and can be used to
    visually gauge CPU activity even when Task Manager is minimized.
    You can configure virtual memory parameters from the System applet in Control
    Panel. To access these settings, follow these steps:

    1. Double-click on the System Applet in Control Panel.
    2. Choose the Advanced tab.
    3. In the Performance frame, click on the Performance Options button. A small
    dialog box appears inside the Virtual memory frame, showing the total paging
    file size for all drives.
    4. Click on the Change button. The Virtual Memory dialog box appears.
    The initial paging file size is the amount of contiguous space claimed at each boot.
    The paging file is dynamic and can always grow. If it grows into noncontiguous
    space, however, performance can be greatly degraded. It is, therefore, preferable to
    have the initial size set to a number larger than you expect the file size to grow to. If
    the initial size is 48MB, and the amount currently used is 52MB, for example, the file
    is most likely noncontiguous, and performance is suffering.
    The recommended initial size is equal to RAM + (RAM/2). If the file reaches that
    maximum size, errors will occur because your system is unable to expand the paging
    file as needed. You can also choose to move the location of the paging file to another
    drive, or you can split it across multiple drives. Each option can be advantageous at
    times, as outlined here:
    · Moving the paging file to a drive not used by the system can increase
    response time because the system does not have to read OS files and the
    paging file from the same drive, and it can split the operations. This can be
    useful when RAM is limited.
    · Placing the paging file on more than one drive divides the amount of
    contiguous space needed across the array and reduces the amount needed on
    any one drive. For example, instead of requiring 200MB on the C: drive, the
    number can be dropped to 100MB if another 100MB is also stored on D:. This
    can be useful when hard drive free space is limited.
    You must reboot to activate the changes made to the initial size or location.
    NOTE: If the amount of RAM you want to allot to the operating system is less than
    what is installed in your system, you must use the /MAXMEM switch in the BOOT.INI
    file. The parameter would follow the operating system specification in the [operating
    systems] section.
    Processor
    The Processor object in the System Monitor tool has three primary counters:
    · % Processor Time. This counter measures the total amount of processor
    time used on non-idle (LOW priority) threads. This includes both application
    processing and operating system processing.
    · % User Time. This counter reports the total amount of processor time used
    in non-idle threads of user applications (not including system operations).

    · % Privileged Time. This counter measures the total amount of processor
    time used in non-idle threads of the operating system. The % Privileged Time
    plus the % User Time is the same as the % Processor Time.
    When you are trying to determine whether the processor is a bottleneck on a
    multiprocessor system, either chart every Processor instance or use the counters
    of the System object instead of the Processor object, because the System object
    summarizes all processors.
    As a rule of thumb, upgrade the processor if utilization consistently stays above
    80%. Brief, intermittent spikes to 100% are not a problem. If utilization never
    reaches 100%, the processor still has headroom, which indicates that the
    bottleneck is somewhere else.
    Disk
    The disk is as important a contributor to overall performance as any other
    component in the system, if not more so. Even a system with a fast processor and
    plenty of memory can be brought to its knees by a drive that performs poorly.
    Disk objects are divided into physical disks and logical disks. The PhysicalDisk
    object represents the actual hard disk, including all partitions on it; the
    LogicalDisk object represents the individual partitions (drive letters) on a
    physical disk. The two objects carry almost the same counters, and the five below
    are the ones to watch:
    · Avg. Disk Sec/Transfer. This counter shows the average amount of time
    needed for disk I/O to complete. You can use the counter with the Memory
    object's Pages/Sec counter to determine whether paging is excessive.
    · Current Disk Queue Length. The number of disk I/O requests waiting to be
    serviced at the moment of the sample; generally, it should be less than two.
    Because it is an instantaneous value, look for consistently high readings (or
    chart Avg. Disk Queue Length as well) before concluding that the disk is being
    overused or should be upgraded to a faster one.
    · Disk Bytes/Sec. This counter indicates the rate at which data is transferred
    during disk I/O. The higher the value, the more efficient the performance.
    · Avg. Disk Bytes/Transfer. This counter shows the average number of bytes
    of data that are transferred during disk I/O. As with Disk Bytes/Sec, the
    larger the value, the more efficient the disk transfer.
    · %Disk Time. This counter represents the amount of time spent servicing
    disk I/O requests or a measurement of how busy Windows 2000 believes the
    drive to be. A consistently high number indicates that the disk is used heavily.
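Applying the rules of thumb above to a counter log is easy to get wrong if you look at single samples. The following Python example, added here and not part of the course text, parses a constructed CSV export in the shape a Performance tool log can produce (the counter paths are the standard object\counter names, the readings are made up) and flags only sustained conditions: processor at or above 80% for several consecutive samples, a disk queue of two or more for consecutive samples, and a sanity check that % User Time plus % Privileged Time accounts for % Processor Time.

```python
"""Bottleneck checks over a counter log, following the rules of thumb in the text.

Added example, not from the course; the CSV layout and the readings are constructed.
"""

# Counter paths in the Windows object\counter form (assumed log column names).
CPU = r"\Processor(_Total)\% Processor Time"
USER = r"\Processor(_Total)\% User Time"
PRIV = r"\Processor(_Total)\% Privileged Time"
QUEUE = r"\PhysicalDisk(0 C:)\Current Disk Queue Length"

# Constructed sample: one reading every 15 seconds. The first five samples are a
# sustained CPU load; the two later 100% readings are isolated spikes.
SAMPLE_LOG = "\n".join([
    "time," + ",".join([CPU, USER, PRIV, QUEUE]),
    "00:00,95,60,35,1",
    "00:15,97,61,36,3",
    "00:30,92,55,37,2",
    "00:45,100,70,30,4",
    "01:00,88,50,38,3",
    "01:15,35,20,15,0",
    "01:30,100,80,20,1",
    "01:45,30,18,12,0",
])


def parse_log(text):
    """Parse a CSV counter log into a list of {column: value} dicts (values as floats)."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        fields = line.split(",")
        row = {"time": fields[0]}
        row.update((name, float(value)) for name, value in zip(header[1:], fields[1:]))
        rows.append(row)
    return rows


def sustained(values, threshold, window):
    """True if `window` consecutive samples are all >= threshold.

    Requiring consecutive samples separates a real bottleneck from a harmless
    spike: a single 100% reading on its own never trips the check.
    """
    run = 0
    for value in values:
        run = run + 1 if value >= threshold else 0
        if run >= window:
            return True
    return False


def cpu_bottleneck(rows, threshold=80.0, window=4):
    """Processor consistently above 80%, the text's upgrade threshold."""
    return sustained([r[CPU] for r in rows], threshold, window)


def disk_bottleneck(rows, max_queue=2.0, window=3):
    """Current Disk Queue Length at or above 2 for consecutive samples."""
    return sustained([r[QUEUE] for r in rows], max_queue, window)


def cpu_split_mismatches(rows, tolerance=1.0):
    """Sample times where % User + % Privileged does not add up to % Processor Time.

    The counters are sampled separately, so small rounding differences are
    normal; anything larger suggests the log columns do not belong together.
    """
    return [r["time"] for r in rows if abs(r[USER] + r[PRIV] - r[CPU]) > tolerance]


def report(text):
    """Summarize one log: the two bottleneck verdicts, the split check, and peak CPU."""
    rows = parse_log(text)
    return {
        "cpu_bottleneck": cpu_bottleneck(rows),
        "disk_bottleneck": disk_bottleneck(rows),
        "cpu_split_mismatches": cpu_split_mismatches(rows),
        "peak_cpu": max(r[CPU] for r in rows),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The window lengths are the tunable part: with samples every 15 seconds, a window of four is one minute of sustained load. Lengthen it for a busy file server whose bursts are normal, shorten it when you are hunting a short but repeated stall.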
    Network
    Network activity is one of the most difficult components of system activity to monitor
    and analyze. You can use certain network-related objects and counters to determine
    the performance of network-related processes on the computer itself. These include
    Server, Redirector, and entries for the protocols installed on the computer.
    As additional network services are installed (such as RAS, DHCP, and WINS), objects
    and counters relating to those services are added to the Performance tool. Protocol
    counters include Bytes Total/Sec, Datagrams/Sec, and Frames/Sec. In general, a
    high value is desired; it indicates a high rate of throughput for network activity.
    When values are too high, however, it can indicate excessive generation of traffic,
    such as excessive frames due to browser broadcasts.
    NOTE: TCP/IP counters are fully enabled only if the SNMP (Simple Network
    Management Protocol) service agent is installed on the computer.
    You can monitor the workstation service on a computer by charting Redirector object
    counters. One counter of interest is Redirector>Network Errors/Sec. This counter
    indicates the number of errors detected by the workstation service as it attempts to
    direct frames onto the network. The higher this number goes, the more serious the
    problem may be. Use Network Monitor to observe and detect network traffic as a
    whole, especially to and from this computer.
    Two other Redirector counters are Redirector>Reads Denied/Sec and
    Redirector>Writes Denied/Sec. If either number rises significantly, the server
    this computer is communicating with may be struggling with the volume of resource
    requests it receives. Monitor activity on that server to pinpoint the problem and
    find a solution.
    Application
    For every application that is run and every service that is loaded, a process is
    created--a process that can be monitored. Each process is considered an instance in
    this case, and for each Process object instance, several counters can be charted.
    One counter, %Processor Time, can be tracked for each process instance. It enables
    you to determine which specific process is driving the processor to higher-than-
    normal usage.
    Another useful process counter is Process>Working Set. This counter tracks the
    amount of RAM required by the process and can be used to help determine when
    additional RAM is necessary. For example, if paging appears to be excessive, you
    might monitor the working sets of the processes suspected of causing the increased
    paging.
    Task Manager
    As previously mentioned, Task Manager is one of the most overlooked utilities of
    Windows 2000. It does not appear anywhere on the Start menu options, but you can
    bring it up in one of three ways:
    · Press Ctrl+Alt+Del and choose Task Manager from the Windows Security
    Dialog box.
    · Right-click on the taskbar and choose Task Manager from the popup menu.
    · Hold down the Ctrl+Shift keys and press Esc.
    The utility has three tabs: Applications, Processes, and Performance. The
    Applications tab shows applications that the current user is running (not those
    started by Task Scheduler) and lets you start new ones, switch between them, or end
    them.
    The Performance tab was mentioned earlier in this article relative to its showing
    memory and CPU utilization and a number of statistics. Among the statistics found
    on this tab are the amount of Physical and Kernel memory, as well as what is
    currently available.
    The Processes tab is a Pandora's box of possibilities. Here, it shows all running
    processes--those the current user is interacting with as well as the system, the Task
    Scheduler, and anything else. The columns can change, but the most common after
    the name are:
    · PID. The Process ID number. Some tools address a process by this number
    (for example, the Resource Kit's KILL utility, run from the command line).
    · CPU. The percentage of CPU utilization the process is currently using. Adding
    all the entries together will always total 100%, as the System Idle Process
    always adjusts for any non-usage.
    · CPU Time. The actual amount of processor time.
    · Mem Usage. The amount of memory the process is utilizing.
    You can highlight any of the processes and click on the End Process button to stop a
    process from running. You can also right-click on a process and see four choices on a
    popup menu:
    · End Process
    · End Process Tree (Ends not just the process, but all processes associated
    with it.)
    · Debug (Usually not available, but when it is, it allows interaction with the
    process.)
    · Set Priority (The dangerous one.)
    Almost all processes start at Normal priority, which means they compete for the
    attention of the processor equally with other processes. Once a program has been
    started, there is only one way to change its priority without adding additional
    utilities: through the Task Manager. The six priorities, from lowest to highest, are as
    follows:
    · Low. For applications that need to complete sometime, but you don't want
    them interfering with other applications. On a numerical scale from 0 to 31,
    this equates to a base priority of 4.
    · BelowNormal. A new entry with Windows 2000 for applications not needing
    to drop all the way down to Low. This equates to a base priority of 6.
    · Normal. The default priority for most applications. This equates to a base
    priority of 8.
    · AboveNormal. A new entry for Windows 2000 for applications that don't
    need to boost all the way to High. This equates to a base priority of 10.
    · High. For applications that must complete soon when you don't want other
    applications to interfere with the applications' performance. This equates to a
    base priority of 13.
    · Realtime. For applications that must have the processor's attention to handle
    time-critical tasks. Setting this class requires the Increase Scheduling Priority
    user right, which by default only members of the Administrators group hold. This
    equates to a base priority of 24.
    If you decide to change the priority of an application, you'll be warned that
    changing the priority may make it unstable. You can generally ignore this warning
    when changing the priority to Low, BelowNormal, AboveNormal, or High, but heed it
    when changing an application to Realtime. Realtime means that the processor gives
    this process precedence over all others, including security processes, the
    spooler, and everything else. A Realtime process that spins can starve the rest of
    the system, including the input you would use to stop it, and hang the machine.
    Task Manager changes the priority only for that instance of the running application.
    The next time the process is started, priorities revert back to that of the base
    (typically Normal).
    3.4 ­ Installing and Managing Windows 2000 Updates
    Upgrades to the core of Windows 2000 come in the form of service packs. Each
    service pack contains patches and fixes to operating system components needing
    such, as well as additional features. A service pack is a self-running program that
    modifies your operating system. It's not uncommon within the lifetime of an
    operating system to have two or three service packs.
    Successive service packs include all files that have been in previous service packs. If
    you perform a new installation and the latest service pack is Service Pack Four, you
    do not need to install Service Packs One, Two, and Three. You need install only
    Service Pack Four after the installation to bring the operating system up to the
    current feature set.
    Service packs for all Microsoft operating systems are also distributed, as they are
    released, on the monthly TechNet CDs, a subscription service available through
    Microsoft.
    The operating system also includes a choice on the main menu called Windows
    Update, as shown below:
    The Windows 2000 Start menu offers an automatic Windows Update option.
    This option is a link to http://windowsupdate.microsoft.com/, a site from which you
    download the service packs, as well as upgrades to Explorer, Media Player, and other
    incidentals.
    Chapter 4
    Configuring, Managing, Securing, and
    Troubleshooting Active Directory Organizational Units
    and Group Policy
    With this objective, the exam takes a nasty turn into exam 70-217 territory
    (Implementing and Administering a Microsoft Windows 2000 Directory Services
    Infrastructure). Although there can be no argument that knowledge of Active
    Directory is important for anyone working with Windows 2000, you can argue that
    knowledge of this magnitude is better suited to an engineer/designer than to an
    administrator. For that reason, rather than short-change the topic in the interest of
    cramming a lot into a few pages, this chapter contains a number of links and
    references for Active Directory, while a magnifying glass is aimed at group policies,
    which are rarely documented well anywhere. I highly recommend that you follow the
    links and read the additional material while preparing for this portion of the 70-218
    exam.
    For basic information on installing and configuring Active Directory, see Appendix A,
    "Installing and Configuring Active Directory." This appendix covers installing Active
    Directory; creating sites, subnets, site links, and connection objects; configuring
    server objects (OUs, users, groups, printers, shares, GPOs); working with operations
    master roles; verifying/troubleshooting Active Directory installations; and
    implementing an OU structure. Reading this file should be a precursor to any
    discussion here.
    4.1 ­ Creating, Managing, and Troubleshooting User and
    Group Objects in Active Directory
    User and group objects in Active Directory are created (assuming the appropriate
    permissions have been granted) with the Active Directory Users and Computers MMC
    snap-in, as shown in the following figure.
    You can add a plethora of new objects with the Active Directory Users and
    Computers snap-in.
    "Appropriate permissions" generally means that you are a member of the
    Administrators group, although members of the Enterprise Admins, Domain Admins,
    or Account Operators groups can also create user and group objects by default.
    The Create User Objects and Create Group Objects permissions can also be delegated
    on an OU to any other principal, so check the OU's access control list rather than
    assuming that only those groups can create accounts.
    Regardless of the option you choose from the popup menu, a dialog box appears to
    walk you through the creation of the new account. The following figure shows the
    first screen that appears when you add a new user. After this screen, you must also
    specify a password.
    Adding a new user is a straightforward process.
    When adding a group, you must choose the type of group that it will be, as shown in
    the following figure:

    When adding a new group, you must specify both the scope and type.
    The group can be either a security group or a distribution group, and its scope
    can be domain local, global, or universal. Security groups exist to control access
    to resources, whereas distribution groups exist only for e-mail distribution and
    cannot be placed in an access control list. Local groups and global groups, which
    have existed since Windows NT, define the range of the group: a domain local group
    can be granted permissions only within its own domain, and a global group can
    contain only members from its own domain. Universal group membership is replicated
    to every global catalog server and, therefore, can be resolved anywhere within the
    forest; universal security groups can be created only in a native-mode domain.
    Details on the management of accounts can be found on the Microsoft help site,
    based on type. The following table lists the type of account and the link where the
    information on management is located:
    Computer: http://www.microsoft.com/windows2000/en/server/help/dsadmin_computers_top.htm
    Group: http://www.microsoft.com/windows2000/en/server/help/dsadmin_groups_top.htm
    User: http://www.microsoft.com/windows2000/en/server/help/sag_ADmanageUsers.htm
    NOTE: Information on how to create a site is available at
    http://www.microsoft.com/windows2000/en/server/help/dssite_create_a_site.htm;
    information on how to configure the settings can be found at
    http://www.microsoft.com/windows2000/en/server/help/dssite_site_topics.htm.
    4.2 ­ Managing Object and Container Permissions
    Read the sample chapter, "Active Directory Services and Windows 2000 Domains,"
    available at http://www.microsoft.com/mspress/books/sampchap/3173.asp. Know
    that you can choose the Security tab of any object to be able to access its
    permissions, as shown in the following figure.
    The Security tab is used to configure permissions.
    Clicking the Advanced... button brings up the three tabs (Permissions, Auditing,
    and Owner) shown in the following figure.
    You can configure the permissions as well as auditing from the Advanced button of
    the Security tab.
    Of note for this objective is the "Allow inheritable permissions from parent to
    propagate to this object" check box. For all practical purposes, there are only two
    types of entities as far as this objective is concerned: containers and non-containers.
    For every container, you can check the box and have the permissions that are
    assigned to it filter down to all containers and non-containers beneath it. To use an
    analogy, think of a directory to which you apply the Read permission; by default, that
    permission is inherited by the files and subdirectories beneath the directory to which
    you made the assignment.
    Clicking the View/Edit button lets you change the access control entries (ACEs)
    at a very granular level. You can also choose the scope of inheritance in a
    multitude of ways (this object only, this object and all child objects, child
    objects only, or only objects of a particular class such as user or group
    objects). This is documented in Knowledge Base article Q220167
    (http://support.microsoft.com/default.aspx?scid=kb;EN-US;q220167).
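The container/non-container distinction and the propagation check box are easier to reason about when you can see the inheritance rules run over a small tree. The following Python example is added here and is not part of the course text or of any Microsoft code; it models the Windows ACE inheritance flags (object inherit, container inherit, no propagate, inherit only), treats `protected` as the "Allow inheritable permissions from parent to propagate to this object" box being cleared, and runs those rules over a constructed OU tree with a few user objects in it.

```python
"""Inheritance of access control entries down a container tree, as configured in
the Advanced security dialog.

Added example, not from the course or from Microsoft; the OU/user tree is
constructed. The flags follow the Windows ACE inheritance rules.
"""
from dataclasses import dataclass, field

# OBJECT_INHERIT, CONTAINER_INHERIT, NO_PROPAGATE_INHERIT, INHERIT_ONLY, INHERITED
OI, CI, NP, IO, INHERITED = 1, 2, 4, 8, 16


@dataclass
class Ace:
    trustee: str
    access: str
    flags: int = 0
    allow: bool = True


@dataclass
class Node:
    name: str
    container: bool
    explicit: list = field(default_factory=list)   # ACEs set on this object itself
    protected: bool = False                        # propagation check box cleared
    children: list = field(default_factory=list)


def inherit(parent_aces, child_is_container):
    """ACEs a child takes from its parent's DACL, per the Windows inheritance rules."""
    out = []
    for ace in parent_aces:
        f = ace.flags
        if child_is_container:
            if f & CI:
                # Effective on the container; keeps propagating unless NP is set.
                new_flags = INHERITED | (0 if f & NP else f & (OI | CI))
            elif f & OI and not f & NP:
                # Not effective on the container itself; carried only for its objects.
                new_flags = INHERITED | IO | OI
            else:
                continue
        else:
            if not f & OI:
                continue
            new_flags = INHERITED             # non-containers cannot pass ACEs on
        out.append(Ace(ace.trustee, ace.access, new_flags, ace.allow))
    return out


def dacl(node, parent_dacl=()):
    """Explicit ACEs first, then inherited ones (the Windows canonical order)."""
    entries = list(node.explicit)
    if not node.protected:
        entries += inherit(parent_dacl, node.container)
    return entries


def effective(node, parent_dacl=()):
    """Map object name -> (trustee, access, allow/deny) for the ACEs that apply to it.

    Inherit-only ACEs sit in the DACL but are never checked on that object.
    """
    own = dacl(node, parent_dacl)
    result = {node.name: [(a.trustee, a.access, "allow" if a.allow else "deny")
                          for a in own if not a.flags & IO]}
    for child in node.children:
        result.update(effective(child, own))
    return result


# Constructed tree: OU=Corp holds OU=Sales (with OU=EMEA and user alice) and
# OU=Finance, whose owner cleared the propagation check box.
TREE = Node("OU=Corp", True, explicit=[
    Ace("Domain Admins", "Full Control", OI | CI),
    Ace("HelpDesk", "Reset Password", OI | IO),     # user objects only, not the OUs
    Ace("Auditors", "Read", CI | NP),               # this OU and its direct child OUs
], children=[
    Node("OU=Sales", True, children=[
        Node("OU=EMEA", True),
        Node("CN=alice", False),
    ]),
    Node("OU=Finance", True, protected=True,
         explicit=[Ace("Finance Admins", "Full Control", OI | CI)],
         children=[Node("CN=bob", False)]),
])

if __name__ == "__main__":
    for name, aces in effective(TREE).items():
        print(name, aces)
```

Two things worth noticing in the output: the HelpDesk entry reaches alice but never applies to any OU, because it is inherit-only on every container it passes through, and the Auditors entry stops at OU=Sales because no-propagate strips its inheritance flags there. Clearing the check box on OU=Finance cuts the whole chain, which is exactly why an auditor should look for protected DACLs in a tree that is supposed to be uniformly controlled.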
    4.3 ­ Diagnosing Active Directory Replication Problems
    Information on configuring replication, including configuring the site link cost and
    adding a site to a site link, is located at
    http://www.microsoft.com/windows2000/en/server/help/dssite_connection_topics.htm.
    Active Directory disaster recovery is the topic of the white paper posted at
    http://www.microsoft.com/windows2000/techinfo/administration/activedirectory/addrstep.asp.
    You must know that Windows 2000 uses a multi-master replication model (versus the
    single-master PDC/BDC model of Windows NT 4.0, in which changes could be written
    only at the primary domain controller), so changes can be made at any domain
    controller. Replication is carried over RPC on IP or over SMTP, depending on the
    type of replication. RPC over IP is used for replication traffic within a site,
    and the data it sends is uncompressed. When data is sent between sites, however,
    it is compressed.
    RPC is synchronous, whereas SMTP (used for replication traffic over WAN links) is
    asynchronous. Site links can use IP (for higher-speed connections) or SMTP (for
    slower or less reliable connections). SMTP replication carries only the schema,
    configuration, and global catalog partitions, not the domain partition, so two
    domain controllers of the same domain in different sites must still be joined by
    an IP site link; it also requires an enterprise certification authority, because
    the replication mail is signed with certificates. The Knowledge Consistency
    Checker (KCC) generates the replication topology within a forest; it runs on each
    domain controller automatically.
    4.4 ­ Deploying Software by Using Group Policy
    An introduction to Group Policy can be found at
    http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp.
    A more detailed white paper on the topic is located at
    http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp.
    For this objective, you must understand the differences between publishing and
    assigning software. Software can be assigned to either users or computers, but can
    be published only to users. This is well explained in the article available at
    http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9625 and Microsoft's
    KnowledgeBase article #Q302430
    (http://support.microsoft.com/default.aspx?scid=kb;EN-US;q302430).
    Group Policies can be applied at any level of the network structure via the Group
    Policy tab, as shown in the following figure.
    The Group Policy tab enables you to create a policy for a site, domain, or OU.
    NOTE: Group Policies replace, and are a superset of, the System Policies of earlier
    versions of the operating system. Group Policies apply only to Windows 2000
    computers; Windows NT 4.0 and Windows 9x clients ignore them and still expect
    System Policies.
    In addition to the site, domain, and OU, every Windows 2000 computer can
    optionally have one local policy assigned to it. The following discussion focuses on
    the local policy, but applies to both it and Group Policies. (Remember that the only
    difference is where they are applied.)
    The Group Policy MMC snap-in resembles the following figure:
    The Group Policy snap-in divides the policy into sections.
    Notice that the two primary divisions of a policy are Computer Configuration and
    User Configuration. Settings configured under Computer Configuration apply to the
    computer, regardless of who is using it. Conversely, the settings configured under
    User Configuration apply only if the specified user is logged on.
    Beneath both Computer Configuration and User Configuration, the policy is divided
    further into three subsections:
    · Software Settings. Contains settings pertinent to applications.
    · Windows Settings. Divides into Scripts (Startup/Shutdown for Computer
    Configuration and Logon/Logoff for User Configuration) and Security Settings.
    For the user, it can also offer Internet Explorer settings.
    · Administrative Templates. Contains Registry settings that affect the
    desktop, printing, networking, and so on.
    Settings beneath Computer are applied whenever the computer is on, whereas
    settings for users are applied only when the user logs on.
    Before you delve into the process of creating a Group Policy, you must have a firm
    grasp on what one is. To make sure you do, I'll use an analogy. When you purchase a
    television set and connect it to the subscription cable coming through your living
    room wall, you get all channels that you subscribe to. If you pay approximately $50
    a month (depending on where you live), you get somewhere around 100 channels,
    including a handful of premium ones.
    When you turn on the television, you are free to watch any channel you want,
    regardless of whether the content is questionable or racy. And when you are gone,
    your children are free to do the same. Enter the V-chip. Before leaving, you enable
    the V-chip on the television, and suddenly your kids can't watch all the channels. In
    fact, they can't watch anything that has questionable or racy content. The V-chip
    restricts the total number of channels coming into your television set, taking away
    channel choices that were otherwise there for the kids.
    Now let's relate this to an operating system. On Windows 2000 Professional, you can
    do just about anything you want. You can delete programs and never be able to run
    them again; you can send huge graphic files to a tiny printer that can print only one
    page every 30 minutes; you can delete your Registry and never be able to use the
    system again; and so on. Enter the Group Policy. A Group Policy places restrictions
    on what a user or computer is allowed to do. It takes away liberties that were
    otherwise there. Technically, they are never implemented for the benefit of the user
    (restrictions do not equal benefits), but they are always there to simplify
    administration for the administrator.
    From an administrator's standpoint, if you take away the ability to add new software,
    you don't have to worry about supporting non-tested applications. If you remove the
    ability to delete installed printers (accidentally, of course), you don't have to waste
    an hour installing the printer again when someone accidentally deletes it. In other
    words, by reducing what the users can do, you reduce what you must support and,
    therefore, the overall administrative cost of supporting the network, computer, and
    user.
    Standard Choices: Computer
    Beneath the Computer Configuration setting are choices for Software Settings
    (usually empty on a new system), Windows Settings, and Administrative Templates.
    Windows Settings are broken down into Scripts and Security Settings. The Scripts
    options are divided into Startup and Shutdown. Both allow you to configure items
    (.EXE, .CMD, .BAT files, and so on) to run when starting and stopping the computer.
    The Security Settings option is divided into Account Policies, Local Policies, Public
    Key Policies, and IP Security Policies on Local Machine. The following sections
    examine those choices in greater detail.
    Account Policies
    Account Policies is further divided into Password Policy and Account Lockout Policy
    (actions to take when a number of incorrect attempts have been made). Beneath
    Password Policy are the following seven choices, the majority of which previously
    appeared in the Account Policy menu of User Manager:
    · Enforce Password History. This option allows you to require unique
    passwords for a certain number of iterations. The default number is 0, but it
    can go as high as 24. When set to 0, a user can change his expiring password
    of "bubba" to a new password of "bubba," as no uniqueness is required. If the
    value is set to 3, however, "bubba" cannot be used again until three other
    passwords have been used.
    · Maximum Password Age. The default is 42 days, but the value can range
    from 0 to 999.
    · Minimum Password Age. The default is 0 days, but the value can range
    from 0 to 999.
    · Minimum Password Length. The default is 0 characters (meaning no
    password is required), but you can specify a number up to 14 characters.
    · Passwords Must Meet Complexity Requirements of the Installed
    Password Filter. By default, this option is disabled.
    · Store Password Using Reversible Encryption for All Users in the
    Domain. By default, this option is disabled.
    · User Must Log On to Change the Password. By default, this option is
    disabled, which means a user with an expired password can specify a new
    password during the logon process.
    For all seven of these settings, a domain-level policy takes precedence: the
    password policy for domain accounts is read only from the Group Policy linked to
    the domain, and on a domain member that policy also overrides the local setting.
    The local setting governs only the local accounts of a computer no domain policy
    reaches.
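The seven settings interact at the moment a user tries to change a password, and the exam-style questions usually hinge on which setting rejects a given change. The following Python example, added here and not part of the course text, evaluates a proposed change against a policy the way the settings describe: history compares hashes of previous passwords (SHA-256 here, purely for illustration; Windows stores its own hashes), and the complexity rules are those of the default Windows 2000 password filter (PASSFILT): at least six characters, three of the four character classes, and no part of the account name or full name. The account "bubba" and its password history are constructed.

```python
"""Evaluate a proposed password change against the Password Policy settings.

Added example, not from the course text. The account data below is constructed,
and SHA-256 stands in for the hashes Windows actually keeps.
"""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def pw_hash(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class PasswordPolicy:
    history: int = 0            # Enforce Password History: 0..24 passwords remembered
    max_age_days: int = 42      # Maximum Password Age: 0 = never expires
    min_age_days: int = 0       # Minimum Password Age: 0 = may change immediately
    min_length: int = 0         # Minimum Password Length: 0 = blank allowed
    complexity: bool = False    # Passwords Must Meet Complexity Requirements


@dataclass
class Account:
    sam_account_name: str
    full_name: str
    password_last_set: datetime
    password_history: list = field(default_factory=list)  # hashes, current first


def meets_complexity(password, account):
    """Default PASSFILT rules: 6+ chars, 3 of 4 classes, no account/full-name parts."""
    if len(password) < 6:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        return False
    lowered = password.lower()
    if account.sam_account_name.lower() in lowered:
        return False
    # The filter splits the full name on common delimiters and rejects any
    # part of three or more characters that appears in the password.
    for part in re.split(r"[ ,.\-_#\t]+", account.full_name):
        if len(part) >= 3 and part.lower() in lowered:
            return False
    return True


def change_errors(policy, account, new_password, now):
    """Settings a user-initiated change would violate; an empty list means accepted."""
    errors = []
    if len(new_password) < policy.min_length:
        errors.append("minimum length")
    if policy.complexity and not meets_complexity(new_password, account):
        errors.append("complexity")
    # History N means the current password plus the N-1 before it are off limits.
    if policy.history and pw_hash(new_password) in account.password_history[: policy.history]:
        errors.append("password history")
    if policy.min_age_days and now - account.password_last_set < timedelta(days=policy.min_age_days):
        errors.append("minimum age")
    return errors


def password_expired(policy, account, now):
    """Maximum Password Age: True when the user must change the password."""
    if policy.max_age_days == 0:
        return False
    return now - account.password_last_set > timedelta(days=policy.max_age_days)


def apply_change(policy, account, new_password, now):
    """Commit a change that passed change_errors(): new hash goes to the front of history."""
    account.password_history.insert(0, pw_hash(new_password))
    del account.password_history[24:]        # Windows remembers at most 24
    account.password_last_set = now


# Constructed sample account and a policy close to a typical hardened domain.
NOW = datetime(2002, 4, 15, 9, 0)
POLICY = PasswordPolicy(history=3, max_age_days=42, min_age_days=1, min_length=8, complexity=True)
BUBBA = Account("bubba", "Bubba Jones", NOW - timedelta(days=2),
                password_history=[pw_hash(p) for p in ("Summer2002!", "Winter01!!", "Spring-99x")])


def at_days(n):
    """A point in time n days after NOW (negative for earlier)."""
    return NOW + timedelta(days=n)


if __name__ == "__main__":
    for candidate in ("bubba", "Summer2002!", "Autumn-2002"):
        print(candidate, change_errors(POLICY, BUBBA, candidate, NOW))
```

The minimum age check is the one that surprises people: it exists so that a user cannot cycle through N throwaway passwords in a minute and land back on the old favourite, which is why a history setting without a minimum age is close to useless.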
    The Account Lockout Policy section contains the following three options:
    · Account Lockout Threshold. The number of invalid logon attempts it takes before
    lockout occurs. The default is 0, meaning the feature is turned off; the value
    can range from 0 to 999. Setting a number greater than 0 changes the following
    two options from "not defined" to a suggested 30 minutes.
    · Account Lockout Duration. The number of minutes an account stays locked, from
    1 to 99,999. A value of 0 is also allowed; it means the account never unlocks
    itself, so an administrator must always unlock it.
    · Reset Account Lockout Counter After. The number of minutes, from 1 to 99,999,
    that must pass after a failed attempt before the bad-password count returns to 0.
    As with the Password Policy settings, a domain-level policy that defines these
    values overrides the local settings.
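The three lockout settings form a small state machine, and the two zero values (threshold 0 and duration 0) mean opposite things, which is easy to get backwards. The following Python example is added here and is not part of the course text; it drives that state machine with constructed timestamps, returning whether each failed or successful logon leaves the account locked, and covers the edge cases the text describes: a threshold of 0 disables the feature, a duration of 0 holds the lock until an administrator clears it, and the reset window wipes the count when it elapses between failures.

```python
"""Account lockout as a state machine driven by the three Account Lockout Policy
settings. Added example, not from the course text; the timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 0          # Account Lockout Threshold: 0 = never lock out
    duration_minutes: int = 30  # Account Lockout Duration: 0 = until admin unlocks
    reset_minutes: int = 30     # Reset Account Lockout Counter After


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_at: Optional[datetime] = None


def is_locked(policy, state, now):
    if state.locked_at is None:
        return False
    if policy.duration_minutes == 0:
        return True                     # stays locked until admin_unlock()
    return now - state.locked_at < timedelta(minutes=policy.duration_minutes)


def record_failure(policy, state, now):
    """Register a bad password; returns True if the account is locked afterwards."""
    if policy.threshold == 0:
        return False                    # feature turned off: nothing is counted
    if is_locked(policy, state, now):
        return True                     # still locked, attempt changes nothing
    if state.locked_at is not None:
        state.locked_at = None          # an earlier lockout expired: fresh count
        state.bad_count = 0
    if state.last_bad is not None and now - state.last_bad >= timedelta(minutes=policy.reset_minutes):
        state.bad_count = 0             # reset window elapsed since the last failure
    state.bad_count += 1
    state.last_bad = now
    if state.bad_count >= policy.threshold:
        state.locked_at = now
        state.bad_count = 0
        return True
    return False


def record_success(policy, state, now):
    """A correct password: rejected while locked, otherwise it clears the count."""
    if is_locked(policy, state, now):
        return False
    state.bad_count = 0
    state.last_bad = None
    state.locked_at = None
    return True


def admin_unlock(state):
    """Administrator clears the lock in Active Directory Users and Computers."""
    state.bad_count = 0
    state.last_bad = None
    state.locked_at = None


# Constructed clock for the scenarios: minutes after 09:00 on 15 April 2002.
T0 = datetime(2002, 4, 15, 9, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, duration_minutes=30, reset_minutes=30)
    state = AccountState()
    for m in (0, 0.2, 0.4):
        print("failure at", at(m).time(), "locked:", record_failure(policy, state, at(m)))
    print("correct password at 09:29 accepted:", record_success(policy, state, at(29)))
    print("correct password at 09:31 accepted:", record_success(policy, state, at(31)))
```

The `record_success` rule matters operationally: while an account is locked, even the right password is refused, so an attacker who can reach the logon interface can deny service to any account simply by guessing wrong `threshold` times, which is the trade-off a low threshold buys you.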
    Local Policies
    The Local Policies section is broken into three subsections: Audit Policy, User Rights
    Assignment, and Security Options.
    Audit Policy
    The Audit Policy determines whether event auditing (writing entries to the Security
    log) is used. It contains nine settings, one per category of event, which can be
    configured independently of each other.
    The default value for each setting is "No auditing"; the valid options are
    "Success", "Failure", or both. The following figure shows the configuration
    options for the Audit Directory Service Access setting.
    The Group Policy Editor allows for configuration of auditing options based on success,
    failure, or both.
    When auditing is turned on for a particular event, the entries are logged in the
    Security Log file, which is viewed with Event Viewer.
    User Rights Assignment
    The User Rights Assignment section is where the user rights that lived under the
    Policies menu of the old User Manager now reside. This section contains 34
    options, most of which are self-explanatory.
    When you work on any of the policy settings, a dialog box similar to the one in the
    following figure appears. Notice that you can add additional groups and users to the
    list but you cannot remove them. That functionality is not needed. If you want to
    "remove" a user or group from the list, remove the check mark from the box
    granting it access.

    Policy settings allow you to add (but not remove) additional users and groups to the
    list.

    Security Options
    The Security Options section contains 38 options, most of which map directly to
    Registry values. The default for each is "Not defined," but you can set Enabled or
    Disabled, or a number where the option takes one (such as the number of previous
    logons to cache).
    Public Key Policies
    The Public Key Policies section holds certificate-related settings. On a standalone
    computer it has only one subsection by default: Encrypted Data Recovery Agents,
    which lists the certificates of the accounts that can recover files encrypted with
    EFS on this machine. Double-click on a certificate to access its properties. The
    next figure shows the Certificate dialog box.
    You can access the properties for issued certificates through the Encrypted Data
    Recovery Agents settings.

    IP Security Policies on Local Machine
    The IP Security Policies on Local Machine section contains three predefined IPSec
    policies, each made up of rules that dictate how the computer negotiates security
    with the servers and clients it talks to. Only one policy can be assigned (active)
    at a time, and none is assigned by default. The three are:
    · Server (Request Security). Requests security, authenticated with Kerberos, for
    all IP traffic, but still allows unsecured communication with peers that do not
    respond to the request. Because it falls back to clear text, it offers no
    protection against a peer that simply declines to negotiate.
    · Secure Server (Require Security). Always requires Kerberos-authenticated
    security for all IP traffic and refuses unsecured communication with untrusted
    clients (see the next figure). This is the only one of the three that actually
    prevents clear-text traffic.
    · Client (Respond Only). Communicates unsecured by default but negotiates security
    with servers that request it. Only the protocol and port traffic in question are
    secured.

    The Secure Server policy's rules require that communications between the client and
    servers be authenticated with Kerberos.
    With any of the rules, you can click the Add button at the bottom of the Rules tab to
    access the Security Rule Wizard. The wizard walks you through defining a new rule
    as it relates to IP tunneling attributes, authentication methods, and filtering. If you
    choose not to use the wizard (you're a glutton for punishment), you can create the
    new rule by interacting directly with the five property tabs shown in the next figure.
    You can edit, remove, or modify a rule at any time.
    You can create new rules by using the Security Rule Wizard or by directly interacting
    with the five property tabs for a rule.

    Standard Computer Configuration Choices: Administrative Templates
    Beneath the Administrative Templates section, four subsections appear on all
    systems. By default, the four subsections are System, Network, Printers, and
    Windows Components. You can add others (right-click and choose Add/Remove
    Templates from the pop-up menu), or delete any of these four.
    System
    The System settings are divided into four additional areas: Logon, Disk Quotas,
    Group Policy, and Windows File Protection.
    Logon
    The 12 policies beneath Logon all have a default setting of "Not Configured."
    For each, there are three valid radio button choices: Enabled, Disabled, and Not
    Configured. Two tabs, Policy and Explain, also appear, as shown in the next
    figure. Microsoft has gone to great lengths to make the definitions that appear on
    the Explain tab understandable and logical. Although in almost all cases the name
    of the policy explains its purpose, it is highly recommended that you run through
    the Explain tab for each before attempting the exam.

    Each Logon policy can be left at the default value (Not Configured) or can be Enabled
    or Disabled.
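Not Configured and Disabled look alike in the dialog but behave differently once several policies (local, site, domain, OU) apply to the same computer. The following Python example, added here and not part of the course text, goes a step beyond the text by applying the Windows 2000 processing order (local policy first, then site, domain, and OU, parent OU before child, each later policy overriding the earlier) and models an Administrative Template setting the way the usual ADM template does: Enabled writes the Registry value, Disabled removes it, and Not Configured leaves whatever is already there. The policy objects and the Registry value names are constructed for illustration.

```python
"""How Enabled / Disabled / Not Configured combine across the policies that apply
to one computer. Added example, not from the course text; the policy objects and
Registry paths below are constructed for illustration.
"""
NOT_CONFIGURED, ENABLED, DISABLED = "Not Configured", "Enabled", "Disabled"
LEVELS = ("local", "site", "domain", "ou")       # processing order, lowest first

# Registry value each sample setting controls (assumed, for illustration only).
REGISTRY_VALUE = {
    "Disable Windows Installer": r"HKLM\Software\Policies\Microsoft\Windows\Installer\DisableMSI",
    "Do not display last user name": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName",
    "Turn off background refresh": r"HKLM\Software\Policies\Microsoft\Windows\System\DisableBkGndGroupPolicy",
}


def check_order(policies):
    """Policies must be listed in processing order; several OU entries may follow
    one another (parent OU before child OU)."""
    last = 0
    for level, _ in policies:
        rank = LEVELS.index(level)
        if rank < last:
            raise ValueError(f"{level} policy listed after a higher-precedence level")
        last = rank


def resolve(policies):
    """Final state of every setting: the last policy that configured it wins, and
    Not Configured never overrides an earlier Enabled or Disabled."""
    check_order(policies)
    final = {}
    for _, settings in policies:
        for setting, state in settings.items():
            if state == NOT_CONFIGURED:
                final.setdefault(setting, None)   # None: no policy touched it
            else:
                final[setting] = state
    return final


def apply_to_registry(policies, registry):
    """Write the policies into a simulated Registry (a dict of value path -> data)."""
    check_order(policies)
    for _, settings in policies:
        for setting, state in settings.items():
            value = REGISTRY_VALUE[setting]
            if state == ENABLED:
                registry[value] = 1
            elif state == DISABLED:
                registry.pop(value, None)
            # Not Configured: the value, whatever set it, is left alone
    return registry


# Constructed scenario: the local policy disables the Installer, the domain
# policy re-enables it and hides the last user name, the OU says nothing.
POLICIES = [
    ("local", {"Disable Windows Installer": ENABLED, "Do not display last user name": NOT_CONFIGURED}),
    ("site", {}),
    ("domain", {"Disable Windows Installer": DISABLED, "Do not display last user name": ENABLED}),
    ("ou", {"Disable Windows Installer": NOT_CONFIGURED, "Turn off background refresh": NOT_CONFIGURED}),
]

if __name__ == "__main__":
    print(resolve(POLICIES))
    # A value someone set by hand survives, because no policy configured it.
    print(apply_to_registry(POLICIES, {REGISTRY_VALUE["Turn off background refresh"]: 1}))
```

The last line of the demo is the practical lesson: a hand-edited Registry value under a policy key persists until some policy explicitly sets the setting to Enabled or Disabled, so "Not Configured" is not a way to undo a restriction that was applied earlier.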
    A nice feature that exists on the properties of these policies, and that is not available
    on others, is the inclusion of the Previous Policy and Next Policy command buttons on
    the dialog box. In many other policy locations within the Group Policy Editor, you
    must close one policy before moving to another. The Previous Policy and Next Policy
    buttons let you navigate a bit more smoothly through the often-connected policies.
    Disk Quotas
    There are six policies for disk quotas. Again, the default value is "Not Configured."
    The disk quotas allow you to restrict the amount of data storage used by individual
    users. Choosing to enforce the limit denies storage space to users who have
    exceeded their limit. By default, settings apply only to fixed-media NTFS volumes,
    but the choice Apply Policy to Removable Media allows you to extend that to all NTFS
    media.
    Group Policy
    As you may surmise, these settings are extremely important. In essence, you can
    think of them as a superset of other choices because they dictate the way the Group
    Policy will be implemented, and the Group Policy, in turn, holds all other settings.
    System File Protection
    The handful of policies here relate to caching, transaction logs, and other aspects of
    protection for the system files.
    Network
    There are two subdivisions beneath Network: Offline Files, and Network and Dial-Up
    Connections. Network and Dial-Up Connections has only one policy by default:
    Display and Enable the Internet Connection Sharing Properties Tab and Wizard Page.
    It is worth noting that almost every option visible to the user when creating offline
    files can be removed from the site.
    Printers
    The Printers Administrative Template includes key policies for interacting with
    printers.
    Windows Components
    The Windows Components section can hold variables for every key component of the
    operating system. By default, three entries appear here: Task Scheduler, Windows
    Installer, and Internet Explorer. The policies for each are listed in the following
    sections. Pay particular attention to those regarding the Installer.
    Task Scheduler
    The Task Scheduler contains seven policies, all of which are set to Not Configured, by
    default, but can be changed to Enabled or Disabled.
    Windows Installer
    The Windows Installer is used to move applications, files, and portions of install and
    upgrade routines to the local computer. Also known as IntelliMirror, Windows Installer
    can restore needed files from a server if a user accidentally (or purposely) deletes
    them from the local system. This section contains the following policy choices:
    · Disable Windows Installer. The default setting is Not Configured but can be
    changed to Enabled or Disabled. If you choose Enabled, you must then
    choose from three choices: Never, For Non-Managed Apps Only (only those an
    administrator has not assigned), and Always.
    · Always Install with Elevated Privileges. This also must be enabled in the User
    Configuration section to truly work.
    · Disable Browse Dialog Box for New Source
    · Disable Patching. The act of replacing only those files that have changed and
    not all files associated with a program.
    · Disable IE Security Prompt for Windows Installer Scripts. Allows an upgrade from
    the Web to proceed without the user being prompted or aware of it.
    · Enable User Control Over Installs
    · Logging. If enabled, you choose which kinds of events to log; a letter signifies
    each kind, and the letters are combined into a single string. The string
    "iwearucmpvo" logs everything; the default is "iweap." The following table outlines
    the complete set of choices:
      a   Startup actions
      c   Initial UI parameters
      e   All error messages
      i   Status messages
      m   Out-of-memory messages
      o   Out of disk space messages
      p   Terminal properties
      r   Action-specific records
      u   User requests
      v   Verbose output
      w   Non-fatal warnings
    Internet Explorer
    Because the browser is so integral to the operating system, the eight policy options
    here can greatly change the way the user interacts with the program.
    User Configuration
    A number of the policies under Computer Configuration also exist under User
    Configuration. Understand that those under the Computer portion run on the
    machine regardless of who is running it, whereas those beneath the User section run
    only when the user is logged on.
    By default, User Configuration settings are divided into three sections: Software
    Settings, Windows Settings, and Administrative Templates. The Software Settings
    section is empty.
    Windows Settings
    This section is further divided into Internet Explorer Maintenance, Scripts
    (Logon/Logoff), and Security Settings. Scripts (as the full name implies) has only
    two policies--one for logon and one for logoff. Security Settings, by default, is empty.
    The five divisions of Internet Explorer Maintenance are Browser User Interface,
    Connection, URLs, Security, and Programs. The Browser User Interface settings allow
    you to change the title on the browser and to use a custom logo, toolbar, or animated
    bitmaps. The Connection category allows you to configure connection settings,
    browser configuration, proxy settings, and agent strings.
    The URLs category allows you to populate and configure Favorites and Links,
    Important URLs, and Channels. Security offers two policies: Security Zones and
    Content Ratings, and Authenticode Settings. Programs allows you to import or
    customize the default programs used for HTML editing, email, newsgroups, and the
    like.
    Administrative Templates
    Administrative Templates is broken into six key categories: Start Menu & Taskbar,
    Desktop, Control Panel, Network, System, and Windows Components. The following
    sections cover these categories in greater detail.
    Start Menu & Taskbar
    The vast majority of options here are a carryover from the days of System Policies.
    By default, all options are Not Configured but can be Enabled or Disabled.
    Desktop
    The Desktop settings affect what the user can interact with. Pay particular attention
    to the fact that there are now settings available to control interaction with the
    Active Desktop.
    Control Panel
    You must be careful here because the Control Panel holds four subfolders but also
    contains two options:
    · Don't Run Specified Control Panel Applets
    · Only Run Specified Control Panel Applets
    The four folders are:
    · Add/Remove Programs
    · Display
    · Printers
    · Regional Options
    There is only one policy beneath Regional Options: Restrict Selection of Windows
    2000 Menus and Dialogs Language. If this is enabled, you can specify that the items
    must come up in a language of your choosing (English being the default).
    Network
    The Network folder is divided into two subfolders: Offline Files and Network and Dial-
    Up Connections. For Offline Files, the following policies are available:
    · Automatic Synchronization at Logoff
    · Action on Server Disconnect
    · Non-Default Server Disconnect Actions
    · Disable User Synchronization of Folders and Files
    · Disable 'Make Available Offline'
    · Disable User Configuration of Cache
    · Prevent Use of Offline Files Folder
    · Disable Reminder Balloons
    · Reminder Balloon Frequency
    · Initial Reminder Balloon Lifetime
    · Reminder Balloon Lifetime
    · Event Logging Level. This option offers four possibilities:
      0   Nothing logged
      1   Only log "server offline"
      2   Log "server offline," "net stopped," and "net started"
      3   Log "server offline," "net stopped," "net started," and "server available
          for reconnection"
    Under the Network and Dial-Up Connections folder, the following policies appear:
    · Enable Deletion of RAS Connections
    · Enable Connecting and Disconnecting a RAS Connection
    · Enable Connecting and Disconnecting a LAN Connection
    · Enable Access to Properties of a LAN Connection
    · Enable Access to Properties of RAS Connections Belonging to the Current User
    · Enable Access to Properties of RAS Connections Available to All Users
    · Enable Renaming of Connections, If Supported
    · Enable Renaming of RAS Connections Belonging to the Current User
    · Enable Adding and Removing Components for a RAS or LAN Connection
    · Enable the Check Box for Enabling and Disabling Components of a Connection
    · Enable Access to Properties of Components of a LAN Connection
    · Enable Access to Properties of Components of a RAS Connection
    · Display and Enable the Network Connection Wizard
    · Enable Status Statistics for an Active Connection
    · Enable the Dial-Up Preferences Item on the Advanced Menu
    · Enable the Advanced Settings Item on the Advanced Menu
    · Display and Enable the Internet Connection Sharing Properties Tab and
    Wizard Page
    · Enable Deletion of RAS Connections Available to All Users
    · Enable Usage of Cleartext Passwords
    · Allow TCP/IP Advanced Configuration
    System
    As was the case with Control Panel, the parent folder here (System) holds both
    subfolders and policies. The subfolders are Logon/Logoff and Group Policy. The
    following are the policy settings:
    · Century Interpretation for Year 2000
    · Code Signing for Device Drivers
    · Custom User Interface
    · Disable the Command Prompt
    · Disable Registry Editing Tools
    · Run Only Allowed Windows Applications
    · Don't Run Specified Windows Applications
    · Disable Windows Welcome at Logon
    · Run These Applications at Startup
    · Disable the RunOnce at Startup
    · Disable Legacy Run at Startup
    The following policy settings are available for Logon/Logoff:
    · Disable Task Manager
    · Disable Lock Computer
    · Disable Change Password
    · Disable Logoff
    · Run Logon Scripts Synchronously
    · Run Legacy Logon Scripts Hidden
    · Run Logon Scripts Visible
    · Run Logoff Scripts Visible
    · Limit Profile Size
    · Exclude Directories in Roaming Profile
    For Group Policy, the following settings are available:
    · Group Policy Refresh Interval for Users
    · Group Policy Slow Link Detection
    · Group Policy Domain Controller Selection
    · Create New Group Policy Object Links Disabled by Default
    · Enforce Show Policies Only
    · Disable Automatic Update of ADM Files
    · Download Missing COM Components
    Note the policy titled "Disable Automatic Update of ADM Files." Files with an
    extension of .adm that are housed in the %SystemRoot%\inf folder are the
    templates used by Group Policy (%SystemRoot% being the folder into which
    Windows 2000 was installed). When you bring up the Group Policy Editor, the choices
    presented to you for policies you can implement are a direct result of the template
    files (.adm) stored in this folder.
    The .adm files are ASCII text, usually defining Registry keys and any changes that
    are made when you modify a policy setting. Therefore, you can edit and add to the
    files as needed. Changes to the .adm files do not change the policy settings already
    in effect; they only change what options you can see in the Group Policy Editor.
    By default, two templates are loaded: inetres and system. You can add and remove
    from the list by right-clicking on Administrative Templates (under either Computer
    Configuration or User Configuration) and interacting with the dialog box that appears
    (see the following figure).

    You can add and remove templates to change the options that appear within Group
    Policy.
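    Because the .adm files are plain text that map each policy to a Registry value, they can be read without the Group Policy Editor. The following is an added example (not code from the course or from Microsoft): a small Python reader for the classic .adm syntax that lists, for each POLICY in a constructed template, the Registry key and the values written when the policy is Enabled or Disabled. The template's key paths are my recollection of the Windows 2000 system.adm entries for the two settings, not taken from the course, and only the handful of keywords the sample uses are supported.

```python
"""Minimal reader for the classic Windows 2000 .adm template syntax.

Added example, not code from the course or from Microsoft. It reports, for
each POLICY in the constructed template below, the registry value written
when the policy is Enabled or Disabled. Only the keywords the sample uses
are handled; real templates use more (PART, DROPDOWNLIST, ACTIONLISTON ...).
"""
from dataclasses import dataclass

# Constructed template modelled on the user-side "Disable registry editing
# tools" and "Disable the command prompt" settings; the key paths are my
# recollection of system.adm, so check them against your own %SystemRoot%\inf copy.
SAMPLE_ADM = r"""
CLASS USER
CATEGORY !!System
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\System"
    POLICY !!DisableRegedit
        VALUENAME "DisableRegistryTools"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
    POLICY !!DisableCMD
        ; a POLICY may override the KEYNAME inherited from its CATEGORY
        KEYNAME "Software\Policies\Microsoft\Windows\System"
        VALUENAME "DisableCMD"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY
[strings]
System="System"
DisableRegedit="Disable registry editing tools"
DisableCMD="Disable the command prompt"
"""

HIVES = {"USER": "HKEY_CURRENT_USER", "MACHINE": "HKEY_LOCAL_MACHINE"}

@dataclass
class AdmPolicy:
    name: str
    hive: str
    key: str
    value_name: str
    value_on: tuple     # (registry type, data) written when Enabled
    value_off: tuple    # written when Disabled

    def registry_path(self):
        return f"{self.hive}\\{self.key}\\{self.value_name}"

def _split_sections(text):
    """Separate the policy body from the [strings] table that !!tokens refer to."""
    body, _, strings = text.partition("[strings]")
    table = {}
    for line in strings.splitlines():
        if "=" in line:
            key, _, val = line.partition("=")
            table[key.strip()] = val.strip().strip('"')
    return body, table

def _parse_value(arg):
    """VALUEON/VALUEOFF operand: NUMERIC n is a REG_DWORD, anything else REG_SZ."""
    words = arg.split()
    if words and words[0].upper() == "NUMERIC":
        return ("REG_DWORD", int(words[1]))
    return ("REG_SZ", arg.strip('"'))

def parse_adm(text):
    body, strings = _split_sections(text)
    def resolve(tok):   # !!Name looks up [strings]; a "literal" is unquoted
        return strings.get(tok[2:], tok[2:]) if tok.startswith("!!") else tok.strip('"')
    hive, policies = None, []
    keys = []        # KEYNAME inherited from each enclosing CATEGORY
    current = None   # the POLICY block being read
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or comment line
            continue
        kw, _, arg = line.partition(" ")
        kw, arg = kw.upper(), arg.strip()
        if kw == "CLASS":
            hive = HIVES[arg.upper()]
        elif kw == "CATEGORY":
            keys.append(keys[-1] if keys else None)
        elif kw == "KEYNAME" and current is not None:
            current["key"] = arg.strip('"')
        elif kw == "KEYNAME" and keys:
            keys[-1] = arg.strip('"')
        elif kw == "POLICY":
            current = {"name": resolve(arg), "key": keys[-1] if keys else None}
        elif current is not None and kw == "VALUENAME":
            current["value_name"] = arg.strip('"')
        elif current is not None and kw in ("VALUEON", "VALUEOFF"):
            current["value_on" if kw == "VALUEON" else "value_off"] = _parse_value(arg)
        elif kw == "END" and arg.upper() == "POLICY" and current is not None:
            policies.append(AdmPolicy(hive=hive, **current))
            current = None
        elif kw == "END" and arg.upper() == "CATEGORY" and keys:
            keys.pop()
    return policies
```

    Running parse_adm over a real system.adm shows exactly which Registry locations a template can change, which is useful when auditing a template someone has edited.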
    Windows Components
    The Windows Components section differs greatly based on the operating system
    components you have added to the Professional workstation. By default, this section
    contains five subfolders: Windows Explorer, Microsoft Management Console, Task
    Scheduler, Windows Installer, and Internet Explorer.
    The Windows Explorer folder contains one subfolder, Common Open File Dialog, and
    a number of policy settings. The policy settings are listed here:
    · Enable Classic Shell
    · Remove the Folder Options Menu Item from the Tools Menu
    · Remove File Menu from Windows Explorer
    · Remove the "Map Network Drive" and "Disconnect Network Drive" Options
    · Remove Search Button from Windows Explorer
    · Disable Windows Explorer's Default Context Menu
    · Hides the Manage Item on the Windows Explorer Context Menu
    · Only Allow Approved Shell Extensions
    · Do Not Track Shell Shortcuts During Roaming
    · Hide These Specified Drives in My Computer
    · Hide Hardware Tab
    · Disable UI to Change Menu Animation Setting
    · Disable UI to Change Keyboard Navigation Indicator Setting
    · Disable DFS Tab
    · No Workgroup Contents in My Network Places
    · No Entire Network in My Network Places
    · Maximum Number of Recent Documents
    The Common File Open Dialog folder contains three policy settings:
    · Hide the Common Dialog Places Bar
    · Hide the Common Dialog Back Button
    · Remove the Common Dialog MRU Dropdown
    The Windows 2000 operating system depends on the Microsoft Management Console
    for so much that it would be virtually impossible to administer the operating system
    without it. The Microsoft Management Console folder contains one subfolder--
    Restricted/Permitted Snap-Ins--and the following two policy settings:
    · Restrict the User from Entering Author Mode
    · Restrict Users to the Explicitly Permitted List of Snap-Ins
    The Restricted/Permitted Snap-Ins folder contains a number of policy settings and
    two subfolders: Extension Snap-Ins and Group Policy. The parent policies are listed
    here:
    · Active Directory Users and Computers
    · Active Directory Domains and Trusts
    · Active Directory Sites and Services
    · Certificates
    · DCOM Config
    · Computer Management
    · Device Manager
    · Disk Management
    · Disk Defragmenter
    · Distributed File System
    · Event Viewer
    · FAX Service
    · Indexing Service
    · Internet Authentication Service (IAS)
    · IAS Logging
    · Internet Information Services
    · IP Security
    · Local Users and Groups
    · Performance Logs and Alerts
    · QoS Admission Control
    · Removable Storage Management
    · Routing and Remote Access
    · Security Configuration and Analysis
    · Security Templates
    · Services
    · Shared Folders
    · System Information
    · Telephony
    The Extension Snap-Ins folder contains the following policy settings:
    · AppleTalk Routing
    · Certification Authority
    · Component Services
    · Connection Sharing (NAT)
    · Device Manager
    · DHCP Relay Management
    · Event Viewer
    · FAX Service
    · IGMP Routing
    · IP Routing
    · IPX RIP Routing
    · IPX Routing
    · IPX SAP Routing
    · Logical and Mapped Drives
    · OSPF Routing
    · Public Key Policies
    · RAS Dialin - User Node
    · Remote Access
    · Removable Storage
    · RIP Routing
    · Routing
    · Send Console Message
    · Service Dependencies
    · SMTP Protocol
    · SNMP
    · System Properties
    The Group Policy folder contains the following policy settings. (Note that this is not
    the first time this folder has appeared.)
    · Group Policy Snap-In
    · Group Policy Tab for Active Directory Tools
    · Administrative Templates (Computers)
    · Administrative Templates (Users)
    · Folder Redirection
    · Remote Installation Services
    · Scripts (Logon/Logoff)
    · Scripts (Startup/Shutdown)
    · Security Settings
    · Software Installation (Computers)
    · Software Installation (Users)
    The Task Scheduler is integral to running programs unattended. You can configure it
    with the following properties:
    · Hide Property Pages
    · Prevent Task Run or End
    · Disable Drag and Drop
    · Disable New Task Creation
    · Disable Task Deletion
    · Disable Advanced Menu
    · Prohibit Browse
    The Windows Installer folder contains only three policy settings because most of
    them are stored under Computer Configuration. However, those that are listed here
    must work in conjunction with those under Computer; a conflict between the two can
    adversely affect operation.
    · Always Install with Elevated Privileges
    · Search Order
    · Disable Rollback
    The Internet Explorer folder contains five subfolders and a great many policies. The
    subfolders are Internet Control Panel, Offline Pages, Browser Menus, Persistence
    Behavior, and Administrator Approved Controls. The policy settings are listed here:
    · Search: Disable Search Customization
    · Search: Disable Find Files via F3 Within the Browser
    · Disable External Branding of Internet Explorer
    · Disable Creating Connect To the Internet Icon on Desktop
    · Disable Importing and Exporting of Favorites
    · Disable Changing Advanced Page Settings
    · Disable Changing Home Page Settings
    · Disable Changing Temporary Internet Files Settings
    · Disable Changing History Settings
    · Disable Changing Color Settings
    · Disable Changing Link Color Settings
    · Disable Changing Font Settings
    · Disable Changing Language Settings
    · Disable Changing Accessibility Settings
    · Disable Internet Connection Wizard
    · Disable Changing Connection Settings
    · Disable Changing Proxy Settings
    · Disable Changing Automatic Configuration Settings
    · Disable Changing Ratings Settings
    · Disable Changing Certificate Settings
    · Disable Changing Profile Assistant Settings
    · Disable AutoComplete for Forms
    · Do Not Allow AutoComplete to Save Passwords
    · Disable Changing Messaging Settings
    · Disable Changing Calendar and Contact Settings
    · Disable the Reset Web Settings Feature
    · Disable Changing Default Browser Check
    · Disable Customizing Browser Toolbar Buttons
    · Disable Customizing Browser Toolbars
    · Identity Manager: Prevent Users from Configuring or Using Identities
    For Internet Control Panel, the following policy settings are available:
    · Disable Viewing the General Page
    · Disable the Security Page
    · Disable the Content Page
    · Disable the Connections Page
    · Disable the Programs Page
    · Disable the Advanced Page
    For Offline Pages, the following policy settings are available:
    · Disable Adding Channels
    · Disable Removing Channels
    · Disable Adding Schedules for Offline Pages
    · Disable Editing Schedules for Offline Pages
    · Disable Removing Schedules for Offline Pages
    · Disable Offline Page Hit Logging
    · Disable All Scheduled Offline Pages
    · Disable Channel User Interface Completely
    · Disable Downloading of Site Subscription Content
    · Disable Editing and Creating of Schedule Groups
    · Subscription Limits
    For Browser Menus, the following policy settings are available:
    · File Menu: Disable Save As Menu Option
    · File Menu: Disable New Menu Option
    · File Menu: Disable Open Menu Option
    · File Menu: Disable Save As Web Page Complete
    · File Menu: Disable Closing the Browser
    · View Menu: Disable Source Menu Option
    · View Menu: Disable Fullscreen Menu Option
    · Hide Favorites Menu
    · Tools Menu: Disable Internet Options Menu Option
    · Help Menu: Remove 'Tip of the Day' Menu Option
    · Help Menu: Remove 'For Netscape Users' Menu Option
    · Help Menu: Remove 'Tour' Menu Option
    · Help Menu: Remove 'Send Feedback' Menu Option
    · Disable Context Menu
    · Disable Open in New Window Menu Option
    · Disable Save This Program to Disk Option
    For Persistence Behavior, the following policy options are available:
    · File Size Limits for Local Machine Zone
    · File Size Limits for Intranet Zone
    · File Size Limits for Trusted Sites Zone
    · File Size Limits for Internet Zone
    · File Size Limits for Restricted Sites Zone
    The Administrator Approved Controls folder can hold many subfolders. By default,
    three exist: Databinding, Internet Explorer, and MSN.
    For Databinding, the following policy options are available:
    · RDS
    · TDC
    · XML
    For Internet Explorer, the following policy settings are available:
    · Active Setup
    · Media Player
    · Extras
    · Menu Controls
    · Microsoft Agent
    · Microsoft Chat
    · Webpost
    And, lastly, for MSN, the following policy settings are available:
    · Cache Preloader
    · Carpoint
    · Install
    · Investor
    · MSNBC
    · Music
    · Quick View Access
    4.5 - Troubleshooting End-User Group Policy
    Group Policies can be implemented at any location within the realm of network
    possibilities - Site, Domain, or OU, and they operate in that order (remember
    SDOU). If more than one policy is applied, one can overwrite the other. For example,
    if a policy at the site level removes registry editing tools from all users, and a policy
    at the OU level gives all users the ability to use the registry editing tools, then one
    policy is in conflict with the other and the last one to run (OU, in this case) will win
    out. If there is a local policy defined as well, it will run after all the others and thus
    have the potential to override anything set at a higher level.
    Most of the time you can solve the problems that users are having with Group
    Policies by tracing their login operations and looking for such conflicts. Microsoft
    documents the troubleshooting of Group Policy in the white paper located at
    http://www.microsoft.com/windows2000/techinfo/howitworks/mangement/gptshoot.asp.
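    Tracing the application order by hand is error-prone once several GPOs are linked. The following is an added example (not from the course): a small Python resolver that replays the Site, Domain, OU order for a user's linked GPOs and records, for each setting, the effective value and every earlier value it overrode, reproducing the registry-editing-tools conflict from the text. The GPO names and settings are constructed, and the application order is a parameter so the same routine can be applied to nested OUs.

```python
"""Group Policy precedence tracer (added example; not code from the course).

GPOs are applied Site, then Domain, then OU, and for any setting configured
at more than one level the last level applied wins; a level that leaves a
setting at Not Configured never overrides an earlier one. resolve() replays
that order for a user's linked GPOs and records, per setting, the effective
value and every earlier value it overrode, which is the conflict trace the
text recommends when a user's effective policy is not what you expect.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NOT_CONFIGURED = "Not Configured"
SDOU = ("Site", "Domain", "OU")   # application order; pass a longer tuple to model nested OUs


@dataclass
class GPO:
    name: str
    level: str
    settings: Dict[str, str]   # policy name -> "Enabled" / "Disabled" / NOT_CONFIGURED


@dataclass
class Resolution:
    value: str = NOT_CONFIGURED
    winner: Optional[str] = None                                   # GPO that set the value
    overridden: List[Tuple[str, str]] = field(default_factory=list)  # (GPO, value) that lost


def resolve(gpos: List[GPO], order=SDOU) -> Dict[str, Resolution]:
    rank = {level: i for i, level in enumerate(order)}
    unknown = sorted({g.level for g in gpos if g.level not in rank})
    if unknown:
        raise ValueError(f"GPO level(s) not in application order: {unknown}")
    result: Dict[str, Resolution] = {}
    # sorted() is stable, so GPOs linked at the same level keep their link order
    for gpo in sorted(gpos, key=lambda g: rank[g.level]):
        for policy, value in gpo.settings.items():
            if value == NOT_CONFIGURED:
                continue                      # leaves whatever an earlier level set
            res = result.setdefault(policy, Resolution())
            if res.winner is not None and res.value != value:
                res.overridden.append((res.winner, res.value))
            res.value, res.winner = value, gpo.name
    return result


def conflicts(result: Dict[str, Resolution]) -> Dict[str, Resolution]:
    """Only the settings where one level's value was overwritten by a later one."""
    return {p: r for p, r in result.items() if r.overridden}


def trace(result: Dict[str, Resolution]) -> List[str]:
    """One readable line per setting, the way you would read it off a login trace."""
    lines = []
    for policy, res in sorted(result.items()):
        line = f"{policy}: {res.value} (set by {res.winner})"
        for gpo, value in res.overridden:
            line += f"; overrides {value} from {gpo}"
        lines.append(line)
    return lines


# Constructed sample: the registry-tools conflict from the text, a site-level
# setting nothing overrides, and a domain GPO that leaves one setting alone.
SAMPLE_GPOS = [
    GPO("Helpdesk OU Policy", "OU", {"Disable Registry Editing Tools": "Disabled"}),
    GPO("Site Lockdown", "Site", {"Disable Registry Editing Tools": "Enabled",
                                  "Disable the Command Prompt": "Enabled"}),
    GPO("Default Domain Policy", "Domain", {"Disable the Command Prompt": NOT_CONFIGURED,
                                            "Disable Task Manager": "Enabled"}),
]

if __name__ == "__main__":
    for line in trace(resolve(SAMPLE_GPOS)):
        print(line)
```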
    4.6 - Implementing and Managing Security Policies by Using
    Group Policy
    Using Group Policy to implement security policies is documented at
    http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9169
    The following figure shows the security settings, which were addressed earlier in the
    discussion of local/group policies in objective 4.4:
    Security Settings can be applied beneath the Computer or User configurations.
    Know that in Windows 2000 Professional, the Local Policies folder contains three
    subfolders: Audit Policy, User Rights Assignment, and Security Options. The first two
    were discussed earlier; the latter offers the following policies:
    · Allow Server Operators to Schedule Tasks (domain controllers only)
    · Allow System to Be Shut Down Without Having to Log On
    · Allowed to Eject Removable NTFS Media
    · Audit the Access of Global System Objects
    · Audit Use of All User Rights Including Backup and Restore
    · AutoDisconnect: Allow Sessions to Be Disconnected When They Are Idle
    · AutoDisconnect: Amount of Idle Time Required Before Disconnecting Session
    · Automatic Administrative Logon When Using Recovery Console
    · Clear Virtual Memory Pagefile When System Shuts Down
    · Digitally Sign Client Communication (Always)
    · Digitally Sign Client Communication (When Possible)
    · Digitally Sign Server Communication (Always)
    · Digitally Sign Server Communication (When Possible)
    · Disable CTRL+ALT+DEL Requirement for Logon
    · Do Not Allow Enumeration of Account Names and Shares by Anonymous Users
    · Do Not Display Last User Name in Logon Screen
    · Encrypt Files in the Offline Folders Cache
    · LAN Manager Authentication Level
    · Message Text for Users Attempting to Log On
    · Message Title for Users Attempting to Log On
    · Number of Previous Logons to Cache (In Case Domain Controller Is Not
    Available)
    · Prevent System Maintenance of Computer Account Password
    · Prevent Users from Installing Printer Drivers
    · Prompt User to Change Password Before Expiration
    · Rename Administrator Account
    · Rename Guest Account
    · Restrict CD-ROM Access to Locally Logged-On User Only
    · Restrict Floppy Access to Locally Logged-On User Only
    · Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)
    · Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)
    · Secure Channel: Digitally Sign Secure Channel Data (When Possible)
    · Secure Channel: Require Strong (Windows 2000 or Later) Session Key
    · Send Unencrypted Password to Connect to Third-Party SMB Servers
    · Shut Down System Immediately If Unable to Log Security Audits
    · Smart Card Removal Behavior
    · Strengthen Default Permissions of Global System Objects (e.g. Symbolic
    Links)
    · Unsigned Driver Installation Behavior
    · Unsigned Non-Driver Installation Behavior
    The default setting for each is Not Defined, but typical options are Enabled and
    Disabled. If the option requires a value (such as Rename Administrator Account), the
    dialog box asks for the new value.

    Chapter 5
    Configuring, Securing, and Troubleshooting Remote
    Access
    5.1 - Configuring and Troubleshooting Remote Access and
    Virtual Private Network Connections
    A Virtual Private Network (VPN) allows for secure communications with a private
    network to take place across a public medium (the Internet). This is accomplished by
    "tunneling" packets of data within other packets. There are two protocols available
    for use in creating VPNs:
    · PPTP (Point-to-Point Tunneling Protocol). This protocol became available
    in Microsoft operating systems starting with Windows NT 4.0. It is an
    extension of PPP (Point-to-Point Protocol), and it uses MPPE (Microsoft
    Point-to-Point Encryption) for data security.
    · L2TP (Layer 2 Tunneling Protocol). This protocol is new to Microsoft
    operating systems as of Windows 2000 (though it has been used by other vendors
    for a number of years). It uses IPSec (IP Security) for encryption.
    In Windows 2000, remote access and VPN connections are configured through the
    Routing and Remote Access MMC snap-in. Enabling the Routing and Remote Access
    Service is detailed at
    http://www.microsoft.com/windows2000/en/server/help/ras_how_enable_rras.htm.
    For information on how to set up remote access for an intranet, point your browser
    to http://support.microsoft.com/support/kb/articles/q301/1/93.asp.
    In a nutshell, you must first access Start | Programs | Administrative Tools | Routing
    and Remote Access. From there, you can choose a server, and elect to Configure and
    Enable Routing and Remote Access, as shown in the following figure:
    A red arrow beside the server indicates that you have yet to configure and enable
    the service.

    This brings up the Routing and Remote Access Server Setup Wizard, as shown in the
    following figure:
    The Wizard guides you through the setup process.
    Within this wizard, you can choose to configure a remote access server or a VPN
    server, as shown in the following figure:
    You can choose to add a VPN server, RAS server, or a number of other choices within
    the wizard.

    NOTE: Before running this wizard, you must have already installed all the network
    protocols to be used (via the Network and Dial-up Connections folder). You cannot
    add additional protocols from within this wizard.
    When clients connect to the server, you can automatically issue them DHCP
    addresses and related IP information, as shown in the following figure:
    IP addresses can come from a DHCP server or from a pool located on this server.
    The DHCP Relay Agent service is required for clients to properly receive the
    configuration data they need.
    Authentication can be done through RADIUS (Remote Authentication Dial-In User
    Service), as shown in the following figure:
    RADIUS can handle all the authentication requests.
    If you elect to use RADIUS, you must specify a primary and alternate RADIUS server
    (already existing) to be used. When configuration is finished, the service will start, as
    shown in the following figure:
    The final step, after configuration, is to start the service.
    After the configuration is finished, you can view--and change--the parameters by
    accessing the properties for the server, as shown in the following figure:
    The Properties page can be used for additional configuration and modification.
    The first step in troubleshooting the service is to verify the current status. For more
    information, point your browser to
    http://www.microsoft.com/windows2000/en/server/help/mpr_tshoot_servstat.htm.
    5.2 - Troubleshooting a Remote Access Policy
    A Remote Access Policy is nothing more than a rule, or set of rules, that governs
    connections. There can be multiple policies, and all that apply to a particular user will
    execute. The default Remote Access Policy is created when the Routing and Remote
    Access service is added to the host, as shown in the following figure:
    The default policy is created when Routing and Remote Access is enabled.
    This profile can be edited, deleted, and modified in any way you choose, as shown in
    the following figure:
    The default policy can be modified or even deleted.
    Notice in the figure that you can grant or deny authorization by the time of day and
    day of the week. You can also do so based on the group the remote access user
    belongs to, the type of connection, and a number of other criteria.
    Information on adding a Remote Access Policy can be found at
    http://ww.microsoft.com/windows2000/en/server/help/sag_nap_add.htm. "Managing Remote
    Access on a Per-group Basis Using Windows 2000 Remote Access Policies" is
    discussed at
    http://www.microsoft.com/windows2000/techinfo/administration/management/pgremote.asp.
    For troubleshooting, memorize the flowchart found at
    http://www.lsc.mnscu.edu/Academics/Programs/cis/gustafth/Homework/CIS2954/Ch11.htm
    showing whether connections are accepted or rejected.


    5.3 - Implementing and Troubleshooting Terminal Services
    for Remote Access
    Simply stated, Terminal Services adds the ability to run multiple terminal sessions on
    a Windows 2000 Server. Terminal Services are included with Windows 2000 for both
    16- and 32-bit Windows clients; this allows you to use a true "thin" client. If you only
    use the service to connect to the server(s) and do administration (known as "remote
    administration mode"), no additional licensing is needed. If, however, you use
    Terminal Services for clients to connect (known as "application server mode"), then
    additional licenses are needed. Know that the former minimizes performance hits on
    the server, whereas the latter is very server-intensive and requires a robust server to
    handle the connections.
    After the service has been added (via Add/Remove Programs), there are a number of
    components to Terminal Services accessible from Start | Programs | Administrative
    Tools, as shown in the following figure:

    A number of menu options are available for working with Terminal Service
    components.

    Choosing Terminal Services Configuration, you can define settings for both the server
    and the user connections. The server settings are truly just a policy, as shown in the
    following figure:

    The default configuration is truly just a policy with minimal settings.
    The Connections settings allow you to configure a plethora of options. Of key
    importance are those options on the Client Settings tab and the Sessions tab. On the
    Client Settings tab, you can choose to disable any of the following:
    · Drive mapping
    · Windows printer mapping
    · LPT port mapping
    · COM port mapping
    · Clipboard mapping
    · Audio mapping
    On the Sessions tab, you can choose whether to override user settings, and allow
    reconnection from any client or only from a previous client.
    Information on how to install Terminal Services in application server mode, and
    troubleshooting, is detailed at
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q306626. The
    counterpart--configuring for remote administration, and troubleshooting--can be
    found at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300847.
    Information on how to use client services is detailed at
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306566.


    5.4 - Configuring and Troubleshooting Network Address Translation and Internet Connection Sharing
    The Internet Connection Sharing service is available with both Professional and
    Server operating systems. The Internet Connection Sharing tab, available on the
    Properties page of any existing Internet connection, enables you to configure a
    workstation so that other computers on the network can access the Internet through
    it. If this is configured on a non-dedicated connection, on-demand dialing can also be
    turned on to establish a connection. This allows a Windows 2000 Professional
    workstation, in essence, to become a proxy server, as shown in the following figure:

    On a connection's Internet Connection Sharing tab, you can configure the connection
    to allow access from network users.
    The "Enable Internet Connection Sharing for this connection" check box enables you
    to turn on the feature. The drop-down box displays the different networks of which
    the workstation is a member. You can also specify whether the connection should be
    utilized if there is not a session present (on-demand dialing).
    The Settings button at the bottom of the dialog box allows you to configure
    applications or services to be enabled for computers sharing the connection. The
    following figure shows the configuration screen for applications.

    Applications are configured by port number.
    Common applications and their default port numbers are as follows:
    WWW 80
    FTP 21
    Telnet 23
    SMTP 25
    Internet Connection Sharing is truly meant for small networks (home and small
    offices) and offers very little configuration. The host sharing the connection must use
    the private address 192.168.0.1, and it must also function as a DHCP server (leasing
    addresses in the 192.168.0.x range) and DNS server. Furthermore, the subnet
    mask must always be 255.255.255.0.
    For larger networks, DHCP and DNS functions should be handled by another
    server(s); instead of using ICS, the NAT (Network Address Translation) service
    (available only with Server) can be used. NAT is far more flexible than ICS. With it,
    you can use any private address range (not just 192.168.0.x) and any subnet value.
    Multiple public addresses (thus, multiple public connections) can also be employed.
    NAT is installed through the Routing and Remote Access Server Setup Wizard. Note
    that the first option in the third figure in this article allowed you to choose to install
    an "Internet Connection Server." Once this option has been chosen, you can choose
    ICS or NAT, as shown in the following figure:

    The Routing and Remote Access Server Setup Wizard is used to install both ICS and
    NAT.

    Once NAT is chosen, you can choose to use an existing Internet connection or add a
    new demand-dial connection. Information on how network address translation is
    added to Routing and Remote Access is outlined at
    http://www.microsoft.com/windows2000/en/server/help/mpr_how_nat_add.htm,
    whereas the actual deploying of NAT is given at
    http://www.microsoft.com/windows2000/en/server/help/sag_rras-ch3_06d.htm.
    The wizard (troubleshooter) at
    http://www.microsoft.com/windows2000/en/server/help/sag_RRAS-CH5_10.html
    walks through the steps for troubleshooting common NAT problems.

    Appendix A
    Installing and Configuring Active Directory
    Before installing Active Directory, you should first understand what it is. Active
    Directory is a database that stores information about objects in your network--such
    as users, computers, printers, and shared folders--in a central location.
    Active Directory relies on the following items to function properly:
    · Lightweight Directory Access Protocol (LDAP). LDAP is used to look up
    and add objects to Active Directory. Using LDAP, administrators, executives,
    or anyone with appropriate access can query Active Directory for information
    such as user names, addresses, or any other data stored in Active Directory.
    · Domain Controller. A domain controller is a computer that holds a copy of
    the Active Directory database. Domain controllers are also responsible for
    authenticating user requests.
    · DNS. A hierarchical system of organizing name spaces, as well as the service
    that is responsible for resolving host names to IP addresses and resolving IP
    addresses to host names.
    · Objects. Any item stored in Active Directory is referred to as an object.
    Users, computers, printers, shares, and so on are all considered objects.
    · The schema. The schema determines what attributes about an object
    are stored, such as a user's first and last name, address, and telephone
    number, and can be edited to include a spouse's name or even a user's
    dog's name. The schema has predefined objects and attributes when you
    install Active Directory, and can be edited only by a member of the Schema
    Admins group.
    · Domains. Domains are the central part of any network. Domains act as
    security boundaries; different domains, even sub-domains, have their own
    security settings. Domains contain the Active Directory database of all the
    network's users and computers.
    · Domain trusts. Trust exists between two or more domains that do not share
    a contiguous name space. It allows users in one domain to access resources
    in another domain. By default, Windows 2000 uses a two-way transitive trust,
    meaning that if DomainA trusts DomainB and DomainB trusts DomainC, then
    DomainA also trusts DomainC and vice versa (DomainB trusts DomainA, and
    DomainC trusts DomainB, and DomainC trusts DomainA).
    · Trees. A tree is a hierarchical grouping of domains that share global catalog
    servers, a contiguous namespace (corptech.com, sales.corptech.com, and
    it.corptech.com, for example), and a common schema. Corptech.com could
    not store a different set of attributes in its schema than it.corptech.com.

    [Figure: the corptech.com tree, with the child domains sales.corptech.com and
    it.corptech.com beneath corptech.com.]
    · Forests. A forest is a collection of trees that trust each other. The trees do
    not need to share a common namespace but do require the same schema and
    global catalog servers. A forest enables users in one domain to access
    resources in another domain.

    [Figure: a forest containing the two trees corptech.com and techiegeek.com.]
    · Global catalog server. A global catalog server, as the name implies,
    contains a copy of the global catalog, which is used to store the most
    common queries against the Active Directory database and holds Universal
    Group membership. The global catalog server, by default, is the first domain
    controller that you create in a domain. The global catalog server is also
    important because DNS will ask the global catalog which domain controller
    should authenticate a user's logon request. If a user has never logged on to
    the network before and the global catalog is down, the logon request will fail.
    A user that has successfully logged on in the past would still be able to log on
    using cached credentials but would only have access to resources in his or her
    domain.
    · Organizational units (OUs). OUs make up the logical structure of your
    network. They contain objects such as user accounts, groups, printers,
    applications, computers, file shares, and other OUs. The hierarchy of an OU
    within a domain is independent of the structure of other domains; that is,
    every domain can implement its own OU hierarchy.

    [Figure: an example OU hierarchy with the OUs Texas, IS, Admins, Sales, and
    Marketing.]
    · Sites. Sites are defined as a single subnet or group of subnets connected by
    a high-speed, reliable connection. A single site could consist of multiple cities
    that are connected by a T1 connection. Even though they are in separate
    physical locations, they have a high-speed, reliable connection. You can use
    sites to define the actual physical structure of your network. You can use
    them to break up your company by country, state, city, or even floors in a
    building. The main benefit of using a site is that replication between domain
    controllers can have a set schedule and the data is compressed.
    Requirements for Installing Active Directory
    · You must be using a computer that is running Windows 2000 Server, Windows
    2000 Advanced Server, or Windows 2000 Datacenter Server.
    NOTE: Make sure that the computer on which you are installing Windows 2000
    Server meets the following minimum requirements:

    Pentium 133MHz or higher
    128MB RAM (256MB or more recommended)
    2GB hard drive with at least 1GB free
    VGA monitor (800x600 resolution or higher recommended)
    CD-ROM drive
    Keyboard
    Pointing device (optional)
    · You should have an additional 200MB for the Active Directory database and
    50MB for log files on the FAT, FAT32, or NTFS partitions.
    · You need a drive formatted with NTFS to store the SYSVOL folder.
    NOTE: If you do not have any partitions formatted with NTFS and all drives are
    currently in use, use the CONVERT command to change from FAT to NTFS.
    · TCP/IP must be functioning.
    · Finally, DNS should be installed, either a Windows 2000 DNS server or another
    DNS server, such as UNIX, running BIND 8.2.1. (Note that although BIND 8.2.1
    supports dynamic updates, Windows 2000 dynamic updates require BIND
    8.2.2.) DNS is not required to start the Active Directory installation process.
    If DNS is not installed when you are installing Active Directory, it will prompt
    you to set up DNS before the Active Directory Installation wizard finishes.
    Installing Active Directory
    You have two options to install Active Directory. The first (and probably least used)
    option is the Configure Your Server applet that first appears after you install
    Windows 2000 Server or by clicking Start, Programs, Administrative Tools (see the
    following figure).

    The Configure Your Server startup screen.
    When you click the Active Directory link, the wizard asks whether you will be creating
    an additional domain controller in an existing domain, creating a new domain or child
    domain, or creating a new forest. Once you have decided, scroll to the bottom and
    click Start, which launches the Active Directory Installation Wizard, as shown in the
    following figure.

    The Active Directory Installation Wizard start screen.
    The other (and more commonly used) method of installing Active Directory is by
    using the DCPROMO command, as follows:
    1. Click Start, go to Run, and then type in DCPROMO, which will launch the
    Active Directory Installation Wizard.
    NOTE: For purposes of this study guide, we will be installing a new forest called
    corptech.com.
    2. Click Next to open the Domain Controller Type dialog box, which offers the
    following two options:
    Domain controller for a new domain. This option will create a new
    forest, tree, or child domain.
    Additional domain controller for an existing domain. This option
    will add another domain controller to your existing domain.
    3. Select the Domain controller for a new domain radio button, and then click
    Next. The Create Tree or Child Domain screen appears, with the following two
    options:
    Create a new domain tree. This option will create a new domain and
    forest.
    Create a new child domain in an existing domain tree. This
    option will create a new child domain, such as it.corptech.com or
    sales.corptech.com.
    4. Select Create a new domain tree, and then click Next. The Create or Join
    Forest screen appears with the following options:
    Create a new forest of domain trees. Select this option if you are
    installing Active Directory on the first computer in your organization.
    Place this new domain tree in an existing forest. Select this
    option to add your new tree to an existing forest.
    NOTE: Currently, there is no way in Windows 2000 to join two different forests that
    have already been created.
    5. Select the Create a new forest of domain trees radio button, and then click
    Next. The next screen--New Domain Name--is where you enter the DNS
    name for the new domain.

    NOTE: Even if your company is not planning an Internet presence, it's still a good
    idea to register an Internet domain name before you start the installation process.
    You can then set your internal domain name to have a name similar to the Internet
    domain name. The internal domain name cannot easily be changed; you would have
    to entirely remove your domain and re-run the Active Directory Installation wizard to
    change your domain name. So if your company decides to change its plans in the
    future, your name space would still be similar.
    6. Enter the DNS name for your domain (corptech.com), and then click Next.
    NOTE: For legacy support, Windows 2000 takes the first 15 letters of your domain
    name as its NetBIOS name. If, at a later date, you try to install a child domain, the
    first 15 letters must be different.
    7. Click Next at the NetBIOS Domain Name screen to accept the default NetBIOS
    name.
    8. The next screen--Database and Log Locations--enables you to choose the
    directory of the Active Directory database and log files. By default, both will
    point to %systemroot%. Because the database is constantly being accessed
    and the logs constantly being written to, it's a good idea to put them on
    separate physical drives. Click Browse to choose a new location for the files,
    or choose Next to accept the default location.
    9. The Shared System Volume screen appears next, allowing you to change the
    location of the SYSVOL folder. Remember that the SYSVOL folder must be
    installed to an NTFS partition. Select the destination and click Next.
    10. At this point, if you have not previously installed DNS, the wizard will inform
    you that it "Can't contact the DNS server" for the desired domain. (If you
    have already installed DNS, confirm that it's functioning. Or, you have the
    option of installing DNS.) Click OK to open the Configure DNS dialog box.
    11. Since we have not installed DNS, we now are given the option to do so, or we
    can install it at a later date. (Isn't Windows 2000 trusting?) Select the Yes,
    install and configure DNS on this computer radio button, and then click Next.
    12. The next window--Permissions--prompts you to select the default permissions
    for users and groups.
    Permissions compatible with pre-Windows 2000 servers. Select
    this option if you currently have legacy systems running applications
    such as RAS or database hosting. You will notice an error stating that
    anonymous users can read information on this domain. While this
    could be a security concern, it is recommended that you select this
    option in case problems arise with current applications or if a Windows
    NT application server needs to be added in the future.
    Permissions compatible only with Windows 2000 servers. Select
    this option only if you are sure all current network applications can run
    properly on Windows 2000. Only authenticated users will be able to
    read information on this domain.

    13. Select the Permissions compatible with pre-Windows 2000 servers option, and
    then click Next. The Directory Services Restore Mode Administrator Password
    dialog box appears.
    14. Assign the password for the administrator. Although there is no minimum
    (you could just hit Enter and leave the field blank), the administrator
    password should be at least 9 characters long and contain both letters and
    numbers. For practice purposes, enter password, and then click Next.
    15. The last dialog before the Active Directory installation begins is the Summary
    screen, as shown in the figure. Make sure that you have selected all the
    correct options, and then click Next. If there are any options you wish to
    change, hit the back button to return to that screen and make the necessary
    changes.
    16. Active Directory will begin the installation process. The Configuring Active
    Directory dialog box will display messages about the task in progress. When
    the Completing the Active Directory Installation dialog box appears, click
    Finish and reboot your computer.

    The Active Directory Installation Wizard's Summary page.
    Congratulations! You now have a Windows 2000 domain and domain controller.

    NOTE: If you use the Active Directory Installation Wizard to install DNS, it will
    automatically create it as an Active Directory Integrated DNS Zone.
    NOTE: If you need to configure a Windows NT 4 computer as a domain controller, be
    sure you haven't switched from mixed mode to native mode (this is a one-time only
    switch) and set it up as a backup domain controller in an existing domain. Before
    starting the NT installation process, you need to create a computer account for it--
    but not in Active Directory; you need to use Server Manager, the same utility you
    would use in Windows NT.
    Automating Domain Controller Installation
    As with previous versions of Windows, Microsoft has created a method for
    automating the installation of Active Directory using answer files. An answer file is
    simply a text document--properly formatted, of course--that answers the questions
    for the Active Directory Installation Wizard.
    You can automate the installation in one of the following two ways:
    If you are using an answer file to automate your installation of Windows 2000
    Server, you can add the following command line to the [GuiRunOnce] section
    of the server answer files:
    Commandx = "dcpromo /answer:<answerfile>"
    where x is the number of the command (0, 1, 2, etc.).
    The other option is just to add the /answer switch after you type the
    DCPROMO command in the Run box:
    dcpromo /answer:<answerfile>.txt
    The following are several keys that you should be aware of. (Note that this is not the
    entire list. You can view information on automated installations by installing the
    Resource Kit or by extracting the Unattended.doc from the deploy cab.)
    · AdministratorPassword. By default, this is set to nothing. It's a good idea
    to leave it blank and change the password right away. This prevents any issues
    should the answer file become compromised.
    · AutoConfigDNS. By default, this value is set to yes and is used to tell the
    Active Directory Installation Wizard if it should install DNS should it not find a
    DNS server on the network. If you already have DNS configured and running
    it may be a good idea to set this to No in case a connectivity problem has
    arisen.
    · CreateOrJoin. Specifies whether the domain being created is part of an
    existing forest or creates a new forest.
    · DatabasePath and LogPath. Specify the path to the database and log files.
    By default both are set to %systemroot%\NTDS but, as we discussed earlier, it is
    a good idea to have the database and the log files on separate physical drives.
    · NewDomainDNSName. Specifies the DNS name of a new tree or a new forest, for
    example corptech.com. By default this is blank.
    · ParentDomainDNSName. Specifies the domain name of an existing domain
    if a child domain is being created.
    · ChildName. Specifies the child domain name. If the parent name is
    corptech.com and the ChildName is "sales", then the new domain is
    sales.corptech.com. This is blank by default.
    · ReplicaOrNewDomain. Set to Replica by default. Specifies whether the new
    domain controller is installed as the first domain controller in a new
    domain or as a replica (additional domain controller) in an existing domain.
    Again, this is not a complete list, just some of the more important items.
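The following Python script is an added example, not code from the study guide or from Microsoft. It builds a dcpromo answer file from the keys described above and then audits the file for the two cautions the text gives (a password stored in the file, and database and log files on the same drive), plus the 15-character NetBIOS name rule from step 6 of the installation. The [DCInstall] section name and the values Domain, Create and Join are assumptions not stated on this page; the drive letters and domain names are constructed sample values.

```python
"""Build and audit a dcpromo answer file (added example; the [DCInstall] section
name and the values "Domain", "Create" and "Join" are assumptions not given in
the text above)."""

NETBIOS_MAX = 15        # Windows 2000 keeps the first 15 characters as the NetBIOS name
SECTION = "DCInstall"   # assumed section name that dcpromo reads the keys from


def netbios_name(dns_name: str) -> str:
    """Default NetBIOS name: leftmost DNS label, upper-cased, cut to 15 characters."""
    return dns_name.split(".")[0].upper()[:NETBIOS_MAX]


def build_answer_file(*, new_domain=None, parent_domain=None, child_name=None,
                      database_path=r"D:\NTDS", log_path=r"E:\NTDSLogs",
                      auto_config_dns=False) -> str:
    """Return answer-file text for a new forest root (new_domain) or for a new
    child domain (parent_domain plus child_name).  AdministratorPassword is
    written blank on purpose, as the text above advises."""
    is_root = new_domain is not None
    is_child = parent_domain is not None and child_name is not None
    if is_root == is_child:
        raise ValueError("give either new_domain, or parent_domain and child_name")
    keys = [
        ("AdministratorPassword", ""),
        ("AutoConfigDNS", "Yes" if auto_config_dns else "No"),
        ("ReplicaOrNewDomain", "Domain"),      # first DC of a new domain, not a replica
        ("DatabasePath", database_path),
        ("LogPath", log_path),
    ]
    if is_root:
        keys += [("CreateOrJoin", "Create"), ("NewDomainDNSName", new_domain)]
    else:
        keys += [("CreateOrJoin", "Join"),
                 ("ParentDomainDNSName", parent_domain), ("ChildName", child_name)]
    return "\n".join([f"[{SECTION}]"] + [f"{k}={v}" for k, v in keys]) + "\n"


def parse_answer_file(text: str) -> dict:
    """Minimal INI reader returning {section: {key: value}}; blank values are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def audit_answer_file(text: str, existing_netbios=()) -> list:
    """Findings a reviewer would raise before handing the file to dcpromo."""
    dc = parse_answer_file(text).get(SECTION, {})
    findings = []
    if dc.get("AdministratorPassword"):
        findings.append("AdministratorPassword is stored in the file; leave it blank "
                        "and set the password right after promotion")
    db, log = dc.get("DatabasePath"), dc.get("LogPath")
    if db and log and db[:2].upper() == log[:2].upper():
        findings.append("DatabasePath and LogPath are on the same drive; "
                        "use separate physical drives")
    name = dc.get("NewDomainDNSName") or dc.get("ChildName") or ""
    if name and netbios_name(name) in {netbios_name(n) for n in existing_netbios}:
        findings.append(f"NetBIOS name {netbios_name(name)} (first {NETBIOS_MAX} "
                        "characters) collides with an existing domain")
    return findings


if __name__ == "__main__":
    # Constructed sample: the corptech.com forest root used throughout the text above.
    text = build_answer_file(new_domain="corptech.com")
    print(text)
    print("findings:", audit_answer_file(text))
```

Run the audit over any answer file you check into a build share before it is referenced from a [GuiRunOnce] section; a blank password line and separate drive letters are the expected result.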
    Active Directory Tools
    There are several tools used to manage Windows 2000 and Active Directory. The
    following is a list of the most useful.
    NOTE: All of the following tools utilize MMC (Microsoft Management Console). You
    can create custom MMCs by selecting Start | Run, and then typing MMC. Then click
    on Console and Add/Remove snap in. Select the desired snap-ins and save.
    · Active Directory Users and Computers. The main Active Directory utility
    used to create OUs and Group Policies, and to manage user accounts (see the
    figure).

    Active Directory Users and Computers.
    · Active Directory Sites and Services. An important utility, especially if you
    have an enterprise that spans several cities. (The following section discusses
    sites in more detail.)
    · Active Directory Domains and Trusts. Used only in a multiple domain
    environment where trusts need to be created manually.
    NOTE: Remember that in Windows 2000, domains and their children automatically
    create an implicit two-way transitive trust. An example of a two-way transitive trust
    would be: If DomainA trusts DomainB and DomainB trusts DomainC, then DomainA
    also trusts DomainC and DomainC also trusts DomainA. This is not true in Windows
    NT; DomainA and DomainC would have no trust unless trusts were directly created.
    · Active Directory Replication Monitor. This is not installed by default. You
    need to install the support tools from the Windows 2000 Installation CD or the
    Resource Kit. You can type REPLMON in the Run box to start this utility.
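The Python below is an added example, not code from the study guide, illustrating both the "Domain trusts" definition in Appendix A and the NOTE above on Active Directory Domains and Trusts. It computes which domains end up trusting which from a list of directly created trusts, once with Windows 2000 transitive chaining and once in Windows NT style where only direct trusts count. The forest layout (corptech.com with two child domains and a second tree, techiegeek.com) and the DomainA/DomainB/DomainC chain are the page's own examples; the trust pairs are constructed from them.

```python
from collections import deque


def two_way(domain_a: str, domain_b: str):
    """A two-way trust is just a pair of one-way trusts, one in each direction."""
    return [(domain_a, domain_b), (domain_b, domain_a)]


def effective_trusts(direct_trusts, transitive=True):
    """Return the set of (trusting, trusted) pairs implied by the direct trusts.

    direct_trusts: pairs (trusting, trusted).  With transitive=True, the
    Windows 2000 behaviour described above, trusts chain: if A trusts B and
    B trusts C then A trusts C.  With transitive=False (Windows NT style)
    only the directly created pairs count."""
    trusted_by = {}
    for trusting, trusted in direct_trusts:
        trusted_by.setdefault(trusting, set()).add(trusted)
    if not transitive:
        return {(a, b) for a, bs in trusted_by.items() for b in bs}
    result = set()
    for start in trusted_by:              # breadth-first walk along trust edges
        seen, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            for nxt in trusted_by.get(node, ()):
                if nxt != start and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        result |= {(start, d) for d in seen}
    return result


def can_grant_access(resource_domain, user_domain, trust_set):
    """Access in resource_domain can be granted to a user_domain account only
    when resource_domain trusts user_domain (or they are the same domain)."""
    return resource_domain == user_domain or (resource_domain, user_domain) in trust_set


# Constructed sample: the forest drawn in Appendix A.  Parent/child trusts inside
# the corptech.com tree, plus the tree-root trust to the second tree techiegeek.com.
FOREST = (two_way("corptech.com", "sales.corptech.com")
          + two_way("corptech.com", "it.corptech.com")
          + two_way("corptech.com", "techiegeek.com"))

# The DomainA / DomainB / DomainC chain from the NOTE above.
CHAIN = two_way("DomainA", "DomainB") + two_way("DomainB", "DomainC")

if __name__ == "__main__":
    w2k = effective_trusts(FOREST)
    nt = effective_trusts(FOREST, transitive=False)
    print("sales.corptech.com trusts techiegeek.com (Windows 2000):",
          can_grant_access("sales.corptech.com", "techiegeek.com", w2k))
    print("sales.corptech.com trusts techiegeek.com (Windows NT):  ",
          can_grant_access("sales.corptech.com", "techiegeek.com", nt))
```

The point for an administrator is the size of the resulting set: with transitive trusts every domain in the four-domain forest trusts every other, so a group or ACL in any one domain can reference accounts from all of them, which is why the guide treats the domain, not the forest, as the security boundary.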
    Creating Sites, Subnets, Site Links, and Connection Objects
    Before you learn how to create each of these, you should understand what they are
    and what their purpose is.

    · Sites. Sites are used to define the actual physical structure of your network.
    They can be used to break up your company by country, state, city, or even
    floors in a building. A benefit of using a site is that replication between
    domain controllers is compressed. We can also schedule replication to happen
    at times that make effective use of slow bandwidth links.
    · Subnets. Subnets are a portion of a network that shares a common network
    address. In order to properly configure different sites, you should define the
    subnets they are located on and associate a physical location with them, which
    is used when searching for printers.
    · Site links. Site links are the protocols used to connect sites. By default, the
    DefaultIPSiteLink is used. Each site link has the following attributes:
    Transport. The protocol that will be used for the link.
    Member Sites. The sites that will be included in the site link.
    Cost. If there is more than one link between sites, the cost determines
    which will be used. The lower the cost, the more likely it will be used.
    The cost value can be between 1 and 32,767.
    Schedule. Defines the time that replication can occur.
    Replication Interval. Defines how often replication will occur.
    · IP. Used when there is a reliable, high-speed link between sites.
    · SMTP. Used when there is no reliable connection between sites. It functions
    much the same as email servers sending messages back and forth. SMTP
    cannot be used for replication within a domain because the FRS (file replication
    service) does not work over SMTP; the file replication service is not used between
    different domains.
    · Connection objects. Connection objects are used to create direct links
    between two domain controllers in a forest.
    · Knowledge Consistency Checker (KCC). The KCC creates the replication
    topology for domain controllers in a single domain.
    Creating Sites
    By default, when you install Windows 2000 Active Directory, it creates the Default-
    First-Site-Name and places all domain controllers in this site.
    NOTE: Before you start creating new sites, it's a good idea to rename the Default-
    First-Site-Name to something more pertinent, depending on how you are going to
    name your site--either by city, state, country, etc.
    To create a new site, perform the following:
    1. Start the AD Sites and Services MMC by clicking Start, Programs,
    Administrative tools.
    2. Right-click on Sites, and then choose New Site. The New Object - Site dialog
    box appears.
    3. Enter a name for the site, select the site link to use (by default the only site
    link available is DefaultIPSiteLink, under IP), and then click OK. You will see a
    message stating the following:
    Site <SiteName> has been created. To finish configuration of Denver:
    Ensure that <SiteName> is linked to other sites with site links as
    appropriate.
    Add subnets for <SiteName> to the subnets container.
    Install one or more domain controllers in <SiteName>, or move
    existing domain controllers into the site.
    Select the licensing computer for <SiteName>.
    4. Click OK, and you will see your new site.
    To ensure that the site links are configured properly:
    1. Expand Inter-Site Transports.
    2. Select the site link in the appropriate folder.
    3. Double-click and ensure that both sites appear in the sites in this site link
    box.
    Creating Subnets
    The next step is to add the subnet that is associated with that site. To add a new
    subnet, complete the following steps:
    1. Click on Start, Programs, Administrative Tools, Active Directory Sites and
    Services.
    2. Right-click the subnet container, and then select Create New Subnet. The New
    Object - Subnet screen appears, as shown in the next figure.
    3. Enter the subnet information, select a site to associate with the subnet, and
    then click OK.

    The New Object - Subnet screen.
    4. At this point, you should either install a new domain controller in the given
    site, or, if that site already physically exists and has domain controllers in it,
    click on the servers container under Default-First-Site-Name, right-click the
    appropriate server, and then select Move. Select the site to which you want to
    move the server, and then click OK.
    5. If you need to change the server responsible for site licensing, click once on
    the site container, and then double-click Site Licensing Settings in the main
    window. When the Site Licensing Settings Properties dialog box opens, click
    the Change button, and then select the appropriate server in the site.
    Creating Site Links
    You can create a site link for different sites. Although not required, site links help
    replication (by controlling the schedule, replication interval, and cost), and you may
    find it easier to control Active Directory replication between your sites if there are
    only two sites for each site link, rather than all the sites in your enterprise sharing
    the same site link. If you want to use SMTP rather than RPC over IP, for example, you
    have to manually create a site link in the SMTP container.
    RPC is used for high-speed connections and can replicate all Active Directory
    partitions.
    SMTP would be used for lower speed connections, such as a 56k dial-up connection
    between different domains. SMTP can only be used for global catalog replication and
    replication of the configuration and schema partitions.
    You can also create more than one site link for any site. This allows you to use only
    certain links if the other was not available. To designate which site link it will use,
    you adjust the cost of the link; the lower cost will always take precedence over the
    higher cost. For example, you could configure a site link for your T1 line between two
    sites with a cost of 100, and configure the site link utilizing a 56K-modem line with a
    cost of 200. Now, whenever replication is scheduled to occur, it will try to use the T1
    line first and only use the 56K-modem line if the T1 is unavailable.
    To create a site link, perform the following steps:
    1. Click on Start, Programs, Administrative Tools, Active Directory Sites and
    Services.
    2. Expand the Inter-Site Transports container, and then right-click the desired
    container--either IP or SMTP.
    3. Select New Site Link. The New Object - Site Link window appears.
    4. Enter the name you want to use for the site link, select the sites you want to
    have in it (you must have at least 2 sites for each link), and then click Add.
    5. Click OK.
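To make the site, subnet and site-link definitions above concrete, here is an added Python example (not code from the study guide or from Windows) that does two things Active Directory does for you: it maps a domain controller's IP address to its site through the subnet objects, and it picks the lowest-cost chain of site links between two sites, falling back to the costlier link when the cheaper one is unavailable, exactly as in the T1 (cost 100) versus 56K modem (cost 200) example. The site names, subnets and link names are constructed sample values; only the cost range 1 to 32,767 comes from the text.

```python
import heapq
import ipaddress

COST_MIN, COST_MAX = 1, 32767   # the site-link cost range given in the text above


def site_for_address(ip: str, subnets: dict):
    """Map an address to a site via the subnet objects, given as {cidr: site}.
    The most specific (longest-prefix) subnet wins, so a floor-level /24 can
    sit inside a building-level /16.  Returns None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def cheapest_route(site_links, src: str, dst: str, unavailable=()):
    """Lowest-cost chain of site links from src to dst (Dijkstra over link costs).
    site_links: (name, cost, member_sites) tuples.  Links named in `unavailable`
    are skipped, which models failover to a costlier link.
    Returns (total_cost, [link names]) or None if the sites are not connected."""
    graph = {}
    for name, cost, members in site_links:
        if not COST_MIN <= cost <= COST_MAX:
            raise ValueError(f"site link {name}: cost {cost} outside {COST_MIN}..{COST_MAX}")
        if name in unavailable:
            continue
        for a in members:                 # every member pair is reachable over the link
            for b in members:
                if a != b:
                    graph.setdefault(a, []).append((cost, b, name))
    best = {src: 0}
    heap = [(0, src, [])]
    while heap:
        dist, node, path = heapq.heappop(heap)
        if node == dst:
            return dist, path
        if dist > best.get(node, float("inf")):
            continue                      # stale heap entry, a cheaper path was found
        for cost, nxt, name in graph.get(node, []):
            nd = dist + cost
            if nd < best.get(nxt, float("inf")):
                best[nxt] = nd
                heapq.heappush(heap, (nd, nxt, path + [name]))
    return None


# Constructed sample: three sites, the T1 and 56K-modem links from the text
# above between Denver and Dallas, and a single link on to Austin.
SUBNETS = {"10.1.0.0/16": "Denver", "10.2.0.0/16": "Dallas",
           "10.2.7.0/24": "Dallas-Floor7", "10.3.0.0/16": "Austin"}
SITE_LINKS = [("Denver-Dallas-T1", 100, {"Denver", "Dallas"}),
              ("Denver-Dallas-56K", 200, {"Denver", "Dallas"}),
              ("Dallas-Austin", 100, {"Dallas", "Austin"})]

if __name__ == "__main__":
    print(site_for_address("10.2.7.20", SUBNETS))
    print(cheapest_route(SITE_LINKS, "Denver", "Dallas"))
    print(cheapest_route(SITE_LINKS, "Denver", "Dallas", unavailable={"Denver-Dallas-T1"}))
```

Two things the model makes visible: an address that matches no subnet object gets no site (such a domain controller ends up in whatever site it was installed into, which is a common cause of replication going over the wrong link), and a link shared by more than two sites connects every pair of its members at the same cost, which is why the text suggests one link per pair of sites when you want fine control.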
    Creating Connection Objects
    Typically, connection objects are generated by the Knowledge Consistency Checker
    (KCC). It may be beneficial to manually create connection objects as a backup,
    however, in case one of the connection objects between sites fails--although the KCC
    periodically checks to make sure it is using the best possible connections.
    To create a connection object:
    1. Click on Start, Programs, Administrative Tools, Active Directory Sites and
    Services.
    2. Expand the Servers container for the given site.
    3. Right-click NTDS Settings, and then select New Active Directory Connection.
    The Find Domain Controllers window will open and display a list of domain
    controllers and the sites they are in.
    4. Select the desired server, and then click OK.
    From here, you can control which server your domain controllers will replicate with,
    the schedule it will go by to replicate information, and also switch the transport
    protocol. The following figure shows the Server properties page.

    The Server Connection Properties page.
    Configuring Server Objects
Windows 2000 treats everything as an object. Users, groups, computers, printers,
shares, and Group Policy are all considered objects. We will briefly go over the
purpose of each and how to create it. In subsequent chapters, you will see how
to perform more advanced functions, such as publishing shares, and how Group Policy
objects (GPOs) are linked and flow through your OU structure.
    Organization Units (OUs)
OUs are new to Windows 2000. They provide a means to organize your users into a
folder-like hierarchy, very similar to how File Manager organizes files. They also
provide some level of control over the users or computers in the OU. On any OU you
can create GPOs to define a secure desktop, redirect folders, configure settings for
Internet Explorer, and many other settings. OUs can have child OUs, and child OUs
can have their own child OUs.
    To create an OU:
    1. Right-click where you want the OU to reside, under the domain or under
    another OU.
    2. Select New, and then OU.
    3. Name the OU, and then click OK.
    Within OUs you can create user accounts, computer accounts, printers, or shares,
    which will then be published in Active Directory.
NOTE: Many objects are published automatically, such as Windows 2000 computer
accounts and printers shared from Windows 2000 computers. You need to publish a
printer manually only if it is shared from another type of operating system, such as
Windows NT. Auto-published objects will not be seen in AD Users and Computers
unless your view is set to view objects as containers.
    Users
    Users are the most important part of any network structure. Without users, none of
    the resources you have put together would be used. You use Active Directory Users
    and Computers to create user accounts.
    1. Open Active Directory Users and Computers, and then select the OU or
    container in which you want to create the user account.
2. Right-click, select New, and then select User. The New Object - User screen
appears, as shown in the next figure.
    3. Enter the user information (first, last, full, and logon name), and then click
    Next.
    4. Enter the password for the user. You can select whether the user needs to
    change his or her password or not be allowed to change it. It is best to allow
    users to change their passwords to something they can remember but is
    difficult for others to guess.
    5. Verify the user properties, and then click Finish to close the dialog box and
    add the new user.
The New Object - User dialog box.
NOTE: You can implement a Group Policy to enforce minimum password length, password
lifetime, and complexity. If you have created the account for a user who has not
started yet, you might also consider disabling the account so that a malicious user
cannot attempt to use it in the meantime.
    Groups
Groups are used to assign permissions to a set of people more easily. Imagine if
you had to individually assign every user permission to a shared folder or
printer. Groups allow you to collect users together and then assign permissions to
the group. Instead of assigning permissions to individual user accounts, you assign
them to groups, and all users that are part of that group have the assigned
permissions.
    Before discussing how to create groups, it is important to review the various group
    types. (Note that we will be talking about security groups, not distribution groups.)
Domain local groups. You can add members from any domain, but this type
of group can only be assigned permissions to resources within the domain it
belongs to. Using domain local groups, groups or users from your
is.corptech.com domain could be added to a domain local group in corptech.com
and assigned permissions to a printer in corptech.com.
    Global groups. Global groups are the reverse of domain local groups. A
    global group can have only users or groups from its domain but can be used
    to assign permissions in any domain.
    Universal groups. Universal groups are a combination of both domain local
    groups and global groups. They can contain users from any domain and can
    be assigned permissions to resources in any domain. However, universal
    groups are available only in native mode. Universal groups are also stored in
    the global catalog, so any changes made directly to them cause the global
    catalog to replicate to all global catalog servers. This is why you should
    always nest global groups (place groups inside of groups). Suppose that a
    universal group contains a global group called IS, and you add a new user to
    the IS group. Because this is not considered a direct change to the universal
    group, it will not need to replicate. If you add users individually to the
    universal group, each time you add a user it would need to replicate its
    changes to all other global catalog servers.
    TIP: Group nesting should follow the "AGDLP" strategy. That is, put user accounts
    into global groups. Put global groups into domain local groups and assign
    permissions to the domain local group.
    NOTE: Although the mode that your domain is in is not really considered an object,
    it is important to understand the basic differences between mixed mode and native
    mode.
Mixed mode. While in mixed mode (the Windows 2000 Server default setting), you
can keep a Windows NT 4 domain controller in your domain. Obviously, during an
upgrade you would want to remain in mixed mode until all your domain controllers
are upgraded. Once you change to native mode, you cannot revert; it is a one-shot
change.
    Native mode. In native mode, all of your domain controllers must have Windows
    2000. (You can still have NT 4 member servers and other Microsoft down-level
    clients, because a member server does not contain a copy of the Active Directory
    database.) Native mode also allows for more complex nesting, which is very useful in
    a multiple-domain environment.
    To switch from mixed mode to native mode, perform the following steps:
1. Click on Start, Programs, Administrative Tools, Active Directory Users and
Computers or Active Directory Domains and Trusts, right-click the domain name, and
then select Properties.
2. On the General tab, you will see a Domain Mode section with a yellow exclamation
point prompting you to change to native mode. Click the Change Mode button. (Note
that the operation cannot be reversed.)
    You should click the Change Mode button only if you are sure all your domain
    controllers are now running Windows 2000 and you will not need to add a Windows
    NT 4 backup domain controller later.
    You create groups almost the same way you create user accounts.
    1. Open Active Directory Users and Computers, and then select the OU or
    container in which you want to create the group.
2. Right-click, select New and then Group. The New Object - Group dialog box
appears.
    3. Enter the group name, select whether the group should be a domain local
    group or a global group, and then select whether it should be a security group
    or a distribution group.
    4. Click OK.
    NOTE: You cannot use distribution groups to assign permissions. You can, however,
    use security groups to assign permissions and for distribution purposes.
    To add users to the group, complete the following steps:
    1. Right-click the group, and then select Properties. The Properties dialog box for
    the group appears.
    2. Click the Members tab, and then click the Add button in the lower-right corner
    of the window. The Select Users, Contacts, Computers, Or Groups dialog box
    appears.
    3. Select the users and/or groups to add to this group, click Add, and then click
    OK. (Notice that while you are in mixed mode, you cannot create universal
    groups.)
    4. Click OK again to close the Properties dialog box.
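The scope rules above (domain local, global, universal), the native-mode requirement for universal groups, and the AGDLP nesting tip all reduce to a small set of checks on membership and permission assignment. The following Python block is an added example, not code from the manual: the Forest class, the corptech.com / is.corptech.com principals and resources, and the helper names are constructed for illustration. It models the manual's printer example (an IS global group from is.corptech.com placed in a domain local group in corptech.com, which is then granted the printer) and shows each of the "you cannot" cases the text lists being rejected.

```python
"""Model of Windows 2000 group scopes, domain mode and AGDLP (added example, not from the manual)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class GroupRuleError(ValueError):
    """A membership or permission assignment that the scope rules forbid."""


@dataclass
class Principal:
    name: str
    domain: str
    scope: str = "user"            # "user", "global", "domain local" or "universal"
    members: Set[str] = field(default_factory=set)


class Forest:
    def __init__(self) -> None:
        self.native: Dict[str, bool] = {}          # domain -> in native mode?
        self.principals: Dict[str, Principal] = {}
        self.resource_domain: Dict[str, str] = {}  # resource -> domain it lives in
        self.acls: Dict[str, Set[str]] = {}        # resource -> groups granted access

    def add_domain(self, name: str, native_mode: bool = False) -> None:
        self.native[name] = native_mode

    def add_user(self, name: str, domain: str) -> None:
        self.principals[name] = Principal(name, domain)

    def add_resource(self, name: str, domain: str) -> None:
        self.resource_domain[name] = domain
        self.acls[name] = set()

    def create_group(self, name: str, domain: str, scope: str) -> None:
        # Universal groups can be created only once the domain is in native mode.
        if scope == "universal" and not self.native[domain]:
            raise GroupRuleError("universal groups are available only in native mode")
        self.principals[name] = Principal(name, domain, scope)

    def add_member(self, group: str, member: str) -> None:
        g, m = self.principals[group], self.principals[member]
        if g.scope == "global":
            # Own-domain members only; global groups nest other global groups only in native mode.
            if m.domain != g.domain:
                raise GroupRuleError("a global group takes members only from its own domain")
            if m.scope == "global" and not self.native[g.domain]:
                raise GroupRuleError("nesting global groups requires native mode")
            if m.scope in ("domain local", "universal"):
                raise GroupRuleError(f"a global group cannot contain a {m.scope} group")
        g.members.add(member)

    def grant(self, resource: str, group: str) -> None:
        g = self.principals[group]
        # Domain local groups receive permissions only on resources in their own domain.
        if g.scope == "domain local" and self.resource_domain[resource] != g.domain:
            raise GroupRuleError("a domain local group is assigned permissions only within its domain")
        self.acls[resource].add(group)

    def expand(self, group: str) -> Set[str]:
        """Transitive membership: every user reachable through nested groups."""
        users, seen, stack = set(), set(), [group]
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            p = self.principals[name]
            if p.scope == "user":
                users.add(name)
            else:
                stack.extend(p.members)
        return users

    def has_access(self, user: str, resource: str) -> bool:
        return any(user in self.expand(g) for g in self.acls[resource])


def agdlp_demo() -> Forest:
    """The manual's printer example laid out as AGDLP: Accounts -> Global -> Domain Local -> Permissions."""
    f = Forest()
    f.add_domain("corptech.com", native_mode=False)       # constructed: still in mixed mode
    f.add_domain("is.corptech.com", native_mode=True)
    f.add_user("alice", "is.corptech.com")
    f.add_user("bob", "corptech.com")
    f.create_group("IS", "is.corptech.com", "global")
    f.add_member("IS", "alice")                           # A -> G
    f.create_group("HQ Printer Users", "corptech.com", "domain local")
    f.add_member("HQ Printer Users", "IS")                # G -> DL, across domains
    f.add_resource("HQ Printer", "corptech.com")
    f.add_resource("Branch Printer", "is.corptech.com")
    f.grant("HQ Printer", "HQ Printer Users")             # DL -> P
    return f


def scope_violations(f: Forest) -> List[str]:
    """Try the three things the text says you cannot do and collect the resulting errors."""
    attempts: List[Callable[[], None]] = [
        lambda: f.create_group("All Staff", "corptech.com", "universal"),  # domain is in mixed mode
        lambda: f.add_member("IS", "bob"),                                  # bob is in another domain
        lambda: f.grant("Branch Printer", "HQ Printer Users"),             # resource in another domain
    ]
    errors = []
    for attempt in attempts:
        try:
            attempt()
        except GroupRuleError as exc:
            errors.append(str(exc))
    return errors
```

Because alice reaches the printer only through two levels of nesting, adding or removing people from the IS global group changes access without touching the printer's ACL or the domain local group, which is the point of AGDLP.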
    Printers
    You can install printers on almost any computer, provided that the appropriate
    software is available, of course. Remember that Windows 2000 defines a printer as
    the software interface between a computer and the actual printer (which is referred
    to as the print device). A print server is the computer from which the printer is
    installed and shared.
    NOTE: If you are setting up a print device to be shared, it is best to do so from one
    computer and share it out to your users. Although it is possible to add a print device
    on the network to every computer that needs it, it could be an administrative
    nightmare; if problems arise, there isn't one central place from which to manage the
    printer. Install the printer and share the printer out as \\servername\printername.
    To install a printer on a print server:
    1. Click Start, go to Settings, and then select Printers.
    2. Double-click the Add Printer icon. When the Add Printer Wizard starts, click
    Next.
3. Choose whether it is a local printer (hooked directly to the computer via a
parallel or USB cable) or a network printer (a printer with a NIC and its own
IP address).
    4. Select Local Printer, and then click Next. Windows will try to find the printer.
    (If you are doing this for testing purposes and do not have a printer hooked
    up, just click OK when it gives you a message stating it cannot find the
    printer.)
    5. Select how the printer is interfaced. For testing purposes, click Create a New
    Port, and then select Standard TCP/IP Port from the drop-down menu. All
    printers will be assigned to a port on the print server regardless of whether it
    is a local port or a network port.
6. Click Next. The Add TCP/IP Printer Wizard appears. Click Next again.
    7. Enter the IP address of the printer. (Use 192.168.200.20 for practice.)
    8. Select the type of network card. (Typically, on all new print devices with NICs,
    you would select Generic Network Card.) Click Next.
    9. The TCP/IP wizard disappears, and the Add Printer wizard continues. Select
    the type of printer from the list (use HP 2000c), and then click Next.
    10. You can now name the printer. By default, it will be the type of printer that it
    is, although you can decide on a naming convention for your printers. (You
    should use meaningful names for your printers so that users can easily
    identify and find them.) Accept the default, and then click Next.
    11. You now have the opportunity to share the printer. Again, although you can
    rename the printer, it's a good idea to keep the printer names the same. Click
    Next.
    12. You can now enter location information, which enables users to search for
    printers by location. Enter CorpHQ, and then click Next.
    13. Do not print a test page. Click Next.
    14. Review the settings, and then click Finish.
    Now when users want to add the printer, they can do so one of two ways. The first
    method is as follows:
    1. Click Start, go to Settings, and then select Printers.
    2. Double-click the Add Printer icon. When the Add Printer Wizard starts, click
    Next.
    3. Select Network Printer, and then click Next.
    4. Users can now search for printers by selecting Find a Printer in the Directory,
    and then clicking Next to launch the Find Printers window. They could also
    type the printer name, or click Next to browse for a printer. It will display a
    list of all servers and the printers that are hooked up to them.
    5. Select the printer, and then click Next.
    6. Choose whether it will be the default printer, click Next, and then click Finish.
    The printer is now installed on their computer, although their print jobs are sent to
    the print server rather than being spooled locally.
    Your users could also access all the printers on a certain print server via Internet
    Explorer by typing http://<servername>/printers/ and seeing a list of printers
    on that server. Now all they have to do is click the desired printer and it will be
    added to their computer (see the following figure).
    The Web page for printers on corptech-srv.
    NOTE: In order for users to access printers on a print server via Internet Explorer,
    IIS 5 must be installed on the print server. (IIS is installed by default.)
    Furthermore, you could, through Group Policy, publish the URL into a user's Favorites
    folder in Internet Explorer so that if she ever needs to add a printer, she could do so
    through her Web browser.
    Shares
    Creating shares can still be done the same way as in previous Windows operating
    systems:
    1. Create a folder or volume.
    2. Right-click, and then select Sharing.
    3. Choose the Share this folder radio button, and then select the share name. To
    minimize any potential confusion when trying to troubleshoot problems, it's a
    good idea to keep the actual folder names the same.
    4. Click OK to close the Sharing dialog box.
    You also have the option of setting the permissions for the share. By default, the
    Everyone group has full control permissions on the drive. You can change these
    permissions, as needed.
    Group Policy Objects (GPOs)
GPOs enable you to implement security policies, desktop policies, and so forth. There
are several things you need to understand before creating policies in Active Directory.
The first issue to understand is the order of inheritance. Group Policies flow through
the domain from the top down; the last policy applied is the one that will be
effective. Policies are applied in the following order: LSDOU (Local, Site, Domain, OU,
then child OU if there are any).
You can block inheritance of Group Policy for an OU, or for specific users or groups.
To block policy inheritance on an OU:
    1. Open Active Directory Users and Computers.
    2. Right-click the OU for which you want to block inheritance, and then select
    Properties.
    3. Click the Group Policy tab, select the Block Policy inheritance check box, and
    then click OK (see the following figure).
    The Group Policy tab for blocking policy inheritance.
    To block inheritance for only specific users or groups (groups being the preferred way
    to handle it), you need to actually deny them read permissions on the GPO, as
    follows. (This is known as policy filtering. You could also create a new OU, add the
    desired users, and block policy inheritance.)
    1. Go to the selected Group Policy, whether on the domain or OU, select the
    Group Policy tab, and then click the Properties button.
    2. Click the Security tab. You will notice that authenticated users have read
    permissions.
    3. Add the user account or groups you want to deny the policy, and then check
    the Deny box for the read permissions.
    Now those specific users will not be able to read the Group Policy, and, therefore, it
    cannot be applied to their computers.
    You can also choose not to allow people to block inheritance on an OU even if the
    Block Policy Inheritance check box is selected:
    1. Go to the selected Group Policy, whether on the domain or OU, select the
    Group Policy tab, and then click the Options button.
    2. Select the No Override check box, and then click OK.
    Now the only way to prevent users from having the policy apply is by denying their
    account read access. Remember that domains are security boundaries. A child
    domain will not inherit Group Policy from its parent domain, but one Group Policy can
    be linked to multiple domains.
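The interaction of LSDOU order, Block Policy Inheritance, No Override and read-permission filtering is where most "why did this user get that setting?" questions come from, so it helps to run the rules over a concrete hierarchy. The following Python block is an added example, not code from the manual: the GPO and Container classes, the sample Local / HQ site / corptech.com / Sales / West chain, and the setting names are constructed for illustration. Two simplifications are noted in comments: No Override is modelled as a property of the GPO rather than of each link, and the local GPO is treated as never blocked because it is not inherited from Active Directory.

```python
"""Model of Group Policy processing: LSDOU, Block Policy Inheritance, No Override
and filtering (added example, not from the manual)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]
    no_override: bool = False                   # modelled per GPO; in the UI it is set per link
    denied_read: Set[str] = field(default_factory=set)   # groups given Deny Read (policy filtering)


@dataclass
class Container:
    name: str
    kind: str                                   # "local", "site", "domain" or "ou"
    gpos: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False


def effective_settings(chain: List[Container], user_groups: Set[str]) -> Dict[str, str]:
    """Apply GPOs in LSDOU order (chain[0] is Local, last is the deepest OU).

    A later GPO's value overwrites an earlier one. Block Policy Inheritance on a
    container drops every GPO linked above it, except those marked No Override.
    No Override GPOs also win over anything applied later; among several, the one
    linked highest wins. A GPO that denies Read to one of the user's groups is
    skipped entirely. The local GPO is not an AD link, so blocking never removes it."""
    deepest_block = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    result: Dict[str, str] = {}
    enforced: Dict[str, str] = {}
    for index, container in enumerate(chain):
        blocked = container.kind != "local" and index < deepest_block
        for gpo in container.gpos:
            if gpo.denied_read & user_groups:
                continue                                  # filtered out for this user
            if blocked and not gpo.no_override:
                continue                                  # inheritance blocked below
            if gpo.no_override:
                for key, value in gpo.settings.items():
                    enforced.setdefault(key, value)       # first (highest) enforced value sticks
            else:
                result.update(gpo.settings)               # later links overwrite earlier ones
    result.update(enforced)
    return result


def sample_chain(domain_enforced: bool = True, sales_blocks: bool = True) -> List[Container]:
    """Constructed hierarchy: Local -> HQ site -> corptech.com -> Sales OU -> West OU."""
    return [
        Container("Local", "local", [GPO("Local", {"wallpaper": "local-default"})]),
        Container("HQ", "site", [GPO("Site GPO", {"proxy": "hq-proxy"})]),
        Container("corptech.com", "domain", [
            GPO("Corp Standard", {"wallpaper": "corp-logo", "screensaver_minutes": "10"},
                no_override=domain_enforced)]),
        Container("Sales", "ou", [GPO("Sales Desktop", {"wallpaper": "sales", "ie_home": "intranet"})],
                  block_inheritance=sales_blocks),
        Container("West", "ou", [GPO("West Portal", {"ie_home": "west-portal"},
                                     denied_read={"Sales Managers"})]),
    ]
```

With the domain GPO set to No Override, a user in the West OU keeps the corporate wallpaper even though the Sales OU blocks inheritance; clear No Override and the Sales wallpaper wins. A member of Sales Managers never receives the West Portal GPO because Read is denied, so that group keeps the intranet home page from the parent OU.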
    Operations Master Roles
In Windows 2000, no single domain controller holds the only writable copy of
the Active Directory database. Instead, changes can be made to Active Directory on
any domain controller. If two people make conflicting changes on different machines
at the same time (I know it's unlikely, but better safe than sorry), Windows 2000 has
a defined set of rules to work out the conflict. There are several kinds of conflict
that could still cause major problems on a network, however. To prevent this from
happening, Windows 2000 defines "operations masters" (also referred to as Flexible
Single Master Operations, or FSMOs). An operations master is the domain controller
responsible for certain changes or information.
    There are two different types of operations masters: forest-wide (which have two
    different operations master roles) and domain-wide (which have three). There can be
    only one of each per forest and per domain.
    Forest-Wide Operations Masters
    Forest-wide operations masters are responsible for the entire forest. The first--the
    schema master--controls all changes to the schema. Remember the schema is
    responsible for what information is stored in Active Directory and the schema spans
    all trees within a forest. Changes to the schema must go through this machine only,
    and can only be performed by a member of the Schema Admin group. Also, before
    you can make changes to the schema, you must run regsvr32.exe schmmgmt.dll.
    After running this command, you will be able to create a custom MMC to edit the
    schema. To do this:
    1. Click on Start, go to Run, and enter MMC.
    2. When the console window opens, click on Console, and then select
    Add/Remove Snap-In.
    3. Click the Add button in the Add/Remove Snap-In dialog box.
    4. In the Add Standalone Snap-In box, select Active Directory Schema.
    5. Click on Add, and then select Close.
    6. Click OK to close the Add/Remove Snap-In dialog box.
    7. Save the console. You can name it whatever you like, normally "Active
    Directory Schema."
    You can now edit the schema from this MMC (see the following figure).

    The Active Directory Schema MMC.
    The other forest-wide operations master is known as the domain naming master. Its
    job is to make sure that any domains added to your forest have unique names, as
    well as to remove domains from your forest. Your domain will seem to perform fine if
    the domain naming master is down, but as soon as you try to add another domain,
    DCPROMO will fail to run because it needs to contact the domain naming master to
    make sure the domain name is unique. You also need to keep the domain naming
    master role on a global catalog server. The domain naming master works with the
    global catalog to determine acceptable domain names.
    Domain-Wide Operations Masters
    Domain-wide operations masters, as the name implies, perform several important
    functions for your domain. The most important role is arguably that of the PDC
    emulator. The PDC emulator is responsible for replicating user and group information
    to Windows NT 4 backup domain controllers. If you were still relying on NT 4 backup
    domain controllers, and your PDC emulator was down, they would not be able to
    receive updates made to Active Directory. Down-level clients would also be unable to
    authenticate.
    The PDC emulator is also responsible for checking failed logon attempts. When a
    domain controller receives a password change, it will immediately send that
    information to the PDC emulator. If a user changes his password, sends those
    changes to one domain controller, logs off, and then tries to log back on again, he
    might be trying to validate with a different domain controller. If the domain controller
    has not yet received the update for the changed password, it would normally fail.
    Since passwords are important for network access and security, the domain
    controller will contact the PDC emulator to see whether there have been any
    changes.
    NOTE: All other domain controllers synchronize their time with the primary domain
    controller emulator. You should also try to synchronize your primary domain
    controller time with an external time source so that all domain controllers have the
    correct time.
    The second domain-wide operations master is the relative ID (RID) master. All user
    accounts, groups, computers, etc. have a unique SID. SIDs are made up of two
    parts: the SID of the domain, and a relative identifier. The RID master is responsible
    for assigning blocks of relative identifiers (RID) to all domain controllers. The domain
    controllers then assign SIDs to security principals (A security principal is anything
    that can be assigned permissions.). When a domain controller is out of IDs, it
    requests a new block from the RID master.
NOTE: It is important to remember that IDs are never re-used. Even if you delete a
user account and re-create it with the same user name, it will not have the same
SID, and all permissions assigned to the old account will be lost.
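A short model of the RID master's job makes the NOTE above concrete: each domain controller draws RIDs from a block it was issued, SIDs are the domain SID plus a RID, a deleted account's RID is never handed out again, and ACL entries keyed by SID stop matching a re-created account. The following Python block is an added example, not code from the manual; the domain SID, the block size of 500, the starting RID of 1000, and the class and function names are constructed assumptions for illustration.

```python
"""Model of SID construction and RID pool allocation (added example, not from the manual)."""
from typing import Dict, Optional, Tuple

# Constructed domain SID for the example (real ones have the form S-1-5-21-<three sub-authorities>).
DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"


class RidMaster:
    """Hands out disjoint blocks of relative identifiers to the domain controllers."""

    def __init__(self, domain_sid: str, block_size: int = 500, first_rid: int = 1000):
        # Assumption for the example: RIDs below first_rid are reserved for well-known accounts.
        self.domain_sid = domain_sid
        self.block_size = block_size
        self.next_rid = first_rid
        self.online = True

    def allocate_block(self) -> Tuple[int, int]:
        if not self.online:
            raise RuntimeError("RID master unavailable: no new RID block can be issued")
        start = self.next_rid
        self.next_rid += self.block_size              # a block is never issued twice
        return start, start + self.block_size - 1


class DomainController:
    def __init__(self, name: str, rid_master: RidMaster):
        self.name = name
        self.rid_master = rid_master
        self.pool: Optional[Tuple[int, int]] = None   # (next free RID, last RID in the block)
        self.accounts: Dict[str, str] = {}            # sAMAccountName -> SID

    def create_principal(self, sam_name: str) -> str:
        # Only when the local pool is exhausted does the DC ask the RID master for more.
        if self.pool is None or self.pool[0] > self.pool[1]:
            self.pool = self.rid_master.allocate_block()
        rid, last = self.pool
        self.pool = (rid + 1, last)
        sid = f"{self.rid_master.domain_sid}-{rid}"
        self.accounts[sam_name] = sid
        return sid

    def delete_principal(self, sam_name: str) -> None:
        del self.accounts[sam_name]                   # the RID is not returned to the pool


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a principal's SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def recreate_loses_access(dc: DomainController, acl: Dict[str, str]) -> bool:
    """Delete 'jsmith', re-create the same name, and show that the ACL entry
    (which stores the SID, not the name) no longer matches the new account."""
    old_sid = dc.create_principal("jsmith")
    acl["\\\\srv\\share"] = old_sid                   # constructed resource granted to the old SID
    dc.delete_principal("jsmith")
    new_sid = dc.create_principal("jsmith")
    return new_sid != old_sid and acl["\\\\srv\\share"] != new_sid
```

Setting the RID master offline does not stop account creation immediately: a domain controller keeps creating principals until its current block runs out, which is why a down RID master can go unnoticed for a while.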
The final domain-wide operations master is the infrastructure master. The
infrastructure master is responsible for replicating all changes made within Active
Directory to all the domain controllers in its domain. This is only important in
multi-domain environments, because even if you move an object within one domain, it
will retain the same SID; you don't have to worry about that object being referenced
in other domains. The most important placement consideration is that the
infrastructure master should not be on a global catalog server. The infrastructure
master compares its data against the global catalog to check for changes, so if the
infrastructure master and the global catalog server are the same machine, it will
never detect any updates to send.
    Transferring Operations Master Roles
    By default, the first domain controller you create in your domain holds all of the
    roles, both forest-wide and domain-wide. Obviously, this is not the best thing to do.
    Once you have other domain controllers in your domain, you can transfer any of the
    roles to another domain controller.
There are two ways to transfer roles. The first is to use Active Directory Users and
Computers or Active Directory Domains and Trusts to transfer the role; the other is
to seize the role. When you seize the role, you are forcing the transfer of the role
without the current operations master knowing. When you transfer roles, both the
new computer and the current operations master are aware of the change. You
should seize a role only if the computer that currently holds that role is down. When
that computer is brought back up, it cannot be restored from a backup, because you
would then have two computers trying to perform the same role. If your domain naming
master is down and you need to add a new domain immediately, for example, you
should seize that role. Then, rather than restoring that system from a backup, you
should install Windows 2000 on it, run DCPROMO to promote the former operations
master to a domain controller again, and install Active Directory.
    Transferring Forest-Wide Operations Master Roles
    To transfer the domain naming master role, complete the following steps:
    1. Open Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and then select Connect to
Domain Controller. In the window, select the domain controller you wish to
transfer the role to.
    3. The MMC will connect to the selected domain controller. Right-click Active
    Directory Domains and Trusts again, and then select Operations Master.
    4. A window will open displaying the current domain naming master. From here
    you can select to transfer the role to the computer you connected to.
    To transfer the schema master role, complete the following steps. (Note that you first
    must register the schmmgmt.dll.)
    1. Open the Active Directory Schema MMC.
    2. Right-click Active Directory Schema, and then select Change Domain
    Controller.
    3. A window will open displaying the current schema master. From here you can
    select which system you want to transfer the role to. Click either Any DC or
    Specify Name, and then click OK.
    4. Right-click Active Directory Schema and select Operations Master (see the
    figure that follows).
    5. Click Change, and then OK.
    The Change Schema Master dialog box.
    Transferring Domain-Wide Operations Master Roles
    Unlike the forest-wide operations masters, all of the domain-wide operations master
    roles can be transferred from one place--Active Directory Users and Computers. To
    change any of these roles (PDC emulator, RID, or infrastructure master), perform the
    following:
    1. Open Active Directory Users and Computers.
2. Right-click on Active Directory Users and Computers, and then select Connect
to Domain Controller. In the window, select the domain controller you wish to
transfer the role to, and then click OK.
    3. Right-click on Active Directory Users and Computers, and then select
    Operations Masters.
    4. The Operations Masters dialog box will open with 3 tabs on the top--one for
    each operations master. From here you can view and change which computer
    holds that role.
    Seizing the Operations Master Role
    As previously discussed, seizing the role forces the transfer of a certain operations
    master. This should be done only if the server that currently holds the roles is
    unavailable and will not be brought back up online.
    To seize a role:
    1. Click Start, go to Run, and enter CMD.
    2. When the command prompt appears, type NTDSUTIL. The NTDSUTIL prompt
    appears instead of the normal c:\> (see the next figure).
    NTDSUTIL prompt after typing "help."
    3. At the NTDSUTIL prompt, type roles. The FSMO maintenance prompt
    appears.
    4. Type Connections, hit Enter, and then type Connect to Server
    SERVERNAME and hit Enter.
    5. Type Quit at the connections prompt.
    6. At the FSMO maintenance prompt, type any of the following to seize that role:
    Seize PDC
    Seize RID master
    Seize infrastructure master
    Seize schema master
    Seize domain naming master
    7. A dialog box will open and ask whether you're sure you want to seize the
    specified role. Click OK.
    8. Type quit at the following two prompts to go back to your command prompt.
    9. Once you are finished, use Active Directory Users and Computers to make
    sure any domain-wide masters have successfully switched. Or, use Active
    Directory Domains and Trusts or Active Directory Schema to make sure
    forest-wide masters have successfully switched.
    Verifying Active Directory Installations
    After you complete the Active Directory installation process, you should verify that it
    completed successfully. There are several ways to do this.
    Verify the creation of SYSVOL and its subfolders:
    1. Click Start, go to Run, and then type SYSVOL. The SYSVOL folder
    should open.
    2. Verify the creation of the following subfolders:
    Domain
    Staging
    Staging Areas
SYSVOL - shared
    Verify the creation of the NTDS folder and log files:
    1. Click Start, go to Run, and then type NTDS, which will open the NTDS
    folder and display the following contents:
    Edb
    Ntds.dit
    Temp.edb
    Verify the creation of SRV records in DNS. (This will work only after
    you've added a second domain controller.)
    1. Open the DNS MMC.
    2. Expand <ServerName> (where <ServerName> is your DNS server)
    and expand the forward lookup zone.
    3. Double-click on the domain name. If you successfully installed Active
    Directory, you will see the following folders:
    _msdcs
    _sites
    _tcp
    _udp
    Troubleshooting Active Directory Installations
    If your Active Directory installation fails, there are several things you can check. The
    following are the most-common issues:
    Drives not formatted with NTFS. Although the database and log files can
    reside on a FAT drive, the SYSVOL folder must reside on a drive formatted
    with NTFS.
Permissions. You may receive an access denied error while installing
Active Directory. If you receive this error message when you are creating your
first domain controller, you are logged in with an account that is not part of
the local Administrators group. If you receive this error message when
installing another domain controller, you still need to be logged in as a local
administrator, but you must also be part of the Domain Admins group to join
the domain controller to the domain.
    Domain name is not unique. If the domain name you have given is not
    unique, you will not be able to create the domain. You must also make sure
    that the first 15 letters of the name are unique, because Windows 2000 will
    use the first 15 letters of the domain name to create the NetBIOS name. If
    you have a domain name of technicalservices.com and try to create a child
    domain named technicalservices1.com, the name would not be valid because
    the first 15 letters match.
    Domain naming master is down. If your domain naming master is
    currently down, you will not be able to create child domains, although you will
    still be able to create domain controllers in an existing domain.
    Disk space. Remember from the system requirements, you need 200MB for
    the Active Directory database, and 50MB for the log files on the FAT, FAT32, or
    NTFS partition. If you don't have enough disk space, install a new drive.
Domain cannot be contacted. You will receive an error like this if your
computer is unable to find the domain. This is most commonly a result of the
wrong DNS server address being entered or the DNS server being down.
Verify that the DNS server is functioning properly by using a ping test. If you
can ping the DNS server by IP address but not by name, the problem is with
either the DNS server itself or the DNS server address configured on the client.
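The failure causes listed above can be checked before running DCPROMO rather than discovered when it fails. The following Python block is an added example, not code from the manual: the dcpromo_preflight and netbios_name functions and their parameters are constructed for illustration, and the 200MB database plus 50MB log figures are taken from the manual's requirements. The NetBIOS rule uses the first 15 characters of the leftmost DNS label, which reproduces the manual's technicalservices.com versus technicalservices1.com collision; comparing case-insensitively is an assumption based on NetBIOS names not being case-sensitive.

```python
"""Pre-flight checks for an Active Directory installation (added example, not from the manual)."""
from typing import Iterable, List, Optional

AD_DATABASE_MB = 200     # manual's requirement for the Active Directory database
AD_LOGS_MB = 50          # manual's requirement for the log files


def netbios_name(dns_name: str) -> str:
    """NetBIOS domain name derived from the first 15 characters of the leftmost
    DNS label, uppercased because NetBIOS names are not case-sensitive (assumption)."""
    return dns_name.split(".")[0][:15].upper()


def dcpromo_preflight(new_domain: Optional[str], existing_domains: Iterable[str], *,
                      sysvol_fs: str, free_mb: int, naming_master_reachable: bool,
                      local_admin: bool, domain_admin: bool) -> List[str]:
    """Return the problems that would make the installation fail.

    new_domain is the DNS name of a domain being created (its first DC), or None
    when adding another domain controller to an existing domain."""
    problems: List[str] = []
    if sysvol_fs.upper() != "NTFS":
        problems.append("SYSVOL must reside on an NTFS volume")
    needed = AD_DATABASE_MB + AD_LOGS_MB
    if free_mb < needed:
        problems.append(f"need {needed} MB free for database and logs, have {free_mb} MB")
    if not local_admin:
        problems.append("must be logged on as a member of the local Administrators group")
    if new_domain is None and not domain_admin:
        problems.append("joining a DC to an existing domain also needs Domain Admins membership")
    if new_domain is not None:
        existing = list(existing_domains)
        if new_domain.lower() in (d.lower() for d in existing):
            problems.append(f"domain name {new_domain} is not unique")
        for d in existing:
            if d.lower() != new_domain.lower() and netbios_name(d) == netbios_name(new_domain):
                problems.append(f"NetBIOS name {netbios_name(new_domain)} collides with {d}")
        if not naming_master_reachable:
            problems.append("domain naming master unreachable: cannot create a new domain")
    return problems
```

Note that an unreachable domain naming master is only reported when a new domain is being created; adding a domain controller to an existing domain does not need it, which matches the "Domain naming master is down" entry above.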
    Implementing an Organizational Unit (OU) Structure
    Now that you have installed Active Directory and DNS (and verified that they were
    installed properly), you need to consider how to create an OU structure. There are
    three main types of OU design:
By location. Generally, this is the most stable of the three types. If the
company moves or adds another location, it does not require Active Directory
to be totally restructured, as some of the other designs do. The drawback of this
design is that you might have thousands of users in one location, which can
become difficult to manage.
    By department. This design is probably more popular and easier to manage,
    but is more likely to have to be restructured. Generally, this design has fewer
    users in each OU because departments are typically smaller than entire
    locations. If you are delegating control to certain users, you can grant control
    to a specific OU rather than to an entire location (which may be too much
    control for the user).
    By role. Very similar to the "by department" design, this design is broken
    down one step further--by roles. Instead of having an IS OU, for example,
    you would have a Network Admin OU, a Technician OU, a Help Desk OU, and
    so forth.
    One other option is to use a combination of the three designs. For example, you
    could create OUs by location, and then create OUs under each location by
    department or by role, which makes administration and delegation of control easier.
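    The combination design described above, as an added example that is not part of the course manual: a Python script that builds the location, department and role OU hierarchy from an employee list and emits LDIF that ldifde can import. The domain `DC=example,DC=com`, the OU names and the employee records are constructed assumptions, not values from the text.

```python
# Added example (not from the course manual): build the combined OU design the text
# describes (location, then department, then role under it) from an employee list and
# emit LDIF that ldifde can import. The domain and the records are constructed samples.
BASE_DN = "DC=example,DC=com"  # assumption: placeholder domain, not one from the manual

EMPLOYEES = [  # (location, department, role), constructed sample data
    ("Dallas", "IS", "Help Desk"),
    ("Dallas", "IS", "Network Admin"),
    ("Dallas", "Sales", "Account Rep"),
    ("Chicago", "IS", "Technician"),
    ("Chicago", "IS", "Help Desk"),
]

def escape_rdn(value):
    """Escape the characters that are special in an LDAP distinguished name (RFC 2253)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.endswith(" "):  # a trailing space must be escaped
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):  # so must a leading '#' or space
        out = "\\" + out
    return out

def build_ou_tree(records, base_dn=BASE_DN):
    """Return (name, dn) pairs for every OU the design needs, parents before children."""
    tree, seen = [], set()
    for location, department, role in records:
        parent = base_dn
        for level in (location, department, role):  # one nesting level per design axis
            dn = "OU=%s,%s" % (escape_rdn(level), parent)
            if dn not in seen:
                seen.add(dn)
                tree.append((level, dn))
            parent = dn
    return tree

def to_ldif(tree):
    """Render the OUs as LDIF 'add' entries, in import order, for: ldifde -i -f ous.ldf"""
    entries = []
    for name, dn in tree:
        entries.append("dn: %s\nchangetype: add\nobjectClass: organizationalUnit\nou: %s\n" % (dn, name))
    return "\n".join(entries)

if __name__ == "__main__":
    print(to_ldif(build_ou_tree(EMPLOYEES)))
```

Delegation of control is then granted at the department OU (for example to a Help Desk group) rather than at the location, which is the point the combination design makes.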
    Fast Facts
    To install Active Directory, use DCPROMO or the Configure this Server applet
    to start the Active Directory Installation Wizard.
    Logon requests pass through the global catalog server.
    Windows 2000 Server minimum requirements: Pentium 133, 128MB RAM,
    2GB hard drive with 1GB free.
    You can convert a drive formatted with the FAT file system to NTFS by using
    the convert X: /FS:NTFS command.
    DNS does not have to be installed before installing Active Directory. If the
    Active Directory Installation wizard cannot find DNS, it will install it for you.
    Windows 2000 uses the first 15 letters of your domain name for the NetBIOS
    name.
    Use SRVMGR to add computer accounts when installing a new Windows NT 4
    backup domain controller.
    Replication between sites is compressed. Create sites if you have slow WAN
    links.
    When nesting groups, use the AGDLP strategy. Put user accounts in global
    groups; put global groups in domain local groups; and assign permissions to
    the domain local group.
    Switching from mixed mode to native mode is a one-way switch; you cannot
    switch from native mode to mixed mode.
    You cannot use distribution groups to assign permissions, but you can use
    security groups to assign permissions and for distribution purposes.
    Users can access printers by going to http://servername/printers only if IIS is
    installed. (It is installed by default.)
    There are two types of operations masters: forest-wide and domain-wide.
    Forest-wide operations masters include the schema master and the domain
    naming master. There can be only one of these per forest.
    Domain-wide operations masters include the PDC emulator, the relative ID
    (RID) master, and the infrastructure master. There can be only one of these
    per domain, but there can be several per forest (multi-domain forest).
    Use NTDSUTIL to seize operations master roles only if the current master will
    not be brought back up in its current state.
    SYSVOL must be installed on an NTFS partition.
    The database file requires 200MB free space; the log files require 50MB free
    space on FAT or NTFS.
    For best performance, place the database file and log files on separate drives.
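    The AGDLP fast fact above, as an added example that is not from the course manual: a Python check that flags accounts or global groups placed outside the AGDLP pattern and expands nested groups to show which accounts actually reach a share. The users, group names and share names are constructed sample data.

```python
# Added example (not from the course manual): audit a small directory model against the
# AGDLP rule: Accounts in Global groups, Global groups in Domain Local groups, and
# Permissions on the domain local group. Users, groups and share names are constructed.
USERS = {"alice", "bob", "carol", "dave"}
GROUPS = {  # group name -> (scope, members); members may be users or other groups
    "G-HelpDesk": ("global", {"alice", "bob"}),
    "G-NetAdmins": ("global", {"carol"}),
    "DL-Printers-Manage": ("domainlocal", {"G-HelpDesk", "G-NetAdmins"}),
    "DL-Finance-Read": ("domainlocal", {"G-HelpDesk", "dave"}),  # account nested directly
}
ACLS = {  # share -> principals granted permission on it
    r"\\srv1\Finance": {"DL-Finance-Read"},
    r"\\srv1\Printers": {"DL-Printers-Manage", "G-NetAdmins"},  # global group on the ACL
    r"\\srv1\Scratch": {"carol"},  # account on the ACL
}

def scope_of(principal, groups, users):
    if principal in users:
        return "user"
    return groups[principal][0] if principal in groups else "unknown"

def audit_agdlp(users, groups, acls):
    """Return (rule, principal, where) for each departure from AGDLP: 'A' is an account
    placed outside a global group, 'G' a global group granted permission directly."""
    findings = []
    for name, (scope, members) in groups.items():
        for member in members:
            if scope == "domainlocal" and scope_of(member, groups, users) == "user":
                findings.append(("A", member, name))
    for share, principals in acls.items():
        for principal in principals:
            kind = scope_of(principal, groups, users)
            if kind == "user":
                findings.append(("A", principal, share))
            elif kind == "global":
                findings.append(("G", principal, share))
    return findings

def effective_users(share, acls, groups, users):
    """Expand nested groups on a share's ACL to the accounts that can actually use it."""
    result, pending, seen = set(), list(acls[share]), set()
    while pending:
        principal = pending.pop()
        if principal in users:
            result.add(principal)
        elif principal in groups and principal not in seen:  # skip unknowns and cycles
            seen.add(principal)
            pending.extend(groups[principal][1])
    return result
```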
    Case Studies
    Adding a Windows NT 4 BDC to a Windows 2000 Mixed-Mode
    Domain
    (Note that once your domain is in native mode, you cannot have Windows NT backup
    domain controllers present.)
    1. On a Windows 2000 domain controller, click on Start, and then go to Run.
    2. Type SRVMGR to launch Server Manager. This is installed by default with
    Windows 2000 Server.
    3. When Server Manager opens, click on Computer and select Add to Domain.
    The Add Computer To Domain dialog box appears, as shown in the following
    figure.
    The Add Computer To Domain dialog box.
    4. Select Windows NT Backup Domain Controller, and then name the computer.
    5. Click on Add, and then Close. You will now see the computer in Server
    Manager.
    6. Close Server Manager.
    7. Before you can begin installing Windows NT Server, make sure there is a
    functioning WINS server on your network.
    8. You can now begin the installation of Windows NT 4 Server on your machine.
    As with any version of Windows, make sure that all the hardware is
    compatible with the operating system.
    9. Configure your copy name and license options, as needed.
    10. In the computer name box, enter the same name you entered in Server
    Manager on the Windows 2000 domain controller, and then click Next.
    11. Select Backup Domain Controller, and then click Next.
    12. Configure the options, as needed, until you are prompted to enter the
    appropriate domain name and administrator password. Enter the information,
    and then click Next.
    13. Finish configuring your server, as needed.
    Installing and Using Terminal Services for Remote
    Administration
    Windows 2000 enables you to install Terminal Services on your servers, install client
    software on your workstation, and administer your servers--all from your desk.
    1. Click Start, and then go to Settings, Control Panel, Add/Remove Programs.
    2. Click Add/Remove Windows Components.
    3. Scroll down and select Terminal Services. Note that you only need to install
    the Licensing option for Application Mode--where users connect to a Terminal
    Server to run applications (see the next figure). Click Next.
    Installing Terminal Services.
    4. The next screen prompts whether to run in Remote Administration or
    Application mode. Select Remote Administration mode (Maximum of 2
    concurrent connections), and then click Next.
    5. When finished, click OK. If prompted to restart, click Yes. Three tools are now
    added to your Administrative Tools folder:
    Terminal Services Manager
    Terminal Services Client Disk Creator
    Terminal Services Configuration
    6. Open Terminal Services Client Disk Creator to create the client disks for your
    workstation (either 16- or 32-bit). You will need two blank floppies.
    7. Once created, install the client software on your workstation.
    8. Click Start, Programs, Terminal Server Client, and then open Terminal
    Services Client.
    9. Once the Terminal Services Client window opens, a list of all the machines
    with Terminal Services installed appears. Select the machine you want to
    connect to, and start administering (see the next figure).

    The Terminal Services Client window.