Windows 2000 Professional
Level 1
Requirements
P133, VGA, CD-ROM, 1 Gigabyte hard drive (640 MB free), 32 MB RAM, floppy,
NIC, mouse, and keyboard.
Dual boot - separate partitions; install the oldest OS first and the newest OS last.
WINNT.EXE - 16-bit, used to install from DOS
WINNT32.EXE - 32-bit, used to install from the Windows GUI
Creating a custom install toolkit
- 98 boot disk
- GDISK (Norton utility)
- PCI network card
- Network driver disk
- Network distribution share on the server
Tools
- \Support\Tools
- Admin Tools, Replication Monitor, and ADSI Editor.
- Setup Manager (use this for creating unattended answer files):
provide defaults, fully automated, hide pages.
- RIS, Remote Installation Services (allows you to distribute W2K installs
to PXE-compliant machines)
- Sysprep (this utility allows you to create images of the machine
and recreate a SID on the next bootup)
- Fully automated install from CD: create the unattended answer file
with Setup Manager, rename it to WINNT.SIF and copy it to a floppy disk.
You will also need to provide the section [Data] ProductID=
Level 3 - Installing W2K using RIS
RIS Requirements
- DNS (dynamic), DHCP, ADSI.
Implementing RIS on the Server
- Run RISETUP
- Select the folder for the structure (not the system/boot volume - NTFS only, F:\ is the default)
- Client support - respond to client requests and/or respond to unknown clients
- Enter the path of the CD-ROM
- Enter the folder (win2000pro is the default)
- Friendly name and help text
- Authorize the server in DHCP: enter the name and authorize (this is
required)
- You need to create a computer account in the domain: right-click the domain
- Security - Add group - Advanced - Add group - Create computer object.
Viewing and Verifying the RIS Server
- Right-click the domain controller and select Remote Install
- Verify Server
- Show Clients
- Advanced - New Clients / Images / Tools / Objects / Security
Installing
- Installing is done through Add/Remove Windows Components
- BINL listens for requests
- TFTP downloads the files
- CIS - allows multiple images to be installed.
- Create an image from a workstation (run the file called RIPREP on the server)
- PXE network card, boot ROM version .99 or greater
- You may also use RBFG.EXE (remote boot floppy)
Limitations
- Only 2K Pro, no laptops, and only the C:\ drive can be imaged
RIS Directory on the Server
- \REMINST
- \Admin\I386 - RBFG.EXE (create a boot floppy for clients), RIPREP (create
images from clients)
- \OSCHOOSER\ - Welcome.osc (edit this file for clients)
- \Setup\English\Images - where all the images are stored.
Creating .msi files for legacy applications.
- Installing WinINSTALL LE can be done from the CD, from SWIADMLE.MSI
- Locate the file called Winstall.msi in the WINSTL directory, double-click it
and install.
- Create the first snapshot with discoz.exe and specify the app name
- Select the drives to scan for changes.
- After installing the application, run discoz.exe again to create the second snapshot.
Level 4 - MMC, Install and Configure Devices.
All files with the .MSC extension are mostly located in c:\winnt\system32\*.msc;
you can run these files by typing the file name with the .msc
extension. Example: Diskmgmt.msc
Different Types of Disk. Windows 2000 Professional has no support for fault
tolerance.
Basic - Primary and Logical partitions
Dynamic - now called Volumes: Simple or Spanned
Level 5 - File Systems, Network Dial-Up, and Logging on to Domains
Available File Systems
- NTFS - Compression and File Encryption (can only use one of the
two)
- General / Sharing / Security
- Advanced - Index / Archive / Compress / Encrypt
- Security - Add/Change - Advanced - Permissions / Auditing / Owner
- FAT32, FAT16 - limited file size, no security, no file encryption
Disk Management (Diskmgmt.msc)
- Disk defrag, fault tolerance, format, FDISK functions, view status, etc.
Dial-Up Connections
- Add new connection - connect to a private network / dial up to the
Internet / connect to a VPN / accept incoming connections.
Personal Web Manager - Setup - Setting Mail/Tour/Advanced
Users
Profiles - Viewing / Properties / User Profiles
- Roaming - install setup and UNC path
- MSIEXEC switches - MSIEXEC /a administrative install, /f repair, /i install
or configure
Offline Sync - CSC - Client Side Caching
- Starting - share folder - Caching tab - cache folder
- Accessing - c:\winnt\csc - Add new network place
- Offline - make available offline
- Synchronize settings - logon/logoff
RunAs
- Using the MMC, right-click and choose Run As
- Command line: runas /profile /user:Domain\User "mmc c:\mmc" (the password
is prompted for, not given on the command line)
Backing Up
- NTBACKUP.EXE
- Manual or Wizard - Welcome / Backup / Restore / Scheduled Jobs.
- System State or ERD (ERD creates autoexec.nt, config.nt, and setup.log).
You also have the choice to create a system state backup, which is copied
to c:\winnt\system32\regback
- Removable storage - Zip, tape, QIC
System Monitor
- Starting: run perfmon - System Monitor / Counter Logs / Trace Logs / Alerts
Local Policies
- Configure using secpol.msc
- Account Policies - password policy, account lockout, etc.
- Local Policies - audit policy, user rights assignment
- Public Key Policies - encrypted data recovery
Disk Quotas
- Requires NTFS - per group
- Enable at the volume level - set min/max for alerts, add quota
entries
Level 6 - Windows Installer - System Tools - Monitor - Security
Settings and Policies
Windows Installer - MSI install and manage services with msiexec.exe
Level 7
Registry
- Starting with regedit/regedt32
- Keys: HKEY_LOCAL_MACHINE / HKEY_USERS / HKEY_CURRENT_CONFIG / HKEY_CLASSES_ROOT
- Regedt32 - Registry / Edit / Tree / View / Security / Options
- Hive files: c:\winnt\repair\regback (system state)
- c:\winnt\system32\config (registry)
System State
- Registry, boot files, COM+ - c:\winnt\repair\regback
Print Server
- Start, right-click the Printers folder - Forms / Ports / Drivers / Advanced
Troubleshooting
- Safe Mode - no network - 16 colors - limited drivers
- Recovery Console: install by typing winnt32 /cmdcons
Windows 2000 Server
Level 1 - Hardware Requirements, Improvements over 2000 Professional
- Requirements
P133, VGA, CD-ROM, 1 Gigabyte hard drive (640 MB free), 32 MB RAM, floppy,
NIC, mouse, and keyboard.
Dual boot - separate partitions; install the oldest OS first and the newest OS last.
WINNT.EXE - 16-bit, used to install from DOS
WINNT32.EXE - 32-bit, used to install from the Windows GUI
- Upgrading to 2000: remember to uncompress, disconnect the UPS, and back up.
Supports up to 4 CPUs
Support for software RAID versions 1 and 5 (disk mirroring and disk
striping with parity)
- NT 4.0 Compared to 2000
File Server - improved disk management (defragmenter)
Print Server - web based
Web Server - HTTP compression for increased performance
- Active Directory
Decreases Total Cost of Operation, or TCO
Group Policies, LDAP, centralized, standard base of protocols.
Master replication - all domain controllers replicate
Trees and Forests
Multiple trees make a forest
Global Catalog - index of the forest
- Web Services
Share documents for access across the Internet, ASP support
DCPROMO (Active Directory Setup Wizard)
Level 2 - Deploying Windows 2000 Servers
- Modes of Operation (right-click the domain controller to change)
Native - pure Windows 2000 environment: no more downlevel domain
controllers, no PDC emulator, expanded group nesting available.
Once changed you cannot change back. Changed in Active Directory Domains and
Trusts.
Mixed - provides support for NT 4.0 machines. The first installed ADSI
2K server will act as a PDC emulator. Limited directory mode, and global
into local.
- Domain Models
Single domain; master domain - root and child domains; multiple master
domains - create OUs, move user accounts and resources into the root,
remove AD from the child domains.
Level 3 - Administrating W2K Server, intro to ADSI, network protocols
and printing services.
- ADSI standards and naming conventions
Benefits
- Directory Services provide organized management control
- Centralized management - single point of administration (one logon
gives access to the entire forest)
Standards
- DNS / DHCP / TCP/IP / SNTP / LDAP / LDIF / Kerberos / X.509
Naming Conventions
- Distinguished names - DC=net,DC=Keystone,CN=Users,CN=John Paul
- Relative Distinguished Name = John Paul
GUID or Globally Unique Identifier - each object has one; this guarantees
uniqueness of names.
Active Directory Structure
- Master Replication
Global Catalog Server
- Stores and processes queries
- First domain controller on-line
- Enables users to log on to the network
- Indexes all objects in the forest
ADSI Requirements
- 2K Server, Advanced, or Datacenter
- 1 NTFS volume for NTDS
- At least 1 GB or greater
- TCP/IP with DNS installed
- Correct time and time zone settings
Logical Structure
- Domains / Organizational Units / Trees and Forests / Mixed or Native
Mode
- Organizational Unit or OU
- b.cisco c.cisco
- Trees and Forests
- 1st W2K DC on-line is the root domain
Physical Structure
- Sites and Domain Controllers
Installing ADSI
- NTFS volume required
- Convert to NTFS from the command line: c:\> convert c: /fs:ntfs (restart);
fix permissions after the restart, see Q237399 (FAT32, using SECEDIT)
Promoting to Domain Controller using DCPROMO
- Start by using DCPROMO or the Configure Your Server wizard
- First domain: create tree
- New forest
- FQDN: development.net
- NetBIOS: development
RRAS Configuration
- Enable a user by choosing the Dial-in tab and selecting Allow access
- Policies will be applied first when the user is connected
Printing Services
- Web-based printing requires that IIS is installed and can be accessed
by default at http://ipaddress/printers
- View - list / properties / all printers; printer actions - pause/resume/cancel;
document actions - pause/resume/cancel
Level 4 - Administrating NT 4.0 Terminal Services - DFS - NTFS - Hardware
Devices
Terminal Server Requirements - 2K Server/Advanced/Datacenter
- License types: (TSCAL) each client requires one; (TSICL) anonymous
Internet connections - not CALs!; (Built-in) 2 are provided for
remote administration; (Temporary licenses) are provided for 90
days.
Administrating Licenses
- Select server, right-click, Install Licenses (enter key pack)
License Server
- This can be installed through Add/Remove Components in Control
Panel
Activate Server
- Right-click - Activate Server - wizard - select method
Types of Terminal Server Installations
- Remote Administration or Application Server (requires licenses for application
mode)
MMC Terminal Server Console
- Manager / Client Creator
- Terminal Services Configuration - connections / server settings
- Terminal Services Manager - displays users/processes
Permissions for Terminal Server
- Users must be able to log on locally / add user under connections
/ (change under Local Security Settings, User Rights Assignment)
DFS (Distributed File System, for load balancing and fault tolerance)
- Creating a DFS root: right-click, domain-based or stand-alone (no
replication on stand-alone)
- New DFS Link (allows you to access a share that is located in another
location from the server):
right-click, choose New DFS Link, enter Link Name / Send User To
/ Comment
- New Replica (allows you to replicate a share to 2 different locations):
enter the share to send the user to (choose manual or automatic replication).
- Security can also be implemented and managed with policies.
Level 5 - Monitor Performance - Task Manager - NT Backup and
Troubleshooting
- Collect new data: current or log
- Viewing over the Internet can be accomplished by saving the file
as a web page and accessing it via the web server (requires IIS to be
installed)
- Viewing log files - when you create a log file to view, you will
need to install the same counters that were used to gather the information.
Task Manager
- Ctrl-Alt-Del or type taskmgr from the Run command
- Applications / Processes / Performance. You can also start or kill
processes or applications, and change the priority of applications or
processes to Low / Below Normal / Normal / Above Normal or High.
NTBACKUP.EXE
- Manual or Wizard - Welcome / Backup / Restore / Scheduled Jobs.
- System State or ERD (ERD creates autoexec.nt, config.nt, and setup.log).
You also have the choice to create a system state backup, which is copied
to c:\winnt\system32\regback. System State backs up all the necessary
files (ADSI, SYSVOL, registry) to restore a Windows 2000 machine
(this file is going to be at least 100 MB).
- Removable storage - Zip, tape, QIC
- Command line example: c:\>ntbackup backup "c:\test.bks"
/um /p "tarvan" /c:on
- System state will also back up the ADSI interface structure
Troubleshooting
- F8: Safe Mode / Safe Mode with Networking / Safe Mode with Command Prompt /
Last Known Good Configuration (LKGC)
- Recovery Console: winnt32 /cmdcons (will add the setup to boot.ini).
Log on as administrator, type "help": fixmbr / fixboot / diskpart / listsvc
(enable or disable services).
- Enable boot logging - logs all events to a boot file (c:\winnt\ntbtlog.txt)
- Last Known Good Config - last time the system was shut down successfully
- Directory Service Repair Mode - repair ADSI
Level 6 - User Profiles - Disk Structures - Basic and Advanced
Profiles
- Local user profile:
Documents and Settings \profile \user config \data; NTUSER.DAT contains
all the registry information
- Manage: right-click My Computer / User Profiles / Delete / Change Type / Copy To
- Roaming profiles allow users to log on to any machine in the domain
(most effective with NT clients) with the same profile (desktop
settings, etc.)
- Roaming profiles, configuring and starting - under the user's profile
path enter the UNC name for the server and profile directory.
- When creating a profile, start with the default and customize, then copy
to the users' directories.
- Mandatory profiles - all settings and configuration changes will be lost
after the user logs off. This is used mainly for temporary users or
guests.
Hard Disk Structures
Basic
- Primary and logical disk
- Compatible with most OSs that support FAT16/32/NTFS; cannot contain
2000 mirrored/striped/RAID-5 sets.
Dynamic Disk - stored in volumes: Simple/Spanned/Striped/Mirrored/RAID-5
- Cannot be accessed from 95/98 clients, needed for RAID types, cannot
contain logical or primary partitions.
- Creating: right-click the drive and choose "Upgrade to Dynamic Disk"
Dynamic Disk - Fault Tolerance
- RAID 1 Mirroring requires 2 physical disks
- RAID 3 Disk Striping with 3 Parity requires 3 physical disks
- RAID 5 Disk Striping with Parity requires 3 physical disks
- Revert to basic (requires that you delete all partitions) and select Revert
Advanced Disk Configurations
Disk Quotas
- Requires NTFS - per group
- Enable at the volume level - set min/max for alerts, add quota
entries
Hotfixes
- Installing after an OEM install: put the hotfix into the directory $OEM$ and add to the cmdlines.txt
file under [Commands]: hotfix.exe -Q (quiet)
Level 7 - Encrypting File System - Local Account Policies
Encrypting File System
- Notes on encryption:
NTFS only; compression or encryption, not both; anyone with the NTFS permission can delete
an encrypted file; you cannot share an encrypted file; files are unencrypted when moved or copied to
FAT or floppy; they stay encrypted when moved or copied to a compressed folder.
- 3 keys/certificates:
User key - private key - master key; this key will also be deleted
if the user is deleted.
Recovery Agent key - public key (issued the first time, paired with the master;
a copy is stored with each file)
File Encryption Key - unique per file, stored encrypted
Data Recovery Agent - DRA: local admin on both 2K Pro/Server; on domain
controllers - ADSI domain admin (no local)
Command line
- cipher /e: encrypt, /d: decrypt
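The three-key structure above, as an added example that is not part of the original notes or of Microsoft's implementation: each file gets its own FEK, and the FEK is stored with the file wrapped under the user's public key and again under the Data Recovery Agent's public key, so either private key recovers the file. Textbook RSA with small constructed keys stands in for the certificates, and a SHA-256 keystream stands in for the file cipher; all key material here is generated locally.

```python
import hashlib
import os
import random


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test (enough for a constructed example)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    """Odd candidate with the top bit set, retried until it passes Miller-Rabin."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p, rng):
            return p


def make_keypair(bits=64, seed=None):
    """Return (public, private) as ((e, n), (d, n)); seeded so runs are repeatable."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is the gcd(e, phi) == 1 check
            return (e, p * q), (pow(e, -1, phi), p * q)


def _keystream(fek, length):
    """Stand-in symmetric cipher: SHA-256 counter mode keyed by the FEK."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(fek.to_bytes(16, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_file(plaintext, user_pub, dra_pub):
    """Return (ciphertext, DDF, DRF): one per-file FEK, wrapped for the user and the DRA."""
    fek = int.from_bytes(os.urandom(8), "big")            # unique per file, 64 bits
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(fek, len(plaintext))))
    ddf = pow(fek, *user_pub)                               # Data Decryption Field (user key)
    drf = pow(fek, *dra_pub)                                # Data Recovery Field (DRA key)
    return ct, ddf, drf


def decrypt_file(ct, wrapped_fek, private_key):
    """Unwrap the FEK with the private key matching the field used, then decrypt."""
    fek = pow(wrapped_fek, *private_key)
    return bytes(a ^ b for a, b in zip(ct, _keystream(fek, len(ct))))


def demo():
    """User recovers via DDF; after the user key is gone the DRA recovers via DRF."""
    user_pub, user_priv = make_keypair(seed=1)
    dra_pub, dra_priv = make_keypair(seed=2)
    secret = b"payroll.xls contents (constructed sample)"
    ct, ddf, drf = encrypt_file(secret, user_pub, dra_pub)
    by_user = decrypt_file(ct, ddf, user_priv)
    by_dra = decrypt_file(ct, drf, dra_priv)                # works even if the user is deleted
    wrong = decrypt_file(ct, ddf, dra_priv)                 # DRA key cannot open the user's field
    return by_user == secret, by_dra == secret, wrong == secret
```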
Certificate Server
- Install in the root domain; cannot rename or remove from the domain
- Enter the organization's info; will operate in the background
- Runs under Services - ADSI Sites and Services - view with the MMC
Local Accounts and Policies
- Default users: Administrator / Guest (disabled) [General / Member Of / Profile / Dial-in / Environment / Sessions / Remote
Control / Terminal Services Profile]
- For a new user or group a SID will be created.
Local Security Policy - domain settings are set to override
- Audit Policy / User Rights Assignment / Security Options
- User Rights Assignment [log on locally / shut down / change time]
- Security Options [disable Ctrl-Alt-Del]
Public Key Policies
- Encrypted Data Recovery Agents
IP Security Policies on Local Machine
- Client / Server / Secure Server
Security Configuration and Analysis
- 5 different levels: Basic / Compatible / Secure / High Secure / Dedicated
Domain Controller
- 7 groups: Administrators / Users / Power Users / Backup Operators / Interactive / Network / Terminal
Server
- Users group is the most secure; may shut down locally; full control over their own user
data; cannot install apps for others
- Power Users are in between Users and Administrators: install apps that don't
change the system config, create and manage local users and groups,
stop and start services (not started by default)
- Backup Operators: log on locally and back up the system
- Security tool - configuration and tools
- Analyze: right-click the name, open, import template; right-click, open
/ open database / analyze / configure; view settings, save, export
Command line security tool: secedit.exe
- secedit /configure /db secedit.sdb /cfg security.inf
- View logs in c:\winnt\security\logs
IIS is installed by default and is version 5.0; this will also allow you
to share folders so they are browsable via a web browser.
Windows Networking Infrastructure
Level 1 - Network: Hardware and Protocols
Components and Configurations
* Network protocols allow data to be exchanged between 2 different
types of machines or alike. Protocols can fragment the data and
send it over a network in something called packets.
* Network Monitor is a utility that is included with 2000 Professional/Server.
This provides monitoring of packets over a network.
* TCP/IP, NWLink, and NetBEUI are some of the most common protocols.
* TCP/IP is most commonly known as a very robust, reliable, and routable
protocol; it is also required to use the Internet.
* NetBEUI is mainly used in some networks of 10 or fewer computers in
a workgroup environment. This protocol is not routable and tends
to broadcast more.
* NWLink is Microsoft's version of IPX/SPX. This protocol is routable
and is used to connect to Novell machines.
Level 2 - TCP/IP, Transmission Control Protocol/Internet Protocol
Layers of Operation
* Application - provides NetBIOS and Windows Sockets applications
* Transport - TCP/UDP provides control of packets and error correction
* Internet - ICMP/IGMP provides routing of protocol packets
* Network - LAN: Ethernet, Token Ring, FDDI; WAN: ATM, Frame Relay, and serial
lines, to name a few mediums they will transfer over.
IP - addresses/routes, connectionless, non-guaranteed, depends on higher
protocols.
ARP - resolves IP to hardware addresses (MAC), uses local broadcast,
stores results in a cache.
IGMP - used when a packet is addressed to a large group (multicast)
ICMP - Internet Control Message Protocol: error reporting and troubleshooting.
TCP/UDP create a session (one or the other)
TCP
* connection-oriented (established before exchange)
* reliable delivery - sequence # and ACK (acknowledgment)
* byte stream communication
* uses port # as end points to communicate
UDP
* example of use would be a NetMeeting session
* connectionless, no session is established
* no guarantee, no ACKs or sequence numbers.
* reliability is the responsibility of the application
* uses port numbers as the way to communicate
Application Layer Protocols
* TFTP, Web, FTP server, etc.
* Process: network, IP, TCP, port # - passed along; 1-1024 reserved
* Name process - a specified computer name must be resolved to an IP;
the IP is resolved to a MAC (Media Access Control) address
IP Addressing
* Configure the IP address by right-clicking "My Network Places",
next right-click the connection, choose Properties of TCP/IP and
assign a STATIC or DYNAMIC IP address.
* Binary uses 0 and 1, decimal is 0-9
* Using calc you can find out the binary, hex, or decimal form
of an IP address
* 4 octets, 8 bits per octet, provide a total of 32 bits
* Class A 128-191, B 192-223, C 224-239
* Host names and WINS names (LMHOSTS: c:\winnt\system32\drivers\etc\lmhosts)
Level 3 - DNS, installing and maintaining (DNSMGMT.MSC will start the
DNS console)
DNS - uses FQDNs (fully qualified domain names)
* maps FQDN to IP address
* WINS uses a flat structure like red, blue, green
* DNS uses a hierarchical structure: north.west.blue, south.east.red,
or east.north.blue.
* ipconfig allows the following options for DNS: /registerdns, /flushdns,
/displaydns
* WINS is not needed for a pure 2000 network, or if you use WINS
lookup on the DNS server.
Installing DNS
* DNS requirements - static IP / DNS name / W2K Server/Advanced
* Changes made after DNS install: c:\winnt\system32\dns - \backup
\samples
* Files: cache.dns, boot, and zone files
* cache.dns contains the root DNS servers; the boot file provides compatibility
for BIND zones.
* Service: DNS
Root Zone File - cache.dns
* points to the root servers in DNS
* leave alone if connecting to the Internet
* modify if DNS is internal only
Creating 3 Types of Zone Files
* Standard primary - manual entry - original
* Standard secondary - no entry - duplicate
* Active Directory Integrated - dynamically add computer - name
Create 2 Records
* SOA, start of authority - computer that owns the zone file
* NS, name server - computer that owns a copy
Adding Records
* New host - name and IP; may use for NetBIOS name \\name\share
* PTR - pointer record
* Alias - record where one name maps to another - can't use as a NetBIOS
name
* MX - provides a name and IP for a mail exchanger; also will need
to set priority 10/20/30
* CNAME - provides an alias, for example www.microsoft.com
Dynamic Registration with DNS - client side
* First the client registers with DNS
* Select the option under TCP/IP / DNS "register this connection
with DNS"
* Default will not allow dynamic updates
Secondary Zone Files will receive a copy from the primary
Forwarder Server
* forwards all requests to another server, makes only recursive queries
* use if you have a slow WAN link
DNS Server Monitoring
* logging
- server properties, select Logging, or use Event Viewer
* Performance Monitor provides a wealth of objects to monitor
Level 4 - WINS (Windows Internet Name Service), NetBIOS to IP Address
Management Console or MMC: WINSMGMT.MSC
* not needed if you are running in a pure 2000 environment (DNS will
take its place)
* not needed if you have the DNS server set up to forward WINS requests
Types of Resolution
* Broadcast - will not travel over a router (different subnets)
* LMHOSTS - edit the file at c:\winnt\system32\drivers\etc\lmhosts
* WINS - Windows Internet Name Server
NT and Windows 98
* NetBIOS is used for these names
* host method is used for those names
* can avoid WINS if only 1 subnet
* WINS was the foundation of name resolution
NetBIOS and Host Resolution
* NetBIOS - flat structure, all names shared, no reference to organization.
DNS - hierarchical
* common name
* name reflects organization
NetBIOS methods to resolve
* cache / name server / broadcast / lmhosts / dns
Host name
* local / hosts file / dns / netbios server / broadcast / lmhosts
WINS Process
* Builds the database when clients boot up
* Client request: the server sends an acknowledgment or negative ack; when half
the TTL (time to live) is reached the client re-registers with the WINS server,
which then sends out another TTL
* When the client shuts down it will notify the server and be marked off-line
* Client will try the primary 3 times, the secondary server next, then it will
broadcast.
Implementing, Installing and Configuring WINS
* requires a 2000 or 4.0 server, static IP address, default gateway
(not required), and clients can be 2000/NT 4.0/98/95/3.1/UNIX/Mac or
DOS.
* WINS configuring - server status / general / update interval; (server
name) properties / general / interval / database verification / advanced;
(active registrations) / new mapping / import lmhosts / delete owner;
(replication partners) / replicate now / new partner; properties / general / push
rep / pull rep / advanced.
Advanced WINS Topics - add WINS server, extra clients
* Non-WINS clients
* Add static mappings
* WINS proxy agents: registry (regedit) \hkey_local\system\current\services\netbt\parameters\enable
proxy = 1
* Add a static mapping - right-click server / New Mapping / name-scope-type-ipaddress
* Setting TTL: right-click server, select Intervals - renew / extinction / extinction
timeout / verification
* Tombstone: records will be tombstoned after 6 days
* WINS replication: PUSH - "new entry"; PULL - "send me your entries"
* Secondary will only be used if the primary is shut down
* Configure replication: right-click Replication Partners - click New / enter
name; properties general / advanced / type: pull (triggered on time interval) / push (based
on changes) / or push and pull
* WINS database backup and restore: backup - right-click the WINS server / select
Backup / enter location; restore - stop / click Restore
* Monitor WINS and configure WINS properties: display by name or
IP; Server Status - display status / check time / statistics / scavenge db / kill
old records / verify consistency / backup / restore.
* Compacting the database - stop the service, run c:\winnt\system32\WINS\jetpack
wins.mdb tmp.mdb, then start WINS
* Checking consistency - right-click server, select Verify Database
Consistency.
* Automatically backing up - General tab of the server, now set the path.
* Monitor WINS - Event Viewer / system log, Performance Monitor.
DNS to Use WINS
* must strip the hierarchical info to look up in WINS
* done through DNS
* each zone is independent
* done by the DNS server
* transparent to the DNS client
Forward Lookup Zones
* right-click Properties / WINS / check Use WINS lookup / enter IP address / Advanced / cache
timeout / lookup timeout
Level 5 - DHCP install, configure, and troubleshoot
DHCP Server
* Display Statistics / New Scope / New Multicast Scope / Reconcile Scopes / Authorize / Define
User Classes / Define Vendor Classes / Set Predefined Options / All Tasks - stop
or start / Properties
Scope
* Address Pool - available IP addresses
* Address Leases - current IP addresses being leased
* Reservations - custom reservations
DHCP Process
* request (DHCPDISCOVER) - offer - selection (DHCPREQUEST) - IP lease ACK
* uses broadcast to talk to the server: 255.255.255.255
* will use IP 0.0.0.0 until an IP is given
* halfway through the lease time (TTL) the client sends out another request for renewal
Server Requirements
* Static IP address
* Subnet mask and default gateway
* W2K Server/Advanced
Client Requirements
* almost any machine that will support TCP/IP
Installing
* Control Panel / Add/Remove / Windows Components / Networking Services
DHCP Backup - DHCP is automatically backed up
* c:\winnt\system32\dhcp
* j50.log contains all DHCP transactions (used to recover data if
needed)
* j50xxxx.log
* j50.chk
* dhcp.mdb contains all mappings
* dhcptmp.mdb
* do not deactivate a scope until you are ready to retire it.
When planning a scope think of the following
* servers, printers, routers, clients, and subnets
Convert Database to 2000 from 4.0
* will usually convert when DHCP starts by using jetconv.exe
* old db preserved under \dhcp\versiondb
* manual update from 4.0: use upgversiondb
* once the db is converted you will not be able to convert back
Scope Requirements
* IP address / subnet mask / excluded addresses / cannot modify the subnet
mask after creation
* Compact the DHCP database using the jetpack utility
Relay Agents
* use when you have multiple DHCP servers on different subnets
* use for fault tolerance
Rogue Servers
* these are servers that aren't authorized
* 80/20 rule: client 1 will reply 80% of the time
* good for load balancing
Advanced Options
Superscope - allows support for more than one scope for clients on one network.
* A 211.0.0.1 - 211.0.0.254
* A 212.0.0.1 - 211.0.0.254 exclude 212.0.0.1 - 212.0.0.254
* B 212.0.0.1 - 211.0.0.254
* B 211.0.0.1 - 212.0.0.254 exclude 211.0.0.1 - 212.0.0.254
* Global scope will override all other scopes
Scope Options
* 4 Server level - defined for all - most general
* 3 Scope level - will override only conflicts at the server level
* 2 Class level - specify OS or machine
* 1 Reserved client level - will be the most specific
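The DHCP process (discover, offer, request, ACK from 0.0.0.0 to the broadcast address, renewal at half the lease) and the four-level option precedence above, as an added example that is not part of the original notes or of the Windows DHCP service. The scope range, lease time, MAC addresses, vendor class names and option values are all constructed for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address

UNASSIGNED = "0.0.0.0"          # the client's address until a lease is granted
BROADCAST = "255.255.255.255"   # all client-to-server traffic before a lease


@dataclass
class Scope:
    start: IPv4Address
    end: IPv4Address
    lease_time: int                                   # seconds (value constructed here)
    exclusions: set = field(default_factory=set)      # addresses never handed out
    reservations: dict = field(default_factory=dict)  # MAC -> fixed address
    options: dict = field(default_factory=dict)       # level 3: scope options
    leases: dict = field(default_factory=dict)        # MAC -> (address, expiry)

    def pool(self):
        """Address pool: every address in range that is not excluded or reserved."""
        ip = self.start
        while ip <= self.end:
            if ip not in self.exclusions and ip not in self.reservations.values():
                yield ip
            ip += 1


@dataclass
class Server:
    ip: str
    scope: Scope
    server_options: dict = field(default_factory=dict)    # level 4, most general
    class_options: dict = field(default_factory=dict)     # level 2: vendor class -> options
    reserved_options: dict = field(default_factory=dict)  # level 1: MAC -> options

    def resolve_options(self, mac, vendor_class):
        """Precedence from the notes: server < scope < class < reserved client."""
        opts = dict(self.server_options)
        opts.update(self.scope.options)
        opts.update(self.class_options.get(vendor_class, {}))
        opts.update(self.reserved_options.get(mac, {}))
        return opts

    def offer(self, mac, now):
        """DISCOVER -> OFFER: a reservation wins, otherwise the first free pool address."""
        if mac in self.scope.reservations:
            return self.scope.reservations[mac]
        in_use = {ip for ip, expiry in self.scope.leases.values() if expiry > now}
        return next((ip for ip in self.scope.pool() if ip not in in_use), None)

    def ack(self, mac, ip, vendor_class, now):
        """REQUEST -> ACK: record the lease and return it with the resolved options."""
        expiry = now + self.scope.lease_time
        self.scope.leases[mac] = (ip, expiry)
        return {"ip": str(ip), "expires": expiry,
                "options": self.resolve_options(mac, vendor_class)}


def client_lease(server, mac, vendor_class, now):
    """The four-message exchange as seen on the wire, plus the lease the client ends with."""
    exchange = [("DISCOVER", UNASSIGNED, BROADCAST)]
    offered = server.offer(mac, now)
    if offered is None:                                    # pool exhausted: no offer is made
        return {"exchange": exchange, "lease": None}
    exchange.append(("OFFER", server.ip, BROADCAST))
    exchange.append(("REQUEST", UNASSIGNED, BROADCAST))   # client still has no address
    lease = server.ack(mac, offered, vendor_class, now)
    exchange.append(("ACK", server.ip, BROADCAST))
    lease["t1"] = now + server.scope.lease_time // 2       # renewal starts at half the lease
    return {"exchange": exchange, "lease": lease}


def renew(server, mac, vendor_class, now):
    """At T1 the client asks for the same address again; the server re-ACKs it."""
    ip, expiry = server.scope.leases[mac]
    if expiry <= now:
        return None                                        # lease already expired: start over
    return server.ack(mac, ip, vendor_class, now)


def demo():
    """Constructed scope: one excluded address, one reservation, options at every level."""
    scope = Scope(IPv4Address("192.168.2.10"), IPv4Address("192.168.2.20"),
                  lease_time=8 * 24 * 3600,
                  exclusions={IPv4Address("192.168.2.10")},
                  reservations={"00-aa-bb-cc-dd-01": IPv4Address("192.168.2.15")},
                  options={"router": "192.168.2.1"})
    server = Server("192.168.2.5", scope,
                    server_options={"dns": "192.168.2.5", "router": "10.0.0.1"},
                    class_options={"MSFT 5.0": {"dns": "192.168.2.6"}},
                    reserved_options={"00-aa-bb-cc-dd-01": {"router": "192.168.2.254"}})
    reserved = client_lease(server, "00-aa-bb-cc-dd-01", "MSFT 5.0", now=0)
    w2k = client_lease(server, "00-aa-bb-cc-dd-02", "MSFT 5.0", now=0)
    w98 = client_lease(server, "00-aa-bb-cc-dd-03", "MSFT 98", now=0)
    renewed = renew(server, "00-aa-bb-cc-dd-02", "MSFT 5.0", now=w2k["lease"]["t1"])
    return reserved, w2k, w98, renewed
```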
Classes
* user - RRAS and BOOTP
* vendor - OS, W2K and W98
Managing Scopes
* click Add Server / specify name / select scopes
Multicast Scope - Class D addresses
* a computer needs to talk to a group of computers at once (audio
or video)
* create by right-clicking the server / New Multicast Scope / name / enter
IPs / exclusions / lease time, then activate.
Routed Network Relay Agents
* a DHCP server on each subnet; may have problems with APIPA
* DHCP relay agent
* configure the router for BOOTP relay
RRAS
* create IP routing protocol, enter the IP address
* remove the DHCP server
Authorizing the DHCP Server - only in an ADSI environment
Level 6 - Installing, Configuring, Maintaining and Troubleshooting Remote
Access:
Define:
Remote Access is part of Windows 2000 Server/Advanced. Remote Access
is different from Remote Control in several ways. Remote Access
establishes a connection to allow clients to use network shares
and transfer data over the network. Remote Control can be very server
intensive, unlike Remote Access.
LAN Protocols:
TCP/IP is an example of a LAN protocol (also WAN)
Remote Access Protocols: PPP and PPTP are examples of remote access protocols
Building Remote Access Connections:
Hardware:
Network cards and/or modems, etc.
Connection Methods: PSTN (Public Switched Telephone Network), ISDN,
X.25, direct connection (serial connection, very limited in length
and bandwidth), cable modem, and DSL.
Drivers: needed for network hardware
Protocols: used to translate and manage communication packets
Clients: access the remote server
Remote Access Clients: almost any client that supports PPP will be
able to connect to a 2000 Server
Remote Access Server: Windows 2000 Server and above accepts remote
connections and forwards packets between remote access clients and
the network to which the remote access server is attached.
Remote Access Protocols: PPP, SLIP, and AsyBEUI.
Security Access Protocols: EAP, MS-CHAP v1 & v2, CHAP, SPAP,
and MPPE.
Encryption:
End-to-end encryption can be obtained by using IPSec. When a user
connects to a server using IPSec it establishes a key that is only
known to the server and client, created during user authentication.
Other Security: Caller-ID and Callback are some other security methods
that can be used to ensure security.
Using the Internet as a Remote Connection Method: this is also called
a VPN (Virtual Private Network).
Protocols that are used for this type of connection: PPTP and L2TP.
PPTP (Point to Point Tunneling Protocol):
* Must be IP based
* No header compression
* No tunnel authentication
* May use IPSec in a Windows 2000 environment
* Built-in PPP encryption
L2TP (Layer 2 Tunneling Protocol): much more robust and versatile
* Internetworking can be TCP/IP, Frame Relay, X.25, or ATM based.
* Header compression
* Tunnel authentication
* Uses IPSec encryption
Types of Remote Access: Dial-Up Internet, Dial-Up Remote Computer, Connect
to VPN (requires an Internet connection), Accept Incoming Connections,
and Connect Directly to Another Computer (uses a parallel or serial
cable)
Remote Access Connection (Dial-Up)
Right-click "My Network Places", select "Properties".
Add New Connection, select the first option "Connect to another
computer using Modem". Enter the phone number, select users and
name.
Remote Access Connection (VPN)
Right-click "My Network Places", select "Properties".
Add New Connection, select the third option "Connect to another computer
using existing Internet connection". Enter the IP address or hostname,
select users and name.
Options available for Remote Clients:
General / Options / Security / Networking / Sharing
General: phone number or IP address and dialing rules
Options:
Security: Typical or Advanced - select authentication types and protocols
used.
Networking: select networking protocols
Sharing: setting up ICS or dial-on-demand.
Configuring L2TP/IPSec
* Routing and Remote Access to accept incoming L2TP calls
* Client that supports remote access with L2TP/IPSec
* IPSec policies on server and client
Windows 2000 machines will support L2TP/IPSec. Windows 98 on the
other hand requires you to download an upgrade for accessing remote machines
with L2TP. That upgrade can be found on Microsoft's website free
of charge.
IPSec policies can be managed through the MMC snap-in SECPOL.
Here are the client and server IPSec policies that are required
to connect to a Windows 2000 Server running RRAS with L2TP/IPSec:
Server:
IP Filter List > Filter Properties > Addressing >
Source: My IP Address
Destination: Any IP Address
Filter Properties > Protocol >
UDP
From this port: 1701
To any port
Filter Action > Request Security
Client:
IP Filter List > Filter Properties > Addressing >
Source: My IP Address
Destination: L2TP Server IP Address
Filter Properties > Protocol >
UDP
From this port: Any
To this port: 1701
Filter Action > Request Security
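The two filter lists above modelled as an added example (not part of the original notes, and not the SECPOL snap-in's own logic): each filter carries the addressing and protocol parts shown, is mirrored so it also matches the reply traffic, and maps to the filter action. The server and client addresses are constructed; "My IP Address" is resolved to the host's own address on each side.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard standing in for "Any IP Address" / "any port"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Filter:
    src_ip: Optional[str]      # "My IP Address" already resolved to the host's own address
    dst_ip: Optional[str]      # ANY = "Any IP Address"
    proto: str
    src_port: Optional[int]    # ANY = "any port"
    dst_port: Optional[int]
    action: str                # the filter action, e.g. "Request Security"
    mirrored: bool = True      # Windows filters are mirrored by default

    def _one_way(self, p, src_ip, dst_ip, sport, dport):
        return (p.proto == self.proto
                and (src_ip is ANY or p.src_ip == src_ip)
                and (dst_ip is ANY or p.dst_ip == dst_ip)
                and (sport is ANY or p.src_port == sport)
                and (dport is ANY or p.dst_port == dport))

    def matches(self, p):
        if self._one_way(p, self.src_ip, self.dst_ip, self.src_port, self.dst_port):
            return True
        # A mirrored filter also matches the packet with source and destination swapped.
        return self.mirrored and self._one_way(
            p, self.dst_ip, self.src_ip, self.dst_port, self.src_port)


def evaluate(filters, packet):
    """First matching filter decides; with no match the packet is not covered by IPSec."""
    for f in filters:
        if f.matches(packet):
            return f.action
    return "Permit (no IPSec)"


SERVER_IP = "203.0.113.10"   # constructed address for the RRAS/L2TP server
CLIENT_IP = "198.51.100.7"   # constructed address for the remote client

# Server list from the notes: My IP -> Any IP, UDP from port 1701 to any port.
server_policy = [Filter(SERVER_IP, ANY, "UDP", 1701, ANY, "Request Security")]
# Client list from the notes: My IP -> L2TP server, UDP from any port to port 1701.
client_policy = [Filter(CLIENT_IP, SERVER_IP, "UDP", ANY, 1701, "Request Security")]


def l2tp_setup(client_sport=1701):
    """Check the first L2TP packet and the server's reply against both hosts' policies."""
    request = Packet(CLIENT_IP, SERVER_IP, "UDP", client_sport, 1701)
    reply = Packet(SERVER_IP, CLIENT_IP, "UDP", 1701, client_sport)
    return {
        "client_out": evaluate(client_policy, request),
        "server_in": evaluate(server_policy, request),    # matched through mirroring
        "server_out": evaluate(server_policy, reply),
        "client_in": evaluate(client_policy, reply),      # matched through mirroring
    }


def unrelated_traffic():
    """Plain web traffic to the same server is not covered by either L2TP filter."""
    web = Packet(CLIENT_IP, SERVER_IP, "TCP", 40000, 80)
    return evaluate(client_policy, web), evaluate(server_policy, web)
```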
Microsoft L2TP Policies for L2TP: http://support.microsoft.com/default.aspx?scid=KB;EN-US;q248750&
Registry Patch for Windows 2000: http://support.iglou.com/fom-serve/cache/510.html
More L2TP Links: http://vpn.shmoo.com/
IPTABLES rules for PPTP & L2TP
# allow IPsec
# IKE negotiations
iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -A INPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
# uncomment for AH authentication header
# iptables -A INPUT -p 51 -j ACCEPT
# iptables -A OUTPUT -p 51 -j ACCEPT
echo "VPN Access"
# PPTP: forward GRE (protocol 47) and TCP 1723 to the internal VPN server
iptables -t nat -A PREROUTING -p 47 -i eth0 -j DNAT --to 192.168.2.1
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1723 -j DNAT --to 192.168.2.1:1723
# L2TP/IPSec: forward IKE (UDP 500) and L2TP (UDP 1701) to the internal VPN server
iptables -t nat -A PREROUTING -p udp -i eth0 --sport 500 --dport 500 -j DNAT --to 192.168.2.1:500
iptables -t nat -A PREROUTING -p udp -i eth0 --sport 1701 --dport 1701 -j DNAT --to 192.168.2.1:1701
Use IPSECMON to view your current IPSec connection and also to debug
any errors you may receive.
Server Configuration:
Installing: Start the MMC console and Add Routing and Remote Access
Right-Click and Configure and Enable Routing and Remote Access.
Right Click for Properties of Server:
General / Security / IP / Appletalk / PPP / Event Logging
General: Router or Remote Access Server
Security: Select Windows or RADIUS
IP: Enable IP Routing, Select DHCP or set up an IP Address Pool. Also
can select the LAN Adapter to use.
Appletalk:
PPP: Select Compression methods
Event Logging: Select types of event logging
Routing
Interfaces:
Appletalk Routing:
IP Routing:
General:
Static:
IGMP:
NAT :
Remote Access Logging:
Remote Access Policies: Used to specify how a user will connect
to the server (Not part of ADSI).
Adding: Right Click and select New Policy, select Name, Add Type
and set options.
Policy is applied and Dial-In Permissions are then checked.
(ADSI)
Allow Users: Users - Dial-In Type (Default is to deny Access)
(Non-ADSI) Computer Management Find Users and Groups Right Click
User and Modify then Select Dial-In tab and deny/allow
Level 7 - Using ICS, NAT
(ICS or Internet Connection Sharing) Shared Access: Configure any interface
and include shared access. This will do the following:
* Assign Static IP Address to sharing device.
* Assign DHCP to clients connecting to shared access.
* Use DNS for name resolution
Configuring Shared Access: Select Routing and Remote Access then select ICS
and enable. Then select properties of the device connection you
wish to share and enable.
Settings of Sharing Tab allows you to set up Services and Applications to
be used by computers sharing the device.
Protocols that will not work using ICS:
IPSec, COM, DCOM, RPC, LDAP, and SNMP
(NAT or Network Address Translator) Connection Sharing:
Configuring:
Open up Remote Access in MMC and select IP Routing and then Select
NAT
Right Click gives you the options: New Interface / Show DHCP Allocator
Information / Show DNS Proxy Information / Properties.
Properties: General / Translation / Address Assignment / Name Resolution
General: Allows you to setup logging
Translation: Remove TCP/UDP mappings setup
Address Assignments: Configure Remote IP Address Configurations
Name Resolution: Setup DNS for remote clients that translate through
NAT.
Setting Up Modem for NAT:
Start Remote Access Wizard for NAT, Select Dial-UP Interface, First
Enter Name, Specify Modem, Specify Phone Number, Type of packets
being routed. Next Enter Username, Password and Domain.
NAT Remote Router Configuration: SNMP, LDAP, COM, RPC, and IPSec will not
work through this type of interface.
Remote Interface: Show Mappings / General - Translate TCP/UDP Connected
to the Internet / Address Pool - This allows you to set up incoming
connections / Special Ports - Select Interface, Port #, IP Address
and Outgoing Port
Public Interface: Show Mappings / Properties - Public Interface selected
to Interface
Security Levels: Client (Respond Only) - Server (Request Security) - Secure
Server (Required to use IPSec).
IPSec (Internet Protocol Security): Before two machines talk with each
other, first make sure that they're authenticated! Once the authentication
has been accomplished, all your data will be encrypted.
IPSec Policies for Workstation: Properties of your connection, select Advanced
- Options - Optimal Settings - IP Security - Properties.
Using Authentication: Use Kerberos, Digital Certificate, or Password.
Setting Up Mode:
Transport Mode: 2 computers communicating with each other; this is
the default config.
Tunnel Mode: PPTP or L2TP are protocols that use IPSec for all Internet
Traffic.
IPSec Policies are used in ADSI to make things much easier and automated.
Windows Active Directory Services
Authentication: SHA, MD5
Encryption: 56-Bit DES, 40-Bit DES, or 3DES
IPSec Interfaces: (secpol.msc)
Configured through MMC IP Security Management. Will start Wizard
- Select what to manage: Client / Server / Secure Server
Properties: Rules / General
Rules: Set up IP Security Rules - Authentication - Security - Connection
Type
Assign: Once the policy is configured you will need to choose Tasks -
ASSIGN
Certificate Authority with Windows 2000 Service
Certificate Authority allows 2 computers to create a session that
is secure and trusted.
Roles of Certificate Authority
* Authentication
* Confidentiality
* Integrity
Setting up the Certificate Authority
* Internal
- Enterprise Root CA
- Enterprise Subordinate CA (Will get a copy from the root and generate
a certificate for each client)
* External
- Stand-alone Root CA (Generates the original seeds from which certificates
are also sent out.)
- Stand-alone subordinate CA (This will generate individual certificates
based on what the Stand-alone Root CA gave it.)
Installing Certificate Authority
* Add/Remove Programs/Components/Certificate Services
- Stand-alone does not require ADSI; Enterprise does require ADSI.
Backing up Certificate Authority
* Open Certification Authority Console - Right click on Server and
choose "All Tasks" there you can select what type of backup.
Windows 2000 Routing Capabilities (Not as efficient as a hardware router)
* Routing allows you to build more complex networks and connect
them through TCP/IP
* Routing Protocols RIP (Routing Information Protocol) and OSPF
(Open Shortest Path First).
* Route tables consist of Dynamic and Static Routes
* Route command will allow you to setup static routes.
* Multicast Routers allow you to broadcast to a group of computers.
Creating a Router
* Requires you to have 2 network cards that will separate and route
machines.
* Adding routes
- Cmd prompt using ROUTE command Dest/Netmask/Gateway/Interface/Metric
- Graphical Interface using MMC (RRASMGMT.msc) - Static Route (Interface/Dest/NetMask/Gateway/Metric).
* Protocols
- Adding IP Routing / General / New Routing Protocol
- (DHCP Relay Agent/IGMP Ver 2, Router and Proxy/Network Address
Translation NAT/OSPF/RIP)
- RIP is ideal for small networks (will transmit entire route table
each 30 minutes)
- OSPF is ideal for large networks (will only transmit changes)
Custom Subnetting and Supernetting
Class A 255.0.0.0
Class B 255.255.0.0
Class C 255.255.255.0
Custom Subnetting
* Use bits reserved for host extra subnets
* How many bits
- Number of hosts needed
- Number of subnets needed
* Use Calculator (Decimal mode)
- Class B Address received
- Need 60 Subnets, 1000 Hosts per subnet
- Insert 60 in Decimal and Convert it to Binary
- Count Number of Bits, which equals 6
- 2 to the 10th power and subtract 2
- To find the subnet mask, enter the subnet bits in binary (60 = 6 bits,
so six 1's) followed by the rest of the octet, which is two more 0's.
Next click Decimal.
Determining custom mask
- Convert host/subnets from decimal to binary
- Count the bits
- Double-check enough hosts/subnets
- Convert mask to decimal
- Compute subnet
Subnet Example
- 131.107.x.y
- 60 subnets, 1000 hosts
- mask 255.255.252.0
- 11111100
- Lowest 1 in mask is 4's
Range of Subnets
- 00000100 is first subnet
- 11111000 is last subnet
- 00000100 00000001 is first client
- 00000111 11111110 is last client
Ranges
131.107.4.1 to 131.107.7.254
131.107.8.1 to 131.107.11.254
Supernetting -
- Subnetting in reverse: steal Network bits for more hosts. This
is done because there aren't enough addresses. This can combine a
group of class C addresses.
- Represented by a network ID and mask 192.168.16.0/20 stole 4 bits
for hosts.
- Mask is 11110000
- Lowest bit is 16's
- Addresses from 192.168.16.x to 192.168.31.x are on the same network
- Client range
- 192.168.16.1
- 192.168.31.254
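The custom subnetting and supernetting arithmetic above (60 subnets of 1000 hosts on a Class B, and the 192.168.16.0/20 supernet), carried out in Python as an added example; this is not part of the original notes. It generalizes the notes' single calculation to any classful network and requirement, uses only the standard library ipaddress module, and follows the notes' convention of discarding the all-zeros and all-ones subnets.

```python
"""Added example: the subnetting and supernetting arithmetic from these
notes, carried out with Python's standard ipaddress module (not part of
the original notes). Inputs are the notes' own figures: a Class B network
131.107.0.0 that must provide 60 subnets of 1000 hosts, and the supernet
192.168.16.0/20."""
import ipaddress


def bits_needed(count, usable=False):
    """Smallest number of bits whose value range covers `count`.
    usable=True reserves the all-zeros and all-ones host patterns
    (the notes' "2 to the 10th power and subtract 2")."""
    bits = 0
    while (2 ** bits) - (2 if usable else 0) < count:
        bits += 1
    return bits


def custom_mask(class_prefix, subnets_needed, hosts_needed):
    """Return (prefix_length, dotted_mask, binary_octets) for a classful
    network of `class_prefix` bits (8 = A, 16 = B, 24 = C) that must be
    carved into `subnets_needed` subnets of `hosts_needed` usable hosts."""
    subnet_bits = bits_needed(subnets_needed)
    host_bits = bits_needed(hosts_needed, usable=True)
    if class_prefix + subnet_bits + host_bits > 32:
        raise ValueError("not enough address bits for that many subnets and hosts")
    prefix = class_prefix + subnet_bits
    mask = ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask
    # each octet of the mask as an 8-bit string, e.g. 252 -> "11111100"
    binary = [f"{octet:08b}" for octet in mask.packed]
    return prefix, str(mask), binary


def subnet_ranges(network, prefix, skip_all_zeros_and_ones=True):
    """List (network, first_host, last_host) for every subnet of `network`
    at the new `prefix`. The notes follow the classic RFC 950 convention of
    discarding the all-zeros and all-ones subnets, so that is the default."""
    subnets = list(ipaddress.ip_network(network).subnets(new_prefix=prefix))
    if skip_all_zeros_and_ones:
        subnets = subnets[1:-1]
    # s[1] is the first usable host, s[-2] the last (s[-1] is the broadcast)
    return [(str(s.network_address), str(s[1]), str(s[-2])) for s in subnets]


def supernet_summary(cidr):
    """Describe a supernet: its mask, the Class C (/24) networks it
    combines, and the usable client range across the whole block."""
    net = ipaddress.ip_network(cidr)
    class_c = list(net.subnets(new_prefix=24))
    return {
        "mask": str(net.netmask),
        "mask_binary": [f"{o:08b}" for o in net.netmask.packed],
        "networks_combined": len(class_c),
        "first_network": str(class_c[0].network_address),
        "last_network": str(class_c[-1].network_address),
        "first_client": str(net[1]),
        "last_client": str(net[-2]),
    }


if __name__ == "__main__":
    prefix, mask, binary = custom_mask(16, 60, 1000)
    print(f"131.107.0.0 with 60 subnets x 1000 hosts -> /{prefix} {mask} {binary}")
    for net, first, last in subnet_ranges("131.107.0.0/16", prefix)[:3]:
        print(f"  {net:16} {first} to {last}")
    print(supernet_summary("192.168.16.0/20"))
```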
Implementing and Administrating ADSI
Level 1
What Active Directory is?
Active Directory is one of the main features of the W2K server family.
It replaces the SAM file of Windows NT 4.0 with a directory service
that is designed to act as a centralized repository of network, computer
and user objects.
Active Directory can hold millions of objects, unlike the SAM file which
was limited to 40 Megabytes of Users and Groups.
* Benefits and Features
- Organize
- Manage
- Control
* Embraces these features
- DHCP, DNS, SNTP, TCP/IP, X.509, Kerberos, LDIF, and LDAP.
* More benefits
- Fault tolerance
- Scalable
- Interoperable with NT, Netware, and Unix
* Active Directory relies on simple standards such as
- Distinguished Name: DC=net, DC=usatoday, CN=Users, CN=John Paul
- Relative Distinguished Name = John Paul
- User Principal Name (similar to email): jpaul@usatoday
- Downlevel (NetBIOS) Log on Name (backwards compatibility) Usatoday\Jpaul
- Globally Unique Identifiers (GUIDs) 128-bit, never changes, unique
to each object, and assigned automatically from the OS.
- Uniqueness of Names
* Naming Standards
- AD Domains employ the Domain Name System (DNS) and must all follow
DNS rules
- All objects in a domain must have unique names.
- Objects include such things as Users, Groups, Computers, Printers,
and Folders, etc.
Overview of ADSI Logical Structure
* Organizational Units
* Domains / Domain Trees
* Forest
Logical Organization
* Defines how AD is structured
* The domain is the Parent Container
* Organizational units (OU's) can create different levels of authority
in a hierarchical fashion
* Scalability
- Multiple domains can form a tree
- Multiple Trees can combine to create a Forest.
Active Directory Domains
* Security Boundary
* Unit of Replication
* Domain Modes
- Mixed Modes (NT 4.0 and 2000)
- Native Mode (Completely 2000 controllers)
* Organizational Units
- Delegate Administrative Control at OU Level
- OUs Enable Single Domain Model
* Trees within a forest
- First Domain to come online in a forest is considered the Root Domain
- Within a forest, a Two-Way Transitive Trust is automatically created
- NT 4.0 Domains can have One-Way Non-Transitive Trusts
Active Directory Physical Structure
* Segment Directories into Sites
* Sites
* Domain Controllers
* Layout
- The site is the main component in the physical organization of
AD
- Sites are defined by IP subnet addresses
- Sites are connected via site links
- By creating sites, you can control the amount of replication traffic
AD sends across slower WAN connections.
Active Directory Installation Requirements
* Windows 2000 Server / Advanced / Data Center
* One NTFS Volume for the System & Directory Service Database
(NTDS.dit)
* Sufficient Disk Space (>1 GB)
* TCP/IP Configured with DNS
* A DNS Server that supports (SRV) Service Resource records &
DNS Dynamic Updates
* Correct Time Zone and Time Settings
* DNS
- DNS is the primary method for name resolution
- Users rely on DNS to locate objects within ADSI
- Windows 2000 still supports WINS for backward compatibility (NetBIOS)
* Installation Considerations
- DNS supports SRV, Dynamic Updates, and Incremental Zone Transfers
(cut down on network traffic)
* Windows 9x Clients need the Windows 2000 Directory Service Client
- Install from \Clients\Win9x\Dsclient.exe (2000 Server CD)
- To change User Passwords on Active Directory Domains
- To Search Active Directory
- To Use Windows 2000 Distributed File System (DFS)
Different Active Directory Functions
* Active Directory Domain Controllers
- Replication between domains
- Any Windows 2000 Server may be promoted to Domain Controller Status
- Domain Controllers are responsible for maintaining all AD objects
in a Domain
- Each DC maintains a complete READ/WRITE copy of the AD database
on the Local Computer ( No more PDC or BDC just DC)
- Changes can be applied to any DC in the Domain
* Domain Controllers in the same domain automatically replicate &
synchronize AD database information whenever changes are made.
- Regular Interval Replication
- Urgent Replication
* Flexible Single Operation Masters (FSMOs)
- Are installed on the first Domain Controller that comes online.
* Global Catalog Server has a partial list of object attributes.
Required for users to locate a Domain Controller.
- Only 1 Global catalog server exists in the entire forest by default.
- Additional Global Catalog servers can be added to a forest to
speed up users queries for resources
- At least one Global Catalog server should be implemented per Active
Directory Site/physical location.
* Manually configuring a Computer to be a global catalog
- Properties of NTDS Settings under Sites. There will be a check
box for a global catalog.
* PDC Emulator
- One PDC Emulator exists in each Domain
- Designed for downlevel support of computers not running Windows
2000
- Processes password changes and replicates updates to BDCs running
older versions of Windows NT
- Still exists in Native Mode
- PDC Emulator role can be seized by an Administrator in case of
failure
- Loss of the PDC Emulator will not permit adding new User accounts
- Loss of PDC Emulator will not allow you to manage DOMAIN GPOs
* Seizure of PDC Emulator Role
- use NTDSUTIL to seize the role
- Seizure occurs immediately and the role should be transferred
if the current PDC Emulator will be off-line for any period of time
- When the original PDC Emulator is back online the role may be returned.
* Schema Master (Structure of how the database is organized and which
fields the database can change; cannot be modified or deleted).
- Only 1 Schema Master in the entire forest
- Controls all updates and changes to the Active Directory Schema
- Schema Master role can be seized by an Administrator in case of
failure
- A Schema Master failure would not be noticed unless a Schema Modification
were attempted by an Administrator.
* Drastic Measures
- Seizure of the Schema Master role is a drastic step that should
be considered only if the current Schema Master will never be available
again.
- Before seizing the Schema Master role, make sure the current Schema
Master has been removed from the network.
- Use the NTDSUTIL to seize the role
- The old Schema Master must be formatted and reinstalled.
* Domain Naming Master (Responsible for managing the additions or
removal of domains in the forest.)
- There is only 1 Domain Naming Master per forest
- controls the addition or removal of Domains in the forest
- Domain Naming Master role can be seized by an Administrator in
case of problems.
- A failure to the Domain Naming Master would be noticed by an Administrator
when attempting to add a new domain to the forest.
* Drastic Measures
- Seizing of the Domain Naming Master role is a drastic step that
should be considered only if the current Domain Naming Master will
never be available again.
- Before seizing the Domain Naming Master role, make sure the current
Domain Naming Master has been removed from the network.
- Use the NTDSUTIL to seize the role
- Must be formatted and reinstalled.
* RID Master (Relative Identifier Master)
- Manages all assignments of SIDs to objects in Active Directory
- There is one RID Master in each domain
- the RID Master assigns group ranges of sequential RIDs to each
DC in a domain for assignment to new objects.
* RID Master Role
- RID Master role can be seized by an Administrator if the FSMO Server
goes down.
- A failure to the RID Master would not be noticed by an Administrator
unless DCs run out of RIDs to assign.
* Drastic Measures
- Seizing of the RID Master role is a drastic step that should be
considered only if the current RID Master will never be available
again.
- Before seizing the RID Master role, make sure the current RID
Master has been removed from the network.
- NTDS Util to seize the role.
- Will need to reformat and reinstall
* Infrastructure Master
- There is 1 Infrastructure Master in each Domain
- Responsible for updating the Group-to-user references whenever
group memberships change
- Infrastructure Master role can be seized by an Administrator in case
of failure.
- A failure to the Infrastructure Master would not be realized by an
Administrator unless attempting to update group memberships.
* Drastic Measures
- Seizing of the Infrastructure Master role is a drastic step that
should be considered only if the current Infrastructure Master will
never be available again.
- Before seizing the Infrastructure Master role, make sure the current
Infrastructure Master has been removed from the network.
- NTDS Util to seize the role.
- Will need to reformat and reinstall
* Viewing Operation Masters
- Users and Computers, Select View, Advanced Features, Right Click
on the Domain and Select Operation Masters
* Changing Masters
- RID
- PDC
- Infrastructure
* Seizing Roles with NTDS Utility
- c:\winnt\system32\ntdsutil (help ?)
- NTDSUTIL: Roles = fsmo maintenance ( This allows you to Seize
roles and Transfer Roles)
Domain Controller Performance Considerations
- Enough memory
- Provide a standby Operation Master Server
- May want to separate the RID Master and PDC Emulator in very large
environments
- Do not separate Domain Naming Master and Schema Master
* Domain Controllers - One or more for each Physical location
* Global catalog server - One or more for each Physical location, place as
close to users as possible, and don't place the Infrastructure Master on
a GC Server
* FSMO
- All Operations Masters installed by default on FIRST Domain Controller
(ROOT)
- Consider moving some roles for fault tolerance and load balancing.
Promoting a Domain Controller to an Active Directory Computer
* ADSI Install Requirements
- 2000 Server or Advanced
- NTFS with 1 G for NTDS
- TCP/IP
- DNS with Dynamic Updates and SRV Resource Records
- Correct Time and Time Zone Settings
* Installing using DCPROMO
Level 2 - DNS and Active Directory Work Together, Implement a Strategy,
Work with Groups.
Foundation of how Active Directory is built.
DNS
- Name Resolution Component of the TCP/IP Networking Protocol Suite
- AD Objects must follow standard DNS Naming Conventions
- DNS provides name resolution for networking objects
- Internet Standard
- Uses hierarchical structure
- AD relies on DNS as primary name resolution method for locating
AD resources
DNS Naming Requirements
- Standard DNS character set - A-Z, a-z, 0-9, -
- Public Internet presence - must be registered with InterNIC
FQDN (Fully Qualified Domain Names)
Unique way to identify an object: joe.names.american
DNS Resolution Types
- Hostname to IP Address (Forward Lookup)
- IP Address to Host Name (Reverse Lookup)
- Services to Host Name or IP Address
* Looks up Services (SRV) Records, especially important for locating
Domain Controllers for Lookup Validation for clients.
DNS Zones
- Distinct and contiguous partition of Domain Name Space
- Multiple zones can provide scalability for very large networks
- Allow for Secondary DNS Service
- Permit delegation of control to more than one name server
- Each Zone has its own zone database file stored on a DNS Name
Server
- Can be stored within Active Directory (Active Directory Integrated
Zone: Secure Updates and Replication between different zones).
Active Directory DNS Configuration
- DNS Server support for
* SRV Resource Records (required) rfc2052
* DDNS Dynamic Update Protocol (recommended) rfc2136
* Incremental Zone Transfers (recommended) rfc1995 AXFR = Full Zone
Transfer IXFR = Incremental Zone Transfer
Using Non-Microsoft DNS Server
* Berkeley Internet Name Domain (BIND) 8.1.2 or above for UNIX Computers
Active Directory Integrated Zones
* Zone is stored within Active Directory instead of the default
location for non-integrated zones (%systemroot%\system32\dns)
* Zone information is replicated as part of AD Domain Replication
* Secondary Zones Become Write-enabled.
Name Server Roles
- Primary Name Server
* Zone information is locally maintained files
* Start of Authority (SOA)
- Secondary Name Server
* Zone information downloaded from a master name server (primary)
- Master Name Server
* Source of information for a secondary server - can be a primary
or secondary
- Caching Only
* Does not keep any zone information
DNS Name Resolution
(1) Client - Recursive Query (2) Local Name Server (3) Root Name
Server (4) Outside Name Server (5) Send to Client
Create Zones on 2000 Server
* DNS Console [run] dnsmgmt.msc (snap-in)
- Forward Lookup Zones
* Name Zone - (1) right click / (2) wizard / (3) select type of
zone (Primary / Secondary / ADSI) / (4) Standard Primary (5) Enter
Zone Name - starvideo.com (6) New Zone File / Use Existing File
starvideo.com.dns (7) complete summary.
Now the zone will contain SOA and NS both pointing to the default
DNS Server you created it on. You now should have a file called
starvideo.com.dns with all the information similar to a BIND setup.
* Change to ADSI Integrated (1) Select Change Button (2) Choose
ADSI (3) Apply
* Tabs available General / SOA / Name Servers / WINS / Zone Transfers
* Zone Transfers ( add to name servers list)
* WINS Tab - Enable WINS Forward Lookups, used to find names that
DNS cannot resolve.
- Reverse Lookup Zones
* Problems (forward request to Internet) cannot forward on root
server.
- Enable forwarding - select root or . and delete. Now the root.hints
should be read to domain and forwarding will be enabled.
- Will have to wait a few minutes for the changes to take effect.
Windows 2000 Active Directory Groups
- Universal Groups (New Group from NT 4.0)
* Only available in Native Mode
* Can contain Users and any Global or Universal groups from any
Domain within the Forest
- Global Groups
* Can contain Users and other Global groups from the same Domain
- Domain Local Groups
* Can contain Users and other Domain Local Groups from the SAME
Domain
* Can contain Global and Universal groups from any domain within
the same Forest
- New Group
Mixed Mode Domains
- First installed Windows 2000 ADS acts as "PDC Emulator"
for backward compatibility with 4.0
- Group nesting limited to GLOBAL and LOCAL
- Directory Size Limited (SAM)
- Transitive Trust not available to Downlevel clients (W9X or NT4.0
Clients)
- NT 4.0
- Functionality is limited: FSMO, NTLM replication manager.
Native Mode Domains
- No more downlevel DCs; Downlevel Member Servers & Clients are
OK
- Expanded Group Nesting and Universal Groups become available
- NO PDC Replication
- Full group nesting
- Tree or Forest can mix Native and Mixed mode domains
- Recreate System Policies using AD group policy objects
Adding a new group with ADSI
- (1) select users (2) right click new group (3) Group Name / Group
Name (pre-Windows 2000) / Group Scope - Domain Local / Global /
Universal (only in Native mode) Group Type - Security / Distribution
(E-mail purposes)
Switch to Native from Mixed
- (1) right click domain under Users and Computers (2) select change
mode (3) confirm and apply (may take 15 minutes; this process is
not reversible)
- Group Properties (1) General: Name / Descriptions / Scope / Group
Type (2) Members (3) Members Of (4) Managed By - Messaging, integrated
with Exchange Server 5.5 or 2000
- Working with Computer Accounts
- ADSI COMPUTERS Container Create New Before Joining Domain
* (1) Right Click Select New (2) Enter Name / (pre-2000) / User
or Group (the following user or group can join this computer to
a domain)
* Options for Computer Right Click Manage / Delete / Disable / Move
/ Properties
* Properties for Computer General (Name / DNS / ROLE) / Operating
System (Service Pack OS Version) / Member Of (Groups) / Location
/ Managed By
* Trust for Delegation Use for Clients using Encryption
- Add New OU (can use for separate group policies)
* Right click ADSI in Users and Groups (1) New / OU (2) Enter Name
- Moving Objects into new domains
- Apply separate policy (1) Right Click OU (2) Properties (3) Group
Policies
- Publish Shared Folders or Printers
* Share Folder must exist first. (1) Expand Domain (2) Select OU
(3) Right Click Select New / Shared Folder (4) Name and Path
* Properties
- Modify Security ADSI Objects
* Select Advanced View from Menu to view permissions (General /
Managed By / Object / Security)
* (1) Right Click Folder (2) Properties (3) Security Tab (4) Default
Security Settings - Grey Permissions have been inherited
* Explicit or Inherited (White check box or Grayed out box)
* Full Control of Objects will allow you to act on the object / set permissions
/ and change owner
- Allow inheritance is checked by default.
* Set at the top level - (1) Change at the top level (2) The children
will inherit
* Uncheck the box, you can copy all the inherit permissions or keep
explicit permissions
Performance and Troubleshooting
- Guideline for Using Groups Under Active Directory
* Place User Accounts into Global Groups
* Place Global Groups into Domain Local Groups (NT 4.0 Local Groups)
* Assign Security Permissions to Domain Local Groups
- Universal Groups
* Universal groups can be used in lieu of Domain Local Groups and
Global Groups NATIVE GROUP
* Universal groups require more storage space within Active Directory
(use them just when necessary)
- Intra-Site Replication
* Default Intra-Site Replication - Default FIVE MINUTES
* You can edit this value in the registry.
* You can Force Replication for immediate synchronization with other
Domain Controllers
- Inter-Site Replication
* Default Inter-Site replication - Default 3 HOURS
* You can modify Inter-Site Replication Interval changing
Site Link settings
* You can also force replication at any time for immediate updates.
- How to Force Replication
* ADSI SITES AND SERVICES (1) Select one with site to output (2)
NTDS (3) Select Partner (4) Right-Click (5) Replicate Now
- TRACKING PERFORMANCE WITH ADSI
* Locate Performance Console
* All Active Directory counters - NTDS object
- AD Performance Counters to Watch
* DRA Inbound object updates / DRA Pending Replication / LDAP Client
Sessions / LDAP Bind Time
Support Tools - Use Help and Type Active Directory support tools.
Level 3 - Working with Group Policies and Objects (GPOs)
- Group Policies Objects GPOs
* Administrators can centrally manage user settings and computer
settings under AD (enhancement to System Policies)
* Policy settings can be applied to either Users or Computers at
the Site, Domain or OU level SDOU (Site, Domain, Organizational Unit)
* GPOs can lower TCO by locking down desktop settings and by automatically
protecting against system errors and deletions caused by users.
* Software Installation Settings
* Scripts Startup/Shutdown Logon/Logoff
* Security Settings Desktop Settings / Auditing
* Manage Browser Settings
* Remote Installation Services
* Setup and Maintain Folder Redirection (My Documents)
* Administrative Templates
- Active Directory Users and Computers OU (1) Right Click OU (2)
Group Policy
- Active Directory Users and Computers Domain (1) Right Click the
Domain (2) Group Policy
* Default GPO setup by MS by default (1) Edit Change Settings Computers
/ Users
* Software Installation will use a MSI file to install software
next time the user installs.
- Creating a new GPO for a OU (Organizational Unit) (1) Right-Click
Properties (2) Group Policy Tab (3) Click new and enter name.
* Changing settings select 'edit' and will open an MMC console to
change Computers / Users Settings
* Other options on Group Policy Menu - Options allows you to set
Link Options - Properties Allows you to set permissions, links,
or general including Disable User or Computer settings.
* Remember to thoroughly test GPOs
- Using Secedit
* /enforce Refreshes security settings, even if there have been
no changes to the Group Policy object settings.
* /analyze
This command analyzes system security
* /configure This command configures system security by applying
a stored template
* /export This command exports a stored template from a security
database to a security template file.
* /validate This command validates the syntax of a security template
you want to import into a database for analysis or application to
a system
- Group Policy Options and Permissions
* Exclude certain users or groups (1) Select GPO (2) Select Properties
(3) Security Tab (4) Select USER and choose to apply or uncheck
Apply Group Policy
* Options - No Override Will prevent objects from overriding any
other policies Disable - Will not be applied within container use
this for testing.
- Take an existing GPO and link to another GPO (1) Properties of
Site (2) Click Add on GPO Object (3) Select Location either Domains/OUs/Sites/All
* Changing update interval under (1) GPO (2) Computer Configuration
(3) System (4) Group Policy
- Folder Redirection -
* Application Data / Desktop / My Documents / Start Menu
* (Need to use a UNC)
* Target - May choose Advanced or Basic Advance will allow you to
configure groups
* Settings - Grant the user exclusive rights to - Move the contents
to a new location - Leave Folder at location when policy is removed
- Redirect back to local policy
- Deploying a Software Package through MSI http://www.jsiinc.com/SUBH/tip3900/rh3999.htm
* (1) Setup Folder to Share and Permissions (2) Select Proper GPO
(3) Edit GPO (4) Select Users Configuration / Software Configuration
Right Click - New - Package (5) Now find MSI to install and select
proper installation.
* Be sure that no other GPOs are conflicting
- Software Installation Options
* General / Deployment / Upgrades / Categories / Modifications /
Security
* (Assignments or Publish) Assignments can happen per user or per
machine / Published applications occur only per user.
- Troubleshoot GPO and Software Deployment
* Confirm Access to MSI and Source Files.
- Applying Security Settings via GPO
* Computer Configuration Policy Only
* Policies can apply to the entire Active Directory environment or
to individual Computers
* GPO Security Settings are inherited from the parent container
downward just like all other GPOs
* Create a new Policy and Choose NO OVERRIDE under Options this
will make this apply to all OUs
* (1) Select GPO and Choose Edit (2) Computer Configuration (3)
Windows Settings (4) Security Settings Account Policies / Local
Policies / Event Log / Restricted Group / System Services / Registry
/ File System.
- Using Security Configuration and Analysis Tools
* (1) Open Database *.sdb (2) Import Security Template Select Type
of Workstation Settings (3) Configure or Compare (4) Right Click
and Analyze or Configure
Level 4 - Setup and Work with Remote Installation Services Also
Troubleshoot and Monitor ADSI
Remote Installation Services
- Require
* DNS, DHCP, and of course ADSI.
- RIS Image Types
* CD-ROM-based installation based on the Windows 2000 PRO source
files and unattended answer file created with the Setup Manager
located on the Windows 2000 CD-ROM
* Remote installation prepared image is a complete turnkey computer
image setup containing the OS, Apps and customized settings.
- RIS Step-by-Step
(1) Workstation PC boots and requests an IP address from a DHCP
server and make an installation request of a RIS Server
(2) DHCP assigns an IP address to the PC
(3) RIS Server checks AD to verify if client PC is pre-configured
to download an image from a specific RIS Server
(4) User logs on to appropriate RIS Server
(5) User selects from a list of approved images to install
- RIS Console on Server
* (1) Right click server computer under "Domain Controllers".
(2) Select Remote Install (3) Options * Client Support - Respond
/ Do not respond * Verify Server - Show Clients - * Advanced Settings
(New Clients / Images / Tools)
- Clients Require
* A network adapter with PXE ver .99c or later or
* A supported network adapter and remote installation startup disk.
- Create RIS Images
* Run RISSETUP to create an image (setup file) will copy all files
to server.
* Run RISPREP on a system which has a complete load, then copy image
to server.
- RIS Server Requirements
* P166, 256MB RAM, 2G disk volume, CD-ROM, and a 10 or 100MB network adapter.
- RIS Client Requirements
* P166, 32MB RAM, 800MB disk, PXE or compatible adapter card.
- RIS Deployment Limitations
* Only Delivers Windows 2000 Pro Images
* Must use compatible PCI network cards. Only certain PC Cards and
selected notebook computers with very recent BIOS revisions can
use RIS
* Can Only Image the C:\ Drive.
- Installing RIS on Server
* Check Volumes (Cannot install on C:\WINNT\SYSTEM or FAT16/32)
* Click Add/Remove Components and select Remote Installation Services.
* (1) RISSETUP will start the installation. (2) Specify location
of installation folder (cannot be on FAT16/32 or Root C:\%system%)
(3) Set up Client Support (4) Specify location of the Windows 2000
installation files. (5) Enter the folder where the Windows files will
be copied. (6) Enter Image Description and Help Text (7) A summary is
displayed and the image will be created.
- Must now authorize RIS Server
* Bring up the DHCP Server Console (1) Right click and Manage (2) Add
Computer (3) Right click and Authorize.
Deploying Computers using RIS Server
- Delegate Authority for Users to Install RIS
* (1) Create a group in the OU (2) Delegate authority to be able to
add computer accounts (3) Right Click OU (4) Select Delegate Control
(5) Add Group (6) Select Tasks the user is allowed to delegate.
(7) Create a custom task to delegate (8) Delegate control over these
objects and others (9) Set Permissions to delegate (10) Creation/deletion
of child objects (11) Select Create Computer
- Create a new computer in advance
* (1) Right click New Computer in the OU (2) Enter Name (3) Enter the
GUID: 17 zeros + MAC = 35 characters for the GUID.
- Create a boot disk for machines that don't have PXE-compliant cards.
* \\ServerName\REMINST (automatically created by default) \admin\i386\rbfg.exe
- Setup for client floppies.
* May create a disk or view the list of supported adapters. You will not
be able to add ethernet cards.
* Enter the BIOS and view the boot priority of devices; make the NETWORK
device first.
* (1) Restart Computer (2) Welcome Screen (3) Enter Username/Password/Domain
(4) CAUTION: all data will be deleted. (5) Settings: Computer Account
/ GUID / Computer Supporting
- RISPREP (riprep.exe)
* (1) Create a machine to customize (2) Locate the file on the share \reminst\admin\i386\riprep
(3) Preparation Wizard (4) Server Name (5) Folder name in the remote
installation folder (6) Friendly Description and Help Text (7) Settings
(8) Wizard will copy files and the system will restart (does not support
multiple partitions.)
- Troubleshooting
* Client PC stops at DHCP message - Make sure the RIS Server is online
and verify that a DHCP server is available.
* Client PC cannot access a RIS Server using a boot disk - Check
the list of supported PCI network cards in the boot disk generator
tool.
* Verify the configuration of the RIS Server, DHCP Server, Client Setup,
and Image configurations.
* Go to Windows 2000 Help for additional references.
Backup and Restore Active Directory
- Windows 2000 Backup Program
* NTBACKUP
* Backup System State
* Components Backed Up
- Active Directory database (NTDS.DIT), Root files, COM-classes,
Registry and the SYSVOL
* Backup Media - Disk, Network, Removable Drives, and Tape
- Restoring Active Directory
* Automatic Recovery via Replication
* Non-Authoritative Restore
Restores the entire Active Directory database
Restored objects & attributes will be overwritten
by replicas that have higher USNs!
- Authoritative Restore
Increases the Update Sequence Number (USN) for each
Property Version Number of each object by 100,000!
Ensures that all the restored objects will be replicated
to other DCs
* Creates massive network traffic
* Viewing the Update Sequence Number: (1) Right click Group (2) Properties
(3) Object (4) Original USN / Current USN
- Non-Authoritative Restores
* Restart Domain Controller
* Press the F8 key during startup to go to the Windows 2000 Advanced
Options Menu (DIRECTORY SERVICES RESTORE MODE)
* Run the Windows 2000 backup program
* Restore the System State
- Authoritative Restores, Step 2
* Run NTDSUTIL and type AUTHORITATIVE RESTORE
* Type RESTORE DATABASE
* Manually FORCE replication to update all DCs with the restored
Active Directory data!
* The ADSI Restore (Directory Services Restore Mode) password is set during the ADSI install.
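Why a plain restore gets undone while an authoritative one sticks comes down to the version numbers the notes describe: replication partners keep the copy of an attribute with the higher version, and NTDSUTIL's authoritative restore raises the version of every restored object by 100,000. The following is an added example, not from the original notes: a small Python model of that conflict rule. It simulates a backup of DC1, a bad change made on DC2 afterwards, and a restore of DC1 with and without the authoritative bump. DC names, objects and version numbers are constructed sample data, and the model compares only the property version number (real AD also breaks ties by timestamp and originating DC).

```python
"""Added example (not from the original notes): model why a
non-authoritative restore is overwritten by replication while an
authoritative restore wins.

Each replica stores {dn: {attribute: (version, value)}}. Inbound
replication keeps the copy with the higher version. NTDSUTIL's
authoritative restore raises every restored version by 100,000, the
figure the notes give. All DCs and objects below are constructed."""

AUTH_RESTORE_INCREMENT = 100_000   # increment stated in the notes


class Replica:
    """One DC's copy of the directory."""

    def __init__(self, name, objects):
        self.name = name
        # copy per-object dicts so replicas do not share state
        self.objects = {dn: dict(attrs) for dn, attrs in objects.items()}

    def write(self, dn, attr, value):
        """Originating write on this DC: bump the attribute version by one."""
        ver, _ = self.objects.setdefault(dn, {}).get(attr, (0, None))
        self.objects[dn][attr] = (ver + 1, value)

    def replicate_from(self, other):
        """Inbound replication: take the partner's value only when its
        version is strictly higher; ties keep the local copy here."""
        for dn, attrs in other.objects.items():
            mine = self.objects.setdefault(dn, {})
            for attr, (ver, val) in attrs.items():
                if ver > mine.get(attr, (0, None))[0]:
                    mine[attr] = (ver, val)


def restore_from_backup(backup, authoritative):
    """Rebuild a replica from a backup snapshot (DSRM + NTBACKUP).
    With authoritative=True, apply the NTDSUTIL version increment."""
    restored = Replica(backup.name, backup.objects)
    if authoritative:
        for attrs in restored.objects.values():
            for attr, (ver, val) in attrs.items():
                attrs[attr] = (ver + AUTH_RESTORE_INCREMENT, val)
    return restored


def scenario(authoritative):
    """Back up DC1; an admin then changes a user on DC2 by mistake and the
    change replicates; DC1 is restored from backup and replication
    resumes. Return the value (DC1, DC2) end up holding."""
    dc1 = Replica("DC1", {"cn=alice": {"title": (1, "Analyst")}})
    backup = Replica("DC1-backup", dc1.objects)        # System State backup
    dc2 = Replica("DC2", dc1.objects)                  # in sync at backup time
    dc2.write("cn=alice", "title", "WRONG")            # bad change after backup
    dc1.replicate_from(dc2)                            # bad change spreads
    dc1 = restore_from_backup(backup, authoritative)   # restore DC1
    dc1.replicate_from(dc2)                            # replication resumes
    dc2.replicate_from(dc1)
    return (dc1.objects["cn=alice"]["title"][1],
            dc2.objects["cn=alice"]["title"][1])


if __name__ == "__main__":
    print("non-authoritative:", scenario(authoritative=False))
    print("authoritative:    ", scenario(authoritative=True))
```

In the non-authoritative run DC2's later write (version 2) beats the restored version 1, so both DCs end up with the bad value; in the authoritative run the restored version 100,001 wins and the good value replicates back to DC2, which is also why the notes warn about the replication traffic that follows.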
-Default Domain Policy
* To disable inheritance of the policies above, check Block Inheritance
on the GPO menu.
-Delegate or assign users permission to change policies.
(1) Right Click OU (2) Select Delegate Control (3) Add (4) Locate
Group/Users (5) Assign Permissions.
* Delegate Control to Users or Groups
(1) Right Click OU (2) Properties (3) Select GPO (4) Properties
(5) Select Users/Groups (6) Permissions: Apply Group Policy. (7) Advanced
will allow you to make modifications to GPOs.
-Setting up an Auditing Policy (Site, Domain or OU)
(1) Open ADSI Users and Computers (2) Right Click Domain (3) Properties
(4) Select GPO Properties (5) Windows Settings / Security Settings
/ Local Policies