Windows 2000 MCSE Study System - Alan R. Carter

Windows 2000 MCSE Study System is Published by IDG books Worldwide, Inc. No part of this book, including interior design, cover design, and icons, may be reproduced or transmitted without the prior written permission of the publisher.


4701-1 FM.f.qc 4/24/00 12:28 Page i

Windows 2000 MCSE Study System

Alan R. Carter

IDG Books Worldwide, Inc.
An International Data Group Company
Foster City, CA ▼ Chicago, IL ▼ Indianapolis, IN ▼ New York, NY
Windows 2000 MCSE Study System

Published by
IDG Books Worldwide, Inc.
An International Data Group Company
919 E. Hillsdale Blvd., Suite 400
Foster City, CA 94404
www.idgbooks.com (IDG Books Worldwide Web site)

Copyright © 2000 IDG Books Worldwide, Inc. All rights reserved. No part of this book, including interior design, cover design, and icons, may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording, or otherwise) without the prior written permission of the publisher.

ISBN: 0-7645-4701-1
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
1?/SW/QW/QQ/FC

Distributed in the United States by IDG Books Worldwide, Inc.
Distributed by CDG Books Canada Inc. for Canada; by Transworld Publishers Limited in the United Kingdom; by IDG Norge Books for Norway; by IDG Sweden Books for Sweden; by IDG Books Australia Publishing Corporation Pty. Ltd. for Australia and New Zealand; by TransQuest Publishers Pte Ltd. for Singapore, Malaysia, Thailand, Indonesia, and Hong Kong; by Gotop Information Inc. for Taiwan; by ICG Muse, Inc. for Japan; by Intersoft for South Africa; by Eyrolles for France; by International Thomson Publishing for Germany, Austria, and Switzerland; by Distribuidora Cuspide for Argentina; by LR International for Brazil; by Galileo Libros for Chile; by Ediciones ZETA S.C.R. Ltda. for Peru; by WS Computer Publishing Corporation, Inc., for the Philippines; by Contemporanea de Ediciones for Venezuela; by Express Computer Distributors for the Caribbean and West Indies; by Micronesia Media Distributor, Inc. for Micronesia; by Chips Computadoras S.A. de C.V. for Mexico; by Editorial Norma de Panama S.A. for Panama; by American Bookshops for Finland.

For general information on IDG Books Worldwide’s books in the U.S., please call our Consumer Customer Service department at 800-762-2974. For reseller information, including discounts and premium sales, please call our Reseller Customer Service department at 800-434-3422.

For information on where to purchase IDG Books Worldwide’s books outside the U.S., please contact our International Sales department at 317-596-5530 or fax 317-572-4002.

For consumer information on foreign language translations, please contact our Customer Service department at 800-434-3422, fax 317-572-4002, or e-mail [email protected].

For information on licensing foreign or domestic rights, please phone +1-650-653-7098.

For sales inquiries and special prices for bulk quantities, please contact our Order Services department at 800-434-3422 or write to the address above.

For information on using IDG Books Worldwide’s books in the classroom or for ordering examination copies, please contact our Educational Sales department at 800-434-2086 or fax 317-572-4005.

For press review copies, author interviews, or other publicity information, please contact our Public Relations department at 650-653-7000 or fax 650-653-7500.

For authorization to photocopy items for corporate, personal, or educational use, please contact Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, or fax 978-750-4470.

Library of Congress Cataloging-in-Publication Data
Carter, Alan R.
Windows 2000 MCSE study system / Alan R. Carter.
p. cm.
ISBN 0-7645-4701-1 (alk. paper)
1. Electronic data processing personnel--Certification. 2. Microsoft software--Examinations--Study guides. 3. Microsoft Windows (Computer file) I. Title.
QA76.3.C35 2000
005.4'4769--dc21 00-025648
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND AUTHOR HAVE USED THEIR BEST EFFORTS IN PREPARING THIS BOOK. THE PUBLISHER AND AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. THERE ARE NO WARRANTIES WHICH EXTEND BEYOND THE DESCRIPTIONS CONTAINED IN THIS PARAGRAPH. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. THE ACCURACY AND COMPLETENESS OF THE INFORMATION PROVIDED HEREIN AND THE OPINIONS STATED HEREIN ARE NOT GUARANTEED OR WARRANTED TO PRODUCE ANY PARTICULAR RESULTS, AND THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY INDIVIDUAL. NEITHER THE PUBLISHER NOR AUTHOR SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.

Trademarks: All brand names and product names used in this book are trade names, service marks, trademarks, or registered trademarks of their respective owners. IDG Books Worldwide is not associated with any product or vendor mentioned in this book.

IDG Books Worldwide, Inc. is an independent entity from Microsoft Corporation, and not affiliated with Microsoft Corporation in any manner. This publication and CD-ROM may be used in assisting students to prepare for a Microsoft Certified Professional Exam. Neither Microsoft Corporation, its designated review company, nor IDG Books Worldwide, Inc. warrants that use of this publication and CD-ROM will ensure passing the relevant Exam. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries.

is a registered trademark or trademark under exclusive license to IDG Books Worldwide, Inc. from International Data Group, Inc. in the United States and/or other countries.

Welcome to the world of IDG Books Worldwide.


IDG Books Worldwide, Inc., is a subsidiary of International Data Group, the world’s largest publisher of computer-related information and the leading global provider of information services on information technology. IDG was founded more than 30 years ago by Patrick J. McGovern and now employs more than 9,000 people worldwide. IDG publishes more than 290 computer publications in over 75 countries. More than 90 million people read one or more IDG publications each month.

Launched in 1990, IDG Books Worldwide is today the #1 publisher of best-selling computer books in the United States. We are proud to have received eight awards from the Computer Press Association in recognition of editorial excellence and three from Computer Currents’ First Annual Readers’ Choice Awards. Our best-selling ...For Dummies® series has more than 50 million copies in print with translations in 31 languages. IDG Books Worldwide, through a joint venture with IDG’s Hi-Tech Beijing, became the first U.S. publisher to publish a computer book in the People’s Republic of China. In record time, IDG Books Worldwide has become the first choice for millions of readers around the world who want to learn how to better manage their businesses.

Our mission is simple: Every one of our books is designed to bring extra value and skill-building instructions to the reader. Our books are written by experts who understand and care about our readers. The knowledge base of our editorial staff comes from years of experience in publishing, education, and journalism — experience we use to produce books to carry us into the new millennium. In short, we care about books, so we attract the best people. We devote special attention to details such as audience, interior design, use of icons, and illustrations. And because we use an efficient process of authoring, editing, and desktop publishing our books electronically, we can spend more time ensuring superior content and less time on the technicalities of making books.

You can count on our commitment to deliver high-quality books at competitive prices on topics you want to read about. At IDG Books Worldwide, we continue in the IDG tradition of delivering quality for more than 30 years. You’ll find no better book on a subject than one from IDG Books Worldwide.

John Kilcullen
Chairman and CEO
IDG Books Worldwide, Inc.

Computer Press Awards: Eighth Annual (1992), Ninth Annual (1993), Tenth Annual (1994), Eleventh Annual (1995)

IDG is the world’s leading IT media, research and exposition company. Founded in 1964, IDG had 1997 revenues of $2.05 billion and has more than 9,000 employees worldwide. IDG offers the widest range of media options that reach IT buyers in 75 countries representing 95% of worldwide IT spending. IDG’s diverse product and services portfolio spans six key areas including print publishing, online publishing, expositions and conferences, market research, education and training, and global marketing services. More than 90 million people read one or more of IDG’s 290 magazines and newspapers, including IDG’s leading global brands — Computerworld, PC World, Network World, Macworld and the Channel World family of publications. IDG Books Worldwide is one of the fastest-growing computer book publishers in the world, with more than 700 titles in 36 languages. The “...For Dummies®” series alone has more than 50 million copies in print. IDG offers online users the largest network of technology-specific Web sites around the world through IDG.net (http://www.idg.net), which comprises more than 225 targeted Web sites in 55 countries worldwide. International Data Corporation (IDC) is the world’s largest provider of information technology data, analysis and consulting, with research centers in over 41 countries and more than 400 research analysts worldwide. IDG World Expo is a leading producer of more than 168 globally branded conferences and expositions in 35 countries including E3 (Electronic Entertainment Expo), Macworld Expo, ComNet, Windows World Expo, ICE (Internet Commerce Expo), Agenda, DEMO, and Spotlight. IDG’s training subsidiary, ExecuTrain, is the world’s largest computer training company, with more than 230 locations worldwide and 785 training courses. IDG Marketing Services helps industry-leading IT companies build international brand recognition by developing global integrated marketing programs via IDG’s print, online and exposition products worldwide. Further information about the company can be found at www.idg.com. 1/26/00

CREDITS

Acquisitions Editors
Joyce Pepple
Jennifer Humphreyville Fusilero

Project Editors
Brian MacDonald
Linda Turnowski

Technical Editor
Donald E. Dillenburg, MCSE, CNE, CNX, CCNA, CCNP

Copy Editor
Ami Knox

Media Development Specialist
Joe Kiempisty

Permissions Editor
Leonora Chin Sell

Media Development Manager
Stephen Noetzel

Project Coordinators
Linda Marousek
Danette Nurse
Louigene A. Santos

Graphics & Production Specialists
Robert Bihlmayer
Jude Levinson
Michael Lewis
Victor Pérez-Varela
Dina F Quan
Ramses Ramirez

Book Designer
Kurt Krames

Illustrators
Mary Jo Richards
Gabriele McCann
Karl Brandt

Proofreading and Indexing
York Production Services

Cover Design
?????


ABOUT THE AUTHOR


Alan R. Carter is an MCSE + Internet (Microsoft Certified Systems Engineer + Internet) and a Microsoft Certified Trainer. He has been teaching Microsoft Official Curriculum, Novell courses, and custom courses throughout the United States for over ten years. Alan has also installed and supported complex networks while working on staff for national and regional value-added resellers. Alan holds a Bachelor of Science degree in Computer Information Science from Troy State University. In addition to his Microsoft certifications, Alan is also an i-Net+ Certified Professional, a Certified Network Professional, a Certified Technical Trainer, a Novell Master CNE, and a Certified Novell Instructor. Alan is the author of the following books published by IDG Books Worldwide, Inc.: Windows NT 4.0 MCSE Study Guide, Windows NT Workstation 4.0 MCSE Study System, Windows NT Server 4.0 MCSE Study System, and Windows NT Server 4.0 in the Enterprise MCSE Study System.


This book is dedicated to my readers, who make it possible for me to do the work I love.

ACKNOWLEDGMENTS
I never tire of thanking the many people who make it possible for me to be an author. More people than I can count play a part in the writing process that starts when I turn on my computer and ends with this nice, hefty book in your hands.

First of all, I owe a huge debt of gratitude to my lovely wife Pat for the thousands of hours you spent working with me on this project. I don’t know how to thank you enough.

Thanks to everyone at IDG Books Worldwide, Inc., including Judy Brief, Acquisitions Manager; Joyce Pepple, Acquisitions Editor; Jennifer Humphreville Fusilero, Associate Acquisitions Editor; Brian MacDonald and Linda Turnowski, Project Editors; and Ami Knox, Copy Editor. Special thanks to Catalin Dulfu and Kurt Krames for the awesome design — you did a fantastic job! Thanks also to the unsung heroes in the marketing, public relations, sales, and production departments. Finally, many thanks to Michelle Baxter, Publishing Manager; and to Richard Swadley, Senior Vice President, Technical Publishing.

A very hearty thank you to Don Dillenburg, MCSE, CNE, ASE, for the many painstaking hours you spent reviewing this book technically. I’d also like to sincerely thank Curt Simmons, MCSE, MCT, and Steve Cline for their hard work and valuable contributions that made it possible to get this book out on time. I owe you guys.

And last but not least, thanks to my family and friends for their tremendous support during this project.

CONTENTS AT A GLANCE
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Part I  Introduction to Windows 2000 . . . . . . . . . . . . . . 2


Chapter 1 Overview of Windows 2000 . . . . . . . . . . . . . . . . . . . . 5
Chapter 2 Overview of Active Directory . . . . . . . . . . . . . . . . . . . 43

Part II  Installation and Configuration . . . . . . . . . . . . 84


Chapter 3 Installing Windows 2000 . . . . . . . . . . . . . . . . . . . . . 87
Chapter 4 Upgrading to Windows 2000 . . . . . . . . . . . . . . . . . . 143
Chapter 5 Using Control Panel . . . . . . . . . . . . . . . . . . . . . . . 179
Chapter 6 Working with File Systems and Disks. . . . . . . . . . . . . 327
Chapter 7 Installing and Configuring DNS and Active Directory . . . 415

Part III  Managing and Securing Resources . . . . . . . . 506


Chapter 8 Administering and Securing Active Directory . . . . . . . . 509
Chapter 9 Managing Users and Groups . . . . . . . . . . . . . . . . . . 551
Chapter 10 Using System Policy and Group Policy . . . . . . . . . . . . 657
Chapter 11 Sharing, Securing, and Accessing Files and Folders . . . 729
Chapter 12 Managing Printing . . . . . . . . . . . . . . . . . . . . . . . . 805
Chapter 13 Auditing and Security . . . . . . . . . . . . . . . . . . . . . . 861
Chapter 14 Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . 909

Part IV  Networking and Interoperability . . . . . . . . . . 956


Chapter 15 Creating and Configuring Network and Dial-up Connections . . . . . . . . . . 959
Chapter 16 Networking with TCP/IP . . . . . . . . . . . . . . . . . . . . 1033
Chapter 17 Managing Remote Access . . . . . . . . . . . . . . . . . . . 1149
Chapter 18 Managing Web and Certificate Services . . . . . . . . . . 1207
Chapter 19 Deploying Windows 2000 on Your Network . . . . . . . . 1263
Chapter 20 Managing Terminal Services . . . . . . . . . . . . . . . . . 1319


Part V  Monitoring, Optimizing, and Troubleshooting . 1362


Chapter 21 Monitoring, Optimizing, and Troubleshooting Performance . . . . . . . . . 1365
Chapter 22 Managing, Optimizing, and Troubleshooting Active Directory Performance . . . . . . 1413

Part VI  Resources . . . . . . . . . . . . . . . . . . . . . . . 1461


Appendix A Windows 2000 MCSE Core Exam Objectives . . . . . . . 1463
Appendix B What You Need to Know to Prepare for the Exams . . . 1487
Appendix C What’s on the CD-ROM . . . . . . . . . . . . . . . . . . . . 1493

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1499
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1500

CONTENTS
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Part I  Introduction to Windows 2000 . . . . . . . . . . . . . . 2


Chapter 1 Overview of Windows 2000 . . . . . . . . . . . . . . . . . . . . . . 5
Windows 2000 Operating Systems . . . . . . . . . . . . . . . . . . . . . . 7
New Common Features . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Windows 2000 Professional . . . . . . . . . . . . . . . . . . . . . . . . . 9
Windows 2000 Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Windows 2000 Advanced Server . . . . . . . . . . . . . . . . . . . . . 13
Windows 2000 Datacenter Server . . . . . . . . . . . . . . . . . . . . 14
Windows 2000 User Interface . . . . . . . . . . . . . . . . . . . . . . . . . 15
The Windows 2000 Desktop . . . . . . . . . . . . . . . . . . . . . . . 16
Close, Minimize, and Maximize Buttons . . . . . . . . . . . . . . . . . . 20
Windows Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Understanding Application Environments . . . . . . . . . . . . . . . . . . . 21
MS-DOS Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Win16 Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Win32 Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
POSIX Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
OS/2 Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Hardware Platforms Supported . . . . . . . . . . . . . . . . . . . . . . 25
Summary of Supported Applications . . . . . . . . . . . . . . . . . . . 26
Architecture of Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . 26
User Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Kernel Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Windows 2000 Memory Model . . . . . . . . . . . . . . . . . . . . . . 30
Workgroups, Domains, and Active Directory . . . . . . . . . . . . . . . . . 31
Workgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . . 40
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Chapter 2 Overview of Active Directory . . . . . . . . . . . . . . . . . . . . . 43
What Is Active Directory? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Understanding the Features of Active Directory . . . . . . . . . . . . . . . 46
Fully Integrated Security . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Ease of Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Ease of Locating Resources . . . . . . . . . . . . . . . . . . . . . . . . 47
Scalability to Any Size Network . . . . . . . . . . . . . . . . . . . . . . 47
Flexibility and Extensibility . . . . . . . . . . . . . . . . . . . . . . . . . 48
Understanding the Structure of Active Directory . . . . . . . . . . . . . . . 48
Objects and Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Global Catalog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Hierarchical Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Forests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Names and Naming Conventions . . . . . . . . . . . . . . . . . . . . . 58
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Understanding How Active Directory Is Implemented . . . . . . . . . . . . 60
Installing Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Global Catalog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Flexible Single Master Operations . . . . . . . . . . . . . . . . . . . . . 64
The Domain Name System . . . . . . . . . . . . . . . . . . . . . . . . . 68
Using Clients with Active Directory . . . . . . . . . . . . . . . . . . . . 69
Planning for Active Directory on Your Network . . . . . . . . . . . . . . . . 71
Planning a Domain Design . . . . . . . . . . . . . . . . . . . . . . . . . 71
Planning Naming Conventions . . . . . . . . . . . . . . . . . . . . . . . 73
Planning for Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . . 82
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Part II  Installation and Configuration . . . . . . . . . . . . 84


Chapter 3 Installing Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . 87
Hardware Requirements for Installation . . . . . . . . . . . . . . . . . . . . 89
Minimum Hardware Requirements . . . . . . . . . . . . . . . . . . . . . 89
Maximum Hardware Limitations . . . . . . . . . . . . . . . . . . . . . . 90
Getting Ready to Install Windows 2000 . . . . . . . . . . . . . . . . . . . 91
Source File Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Third-party SCSI or RAID Drivers . . . . . . . . . . . . . . . . . . . . . 92
Hard Disk Partition Information . . . . . . . . . . . . . . . . . . . . . . . 92
File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Installation Folder/Dual Boot . . . . . . . . . . . . . . . . . . . . . . . . 94
Regional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Product Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Licensing Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Computer Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Administrator Password . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Typical or Custom Networking Settings . . . . . . . . . . . . . . . . . 101
Workgroup/Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
The Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Starting Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Setup Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Installing Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . 111
Uninstalling Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . 120
Removing Windows 2000 from a FAT or FAT32 Partition . . . . . . . 120
Removing Windows 2000 from an NTFS Partition . . . . . . . . . . . 121
Troubleshooting Common Installation Problems . . . . . . . . . . . . . . 123
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Using a Separate, Dedicated Hard Disk . . . . . . . . . . . . . . . . . 130
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . . 139
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Chapter 4 Upgrading to Windows 2000 . . . . . . . . . . . . . . . . . . . . 143
Preparing to Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Questions to Ask Yourself . . . . . . . . . . . . . . . . . . . . . . . . . 145
Installing the Directory Service Client . . . . . . . . . . . . . . . . . . 148
Preparing a Computer to Meet Upgrade Requirements . . . . . . . . 149
Special Considerations for Existing Windows NT 4.0 Networks . . . 153
Upgrading to Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . 155
Upgrading to Windows 2000 Professional . . . . . . . . . . . . . . . 155
Upgrading to Windows 2000 Server . . . . . . . . . . . . . . . . . . 160
Recommended Order to Upgrade Computers . . . . . . . . . . . . . 162
Upgrading a Windows NT 4.0 Domain Structure . . . . . . . . . . . . . . 163
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . . 173
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Chapter 5 Using Control Panel . . . . . . . . . . . . . . . . . . . . . . . . . 179
Overview of Control Panel . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Accessibility Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Configuring Accessibility Options . . . . . . . . . . . . . . . . . . . . 184
Troubleshooting Accessibility Options . . . . . . . . . . . . . . . . . . 186
Add/Remove Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Adding Plug and Play Devices . . . . . . . . . . . . . . . . . . . . . . 188
Adding Non–Plug and Play Hardware Devices . . . . . . . . . . . . . 189
Removing Hardware Devices . . . . . . . . . . . . . . . . . . . . . . . 193
Using Add/Remove Hardware to Troubleshoot Devices . . . . . . . . 197
Add/Remove Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Adding a Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Removing a Program . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Adding or Removing Optional Windows 2000 Components . . . . . 200
Administrative Tools Folder . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Date/Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Configuring a Display Background . . . . . . . . . . . . . . . . . . . . 203
Working with Screen Savers . . . . . . . . . . . . . . . . . . . . . . . 205
Configuring Energy Saving Features . . . . . . . . . . . . . . . . . . . 207
Configuring an Appearance Scheme . . . . . . . . . . . . . . . . . . 207
Displaying a Web Page on Your Desktop . . . . . . . . . . . . . . . . 208
Configuring Desktop Effects . . . . . . . . . . . . . . . . . . . . . . . 209
Configuring Display Settings and Multiple-Display Support . . . . . . 209
Troubleshooting Desktop Settings and Video Adapters . . . . . . . . 213
Fax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
The Fax Service Management Console . . . . . . . . . . . . . . . . . 215
Troubleshooting Fax Problems . . . . . . . . . . . . . . . . . . . . . . 218
Folder Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Making Configurations on the General, View, and File Types Tabs . . 220
Configuring and Troubleshooting Offline Files . . . . . . . . . . . . . 221
Fonts Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Game Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Internet Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Keyboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Mouse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Network and Dial-Up Connections Folder . . . . . . . . . . . . . . . . . . 236
Phone and Modem Options . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Power Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Configuring Power Schemes, Advanced Options, and Hibernation . 238
Configuring Advanced Power Management (APM) . . . . . . . . . . 239
Configuring a UPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Printers Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Regional Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Configuring Local Settings . . . . . . . . . . . . . . . . . . . . . . . . 247
Adding Support for Your Language and Location . . . . . . . . . . . 248
Configuring Support for Multiple Languages and Locations . . . . . 249
Scanners and Cameras . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Adding, Removing, and Configuring Scanners and Cameras . . . . . 252
Troubleshooting Scanners and Cameras . . . . . . . . . . . . . . . . 254
Scheduled Tasks Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Configuring and Managing a Task . . . . . . . . . . . . . . . . . . . . 256
Troubleshooting Scheduled Tasks . . . . . . . . . . . . . . . . . . . . 259
Sounds and Multimedia . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Changing Network Identification . . . . . . . . . . . . . . . . . . . . . 262
Managing System Hardware . . . . . . . . . . . . . . . . . . . . . . . 265
Working with User Profiles . . . . . . . . . . . . . . . . . . . . . . . . 283
Configuring Advanced System and Environment Settings . . . . . . 284
Users and Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Wireless Link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Troubleshooting Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Troubleshooting Common Hardware Problems . . . . . . . . . . . . . 295
Recommended Hardware Troubleshooting Tools . . . . . . . . . . . 296
Using System Information . . . . . . . . . . . . . . . . . . . . . . . . . 297
Hardware Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . 301
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . . 322
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Chapter 6 Working with File Systems and Disks . . . . . . . . . . . . . . 327
Working with File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 329
FAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
FAT32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
NTFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Which File System Should I Use? . . . . . . . . . . . . . . . . . . . . 336
CDFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
UDF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
HPFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Converting from FAT or FAT32 to NTFS . . . . . . . . . . . . . . . . . 337
Understanding Disks and Volumes . . . . . . . . . . . . . . . . . . . . . . 339
Disk Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Partition Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Volume Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Using Disk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Creating and Formatting Partitions . . . . . . . . . . . . . . . . . . . . 352
Upgrading a Disk from Basic to Dynamic . . . . . . . . . . . . . . . . 358
Reverting from a Dynamic Disk to a Basic Disk . . . . . . . . . . . . 362
Creating a Simple Volume . . . . . . . . . . . . . . . . . . . . . . . . 363
Creating a Spanned Volume . . . . . . . . . . . . . . . . . . . . . . . 367
Creating a Striped Volume . . . . . . . . . . . . . . . . . . . . . . . . 370
Creating a Mirrored Volume . . . . . . . . . . . . . . . . . . . . . . . . 373
Creating a RAID-5 Volume . . . . . . . . . . . . . . . . . . . . . . . . 384
Using Disk Defragmenter . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Using Logical Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Troubleshooting Disks and Volumes . . . . . . . . . . . . . . . . . . . . . 392
Recovering from Disk Failure . . . . . . . . . . . . . . . . . . . . . . . . . 397
Recovering a Simple Volume . . . . . . . . . . . . . . . . . . . . . . . 398
Recovering a Spanned Volume . . . . . . . . . . . . . . . . . . . . . . 399
Recovering a Striped Volume . . . . . . . . . . . . . . . . . . . . . . . 400
Recovering a Mirrored Volume . . . . . . . . . . . . . . . . . . . . . . 401
Recovering a RAID-5 Volume . . . . . . . . . . . . . . . . . . . . . . . 403
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Troubleshooting Disks and Volumes . . . . . . . . . . . . . . . . . . . 407
Recovering from Disk Failure . . . . . . . . . . . . . . . . . . . . . . . 408
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . . 411
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Chapter 7 Installing and Configuring DNS and Active Directory . . . . . 415
What Is DNS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
What Does DNS Have to Do with Active Directory? . . . . . . . . . . 417
DNS Domain Names and Naming Conventions . . . . . . . . . . . . 418
How Host Name Resolution Works Using DNS . . . . . . . . . . . . 419
Zones and DNS Server Roles . . . . . . . . . . . . . . . . . . . . . . 421
Installing, Configuring, Managing, and Troubleshooting DNS . . . . . . . 424
Installing the DNS Server Service . . . . . . . . . . . . . . . . . . . . 424
Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Configuring Clients to Use a DNS Server . . . . . . . . . . . . . . . 462
Installing DNS for Active Directory . . . . . . . . . . . . . . . . . . . . 463
Testing, Monitoring, and Troubleshooting DNS . . . . . . . . . . . . . 463
Installing Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Installing Active Directory for the First Time . . . . . . . . . . . . . . . 472
Installing Active Directory on Additional Servers in a Domain . . . . . 476
Creating a New Child Domain . . . . . . . . . . . . . . . . . . . . . . 478
Creating a New Tree in the Forest . . . . . . . . . . . . . . . . . . . . 480
Creating a New Forest . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Removing Active Directory . . . . . . . . . . . . . . . . . . . . . . . . 483
Verifying and Troubleshooting an Active Directory Installation . . . . 484
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . . 502
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Part III Managing and Securing Resources . . . . . . . . 506
Chapter 8 Administering and Securing Active Directory. . . . . . . . . . 509
Implementing an Organizational Unit (OU) Structure . . . . . . . . . . . 511
Creating OUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Configuring OU Properties . . . . . . . . . . . . . . . . . . . . . . . . 515
Managing Active Directory Objects . . . . . . . . . . . . . . . . . . . . . 516
Locating Objects in Active Directory . . . . . . . . . . . . . . . . . . 516
Publishing Resources in Active Directory . . . . . . . . . . . . . . . . 524
Moving Objects in Active Directory . . . . . . . . . . . . . . . . . . . 526
Controlling Access to Active Directory Objects . . . . . . . . . . . . 528
Delegating Administration of Active Directory Objects . . . . . . . . . . . . . . . . . . . . 536
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . 548
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Chapter 9 Managing Users and Groups. . . . . . . . . . . . . . . . . . . . 551
Creating and Managing User Accounts . . . . . . . . . . . . . . . . . . . 553
Understanding User Authentication . . . . . . . . . . . . . . . . . . . 553
Built-in User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Creating User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Configuring and Managing User Account Properties . . . . . . . . . 564
Copying User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Renaming and Deleting User Accounts . . . . . . . . . . . . . . . . . 580
Managing User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Managing Account Policies . . . . . . . . . . . . . . . . . . . . . . . . 596
Managing User Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Troubleshooting User Accounts, User Rights, Account Policies, and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Creating and Managing Group Accounts . . . . . . . . . . . . . . . . . . 614
Groups on the Local Computer . . . . . . . . . . . . . . . . . . . . . 614
Groups in Active Directory . . . . . . . . . . . . . . . . . . . . . . . . 620
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . . 650
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
Chapter 10 Using System Policy and Group Policy . . . . . . . . . . . . . 657
Overview of Policies in Windows 2000 . . . . . . . . . . . . . . . . . . . 659
Managing System Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
User System Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Group System Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
Computer System Policy . . . . . . . . . . . . . . . . . . . . . . . . . 662
How System Policy Is Applied . . . . . . . . . . . . . . . . . . . . . . 664
Creating a System Policy File . . . . . . . . . . . . . . . . . . . . . . 665
Using System Policy Editor to Manage the Local Windows 2000 Computer . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Troubleshooting System Policy . . . . . . . . . . . . . . . . . . . . . . 667
Managing Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
How Group Policy Is Applied . . . . . . . . . . . . . . . . . . . . . . . 670
Managing Local Group Policy . . . . . . . . . . . . . . . . . . . . . . 672
Creating Group Policy Objects in Active Directory . . . . . . . . . . . 674
Configuring and Modifying Group Policy Objects . . . . . . . . . . . 676
Linking an Existing Group Policy Object . . . . . . . . . . . . . . . . 683
Modifying the Order in Which Group Policy Is Applied . . . . . . . . 685
Configuring Group Policy Settings to Manage User Environments . . 686
Configuring Group Policy Settings to Manage Scripts . . . . . . . . 691
Configuring Group Policy Settings to Manage Security . . . . . . . . 694
Configuring Group Policy Settings to Redirect Folders . . . . . . . . 697
Configuring Group Policy Settings to Manage Software Deployment 700
Troubleshooting Group Policy . . . . . . . . . . . . . . . . . . . . . . 710
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . . 724
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . 725
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
Chapter 11 Sharing, Securing, and Accessing Files and Folders . . . . 729
Managing File and Folder Attributes . . . . . . . . . . . . . . . . . . . . . 731
Windows 2000 File and Folder Attributes . . . . . . . . . . . . . . . . 731
Assigning Attributes to Files or Folders . . . . . . . . . . . . . . . . . 733
Managing Shared Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
Sharing a Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Connecting to Shared Folders . . . . . . . . . . . . . . . . . . . . . . 740
Shared Folder Permissions . . . . . . . . . . . . . . . . . . . . . . . . 743
How User and Group Permissions Combine . . . . . . . . . . . . . . 746
Modifying a Share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
Administrative Shares . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
Configuring and Managing the Distributed File System . . . . . . . . . . 753
Creating and Configuring a Dfs Root . . . . . . . . . . . . . . . . . . 754
Creating and Configuring a Domain Dfs Root Replica . . . . . . . . . 756
Creating and Configuring a Dfs Link and a Dfs Link Replica . . . . . 759
Configuring Client Computers to Use Dfs . . . . . . . . . . . . . . . 763
Managing NTFS File and Folder Security . . . . . . . . . . . . . . . . . . 763
NTFS Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
Assigning NTFS Permissions to Files and Folders . . . . . . . . . . . 765
How User and Group NTFS Permissions Combine . . . . . . . . . . 772
How NTFS Permissions Are Applied to New, Moved, and Copied Files and Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
How NTFS and Share Permissions Interact . . . . . . . . . . . . . . . 774
Taking Ownership of Files and Folders . . . . . . . . . . . . . . . . . . . 775
Configuring and Monitoring Disk Quotas . . . . . . . . . . . . . . . . . . 778
Optimizing Access to Files and Folders . . . . . . . . . . . . . . . . . . . 782
Troubleshooting Common Resource Access and Permission Problems . 785
Problem 1: A User Can’t Access Files in a Shared Folder . . . . . . 785
Problem 2: A New Group Member Can’t Access a Share That Other Group Members Can Access . . . . . . . . . . . . . . . . . . . . . 785
Problem 3: A User Is Unable to Access a File After It Has Been Moved . . . . . . . . . . . . . . . . . . . . . . . . . 785
Problem 4: Users Report Slow Server Response When They Access a Shared Folder That Was Recently Compressed . . . . . 786
Problem 5: Users Report That Their Files Are No Longer Encrypted After You Compress an NTFS Volume . . . . . . . . . . . . . . . . 786
Problem 6: A User Reports That He Can’t Locate a File That He Saved to a Domain Dfs Root Yesterday . . . . . . . . . . . . . 786
Problem 7: Users Report That They Are Unable to Connect to a Stand-alone Dfs Root . . . . . . . . . . . . . . . . . . . . . . . . . 786
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . . 801
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802
Chapter 12 Managing Printing . . . . . . . . . . . . . . . . . . . . . . . . . 805
Printing Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Windows 2000 Printing Overview . . . . . . . . . . . . . . . . . . . . . . 807
The Print Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Using EMFs in Network Printing . . . . . . . . . . . . . . . . . . . . . 810
Adding and Connecting to Printers . . . . . . . . . . . . . . . . . . . . . 810
Adding Local Plug and Play Printers . . . . . . . . . . . . . . . . . . . 811
Adding Other Local Printers . . . . . . . . . . . . . . . . . . . . . . . 814
Adding a Printer on a Remote Computer . . . . . . . . . . . . . . . . 820
Connecting to Shared Network Printers . . . . . . . . . . . . . . . . 820
Connecting to Internet Printers . . . . . . . . . . . . . . . . . . . . . . 823
Sharing a Printer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 826
Configuring Printer Properties . . . . . . . . . . . . . . . . . . . . . . . . 829
Configuring Printer Pools . . . . . . . . . . . . . . . . . . . . . . . . . 830
Scheduling Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832
Setting Printer Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . 833
Assigning a Separator Page . . . . . . . . . . . . . . . . . . . . . . . 835
Configuring Printer Permissions . . . . . . . . . . . . . . . . . . . . . 836
Assigning Forms to Paper Trays . . . . . . . . . . . . . . . . . . . . . 839
Configuring Print Server Properties . . . . . . . . . . . . . . . . . . . . . 840
Creating Forms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Managing Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842
Managing Printer Drivers . . . . . . . . . . . . . . . . . . . . . . . . . 844
Changing the Location of the Spool Folder . . . . . . . . . . . . . . . 845
Managing Print Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 846
Using the Printers Folder to Manage Print Jobs . . . . . . . . . . . . 846
Using Internet Explorer to Manage Print Jobs . . . . . . . . . . . . . . 847
Redirecting Print Jobs to Another Print Device . . . . . . . . . . . . . 849
Troubleshooting Common Printing Problems . . . . . . . . . . . . . . . . 850
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 855
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . . 858
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . 859
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
Chapter 13 Auditing and Security . . . . . . . . . . . . . . . . . . . . . . . 861
Managing Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
Enabling and Configuring System Access Auditing . . . . . . . . . . 863
Enabling and Configuring Object Access Auditing . . . . . . . . . . 868
Monitoring and Analyzing Security Events . . . . . . . . . . . . . . . . . . 876
Using Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
Creating a Security Template . . . . . . . . . . . . . . . . . . . . . . . 882
Implementing a Security Template . . . . . . . . . . . . . . . . . . . . 885
Using Security Configuration and Analysis . . . . . . . . . . . . . . . . . 887
Creating and Opening a Database . . . . . . . . . . . . . . . . . . . 888
Analyzing a Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . 888
Configuring a Computer . . . . . . . . . . . . . . . . . . . . . . . . . 890
Using the Command-Line Version of Security Configuration and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 891
Troubleshooting Auditing and Security . . . . . . . . . . . . . . . . . . . 892
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 895
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 897
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 898
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . 904
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . 905
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906
Chapter 14 Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . 909
Managing and Optimizing the Availability of User Data and System State Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
Backing Up User Data and System State Data . . . . . . . . . . . . . . . 912
What to Back Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 912
Backup Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
Backup Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 914
Using Backup to Perform a Backup . . . . . . . . . . . . . . . . . . . 917
Scheduling Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
Using Backup to Create an Emergency Repair Disk . . . . . . . . . . 924
Recovering User Data and System State Data . . . . . . . . . . . . . . . 925
Using Backup to Restore User Data . . . . . . . . . . . . . . . . . . . 926
Using Backup to Restore System State Data . . . . . . . . . . . . . . 927
Recovering from a System Failure . . . . . . . . . . . . . . . . . . . . . . 933
Using Safe Mode to Troubleshoot and Restore a System . . . . . . . 933
Using the Recovery Console to Restore a System . . . . . . . . . . . 935
Using the Emergency Repair Disk to Restore a System . . . . . . . . 938
Monitoring and Configuring Removable Media . . . . . . . . . . . . . . . 939
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 945
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 946
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . . 951
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 951
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . 952
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 953

Part IV  Networking and Interoperability . . . . . . . . . . 956


Chapter 15 Creating and Configuring Network and Dial-up Connections . . . . . . . . . . . . . . . . . . . . . . . . 959
Creating Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 961
Creating New Connections by Installing Network Adapters . . . . . 962
Installing and Configuring Modems . . . . . . . . . . . . . . . . . . . 962
Creating a Dial-up Connection to the Internet . . . . . . . . . . . . . 965
Creating a Dial-up Connection to a Remote Access Server . . . . . 968
Creating a Connection to Another Computer . . . . . . . . . . . . . . 969
Creating a VPN Connection . . . . . . . . . . . . . . . . . . . . . . . 972
Configuring Connection Properties . . . . . . . . . . . . . . . . . . . . . 974
Configuring Modem Properties . . . . . . . . . . . . . . . . . . . . . . 974
Configuring Internet Connection Sharing . . . . . . . . . . . . . . . . 980
Installing, Configuring, and Troubleshooting Protocols . . . . . . . . 984
Installing and Configuring Network Clients and Services for Interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988
Configuring Other Connection Properties . . . . . . . . . . . . . . . 1012
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . 1018
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1020
Lab Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . 1027
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1027
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . 1028
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
Chapter 16 Networking with TCP/IP . . . . . . . . . . . . . . . . . . . . . 1033
Overview of TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035
IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035
Subnet Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
Default Gateway Addresses . . . . . . . . . . . . . . . . . . . . . . 1039
DNS Server Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 1040
Configuring TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1040
Manually Configuring TCP/IP . . . . . . . . . . . . . . . . . . . . . . 1040
Configuring TCP/IP by Using a DHCP Server . . . . . . . . . . . . 1042
Troubleshooting TCP/IP Configuration Problems . . . . . . . . . . 1044
Installing and Configuring a DHCP Server . . . . . . . . . . . . . . . . 1046
Installing the DHCP Service . . . . . . . . . . . . . . . . . . . . . . 1047
Authorizing a DHCP Server in Active Directory . . . . . . . . . . . . 1047
Configuring DHCP for DNS Integration . . . . . . . . . . . . . . . . 1048
DHCP Scopes, Superscopes, and Multicast Scopes . . . . . . . . 1050
Monitoring a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . 1059
Troubleshooting DHCP . . . . . . . . . . . . . . . . . . . . . . . . . 1061
NetBIOS Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . 1062
Using Lmhosts Files to Resolve NetBIOS Names . . . . . . . . . . 1063
Using a WINS Server to Resolve NetBIOS Names . . . . . . . . . 1064
Configuring NetBIOS Name Resolution Options on Client Computers . . . . . . . . . . . . . . . . . . . . . . . . . . 1072
Routing TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1074
Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1075
Configuring a Router . . . . . . . . . . . . . . . . . . . . . . . . . . . 1078
Managing Ports, Interfaces, and Demand-Dial Routing . . . . . . . 1082
Dynamic Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1086
Monitoring TCP/IP Routing . . . . . . . . . . . . . . . . . . . . . . . 1109
Troubleshooting TCP/IP Routing . . . . . . . . . . . . . . . . . . . . 1111
Configuring TCP/IP Packet Filters . . . . . . . . . . . . . . . . . . . . . 1112
Configuring and Troubleshooting IPSec . . . . . . . . . . . . . . . . . . 1115
Enabling IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1116
Creating and Customizing IPSec Policies . . . . . . . . . . . . . . . 1118
Monitoring IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1124
Troubleshooting IPSec . . . . . . . . . . . . . . . . . . . . . . . . . 1126
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . 1129
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1131
Lab Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1133
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . 1145
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1145
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . 1146
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1147
Chapter 17 Managing Remote Access . . . . . . . . . . . . . . . . . . . . 1149
Overview of Remote Access . . . . . . . . . . . . . . . . . . . . . . . . 1151
Remote Access Connection Types . . . . . . . . . . . . . . . . . . . 1152
Connection Protocols Supported by Remote Access . . . . . . . . 1153
Transport Protocols Supported by Remote Access . . . . . . . . . 1154
Enabling and Configuring Remote Access . . . . . . . . . . . . . . . . 1155
Configuring the Properties of the Remote Access Server . . . . . . 1158
Adding and Configuring Inbound Connection Ports . . . . . . . . . 1168
Using Remote Access Policies to Control Access . . . . . . . . . . . . 1171
Specifying Conditions for a Remote Access Policy . . . . . . . . . . 1174
Configuring Remote Access Permission Options . . . . . . . . . . . 1175
Configuring a Profile for a Remote Access Policy . . . . . . . . . . 1179
How Remote Access Policies Are Applied . . . . . . . . . . . . . . 1186
Monitoring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . 1189
Troubleshooting Remote Access . . . . . . . . . . . . . . . . . . . . . . 1192
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . 1196
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1198
Lab Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1199
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . 1203
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1203
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . 1204
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205
Chapter 18 Managing Web and Certificate Services . . . . . . . . . . . 1207
Managing Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . 1209
Installing IIS Components . . . . . . . . . . . . . . . . . . . . . . . . 1210
Configuring a Web Site . . . . . . . . . . . . . . . . . . . . . . . . . 1211
Using Personal Web Manager . . . . . . . . . . . . . . . . . . . . . 1216
Publishing Web Content . . . . . . . . . . . . . . . . . . . . . . . . 1217
Managing Web Server Security . . . . . . . . . . . . . . . . . . . . . 1223
Monitoring Access to Files and Folders in Web Sites . . . . . . . . 1229
Troubleshooting Web Services . . . . . . . . . . . . . . . . . . . . . 1230
Using the Indexing Service . . . . . . . . . . . . . . . . . . . . . . . . . 1231
Managing Certificate Services . . . . . . . . . . . . . . . . . . . . . . . 1234
Installing and Configuring Certificate Services . . . . . . . . . . . . 1236
Creating and Issuing Certificates . . . . . . . . . . . . . . . . . . . . 1238
Revoking Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . 1242
Managing Encrypting File System (EFS) Recovery Agents . . . . . 1243
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . 1250
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1252
Lab Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1253
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . 1259
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1259
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . 1260
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1261
Chapter 19 Deploying Windows 2000 on Your Network . . . . . . . . . 1263
Overview of Windows 2000 Deployment . . . . . . . . . . . . . . . . . 1265
Using Setup Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1265
Creating an Answer File by Using Setup Manager . . . . . . . . . . 1266
Using an Answer File to Perform an Unattended Installation . . . . 1271
Using Sysprep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1272
Installing Windows 2000 and Applications on the Master Computer . . . . . . . . . . . . . . . . . . . . . . . . . . 1273
Using Sysprep to Prepare the Master Computer for Duplication . . 1274
Duplicating the Master Computer’s Hard Disk . . . . . . . . . . . . 1278
Using Remote Installation Services (RIS) . . . . . . . . . . . . . . . . . 1278
Installing and Configuring RIS . . . . . . . . . . . . . . . . . . . . . 1279
Managing RIS Images . . . . . . . . . . . . . . . . . . . . . . . . . . 1292
Prestaging RIS Clients . . . . . . . . . . . . . . . . . . . . . . . . . 1298
Installing a RIS Image on a Client Computer . . . . . . . . . . . . . 1300
Troubleshooting RIS Problems . . . . . . . . . . . . . . . . . . . . . 1302
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . 1304
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1306
Lab Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1307
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . 1314
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1314
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . 1314
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1315
Chapter 20 Managing Terminal Services . . . . . . . . . . . . . . . . . . 1319
What Is Terminal Services? . . . . . . . . . . . . . . . . . . . . . . . . . 1321
Installing and Configuring Terminal Services . . . . . . . . . . . . . . . 1322
Installing Applications for Use with Terminal Services . . . . . . . . . . 1324
Configuring Terminal Services Clients . . . . . . . . . . . . . . . . . . . 1328
Installing Terminal Services Client Software . . . . . . . . . . . . . . 1329
Establishing a Terminal Services Session . . . . . . . . . . . . . . . 1331
Managing Terminal Services Sessions . . . . . . . . . . . . . . . . . . . 1335
Monitoring Terminal Services Usage . . . . . . . . . . . . . . . . . . 1338
Using Remote Control . . . . . . . . . . . . . . . . . . . . . . . . . . 1342
Terminal Services Licensing Requirements . . . . . . . . . . . . . . . . 1345
Installing Terminal Services Licensing . . . . . . . . . . . . . . . . . 1346
Managing Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . 1347
Troubleshooting Terminal Services . . . . . . . . . . . . . . . . . . . . . 1350
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . 1353
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1355
Lab Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1356
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . 1360
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1360
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . 1360
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1361
Part V Monitoring, Optimizing, and Troubleshooting . . . 1362


Chapter 21 Monitoring, Optimizing, and Troubleshooting Performance . . . . . . . . . 1365
Monitoring Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 1367
Using System Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . 1367
Using Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . 1375
Using Windows Task Manager . . . . . . . . . . . . . . . . . . . . . 1384
Monitoring Shared Folders . . . . . . . . . . . . . . . . . . . . . . . 1386
Optimizing and Troubleshooting Performance . . . . . . . . . . . . . . 1388
Optimizing and Troubleshooting Memory Performance . . . . . . . 1389
Optimizing and Troubleshooting Processor Performance . . . . . . 1390
Optimizing and Troubleshooting Disk Performance . . . . . . . . . . 1391
Optimizing and Troubleshooting Network Performance . . . . . . . 1392
Optimizing and Troubleshooting Application Performance . . . . . . 1393
Optimizing Performance of the Server . . . . . . . . . . . . . . . . . 1396
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . 1401
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1403
Lab Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1404
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . 1408
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1408
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . 1409
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1409
Chapter 22 Managing, Optimizing, and Troubleshooting Active Directory Performance . . . 1413
Overview of Active Directory Replication . . . . . . . . . . . . . . . . . 1415
Replication Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . 1416
Intrasite Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . 1416
Intersite Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . 1418
Managing Components that Affect Replication . . . . . . . . . . . . . . 1418
Creating Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1419
Creating Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1421
Creating Site Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1422
Creating Site Link Bridges . . . . . . . . . . . . . . . . . . . . . . . 1426
Creating Global Catalog Servers . . . . . . . . . . . . . . . . . . . . 1428
Moving Server Objects Between Sites . . . . . . . . . . . . . . . . 1429
Managing and Maintaining Operations Master Roles . . . . . . . . 1432
Managing Active Directory Replication . . . . . . . . . . . . . . . . . . . 1437
Managing Intrasite Replication . . . . . . . . . . . . . . . . . . . . . 1437
Managing Intersite Replication . . . . . . . . . . . . . . . . . . . . . 1441
Managing Active Directory Performance . . . . . . . . . . . . . . . . . . 1442
Monitoring Performance of Domain Controllers and Other Active Directory Components . . . 1442
Optimizing Active Directory Performance . . . . . . . . . . . . . . . 1447
Troubleshooting Active Directory Components, Replication, and Performance . . . . . . 1448
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . 1451
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1453
Lab Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1455
Answers to Chapter Questions . . . . . . . . . . . . . . . . . . . . . . . 1457
Chapter Pre-Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1457
Assessment Questions . . . . . . . . . . . . . . . . . . . . . . . . . 1457
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1458

Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1461
Appendix A Windows 2000 MCSE Core Exam Objectives . . . . . . . 1463
Appendix B What You Need to Know to Prepare for the Exams . . . . 1487
Appendix C What’s on the CD-ROM . . . . . . . . . . . . . . . . . . . . . 1493

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1499
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1500
End-User License Agreement . . . . . . . . . . . . . . . . . . . . PG#to come
CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PG#to come

INTRODUCTION
Welcome to the Windows 2000 MCSE Study System! This book is designed
to help you acquire the knowledge, skills, and abilities you need to pass the
four core Microsoft Windows 2000 MCSE certification exams:
■ Exam 70-210: Installing, Configuring, and Administering
Microsoft Windows 2000 Professional
■ Exam 70-215: Installing, Configuring, and Administering
Microsoft Windows 2000 Server
■ Exam 70-216: Implementing and Administering a Microsoft
Windows 2000 Network Infrastructure
■ Exam 70-217: Implementing and Administering a Microsoft
Windows 2000 Directory Services Infrastructure
Alternatively, if you’ve already passed the three Windows NT 4.0 exams
(Exams 70-067, 70-068, and 70-073), and you want to take the Microsoft
Windows 2000 Accelerated Exam for MCPs Certified on Microsoft
Windows NT 4.0 (Exam 70-240), you’ll also find everything you need
to know in this volume.
This book is designed to be the only book or course you need to prepare for and pass these Windows 2000 exams. For many people, there’s no need to spend big bucks to sit in a classroom for several weeks — although I teach those courses and I’m sure I’d enjoy having you as a student. But in all honesty, as long as you have access to a computer, some time, and some self-motivation, most of you can get the knowledge and experience you need from the text, the numerous labs, the exam-style assessment questions, and the other carefully designed study guide elements in this book.
If you’re not planning to take one or more of these exams, but you want to develop a comprehensive working knowledge of Windows 2000 Professional and Windows 2000 Server, then this book is also for you. I’ve endeavored to explain — in clear, plain English — how Windows 2000 really works, both on stand-alone computers and in real-life network situations. It’s one thing to read a product help file; it’s another to actually implement a feature on a live network. This book moves way beyond basic theory to the practical “how to get the job done” that’s a necessity for network administrators in today’s competitive workplace.


My hope is that you’ll find this book the most helpful Windows 2000 product reference you’ve ever read, and that you’ll use it not only to prepare for the Windows 2000 exams, but that you’ll come back to it again and again as you perform your day-to-day Windows 2000 tasks.

How This Book Is Organized


This book is organized into six major parts, followed by a robust glossary,
an index, and two compact discs.
Here’s what you’ll find in this book:

Part I: Introduction to Windows 2000


Part I presents basic information about Windows 2000. It introduces each
of the operating systems in the Windows 2000 family, explains what’s new
in Windows 2000, takes you through a tour of the Windows 2000 user
interface, and covers the basic architecture of Windows 2000. Part I also
introduces Active Directory, a core new feature of Windows 2000.

Part II: Installation and Configuration


Part II covers the basics of installing and configuring Windows 2000. This part presents detailed instructions on how to install Windows 2000 and how to upgrade to Windows 2000 from previous Windows operating systems. Part II also explores how to use the many Control Panel applications on Windows 2000 computers. Finally, this part explains how to work with file systems and configure disks in a Windows 2000 environment, and how to install and configure DNS and Active Directory.

Part III: Managing and Securing Resources


Part III is all about administering and securing resources on a Windows 2000 computer. This part begins by explaining how to administer and secure Active Directory. It also presents detailed instructions on how to create and manage users and groups, and how to use System Policy and Group Policy to manage users and computers. Part III explores the ins and outs of sharing, securing, and accessing files and folders, and spells out the important stuff you need to know about managing printing. This part also shows you how to establish and manage auditing. Finally, Part III explains how to back up and recover systems and data, including how to back up and restore Active Directory.

Part IV: Networking and Interoperability


Part IV takes the administration of Windows 2000 up a notch to the network level. This part addresses your Windows 2000 networking and connectivity concerns. Part IV explains how to create and configure network and dial-up connections. It also covers networking with TCP/IP, managing remote access, and working with Internet Information Services (IIS), the Indexing Service, and Certificate Services. Finally, Part IV shows you how to efficiently deploy Windows 2000 on a network, and how to work with and manage Terminal Services.

Part V: Monitoring, Optimizing, and Troubleshooting

Part V explains how to use various Windows 2000 tools and techniques to monitor, optimize, and troubleshoot the performance of a specific Windows 2000 computer or an entire network. It explores how to optimize and troubleshoot memory, processor, disk, and application performance on a Windows 2000 computer, as well as how to monitor and optimize usage of system resources and network traffic. Part V also explains how to manage, optimize, and troubleshoot Active Directory replication and performance.

Part VI: Resources


Part VI features several valuable appendixes. You’ll find a table of the actual exam objectives for each of the four core Microsoft Windows 2000 MCSE certification exams (including cross-references to the section in this book where each objective is covered), important information and tips on how to prepare for the exams, and a complete listing and description of the contents of the compact discs included with this book.

CD-ROMs
The two compact discs included with this book contain some really excellent resources. First, a 120-day evaluation copy of Microsoft Windows 2000 Server is included for you. You and I both know that having access to the Windows 2000 product is absolutely essential if you’re going to learn how to use it. You’ll also find a test engine and practice test questions for each of the four core Microsoft Windows 2000 MCSE certification exams. Next, you’ll find a complete electronic version of this book, in PDF format, along with Adobe Acrobat Reader so you can easily navigate this resource. Finally, an evaluation copy of Diskeeper Server, a premier defragmentation utility for use on Windows 2000 and Windows NT NTFS partitions, is included.

How Each Chapter Is Structured


When this book was designed, a lot of thought went into its structure, and
particularly into the specific elements that would provide you with the
best possible learning and exam preparation experience.

Here are the elements you’ll find in each chapter:


■ The specific exams for which this chapter helps you prepare
■ A list of exam objectives (by exam) covered by this chapter
■ A Chapter Pre-Test
■ Clear, concise text on each topic
■ Step-by-step instructions on how to perform Windows 2000 tasks
■ Screen shots and graphics that are worth more than a thousand words
■ A Key Point Summary
■ A comprehensive Study Guide that contains:
  • Exam-style Assessment Questions
  • Scenario problems for you to solve, as appropriate
  • Lab Exercises to perform on your computer, as appropriate
  • Answers to Chapter Pre-Test questions, Assessment Questions, and Scenarios

How to Use This Book


This book can be used either by individuals working independently or by
groups in a formal classroom setting.
For best results (and we both know that the only acceptable results are
passing scores on the MCSE exams), I recommend the following plan of
attack as you use this book. First, take the Chapter Pre-Test, then read the
chapter and the Key Point Summary. Use this summary to see if you’ve
really got the key concepts under your belt. If you don’t, go back and
reread the section(s) you’re not clear on. Then do all of the Assessment
Questions and Scenarios at the end of the chapter. Finally, do the Lab
Exercises. Remember, the important thing is to master the tasks that are
tested by the exams. There’s really no way to master tasks without seeing
the various Windows 2000 screens over and over again.
The chapters of this book have been designed to be studied sequentially. In other words, it would be best if you complete Chapter 1 before you proceed to Chapter 2. A few chapters could probably stand alone, but all in all, I recommend a sequential approach. The Lab Exercises have also been designed to be completed in a sequential order, and often depend on the successful completion of the previous labs.
After you’ve completed your study of the chapters and reviewed the
Assessment Questions and Lab Exercises in the book, use the test engine
on the compact disc included with this book to get some experience
answering practice questions. The practice questions will help you assess
how much you’ve learned from your study and will also familiarize you
with the type of exam questions you’ll face when you take the real exams.
Once you identify a weak area, you can restudy the corresponding chapters
to improve your knowledge and skills in that area.

Prerequisites
Although this book is a comprehensive study and exam preparation guide, it does not start at ground zero. I assume you have the following knowledge and skills at the outset:
■ Basic terminology and basic skills to use a Microsoft Windows product. (This could be Windows 95, Windows 98, or a Windows NT product.)
■ Basic mouse skills: being able to left-click, right-click, double-click, use the pointer, and so on.
■ Networking knowledge or experience equal to the scope required
to pass an industry networking certification exam, such as
CompTIA’s Network+ exam.
If you meet these prerequisites, you’re ready to begin this book.
If you don’t have the basic Windows experience or mouse skills, I recommend you work through a self-study book, such as Windows 98 for Dummies (IDG Books Worldwide, Inc.) or Windows 2000 Professional for Dummies (IDG Books Worldwide, Inc.).
If you don’t have the networking knowledge or experience, I recommend you use a book such as Networking Essentials MCSE Study Guide (IDG Books Worldwide, Inc.) or Networking for Dummies (IDG Books Worldwide, Inc.) to obtain this knowledge before you begin this book.

How to Determine What You Should Study


Your individual certification goals will ultimately determine which parts of this book you should study. If you want to pass two or more of the Microsoft Windows 2000 MCSE certification exams, or simply want to develop a comprehensive working knowledge of Windows 2000, I recommend you study, in sequential order, the entire book.
If you are preparing only for the Workstation exam, I suggest you follow
the recommended study plan shown in Table 1.
If you are preparing only for the Server exam, I suggest you follow the
recommended study plan shown in Table 2.
If you are preparing only for the Network exam, I suggest you follow
the recommended study plan shown in Table 3.
If you are preparing only for the Directory Services exam, I suggest you
follow the recommended study plan shown in Table 4.
TABLE 1 Chapters that Prepare You for Exam 70-210: Installing, Configuring, and Administering Microsoft Windows 2000 Professional
Chapter Number  Chapter Title
1   Overview of Windows 2000
3   Installing Windows 2000
4   Upgrading to Windows 2000
5   Using Control Panel
6   Working with File Systems and Disks
9   Managing Users and Groups
10  Using System Policy and Group Policy
11  Sharing, Securing, and Accessing Files and Folders
12  Managing Printing
13  Auditing and Security
14  Backup and Recovery
15  Creating and Configuring Network and Dial-Up Connections
16  Networking with TCP/IP
18  Managing Web and Certificate Services
19  Deploying Windows 2000 on Your Network
21  Monitoring, Optimizing, and Troubleshooting Performance

TABLE 2 Chapters that Prepare You for Exam 70-215: Installing, Configuring, and Administering Microsoft Windows 2000 Server
Chapter Number  Chapter Title
1   Overview of Windows 2000
2   Overview of Active Directory
3   Installing Windows 2000
4   Upgrading to Windows 2000
5   Using Control Panel
6   Working with File Systems and Disks
9   Managing Users and Groups
10  Using System Policy and Group Policy
11  Sharing, Securing, and Accessing Files and Folders
12  Managing Printing
13  Auditing and Security
14  Backup and Recovery
15  Creating and Configuring Network and Dial-up Connections
16  Networking with TCP/IP
17  Managing Remote Access
18  Managing Web and Certificate Services
19  Deploying Windows 2000 on Your Network
20  Managing Terminal Services
21  Monitoring, Optimizing, and Troubleshooting Performance

TABLE 3 Chapters that Prepare You for Exam 70-216: Implementing and Administering a Microsoft Windows 2000 Network Infrastructure
Chapter Number  Chapter Title
1   Overview of Windows 2000
3   Installing Windows 2000 (Although technically there are no Network exam objectives covered in this chapter, you’ll need to install Windows 2000 in order to perform the labs in the later chapters.)
7   Installing and Configuring DNS and Active Directory
15  Creating and Configuring Network and Dial-up Connections
16  Networking with TCP/IP
17  Managing Remote Access
18  Managing Web and Certificate Services
21  Monitoring, Optimizing, and Troubleshooting Performance

TABLE 4 Chapters that Prepare You for Exam 70-217: Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure
Chapter Number  Chapter Title
1   Overview of Windows 2000
2   Overview of Active Directory
3   Installing Windows 2000 (Although technically there are no Directory Services exam objectives covered in this chapter, you’ll need to install Windows 2000 in order to perform the labs in the later chapters.)
7   Installing and Configuring DNS and Active Directory
8   Administering and Securing Active Directory
9   Managing Users and Groups
10  Using System Policy and Group Policy
12  Managing Printing
13  Auditing and Security
14  Backup and Recovery
19  Deploying Windows 2000 on Your Network
22  Managing, Optimizing, and Troubleshooting Active Directory Replication and Performance

Hardware and Software You’ll Need


You’ll need access to various hardware and software to be able to do the
Lab Exercises in this book. It’s extremely important that you do these labs
to acquire the skills tested by the Microsoft Windows 2000 exams.

CAUTION
Some of the Lab Exercises in this book have the potential to erase or corrupt data on existing hard disks. Make sure you back up all important data and programs before you attempt to perform the labs. Better yet, do the labs on a computer that doesn’t contain any vital data or programs.

Here are the minimum hardware requirements:


■ Intel-based computer with Pentium/133MHz processor, 256MB
of RAM, and 2GB of hard disk space.
■ Keyboard
■ CD-ROM drive
■ Mouse or other pointing device
■ VGA monitor and graphics card
■ Network adapter card

I strongly recommend that you only use hardware found on the Microsoft Windows 2000 Hardware Compatibility List (HCL). This list, which is updated periodically, ships with the Windows 2000 product. The HCL is named HCL.txt, and is located on the Windows 2000 compact disc in the \Support folder.

Optional equipment that you might benefit from using includes:


■ Printer
■ Tape drive
■ Modem and Internet connection (so you can access online resources)
Here is the software you’ll need:
■ Microsoft Windows 2000 Professional (particularly if you’re preparing for the Professional exam)
■ Microsoft Windows 2000 Server

TIP
The compact disc included with this book contains an evaluation copy of
Windows 2000 Server.

Conventions Used in This Book


Every book has its own set of conventions, so I’ll explain the ones I’ve used
in this book to you right up front.

Windows 2000 is Windows 2000


Windows 2000 encompasses four operating systems:
■ Windows 2000 Professional
■ Windows 2000 Server
■ Windows 2000 Advanced Server
■ Windows 2000 Datacenter Server
There are some differences between these four Windows 2000 operating systems, but because they’re all based on the same kernel, they are fundamentally the same operating system. When you learn how to perform a task using Windows 2000 Server, it’s usually the same as learning how to perform the same task using Windows 2000 Professional. So, if you’re wondering how I can prepare you for four Windows 2000 exams in one book, it’s for this reason: Windows 2000 is Windows 2000.
Because of the similarities of the Windows 2000 operating systems, throughout this book, except where differences are noted, when you read “Windows 2000” you can assume I’m referring to all three of the most commonly used Windows 2000 operating systems: Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server.

New Terms
How could I talk about Windows 2000 and other computer stuff without
using all kinds of fancy acronyms and terms? You know, the alphabet soup
you throw into everyday conversation around the dinner table that causes
your family members to roll their eyes?
I’ve chosen to italicize new or potentially unfamiliar terms, such as Active Directory, as I define them. Normally, I’ll define a new term right after its first mention. If you happen to see an unfamiliar word that’s italicized, such as application programming interface (API), but it’s not followed by a definition, you can flip to the glossary to read the definition of the term.

Navigating Menus and Other Important Stuff


When navigating the menus in Windows 2000, I use an arrow symbol —
➪ — to tell you which menu item to point to next.
For example, if I say you can access Windows Explorer by selecting
Start ➪ Programs ➪ Accessories ➪ Windows Explorer, what I mean is that
you should click the Start button, then point to Programs, then point to
Accessories, and finally point to Windows Explorer and release the mouse
button.
One particular term I use a lot when explaining the commands and steps to perform a task is the word highlight. When I say you should highlight an item, I mean that you should select or click it so that Windows 2000 causes the item to be highlighted while all of the other items in the list or box remain displayed in normal text.
Finally, when you do the Lab Exercises and are asked to type something,
the text you are instructed to type will be printed in bold, like this:
domain1.mcse
Code
All code listings and uniform resource locators (URLs) in this book are
presented in monospace font, like this:
http://www.microsoft.com

I’ve also used this type of font to identify names of files, folders, network
drives, paths to network resources, fully qualified domain names (FQDNs),
and character-based screen content when presented verbatim.
When you see monospace font presented in italics, the italicized text represents a variable that could actually have a different name. For example, I frequently use the term SystemRoot to indicate the drive and folder that Windows 2000 is installed in on your computer, which, by default, is usually C:\Winnt. This folder, however, can actually be named anything you want to call it.
When a variable consists of two or more words, I use underscores to connect the words. An example of this type of variable is found in the naming structure of an FQDN, which is server_name.domain_name.root_domain_name. In this example, the variables “server name,” “domain name,” and “root domain name” are separated by underscores to convey the fact that the connected words represent a single variable.
Lastly, some command-line utilities have optional switches. When I refer to such an optional switch, I show the switch in a pair of brackets, like this:
[/V]

Icons
Several different icons are used throughout this book to draw your attention to matters that deserve a closer look:

[EXAM MATERIAL icon: Professional, Server, Network, Active Directory]

You’ll see an icon similar to this at the beginning of each chapter and at the beginning of each Lab Exercise. It will let you know, at a glance, exactly which exams the chapter or lab is designed to help you prepare for.
CAUTION
This icon is used to warn you that something unfortunate could happen if
you’re not careful. It also points out information that could save you a lot
of grief. It’s often easier to prevent a tragedy than to fix it afterwards.

CROSS-REFERENCE
This icon points you to another place in this book for more coverage of a particular topic. It may point you back to a previous chapter where important material has already been covered, or it may point you ahead to let you know that a topic will be covered in more detail later on.

EXAM TIP
This icon points out important information or advice for those preparing
to take any of the four core Microsoft Windows 2000 MCSE certification
exams.

IN THE REAL WORLD


Sometimes things work differently in the real world than books — or product documentation — say they do. This icon draws your attention to the author’s real-world experiences, which will hopefully help you on the job if not on the Windows 2000 exams.

TIP
This icon is used to draw your attention to a little piece of friendly advice,
a helpful fact, a shortcut, or a bit of personal experience that might be of
use to you.

How to Contact Me
I’ve done my very best to make sure the contents of this book are technically accurate and error free. My technical reviewer and editors have also worked hard toward this goal.
However, I know that perfection isn’t a possibility in the real world, and if you find an error, or have some other comment or insight, I’d appreciate hearing from you. You can contact me via the Internet at alan_carter@usa.net.
I always read all of my readers’ e-mail messages, and, when possible, include your corrections and ideas in future printings. However, because of the high volume of e-mail I receive, I can’t respond to every message. Please don’t take it personally if I don’t respond to your e-mail message.
Also, one last note: although I enjoy hearing from my readers, please don’t write to me for product support or for help in solving a particular Windows 2000 problem you’re experiencing on your computer or network. I think that Microsoft does a far better job of product support than I could ever do, so I leave this arena entirely to the men and women specifically trained to answer your technical questions.
I guess that about wraps up the general comments. From here you can
get started on the nuts and bolts of learning about Windows 2000, and get
ready to pass those exams. I wish you great success!

Windows 2000 MCSE Study System
4701-1 ch01.f.qc 4/24/00 09:01 Page 4

[EXAM MATERIAL icon: Professional, Server, Network, Directory Services]

EXAM OBJECTIVES

The content of this chapter doesn’t map directly to any one specific exam objective, but that doesn’t mean it’s not important. The basics presented in this chapter are crucial to your understanding of Windows 2000.
So, no matter which of the four core Windows 2000 exams you’re preparing for, read on. You owe it to yourself to get a firm grasp of the Windows 2000 fundamentals early on, so you can dive into the rest of the chapters with confidence.

CHAPTER 1
Overview of Windows 2000

This chapter explores the basics of the four new Windows 2000 operating systems. Ever wondered which operating system to choose for a given situation? Or whether to choose a workgroup or a domain model? These issues are explained and answered in this chapter. You’ll want to read this chapter no matter which of the four core Microsoft Windows 2000 exams you’re preparing for, because it spells out fundamental concepts you’ll need to know, including:

■ Basic descriptions and features of the four new Windows 2000 operating systems: Professional, Server, Advanced Server, and Datacenter Server
■ How the Windows 2000 user interface looks and feels
■ Application environments supported by Windows 2000
■ Fundamentals of Windows 2000 architecture
■ Explanations of basic Windows 2000 concepts: workgroups, domains,
and an introduction to Active Directory

5
4701-1 ch01.f.qc 4/24/00 09:01 Page 6

6 Part I ▼ Introduction to Windows 2000

Chapter Pre-Test
1. List the four new Windows 2000 operating systems.
2. Does Windows 2000 support Plug and Play?
3. What are the five application types supported by Windows 2000?
4. Which hardware platforms are supported by Windows 2000?
5. What are the two primary modes in the Windows 2000 architecture?
6. What is Active Directory?

Chapter 1 ▼ Overview of Windows 2000 7

Windows 2000 Operating Systems

This overview begins by taking a look at the Microsoft Windows 2000 operating system family. The operating systems that make up this family are:
■ Windows 2000 Professional
■ Windows 2000 Server
■ Windows 2000 Advanced Server
■ Windows 2000 Datacenter Server
These four operating systems share a common user interface, share many common features and utilities, and are all 32-bit operating systems. In fact, all of these operating systems use the same kernel, which is based on Windows NT technology.

TIP
When you hear the name “Windows 2000,” you might think this operating system is a revised version of Windows 98. However, Windows 2000 is really the latest and greatest version of Windows NT, and was originally called Windows NT 5.0 before Microsoft changed its name to Windows 2000.

Although based on the same kernel, each of the four operating systems that make up the Windows 2000 operating system family is optimized for use in a specific environment.
The following section explores some of the new common features shared by the four Windows 2000 operating systems.

New Common Features

The Windows 2000 operating systems share several common features and utilities. A few of the more significant features that have changed from Windows NT 4.0 to Windows 2000 are:
■ New security protocol: Windows 2000 includes the Kerberos version 5 protocol. This is an Internet standard authentication protocol that provides a higher level of security and faster, more efficient authentication than the Windows NT/LAN Manager protocol.
■ Plug and Play: The Windows 2000 operating systems, unlike their Windows NT 4.0 predecessors, fully support Plug and Play architecture. Plug and Play automatically detects new hardware in a computer, and then automatically loads the appropriate device drivers and configures the device. Plug and Play also enables you to physically change a PC card in a laptop computer without turning the computer off.
■ New file system support: Windows 2000 supports two new file systems: the FAT32 file system and the Encrypting File System (EFS). The FAT32 file system, which is supported by Windows 95 OSR2 and Windows 98, but was not supported by earlier versions of Windows NT, allocates disk space in a more efficient manner than previous versions of the FAT (file allocation table) file system, and supports drives as large as two terabytes. EFS enables you to store files on an NTFS partition in an encrypted format, so that even if an unauthorized user removes a hard disk from your computer, that user will be unable to access the sensitive data contained in the encrypted file.
■ Power Options in Control Panel: This application enables you to configure energy saving settings for your computer. Primarily designed for use on laptop computers, Power Options help you get the most life out of your laptop’s battery.
■ Internet Explorer 5: Microsoft’s newest Web browser, Internet Explorer 5, is an integral part of the Windows 2000 operating systems. Internet Explorer 5 sports several new features designed to save time and make browsing tasks easier to perform, including a Search Assistant, automatic configuration, and AutoComplete. Internet Explorer 5 also includes Microsoft Outlook Express 5, an e-mail and newsgroup client that enables multiple users to maintain individual e-mail accounts on the same computer.
These are just a few of the many new features of Windows 2000, but in my opinion, the most important. As you might guess, each of these components will be covered in depth in later chapters in this book. But first, allow me to introduce you to each of the new Windows 2000 operating systems.
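To make the Kerberos bullet above concrete, here is an added toy model (not code from this book, from Windows, or from any Kerberos implementation) of the three exchanges behind a Windows 2000 domain logon: the client proves its password with a sealed timestamp and receives a ticket-granting ticket, trades it for a service ticket, and the file server then checks that ticket with only its own key, so no round trip to the domain controller is needed per connection, which is the efficiency gain over NTLM pass-through. The realm, principal names, key derivation and the HMAC-SHA256 stand-in cipher are all constructed for the example.

```python
"""Toy model of the Kerberos v5 exchanges behind a Windows 2000 domain logon.
Added illustration, not code from the book or from Windows.  The HMAC-SHA256
based "seal" is a stand-in for the real Kerberos encryption types, and the
realm, principal names and key derivation are constructed for the example."""
import hashlib
import hmac
import json
import os
import time

SKEW = 300                    # authenticators older than 5 minutes are rejected (replay defence)
TICKET_LIFETIME = 10 * 3600   # 10 hours, the default service-ticket lifetime in a W2K domain

def derive_key(realm: str, principal: str, password: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function (assumption: salted SHA-256)."""
    return hashlib.sha256(f"{realm}|{principal}|{password}".encode()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a small JSON message under `key` (toy cipher, not Kerberos RC4/AES)."""
    plain = json.dumps(fields).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """The Key Distribution Center (in Windows 2000, every domain controller runs one)."""
    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {"krbtgt": os.urandom(32)}   # long-term keys, as Active Directory would hold them

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_key(self.realm, principal, password)

    def as_exchange(self, user: str, preauth: bytes) -> bytes:
        """AS-REQ/AS-REP: a timestamp sealed with the user's key proves the password
        without ever transmitting it; the reply carries a session key and a TGT."""
        key = self.keys[user]
        if abs(time.time() - unseal(key, preauth)["ts"]) > SKEW:
            raise ValueError("stale pre-authentication timestamp")
        session = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": session.hex(),
                                          "exp": time.time() + TICKET_LIFETIME})
        return seal(key, {"session": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str) -> bytes:
        """TGS-REQ/TGS-REP: the client presents its TGT plus an authenticator sealed
        with the session key, and receives a ticket for the requested service."""
        tgt = unseal(self.keys["krbtgt"], tgt_blob)
        auth = unseal(bytes.fromhex(tgt["key"]), authenticator)
        if auth["user"] != tgt["user"] or time.time() > tgt["exp"] or abs(time.time() - auth["ts"]) > SKEW:
            raise ValueError("TGT/authenticator mismatch, expired or replayed")
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"user": tgt["user"], "key": svc_key.hex(),
                                           "exp": time.time() + TICKET_LIFETIME})
        return seal(bytes.fromhex(tgt["key"]), {"key": svc_key.hex(), "ticket": ticket.hex()})

def service_accepts(service_key: bytes, ticket_blob: bytes, authenticator: bytes) -> bool:
    """AP-REQ check done by the file or print server with only its own key: unlike
    NTLM pass-through authentication, no call back to the domain controller is needed."""
    ticket = unseal(service_key, ticket_blob)
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    return (auth["user"] == ticket["user"] and time.time() < ticket["exp"]
            and abs(time.time() - auth["ts"]) <= SKEW)

def access_service(kdc: KDC, user: str, password: str, service: str) -> bool:
    """Client side of all three exchanges; raises ValueError on a wrong password."""
    key = derive_key(kdc.realm, user, password)
    rep = unseal(key, kdc.as_exchange(user, seal(key, {"ts": time.time()})))
    session, tgt = bytes.fromhex(rep["session"]), bytes.fromhex(rep["tgt"])
    rep = unseal(session, kdc.tgs_exchange(tgt, seal(session, {"user": user, "ts": time.time()}), service))
    svc_key, ticket = bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])
    # The service's long-term key is looked up here only because this toy runs everything in one process.
    return service_accepts(kdc.keys[service], ticket, seal(svc_key, {"user": user, "ts": time.time()}))

if __name__ == "__main__":
    dc = KDC("EXAMPLE.LOCAL")          # constructed realm and principals
    dc.register("alice", "correct horse battery")
    dc.register("cifs/fileserver", "service-account-secret")
    print("logon + service access:", access_service(dc, "alice", "correct horse battery", "cifs/fileserver"))
```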

Windows 2000 Professional

Microsoft Windows 2000 Professional is a 32-bit operating system that is optimized for use on desktop computers. Windows 2000 Professional picks up where Windows NT Workstation left off. It contains not only the features and functionality of Windows NT Workstation, but also the best features of Windows 98.
Windows 2000 Professional is typically not a good choice of operating system for a server in a business environment, because it supports only ten concurrent connections from other computers.

Hardware Requirements
As with all new versions of operating systems, Windows 2000 Professional requires significantly more hardware resources than did either of its predecessors — Windows NT Workstation or Windows 98. The minimum hardware required to successfully install and run Windows 2000 Professional on an Intel-based computer includes:
■ A Pentium/133MHz processor
■ 32MB of RAM (64MB are recommended)
■ 650MB of free hard disk space
In order to ensure operational success, all hardware should be on the Windows 2000 Hardware Compatibility List (HCL) that is shipped with the product and is also posted on Microsoft’s Web site.

CROSS-REFERENCE
For more information on the Hardware Compatibility List, including Web site information, see Chapter 3. For detailed information on the hardware requirements for installing Windows 2000 Professional, also see Chapter 3.

Application Support
Windows 2000 Professional supports most MS-DOS–based applications, most 16-bit and 32-bit Windows-based applications, POSIX 1.x applications, and most OS/2 1.x applications. Specifically, Windows 2000 Professional supports many Windows 95/Windows 98 applications that were not supported by Windows NT Workstation 4.0. Windows 2000 Professional does not support applications that require direct hardware access (bypassing the Hardware Abstraction Layer [HAL]) because this could compromise Windows 2000 Professional’s security. It also does not support software applications that require an MS-DOS terminate-and-stay-resident (TSR) program or a virtual device driver.
I’ll discuss the various application environments supported by Windows 2000 in more detail a bit later in this chapter.

Multiprocessing, Multithreading, and Multitasking

Windows 2000 Professional supports symmetric multiprocessing with up to two processors. Multiprocessing refers to the capability of an operating system to use more than one processor in a single computer simultaneously. Symmetric multiprocessing is a type of multiprocessing in which system processes and applications can be run on any available processor. This is the most efficient form of multiprocessing currently available, because it does not tie a particular process or application to a specific, assigned processor.
Windows 2000 Professional also supports multithreading and preemptive multitasking. A thread is the smallest unit of processing that can be scheduled by the Windows 2000 kernel. All applications require at least one thread. When an application has more than one thread, each thread can be executed independently of the others. This is referred to as multithreading. Individual threads within a single application can even be run on different processors in the same computer. In preemptive multitasking, the operating system allocates processor time between applications. Because Windows 2000 — not the application — allocates processor time between multiple applications, one application can be preempted by the operating system, and another application allowed to run. When multiple applications are alternately paused and then allocated processor time, they appear to run simultaneously to the user.

Security
Windows 2000 Professional supports a high level of security. User logon and authentication are required in order to use the operating system and in order to access local or network resources. Windows 2000 Professional supports a local user account database, and can also support either a Windows NT Server 4.0 domain user account database or user accounts from the Windows 2000 Active Directory.
Two other security features of Windows 2000 Professional are smart card support and Internet Protocol Security. A smart card is a security device that contains a unique, encrypted set of authentication credentials. When used in conjunction with a smart card reader that has been installed on a computer, smart cards eliminate the need for users to transmit user names and passwords across the network when logging on. Internet Protocol Security (IPSec) encrypts TCP/IP traffic between two computers, thus preventing unauthorized users who capture network traffic from viewing or modifying sensitive data.

Windows 2000 Server

Microsoft Windows 2000 Server is a powerful 32-bit operating system that is optimized for network file, print, application, and Web servers. Windows 2000 Server is the next generation of Windows NT Server. It contains all of the features and functionality of Windows 2000 Professional, plus several additional features that make it the operating system of choice for most business server applications.

Hardware Requirements
The minimum hardware required to successfully install and run Windows 2000 Server on an Intel-based computer includes:
■ A Pentium/133MHz processor
■ 64MB of RAM (128MB are recommended)
■ 950MB of free hard disk space (more disk space is required if the computer contains more than 64MB of RAM)
All hardware should be on the Windows 2000 HCL.

CROSS-REFERENCE
For more detailed information on hardware requirements for installing Windows 2000 Server, see Chapter 3.

File Management
Windows 2000 Server supports two new file management tools, the Distributed file system (Dfs) and disk quotas.
The Distributed file system (Dfs) is a file system that enables an administrator to make shares that are stored on various servers on the network appear to users as though they are stored within a single share on a single server. The use of Dfs makes finding network resources easier for users, because users don’t have to know which server physically contains the shared resource they are trying to access.
Disk quotas are a volume management feature that is enabled on a volume-by-volume basis. Once enabled, disk quotas automatically track disk space usage on a user-by-user basis, and prevent individual users from exceeding the disk space limitations that they have been assigned by administrators. Disk quotas can also be used on Windows 2000 Professional computers, but it seems unlikely to me that they will be widely used on desktop client computers.

Application Support
Windows 2000 Server supports the same software applications as Windows 2000 Professional. In addition, Windows 2000 Server is optimized to support the Microsoft BackOffice suite of products, including SQL Server, Systems Management Server, Internet Information Server, Exchange Server, and SNA Server, as well as many third-party server-based applications.
Windows 2000 Server also supports Terminal Services. This application service, when run on a network server, enables users of client computers to remotely perform processor-intensive or network-intensive tasks from their client computers. The application runs on the server running Terminal Services, so the user can take advantage of the processing power and network connectivity of the server, while fully controlling the application from the client computer’s keyboard and monitor.

CROSS-REFERENCE
Chapter 20 is devoted entirely to managing Terminal Services.

Multiprocessing, Multithreading, and Multitasking

Like Windows 2000 Professional, Windows 2000 Server supports symmetric multiprocessing, but Windows 2000 Server accommodates up to four processors instead of only two. Also like Windows 2000 Professional, Windows 2000 Server supports multithreading and preemptive multitasking.

Security
Windows 2000 Server includes all of the security features of Windows 2000 Professional, and has additional security features of its own. Windows 2000 Server supports a local user account database, and can also support either a Windows NT Server 4.0 domain user account database, or user accounts from the Windows 2000 Active Directory. In addition, Windows 2000 Server can be configured as a domain controller, which contains a read/write copy of the Active Directory data store. Active Directory is a directory service that stores information about various types of network objects, including printers, shared folders, user accounts, and computers. These objects are placed in a hierarchical structure that can be organized to simplify administration. With Active Directory, users can gain access to any network resource (that the user has permissions to) with a single logon.

CROSS-REFERENCE
Active Directory is an important feature of Windows 2000. It is discussed briefly later in this chapter, and is the primary focus of Chapter 2.

Windows 2000 Server also includes support for Remote Authentication Dial-In User Service (RADIUS). RADIUS is an industry standard authentication service that provides centralized management of user authentication and authorization for remote access servers.

Networking
Windows 2000 Server supports routing of the IP, IPX, and AppleTalk protocols over both LAN and WAN interfaces. Both the Routing Information Protocol (RIP) version 2 and the Open Shortest Path First (OSPF) routing protocols are supported for IP routing.
Another new networking feature of Windows 2000 Server is the support this operating system provides for asynchronous transfer mode (ATM) network adapter cards. ATM technology makes possible the simultaneous transport of voice, data, video, and images over the network.

Windows 2000 Advanced Server

Microsoft Windows 2000 Advanced Server is a powerful 32-bit operating system that is optimized for servers in an enterprise network environment. This operating system is often also a good intermediate choice for a heavily used server, such as a SQL server, when you need a more powerful hardware platform than Windows 2000 Server supports, but don’t need the capabilities (or the added hardware and software expense) associated with Windows 2000 Datacenter Server.
Windows 2000 Advanced Server provides more scalability than Windows 2000 Server. Windows 2000 Advanced Server supports up to eight processors, and up to 8GB of RAM. Windows 2000 Server, on the other hand, only supports up to four processors and up to 4GB of RAM.
The minimum hardware requirements of Windows 2000 Advanced Server are virtually the same as those for Windows 2000 Server. As noted previously, however, Windows 2000 Advanced Server can support more processors and more RAM than Windows 2000 Server.
Windows 2000 Advanced Server includes all of the features of Windows 2000 Server. In addition, Windows 2000 Advanced Server includes Windows Clustering. A cluster is a group of computers that, from a client and application point of view, appear as a single computer. Windows Clustering is a technology which, when implemented on 2 to 32 Windows 2000 Advanced Server computers, provides two important features:
■ High availability: This feature is important for mission-critical applications. In Windows Clustering, if a computer in the cluster that is running a critical application fails, another computer in the cluster will automatically start the application, and users will be seamlessly directed to the computer that takes over running the application.
■ Load balancing: This feature refers to spreading utilization across multiple computers. For example, if a Web server experiences more utilization than a single computer can handle, it can be run on all of the computers in the cluster. Users will be seamlessly directed to the computer with the lowest utilization.
Windows Clustering is implemented on Windows 2000 Advanced Server by installing the Cluster Service.

Windows 2000 Datacenter Server

Microsoft Windows 2000 Datacenter Server is the most powerful of the Windows 2000 operating systems. Also a 32-bit operating system, Windows 2000 Datacenter Server is optimized for enterprise applications, such as extremely large databases and real-time online transaction processing, or other industrial applications that require phenomenal amounts of processor power.
Windows 2000 Datacenter Server provides more scalability than Windows 2000 Advanced Server. Windows 2000 Datacenter Server supports up to 32 processors, and up to 64GB of RAM. Windows 2000 Advanced Server, on the other hand, only supports up to eight processors and up to 8GB of RAM.
The minimum hardware requirements of Windows 2000 Datacenter Server are the same as those for Windows 2000 Server. As noted previously, however, Windows 2000 Datacenter Server can support more processors and more RAM than either Windows 2000 Server or Windows 2000 Advanced Server.
The features of Windows 2000 Datacenter Server are identical to the features of Windows 2000 Advanced Server. The only advantage of Windows 2000 Datacenter Server is its capability to utilize more processors and more RAM.

Windows 2000 User Interface

If you’re familiar with the Windows 98 user interface, or the Windows NT 4.0 user interface with Active Desktop installed, you can probably skip this section. The Windows 2000 user interface looks and feels just like the Windows 98 user interface.

TIP
Because of the similarities of the Windows 2000 operating systems, throughout this book, except where differences are noted, when you read “Windows 2000” you can assume I’m referring to all three of the most commonly used Windows 2000 operating systems: Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server. Windows 2000 Datacenter Server is beyond the scope of this book, and its differences will not be discussed in this book.

If this is your first exposure to the newer Windows operating systems, Figure 1-1 shows the appearance of the Windows 2000 Server desktop interface.
The following is a brief explanation of the Windows 2000 user interface, including the desktop and Windows Explorer. Because the user interfaces of the Windows 2000 operating systems are identical, I haven’t described each desktop individually.

FIGURE 1-1 The Windows 2000 Server desktop

The Windows 2000 Desktop

After your computer boots Windows 2000, the screen displayed is the desktop. Figure 1-1 shows the Windows 2000 Server desktop. The Windows 2000 desktop is nearly identical to the desktop of the Windows 98 and Windows NT 4.0 (with Active Desktop installed) operating systems.
As with previous versions of Windows and Windows NT, you can create shortcuts to programs you use frequently and place them on your desktop. The simplest way to create a shortcut is to highlight the desired program in your Start menu, then right-click the highlighted program, and drag it to your desktop. When you release the right mouse button, select Create Shortcut(s) Here from the menu that is displayed.
You can also customize the desktop to display selected Web pages directly on the desktop by right-clicking anywhere on the desktop and then selecting Active Desktop ➪ Customize My Desktop.
As with previous versions of Windows and Windows NT, you can configure the display properties, including background, screen saver, appearance, Web content, visual effects, display resolution, and color depth. To configure the display properties, right-click anywhere on the desktop and then select Properties.
There are several icons on the desktop, as well as a taskbar. Each of these items is discussed in the following sections.

My Documents
The My Documents icon represents the My Documents folder of the logged-on user. This folder is the default storage location for user-created documents. Double-clicking the My Documents icon displays the contents of the My Documents folder.

My Computer
Double-clicking the My Computer icon displays the My Computer dialog box. This dialog box graphically represents every drive on the computer (including network drives, if any), as well as the Control Panel folder. If you double-click any icon in the My Computer dialog box, a dialog box is displayed showing the contents of the drive or folder you clicked.

TIP
Windows 2000 offers you a choice of whether to single-click or double-click to open an item, such as My Computer. The default setting is double-click. If you want to change this setting, open My Computer, then select Tools ➪ Folder Options. In the Folder Options dialog box, select the “Single-click to open an item” option. This setting applies not only to My Computer, but to the other items on the desktop, and also to all items displayed in Windows Explorer.

My Network Places
If you double-click the My Network Places icon, a dialog box is displayed that contains an icon for Add Network Place, an icon for Computers Near Me, and an icon for the Entire Network.
Use the Add Network Place icon when you want to connect to a shared folder on the network, or connect to an FTP or Web site. This icon is a simplified wizard for mapping a network drive or connecting to a Web site, and creating a shortcut to this drive or Web site in the My Network Places folder.
If you double-click the Computers Near Me icon, all of the computers in your workgroup or domain are displayed. You can double-click any of these computers to display the shared folders and shared printers on that computer. The Printers and Scheduled Tasks folders on the selected computer are also displayed.
The Entire Network icon, when double-clicked, opens a dialog box that gives you three options. You can select a link that will search for a particular computer on the network. You can also select a link that will search for specific files or folders located anywhere on the network. Finally, you can select a link that will let you view and browse all of the workgroups, domains, and computers on your network.

Recycle Bin
The Recycle Bin icon is a politically correct version of the Macintosh trash can icon. When you delete files, the files are moved from their original location into the Recycle Bin folder. If you later want those files back, you can move them from the Recycle Bin to another location. When you delete items in the Recycle Bin, the items are removed permanently from your computer. It’s normally a good idea to periodically empty your Recycle Bin so that a large amount of valuable disk space is not taken up by deleted files.

Internet Explorer
When you double-click the Internet Explorer icon, Microsoft Internet Explorer 5 starts. You can use this application to browse Web pages located on the Internet or on your company’s intranet.

Connect to the Internet

When you double-click the Connect to the Internet icon, the Internet Connection Wizard starts. You can use this wizard to sign up for a new account with an Internet service provider (ISP), to transfer your existing Internet account settings to the computer you’re working on, or you can elect to bypass this wizard and manually configure your Internet connection.
A tutorial that explains in more detail how to use the Internet Connection Wizard is included. You can access this tutorial by clicking tutorial on the first screen in the wizard.

Taskbar
The taskbar at the bottom of the desktop contains the Start button, a Quick Launch toolbar, a button for each program that is currently running, and a clock.
I’ll get to the Start button and Quick Launch toolbar in a minute, but first let me explain how you can use the other elements in the taskbar.
You can use the taskbar to quickly switch between two or more applications that are running by clicking the button that represents the application you want to use. You can configure the properties of the taskbar by right-clicking anywhere on the taskbar, and then selecting Properties. Finally, you can easily set the time and date by double-clicking the clock in the taskbar.

Start Button The Start button is located on the left side of the taskbar at the bottom of the desktop. Clicking the Start button opens a menu that enables you to quickly access programs, recently used documents, favorites, settings (such as the Control Panel and Printers folders), and Help. The menu also includes a Windows Update option, which is a link to Microsoft’s Web site where you can download new Windows features and operating system updates. In addition, this menu enables you to run applications from a command line, find a document, log off, and shut down your computer.
You can customize your Start menu by dragging and dropping program icons from one Start menu folder to another location in the Start menu. For example, when I select Start ➪ Programs ➪ Accessories ➪ Windows Explorer, I can click Windows Explorer, and drag and drop it directly in the Programs folder in my Start menu. From then on, when I want to run Windows Explorer, I will select Start ➪ Programs ➪ Windows Explorer. I could also have dropped Windows Explorer directly on the top section of my Start menu, above Programs. If I had dropped Windows Explorer here, I would select Start ➪ Windows Explorer to run this program.

Quick Launch Toolbar The Quick Launch toolbar is located directly to the right of the Start button in the taskbar. By default, the Quick Launch toolbar consists of the Show Desktop icon, the Internet Explorer icon, and the Outlook Express icon. The purpose of the Quick Launch toolbar is to enable you to easily start any of the applications whose icons appear in the toolbar by clicking the icon for the desired application. You can customize the Quick Launch toolbar by dragging and dropping shortcuts from your desktop, the Start menu, or Windows Explorer on the toolbar. You can place the Quick Launch toolbar anywhere on your desktop by clicking the left end of the toolbar, and then dragging and dropping it to the desired location on your desktop.

Close, Minimize, and Maximize Buttons

The Windows 2000 user interface, like the Windows 98 and Windows NT user interfaces, makes use of the close, minimize, and maximize buttons. All three of these buttons are shown in Figure 1-2.

FIGURE 1-2 The close, minimize, and maximize buttons in the My Computer dialog box

At the upper right-hand corner of every window is a button, marked with an X. This button is called the close button and is used to close the window and exit the application.
Many windows have two additional buttons located adjacent to the close button: the minimize and maximize buttons. The minimize button looks like an underscore on a button. Clicking this button will minimize the application to its icon on the taskbar. The maximize button looks like either a single box with a dark line across the top, or like two overlapping boxes, each with a dark line across the top. Clicking the maximize button switches between a small view of the window and a full screen view of the window.

Windows Explorer
A discussion of the Windows 2000 user interface wouldn’t be complete without mentioning Windows Explorer. You can access any file, folder, printer, or application on your computer or on the network in Windows Explorer. Windows Explorer replaces Windows NT Explorer from earlier versions of Windows NT. Windows Explorer is a useful tool for copying, moving, and deleting files. You can also share folders and configure file and folder security by using this program.
To access Windows Explorer, select Start ➪ Programs ➪ Accessories ➪ Windows Explorer.
That pretty much wraps up the Windows 2000 user interface. The next sections discuss, in detail, the various application environments supported by Windows 2000.

Understanding Application Environments

Before I jump into the architecture of Windows 2000, I need to discuss how Windows 2000 supports applications that are written for various operating system environments. Once you have a clear understanding of the types of supported applications and how they run, the Windows 2000 architecture will be less confusing to you because you’ll already be familiar with the application environment subsystems that comprise a large portion of the operating system’s architecture.

EXAM TIP
A basic understanding of the application environments will serve you well when you’re optimizing and troubleshooting applications, and also when you sit down to take the Windows 2000 Professional exam, which has a stated objective on this very topic. For now I’ll begin by laying the groundwork, and later I’ll present more detailed information on optimizing and troubleshooting applications in Chapter 22.

Windows 2000 is designed to run applications created for several different types of operating system environments. Windows 2000 supports these different application types by using multiple environment subsystems. These subsystems each include the application programming interface (API) of the operating system or environment that the subsystem is designed to support. The subsystems enable applications to run in the Windows 2000 environment as if they were running in the operating system environment they were designed for.
The application types and operating system environments supported by Windows 2000 include:
■ MS-DOS applications (MS-DOS environment)
■ 16-bit Windows applications, such as those written for Windows 3.x and Windows for Workgroups (Win16 environment)
■ 32-bit Windows applications, such as those written for Windows 95, Windows 98, Windows NT, and Windows 2000 (Win32 environment)
■ POSIX applications, such as those written for POSIX-compliant UNIX operating systems (POSIX environment)
■ OS/2 applications, such as those written for OS/2 1.x (OS/2 environment)
Each of these environments is discussed in the following sections.

MS-DOS Environment
Applications designed for the MS-DOS environment are typically legacy applications that use a character-based, command-line interface. A character-based, command-line interface is one that relies on keyboard input rather than mouse input. Additionally, the screen display does not necessarily match the printed output — it’s not What You See Is What You Get (WYSIWYG). Many utilities designed for MS-DOS are still useful even though they haven’t been rewritten for use in the Windows graphical environment.
Windows 2000 includes support for MS-DOS applications via a subsystem called a Virtual DOS Machine (VDM). A VDM is a Win32 application that emulates an Intel 486 computer running the MS-DOS operating system.
Most MS-DOS applications are supported by Windows 2000 in a VDM. However, MS-DOS applications that make direct calls to hardware are not supported by Windows 2000. These applications could compromise the NTFS file and folder security provided by the Windows 2000 operating system if they were permitted to directly access the computer’s hard disk. The other reason direct calls to hardware are not permitted is to protect against the possibility of an application accessing and modifying memory that is in use by Windows 2000, and thereby causing the system to crash.
Windows 2000 enables multiple VDMs to be run, and each MS-DOS application runs in its own separate VDM. Because each application runs in its own separate VDM, if an MS-DOS application crashes, other applications are not affected. Additionally, Windows 2000 can preemptively multitask multiple MS-DOS applications.

Chapter 1 ▼ Overview of Windows 2000 23

VDMs have three threads. Two of these threads are used to maintain the VDM environment. The third thread is used by the application. An application that runs in a VDM is referred to as a single-threaded application, because only one thread is used by the application.
Some MS-DOS applications require environmental settings that would normally be configured in the MS-DOS computer’s Autoexec.bat or Config.sys files. For example, a path to the application may need to be specified, or a terminate-and-stay-resident (TSR) program may need to be loaded prior to starting the application. To provide the same environmental settings in a Windows 2000 environment, you can edit the Autoexec.nt and Config.nt files to include any necessary instructions. Settings contained in the Autoexec.nt and Config.nt files are executed each time a VDM is started. These files are edited in the same manner as you would edit an Autoexec.bat or Config.sys file. The Autoexec.nt and Config.nt files are stored in the SystemRoot\System32 folder. The default Autoexec.nt and Config.nt files contain instructions for editing and configuring these files.

TIP
Throughout this book, I use the term SystemRoot to refer to the folder
that Windows 2000 is installed in. The default installation folder for
Windows 2000 is C:\Winnt.
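Because the instructions in Autoexec.nt and Config.nt run for every VDM that starts, an administrator will want to know exactly what those two files load. The Python script below is an added example for this section; it is not code from the book and not a Windows tool. It parses constructed sample files laid out like the default ones, lists the programs each file loads into a VDM, and flags any program that is not under the SystemRoot tree. The sample contents, the list of loader directives and the "outside SystemRoot" rule are assumptions made for the example.

```python
import re

# Constructed sample content, laid out like a default Config.nt
# (not copied from any real system).
SAMPLE_CONFIG_NT = """\
REM Windows MS-DOS Startup File
REM Lines that start with REM are comments and are ignored by the VDM.
dos=high, umb
device=%SystemRoot%\\system32\\himem.sys
files=40
"""

# Constructed sample Autoexec.nt. The last line is the kind of entry a
# review should surface: it loads a TSR from a folder outside SystemRoot.
SAMPLE_AUTOEXEC_NT = """\
@echo off
REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
lh %SystemRoot%\\system32\\mscdexnt.exe
lh %SystemRoot%\\system32\\redir
lh %SystemRoot%\\system32\\dosx
lh C:\\Tools\\legacy_tsr.exe
"""

_COMMENT = re.compile(r"^rem(\s|$)", re.IGNORECASE)
# Directives whose first argument is a program the VDM loads at start-up
# (an assumed list for this example: Config.sys-style device loaders and
# the Autoexec-style load-high commands).
_LOADERS = {"device", "devicehigh", "install", "lh", "loadhigh"}


def parse_startup_file(text):
    """Return (directive, argument) pairs, skipping blank and REM lines.

    Config.nt lines look like key=value; Autoexec.nt lines look like
    command arguments. Directives are lower-cased and a leading '@'
    (batch echo suppression) is dropped so both styles parse the same way.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or _COMMENT.match(line):
            continue
        head, _, tail = line.partition(" ")
        if "=" in head:
            head, _, tail = line.partition("=")
        entries.append((head.strip().lstrip("@").lower(), tail.strip()))
    return entries


def loaded_programs(text):
    """Paths of the programs that this file loads into every new VDM."""
    programs = []
    for directive, argument in parse_startup_file(text):
        if directive in _LOADERS and argument:
            programs.append(argument.split()[0])
    return programs


def outside_systemroot(programs):
    """Programs not loaded from the SystemRoot tree. They deserve a closer
    look, because these files execute each time any VDM starts."""
    return [p for p in programs
            if not p.lower().startswith("%systemroot%\\")]


def review(text):
    """Summarise one startup file for an administrator."""
    programs = loaded_programs(text)
    return {"directives": parse_startup_file(text),
            "programs": programs,
            "outside_systemroot": outside_systemroot(programs)}


if __name__ == "__main__":
    for name, content in (("Config.nt", SAMPLE_CONFIG_NT),
                          ("Autoexec.nt", SAMPLE_AUTOEXEC_NT)):
        report = review(content)
        print(name, "loads:", report["programs"])
        print(name, "from outside SystemRoot:", report["outside_systemroot"])
```

On a real system you would read the two files from the SystemRoot\System32 folder instead of the embedded samples; everything else in the script stays the same.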

Win16 Environment
Win16 environment applications consist of 16-bit Windows applications designed for Windows 3.x and Windows for Workgroups. These applications are graphical applications that accept input from both a mouse and keyboard. Often the screen display matches the printed output (WYSIWYG).
Windows 2000 provides support for 16-bit Windows applications via a special subsystem called WOW, for Win16-on-Win32. The WOW subsystem is a special purpose VDM, called a Win16 VDM, that emulates an Intel 486 computer running MS-DOS and Windows 3.1.
Most 16-bit Windows applications are supported by Windows 2000. However, 16-bit Windows applications that make undocumented calls to the operating system or that require specific device drivers that make direct calls to hardware may not run correctly on Windows 2000.

By default, when multiple Win16 applications are run at the same time, they all run in a single Win16 VDM. This means that, by default, all Win16 applications share the same memory space. Because the Win16 applications share the same memory space, if one application crashes, other Win16 applications may also crash. Because multiple Win16 applications share a single Win16 VDM, Windows 2000 can’t preemptively multitask multiple Win16 applications.
To prevent a rogue Win16 application from crashing all of your other Win16 applications, and to allow Win16 applications to be preemptively multitasked, Windows 2000 permits Win16 applications to be run in separate Win16 VDMs. This is referred to as running Win16 applications in separate memory spaces.

CROSS-REFERENCE
For details on how to configure a Win16 application to run in a separate
memory space, see the section on optimizing applications in Chapter 22.

Win32 Environment
The Win32 environment is Windows 2000’s native application environment. It is the preferred and fastest environment for running applications on Windows 2000, because no emulation or workarounds are required. Win32 environment applications consist of 32-bit Windows applications written specifically for Windows 95, Windows 98, Windows NT, and Windows 2000. Windows 2000 provides support for Win32 applications via the Win32 subsystem.
Each Win32 application runs in its own separate memory space. Because of this, if a Win32 application crashes, other applications are not affected. Windows 2000 can preemptively multitask multiple Win32 applications.

POSIX Environment
Portable Operating System Interface for Computing Environments (POSIX) was developed as a set of accepted standards for writing applications for use on various UNIX computers. POSIX environment applications consist of applications developed to meet the POSIX standards. These applications are sometimes referred to as POSIX-compliant applications.

Windows 2000 provides support for POSIX-compliant applications via the POSIX subsystem. To fully support POSIX-compliant applications, at least one NTFS partition is required on the Windows 2000 computer.
Each POSIX application runs in its own separate memory space. Because of this, if a POSIX application crashes, other applications are not affected. Windows 2000 can preemptively multitask POSIX applications.

OS/2 Environment
OS/2 environment applications consist of 16-bit, character-based applications designed for OS/2 version 1.x. Applications designed for other versions of OS/2, including OS/2 2.x, 3.x, and Presentation Manager applications, are not supported by Windows 2000. Windows 2000 provides support for OS/2 applications via the OS/2 subsystem.
Some OS/2 applications, called real-mode applications, can be run in an MS-DOS environment. Because Windows 2000 supports MS-DOS VDMs, real-mode OS/2 applications can be run in a VDM by using the Forcedos.exe command to start the application.
Each OS/2 application runs in its own separate memory space. This means that if an OS/2 application crashes, other applications are not affected. Windows 2000 can preemptively multitask OS/2 applications.

Hardware Platforms Supported


Windows 2000 supports several different types of applications on the Intel Pentium/166MHz (and higher) platform. Originally, Windows 2000 was also to be supported on the Compaq Alpha platform. However, shortly after Windows 2000 Release Candidate 1 was released, both Compaq and Microsoft withdrew support for the Compaq Alpha platform. Therefore, Windows 2000 is only supported on the Intel Pentium (and higher) platform.
Windows NT 4.0 supported four hardware platforms: the Intel platform, the Compaq Alpha platform (previously known as the DEC Alpha platform), the PowerPC platform, and the MIPS R4000 platform. However, the manufacturers of the PowerPC and MIPS R4000 processors stopped supporting Windows NT after Service Pack 1 for Windows NT 4.0 was released, and Compaq stopped supporting Windows NT for the Compaq Alpha platform after Service Pack 6. Consequently, none of these platforms are supported by Windows 2000.


Summary of Supported Applications


Because I’ve just introduced a lot of new concepts and terminology, I want to provide you with a visual summary of how various supported applications run in Windows 2000. Table 1-1 shows this summary.

TABLE 1-1 How Supported Applications Run in Windows 2000

Application Type           How the Application Runs
MS-DOS                     Runs in a Virtual DOS Machine (VDM)
Win16                      Runs in a Win16 VDM
Win32                      Runs in the Win32 subsystem
POSIX                      Runs in the POSIX subsystem
OS/2 1.x character-based   Runs in the OS/2 subsystem; only OS/2 1.x character-based applications are supported. Some real-mode OS/2 applications can be run in an MS-DOS VDM by using the Forcedos.exe command to start the application.

Architecture of Windows 2000


An overview of Windows 2000 wouldn’t be complete without discussing its architecture. If you develop a basic understanding of the operating system’s architecture now, you’ll have a framework on which to “hang” all of the concepts and facts presented throughout the rest of this book.

EXAM TIP
An understanding of the Windows 2000 architecture will also help you to
become a good troubleshooter — and all four of the core Windows 2000
exams contain numerous troubleshooting objectives.

Windows 2000 uses a modular architecture. This means each component (or module) within the architecture has sole responsibility for the function it is designed to provide. In addition, no other module repeats the functions performed by another. Figure 1-3 illustrates the modular architecture of Microsoft Windows 2000. Notice that the operating system has two parts, or modes: user mode and kernel mode.


FIGURE 1-3 Microsoft Windows 2000 modular architecture
(The diagram is not reproduced here. Its layers, from top to bottom, are as follows.)
User mode: an OS/2 application, a Virtual DOS Machine (VDM), a Win32 application, a POSIX application, and the logon process, running over the OS/2 subsystem, the Win32 subsystem, the POSIX subsystem, and the Security subsystem.
Kernel mode: Executive Services, made up of the I/O Manager (with the Cache Manager, File System Drivers, and Device Drivers), Window Manager (with the Graphics Device Drivers), the Security Reference Monitor, the Virtual Memory Manager, the Object Manager, the Process Manager, the Plug and Play Manager, the Power Manager, and the IPC Manager (with the Local Procedure Call (LPC) Facility and the Remote Procedure Call (RPC) Facility); beneath these, the Microkernel and the Hardware Abstraction Layer (HAL).
Hardware.

User Mode
Applications and their subsystems run in user mode. This mode is referred to as a less-privileged processor mode because it does not have direct access to hardware. User mode applications are limited to assigned memory address spaces and can’t directly access other memory address spaces. User mode uses specific application programming interfaces (APIs) to request services from a kernel mode component.
The purpose of separating the applications in user mode from the hardware, of restricting the memory address spaces that applications can access, and of forcing the applications to run all requests for services through the kernel mode, is to protect against the possibility of an application crashing the system, and also to protect against unauthorized user access.
Examine Figure 1-3 again, and notice that there are four main subsystems in user mode: the OS/2 subsystem, the Win32 subsystem, the POSIX subsystem, and the Security subsystem.
The OS/2 subsystem is required to run OS/2 1.x–compatible applications. The OS/2 subsystem obtains its user interface and its screen functions from the Win32 subsystem, and requests Executive Services in kernel mode to perform all other functions for it. (Executive Services is covered in the next section of this chapter.)
The Win32 subsystem is the primary application subsystem. All 32-bit Windows applications run in this subsystem. The Win32 subsystem provides its own screen and keyboard functions, and requests Executive Services in kernel mode to perform all other functions for it. The Win32 subsystem also provides screen and keyboard functions for all of the other subsystems.
The POSIX subsystem is designed to run POSIX 1.x–compatible applications. It functions very much like the OS/2 subsystem. The POSIX subsystem uses the Win32 subsystem to provide all of its screen and graphical displays, and it requests Executive Services in kernel mode to perform all other functions for it.
Finally, the Security subsystem, which is also referred to as the Integral subsystem, supports the logon process. This subsystem also supports and provides the security for Active Directory. The Security subsystem obtains its user interface and its screen functions from the Win32 subsystem, and requests Executive Services in kernel mode to perform all other functions for it.
In addition to the four formal subsystems, a Virtual DOS Machine (VDM) is a feature of user mode. Its function is to run MS-DOS–based and Windows 3.x–based (all 16-bit) applications. Because the VDM is a Win32 application, all of its services, including screen and keyboard functions, are provided by the Win32 subsystem.

Kernel Mode
Kernel mode refers to a highly privileged mode of operation. It is called “highly privileged” because all code that runs in kernel mode can access the hardware directly, and can also directly access memory. A process running in kernel mode is not restricted to its own specific memory address space as is an application running in user mode.
The entire set of services that comprise kernel mode is called Executive Services (or sometimes the Windows NT Executive, or the Executive, for short). Executive Services provide kernel mode services as requested by applications in user mode.

TIP
Notice that I mentioned that Executive Services is sometimes called the Windows NT Executive. Because Windows 2000 is the next version of Windows NT, the name Windows NT will periodically crop up in descriptions of Windows 2000 operating system components and processes.

Notice how Figure 1-3 graphically presents the pieces of kernel mode. Kernel mode is made up of numerous components integral to the major Windows 2000 operating system functions.
The Executive Services component functions as an interface between user mode and kernel mode. Its purpose is to pass information between user mode subsystems and kernel mode components. In addition, Executive Services is responsible for the transfer of information and instructions between the various kernel mode components. Executive Services can be thought of as the “glue” that holds Windows 2000 together. As mentioned earlier, Executive Services is also called the Windows NT Executive, or the Executive, for short.
The I/O Manager is responsible for all input and output to disk storage subsystems. As it manages input and output, the I/O Manager also serves as a manager and supporter of communication between the various drivers. The I/O Manager can communicate directly with system hardware if it has the appropriate hardware device drivers. Subcomponents of the I/O Manager include a Cache Manager, File System Drivers, and Device Drivers.
Window Manager is responsible for providing the graphical user interface. Window Manager communicates directly with the graphics device drivers, which in turn communicate directly with the hardware. In the early days of Windows NT (versions 3.51 and earlier), Window Manager was an integral part of the Win32 subsystem in user mode. When Windows NT 4.0 came along, the developers moved Window Manager from user mode to kernel mode. This change enabled faster access to the graphics device drivers and eliminated the need for user mode applications to switch back and forth between kernel mode and user mode to make calls for graphics services. For these reasons, Window Manager continues to be a kernel mode component in Windows 2000.
There are six other kernel mode subsystems: the Security Reference Monitor, the Virtual Memory Manager, the Object Manager, the Plug and Play Manager, the Power Manager, and the IPC Manager. Each one of these subsystems communicates directly with the Microkernel.
The Microkernel is the very heart of the Windows 2000 operating system. It handles interrupts, schedules threads, and synchronizes processing activity. The Microkernel, in turn, communicates with the Hardware Abstraction Layer (HAL).
The HAL is designed to hide the varying characteristics of hardware so that all hardware platforms appear the same to the Microkernel. As a result, only the HAL, and not the entire Microkernel, needs to address each and every hardware platform. The HAL can communicate directly with the computer’s hardware.
Now that you’ve been introduced to user mode and kernel mode, you’re ready to move on to the last major architecture topic: the Windows 2000 memory model.

Windows 2000 Memory Model


Windows 2000 uses a virtual memory model. Virtual memory is the physical space on a hard disk (usually in the form of a paging file) that Windows 2000 treats as though it were RAM. Virtual memory can also be thought of as an extension of RAM, or “fake” RAM.
The virtual memory model used by Windows 2000 is a demand-paged system based on a flat, linear, 32-bit memory address space. Through the use of virtual memory, each application is given access to what appears to the application as 4GB of memory address space. Half of the 4GB is reserved for Windows 2000 kernel mode operating system data, and the remaining 2GB are reserved for application data.
By using this scheme, the operating system is able to allocate more memory to applications than is actually contained in the computer. The advantage of this is that users can run more applications at one time than the computer’s RAM would otherwise physically permit.
The Virtual Memory Manager manages memory in the Windows 2000 environment by using demand paging. (You may recall that the Virtual Memory Manager is a kernel mode component. It is included in Figure 1-3.) Here’s how the Virtual Memory Manager (and demand paging) works: When the Virtual Memory Manager receives a request from an application to retrieve specific pages of memory, it redirects this request to the actual physical location where those pages are stored. This location could be in RAM, or it could be stored in a paging file on the hard disk as virtual memory. If it is in a paging file on the hard disk, the Virtual Memory Manager will move some pages of memory that have not recently been used from RAM to a paging file on the hard disk. It will then recover the pages that were requested by the application from the paging file on the hard disk and move them back into RAM, where the application can access them.
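To make the demand-paging description concrete, here is a small Python model, added for this section and not part of the book, of the mechanism just described: a flat 32-bit space whose lower 2GB is for application data and whose upper 2GB is reserved for kernel mode, a handful of RAM frames, and a paging file to which pages that have not been used recently are moved whenever a requested page has to be brought back in. The page size, the frame count and the least-recently-used eviction rule are simplifying assumptions of the model, not the real Virtual Memory Manager’s algorithms.

```python
PAGE_SIZE = 4096                 # assumed page size for this model
USER_LIMIT = 0x80000000          # 0x00000000-0x7FFFFFFF: the 2GB for application data
ADDRESS_LIMIT = 0x100000000      # 4GB flat, linear 32-bit address space


class AccessViolation(Exception):
    """Raised when an access falls outside the space the caller may use."""


class VirtualMemoryManager:
    """Toy demand-paged memory: a few RAM frames backed by a paging file."""

    def __init__(self, ram_frames):
        self.ram_frames = ram_frames
        self.ram = {}          # page number -> page contents resident in RAM
        self.paging_file = {}  # page number -> contents moved out to disk
        self.last_used = {}    # page number -> logical time of last access
        self.clock = 0
        self.page_faults = 0

    def _page_number(self, address, user_mode):
        if not 0 <= address < ADDRESS_LIMIT:
            raise AccessViolation("address outside the 32-bit space")
        if user_mode and address >= USER_LIMIT:
            # The upper 2GB is reserved for kernel mode data; user mode
            # code is confined to its own, lower, address range.
            raise AccessViolation("user mode may not access kernel space")
        return address // PAGE_SIZE

    def user_mode_can_access(self, address):
        """True if a user mode access to this address is permitted."""
        try:
            self._page_number(address, user_mode=True)
            return True
        except AccessViolation:
            return False

    def _bring_in(self, page):
        """Demand paging: the requested page is not in RAM, so make room
        (moving the least recently used page to the paging file) and then
        recover the page from the paging file, or hand out a zeroed page
        if it has never been touched."""
        self.page_faults += 1
        if len(self.ram) >= self.ram_frames:
            victim = min(self.ram, key=self.last_used.__getitem__)
            self.paging_file[victim] = self.ram.pop(victim)
        self.ram[page] = self.paging_file.pop(page, bytearray(PAGE_SIZE))

    def access(self, address, user_mode=True, write=None):
        """Read (or, if `write` is given, write) one byte at `address`."""
        page = self._page_number(address, user_mode)
        if page not in self.ram:
            self._bring_in(page)
        self.clock += 1
        self.last_used[page] = self.clock
        offset = address % PAGE_SIZE
        if write is not None:
            self.ram[page][offset] = write
        return self.ram[page][offset]

    def resident_pages(self):
        return sorted(self.ram)

    def paged_out(self):
        return sorted(self.paging_file)


if __name__ == "__main__":
    vmm = VirtualMemoryManager(ram_frames=2)
    vmm.access(0x1000, write=0x41)      # page 1
    vmm.access(0x2000)                  # page 2
    vmm.access(0x3000)                  # page 3: page 1 moves to the paging file
    print("paged out:", vmm.paged_out())
    print("recovered byte:", hex(vmm.access(0x1000)))   # page 1 comes back
    print("faults so far:", vmm.page_faults)
    print("user mode may touch 0x80000000:", vmm.user_mode_can_access(0x80000000))
```

Run with two frames, the third distinct page forces the least recently used page out to the paging file, and the next request for that page brings it back with its contents intact at the cost of a further page fault; an address in the upper 2GB is refused to user mode code but served to kernel mode code.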

Workgroups, Domains, and Active Directory
Before this overview of Microsoft Windows 2000 can be complete, it’s important that you get good and comfortable with three key concepts: workgroups, domains, and Active Directory. First, I’ll tackle workgroups and domains, and then I’ll discuss Active Directory.
Workgroups and domains are two methods of grouping networked computers for common purposes. Computers and their users may be grouped based on common usage requirements or on departmental or geographical traits. For example, all the members of an accounting department or all the computers on the third floor of a building may be grouped together.

Workgroups
A workgroup is a logical grouping of networked computers in which one or more of the computers has one or more shared resources, such as a shared folder or a shared printer.
In a Windows 2000 (or Windows NT) workgroup environment, user account security is maintained individually at each separate computer through the use of a local user account database. Resources and administration are distributed throughout the computers that make up the workgroup. In a workgroup configuration there is no centrally maintained user accounts database, nor any centralized security. This means that a user must have a user account on each computer in the workgroup that contains a shared resource that the user needs to access. Figure 1-4 illustrates how user account security is distributed throughout a workgroup environment. Notice that user account security is maintained individually at each separate computer in the workgroup.


FIGURE 1-4 User account security in a workgroup environment
(The diagram is not reproduced here. It shows an “Accounting” workgroup of several PCs, each labeled “User account security maintained at local PC”, sharing printers and hard disks among themselves.)

Typically, all of the computers in a workgroup run desktop operating systems, such as Windows 2000 Professional or Windows NT Workstation. Computers in a workgroup may also run Windows 95 or Windows 98, but these operating systems do not support a local user account database.
Workgroups are most often implemented in small networks where no centralized security or administration is desired. When a workgroup is used, the user of each computer controls access to the specific resources that are shared by that user’s computer, and also maintains the computer’s local user account database. It stands to reason, then, that the larger the workgroup, the more time and effort users must spend administering their local computers.
Because a workgroup requires each user to be somewhat proficient in managing local user account security and the shared resources the user is responsible for, a workgroup is ideal for a small group of developers or other technically savvy users. A workgroup is probably not a good choice if the users are not comfortable with or do not have the skills necessary to administer their own computers.
As a network becomes larger and more complex, administration and security become harder to manage. In these situations a domain (which is the subject of the next section) will most likely be used instead of a workgroup.

Domains
A domain is a logical grouping of networked computers in which one or more of the computers has one or more shared resources, such as a shared folder or a shared printer, and in which all of the computers share a common central domain directory database that contains user account security information.
One distinct advantage of using a domain, particularly on a large network, is that administration of user account security for the entire network can be managed from a centralized location. In a domain, a user has only one user account, which is stored in the domain directory database. This user account enables the user to access shared resources (that the user has permissions to access) located on any computer in the domain. Figure 1-5 illustrates how user account security is centralized in a domain environment. Note that all user account security is maintained by the domain controller.

FIGURE 1-5 User account security in a domain environment
(The diagram is not reproduced here. It shows a “Sales.com” domain in which several PCs share printers and hard disks, together with a Windows 2000 Server domain controller or Windows NT 4.0 Primary Domain Controller (PDC) labeled “User account security maintained at domain controller”.)
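The difference between a workgroup’s per-computer account databases and a domain’s single directory, described in the Workgroups and Domains sections above, can be modelled in a few lines. The Python below is an added example and not from the book; the computer, share and user names are constructed, and the toy databases store a password hash only so that the model never holds cleartext passwords. It shows that in the workgroup a user needs one account on every computer that shares something with them, and that a password change on one computer leaves the others out of step, whereas in the domain the single account (and a single change) covers every member computer.

```python
import hashlib


def _digest(password):
    # The toy databases keep a hash of the password, not the password itself.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class AccountDatabase:
    """A user account database: either the local one on a workgroup computer
    or the central one maintained by a domain controller."""

    def __init__(self):
        self._accounts = {}

    def add(self, user, password):
        self._accounts[user] = _digest(password)

    def change_password(self, user, password):
        if user not in self._accounts:
            raise KeyError(user)
        self._accounts[user] = _digest(password)

    def holds(self, user):
        return user in self._accounts

    def authenticate(self, user, password):
        return self._accounts.get(user) == _digest(password)


class Computer:
    """A networked computer with shared resources. A workgroup computer is
    given its own AccountDatabase; domain members are all given the same
    directory object, standing in for the domain controller."""

    def __init__(self, name, account_db):
        self.name = name
        self.accounts = account_db
        self.shares = {}   # resource name -> set of users permitted to use it

    def share(self, resource, users):
        self.shares[resource] = set(users)

    def authorize(self, user, password, resource):
        # Authentication first (is this who they claim to be?), then the
        # share's own permission check (may they use this resource?).
        if not self.accounts.authenticate(user, password):
            return False
        return user in self.shares.get(resource, ())


def accessible_resources(computers, user, password):
    """Every (computer, resource) pair the user can reach with this password."""
    found = []
    for pc in computers:
        for resource in sorted(pc.shares):
            if pc.authorize(user, password, resource):
                found.append((pc.name, resource))
    return found


def databases_holding(databases, user):
    """How many distinct account databases an administrator must touch for
    this user, for example when the password changes or the account is
    disabled. Domain members all point at one directory, so it counts once."""
    unique = {id(db): db for db in databases}.values()
    return sum(1 for db in unique if db.holds(user))


def build_workgroup():
    """Constructed 'Accounting' workgroup: three PCs, each with its own local
    database, each sharing one resource with alice."""
    pcs = []
    for name, resource in (("ACCT1", "Ledgers"), ("ACCT2", "LaserJet"),
                           ("ACCT3", "Reports")):
        db = AccountDatabase()
        db.add("alice", "Summer2000")        # one local account per machine
        pc = Computer(name, db)
        pc.share(resource, ["alice"])
        pcs.append(pc)
    return pcs


def build_domain():
    """Constructed domain: one directory on the domain controller, consulted
    by all three member computers."""
    directory = AccountDatabase()
    directory.add("alice", "Summer2000")     # a single account for alice
    members = []
    for name, resource in (("SALES1", "Orders"), ("SALES2", "LaserJet"),
                           ("SALES3", "Quotes")):
        pc = Computer(name, directory)
        pc.share(resource, ["alice"])
        members.append(pc)
    return directory, members


if __name__ == "__main__":
    wg = build_workgroup()
    print("workgroup databases holding alice:",
          databases_holding([pc.accounts for pc in wg], "alice"))
    wg[0].accounts.change_password("alice", "Autumn2000")
    print("reachable after changing one PC only:",
          accessible_resources(wg, "alice", "Autumn2000"))
    directory, members = build_domain()
    directory.change_password("alice", "Autumn2000")
    print("reachable after one domain change:",
          accessible_resources(members, "alice", "Autumn2000"))
```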


Domains are implemented differently in Windows 2000 than they are in Windows NT 4.0. The following sections explore the similarities and differences between Windows NT 4.0 domains and Windows 2000 domains.

Windows NT 4.0 Domains


In a Windows NT 4.0 domain, at least one of the networked computers is a server that runs Windows NT Server 4.0. This server is configured as a primary domain controller (PDC), which maintains the domain directory database. Typically, there is at least one additional server that also runs Windows NT Server. This additional server (or servers) is usually configured as a backup domain controller (BDC). The other computers on the network normally run a client operating system, such as Windows 95, Windows 98, or Windows NT Workstation. Resources, such as hard disks and printers, can be shared from any computer on the network.

Windows 2000 Domains


In a Windows 2000 domain, at least one of the networked computers is a server that runs Windows 2000 Server. This server is configured as a domain controller, which maintains the Active Directory data store. Typically, there is at least one additional server computer that also runs Windows 2000 Server. This additional computer is also usually configured as a domain controller, which contains a read/write copy of the Active Directory data store. The purpose of the additional server (or servers) is to provide fault tolerance and load balancing for the Active Directory data store. The other computers on the network normally run a client operating system, such as Windows 2000 Professional, Windows NT Workstation, Windows 95, or Windows 98 (although they may utilize Windows 2000 Server or other operating systems). As in Windows NT 4.0 domains, resources, such as hard disks and printers, can be shared from any computer on the network.
At first glance, it appears that there’s not much difference between Windows NT 4.0 domains and Windows 2000 domains. However, the two types of domains are significantly different. The main reason for these differences is Active Directory, which is briefly introduced in the next section, and is the entire focus of Chapter 2.

Active Directory
Active Directory is the directory service used by Windows 2000. A directory service is a centralized, hierarchical database that contains information about users and resources on a network. In Windows 2000, this database is called the Active Directory data store. The Active Directory data store contains information about various types of network objects, including printers, shared folders, user accounts, groups, and computers. In a Windows 2000 domain, a read/write copy of the Active Directory data store is physically located on each domain controller in the domain.
Three primary purposes of Active Directory are:
■ To provide user logon and authentication services
■ To enable administrators to organize and manage user accounts, groups, and network resources
■ To enable authorized users to easily locate network resources, regardless of where they are located on the network
Active Directory is a complex subject. Volumes can be written about Active Directory — in fact, it’s so important that the entire next chapter is devoted to this topic. Active Directory topics are also woven throughout several other chapters in this book. I think you’ll find this new feature of Windows 2000 to be both exciting and challenging.

KEY POINT SUMMARY

Chapter 1 covered several fundamental Windows 2000 concepts.

■ The four new Windows 2000 operating systems are:
 Windows 2000 Professional: Optimized for use on desktop computers
 Windows 2000 Server: Optimized for use on network file, print, application, and Web servers
 Windows 2000 Advanced Server: Optimized for servers in an enterprise network environment
 Windows 2000 Datacenter Server: Optimized for enterprise applications, such as extremely large databases and real-time online transaction processing
■ Some of the new features common to all of the Windows 2000 operating systems are:
 New security protocol — Kerberos version 5 protocol
 Fully supports Plug and Play
 Supports two new file systems: FAT32 and the Encrypting File System (EFS)
 Power Options in Control Panel
■ The application environments supported by Windows 2000 include the MS-DOS environment, the Win16 environment, the Win32 environment, the POSIX environment, and the OS/2 environment.
■ Windows 2000 supports only the Intel Pentium/166MHz (and higher) hardware platform.
■ Fundamental terms relating to the Windows 2000 architecture include user mode, kernel mode, and the Windows 2000 virtual memory model. User mode does not have direct access to hardware. In contrast, all code that runs in kernel mode can access the hardware directly, and can also directly access memory. The Windows 2000 virtual memory model utilizes demand paging.
■ Three other important Windows 2000 concepts are workgroups, domains, and Active Directory.
 A workgroup is a logical grouping of networked computers in which one or more of the computers has shared resources, such as a shared folder or a shared printer.
 A domain is a logical grouping of networked computers in which one or more of the computers has one or more shared resources and in which all of the computers share a common central domain directory database that contains user account security information.
 Active Directory is the directory service used by Windows 2000.

STUDY GUIDE
This section contains several exam readiness questions designed to test
your knowledge and help you prepare for the exams. You can find the
answers to these questions at the end of this chapter.

EXAM TIP
I urge you to take the time to answer the questions in the Assessment
Questions section at the end of each chapter. These questions are
specifically designed to help you to apply the facts and concepts you’ve
just learned. Your investment of time now will pay off later when you take
the exams!

Assessment Questions
1. You are choosing a Windows 2000 operating system to use on a new computer at your company. This new computer will be used exclusively as an employee’s desktop computer. Which operating system should you choose?
A. Windows 2000 Professional
B. Windows 2000 Server
C. Windows 2000 Advanced Server
D. Windows 2000 Datacenter Server
2. You are choosing a Windows 2000 operating system to use on a new computer at your company. This new computer will be used exclusively as a network file server. Which operating system should you choose?
A. Windows 2000 Professional
B. Windows 2000 Server
C. Windows 2000 Advanced Server
D. Windows 2000 Datacenter Server
3. You are choosing a Windows 2000 operating system to use on a new computer at your company. This new computer will be a heavily used SQL server in your enterprise network environment. Which operating system should you choose?
A. Windows 2000 Professional
B. Windows 2000 Server
C. Windows 2000 Advanced Server
D. Windows 2000 Datacenter Server
4. Which hardware platform (or platforms) are supported by Windows 2000? (Choose all that apply.)
A. The Intel Pentium/166MHz (and higher) platform
B. The Compaq Alpha platform
C. The PowerPC platform
D. The MIPS R4000 platform
E. All hardware platforms
5. Which component in the Windows 2000 architecture supports the logon process and Active Directory?
A. User mode
B. Microkernel
C. Win32 subsystem
D. Security subsystem
6. In which part of the Windows 2000 architecture do applications run?
A. User mode
B. Kernel mode
C. Window Manager
D. Executive Services
7. Several factors must be weighed when deciding whether to use a workgroup or a domain. Which factors, when present, indicate that a workgroup may be the best choice? (Choose two.)
A. When the network consists of a small number of computers, and all of the computers run Windows-based desktop operating systems
B. When the network consists of a large number of computers, and all of the computers run Windows 2000 Server
C. When management does not desire centralized security or administration, and users are technically savvy
D. When centralized network administration and security is desired, and users have minimal computer skills and are not comfortable administering their own computers
8. Figure 1-6 is a partially filled-in chart illustrating the Windows 2000 modular architecture. Fill in the missing titles to solidify your understanding of the Windows 2000 architecture.

FIGURE 1-6 Windows 2000 architecture exercise
(The chart is not reproduced here. It is a copy of the Figure 1-3 architecture chart with a number of the component titles left blank for you to fill in.)


Answers to Chapter Questions

Chapter Pre-Test
1. The four new Windows 2000 operating systems are Windows 2000
Professional, Windows 2000 Server, Windows 2000 Advanced Server,
and Windows 2000 Datacenter Server.
2. Yes, Windows 2000 fully supports Plug and Play.
3. The five application types supported by Windows 2000 are MS-DOS
applications, 16-bit Windows applications, 32-bit Windows
applications, POSIX applications, and OS/2 applications.
4. Windows 2000 is supported on only the Intel Pentium (and higher)
platform.
5. The two primary modes in the Windows 2000 architecture are user
mode and kernel mode.
6. Active Directory is the directory service used by Windows 2000.

Assessment Questions
1. A. Windows 2000 Professional is optimized for use on desktop
computers.
2. B. Windows 2000 Server is optimized for use on network file, print,
application, and Web servers.
3. C. Windows 2000 Advanced Server is optimized for use on servers
(such as SQL servers) in an enterprise network environment.
4. A. The Intel Pentium/166MHz (and higher) platform is the only
hardware platform supported by Windows 2000.
5. D. The Security subsystem, which is also referred to as the Integral
subsystem and is a user mode component, supports the logon process.
It also supports and provides the security for Active Directory.
6. A. Applications and their subsystems run in user mode.
7. A, C. Several factors, when present, indicate that a workgroup may
be a better choice than a domain for a particular situation. These
factors include when the network consists of just a few computers, when
all of the computers run desktop operating systems, when neither
centralized security nor administration is desired, and when users are
technically savvy.
8. Figure 1-7 displays the answers to this question.

[Figure 1-7, the completed architecture chart, rendered as text:]

User mode
    Applications: OS/2 application, Virtual DOS Machine (VDM), Win32 application,
        POSIX application, Logon process
    Subsystems: OS/2 subsystem, Win32 subsystem, POSIX subsystem, Security subsystem
Kernel mode
    Executive Services
        I/O Manager: Cache Manager, File System Drivers, Device Drivers
        Window Manager: Graphics Device Drivers
        Security Reference Monitor
        Virtual Memory Manager
        Object Manager
        Process Manager
        Plug and Play Manager
        Power Manager
        IPC Manager: Local Procedure Call (LPC) Facility, Remote Procedure Call (RPC) Facility
    Microkernel
    Hardware Abstraction Layer (HAL)
Hardware

FIGURE 1-7 Answers to Question 8


Directory Services EXAM MATERIAL

EXAM OBJECTIVES

This chapter kicks your preparation for the Directory Services
exam into high gear. Although the basics covered in this chapter
don’t apply to any one specific exam objective, they’re the
fundamental cornerstones on which you’ll build your Active
Directory knowledge and skills.
Active Directory is new for Windows 2000 and has its own unique
set of terminology and components. In this chapter, you’ll master
that terminology, as well as basic Active Directory concepts. With
the basics firmly under your belt, you’ll be ready to meet head-on the
more advanced Active Directory topics covered in later chapters.
CHAPTER 2

Overview of Active Directory

No overview of Windows 2000 would be complete without a discussion
of Active Directory. In this chapter, I’ll define what Active Directory is
and discuss some of its important features. Next I’ll explain in detail the
structure of Active Directory, including its many components. I’ll go over some
of the practicalities of how Active Directory is implemented. Finally, I’ll introduce
some food for thought when planning for Active Directory on your Windows
2000 network.

44 Part I ▼ Introduction to Windows 2000

Chapter Pre-Test
1. Two key features of Active Directory are _____________ and
_____________.
2. What are the fundamental units that make up Active Directory?
3. What is the difference between a domain tree and a forest?
4. What service is Active Directory dependent on?
5. What is the primary purpose of organizational units (OUs)?

Chapter 2 ▼ Overview of Active Directory 45

What Is Active Directory?

Active Directory is the directory service used by Windows 2000. It is a core
new feature of the Windows 2000 operating systems.
A directory service consists of two parts — a centralized, hierarchical
database that contains information about users and resources on a network,
and a service that manages the database and enables users of computers on
the network to access the database. In Windows 2000, the database is called
the Active Directory data store, or sometimes just the directory. The Active
Directory data store contains information about various types of network
objects, including printers, shared folders, user accounts, groups, and
computers. Windows 2000 Server computers that have a copy of the Active
Directory data store, and that run Active Directory, are called domain
controllers. In a Windows 2000 domain, a read/write copy of the Active
Directory data store is physically located on each domain controller in the
domain. A domain is a logical grouping of networked computers in which
one or more of the computers has shared resources, such as a shared folder
or printer, and in which all of the computers share a common Active
Directory data store.
The three primary purposes of Active Directory are:
■ To provide user logon and authentication services
■ To enable administrators to organize and manage user accounts,
groups, and network resources
■ To enable authorized users to easily locate network resources,
regardless of where they are located on the network

CROSS-REFERENCE
This chapter is basically a theoretical and planning discussion about
Active Directory. Later chapters in this book address installing Active
Directory (Chapter 7), administering and securing Active Directory
(Chapter 8), and managing and optimizing Active Directory operations
and replication (Chapter 22).

So why is Active Directory so cool? I’ll answer that question in the next
section by discussing some of the features of Active Directory.
Understanding the Features of Active Directory
Active Directory is a major step forward for the Windows NT/Windows
2000 operating systems. Just a few of the key features and benefits offered
by Active Directory are:
■ It provides fully integrated security.
■ It provides ease of administration by using group policies.
■ It makes resources easier to locate.
■ It is scalable to any size network.
■ It is flexible and extensible.
Because each of these features is fundamental to your understanding of
Active Directory, I’ll discuss them individually in the following sections.

Fully Integrated Security

When I say that Active Directory provides fully integrated security, I am
actually expressing two important concepts. First, Active Directory (working
in conjunction with the Windows 2000 Security subsystem, in which Active
Directory resides) provides network security by managing the logon
and authentication processes. Second, Active Directory (and the Security
subsystem) provides security by controlling access to objects (such as user
accounts, shared folders, and printers) in the directory data store. What makes
this access control so powerful is that it can be defined precisely — not only
on each and every object in the directory data store, but on each separate
property of each object, as well.

Ease of Administration
The logical, hierarchical structure of Active Directory, in conjunction with
group policies, makes for greater ease in administering a Windows 2000
Server network.
You can think of the structure of Active Directory as being like the
hierarchical structure of a file system. When working with a file system,
you can assign a particular user administrative rights to a folder and to all of
that folder’s contents. In Active Directory, you can delegate, to a particular
user, administrative rights to a specific part of Active Directory, and to all of
that part’s contents.
The hierarchical structure of Active Directory also lends itself to the
application of group policies. A group policy is a policy that contains rules,
settings, or both that are applied to all users or computers located in a
specific part of Active Directory. For instance, a group policy can be used to
define a set of programs that will appear on the desktops of the users whose
user accounts are located in a particular part of Active Directory. This part
could be a department, a floor in a building, a geographic location, or the
entire company. In Active Directory, you can apply a group policy to your
entire network, or to the largest unit of your organization to which you
want the policy to apply. Administration is easier because you manage
settings that apply to many users by implementing a small number of
policies, rather than by manually configuring settings individually for a large
number of users and computers.

Ease of Locating Resources

Because Active Directory stores information on all network resources in a
centralized data store, it stands to reason that it should be easier for a user
to locate a resource than if this information were distributed throughout
numerous databases on the network. And it really is easier.
Active Directory also enables administrators and users alike to quickly
locate an object anywhere on the network by searching for any known
property of the object. For example, suppose I want to find the e-mail
address of a particular user on my network. I can use the Search menu, My
Network Places, or Active Directory Users and Computers to search for
this user by the user’s first or last name, telephone number, or other known
property of that user account. Assuming I have the appropriate permissions
to view the user’s account information, all information about that user,
including the user’s e-mail address, will be displayed.

Scalability to Any Size Network

The hierarchical structure of Active Directory lends itself to scalability.
Because Active Directory can include multiple domains, it is scalable to any
size network.
Flexibility and Extensibility

Active Directory can evolve as your business does. It is not a static structure
that, once implemented, can never be changed.
Active Directory is said to be extensible. This means that new classes of
objects can be added, and new attributes can be added to classes of objects
already present.
Now that you have a basic understanding of what Active Directory is and
an awareness of some of its key benefits, it’s time to wade in a little deeper
to the actual structure of Active Directory and its many components.

Understanding the Structure of Active Directory

To review: Active Directory has a hierarchical, tree-like structure.
Information about network users and resources is stored in the Active
Directory data store, which is a structured, centralized database. A read/write
copy of the Active Directory data store is physically located on each domain
controller in a Windows 2000 domain. This data store is commonly referred
to as the directory.

EXAM TIP
If you don’t have a solid understanding of the structure of Active
Directory and its components, don’t even think of taking the Directory
Services exam! Nailing down these concepts is vitally important to your
success on this exam.

In order to talk in greater depth about the structure of Active Directory,
I need to introduce and define several new terms. Many of these terms are
components of Active Directory, and some of the terms are used to define
relationships between the components. In the following sections I’ll discuss
objects and classes, schema, the global catalog, and the hierarchical structure
of Active Directory, including domains, organizational units, trees, trust
relationships, and forests. I’ll also discuss Active Directory names and
naming conventions, as well as security. When I’m finished, you’ll have a
much better picture of how Active Directory is structured.
Objects and Classes

An Active Directory object is a record in the directory that is defined by a
distinct set of attributes. The attributes of an object are the same as the
object’s properties. The terms are synonymous; however, the term properties
is more prevalent throughout the Windows 2000 user interface.
The specific attributes that an object can have are defined by the object’s
class. A class is simply a template that is used to define the attributes of
an object when it is created. A class defines the required and optional
attributes of the objects that are instances of that class. For example, the
Computer class contains a list of the required and optional attributes that
are used when a computer object is created. All computer objects will be
created using the same Computer class definition.
There are many classes of Active Directory objects. Some of the classes are:
■ Computer
■ Contact
■ Group
■ Organizational Unit
■ Domain
■ Printer
■ User
■ Shared Folder

Schema
In Active Directory terminology, the schema is a formal definition — a set
of rules, if you wish — of all of the classes of objects and their attributes
that are stored in the directory. The schema governs the structure of the
directory, including how various objects in the directory fit into the direc-
tory’s hierarchical structure.
The schema is what makes Active Directory extensible. As organizations
change, it may be necessary to add or modify object attributes, or even to
create new classes. The use of certain applications, in particular, may require
these kinds of modifications. Microsoft anticipates that application vendors
will provide the means to modify the schema when necessary to support
their application’s specific requirements.
Windows 2000 Server includes a tool to modify the schema. It is
a Microsoft Management Console (MMC) snap-in that is only available
after installing the Windows 2000 Administration Tools (ADMINPAK)
on a Windows 2000 computer. The name of the snap-in is Active
Directory Schema.

CROSS-REFERENCE
For information on installing the ADMINPAK, see the sidebar titled
“Installing the ADMINPAK” in Chapter 8.

Because the schema is the heart of Active Directory, it’s important that
it be protected from accidental or unauthorized modification. For this
reason, Microsoft created a special security group for Windows 2000
called Schema Admins. Only members of this group can run programs
that will modify the schema.

Global Catalog
The global catalog is a master, searchable index that contains information
about every object in every domain in a forest. For now, you can think of
a forest as all of the domains that make up a company’s network. Forests will
be covered in more technical detail later in this chapter.
The global catalog, in conjunction with various search tools, is what
enables administrators and users to search for and quickly locate an object,
regardless of where the object is located on the network.
Windows 2000 automatically creates, by default, a global catalog on the
first domain controller that is installed in a forest. You can configure other
domain controllers to maintain a copy of the global catalog, as well. The
global catalog contains a full copy, or replica, of all objects in its host
domain, and a partial replica of all objects in all other domains in the
forest. A partial replica includes the most common properties of every
object, but not all of the properties of every object.

Hierarchical Structure
By now you’ve read the term “hierarchical structure” a zillion times. But
what does it mean, exactly? A hierarchical structure refers to a manner of
organizing a group of interrelated elements in which the elements are
ranked or stacked, one above the other. An example of a hierarchical
structure that you are probably familiar with is an organizational chart.
Figure 2-1 shows an organizational chart for ABC Bank.

[Figure 2-1: organizational chart. President at the top; beneath, Vice
President Region #1 and Vice President Region #2; beneath the Vice
Presidents, four Managers (Branch A, Branch B, Branch C, Branch D), two
under each Vice President; beneath the Managers, eight tellers (Teller1
through Teller8), two under each Manager.]

FIGURE 2-1 Organization chart of ABC Bank

In the organizational chart of this regional bank, the President is at the
top of the chart, and beneath the President is a level consisting of two Vice
Presidents. After the Vice President level is a layer of management staff, and
beneath this layer is a level that represents the numerous bank tellers. The
hierarchical structure typically has at the top a single element, which
branches into lower layers that contain progressively more elements the
farther down you go.
The key building blocks in the Active Directory hierarchical structure
are domains, which are the focus of the next section.

Domains
Domains are the fundamental units that make up Active Directory. As
stated previously, a domain is a logical grouping of networked computers in
which one or more of the computers has shared resources, such as a shared
folder or printer, and in which all of the computers share a common Active
Directory data store that contains user account, resource, security, and
other information. Active Directory consists of one or more domains.
A domain is a natural security boundary in a Windows 2000 network.
Users from other domains cannot pierce this boundary to access shared
resources unless trust relationships are created between the domains to
permit user access. More information about trust relationships is provided
later in this chapter.
A domain can span several geographic locations of a company, or a
domain can be created for every location. Sometimes the needs of the
departments, divisions, or subsidiaries of an organization determine the
number and structure of the domains needed to effectively manage the
organization’s network.

TIP
When possible, I recommend using a single domain, because this greatly
simplifies the administration of your network.

The domains that make up Active Directory usually correspond to the
network’s DNS domains, and typically use the same FQDN naming
convention used by DNS servers. FQDN stands for fully qualified domain
name, and is the naming convention used on the Internet. The format for an
FQDN is server_name.domain_name.root_domain_name. I’ll discuss
names and naming conventions in a bit more detail later in this chapter.
Domains contain objects, and can also contain organizational units,
which are discussed in the next section.

Organizational Units
Organizational units are a type of Active Directory object, and are sometimes
called container objects.They contain objects and other organizational units
from their own domain. Organizational units are often called by their
abbreviated name, OUs.
An organizational unit is used to organize related objects and other
organizational units in Active Directory in much the same way that a
folder is used to organize related files and other folders in a volume. Also,
the organizational unit is the smallest container component of Active
Directory to which you can delegate administrative authority or assign
group policy. The primary purpose of an organizational unit, then, is the
organization of related objects and other organizational units to simplify
administration.
For example, suppose an administrator wants to delegate network
administration of the Sales department to an assistant administrator. The
administrator decides to group together all of the objects associated with
the Sales department (including users, computers, printers, shared folders,
and groups). Then the administrator creates an organizational unit and
places all of the objects associated with the Sales department into this
organizational unit. Completing these steps enables the administrator to
delegate administration for the Sales department by assigning the assistant
administrator the permissions required to administer the organizational
unit and its contents.

Trees
In Active Directory terminology, a domain tree is a hierarchical grouping of
one or more domains that must have a single root domain, and may have
one or more child domains. In a domain tree, the root domain is the
domain at the top (or root) of the tree.
Domains in a domain tree are often spoken of in terms of parent
domains and child domains. A parent domain is any domain that is above
another domain in the domain tree hierarchy. A child domain is any domain
that is below another domain in the tree. A domain can be a parent to a
domain below it and a child to the domain above it. In a multidomain tree,
the root domain is always a parent domain. Figure 2-2 illustrates a domain
tree. Notice that there is only one root domain in the tree, but that the tree
contains more than one child domain.

root1.com
    child1.root1.com
    child2.root1.com
        grandchild.child2.root1.com

FIGURE 2-2 A domain tree

Also notice the naming structure used in Figure 2-2. In a domain tree,
the domains that make up the tree have contiguous DNS domain names.
The root domain’s name forms the basis of (and will be a part of) the
FQDNs of all of the other domains in the tree. A child domain’s FQDN is
created by appending the name of the parent domain to its own NetBIOS
name, using the child_domain.parent_domain.root_domain.com
format. For example, in Figure 2-2, the domain with a NetBIOS
name of child1 appends the name of its parent domain, root1.com, to its
own name, resulting in an FQDN of child1.root1.com. The root
domain in a domain tree also takes its name in this way, by appending the
name of the first-level DNS domain that it is a member of to its own
NetBIOS name. In Figure 2-2, the root domain with a NetBIOS name of
root1 appends the name of the first-level DNS domain, com, to its own
name, resulting in an FQDN of root1.com.
In organizations that require multiple domains, a domain tree enables
any permitted user in any domain in the tree to access shared resources in
any domain in the tree. This user access is made possible by the special trust
relationships that exist between the domains in the tree.

Trust Relationships
To manage the interaction between multiple domains, trust relationships
are necessary. A trust relationship, or trust, is an agreement between two
domains that enables users in one domain to be authenticated by a domain
controller in another domain, and therefore to access shared resources in
the other domain.
The terminology used to discuss trusts is sometimes confusing, so a
good portion of this section is dedicated to explaining and clarifying these
terms. Once you’ve mastered the terminology, trust concepts are much
easier to understand.

Trusting Domain vs. Trusted Domain Two terms are commonly used to
refer to a trust between two domains: trusting domain and trusted domain.
The trusting domain is the domain that has resources to share with user
accounts in the trusted domain. The trusting domain trusts the trusted
domain. The trusted domain is the domain that contains the user accounts
that want to access the shared resources in the trusting domain. The trusted
domain is trusted by the trusting domain.
A trust relationship between two domains is depicted in diagrams by
using an arrow to point from the trusting (resource) domain to the trusted
(user accounts) domain. Figure 2-3 illustrates a trust relationship between
the west.com domain and the east.com domain. The west.com domain
is the trusting domain, and the east.com domain is the trusted domain.
Notice that the arrow points toward the domain with the user accounts.
This trust relationship enables users from the east.com domain to
access shared resources located in the west.com domain.

west.com (resources)  ------>  east.com (user accounts)

FIGURE 2-3 The west.com domain trusts the east.com domain

Intransitive and Transitive Trusts An intransitive trust is a trust relationship
between two domains that does not extend beyond these two domains to
other domains. An intransitive trust is a one-way trust, meaning that a single
trust relationship exists between the two domains.
Suppose that the a.com domain trusts the b.com domain. Further suppose
that the b.com domain trusts the c.com domain. Figure 2-4 shows these
trust relationships.

a.com  ------>  b.com  ------>  c.com

FIGURE 2-4 Intransitive trusts

At first glance, it might appear that the user accounts in the c.com
domain are able to access resources in the a.com domain, but this is not
the case. A trust relationship does not exist between the a.com domain and
the c.com domain. Therefore, users in the c.com domain can’t access
resources in the a.com domain.
It is possible to establish a two-way trust relationship between two
domains by creating two, one-way trusts between those domains. In a two-
way trust relationship, two domains trust each other.
A transitive trust is a trust relationship between two Windows 2000
domains in the same domain tree (or forest) that can extend beyond these
two domains to other trusted domains within the same domain tree
(or forest). A transitive trust is always a two-way trust, meaning that both of
the domains trust each other. By default, all Windows 2000 trusts within a
domain tree (or forest) are transitive trusts.
Transitive trusts are depicted in diagrams by a single line with an arrow
at each end. Figure 2-5 illustrates transitive trusts in a Windows 2000
domain tree.

child1.parent.com  <------>  parent.com  <------>  child2.parent.com

FIGURE 2-5 Transitive trusts

Notice that in Figure 2-5, transitive trust relationships exist between
each child domain and the parent domain, but that no trust relationship
exists directly between the two child domains. Nonetheless, the transitive
trust relationships make it possible for users in the child1.parent.com
domain to access resources located in both the parent.com domain and
in the child2.parent.com domain. Likewise, users in the
child2.parent.com domain can access resources located in both the
parent.com domain and in the child1.parent.com domain because
of the transitive trusts that connect the three domains.
In Windows 2000 domain trees, Windows 2000 Server automatically
creates two-way, transitive trust relationships between a parent domain and
a child domain when the child domain is created in the domain tree. The
presence of transitive trust relationships between all of the domains in a
Windows 2000 domain tree makes it possible for a user in one domain to
access a shared resource located in any domain in the tree, regardless of
how many domains separate the user and the shared resource.
Windows NT Server 4.0 doesn’t support transitive trusts — it only
supports intransitive trusts.This means that the only type of trust relationship
possible between a Windows 2000 domain and a Windows NT domain is an
intransitive trust.
Explicit Trusts An explicit trust is a trust that an administrator creates, versus
a trust that is automatically created by Windows 2000. An explicit trust can
be either transitive or intransitive. Explicit trusts are sometimes used when
you need to manage trusts between a Windows 2000 domain and a
Windows NT domain. Explicit trusts are also used in large, multidomain
forests to shorten the trust path between two domains, which reduces the
time required for authentication and logon.

Forests
Earlier in this chapter I said you could think of a forest as being all of the
domains that compose a company’s network. A more technically accurate
definition of a forest is a group of one or more domain trees, linked by
transitive trusts, that shares a common schema and global catalog.
A forest begins with one domain and one domain tree. It’s kind of a
difficult concept to grasp, but when you install Active Directory on the
first domain controller on your network, Windows 2000 creates a domain,
a domain tree, and a forest all at the same time. So, even though you’ve
only installed Active Directory on one computer, you’ve got all of these
big-picture elements created and ready to go. Now the forest can grow as
you add additional domains and domain trees.

IN THE REAL WORLD

There are no tools that enable you to work on two forests at the same
time. If you have a multi-domain network, it can be good to have a root
domain that only contains the administrator account so that changes to
domain structures can be easily made.

Figure 2-6 illustrates a forest that consists of two domain trees. Notice
that this forest contains two root domains, each of which forms the basis
for its own domain tree. Also notice that a single, transitive trust connects
the two domain trees.
Take another look at Figure 2-6, and notice the domain names. By
definition, the domains in a domain tree have contiguous DNS domain
names. In this example, rootA.com is contained in the name of every
domain in its tree. Likewise, rootB.org is contained in the name of every
domain in its tree. However, that’s as far as it goes. The two domain trees
themselves do not have contiguous DNS domain names, even though they
have been joined together in a forest.
Tree A                                  Tree B
rootA.com  <-------------------------->  rootB.org
    childA.rootA.com                        childA.rootB.org
    childB.rootA.com                        childB.rootB.org

[The two-headed arrow is the single transitive trust joining the two trees.]

FIGURE 2-6 A forest

A forest takes its name from the root tree, which is the first tree created
in the forest.
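The trust rules from the Trust Relationships section and the forest just described, worked as an added example of mine (not code from the book): domains and trusts form a directed graph, and a walk over that graph answers whether a user from one domain can reach a resource in another. It uses the domain names of Figures 2-4, 2-5 and 2-6; the Windows NT domain nt-legacy and its explicit one-way trust are a constructed addition.

```python
"""Windows 2000 trust relationships as a directed graph (added example,
not from the book). An edge trusting -> trusted means the trusting
(resource) domain accepts users authenticated by the trusted (user-account)
domain, the direction of the arrows in Figure 2-3."""
from collections import deque


class TrustMap:
    def __init__(self):
        # trusting domain -> {trusted domain: True if the trust is transitive}
        self._trusts = {}

    def add_trust(self, trusting, trusted, transitive=False, two_way=False):
        """Record a trust. The default, intransitive and one-way, is the only
        kind a Windows NT 4.0 domain can take part in."""
        self._trusts.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            self._trusts.setdefault(trusted, {})[trusting] = transitive

    def add_tree_trust(self, parent, child):
        """The trust Windows 2000 creates automatically when a child domain
        joins a tree, or two tree roots join a forest: two-way and transitive."""
        self.add_trust(parent, child, transitive=True, two_way=True)

    def can_access(self, user_domain, resource_domain):
        """True if a user from user_domain can be authenticated for a resource
        in resource_domain. Breadth-first walk from the resource domain over
        the domains it trusts; past the first hop only transitive trusts count."""
        if user_domain == resource_domain:
            return True
        seen = {resource_domain}
        queue = deque([(resource_domain, True)])  # (domain, is_first_hop)
        while queue:
            current, first_hop = queue.popleft()
            for trusted, transitive in self._trusts.get(current, {}).items():
                # Figure 2-4: b.com trusting c.com gives a.com nothing, because
                # an intransitive trust never extends to a third domain.
                if not first_hop and not transitive:
                    continue
                if trusted == user_domain:
                    return True
                if transitive and trusted not in seen:
                    seen.add(trusted)
                    queue.append((trusted, False))
        return False


def figure_2_4():
    """a.com trusts b.com and b.com trusts c.com, both intransitive one-way."""
    trusts = TrustMap()
    trusts.add_trust("a.com", "b.com")
    trusts.add_trust("b.com", "c.com")
    return trusts


def figure_2_5():
    """parent.com and its two child domains with automatic tree trusts."""
    trusts = TrustMap()
    trusts.add_tree_trust("parent.com", "child1.parent.com")
    trusts.add_tree_trust("parent.com", "child2.parent.com")
    return trusts


def figure_2_6():
    """Two domain trees joined into a forest by one transitive trust between
    their roots. Also adds a constructed detail not in the figure: an explicit
    intransitive trust from childB.rootA.com to a Windows NT domain, nt-legacy."""
    trusts = TrustMap()
    for root, children in (("rootA.com", ("childA.rootA.com", "childB.rootA.com")),
                           ("rootB.org", ("childA.rootB.org", "childB.rootB.org"))):
        for child in children:
            trusts.add_tree_trust(root, child)
    trusts.add_tree_trust("rootA.com", "rootB.org")
    trusts.add_trust("childB.rootA.com", "nt-legacy")
    return trusts


if __name__ == "__main__":
    print(figure_2_4().can_access("c.com", "a.com"))                        # False
    print(figure_2_5().can_access("child1.parent.com", "child2.parent.com"))  # True
    print(figure_2_6().can_access("childA.rootB.org", "childB.rootA.com"))    # True
    print(figure_2_6().can_access("nt-legacy", "rootA.com"))                  # False
```

The last call shows the point made about Windows NT: the explicit intransitive trust lets nt-legacy users into childB.rootA.com only, and no other domain in the forest inherits it.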

Names and Naming Conventions

Names are of critical importance in Active Directory. In this section, I’ll
explain the types of names and naming conventions used by Active Directory.
Within Active Directory, each object has a name. When you create an
object in Active Directory, such as a user or a computer, you assign the
object a name.This name must be unique within the domain — you can’t
assign an object the same name as any other object (regardless of its type)
in that domain. If you have a user named AlanC, for example, you can’t
create a computer account in the domain that is also named AlanC.
For more information on developing names for domains, organizational
units, users, groups, and computers, see the section titled “Planning
Naming Conventions” later in this chapter.
At the same time that you create an object, not only do you assign a
name to the object, but Active Directory also assigns identifiers to the
object. Active Directory assigns every object a globally unique identifier
(GUID), and assigns many objects a security identifier (SID). A GUID is
typically a 32-digit hexadecimal number that uniquely identifies an object
within Active Directory. A SID is a unique number created by the
Windows 2000 Security subsystem that is assigned only to security principal
objects (users, groups, and computers) when they are created. Windows
2000 uses SIDs to grant or deny a security principal object access to other
objects and network resources.
Active Directory uses a hierarchical naming convention that is based on
Lightweight Directory Access Protocol (LDAP) and DNS standards.
Objects in Active Directory can be referenced by using one of three Active
Directory name types:
■ Relative distinguished name (RDN)
■ Distinguished name (DN)
■ User principal name (UPN)
A relative distinguished name (RDN) is the name that is assigned to the
object by the administrator when the object is created. For example, when
I create a user named AlanC, the RDN of that user is AlanC. The RDN
only identifies an object — it doesn’t identify the object’s location within
Active Directory. The RDN is the simplest of the three Active Directory
name types, and is sometimes called the common name of the object.
A distinguished name (DN) consists of an object’s RDN, plus the object’s
location in Active Directory. The DN supplies the complete path to the
object. An object’s DN includes its RDN, the name of the organizational
unit(s) that contains the object (if any), and the FQDN of the domain. For
example, suppose that I create a user named AlanC in an organizational
unit called US in a domain named Exportsinc.com. The DN of this user
would be:
CN=AlanC,OU=US,DC=Exportsinc,DC=com

A user principal name (UPN) is a shortened version of the DN that is
typically used for logon and e-mail purposes. A UPN consists of the RDN
plus the FQDN of the domain. Using my previous example, the UPN for
the user named AlanC would be:
AlanC@Exportsinc.com

Another way you can think of a UPN is as a DN stripped of all organizational
unit references.
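The three name types, and the rule that a name must be unique within a domain regardless of object type, as an added Python example (this is not code from the book or from Windows 2000). It models one domain in memory, derives the DN in the standard LDAP syntax (CN=, OU=, DC= components) and the UPN from the RDN, the containing OU path and the domain’s DNS name, and refuses a second object whose name differs only in case. The case-insensitive comparison is an assumption of this model; the domain, OU and user names come from the chapter.

```python
"""Build, parse and check the Active Directory name types: RDN, DN and UPN.

Added example, not from the book. An in-memory model of one domain that
enforces the rule that an object's RDN must be unique within the domain
regardless of object type (compared case-insensitively; an assumption),
and derives the DN and UPN from the RDN, the OU path and the domain FQDN.
"""
from dataclasses import dataclass, field


@dataclass
class ADObject:
    rdn: str            # relative distinguished name, e.g. "AlanC"
    obj_type: str       # "user", "computer", "group", ...
    ou_path: tuple      # containing OUs, innermost first, e.g. ("US",)


@dataclass
class Domain:
    fqdn: str                                    # DNS name, e.g. "Exportsinc.com"
    objects: dict = field(default_factory=dict)  # lower-cased RDN -> ADObject

    def is_name_available(self, rdn):
        """True if no object of any type already uses this RDN."""
        return rdn.lower() not in self.objects

    def add(self, rdn, obj_type, ou_path=()):
        """Create an object; the RDN must be unique across all object types."""
        if not self.is_name_available(rdn):
            other = self.objects[rdn.lower()]
            raise ValueError(f"name {rdn!r} is already used by a {other.obj_type}")
        obj = ADObject(rdn, obj_type, tuple(ou_path))
        self.objects[rdn.lower()] = obj
        return obj

    def distinguished_name(self, obj):
        """DN = RDN, then each containing OU, then one DC= part per DNS label."""
        parts = [f"CN={obj.rdn}"]
        parts += [f"OU={ou}" for ou in obj.ou_path]
        parts += [f"DC={label}" for label in self.fqdn.split(".")]
        return ",".join(parts)

    def user_principal_name(self, obj):
        """UPN = RDN @ FQDN, with no organizational unit information at all."""
        return f"{obj.rdn}@{self.fqdn}"


def dn_to_upn(dn):
    """Derive the UPN from a DN by dropping every OU component."""
    pairs = [part.split("=", 1) for part in dn.split(",")]
    cn = next(value for key, value in pairs if key.upper() == "CN")
    dcs = [value for key, value in pairs if key.upper() == "DC"]
    return f"{cn}@{'.'.join(dcs)}"


if __name__ == "__main__":
    exports = Domain("Exportsinc.com")
    alan = exports.add("AlanC", "user", ("US",))
    print(exports.distinguished_name(alan))   # CN=AlanC,OU=US,DC=Exportsinc,DC=com
    print(exports.user_principal_name(alan))  # AlanC@Exportsinc.com
```

Note that `dn_to_upn` keeps the CN and the DC components and discards everything else, which is exactly the “DN stripped of all organizational unit references” description above; it does not handle escaped commas inside attribute values.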

Security
As mentioned previously, Active Directory resides in the Windows 2000
Security subsystem. Together, Active Directory and the Security subsystem
protect Active Directory against unauthorized access. The Active
Directory/Security subsystem team uses access control lists (ACLs) to
determine who can access (and/or modify) an object. An ACL is a list of
SIDs and the associated access privileges assigned to each SID. Each object
and network resource has an ACL associated with it.
Another security feature of Active Directory is delegation. As stated
previously, you can delegate administrative privileges for a container object
(such as an organizational unit or domain) and all of its contents to a user
or group. This feature enables you to distribute administrative tasks among
several employees without having to give each of these employees administrative
privileges to the entire network.

Understanding How Active Directory Is Implemented
My goal in this section is to explain how Active Directory is actually
implemented on a network. I know you’re up to your eyeballs in theory
right now, but hang in there just a little longer and I think you’ll begin to
understand how the pieces fit together.
In the next sections I’ll talk a bit about what happens when Active
Directory is installed, how the global catalog server works to provide
Active Directory information about every object in every domain in a
forest, and what Active Directory replication is and how it’s implemented
on a Windows 2000 network. I’ll also introduce the concept of flexible
single master operations (FSMO) and discuss the various roles that domain
controllers can play. Finally, I’ll explain how Active Directory is dependent
on DNS and cover some of the limitations that non-Windows 2000 client
computers have in terms of using the features of Active Directory.

Installing Active Directory


You have to install Active Directory on all Windows 2000 Server computers
that you want to function as domain controllers for a domain — Active
Directory is not installed by default. When you first install Active Directory
in a domain, Windows 2000 performs two tasks: First, it promotes the
computer on which you’re installing Active Directory to a domain
controller; and second, it creates the Active Directory data store (for that
domain) on the newly created domain controller. When you install Active
Directory on an additional Windows 2000 Server computer in that domain,
Windows 2000 promotes that computer to a domain controller and copies a
read/write replica of the Active Directory data store from one of the other
existing domain controllers in the domain. A Windows 2000 Server
computer can be a domain controller for only one domain; however, a
domain can have multiple domain controllers.
Active Directory is installed by using the Active Directory Installation
Wizard that is available in the Configure Your Server tool in the
Administrative Tools folder. You can also start this wizard by selecting
Start ➪ Run, typing Dcpromo.exe, and pressing Enter.

CROSS-REFERENCE
I’ll give detailed instructions for installing Active Directory in Chapter 7.
However, I strongly recommend that you read the rest of this chapter,
including the “Planning for Active Directory on Your Network” section,
before you install Active Directory.

Global Catalog Server


A global catalog server is a domain controller that has an additional duty — it
maintains a global catalog. You may recall that a global catalog is a master,
searchable database that contains information about every object in every
domain in a forest. The global catalog contains a complete replica of all
objects in Active Directory for its host domain, and contains a partial replica
of all objects in Active Directory for every other domain in the forest.
A global catalog server performs two important functions:
■ Provides group membership information during logon and
authentication
■ Helps users locate resources in Active Directory
I’ll discuss both of these functions in the next section. A global catalog
server provides universal group membership information during a user’s
logon and authentication process. (A universal group is one that can contain
users and other groups from any domain in the forest.) Determining group
membership information is a critical part of the logon process, because the
groups a user is a member of help determine that user’s rights and
permissions. The global catalog server provides this group membership
information in a highly efficient manner because a global catalog server can
respond to the request, instead of having to query a domain controller from
each domain in the forest. If a global catalog server is not available, the user
will not be able to log on to the domain unless that user is a member of the
Domain Admins group.
A global catalog server helps users locate Active Directory objects,
regardless of which domain in the forest contains the object. Users can
browse the global catalog for available services and resources. In addition,
because the global catalog contains information on every object in every
domain in the forest, users can search the global catalog for a specific object
or resource. For example, suppose I want to locate the e-mail address of
another employee in my company. I know the employee’s name, so I can
query the global catalog by the employee’s name, and, assuming I have the
appropriate permissions, view pertinent data about the employee I’m
searching for, including his or her e-mail address.
A global catalog server, then, provides unified Active Directory informa-
tion across all domains in the forest; whereas domain controllers only con-
tain information about objects in their own domain. Global catalog servers
are a critical part of a multidomain network.
Each domain maintains its own global catalog server. And, by default,
there is only one global catalog server in each domain. Normally this is a
good idea, but occasionally there may be a valid reason for having more
than one global catalog server in a domain.

CROSS-REFERENCE
For more information on optimizing global catalog servers, see Chapter 22.

By default, the first domain controller established in a domain serves as the
global catalog server. To move the global catalog to a different server or to
add an additional global catalog server, you can use the Active Directory Sites
and Services tool. This tool, which is contained in the Administrative
Tools folder, is available after Active Directory is installed.

Replication
The term replication, as applied to Active Directory, refers to the process of
copying information and information updates from the Active Directory data
store on one domain controller to other domain controllers. The purpose
of replication is to synchronize Active Directory data among the domain
controllers in the domain and forest. Several types of Active Directory
information get replicated:
■ The schema: The schema is replicated to all domain controllers in
the forest.
■ Configuration data: This data, which includes high-level
forest/tree/domain structure, trust, and configuration information,
is replicated to all domain controllers in the forest.
■ Domain data: This complete, detailed information about every
object in the domain is replicated only to the domain controllers
within this domain.
Replication of Active Directory data is usually partial, meaning that only
updated information (versus a complete copy of the Active Directory data
store) is copied from one domain controller to other domain controllers.
Typically the only time a complete replication is performed is when you
install a new domain controller on the network.
Windows 2000 automatically performs replication. Many administrators of
small to medium-sized networks will never have to configure replication.
That said, replication uses a fair amount of network bandwidth, so sometimes
it is beneficial to manage when and how replication takes place, particularly
over slow WAN links. You can manage Active Directory replication by using
sites, and by using Active Directory Sites and Services.

Sites
A site consists of one or more TCP/IP subnets, which are specified by an
administrator. Additionally, if a site contains more than one subnet, the
subnets should be connected by high-speed, reliable links. Sites do not
correspond to domains: You can have two or more sites within a single
domain, or you can have multiple domains in a single site. A site is solely a
grouping based on IP addresses. Figure 2-7 shows two sites connected by a
slow WAN link.

FIGURE 2-7 Two sites. Seattle: consists of specified TCP/IP subnets ranging from 10.0.0.1 to 10.127.255.254; all subnets connected by 100 Mbps Ethernet links. Indianapolis: consists of specified TCP/IP subnets ranging from 10.128.0.1 to 10.255.255.254; all subnets connected by 10 Mbps Ethernet links. The two sites are connected by a 256 Kbps WAN link.

The purpose of sites is to enable servers that regularly copy data to other
servers (such as Active Directory replication data) to distinguish between
servers in their own site (which are connected by high-speed links) and
servers in another site (which are connected by slower-speed WAN links).
Replication between domain controllers in the same site is fast, and
typically administrators can permit Windows 2000 to automatically
perform this task. Replication between a domain controller in one site and
domain controllers in other sites is slower (because it takes place over a
slow WAN link) and often should be scheduled by the administrator so
that use of network bandwidth for replication is minimized during the
network’s peak-activity hours.
Sites and Active Directory replication can be configured by using Active
Directory Sites and Services.
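The site logic described in this section, as an added Python example (not code from the book or from Windows 2000): a site is just a set of IP subnets, a domain controller belongs to whichever site covers its address, and replication between two domain controllers is either intra-site (fast, left to run at any time) or inter-site (crosses the WAN link, held back during peak hours). The subnets are the two ranges from Figure 2-7 written as CIDR prefixes, an assumption; the domain controller names and addresses and the 08:00 to 17:59 peak window are constructed sample values.

```python
"""Map domain controllers to Active Directory sites and classify replication.

Added example, not from the book. Sites are defined purely by IP subnets;
replication between two DCs in the same site is "intra-site", otherwise
"inter-site" and subject to a schedule that avoids peak hours on the WAN.
Subnets are the Figure 2-7 ranges as CIDR prefixes (an assumption);
DC names, addresses and the peak window are constructed sample values.
"""
import ipaddress

# Site name -> subnets that belong to it (10.0.0.0/9 covers 10.0.0.1-10.127.255.254,
# 10.128.0.0/9 covers 10.128.0.1-10.255.255.254)
SITES = {
    "Seattle": [ipaddress.ip_network("10.0.0.0/9")],
    "Indianapolis": [ipaddress.ip_network("10.128.0.0/9")],
}

# Constructed domain controllers: name -> IP address
DOMAIN_CONTROLLERS = {
    "SEA-DC1": "10.1.4.20",
    "SEA-DC2": "10.55.0.7",
    "IND-DC1": "10.130.2.9",
}

PEAK_HOURS = range(8, 18)   # constructed: 08:00-17:59 is the network's busy period


def site_of(ip):
    """Return the site whose subnet contains ip (most specific prefix wins),
    or None when no site covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for site, subnets in SITES.items():
        for net in subnets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (site, net.prefixlen)
    return best[0] if best else None


def replication_kind(dc_a, dc_b):
    """'intra-site' if both DCs sit in the same site, else 'inter-site'."""
    site_a = site_of(DOMAIN_CONTROLLERS[dc_a])
    site_b = site_of(DOMAIN_CONTROLLERS[dc_b])
    if site_a is None or site_b is None:
        raise ValueError("a domain controller address is not covered by any site subnet")
    return "intra-site" if site_a == site_b else "inter-site"


def may_replicate_now(dc_a, dc_b, hour):
    """Intra-site replication may run at any hour; inter-site replication
    (which crosses the slow WAN link) is deferred during peak hours."""
    if replication_kind(dc_a, dc_b) == "intra-site":
        return True
    return hour not in PEAK_HOURS


def replication_plan():
    """Classify every pair of domain controllers: (dc, dc) -> kind."""
    names = sorted(DOMAIN_CONTROLLERS)
    return {(a, b): replication_kind(a, b)
            for i, a in enumerate(names) for b in names[i + 1:]}


if __name__ == "__main__":
    for pair, kind in replication_plan().items():
        print(pair, kind)
```

Because the site table is the only input, adding a subnet to `SITES` (or a DC to `DOMAIN_CONTROLLERS`) immediately changes which pairs are treated as inter-site, which mirrors what happens when you edit subnets in Active Directory Sites and Services.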

CROSS-REFERENCE
For detailed information on how to manage and optimize Active Directory
replication, including how to use sites, see Chapter 22.

Flexible Single Master Operations


When Microsoft designed Windows 2000, its goal was to have every
domain controller equal; instead of having a primary domain controller
(PDC) and backup domain controllers (BDCs) like Windows NT 4.0 had,
Microsoft wanted to have one class of domain controller that could
perform every domain controller–related task. The advantages of this
design would be the distribution of server load; the elimination of the need
to connect (sometimes across multiple WAN links) to a specific server for
the creation of users, change of passwords, and so on; and the elimination
of the need to have one server always available to all users.

TIP
When more than one domain controller is able to perform a specific task,
that task is referred to as a multiple master operation. When only one
domain controller can perform a specific task, that task is called a single
master operation.

So, things were going along pretty smoothly, and then, when Microsoft
implemented Active Directory and all of its associated processes, it
discovered that a purely multiple master design just wasn’t going to work
for Windows 2000. Although most domain controller–related tasks can be
performed by any domain controller, a few critical tasks had to be limited to
one domain controller in a domain, or to one domain controller in a forest,
or utter mayhem and havoc would result. What we’ve ended up with, then,
is a largely multiple master design, with some restricted single master oper-
ations. These operations are called flexible single master operations (FSMO).
The term flexible refers to the fact that an administrator can choose which
domain controller will perform each restricted single master operation.
There are five different types of flexible single master operations roles
(sometimes called master roles) that a domain controller can perform:
schema master, domain naming master, PDC emulator, relative ID master,
and infrastructure master. Each of these roles defines a specific set of
flexible single master operations that only the domain controller assigned
to that role can perform.
When you first install Active Directory on the first domain controller in
the forest, that domain controller automatically assumes all five of the
flexible single master operations roles. As you add domain controllers, you
can manually reassign or transfer these master roles to other domain
controllers as needed.

Schema Master
The schema master is the only domain controller that can make changes to
the schema. When you, as an administrator, use an application to change
the schema, you don’t necessarily need to sit down at the schema master to
run this application, nor do you need to know which computer is
functioning as the schema master. Windows 2000 seamlessly connects the
application to the schema master (across the network) in order to make the
desired change.
Because the schema is identical throughout the forest, there can be only
one schema master in a forest.
If the computer that is functioning as the schema master is not available
when you want to make a change to the schema, you won’t be able to
change the schema until the schema master becomes available, or until you
assign the schema master role to a different domain controller in the forest.

Domain Naming Master


The domain naming master is the only domain controller that can add or
remove domains to or from the forest. The primary reason for isolating
these tasks is to ensure that when a domain is created, its name is unique
within the forest.
When you create a new domain in an existing forest by installing Active
Directory on the first domain controller in the new domain, the new
domain controller contacts the domain naming master to verify that the
new domain name is not already in use in the forest, and then, once the
domain naming master determines that the domain name is unique, it adds
the new domain to the forest.
There can be only one domain naming master in a forest.
If the computer that is functioning as the domain naming master is not
available when you want to add or remove a domain, you won’t be able to
add or remove the domain until the domain naming master becomes
available, or until you assign the domain naming master role to a different
domain controller in the forest.

PDC Emulator
The PDC emulator performs one of two different roles, depending on how
Active Directory is implemented on your network.
When Active Directory is configured to interact with Windows NT 4.0
backup domain controllers (BDCs), or to interact with computers that
don’t have Windows 2000 Directory Service Client software, Active
Directory is said to be operating in mixed-mode. When Active Directory
operates in mixed-mode, the PDC emulator acts like a Windows NT
primary domain controller (PDC). In this situation, the PDC emulator
synchronizes user account information (such as user names and passwords)
with the existing Windows NT 4.0 BDCs. In addition, when administrators
or users of computers that don’t run Windows 2000 client software need
to make a user account change, that computer must contact the PDC
emulator to make the desired change.
When Active Directory is configured to interact only with Windows 2000
domain controllers and computers that run Windows 2000 Directory Service
Client software, Active Directory is said to be operating in native-mode.
When Active Directory operates in native-mode, the PDC emulator receives
password changes more quickly than other domain controllers in the domain.
When this occurs, the PDC emulator is said to receive preferential treatment
for replication of password changes. Because of this preferential treatment, the
PDC emulator is the domain controller that is most likely to have the most
current version of a user’s password. Therefore, if another domain controller
fails to authenticate a user due to an apparently incorrect password, it will
forward the user’s authentication request to the PDC emulator, and then
convey the PDC emulator’s authentication response (either accept or deny) to
the user.
There can be only one PDC emulator in each domain in a forest.
If the computer that is functioning as the PDC emulator is not available
when you want to perform tasks that require it, you won’t be able to
perform these tasks until the PDC emulator becomes available, or until you
assign the PDC emulator role to a different domain controller in the domain.

Relative ID Master
You may recall that when security principal objects (users, groups, and
computers) are created, Active Directory assigns each of these objects a
security identifier, or SID. A SID consists of two parts: a domain SID and
a relative ID. The domain SID identifies the domain in which the object is
created, and is the same for all objects created in the domain. The relative
ID identifies the object in the domain, and is unique for each object
created in the domain.
The relative ID master (sometimes called the RID master) is the domain
controller in the domain that assigns a range of relative IDs to each domain
controller in the domain for use in creating SIDs. Because of this assignment
by the relative ID master, the potential for domain controllers issuing
duplicate SIDs to newly created security principal objects is eliminated.
There can be only one relative ID master in each domain in a forest.
If the computer that is functioning as the relative ID master is not
available when a domain controller exhausts its assigned range of relative
IDs, that domain controller won’t be able to issue SIDs until the relative ID
master becomes available, or until you assign the relative ID master role to
a different domain controller in the domain.
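The SID structure and the relative ID master’s job, as an added Python example (not code from the book or from Windows 2000): the RID master hands each domain controller its own block of relative IDs, every SID a domain controller mints is the domain SID followed by one RID from that block, so no two domain controllers can ever issue the same SID, and a domain controller that has used up its block while the RID master is unreachable cannot create security principals at all, which is the failure mode described above. The `S-1-5-21-…` text form is the standard Windows layout of a domain SID; the domain SID value, block size, reservation of RIDs below 1000 for built-in accounts, and domain controller names are constructed or assumed for this model.

```python
"""Model SID composition and relative ID (RID) block allocation.

Added example, not from the book. One RidMaster per domain hands out
non-overlapping blocks of relative IDs; each DomainController mints SIDs
as "<domain SID>-<RID>" from its own block. Exhausting the block while the
RID master is unavailable makes security principal creation fail.
The domain SID, block size and DC names are constructed sample values.
"""


class RidMaster:
    """The single domain controller in a domain that allocates RID blocks."""

    def __init__(self, domain_sid, block_size=500):
        self.domain_sid = domain_sid      # e.g. "S-1-5-21-1111-2222-3333" (constructed)
        self.block_size = block_size      # RIDs handed out per request (assumption)
        self.next_rid = 1000              # RIDs below 1000 are reserved for built-ins
        self.available = True             # flip to False to simulate an outage

    def allocate_block(self):
        """Return the next unused range of RIDs; blocks never overlap."""
        if not self.available:
            raise ConnectionError("RID master is unavailable")
        start = self.next_rid
        self.next_rid += self.block_size
        return range(start, self.next_rid)


class DomainController:
    """Any DC in the domain: creates security principals from its RID block."""

    def __init__(self, name, rid_master):
        self.name = name
        self.rid_master = rid_master
        self.pool = iter(())              # no block assigned until first use

    def create_principal(self, rdn):
        """Return (rdn, SID); fetch a fresh block when the current one is used up."""
        try:
            rid = next(self.pool)
        except StopIteration:
            # Block exhausted: this is the only point at which the RID master is
            # needed, and the only point at which its absence blocks creation.
            self.pool = iter(self.rid_master.allocate_block())
            rid = next(self.pool)
        return rdn, f"{self.rid_master.domain_sid}-{rid}"


def split_sid(sid):
    """Split a SID string into (domain SID, relative ID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


if __name__ == "__main__":
    master = RidMaster("S-1-5-21-1111-2222-3333", block_size=2)
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    for dc, rdn in [(dc1, "AlanC"), (dc2, "PatL"), (dc1, "Bob")]:
        print(dc.name, *dc.create_principal(rdn))
```

Running the `__main__` section shows DC1 issuing RIDs 1000 and 1001 while DC2 issues 1002, even though DC2 created its object between DC1’s two creations; the allocation, not the order of creation, is what keeps the SIDs distinct.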

Infrastructure Master
The infrastructure master is the domain controller in the domain that updates
group membership information when group members (who are users
from other domains) are renamed or moved. For example, say that you
have a group named Accounting in your domain. PatL, a user from another
domain, is a member of the Accounting group. PatL recently changed her
name due to marriage, so you change her user name to PatC. The
infrastructure master is responsible for updating the Accounting group
membership information to reflect the change in the user’s name. (I know
the description of this master role sounds bizarre, but this is really how
it works.)
There can be only one infrastructure master in each domain in a forest.
If the computer that is functioning as the infrastructure master is not
available when you perform tasks that require it, group membership
information won’t be correctly updated until the infrastructure master
becomes available, or until you assign the infrastructure master role to a
different domain controller in the domain.

CROSS-REFERENCE
For information on optimizing flexible single master operations and
master roles, see Chapter 22.

The Domain Name System


On the Internet, host names are stored in various domains and subdomains
that form a hierarchical tree structure called the Domain Name System
(DNS). A Windows 2000 computer that has the Domain Name System
service installed on it is referred to as a DNS server. (More detail about the
DNS service appears later in this chapter.)
Active Directory uses the same hierarchical naming conventions as DNS.
Because of this, client computers use DNS servers to locate Active Directory
domain controllers. Without DNS, Active Directory couldn’t function,
because client computers wouldn’t be able to locate domain controllers.
The Domain Name System (DNS) service that ships with Windows
2000 supports the dynamic update of the DNS database — this feature was
not supported by the Microsoft DNS Server service in Windows NT Server
4.0. When I use the phrase “dynamic update of the DNS database,” what
I mean is that client computers and servers can dynamically register their
host names and IP addresses with the DNS server, without administrator
intervention. Previous versions of DNS required the administrator to
manually enter host names and their associated IP addresses for each
computer on the network.
You’re probably getting the idea about now that Active Directory is
dependent on DNS. In fact, Active Directory requires a DNS server that
supports SRV (service) resource records (RFC 2052). If you have an
existing DNS server on your network that meets these requirements, you
can use this DNS server for your Windows 2000 network. If you don’t
have an existing DNS server on your network (or have a DNS server but
it doesn’t meet these requirements), you can either install a Windows 2000
stand-alone server with the Domain Name System (DNS) service installed
on it to function as your network’s DNS server; or you can choose to
install the Domain Name System (DNS) service during the installation of
Active Directory on the first domain controller on your Windows 2000
network, and thereby make that domain controller into your Windows
2000 network’s DNS server.
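How a client uses SRV resource records to find a domain controller, as an added Python example (not code from the book or from Windows 2000): it parses SRV records from zone-file text and applies the RFC 2052 selection rule, lowest priority first, then a weighted random choice among the records that share that priority, so a DNS server that does not support SRV records leaves the client with no domain controller to contact. The zone snippet is constructed; the `_ldap._tcp.<domain>` and `_kerberos._tcp.<domain>` owner names are the standard names under which Active Directory registers its service records, an assumption here since the chapter only says “SRV records”.

```python
"""Locate a domain controller from DNS SRV records.

Added example, not from the book. Parses SRV records in zone-file form and
selects a target per RFC 2052: lowest priority wins, and among equal
priorities a weighted random choice spreads the load. The zone text is
constructed; _ldap._tcp / _kerberos._tcp owner names are assumed.
"""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# Constructed sample zone data, as domain controllers would register dynamically
SAMPLE_ZONE = """
_ldap._tcp.Exportsinc.com.      600 IN SRV 0  100 389 sea-dc1.Exportsinc.com.
_ldap._tcp.Exportsinc.com.      600 IN SRV 0  50  389 sea-dc2.Exportsinc.com.
_ldap._tcp.Exportsinc.com.      600 IN SRV 10 100 389 ind-dc1.Exportsinc.com.
_kerberos._tcp.Exportsinc.com.  600 IN SRV 0  100 88  sea-dc1.Exportsinc.com.
"""


def parse_srv(zone_text):
    """Return the SRV records found in zone-file text; other lines are skipped."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[3] != "SRV":
            continue
        name, _ttl, _cls, _rtype, prio, weight, port, target = fields
        records.append(SrvRecord(name.rstrip(".").lower(), int(prio), int(weight),
                                 int(port), target.rstrip(".")))
    return records


def select_target(records, service_name, rng=None):
    """Pick one record for service_name: lowest priority, then weighted random.
    Returns None when no record exists, which is the case the chapter warns
    about: without SRV support the client cannot locate a domain controller."""
    if rng is None:
        rng = random.Random()
    candidates = [r for r in records if r.name == service_name.lower().rstrip(".")]
    if not candidates:
        return None
    lowest = min(r.priority for r in candidates)
    tier = [r for r in candidates if r.priority == lowest]
    weights = [r.weight for r in tier]
    if sum(weights) == 0:                 # all zero weights: plain uniform choice
        return rng.choice(tier)
    return rng.choices(tier, weights=weights, k=1)[0]


def sample_distribution(records, service_name, draws=300, seed=0):
    """Count how often each target is chosen over many seeded draws, to confirm
    that the weights steer load the way the administrator intended."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        rec = select_target(records, service_name, rng)
        if rec is None:
            break
        counts[rec.target] = counts.get(rec.target, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_ZONE)
    print(sample_distribution(recs, "_ldap._tcp.Exportsinc.com"))
```

With the constructed records, `ind-dc1` (priority 10) is never chosen while either priority-0 server is listed, and `sea-dc1` is picked about twice as often as `sea-dc2` because its weight is twice as large; that is the mechanism an administrator uses to steer logon traffic toward the better-connected domain controllers.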

CROSS-REFERENCE
I’ll cover DNS in more depth, including detailed installation instructions,
in Chapter 7.

Using Clients with Active Directory


When Active Directory is implemented on a Windows 2000 network,
different types of client computers have varying degrees of functionality
with Active Directory.
In the most ideal of situations (from Microsoft’s point of view, at least),
you would have a pure Windows 2000 network, consisting entirely of
Windows 2000 Server computers and client computers that run Windows
2000 Professional. In this scenario, all of the client computers (assuming
their users had the appropriate permissions) would be able to log on to the
domain; locate shared printers, files, and folders; and browse and search
Active Directory for available resources. In addition, the administrator
could efficiently manage the users and computers of this network by using
group policies — one of the key benefits of Active Directory.
However, in reality, a lot of network administrators aren’t going to
upgrade all of their computers to Windows 2000 (at least not right away,
and maybe never). In this case, Active Directory is configured to operate in
mixed-mode, and client computers retain the same functionality they had
in a Windows NT 4.0 network, but typically they aren’t able to use many
of the new features of Active Directory.
For example, when functioning as client computers on a Windows 2000
network, Windows NT 4.0 computers (both Server and Workstation)
retain the same functionality they have always had. Assuming the users have
the necessary permissions, users are still able to log on to the domain;
access shared printers, files, and folders; and browse the network (but not
browse or search Active Directory). There is currently no Directory
Service Client software available for Windows NT 4.0 computers.
Windows NT 4.0 computers on a Windows 2000 network can’t be
managed by using group policy — they can only be managed by using
Windows NT 4.0 system policy.
Windows 98 and Windows 95 computers retain the functionality they
had when they composed a Windows NT 4.0 network, and in addition,
when Directory Service Client software is installed (assuming the users
have the appropriate permissions), users are able to browse and search
Active Directory. However, Windows 98 and Windows 95 computers can’t
be managed by using group policy — they can only be managed by using
Windows 98 or Windows 95 system policies.
What the whole client issue boils down to is this:
■ If your network consists of only Windows 2000 Server and Windows
2000 Professional computers, all computers on the network can
use the features of Active Directory and can be managed by using
group policy.
■ If your network consists of only Windows 2000 Server, Windows
2000 Professional, Windows 98, and Windows 95 computers, all
computers on the network can use the features of Active Directory
(provided Directory Service Client software is installed on the
Windows 98 and Windows 95 computers). However, only the
Windows 2000 computers can be managed by using group
policy — the Windows 98 and Windows 95 computers can’t.
■ If your Windows 2000 network includes Windows NT 4.0
computers, the Windows NT 4.0 computers can’t use the features
of Active Directory — unless you upgrade them to Windows 2000.
In addition, only the Windows 2000 computers can be managed
by using group policy — the Windows NT 4.0 computers can’t.
By not providing Directory Service Client software for Windows NT
4.0 computers, Microsoft appears to be saying that customers must
upgrade Windows NT 4.0 computers to Windows 2000 if they want to
take advantage of the benefits of Active Directory.

CROSS-REFERENCE
I’ll cover installing the Directory Service Client in Chapter 4.

Planning for Active Directory on Your Network
Like any other major network change, implementing Active Directory on
your network deserves an appropriate amount of careful planning to
ensure a smooth transition.
There are several things you should consider when planning the imple-
mentation of Active Directory. Three important matters that should be
carefully thought out are your domain design, the naming conventions
you’ll use, and how existing client computers will fit into your overall plan.
I’ll cover some planning considerations for each of these elements in the
sections that follow.

Planning a Domain Design


Planning an Active Directory domain design for your network is one of
the most important tasks you may ever be called on to perform. The
domain design is where it all starts — and ultimately, the decisions you
make here can have wide-ranging effects on your company.
When you plan a domain design, you not only determine the domain
structure you want to use, but also you plan an organizational unit (OU)
structure and you plan for the upgrade of any previous domains. The
following sections discuss these topics.

Planning a Domain Structure


In most situations, in terms of ease of network administration, the best
possible Active Directory domain structure for a Windows 2000 network is
a single domain. When a single domain is used, nearly every administrative
task is simpler than when multiple domains are used, and there are none of
the additional administrative tasks associated with a multidomain structure,
such as managing trust relationships. In addition, when a single domain is
used, users can locate resources easier and more consistently because every
object’s attribute is present in the domain’s global catalog, while not every
attribute of every object is replicated to every global catalog server in a
multidomain design.
A speaker at a conference I recently attended stated that anyone who
didn’t choose a single domain structure for the implementation of Windows
2000 Active Directory was stupid. While for the most part I agree with the
sentiment behind the statement, there are situations where a multiple
domain structure deserves some consideration. You might find that the
benefits of using multiple domains outweigh the disadvantages when:
■ The management structure of your organization is very decentral-
ized, and no one individual has control over the company’s network
design and implementation. Instead of a single individual managing
the company’s global network plan, many individuals in different
departments plan for their own department, division, or location.
■ A parent company has several subsidiaries and does not want
to integrate the network or the management structure of the
subsidiaries into the parent company’s structure.
■ Your organization has multiple divisions and it is likely that
one or more of the divisions may be sold or spun off as an
independent entity.
■ You have multiple locations and some of the locations don’t have
a reliable WAN link to corporate headquarters. You must have a
reliable WAN link to keep Active Directory updated when a
single domain spans multiple locations.
■ Your existing network uses a multiple domain structure, and you
don’t have the necessary time, money, or manpower to change the
domain structure at this time.
■ Your company is so large that you anticipate that a single domain
in Active Directory would contain millions of objects.

TIP
Windows NT 4.0 had a functional limitation of about 40,000 objects
(or 40MB of disk space) in a single domain. So, while there is still some
limitation, Windows 2000 can accommodate many more objects in a
single domain than Windows NT 4.0 could.

Planning an Organizational Unit Structure


Organizational units (OUs), in my opinion, are meant to serve exactly one
purpose: to make network administration easier. They’re not meant to
mimic the company’s organizational chart (although if you administer your
network in this manner, then it makes perfect sense to structure OUs in
the same way). Organizational units make it easy to delegate authority to
assistant administrators and to administer the network in manageable
chunks. Therefore, organizational unit structure should be designed with
delegation in mind.
If you administer your network floor-by-floor and building-by-building,
then you would probably want your OUs to consist of floors and buildings.
If you administer your network by departments and location, you might
want to use OUs that consist of departments and geographic locations.
I think you get the picture.

CAUTION
Naming an OU after a geographic location can be a risky thing — just
think of all of the cities and countries that have changed their names in
the past 10 years.

One last note on OUs. OUs are not security principal objects. Because
of this, OUs can’t be used in the same way that a group can be used to
assign rights and permissions to users or groups contained within the OU.
If you want to assign rights and permissions to multiple users, use a group.

Planning the Upgrade of Previous Domains


If your network is not a brand new Windows 2000 network, you may need
to plan for upgrading previously existing Windows NT 4.0 domains to
Windows 2000 domains.
In many cases, you may want to move from a single or multiple master
domain model (that consists of several domains) to a single domain model.
If this is your situation, you must decide where all of the objects from each
existing domain will be placed in the new Windows 2000 domain.
For example, you might want to place all of the users, groups, and com-
puters from each existing domain into OUs in the new Windows 2000
domain that correspond to the previous Windows NT 4.0 domains.
Or, since you’re taking the time to redesign your network anyway, you
might want to totally reorganize your network — one user, computer, and
group at a time. Sometimes this is the best way to go, particularly if the
network has been added to, patched, and otherwise monkeyed with by
numerous administrators over the years.

Planning Naming Conventions


74 Part I ▼ Introduction to Windows 2000

When planning the naming conventions you’ll use on your Windows 2000
network, there are several decisions to be made. You’ll need to plan how
domains, organizational units (OUs), users, groups, and computers will
be named.

TIP
When planning and implementing any naming convention, I recommend
that you attempt to keep all names intuitive, short, and simple. This will
make everyone’s life (especially yours) much easier.

Naming Domains
First of all, you’ll need to name your Active Directory domain (or domains).
When you do this, you’ll need to consider if the name you assign to your
domain will be the same when accessed by users on your company’s
intranet as it will when accessed by external users over the Internet.
As was previously stated, Active Directory domains use DNS domain
names. Keep in mind that the maximum length of a fully qualified domain
name (FQDN), including periods and all extensions, is 63 characters.
Allowed characters include uppercase letters (A–Z), lowercase letters (a–z),
numbers (0–9), and the hyphen (-).
If your domain name will be the same for both internal and external users,
I recommend choosing a domain name that is as close to your company’s
name as possible so it will be easily recognized and located by Internet users
and by Internet search engines.
If you decide you want to further isolate your company’s private
intranet behind a firewall, you might choose to use one domain name for
internal use, and use a different domain name for external users on the
Internet. In this case, the domain name for internal use can be anything
you want, and the domain name that external users on the Internet use
should be as close to your company’s name as possible.
Before you choose your domain name, you should consider using an
Internet search engine to determine if the name you want to use is already
registered to someone else. Currently, DNS domain names are managed by
InterNIC (which stands for Internet Network Information Center).
Finally, if your network is connected to the Internet, you must register
your company’s DNS domain name (as accessed by users over the Internet)
with the appropriate naming authority (InterNIC in the United States).
Your Internet service provider will usually perform this task for you.

Naming Organizational Units

After you’ve named your domain, you’ll want to plan how to name your
organizational units (OUs). The key point about working with OUs is that
they should represent the portion of the organization that is being
managed. For example, if you use OUs to manage the users, groups, and
computers in your company that are located on a particular floor or in a
certain building, the name of the OU should readily identify the floor or
building being managed.
Depending on the number of OUs in your organization, you may not
need a formal naming scheme for OUs. Instead, you can choose intuitive
names for the OUs that represent the particular grouping of objects
they contain.

Naming Users, Groups, and Computers


If you have more than a few people in your organization, you’ll need to
plan a naming convention to use for users, groups, and computers.
When you create user, group, and computer accounts, keep in mind a
few rules for these names:
■ Length: User logon names can be from one to 20 characters long.
Computer names should be limited to 15 characters in length for
backward compatibility with NetBIOS applications and older
client operating systems, such as Windows 95, Windows 98,
Windows NT Workstation 4.0, and so on.
■ Uniqueness: Names created in a domain must be unique within
the domain. If you have a user named AlanC, for example, you
can’t create a computer account in the domain that is also
named AlanC.
■ Unacceptable characters: The following characters can’t be used
in user and group account names:
" / \ [ ] : ; | = , + * ? < >
In addition, a user or group account name can’t consist entirely of
spaces or periods.
■ Acceptable characters: As stated previously, computer names can
consist of only the following allowed characters: uppercase letters
(A–Z), lowercase letters (a–z), numbers (0–9), and the hyphen (-).

There are probably as many naming schemes for users, groups, and
computers as there are network administrators. Often, the overall length of
a name is limited to eight characters so that the name is compatible with
MS-DOS directory name limitations. This eight-character limitation is
common, but certainly not mandatory, especially on most of today’s
networks.
A few common naming conventions for user names include:
■ The first seven letters of the user’s first name plus the first letter of
the user’s last name
■ The first letter of the user’s first name plus the first seven letters of
the user’s last name
■ The user’s initials plus the last four digits of the user’s employee
number
■ Various hybrid combinations of the preceding schemes
Finally, you’ll need to come up with a way to handle exceptions. It’s
quite common, for example, for two users to have the same first name and
last initial, such as Mike Sinclair and Mike Saunders. If you choose to adopt
the first naming scheme in the preceding list, you will need to have a way
to resolve these potentially duplicate user names. You could resolve the
problem by assigning Mike Sinclair the user account name of MikeS
(assuming he was hired first), and assigning Mike Saunders the user
account name of MikeSa.
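The length and character rules in this section, together with the duplicate-resolution scheme just described, are easy to get wrong when accounts are created by hand, so they are worth encoding once. The following Python script is an added example and is not code from the book or from Microsoft: it validates names against the rules the chapter states (63-character FQDNs built from letters, digits and hyphens; 1 to 20 character logon names without the listed forbidden characters and not made only of spaces and periods; 15-character computer names; uniqueness across users and computers within a domain) and allocates logon names under the first scheme in the list above, extending the last-name prefix only when the shorter form is already taken. The function and class names (is_valid_fqdn, is_valid_logon_name, is_valid_computer_name, DomainNameRegistry) are my own; the sample names are the ones the chapter uses.

```python
"""Validators and a logon-name allocator for the naming rules in this chapter.

Added example, not code from the book. It encodes the rules the text states:
FQDNs are at most 63 characters including periods and use only A-Z, a-z,
0-9 and the hyphen; user logon names are 1 to 20 characters; computer names
are at most 15 characters; the characters " / \\ [ ] : ; | = , + * ? < > never
appear in a user or group name, which also must not consist only of spaces
and periods; and a name is unique within the domain across users and
computers. The allocator applies the chapter's first scheme (first seven
letters of the first name plus the first letter of the last name) and resolves
collisions as the chapter does for Mike Sinclair and Mike Saunders.
Function and class names are my own, not Windows APIs.
"""
import re

FQDN_MAX_LEN = 63
LOGON_NAME_MAX_LEN = 20
COMPUTER_NAME_MAX_LEN = 15
FORBIDDEN_IN_USER_AND_GROUP_NAMES = set('"/\\[]:;|=,+*?<>')
# One DNS label or NetBIOS-compatible host name: letters, digits, hyphen.
HOST_LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")


def is_valid_fqdn(name):
    """Active Directory domain name: 63 chars max (periods counted),
    every label non-empty and built from the allowed character set."""
    if not name or len(name) > FQDN_MAX_LEN:
        return False
    return all(HOST_LABEL_RE.match(label) for label in name.split("."))


def is_valid_logon_name(name):
    """User logon name: 1-20 chars, no forbidden characters, and not
    made up solely of spaces and periods."""
    if not 1 <= len(name) <= LOGON_NAME_MAX_LEN:
        return False
    if any(ch in FORBIDDEN_IN_USER_AND_GROUP_NAMES for ch in name):
        return False
    return not all(ch in " ." for ch in name)


def is_valid_computer_name(name):
    """Computer name: at most 15 chars (NetBIOS compatibility) using the
    same character set as a DNS label."""
    return (1 <= len(name) <= COMPUTER_NAME_MAX_LEN
            and HOST_LABEL_RE.match(name) is not None)


class DomainNameRegistry:
    """Names already used in one domain, compared case-insensitively, so a
    new user or computer name never duplicates an existing one."""

    def __init__(self):
        self._taken = set()

    def reserve_computer(self, name):
        if not is_valid_computer_name(name):
            raise ValueError("invalid computer name: %r" % name)
        if name.lower() in self._taken:
            raise ValueError("name already used in this domain: %r" % name)
        self._taken.add(name.lower())
        return name

    def allocate_logon_name(self, first_name, last_name):
        """Up to seven letters of the first name plus letters of the last
        name: one letter first, more only when the shorter form is already
        taken, so the earlier hire keeps the short name (MikeS, then MikeSa)."""
        first = "".join(ch for ch in first_name if ch.isalpha())[:7]
        last = "".join(ch for ch in last_name if ch.isalpha())
        for n in range(1, len(last) + 1):
            candidate = first + last[:n]
            if not is_valid_logon_name(candidate):
                break
            if candidate.lower() not in self._taken:
                self._taken.add(candidate.lower())
                return candidate
        raise ValueError("no unique logon name for %s %s" % (first_name, last_name))


if __name__ == "__main__":
    # Sample names are the chapter's own examples; the computer name is constructed.
    registry = DomainNameRegistry()
    registry.reserve_computer("WS-FLOOR3-01")
    for first, last in [("Mike", "Sinclair"), ("Mike", "Saunders"), ("Alan", "Carter")]:
        print(first, last, "->", registry.allocate_logon_name(first, last))
    print("example-corp.com valid:", is_valid_fqdn("example-corp.com"))
```

The registry keeps user and computer names in one case-insensitive set, which is what the AlanC rule above requires: once a computer named AlanC exists, the next Alan Carter hired becomes AlanCa. Group names get no length check here because the chapter states only the forbidden characters for them.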

Planning for Clients


Earlier in this chapter, I discussed the limitations that non-Windows 2000
client computers have in terms of their ability to use many of the new
features of Active Directory. Well, it’s important to consider how your
existing client computers will fit into your overall Windows 2000 Active
Directory implementation plan.
As I see it, you’ve basically got four options:
■ To achieve optimum functionality of client computers with Active
Directory, you can upgrade all of the client computers on your
network to Windows 2000 Professional.
■ To achieve moderate functionality of client computers with
Active Directory, you can install the Directory Service Client
on all Windows 98 and Windows 95 computers and upgrade all
other client computers (including Windows NT 4.0 computers)
to Windows 2000 Professional.
■ To achieve limited functionality of client computers with
Active Directory, you can install the Directory Service Client
on all Windows 98 and Windows 95 computers, and upgrade all
other client computers (including Windows NT 4.0 computers)
to Windows 2000 Professional only as they are replaced.
■ To achieve minimal functionality of client computers with Active
Directory, you can do nothing to existing client computers now,
and later upgrade client computers to Windows 2000 Professional
as they are replaced.
The choice you make will depend on many factors, including manage-
ment desires, the amount of funding you have to implement the project,
the amount of support manpower available, and how important full Active
Directory functionality is to you and your organization.

KEY POINT SUMMARY

This chapter introduced several key Active Directory terms and concepts:
■ Active Directory is the directory service used by Windows 2000. In Windows
2000, the directory service database is called the Active Directory data store.
A read/write copy of the Active Directory data store is physically located on
each domain controller in a Windows 2000 domain.
■ Active Directory has many key features. It provides fully integrated security,
provides ease of administration by using group policies, makes resources
easier to locate, is scalable to any size network, and is flexible and extensible.
■ Numerous Active Directory terms and concepts were defined and discussed in
this chapter:
• Object: A record in the directory that is defined by a particular set
of attributes
• Class: A template used to create a specific type of object
• Schema: A formal definition of all of the classes of objects and their
attributes stored in the directory
• Global catalog: A master, searchable index that contains information
about every object in every domain in a forest
• Hierarchical structure: A manner of organizing a group of interrelated
elements in which the elements are ranked or stacked, one above the other
• Domain: A logical grouping of networked computers in which one or
more of the computers has shared resources and in which all of the
computers share a common Active Directory data store
• Organizational unit (OU): A type of Active Directory object, sometimes
called a container object, that can contain objects and other organizational
units
• Domain tree: A hierarchical grouping of one or more domains that must
have a single root domain, and may have one or more child domains
• Trust relationship or trust: An agreement between two domains that
enables users in one domain to be authenticated by a domain controller
in another domain, and therefore to access shared resources in the
other domain
• Forest: A group of one or more domain trees, linked by transitive trusts,
that shares a common schema and global catalog
• Global catalog server: A domain controller that maintains a global catalog
• Replication: The process of copying information and information updates
from the Active Directory data store on one domain controller to other
domain controllers
• Site: One or more TCP/IP subnets, specified by an administrator; if a
site contains more than one subnet, the subnets should be connected
by high-speed, reliable links
• Flexible single master operations: Operations that can only be
performed by one specific domain controller
■ You must install Active Directory on all Windows 2000 Server computers that
you want to function as domain controllers — Active Directory is not installed
by default.
■ Active Directory is dependent on the Domain Name System (DNS). Both
Active Directory and DNS use the same hierarchical naming conventions.
In addition, on a Windows 2000 network, client computers use DNS servers
to locate Active Directory domain controllers.
■ When Active Directory is implemented on a Windows 2000 network,
different types of client computers have varying degrees of functionality
with Active Directory.
■ When getting ready to implement Active Directory on your Windows 2000
network, there are several elements you should consider planning for, including
your domain design, naming conventions, and how your existing client comput-
ers will fit into your overall Windows 2000 Active Directory implementation plan.

STUDY GUIDE
This section contains several exam readiness questions designed to test
your knowledge of Active Directory terms and concepts and help you
prepare for the Directory Services exam. You can find the answers to these
questions at the end of this chapter.

Assessment Questions
1. Which of the following is not a feature of Active Directory?
A. It is flexible and extensible.
B. It is scalable to any size network.
C. It provides ease of administration by utilizing group policies.
D. It eliminates the need for trust relationships between domains.
2. Which of the following are classes of Active Directory objects?
(Choose all that apply.)
A. User
B. Group
C. Domain
D. Workgroup
E. Organizational Unit
3. What is the minimum number of domains that a domain tree
can contain?
A. 1
B. 2
C. 3
D. 4
4. By default, what type of trust are all Windows 2000 trust relationships
within a domain tree or forest?
A. Explicit trust
B. One-way trust
C. Transitive trust
D. Non-transitive trust

5. Which master role causes the domain controller that performs this
role to be the only domain controller in the forest that can add a new
domain to the forest?
A. PDC emulator
B. Schema master
C. Relative ID master
D. Infrastructure master
E. Domain naming master
6. For most large companies, in terms of ease of network administration,
what is the optimum number of Active Directory domains to use on
their Windows 2000 network?
A. 1
B. 2
C. 3
D. More than 3
7. Which of the following are true statements about organizational units
(OUs)? (Choose all that apply.)
A. They are security principal objects.
B. They are sometimes called container objects.
C. They should mimic the company’s organization chart.
D. They should be used to make network administration easier.
E. They can contain objects and other organizational units from
their own domain.
8. You want to implement Active Directory on your Windows 2000
network. Your network consists of Windows 2000 Server computers,
Windows 2000 Professional computers, Windows NT Workstation
4.0 computers, and Windows 98 computers. You want to achieve
optimum functionality of all of the client computers with Active
Directory. What should you do?
A. Install the Directory Service Client on all of the Windows 98
computers.
B. Upgrade all of the Windows 98 computers to Windows 2000
Professional.
C. Upgrade all of the Windows NT Workstation 4.0 computers and
Windows 98 computers to Windows 2000 Professional.
D. Nothing. Windows 2000 will automatically detect all client
computers and optimize them to function with Active Directory.

Answers to Chapter Questions


Chapter Pre-Test
1. The correct answer consists of any two of the following key Active
Directory features:
• It provides fully integrated security.
• It provides ease of administration by utilizing group policies.
• It makes resources easier to locate.
• It is scalable to any size network.
• It is flexible and extensible.
2. Domains are the fundamental units that make up Active Directory.
3. A domain tree is a hierarchical grouping of one or more domains
that must have a single root domain, and may have one or more
child domains. In contrast, a forest is a group of one or more domain
trees, linked by transitive trusts, that shares a common schema and
global catalog.
4. Active Directory is dependent on DNS.
5. The primary purpose of OUs is the organization of related objects
and other organizational units to simplify administration.

Assessment Questions
1. D. Active Directory does not eliminate the need for trust relationships.
2. A, B, C, E. Of the items listed, only “Workgroup” is not a formal
class of Active Directory objects.
3. A. A domain tree is a hierarchical grouping of one or more domains
that must have a single root domain, and may have one or more
child domains.
4. C. By default, all Windows 2000 trusts within a domain tree or forest
are transitive trusts.
5. E. The domain naming master is the only domain controller that
can add or remove domains to/from the forest.
6. A. Using a single domain greatly simplifies the administration of
your network.
7. B, D, E. Organizational units (OUs), which are sometimes called
container objects, can contain objects and other OUs from their
own domain, and should be used primarily to make network
administration easier. OUs are not security principal objects,
and should not mimic the company’s organizational chart unless
that is how the network is administered.
8. C. To achieve optimum functionality of the client computers, you
must upgrade all of them to Windows 2000. Upgrading some of
them and/or installing the Directory Service Client will gain some
functionality, but the question specifically states that “optimum
functionality” is the required result.
EXAM MATERIAL: Professional, Server

EXAM OBJECTIVES

Professional (Exam 70-210)

■ Perform an attended installation of Windows 2000 Professional.
■ Troubleshoot failed installations.

Server (Exam 70-215)

■ Perform an attended installation of Windows 2000 Server.
■ Troubleshoot failed installations.

CHAPTER 3
Installing Windows 2000

In this chapter, I’ll explore how to install Windows 2000. I’ll describe the
hardware required to install the various Windows 2000 operating systems,
and walk you through a comprehensive preinstallation checklist. Next, I’ll
explain the actual installation process, including the different ways you can
start the installation, what takes place during each phase of the installation,
and a detailed listing of the steps involved in a typical attended installation of
Windows 2000. Then, I’ll cover how to uninstall Windows 2000. Finally, I’ll
present some tips on troubleshooting common Windows 2000 installation
problems.


88 Part II ▼ Installation and Configuration

Chapter Pre-Test
1. What is the HCL?
2. Your computer has a Pentium/100MHz processor, 32MB of RAM,
and 2GB of free hard disk space. Do you have the minimum
hardware required to install Windows 2000 Professional?
3. By default, in which folder is Windows 2000 installed?
4. What’s the difference between per server and per seat licensing?
5. Which method of starting Setup should you use to perform an
over-the-network installation of Windows 2000?

Chapter 3 ▼ Installing Windows 2000 89

Hardware Requirements for Installation


Before you can install Windows 2000, you need to make sure you have the
appropriate hardware. To avoid problems, only use hardware that appears
on the Windows 2000 Hardware Compatibility List (HCL). The HCL, which
is updated periodically, ships with each of the Windows 2000 products. The
file that contains the HCL, which is named HCL.txt, is located on the
Windows 2000 compact disc in the \Support folder.

TIP
You can also access the most recent Hardware Compatibility List by
visiting Microsoft’s Web site at http://www.microsoft.com/hcl.

If you have hardware that is not listed on the HCL, contact the manu-
facturer of your equipment to see if the correct Windows 2000 drivers for
that device can be obtained.

IN THE REAL WORLD


Many hardware manufacturers don’t go to the effort of getting their hard-
ware certified. However, I have found that most hardware will work with
Windows 2000, and does not require special drivers — the drivers that
come with the operating system work well in most situations.

Minimum Hardware Requirements


Table 3-1 shows the minimum hardware required to install Windows 2000
Professional and Windows 2000 Server/Advanced Server. Windows 2000
Server and Windows 2000 Advanced Server have virtually the same mini-
mum hardware requirements for installation.
TABLE 3-1 Minimum Hardware Required to Install Windows 2000

Hardware Component | Windows 2000 Professional | Windows 2000 Server/Advanced Server
Processor | Pentium/133MHz | Pentium/133MHz
Memory | 64MB of RAM | 256MB of RAM
Hard disk space | 1GB | 1GB
Display | VGA or better | VGA or better
Keyboard | Required | Required
Mouse or other pointing device | Strongly recommended | Strongly recommended
CD-ROM drive | Required (unless performing an over-the-network installation) | Required (unless performing an over-the-network installation)
Floppy disk drive | 3.5-inch high-density (unless booting from CD-ROM drive or performing an over-the-network installation) | 3.5-inch high-density (unless booting from CD-ROM drive or performing an over-the-network installation)
Network adapter card | Optional (required for over-the-network installation) | Optional (required for over-the-network installation)

Table 3-1 shows the minimum hardware required for installation pur-
poses only, as published by Microsoft.
More hard disk space is needed for applications and data files. In addition,
extra hard disk space — up to 100MB more — may be needed if the FAT
file system is used. Other factors to consider are that over-the-network
installations require more disk space than installing from a CD-ROM, and
that upgrades typically require more disk space than new installations.
Additional RAM may be required for some applications, and to speed
up operations while running applications.

Maximum Hardware Limitations


Up to this point I’ve focused on the minimum hardware required to install
Windows 2000. However, I should point out that there are some maxi-
mum hardware limitations, as well. The following maximum hardware is
supported by the Windows 2000 operating systems:
■ Windows 2000 Professional supports a maximum of two processors
and up to 4GB of RAM.
■ Windows 2000 Server supports a maximum of four processors and
up to 4GB of RAM.
■ Windows 2000 Advanced Server supports a maximum of eight
processors and up to 8GB of RAM.

Getting Ready to Install Windows 2000


A fair amount of user input is required during the Windows 2000
installation process. To make the installation go more smoothly and to
avoid the possibility of having to redo it, I recommend that you gather all
the information you will need before doing the installation. This will
enable you to give the appropriate responses as you are prompted by the
Windows 2000 installation program.
Because Windows 2000 supports Plug and Play, you don’t have to gather
as much hardware-specific information prior to installing Windows 2000 as
you would need to gather before installing Windows NT 4.0. Windows 2000
does a fairly good job of auto-detecting the various hardware components in
a computer, and can automatically configure hardware interrupts and I/O
addresses to avoid conflicts.
Because Windows 2000 automatically detects the hardware components
in your computer during installation, there is no longer a need for the NT
Hardware Qualifier (NTHQ) that was included with Windows NT 4.0.
This utility, which examined and identified an individual computer’s hard-
ware configuration and produced a text file of configuration data, is not
included with Windows 2000.
The rest of this section is devoted to assisting you in gathering and
documenting information about your computer and network environment so
you can successfully complete the installation. A detailed explanation
accompanies each item you need to consider. You might even want to
consider using the section as a worksheet and “filling in the blanks” as you go.

Source File Location


Path to Windows 2000 source files: ______________________________

If you use Winnt.exe or Winnt32.exe to install Windows 2000, the
installation program will prompt you to enter the location of the Windows
2000 source files. Provide the full local or network path to these source files.
Winnt.exe and Winnt32.exe are covered in detail later in this chapter.

Third-party SCSI or RAID Drivers


Do you need to install third-party SCSI/RAID drivers? Yes ____ No ____

If you use mass storage devices that make use of third-party SCSI or RAID
drivers, you should have the disk that contains these drivers on hand when
performing an installation of Windows 2000. The Windows 2000
installation program will prompt you for these drivers during installation.

Hard Disk Partition Information


Complete one of the following: Drive to install Windows 2000 on (C:,
D:, and so on): __________
Or, number (1, 2, 3, and so on) of the hard disk with enough
unpartitioned space for installation of Windows 2000: __________
The space on hard disks is divided into areas called partitions. Partitions are
represented by drive letters, for example, C:, D:, and so on. The Windows
2000 installation program requires you to choose which partition or area
of unpartitioned space you will use for the Windows 2000 installation. If
you select an area of unpartitioned space, the Windows 2000 installation
program will create a partition in the unpartitioned area, format the newly
created partition, and assign a drive letter to this new partition. Refer to
Table 3-1 to make sure the partition or area of unpartitioned space you
choose has enough available free space to install Windows 2000.
There are several utilities you can use to gather information about the
partitions on your computer’s hard disk(s). You can run the Fdisk.exe
utility from MS-DOS, Windows 95, or Windows 98 command line to
view your computer’s hard disk partition information. On a Windows NT
4.0 computer, you can use Disk Administrator to obtain this information.
You can also use the DIR command at a command prompt in MS-DOS,
Windows 95, Windows 98, or Windows NT to view the amount of free
space in a formatted partition. Alternately, you can use Windows Explorer
(on a Windows 95 or Windows 98 computer) or Windows NT Explorer
(on a Windows NT Workstation 4.0 or Windows NT Server 4.0 com-
puter) to view the amount of free space in a formatted partition.

File System
File system to be used for installation (choose one): FAT ____
FAT32 ____ NTFS ____
Windows 2000 supports three file system types: FAT, FAT32, and NTFS.
The file allocation table (FAT) file system (sometimes called the FAT16 file
system) is supported by Windows 2000 and many other operating systems,
including MS-DOS, OS/2, Windows 3.x, Windows 95, Windows 98, and
Windows NT. Normally, if you want your computer to dual boot between
Windows 2000 and one of these other operating systems (and both oper-
ating systems are located on the same hard disk partition), choose the FAT
file system. The FAT file system supports neither extended attributes nor
file-level security. For planning purposes, you should be aware that the
maximum size FAT partition supported by Windows 2000 is 4GB. While
Windows NT also supports FAT partitions up to 4GB in size, all other
operating systems that support the FAT file system only support FAT
partitions up to 2GB in size.
The FAT32 file system is supported by Windows 95 OSR2, Windows 98,
and Windows 2000. If you want your system to dual boot between
Windows 2000 and one of these other Windows operating systems, you
can use the FAT32 file system instead of the FAT file system. The FAT32
file system is more efficient than the FAT file system and supports larger
partition sizes. Windows 2000 will format FAT32 partitions up to 32GB in
size. Windows 2000 supports the use of FAT32 partitions larger than 32GB
that have been formatted by other operating systems.
The Windows NT file system (NTFS) is supported only by Windows
2000 and Windows NT. In general, choose NTFS if you do not want your
computer to dual boot between Windows 2000 and another operating
system and you want the added advantages provided by NTFS, including
extended attributes, file-level security, and partitions larger than 32GB. The
maximum practical size of an NTFS partition is 2 terabytes (TB).

TIP
I recommend you use the NTFS file system unless you require dual boot
capability.

You should carefully consider your choice of file system before installing
Windows 2000. If you select the FAT or FAT32 file system during your
installation of Windows 2000, you can easily convert the file system to
NTFS at a later date if you change your mind. However, if you select the
NTFS file system during your installation of Windows 2000 and then later
want to convert to FAT or FAT32, the process is much more difficult. To
convert from NTFS to any other file system, you must back up all data,
repartition and format the computer’s hard disk with FAT or FAT32,
reinstall Windows 2000, and then restore all the files from backup.
Windows 2000 does not support the high performance file system (HPFS)
used by OS/2. If you want to install Windows 2000 on a computer that
uses HPFS, you must back up all data, repartition and format the com-
puter’s hard disk with FAT, FAT32, or NTFS, and then restore all the files
from backup before you can install Windows 2000.

CROSS-REFERENCE
For a more in-depth discussion of file systems, see Chapter 6.

Installation Folder/Dual Boot


Name of folder to install Windows 2000 in: ________________________

By default, the Windows 2000 installation program installs Windows 2000
in the \Winnt folder on the selected partition (this is usually C:\Winnt).
If the installation program detects another operating system in this folder,
you will be prompted to choose whether to use this folder for the current
installation and delete the existing operating system, or to install Windows
2000 in another folder.

CAUTION
If you choose to install Windows 2000 in the folder containing another
operating system, Windows 2000 will delete the previously installed
operating system. Do not select this option unless you’re sure you will
never need to boot to your old operating system again.

If you choose to install Windows 2000 in another folder, the installation
program will prompt you to enter the name of the folder you want to use.
When you install Windows 2000 in a different folder than the previously
installed operating system, Windows 2000 will automatically configure the
computer to dual boot between Windows 2000 and the previously installed
operating system.

Regional Settings
Complete one of the following: Accept English (United States) defaults
for system and user locales and keyboard layout _____
Or, use the following custom settings:
__________________________________________________________
Regional settings enable you to customize Windows 2000 for your specific
region and language. The default option for both the system locale and
user locale is English (United States). The default keyboard layout is the US
keyboard layout.
If you work in the United States and use English for your primary lan-
guage, you will most likely be able to accept the defaults in this section and
continue on.
If you live in another part of the world, have a primary language other
than English, or prefer a different keyboard layout, you can customize
Windows 2000 to meet your needs.
If you don’t want to bother with selecting regional settings during the
installation process, you can accept the default options during the install,
and then use the Regional Options application in Control Panel to con-
figure your regional settings at a later time.

CROSS-REFERENCE
For more details on using the Regional Options application in Control
Panel, see Chapter 5.

Product Key
25-Character Product Key: ______ - ______ - ______ - ______ - ______

During installation, you need to enter the 25-character product key that is
located on the back of the Windows 2000 compact disc case. This entry is
required.

Licensing Mode
This section applies only to Windows 2000 Server and Windows 2000
Advanced Server.
Choose one: Per server ____ Per seat ____
If per server, number of client access licenses: __________

96 Part II ▼ Installation and Configuration

Windows 2000 Server (and Advanced Server) has two licensing modes: per
server and per seat.
■ Per server: In the per server licensing mode, you must have one
client access license for each concurrent connection to the server.
For example, if you have 150 client computers (workstations), but
only 100 of them will be logged on to the Windows 2000 Server
(or Advanced Server) computer at any one time, then you would
need 100 client access licenses. If you select the Per server option
during installation, enter the number of client access licenses you
have purchased for this server in the “Number of concurrent
connections” spin box. The minimum number of client access licenses
is 5, and the maximum number is 9,999.
I recommend you choose the per server licensing mode when you
have only one server, and not all of your client computers will
access the server at the same time.
■ Per seat: In the per seat licensing mode, you must have one client
access license for each client computer that will ever connect to a
Windows 2000 Server or Windows 2000 Advanced Server
computer on your network.
In general, I recommend you choose the per seat licensing mode
when you have more than one server on your network, particularly
when client computers will access multiple servers simultaneously.

WHEN USING PER SEAT LICENSING MAKES SENSE


The advantage to using the per seat licensing mode becomes apparent when you
have multiple servers on a network. In such a situation, you only have to buy one
client access license for each client computer, even if a client computer accesses
multiple servers at the same time.

For example, suppose you have 500 client computers and 6 Windows 2000 Server
computers on a network, and the client computers access several servers at a time.
If you choose the per seat licensing mode, you only need to purchase 500 client
access licenses, whereas if you choose the per server licensing mode, you probably
need to have more than one client access license per client computer.

Computer Name
What will this computer’s name be? ____________________________

During the installation of Windows 2000, you are prompted to enter the
name your computer will use on the network. The computer name is also
used as the computer’s NetBIOS name. NetBIOS names can be up to 15
characters long. You can use a computer name that is longer than 15
characters, but Windows 2000 will only use the first 15 characters for the
computer’s NetBIOS name.
All computers on the network must use different names. Uniqueness is
the key here, and it is judged on the 15-character NetBIOS name: two
names that differ only after the fifteenth character (Accounting-Workstation-01
and Accounting-Workstation-02, for example) produce the same NetBIOS
name, and the second computer to come online will fail to register it
(Windows reports a duplicate name on the network). If you have a small
network, you can probably get by with naming the computers after the
characters in your favorite movie, television series, or comic strip. If you
have a large network, however, you will probably want to use some type of
systematic naming scheme that keeps names to 15 characters and ensures
that each computer has a unique name.
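As an added example (not code from the book), here is a short Python script that derives the NetBIOS name Windows 2000 registers from a computer name, builds the 16-byte form used on the wire (the name upper-cased and space-padded to 15 bytes plus a one-byte service suffix, per RFC 1001/1002), applies the RFC 1002 first-level encoding you see in captured NetBIOS packets, and finds the names in a list that collapse onto the same NetBIOS name. The suffix bytes 0x00 (Workstation service) and 0x20 (Server service) are the standard Windows values; the illegal-character set is assumed to be a subset of what Windows rejects, and the sample names are constructed.

```python
"""Derive the NetBIOS name Windows 2000 registers from a computer name.

Added example, not code from the book. Windows keeps only the first 15
characters of the computer name for NetBIOS; on the wire a NetBIOS name is
16 bytes (the name upper-cased and padded with spaces to 15, plus a service
suffix byte) and is sent in the RFC 1002 "first-level" encoding, where each
nibble becomes one letter A..P.
"""

# Characters Windows rejects in a computer name (assumed subset of its full list).
ILLEGAL_CHARS = set('\\/:*?"<>|')

# Suffix bytes Windows 2000 registers for a computer's services.
SUFFIX_WORKSTATION = 0x00   # Workstation service (the computer name itself)
SUFFIX_SERVER = 0x20        # Server service (file and printer sharing)


def netbios_name(computer_name):
    """Return the NetBIOS name Windows 2000 derives: first 15 characters, upper-cased."""
    if not computer_name:
        raise ValueError("computer name must not be empty")
    bad = ILLEGAL_CHARS.intersection(computer_name)
    if bad:
        raise ValueError("illegal characters in computer name: %s" % "".join(sorted(bad)))
    return computer_name[:15].upper()


def netbios_name_bytes(computer_name, suffix):
    """Return the 16-byte wire form: name space-padded to 15 bytes plus the suffix byte."""
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    name = netbios_name(computer_name).encode("ascii")
    return name.ljust(15, b" ") + bytes([suffix])


def first_level_encode(name16):
    """RFC 1002 first-level encoding: each byte becomes two letters, one per nibble."""
    if len(name16) != 16:
        raise ValueError("a NetBIOS name is exactly 16 bytes")
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in name16)


def first_level_decode(encoded):
    """Inverse of first_level_encode, for reading names out of captured NetBIOS packets."""
    if len(encoded) != 32:
        raise ValueError("an encoded NetBIOS name is exactly 32 characters")
    pairs = zip(encoded[0::2], encoded[1::2])
    return bytes(((ord(hi) - ord("A")) << 4) | (ord(lo) - ord("A")) for hi, lo in pairs)


def find_collisions(computer_names):
    """Map each NetBIOS name that more than one computer name produces to those names."""
    groups = {}
    for name in computer_names:
        groups.setdefault(netbios_name(name), []).append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample names for illustration.
    names = ["FileServer", "Accounting-Workstation-01", "Accounting-Workstation-02"]
    for n in names:
        print("%-28s -> %s" % (n, netbios_name(n)))
    print("collisions:", find_collisions(names))
    wire = netbios_name_bytes("FileServer", SUFFIX_SERVER)
    print(wire, first_level_encode(wire))
```

Run it over your planned naming scheme before the rollout: find_collisions() reports every pair of names that would clash once truncated, which is far cheaper to discover on paper than from a duplicate-name error after Setup has already registered the first machine.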

Administrator Password
You may not want to write down the password for the Administrator
account here, but you will need to enter an administrator password during
the installation process.

CAUTION
Don’t forget the password for the Administrator account — you’ll need it
to log on and to perform administrative tasks once the system is up and
running. If you forget the administrator password, you’ll probably have to
reinstall Windows 2000.

When it comes time to type in the Administrator password, be aware
that passwords are case sensitive in Windows 2000. You’ll want to make sure
your Caps Lock key is off.
Setup does not enforce any password policy at this point, so it is up to you
to choose a long password that is not used on any other computer. The
built-in Administrator account is a well-known target for password guessing
and is not locked out by the account lockout policy, so a weak password
here is a weak password for the whole computer.

Components
If you’re only interested in installing Windows 2000 Professional, you can
skip this section — it applies only to Windows 2000 Server and Windows
2000 Advanced Server.

This list represents a myriad of optional components that can be selected
or deselected during the Windows 2000 Server (or Advanced Server)
installation process. Note that several components have subcomponents that
can be individually selected, and that some of the subcomponents have
subcomponents, as well.
If you’re not sure exactly which components to select, you can accept
the default selections, and use the Add/Remove Programs application in
Control Panel to change the components installed in your computer at a
later time. Keep in mind, though, that the default selections include
Internet Information Services, and that every network-facing component
you leave selected (the IIS services, Simple TCP/IP Services, SNMP,
Terminal Services, and so on) is listening on the network as soon as Setup
finishes. Deselecting what the server’s role does not need is the simplest
hardening step you can take.
Choose the components you want to install during the Windows
2000 Server (or Advanced Server) installation:

Accessories and Utilities Yes _____ No _____
If yes, select subcomponents:
Accessibility Wizard ____
Accessories ____ If selected, choose subcomponents:
Calculator ____
Character Map ____
Desktop Wallpaper ____
Document Templates ____
Mouse Pointers ____
Object Packager ____
Paint ____
Screen Savers ____
WordPad ____
Communications ____ If selected, choose subcomponents:
Chat ____
HyperTerminal ____
Phone Dialer ____
Games ____ If selected, choose subcomponents:
Freecell ____
Minesweeper ____
Pinball ____
Solitaire ____

Multimedia ____ If selected, choose subcomponents:
CD Player ____
Media Player ____
Sample Sounds ____
Sound Recorder ____
Utopia Sound Scheme ____
Volume Control ____

Certificate Services Yes _____ No _____
If yes, select subcomponents:
Certificate Services CA ____
Certificate Services Web Enrollment Support ____

Cluster Service (Windows 2000 Advanced Server only) Yes _____ No _____

Indexing Service Yes _____ No _____

Internet Information Services (IIS) Yes _____ No _____
If yes, select subcomponents:
Common Files ____
Documentation ____
File Transfer Protocol (FTP) Server ____
FrontPage 2000 Server Extensions ____
Internet Information Services Snap-In ____
Internet Services Manager (HTML) ____
NNTP Service ____ If selected, choose subcomponents:
NNTP Service ____
NNTP Service Documentation ____
SMTP Service ____ If selected, choose subcomponents:
SMTP Service ____
SMTP Service Documentation ____
Visual InterDev RAD Remote Deployment Support ____
World Wide Web Server ___

Management and Monitoring Tools Yes _____ No _____
If yes, select subcomponents:
Connection Manager Components ____
Network Monitor Tools ____
Simple Network Management Protocol ____

Message Queuing Services Yes _____ No _____

Networking Services Yes _____ No _____
If yes, select subcomponents:
COM Internet Services Proxy ____
Directory Service Migration Tool ____
Domain Name System (DNS) ____
Dynamic Host Configuration Protocol (DHCP) ____
Internet Authentication Service ____
QoS Admission Control Service ____
Simple TCP/IP Services ____
Site Server ILS Services ____
Windows Internet Name Service (WINS) ____

Other Network File and Print Services Yes _____ No _____
If yes, select subcomponents:
File Services for Macintosh ____
Print Services for Macintosh ____
Print Services for Unix ____

Remote Installation Services Yes _____ No _____

Remote Storage Yes _____ No _____

Script Debugger Yes _____ No _____



Terminal Services Yes _____ No _____
If yes, select subcomponents:
Client Creator Files ____
Enable Terminal Services ____

Terminal Services Licensing Yes _____ No _____

Typical or Custom Networking Settings

Choose one: Typical ____ Custom ____
During the installation of Windows 2000, you are prompted to choose one
of two options to use for network settings and options: typical settings or
custom settings.
■ Typical settings: If you select typical settings, a predefined set of
network components and settings are automatically installed and
configured. The network components that are installed are Client for
Microsoft Networks, File and Printer Sharing for Microsoft Networks,
and the TCP/IP protocol. TCP/IP is configured to automatically
receive configuration data from a DHCP server on your network.
The typical settings option is often selected for installations of
Windows 2000 Professional when the computer will function as a
client computer on a Windows 2000 Server network. If the typical
settings aren’t the settings you want, you can select the custom
settings option.
■ Custom settings: If you select custom settings, you can manually
add, remove, and configure networking components.
The types of components you can add, remove, and configure are
clients, services, and protocols. The specific networking components
that you can select are:
■ Clients:
  • Client for Microsoft Networks
  • Gateway (and Client) Services for NetWare (Windows 2000
    Server/Advanced Server only)
  • Client Service for NetWare (Windows 2000 Professional only)

■ Services:
  • Network Load Balancing (Windows 2000 Advanced Server only)
  • File and Printer Sharing for Microsoft Networks
  • QoS Packet Scheduler
  • SAP Agent
■ Protocols:
  • Internet Protocol (TCP/IP)
  • AppleTalk Protocol
  • DLC Protocol
  • NetBEUI Protocol
  • Network Monitor Driver
  • NWLink IPX/SPX/NetBIOS Compatible Transport Protocol

Although choosing the custom settings option permits you
to manually add, remove, and configure components, I should
point out that you don’t really have to configure anything if
you select this option. By default, Windows 2000 installs and
configures Client for Microsoft Networks, File and Printer Sharing for
Microsoft Networks, and Internet Protocol (TCP/IP). In addition,
on a Windows 2000 Advanced Server computer, Network Load
Balancing is also installed by default, but is not configured.
Once you add a particular client, service, or protocol, you can
enter specific configuration information for that client, service, or
protocol by configuring the component’s properties. Or, you can
let Windows 2000 apply its predefined default configurations for
each networking component.
If you decide that you want different networking components installed
after the installation process, or you want to change the configuration of an
installed network component, you can use the Network and Dial-up
Connections application in Control Panel to make these changes.
Whichever option you choose, remember that Setup enables File and
Printer Sharing for Microsoft Networks and brings TCP/IP up before you
have had any chance to apply a service pack or harden the computer, so
install on a network segment that untrusted hosts cannot reach, and
afterwards remove or unbind the components the computer does not need
(NetBEUI, NWLink, or File and Printer Sharing on an Internet-facing
interface, for example).

CROSS-REFERENCE
For detailed information on installing, configuring, and removing these
networking components, see Chapter 16.

Workgroup/Domain
Make this computer a member of (choose one):
Workgroup ____ Domain ____
Workgroup or domain name: ___________________________
If domain, authorized user name: _______________________
If domain, authorized user password: ____________________
You must choose to participate in either a workgroup or a domain.
■ Workgroup: In general, if your computer is not on a network, or
is on a network that does not have a domain, select workgroup. If
you elect to make this computer a member of a workgroup, only
users that have user accounts physically located in this computer’s
user account database will be able to log on to this computer
locally, or access this computer’s shared resources over the network.
■ Domain: If you want this computer to participate in an existing
domain on your network, choose the domain option. If you decide
to make this computer a member of a domain, two kinds of users
will be able to log on to this computer locally and to access this
computer’s shared resources over the network: users that have
accounts in this computer’s user account database, and users that
have user accounts in the Active Directory data store.
If you select the domain option, during installation you will need
to enter the user name and password of a user who is authorized to
join this computer to the domain. This is often the administrator, but
it does not have to be: by default any authenticated domain user can
join up to ten computers to the domain, and an account that has been
delegated the right to create computer objects in the target container
can join any number. Prefer such a low-privilege account, because the
credentials are being typed into a computer that has not yet been
patched or secured.
Whether you choose to make this computer a member of a workgroup
or a domain, you should be prepared to enter the name of the workgroup
or domain during the installation process.

CROSS-REFERENCE
For more information on choosing between workgroups and domains, see
the “Workgroups, Domains, and Active Directory” section in Chapter 1.

The Installation Process

Now that you understand the hardware required to install Windows 2000
and have all the information necessary to perform the installation, you’re
ready to move on to the actual installation process.

EXAM TIP
Both the Professional and Server exams have objectives on performing
an attended installation of Windows 2000. Be sure to study the
installation process carefully and do the labs at the end of this chapter.

In this section, I’ll begin by explaining the three different ways you can
start Setup, the Windows 2000 installation program. Then I’ll discuss the
setup flow in general, including the three distinct phases that take place
during the installation process. Finally, I’ll detail the specific steps necessary
to perform an installation of Windows 2000.

CROSS-REFERENCE
This chapter focuses on how to perform a single, attended, “clean”
installation of Windows 2000. For details on performing an upgrade to
Windows 2000, see Chapter 4. For information on automating the
installation of Windows 2000 and on using Remote Installation Services to
deploy Windows 2000 on a larger scale, see Chapter 19.

Starting Setup
The Windows 2000 user interface refers to the Windows 2000 installation
program by several different names during the installation process. It’s
called Windows 2000 Setup, Setup, and the Windows 2000 Setup Wizard.
For now, I’ll just call the program Setup.
There are three ways to start the installation process:
■ From a CD-ROM drive
■ Using Winnt.exe
■ Using Winnt32.exe

In the following sections I’ll explain how to use each of these three
methods to begin the Windows 2000 installation process.

Starting from a CD-ROM Drive

The most common way to start Setup is from a CD-ROM drive. To start
Setup from a CD-ROM drive, your computer must have a local CD-ROM
drive that is listed on the HCL. Place the Windows 2000 compact disc in
the CD-ROM drive. Then boot the computer from the CD-ROM drive,
or by using the Windows 2000 Setup Boot Disks if your computer does not
support booting directly from the CD-ROM drive.
If you want to make the Windows 2000 Setup Boot Disks, you will
need the Windows 2000 product compact disc; four blank, formatted,
high-density floppy disks; and access to a computer that currently runs
MS-DOS, Windows 95, Windows 98, Windows NT Workstation or Server,
or Windows 2000. To make the Windows 2000 Setup Boot Disks, run the
Makeboot.exe utility from an MS-DOS command prompt, or on a
Windows 95 or Windows 98 computer. Optionally, you can run the
Makebt32.exe utility from a Windows NT Workstation or Server 4.0 or
Windows 2000 computer. The Makeboot.exe and Makebt32.exe files
are located in the \Bootdisk folder on the Windows 2000 compact disc.

Using Winnt.exe
You can use Winnt.exe to start Setup from an unsupported CD-ROM
drive (a CD-ROM drive that is not listed on the HCL), or to start an
over-the-network installation.
Before you can use Winnt.exe, you must partition and format your
computer’s hard disk using either MS-DOS or Windows 95/Windows 98
DOS. Then boot the computer to DOS, and load either the CD-ROM
drivers or network drivers (depending on the type of installation you’re
doing). You should also run SmartDrive (Smartdrv.exe) to significantly
speed up the installation process. (Detailed steps to perform each of these
tasks are listed in the “Installing Windows 2000 by Using Winnt.exe”
step-by-step section later in this chapter.) Then you’re ready to begin an
installation of Windows 2000 by using Winnt.exe.

Winnt.exe has several optional command-line switches that enable
customization of the setup process. The syntax for the Winnt.exe command is:
winnt [/s:sourcepath] [/t:tempdrive]
[/u:answer_file] [/udf:id[,UDF_file]]
[/r:folder] [/rx:folder] [/e:command] [/a]

The various switches are not case sensitive — you can type them in either
uppercase or lowercase. To install Windows 2000 by using Winnt.exe, you
don’t really need to use these optional command-line switches. They’re
primarily used when performing unattended/automated installations of
Windows 2000. Note that an answer file contains everything Setup would
otherwise prompt you for, including the Administrator password in plain
text, so keep it (and any distribution share that holds it) readable only by
the people doing the deployment. Table 3-2 lists each command-line
switch, and its function.
TABLE 3-2 Winnt.exe Command-Line Switches
Switch What the Switch Does

/s:sourcepath Specifies the source location of Windows 2000 files.
You must specify a full path, in the form x:\path, or
\\server\share\path. The default sourcepath is the
current folder.
/t:tempdrive Specifies the drive that will contain the Windows 2000
temporary setup files during the installation process. If
not specified, Setup uses the first drive it finds that has
enough free space to function as the tempdrive. The
drive that is used for the tempdrive is also the drive on
which Windows 2000 will be installed.
/u:answer_file Specifies that an automated installation of Windows
2000 be performed. You must specify the complete
path to the answer file that will be used to automate
the installation. For more information on automating the
setup process, see Chapter 19.
/udf:id[,UDF_file] Specifies that a uniqueness database file (UDF) will be
used in conjunction with the answer file to automate
the setup.
/r:folder Specifies that an optional folder be copied to the local
hard disk during installation.
/rx:folder Specifies an optional folder to be copied to the local
hard disk during installation, and removed when the
installation process is complete.
/e:command Specifies a command to be executed at the end of the
setup process.
/a Specifies that accessibility options be enabled.

Using Winnt32.exe
Winnt32.exe is used to upgrade a previous installation of Windows 95,
Windows 98, Windows NT Workstation, or Windows NT Server to
Windows 2000; or to perform a fresh installation of Windows 2000 in a
different folder than the previously installed operating system. Installing
Windows 2000 in a different folder will automatically configure Windows
2000 to dual boot between the previously installed operating system and
Windows 2000. Because Winnt32.exe always runs from within an existing
Windows installation, no preparation of your computer (partitioning,
formatting, or loading CD-ROM or network drivers) is necessary prior to
performing the installation.
You can either use the Winnt32.exe command to perform the upgrade,
or you can use the autorun feature to automatically start the installation
when you insert the compact disc into the CD-ROM drive of the computer
to be upgraded. The primary advantage of using Winnt32.exe is that it
enables you to perform an unattended installation of Windows 2000,
whereas the autorun feature does not.

TIP
Unless you’re planning on performing an unattended or automated instal-
lation, I recommend you use the autorun feature to automatically start
the install when upgrading from a previous version of Windows to
Windows 2000.

Like Winnt.exe, Winnt32.exe has several optional command-line
switches that enable customization of the setup process. The syntax for the
Winnt32.exe command is:

winnt32 [/s:sourcepath] [/tempdrive:drive_letter]
[/unattend[num]:[answer_file]] [/copydir:folder_name]
[/copysource:folder_name] [/cmd:command_line]
[/debug[level]:[filename]] [/udf:id[,UDF_file]]
[/syspart:drive_letter] [/checkupgradeonly] [/cmdcons]
[/m:folder_name] [/makelocalsource] [/noreboot]

Again, the switches are not case sensitive — you may type them in either
uppercase or lowercase. To install Windows 2000 by using Winnt32.exe,
you don’t really need to use these optional command-line switches. They’re
primarily used when performing unattended/automated installations of
Windows 2000. Table 3-3 lists each command-line switch, and its function.

TABLE 3-3 Winnt32.exe Command-Line Switches

Switch What the Switch Does

/s:sourcepath Specifies the source location of Windows
2000 files. You must specify a full path, in
the form of x:\path, or \\server\share\path.
The default sourcepath is the current folder.
/tempdrive:drive_letter Specifies the drive that will contain the
Windows 2000 temporary setup files during
the installation process. If not specified,
Setup uses the first drive it finds that has
enough free space to function as the
tempdrive. The drive that is used for the
tempdrive is also the drive on which
Windows 2000 will be installed.
/unattend Specifies that an automated upgrade of the
existing operating system will be performed,
and that all user settings are taken from the
existing operating system.
/unattend[num]:answer_file Specifies that an automated installation of
Windows 2000 be performed. You must
specify the complete path to the answer file
that will be used to automate the installation.
You can also specify the number of seconds
that Setup will wait before rebooting the
computer at the end of the file copy process.
For more information on automating the
setup process, see Chapter 19.
/copydir:folder Specifies that an optional folder be copied
to the local hard disk during installation.
/copysource:folder Specifies an optional folder to be copied to
the local hard disk during installation, and
removed when the installation process is
complete.
/cmd:command_line Specifies a command to be executed at the
end of the setup process.
/debug[level]:[filename] Specifies that a debug log will be created.
You can specify the level of detail from 1 to
4, with 1 representing the least level of detail,
and 4 representing the highest. The log is
created using the filename you specify.
/udf:id[,UDF_file] Specifies that a uniqueness database file
(UDF) will be used in conjunction with the
answer file to automate the setup.

/syspart:drive_letter Specifies that the source files will be copied
to the partition specified by the /tempdrive
switch, and that the partition will be marked
active. Use this option when you plan to run
the copy portion of the installation on one
computer, and then install the drive in another
computer to complete the installation.
/checkupgradeonly Specifies that Setup will check the computer
for compatibility with Windows 2000.
/cmdcons Specifies that the Recovery Console be
installed on this computer, and added as an
option to the startup (boot loader) menu.
/makelocalsource Specifies that the source files be copied to
the local hard disk. Use this option when the
Windows 2000 compact disc will not be
available after the computer is restarted, or
when running Setup from a network share.
/noreboot Specifies that Setup will not reboot the
computer after the file copy phase is
complete.
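Because a mistyped switch on an unattended install is usually discovered only after the computer has rebooted into Setup, it helps to check the command line first. The following Python script is an added example (not from the book, and not part of Windows 2000 Setup) that serves both the Winnt.exe and the Winnt32.exe sections above: it parses a command line against the switch syntax in Tables 3-2 and 3-3, reports malformed values, and enforces the cross-switch rules the tables describe (/udf only makes sense with an answer file; /syspart copies to the partition named by /tempdrive). The deployment share \\deploy\w2k and the host id ws01 in the sample are made up, and /m:folder_name, which appears in the Winnt32.exe syntax line but not in Table 3-3, is assumed to take a value.

```python
"""Check a Winnt.exe / Winnt32.exe command line against the documented switches.

Added example, not part of the book or of Windows 2000 Setup. Switch names
and value rules follow Tables 3-2 and 3-3; /m:folder_name is in the syntax
line only and is assumed here to take a value.
"""
import re

# Value requirement per switch: "req" = value required, "opt" = optional,
# "none" = the switch takes no value.
WINNT_SWITCHES = {
    "s": "req", "t": "req", "u": "req", "udf": "req",
    "r": "req", "rx": "req", "e": "req", "a": "none",
}
WINNT32_SWITCHES = {
    "s": "req", "tempdrive": "req", "unattend": "opt", "copydir": "req",
    "copysource": "req", "cmd": "req", "debug": "opt", "udf": "req",
    "syspart": "req", "checkupgradeonly": "none", "cmdcons": "none",
    "m": "req", "makelocalsource": "none", "noreboot": "none",
}
NUMBERED = {"unattend", "debug"}          # accept /unattend5: and /debug4:

SWITCH_RE = re.compile(r"^/([a-z]+)(\d*)(?::(.*))?$", re.IGNORECASE)
# x:\path or \\server\share[\path], as Tables 3-2 and 3-3 require for /s.
SOURCE_RE = re.compile(r"^(?:[a-z]:\\.*|\\\\[^\\]+\\[^\\]+.*)$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[a-z]:?$", re.IGNORECASE)


def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted spans (quotes removed) together."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def check_values(program, switches):
    """Apply the per-switch value rules and the cross-switch rules from the tables."""
    errs = []
    for name, (num, value) in switches.items():
        if name == "unattend":
            # /unattend alone upgrades; /unattend[num]:answer_file needs the file.
            if (num is not None or value is not None) and not value:
                errs.append("/unattend[num]: requires an answer file path")
            continue
        if name == "debug":
            if num is not None and not 1 <= int(num) <= 4:
                errs.append("/debug level must be 1 to 4")
            continue
        if not value:
            continue        # a missing required value was already reported
        if name == "s" and not SOURCE_RE.match(value):
            errs.append("/s must be x:\\path or \\\\server\\share\\path")
        elif name in ("t", "tempdrive", "syspart") and not DRIVE_RE.match(value):
            errs.append("/%s expects a drive letter" % name)
        elif name == "udf" and not value.split(",", 1)[0]:
            errs.append("/udf needs an id, optionally followed by ,UDF_file")
    if "udf" in switches:
        answer = switches.get("u") if program == "winnt" else switches.get("unattend")
        if answer is None or not answer[1]:
            errs.append("/udf is only used together with an answer file (/u or /unattend:file)")
    if "syspart" in switches and "tempdrive" not in switches:
        errs.append("/syspart requires /tempdrive to name the partition")
    return errs


def parse_setup_command(cmdline):
    """Return (program, switches, errors).

    switches maps each lower-cased switch name to a (numeric_suffix, value)
    tuple, both None when absent; errors lists every problem found.
    """
    tokens = tokenize(cmdline)
    if not tokens:
        return None, {}, ["empty command line"]
    program = tokens[0].lower().rsplit("\\", 1)[-1]
    if program.endswith(".exe"):
        program = program[:-4]
    tables = {"winnt": WINNT_SWITCHES, "winnt32": WINNT32_SWITCHES}
    if program not in tables:
        return program, {}, ["not winnt or winnt32: %s" % tokens[0]]
    table, switches, errors = tables[program], {}, []
    for tok in tokens[1:]:
        m = SWITCH_RE.match(tok)
        if not m:
            errors.append("not a switch: %s" % tok)
            continue
        name, num, value = m.group(1).lower(), m.group(2) or None, m.group(3)
        if name not in table:
            errors.append("unknown switch for %s: /%s" % (program, name))
            continue
        if name in switches:
            errors.append("switch given twice: /%s" % name)
            continue
        if num is not None and name not in NUMBERED:
            errors.append("/%s does not take a numeric suffix" % name)
        if table[name] == "none" and value is not None:
            errors.append("/%s takes no value" % name)
        if table[name] == "req" and not value:
            errors.append("/%s requires a value" % name)
        switches[name] = (num, value)
    errors.extend(check_values(program, switches))
    return program, switches, errors


if __name__ == "__main__":
    # Constructed sample: unattended over-the-network install with a UDF,
    # started with Winnt32.exe from an existing Windows installation.
    cmd = (r"\\deploy\w2k\i386\winnt32.exe /s:\\deploy\w2k\i386 "
           r"/unattend5:\\deploy\w2k\unattend.txt /udf:ws01,\\deploy\w2k\hosts.udf "
           r"/tempdrive:c /makelocalsource /cmdcons")
    program, switches, errors = parse_setup_command(cmd)
    print(program, switches)
    print("errors:", errors or "none")
```

The checker is deliberately strict about /s: Setup wants a drive-rooted or UNC path, so a bare relative folder such as i386 is flagged even though it may happen to work from the current directory.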

Setup Flow
An attended installation of Windows 2000 takes place in two to three
distinct phases, depending on the installation method you use. For ease of
reference, I call these three phases the MS-DOS–based/file copy phase, the
text mode phase, and the Windows 2000 Setup Wizard phase. During each
phase you respond to various prompts and enter requested information.
The Windows 2000 installation program is called Windows 2000 Setup
or Setup in the first two phases, and is usually referred to as the Windows
2000 Setup Wizard in the third phase. The Windows 2000 installation
program either prompts you to reboot your computer or automatically
reboots your computer at the end of each of these three phases.
Here’s a brief description of what takes place during each phase of a
typical Windows 2000 installation.

MS-DOS–Based/File Copy Phase

The MS-DOS–based/file copy phase is the initial phase of the Windows
2000 installation process. This phase applies only when the Winnt.exe or
the Winnt32.exe installation options are used. Setup prompts you to
enter the location of Windows 2000 files, and then copies files to your
computer’s hard disk. Finally, Setup prompts you to restart your computer
to continue the installation.

Text Mode Phase

The text mode phase begins when you boot the computer with the
Windows 2000 Setup Boot Disk to perform an installation from a CD-ROM
drive, when you boot the computer directly from the CD-ROM drive, or
after you reboot the computer at the end of the MS-DOS–based phase
when using Winnt.exe or Winnt32.exe. I call this phase the text mode
phase because all of the screens are presented in a traditional DOS-like,
character-based format.
During the text mode phase, Windows 2000 Setup inspects your
computer’s hardware configuration, and prompts you to install third-party
SCSI or RAID drivers as necessary. The Windows 2000 Licensing Agreement
is displayed and must be agreed to in order to continue. Setup prompts you
to choose the partition you want to install Windows 2000 on and the file
system you want to use on this partition.
Finally, Setup examines your computer’s hard disk(s) for corruption,
then copies files to the Windows 2000 installation folders. Setup
automatically reboots your computer at the end of this phase.

Windows 2000 Setup Wizard Phase

In this phase the Windows 2000 Setup Wizard, which has a graphical user
interface, starts. This wizard begins by automatically detecting and installing
hardware devices on your computer.
The Windows 2000 Setup Wizard prompts you to supply quite a bit of
information during this phase. You are prompted to configure regional
settings, and to type in your name and the name of your organization. If you
are installing Windows 2000 Server or Advanced Server, you are prompted to
select a licensing mode. Then, you enter a computer name and Administrator
password. Next, if you are installing Windows 2000 Server or Advanced
Server, you select which components will be installed. Then, you can adjust
the date and time settings if they are not correctly displayed.

At this point the Windows 2000 Setup Wizard installs networking
components. Then you choose to use either typical or custom settings for
the installation. Next, you choose whether to make your computer a member
of a workgroup or a domain.
The last part of this phase takes a fair amount of time to complete. The
Windows 2000 Setup Wizard installs and configures various components.
Then, the wizard installs Start menu items, registers components, saves
settings, and removes any temporary files used for the installation.
Finally, you are prompted to remove the compact disc from your
CD-ROM drive, and to restart your computer.

Installing Windows 2000

Now that you have a basic understanding of how to start Setup and how
the Windows 2000 installation/setup process flows, I’ll move on to the
nitty-gritty steps of installing Windows 2000.
In this section, I present the basic steps to perform an attended
installation of Windows 2000 by using Winnt.exe. As you may recall, this
method is typically used to start an over-the-network installation, or to
start Setup from an unsupported CD-ROM drive. You can use these steps
as a general guide, but don’t be surprised to see different screens or
prompts when you perform your own installation, because the Windows
2000 Setup Wizard adapts itself to the particular hardware it detects in each
different computer. Also, depending on the components you choose to
install, different options and screens will be displayed for you to respond to.
I used the following steps to install Windows 2000 Server on my laptop
computer. When performing the installation, I chose the default options
presented. Although these steps detail an installation of Windows 2000
Server, I have noted any different steps or options displayed when
performing an installation of Windows 2000 Professional or Windows 2000
Advanced Server. Unless otherwise noted, the steps in this section apply to
all three Windows 2000 operating systems.
If you use either the Winnt.exe or the Winnt32.exe methods to
install Windows 2000, follow the steps as listed below. If you start an
installation of Windows 2000 by booting with a Setup Boot Disk or from a
CD-ROM drive, skip the first two sections below and begin directly with
the text mode phase.

STEP BY STEP

INSTALLING WINDOWS 2000 BY USING WINNT.EXE: PREPARING YOUR
COMPUTER FOR THE WINDOWS 2000 INSTALLATION
1. Boot your computer to MS-DOS from a floppy disk.
2. Use the MS-DOS Fdisk.exe command-line utility to partition your computer’s
hard disk. Then reboot your computer to MS-DOS from a floppy disk.
3. Use the MS-DOS Format.exe command-line utility to format your computer’s
hard disk. Use the /s switch with Format.exe to copy the MS-DOS system
files from the floppy disk to your computer’s hard disk. For example, to format the
C: drive, type format c: /s at an MS-DOS command prompt and press Enter.
4. Follow your CD-ROM manufacturer’s instructions to install the drivers for your
CD-ROM drive. You might have to reboot your computer at the end of this step to
cause the drivers to load.
5. At an MS-DOS command prompt, run SmartDrive by typing smartdrv.exe and
pressing Enter.
6. Make sure the Windows 2000 product compact disc (Server, Professional, or
Advanced Server) is in your CD-ROM drive.

PHASE 1 OF 3 — MS-DOS–BASED/FILE COPY PHASE

1. Change the default drive to your CD-ROM drive by typing in the CD-ROM drive
letter followed by a colon (for example, D:). Press Enter.
2. Type cd I386 and press Enter.
3. Type winnt and press Enter.
4. Windows 2000 Setup prompts you to enter the path where Windows 2000 files
are located. Press Enter.
5. Setup copies files to your computer’s hard disk. (This process takes a few
minutes.) The Windows 2000 [Server or Professional] Setup screen appears,
notifying you that the MS-DOS–based portion of Setup is complete, as shown in
Figure 3-1. If there is a floppy disk in drive A:, remove it. Then press Enter to
restart your computer and continue the installation.

PHASE 2 OF 3 — TEXT MODE PHASE

1. During the reboot process, Windows 2000 Setup inspects your computer’s
hardware configuration. If you have third-party SCSI or RAID drivers that need to
be installed, Setup prompts you to press F6 during this process. Be quick about
this — Setup only gives you about five seconds to respond. If you miss this screen,
you can power off your computer and power it back on to have another chance to
respond to this screen.
At this point, Windows 2000 Setup loads numerous files and drivers, then starts
Windows 2000.
4701-1 ch03.f.qc 4/24/00 09:04 Page 113

Chapter 3 ▼ Installing Windows 2000 113

STEP BY STEP Continued

FIGURE 3-1 Completing the MS-DOS–based portion of Setup

2. The Windows 2000 [Server or Professional] Setup screen appears, welcoming you to Setup. Press Enter.
3. The Windows 2000 Licensing Agreement is displayed. After reading the agreement, press F8 to accept the terms of the licensing agreement and to continue the installation.
4. Setup searches for previously installed versions of Windows 2000. If it detects a previously installed version, Setup prompts you to either repair the previous version or to continue installing a fresh copy of Windows 2000. Press R to repair or Esc to continue installing a fresh copy.
5. The Windows 2000 [Server or Professional] Setup screen appears, listing the partitions and unpartitioned space on your computer’s hard disk, as shown in Figure 3-2. Highlight the partition on which you want to install Windows 2000, and press Enter. Make sure the partition you select has enough free space for the installation. You can also create or delete a partition by using this screen.
6. If you chose to install Windows 2000 on a partition on which another operating system is installed, Setup prompts you to either press C to continue the installation, or to press Esc to choose another partition on which to install Windows 2000. If you press Esc, you will be returned to Step 5 and prompted to select the partition on which you want to install Windows 2000.
114 Part II ▼ Installation and Configuration

FIGURE 3-2 Selecting a partition on which to install Windows 2000

7. Setup prompts you to select the file system you want on the partition you
selected in Step 5, as shown in Figure 3-3. Highlight the file system you want,
and then press Enter.

FIGURE 3-3 Selecting a file system

8. If you are installing Windows 2000 on a partition that contains another operating
system in the \Winnt folder, Setup asks you to choose whether to use this folder
for the current installation and delete the existing operating system, or to install
Windows 2000 in another folder. If you choose to install Windows 2000 in another
folder, Setup will prompt you to enter the name of the folder you want to use.
9. Setup examines your computer’s hard disk(s) for corruption, then copies files to
the Windows 2000 installation folders. (This process takes a few minutes.) Setup
then initializes and saves the Windows 2000 configuration. Then Setup reports
that this portion of Setup has been successfully completed. If there is a floppy
disk in drive A:, remove it. Setup automatically reboots your computer.

PHASE 3 OF 3 — WINDOWS 2000 SETUP WIZARD PHASE

1. When your computer reboots, Windows 2000 displays a “Starting up . . .” screen. Then, the Windows 2000 Setup Wizard starts, and, after a couple of minutes, displays the initial Windows 2000 Setup Wizard welcome screen, as shown in Figure 3-4. Click Next to continue.

FIGURE 3-4 The Windows 2000 Setup Wizard

2. The Windows 2000 Setup Wizard automatically detects and installs hardware
devices on your computer. This takes several minutes, and your display may flicker
during this time. If your computer stops during this process for a long period of
time (more than an hour) or displays an error, reboot your computer and Setup
will resume automatically.
3. The Regional Settings screen is displayed. You can configure your system locale and user locales, and select from various input languages and keyboard layout options on this screen. By default, the system and user locales are set to English (United States), and the keyboard layout is the US keyboard layout. When you finish customizing these options, click Next to continue.
4. The Personalize Your Software screen is displayed. Type in your name and the
name of your company or organization. Click Next.
5. The Licensing Modes screen is displayed (for installations of Windows 2000
Server and Advanced Server only). Select the licensing mode you want to use.
If you select the Per Server mode, enter the number of Client Access Licenses
you have for this server. Click Next.
6. The Computer Name and Administrator Password screen is displayed, as shown
in Figure 3-5. You can either accept the default computer name presented, or
type in another name of your own choosing. After you choose a computer name,
type in a password for the Administrator account, and confirm that password by
retyping it. Click Next.

FIGURE 3-5 Entering a computer name and Administrator password

7. The Windows 2000 Components screen is displayed (for installations of Windows 2000 Server and Advanced Server only), as shown in Figure 3-6. This screen is not displayed for installations of Windows 2000 Professional. In this screen, you select which components will be installed. Some of the components listed in the Components list box have subcomponents, which can be selected individually. To display a list of subcomponents, highlight a component and click Details. Select the desired components and subcomponents you want to install by selecting the check box next to the component or subcomponent. When you are finished, click Next.
FIGURE 3-6 Selecting optional Windows 2000 components

8. The Date and Time Settings screen is displayed. You can set the correct day,
date, time, and time zone if they do not appear correctly. Click Next.
9. The Networking Settings screen is displayed, and Windows 2000 installs the networking components you selected. Next, you are prompted to choose whether to use typical or custom settings. Select the option you want, then click Next.

TIP
If you select the custom settings option, you may want to enter configuration information for various networking clients, protocols, and services. Detailed configuration information for these components is presented in later chapters.

10. The Workgroup or Computer Domain screen is displayed. Select whether to make this computer a member of a workgroup or a domain, and then either accept the default or type in the name of a workgroup or domain. Click Next. (If you choose to make this computer a member of a domain, after you click Next you will be prompted to enter the user name and password of a user that is authorized to join this computer to the domain.)
11. The Installing Components screen is displayed, and Setup installs and configures various components. This takes a few minutes.
12. The Performing Final Tasks screen is displayed, as shown in Figure 3-7. Here
Setup installs Start menu items, registers components, saves settings, and
removes any temporary files used during the installation. This process takes
several minutes to complete.

FIGURE 3-7 Windows 2000 performs final tasks

13. The Completing the Windows 2000 Setup Wizard screen appears. If there is a CD in your CD-ROM drive, remove it now. Then click Finish to restart your computer. This completes the installation of Windows 2000.
The next two sections of steps deal with running Windows 2000 for the first time after an installation is performed. The first of these sections covers what to do when running Windows 2000 Server or Windows 2000 Advanced Server for the first time. The last section explains the steps to run Windows 2000 Professional for the first time.

AFTER THE INSTALLATION — RUNNING WINDOWS 2000 SERVER OR ADVANCED SERVER FOR THE FIRST TIME

1. When your computer reboots and Windows 2000 starts, press Ctrl+Alt+Delete.
Then type in the password you selected earlier for the Administrator account.
Click OK.
2. The Windows 2000 Configure Your Server screen appears, as shown in Figure
3-8. Select the type of network environment you have (I selected “I will configure
my server later”), then click Next.
FIGURE 3-8 The Windows 2000 Configure Your Server screen

Because this chapter focuses on installing Windows 2000, I have deferred a detailed discussion of many configuration options until Chapters 5 through 7.
3. The Configure Your Server screen appears. You can configure your server now
if you want to. Or, you can close this window now and reopen it at any time by
selecting Start ➪ Programs ➪ Administrative Tools ➪ Configure Your Server.
By default, the Configure Your Server screen will be shown each time you start
Windows 2000. Close this window to exit.

AFTER THE INSTALLATION — RUNNING WINDOWS 2000 PROFESSIONAL FOR THE FIRST TIME

1. When your computer reboots, the Network Identification Wizard starts. Click Next.
2. The Users of This Computer screen is displayed, as shown in Figure 3-9. In this
screen, you select from two options: users must enter a user name and password
each time they use this computer, or Windows 2000 will automatically log on all
users of this computer by using a predefined user name and password. If you
select the second option (which is the default option), type in a user name and
password, and confirm the password by retyping it. Click Next.
FIGURE 3-9 Configuring the Users of This Computer screen

3. The Completing the Network Identification Wizard screen is displayed. Click Finish.
4. If you selected the default option in Step 2, Windows 2000 Professional starts
and automatically logs you on at this point.

Uninstalling Windows 2000


If you have incorrectly installed Windows 2000, or want to remove it from
your computer for any other reason, this section outlines the necessary steps.

Removing Windows 2000 from a FAT or FAT32 Partition

If your computer is configured to dual boot between Windows 2000 and
MS-DOS (or to dual boot between Windows 2000 and Windows 95 or
Windows 98), it is fairly easy to uninstall Windows 2000.
STEP BY STEP

REMOVING WINDOWS 2000 FROM A FAT OR FAT32 PARTITION

1. Boot your computer to MS-DOS (or Windows 95 or Windows 98) from a floppy
disk that has the Sys.com utility on it.
2. At the command prompt type Sys a: c: (and press Enter). This will replace the
Windows 2000 boot sector with the boot sector for your other operating system
(MS-DOS, Windows 95, or Windows 98).
3. Remove the floppy disk from drive A: and reboot the computer. MS-DOS,
Windows 95, or Windows 98 should start automatically.
4. Now that you have disabled Windows 2000, you can complete the removal of Windows 2000 files from your computer. Free up hard disk space by removing Pagefile.sys, Ntldr, Boot.ini, Ntdetect.com, Bootsect.dos, and, if it exists on your computer, Ntbootdd.sys. (Because some of these files have attributes of hidden, system, and read-only, you will have to remove the file attributes before you can delete these files.) You can also remove the entire Windows 2000 installation folder (usually C:\Winnt), and the \Program files\Windows NT folder. This completes the removal of Windows 2000.
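As an added example of step 4 (this is not code from the book), the following MS-DOS batch file clears the hidden, system, and read-only attributes on each boot file named above and then deletes it, testing for Ntbootdd.sys rather than assuming it is present, before removing the two folders. attrib, del, and deltree are standard MS-DOS 6.x and Windows 95/98 commands; the 8.3 alias C:\PROGRA~1\WINDOW~1 for the \Program files\Windows NT folder is an assumption you should confirm with DIR on your own disk. Run it only after Sys a: c: has succeeded and the other operating system boots on its own.

```batch
@echo off
rem Added example, not from the book: finish removing Windows 2000 from a
rem FAT/FAT32 C: drive after SYS A: C: has restored the old boot sector.
rem Runs from MS-DOS 6.x or a Windows 95/98 startup-disk command prompt.

rem DEL refuses to remove hidden, system, or read-only files, so clear the
rem attributes first. A "File not found" message from ATTRIB or DEL only
rem means that file was never on this system and is harmless.
attrib -r -s -h c:\pagefile.sys
attrib -r -s -h c:\ntldr
attrib -r -s -h c:\boot.ini
attrib -r -s -h c:\ntdetect.com
attrib -r -s -h c:\bootsect.dos

del c:\pagefile.sys
del c:\ntldr
del c:\boot.ini
del c:\ntdetect.com
del c:\bootsect.dos

rem Ntbootdd.sys is present only on some systems (those that boot through a
rem SCSI driver), so clear its attributes and then test before deleting.
attrib -r -s -h c:\ntbootdd.sys
if not exist c:\ntbootdd.sys goto folders
del c:\ntbootdd.sys

:folders
rem DELTREE /Y removes a whole directory tree without prompting. C:\WINNT is
rem the usual installation folder; change it if Setup was told to use another.
deltree /y c:\winnt
rem Assumption: real-mode DOS reaches "\Program files\Windows NT" only by its
rem 8.3 alias, typically PROGRA~1\WINDOW~1. Verify the alias with DIR first.
deltree /y c:\progra~1\window~1
echo Windows 2000 files removed.
```

The script deliberately avoids cmd.exe-only features such as `call :label` and `for /f`, which MS-DOS 6.x COMMAND.COM does not understand, so the same file works from whichever bootable floppy you used in step 1.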

Removing Windows 2000 from an NTFS Partition

If you want to remove Windows 2000 from an NTFS partition, you may want to delete that partition, because most other operating systems do not support NTFS.
Depending on your situation, to accomplish this you need to either delete an NTFS primary partition, or delete NTFS from an extended partition. In a nutshell, a primary partition is a disk partition that can be configured as the active partition, and that can only be formatted as a single logical drive. An extended partition is a disk partition that can be subdivided into one or more logical drives, but cannot be the active partition.

CROSS-REFERENCE
For more information on primary and extended partitions, see Chapter 6.
Deleting an NTFS Primary Partition

There are several ways to delete an NTFS primary partition:
■ You can use the Fdisk.exe utility that is included with MS-DOS 6.x, Windows 95, or Windows 98.
To do this, boot your computer to one of these operating systems by using a bootable floppy disk. Then run Fdisk.exe from a command prompt.
■ You can use the Delpart.exe utility from an MS-DOS 6.x, Windows 95, or Windows 98 command prompt.

TIP
The Delpart.exe utility is not included in the Windows 2000 product. However, you can download this utility via the Internet by accessing ftp://ftp.teleprint.ch/pub/ms. The filename at this location is Delpart.exe.

To use the Delpart.exe utility, boot your computer to MS-DOS 6.x, Windows 95, or Windows 98 by using a bootable floppy disk. Then run Delpart.exe from a command prompt.
■ You can use the Windows 2000 Setup Boot Disks.
Boot the computer from the Windows 2000 Setup Boot Disks. Go through the installation process until you get to the disk partition information section. Highlight the NTFS partition you want to delete, and press D. Follow the instructions displayed onscreen to finish deleting the partition. Then press F3 to exit Setup.
Other operating systems also have partitioning utilities that are capable of deleting an NTFS partition.

Deleting NTFS from an Extended Partition

You can’t use Fdisk.exe to delete NTFS from an extended partition. You must either use Delpart.exe or the Windows 2000 Setup Boot Disks, as described previously.
Troubleshooting Common Installation Problems

There are many common problems that can cause your installation of Windows 2000 to fail. Most of these problems occur because of hardware incompatibilities and/or misconfigured hardware.
When troubleshooting an installation problem, your first troubleshooting step should generally be to ensure that all of your hardware is on the HCL or is supported by the manufacturer. Next, ensure that there are no hardware conflicts, such as interrupt or I/O address conflicts.
Table 3-4 lists some common Windows 2000 installation problems and their possible causes and solutions.
TABLE 3-4 Troubleshooting Common Installation Problems

Problem: You have the recommended amount of free disk space, but still run out of disk space during the installation.
Possible Cause/Solution: The most likely cause of this problem is that your partition is formatted using larger sectors than were anticipated by the engineers who developed the minimum hardware requirements. Either use a larger partition for the installation, or free up disk space on your existing partition and restart the installation.

Problem: A blue screen or STOP message is displayed during installation or after a reboot.
Possible Cause/Solution: This can be caused by several things. Some of the most common causes are a corrupt boot sector, a boot sector virus, a failed hardware device, or a hardware configuration conflict. On another Windows 2000 computer, start Windows 2000 Help (Start ➪ Help) and search for the specific STOP message displayed. Windows 2000 Help contains, for many specific STOP messages, the most likely cause of the problem and a detailed recommended solution.

Problem: You can’t install from your CD-ROM drive.
Possible Cause/Solution: This could be caused by an unsupported CD-ROM or by an unsupported SCSI adapter card. Some SCSI adapter cards, such as PC card SCSI adapters, are not supported during installation, but you can install the drivers for them after the installation is complete. Try installing over the network using Winnt.exe.

Problem: You can’t join a domain during installation.
Possible Cause/Solution: The most common causes of this problem are incorrect TCP/IP configuration settings on the computer being installed, a bad or incorrect network adapter driver, loose or failed network connections, or an incorrectly typed user name, password, or domain name. Verify the TCP/IP settings on your computer. Ensure that you have the correct network adapter driver. Check network cables and connections. Confirm that you have correctly typed in the user account name, password, and domain name. (All passwords in Windows 2000 are case sensitive.)

Problem: Network services don’t start correctly.
Possible Cause/Solution: Common causes of this problem include incorrect TCP/IP configuration settings, a bad or incorrect network adapter driver, and duplicate computer names. Verify the TCP/IP settings on your computer. Ensure that you have the correct network adapter driver. Confirm that the newly assigned computer name is unique — that it does not match any other computer, domain, or workgroup name used on the network.
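Two rows of the table blame failed domain joins and network services that do not start on incorrect TCP/IP settings, and step 12 of Lab 3-1 has you type a static address and mask by hand. As an added example (not from the book), the following Python script, run on any other machine, checks a static IP address, subnet mask, and optional default gateway for the inconsistencies that most often cause those symptoms: a non-contiguous mask, a host address that is really the network or broadcast address, and a gateway that is not on the host’s own subnet. The sample values are constructed; 192.168.59.101 with mask 255.255.255.0 is the pair the lab uses, and the gateway addresses are invented for the demonstration.

```python
import ipaddress
from typing import List, Optional

# Added example (not from the book): sanity-check a static TCP/IP configuration
# before typing it into the Networking Settings screen. Sample addresses below
# are constructed; 192.168.59.101/255.255.255.0 is the pair the lab uses.


def check_static_ip(ip: str, mask: str, gateway: Optional[str] = None) -> List[str]:
    """Return a list of problems with a static IP/mask/gateway triple.

    An empty list means the values are mutually consistent. Each string
    describes one misconfiguration of the kind Table 3-4 blames for failed
    domain joins and for network services that do not start.
    """
    problems: List[str] = []
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return [f"IP address {ip!r} is not a valid IPv4 address"]

    try:
        # strict=False accepts a host address rather than a network number;
        # the mask itself must still be a contiguous run of one-bits, or
        # ipaddress raises ValueError (e.g. 255.255.0.255 is rejected).
        net = ipaddress.IPv4Network((addr, mask), strict=False)
    except ValueError:
        return [f"subnet mask {mask!r} is not a valid contiguous IPv4 mask"]

    if addr.is_loopback or addr.is_multicast:
        problems.append(f"{addr} is a loopback or multicast address, not a host address")
    if net.prefixlen < 31:
        # In /31 and /32 networks every address is usable; otherwise the first
        # and last addresses are reserved and cannot be assigned to a host.
        if addr == net.network_address:
            problems.append(f"{addr} is the network address of {net}")
        elif addr == net.broadcast_address:
            problems.append(f"{addr} is the broadcast address of {net}")

    if gateway is not None:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            problems.append(f"default gateway {gateway!r} is not a valid IPv4 address")
            return problems
        if gw == addr:
            problems.append(f"default gateway {gw} is the host's own address")
        elif gw not in net:
            # A gateway the host cannot reach directly means no route off the
            # subnet, so a domain controller elsewhere can never be located.
            problems.append(f"default gateway {gw} is not on subnet {net}")
    return problems


def report(ip: str, mask: str, gateway: Optional[str] = None) -> str:
    """One-line, human-readable verdict for a configuration."""
    problems = check_static_ip(ip, mask, gateway)
    label = f"{ip} / {mask}" + (f" via {gateway}" if gateway else "")
    return f"{label}: OK" if not problems else f"{label}: " + "; ".join(problems)


if __name__ == "__main__":
    # Constructed sample configurations (only the first pair comes from the lab).
    print(report("192.168.59.101", "255.255.255.0"))
    print(report("192.168.59.101", "255.255.255.0", "192.168.59.1"))
    print(report("192.168.59.101", "255.255.255.0", "10.0.0.1"))
    print(report("192.168.59.255", "255.255.255.0"))
    print(report("192.168.59.101", "255.255.0.255"))
```

The check is purely local: it cannot tell you whether the address is already in use on the wire or whether a domain controller answers, but it catches the typing and subnetting mistakes that the table lists before you spend another reboot discovering them.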

Microsoft has some valuable resources for troubleshooting installation (and other Windows 2000) problems, such as the Microsoft Technical Support Web site, which you can access at http://www.microsoft.com/support. This Web site features links to several searchable knowledge bases, some of which are free, and some of which require that you subscribe and pay a fee to access.

KEY POINT SUMMARY

This chapter explored numerous Windows 2000 installation topics:

■ The minimum hardware required to install Windows 2000 Professional includes a Pentium/133MHz processor, 64MB of RAM, and 1GB of free hard disk space.
■ The minimum hardware required to install Windows 2000 Server/Advanced Server includes a Pentium/133MHz processor, 256MB of RAM, and 1GB of free hard disk space.
■ There are three methods that can be used to start an installation of Windows 2000:
• From a CD-ROM drive: This is the most common way to start Setup.
• By using Winnt.exe: This method is used to start Setup from an unsupported CD-ROM drive, or to start an over-the-network installation.
• By using Winnt32.exe: This method is used to upgrade a previous installation of Windows 95, Windows 98, Windows NT Workstation, or Windows NT Server to Windows 2000; or to perform a fresh installation of Windows 2000 in a different folder than the previously installed operating system.
■ A typical attended installation of Windows 2000 takes place in two to three distinct phases, depending on the installation method you use. I call these three phases the MS-DOS–based/file copy phase, the text mode phase, and the Windows 2000 Setup Wizard phase.
■ There are many common problems that can cause your installation of Windows 2000 to fail. Most of these problems occur because of hardware incompatibilities, misconfigured hardware, or both.
STUDY GUIDE
This section contains several exercises that are designed to cement your knowledge and help you prepare for the Professional and Server exams:
■ Exam readiness questions: These questions test your knowledge of the Windows 2000 installation topics covered in this chapter. You can find the answers to these questions at the end of this chapter.
■ Scenario: The situation-based questions in scenarios challenge you to apply your understanding of the material to solve a hypothetical problem. In a scenario, you may be asked to decide “why” or “how,” to design a structure or strategy, or to devise a solution to a problem. You don’t need to be at a computer to do scenarios. Answers to this chapter’s scenario are presented at the end of this chapter.

EXAM TIP
Since many questions on Microsoft certification exams are scenario-based, the Scenario exercises will help you prepare for the types of complex questions you’re likely to encounter when you take the Windows 2000 exams.

■ Lab Exercises: These exercises are hands-on practice activities that you perform on a computer. The labs in this chapter give you an opportunity to install Windows 2000 Professional and Windows 2000 Server.

EXAM TIP
The labs in this book are extremely important for your exam preparation.
Don’t even think about skipping them! There’s no substitute for using the
Windows 2000 products to master the skills that the Microsoft Certified
Professional exams test.
Assessment Questions
1. You want to install Windows 2000 Professional on a computer. What are the minimum hardware requirements to install this operating system?
A. Pentium/75MHz processor, 16MB of RAM, 400MB of free hard disk space
B. Pentium/100MHz processor, 32MB of RAM, 500MB of free hard disk space
C. Pentium/133MHz processor, 64MB of RAM, 1GB of free hard disk space
D. Pentium/166MHz processor, 128MB of RAM, 1GB of free hard disk space
2. You want to install Windows 2000 Server on a computer. What are the minimum hardware requirements to install this operating system?
A. Pentium/75MHz processor, 16MB of RAM, 400MB of free hard disk space
B. Pentium/100MHz processor, 32MB of RAM, 500MB of free hard disk space
C. Pentium/133MHz processor, 256MB of RAM, 1GB of free hard disk space
D. Pentium/166MHz processor, 128MB of RAM, 2GB of free hard disk space
3. You are preparing to install Windows 2000 on a computer, and you want this computer to be able to dual boot between Windows 2000 and Windows 98. Which file system should you use?
A. FAT (or FAT32)
B. NTFS
C. HPFS
D. You can use either FAT or NTFS.
4. You want to install Windows 2000 Professional on a new computer you just purchased for your home. The computer was sold to you without an operating system installed. Which method will you attempt to use first to start the Windows 2000 installation?
A. From a CD-ROM drive
B. By using Winnt.exe
C. By using Winnt32.exe
D. By using a network installation startup disk
5. You are preparing to install Windows 2000 Server on a new computer at your office. You want to perform an over-the-network installation. Which method will you use to start the installation?
A. From a CD-ROM drive
B. By using Winnt.exe
C. By using Winnt32.exe
D. By using a network installation startup disk
6. You are installing Windows 2000 on a computer that already has another operating system installed on it. You choose to install Windows 2000 in a different folder than the previously installed operating system. What will Windows 2000 do?
A. Abort the installation process.
B. Delete the previously installed operating system.
C. Display an error message indicating that Windows 2000 cannot be installed in a different folder.
D. Cause the computer to dual boot between Windows 2000 and the previously installed operating system.
7. You are performing an attended installation of Windows 2000 Server. During the installation you choose “Custom settings” for network settings and options. Which types of components can you select when configuring “Custom settings”? (Choose all that apply.)
A. Accessories
B. Clients
C. Protocols
D. Services
E. Utilities
8. You are installing Windows 2000 Professional on a computer that is not on a network. When prompted by Windows 2000 Setup during the installation, what should you “Make this computer a member of ”?
A. Domain
B. Active Directory domain
C. E-mail group
D. Workgroup

Scenarios
Scenarios provide you with an opportunity to apply the knowledge you’ve
gained in this chapter. In this particular scenario, you’ll get to practice
applying the facts you’ve learned about troubleshooting failed Windows
2000 installations.
A Windows 2000 installation can fail for a number of reasons. For each
of the following problems, consider the given facts and answer these ques-
tions:What do you think the possible causes of the failed installation are?
What course of action would you take to try to resolve the problem?
1. You attempt to perform an attended installation of Windows 2000
Professional on a new computer at your office. During the installa-
tion, the process stops and a blue screen is displayed.
2. You are performing an attended installation of Windows 2000 Server.
During the installation, you try to join a domain, but an error mes-
sage is displayed indicating that the domain controller for this domain
cannot be located.

Lab Exercises
The objective of these labs is to provide you with hands-on experience
installing Windows 2000 Server and Windows 2000 Professional.

CAUTION
You need to have access to a dedicated computer (or a dedicated hard
disk) to perform the labs in this book, because installing Windows 2000
and converting to NTFS will render your computer unbootable by any
other operating system (such as Windows 95, Windows 98, and so on).
If you’re using a home computer or office computer (or any other computer that other people use), I strongly recommend that you obtain a separate hard disk to use to perform the labs in this book. That way, you’ll be able to do the Windows 2000 labs, and the other people who use the computer will be able to continue using it the way they always have, without change to their operating system, applications, or data. Using a separate hard disk will also ensure that your labs will not corrupt existing data or programs on the computer’s original hard disk.

Using a Separate, Dedicated Hard Disk

Short of having access to a dedicated computer to perform the labs in this book, the next best thing is having your own separate, dedicated hard disk — one that only you use. With the way hardware prices have been dropping lately, this is a very inexpensive way to promote harmony in your home (or office, or anywhere that you share a computer with someone else). (Have you ever changed the settings on a computer that your spouse or coworker uses? If you have, you’ve probably experienced the pain and suffering I’m trying to prevent.) Using a dedicated hard disk can also protect your original disk from potential data corruption or loss.
Working with a dedicated hard disk is fairly painless. I recommend that (with your computer powered off) you bolt the new hard disk (the one you will use only to perform the labs in this book and to practice with Windows 2000) into an empty drive bay in your computer near your existing primary hard disk (C:). Then, when you want to use the computer to perform a lab, with the computer powered off, disconnect the cables from the existing hard disk and connect them to the new, dedicated hard disk. Since most computers now autodetect hard disks, you shouldn’t have to reconfigure your computer’s BIOS or change jumper settings each time you swap hard disks. When you’re finished working with Windows 2000, power off the computer, then move the cables on the dedicated hard disk back to the original hard disk.
Lab Exercises
Lab 3-1 Performing an Attended Installation of Windows 2000 Server

EXAM MATERIAL (Server)

The objective of this lab is for you to practice performing an attended installation of Windows 2000 Server and develop the skills used to perform this task. In this lab, you install Windows 2000 Server by starting Setup from a CD-ROM drive.
I make a few assumptions about the hardware you’ll be using to perform the labs in this book. I assume that:
■ You plan to use a dedicated hard disk (or a dedicated computer).

CAUTION
If you don’t use a dedicated hard disk or dedicated computer, I strongly
recommend that you back up all important data and programs before
performing any of the labs in this book.

■ Your hard disk is not yet partitioned and does not contain any data.
■ Your computer meets the minimum hardware requirements specified in the “Hardware and Software You’ll Need” section in the Preface of this book.
■ Your computer is configured to boot directly to its CD-ROM drive. (If it is not configured in this way, or can’t be configured to boot this way, you’ll need to create the Windows 2000 Setup Boot Disks as explained in the “Starting from a CD-ROM drive” section earlier in this chapter.)
This lab consists of three parts:
■ Part 1: Starting Setup from a CD-ROM Drive
■ Part 2: Running the Windows 2000 Setup Wizard
■ Part 3: Running Windows 2000 Server for the First Time
Follow the steps presented here carefully.

Part 1: Starting Setup from a CD-ROM Drive

1. Place the Windows 2000 Server compact disc in your computer’s CD-ROM drive.
2. Power the computer on and boot from the CD-ROM drive. (Your computer may prompt you to press a key to boot from the CD-ROM drive.)

TIP
If your computer can’t be configured to boot from its CD-ROM drive, boot
the computer by using the Windows 2000 Setup Boot Disks. Follow the
instructions presented on-screen until Windows 2000 Setup begins.

3. Windows 2000 Setup begins. Setup inspects your computer’s hardware configuration. If you have third-party SCSI or RAID drivers that need to be installed, press F6 during this process. (If you don’t have these drivers, just ignore this screen.) Then Windows 2000 Setup loads numerous files and drivers, and starts Windows 2000.
4. If you’re using an evaluation copy of Windows 2000, a screen may
appear notifying you that you are installing such a version. Press Enter.
5. The Windows 2000 Server Setup screen appears, welcoming you to
Setup. Press Enter.
6. The Windows 2000 Licensing Agreement is displayed. Press F8 to
accept the terms of the licensing agreement and to continue the
installation.
7. The Windows 2000 Server Setup screen appears, listing the unpartitioned space on your computer’s hard disk. Highlight the largest area of unpartitioned space and press Enter. (This space should be at least 2GB in size to perform all of the labs in this book.)
8. Setup prompts you to select the file system you want to use. Highlight
“Format the partition using the FAT file system” and press Enter.
9. Setup notifies you that because of the size of the partition, it will
format the partition using the FAT32 file system. Press Enter.
10. Setup formats the new partition. (This process takes a few minutes.) Then Setup examines your computer’s hard disk(s) for corruption, and copies files to the Windows 2000 installation folders. (This process also takes a few minutes.) Setup then initializes and saves the Windows 2000 configuration. Finally, Setup reports that this portion of Setup has been successfully completed. At this point, remove the Windows 2000 Server compact disc from the CD-ROM drive. In addition, if there is a floppy disk in drive A:, remove it. Setup then automatically reboots your computer.

Part 2: Running the Windows 2000 Setup Wizard

1. After your computer reboots, place the Windows 2000 Server compact disc back in your computer’s CD-ROM drive when prompted, and click OK.
2. After a couple of minutes, Setup displays the initial Windows 2000 Setup Wizard welcome screen. Click Next to continue. (If you don’t click Next immediately, Windows 2000 automatically continues on to the next step.)
3. The Windows 2000 Setup Wizard automatically detects and installs hardware devices on your computer. This takes several minutes, and your display may flicker during this time. If your computer stops during this process for a long period of time (more than an hour) or displays an error, reboot your computer and Setup will resume automatically.
4. The Regional Settings screen is displayed. Click Next.
5. The Personalize Your Software screen is displayed. Type your name in the Name text box. If applicable, type the name of your company or organization in the Organization text box. Click Next.
6. The Licensing Modes screen is displayed. Click Next.
7. The Computer Name and Administrator Password screen is displayed. In the “Computer name” text box, type Server01. (If you’re doing this lab in a classroom with multiple computers on a network, your instructor will provide you with the appropriate computer name to use.) In the “Administrator password” text box, type password. Confirm the password by typing password in the “Confirm password” text box. Click Next.
8. The Windows 2000 Components screen is displayed. Accept the default selections, and click Next.
9. The Date and Time Settings screen is displayed. Set the correct day, date, time, and time zone if they do not appear correctly. Click Next.
10. The Networking Settings screen is displayed, and Windows 2000 installs networking components. When prompted, select the “Custom settings” option and click Next.
11. In the Networking Components screen, highlight Internet Protocol (TCP/IP). Click Properties.
12. In the Internet Protocol (TCP/IP) Properties dialog box, select the “Use the following IP address” option.
If you are on a network that uses TCP/IP, in a classroom environment, or if you are connected to the Internet, obtain an IP address, subnet mask, and default gateway address from your network administrator or instructor. Otherwise, type an IP address of 192.168.59.101 and a subnet mask of 255.255.255.0 in the appropriate text boxes. Click OK.
13. In the Networking Components screen, click Next.
14. The Workgroup or Computer Domain screen is displayed. Accept the default option of “No, this computer is not on a network, or is on a network without a domain.” Also accept the default workgroup name WORKGROUP, and click Next.
15. The Installing Components screen is displayed, and Setup installs and configures various components. This takes a few minutes.
16. The Performing Final Tasks screen is displayed. Here Setup installs Start menu items, registers components, saves settings, and removes any temporary files used during the installation. This process takes several minutes to complete.
17. The Completing the Windows 2000 Setup Wizard screen appears. Remove the Windows 2000 Server compact disc from your CD-ROM drive. Then click Finish to restart your computer. This completes the installation of Windows 2000 Server.
Part 3: Running Windows 2000 Server for the First Time

1. When your computer reboots and Windows 2000 Server starts, press Ctrl+Alt+Delete. When prompted, enter a password of password. Click OK.
2. The Windows 2000 Configure Your Server screen appears. Select the
“I will configure this server later” option, then click Next.
Because this chapter focuses on installing Windows 2000, I have
deferred a detailed discussion of many configuration options until
Chapters 5 through 7.
3. The Configure Your Server screen appears. Clear the check box next
to “Show this screen at startup.” Close this window.

Lab 3-2 Performing an Attended Installation of Windows 2000 Professional and Configuring Dual Boot with Windows 2000 Server

EXAM MATERIAL (Professional)

The objective of this lab is for you to practice performing an attended installation of Windows 2000 Professional and develop the skills used to perform this task. After you complete this lab, you will be able to dual boot your computer between Windows 2000 Server and Windows 2000 Professional.

TIP
Before you can successfully complete this lab, you should complete
Lab 3-1.

This lab consists of four parts:


■ Part 1: Starting Setup from a CD-ROM Drive
■ Part 2: Completing the Text Mode Phase
■ Part 3: Running the Windows 2000 Setup Wizard
■ Part 4: Running Windows 2000 Professional for the First Time
Follow the steps in this lab carefully.

Part 1: Starting Setup from a CD-ROM Drive

1. Start Windows 2000 Server on your computer, and log on as Administrator. (Remember the password? It’s password.)
2. Place the Windows 2000 Professional compact disc in your com-
puter’s CD-ROM drive.
3. The Microsoft Windows 2000 CD dialog box appears. Click “Install
Windows 2000” from the list on the left side of the box.
4. A warning message appears, notifying you that you can’t upgrade from
Windows 2000 Server to Windows 2000 Professional. Click OK.
5. The Windows 2000 Setup wizard begins. Click Next to install a new
copy of Windows 2000.
6. The Windows 2000 License Agreement is displayed. Select the option
next to “I accept this agreement” and click Next.
7. The Select Special Options screen appears. Click Advanced Options.
8. In the Advanced Options dialog box, replace the text in the “Windows
installation folder” text box with \WINNTPRO. Select the check
box next to “Copy all Setup files from the Setup CD to the hard
drive.” Click OK.
9. In the Select Special Options screen, click Next.
10. The Upgrading to the Windows 2000 NTFS File System screen
appears. Select the option next to “No, do not upgrade my drive”
and click Next. Setup copies files from the compact disc to your
hard disk. (This takes a few minutes.)
11. Setup notifies you that this portion of setup has completed successfully. When this happens, remove the Windows 2000 Professional compact disc from your CD-ROM drive. Windows 2000 automatically reboots your computer.

Part 2: Completing the Text Mode Phase

1. When your computer reboots, Setup inspects your computer’s hardware configuration. If you have third-party SCSI or RAID drivers that need to be installed, press F6 during this process. (If you don’t have these drivers, just ignore this screen.) Then Windows 2000 Setup loads numerous files and drivers, and starts Windows 2000.
2. If you’re using an evaluation copy of Windows 2000, a screen may
appear notifying you that you are installing such a version. Press Enter.
3. The Windows 2000 Server Setup screen appears, welcoming you to
Setup. Press Enter.
4. The Windows 2000 Professional Setup screen appears. Press Esc.
5. On the next Windows 2000 Professional Setup screen that appears,
ensure that the partition you installed Windows 2000 Server on
(usually C:) is highlighted. Press Enter.
6. On the next Windows 2000 Professional Setup screen that appears,
press C to continue.
7. On the next Windows 2000 Professional Setup screen that appears,
ensure that “Leave the current file system intact (no changes)” is
highlighted. Press Enter.
8. Setup examines your hard disk(s), then copies files to the Windows 2000 installation folders. This can take a few minutes. Setup initializes and saves your Windows 2000 configuration, and then automatically reboots your computer.

Part 3: Running the Windows 2000 Setup Wizard

1. When your computer reboots, Setup displays the Windows 2000 Setup Wizard welcome screen. Click Next to continue. (If you don’t click Next immediately, Windows 2000 automatically continues on to the next step.)
2. The Windows 2000 Setup Wizard automatically detects and installs hardware devices on your computer. This takes several minutes, and your display may flicker during this time. If your computer stops during this process for a long period of time (more than an hour) or displays an error, reboot your computer and Setup will resume automatically.
3. The Regional Settings screen is displayed. Click Next.
4. The Personalize Your Software screen is displayed. Type your name in the Name text box. If applicable, type the name of your company or organization in the Organization text box. Click Next.
5. The Computer Name and Administrator Password screen is displayed. In the “Computer name” text box, type Professional01. (If you’re doing this lab in a classroom with multiple computers on a network, your instructor will provide you with the appropriate computer name to use.) In the “Administrator password” text box, type password. Confirm the password by typing password in the “Confirm password” text box. Click Next.
6. The Date and Time Settings screen is displayed. Set the correct day,
date, time, and time zone if they do not appear correctly. Click Next.
7. The Networking Settings screen is displayed, and Windows 2000 installs networking components. When prompted, select the “Custom settings” option and click Next.
8. In the Networking Components screen, highlight Internet Protocol (TCP/IP). Click Properties.
9. In the Internet Protocol (TCP/IP) Properties dialog box, select the “Use the following IP address” option.
If you are on a network that uses TCP/IP, in a classroom environment, or if you are connected to the Internet, obtain an IP address, subnet mask, and default gateway address from your network administrator or instructor. Otherwise, type an IP address of 192.168.59.101 and a subnet mask of 255.255.255.0 in the appropriate text boxes. Click OK.
10. In the Networking Components screen, click Next.
11. The Workgroup or Computer Domain screen is displayed. Accept the default option of “No, this computer is not on a network, or is on a network without a domain.” Also accept the default workgroup name WORKGROUP, and click Next.
12. The Installing Components screen is displayed, and Setup installs and configures various components. This takes a few minutes.
13. The Performing Final Tasks screen is displayed. Here Setup installs Start menu items, registers components, saves settings, and removes any temporary files used during the installation. This process takes several minutes to complete.
14. The Completing the Windows 2000 Setup Wizard screen appears. Click Finish to restart your computer. This completes the installation of Windows 2000 Professional.
Part 4: Running Windows 2000 Professional for the First Time

1. When your computer reboots, the Network Identification Wizard starts. Click Next.
2. The Users of This Computer screen is displayed. Select the option
next to “Users must enter a user name and password to use this
computer.” Click Next.
3. The Completing the Network Identification Wizard screen is dis-
played. Click Finish.
4. In the Log On to Windows dialog box, type the Administrator password (remember — it’s password) in the Password text box. Click OK. Windows 2000 Professional logs you on, brings up the desktop, and displays the Getting Started with Windows 2000 dialog box. (If you don’t want this dialog box to appear each time you start Windows 2000 Professional, clear the check box next to “Show this screen at startup,” and click Exit.)

Answers to Chapter Questions

Chapter Pre-Test
1. The HCL is the Windows 2000 Hardware Compatibility List.
2. No. The minimum hardware required to install Windows 2000 Professional includes a Pentium/133MHz processor, 64MB of RAM, and 1GB of hard disk space. The computer in question does not have an adequate processor or enough RAM. See Table 3-1.
3. By default, the Windows 2000 installation program installs Windows
2000 in the \Winnt folder on the selected partition.
4. Per server licensing requires one client access license for each concur-
rent connection to the server, and is useful when you have only one
server. Per seat licensing requires one client access license for each
client computer that will ever connect to a Windows 2000 Server/
Advanced Server computer, and is useful when you have more than
one server on the network and client computers will access multiple
servers simultaneously.
5. Use Winnt.exe to start an over-the-network installation of
Windows 2000.
Assessment Questions
1. C. See Table 3-1.
2. C. See Table 3-1.
3. A. If you want your computer to dual boot between Windows 2000
and Windows 98, you should choose the FAT or FAT32 file system,
because Windows 98 does not support NTFS or HPFS, and Windows
2000 does not support HPFS.
4. A. The most common way to install Windows 2000 on a new com-
puter is from a CD-ROM drive.
5. B. Winnt.exe is used to start an over-the-network installation of
Windows 2000.
6. D. When Windows 2000 is installed in the same folder as the other operating system, Windows 2000 will delete the previously installed operating system. When Windows 2000 is installed in a different folder than the other operating system, it will automatically configure the computer to dual boot between Windows 2000 and the previously installed operating system.
7. B, C, D. The types of components you can select from in “Custom
settings” are clients, services, and protocols.
8. D. In general, if your computer is not on a network, make the com-
puter a member of a workgroup.

Scenarios
1. Some possible causes of the failed installation are hardware conflicts
(or incompatibilities), a failed hardware device, a corrupt boot sector,
or a boot sector virus.
Possible courses of action to resolve the problem include starting
Windows 2000 Help on another Windows 2000 computer and
searching for the specific STOP message displayed on the computer
with the blue screen, checking for two pieces of hardware with the
same settings (I/O port, interrupt, and so on) and reconfiguring hard-
ware if conflicts are found, and repairing the boot sector by using
Fdisk/mbr from MS-DOS or by using a virus detection utility.
2. Probably the most common cause of this type of failed installation is that the domain name or the user’s name or password has been typed incorrectly, or typed in the wrong case. Remember that all passwords in Windows 2000 are case sensitive. Is the Caps Lock feature on?
Other possible causes of this failed installation are incorrect TCP/IP
configuration settings, a bad or incorrect network adapter driver, a
bad network cable or connection, or a domain controller that is
inaccessible.
Possible courses of action you could take to resolve this problem
include retyping the domain name, user’s name, or password (making
sure to use the proper case and making sure the Caps Lock key is
turned off), and ensuring that all TCP/IP settings on the computer are
correct. You might also check to make sure you have the correct network adapter driver, check the network cable and connections, and verify that the domain controller is up and accessible on the network.

EXAM MATERIAL (Professional, Server)

EXAM OBJECTIVES

Professional (Exam 70-210)
■ Upgrade from a previous version of Windows to Windows 2000 Professional.
■ Apply update packs to installed software applications.
■ Prepare a computer to meet upgrade requirements.

Server (Exam 70-215)
■ Upgrade a server from Microsoft Windows NT 4.0.

CHAPTER 4
Upgrading to Windows 2000

This chapter focuses on upgrading a computer to Windows 2000. You’ll learn how to prepare a computer for upgrade and how to perform the upgrade. Specifically, I’ll show you how to upgrade a Windows 95, Windows 98, or Windows NT Workstation computer to Windows 2000 Professional. I’ll also show you how to upgrade a Windows NT Server computer to Windows 2000 Server. Finally, I’ll spend some time explaining how to upgrade an entire network to Windows 2000.

Part II ▼ Installation and Configuration

Chapter Pre-Test
1. Can you upgrade a Windows for Workgroups computer
to Windows 2000 Professional?
2. Can you upgrade a Windows NT Workstation 4.0 computer
to Windows 2000 Server?
3. How can you tell if your computer’s current hardware is adequate
for upgrading to Windows 2000?
4. What should you do if some of your existing software applications
aren’t compatible with Windows 2000?
5. When upgrading your existing Windows NT Server 4.0 network
to Windows 2000, which computer should you upgrade first?
Chapter 4 ▼ Upgrading to Windows 2000

Preparing to Upgrade
Before you upgrade a computer to Windows 2000, there are several steps you
should take to prepare for the upgrade. First of all, you should ask yourself
numerous questions to make sure that upgrading to Windows 2000 makes the
best sense for your situation. If you don’t decide to upgrade, you may decide
to install the Directory Service Client on the computer. If you decide to go
ahead with the upgrade, you’ll need to prepare the computer by making sure
it has sufficient, compatible hardware to run Windows 2000. You may also need to obtain upgrade packs for some of your installed software programs.
Finally, there are a few special considerations you should note if you’re plan-
ning to upgrade computers on an existing Windows NT 4.0 network. All
these questions are discussed in the following sections.

Questions to Ask Yourself
Before you rush right out to upgrade a computer to Windows 2000 (or to
any new version of an operating system), there are several questions you
should consider:

Do I Need to Upgrade This Computer?
Sometimes we automatically assume that just because we can do something, like upgrade a computer to a newer version, we should do that thing. But, if the computer is currently doing everything you want it to do, maybe there’s no need to upgrade it. On the other hand, if the new version will provide features and functionality that you want or need to use, upgrading may make a lot of sense. Also, if upgrading this computer is part of an overall plan to upgrade several or all computers on your network to Windows 2000, the answer to this question is probably “yes.”
If you’re not sure you need to upgrade this particular computer (and the
computer runs Windows 95 or Windows 98), but you have other computers
on your network that run Windows 2000 and have Active Directory
installed, you may decide that you only need to install the Directory Service
Client on this computer to take advantage of the added Active Directory
functionality this client provides.
For details on how to install the Directory Service Client, see the
“Installing the Directory Service Client” section later in this chapter.
Is the Computer’s Current Operating System Upgradeable to Windows 2000?
You can upgrade the following operating systems to Windows 2000 Professional: Windows 95, Windows 98, Windows NT Workstation 3.51, and Windows NT Workstation 4.0. The only operating systems you can upgrade to Windows 2000 Server are Windows NT Server 3.51 and Windows NT Server 4.0.
You probably noticed that I didn’t mention Windows for Workgroups (and Windows 3.x) in the last paragraph. You can’t upgrade directly from
these operating systems to Windows 2000. If you need to upgrade a com-
puter running either of these operating systems, you’ll need to perform a
clean install of Windows 2000 on the computer, or perform the upgrade in
steps — first upgrading to Windows 95, Windows 98, or Windows NT
Workstation, and then upgrading to Windows 2000. Personally, I recom-
mend that you bypass this last option and replace the computer in question
because the hardware typically found on a Windows 3.x computer isn’t
adequate to run Windows 2000.

If This Computer’s Operating System Is Upgradeable, Would It Be Better to Perform an Upgrade or Better to Do a Clean Install of Windows 2000?
There’s no one right answer to this question, but there are some general guidelines to go on. One key consideration is that Windows NT Workstation and Windows NT Server are vastly easier to upgrade to Windows 2000 than Windows 95 or Windows 98. This is because Windows NT Workstation and
Windows NT Server have a registry structure that is nearly identical to the
Windows 2000 registry structure, while Windows 95 and Windows 98 have
a different registry structure. Windows NT Workstation and Windows NT
Server tend to have fewer hardware and software compatibility problems
during an upgrade because Windows 2000 is the next generation/version of
Windows NT.
Another key factor to weigh is the amount of time it takes to perform an
upgrade versus the amount of time it takes to perform a clean install, and
then reinstall and configure all of the applications used on the computer. If
there are numerous applications on the computer that you want to continue
using, it might be faster to upgrade.
Is the Computer’s Hardware Sufficient for (and Compatible with) Windows 2000?
Windows 2000 requires more hardware resources than previous versions of Windows. A lot more. To determine if the hardware in a computer is satisfactory for an upgrade to Windows 2000, you can use a Windows 2000
utility to produce a hardware and software upgrade report. If the com-
puter’s existing hardware is not sufficient for (or not compatible with)
Windows 2000, consider whether you will upgrade hardware, buy a new
computer that is better and faster, or retain the old computer as it is and
not upgrade it to Windows 2000.

IN THE REAL WORLD
Just because your computer meets the minimum hardware requirements
to install Windows 2000 doesn’t mean that it will run Windows 2000
acceptably. It’s been my experience that a computer’s processor and
RAM should significantly exceed the minimum hardware requirements to
produce performance that is satisfactory to users.

See Table 4-1 for the minimum processor, RAM, and hard disk space
required to install Windows 2000 Professional and Windows 2000 Server.
See the “Preparing a Hardware and Software Upgrade Report” step-by-step
section later in this chapter for detailed instructions on how to determine
whether a computer’s hardware is adequate for and compatible with
Windows 2000.

Are All of the Existing Applications on This Computer Compatible with Windows 2000?
Windows 2000 includes a utility that you can use to produce a hardware and software upgrade report. This report indicates whether the applications
installed on your computer will run correctly with Windows 2000. If some
of your existing applications are not compatible with Windows 2000,
check with the application’s manufacturer to see if an upgrade pack can be
obtained. Apply the upgrade pack during the upgrade process when
prompted by the Windows 2000 Setup program.
See the “Preparing a Hardware and Software Upgrade Report” step-by-
step section later in this chapter for detailed instructions on how to determine
whether a computer’s software is compatible with Windows 2000.
Installing the Directory Service Client

If, for whatever reason, you decide not to upgrade an individual Windows
95 or Windows 98 computer to Windows 2000, but you run Windows 2000
(and Active Directory) on servers and other computers on your network,
you may decide to install the Directory Service Client on this computer.
When the Directory Service Client is installed on a Windows 95 or
Windows 98 client computer, the client computer is able to:
■ Access fault-tolerant Dfs shares
■ Search Active Directory
■ Change passwords on any domain controller
You can install the Directory Service Client on any Windows 95 or Windows 98 computer. The Directory Service Client is also called the DS Client for Windows 98. I’ll go through the steps to install the Directory Service Client in the next section.

TIP
Before you install the Directory Service Client on a Windows 95 com-
puter, you should ensure that Internet Explorer 4.01 or later is installed
and that Active Desktop is enabled — otherwise the wizard used to install
the Directory Service Client won’t run.

STEP BY STEP

INSTALLING THE DIRECTORY SERVICE CLIENT

1. Boot your computer to its existing operating system (Windows 95 or Windows 98).
Log on as Administrator.
2. Place the Windows 2000 Server compact disc in your computer’s CD-ROM drive.
3. Windows 2000 displays a message indicating that the compact disc contains a
newer version of Windows than you are currently running. Click No.
4. Close the Microsoft Windows 2000 CD dialog box.
5. Select Start ➪ Programs ➪ MS-DOS Prompt.
6. At the MS-DOS prompt, type the drive letter of your CD-ROM drive, followed by
a colon — for example, D: — and press Enter. Then type cd \clients\win9x and
press Enter. Type dsclient and press Enter.
7. Windows 2000 extracts files and then displays the Directory Service Client Setup
Wizard as shown in Figure 4-1. Click Next.

FIGURE 4-1 The Directory Service Client Setup Wizard


8. The “Ready to install” screen appears. Click Next.
9. The Installation screen appears. The wizard detects your system configuration
and copies files to your hard disk. Click Next.
10. The installation is completed. Click Finish.
11. Windows prompts you to restart your computer. Click Yes to reboot.

Preparing a Computer to Meet Upgrade Requirements
When you prepare a computer to meet Windows 2000 upgrade require-
ments, you’re basically focusing on two things: hardware and software. The
following sections explain how to determine if your computer meets the
minimum Windows 2000 upgrade requirements, and what to do if it doesn’t.

Determining If Hardware Is Adequate
Windows 2000 is somewhat of a hardware hog. It requires better, faster
hardware than previous versions of Windows just to run, and more than
that if you want it to perform satisfactorily.

Table 4-1 reviews the minimum processor, memory (RAM), and available
hard disk space required to install Windows 2000 Professional and Windows
2000 Server. Keep in mind that these are the bare-bones minimum require-
ments, and that you’ll probably want to use better components for your
upgrade if at all possible.
TABLE 4-1 Minimum Processor, Memory, and Disk Space Required to Install Windows 2000

Hardware Component         Windows 2000 Professional   Windows 2000 Server/Advanced Server
Processor                  Pentium/133MHz              Pentium/133MHz
Memory                     64MB of RAM                 256MB of RAM
Available hard disk space  650MB                       1GB
(minimum recommended hard disk size: 2GB)
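The upgrade-path rules in the "Is the Computer’s Current Operating System Upgradeable to Windows 2000?" section and the Table 4-1 minimums are the two checks an administrator applies to every machine before scheduling an upgrade. The following Python script is an added example, not code from the book or from Microsoft; it encodes both rules and runs them over a constructed inventory (the machine names and figures are assumptions, and 1GB is taken as 1024MB). It goes a little beyond the text by combining the two checks into one verdict per machine and by flagging disks that meet the minimum but fall below the recommended 2GB.

```python
"""Windows 2000 upgrade-readiness check.

Added example, not a tool from the book or from Microsoft. It encodes
two things the chapter states: which operating systems can be upgraded
directly to each Windows 2000 edition, and the Table 4-1 minimum
processor, RAM and free disk space. The inventory at the bottom is
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Direct upgrade paths stated in the chapter.
DIRECT_UPGRADE: Dict[str, set] = {
    "Professional": {
        "Windows 95", "Windows 98",
        "Windows NT Workstation 3.51", "Windows NT Workstation 4.0",
    },
    "Server": {"Windows NT Server 3.51", "Windows NT Server 4.0"},
}

# Systems that reach Windows 2000 Professional only by first upgrading to
# Windows 95/98/NT Workstation (or by a clean install).
STAGED_ONLY = {"Windows 3.x", "Windows for Workgroups"}

# Table 4-1 minimums: processor MHz, RAM MB, free disk MB (1GB taken as 1024MB).
MINIMUMS: Dict[str, Dict[str, int]] = {
    "Professional": {"cpu_mhz": 133, "ram_mb": 64, "disk_mb": 650},
    "Server": {"cpu_mhz": 133, "ram_mb": 256, "disk_mb": 1024},
}
RECOMMENDED_DISK_MB = 2048  # Table 4-1 minimum recommended disk size (2GB)


@dataclass
class Machine:
    """One inventoried computer (constructed data, not a real host)."""
    name: str
    os: str
    cpu_mhz: int
    ram_mb: int
    free_disk_mb: int


def upgrade_path(current_os: str, edition: str) -> str:
    """Return "direct", "staged" or "clean-install" for an upgrade target."""
    if current_os in DIRECT_UPGRADE[edition]:
        return "direct"
    if edition == "Professional" and current_os in STAGED_ONLY:
        return "staged"
    return "clean-install"


def hardware_shortfalls(machine: Machine, edition: str) -> List[str]:
    """List the Table 4-1 components the machine falls short on."""
    mins = MINIMUMS[edition]
    short = []
    if machine.cpu_mhz < mins["cpu_mhz"]:
        short.append(f"processor {machine.cpu_mhz}MHz < {mins['cpu_mhz']}MHz")
    if machine.ram_mb < mins["ram_mb"]:
        short.append(f"RAM {machine.ram_mb}MB < {mins['ram_mb']}MB")
    if machine.free_disk_mb < mins["disk_mb"]:
        short.append(f"disk {machine.free_disk_mb}MB < {mins['disk_mb']}MB")
    return short


def assess(machine: Machine, edition: str) -> Dict[str, object]:
    """Combine the OS rule and the hardware rule into one verdict."""
    path = upgrade_path(machine.os, edition)
    short = hardware_shortfalls(machine, edition)
    notes = []
    if path == "staged":
        notes.append("upgrade to Windows 95/98/NT Workstation first, or clean install")
    elif path == "clean-install":
        notes.append(f"{machine.os} cannot be upgraded to Windows 2000 {edition}")
    if not short and machine.free_disk_mb < RECOMMENDED_DISK_MB:
        notes.append("meets minimum disk space but is below the recommended 2GB")
    return {
        "name": machine.name,
        "path": path,
        "shortfalls": short,
        "ready": path == "direct" and not short,
        "notes": notes,
    }


# Constructed inventory; "ws-old" mirrors the Chapter 3 pre-test answer:
# too little processor and RAM for Windows 2000.
INVENTORY = [
    (Machine("ws-old", "Windows 98", 100, 32, 900), "Professional"),
    (Machine("ws-wfw", "Windows for Workgroups", 66, 16, 500), "Professional"),
    (Machine("ws-nt", "Windows NT Workstation 4.0", 400, 128, 1800), "Professional"),
    (Machine("srv-nt", "Windows NT Server 4.0", 400, 128, 4000), "Server"),
    (Machine("ws-to-srv", "Windows NT Workstation 4.0", 400, 256, 4000), "Server"),
]


def report() -> List[Dict[str, object]]:
    """Assess every inventoried machine against its target edition."""
    return [assess(m, edition) for m, edition in INVENTORY]


if __name__ == "__main__":
    for row in report():
        print(row["name"], "ready" if row["ready"] else "NOT ready",
              row["path"], row["shortfalls"], row["notes"])
```

Only "ws-nt" comes out ready; "srv-nt" has enough disk and processor but only 128MB of RAM against the 256MB Server minimum, and "ws-to-srv" is rejected on the operating-system rule alone, since NT Workstation cannot be upgraded to Windows 2000 Server regardless of hardware.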

So how do you tell if your current hardware is sufficient for (and compatible with) Windows 2000? Microsoft has conveniently provided
a command-line switch for the Winnt32.exe utility to help you out.
It’s called /checkupgradeonly, and when run from an MS-DOS or
command prompt on a computer you want to upgrade, it analyzes the
computer’s hardware and software, and then prepares an upgrade report
summarizing all detected compatibility issues you may encounter when
running Windows 2000.
The Winnt32.exe utility ships with Windows 2000 Professional and
Windows 2000 Server, and is located in the \I386 folder on the compact
disc.
When the upgrade report is created on a Windows 95 or Windows 98
computer, it is named Upgrade.txt, and is automatically saved to your
Windows installation folder — normally C:\Windows.When the upgrade
report is created on a Windows NT Workstation or Windows NT Server
computer it is not automatically saved. However, you can manually save the
report as a text file.
Following are detailed steps on how to use this utility to prepare your
own upgrade report.

STEP BY STEP

PREPARING AN UPGRADE REPORT

1. Boot your computer to its existing operating system (Windows 95, Windows 98,
Windows NT Workstation, or Windows NT Server). Log on as Administrator.
2. Place the product compact disc of the operating system you want to upgrade to
(either Windows 2000 Professional or Windows 2000 Server) in your computer’s
CD-ROM drive.
3. Windows 2000 displays a message indicating that the compact disc contains a
newer version of Windows than you are currently running. Click No.
4. Close the Microsoft Windows 2000 CD dialog box.
5. Select Start ➪ Programs ➪ MS-DOS Prompt (for Windows 95/98 computers).
If you’re using a Windows NT computer, select Start ➪ Programs ➪ Command
Prompt.
6. At the MS-DOS/command prompt, type the drive letter of your CD-ROM drive,
followed by a colon — for example, D: — and press Enter. Then type cd \i386
and press Enter. Then type winnt32 /checkupgradeonly and press Enter.
7. Windows 2000 prepares an upgrade report. This takes a few minutes.
8. The Windows 2000 Readiness Analyzer displays the upgrade report, as
shown in Figure 4-2. The upgrade report shown in this figure was created
on a Windows 98 computer.

FIGURE 4-2 Upgrade report for a Windows 98 computer

When the upgrade report is created on a Windows 95 or Windows 98 computer, it is named Upgrade.txt, and is automatically saved to your Windows installation folder — normally C:\Windows. If you’re running this utility on a Windows 95
or Windows 98 computer, print the report if you want to, and click Finish.
When the upgrade report is created on a Windows NT Workstation or Windows
NT Server computer, it is not automatically saved. However, you can manually
save the report as a text file.
If you’re running this utility on a Windows NT Workstation or Windows NT Server
computer, click Save As to save the report. (You can open the report later using
Notepad and view or print the report.) You can also highlight any item listed on
the screen and click Details if you want to view specific information about the
item. Click Finish.
9. At the MS-DOS/command prompt, type exit and press Enter.

After you’ve generated your upgrade report, you can review it to deter-
mine how your computer’s hardware stacks up, and whether or not your
computer’s software applications will work with Windows 2000.

Obtaining Upgrade Packs for Software
Don’t be surprised if the upgrade report indicates that several of your installed
software applications are either incompatible with or may not work with
Windows 2000.You may need to apply upgrade packs in order to run these
applications with Windows 2000.

EXAM TIP
One of the exam objectives for the Professional exam mentions applying
“update packs to installed software applications.” The Windows 2000
user interface uses the terms upgrade pack and update pack inter-
changeably, although upgrade pack seems to be the most frequently
used term.

It’s possible that there may not be an upgrade pack or other way to
make an application compatible with Windows 2000. If there isn’t a way to
upgrade the application, you have three options:
■ Remove the application and discontinue using it.
■ Replace the application with a similar program that is compatible
with Windows 2000.

■ If you must continue using the old application, you shouldn’t upgrade
this computer.
I recommend that you contact the manufacturer of all software applica-
tions that the upgrade report indicates will not or may not work with
Windows 2000 to request upgrade packs before you upgrade to Windows
2000.Then, when you perform the actual upgrade, supply the location of
the upgrade packs (on your computer or network) when prompted by
Windows 2000 Setup.

Testing Software Applications before the Upgrade
If you plan to upgrade a whole network of computers, it’s a good idea to test
all of your applications on a Windows 2000 test computer before upgrading
all of your computers. Some applications, even though they are reported as
being compatible with Windows 2000 or have upgrade packs, may lose func-
tionality after a computer is upgraded to Windows 2000. For example, an
application may no longer support a specific hot key combination or may not
support importing a specific file type that you were previously able to import.
I recommend that you test all applications (including all of the application’s
individual features that are critical to your users) in a Windows 2000 test envi-
ronment before you upgrade.

Special Considerations for Existing Windows NT 4.0 Networks

Upgrading an entire network to Windows 2000 is a whole different ballgame
than upgrading one or two computers. A fair amount of planning and testing
should be done before the upgrade is performed, and several issues need to be
considered as part of your overall network upgrade plan.

Planning Your Domain Structure

Planning a domain structure is fairly straightforward. Basically, you need to
plan an interim domain structure (that you will use during the upgrade
process) and a final Windows 2000 domain structure.
Because of the Windows NT Server 4.0 limitation of 40,000 objects per
domain, your interim domain structure should mirror your existing domain
structure. For example, if you currently use a Windows NT 4.0 single mas-
ter domain model that consists of three domains, your interim domain
structure should consist of a root domain and two child domains. The root
154 Part II ▼ Installation and Configuration

domain is typically formed by upgrading your existing master domain, and
then the child domains are formed by upgrading your existing resource
domains. There are several third-party migration tools to help you migrate a
multiple-domain structure into a single domain structure. For example,
both Mission Critical Software (http://www.missioncritical.com)
and Fastlane (http://www.fastlane.com) have tools specifically
designed for this purpose.
As far as your final Windows 2000 domain structure is concerned, in most
cases, a single domain design is the best way to go. If you need additional
guidance in determining a domain structure, I recommend you review the
“Planning a Domain Design” section in Chapter 2.

Evaluating Infrastructure and Hardware

When you plan your network upgrade to Windows 2000, it’s a good idea
to evaluate your network infrastructure and hardware. Is your current net-
work infrastructure fast enough to support Windows 2000 and your future
network needs? For example, you might want to consider upgrading from
10 Mbps Ethernet to 100 Mbps Ethernet, or installing higher speed WAN
links, and so on.
In addition to making sure your client hardware is adequate for
Windows 2000, it’s also important to evaluate your server hardware. You
should consider replacing your current PDC with a bigger, faster box
before you upgrade it to Windows 2000, because Windows 2000 requires
more hardware than Windows NT 4.0 and the PDC will form the back-
bone of your new Windows 2000 network.

Testing Server-Based Applications

Prior to upgrading any servers on your network to Windows 2000, it’s
imperative that you test all of your server-based applications (such as
Microsoft Systems Management Server, Microsoft Exchange Server,
Microsoft SQL Server, and so on) on a Windows 2000 test network to
ensure that these applications function flawlessly in the new environment
you plan to use.

IN THE REAL WORLD

I can’t urge you strongly enough to test all of your server-based applica-
tions thoroughly before upgrading. Woe to the network administrator
who upgrades his network only to discover afterwards that data in a
server’s database can no longer be accessed, or that users can no
longer send and receive e-mail.
Planning for Your DNS Server

Windows 2000 Active Directory requires a DNS server that supports the
DNS dynamic update protocol (RFC 2136) and SRV (service) resource
records (RFC 2052). If you have an existing DNS server on your network
that meets these requirements, you can use this DNS server for your
Windows 2000 network. If you don’t have an existing DNS server on your
network (or have a DNS server but it doesn’t meet these requirements),
you can either install a Windows 2000 stand-alone server with the Domain
Name System (DNS) service installed on it to function as your network’s
DNS server; or you can choose to install the Domain Name System
(DNS) service on your primary domain controller (PDC) during the
upgrade process, and thereby make the PDC into your Windows 2000 net-
work’s DNS server. Alternatively, you can use QIP by Lucent Technology
to provide fault-tolerant DHCP and DNS on large networks — especially
if your IT department refuses to use any operating system other than
UNIX for these services. Lucent is making the current version of QIP
(6.0) compatible with Windows 2000 for DNS and DHCP.
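The SRV-record requirement above can be verified before you commit to a DNS server. The following Python script is an added example, not code from the book: it builds a DNS SRV query, parses the SRV answers out of a response, and runs the parser against a hand-constructed response for the `_ldap._tcp.dc._msdcs.<domain>` name that Windows 2000 domain controllers register. The domain `example.com`, the host `dc1` and the `query_srv` helper are assumptions for illustration. Note that this checks only SRV support (RFC 2052); dynamic update support (RFC 2136) has to be confirmed separately.

```python
"""
Added example: verify that a DNS server answers SRV queries (RFC 2052),
which Windows 2000 Active Directory requires. Domain controllers register
SRV records such as _ldap._tcp.dc._msdcs.<domain>; a server that cannot
return them cannot support a Windows 2000 domain. The sample response is
constructed by hand so the check runs offline (example.com and dc1 are
made-up names).
"""
import socket
import struct

SRV_TYPE = 33   # RR type code for SRV
IN_CLASS = 1    # Internet class


def build_srv_query(name, txid=0x1234):
    """Build a DNS query packet asking for the SRV records of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", SRV_TYPE, IN_CLASS)


def read_name(msg, offset):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels = []
    end = None                      # offset just past the name in the original stream
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:   # compression pointer to an earlier name
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_srv_answers(msg):
    """Return the SRV records in a DNS response as priority/weight/port/target dicts."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    offset = 12
    for _ in range(qdcount):                 # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE:
            priority, weight, port = struct.unpack(">HHH", msg[offset:offset + 6])
            target, _ = read_name(msg, offset + 6)
            records.append({"priority": priority, "weight": weight,
                            "port": port, "target": target})
        offset += rdlength
    return records


def query_srv(server_ip, name, timeout=3.0):
    """Ask a real DNS server over UDP port 53 and parse its SRV answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(name), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_answers(data)


def build_sample_response():
    """Constructed response (not captured from a real server) for offline testing."""
    question = build_srv_query("_ldap._tcp.dc._msdcs.example.com")[12:]
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA, NOERROR
    # Target "dc1.example.com": label "dc1" plus a pointer to "example.com",
    # which starts at offset 33 inside the question name.
    rdata = struct.pack(">HHH", 0, 100, 389) + b"\x03dc1" + struct.pack(">H", 0xC000 | 33)
    answer = (struct.pack(">H", 0xC00C)       # owner name = pointer to the question name
              + struct.pack(">HHIH", SRV_TYPE, IN_CLASS, 600, len(rdata)) + rdata)
    return header + question + answer


if __name__ == "__main__":
    found = parse_srv_answers(build_sample_response())
    print("SRV records served:", found)
    print("usable for Active Directory:", bool(found))
```

Against a live server, `query_srv("<dns-server-ip>", "_ldap._tcp.dc._msdcs.<your-domain>")` returns an empty list when the server answers NOERROR without SRV data, and raises on a non-zero RCODE; either result means the server is not ready for Active Directory.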

CROSS-REFERENCE
For more information on installing and configuring a DNS server, see
Chapter 7.

Upgrading to Windows 2000

Now that you’ve prepared your computer for the upgrade, you’re ready to
perform the actual upgrade process. This section explains the steps involved
in upgrading to Windows 2000 Professional and to Windows 2000 Server.
If you are interested in upgrading an entire network, I’ll also cover the
order in which you should upgrade existing computers, and how to
upgrade your domain structure.

Upgrading to Windows 2000 Professional

You can upgrade to Windows 2000 Professional from Windows 95, Windows
98, Windows NT Workstation 3.51, or Windows NT Workstation 4.0. The
next two sections explain, in detail, first how to upgrade from Windows 98 to
Windows 2000 Professional, and then how to upgrade from Windows NT
Workstation 4.0 to Windows 2000 Professional.
STEP BY STEP

UPGRADING FROM WINDOWS 98 TO WINDOWS 2000 PROFESSIONAL

TIP
This section lists the steps I used to upgrade Windows 98 to Windows
2000 Professional. The steps to upgrade Windows 95 are nearly identical.

1. Boot your computer to Windows 98. Log on as Administrator.
2. Place the Windows 2000 Professional compact disc in your computer’s
CD-ROM drive.
3. Windows 2000 displays a message indicating that the compact disc contains a
newer version of Windows than you are currently running. Click Yes to upgrade to
Windows 2000.
4. The Windows 2000 Setup Wizard starts. Accept the default option to upgrade to
Windows 2000, and click Next.
5. The License Agreement screen appears. Select the “I accept this agreement”
option, and click Next.
6. The Your Product Key screen appears. Type in the 25-character product key from
the back of your Windows 2000 compact disc case. Click Next.
7. The Preparing to Upgrade to Windows 2000 screen appears. Click Next.
8. The Provide Upgrade Packs screen appears, as shown in Figure 4-3.

FIGURE 4-3 Providing upgrade packs


If you have upgrade packs for installed applications, select the “Yes, I have upgrade
packs” option, and click Add. Windows 2000 prompts you to browse your computer
or network for the location of the upgrade pack(s). In the browse list, highlight the
location the upgrade packs are located in and click OK. Go on to Step 9.
If you don’t have upgrade packs, select the “No, I don’t have any upgrade packs”
option, and click Next.
9. The Upgrading to the Windows 2000 NTFS File System screen appears.
If you don’t need to dual boot this computer between Windows 2000 and
Windows 95, Windows 98, or MS-DOS, select the “Yes, upgrade my drive”
option, and click Next. Go on to Step 10.
If you want this computer to be able to dual boot, select the default option of “No,
do not upgrade my drive,” and click Next.
10. Windows 2000 prepares an upgrade report. (This is the same upgrade report
I discussed earlier in the “Determining If Hardware Is Adequate” section.) This
process takes a few minutes.
11. Windows 2000 may prompt you to supply updated files for Plug and Play hardware
in your computer. If it does, either click Provide Files and follow the instructions pre-
sented on-screen, or click Next if you want to complete the upgrade now and go
back and provide the updated files later.

TIP
I recommend that you don’t complete the upgrade until you have the nec-
essary files and upgrade packs for the hardware and software installed in
your computer. If you continue the upgrade without providing these
files/upgrade packs, you may find that some of your hardware and/or
software won’t work after Windows 2000 is installed.

12. Windows 2000 displays the Upgrade Report. You can read, save, and print this
report. Click Next.
13. If Windows 2000 determined that some of your hardware or software is not com-
patible with Windows 2000 (and you did not supply updated files or upgrade
packs), Windows 2000 Setup prompts you to either review the upgrade report
again, continue with the upgrade, or quit setup. If you choose to continue the
upgrade in spite of these potential incompatibilities, click Continue.
14. The Ready to Install Windows 2000 screen is displayed. Click Next. Windows
2000 will automatically install itself and perform all necessary upgrades and file
system conversions. The process takes a long time — up to an hour or more. Your
computer will restart several times during the upgrade process.
15. After your computer finishes the upgrade and performs its final reboot, the
Password Creation dialog box is displayed. Type a password for the Administrator
in the New Password text box. Confirm this password by retyping it in the Confirm
New Password text box. Click OK.
16. Log on to Windows 2000 Professional by typing in your user name and password
and clicking OK. The upgrade is complete.

Upgrading from Windows NT Workstation to Windows 2000 Professional is
similar to upgrading from Windows 98, but the steps are different enough to
warrant listing them separately.

STEP BY STEP

UPGRADING FROM WINDOWS NT WORKSTATION TO WINDOWS 2000 PROFESSIONAL

1. Boot your computer to Windows NT Workstation. Log on as Administrator.

TIP
These are the steps I used to upgrade a Windows NT Workstation 4.0
computer to Windows 2000 Professional. The steps to upgrade Windows
NT Workstation 3.51 are nearly identical.

2. Place the Windows 2000 Professional compact disc in your computer’s
CD-ROM drive.
3. Windows 2000 displays a message indicating that the compact disc contains a
newer version of Windows than you are currently using. Click Yes to upgrade to
Windows 2000.
4. The Windows 2000 Setup Wizard starts. Accept the default option to upgrade to
Windows 2000, and click Next.
5. The License Agreement screen appears. Select the “I accept this agreement”
option, and click Next.
6. The Your Product Key screen appears. Type in the 25-character product key from
the back of your Windows 2000 compact disc case. Click Next.
7. The Upgrading to the Windows 2000 NTFS File System screen appears. (This
screen won’t appear if your computer is already configured to use NTFS.)
If you want to use NTFS, accept the default option of “Yes, upgrade my drive,”
and click Next. (I recommend using NTFS for most upgrade situations.)
If for some reason you don’t want to use NTFS, select the “No, do not upgrade
my drive” option, and click Next.
8. Windows 2000 Setup checks your computer for compatibility with Windows
2000, and displays the Report System Compatibility screen if it detects any
incompatible hardware or software, as shown in Figure 4-4. If you want more
information about any item displayed in this screen, highlight the item and click
Details. To save this report, click Save As and provide a file name.

FIGURE 4-4 Upgrade report for a Windows NT 4.0 computer

Click Next.
9. Windows 2000 Setup copies installation files to your computer’s hard disk.
Then Windows 2000 restarts your computer.
10. After your computer reboots, Windows 2000 Setup inspects your computer’s
hardware configuration. If you have third-party SCSI or RAID drivers that need
to be installed, press F6 during this process. (If you don’t have these drivers,
just ignore this screen.)
11. Windows 2000 Setup examines your hard disk(s) and copies files to the Windows
2000 installation folders. Then Setup initializes your Windows 2000 configuration,
and restarts your computer.
12. Windows 2000 Professional starts. If you chose to convert your file system to
NTFS, Windows 2000 converts the drive to NTFS. Windows 2000 restarts your
computer again.
13. Windows 2000 Setup detects and installs devices on your computer. This takes
several minutes, and your display may flicker during this time. If your computer stops
during this process for a long period of time (more than an hour) or displays an error,
reboot your computer and Setup will resume automatically.
14. Windows 2000 Setup installs networking components. Then Windows 2000 Setup
installs additional Windows 2000 components. Finally, Setup performs a final set of
tasks. During this process, it installs Start menu items, registers components, saves
settings, and removes any temporary files used. This process takes quite a bit of
time. Then Windows 2000 automatically restarts your computer.
15. Log on to Windows 2000 Professional by typing in your user name and password
and clicking OK. The upgrade is complete.

Upgrading to Windows 2000 Server

In the following section, I explain how to upgrade from Windows NT
Server to Windows 2000 Server.

CAUTION
As you might expect, during the upgrade process your server will be
restarted several times. Because of this fact, I recommend that you
perform the upgrade at a time when you are able to reboot the server
without disrupting service to users of client computers.

STEP BY STEP

UPGRADING FROM WINDOWS NT SERVER TO WINDOWS 2000 SERVER

1. Boot your computer to Windows NT Server. Log on as Administrator.

TIP
These are the steps I used to upgrade a Windows NT Server 4.0 computer
to Windows 2000 Server. The steps to upgrade from Windows NT Server
3.51 are similar.

2. Place the Windows 2000 Server compact disc in your computer’s CD-ROM drive.
3. Windows 2000 displays a message indicating that the compact disc contains a
newer version of Windows than you are currently using. Click Yes to upgrade to
Windows 2000.
4. The Windows 2000 Setup Wizard starts. Accept the default option to upgrade to
Windows 2000, and click Next.
5. The License Agreement screen appears. Select the “I accept this agreement”
option, and click Next.
6. The Your Product Key screen appears. Type in the 25-character product key from
the back of your Windows 2000 compact disc case. Click Next.
7. The Upgrading to the Windows 2000 NTFS File System screen appears. (This
screen doesn’t appear if your computer is already configured to use NTFS.)
If you want to use NTFS, accept the default option of “Yes, upgrade my drive,”
and click Next. (I recommend using NTFS for most upgrade situations.)
If for some reason you don’t want to use NTFS, select the “No, do not upgrade
my drive” option, and click Next.
8. Windows 2000 Setup checks your computer for compatibility with Windows 2000,
and displays the Report System Compatibility screen if incompatible hardware or
software is detected. If you want more information about any item displayed in this
screen, highlight the item and click Details. To save the report, click Save As and
provide a filename. Click Next.
9. Windows 2000 Setup copies installation files to your computer’s hard disk. Then
Windows 2000 restarts your computer.
10. After your computer reboots, Windows 2000 Setup inspects your computer’s
hardware configuration. If you have third-party SCSI or RAID drivers that need to
be installed, press F6 during this process. (If you don’t have these drivers, just
ignore this screen.)
11. Windows 2000 Setup examines your hard disk(s) and copies files to the Windows
2000 installation folders. Then Setup initializes your Windows 2000 configuration,
and restarts your computer.
12. Windows 2000 Server starts. If you chose to convert your file system to
NTFS, Windows 2000 converts the drive to NTFS. Windows 2000
restarts your computer again.
13. Windows 2000 Setup detects and installs devices on your computer. This takes
several minutes, and your display may flicker during this time. If your computer
stops during this process for a long period of time (more than an hour) or
displays an error, reboot your computer and Setup will resume automatically.
14. Windows 2000 Setup installs networking components. Then Windows 2000 Setup
installs additional Windows 2000 components. Finally, Setup performs a final set of
tasks. During this process, it installs Start menu items, registers components, saves
settings, and removes any temporary files used. This process takes quite a bit of
time. Then Windows 2000 automatically restarts your computer.
15. If you are upgrading a stand-alone server or a member server, log on to Windows
2000 Server by typing in your password and clicking OK. The upgrade is complete.
If you are upgrading a domain controller (either a PDC or a BDC), Windows 2000
Setup automatically logs you on as Administrator and starts the Active Directory
Installation Wizard. Configure each of the screens in this wizard as appropriate to
complete the upgrade. You must restart your computer at the end of this process.

CROSS-REFERENCE
For detailed information on using the Active Directory Installation Wizard,
see the “Installing Active Directory” section in Chapter 7.

Recommended Order to Upgrade Computers

When upgrading an existing Windows NT Server 4.0 network to
Windows 2000, you should upgrade computers in a specific order.
When upgrading from a single domain model:
1. Upgrade the primary domain controller (PDC) to Windows 2000
before upgrading any other computers. The PDC must be the first
computer upgraded.
2. Upgrade all backup domain controllers (BDCs) and member servers
to Windows 2000. Upgrade client computers as appropriate, or install
the Directory Service Client on these computers.
When upgrading from any multiple domain model (single master, multiple
master, or complete trust):
1. Upgrade the PDC of the Windows NT 4.0 domain that will become
the root domain of your Windows 2000 network. This must be the
first computer upgraded. Once the PDC from this domain has been
upgraded, you can upgrade BDCs, member servers, and client com-
puters from this domain to Windows 2000 whenever you want to,
and in any order you choose.
2. Upgrade the PDC from each remaining Windows NT 4.0 domain. The
PDC must be the first computer in the domain that is upgraded. Once
the PDC from a domain has been upgraded, you can upgrade BDCs,
member servers, and client computers in that domain to Windows 2000
whenever you want to, and in any order you choose.

Upgrading a Windows NT 4.0 Domain Structure
If your existing Windows NT 4.0 network has a single domain structure
and you’re upgrading the entire network to Windows 2000, upgrading
your domain structure is as simple as upgrading your domain controllers.
If your existing Windows NT 4.0 network has a multiple domain structure
(single master, multiple master, or complete trust), upgrading your domain
structure is more complex. As discussed earlier in this chapter, you’ll need to
plan an interim domain structure as well as your ultimate Windows 2000
domain design.
Due to the Windows NT 4.0 limitation of 40,000 objects per domain, you
can’t upgrade directly from a Windows NT 4.0 multiple domain structure to
a Windows 2000 single domain structure. You have to upgrade in steps:
1. Determine which of your existing Windows NT 4.0 domains will
form the root domain of your new Windows 2000 domain structure.
Normally, this is the master domain that contains the user accounts
(or the majority of the user accounts) for your company.
2. Upgrade the primary domain controller (PDC) of the Windows NT
4.0 domain that will form the root domain.
3. Upgrade the other servers on your existing network to Windows
2000. See the “Recommended Order to Upgrade Computers”
section in this chapter for details. During the server upgrade
process, you should use an interim domain structure, which
should mirror your Windows NT 4.0 domain structure.
4. Switch each Windows 2000 domain from mixed mode to native mode.
This can be done only after all domain controllers are upgraded to
Windows 2000.
5. Use the various Windows 2000 domain consolidation tools to restruc-
ture your domains to match your Windows 2000 domain design. You
can merge domains only after all domain controllers on the network
are upgraded to Windows 2000 and after each Windows 2000 domain
is switched to native mode.
I intended this section to be a high-level overview of how domains are
upgraded to Windows 2000. For details on switching domains from mixed
mode to native mode, or on using Windows 2000 domain consolidation
tools, see Chapter 9.
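The ordering rules in this section and in “Recommended Order to Upgrade Computers” are easy to get wrong on a large network, so they are worth encoding as a check on a written upgrade plan. The following Python script is an added example and is not from the book; the domain names (CORP, SALES, ENG) and computer names in it are made up for illustration, and the functions are assumptions of this example rather than any Microsoft tool.

```python
"""
Added example: the chapter's upgrade-order rules for a Windows NT 4.0
network, written as a checker for a proposed upgrade plan.

Rules as stated in the chapter:
  * In every domain the PDC is the first computer upgraded.
  * In a multiple-domain model, the PDC of the domain that becomes the
    Windows 2000 root domain is upgraded before anything else.
  * A domain switches to native mode only after all its DCs are upgraded.
  * Domains are merged only after every DC on the network is upgraded and
    every domain is in native mode.
Domain and computer names below are made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Computer:
    name: str
    domain: str
    role: str  # "PDC", "BDC", "member" or "client"


def sample_network():
    """Made-up single master model: CORP holds the accounts, SALES and ENG are resource domains."""
    return [
        Computer("corp-pdc", "CORP", "PDC"),
        Computer("corp-bdc1", "CORP", "BDC"),
        Computer("sales-pdc", "SALES", "PDC"),
        Computer("sales-bdc1", "SALES", "BDC"),
        Computer("sales-fs1", "SALES", "member"),
        Computer("eng-pdc", "ENG", "PDC"),
        Computer("eng-ws7", "ENG", "client"),
    ]


def recommended_order(computers, root_domain):
    """One valid order: root PDC, then the other PDCs, then everything else."""
    root_pdcs = [c for c in computers if c.role == "PDC" and c.domain == root_domain]
    if len(root_pdcs) != 1:
        raise ValueError(f"domain {root_domain} must have exactly one PDC")
    other_pdcs = [c for c in computers if c.role == "PDC" and c.domain != root_domain]
    rest = [c for c in computers if c.role != "PDC"]
    return root_pdcs + other_pdcs + rest


def check_order(order, root_domain):
    """Return the rule violations in a proposed order (an empty list means it is valid)."""
    problems = []
    if not order or order[0].role != "PDC" or order[0].domain != root_domain:
        problems.append(f"the PDC of the root domain {root_domain} must be upgraded first")
    pdc_upgraded = set()
    for c in order:
        if c.role == "PDC":
            pdc_upgraded.add(c.domain)
        elif c.domain not in pdc_upgraded:
            problems.append(f"{c.name} ({c.role} in {c.domain}) is scheduled before its PDC")
    return problems


def can_switch_to_native(computers, upgraded, domain):
    """Native mode is allowed once every PDC/BDC in the domain runs Windows 2000."""
    dcs = [c for c in computers if c.domain == domain and c.role in ("PDC", "BDC")]
    return all(c.name in upgraded for c in dcs)


def can_merge_domains(computers, upgraded, native_domains):
    """Merging needs every DC on the network upgraded and every domain in native mode."""
    all_dcs_done = all(c.name in upgraded
                       for c in computers if c.role in ("PDC", "BDC"))
    return all_dcs_done and {c.domain for c in computers} <= set(native_domains)


if __name__ == "__main__":
    net = sample_network()
    plan = recommended_order(net, "CORP")
    print("recommended order:", [c.name for c in plan])
    # A plan that starts with a BDC breaks two rules at once.
    bad_plan = [net[3]] + [c for c in net if c.name != "sales-bdc1"]
    for problem in check_order(bad_plan, "CORP"):
        print("violation:", problem)
```

`check_order` reports every violation rather than stopping at the first, so a plan for a multiple master or complete trust model can be reviewed in one pass; `can_switch_to_native` and `can_merge_domains` gate steps 4 and 5 on the same inventory.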
KEY POINT SUMMARY

This chapter explored numerous Windows 2000 upgrade topics. Some of the key
points are:
■ You can upgrade the following operating systems to Windows 2000
Professional: Windows 95, Windows 98, Windows NT Workstation 3.51,
and Windows NT Workstation 4.0.
■ You can upgrade the following operating systems to Windows 2000 Server:
Windows NT Server 3.51 and Windows NT Server 4.0.
■ If you decide not to upgrade a Windows 95 or Windows 98 computer to
Windows 2000, but you run Windows 2000 (and Active Directory) on servers
and other computers on your network, you may decide to install the Directory
Service Client on this computer.
■ When you prepare a computer to meet upgrade requirements, you need
to determine if hardware is adequate, obtain necessary upgrade packs
for software, and test software applications before the upgrade.
   • Windows 2000 is somewhat of a hardware hog. Table 4-1 shows the
minimum hardware required to install Windows 2000.
   • To determine if hardware is adequate and if software is compatible with
Windows 2000, you can use the /checkupgradeonly switch for the
Winnt32.exe command-line utility to create an upgrade report.
■ There are some special considerations for upgrading an existing Windows NT
4.0 network to Windows 2000, including planning your domain structure,
evaluating infrastructure and hardware, testing server-based applications,
and planning for your DNS server.
■ When upgrading an existing Windows NT Server 4.0 network to Windows 2000,
you should upgrade computers in a specific order.
   • When upgrading from a single domain model, the primary domain controller
(PDC) must be upgraded first.
   • When upgrading from a multiple domain model, you should upgrade the
PDC of the Windows NT 4.0 domain that will become the Windows 2000
root domain first.
■ If you upgrade an existing multiple domain Windows NT 4.0 network to a single
Windows 2000 domain, the domain structure can’t be upgraded directly, but is
upgraded by performing a series of sequential steps.
STUDY GUIDE
This section contains several exercises that are designed to cement your
knowledge and help you prepare for the exams:
■ Assessment questions: These questions test your knowledge of
the upgrade topics covered in this chapter. You can find the answers
to these questions at the end of this chapter.
■ Lab Exercises: These two labs give you the opportunity to practice
upgrading a Windows 98 computer to Windows 2000 Professional,
and upgrading a Windows NT Server 4.0 computer to Windows
2000 Server.

Assessment Questions
1. Which operating system(s) can you upgrade to Windows 2000
Professional? (Choose all that apply.)
A. Windows 95
B. Windows 98
C. Windows for Workgroups
D. Windows NT Workstation 4.0
E. Windows NT Server 4.0
2. Which operating system(s) can you upgrade to Windows 2000 Server?
(Choose all that apply.)
A. Windows 95
B. Windows 98
C. Windows for Workgroups
D. Windows NT Workstation 4.0
E. Windows NT Server 4.0
3. You are considering upgrading a Windows NT Workstation 4.0 com-
puter on your network to Windows 2000 Professional. The computer
has 12 applications installed in addition to the operating system. All
the applications are compatible with Windows 2000. The end user
would benefit from the additional features Windows 2000 provides.
What action should you take?
A. Upgrade the Windows NT Workstation 4.0 computer to
Windows 2000 Server.
B. Upgrade the Windows NT Workstation 4.0 computer to
Windows 2000 Professional.
C. Perform a clean install of Windows 2000 Professional on the
Windows NT Workstation 4.0 computer.
D. Don’t upgrade the Windows NT Workstation 4.0 computer, but
install the Directory Service Client on it instead.
4. You want to upgrade a Windows 98 computer to Windows 2000
Professional. What is the minimum processor, amount of memory
(RAM), and amount of available disk space that the Windows 98
computer must have for you to perform the upgrade?
A. Pentium/75MHz processor, 16MB of RAM, 400MB of free hard
disk space
B. Pentium/100MHz processor, 32MB of RAM, 500MB of free
hard disk space
C. Pentium/133MHz processor, 64MB of RAM, 1GB of free hard
disk space
D. Pentium/166MHz processor, 128MB of RAM, 1GB of free hard
disk space
5. You want to upgrade a Windows NT Server 4.0 computer to
Windows 2000 Server. What is the minimum processor, amount
of memory (RAM), and amount of available disk space that the
Windows NT Server 4.0 computer must have for you to perform
the upgrade?
A. Pentium/75MHz processor, 16MB of RAM, 400MB of free hard
disk space
B. Pentium/100MHz processor, 32MB of RAM, 500MB of free
hard disk space
C. Pentium/133MHz processor, 256MB of RAM, 1GB of free hard
disk space
D. Pentium/166MHz processor, 128MB of RAM, 2GB of free hard
disk space
6. You are preparing a Windows 95 computer to be upgraded to
Windows 2000 Professional. What action(s) should you take
before you perform the upgrade? (Choose all that apply.)
A. Determine if the computer’s hardware is adequate.
B. Use the Winnt32.exe /checkupgradeonly utility to prepare
an upgrade report.
C. Contact Microsoft for upgrade packs for your non-Microsoft
software applications.
D. Test all applications on a Windows 2000 test computer.
7. You are preparing to upgrade a Windows NT Server 4.0 computer to
Windows 2000 Server. You recently obtained upgrade packs for several
software applications installed on this computer. When should you
apply the upgrade packs?
A. Before the upgrade
B. During the upgrade
C. After the upgrade
D. You can install the upgrade pack at any time.
8. You are upgrading your single master Windows NT Server 4.0 network
to Windows 2000. Which computer should you upgrade first?
A. The stand-alone server in the Windows NT 4.0 domain that will
become the root domain in your Windows 2000 network
B. The primary domain controller (PDC) in the Windows NT 4.0
domain that will become a child domain in your Windows 2000
network
C. The backup domain controller (BDC) in the Windows NT 4.0
domain that will become a child domain in your Windows 2000
network
D. The primary domain controller (PDC) in the Windows NT 4.0
domain that will become the root domain in your Windows 2000
network
Lab Exercises
The following labs provide you with hands-on experience upgrading to
Windows 2000 Professional and Windows 2000 Server.

Lab 4-1 Upgrading from Windows 98 to Windows 2000 Professional

EXAM MATERIAL

This lab is optional because it requires a Windows 98 computer. If you have a
Windows 98 computer that you’ve been wanting to upgrade to Windows
2000, here’s your opportunity.
The purpose of this lab is to give you hands-on experience in upgrading
a computer from Windows 98 to Windows 2000 Professional.
This lab has two parts:
■ Part 1: Preparing your computer to meet upgrade requirements
■ Part 2: Upgrading from Windows 98 to Windows 2000 Professional
(including applying update packs to installed software applications)
Follow the steps in this lab exercise carefully.

Part 1: Preparing Your Computer to Meet Upgrade Requirements
1. Boot your computer to Windows 98. Log on as Administrator.
2. Place the Windows 2000 Professional compact disc in your computer’s
CD-ROM drive.
3. Windows 2000 displays a message indicating that the compact
disc contains a newer version of Windows than you are currently
running. Click No.
4. Close the Microsoft Windows 2000 CD dialog box.
5. Select Start ➪ Programs ➪ MS-DOS Prompt.
6. At the MS-DOS prompt, type the drive letter of your CD-ROM drive,
followed by a colon — for example, D: — and press Enter. Then type cd
\i386 and press Enter. Then type winnt32 /checkupgradeonly and
press Enter.
7. Windows 2000 prepares an upgrade report. This takes a few minutes.
8. The Windows 2000 Readiness Analyzer displays the upgrade report.
Print the upgrade report. Click Finish.
9. At the MS-DOS prompt, type exit and press Enter.
10. Read the upgrade report you printed in Step 8. If the report indi-
cates your hardware is inadequate to run Windows 2000, perform
any necessary hardware upgrades. If the report indicates that some
of your computer’s hardware or software may be incompatible
with Windows 2000, obtain the appropriate updated files or
upgrade packs from the hardware or software manufacturer.
If you have hardware or software installed in your computer for which
you are unable to obtain updated files or upgrade packs for Windows
2000, and you no longer require the use of this hardware or software,
remove the hardware or software from your computer before upgrad-
ing to Windows 2000.

Part 2: Upgrading from Windows 98 to Windows 2000 Professional
(Including Applying Update Packs to Installed Software Applications)
1. Boot your computer to Windows 98. Log on as Administrator.
2. Place the Windows 2000 Professional compact disc in your computer’s
CD-ROM drive.
3. Windows 2000 displays a message indicating that the compact disc
contains a newer version of Windows than you are currently running.
Click Yes.
4. The Windows 2000 Setup Wizard starts. Accept the default option to
upgrade to Windows 2000, and click Next.
5. The License Agreement screen appears. Select the “I accept this
agreement” option, and click Next.
6. The Your Product Key screen appears. Type in the 25-character
product key from the back of your Windows 2000 compact disc
case. Click Next.
7. The Preparing to Upgrade to Windows 2000 screen appears.
Click Next.
8. The Provide Update Packs screen appears.
If you have upgrade packs for installed applications, select the “Yes, I
have upgrade packs” option, and click Add. Windows 2000 prompts
you to browse your computer or network for the location of the
upgrade pack(s). In the browse list, highlight the location of the
upgrade packs and click OK. Go on to Step 9.
If you don’t have upgrade packs, select the “No, I don’t have any
upgrade packs” option, and click Next.
9. The Upgrading to the Windows 2000 NTFS File System
screen appears.
If you don’t need to dual boot this computer between Windows 2000
and Windows 95, Windows 98, or MS-DOS, select the “Yes, upgrade
my drive” option, and click Next. Go on to Step 10.
If you want this computer to be able to dual boot, select the default
option of “No, do not upgrade my drive,” and click Next.
10. Windows 2000 prepares an upgrade report. This process takes a
few minutes.
11. If Windows 2000 prompts you to supply updated files for Plug and
Play hardware in your computer, either click Provide Files and follow
the instructions presented on-screen, or click Next if you want to
complete the upgrade now and go back and provide the updated
files later.
12. Windows 2000 displays the Upgrade Report. Click Next.
13. If Windows 2000 determined that some of your hardware or software
is not compatible with Windows 2000 (and you did not supply updated
files or upgrade packs), Windows 2000 Setup prompts you to either
review the upgrade report again, continue with the upgrade, or quit
setup. If you choose to continue the upgrade in spite of these potential
incompatibilities, click Continue.
14. The Ready to Install Windows 2000 screen is displayed. Click Next.
Windows 2000 will automatically install itself and perform all necessary
upgrades and file system conversions. The process takes a long time — up
to an hour or more. Your computer will restart several times during the
upgrade process.
15. After your computer finishes the upgrade and performs its final reboot,
the Password Creation dialog box is displayed. Type a password for the
Administrator in the New Password text box. Confirm this password by
retyping it in the Confirm New Password text box. Click OK.
16. Log on to Windows 2000 Professional by typing in your password
and clicking OK. The upgrade is complete.

Lab 4-2 Upgrading a Windows NT Server 4.0 Computer to Windows 2000 Server

Server Exam Material

This lab is optional because it requires a Windows NT Server 4.0 computer that
is configured as a stand-alone server. If you have a Windows NT Server 4.0
computer that you’ve been wanting to upgrade to Windows 2000, here’s
your opportunity.
The purpose of this lab is to give you hands-on experience in upgrading
a Windows NT Server 4.0 stand-alone server to Windows 2000 Server.
Follow the steps in this lab exercise carefully.
1. Boot your computer to Windows NT Server 4.0. Log on
as Administrator.
2. Place the Windows 2000 Server compact disc in your computer’s
CD-ROM drive.
3. Windows 2000 displays a message indicating that the compact disc
contains a newer version of Windows than you are currently using.
Click Yes.
4. The Windows 2000 Setup Wizard starts. Accept the default option
to upgrade to Windows 2000, and click Next.
5. The License Agreement screen appears. Select the “I accept this
agreement” option, and click Next.
6. The Your Product Key screen appears. Type in the 25-character
product key from the back of your Windows 2000 compact
disc case. Click Next.
7. The Upgrading to the Windows 2000 NTFS File System screen
appears. (This screen won’t appear if your computer is already
configured to use NTFS.)
If you want to use NTFS, accept the default option of “Yes, upgrade
my drive,” and click Next. (I recommend using NTFS for most
upgrade situations.)
If for some reason you don’t want to use NTFS, select the “No, do
not upgrade my drive” option, and click Next.
8. Windows 2000 Setup checks your computer for compatibility with
Windows 2000, and displays the Report System Compatibility screen
if it detects any incompatible hardware or software. To obtain more
information about any item displayed in this screen, highlight the
item and click Details. Click Next.
9. Windows 2000 Setup copies installation files to your computer’s hard
disk. Then Windows 2000 restarts your computer.
After your computer reboots, Windows 2000 Setup inspects your
computer’s hardware configuration. If you have third-party SCSI or
RAID drivers that need to be installed, press F6 during this process.
(If you don’t have these drivers, just ignore this screen.)
10. Windows 2000 Setup examines your hard disk(s) and copies files to
the Windows 2000 installation folders. Then Setup initializes your
Windows 2000 configuration, and restarts your computer.
Windows 2000 Server starts. If you chose to convert your file system
to NTFS, Windows 2000 converts the drive to NTFS. Windows 2000
restarts your computer again.
Windows 2000 Setup detects and installs devices on your computer.
This takes several minutes, and your display may flicker during this
time. If your computer stops during this process for a long period of
time (more than an hour) or displays an error, reboot your computer
and Setup will resume automatically.
11. Windows 2000 Setup installs networking components. Then Windows
2000 Setup installs additional Windows 2000 components. Finally, Setup
performs a final set of tasks. During this process, it installs Start menu
items, registers components, saves settings, and removes any temporary
files used. This process takes quite a bit of time. Then Windows 2000
automatically restarts your computer.
12. Log on to Windows 2000 Server by typing in your user name and
password and clicking OK. The upgrade is complete.

Answers to Chapter Questions


Chapter Pre-Test
1. No, you can’t upgrade directly from Windows for Workgroups to
Windows 2000 Professional.
2. No, the only operating systems you can upgrade to Windows 2000
Server are Windows NT Server 3.51 and Windows NT Server 4.0.
3. Use the /checkupgradeonly command-line switch for the
Winnt32.exe utility to prepare an upgrade report.
4. Contact the manufacturer of all software applications that aren’t
compatible with Windows 2000 to request upgrade packs before
you upgrade to Windows 2000.
5. When upgrading from a single domain model, upgrade the primary
domain controller (PDC) to Windows 2000 before upgrading any
other computers. When upgrading from a multiple domain model,
the first computer you should upgrade is the PDC of the Windows
NT 4.0 domain that will become the root domain of your Windows
2000 network.

Assessment Questions
1. A, B, D. The only operating systems that can be upgraded to Windows
2000 Professional are Windows 95, Windows 98, and Windows NT
Workstation. Neither Windows for Workgroups nor Windows NT
Server can be upgraded to Windows 2000 Professional.
2. E. The only operating systems that can be upgraded to Windows
2000 Server are Windows NT Server 3.51 and Windows NT Server
4.0. E is the only correct answer.
3. B. Upgrading the computer to Windows 2000 Professional is probably
the best choice given that the current operating system is Windows NT
Workstation 4.0 (which upgrades easily to Windows 2000 Professional)
and the fact that the computer has 12 additional applications installed
on it that would need to be reinstalled and reconfigured if a clean install
was performed.
4. C. See Table 4-1.
5. C. See Table 4-1.
6. A, B, D. C is incorrect because you should contact the manufacturer(s)
of the application(s) that may not work with Windows 2000 (not
Microsoft) and ask them for an upgrade pack.
7. B. During the upgrade process, the Windows 2000 Setup program
will prompt you to provide any upgrade packs you have for installed
software applications.
8. D. When upgrading from a Windows NT 4.0 single master domain
model to Windows 2000, the first computer you should upgrade is
the PDC of the Windows NT 4.0 domain that will become the root
domain of your Windows 2000 network.

Professional and Server Exam Material

EXAM OBJECTIVES

Professional Exam 70-210

■ Install, configure, and manage DVD and CD-ROM devices.
■ Implement, manage, and troubleshoot display devices.
■ Configure multiple-display support.
■ Install, configure, and troubleshoot a video adapter.
■ Implement, manage, and troubleshoot mobile computer hardware.
■ Configure Advanced Power Management (APM).
■ Configure and manage card services.
■ Implement, manage, and troubleshoot input and output (I/O)
devices.
■ Monitor, configure, and troubleshoot I/O devices, such as print-
ers, scanners, multimedia devices, mouse, keyboard, and smart
card reader.
■ Monitor, configure, and troubleshoot multimedia hardware,
such as cameras.
■ Install, configure, and manage Infrared Data Association (IrDA)
devices.
■ Install, configure, and manage wireless devices.
■ Install, configure, and manage USB devices.
■ Update drivers.
■ Monitor and configure multiple processing units.
■ Install, configure, and troubleshoot network adapters.
■ Manage and troubleshoot driver signing.
■ Configure, manage, and troubleshoot the Task Scheduler.
■ Manage and troubleshoot the use and synchronization of offline
files.
■ Manage hardware profiles.
■ Configure support for multiple languages or multiple
locations.
■ Enable multiple-language support.
■ Configure multiple-language support for users.
■ Configure local settings.
■ Configure Windows 2000 Professional for multiple
locations.
■ Configure and troubleshoot desktop settings.
■ Configure and troubleshoot fax support.
■ Configure and troubleshoot accessibility services.

Server Exam 70-215

■ Configure hardware devices.
■ Configure driver signing options.
■ Update device drivers.
■ Troubleshoot problems with hardware.
■ Install, configure, and troubleshoot network adapters and drivers.
CHAPTER 5
Using Control Panel

It seems that Control Panel just gets bigger and better with every new
release of Windows — and Control Panel in Windows 2000 is no excep-
tion. Windows 2000 Control Panel is so robust that I could write a whole book
about it alone. But I’ll try to contain my enthusiasm and boil it down to the
basics you need to prepare for the Microsoft Windows 2000 certification
exams and to use Windows 2000 in the real world.
So, in this chapter, I’ll start with a brief overview of Control Panel. Then I’ll
work my way through Control Panel applications, one at a time. I’ll explain what
each application is used for, and then show you how to use many of the appli-
cations to configure a Windows 2000 computer. As you can tell by reading
the exam objectives for this chapter, a huge focus is placed on installing, con-
figuring, managing, and troubleshooting specific hardware devices on a
Windows 2000 computer. You’ll see that same focus throughout this chapter,
with a lot of emphasis placed on using Add/Remove Hardware, Device
Manager, and various troubleshooting tips and tools.

180 Part II ▼ Installation and Configuration

Chapter Pre-Test
1. What is Control Panel?
2. What application is used to install hardware devices on a
Windows 2000 computer?
3. What term is defined as “a special type of program that enables
an operating system, such as Windows 2000, to recognize and
work with a particular hardware device”?
4. How many displays can a Windows 2000 computer support
simultaneously?
5. What is driver signing?
6. What does IrDA stand for, and what does this organization do?
7. List three tools used to troubleshoot hardware devices on a
Windows 2000 computer.
Chapter 5 ▼ Using Control Panel 181

Overview of Control Panel


Windows 2000 Control Panel is an exhaustive collection of applications,
sometimes called applets. These applications, which are automatically
installed during installation of Windows 2000, are used to install or config-
ure various components, applications, hardware, protocols, and services.
Each Control Panel application is used for a different task. Some soft-
ware packages and some installable services include their own Control
Panel icon, which is displayed in the Control Panel dialog box after the
new application or service is installed.
You can access Control Panel in several ways:
■ Select Start ➪ Settings ➪ Control Panel.
■ Open My Computer, and then double-click Control Panel.
■ Open Windows Explorer either by selecting Start ➪ Programs ➪
Accessories ➪ Windows Explorer, or by right-clicking My
Computer, and then selecting Explore from the menu that appears.
Then click Control Panel.
Figure 5-1 shows a screen shot of Control Panel on a Windows 2000
Server computer. Notice that twenty-four icons are displayed. Also notice
that there are two Web links in the Control Panel dialog box: Windows
Update and Windows 2000 Support. Clicking these links will connect you
with Microsoft’s Windows update or Windows 2000 support Web sites.
Depending on the Windows 2000 operating system you are running
(Professional, Server, or Advanced Server), the hardware components in
your computer, and the services or options you chose to install during
your installation of Windows 2000, you may have either more or fewer
icons displayed in Control Panel.
To start any of the applications in Control Panel, double-click the appli-
cation’s icon.
If you plan to use Control Panel applications extensively, which many
administrators do, you might want to configure your Start menu so that
when you select Start ➪ Settings ➪ Control Panel, a complete list of
Control Panel applications is displayed in a menu. This enables you to start
an application directly, instead of having to start Control Panel first, and
then start the application. The following steps explain how to cause the
Control Panel applications to be displayed in the Start menu.

FIGURE 5-1 Windows 2000 Server Control Panel

STEP BY STEP

CAUSING CONTROL PANEL APPLICATIONS TO APPEAR IN THE START MENU

1. From the Windows 2000 desktop, right-click any blank area in the taskbar. Then
select Properties from the menu that appears.
2. In the Taskbar and Start Menu Properties dialog box, click the Advanced tab.
3. On the Advanced tab, select the check box next to Expand Control Panel, as
shown in Figure 5-2. Click OK.
4. Now, when you select Start ➪ Settings ➪ Control Panel, a full menu of Control
Panel applications is displayed on the desktop, as shown in Figure 5-3.

TIP
Control Panel applications look and feel the same in all of the Windows
2000 operating systems — Professional, Server, and Advanced Server.
FIGURE 5-2 Expanding the Control Panel menu

FIGURE 5-3 Control Panel applications in the Start menu



It’s true that, depending on the Windows 2000 operating system you’re
running, you may have more or fewer Control Panel applications, and
more or fewer configurable options within an application, but basically, if
you know how to use a Control Panel application on one Windows 2000
computer, you’ll be able to use that application on other Windows 2000
computers.
In the next sections, I’ll describe each of the Control Panel applications
and show you how to use many of these applications to configure and
manage a Windows 2000 computer.

Accessibility Options
The Accessibility Options application is used to configure the keyboard,
sound, display, and mouse options on a computer to accommodate users
who are physically challenged, including people who have difficulty striking
multiple keys simultaneously on a keyboard, people who are visually or hear-
ing impaired, or people who have difficulty holding or clicking a mouse.
The Accessibility Options application is available unless you deselected
it during the installation of Windows 2000. Accessibility Options is nor-
mally installed by default, but if it’s not installed on your computer, you can
use the Add/Remove Programs application (discussed later in this chapter)
to install it.
In the following sections, I’ll explain first how to configure Accessibility
Options, and then how to troubleshoot Accessibility Options.

Configuring Accessibility Options


To start Accessibility Options, double-click the Accessibility Options icon
in Control Panel. The Accessibility Options dialog box is shown in Figure
5-4. Notice the five tabs available in this dialog box: Keyboard, Sound,
Display, Mouse, and General.
On the Keyboard tab, you can configure StickyKeys, FilterKeys,
ToggleKeys, and show extra keyboard help in programs. StickyKeys enables
a user to execute keyboard commands that normally require striking two
or more keys simultaneously by striking one key at a time. FilterKeys
instructs Windows 2000 to ignore quick or repeated keystrokes, or to slow
the repeat rate of a key when it is held down. FilterKeys can be helpful
when a user’s hands tremble while typing, or when a user cannot remove a
finger quickly once he or she has pressed a key. ToggleKeys causes Windows
2000 to play a tone every time the Caps Lock, Num Lock, or Scroll Lock
key is pressed. A high tone is played when the key is first pressed, and a
lower tone is played when Caps Lock, Num Lock, or Scroll Lock is pressed
again (and turned off).This feature is helpful for visually impaired users.

FIGURE 5-4 Accessibility Options

On the Sound tab, you can configure the SoundSentry and
ShowSounds. When the SoundSentry is enabled, Windows 2000 displays a
visual warning when the computer makes a sound. When ShowSounds is
enabled, applications display captions for the speech and sounds they gen-
erate. Both of the features on this tab can be helpful for users who are
hearing impaired.
On the Display tab, you can select the High Contrast option if you want
Windows 2000 to use colors and fonts designed to be read easily. You can
select from a white-on-black appearance scheme, a black-on-white
scheme, or a custom scheme that you specify.
On the Mouse tab, you can configure a Windows 2000 computer to use
MouseKeys. MouseKeys enable you to move the cursor by pressing the keys
on your keyboard’s 10-key pad instead of by using a mouse.
TIP
MouseKeys only works when you have a numeric keypad on your key-
board, which some laptop computers don’t have.

On the General tab, you can configure Windows 2000 to turn off acces-
sibility features after the computer has been idle for a specified number of
minutes. You can also configure Windows 2000 to notify you, either visu-
ally or by making a sound, when an accessibility feature is turned on or off.
You can also configure SerialKey devices, such as numeric keypads or
other devices that augment the keyboard and mouse features, on this tab.
As the name implies, SerialKey devices are connected to a computer’s ser-
ial port. Finally, an administrator can choose to apply all selected
Accessibility Option settings to the computer’s default desktop that is dis-
played during logon, to new users that log on to this computer from this
point on, or both.
Making configuration changes in the Accessibility Options application
is fairly straightforward and self-explanatory. For example, suppose you
want to configure keyboard settings for an employee who is unable to
strike two keys simultaneously. Because many keyboard commands use the
Shift, Ctrl, or Alt keys in conjunction with another key, you’ll need to
select the Use StickyKeys option on the Keyboard tab. You can either
accept the default settings for this option, or click Settings for more
StickyKeys configuration options. When you’re finished configuring
Accessibility Options, click OK.

TIP
In the Accessibility Options dialog box (and in many other dialog boxes in
Windows 2000), you can click either OK or Apply. Clicking OK applies
the changes you made and closes the dialog box. Clicking Apply applies
the changes you made, but leaves the dialog box open. You don’t need to
click Apply first, and then OK. Just clicking OK will do the job.

Troubleshooting Accessibility Options


Troubleshooting Accessibility Options is typically a matter of finding the
best combination of settings to meet a particular user’s needs. This is nor-
mally not difficult once you have a good understanding of the various
Accessibility Options features, but sometimes it takes a bit of trial and error
to find the settings that best fulfill a user’s needs. That said, here are a couple
of tips you might want to keep in mind when troubleshooting Accessibility
Options:
■ If you have enabled the StickyKeys option on the Keyboard tab,
but don’t select the “Apply all settings to logon desktop” option on
the General tab, the user who requires the StickyKeys option will
probably be unable to press Ctrl+Alt+Delete to log on.
■ If users report that the Accessibility Options features they use often
stop working, examine the “Turn off accessibility features after idle
for” option on the General tab.You may need to increase the num-
ber of minutes the computer can be idle before the accessibility
features are turned off. (The idle time you can select ranges from
5 to 30 minutes.)

Add/Remove Hardware
The Add/Remove Hardware application is a wizard that helps you add,
remove, unplug, and troubleshoot the hardware in your computer.
Hardware devices that you can add, remove, and troubleshoot include:
■ Display devices/video adapters
■ DVD and CD-ROM devices
■ Input/output (I/O) devices, such as:
    ■ Cameras
    ■ Keyboard
    ■ Modems, including fax modems
    ■ Mouse
    ■ Multimedia devices
    ■ Printers
    ■ Scanners
    ■ Smart card readers
    ■ USB devices
    ■ Wireless devices, such as infrared (IrDA) devices
■ Mobile computer hardware, such as PC Card devices
■ Network adapter cards
TIP
When you add (or remove) hardware by using the Add/Remove
Hardware application, what you’re really doing is installing (or removing)
device drivers for hardware devices that are already installed in (or con-
nected to) the computer.

A device driver is a special type of program that enables an operating system,
such as Windows 2000, to recognize and work with a particular hardware
device.
You must be a member of the Administrators group (on the local com-
puter) to use the Add/Remove Hardware application.
To start the Add/Remove Hardware application, double-click the
Add/Remove Hardware icon in Control Panel. When you start the
Add/Remove Hardware application, Windows 2000 starts the Add/Remove
Hardware Wizard. This wizard takes you through the process of adding,
removing, unplugging, or troubleshooting a hardware device, one step at a
time. I’ll show you when and how to use this wizard to perform each of
these hardware tasks in the next several sections.

EXAM TIP
Because many of the Professional and Server exam objectives deal with
installing, configuring, and troubleshooting hardware devices, and
because Add/Remove Hardware is one of the primary tools used for
these tasks, I urge you to read these next few sections carefully and prac-
tice using this tool.

Adding Plug and Play Devices


If all of the hardware in your computer is Plug and Play, you don’t have to
use the Add/Remove Hardware application to install hardware devices. This
is because Windows 2000 automatically detects, installs, and configures
device drivers for Plug and Play hardware when the hardware is initially
installed in or connected to the computer.
The first time Windows 2000 automatically detects a Plug and Play
hardware device (such as a PC Card or USB device), it displays a Hardware
Found dialog box during the device installation process. It may also
prompt you to provide the location of the manufacturer’s device drivers.
After detection, installation, and configuration of the device is complete,
Windows 2000 may prompt you to restart your computer.
Adding Non–Plug and Play Hardware Devices


Unfortunately, not all hardware is Plug and Play. The Add/Remove
Hardware application is especially useful when:
■ You install Windows 2000, but Windows 2000 fails to install drivers
for all of the hardware in your computer.
■ You add a new hardware device to your Windows 2000 computer,
and Windows 2000 either doesn’t automatically detect the device,
or detects it but doesn’t correctly configure it.
Not long ago I installed Windows 2000 on a computer that contained
an old IDE CD-ROM controller. Windows 2000 didn’t detect the con-
troller, so I had to manually add it using the Add/Remove Hardware appli-
cation. Here are the steps I took, and that you can also use to install any
hardware device that Windows 2000 doesn’t automatically detect, install,
and configure:

STEP BY STEP

USING THE ADD/REMOVE HARDWARE APPLICATION TO ADD A DEVICE

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Hardware.
3. The Add/Remove Hardware Wizard starts. Click Next.
4. The Choose a Hardware Task screen appears, as shown in Figure 5-5. Notice the
two hardware task options in this screen. You can choose either to add or trou-
bleshoot a hardware device, or to uninstall or unplug a hardware device.
To add a new hardware device, select the “Add/Troubleshoot a device” option.
Click Next.
5. Windows 2000 attempts to detect the new hardware device. If Windows 2000 is
unable to detect the device, the Choose a Hardware Device screen appears. This
screen contains a list of all of the hardware devices in your computer that
Windows 2000 has detected and installed. If the device you want to add does
not appear on this list, click “Add a new device” in the Devices list box. Click Next.
6. The Find New Hardware screen appears. Windows 2000 prompts you to choose
whether to have Windows 2000 search for your new hardware device, or to per-
mit you to manually select the hardware device from a list. If you’ve gotten this far
along in the wizard, Windows 2000 probably can’t automatically detect your new
hardware device, so you should select the “No, I want to select the hardware
from a list” option. Click Next.
FIGURE 5-5 Choosing a hardware task

7. The Hardware Type screen appears. Select the type of hardware device you want
to add. (I selected IDE ATA/ATAPI controllers from the Hardware types list
because I was installing an IDE CD-ROM controller.) Click Next.
8. The Select a Device Driver screen appears, as shown in Figure 5-6. Notice that a
list of manufacturers and a list of specific devices (models) are displayed.

FIGURE 5-6 Selecting a device driver


Select the manufacturer of the device you want to add, and then select the spe-
cific model. If the manufacturer or specific model does not appear in the lists, and
you have a manufacturer’s disk with drivers on it, click Have Disk and follow the
instructions presented on-screen. (Because I have a generic, industry standard
IDE controller, I selected a manufacturer of [Standard IDE ATA/ATAPI controllers],
and a model of Standard IDE/ESDI Hard Disk Controller.)
Click Next.
9. If the device you’re adding is not Plug and Play, Windows 2000 displays a warn-
ing dialog box informing you that Windows 2000 could not detect the settings of
the device. If this warning is displayed, click OK.
10. If Windows 2000 is unable to detect the settings of the device, a Resources tab is
displayed, as shown in Figure 5-7. Notice that the configuration for the device I am
adding (Basic configuration 0000) conflicts with devices already installed in the
computer. We know this because hardware conflicts are listed in the “Conflicting
device list” box at the bottom of the dialog box, and are also indicated by the inter-
national “no” symbol (the circle-and-slash) in the “Resource settings” box.

FIGURE 5-7 Device configuration conflicts


In order to correctly configure this dialog box, you’ll need to know what settings
you configured (by jumpers or switches) on the hardware device you installed. For
example, for the IDE CD-ROM controller I installed, I configured the controller to
use the I/O range of 0168-016F, the I/O range of 036E-036E, and an IRQ
(interrupt request) of 10. I chose these settings because that is how the jumpers
on the card itself were configured.
Then, what you have to do is to select, one at a time, the Basic configurations in
the “Settings based on” drop-down list box until you find one that displays the
correct settings (the settings that were manually configured on the card by using
jumpers or switches) in the “Resource settings” box. When you find the correct
setting, no conflicts should be listed in the “Conflicting device list” box. If conflicts
are listed, you must resolve them, either by physically changing the hardware set-
tings on the device you are adding or by using the System application in Control
Panel to change the resource settings on the conflicting device.

TIP
If you’re configuring a Plug and Play device, you don’t need to know the
resource settings for the device. Just try the Basic configuration options,
one at a time, until you find an option that displays no conflicts. Windows
2000 will then configure the Plug and Play device for you.

If you are unable to find a Basic configuration option that matches your hardware
configuration, select the Basic configuration option that most closely matches
your hardware configuration (the settings made on the card using jumpers or
switches). Then highlight the specific resource type in the “Resource settings”
box that does not match your hardware configuration, clear the check box next
to “Use automatic settings” if it is checked, and click Change Setting. If the
“Use automatic settings” check box is grayed out, you won’t be able to manually
change individual settings, but you will still be able to select from among the
Basic configuration options. Follow the instructions presented on-screen to make
the setting match your hardware configuration.
Click OK.
11. In the Start Hardware Installation screen, click Next.
12. In the Completing the Add/Remove Hardware Wizard screen, click Finish.
13. Depending on the type of device being added, a System Settings Change dialog
box may be displayed, notifying you that you must restart your computer before
the new settings will take effect.
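The resource check behind step 10, as an added example that is not the book’s or Microsoft’s code: a small Python model of how the wizard’s “Conflicting device list” can be derived from overlapping I/O ranges and shared IRQs, and of the three ways out that the text names (find the Basic configuration that matches the jumpers, re-jumper the card to a conflict-free configuration, or change the resources of the other device). The device names, the installed devices and the alternative Basic configurations are constructed for illustration; only the values 0168-016F, 036E-036E and IRQ 10 come from the text.

```python
# Added example, not from the book: a model of the wizard's resource-conflict
# check. Installed devices and Basic configurations below are constructed;
# only 0168-016F, 036E-036E and IRQ 10 are taken from the text.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IoRange:
    """An inclusive I/O port range, for example 0x0168-0x016F."""
    start: int
    end: int

    def overlaps(self, other: "IoRange") -> bool:
        # Two inclusive ranges overlap unless one ends before the other starts.
        return self.start <= other.end and other.start <= self.end

    def __str__(self) -> str:
        return f"{self.start:04X}-{self.end:04X}"


@dataclass
class Device:
    """A device (or a candidate Basic configuration) and the resources it claims."""
    name: str
    irq: Optional[int] = None
    io: List[IoRange] = field(default_factory=list)


def find_conflicts(candidate: Device, installed: List[Device]) -> List[Tuple[str, str]]:
    """Return (conflicting device, resource) pairs, like the wizard's list box."""
    conflicts: List[Tuple[str, str]] = []
    for dev in installed:
        if candidate.irq is not None and dev.irq == candidate.irq:
            conflicts.append((dev.name, f"IRQ {candidate.irq}"))
        for mine in candidate.io:
            for theirs in dev.io:
                if mine.overlaps(theirs):
                    conflicts.append((dev.name, f"I/O {mine} overlaps {theirs}"))
    return conflicts


def matching_configuration(basic_configs: List[Device], jumpers: Device) -> Optional[int]:
    """Index of the Basic configuration whose resources equal the card's jumper settings."""
    for i, cfg in enumerate(basic_configs):
        if cfg.irq == jumpers.irq and set(cfg.io) == set(jumpers.io):
            return i
    return None


def recommend(basic_configs: List[Device], installed: List[Device], jumpers: Device):
    """Map the situation onto the three outcomes the text describes."""
    idx = matching_configuration(basic_configs, jumpers)
    if idx is not None and not find_conflicts(basic_configs[idx], installed):
        return ("use", idx)                 # matching configuration, no conflicts
    clean = [i for i, cfg in enumerate(basic_configs)
             if not find_conflicts(cfg, installed)]
    if clean:
        return ("rejumper", clean)          # set the card's jumpers to one of these
    if idx is None:
        return ("no_match", [])             # nothing matches and nothing is free
    return ("change_other_device", find_conflicts(basic_configs[idx], installed))


# Constructed sample data (hypothetical devices on a hypothetical machine).
INSTALLED = [
    Device("Primary IDE controller (constructed)", irq=14,
           io=[IoRange(0x01F0, 0x01F7), IoRange(0x03F6, 0x03F6)]),
    Device("Floppy disk controller (constructed)", irq=6, io=[IoRange(0x03F0, 0x03F5)]),
    Device("Sound card (constructed)", irq=10, io=[IoRange(0x0220, 0x022F)]),
]
BASIC_CONFIGS = [
    Device("Basic configuration 0000", irq=14, io=[IoRange(0x01F0, 0x01F7)]),
    Device("Basic configuration 0001", irq=10,
           io=[IoRange(0x0168, 0x016F), IoRange(0x036E, 0x036E)]),  # values from the text
    Device("Basic configuration 0002", irq=11,
           io=[IoRange(0x0168, 0x016F), IoRange(0x036E, 0x036E)]),
]
# The card as jumpered: the settings quoted in the text.
JUMPERS = Device("IDE CD-ROM controller as jumpered", irq=10,
                 io=[IoRange(0x0168, 0x016F), IoRange(0x036E, 0x036E)])

if __name__ == "__main__":
    for cfg in BASIC_CONFIGS:
        print(cfg.name, "->", find_conflicts(cfg, INSTALLED) or "no conflicts")
    print("Matching configuration:", matching_configuration(BASIC_CONFIGS, JUMPERS))
    print("Recommendation:", recommend(BASIC_CONFIGS, INSTALLED, JUMPERS))
```

With the constructed data, Basic configuration 0001 matches the jumpers but shares IRQ 10 with the constructed sound card, so the recommendation is to re-jumper the card to configuration 0002, which is conflict-free; the alternative the text offers is to move the sound card to another IRQ through the System application.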
Removing Hardware Devices


The Add/Remove Hardware application is also useful for removing hard-
ware devices.
Sometimes you may want to completely remove all drivers associated
with a hardware device that you plan to physically remove from the com-
puter. Windows 2000 refers to this as uninstalling. Other times, you may
want to stop all drivers that may be running for a particular hardware
device in preparation for disconnecting the device (such as a PC Card or
USB device) from a computer. Windows 2000 refers to the physical dis-
connecting of the device as unplugging, or sometimes ejecting, especially in
the case of PC Cards. When you prepare for unplugging or ejecting, it’s
somewhat different from uninstalling, because when you unplug or eject
you want to leave all of the drivers for the device installed, so that you can
plug the device back in again at a later time.
Here are the basic steps to use the Add/Remove Hardware application
to uninstall a hardware device. I used these steps to uninstall a network
adapter card, but you can use them to uninstall any hardware device.

STEP BY STEP

USING THE ADD/REMOVE HARDWARE APPLICATION TO UNINSTALL A DEVICE

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Hardware.
3. The Add/Remove Hardware Wizard starts. Click Next.
4. In the Choose a Hardware Task screen, select the “Uninstall/Unplug a device”
option. Click Next.
5. The Choose a Removal Task screen appears. Select the “Uninstall a device”
option and click Next.
6. The Installed Devices on Your Computer screen appears. Click the device you
want to uninstall, and then click Next.
7. In the Uninstall a Device screen, review the device that is listed. If it’s the device
you want to uninstall, select the “Yes, I want to uninstall this device” option.
Click Next.
8. The Completing the Add/Remove Hardware Wizard screen appears. Click Finish.
CAUTION
Don’t just reach back and unplug the device at this point — if you do, you could damage the device or your computer because the device’s drivers are still running in memory, even though they’ve been removed from the hard disk.

Now you can shut down your computer and remove the hardware device.

After uninstalling a device, you should either shut down your computer and remove the device, as I just mentioned, or use the steps that follow to unplug a device and then remove the device from your computer.

There are two methods you can use to unplug or eject a device. You can use the Add/Remove Hardware application in Control Panel, or you can use the Unplug or Eject Hardware icon that Windows 2000 automatically displays in the taskbar when a PC Card or USB device is installed. I’ll explain how to use both methods in the steps that follow.

STEP BY STEP

USING THE ADD/REMOVE HARDWARE APPLICATION TO UNPLUG A DEVICE

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Hardware.
3. The Add/Remove Hardware Wizard starts. Click Next.
4. In the Choose a Hardware Task screen, select the “Uninstall/Unplug a device” option. Click Next.
5. The Choose a Removal Task screen appears. Select the “Unplug/Eject a device” option and click Next.
6. The Select Device to Unplug screen appears, as shown in Figure 5-8. Notice the devices that you can unplug. Also notice the icon that appears above the “Hardware devices” box. This is the Unplug/Eject icon, and it will be mentioned again in a later step. Click the device you want to unplug. Click Next.

FIGURE 5-8 Using Add/Remove Hardware to unplug a device

7. The Confirm Device screen appears. In this screen, Windows 2000 lists the device or devices it is preparing to unplug. In some cases more devices than the one you selected will be listed. If additional devices are shown, it is because they are dependent on the device you selected. To continue unplugging the device(s), click Next.
8. The Completing the Add/Remove Hardware Wizard screen appears, as shown in Figure 5-9. Note the Unplug/Eject icon in this screen, and notice where Windows 2000 displays this icon on the taskbar. Click Finish. It is now safe to unplug or eject the device.
FIGURE 5-9 The Unplug/Eject icon

Here’s a shortcut method you can use to unplug or eject a device. In fact, it accomplishes the same job as the Add/Remove Hardware Wizard, and it’s quicker to use.

STEP BY STEP

USING THE UNPLUG/EJECT ICON IN THE TASKBAR TO UNPLUG A DEVICE

1. Double-click the Unplug/Eject icon on the taskbar (it’s located next to your system clock).
2. The Unplug or Eject Hardware dialog box appears. Click the device you want to unplug or eject. Click Stop.
3. The Stop a Hardware Device dialog box appears, listing the device (or devices) to be unplugged. Click OK to continue.
4. Windows 2000 displays the Safe to Remove Hardware dialog box, indicating it is now okay to remove the hardware device. Click OK, and unplug or eject the device.
Using Add/Remove Hardware to Troubleshoot Devices

As I mentioned early on in this section, the Add/Remove Hardware application can be used when troubleshooting numerous hardware devices. I find this application particularly useful for identifying and resolving hardware configuration problems and hardware device driver issues. The following steps illustrate how to use the Add/Remove Hardware application for troubleshooting a hardware device.

STEP BY STEP

USING THE ADD/REMOVE HARDWARE APPLICATION TO TROUBLESHOOT A DEVICE

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Hardware.
3. The Add/Remove Hardware Wizard starts. Click Next.
4. In the Choose a Hardware Task screen, select the “Add/Troubleshoot a device” option. Click Next.
5. The Choose a Hardware Device screen appears. This screen displays a list of all hardware installed in your computer. If Windows 2000 is unable to start the device driver for a particular device, it will display an exclamation point inside a yellow circle over the icon for the device. If Windows 2000 is unable to identify the device driver for a device, it will display a question mark in place of a regular device icon. Click the device you want to troubleshoot. Then click Next.
6. The Completing the Add/Remove Hardware Wizard screen appears. Pay special attention to the device status displayed in this screen for the device you selected. You may want to write down the device’s status in case you are unable to solve your problem. Click Finish.
7. Depending on the type of device and the device status displayed, Windows 2000 may either:
■ Start the Upgrade Device Driver Wizard and prompt you to install a new device driver,
■ Start Windows 2000 Help and display a specific error code for your device, complete with a description of the problem and recommended solutions, or
■ Start Windows 2000 Help and display a Troubleshooter for the selected device. If the Troubleshooter is displayed, answer the series of questions presented to pinpoint your problem and find suggested solutions.
Follow the instructions presented on-screen to finish troubleshooting your device.
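The yellow exclamation point and question mark described in step 5 correspond to Plug and Play problem codes that Windows also exposes through WMI, so the device status you are told to write down in step 6 can be collected from many machines at once. The following is an added example, not from the book, that lists every device reporting a problem code. It assumes a Windows host with PowerShell 3.0 or later and the CIM cmdlets (Windows 2000 itself predates PowerShell, so run it on a later Windows); the `Win32_PnPEntity` class and its `ConfigManagerErrorCode` property are standard WMI, the code descriptions in the table are a handful of well-known values rather than the complete list, and the CSV path is a placeholder.

```powershell
# Added example (not from the book): list Plug and Play devices that Windows
# reports as having a problem, the same devices the Add/Remove Hardware Wizard
# and Device Manager mark with a yellow exclamation point or a question mark.
# Assumes a Windows host with PowerShell 3.0 or later; Windows 2000 itself has
# no PowerShell, so run this on a later Windows version.

# A few well-known Configuration Manager problem codes (the complete list is in
# Microsoft's Device Manager error code documentation).
$problemCodes = @{
    1  = 'Device is not configured correctly'
    10 = 'Device cannot start'
    12 = 'Device cannot find enough free resources'
    22 = 'Device is disabled'
    28 = 'Drivers for this device are not installed'
    31 = 'Windows cannot load the drivers required for this device'
    43 = 'Windows stopped this device because it reported problems'
}

function Get-ProblemDevice {
    # ConfigManagerErrorCode is 0 for a healthy device; anything else is a problem.
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
        ForEach-Object {
            $code = [int]$_.ConfigManagerErrorCode
            $description = 'See the Device Manager error code list'
            if ($problemCodes.ContainsKey($code)) { $description = $problemCodes[$code] }
            [pscustomobject]@{
                Name        = $_.Name
                DeviceID    = $_.DeviceID
                Code        = $code
                Description = $description
            }
        }
}

# Usage: show the problem devices and keep a copy of the status alongside the
# "write down the device status" advice in step 6 (placeholder output path).
$devices = @(Get-ProblemDevice)
if ($devices.Count -gt 0) {
    $devices | Format-Table -AutoSize
    $devices | Export-Csv -Path (Join-Path $env:TEMP 'problem-devices.csv') -NoTypeInformation
} else {
    Write-Host 'No devices report a problem code.'
}
```

Run the script before and after a driver change and compare the two CSV files; a device that moves from code 0 to 28 or 31 tells you the driver installation, not the hardware, is what failed.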
Add/Remove Programs

The Add/Remove Programs application is used to install and remove third-party software and to add and remove optional Windows 2000 components. All users can use the Add/Remove Programs application to add and remove third-party applications, but only members of the Administrators group can use the portion of this application that enables you to add and remove optional Windows 2000 components.

To start the Add/Remove Programs application, double-click the Add/Remove Programs icon in Control Panel.

Adding a Program

One of the most common uses for the Add/Remove Programs application is to add a new program or application. To add a new program, such as a word processing application or a game, insert the application’s compact disc (or first installation floppy disk) into your computer. In the Add/Remove Programs application main dialog box, click Add New Programs. A dialog box is displayed, as shown in Figure 5-10. Notice that you can either add a program from a compact disc or a floppy disk, or you can connect to Microsoft’s Web site over the Internet and download new or updated Windows 2000 features, device drivers, service packs, and so on. If your Windows 2000 computer is a member of a domain, another option is displayed in this dialog box that enables you to add programs from your corporate network. Follow the instructions presented on-screen to install the new program.

Removing a Program

Another common use of this application is to remove an installed program, perhaps because the program is not functioning properly, because you want to free up disk space, or for any other reason. You can use the Add/Remove Programs application to remove a program entirely, or to remove a discrete component within a program. The following steps explain how to use the Add/Remove Programs application to remove a program.
FIGURE 5-10 Adding a new program

STEP BY STEP

USING ADD/REMOVE PROGRAMS TO REMOVE A PROGRAM

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. The Add/Remove Programs dialog box appears, as shown in Figure 5-11. Notice the three tasks you can perform by using this application: Change or Remove Programs, Add New Programs, and Add/Remove Windows Components. Also notice in Figure 5-11 that a list of programs that are currently installed in the computer is displayed. Highlight (click) the application you want to remove. When you highlight a program, Windows 2000 displays the amount of disk space the program uses, how often the program is used, and the date the program was last used. Click Change/Remove.
4. A warning dialog box may be displayed, asking you to insert the program’s compact disc. Follow the instructions and click OK.
5. Follow the instructions presented on-screen to remove the program.

FIGURE 5-11 The Add/Remove Programs dialog box

Although the stated purpose of this section (and the previous steps) is all about removing a program, I should point out that many application setup programs, when launched using the preceding steps, also enable you to add components at this time. This can be a useful feature when you want to add and delete components of a program, but don’t want to remove the program entirely.
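The list of installed programs shown in Figure 5-11 is built from the Uninstall subkeys in the registry, which makes those keys a convenient source for a software inventory: the same data, but in a form you can save and compare. Here is an added example, not from the book, that reads those entries with PowerShell and compares them with a saved baseline so that software which appeared without a change record stands out. It assumes a Windows host with PowerShell 3.0 or later (Windows 2000 has no PowerShell); the baseline path under `$env:TEMP` is a placeholder, and the `WOW6432Node` key exists only on 64-bit Windows.

```powershell
# Added example (not from the book): inventory installed programs from the
# registry keys that populate the Add/Remove Programs list, then compare the
# result with a saved baseline. Assumes PowerShell 3.0 or later on Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 64-bit Windows only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
)

function Get-InstalledProgram {
    foreach ($key in $uninstallKeys) {
        # Keys that do not exist on this machine are skipped silently.
        $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($e in $entries) {
            # Entries without a DisplayName are not shown in the GUI either.
            if (-not $e.DisplayName) { continue }
            [pscustomobject]@{
                DisplayName     = [string]$e.DisplayName
                DisplayVersion  = [string]$e.DisplayVersion
                Publisher       = [string]$e.Publisher
                InstallDate     = [string]$e.InstallDate       # yyyymmdd when the installer recorded it
                UninstallString = [string]$e.UninstallString   # the command Change/Remove runs
                Hive            = ($key -split '\\')[0]        # HKLM: or HKCU:
            }
        }
    }
}

# Compare today's inventory with the baseline (placeholder path). On the first
# run there is no baseline yet, so the current inventory becomes the baseline.
$baselinePath = Join-Path $env:TEMP 'installed-programs-baseline.csv'
$current = @(Get-InstalledProgram | Sort-Object DisplayName, DisplayVersion)

if (Test-Path $baselinePath) {
    $baseline = @(Import-Csv -Path $baselinePath)
    # '=>' marks programs present now but not in the baseline; '<=' marks removals.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property DisplayName, DisplayVersion |
        Sort-Object DisplayName |
        Format-Table DisplayName, DisplayVersion, SideIndicator -AutoSize
} else {
    $current | Export-Csv -Path $baselinePath -NoTypeInformation
    $current | Format-Table DisplayName, DisplayVersion, Publisher, InstallDate -AutoSize
}
```

The `UninstallString` column is worth keeping in the baseline even though it is not compared: an entry whose DisplayName matches the baseline but whose uninstall command now points somewhere unexpected is exactly the kind of change the GUI list will never show you.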

Adding or Removing Optional Windows 2000 Components

You can also use the Add/Remove Programs application to add or remove any of the optional Windows 2000 components. You might want to add components that you didn’t know you’d need when you installed Windows 2000, or you might want to remove components that you’ve determined are unnecessary for you or your users. Here’s how to add or remove optional Windows 2000 components:

STEP BY STEP

USING ADD/REMOVE PROGRAMS TO ADD/REMOVE OPTIONAL WINDOWS 2000 COMPONENTS

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove Windows Components.
4. The Windows Components Wizard starts, as shown in Figure 5-12. Notice the detailed list of optional Windows 2000 components.

FIGURE 5-12 Adding or removing optional Windows 2000 components

To add or remove a component, select or clear the check box next to that component. The check boxes in this dialog box have three possible states:
■ Checked: If the check box next to a component is checked when the dialog box first appears, this component, and all of its subcomponents, is already installed on this computer. If you select a check box that was previously cleared, this component, and all of its subcomponents, will be installed during this process.
■ Cleared: If the check box next to a component is cleared when the dialog box first appears, this component, and all of its subcomponents, is not installed on this computer. If you clear a check box that was checked or gray checked, this component, and all of its subcomponents, will be removed by this process.
■ Gray Checked: If the check box next to a component is gray checked when the dialog box first appears, this component and selected subcomponents are already installed on this computer. If you highlight a component, click Details, and then select or clear check boxes next to specific subcomponents, Windows 2000 will make the requested changes by either adding or removing selected subcomponents.
As you can tell from the preceding check box descriptions, you can control which subcomponents of a component are added or removed. To configure specific subcomponents, highlight a component and click Details. In the dialog box that appears, select the check boxes next to the subcomponents you want to add, clear the check boxes next to the subcomponents you want to remove, or both, and then click OK. Click Next.
5. Windows 2000 configures components, and makes the configuration change(s) you requested. When the Completing the Windows Components Wizard screen appears, click Finish.
6. Click Close to exit the Add/Remove Programs application.

Administrative Tools Folder

The Administrative Tools folder, like its name implies, is a folder (located in Control Panel) that contains numerous Windows 2000 tools that you can use to manage your Windows 2000 computer and network. You must be a member of the Administrators group to perform most of the tasks that can be done using the tools in the Administrative Tools folder — that’s why they’re called administrative tools.

Date/Time

The Date/Time application is used to configure the date, time, time zone, and optional adjustment for daylight saving time. You must be a member of the Administrators group to use the Date/Time application.

To start the Date/Time application, double-click the Date/Time application in Control Panel, or double-click the clock/time display in the lower-right-hand corner of the taskbar on your desktop.

Because the configuration options and settings in this application are straightforward and self-explanatory, I won’t go into a detailed discussion of how to use this application.

Display

The Display application is used to configure a computer’s desktop settings, including background, screen saver options and computer power settings, desktop appearance, Web pages that appear on the Active Desktop, desktop icons and visual effects, and display adapter settings (including multiple-display support). You can also configure the display to use large fonts, large icons, and a high-contrast color scheme to accommodate a visually challenged user. In addition to configuring desktop and display settings, the Display application is also useful for troubleshooting desktop settings and video adapters.

To start the Display application, double-click the Display icon in Control Panel; or, simply right-click the desktop and select Properties from the menu that appears.

There are six tabs in the Display Properties dialog box: Background, Screen Saver, Appearance, Web, Effects, and Settings.

Configuring a Display Background

When you first access the Display application, the Background tab appears on top, as shown in Figure 5-13. Notice that you can select a wallpaper background for your desktop on this tab.

There are several configurable options on the Background tab:
■ Select a background picture or HTML document as Wallpaper: You can select any of the pictures or HTML documents in this list box for your background wallpaper on your desktop, or you can click Browse to browse your hard disk(s) for additional pictures or HTML documents. (I really like the Snow Trees wallpaper — check it out if you want to see the beauty of winter without going out in the cold.)

FIGURE 5-13 The Background tab in Display Properties

■ Picture Display: In this drop-down list box, you can select one of three appearance options to apply to the picture you choose for your wallpaper: Center, Tile, or Stretch. If you select Center, the picture you selected for your wallpaper will be centered on your desktop. If you select Tile, multiple copies of the picture will be tiled on your desktop. If you select Stretch, the picture will be stretched to fit your entire desktop.
■ Pattern: Maybe you don’t want a picture on your desktop at all. In this case, you can select a pattern to use as wallpaper, instead of a picture. (In other words, the two choices, picture or pattern, are mutually exclusive.) To select a pattern for your desktop, first select a background picture of None in the “Select a background picture or HTML document as Wallpaper” list box. Then click Pattern. In the Pattern dialog box, select a pattern for your desktop, then click OK.
Once you’ve configured the picture or pattern you want to use as wallpaper on your desktop, click OK.

TIP
If you select an HTML document to use as wallpaper, and you have not previously enabled Active Desktop, a dialog box is displayed, asking if you want to enable Active Desktop now. Click Yes if you want to use the HTML picture you’ve selected as wallpaper.

Working with Screen Savers

The next tab in the Display Properties dialog box is the Screen Saver tab, which is shown in Figure 5-14. Notice that you can configure both screen saver and energy saving features for your monitor on this tab.

FIGURE 5-14 The Screen Saver tab in Display Properties

Screen savers perform an important function — they prevent a static image (such as your desktop) from becoming permanently burned into your monitor screen. I generally recommend that you use some type of screen saver on all of the Windows computers on your network. Some screen savers, I should point out, use more processor power than others. You might want to consider using a screen saver that doesn’t use a lot of processor power — such as the Logon Screen Saver — on your network’s servers.

CAUTION
I don’t recommend that you use any of the “3D” screen savers on servers. Using these screen savers can significantly slow server response time because of the large amount of processor utilization these screen savers need.

Here are the screen saver options you can configure on this tab:
■ Screen Saver: In this drop-down list box, you can select a screen saver that will be displayed on your desktop after a specified number of minutes has passed without any user input. Once you’ve selected a screen saver, you can configure the following optional settings:
■ Settings: Clicking Settings causes a Setup dialog box to be displayed that contains customizable settings for the specific screen saver you’ve selected. In this dialog box, you can make configuration changes, and then click OK.
■ Preview: If you want to preview your screen saver in full screen mode now (as opposed to waiting the specified number of minutes before it is scheduled to start), click Preview. Be careful not to move your mouse after clicking Preview — moving your mouse causes the preview to stop.
■ Password protected: This check box is a security feature of Windows 2000. When selected, Windows 2000, once it runs your screen saver, locks your computer and does not allow any user to access your desktop without first entering either your password or the Administrator’s password.
■ Wait: In this spin box, you can select the number of minutes you want to pass without user input before Windows 2000 starts your screen saver. If you select too low a number, your screen saver may become really annoying.
After you’ve selected and configured your screen saver, click OK.
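Because “Password protected” is the one security control on this tab, it is worth being able to check it, together with the Wait time it depends on, without opening the dialog on every machine. The following is an added example, not from the book, that reads the current user’s screen saver settings from the registry and reports whether the screen saver is enabled, password protected, and set to an acceptable wait time. It assumes a Windows host with PowerShell; the value names `ScreenSaveActive`, `ScreenSaverIsSecure`, `ScreenSaveTimeOut` and `SCRNSAVE.EXE` under `HKCU\Control Panel\Desktop` are the standard ones behind this tab, and the 15-minute limit is an assumed site policy, not anything the book specifies.

```powershell
# Added example (not from the book): audit the settings behind the Screen Saver
# tab for the current user. Assumes PowerShell on Windows; the value names are
# the long-standing ones under HKCU\Control Panel\Desktop.
$desktopKey     = 'HKCU:\Control Panel\Desktop'
$maxIdleMinutes = 15   # assumed site policy: the desktop must lock within 15 minutes

function Test-ScreenSaverLock {
    $d = Get-ItemProperty -Path $desktopKey -ErrorAction Stop

    # The values are REG_SZ strings: "1"/"0" flags and the wait time in seconds.
    $active  = ([string]$d.ScreenSaveActive)    -eq '1'
    $secure  = ([string]$d.ScreenSaverIsSecure) -eq '1'
    $timeout = 0
    if (([string]$d.ScreenSaveTimeOut) -match '^\d+$') { $timeout = [int]$d.ScreenSaveTimeOut }

    $findings = @()
    if (-not $active) {
        $findings += 'No screen saver is enabled (ScreenSaveActive is not 1)'
    }
    if (-not $secure) {
        $findings += '"Password protected" is not selected (ScreenSaverIsSecure is not 1)'
    }
    if ($timeout -eq 0 -or $timeout -gt ($maxIdleMinutes * 60)) {
        $findings += "Wait time is $timeout seconds; policy allows at most $($maxIdleMinutes * 60)"
    }

    [pscustomobject]@{
        ScreenSaver       = [string]$d.'SCRNSAVE.EXE'   # the .scr file chosen in the Screen Saver list
        Active            = $active
        PasswordProtected = $secure
        TimeoutSeconds    = $timeout
        Compliant         = ($findings.Count -eq 0)
        Findings          = ($findings -join '; ')
    }
}

# Usage: show the result; a non-zero exit code lets a scheduled job flag the machine.
$result = Test-ScreenSaverLock
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

A check like this only tells you what a user has chosen; on a domain the same values are normally enforced through Group Policy so the box cannot be cleared, and the audit then serves to confirm that the policy actually applied.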
Configuring Energy Saving Features

You can also configure the energy saving features of your computer by clicking the Power button on the Screen Saver tab. This starts the Power Options application, which is discussed in detail later in this chapter. For now, I’ll say that this application, which enables you to select power schemes, specify hibernation support, and configure a UPS, was originally designed to address the needs of laptop and other mobile computers.

Configuring an Appearance Scheme

The next tab in the Display Properties dialog box is the Appearance tab, which is shown in Figure 5-15. Notice that on this tab you can configure the appearance of windows, dialog boxes, message boxes, and other items that appear in the Item pull-down menu.

FIGURE 5-15 The Appearance tab in Display Properties

On the Appearance tab, you can select a preconfigured appearance scheme, such as Windows Standard (large) or High Contrast Black, that Windows 2000 will apply to your desktop and to all windows, dialog boxes, icons, message boxes, and so on. The default scheme is Windows Standard. Or, you can create and save your own custom scheme by selecting each item individually and configuring the item’s appearance.

Displaying a Web Page on Your Desktop

The next tab in the Display Properties dialog box is the Web tab, which is shown in Figure 5-16. Notice the check box next to “Show Web content on my Active Desktop.”

FIGURE 5-16 The Web tab in Display Properties

The primary purpose of the Web tab is to configure Windows 2000 to display a preselected Web page (or pages) on your desktop at all times. For example, suppose that you want to be able to view, at all times, a Web-based stock ticker that displays the current market price of your company’s publicly traded stock. You can configure the Web tab so that the Web page that contains this ticker will always be displayed on your desktop.

To configure your computer to display a Web page on your desktop at all times, select the check box next to “Show Web content on my Active Desktop,” and click New. In the New Active Desktop Item dialog box, type the complete URL to the Web page you want to display, and click OK. Once you’ve configured a Web page that will be displayed on your desktop, you can configure the Web page’s properties on the Web tab by using the Properties button (notice this is grayed out in Figure 5-16). When you’ve finished configuring the Web tab, click OK.

Configuring Desktop Effects

The next tab in the Display Properties dialog box is the Effects tab, which is shown in Figure 5-17.

FIGURE 5-17 The Effects tab in Display Properties

On the Effects tab you can change icons for items on your desktop, and you can configure various visual effects. The configurable options on this tab are pretty self-explanatory.

Configuring Display Settings and Multiple-Display Support

The last tab in the Display Properties dialog box is the Settings tab, which is shown in Figure 5-18. This tab is used to configure numerous display settings, including multiple-display support.
FIGURE 5-18 The Settings tab in Display Properties

In the following section I’ll show you how to perform some of the most common display configuration tasks, including configuring the number of colors/color depth used by the display, configuring the display’s resolution, and setting the monitor’s refresh frequency.

STEP BY STEP

CONFIGURING DISPLAY SETTINGS: COLORS, RESOLUTION, AND REFRESH FREQUENCY

1. On the Settings tab in the Display Properties dialog box, select the number of colors/color depth you want the display to use from the Colors drop-down list box. Then, in the Screen area box, move the slider to select the appropriate display resolution. The display resolution you choose will depend on the size of your monitor and how large you want text and windows to appear on the monitor.

TIP
With some display adapters, you can either choose a very high color depth (such as True Color) or a high resolution (such as 1024 × 768), but you may not be able to choose both. For example, if you select True Color and then select a high display resolution, Windows 2000 may automatically change your color setting to a lower color depth setting (such as High Color).
2. To set the monitor’s refresh frequency, click Advanced.
3. In the dialog box that appears, click the Monitor tab.
4. On the Monitor tab, select the refresh frequency you want your monitor to use from the drop-down list box. (In general, the higher a refresh frequency you select, the less likely you are to experience flickering on your monitor.) Click OK.
5. In the Display Properties dialog box, click OK.

A Windows 2000 computer can support up to ten display devices (monitors) at the same time. This feature is a huge benefit to users who commonly use multiple applications at the same time, because Windows 2000 permits those users to have a different application open on each monitor. Users of large documents (such as spreadsheets or large graphics documents) also benefit from this feature because it enables them to display a single document across multiple monitors. The next section explains how to use the Settings tab in the Display application to configure multiple-display support.

STEP BY STEP

CONFIGURING MULTIPLE-DISPLAY SUPPORT

1. If your current video card does not support multiple outputs, install and configure one or more additional display devices/video adapters in your Windows 2000 computer.
2. Start the Display application. (To do this, right-click anywhere on your desktop, then select Properties from the menu that appears.)
3. Click the Settings tab.
4. The Settings tab appears, as shown in Figure 5-19. Notice that multiple monitor icons are displayed in this dialog box. Also notice in Figure 5-19 that the primary monitor is shown as a highlighted box with a black frame around it. The primary monitor, by default, is monitor 1. The primary monitor is where the Logon dialog box will be displayed, and is also where applications will open, by default. (You can select which monitor will be used as the primary monitor in Step 6.)
FIGURE 5-19 Configuring multiple-display support

TIP
By default, the primary monitor is the video adapter that is installed in the card slot closest to the power supply in the computer.

To use multiple monitors, you must enable each additional monitor. To enable a monitor, click its icon within the Settings tab, then select the check box next to “Extend my Windows desktop onto this monitor.”
5. After each additional monitor is enabled, you can configure the color and resolution of each monitor by first clicking the monitor’s icon, and then configuring the appropriate settings. You can configure different settings on each individual monitor.
6. Choose the monitor that will serve as your primary monitor. This does not have to be monitor 1. To perform this configuration, click the icon of the monitor you want to use as the primary monitor, then select the check box next to “Use this device as the primary monitor.” If this check box is grayed out, the selected monitor is already configured as the primary monitor.
7. Configure the monitor icons on the Settings tab to match the physical arrangement of your monitors. For example, if you have two monitors, stacked one on top of the other, you can click and drag one monitor under the other so that the picture on the screen coincides with the actual physical arrangement.

IN THE REAL WORLD
Implementing this nifty feature is not quite as simple as it sounds. Windows 2000 only supports specific display adapters for use in a multiple-display configuration. Be sure to consult the Display Adapter (Multimon) section in the Windows 2000 Hardware Compatibility List before you start installing video adapter cards.

Troubleshooting Desktop Settings and Video Adapters

Troubleshooting desktop settings is often a matter of finding the best combination of settings to meet a particular user’s needs. This is normally not difficult once you have a good understanding of the various Display features, but sometimes it takes several attempts to find the settings that best fulfill a user’s needs. That said, here are a few tips you might want to keep in mind when troubleshooting desktop settings:
■ If a user reports that their monitor flickers, you can try increasing the refresh frequency. (To do this, click the Advanced command button on the Settings tab, then click the Monitor tab, and then select a higher refresh frequency from the drop-down list box.)
■ If a user reports that the icons on their desktop are too small or too hard to read, you can either decrease the monitor resolution or select a different appearance scheme, such as one of the High Contrast schemes, or one of the large schemes. (To do this, configure monitor resolution on the Settings tab, or change the appearance scheme on the Appearance tab.)
■ If a user reports that a monitor frequently turns off unexpectedly, examine the energy saving features set for this monitor and consider trying a different power scheme. (To do this, click the Power command button on the Screen Saver tab.)
Windows 2000 includes a handy resource for troubleshooting video adapters/display devices. It’s a special Help feature called the Display Troubleshooter. To access the Display Troubleshooter, click the Troubleshoot command button on the Settings tab. Figure 5-20 shows the Display Troubleshooter.

FIGURE 5-20 The Display Troubleshooter

The Display Troubleshooter takes you through a series of questions and steps to help you identify and resolve various display problems. Follow the instructions presented on-screen to resolve the particular problem you’re experiencing.

Other resources you can also use to troubleshoot video adapters/display devices include the Add/Remove Hardware application, Device Manager, and System Information. Add/Remove Hardware was discussed earlier in this chapter, and I’ll cover Device Manager and System Information later in this chapter.

Fax

The Fax application appears in Control Panel only when a fax device, such as a fax modem, is installed in the computer. The Fax application is used to configure Fax properties, including cover pages and the Fax status monitor. This application can also be used to access the Fax Service Management Console and to add a Fax printer.

To access the Fax application, double-click the Fax icon in Control Panel. There are four tabs in the Fax Properties dialog box: User Information, Cover Pages, Status Monitor, and Advanced Options, as shown in Figure 5-21.

FIGURE 5-21 The Fax Properties dialog box

Notice in Figure 5-21 that the User Information tab appears on top, by default. On this tab you can configure your own personal user information, such as your name, home and work telephone numbers, fax number, and e-mail address. Windows 2000 uses this information to fill in the fields on your fax cover page.

The Fax Service Management Console

One of the most common uses of the Fax application is to access the Fax Service Management Console. This console, which is an MMC snap-in, is used to configure fax devices and fax logging on the local computer.

To access the Fax Service Management Console, click the Advanced Options tab, and then click the Open Fax Service Management Console button. You can also access the Fax Service Management Console from the desktop by selecting Start ➪ Programs ➪ Accessories ➪ Communications ➪ Fax ➪ Fax Service Management. The Fax Service Management Console is displayed, as shown in Figure 5-22. Notice that you can configure both devices and logging in this console.

FIGURE 5-22 The Fax Service Management Console

Probably the most common use of the Fax Service Management


Console is to enable a fax device to receive faxes. By default, Windows
2000 configures fax devices to send faxes, but doesn’t enable these devices
to receive faxes.You must manually make this configuration change. Next,
I’ll explain the steps required to enable a fax device to receive faxes and to
set the station identifier.

STEP BY STEP

CONFIGURING A FAX DEVICE TO RECEIVE FAXES AND SETTING THE STATION IDENTIFIER

1. Start the Fax Service Management Console. (In the Fax application, click the Advanced Options tab, then click the Open Fax Service Management Console button.)
2. The Fax Service Management dialog box appears. In the left pane, click Devices. In the right pane, right-click the fax device you want to configure, and select Properties from the menu that appears.
3. The fax device’s Properties dialog box appears, as shown in Figure 5-23. Notice the check box next to “Enable receive.”
To configure a fax device to receive faxes, select the check box next to “Enable receive.”
In this dialog box you can also configure the Transmitting Station Identifier (TSID), which is a line of text that typically includes the company name and fax number of the fax device you are configuring. You can also configure the Called Station Identifier (CSID), which is a line of text that is usually identical to the TSID.

FIGURE 5-23 Configuring a fax device to receive faxes

TIP
The reason the TSID and the CSID are the same is because they both identify the same fax device. The TSID identifies the fax device when it is in a sending mode, and the CSID identifies the device when it is in a receiving mode.

4. After you configure a fax device to receive faxes, you may want to configure what Windows 2000 will do with received faxes. By default, Windows 2000 stores all received faxes in the C:\Documents and Settings\All Users\Documents\My Faxes\Received Faxes folder. To configure how Windows 2000 treats received faxes, click the Received Faxes tab.
5. On the Received Faxes tab, you can configure Windows 2000 to take any or all of the following actions with received faxes:
■ Print received faxes to a specified printer.
■ Save received faxes in a specified folder (either the default folder or any folder you choose).
■ Send received faxes to a local e-mail inbox.

TIP
In order to configure a fax device to send received faxes to a local e-mail inbox, you must first configure the Fax Service to log on to the computer using a user account that is a member of the Administrators group. You must also be using a MAPI-enabled client e-mail program, such as Microsoft Outlook.

When you’re finished configuring the Received Faxes tab, click OK.
6. Close Fax Service Management.

Troubleshooting Fax Problems

Probably the most common fax problem reported by users is that they have a fax modem installed and configured in their Windows 2000 computer, but they can’t receive faxes. You should ensure that the computer is configured to receive faxes, which, as was stated previously, it is not configured to do by default.
Another common fax problem is that users aren’t able to configure faxes to print to a network printer. To resolve this problem, you must configure the Fax Service to log on using a user account that is a member of the Administrators group.

CROSS-REFERENCE
For more information on configuring a service to log on using a user account, see the “Configuring a service to log on using a user account” step-by-step section in Chapter 15.
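As an added example (mine, not the book’s and not Microsoft’s), the following PowerShell script inventories which services on a computer are configured to log on with a named user account, as the text tells you to do for the Fax Service, and flags those whose account is a member of the local Administrators group. A service running under an administrator account is worth knowing about, because that account’s rights are exactly what the service (and anything that can reconfigure it) runs with. The script assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Windows 2000 itself has no PowerShell; there the same information is read from the Services console). The function names are mine, and nested group membership is not expanded.

```powershell
# Added example, not from the book: list services that log on with a named user
# account (rather than LocalSystem, Local Service or Network Service) and flag
# those whose account is in the local Administrators group. Assumes Windows
# PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module; function
# names are mine. Nested groups are not expanded, so a domain group that is a
# member of Administrators is not followed.
$BuiltInIdentities = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',   'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE'
)

function Get-NamedAccountServices {
    # Every service whose logon account is not one of the built-in identities.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($BuiltInIdentities -notcontains $_.StartName) } |
        Select-Object Name, DisplayName, StartName, StartMode, State
}

function Resolve-LocalAccountName {
    param([string]$StartName)
    # Service configuration stores local accounts as ".\user"; group membership
    # lists them as "COMPUTERNAME\user". Normalise so the two can be compared.
    if ($StartName -like '.\*') { return "$env:COMPUTERNAME\" + $StartName.Substring(2) }
    return $StartName
}

function Get-ServiceAccountReport {
    # The -contains comparison is case-insensitive by default.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    Get-NamedAccountServices | ForEach-Object {
        $account = Resolve-LocalAccountName $_.StartName
        $_ | Add-Member -NotePropertyName IsLocalAdmin -NotePropertyValue ($admins -contains $account) -PassThru
    }
}

# Services marked IsLocalAdmin = True are the ones to review; a Fax Service
# configured as the text describes would appear here with its logon account.
Get-ServiceAccountReport | Sort-Object IsLocalAdmin -Descending | Format-Table -AutoSize
```

Run it after making the change the text describes, and keep the output with your change record: it tells you which services would have to be revisited if that account is later disabled or its password changed.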

If you’re having fax problems on your computer that you are unable to resolve, you might consider configuring Windows 2000 to write the maximum amount of information on fax error events to the Application Log in Event Viewer. You can set logging levels in the Fax Service Management Console.

CROSS-REFERENCE
I’ll cover how to use Event Viewer to view logged event information in Chapter 13.

Other resources you can use to troubleshoot fax devices include the Add/Remove Hardware application, Device Manager, and System Information. Add/Remove Hardware was discussed earlier in this chapter, and I’ll cover Device Manager and System Information later in this chapter.

Folder Options
The Folder Options application is used to customize the manner in which files and folders are displayed, to change file associations (this term is explained later on in the chapter), and to make network files available for use offline.
To start the Folder Options application, double-click the Folder Options icon in Control Panel. You can also access this application by selecting Tools ➪ Folder Options in Windows Explorer. There are four tabs in the Folder Options dialog box: General, View, File Types, and Offline Files, as shown in Figure 5-24. Notice that the General tab appears on top by default.

FIGURE 5-24 The General tab in Folder Options

Making Configurations on the General, View, and File Types Tabs
On the General tab, you can enable or disable Web content on your Active Desktop, enable or disable Web content in folders (such as My Computer or Windows Explorer), configure folder browsing options, and configure whether items can be opened with either a single-click or double-click.
The next tab in Folder Options is the View tab, which is shown in Figure 5-25. Notice that you can set all of your folders to the same view on this tab.

FIGURE 5-25 The View tab in Folder Options

You can configure many advanced file and folder settings on the View tab. For the average user, the default settings are generally appropriate, in my opinion. However, as an administrator, I like to use several of the settings in this dialog box to help me with managing and troubleshooting tasks. For example, I often select the “Show hidden files and folders” option so that I can view all files and folders on a particular disk or computer. In addition, I clear the check boxes next to “Hide file extensions for known file types” and “Hide protected operating system files.” Making these three configuration changes allows me to view (and manage) all of the files on a computer.
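Here is an added example (mine, not the book’s and not Microsoft’s): a PowerShell script that reads and sets the three View-tab options just described by way of the per-user registry values that back them. Windows 2000 itself predates PowerShell, so the script assumes Windows PowerShell 5.1 or later on a current Windows version; the value names Hidden, HideFileExt, and ShowSuperHidden under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced are the ones Explorer uses, and the function names are mine. From an administrator’s point of view, showing extensions matters beyond troubleshooting: with extensions hidden, a file named report.pdf.exe is displayed as report.pdf, so the setting is worth auditing on the computers you manage.

```powershell
# Added example, not from the book: the three View-tab check boxes the text
# describes are stored as REG_DWORD values under this per-user key. Assumes
# Windows PowerShell 5.1+ (Windows 2000 predates PowerShell); value names are
# the ones Explorer reads, function names are mine.
$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExplorerViewSettings {
    # Report the current state of the three options as booleans.
    $p = Get-ItemProperty -Path $AdvancedKey
    [pscustomobject]@{
        ShowHiddenFiles      = ($p.Hidden -eq 1)           # Hidden: 1 = show, 2 = do not show
        ShowFileExtensions   = ($p.HideFileExt -eq 0)      # HideFileExt: 0 = show, 1 = hide
        ShowProtectedOSFiles = ($p.ShowSuperHidden -eq 1)  # ShowSuperHidden: 1 = show, 0 = hide
    }
}

function Set-ExplorerViewSettings {
    # Defaults reproduce the administrator's three changes from the text.
    param(
        [bool]$ShowHiddenFiles      = $true,
        [bool]$ShowFileExtensions   = $true,
        [bool]$ShowProtectedOSFiles = $true
    )
    # -Type DWord creates the value if it does not exist yet.
    Set-ItemProperty -Path $AdvancedKey -Name Hidden          -Type DWord -Value $(if ($ShowHiddenFiles)      { 1 } else { 2 })
    Set-ItemProperty -Path $AdvancedKey -Name HideFileExt     -Type DWord -Value $(if ($ShowFileExtensions)   { 0 } else { 1 })
    Set-ItemProperty -Path $AdvancedKey -Name ShowSuperHidden -Type DWord -Value $(if ($ShowProtectedOSFiles) { 1 } else { 0 })
    # Explorer caches these values: newly opened windows pick them up, and an
    # already running Explorer re-reads them after you log off and on again.
}

# Audit the current state, apply the changes, and confirm them.
Write-Host 'Before:'; Get-ExplorerViewSettings | Format-List
Set-ExplorerViewSettings
Write-Host 'After:';  Get-ExplorerViewSettings | Format-List
```

Because the key is under HKCU, the change applies to the user running the script only; to check a fleet you would run Get-ExplorerViewSettings in each user’s context or read the same values from the loaded user hives.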
The next tab in Folder Options is the File Types tab. On this tab you can specify the application Windows 2000 will use to open files with specified file extensions. When an application is linked in this way to files with a particular file extension, a file association is said to exist. For example, files with the .doc extension are normally opened, by default, by WordPad. Once Microsoft Word is installed on a computer, the association is changed so that files with the .doc extension are opened by Word. Because administrators normally don’t have to change file associations, you probably won’t have to use this tab.

Configuring and Troubleshooting Offline Files

The last tab in Folder Options is the Offline Files tab, which is shown in Figure 5-26. Notice the check box next to Enable Offline Files.

FIGURE 5-26 The Offline Files tab in Folder Options

TIP
The Enable Offline Files check box is selected, by default, on Windows 2000 Professional computers, but you must manually enable offline files on Windows 2000 Server computers.

Offline files are files, folders, or Web pages that are stored on a network server and, in addition, are configured on the local computer so they can be used when the computer is not connected to the network. Offline Files is a more robust version of the Briefcase feature that was introduced in previous versions of Windows.
Offline Files is a great feature for laptop computers. With offline files, you can work on a document (that is stored on a network server) at the office. Then, when you go home with your laptop for the night, you can continue to work on that document just as though you were connected to the network. The next morning, when you return to work and log on to the network, Windows 2000 will synchronize the document on your laptop with the network server so that the server’s version of the document is updated. By default, Offline Files is enabled in Windows 2000 Professional, but is not enabled in Windows 2000 Server.
There are two or three primary tasks involved in configuring offline files, depending on whether you’re running Windows 2000 Professional or Windows 2000 Server. First (if you’re using Windows 2000 Server), you need to enable offline files in the Folder Options application. Then, in Windows Explorer, you select the specific files and folders you want to make available for use offline. Alternatively, you can use Internet Explorer if you want to make a Web page available for use offline. Then you can configure custom synchronization settings of your offline files if necessary. The following sections walk you through these tasks.

STEP BY STEP

ENABLING OFFLINE FILES (WINDOWS 2000 SERVER ONLY)

TIP
If the only type of files you want to make available offline are Web pages, you don’t have to enable offline files.

1. In the Folder Options application, click the Offline Files tab.
2. On the Offline Files tab, select the check box next to Enable Offline Files. Click OK.

SELECTING OFFLINE FILES AND FOLDERS

1. Before you can work with files offline, you have to select the specific files or folders (located on a network server) to make them available for offline use. To do this, start Windows Explorer (select Start ➪ Programs ➪ Accessories ➪ Windows Explorer).
2. In Windows Explorer, right-click the file or folder on the network server you want to make available for offline use, and select Make Available Offline from the menu that appears.
3. Windows 2000 starts the Offline Files Wizard.

TIP
The Offline Files Wizard only runs the first time you make a file or folder available for offline use. If you’ve previously run this wizard, Windows 2000 makes the file or folder available for use offline at this point, and you’re done with this process.

Click Next.
4. Select the check box next to “Automatically synchronize the Offline Files when I log on and log off my computer” if you want Windows 2000 to automatically synchronize the selected offline file or folder at these times. If you want to manually control synchronization, leave this check box blank. Click Next.
5. On the next screen, you can choose to enable periodic reminders that you are currently working offline to be displayed. You can also choose whether to create a shortcut to the Offline Files folder on your desktop. Select the check box next to either or both of these configuration options, as appropriate. Click Finish.
6. Windows 2000 copies the selected offline files from the server to the Offline Files folder on your computer.

MAKING A WEB PAGE AVAILABLE FOR OFFLINE USE

1. Start Internet Explorer. (On the desktop, double-click Internet Explorer.)
2. Connect to the Web site that contains the Web page you want to make available offline.
3. Select Favorites ➪ Add to Favorites.
4. In the Add Favorite dialog box, select the check box next to “Make available offline.” If you want to make Web pages linked to this page available offline or if you want to schedule synchronization of this Web page, click Customize. The Offline Favorite Wizard starts. Follow the instructions presented on-screen to customize the offline Web page.
5. Click OK in the Add Favorite dialog box.

If you selected the check box next to “Automatically synchronize the Offline Files when I log on and log off my computer” when you ran the Offline Files Wizard, Windows 2000 synchronizes offline files each time you log on or off the network. This frequency of synchronization may be all that you need. However, if you want to manually synchronize offline files, or if you want offline files to be synchronized more frequently or at a scheduled time, you can use the steps that follow to accomplish this.

STEP BY STEP

CONFIGURING SYNCHRONIZATION SETTINGS (OPTIONAL)

1. Open Windows Explorer. Then select Tools ➪ Synchronize.
2. The Items to Synchronize dialog box appears.
If you want to synchronize offline files now, click Synchronize.
If you want to view the synchronization status of files or folders (that is, whether or not the file or folder is synchronized), highlight the file or folder and click Properties.
If you want to customize the synchronization of a Web page, highlight the Web page and click Properties. In the Web page’s Properties dialog box, you can view synchronization status, change the synchronization schedule for that particular Web page, and configure the number of pages linked to this Web page, if any, that are made part of the offline Web page.
If you want to schedule the synchronization of offline files, click Setup.
3. The Synchronization Settings dialog box appears, as shown in Figure 5-27. Notice the three tabs in this dialog box: Logon/Logoff, On Idle, and Scheduled.
On the Logon/Logoff tab, select the check box next to the offline files that you want to configure synchronization for. Then, select the check boxes next to “When I log on to my computer” and “When I log off my computer” as appropriate for your needs. You can also configure Windows 2000 to ask you before it synchronizes your offline files if you want.
4. If you want Windows 2000 to synchronize your offline files when your computer is idle for a specified amount of time, click the On Idle tab, which is shown in Figure 5-28.
If you select the check box next to “Synchronize the selected items while my computer is idle,” you may want to click the Advanced command button, which brings up the Idle Settings dialog box, as shown in Figure 5-29.

FIGURE 5-27 Configuring synchronization settings for offline files

FIGURE 5-28 Configuring idle settings for offline files

FIGURE 5-29 Configuring advanced idle settings

In this dialog box you can specify additional idle settings, such as the number of idle minutes before synchronization occurs, how often synchronization will occur if the computer remains idle, and whether Windows 2000 will perform synchronization when the computer is running on battery power. Click OK when you’re finished configuring this dialog box.
5. To schedule when synchronization of offline files occurs, click the Scheduled tab, which is shown in Figure 5-30. You can use this tab if you want Windows 2000 to synchronize offline files at specific times, days, or both.

FIGURE 5-30 Scheduling synchronization tasks

To add a synchronization task, click Add. The Scheduled Synchronization Wizard begins. Click Next, and follow the instructions presented on-screen to schedule the task. When you’ve finished configuring synchronization tasks, click OK.
6. Click Close in the Items to Synchronize dialog box.

If you want to make changes to the way Windows 2000 handles your offline files after you’ve initially made them available offline, you can use the Offline Files tab in Folder Options to configure these changes.

STEP BY STEP

CUSTOMIZING OFFLINE FILE SETTINGS AFTER THE OFFLINE FILES WIZARD HAS RUN (OPTIONAL)

1. In the Folder Options application, click the Offline Files tab.
2. The Offline Files tab appears, as shown in Figure 5-31.

FIGURE 5-31 Customizing offline file settings

On the Offline Files tab, there are several configuration settings you can change:
■ You can disable offline files by clearing the check box next to Enable Offline Files.
■ You can enable or disable reminders to synchronize your offline files. (When offline files are enabled, reminders are enabled, by default, to occur every 60 minutes unless you specifically disabled reminders in the Offline Files Wizard.)
■ You can place (or remove) a shortcut to the Offline Files folder on your desktop.
■ You can configure the maximum amount of hard disk space to use for temporary offline files.
■ You can view the files stored in your Offline Files folder — these are the files you’ve previously configured for offline use.
■ You can delete temporary or permanent versions of offline files contained in the Offline Files folder to free up disk space on your computer.
■ You can configure (using the Advanced command button) how your computer responds when it loses a connection to a server on your network that contains the original copy of your offline files.
When you’re finished configuring this tab, click OK.

When troubleshooting offline files, several issues can arise. Most offline file problems involve synchronization problems. Some common offline file problems and potential solutions are:
■ If a user reports that he or she is unable to make a file available for offline use, check the user’s permissions to the file or folder in question. The user must have share and NTFS permissions that enable the user to read, write, and delete the file or folder.
■ If users of laptop computers report that they don’t have the most current versions of the offline files they work with, ensure that each user’s mobile computer is configured to synchronize files both when the user logs on and logs off the network.
■ If users report that they frequently don’t have enough free disk space to perform tasks, consider decreasing the amount of disk space allocated for temporary offline files, or replacing the hard disk in the user’s computer. However, if the amount of disk space allocated for temporary offline files is set too low, users might not be able to download all of their offline files.
■ If users report slow network response, consider decreasing the frequency of synchronization, or try scheduling synchronization to occur during nonbusiness hours. Synchronization can take up a large amount of network bandwidth.
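The first item above says the user needs share and NTFS permissions to read, write, and delete. Here is an added PowerShell check (mine, not the book’s and not Microsoft’s) that reads a folder’s NTFS ACL and reports whether a given account holds those three rights, treating a Deny entry as overriding an Allow, as NTFS does. It assumes Windows PowerShell 5.1 or later on the server where the shared folder is local; the function name and the sample path and account are mine. It only looks at entries that name the account itself, Everyone, or Authenticated Users, so rights the user gets through other group memberships will not show up, and entries granting generic rights (shown by Get-Acl as large numbers) are not mapped. The share-level half of the check uses Get-SmbShareAccess, which exists on Windows 8 and Windows Server 2012 and later.

```powershell
# Added example, not from the book: check whether an account holds the NTFS
# rights the text says offline files need (read, write, delete) on a folder.
# Assumes Windows PowerShell 5.1+ and a local path on the file server; the
# function name and the sample path/account at the bottom are mine. Only ACEs
# naming the account itself, Everyone or Authenticated Users are considered,
# so rights inherited through other group memberships are not counted, and
# generic-rights entries are not mapped to the specific rights tested here.
function Test-OfflineFilesRights {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity   # e.g. 'DOMAIN\user' or 'BUILTIN\Users'
    )
    $acl        = Get-Acl -Path $Path
    $considered = @($Identity, 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $needed     = @{
        Read   = [System.Security.AccessControl.FileSystemRights]::ReadData
        Write  = [System.Security.AccessControl.FileSystemRights]::WriteData
        Delete = [System.Security.AccessControl.FileSystemRights]::Delete
    }
    $result = [ordered]@{ Path = $Path; Identity = $Identity }
    foreach ($name in 'Read', 'Write', 'Delete') {
        $right   = $needed[$name]
        $allowed = $false
        $denied  = $false
        foreach ($ace in $acl.Access) {
            if ($considered -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $right) -ne $right)       { continue }
            if ($ace.AccessControlType -eq 'Deny') { $denied = $true } else { $allowed = $true }
        }
        # NTFS evaluates Deny entries before Allow entries, so a Deny wins.
        $result[$name] = ($allowed -and -not $denied)
    }
    $result['HasAll'] = ($result['Read'] -and $result['Write'] -and $result['Delete'])
    [pscustomobject]$result
}

# Constructed sample: the folder a user could not take offline and the user's account.
Test-OfflineFilesRights -Path 'D:\Shares\Projects' -Identity 'CORP\alice' | Format-List

# Share permissions, the other half of the requirement, on Windows 8 / Server 2012
# and later (the cmdlet does not exist on older systems):
# Get-SmbShareAccess -Name 'Projects' | Format-Table AccountName, AccessControlType, AccessRight
```

A result of HasAll = False with all three entries False usually means the account is granted access only through a group; in that case, run the check again with the group name as the identity rather than loosening the folder’s permissions.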

Fonts Folder
The Fonts folder is actually a tool used to install, delete, and manage fonts.
To access the Fonts folder, double-click the Fonts icon in Control Panel.
When you open the Fonts folder, numerous fonts are displayed, as shown in Figure 5-32. The Fonts folder displays every font that is installed on the computer. Notice that in this figure each font is represented by an icon that contains the letters TT, O, or A.

FIGURE 5-32 Fonts

The letter contained in a font’s icon indicates what type of font it is. There are three possibilities:
■ A: This letter indicates the font is either a vector, raster, or Adobe Type 1 PostScript font.
■ O: This letter indicates the font is an OpenType font. OpenType fonts are an extension of the TrueType standard.
■ TT: These letters indicate the font is a TrueType font.
Working with fonts is fairly simple. For example, to install a new font, with the Fonts folder open, select File ➪ Install New Font, and then follow the instructions presented on-screen. Or, you can install a new font by opening Windows Explorer, and then dragging the new font and dropping it on the \Winnt\Fonts folder. Windows 2000 will automatically install the new font.
There are at least three easy ways to remove an installed font. You can highlight the font and press Delete. Or, you can right-click the font’s icon, and select Delete from the menu that appears. Or, you can highlight the font, and select File ➪ Delete.
To view what a font looks like, double-click the font’s icon. You can print a sample of the font by clicking Print in the font’s dialog box.

Game Controllers
The Game Controllers application is useful for managing game-related hardware, such as joysticks and gamepads. With Game Controllers, you can add, remove, and configure game controllers. You must be a member of the Administrators group to perform many of the tasks that can be done using the Game Controllers application.
To access Game Controllers, double-click the Game Controllers icon in Control Panel.
Because working with the Game Controllers application is fairly straightforward, and because most network administrators don’t have a lot of game controllers to configure on the job, I won’t bore you with the details of using Game Controllers.

Internet Options
The Internet Options application is a powerful tool that enables you to configure temporary Internet files and a home page; configure security levels for various Web content zones; manage content ratings, certificates, and personal information; configure dial-up and LAN connections to the Internet, including proxy server settings; specify which program Windows 2000 will use for each Internet service; and configure multiple advanced settings.

TIP
If you’re familiar with Internet Explorer (version 5.x) on Windows 95, Windows 98, or Windows NT, you’ll find that the Internet Options application in Windows 2000 is the same as the Internet Options application that is installed with Internet Explorer 5 on computers that run these other operating systems.

To access Internet Options, double-click the Internet Options icon in Control Panel. Or, you can open Internet Explorer, and then select Tools ➪ Internet Options.

Keyboard
The Keyboard application is used to configure specific keyboard features, including speed of character repeat and cursor blink rate, input locale (including keyboard layout), and keyboard device type.
To start the Keyboard application, double-click the Keyboard icon in Control Panel.
There are three tabs in the Keyboard Properties dialog box: Speed, Input Locales, and Hardware. The Speed tab is shown in Figure 5-33.
If you want to adjust the character repeat delay, the character repeat rate, or the cursor blink rate, drag the slider to the desired speed, and click OK.
The Input Locales tab, which is shown in Figure 5-34, is used to configure both the input locale (the language and locality of the language, such as English United States) and the keyboard layout.

FIGURE 5-33 The Speed tab in Keyboard Properties

FIGURE 5-34 The Input Locales tab in Keyboard Properties

EXAM TIP
The Professional exam has five objectives on configuring a computer for multiple languages and multiple locations. Multiple locations are configured on the Input Locales tab in Keyboard or Regional Options (which is covered later in this chapter), and multiple languages are configured in Regional Options. I recommend that you know how to use both of these applications in your sleep!

The default input locale is English (United States). You can add other input locales (such as English [United Kingdom] or Dutch [Netherlands]) by clicking Add on the Input Locales tab, selecting the input locale you want from the Input locale drop-down list box, and then clicking OK. You can also remove an input locale on this tab by highlighting the input locale and clicking Remove.

TIP
You can have multiple input locales installed on a single computer.

The default keyboard layout option is US. To configure keyboard layout options, first highlight the input locale for which you want to modify the keyboard layout. Then click Properties, and select the keyboard layout you want from the “Keyboard layout/IME” drop-down list box, and click OK.
You can also use the Input Locales tab to configure hot key sequences to switch between input locales, and to switch to a particular input locale.
The Hardware tab is used to configure the hardware properties of your keyboard. This tab offers you the same configuration options that are available in Device Manager (which will be covered later in this chapter).

Licensing
The Licensing application is used to manage licensing and licensing replication on the local Windows 2000 Server computer. The Licensing application is not available on Windows 2000 Professional computers. You must be a member of the Administrators group to use the Licensing application.
A licensing mode (Per Server or Per Seat) is selected and the number of client access licenses is configured during the installation of Windows 2000 Server. However, if you purchase additional client licenses, or decide after installation to change your licensing mode, you can use the Licensing application to accomplish this.

CAUTION
It is a violation of the Windows 2000 licensing agreement to change the licensing mode of a server from Per Seat to Per Server.

The Licensing application in Control Panel is useful only for managing licensing on the local computer. If you want to manage licensing for your network from a central location, you should use the Licensing tool in the Administrative Tools folder.
To start Licensing, double-click the Licensing icon in Control Panel.
Two tasks you might want to use the Licensing application in Control Panel to perform are adding client licenses and changing the licensing mode of the local Windows 2000 Server computer. I’ll explain how to make these changes in the next section.

STEP BY STEP

ADDING CLIENT LICENSES AND CHANGING THE LICENSING MODE

1. Start Licensing. (Select Start ➪ Settings ➪ Control Panel, and then double-click Licensing.)
2. The Choose Licensing Mode dialog box appears, as shown in Figure 5-35.

FIGURE 5-35 Configuring licensing

If you use the Per Server license mode and want to add client licenses that you have purchased, click Add Licenses.
3. In the New Client Access License dialog box, enter the number of new licenses that you want to add in the Quantity spin box, and click OK.
4. In the Per Server Licensing dialog box, agree to the license agreement and click OK. When the Choose Licensing Mode dialog box reappears, the number of concurrent connections is changed to reflect the number of client licenses you added.
5. To change your licensing mode from Per Server to Per Seat, select the “Per seat” option, and click OK.
6. In the Per Seat Licensing dialog box, agree to the license agreement and click OK.

Mouse
The Mouse application is used to configure a mouse or other pointing device.
To start the Mouse application, double-click the Mouse icon in Control Panel.
There are four tabs in the Mouse Properties dialog box, as shown in Figure 5-36. Notice the Buttons, Pointers, Motion, and Hardware tabs.

FIGURE 5-36 Mouse Properties

On the Buttons tab, you can configure either a right-handed or left-handed button configuration, whether a single-click or double-click will open a file or folder, and double-click speed. The default settings in this dialog box are the right-handed button configuration, double-click to open an item, and medium double-click speed.
The settings on the Buttons tab are pretty self-explanatory, but do notice the small box in the Test area. You can double-click this box to test your double-click speed. When the system detects a double-click here, a clown pops up like a jack-in-the-box. When you double-click again, the clown disappears back into the box. If you double-click in the Test area and nothing happens, you probably have your double-click speed set too high. Drag the slider to a slower speed and retest your setting.
The Pointers tab is used to select and customize a pointer scheme. The pointer is the arrow on your screen that moves as you move your mouse. For laptops with dual scan displays, I recommend the Magnified scheme because it’s easier to see the larger pointer on the screen. I also like this scheme for teaching and for giving presentations.
The Motion tab is used to configure the speed and acceleration of your pointer. You can also select an option on this tab that causes the pointer to be automatically positioned over the default button in all dialog boxes when they are first opened. This option is called the “Snap to default” option.
The Hardware tab is used to configure the hardware properties of your mouse or pointing device. This tab offers you the same configuration options that are available in Device Manager (which will be covered later in this chapter).

Network and Dial-Up Connections Folder
The Network and Dial-up Connections folder in Control Panel is used to manage and configure local area and dial-up connections. Within this folder you can create new local area or dial-up connections, delete existing connections, and configure existing connections.

CROSS-REFERENCE
Because the Network and Dial-up Connections folder is primarily used to perform networking tasks, I’ll explain how to use this folder in Chapter 15.

Phone and Modem Options
The Phone and Modem Options application in Control Panel is used to configure telephone dialing rules and modem properties. This application is used to configure dialing rules for fax servers or for other applications that use a modem to dial out, and is sometimes used to configure dialing rules for dial-up connections when they are dialed from more than one location.
Although any user can access and use the Phone and Modem Options application, you must be a member of the Administrators group to add and configure modems.

CROSS-REFERENCE
I’ll explain how to use Phone and Modem Options when I discuss dial-up connections in Chapter 15.

Power Options
The Power Options application enables you to configure energy-saving
settings for your computer. This application was originally designed to
address the needs of laptop and other mobile computers. The battery life
limitations of these computers inspire us to think about saving energy.This
application is also useful for conserving energy used by desktop comput-
ers. If you’re thinking, “Who cares about saving energy?” consider this: I
recently saw a sign in a building of a Redmond, Washington–based soft-
ware company that indicated the company could save over $1,000,000 a
year if everyone turned off equipment when it was not in use.
The Power Options application also enables you to install and configure
an uninterruptible power supply (UPS). A UPS permits an orderly shut-
down of your computer to avoid data loss during a power outage.
Although all users can start the Power Options application, you must be
a member of the Administrators group to use this application.
To start the Power Options application, double-click the Power Options
icon in Control Panel. Figure 5-37 shows the Windows 2000 Professional
version of the Power Options Properties dialog box.
4701-1 ch05.f.qc 4/24/00 09:11 Page 238

238 Part II ▼ Installation and Configuration

FIGURE 5-37 Power Options Properties

As Figure 5-37 shows, there are five tabs in the Power Options Properties dialog box: Power Schemes, Advanced, Hibernate, APM, and UPS.

TIP
The APM tab is only available on Windows 2000 Professional computers.

Configuring Power Schemes, Advanced Options, and Hibernation
On the Power Schemes tab, you can select a power scheme for your computer to use. There are several power schemes you can select from, including home/office desk, portable/laptop, max battery, always on, and so on. Each power scheme has its own preconfigured settings that determine how long Windows 2000 will wait, with no user input, before it turns off the computer’s monitor, hard disks, or both. Once you select a power scheme, you can customize its default time settings for powering off the monitor and hard disks to meet your needs.
Chapter 5 ▼ Using Control Panel 239

On the Advanced tab, you can select a check box that will cause Windows 2000 to always show the Power Options icon (which appears as a power cord and plug) on the taskbar. You can then double-click this icon in the taskbar to quickly access the Power Options application.
On the Hibernate tab, you can enable hibernation support. When hibernation support is enabled, an additional option — Hibernate — is added to the Shut Down Windows dialog box that is displayed when you select Start ➪ Shut Down. When you select this method of shutting down, the contents of the computer’s memory are saved to a file on its hard disk, and then the computer is shut down. When you restart the computer, the contents of memory are reloaded, and you can continue working in whatever program was open when hibernation occurred. This feature is particularly useful to users of laptop and other mobile computers who may frequently need to shut down and restart their computers (such as prior to an aircraft’s takeoff and landing). To enable hibernation support, select the “Enable hibernate support” check box on this tab.

Configuring Advanced Power Management (APM)


Windows 2000 Professional has an additional tab in the Power Options application: APM, which stands for Advanced Power Management. APM is an older power management scheme that Windows 2000 supports only on laptop and other mobile computers. APM should never be enabled on a desktop or server computer.
In general, APM is useful on laptop computers that have BIOS support. If for some reason APM is disabled in your computer’s BIOS, you must enable it before you can configure APM in Windows 2000.
It’s important that you understand that APM is actually working in two places — in your computer’s BIOS and in the Windows 2000 Professional operating system. To ensure that you can control the functioning of APM in the Windows 2000 Professional operating system, you should select the APM setting in your computer’s BIOS that provides greatest system performance — this is typically called “Maximum Performance” and is the opposite of the Maximum Power Savings setting.
You can use the APM tab in Power Options to turn Advanced Power Management on and off. To turn on Advanced Power Management, select the check box next to “Enable Advanced Power Management support” on the APM tab, and click OK.
Once APM is enabled on a Windows 2000 Professional computer, some
interesting changes occur in Power Management. Figure 5-38 shows the
Power Options Properties dialog box immediately after APM is enabled.

Notice that two additional tabs — Alarms and Power Meter — have been added to the dialog box. Also notice that the UPS tab is no longer present. Microsoft assumes that if you’re using Advanced Power Management you won’t be using a UPS with that computer.

FIGURE 5-38 Enabling APM

The Alarms tab, which is shown in Figure 5-39, enables you to specify what actions are taken when the computer’s battery runs low. Notice that there are two sections on this tab: “Low battery alarm” and “Critical battery alarm.”
The premise of this tab is that you might want Windows 2000 to perform certain actions when your computer’s battery charge drops to two distinct, predetermined (by you) levels. When the battery charge drops to the first level (typically 10 to 20 percent of the battery’s total capacity), this is said to be a “Low battery alarm.” When the battery charge drops to the second level (typically 3 to 10 percent of its total capacity), this is said to be a “Critical battery alarm.” On the Alarms tab, you can configure the specific actions Windows 2000 will take when each of these two events occurs.

FIGURE 5-39 Configuring battery alarms

Some of the actions you can configure on the Alarms tab include:
■ Notification: You can have Windows 2000 do nothing; or you can
configure Windows 2000 to play a sound, display a message on
your screen, or do both to notify you of the alarm.
■ Power Mode: You can have Windows 2000 do nothing, go on
Stand by, or power off when the alarm occurs. Stand by is a low
power usage state where all unnecessary devices, such as monitors
and hard disks, are turned off.
■ Run Program: You can have Windows 2000 do nothing or run a
specified program, script, or batch file when the alarm occurs.
You can configure Windows 2000 to take one set of actions when a low
battery alarm occurs, and the same or a completely different set of actions
when a critical battery alarm occurs.
The Power Meter tab shows the current power source (AC power or
batteries) and the percentage of charge remaining in the computer’s battery.
Another change that occurs after APM is enabled is that a Stand by option is added to the Shut Down Windows dialog box that is displayed when you select Start ➪ Shut Down. When you select Stand by, the computer switches into its lowest power consumption mode. In Stand by mode, all unnecessary hardware in the computer (such as monitors and hard disks) is turned off, and the computer screen goes blank. The computer is still running, though, and you can return it to its normal, active state by pressing any key or moving the mouse.
One other change that occurs after enabling APM is that an additional option appears on the Advanced tab. This option configures Windows 2000 to prompt you for a password when the computer comes out of Stand by mode, and this option is selected by default.
Finally, if you’ve selected the option on the Advanced tab to always show the Power Options icon on the taskbar, this icon has an additional feature. After APM is enabled, the Power Options icon automatically displays a power cord and plug icon when the computer is connected to AC power, and displays a battery icon when the computer is running on battery power.

Configuring a UPS
The UPS tab is used to install, configure, and monitor an uninterruptible
power supply (UPS). The UPS tab is not present on Windows 2000
Professional computers on which APM has been enabled.

THE UPS IS YOUR FRIEND

I strongly recommend you use a UPS on any Windows 2000 Server or Windows
2000 Advanced Server computer, and on any other computer that is critical to your
operations. Not using a UPS can result in data loss and sometimes even hardware
damage if electrical power fails unexpectedly. The UPS is your friend because it
can save you from all of this. Of course, if you work somewhere that never has a
power outage, perhaps under the Hoover dam, you needn’t concern yourself about
using a UPS at all. . . .

Also remember that UPS batteries don’t last forever. Follow the manufacturer’s recommendations for battery replacement and maintenance. There’s nothing so dissatisfying as finding out that your UPS battery is dead after the power fails. I know. I once spent an entire day during a big Seattle windstorm responding to customer calls concerning damaged hardware and lost data problems that were the direct result of failed UPS batteries.

TIP
The UPS tab in Power Options is a basic UPS management tool. Most
commercial quality UPS devices include software that is much more
sophisticated. I recommend you use the software that the manufacturer
supplies with your UPS.

The UPS tab is adequate for managing an inexpensive UPS that does
not include Windows 2000–compatible software. Figure 5-40 shows the
UPS tab in Power Options.

FIGURE 5-40 The UPS tab

Notice in Figure 5-40 that on the UPS tab you can view the status of a UPS device. You can also select and configure a specific UPS device for your computer under “Details.” Finally, you can view the status of the UPS service (whether it is stopped or running). In the next section, I’ll explain how to install and configure a UPS device on a Windows 2000 Server computer.

STEP BY STEP

INSTALLING AND CONFIGURING A UPS

1. Start Power Options. (Select Start ➪ Settings ➪ Control Panel, and then double-
click Power Options.)
2. In the Power Options Properties dialog box, click the UPS tab.
3. To install a UPS, click Select.
4. In the UPS Selection dialog box, select the manufacturer of your UPS device
from the “Select manufacturer” drop-down list box. The options you can choose
from in this box are American Power Conversion and Generic. (Gee, I wonder
who wrote this application?) If your UPS is not made by American Power
Conversion, select Generic. Then select the model of the device in the “Select
model” box. Finally, select the port this device will use. Click Next.
5. If you selected a generic UPS in Step 4, the UPS Interface Configuration On:
COMx dialog box appears, as shown in Figure 5-41.

FIGURE 5-41 Configuring UPS signal polarity

In this dialog box, select the appropriate type of signal polarity (either negative or positive) for each of the three UPS events listed. Consult your UPS documentation before changing the default settings. Click Finish.
6. The UPS tab reappears. To configure the newly installed UPS, click Configure.
7. The UPS Configuration dialog box appears, as shown in Figure 5-42.

FIGURE 5-42 Configuring a UPS

In this dialog box, you can configure notifications and alarms. You can specify the number of seconds Windows 2000 will wait, after a power failure, before it displays a dialog box indicating that the power has failed. You can also configure the number of minutes Windows 2000 will run on a battery before generating a critical alarm, and configure a critical alarm procedure in this dialog box. A critical alarm is an event that occurs when either the UPS battery is almost dead, or after the computer runs for a specified number of minutes on battery power, whichever occurs first. When the point of critical alarm is reached, Windows 2000 runs a specified program, script, or batch file (if so configured), and then shuts down the computer.
Configure the settings in this dialog box to meet your needs. Click OK.
8. In the Power Options Properties dialog box, click OK.
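As an added example (it is not from the book), here is the kind of batch file you might name as the critical alarm procedure in the UPS Configuration dialog box, or under Run Program on the Alarms tab. Windows 2000 shuts the computer down as soon as the program returns, so the script takes no input, logs what it does, and stops the services that hold open data files so they flush cleanly instead of being cut off by the shutdown. The file name, the log path, and the service names (W3SVC and MSSQLSERVER) are assumptions; substitute the services that matter on your computer.

```batch
@echo off
rem critical-alarm.cmd: run by Power Options when the critical alarm fires.
rem Added example, not from the book. The file name, log path, and service
rem names are assumptions. Windows 2000 shuts down as soon as this returns,
rem so nothing here may wait for a user.
setlocal
set LOGFILE=C:\Scripts\critical-alarm.log

call :log critical alarm fired - stopping services before shutdown

rem Stop services that hold open data files. List the most dependent
rem service first so it is stopped before the service it relies on.
for %%S in (W3SVC MSSQLSERVER) do call :stopsvc %%S

call :log done - handing control back to Power Options
endlocal
exit /b 0

:stopsvc
rem Stop one service. /y answers yes if net stop asks about dependents,
rem which is the only place this script could otherwise block on a prompt.
call :log stopping service %1
net stop %1 /y >> "%LOGFILE%" 2>&1
if errorlevel 1 (
    call :log WARNING - service %1 did not report a clean stop
) else (
    call :log service %1 stopped
)
goto :eof

:log
rem Append a timestamped line to the log; %* is the whole message.
echo %DATE% %TIME% %* >> "%LOGFILE%"
goto :eof
```

The number of minutes on battery you set before the critical alarm must leave enough battery time for every net stop to finish and for Windows 2000 to shut down afterward, so time the script by running it by hand from a command prompt on a test computer (it really does stop the listed services) before relying on it during an outage.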

Printers Folder
The Printers folder is a tool used to add, remove, and configure local and network printers. Although all users can start the Printers folder and can use this application to add a network printer, you must be a member of the Administrators group to use this application to add a local printer.

CROSS-REFERENCE
The Printers folder is covered extensively in Chapter 12.

Regional Options
The Regional Options application is useful for configuring local settings, and also for configuring support for multiple languages and multiple locations. For example, this application enables you to configure how certain objects, such as numbers, currency, time, and date are displayed in applications. Regional Options also enables you to configure input locale, language settings, and keyboard layout.

EXAM TIP
The Professional exam has five objectives on configuring a computer for
multiple languages and multiple locations. Ensure that you are extremely
familiar with the Regional Options application prior to taking this exam.

To start the Regional Options application, double-click the Regional Options icon in Control Panel. Figure 5-43 shows the Regional Options dialog box. Notice the six tabs in the Regional Options dialog box: General, Numbers, Currency, Time, Date, and Input Locales.

TIP
The Input Locales tab in Regional Options is the same as the Input
Locales tab in the Keyboard application discussed earlier in this chapter.

In the following sections I’ll show you how to use the Regional Options application to configure local settings and how to configure support for multiple languages and multiple locations.

FIGURE 5-43 Regional Options

Configuring Local Settings


Local settings are the way numbers, currency, time, and date are displayed in applications for the currently selected location. Windows 2000 supports international settings and applies a set of preselected settings for each of these items depending on the selected location.
You can configure your location on the General tab in Regional Options, which is shown in Figure 5-43. For example, suppose I work in Guatemala. On the General tab, I select a location of Spanish (Guatemala) in the “Your locale (location)” drop-down list box, and click OK. Once this location is selected, Windows 2000 displays numbers, currency, time, and date the way these items are normally presented in Guatemala. For example, Windows 2000 changes the currency symbol to a Q, representing the Guatemalan quetzal. In addition, Windows 2000 changes the measurement system to metric.
Finally, if I want to customize the way numbers, currency, time, and date appear for the currently selected location, I can easily make the appropriate changes on the Numbers, Currency, Time, and Date tabs.

Adding Support for Your Language and Location


Windows 2000 supports the use of many languages and the way these languages are used in different geographic locations. Language and location settings for the computer are configured on the General tab in Regional Options, which is shown in Figure 5-43.
If you speak and work in one language only, other than English as it is
spoken in the U.S., you may need to configure your language and location
on the General tab. By default, support for languages and locations in
Western Europe and the United States is enabled.
If your language and location combination is not listed in the “Your
locale (location)” drop-down list box, follow the steps in the next section
to install support for the language you use and the location in which you
live or work.

STEP BY STEP

ADDING SUPPORT FOR A NEW LANGUAGE AND LOCATION

1. Start the Regional Options application. (Select Start ➪ Settings ➪ Control Panel,
then double-click Regional Options.)
2. On the General tab, select the check box next to the language you want to add
support for in the “Language settings for the system” box. When you add support
for a particular language, you will be able to read and write (type) documents in
that language. Click OK.
3. If prompted, insert your Windows 2000 product compact disc into your computer’s CD-ROM drive and click OK. When prompted by Windows 2000, click Yes to restart your computer to make the change effective. If your Windows 2000 compact disc is in your CD-ROM drive, remove it now.
4. Start the Regional Options application. Examine the locations listed in the “Your
locale (location)” drop-down list box. Your location should now be listed. Select
your location and click OK.

TIP
Installing support for a new language, such as Chinese, only provides
language support in applications run on this computer — it doesn’t turn
your operating system into a Chinese version of Windows 2000.

Configuring Support for Multiple Languages and Locations
Up to this point you’ve enabled support for a single language in a single
location. Now I’ll explain how to configure support for multiple languages
and multiple locations.
If you commonly work with documents created in different languages, and you need to read or edit these documents, you can benefit from installing support for multiple languages and multiple input locales. An input locale consists of an input language and location combination (such as English [United States]), a keyboard layout, and local settings for the presentation of numbers, currency, time, and date.
Configuring support for multiple languages and locations is basically a
two-step process. First, you configure multiple language support on the
General tab in Regional Options. Then, you configure multiple location
support on the Input Locales tab. I’ll show you how to perform these tasks
in the following section.

STEP BY STEP

CONFIGURING SUPPORT FOR MULTIPLE LANGUAGES AND MULTIPLE LOCATIONS

1. Start the Regional Options application. (Select Start ➪ Settings ➪ Control Panel,
then double-click Regional Options.)
2. On the General tab, select the check box next to the language or languages you
want to add support for in the “Language settings for the system” box. Click OK.
3. If prompted, insert your Windows 2000 product compact disc into your computer’s CD-ROM drive. When prompted by Windows 2000, click Yes to restart your computer to make the change or changes effective.
4. Start the Regional Options application again (see Step 1). Click the Input
Locales tab.
5. The Input Locales tab appears, as shown in Figure 5-44. Notice that even though
support for multiple languages is installed, only the English (United States) input
language and US keyboard layout is configured. You must manually add each
additional input locale to complete the process of implementing support for each
language you have added.
To add an additional input locale, click Add.

6. In the Add Input Locale dialog box, select the first input locale you want to add
from the “Input locale” drop-down list box. Then select the keyboard layout you
want to use with this input locale from the “Keyboard layout/IME” drop-down list
box. Click OK.
7. The Input Locales tab reappears. Repeat Step 6 until you’ve added all of the input
locales you need. Figure 5-45 shows the Input Locales tab after two new input
locales have been added.

FIGURE 5-44 Adding input locales

Notice in Figure 5-45 that there is a check mark next to the English (United
States) input locale. This check mark indicates that this is the default input locale
that will be used when an application that supports multiple languages (such as
Microsoft Word, Excel, and so on) is started.
To change the default input locale, highlight the locale in the “Installed input
locales” list box and click Set as Default.
8. You can also configure hot keys to quickly switch between input locales on the
Input Locales tab. To do this, highlight the item for which you want to configure a
hot key sequence in the “Hot keys for input locales” list box and click Change Key
Sequence. Follow the instructions presented on-screen to configure the hot key
sequence you want to use.

FIGURE 5-45 Configuring multiple input locales

9. Finally, notice the “Enable indicator on taskbar” check box at the bottom of the
Input Locales tab in Figure 5-45. This option, which is selected by default when
you add additional input locales, causes an icon for the input locale currently
being used to appear on the taskbar, next to the clock. When you click this icon,
all installed input locales are displayed and you can quickly switch to a different
input locale by clicking the input locale you want to switch to.
Figure 5-46 shows the menu that appeared on my computer when I clicked the
input locale icon in the taskbar. Notice that all of the input locales that I added in
Steps 6 and 7 are displayed.
When you change to a different input locale in this way, only the active application
is affected. You can run multiple applications on your computer at the same time
and use a different input locale for each application.
10. When you’re finished configuring input locales, click OK.

FIGURE 5-46 Selecting an input locale for an application

Scanners and Cameras


The Scanners and Cameras application enables you to install and configure
scanners and digital cameras. Although all users can start the Scanners and
Cameras application, you must be a member of the Administrators group
to add or remove scanners and cameras.
To access the Scanners and Cameras application, double-click the
Scanners and Cameras icon in Control Panel.

Adding, Removing, and Configuring Scanners and Cameras
There is only one tab in the Scanners and Cameras Properties dialog box: Devices. On this tab you can add, remove, configure, and troubleshoot scanners and cameras. If you have an infrared port on your computer, you can also use this tab to configure Windows 2000 to receive images from digital cameras via an infrared/wireless link.
To install a new scanner or camera, click Add on the Devices tab. This brings up the Scanner and Camera Installation Wizard, which is similar to the Add/Remove Hardware Wizard. The advantage of adding a scanner or camera by using this application is that it saves you from having to complete several beginning screens in the Add/Remove Hardware Wizard. Figure 5-47 shows the Scanners and Cameras Properties dialog box after a camera and scanner have been installed.
To remove a scanner or camera, highlight the device you want to
remove on the Devices tab and then click Remove. Then click Yes when
Windows 2000 asks if you’re sure you want to remove this device.
To configure a scanner or camera, highlight the device you want to configure on the Devices tab, and then click Properties. A Properties dialog box specific to the device is displayed. The tabs and possible configuration options vary depending on the model and type of device (scanner or camera) you are configuring. Some of the most common tabs include General, Port Settings, and Color Management.

FIGURE 5-47 Working with scanners and cameras


Once you’ve installed and configured a scanner or camera, you can use
the Imaging application (Start ➪ Programs ➪ Accessories ➪ Imaging) to
initiate the transfer of images from your scanner or camera to your
Windows 2000 computer.
You can also configure Windows 2000 to receive images from a scanner or digital camera via an infrared/wireless link if both your computer and your scanner or camera have infrared support. To configure infrared image transfer, click Wireless Device on the Devices tab. This command button is a shortcut to the Wireless Link application in Control Panel.

TIP
If you don’t have an infrared port on your computer, the Wireless Device
command button will not be displayed.

I’ll discuss the Wireless Link application in more depth later in this chapter.

Troubleshooting Scanners and Cameras


Windows 2000 includes a special Help feature, called a Troubleshooter, that
is useful for identifying and resolving scanner and camera problems. To
access the Troubleshooter, click Troubleshoot on the Devices tab. The
Troubleshooter will ask you some questions and take you through some
steps. Follow the instructions presented on-screen to resolve the particular
problem you’re experiencing.
Other resources you can also use to troubleshoot scanners and cameras
include the Add/Remove Hardware application, Device Manager, and
System Information. Add/Remove Hardware was discussed earlier in this
chapter, and I’ll cover Device Manager and System Information later in
this chapter.

Scheduled Tasks Folder


The Scheduled Tasks folder is a tool used to schedule a program, command, script, document, or batch file to run at a specified time. You can schedule multiple tasks in the Scheduled Tasks folder. The Scheduled Tasks tool is sometimes called the Task Scheduler, particularly in Windows 2000 Help.
The Scheduled Tasks tool includes the functionality of (and interacts with) the at command that was first introduced with earlier versions of Windows NT. However, the Scheduled Tasks tool is a graphical utility, whereas the at command is a command-line utility. If you’re a command-line fan, you can still use the at command in Windows 2000, although the at command does not have as much capability as the Scheduled Tasks tool. Tasks that are created by using the at command are displayed in the Scheduled Tasks folder and can be modified by using the Scheduled Tasks tool.
Sometimes tasks created by other applications are also placed in the
Scheduled Tasks folder. For example, when Advanced Power
Management is enabled on a computer, the Low Battery Alarm task and
Critical Battery Alarm task will be displayed in the Scheduled Tasks
folder.
The Scheduled Tasks tool sounds more helpful than it is. Most of the
programs an administrator might want to schedule (such as Backup) come
with their own scheduling utility, which is often superior to the Scheduled
Tasks tool. The main drawback of the Scheduled Tasks tool is that unless
you can specify the program’s command line, including all parameters and
switches, Scheduled Tasks starts the program only, and requires you to
interact with the program to actually run and complete the task. So what
you end up with, in many cases, is basically a glorified reminder service.
On the other hand, where Scheduled Tasks shines is when you have an
application, script, or batch file that fully automates a process that needs to
be run periodically, and that requires no user input.
To access the Scheduled Tasks folder, double-click the Scheduled Tasks folder icon in Control Panel. Figure 5-48 shows the Scheduled Tasks folder. Notice the Add Scheduled Task icon in the folder — double-clicking this icon starts the Scheduled Task Wizard, which walks you through the steps necessary to schedule a task.

FIGURE 5-48 The Scheduled Tasks folder

Configuring and Managing a Task


Using the Scheduled Tasks tool is simple. I’ll explain the steps involved in
scheduling a task in the next section.

STEP BY STEP

ADDING AND CONFIGURING A TASK

1. Start the Scheduled Tasks tool. (Select Start ➪ Settings ➪ Control Panel, and
then double-click Scheduled Tasks.)
2. In the Scheduled Tasks folder, double-click the Add Scheduled Task icon.
3. The Scheduled Task Wizard starts. Click Next.
4. The wizard prompts you to select the program you want to schedule, as shown in Figure 5-49. Several applications are listed, and if you don’t find the program you want, you can click Browse to locate the desired program or file on your computer or the network.
If you selected a program from the list, click Next.
Or, if you browsed for and selected a file or program, click Open.

FIGURE 5-49 Selecting a program to schedule

5. Enter a name for this task, and select how often you want the task to be performed.
Figure 5-50 shows this screen after a task and frequency have been selected.
Click Next.
6. Depending on the frequency you selected in Step 5, an additional screen may be
displayed prompting you to enter specific scheduling information, including days,
dates, time, and so on. Configure this screen to meet your needs and click Next.
7. Enter a user name and password that Windows 2000 will use to run this task. Ensure that the user name you enter has the necessary rights and permissions to perform this task, especially if the task needs to access data on another computer on your network. Confirm the password, and click Next.

FIGURE 5-50 Naming the task and selecting its frequency



CROSS-REFERENCE
For more information on permissions and user rights, see Chapters 8, 9,
and 12. Active Directory security is covered in Chapter 8. User rights are
covered in Chapter 9. File and folder security is covered in depth in
Chapter 12.

8. To configure advanced settings for this task, select the check box next to “Open
advanced properties for this task when I click Finish.” Click Finish.
Or, if you don’t want to configure advanced settings at this time, click Finish, and skip the remaining steps listed here. (You can set advanced settings later by right-clicking the task’s icon in Scheduled Tasks, and then selecting Properties from the menu that appears.)
9. Four tabs are displayed in which you can configure advanced settings: Task, Schedule, Settings, and Security.
■ On the Task tab, you can configure command-line switches, specify the appropriate folder to start the task in, and specify a user name and password for the task. You can also temporarily disable a task by clearing the check box next to Enabled.
■ On the Schedule tab, you can configure specific scheduling information for the task and create additional schedules for this task.
■ On the Settings tab, you can configure various advanced settings, including idle time and Power Management options. For example, you can configure Windows 2000 to start the task only if the computer has been idle for a specified number of minutes, or to not start the task if the computer is running on battery power.
■ On the Security tab, you can configure security permissions so that other users can run the task.
When you’ve finished configuring advanced settings, click OK.

After you’ve added a task to the Scheduled Tasks folder you may want to delete the task or to change its configuration settings. To delete a task, right-click the task’s icon in the Scheduled Tasks folder and select Delete from the menu that appears. To change a task’s configuration settings, double-click the task’s icon in the Scheduled Tasks folder and make the necessary changes in the task’s dialog box.

Troubleshooting Scheduled Tasks


There are several common problems that may arise when working with scheduled tasks. Table 5-1 lists common scheduled task problems and recommended solutions.
TABLE 5-1 Scheduled Task Problems and Solutions

Problem: The scheduled task starts, but does not complete correctly.
Recommended solution: You may need to add command-line switches or options to the Run text box on the Task tab in the Scheduled Tasks tool, or you may need to modify or correct the existing path in this text box. Or, you may need to configure the task to log on by using a different user account that has the necessary rights and permissions to perform the task.

Problem: A task scheduled by using the at command starts, but does not complete correctly.
Recommended solution: You may need to add command-line switches or options to the Run text box on the Task tab in the Scheduled Tasks tool, or you may need to modify or correct the existing path in this text box. Or, because you cannot specify a user account with the at command, you may need to use the Task tab in the Scheduled Tasks tool to configure the task to log on by using a user account that has the necessary rights and permissions to perform the task. Or, if you schedule several tasks using the at command, you may need to configure the Schedule service to log on using a user account instead of logging on using a system account. This process is explained in Chapter 15.

Problem: The scheduled task starts, but not at the time you expected it to start.
Recommended solution: Verify the task’s schedule on the Schedule tab.

Problem: The scheduled task does not start.
Recommended solution: Ensure that the task is enabled on the Task tab.

Problem: No scheduled tasks run on your computer.
Recommended solution: Ensure that the Schedule service is running on your computer. Configuring services is explained in detail in Chapter 15.
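The checks in Table 5-1 can be run in one pass from PowerShell. The script below is an added example, not part of the book; it assumes a current Windows host with the ScheduledTasks module (Windows 8 / Server 2012 or later) and an elevated prompt, and it covers the Scheduled Tasks folder rather than the at command.

```powershell
# Added example, not from the book. Maps the Table 5-1 symptoms onto what
# Task Scheduler exposes on a current Windows host (ScheduledTasks module,
# Windows 8 / Server 2012 or later, run from an elevated prompt).
function Get-ScheduledTaskTriage {
    [CmdletBinding()]
    param(
        # Folder in the task library to inspect; '\' is the root folder.
        [string]$TaskPath = '\'
    )

    # "No scheduled tasks run on your computer": nothing runs unless the
    # Task Scheduler service (still registered under the name Schedule) is up.
    $svc = Get-Service -Name Schedule -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        Write-Warning "Schedule service is '$($svc.Status)': no task will run until it is started."
    }

    foreach ($task in Get-ScheduledTask -TaskPath $TaskPath) {
        $info    = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
        $hasRun  = $info.LastRunTime -gt [datetime]'1900-01-01'   # never-run tasks report 1899-12-30
        $finding = 'OK'

        if ($task.State -eq 'Disabled') {
            # "The scheduled task does not start": the task is not enabled.
            $finding = 'Disabled: enable the task'
        }
        elseif ($hasRun -and $info.LastTaskResult -ne 0) {
            # "Starts, but does not complete correctly": the action exited with a
            # non-zero code. Check the program path and switches first, then the
            # account the task logs on with (rights and permissions to do the work).
            $finding = 'Last run exited with 0x{0:X8}: check action path/switches and run-as account' -f $info.LastTaskResult
        }

        # One record per task. "Starts, but not when expected" still needs a
        # human to read the trigger, so NextRunTime is included for that check.
        [pscustomobject]@{
            TaskName       = $task.TaskName
            State          = $task.State
            RunAs          = $task.Principal.UserId
            Action         = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            LastRunTime    = $info.LastRunTime
            LastTaskResult = $info.LastTaskResult
            NextRunTime    = $info.NextRunTime
            Finding        = $finding
        }
    }
}

# Show only the tasks that need attention.
Get-ScheduledTaskTriage | Where-Object { $_.Finding -ne 'OK' } | Format-Table -AutoSize
```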

Sounds and Multimedia

The Sounds and Multimedia application is used to assign sounds to specific events and to configure sound devices, such as sound cards, microphones, speakers, and so on. Although all users can start and use the Sounds and Multimedia application, you must be a member of the Administrators group to perform some of the tasks available in this application.
To start the Sounds and Multimedia application, double-click the Sounds and Multimedia icon in Control Panel. Figure 5-51 shows the Sounds and Multimedia Properties dialog box.
Notice in Figure 5-51 that there are three tabs in this dialog box: Sounds, Audio, and Hardware.

FIGURE 5-51 Sounds and Multimedia Properties

Windows 2000 defines several sound events, such as Default Beep, Exit Windows, New Mail Notification, Incoming Fax, Low Battery Alarm, and so on. On the Sounds tab you can select a sound scheme that Windows 2000 will use when sound events occur. You can also modify the selected sound scheme by changing the default sounds that are assigned to sound events, and you can replace an individual sound within a sound scheme with another sound that you have recorded. You can also select No Sounds for your sound scheme if you don’t want Windows 2000 to use sounds. On this tab you can also configure sound volume and whether or not a volume control (speaker) icon is displayed in your taskbar.
On the Audio tab you can set the preferred device to use for sound playback, sound recording, and MIDI music playback. You can also set the volume and configure advanced settings for each of these devices. So, if you have multiple sound devices in your computer, you can select which device Windows 2000 will use for each sound activity.
On the Hardware tab you can view and configure the properties of sound and multimedia devices that are installed in your computer, and troubleshoot these devices.
If you highlight a device on the Hardware tab and then click Troubleshoot, Windows 2000 starts a Troubleshooter specific to the highlighted device. This Troubleshooter takes you through a series of questions and steps to help you identify and resolve various sound and multimedia device problems. Follow the instructions presented on-screen to resolve the particular problem you’re experiencing.
Other resources you can also use to troubleshoot sound and multimedia devices include the Add/Remove Hardware application, Device Manager, and System Information. Add/Remove Hardware was discussed earlier in this chapter, and I’ll cover Device Manager and System Information later in this chapter.

System

The System application is a robust tool that enables you to view system information and configure environment settings, including network identification, hardware, user profiles, and advanced settings. Although all users can start the System application and use it to view system properties, you must be a member of the Administrators group to use the System application to change system settings.
To start the System application, double-click the System icon in Control Panel. Or, you can right-click My Computer on the desktop, and then select Properties from the menu that appears. Figure 5-52 shows the System Properties dialog box.
Notice in Figure 5-52 that there are five tabs in this dialog box: General, Network Identification, Hardware, User Profiles, and Advanced.
The General tab in the System Properties dialog box, which is shown in Figure 5-52, displays various system information, including the operating system and version number, the registered owner of the operating system, and information about the computer.

FIGURE 5-52 System Properties

Changing Network Identification

Occasionally you may need to change a computer’s name, or its workgroup/domain membership. You can accomplish this task by using the Network Identification tab in the System Properties dialog box.
For example, you might want to change the computer name of a Windows 2000 computer that is assigned to a new employee to match the new user’s name, instead of the name of the previous employee who used that computer.
Or, consider a growing company that recently installed a new Windows 2000 Server computer and is converting from a workgroup structure to a domain structure. In this situation, you would need to reconfigure the existing Windows 2000 computers to be members of the new domain. This process is called joining a domain. Each Windows 2000 computer must belong to either a workgroup or a domain.
In the following steps I’ll explain how to make identification changes on a Windows 2000 computer. Before you change a computer’s domain membership, or change the name of a computer that is a member of a domain, you must disconnect all mapped drives (from the computer you’re changing) to domain controllers in that domain.

CAUTION
Because Windows 2000 requires you to reboot the computer after making identification changes, you should perform this task only when you can shut down and restart the computer.

STEP BY STEP

CHANGING A COMPUTER’S NAME AND ITS WORKGROUP/DOMAIN MEMBERSHIP

1. Start the System application. (Select Start ➪ Settings ➪ Control Panel, and then double-click System.)
2. In the System Properties dialog box, click the Network Identification tab.
3. The Network Identification tab appears, as shown in Figure 5-53. Click Properties.

FIGURE 5-53 Network Identification


4. The Identification Changes dialog box appears, as shown in Figure 5-54.

FIGURE 5-54 Making identification changes

To change the computer’s name, type over the name that is highlighted in the “Computer name” text box with a new computer name. For backwards compatibility with NetBIOS, you should typically limit a computer name to 15 characters in length, with no special characters or spaces.
To change the computer’s workgroup/domain membership, select the appropriate option button, and type in the name of the workgroup or domain you want to make this computer a member of. You must know the name of the workgroup or domain — browsing is not supported in this dialog box.
When you’re finished making configuration changes, click OK.
5. If you changed the computer’s domain membership in Step 4, or changed the name of a computer that belongs to a domain, a Domain Username and Password dialog box appears. Enter the name and password of a user account that has permission to join the domain, rename this computer in the domain, or both (this is usually the name and password of an administrator). Click OK.
6. If you changed the computer’s workgroup or domain membership in Step 4, a Network Identification dialog box appears, welcoming you to the workgroup or domain. Click OK.
7. A Network Identification dialog box appears, stating that you must reboot your computer for the changes to take effect. Click OK. The changes you made will take effect the next time you restart the computer.
8. Click OK in the System Properties dialog box.


9. Click Yes in the System Settings Change dialog box to restart your computer.

If you’re using Windows 2000 Server, the Network Identification tab doesn’t have a Network ID command button. When this button is clicked on a Windows 2000 Professional computer, the Network Identification Wizard starts. This wizard helps you create a local user account and join a domain.

Managing System Hardware

When it comes to managing the hardware devices in a computer, the Hardware tab in the System Properties dialog box is probably the most widely used Windows 2000 tool. Figure 5-55 shows the Hardware tab.

FIGURE 5-55 The Hardware tab


Notice that on the Hardware tab you can start the Hardware Wizard, manage driver signing, start Device Manager, and configure hardware profiles.
Clicking the Hardware Wizard command button starts the Add/Remove Hardware Wizard, which was covered earlier in this chapter. This wizard enables you to add, remove, unplug, and troubleshoot hardware in your computer.

Managing Driver Signing

Clicking the Driver Signing command button causes the Driver Signing Options dialog box to be displayed. In this dialog box you can configure how Windows 2000 handles the installation of system files that are not digitally signed. A digital signature is a tag appended to a file by its creator. This tag consists of digitally coded information that identifies the file’s creator and enables Windows 2000 to verify that the file has not been altered or corrupted (by a virus or other means) since it was created. All files on the Windows 2000 compact disc, for example, have been digitally signed by Microsoft. The Driver Signing Options dialog box is shown in Figure 5-56.

FIGURE 5-56 Configuring driver signing options

Notice that there are three file signature verification options in the Driver Signing Options dialog box:
■ Ignore: Selecting this option causes Windows 2000 to install all files, whether or not they have been digitally signed. Because all files, signed and unsigned, are installed when this option is selected, it is the least secure of the three options. Selecting this option leaves you open to two potentially harmful possibilities: First, you could be overwriting perfectly good system files with new, untested, and unsigned files that may render your system unstable or unable to boot. Second, if you install unsigned files, you may unknowingly be introducing a virus to your system.
■ Warn: Selecting this option causes Windows 2000 to display a dialog box before an unsigned file is installed. You then need to choose whether or not to install each unsigned file. This option is the default setting, and provides the appropriate amount of security for most environments.
■ Block: Selecting this option causes Windows 2000 to prevent the installation of all unsigned files. This is the most secure and protective of the three options. I recommend that you use this option in environments that are tightly controlled and have high reliability and high data security requirements.
There are a couple of tools you can use to manage and troubleshoot driver signing: Sigverif.exe and Sfc.exe.
Sigverif.exe (which stands for signature verification) is a command-line utility you can use to detect any unsigned files on your computer. In addition to detecting these files, this tool enables you to view specific information about each unsigned file detected, including the file’s name, location, last modification date, file type, and version number. To run this utility, select Start ➪ Run, type sigverif in the Run dialog box, and click OK. When the program is run, it scans all of the system files in the computer, and produces a list of any unsigned files it detected. Figure 5-57 shows the signature verification results produced by Sigverif.exe when unsigned files are detected.
Sfc.exe is another command-line utility that scans protected operating system files. This utility, however, unlike Sigverif.exe, replaces any unsigned file it finds with the original signed Microsoft version of this file (which it copies from the SystemRoot\System32\Dllcache folder).

TIP
The Dllcache folder is hidden from normal view in Windows Explorer.

FIGURE 5-57 Unsigned files detected by Sigverif.exe

To use the Sfc.exe utility, first start a command prompt (select Start ➪ Programs ➪ Accessories ➪ Command Prompt). Then type sfc and press Enter to display a list of this utility’s command-line switches. Finally, type sfc followed by the appropriate command-line switches, and press Enter. Depending on the switches you select, it can take several minutes to an hour or more for this utility to run.
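The same information Sigverif.exe reports (file name, location, last modification date, version, and whether the signature checks out) can be gathered from PowerShell with Get-AuthenticodeSignature. This is an added example, not the book’s or Microsoft’s code; it assumes Windows PowerShell 3.0 or later, and the scan path is an assumption you can change.

```powershell
# Added example, not from the book. Produces a Sigverif-style listing (name,
# location, last modification date, version, signature state) for driver files
# using Get-AuthenticodeSignature. Assumes Windows PowerShell 3.0 or later.
function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Directories to scan; the kernel driver directory is the assumed default.
        [string[]]$Path = @("$env:SystemRoot\System32\drivers"),
        [string[]]$Include = @('*.sys', '*.dll')
    )

    Get-ChildItem -Path $Path -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name     = $_.Name
                Location = $_.DirectoryName
                Modified = $_.LastWriteTime
                Version  = $_.VersionInfo.FileVersion
                # Valid, NotSigned, HashMismatch (altered since signing), UnknownError ...
                Status   = [string]$sig.Status
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# NotSigned files are what Sigverif would list. HashMismatch matters most: the
# file no longer matches what its signer shipped, which is exactly the
# corruption or tampering the signature exists to catch. On older PowerShell
# builds, inbox files signed through a catalog rather than an embedded
# signature also report NotSigned, so confirm before replacing a file.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table Status, Name, Version, Modified, Location -AutoSize
```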

Using Device Manager

Clicking the Device Manager command button on the Hardware tab starts the Device Manager application for the local computer. Device Manager is an invaluable tool that enables you to view a graphical representation of the hardware devices installed in a computer, and also to configure, manage, and troubleshoot these various hardware devices, including:
■ Display devices/video adapters
■ DVD and CD-ROM devices
■ Input/output (I/O) devices, such as:
  • Cameras
  • Keyboard
  • Modems, including fax modems
  • Mouse
  • Multimedia devices
  • Printers
  • Scanners
  • Smart card readers
  • USB devices
  • Wireless devices, such as infrared (IrDA) devices
■ Mobile computer hardware, such as PC Card devices
■ Network adapter cards

EXAM TIP
Because many of the Professional and Server exam objectives deal with
configuring and troubleshooting hardware devices, and because Device
Manager is one of the primary tools used for these tasks, I urge you to
read the next several sections carefully and practice using this tool.

In the following sections, I’ll show you how to use Device Manager to perform several types of tasks, such as viewing and changing the configuration of hardware devices; configuring and managing card services; uninstalling, disabling, enabling, and updating device drivers; and upgrading from a single processor to multiple processors. I’ll also explain how to use Device Manager to troubleshoot hardware devices.
Figure 5-58 shows the Device Manager dialog box. Notice that a graphical list of devices installed in a laptop computer is displayed.

FIGURE 5-58 Device Manager



Viewing and Changing the Configuration of Hardware Devices

You can easily obtain more detailed information on the specific devices listed in the Device Manager dialog box. You can also make configuration changes to the devices listed. The following steps explain how to perform these tasks.

STEP BY STEP

USING DEVICE MANAGER TO VIEW AND CHANGE DEVICE CONFIGURATION

1. Start Device Manager. (Select Start ➪ Settings ➪ Control Panel, then double-click System. Click the Hardware tab. Click Device Manager.)
2. In the Device Manager dialog box, click the + next to the type of device you want more detailed information on.
3. A list of the specific devices installed is displayed under the device type heading. Right-click the specific device you want detailed configuration information on, and select Properties from the menu that appears.
4. The device’s Properties dialog box appears. Within the Properties dialog box, there are several tabs, which vary depending on the device. Click the Resources tab to view the resources currently being used by the device. Figure 5-59 shows the Resources tab for the built-in infrared device in a laptop computer.

FIGURE 5-59 Built-in Infrared Device Properties



Notice in Figure 5-59 that the I/O range and interrupt request used by the built-in
infrared device are displayed in the “Resource settings” box. Also notice the
“Conflicting device list” box at the bottom of the dialog box, and notice that no
conflicts are listed for this particular device.

TIP
If the device you are viewing the properties of conflicts with another
device in your computer, is not currently enabled, or can’t find enough
free resources that it can use, when you click the Resources tab you may
need to click Set Configuration Manually to view the resource settings.
The Set Configuration Manually button is only displayed when Windows
2000 is unable to automatically configure a device.

5. If you want to change the resources used by this device (because of a conflict or for any other reason), you can accomplish this by selecting one of the Basic configuration options in the “Settings based on” drop-down list box. Unless the device is Plug and Play, you’ll need to know what settings are configured (by jumpers or switches) on the hardware device in order to select the correct configuration. Each of the Basic configuration options, when selected, will display a different combination of resources used in the “Resource settings” box, and may cause conflicts to appear in the “Conflicting device list” box.
First, ensure that the check box next to “Use automatic settings” is cleared. Then select each of the Basic configuration options, one at a time, until you find one that displays the correct settings in the “Resource settings” box.

TIP
Windows 2000 permits you to change the resource settings of many, but
not all, devices.

When you find the correct setting, no conflicts should be listed in the “Conflicting
device list” box. If conflicts are listed, you must resolve them, either by physically
changing the hardware settings on the device you are adding, or by using Device
Manager to change the resource settings on the conflicting device. Click OK.
If you are unable to find a Basic configuration option that matches your hardware
configuration, select the Basic configuration option that most closely matches
your hardware configuration. Then highlight the specific resource type in the
“Resource settings” box that does not match your hardware configuration, clear
the check box next to “Use automatic settings” if it is checked, and click Change
Setting. If the “Use automatic settings” check box is grayed out, you won’t be
able to manually change individual settings, but you may still be able to select
from among the Basic configuration options. Follow the instructions presented
on-screen to make the setting match your hardware configuration. Click OK.

6. Windows 2000 prompts you to restart your computer so that the configuration
changes you’ve made can take effect. Click Yes.

Configuring and Managing Card Services

Card services is a term used to refer to the device drivers used by CardBus/PCMCIA controllers. These device drivers make it possible for a laptop/mobile computer to recognize and enable the built-in CardBus/PCMCIA slot(s) in the computer. Card services doesn’t include the device drivers associated with the specific PC Cards themselves (such as network adapter cards or fax modem cards), but only includes the device drivers associated with the CardBus/PCMCIA slots.
If your laptop computer is listed in the System/Mobile Uniprocessor section of the Windows 2000 Hardware Compatibility List (HCL), Windows 2000 should automatically detect and install the device drivers for your computer’s CardBus/PCMCIA slot(s).
When Windows 2000 automatically detects and installs a CardBus/PCMCIA slot, this slot is displayed as a device under the “PCMCIA adapters” heading in Device Manager. Most laptop computers have two devices listed under this device type heading, one for each of the two slots in the computer. Figure 5-60 shows the Device Manager dialog box with PCMCIA adapters expanded. Notice that there are two CardBus controllers installed.
If Windows 2000 does not automatically detect your computer’s CardBus/PCMCIA slot(s), contact the manufacturer of your computer to obtain the latest Windows 2000-compatible drivers, and then use the Add/Remove Hardware Wizard (discussed earlier in this chapter) to install the CardBus/PCMCIA card slot(s).
If you need to view or change the resource settings used by a CardBus/PCMCIA card slot (and its associated drivers), you can use the steps titled “Using Device Manager to view and change device configuration” in the previous section.

Uninstalling, Disabling, Enabling, and Updating Device Drivers

In addition to viewing and changing device configuration, Device Manager is also used to uninstall, disable, enable, and update device drivers.

FIGURE 5-60 PCMCIA adapters in a laptop computer

If you want to remove a hardware device, such as an old video card, from your computer permanently, you can use Device Manager to uninstall the device drivers for the hardware device. After you uninstall the device drivers, you should physically remove the hardware device from your computer.
Occasionally you may want to disable the drivers for a hardware device. For example, if a hardware device will be removed from your computer for a period of time, and you don’t want to deal with annoying messages each time you start your computer, you can use Device Manager to disable the drivers for the device.
When you disable the drivers for a device, you don’t remove the drivers from your computer’s hard drive, but you do cause them to not be loaded each time you boot the computer. Because the drivers are still on your computer’s hard drive, you can make them available again by enabling the device that you previously disabled.
I’ll show you how to use Device Manager to uninstall, disable, or enable device drivers in the following section.

STEP BY STEP

USING DEVICE MANAGER TO UNINSTALL, DISABLE, OR ENABLE DEVICE DRIVERS

1. Start Device Manager. (Select Start ➪ Settings ➪ Control Panel, and then double-click System. Click the Hardware tab. Click Device Manager.)
2. In the Device Manager dialog box, click the + next to the type of device for which you want to uninstall, disable, or enable device drivers.
3. Right-click the specific device for which you want to disable device drivers, and select Uninstall, Disable, or Enable from the menu that appears.

TIP
Disable only appears in the menu if the device is enabled. Similarly,
Enable only appears in the menu if the device is disabled.

4. Windows 2000 may display a warning message or dialog box, depending on the type of device driver action you specified. Click OK or Yes, as appropriate.
5. If prompted by Windows 2000, click Yes to restart your computer so that the configuration changes you’ve made can take effect.

You can also use Device Manager to update device drivers.You might
want to update the device driver for a modem, for example, when the
modem’s manufacturer releases an updated driver that provides additional
uses or stability for the device (or, in some cases, just makes the thing
work).
Updated device drivers are usually obtained by downloading them from
a third-party manufacturer’s Web site. Updating device drivers is also
referred to as upgrading device drivers. I’ll show you how to update device
drivers in the steps that follow.

STEP BY STEP

UPDATING DEVICE DRIVERS

1. Start Device Manager. (Select Start ➪ Settings ➪ Control Panel, and then double-
click System. Click the Hardware tab. Click Device Manager.)
2. In the Device Manager dialog box, click the + next to the type of device for which
you want to update device drivers.
3. Right-click the specific device for which you want to update device drivers, and
select Properties from the menu that appears.
4. In the device’s Properties dialog box, click the Driver tab.
5. On the Driver tab, click Update Driver.
6. The Upgrade Device Driver Wizard starts. Click Next.
7. On the Install Hardware Device Drivers screen, you can either instruct Windows
2000 to search for a suitable driver for the device, or to display a list of known
device drivers for this device so you can choose a specific driver.
The recommended option is “Search for a suitable driver for my device.” Select
the appropriate option and click Next.
If you select the “Display a list of the known drivers for this device . . .” option and
click Next, follow the instructions presented on-screen to manually select and
install the updated device driver.
8. If you selected the “Search for a suitable driver for my device” option in Step 7,
the Locate Driver Files screen appears, as shown in Figure 5-61. Notice that you
can specify one or more specific locations for Windows 2000 to search for
device driver files.

FIGURE 5-61 Specifying search locations for driver files

Select the appropriate search locations for driver files for the device. Click Next.
9. The Driver Files Search Results screen appears, as shown in Figure 5-62.

FIGURE 5-62 Results of driver files search

The content of this screen varies substantially, depending on the results of Windows 2000’s search.
Windows 2000 may indicate that a suitable driver for the device is already installed, and give you an option to cancel the process or to reinstall this driver.
Or, Windows 2000 may indicate that it found a driver that is a closer match for your device than the current driver. (This is the message displayed in Figure 5-62.) When this message is displayed, Windows prompts you to install the more suitable driver it found.
Or, Windows 2000 may indicate that it found an updated driver for the device. When this message is displayed, Windows prompts you to install the updated driver it found.
Finally, the wizard may give you an option to view and install other device drivers that it found for the specified device.
Select the appropriate option, and follow the instructions presented on-screen to complete the process of updating your device driver.

Upgrading from a Single Processor to Multiple Processors

When you upgrade a computer from a single processor to multiple processors, you can use Device Manager to update the computer’s device drivers to support this change.
If you start out with a multiple processor computer, Windows 2000 should automatically detect and install the appropriate drivers, and no upgrading action on your part should be necessary. However, when you start out with a single processor computer (that has the capability to support more than one processor), install Windows 2000, and later on install another processor, you’ll probably have to use Device Manager to configure support for the additional processor(s).

STEP BY STEP

CONFIGURING SUPPORT FOR MULTIPLE PROCESSING UNITS

1. Start Device Manager. (Select Start ➪ Settings ➪ Control Panel, and then double-
click System. Click the Hardware tab. Click Device Manager.)
2. In the Device Manager dialog box, click the + next to Computer. (This is usually
the first or second device type listed under the computer’s name.)
3. Right-click the device listed under Computer. (This may be called Standard PC,
ACPI Uniprocessor PC, MPS Uniprocessor PC, or a brand-specific name.)
Select Properties from the menu that appears.
4. In the device’s Properties dialog box, click the Driver tab.
5. On the Driver tab, click Update Driver.
6. The Upgrade Device Driver Wizard starts. Click Next.
7. Select “Display a list of the known drivers for this device so that I can choose a specific driver.” Click Next.
8. On the Select a Device Driver screen, select the “Show all hardware of this device class” option.
Then select the manufacturer and multiprocessor model of your computer in the appropriate boxes on this screen. Figure 5-63 shows a manufacturer and multiprocessor model selected. Click Next.
If your manufacturer and model don’t appear on this screen and you have a disk containing the appropriate drivers, click Have Disk and follow the instructions presented on-screen.

FIGURE 5-63 Configuring multiple processing units

9. In the Start Device Driver Installation screen, click Next to install the new device
driver.
10. In the Completing the Upgrade Device Driver Wizard screen, click Finish.
11. Click Close in your computer’s Properties dialog box.
12. Click Yes when Windows 2000 prompts you to restart your computer.

Using Device Manager to Troubleshoot Hardware Devices

Device Manager is one of Windows 2000’s best troubleshooting tools in terms of identifying and resolving hardware problems. You can perform several specific troubleshooting tasks in Device Manager, including:
■ Viewing a device’s status: The “Device status” box on the General tab in the device’s Properties dialog box indicates whether or not the device is working properly.
■ Viewing and configuring the resource settings used by a device: The resource settings currently configured for the device are listed on the Resources tab in the device’s Properties dialog box. On this tab you can also view any conflicting devices, and change resource settings if necessary to resolve configuration conflicts. See the step-by-step section titled “Using Device Manager to view and change device configuration” earlier in this chapter for details.
■ Starting a Troubleshooter to help you diagnose and resolve a hardware problem: When you click Troubleshooter on the General tab in the device’s Properties dialog box, either a general hardware Troubleshooter or a Troubleshooter specific to the hardware device starts. The Troubleshooter takes you through a series of questions and steps to help you identify and resolve various hardware problems. Follow the instructions presented on-screen to resolve the particular problem you’re experiencing.
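The “Device status” check above can be done for every device at once from PowerShell. This is an added example, not the book’s code; it assumes the PnpDevice module (Windows 8 / Server 2012 or later), and the short table of problem codes is a subset of the Device Manager error codes Microsoft documents.

```powershell
# Added example, not from the book. Lists the devices Device Manager would flag
# (yellow exclamation mark or disabled), with the problem code behind each.
# Assumes the PnpDevice module (Windows 8 / Server 2012 or later).
function Get-ProblemDevice {
    [CmdletBinding()]
    param()

    # A few of the Device Manager error codes; the full list is in Microsoft's
    # documentation. Code 12 is the resource-conflict case discussed above and
    # code 22 is a device that was disabled the way the previous steps describe.
    $codeText = @{
        1  = 'Not configured correctly'
        10 = 'Device cannot start'
        12 = 'Not enough free resources (resource conflict)'
        22 = 'Device is disabled'
        28 = 'Drivers for this device are not installed'
        31 = 'Not working properly'
    }

    Get-PnpDevice -PresentOnly -ErrorAction Stop |
        Where-Object { $_.Status -ne 'OK' } |
        ForEach-Object {
            # DEVPKEY_Device_ProblemCode carries the same number Device Manager
            # shows in the "Device status" box.
            $code = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_ProblemCode' -ErrorAction SilentlyContinue).Data
            [pscustomobject]@{
                Class        = $_.Class
                FriendlyName = $_.FriendlyName
                Status       = $_.Status
                ProblemCode  = $code
                Meaning      = if ($null -ne $code -and $codeText.ContainsKey([int]$code)) { $codeText[[int]$code] } else { 'See Device Manager' }
                InstanceId   = $_.InstanceId
            }
        }
}

Get-ProblemDevice | Format-Table Class, FriendlyName, Status, ProblemCode, Meaning -AutoSize
```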

Creating and Managing Hardware Profiles

You can also use the System application to create and manage hardware profiles. A hardware profile is a list of devices (and settings for each of these devices) that Windows 2000 starts when you boot your computer. When you first install Windows 2000, the operating system creates an initial hardware profile.
The primary reason for creating hardware profiles is to manage the different hardware configurations used by laptop and other mobile computers. For example, a laptop computer used at the office in a docking station often has a different hardware configuration than the same laptop computer when it is used while traveling or at home without a docking station. Hardware profiles make it possible to create multiple configurations for the same laptop computer.
Clicking Hardware Profiles on the Hardware tab in the System application brings up the Hardware Profiles dialog box, which is shown in Figure 5-64. Notice that the default hardware profile (created by Windows 2000 during installation) is named Profile 1. Also notice that the word (Current) is listed after Profile 1. This indicates that Profile 1 is the hardware profile currently being used.
Creating a new hardware profile is accomplished by copying an existing hardware profile and then modifying it. In the following sections I’ll explain how to create a new hardware profile, how to rename a hardware profile, how to set the default hardware profile, how to enable or disable devices within a hardware profile, and how to enable or disable a service within a hardware profile.

FIGURE 5-64 Working with hardware profiles

STEP BY STEP

CREATING A NEW HARDWARE PROFILE

1. Start the System application. (Select Start ➪ Settings ➪ Control Panel, and then
double-click System.)
2. In the System Properties dialog box, click the Hardware tab.
3. On the Hardware tab, click Hardware Profiles.
4. In the Hardware Profiles dialog box, ensure that the profile you want to use
to create a new profile is highlighted. Click Copy.
5. In the Copy Profile dialog box, type in a name for the new profile, such as
Undocked, or accept the default name displayed. Click OK.
6. Now, to configure the new hardware profile, click Properties in the Hardware
Profiles dialog box.
7. The new profile’s Properties dialog box appears, as shown in Figure 5-65.
If this profile is for a laptop computer, select the check box next to “This is a
portable computer” and select one of the three possible docking options. If you
want this hardware profile to be displayed as an option when Windows 2000
starts, select the check box next to “Always include this profile as an option when
Windows starts.” Click OK.

FIGURE 5-65 Configuring a new hardware profile

At this point, it’s often a good idea to rename Profile 1 with a more
intuitive name for the user, such as “Docked.” To rename a profile, highlight
the profile in the Hardware Profiles dialog box, then click Rename. Type a
new name for the hardware profile in the Rename Profile dialog box, then
click OK.
Another configuration you might want to make now is to set the default
hardware profile. In the Hardware Profiles dialog box, the default hardware
profile is the profile at the top of the list in the “Available hardware profiles”
box. If the hardware profile used most often is not at the top of the list, you
can configure it to be the default profile by moving it to the top of the list.
To move a profile within the list of available hardware profiles, highlight
the profile you want to move, then click the up arrow or down arrow
command button to move it up or down in the list.
When more than one hardware profile is configured on a computer, Windows
2000 displays these hardware profiles during the boot process and permits
you to manually select the profile you want to use. In the Hardware Profiles
dialog box you can configure Windows 2000 to either wait until you manually
select a hardware profile or automatically start the default profile after a
specified number of seconds has passed without a hardware profile being
selected.
Now that you’ve created your new hardware profile and configured it,
you might want to enable or disable specific devices within your new
hardware profile. For example, you might want to disable the network
adapter card in your “Undocked” profile for your laptop computer if the
network adapter card is only used when the laptop is connected to its
docking station at the office.
Disabling the drivers for a device only disables the device in the current
hardware profile. Likewise, enabling the drivers for a device only enables
the device in the current hardware profile. The status of the device is
unaffected in other hardware profiles (if you have more than one) on the
computer.
The following steps explain how to enable or disable a specific hardware
device within a hardware profile.

STEP BY STEP

ENABLING/DISABLING A DEVICE WITHIN A HARDWARE PROFILE

1. Start your Windows 2000 computer. During the boot process, select the
hardware profile for which you want to enable or disable devices.
2. Start the System application. (Select Start ➪ Settings ➪ Control Panel, and then
double-click System.)
3. In the System Properties dialog box, click the Hardware tab.
4. On the Hardware tab, click Device Manager.
5. In Device Manager, click the + next to the type of device you want to enable or
disable within this hardware profile.
6. Right-click the specific device you want to enable or disable within this hardware
profile. From the menu that appears, select Properties.
7. In the device’s Properties dialog box, select the appropriate usage for this device
in the “Device usage” drop-down list box. The possible configuration settings are:
• Use this device (enable)
• Do not use this device in the current hardware profile (disable)
• Do not use this device in any hardware profiles (disable)
If you are configuring a hardware profile for a laptop computer in its undocked
state, you would typically select “Do not use this device in the current hardware
profile (disable)” to disable a device, such as a network adapter card, that is not
available when a laptop computer is not docked.
Select the appropriate device usage option. Click OK.

8. Exit Device Manager.
9. Click OK in the System Properties dialog box.

In addition to enabling or disabling specific devices within a hardware
profile, you can also enable or disable specific services within a hardware
profile. This task is performed by using the Services tool.

STEP BY STEP

ENABLING OR DISABLING A SERVICE WITHIN A HARDWARE PROFILE

1. Start Services. (Right-click My Computer, then select Manage from the menu that
appears. In the Computer Management dialog box, click the + next to Services
and Applications, then click Services.)
2. In the right pane of the window, right-click the specific service you want to enable
or disable within a hardware profile, and then select Properties from the menu
that appears.
3. In the service’s Properties dialog box, click the Log On tab.
4. On the Log On tab, click the hardware profile you want to enable or disable this
service in. Then click Enable or Disable, as appropriate. Click OK.
5. Exit Computer Management.

TIP
If you enabled or disabled a service in the hardware profile you’re currently
using, you’ll need to restart your computer before these changes will take
effect.

Working with User Profiles


A user profile is a collection of settings, options, and files that specify a user’s
desktop and all other user-definable settings for a user’s work environment.
You can use the User Profiles tab in the System application to copy, delete,
and change the type of user profiles. The System application is the only
application in Windows 2000 that you can use to copy user profiles. You
can’t copy user profiles by using Windows Explorer.

CROSS-REFERENCE
I’ll explain how to work with user profiles in depth in Chapter 9.

Configuring Advanced System and Environment Settings

The Advanced tab in the System application enables you to configure
performance options, environment variables, and startup and recovery
options, as shown in Figure 5-66.

FIGURE 5-66 Advanced system settings

Configuring Application Performance and Virtual Memory


Within Performance Options, there are two primary configurable options:
You can optimize application performance for either the foreground
application or for programs running in the background, and you can
configure virtual memory, including the size of paging files.
To configure performance options, click Performance Options in the System
Properties dialog box. The Performance Options dialog box appears, as shown
in Figure 5-67. Notice the “Application response” section in this dialog
box.

FIGURE 5-67 Configuring performance options

There are two options in the “Application response” section that enable you
to choose how Windows 2000 allocates processor time between programs running
on your computer:
■ Applications: Selecting this option causes Windows 2000 to assign a higher
priority (in terms of processor time allocated) to the application running
in the foreground than to all other programs. This feature is often selected
for desktop computers to promote smoother, faster response to user input in
the active application. This setting is selected by default on Windows 2000
Professional computers (but is not the default on Windows 2000 Server or
Advanced Server computers).
■ Background services: Selecting this option causes Windows 2000 to assign
equal priority to all programs. When this option is selected, the foreground
application has the same priority as a program running in the background.
This option is generally the most appropriate setting for servers, which
don’t normally have an interactive user. This setting is selected by default
on Windows 2000 Server and Advanced Server computers.
You can also configure virtual memory in the Performance Options dialog box.
Virtual memory, you may recall, is the physical space on a hard disk that
Windows 2000 treats as though it were RAM. Virtual memory is implemented in
Windows 2000 by the use of paging files.

You should consider both paging file performance and system recoverability
when configuring virtual memory paging files.
If you want to configure your computer for maximum paging file performance,
consider doing one or more of the following:
■ Place the paging file on any hard disk in your computer that does
not contain the Windows 2000 boot partition.
■ Place the paging file on the hard disk in your computer that has
the least amount of activity.
■ Place a small paging file on each hard disk in your computer,
except on the disk that contains the Windows 2000 boot partition.
■ Place the paging file on a striped volume.

CAUTION
It’s not normally a good idea to place the paging file on a RAID-5 volume
created by using Disk Management. If you do, you’ll improve performance of
the paging file, but you’ll decrease performance of the computer’s processor
because of the amount of processor time required to compute the RAID-5
parity information.

If system recoverability is more important to you than paging file
performance, you must put a paging file on the Windows 2000 boot partition
that is at least as large as the amount of RAM in your computer plus 1MB.
This paging file is used by Windows 2000 as a normal paging file, and,
additionally, this paging file is required to enable Windows 2000 to write a
Memory.dmp file when the operating system crashes.
It’s up to you to consider the trade-offs between performance and
recoverability, and then to determine the best configuration for your paging
file(s).
I’ll explain how to configure paging files in the next section.

CAUTION
When you modify your computer’s current paging file, Windows 2000
requires you to shut down and restart your computer.

STEP BY STEP

CONFIGURING A PAGING FILE(S)

1. Start the System application. (Select Start ➪ Settings ➪ Control Panel, and then
double-click System.)
2. In the System Properties dialog box, click the Advanced tab.
3. On the Advanced tab, click Performance Options.
4. In the Performance Options dialog box, click Change.
5. The Virtual Memory dialog box appears, as shown in Figure 5-68. Notice that all
logical drives are listed in the Drive list box, regardless of whether or not a paging
file exists on the drive.

FIGURE 5-68 Configuring a paging file

To create an additional paging file, in the Drive list box, highlight the logical
drive on which you want to create the paging file. Then, configure the initial size
and maximum size you want the new paging file to be. Then click Set.

TIP
To avoid fragmentation of your paging file, configure the file’s initial size
and maximum size with the same values. The total combined size of all of
your paging files should be at least as large as the recommended size
displayed in the Virtual Memory dialog box.

To move a paging file to another disk, first, create a new paging file on the
target disk. Then configure the initial size and maximum size of the original paging
file to zero, and click Set. (This deletes the original paging file.)
6. In the Virtual Memory dialog box, click OK.
7. If you have modified the current paging file, Windows 2000 notifies you that you
must restart your computer before the changes you made will take effect. Click OK.
8. In the Performance Options dialog box, click OK.
9. In the System Properties dialog box, click OK.
10. If you modified the current paging file, Windows 2000 prompts you to restart your
computer now. Click Yes.

There’s one other important configuration you can make in the Virtual Memory
dialog box (shown in Figure 5-68). You can configure the maximum size, in MB,
that Windows 2000 will allocate to the operating system’s Registry database.
By default, Windows 2000 allocates enough space to accommodate even the
largest anticipated Registry. However, each program that you install on your
computer requires space in the Registry. If your current Registry size is
approaching the maximum Registry size setting, you might want to manually
increase the maximum Registry size in the Virtual Memory dialog box.
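The sizing rules from this section (equal initial and maximum sizes to avoid fragmentation, a combined size at least the recommended size, a boot-partition file of at least RAM plus 1MB so that Memory.dmp can be written, and the RAID-5 caution) as a checker run over a constructed layout. This is an added example, not code from the book; the PagingFile record, the volume_kind labels and the sample sizes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List

# Added example, not from the book. PagingFile, the volume_kind labels and
# the sample sizes below are constructed for this example.


@dataclass
class PagingFile:
    drive: str            # e.g. "C:"
    initial_mb: int       # "Initial size (MB)" in the Virtual Memory dialog
    maximum_mb: int       # "Maximum size (MB)" in the Virtual Memory dialog
    on_boot_partition: bool = False
    volume_kind: str = "simple"   # "simple", "striped" or "raid5" (assumed labels)


def dump_file_minimum_mb(ram_mb: int) -> int:
    """Smallest boot-partition paging file that still lets Windows 2000 write Memory.dmp."""
    return ram_mb + 1


def check_paging_files(ram_mb: int, recommended_mb: int,
                       files: List[PagingFile],
                       wants_memory_dump: bool = True) -> List[str]:
    """Check a paging-file layout against the chapter's guidance.

    Returns one finding per problem; an empty list means the layout is fine.
    """
    findings: List[str] = []
    # Setting both sizes to zero is how the dialog deletes a paging file,
    # so such entries are not counted as paging files at all.
    active = [f for f in files if f.maximum_mb > 0]

    # Tip: equal initial and maximum sizes keep the file from fragmenting.
    for f in active:
        if f.initial_mb != f.maximum_mb:
            findings.append(
                f"{f.drive} initial size ({f.initial_mb} MB) differs from maximum "
                f"({f.maximum_mb} MB); the file may fragment as it grows")

    # The combined size must reach the recommended size shown in the dialog.
    total = sum(f.maximum_mb for f in active)
    if total < recommended_mb:
        findings.append(
            f"combined size {total} MB is below the recommended {recommended_mb} MB")

    # Recoverability: Memory.dmp needs RAM + 1MB on the boot partition.  The
    # initial size is used because it is the space guaranteed at boot time.
    if wants_memory_dump:
        needed = dump_file_minimum_mb(ram_mb)
        boot_sizes = [f.initial_mb for f in active if f.on_boot_partition]
        if not boot_sizes or max(boot_sizes) < needed:
            findings.append(
                f"no boot-partition paging file of at least {needed} MB; "
                "Windows 2000 cannot write Memory.dmp after a Stop error")

    # Performance caution: RAID-5 parity costs processor time on every write.
    for f in active:
        if f.volume_kind == "raid5":
            findings.append(
                f"{f.drive} paging file is on a RAID-5 volume; parity computation "
                "will consume processor time")
    return findings


# Constructed layouts for a machine with 256 MB of RAM whose Virtual Memory
# dialog recommends 384 MB in total.
RAM_MB, RECOMMENDED_MB = 256, 384

PROPOSED = [
    PagingFile("C:", 128, 384, on_boot_partition=True),
    PagingFile("D:", 384, 384, volume_kind="raid5"),
]

# A layout following the guidance: a fixed-size, dump-capable file on the
# boot partition plus a fixed-size file on a striped volume for throughput.
CORRECTED = [
    PagingFile("C:", 257, 257, on_boot_partition=True),
    PagingFile("D:", 384, 384, volume_kind="striped"),
]

if __name__ == "__main__":
    for name, layout in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(f"{name}:", check_paging_files(RAM_MB, RECOMMENDED_MB, layout) or "OK")
```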

Configuring Environment Variables


Environment variables are values that specify information about your
computer and operating system. Windows 2000 and applications use environment
variables to locate certain types of information, such as the location of
system files, or the name of the currently-logged-on user. You can use the
System application to configure both user environment variables and system
environment variables. User environment variables apply only to a specific
user. System environment variables apply to all users and to the operating
system.
In my experience, administrators don’t often have to change environment
variables. However, occasionally a legacy application may require you to
manually change one or more environment variables.
To change a user environment variable, you must be logged on as the user
whose variable you want to modify. To modify a system environment variable,
you must be logged on as a user with Administrator rights. The next section
explains the steps involved in configuring environment variables.

STEP BY STEP

CONFIGURING USER AND SYSTEM ENVIRONMENT VARIABLES

1. Start the System application. (Select Start ➪ Settings ➪ Control Panel, and then
double-click System.)
2. In the System Properties dialog box, click the Advanced tab.
3. On the Advanced tab, click Environment Variables.
4. The Environment Variables dialog box appears, as shown in Figure 5-69. Notice
the “User variables for Administrator” and “System variables” list boxes.

FIGURE 5-69 Configuring environment variables


• To modify an existing variable (either user or system), highlight that
variable and click Edit. In the Edit User Variable or Edit System Variable
dialog box, edit the variable’s value as appropriate. Click OK.
• To create a new variable, click New in the “User variables for Username”
list box if you want to create a new user variable, or click New in the
“System variables” list box if you want to create a new system variable. In
the New User Variable or New System Variable dialog box, enter a name and
value for the new variable. Click OK.
• To delete a variable (either user or system), highlight that variable, and
click Delete.
5. To save the variable changes you’ve made, click OK in the Environment Variables
dialog box. If you’ve made errors or accidentally deleted required variables, click
Cancel.
6. Click OK in the System Properties dialog box.

Configuring Startup and Recovery Options


Although Windows 2000’s default settings are appropriate for most
situations, you can use the System application to configure the default
operating system (if more than one operating system is installed on the
computer) that Windows 2000 will start, and what action(s) Windows 2000 will
take if an unexpected error causes the system to stop (crash). To configure
these options, click Startup and Recovery on the Advanced tab in the System
Properties dialog box. The Startup and Recovery dialog box appears, as shown
in Figure 5-70. Figure 5-70 shows a Windows 2000 Server version of this
dialog box. Notice the various system startup and system failure
configuration options. The Windows 2000 Professional version of this dialog
box has the same configuration options, but has a different set of default
settings in the System Failure section.
There are three sections in the Startup and Recovery dialog box: System
startup, System Failure, and Write Debugging Information.
In the System startup section there are two configurable options:
■ Default operating system: If more than one operating system is installed
on your computer, you can select the default operating system from this
drop-down list box. The default operating system is the operating system
that will start if no operating system selection is made during the boot
process.

FIGURE 5-70 Configuring startup and recovery options

■ Display list of operating systems for xx seconds: If this check box is
selected, during the boot process Windows 2000 will display a list of
operating systems that can be started. Windows 2000 will display this list
for the number of seconds specified in the spin box. If this check box is
cleared, Windows 2000 will start the default operating system without
displaying a list. By default (on both Windows 2000 Professional and Windows
2000 Server computers), this check box is selected and the list is displayed
for 30 seconds.
In the System Failure section there are three options:
■ Write an event to the system log: This option is selected and grayed out,
by default, on Windows 2000 Server computers because Windows 2000 takes this
action every time a Stop error occurs. (A Stop error is an error from which
Windows 2000 cannot recover — in other words, a system crash.) This option
is not selected, by default, on Windows 2000 Professional computers.
■ Send an administrative alert: When this check box is selected, Windows
2000 uses the Messenger service to send an alert message to all users on the
network that are logged on as Administrator when a Stop error occurs. This
option is selected, by default, on Windows 2000 Server computers; but is not
selected, by default, on Windows 2000 Professional computers.

■ Automatically reboot: When this check box is selected, Windows 2000
automatically reboots the computer in the event of a system crash. This
option is selected, by default, on Windows 2000 Server computers; but is not
selected, by default, on Windows 2000 Professional computers.
In the Write Debugging Information section there are three configurable
options:
■ Write Debugging Information: In this drop-down list box, you can select
the amount of information Windows 2000 will write to a dump file in the
event of a system crash. The options you can select from are none, small
memory dump (64K), kernel memory dump, and complete memory dump. The default
setting for Windows 2000 Server is Complete Memory Dump. The default setting
for Windows 2000 Professional is none.

TIP
If you want Windows 2000 to write debugging information when the system
crashes, remember that you must have a paging file on the boot partition
that is at least as large as the amount of RAM in the computer, plus 1MB, in
order for Windows 2000 to create a memory dump file.
■ Dump File: This text box is used to specify the name and location of the
file that Windows 2000 will use as a dump file in the event of a system
crash. By default, the file is named Memory.dmp and is located in the folder
Windows 2000 is installed in.
■ Overwrite any existing file: When this check box is selected (and it is
selected by default), Windows 2000 overwrites any previously existing dump
file when a Stop error occurs. If this check box is cleared and a dump file
exists, Windows 2000 will not write a new dump file in the event of a system
crash.

TIP
If you experience recurrent system crashes, the Memory.dmp file may
be needed when you contact Microsoft Technical Support. Microsoft
Technical Support personnel can use a debugger on your Memory.dmp
file to identify the cause of your system crashes.

Users and Passwords


The Users and Passwords application, which is only available on Windows
2000 Professional computers, enables you to manage users and passwords
for the computer. In this application you can grant or deny users access to
a computer, change passwords, manage certificates, access the Local Users
and Groups tool contained in Computer Management, and require users
to press Ctrl+Alt+Delete before logging on.

CROSS-REFERENCE
I’ll cover how to use this application when I discuss managing users and
groups in Chapter 9.

Wireless Link
The Wireless Link application enables you to configure the infrared
device(s) installed in a Windows 2000 computer, including how files and
images are transferred to this computer. The Wireless Link application does
not enable you to configure infrared devices located in other hardware
devices.
An infrared device, which is also called a wireless device, is a port in a
computer or other piece of hardware (such as a printer, camera, scanner,
digital camera, and so on) that is capable of sending and receiving data,
images, or both by using infrared light. Standards for infrared/wireless
devices are maintained by the Infrared Data Association (IrDA). Because of
this, infrared devices are also called IrDA devices.
Infrared devices are commonly used to transfer data between two laptop
computers, transfer data between a laptop computer and a personal digital
assistant (PDA), send print jobs from a laptop computer to a printer, or to
transfer images from a digital camera to a laptop computer.
Although all users can start and use the Wireless Link application, you
must be a member of the Administrators group to use this application to
change hardware settings.
To access the Wireless Link application, double-click the Wireless Link
icon in Control Panel.

TIP
The Wireless Link icon appears in Control Panel only if an infrared device
is installed in the computer.

Figure 5-71 shows the Wireless Link dialog box.

FIGURE 5-71 Configuring a wireless link

Notice in Figure 5-71 that there are three tabs in this dialog box: File
Transfer, Image Transfer, and Hardware.
On the File Transfer tab, you can configure how files are received by the
infrared device(s) installed in your computer. You can cause an icon to be
displayed in the taskbar when the infrared device is in use. You can also
configure your computer to accept (or reject) files sent to your infrared
device(s). You can configure Windows 2000 to display file transfer status
during file transfers. Finally, you can specify the default location where
Windows 2000 will save files received through the infrared device(s) on your
computer.
On the Image Transfer tab you can enable your computer to accept images
transferred from a digital camera over a wireless link. You can also specify
the folder in which Windows 2000 will store these digital images, and
whether or not Windows 2000 will automatically open Windows Explorer to the
specified folder after receiving the images.

TIP
You can’t initiate the transfer of images from a digital camera to your
computer by using the Wireless Link application — you should either initiate
the transfer from the camera, or install and configure the camera on your
computer and then use the Imaging application to transfer images.

On the Hardware tab you can view and configure the properties of the
infrared device(s) that are installed in your computer. The Properties
dialog boxes that you can access here are the same as those you can access
by using Device Manager, which was covered earlier in this chapter. If you
are having problems with an infrared device in your computer, you can click
Troubleshoot on the Hardware tab to start the Hardware Troubleshooter.

Troubleshooting Hardware
Troubleshooting hardware is a common task for network administrators. It
is also a strong focus of the Professional and Server exams. In this section,
I’ll discuss some tips and tools for troubleshooting hardware on Windows
2000 computers.
There are numerous hardware devices, which, when installed in a
Windows 2000 computer, may require troubleshooting. Some of these
devices include:
■ Display devices/video adapters
■ Input/output (I/O) devices, such as cameras, keyboards, modems (including
fax modems), mice, multimedia devices, printers, scanners, and smart card
readers
■ Mobile computer hardware
■ Network adapter cards

Troubleshooting Common Hardware Problems


Some of the most common hardware problems are configuration problems
that occur when two cards installed in the same computer are configured
to use the same interrupt, I/O port address, or DMA address. To resolve
this type of problem, you should use Device Manager (or Add/Remove
Hardware) to reconfigure one of the cards to use a nonconflicting setting.
Another common hardware configuration problem occurs when a card is
physically configured in one way (via switches, jumpers, or both), and the
software driver for that card is configured with different settings. To
resolve this type of problem, you must either change the hardware settings
or use Device Manager (or Add/Remove Hardware) to change the software device
driver settings so that both the hardware and the software use the same
settings.
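The resource-conflict checks described here, as an added example that is not from the book: it models the kind of listing the Conflicts/Sharing view of System Information produces, flagging two devices on the same interrupt, overlapping I/O port ranges, or the same DMA channel, while reporting an interrupt that every claimant may share under “shared” rather than as a conflict. The Device record, its irq_shareable flag and the sample inventory are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the book. The Device record, the irq_shareable
# flag and the sample inventory are constructed for this example.


@dataclass
class Device:
    name: str
    irq: Optional[int] = None
    io_ports: Tuple[Tuple[int, int], ...] = ()   # inclusive (start, end) ranges
    dma: Optional[int] = None
    # PCI devices can legitimately share an interrupt line; legacy ISA cards
    # with edge-triggered interrupts cannot.
    irq_shareable: bool = False


def _overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """True if two inclusive port ranges have at least one address in common."""
    return a[0] <= b[1] and b[0] <= a[1]


def find_conflicts(devices: List[Device]) -> Tuple[List[str], List[str]]:
    """Return (conflicts, shared) for resources claimed by two or more devices.

    A resource with several claimants is a conflict unless every claimant is
    allowed to share it, in which case it is listed under 'shared', as the
    Conflicts/Sharing view does for shared interrupts.
    """
    conflicts: List[str] = []
    shared: List[str] = []

    # Interrupts: group devices by IRQ line and look for multiple claimants.
    by_irq = defaultdict(list)
    for d in devices:
        if d.irq is not None:
            by_irq[d.irq].append(d)
    for irq, claimants in sorted(by_irq.items()):
        if len(claimants) < 2:
            continue
        entry = f"IRQ {irq}: " + ", ".join(d.name for d in claimants)
        if all(d.irq_shareable for d in claimants):
            shared.append(entry)
        else:
            conflicts.append(entry)

    # DMA channels cannot be shared at all.
    by_dma = defaultdict(list)
    for d in devices:
        if d.dma is not None:
            by_dma[d.dma].append(d)
    for dma, claimants in sorted(by_dma.items()):
        if len(claimants) > 1:
            conflicts.append(f"DMA {dma}: " + ", ".join(d.name for d in claimants))

    # I/O port ranges: any overlap between two devices is a conflict.
    for i, a in enumerate(devices):
        for b in devices[i + 1:]:
            for ra in a.io_ports:
                for rb in b.io_ports:
                    if _overlap(ra, rb):
                        conflicts.append(
                            f"I/O 0x{ra[0]:04X}-0x{ra[1]:04X}: {a.name}, {b.name}")
    return conflicts, shared


# Constructed sample inventory: a PC with two legacy ISA cards whose jumpers
# were left at the factory defaults, plus two PCI devices sharing IRQ 11.
SAMPLE_DEVICES = [
    Device("Communications Port (COM1)", irq=4, io_ports=((0x3F8, 0x3FF),)),
    Device("Standard floppy disk controller", irq=6,
           io_ports=((0x3F0, 0x3F5), (0x3F7, 0x3F7)), dma=2),
    Device("ISA sound card", irq=5, io_ports=((0x220, 0x22F), (0x330, 0x331)), dma=1),
    Device("ISA network adapter", irq=5, io_ports=((0x300, 0x31F),)),
    Device("ISA SCSI host adapter", irq=10, io_ports=((0x330, 0x333),), dma=1),
    Device("PCI video adapter", irq=11, irq_shareable=True),
    Device("PCI SCSI controller", irq=11, irq_shareable=True),
]

if __name__ == "__main__":
    found, sharing = find_conflicts(SAMPLE_DEVICES)
    print("Conflicts:", *found, sep="\n  ")
    print("Shared:", *sharing, sep="\n  ")
```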

Recommended Hardware Troubleshooting Tools


Throughout this chapter I’ve discussed several general tools that are useful
for troubleshooting hardware devices, including:
■ Troubleshooters: These special Help features take you through a series of
questions and steps to help you identify and resolve various hardware
problems. Follow the instructions presented on-screen to resolve the
particular problem you’re experiencing. Windows 2000 includes both general
and device-specific Troubleshooters.
■ Add/Remove Hardware: This Control Panel application is useful not only for
adding and removing hardware, but also for troubleshooting hardware devices.
One nice feature of this application is that it enables you to easily access
a Troubleshooter for the device you’re trying to fix.
■ Device Manager: This tool, which is accessed through the System
application, enables you to view a graphical representation of the hardware
devices installed in a Windows 2000 computer, and also to configure, manage,
and troubleshoot various hardware devices. Device Manager is especially
useful because it displays resource settings used by a device, including any
resource conflicts with other devices, and enables you to resolve these
conflicts in the same dialog box. When you use Device Manager you not only
have a good chance of identifying the hardware problem, but you can use this
tool to resolve the problem, as well.
Another good general tool for troubleshooting hardware is System
Information, which I’ll cover in the next section.
Finally, in addition to general troubleshooting tools, there are also some
device-specific troubleshooting tools you can use. Many of the hardware
devices I discussed in this chapter have their own Control Panel
applications. When troubleshooting a specific device (such as a mouse), you
can often use its associated application (in this case, Mouse) to view and
configure device properties, update drivers, and start a device-specific
Troubleshooter.

Using System Information


System Information is a Windows 2000 administrative tool that enables
you to view detailed system configuration information, and is often used
to troubleshoot system configuration problems. System Information is the
Windows 2000 equivalent to Windows NT Diagnostics that shipped with
Windows NT 4.0.
To start System Information, right-click My Computer on your desktop, then
select Manage from the menu that appears. Then, to expand the System
Information components, click the + next to System Information in the left
pane of the Computer Management window. Expanding System Information reveals
its five primary components: System Summary, Hardware Resources, Components,
Software Environment, and Internet Explorer 5. Figure 5-72 shows System
Information expanded.

FIGURE 5-72 System Information

To further expand any of the System Information components, click the + next
to that component in the left pane of the Computer Management window. To
access a System Information component, click that component in the left
pane.
The System Summary component displays the operating system in use, including
its version and manufacturer. System Summary also displays various hardware
information about the computer, including the system (computer) name,
processor type, BIOS version, and amount of RAM in the computer. Figure 5-73
shows System Summary information for a Windows 2000 Server computer in my
office. Notice the various information listed.

FIGURE 5-73 System Summary

TIP
Once you’ve displayed information using one of the System Information
components, you may want to print it. To print the information displayed,
right-click anywhere in the right pane, and select Print from the menu that
appears.

The Hardware Resources component displays detailed configuration information
on the various hardware devices installed in the computer. You can click any
of six different options in Hardware Resources:

■ Conflicts/Sharing: This option displays a listing of any resource
conflicts in the computer, such as interrupt conflicts or I/O address
conflicts. This option also displays resources that are shared, such as
shared interrupts.
■ DMA: This option displays a list of direct memory access (DMA)
addresses in use by various hardware devices installed in the
computer.
■ Forced Hardware: This option displays a list of hardware devices installed
in the computer that have been manually configured (by using Device Manager)
by the user. If no devices have been manually configured, “No Forced
Hardware” is displayed in the Device column.
■ I/O: This option displays a list of the input/output (I/O) ports in
the computer, and shows whether each I/O port is free or is in use
by a specific hardware device.
■ IRQs: This option displays a list of the interrupts in use on the
computer, and the specific hardware device using each interrupt.
Figure 5-74 shows a listing of the IRQs in use on a Windows 2000
Server computer.

FIGURE 5-74 Hardware Resources — IRQs


■ Memory: This option displays a list of the memory ranges in use
on the computer, and, when known, the specific hardware device
that uses each range.
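The IRQ and Conflicts/Sharing views read the same data that WMI exposes. As an added example (not from the book; Windows 2000 shipped no PowerShell), the following script lists each interrupt with the devices holding it and flags a non-shareable line claimed by more than one device, which is the case System Information reports as a conflict. It assumes PowerShell 3 or later for the CIM cmdlets.

```powershell
# Added example, not from the book: list IRQ assignments from WMI and flag
# interrupts allocated to more than one device. Assumes PowerShell 3+ (CIM cmdlets).
function Get-IrqAssignment {
    # Win32_IRQResource is one row per interrupt the system knows about;
    # Win32_PnPAllocatedResource associates each one with the Plug and Play
    # devices that currently hold it. Get-CimAssociatedInstance walks that link.
    foreach ($irq in Get-CimInstance -ClassName Win32_IRQResource) {
        $devices = @(Get-CimAssociatedInstance -InputObject $irq `
                        -ResultClassName Win32_PnPEntity)
        [pscustomobject]@{
            IRQ       = $irq.IRQNumber
            Shareable = $irq.Shareable   # PCI level-triggered lines are shareable
            Devices   = @($devices | ForEach-Object Name)
            Count     = $devices.Count
            # Several devices on a shareable line is normal. A non-shareable
            # line held by two devices is the conflict System Information reports.
            Conflict  = ($devices.Count -gt 1) -and (-not $irq.Shareable)
        }
    }
}

# Unassigned interrupts have no associated device; drop them from the report.
$report = Get-IrqAssignment | Where-Object Count -gt 0 | Sort-Object IRQ
$report | Format-Table IRQ, Shareable, Count, Conflict,
    @{ n = 'Devices'; e = { $_.Devices -join '; ' } } -AutoSize

# Anything flagged here is what the Conflicts/Sharing option would show as a conflict.
$report | Where-Object Conflict
```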
The Components folder displays detailed information about various
hardware and software components installed in a Windows 2000 computer.
Figure 5-75 shows the numerous options available within Components.
Notice that many of the Components options have suboptions.

FIGURE 5-75 Components

Also notice in Figure 5-75 that I’ve highlighted the Serial suboption
under Ports. Clicking an option or suboption in the left pane causes the
details for the option or suboption to be displayed in the right pane.
The Software Environment component displays detailed information
about the software loaded in computer memory. You can use this component
to determine whether a driver or process is running, and to view version
information. Figure 5-76 shows the options available within the
Software Environment component. Notice that the Drivers option is
highlighted, and that various driver information, including the driver name,
description, type, and state, is shown in the right pane of the window.
The Internet Explorer 5 component displays various information about
the Internet Explorer 5 installation on this computer, including version
and build number, a list of files and their version numbers, Internet
connectivity settings, cache information, content settings and certificates, and
security configuration information.

FIGURE 5-76 Software Environment — Drivers

Hardware Troubleshooting Tips

I know that the troubleshooting process is both an art and a science, and
that there are as many methods of troubleshooting as there are network
administrators. That said, here are a few of my own personal recommendations
of things to consider trying when you’re faced with a hardware
troubleshooting problem:
■ Look for (and resolve) hardware device resource conflicts.
■ Verify that the correct device driver for the device in question is
installed.
■ If the device is an external device, verify that it is powered on and
that all of its cables are correctly connected to the computer.
■ Verify that the device is enabled in the current hardware profile.
■ Try rebooting the computer.
■ Try removing and reinstalling the device.
■ Try replacing the device with a known good device of the same
exact type.
■ Verify that the device in question is on the Windows 2000
Hardware Compatibility List.

KEY POINT SUMMARY

This chapter explored numerous Control Panel topics. Many of the Control Panel
applications are self-explanatory, but a few deserve some final emphasis before I
leave this chapter.
■ Control Panel is an exhaustive collection of applications. These applications,
which are automatically installed during installation of Windows 2000, are
used to install, configure, or both install and configure various components,
applications, hardware, protocols, and services.
■ Add/Remove Hardware is an important application because it is used to add,
remove, unplug, and troubleshoot the hardware devices in your computer.
■ The Display application is used to configure desktop settings, display settings,
and multiple-display support.
■ The Folder Options application is particularly useful for configuring offline files.
■ The Power Options application is used to configure power schemes,
hibernation, Advanced Power Management (APM), and UPS devices.
■ The Regional Options application is useful for configuring local settings, and
for configuring support for multiple languages and locations.
■ The System application is used to perform numerous tasks, including changing
network identification, managing driver signing, and creating and managing
hardware profiles. The System application also includes Device Manager, a
powerful tool for configuring and troubleshooting hardware devices.
■ Numerous tools for troubleshooting hardware are covered in this chapter, such
as the Add/Remove Hardware application, Device Manager, Troubleshooters,
and System Information.
STUDY GUIDE
This section contains several exercises that are designed to cement your
knowledge of Control Panel topics and help you prepare for the
Professional and Server exams:
■ Assessment questions: These questions test your knowledge of
the Control Panel features and topics covered in this chapter. You
can find the answers to these questions at the end of this chapter.
■ Scenario: The situation-based questions in a scenario challenge you
to apply your understanding of the material to solve a hypothetical
problem. In this chapter’s scenario, you are asked to describe the
action you would take to solve a number of troubleshooting
problems. You don’t need to be at a computer to do the scenario. Answers
to this chapter’s scenario are presented at the end of this chapter.
■ Labs: These exercises are hands-on practice activities that you
perform on a Windows 2000 computer. The labs in this chapter give
you an opportunity to use the Add/Remove Hardware application,
to use Device Manager, and to explore several different Control
Panel applications.

Assessment Questions
1. You want to install the device drivers for a new infrared device in
your Windows 2000 computer. Which tool should you use?
A. Wireless Link
B. Device Manager
C. Scanners and Cameras
D. Add/Remove Hardware
2. You want to configure multiple language support on your Windows
2000 computer. Which tool should you use?
A. Fonts
B. Keyboard
C. Regional Options
D. Add/Remove Programs
3. Which Windows 2000 tool can you use to initiate the transfer of
images from a digital camera to your Windows 2000 computer?
A. Imaging
B. Wireless Link
C. Scanners and Cameras
D. Sounds and Multimedia
4. Which tool should you use to manage driver signing on a Windows
2000 computer?
A. System
B. Folder Options
C. Licensing
D. Add/Remove Programs
5. Which of the following features is supported on Windows 2000
Professional computers but is not supported on Windows 2000 Server
computers?
A. Wireless devices
B. Multiple displays
C. Advanced Power Management (APM)
D. Uninterruptible power supplies (UPSs)
6. You want to change the workgroup membership of a Windows 2000
Professional computer. Which tool should you use?
A. System
B. Regional Options
C. System Information
D. Network and Dial-up Connections
7. You want to create and configure a hardware profile on your
Windows 2000 computer. Which tool should you use?
A. System
B. Device Manager
C. Add/Remove Programs
D. Add/Remove Hardware
8. You want to configure synchronization settings for your offline files.
Which tool should you use?
A. Folder Options
B. Scheduled Tasks
C. Windows Explorer
D. System Information
9. You want to add an additional paging file to your Windows 2000
Server computer. Which tool should you use?
A. System
B. Folder Options
C. Windows Explorer
D. Add/Remove Programs
10. Which of the following tools are useful for troubleshooting hardware
devices on a Windows 2000 computer? (Choose all that apply.)
A. Device Manager
B. System Information
C. Add/Remove Programs
D. Add/Remove Hardware

Scenarios
The following scenarios provide you with an opportunity to apply the
knowledge you’ve gained in this chapter about troubleshooting several
Windows 2000 features that are managed by Control Panel applications.
Many times when a feature fails to perform as expected, the cause of the
failure is an underlying configuration problem. For each of the following
problems, describe the actions you would take to try to resolve the problem.
1. Yesterday you enabled the StickyKeys option (in Accessibility
Options) on a user’s Windows 2000 computer. Today the user reports
that he is unable to log on.
2. A user reports that the icons displayed on her Windows 2000 desktop
are too small to read easily.
3. A user reports that he can’t receive faxes by using the fax modem
installed in his Windows 2000 computer.
4. An employee at your office uses a Windows 2000 laptop computer
both at work and at home. The user recently configured some files for
offline use. The user reports that when working at home she doesn’t
always have the most current version of the offline files.
5. A user recently scheduled several tasks on his Windows 2000
computer. He reports that he is having problems with one of the
scheduled tasks. The task starts, but does not complete correctly.

Lab Exercises
These labs are designed to provide you with hands-on experience using
many of the applications and tools in Control Panel. From installing and
configuring all the way to troubleshooting, these labs cover it all.

Lab 5-1 Using Add/Remove Hardware

Exam material: Professional, Server

The purpose of this lab is to give you practical experience using the
Add/Remove Hardware application. As stated previously, you use this
application to add, remove, unplug, and troubleshoot the hardware in your
computer, including display devices/video adapters; DVD and CD-ROM
devices; input/output (I/O) devices, such as cameras, keyboard, modems
(including fax modems), the mouse, multimedia devices, printers, scanners,
smart card readers, USB devices, and wireless devices such as infrared
(IrDA) devices; mobile computer hardware such as PC Card devices; and
network adapter cards.
In this lab, you’ll install, configure, and remove a non–Plug and Play
infrared device in your computer. Use these same basic steps no matter which of
the devices listed above you want to install, configure, or remove.

TIP
I don’t expect you to go out and buy any hardware to do this lab. You’ll be
installing device drivers for a nonexistent piece of hardware, and later you’ll
remove the device drivers to return your computer to its normal state.
The steps that follow walk you through using Add/Remove Hardware
on a Windows 2000 Professional computer. The steps for using this
application on a Windows 2000 Server computer are identical.
1. Boot your computer to Windows 2000 Professional. Log on as
Administrator.
2. Select Start ➪ Settings ➪ Control Panel.
3. In the Control Panel dialog box, double-click Add/Remove
Hardware.
4. The Add/Remove Hardware Wizard starts. Click Next.
5. The Choose a Hardware Task screen appears. Select the
“Add/Troubleshoot a device” option. Click Next.
6. Windows 2000 attempts to detect the new hardware device. The
Choose a Hardware Device screen appears. Click “Add a new device”
in the Devices list box. Click Next.
7. The Find New Hardware screen appears. Select the “No, I want to
select the hardware from a list” option. Click Next.
8. The Hardware Type screen appears. Click “Infrared devices.”
You’re installing, configuring, and removing an infrared (IrDA) device
in this lab, but use these same basic steps to install, configure (when
appropriate), and remove any hardware device in your computer,
including a display device/video adapter; a DVD or CD-ROM
device; an input/output (I/O) device, such as a camera, a keyboard, a
modem (including a fax modem), a mouse, a multimedia device, a
printer, a scanner, a smart card reader, or a USB device; mobile com-
puter hardware such as a PC Card device; or a network adapter card.
Click Next.
9. The Select Infrared Device screen appears. In the Manufacturers box,
highlight (Standard Infrared Port). In the Infrared Device box,
highlight Built-in Infrared Device. Click Next.
10. Windows 2000 displays a warning dialog box informing you that
Windows 2000 could not detect the settings of the device. Click OK.
11. A Resources tab is displayed. Examine this tab closely. Notice the
question marks in the “Resource settings” box. This means that the
device is not yet configured.
In the “Setting based on” drop-down list box, select Basic
configuration 0001. On most computers, this causes a conflict to be displayed
in the “Conflicting device list” box. All conflicts listed in the
“Conflicting device list” box must be resolved.
In the “Setting based on” drop-down list box, select Basic
configuration 0005. In the “Resource settings” box, click Input/Output Range,
then click Change Setting. In the Edit Input/Output Range dialog
box, accept the defaults (if no devices are conflicting) and click OK.
In the “Resource settings” box, click Interrupt Request, then click
Change Setting. In the Edit Interrupt Request dialog box, accept the
defaults (if no devices are conflicting) and click OK.
If there are conflicting devices in either the Edit Input/Output
Range dialog box or the Edit Interrupt Request dialog box, use the
up or down arrow to the right of the Value text box to find a value
that does not cause any conflicts. Then click OK.
On the Resources tab, click OK.
12. In the Start Hardware Installation screen, click Next.
13. In the Completing the Add/Remove Hardware Wizard screen, click
Finish.
14. A System Settings Change dialog box is displayed, notifying you that
you must restart your computer before the new settings will take
effect. Click Yes to restart your computer.
15. Boot your computer to Windows 2000 Professional. Log on as
Administrator.
16. Start Control Panel (if it is not already displayed on your desktop).
Double-click Add/Remove Hardware.
17. When the Add/Remove Hardware Wizard starts, click Next.
18. In the Choose a Hardware Task screen, select the “Uninstall/Unplug a
device” option. Click Next.
19. In the Choose a Removal Task screen, select the “Uninstall a device”
option. Click Next.
20. In the Installed Devices on Your Computer screen, highlight the
Built-in Infrared Device that has a yellow circle containing an
exclamation point as part of its icon. (This device is probably at the top of
the Devices list.) Click Next.
21. In the Uninstall a Device screen, select the “Yes, I want to uninstall
this device” option. Click Next.
22. In the Completing the Add/Remove Hardware Wizard screen, click
Finish.

Lab 5-2 Using the System application

Exam material: Professional, Server

The purpose of this lab is to give you hands-on experience using the
System application. This application is used to perform several
configuration, management, and troubleshooting tasks.
This lab has three parts:
■ Part 1: Managing and Troubleshooting Driver Signing
■ Part 2: Using Device Manager
■ Part 3: Creating and Managing Hardware Profiles
The steps that follow take you through these tasks on a Windows 2000
Professional computer. The steps are identical on a Windows 2000 Server
computer.

Part 1: Managing and Troubleshooting Driver Signing


In this section you use the System application to configure driver signing,
and then run Sigverif.exe to troubleshoot the presence of unsigned
driver files.
1. Boot your computer to Windows 2000 Professional. Log on as
Administrator.
2. Start Control Panel. (From the desktop, select Start ➪ Settings ➪
Control Panel.)
3. In the Control Panel dialog box, double-click System.
4. In the System Properties dialog box, click the Hardware tab.
5. On the Hardware tab, click Driver Signing.
6. In the Driver Signing Options dialog box, notice the three
configuration options. Select the “Block — Prevent installation of unsigned
files” option, and click OK.
7. On the Hardware tab, click OK.
8. Close Control Panel.
9. Now you’ll troubleshoot driver signing by running sigverif.exe
to detect any unsigned system files on your computer. Select Start ➪
Programs ➪ Accessories ➪ Command Prompt.
10. At the command prompt, type sigverif and press Enter.
11. In the File Signature Verification dialog box, click Start to have
Windows 2000 search for any unsigned system files.
12. Windows 2000 displays the SigVerif dialog box, indicating that your
files have been scanned and verified. Click OK.
13. In the File Signature Verification dialog box, click Close.
14. At the command prompt, type exit and press Enter.
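Sigverif reports unsigned files interactively. As an added example (not from the book), here is the same check scripted in PowerShell over the kernel-mode drivers that are currently loaded, so a failing signature shows up with the driver name and file path. It assumes a modern Windows with PowerShell 3 or later and Get-AuthenticodeSignature, neither of which existed on Windows 2000.

```powershell
# Added example, not from the book: verify the Authenticode signature of every
# running kernel-mode driver, the scripted counterpart of sigverif.
# Assumes PowerShell 3+ on a Windows version that has Get-AuthenticodeSignature.
function Get-DriverSignatureReport {
    param(
        # Only drivers in these service states are checked; 'Running' is what is loaded now.
        [string[]]$State = @('Running')
    )
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($State -contains $_.State) }

    foreach ($drv in $drivers) {
        # WMI sometimes reports kernel-style paths (\??\C:\... or \SystemRoot\...);
        # map them to Win32 paths so the file can be opened.
        $path = $drv.PathName -replace '^\\\?\?\\', '' `
                              -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) {
            $status = 'FileNotFound'
            $signer = $null
        } else {
            # On Windows 8 and later this also consults the security catalogs,
            # so inbox drivers signed only through a catalog show as Valid.
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
        [pscustomobject]@{
            Name   = $drv.Name
            Path   = $path
            Status = $status   # Valid, NotSigned, HashMismatch, UnknownError, FileNotFound
            Signer = $signer
        }
    }
}

# Report everything that is not Valid; a NotSigned or HashMismatch entry on a
# loaded driver is what the Block setting above is meant to prevent.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Name |
    Format-Table Name, Status, Signer, Path -AutoSize
```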

Part 2: Using Device Manager


In this section, you use Device Manager to configure, manage, and
troubleshoot hardware devices, such as: display devices/video adapters; DVD
and CD-ROM devices; input/output (I/O) devices, such as cameras,
keyboard, modems (including fax modems), mouse, multimedia devices,
printers, scanners, smart card readers, USB devices, and wireless devices such as
infrared (IrDA) devices; mobile computer hardware such as PC Card
devices; and network adapter cards. (Steps 1 through 12)
You’ll also use Device Manager to update device drivers and configure
multiple processing units. (Steps 13 through 23)
Finally, you’ll use Device Manager to implement and manage mobile
computer hardware, by configuring and managing card services. (Steps 24
through 34) This section of the lab is optional because it requires a laptop or other
mobile computer.
1. Start Control Panel. (From the desktop, select Start ➪ Settings ➪
Control Panel.)
2. In the Control Panel dialog box, double-click System.
3. In the System Properties dialog box, click the Hardware tab.
4. On the Hardware tab, click Device Manager.
5. In the Device Manager dialog box, click the + next to Network
adapters. Right-click the device listed under Network adapters, and
select Properties from the menu that appears.
You’re using Device Manager to configure, manage, and troubleshoot a
network adapter card in this section, but use these same basic steps to
configure, manage, and troubleshoot any hardware device in your
computer, including a display device/video adapter; a DVD or CD-ROM
device; an input/output (I/O) device, such as a camera, an infrared
(IrDA) device, a keyboard, a modem (including a fax modem), a mouse,
a multimedia device, a printer, a scanner, a smart card reader, or a USB
device; or mobile computer hardware such as a PC Card device.
6. In the device’s Properties dialog box, click the Resources tab. Notice
the resource settings used by the network adapter in your computer.
If conflicts are listed in the “Conflicting device list” box, highlight the
conflicting resource (in the “Resource settings” box) and click
Change Setting. Configure a nonconflicting setting and click OK.
Click the General tab.
7. On the General tab, note the device status. The status probably
displayed is “This device is working properly.” However, humor me for a
minute and assume the device is not working properly. I want you to
experience troubleshooting the device. Click Troubleshooter.
8. The Hardware Troubleshooter starts. Notice the many types of
problems that the Troubleshooter can help you identify and resolve. Click
the “My network adapter doesn’t work” option, and click Next at the
bottom of the screen.
9. Select the “Yes, my device is on the HCL” option, and click Next.
10. Notice the options presented on the screen. If a hardware problem
actually existed, you could continue working through the
Troubleshooter for some time. But for now, select the “Yes, my
network adapter works” option, and click Next.
11. Close Windows 2000 Help.
12. In the network adapter’s Properties dialog box, click OK.
13. In the next several steps you’ll learn how to update device drivers and
configure multiple processing units.

TIP
You don’t need to have a computer with multiple processors to perform
this lab.
In the Device Manager dialog box, click the + next to Computer.
(This is usually the first or second device type listed under the
computer’s name.)
14. Notice the name of the device listed under Computer, and write it
down for future use. (It may be called Standard PC, ACPI Uniprocessor
PC, MPS Uniprocessor PC, or a brand-specific name.) Right-click this
device and select Properties from the menu that appears.
15. In the device’s Properties dialog box, click the Driver tab.
16. On the Driver tab, click Update Driver.
17. The Upgrade Device Driver Wizard starts. Click Next.
18. Select the “Display a list of the known drivers for this device so that I
can choose a specific driver” option. Click Next.
19. On the Select a Device Driver screen, select the “Show all hardware
of this device class” option. Accept the default manufacturer of your
PC highlighted in the Manufacturers box. Ensure that the model
highlighted in the Models box matches the name you wrote down
in Step 14.

TIP
Normally you would select one of the multiprocessor models to configure
support for multiple processing units. However, I’m assuming that you
don’t have a multiprocessor computer, but still want to experience the
basic steps in the process.

Click Next.
20. In the Start Device Driver Installation screen, click Next to install the
device driver you selected.
21. In the Completing the Upgrade Device Driver Wizard screen, click
Finish.
22. Click Close in your computer’s Properties dialog box.
23. Click Yes when Windows 2000 prompts you to restart your computer.
24. In the next several steps you configure card services on a mobile
computer. The rest of the steps in this section are optional because they
require that you have a laptop computer.
Boot your computer to Windows 2000 Professional. Log on as
Administrator.
25. Start Control Panel if it is not displayed on your desktop. (From the
desktop, select Start ➪ Settings ➪ Control Panel.)
26. In the Control Panel dialog box, double-click System.
27. In the System Properties dialog box, click the Hardware tab.
28. On the Hardware tab, click Device Manager.
29. In the Device Manager dialog box, click the + next to PCMCIA
adapters. Right-click any device listed under this heading, and select
Properties from the menu that appears.
30. In the PCMCIA adapter’s Properties dialog box, view the
information displayed on the General tab, including the device type and
device status. Click the Resources tab.
31. On the Resources tab, notice the resource settings used by the
PCMCIA adapter in your computer.
If conflicts are listed in the “Conflicting device list” box, highlight the
conflicting resource (in the “Resource settings” box) and click
Change Setting. Configure a nonconflicting setting and click OK.
Windows 2000 may not permit you to change the resource settings
used by this device — if this is the case, and if the PCMCIA adapter
conflicts with another device, you’ll probably have to change the
resource settings for the other device to resolve the conflicts.
Click OK.
32. Close Device Manager.
33. In the System Properties dialog box, click OK.
34. If you made configuration changes to your PCMCIA adapter,
Windows 2000 will prompt you to restart your computer now.

Part 3: Creating and Managing Hardware Profiles


In this section, you use the System application to create and configure a
hardware profile.
1. Boot your computer to Windows 2000 Professional. Log on as
Administrator.
2. Start Control Panel. (From the desktop, select Start ➪ Settings ➪ Control
Panel.)
3. In the Control Panel dialog box, double-click System.
4. In the System Properties dialog box, click the Hardware tab.
5. On the Hardware tab, click Hardware Profiles.
6. In the Hardware Profiles dialog box, highlight Profile 1 (Current), and
click Copy.
7. In the Copy Profile dialog box, type Undocked over the default
name in the To text box. Click OK.
8. In the Hardware Profiles dialog box, highlight Profile 1 (Current), and
click Rename.
9. Type Docked over the default name in the To text box. Click OK.
10. In the Hardware Profiles dialog box, highlight Undocked, and click
Properties.
11. In the Undocked Properties dialog box, select the check box next to
“This is a portable computer.” Then select “The computer is
undocked” option. Click OK.
12. In the Hardware Profiles dialog box, click OK.
13. In the System Properties dialog box, click OK.
14. Select Start ➪ Shut Down. In the Shut Down Windows dialog box,
select Restart, and click OK.
15. When your computer reboots, notice that you are given an option to
select from your Docked or Undocked hardware profile. Windows
2000 will use the Docked profile, by default, unless you select the
Undocked profile during the boot process.

Lab 5-3 Exploring Control Panel

Exam material: Professional, Server

The objective of this lab is to give you hands-on experience using several
Control Panel applications.
This lab has eight parts:
■ Part 1: Configuring Accessibility Services
■ Part 2: Configuring Fax Support
■ Part 3: Configuring and Managing the Task Scheduler
■ Part 4: Managing the Use and Synchronization of Offline Files
■ Part 5: Configuring Local Settings and Support for Multiple
Languages and Locations
■ Part 6: Configuring Desktop Settings and Multiple-Display
Support
■ Part 7: Configuring Advanced Power Management
■ Part 8: Using Miscellaneous Control Panel Applications
The steps that follow take you through these tasks on a Windows 2000
Professional computer. The steps are identical on a Windows 2000 Server
computer, except for Part 7, which can’t be performed because Windows
2000 Server doesn’t support APM.

Part 1: Configuring Accessibility Services


In this part you use the Accessibility Options application to configure
accessibility services.
1. Boot your computer to Windows 2000 Professional. Log on as
Administrator.
2. Select Start ➪ Settings ➪ Control Panel.
3. Double-click Accessibility Options.
4. On the Keyboard tab, select the check box next to Use StickyKeys.
Click the Sound tab.
5. On the Sound tab, view the possible configuration options. Click the
Display tab.
6. On the Display tab, notice the high contrast option. Click the Mouse tab.
7. On the Mouse tab, notice that you can configure the computer to use
MouseKeys. Click the General tab.
8. On the General tab, select the check boxes next to “Apply all settings
to logon desktop” and “Apply all settings to defaults for new users.”
Click OK.

Part 2: Configuring Fax Support


In this part you use the fax application to configure personal information
for a fax cover page and enable your fax modem to receive faxes. This
section is optional because a fax modem must be installed in the computer in order to
perform this task.
1. In the Control Panel dialog box, double-click Fax.
2. In the Fax Properties dialog box, complete the information on the
User Information tab. Click the Advanced Options tab.
3. On the Advanced Options tab, click Open Fax Service Management
Console.
4. In the Fax Service Management dialog box, click Devices in the left
pane. In the right pane, right-click the fax modem device listed, and
select Receive from the menu that appears. This enables your fax
modem to receive faxes. (It is configured only to send faxes by default.)
After a few seconds, notice that the Receive status changes from No
to Yes. Close Fax Service Management.
5. In the Fax Properties dialog box, click OK.

Part 3: Configuring and Managing the Task Scheduler


In Part 3 you use the Scheduled Tasks tool to schedule the Disk Cleanup
application to run once a week.
1. Start the Scheduled Tasks tool. (In Control Panel, double-click
Scheduled Tasks.)
2. In the Scheduled Tasks folder, double-click the Add Scheduled
Task icon.
3. The Scheduled Task Wizard starts. Click Next.
4. In the list of applications, click Disk Cleanup. Click Next.
5. Accept the default name for this task. Select the Weekly option.
Click Next.
6. In the next screen, configure the start time and day of the week that
you want to run this task. Click Next.
7. Enter the password for Administrator in the “Enter the password”
text box. Retype the password in the “Confirm password” text box.
Click Next.
8. Click Finish.
9. Notice that the task is displayed in the Scheduled Tasks dialog box.
Close Scheduled Tasks.

Part 4: Managing the Use and Synchronization of Offline Files

In Part 4 you use Windows Explorer to select a file for offline use and
configure synchronization settings. This section is optional because it requires that
your computer be connected to a network server.
1. From the desktop, start Windows Explorer. (Select Start ➪ Programs ➪
Accessories ➪ Windows Explorer.)
2. In Windows Explorer, select Tools ➪ Map Network Drive.
3. In the Map Network Drive dialog box, accept the default drive letter
listed in the Drive text box. Then, in the Folder text box, type the
name of your network server and the name of any shared folder on
this server in the format \\server_name\share_name and click
Finish.
4. Windows Explorer connects your computer to the shared folder, and
displays the contents of that folder. Right-click any file in this folder
that you want to make available for offline use, and select Make
Available Offline from the menu that appears.
5. If this is the first time you have configured offline files, Windows
2000 starts the Offline Files Wizard. Click Next.
6. Select the check box next to “Automatically synchronize the Offline
Files when I log on and log off my computer.” Click Next.
7. On the next screen, click Finish. Windows 2000 copies the selected
offline file from the network server to the Offline Files folder on
your computer.
8. Close the shared folder. Close Windows Explorer.

Part 5: Configuring Local Settings and Support for Multiple Languages and Locations

In this part you use the Regional Options application to configure local
settings, and to configure support for multiple languages and multiple locations.
1. Select Start ➪ Settings ➪ Control Panel.
2. Double-click Regional Options.
3. In the Regional Options dialog box, select the check box next to
Japanese in the “Language settings for the system” box. Click OK.
4. When prompted, insert your Windows 2000 Professional compact
disc into your computer’s CD-ROM drive, and then click OK.
5. When prompted, click Yes to restart your computer. Remove the
compact disc from your computer’s CD-ROM drive.
6. Reboot your computer to Windows 2000 Professional. Log on as
Administrator.
7. In the Control Panel dialog box, double-click Regional Options.
8. In the Regional Options dialog box, click the Numbers tab. Note the
local settings for numbers for the English (United States) locale,
including the measurement system.
Click the Currency tab. Note the local settings for currency for the
English (United States) locale.
Click the Time tab. Note the local settings for time for the English
(United States) locale.
Click the Date tab. Note the local settings, and make any desired
changes. Click the Input Locales tab.
9. On the Input Locales tab, click Add.
10. In the Add Input Locale dialog box, select Japanese from the “Input
locale” drop-down list box. Accept the default keyboard layout.
Click OK.
11. On the Input Locales tab, click OK. Notice that an additional icon
(the letters EN in a blue box) appears in your taskbar next to the
clock. This icon indicates that your current input locale is English
(United States).

Part 6: Configuring Desktop Settings and Multiple-Display Support

In Part 6 you use the Display application to configure desktop settings and
display properties. You also use the Display Troubleshooter and configure
multiple-display support. The last portion of Part 6 (Steps 9 through 11) is
optional because it requires multiple display adapters and multiple monitors.
1. In the Control Panel dialog box, double-click Display.
2. In the Display properties dialog box, notice the backgrounds you can
select from on the Background tab. Click the Screen Saver tab.
3. On the Screen Saver tab, select any screen saver from the Screen Saver
drop-down list box. Select the check box next to “Password pro-
tected.” Click the Appearance tab.

4. On the Appearance tab, try out several schemes (by selecting them,
one at a time) in the Scheme drop-down list box until you find one
you like. Click the Web tab.
5. On the Web tab, notice that you can enable Web content on your
Active Desktop. Click the Effects tab.
6. On the Effects tab, notice the many visual effects you can configure.
Click the Settings tab.
7. On the Settings tab, notice that you can set the number of colors used
and the screen area. Click Troubleshoot.
8. The Display Troubleshooter starts. Notice that this is a special
Troubleshooter just for display problems. Close Windows 2000 Help.
If you don’t have multiple display devices, click OK and stop here.
If you have multiple video adapters and multiple monitors, continue
on to Step 9.
9. If you have multiple video adapters and multiple monitors, your
Settings tab should be similar to Figure 5-77.

FIGURE 5-77 Configuring multiple display support



Click the icon representing your second monitor and select the check
box next to “Extend my Windows desktop onto this monitor.” Then
configure the monitor icons to match the physical arrangement of
your monitors. For example, if you have two monitors, stacked one
on top of the other, you can click and drag one monitor under the
other, so that the picture on the screen coincides with the actual
physical arrangement. Click OK.
10. If you’ve changed any display settings, Windows 2000 prompts you to
apply the new settings. Click OK.
11. In the Monitor Settings dialog box, click Yes to keep your new set-
tings. Click No if you want to revert to your original settings.

Part 7: Configuring Advanced Power Management


In this part you use the Power Options application to configure Advanced
Power Management on a laptop computer. Part 7 is optional because it
requires a computer that supports Advanced Power Management. Many laptops
support APM.
1. Start Control Panel if it is not already displayed on your desktop.
2. In the Control Panel dialog box, double-click Power Options.
3. In the Power Options Properties dialog box, click the APM tab.
4. On the APM tab, select the check box next to “Enable Advanced
Power Management support.” Click OK. A Found New Hardware
dialog box may appear while Windows 2000 detects your laptop
computer’s battery.
5. In the Control Panel dialog box, double-click Power Options.
6. In the Power Options Properties dialog box, notice that the tabs have
changed. Also notice that the Power Schemes tab now shows settings
for when the computer is plugged into AC power and when it is run-
ning on batteries. Click the Alarms tab.
7. On the Alarms tab, notice that both a low battery alarm and critical
battery alarm are enabled. Click the Alarm Action button for the crit-
ical battery alarm.
8. In the Critical Battery Alarm Actions dialog box, select the check box
next to “When the alarm goes off, the computer will,” and accept the
default option of Standby in the drop-down list box. Click OK.
9. On the Alarms tab, click OK.

Part 8: Using Miscellaneous Control Panel Applications


In this part you use several miscellaneous Control Panel applications, includ-
ing Keyboard, Mouse, Scanners and Cameras, Sounds and Multimedia, and
Wireless Link. You also explore the Troubleshooters available in each of these
applications.
1. Start Control Panel if it is not already displayed on your desktop.
Double-click Keyboard.
2. On the Speed tab, configure keyboard settings to meet your needs.
Click the Input Locales tab.
3. On the Input Locales tab, notice that this is the same tab as the Input
Locales tab you previously worked with in Regional Options. Click
the Hardware tab.
4. On the Hardware tab, click Troubleshoot.
5. The Keyboard Troubleshooter starts. This Troubleshooter is designed
specifically for diagnosing and resolving keyboard problems. Close
Windows 2000 Help.
6. In the Keyboard Properties dialog box, click OK.
7. In the Control Panel dialog box, double-click Mouse.
8. In the Mouse Properties dialog box, view the various configuration
options on the four tabs. Configure your mouse to meet your needs.
Click the Hardware tab.
9. On the Hardware tab, notice the Troubleshoot command button.
Clicking this button starts the Mouse Troubleshooter, a
Troubleshooter designed specifically for troubleshooting mouse prob-
lems. Click OK.
10. In the Control Panel dialog box, double-click Scanners and Cameras.
11. In the Scanners and Cameras Properties dialog box, notice that you
can add, remove, troubleshoot, and configure the properties of scan-
ners and cameras. If you click Troubleshoot, a Troubleshooter that is
designed specifically to identify and help you resolve problems with
scanners and cameras starts. Click OK.
12. In the Control Panel dialog box, double-click Sounds and Multimedia.
13. In the Sounds and Multimedia Properties dialog box, view the vari-
ous configuration options on the three tabs. Configure any sounds
and multimedia devices in your computer as appropriate. Notice the

Troubleshoot command button on the Hardware tab. As with other
Control Panel applications, clicking Troubleshoot starts a device-specific
Troubleshooter. Click OK.
14. If you have an infrared port in your computer, double-click Wireless
Link in the Control Panel dialog box.
15. In the Wireless Link dialog box, view the various configuration
options on the three tabs. Notice the Troubleshoot command button
on the Hardware tab. Clicking Troubleshoot starts the Hardware
Troubleshooter. Click OK.
16. Close Control Panel.

Answers to Chapter Questions


Chapter Pre-Test
1. Windows 2000 Control Panel is an exhaustive collection of applications,
sometimes called applets. These applications, which are automatically
installed during installation of Windows 2000, are used to
install, configure, or both install and configure various components,
applications, hardware, protocols, and services.
2. Add/Remove Hardware is used to add, remove, unplug, and trou-
bleshoot the hardware devices in your computer.
3. A device driver
4. Up to 10
5. Driver signing refers to system files, device drivers, or both that have
digital signatures. A digital signature is a special tag appended to a file
by its creator.
6. IrDA stands for the Infrared Data Association. This organization sets
standards for infrared/wireless devices.
7. There are several tools used to troubleshoot hardware devices on
Windows 2000 computers. Some of the most common tools include
the Windows 2000 Help Troubleshooters, Device Manager,
Add/Remove Hardware, and System Information.

Assessment Questions
1. D. Add/Remove Hardware is the only Windows 2000 application
that can be used to add/install an infrared device.
2. C. Regional Options is the only Windows 2000 application that can
be used to configure support for multiple languages.
3. A. The Imaging application (Start ➪ Programs ➪ Accessories ➪
Imaging) is the only Windows 2000 application that can be used to
initiate image transfer. You can use Wireless Link to configure how
Windows 2000 will handle received image files, but you can’t use
Wireless Link to initiate the image transfer.
4. A. The System application is used to configure and manage driver
signing.
5. C. Of the four features listed, all are supported on both Windows
2000 Professional and Windows 2000 Server computers except APM.
APM is only supported on Windows 2000 Professional computers.
6. A. The System application in Control Panel is used to make network
identification changes.
7. A. The System application is used to create, configure, and manage
hardware profiles.
8. C. Use Windows Explorer to configure a synchronization schedule
for offline files. (Select Tools ➪ Synchronize to start this process.) You
can also access the same synchronization tool by selecting Start ➪
Programs ➪ Accessories ➪ Synchronize.
9. A. The System application is used to create, configure, and manage
paging files.
10. A, B, D. All of the tools listed are commonly used to troubleshoot
hardware devices except Add/Remove Programs.

Scenarios
1. The most likely cause of this problem is that the check box next
to “Apply all settings to logon desktop” on the General tab in the
Accessibility Options application is not selected. Ensure that this
check box is selected, and click OK. The user should now be able
to log on to the computer.

2. There are a few things you can try to fix this problem. You can try
decreasing the monitor resolution on the Settings tab in the Display
application. Or, you can try selecting a different appearance scheme
such as Windows Classic (large) or Windows Standard (extra large)
on the Appearance tab in the Display application. Finally, you can try
selecting the check box next to “Use large icons” on the Effects tab in
the Display application.
3. The most likely cause of this problem is that the computer isn’t configured
to receive faxes. By default, Windows 2000 computers are
configured to send faxes, but must be manually configured to receive
faxes. Configure the device to receive faxes by using the Fax Service
Management Console on the user’s computer.
4. Ensure that the user’s laptop computer is configured to synchronize
offline files both when she logs on and logs off the computer. Instruct
the user to always log off before powering off the computer for the
night.
5. You may need to add command-line switches or options to the Run
text box in the task’s Properties dialog box. Or, you may need to mod-
ify or correct the existing path in this text box. Or, you may need to
configure the task to log on by using a different user account that has
the necessary rights and permissions to perform the task.
EXAM MATERIAL: Professional, Server

EXAM OBJECTIVES

Professional: Exam 70-210


■ Configure and manage file systems.
■ Convert from one file system to another file system.
■ Configure file systems by using NTFS, FAT32, or FAT.
■ Implement, manage, and troubleshoot disk devices.
■ Monitor and configure disks.
■ Monitor, configure, and troubleshoot volumes.

Server: Exam 70-215


■ Monitor, configure, and troubleshoot disks and volumes.
■ Recover from disk failures.
CHAPTER 6
Working with File Systems and Disks

In this chapter I’ll introduce you to the file systems supported by Windows
2000, including FAT, FAT32, and NTFS. I’ll also cover the basics of
configuring a Windows 2000 computer’s hard disks and volumes. In this
section I’ll explain about various types of disks, partitions, and volumes, and
then discuss how to use Disk Management to perform numerous disk
management tasks on a Windows 2000 computer. I’ll provide you with
detailed steps to create several volume types, including simple volumes,
spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes.
Next, I’ll explain how to use Disk Defragmenter to analyze and defragment
volumes, and how to use Logical Drives to view logical drive properties and
change a logical drive’s label. Then I’ll present some troubleshooting tips,
and finally, I’ll explain how to recover from disk failure when using a simple,
spanned, striped, mirrored, or RAID-5 volume.


328 Part II ▼ Installation and Configuration

Chapter Pre-Test
1. Unless you require your computer to dual boot between Windows
2000 and another operating system, what is usually the best file
system to use on a Windows 2000 computer?
2. Which is easier: converting from FAT (or FAT32) to NTFS, or
converting from NTFS to FAT (or FAT32)?
3. What is the difference between a basic disk and a dynamic disk?
4. What are the five different types of volumes that Windows 2000
supports?
5. What is the name of the Windows 2000 tool used to perform
most disk administration tasks?

Chapter 6 ▼ Working with File Systems and Disks 329

Working with File Systems


Before you attempt to configure a computer’s disks, it’s important that you
have a clear understanding of the different file systems that Windows 2000
supports. Windows 2000 supports five file systems: the file allocation table
(FAT) file system, the FAT32 file system, the Windows NT file system
(NTFS), the Compact Disc File System (CDFS), and the Universal Disk
Format (UDF). Table 6-1 shows which file systems are supported by
various operating systems.
TABLE 6-1 File System Support by Operating System

Operating System                         File Systems Supported
Windows 2000                             FAT, FAT32, NTFS, CDFS, UDF
Windows NT 4.0                           FAT, NTFS, CDFS, UDF
Windows NT 3.51 (and earlier versions)   FAT, NTFS, CDFS, HPFS
Windows 98                               FAT, FAT32, CDFS, UDF
Windows 95                               FAT (FAT32 on OSR2 only), CDFS, UDF
Windows 3.x and 3.1x                     FAT, CDFS
OS/2 1.x                                 FAT, CDFS, HPFS
MS-DOS                                   FAT, CDFS

In the following sections I’ll describe each of the file systems supported
by Windows 2000 in detail. I’ll also discuss the capabilities and limitations
of each of these file systems.

FAT
The file allocation table (FAT) file system used by Windows 2000 is a modified
version of the FAT file system used by MS-DOS. FAT (sometimes called
FAT16) is the only hard disk file system supported by Windows 95
(versions prior to OSR2), Windows 3.x, Windows 3.1x, and MS-DOS. So,
if you want to configure a Windows 2000 computer to dual boot between
Windows 2000 and Windows 95 (versions prior to OSR2), Windows 3.1x,
or MS-DOS, your computer’s first partition on the first hard disk must use
the FAT file system.

If you’re not sure whether you have an OSR2 version of Windows 95,
there’s an easy way to find out. From the Windows 95 desktop, select
Start ➪ Settings ➪ Control Panel. Then double-click the System application,
and examine the General tab, which lists specific information about the
system installed on your computer. If your system version is 4.00.950 or
4.00.950 a, then you have a version of Windows 95 that was released prior
to OSR2.
Now I’ll give a brief overview of the characteristics and features of the
FAT file system, including security, naming conventions, speed of access to
files, and volume size.

TIP
A volume is an area of disk space (often called a partition) on one or
more hard disks that has been formatted with a file system.

Security
The FAT file system does not support file and folder security in Windows
2000. Because file and folder security is not supported on a FAT volume,
any user who is logged on locally to a computer has full control of all of
the files and folders located in the FAT volume(s) on that computer. This
applies only to local access.
However, you can use share permissions to control users’ access to
shared folders over the network. Share permissions affect only the access of
files and folders over the network, not when someone is logged on locally.
So, if you need local file and folder security, you should use the NTFS file
system instead of the FAT file system.

Naming Conventions
The FAT file system, as used by Windows 2000, supports the use of long
filenames. Filenames can be up to 255 characters in length.

TIP
Windows 2000 supports extremely long filenames, but many applica-
tions don’t. Consider the length of filename supported by the applica-
tions you use when assigning filenames.

Filenames can contain any character except \ / : * ? " < > | and
may begin with any permitted character. Filenames can contain spaces and
multiple periods, and the characters after the last period are considered the
filename extension.

The FAT file system preserves uppercase and lowercase in filenames, but
filenames are not case sensitive. Because of this, I can request the file
ALAN.DOC by typing Alan.doc, ALAN.DOC, or alan.doc, and Windows
2000 always retrieves ALAN.DOC.

Speed of Access to Files


Access speed to files in a FAT volume is dependent on many factors, includ-
ing volume size, number of files in a folder, and fragmentation.
Windows 2000 accesses files in FAT volumes smaller than 512MB faster
than it accesses files in similar-sized FAT32 and NTFS volumes.
If the volume size is larger than 512MB, however, or when there is a
large number of files in a folder, Windows 2000 accesses files in FAT32
and NTFS volumes much faster than it accesses files in a FAT volume of
similar size.
Windows 2000 usually accesses files in a highly fragmented FAT volume
more slowly than it accesses files in an NTFS volume of similar size.

Volume Size
The maximum size of a FAT volume on all operating systems except
Windows 2000 and Windows NT is 2GB. Both Windows 2000 and Win-
dows NT support FAT volumes up to 4GB. This is possible because
Windows 2000 and Windows NT support a larger cluster size (up to 64K)
than do other operating systems.

CAUTION
I recommend against dual booting between Windows 2000 (or
Windows NT) and another operating system when using a FAT volume
larger than 2GB. It’s possible to lose some or all of the files on your FAT
volume if you dual boot on a computer with this configuration.

The maximum size of a file in a FAT volume is 4GB.The FAT file system,
as used by Windows 2000, does not support file compression.

TIP
Windows 2000 does not support the file compression utilities contained
in Windows 98, Windows 95, and MS-DOS. If you compress files by
using these utilities, Windows 2000 won’t be able to access these files.

FAT32
The FAT32 file system used by Windows 2000 is the same as the FAT32 file
system that was released with Windows 95 OSR2 and Windows 98. The
FAT32 file system is only supported by Windows 2000, Windows 98, and
Windows 95 OSR2.
If you want to dual boot between Windows 2000 and Windows 98 (or
Windows 95 OSR2), you can use either the FAT32 or FAT file system on
your computer’s first volume.
In the sections that follow I’ll cover the specific characteristics of the
FAT32 file system, including security, naming conventions, speed of access
to files, and volume size.

Security
Like the FAT file system, the FAT32 file system does not support file and
folder security in Windows 2000. Because file and folder security is not
supported on a FAT32 volume, any user who is logged on locally to a
computer has full control of all of the files and folders located in the
FAT32 volume(s) on that computer.This applies only to local access.
However, you can use share permissions to control users’ access to
shared folders over the network. Share permissions affect only the access of
files and folders over the network, not when someone is logged on locally.
So, if you need local file and folder security, you should use the NTFS file
system instead of the FAT32 or FAT file systems.

Naming Conventions
The naming conventions supported by the FAT32 file system are identical
to those supported by the FAT file system:
■ Filenames can be up to 255 characters in length.
■ Filenames can contain any character except \ / : * ? " < > |
and may begin with any permitted character. Filenames can contain
spaces and multiple periods.
■ The FAT32 file system preserves uppercase and lowercase in file-
names, but filenames are not case sensitive.

Speed of Access to Files


Access speed to files in a FAT32 volume is dependent primarily on volume
size and fragmentation.
Windows 2000 accesses files in FAT32 volumes larger than 512MB
faster than it accesses files in similar-sized FAT volumes, but slower than it
accesses files in similar-sized NTFS volumes.
Windows 2000 usually accesses files in a highly fragmented FAT32 volume
more slowly than it accesses files in an NTFS volume of similar size.

Volume Size
Although the maximum size of a FAT32 volume on Windows 98
and Windows 95 OSR2 is 2 terabytes (TB), the disk management utilities
contained in Windows 2000 only enable you to create and format a FAT32
volume up to 32GB. Windows 2000 does support FAT32 volumes larger
than 32GB that are created by other operating systems.
The maximum size of a file in a FAT32 volume is 32GB. Like the FAT
file system, FAT32 does not support file compression.

NTFS
The Windows NT file system (NTFS) is the most powerful file system
supported by Windows 2000. Only Windows 2000 and Windows NT
support NTFS — no other Microsoft operating systems currently support
this file system.
Windows 2000 NTFS is a newer version than Windows NT NTFS, and
supports several features not supported by Windows NT NTFS. Because of
this, if you want to dual boot between Windows 2000 and Windows NT,
you must have Windows NT 4.0 with Service Pack 4 or later installed.
When it comes to security, naming conventions, speed of access to files,
and volume size, NTFS in Windows 2000 has its own unique characteristics.
Additionally, NTFS has some features not supported by the FAT or FAT32
file systems.

Security
NTFS provides file and folder security for both local and remote users on
a network. NTFS is the only file system discussed here that permits the
assigning of permissions to individual files and folders.

So how does NTFS security actually work? NTFS security controls
access to files on an NTFS volume by utilizing the user’s security identifier
(SID) to determine which files that user can access. Each file and folder on
an NTFS volume has an access control list (ACL) associated with it. The
ACL is a list that contains user and group SIDs, with the associated privileges
of each user and group.
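As an added illustration (not code from the book), here is a simplified Python model of the access check just described: a token holding the user’s SID and group SIDs is evaluated against an ordered ACL, and an object with no ACL stands in for a FAT or FAT32 volume, where any locally logged-on user has full control. The SIDs, rights bits and ACL entries are constructed placeholders; real NTFS access masks and ACE types are richer, but the ordering rule is the real one: an explicit deny that matches the token stops the check before later allow entries are considered.

```python
"""Toy model of NTFS-style access checks versus FAT (no per-file security).

Constructed example, not Windows code. SIDs, rights bits and ACL entries
are invented placeholders chosen to look like real ones.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Rights bits (constructed; the real NTFS access mask has many more).
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4
FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    sid: str       # user or group SID this entry applies to
    rights: int    # rights mask granted or denied


@dataclass
class Token:
    """What the system knows about the logged-on user: own SID plus groups."""
    user_sid: str
    group_sids: FrozenSet[str] = frozenset()

    def sids(self) -> FrozenSet[str]:
        return self.group_sids | {self.user_sid}


@dataclass
class FsObject:
    name: str
    acl: Optional[List[Ace]] = None   # None models a FAT/FAT32 file: no ACL


def access_check(obj: FsObject, token: Token, requested: int) -> bool:
    """Return True if the token holds every requested right on obj."""
    if obj.acl is None:
        # FAT/FAT32: no file or folder security; local users get full control.
        return True
    granted = 0
    for ace in obj.acl:                 # ACEs are evaluated in list order
        if ace.sid not in token.sids():
            continue                    # entry is about someone else
        if ace.kind == "deny" and ace.rights & requested:
            return False                # first matching deny wins outright
        if ace.kind == "allow":
            granted |= ace.rights
            if (granted & requested) == requested:
                return True             # every requested bit is now covered
    return False                        # nothing covers the request: implicit deny


# Constructed sample principals and objects (placeholder SIDs).
ADMIN = Token("S-1-5-21-EXAMPLE-500", frozenset({"S-1-5-32-544"}))
ALICE = Token("S-1-5-21-EXAMPLE-1001", frozenset({"S-1-5-21-EXAMPLE-513"}))
BOB = Token("S-1-5-21-EXAMPLE-1002", frozenset({"S-1-5-21-EXAMPLE-513"}))

PAYROLL = FsObject("D:\\Payroll\\salaries.xls", acl=[
    Ace("deny", "S-1-5-21-EXAMPLE-1002", FULL),    # Bob explicitly denied
    Ace("allow", "S-1-5-32-544", FULL),            # Administrators group
    Ace("allow", "S-1-5-21-EXAMPLE-513", READ),    # Domain Users: read only
])
FAT_FILE = FsObject("E:\\Shared\\notes.txt", acl=None)


def demo() -> dict:
    """Run the sample checks; used by the stand-alone run and the tests."""
    return {
        "alice_read": access_check(PAYROLL, ALICE, READ),      # True
        "alice_write": access_check(PAYROLL, ALICE, WRITE),    # False
        "bob_read": access_check(PAYROLL, BOB, READ),          # False (deny)
        "admin_full": access_check(PAYROLL, ADMIN, FULL),      # True
        "bob_fat_write": access_check(FAT_FILE, BOB, FULL),    # True (no ACL)
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'granted' if result else 'denied'}")
```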

CROSS-REFERENCE
NTFS and share security are covered in depth in Chapter 11.

NTFS supports the Encrypting File System (EFS). EFS enables you to
store files on an NTFS partition in an encrypted format so that even if an
unauthorized user removes a hard drive from your computer, that user will
be unable to access the sensitive data contained in the encrypted file.
In addition to the security provided by NTFS, remember that because
Windows 2000 requires a user to log on before accessing files, Windows
2000’s security is greater than operating systems that don’t require the user
to log on.

Naming Conventions
Like the FAT and FAT32 file systems, NTFS supports the use of long
filenames. Filenames can be up to 255 characters in length.
Filenames can contain any character except \ / : * ? “ < > | and
may begin with any permitted character. Filenames can contain spaces and
multiple periods, and the characters after the last period are considered the
filename extension.
NTFS preserves uppercase and lowercase in filenames. Filenames are not
case sensitive (except when used by a POSIX application). For example, a
Win32 application does not distinguish between Money.DOC, MONEY.DOC,
and money.doc — it treats all three names as though they were the
same file.
The POSIX subsystem, however, is case sensitive with respect to
filenames, because it does not translate a request for a file into all uppercase
letters as the Win32 and other subsystems do. A POSIX application treats
the filenames in the previous paragraph as though they were three separate
files: Money.DOC, MONEY.DOC, and money.doc. You must use a POSIX
application if you want to access these three different files — if you attempt

to access Money.DOC with a Win32 application (no matter how you type
the file name), you will always retrieve the MONEY.DOC file because the
Win32 Subsystem translates file requests into all uppercase letters.

Speed of Access to Files


NTFS usually provides faster access than the FAT or FAT32 file systems to
files stored on a large volume that contains many files. NTFS is able to access
files in this situation faster than the FAT or FAT32 file systems because
NTFS uses an enhanced binary tree to locate files. A binary tree search is a
faster mechanism for searching through a large number of filenames than the
sequential read mechanism used on FAT and FAT32 volumes.

Volume Size
The maximum theoretical size of an NTFS volume is 16 exabytes (an
exabyte is one billion billion bytes, or a giga-gigabyte). However, when you
actually implement NTFS on current standard industry hardware, there is a
functional limitation of 2TB.
The maximum size of a file in an NTFS volume is limited only by the
amount of free space in the NTFS volume.

Additional Features Not Supported by FAT or FAT32


NTFS has several other unique attributes and features that are not found
in, nor supported by, the FAT or FAT32 file systems.
■ NTFS supports a compression attribute for each file.You can
choose which files to compress and which ones to leave uncom-
pressed.The compression algorithm NTFS uses is similar to the
one used by Drivespace in MS-DOS. Using compression provides
an approximately 40 to 50 percent increase in hard disk space.

TIP
Compression can cause some performance degradation on volumes
with substantial write activity. Additionally, accessing uncompressed files
is faster than accessing compressed files.

■ NTFS is a highly reliable, recoverable file system. It is not necessary
to periodically run Chkdsk.exe on an NTFS volume.

■ Using NTFS greatly reduces fragmentation on volumes.
However, files can still become fragmented when their size
is increased. Windows 2000 (unlike Windows NT) includes a
defragmentation utility which can be used to defragment FAT,
FAT32, and NTFS volumes.
■ NTFS maintains a recycle bin for each user.
■ NTFS enables you to mount a volume on a folder in a different
volume.The term mounting a volume refers to a disk management
technique sometimes used to access space on more than one hard
disk (or volume) but still retain and use a single drive letter.The
result of this feature is that a folder’s contents are physically stored
on a different hard disk (or volume), but this folder and its contents
appear to users to be located in the current volume.This feature
produces results similar to those produced by executing the mount
command on a UNIX computer.
■ NTFS supports the Encrypting File System (EFS).
■ NTFS supports disk quotas. Disk quotas is a volume management
tool that is enabled on a volume-by-volume basis. Once enabled,
disk quotas automatically track disk space usage on a user-by-user
basis, and prevent individual users from exceeding the disk space
limitations that they have been assigned by administrators.
The first four features in the preceding list are supported by both
Windows 2000 NTFS and Windows NT NTFS.The last three features are
new features that are supported only by Windows 2000 NTFS.
A couple of final tidbits about NTFS:
■ You can’t use NTFS to format floppy disks.
■ You can change media in a removable media device (such as a Zip
drive) that has been formatted with NTFS without rebooting the
computer. (This feature was not supported by Windows NT.)

Which File System Should I Use?


Because of its speed, security, and recoverability, I recommend the use of
NTFS on all volumes except for floppy disks, and volumes that are used to
dual boot between Windows 2000 and another operating system.

If you require dual boot, and the other operating system supports
FAT32, then I recommend FAT32 over FAT because of FAT32’s speed and
support of larger volume sizes.

CDFS
The Compact Disc File System (CDFS) supports access to compact discs.
It is not used on a computer’s hard disks — this file system is used only
on CD-ROM devices that read and/or write compact discs. Because
of the prevalence of CD-ROM devices, CDFS is supported by most
operating systems.

UDF
The Universal Disk Format (UDF) is a file system used to access read-only
digital video discs (DVDs). Like CDFS, this file system is not used on a
computer’s hard disks — this file system is used only on DVD-ROM devices.

HPFS
Windows 2000 does not support the high performance file system
(HPFS), although some of the earliest versions of Windows NT did. If you
want to upgrade to Windows 2000 from an early version of Windows NT
that used HPFS, you must convert your HPFS volume to NTFS before
performing the upgrade.

Converting from FAT or FAT32 to NTFS


In Windows 2000 you can format a new volume with either FAT, FAT32,
or NTFS. But what do you do when you want to change the file system
on an existing volume? You can change an existing FAT or FAT32 volume
into an NTFS volume by using Convert.exe. This is a fairly simple
procedure. When you use Convert.exe all data on the existing volume
is retained.
However, it is a one-way process — there is no way to convert an NTFS
volume into a FAT or FAT32 volume without first backing up, reformatting
the volume, and restoring the data.

To convert a FAT or FAT32 volume into an NTFS volume, use the
Convert.exe command at a command prompt. To start a command
prompt, select Start ➪ Programs ➪ Accessories ➪ Command Prompt. The
syntax for the Convert.exe command is:
CONVERT volume /FS:NTFS [/V]

The following is an explanation of this syntax:
■ Volume This specifies the drive letter (followed by a colon) or
mount point to convert to NTFS.
■ /FS:NTFS This indicates that the file system should be converted
to NTFS. This is an outdated switch, because NTFS is the only file
system that you can use Convert.exe to switch to in Windows
2000; but its use, in terms of command syntax, is still required.
■ /V This optional switch specifies that Convert.exe will run in
verbose mode. Running a command in verbose mode will display the
maximum amount of information and detail to the user.
Let me illustrate the use of this command with a couple of examples:
1. To convert drive D: from FAT to NTFS, use the following command:
CONVERT D: /FS:NTFS
2. To convert a mount point named C:\Data from FAT32 to NTFS,
using the optional verbose mode, use the following command:
CONVERT C:\Data /FS:NTFS /V

TIP
Command syntax typed at the command prompt is not case sensitive —
meaning that you can type the command in either uppercase or lower-
case. The exceptions to this rule are POSIX commands typed at the
command prompt. All POSIX commands are case sensitive.

To successfully use the Convert.exe command, Convert.exe must
be the only application that accesses the drive or mount point you want to
change during the conversion process. If Windows Explorer accesses the
drive or mount point you are trying to convert, if you are trying to convert
the boot partition, or if your active command prompt has the drive you are
trying to convert as its current drive, Windows 2000 will display an error
message stating that Convert.exe cannot gain exclusive access to the
drive or mount point, and asks if you want to schedule it to be converted
the next time the system restarts.
If you try to execute the Convert.exe command, but can’t gain exclusive
access to a drive or mount point, type Y when asked if you want to
schedule it to be converted the next time the system restarts. Windows 2000
will convert the file system when you restart your computer.

Understanding Disks and Volumes


This section is all about working with disks on a Windows 2000 computer.
I’ll introduce Disk Management, the Windows 2000 tool used to create,
format, and manage volumes, and explain how to perform numerous disk
management tasks. I’ll also introduce Disk Defragmenter and Logical Drives,
two additional tools used on disks and volumes. Finally, I’ll cover some disk
and volume troubleshooting topics, and also talk about recovering from a
single or multiple disk failure on your system.
But before I get to the nitty gritty of how to perform specific disk
management tasks, there’s a lot of Windows 2000 disk terminology I need
to cover. Once you master this terminology, using Disk Management will
be much easier.
So, allow me to introduce you to the Windows 2000 disk types, partition
types, and volume types.

Disk Types
Windows 2000 uses two primary terms to refer to the hard disks in a
computer: basic disks and dynamic disks. I’ll define and discuss each of these
terms in the next sections.
Windows 2000 also supports removable media devices, such as Zip drives
and tape drives. I’ll also briefly examine these types of storage devices.

Basic Disks
Basic disks is a fancy Windows 2000 term that refers to hard disks that use
industry-standard partitioning and formatting, and contain primary and/or
extended partitions. Prior to Windows 2000, all Microsoft operating systems
used basic disks — there wasn’t any other kind.

340 Part II ▼ Installation and Configuration

CARING FOR YOUR HARD DISKS

Let’s face it — hard disks can be a large investment, and like the other assets your
company owns, they need to be secured and properly maintained. And I’m sure I
don’t have to tell you that even more important than the disks themselves is the
data they contain.

With these thoughts in mind, here are a few personal recommendations to help
ensure that your hard disks don’t fail prematurely:

Treat hard disks carefully. I’ve been told that baggage handlers for some airline
carriers interpret the word “Fragile” to mean that the box or bag shouldn’t be
dropped from higher than ten feet. But I’m really talking about kinder and gentler
treatment than that when it comes to hard disks.

Observe proper techniques when installing and removing hard disks from the
computer. Ensure that you’re grounded and working in a static-free environment. I
like to use static mats and wrist straps to provide the necessary static protection.

Protect hard disks from excessive heat. In my experience, a hard disk’s number one
enemy is excessive heat. Many times small companies put their servers in an
unventilated closet, or don’t have adequate cooling fans for the number of disks
installed in a computer. These oversights often lead to premature disk failure.

I recommend that servers be placed in ventilated, climate-controlled rooms. Ensure
that the climate-control for this room is not turned off during nonbusiness hours,
such as over a long holiday weekend. I once lost hard disks on multiple servers
because the building my company was located in decided to save money by
turning off the air conditioning over a three-day weekend. Needless to say, I wasn’t
a very happy camper on Tuesday morning. Shortly thereafter my company installed
a new air conditioning unit just for our computer room.

Windows 2000 partitions and formats the first hard disk in your
computer (the disk that Windows 2000 is installed on) as a basic disk
during the installation process. If you have multiple hard disks in your
computer, Windows 2000 prompts you to upgrade these additional disks
to dynamic disks the first time you run Disk Management.
There are some limitations to using basic disks. A basic disk can contain
a maximum of four partitions in total: up to four primary partitions, or up
to three primary partitions plus one extended partition. A basic disk can
never contain more than one extended partition.
If your Windows 2000 computer is configured to dual boot between
Windows 2000 and any other operating system, you should configure all
hard disks that will be accessed by the other operating system as basic disks,
because no other operating system supports dynamic disks. Only Windows
2000 can read dynamic disks.
Disk Management is the Windows 2000 tool that is used to configure
basic disks. Detailed steps to perform disk configuration tasks are included
later in this chapter in the “Using Disk Management” section.

Dynamic Disks
Dynamic disks is a Windows 2000 term that refers to hard disks that contain
Windows 2000 dynamic volumes. Dynamic volumes are volumes that do not
use primary partitions, extended partitions, or logical drives. These
dynamic volumes are manually created by using Disk Management.
Dynamic disks overcome the partition limitations inherent in basic
disks. Dynamic disks can support an unlimited number of volumes, versus
the four-partition maximum of basic disks.
In Windows 2000, you must use dynamic disks to create any volume
that extends across more than one hard disk, such as spanned volumes,
striped volumes, mirrored volumes, and RAID-5 volumes. (I’ll define and
discuss each of these different kinds of volumes later in this chapter in the
“Volume Types” section.) Windows 2000 will support the Windows NT
versions of these types of volumes on basic disks if they were created by
Windows NT, but in Windows 2000 you can only create these volume
types on dynamic disks.
Because dynamic disks do not contain industry-standard primary or
extended partitions, no other operating system supports or can access
dynamic disks. Only Windows 2000 supports dynamic disks. For this
reason, if your Windows 2000 computer is configured to dual boot
between Windows 2000 and any other operating system, you should
configure all hard disks that will be accessed by the other operating system
as basic disks, not dynamic disks.
Windows 2000 does not officially support dynamic disks on laptop
computers. Microsoft intended the option to upgrade to a dynamic disk to
be grayed out on laptop computers, but on some laptops the option is
available and the upgrade succeeds; don’t rely on it.

Removable Media
Windows 2000 supports various removable media devices. Removable
devices include CD-ROM drives, tape drives, Zip drives, DVD drives, and
so on.
As an adjunct to supporting removable media devices, Windows 2000
includes the Remote Storage service. This service, when installed and
configured on a Windows 2000 computer, enables you to migrate infrequently
accessed data from your computer’s hard disks to removable media.
Windows 2000 permits you to change media in a removable media device
(such as a Zip drive) that has been formatted with NTFS without rebooting
the computer. This feature was not supported by Windows NT.

Partition Types
Windows 2000 supports two types of partitions on basic disks: primary and
extended. Both types of partitions can coexist on the same hard disk. A
basic disk can have a maximum of four partitions: up to four primary
partitions, or up to three primary partitions plus one extended partition.
It can never have more than one extended partition.

TIP
In Windows 2000, primary and extended partitions can only be created
on basic disks — they cannot be created on dynamic disks.

The next sections discuss primary and extended partitions in detail.

Primary Partitions
A primary partition is a partition on a basic disk that can be configured as the
active partition. The active partition is the partition that contains the files
necessary to load the operating system. When the computer boots, it
attempts to load the operating system from the active primary partition on
the first hard disk in the computer.Any primary partition on the first hard
disk in the computer can be designated as the active partition. In Windows
2000 terminology, the active partition is also called the system partition.
A primary partition can occupy all of the space on a disk, or any portion
of it.A basic disk can have up to four primary partitions.A primary partition
can be formatted as a single logical drive (but not as multiple logical drives).
For detailed instructions on creating a primary partition, see the
“Creating and Formatting Partitions” section later in this chapter.

Extended Partitions
An extended partition is a partition on a basic disk that can be subdivided
into one or more logical drives. A logical drive is a volume that is created
4701-1 ch06.f.qc 4/24/00 09:14 Page 343

Chapter 6 ▼ Working with File Systems and Disks 343

from some or all of the space in an extended partition, and that is assigned
a drive letter.
Logical drives can be formatted with FAT, FAT32, or NTFS.You can
have one logical drive formatted with FAT or FAT32, and another logical
drive in the same extended partition formatted with NTFS.
There can be only one extended partition on a disk.An extended partition
can’t be marked active.
For detailed instructions on creating an extended partition, see the
“Creating and Formatting Partitions” section later in this chapter.
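The partition rules described in the Basic Disks and Partition Types sections
(four slots, at most one extended partition, a single active primary) are simply
the layout of the 64-byte partition table in the first sector of a basic disk. The
following Python script is added here as an illustration and is not code from the
book or from Windows 2000: it builds a constructed sample MBR, decodes the four
entries, and checks those rules. The partition type codes it uses (0x07 NTFS,
0x0B/0x0C FAT32, 0x05/0x0F extended, 0x42 for the marker Windows 2000 places on a
dynamic disk) are standard values assumed from outside the text, and the sample
sizes and starting sectors are made up.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446            # the 64-byte partition table follows the bootstrap code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of every valid MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

# Standard partition type codes (assumed from outside the text, which names only the file systems).
PARTITION_TYPES = {
    0x00: "empty",
    0x01: "FAT12",
    0x04: "FAT16 (small)",
    0x05: "extended (CHS)",
    0x06: "FAT16",
    0x07: "NTFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)",
    0x0F: "extended (LBA)",
    0x42: "Windows 2000 dynamic disk (LDM)",
}
EXTENDED_TYPES = {0x05, 0x0F}
LDM_TYPE = 0x42


def build_entry(active, ptype, lba_start, sectors):
    """Pack one 16-byte table entry; CHS fields are left zero, as LBA-aware tools do."""
    status = 0x80 if active else 0x00
    return struct.pack(ENTRY_FMT, status, b"\0" * 3, ptype, b"\0" * 3, lba_start, sectors)


def build_sample_mbr():
    """Constructed sample: active NTFS primary, FAT32 primary, one extended partition, one free slot.
    Sizes and start sectors are made up for the example."""
    table = (build_entry(True, 0x07, 63, 2_097_152)            # 1 GB NTFS, flagged active (system partition)
             + build_entry(False, 0x0B, 2_097_215, 1_048_576)  # 512 MB FAT32 primary
             + build_entry(False, 0x0F, 3_145_791, 4_194_304)  # 2 GB extended partition (holds logical drives)
             + build_entry(False, 0x00, 0, 0))                 # unused fourth slot
    return b"\0" * TABLE_OFFSET + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Decode the four partition slots of a 512-byte MBR into dicts."""
    if len(sector) != MBR_SIZE or sector[-2:] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: wrong length or missing 0x55AA signature")
    entries = []
    for slot in range(4):
        start = TABLE_OFFSET + slot * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[start:start + ENTRY_SIZE])
        entries.append({
            "slot": slot,
            "status": status,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "extended": ptype in EXTENDED_TYPES,
            "dynamic": ptype == LDM_TYPE,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * 512 // (1024 * 1024),
        })
    return entries


def check_basic_disk_rules(entries):
    """Return a list of rule violations (empty if the table is a sane basic-disk layout).
    The four-partition limit is structural: the table has only four slots."""
    problems = []
    used = [e for e in entries if e["type"] != 0x00]
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            problems.append("slot %d has an invalid status byte 0x%02X" % (e["slot"], e["status"]))
    if sum(1 for e in used if e["extended"]) > 1:
        problems.append("more than one extended partition")
    active = [e for e in used if e["active"]]
    if len(active) > 1:
        problems.append("more than one partition flagged active")
    for e in active:
        if e["extended"]:
            problems.append("extended partition in slot %d is flagged active" % e["slot"])
    if any(e["dynamic"] for e in used):
        problems.append("disk carries an LDM marker: it is a dynamic disk, not a basic disk")
    by_start = sorted(used, key=lambda e: e["lba_start"])
    for a, b in zip(by_start, by_start[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append("slots %d and %d overlap" % (a["slot"], b["slot"]))
    return problems


if __name__ == "__main__":
    entries = parse_mbr(build_sample_mbr())
    for e in entries:
        flag = "*" if e["active"] else " "
        print("%s slot %d  %-32s start=%-10d %6d MB" % (flag, e["slot"], e["type_name"], e["lba_start"], e["size_mb"]))
    print("violations:", check_basic_disk_rules(entries) or "none")
```

Feed parse_mbr the first 512 bytes of a disk image and compare the result with what
Disk Management shows for that disk. A second active flag, overlapping entries, or a
type code you did not expect is worth a closer look before you trust the disk.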

Volume Types
A volume is an area of disk space (often called a partition) on one or more
hard disks that has been formatted with a file system. Windows 2000
supports several different volume types, including:
■ Simple volumes
■ Spanned volumes
■ Striped volumes
■ Mirrored volumes
■ RAID-5 volumes
The volume types listed here can only be created on dynamic disks. As I
stated earlier,Windows 2000 will support the Windows NT versions of these
types of volumes on basic disks if they were created by Windows NT, but in
Windows 2000 you can only create these volume types on dynamic disks.
I’ll define and discuss each of these volume types in the following
sections. Then I’ll compare the fault tolerance, cost, and access speed of
these five volume types. Finally, I’ll provide detailed steps for creating each
of these volume types later in this chapter in the “Using Disk
Management” section.

Simple Volumes
A simple volume is a volume that consists of formatted disk space on a single
hard disk. You can create simple volumes only on dynamic disks.

TIP
If you’re used to thinking in terms of primary and extended partitions, it
might be helpful for you to picture a simple volume as if it were a logical
drive in an extended partition.

A simple volume can be formatted with FAT, FAT32, or NTFS.
A simple volume provides no fault tolerance.This means that if the disk
that contains the simple volume fails, all data in the simple volume is lost
unless the data is backed up.
There is no additional cost associated with using simple volumes,
because simple volumes use the minimum amount of hardware required to
store data. This volume type is the standard against which other volume
types are compared in terms of cost, because it is the basic unit of data
storage in use today.
There is no speed gain or speed loss associated with a simple volume,
because this volume type is the benchmark type for speed of access.
Simple volumes are supported by all of the Windows 2000 operating
systems:Windows 2000 Professional,Windows 2000 Server, and Windows
2000 Advanced Server.
For detailed instructions on creating a simple volume, see the “Creating
a Simple Volume” section later in this chapter.

Spanned Volumes
A spanned volume consists of formatted disk space on more than one hard
disk that is treated as a single volume.A spanned volume can be formatted
with FAT, FAT32, or NTFS. The areas of disk space that make up a
spanned volume do not need to be of identical size.You can create spanned
volumes only on dynamic disks.
The primary purpose and use of a spanned volume is to access disk
space on more than one hard disk by using a single drive letter. A spanned
volume is sometimes used when a volume becomes full and you want to
enlarge its capacity.
The Windows NT equivalent of a spanned volume is a volume set.
However, volume sets are created on basic disks, whereas spanned volumes
are created on dynamic disks. If you upgrade a Windows NT computer to
Windows 2000,Windows 2000 will support any existing volume sets.
Spanned volumes are said to be created when areas of free space only (not
existing volumes) are combined into a spanned volume. Spanned volumes
are said to be extended when an existing NTFS simple or spanned volume
is enlarged. A simple volume can be extended into a spanned volume by
adding disk space from other disks to the simple volume. Only simple or
spanned volumes on dynamic disks that are formatted with NTFS can
be extended.

TIP
The system partition can’t be extended into a spanned volume, even if
you have upgraded the disk that contains the system partition to a
dynamic disk. In addition, the partition on which Windows 2000 is
installed (also called the boot partition) can’t be extended into a spanned
volume, even if you have upgraded this disk to a dynamic disk.

Spanned volumes do not perform any fault tolerance function. If one
disk in a spanned volume fails, all data on the spanned volume may be lost
(unless the data is backed up), because Windows 2000 can’t access the
volume unless all of the disks that make up the spanned volume are functional.
Spanned volumes have no additional cost associated with them because
they use the same amount of disk space in which that data would normally
be stored.
There is no speed gain or speed loss associated with a spanned volume.
Spanned volumes are supported by all of the Windows 2000 operating
systems.
For detailed instructions on creating a spanned volume, see the
“Creating a Spanned Volume” section later in this chapter.

Striped Volumes
A striped volume consists of identical-sized areas of formatted disk space
located on two or more dynamic disks. In a striped volume, data is stored,
a block at a time, evenly and sequentially, among all of the disks in the
striped volume. Striped volumes are sometimes referred to as disk striping.
Disk striping refers to the process wherein a file is written, or striped, one
block at a time; first to one disk, then to the next disk, and then to the next
disk, and so on, until all of the data in the file has been evenly distributed
among all of the disks in the striped volume.
A striped volume is accessed by using a single drive letter, as if all of its
disks were combined into a single drive.A striped volume can be formatted
with FAT, FAT32, or NTFS.
The Windows NT equivalent of a striped volume is a stripe set.
However, stripe sets are created on basic disks, whereas striped volumes are
created on dynamic disks. If you upgrade a Windows NT computer to
Windows 2000, Windows 2000 will support any existing stripe sets.
Striped volumes do not provide any fault tolerance. If one disk in a
striped volume fails, all data on the striped volume is lost unless the data is
backed up.
Striped volumes have no additional cost associated with them because
they use the same amount of disk space in which that data would normally
be stored.
Striped volumes provide faster disk access than any other Windows 2000
volume type, because the striped volume stores a single file across multiple
disks.The various pieces of the file can be read nearly simultaneously from
the multiple disks, thus increasing performance. Access speed is the
primary advantage and common reason for using a striped volume. The
tradeoff or downside to using a striped volume is that the potential disk
failure rate is increased because there are more possible points of failure
when a file is accessed across several disks.
A striped volume (or disk striping) is also known as RAID level 0.
RAID stands for Redundant Array of Inexpensive (or Independent) Disks;
RAID-0 is the one level that carries no redundancy at all.
Striped volumes are supported by all of the Windows 2000 operating
systems.
For detailed instructions on creating a striped volume, see the “Creating
a Striped Volume” section later in this chapter.

Mirrored Volumes
A mirrored volume consists of a simple volume that is exactly duplicated, in
its entirety, onto a second dynamic disk. A mirrored volume can be for-
matted with FAT, FAT32, or NTFS. Any simple volume can be mirrored.
A mirrored volume is accessed by using a single drive letter.
The Windows NT equivalent of a mirrored volume is a mirror set.
However, mirror sets are created on basic disks, whereas mirrored volumes
are created on dynamic disks. If you upgrade a Windows NT computer to
Windows 2000,Windows 2000 will support any existing mirror sets.
A mirrored volume provides the highest level of fault tolerance available
in Windows 2000. Mirrored volumes are used in situations where the
integrity of data is more important than minimizing costs. For example, a
financial institution might decide that using mirrored volumes is cost-
effective for their organization because the extra safety provided by
mirrored volumes outweighs the cost of additional disk space.
A mirrored volume enables an organization to continue accessing its
data in the event of a single hard disk failure. I should point out, however,
that a mirrored volume does not provide fault tolerance in the event of
multiple disk failure, and it does not guarantee continued operations if a
server goes down.
Mirrored volumes are the most expensive volume type discussed here,
because twice the normal amount of hard disks are required to store the data.
There is no speed gain or speed loss associated with a mirrored volume.
A mirrored volume (disk mirroring) is also known as RAID level 1.
Mirrored volumes are supported only by Windows 2000 Server and
Windows 2000 Advanced Server. Windows 2000 Professional does not
support mirrored volumes.
For detailed instructions on creating a mirrored volume, see the
“Creating a Mirrored Volume” section later in this chapter.

RAID-5 Volumes
A RAID-5 volume consists of identical-sized areas of formatted disk space
located on three or more dynamic disks. In a RAID-5 volume, data is stored,
a block at a time, evenly and sequentially, among all of the disks in the
volume. In addition to data, parity information is also written across all of the
disks in the RAID-5 volume. This parity information enables RAID-5
volumes to provide the fault tolerance that striped volumes cannot.

IN THE REAL WORLD


RAID-5, in my experience, is the most commonly used method of fault
tolerance. It is less costly than mirrored volumes (because data is not
replicated on another disk), is faster than mirrored volumes, and provides
a modest level of data safety.

A RAID-5 volume is accessed by using a single drive letter, as if all of its
disks were combined into a single drive. A RAID-5 volume can be formatted
with FAT, FAT32, or NTFS.
The Windows NT equivalent of a RAID-5 volume is a stripe set with
parity. However, stripe sets with parity are created on basic disks, whereas
RAID-5 volumes are created on dynamic disks. If you upgrade a Windows
NT computer to Windows 2000,Windows 2000 will support any existing
stripe sets with parity.
RAID-5 volumes provide a medium level of fault tolerance. If a single
disk in a RAID-5 volume fails, the parity information contained on the
other disks in the volume is used to regenerate the data from the failed
disk. Until you replace the failed disk and regenerate the volume, every
read of a block that lived on the failed disk is reconstructed from the
surviving disks, so the volume runs more slowly and a second failure
would be fatal. If more than one disk in a RAID-5 volume fails, you
cannot recover your data unless the data is backed up.
RAID-5 volumes have a higher cost than simple, spanned, or striped
volumes because the equivalent of one of the disks in the volume is used
for parity information. However, RAID-5 volumes are less costly than
mirrored volumes.
A RAID-5 volume provides roughly the same read performance as a striped
volume, but its write performance is somewhat slower, because every
write requires the parity block for that stripe to be recalculated and
rewritten along with the data block.
RAID-5 volumes are supported only by Windows 2000 Server and
Windows 2000 Advanced Server. Windows 2000 Professional does not
support RAID-5 volumes.
For detailed instructions on creating a RAID-5 volume, see the
“Creating a RAID-5 Volume” section later in this chapter.
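The block-at-a-time distribution described for striped volumes and the parity
regeneration described for RAID-5 volumes can both be shown in a few lines. The
Python below is an added example, not code from the book or from Windows 2000: it
writes a byte string across simulated disks first as a striped volume and then as a
RAID-5 volume, and reads each back with one disk marked as failed. Stripe blocks
are 4 bytes here purely to keep the toy small (the real stripe unit is much larger),
and the rotating parity placement is one common convention, not necessarily the one
Windows 2000 uses.

```python
from typing import List, Optional

BLOCK = 4   # bytes per stripe block; a toy size chosen for the example


def _blocks(data: bytes, per_stripe: int) -> List[bytes]:
    """Cut data into BLOCK-sized pieces, zero-padding so every stripe is complete."""
    pieces = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if pieces and len(pieces[-1]) < BLOCK:
        pieces[-1] = pieces[-1].ljust(BLOCK, b"\0")
    while len(pieces) % per_stripe:
        pieces.append(b"\0" * BLOCK)
    return pieces


def xor_blocks(*blocks: bytes) -> bytes:
    """Bytewise XOR; this is all the parity arithmetic RAID-5 needs."""
    out = bytearray(BLOCK)
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def stripe_write(data: bytes, n_disks: int) -> List[List[bytes]]:
    """RAID-0 (striped volume): block 0 to disk 0, block 1 to disk 1, ... round-robin.
    disks[d][s] is the block that disk d holds in stripe s."""
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for i, blk in enumerate(_blocks(data, n_disks)):
        disks[i % n_disks].append(blk)
    return disks


def stripe_read(disks: List[Optional[List[bytes]]], length: int) -> bytes:
    """A striped volume has no redundancy: one missing disk makes the whole volume unreadable."""
    if any(d is None for d in disks):
        raise RuntimeError("striped volume: a disk failed, all data is lost without a backup")
    out = bytearray()
    for s in range(len(disks[0])):
        for d in disks:
            out += d[s]
    return bytes(out[:length])


def parity_disk_for(stripe_no: int, n_disks: int) -> int:
    """Parity rotates across the disks stripe by stripe so no single disk becomes a hot spot."""
    return (n_disks - 1 - stripe_no) % n_disks


def raid5_write(data: bytes, n_disks: int) -> List[List[bytes]]:
    """RAID-5: each stripe holds n_disks-1 data blocks plus one parity block (the XOR of them)."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    per_stripe = n_disks - 1
    pieces = _blocks(data, per_stripe)
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(pieces) // per_stripe):
        row = pieces[s * per_stripe:(s + 1) * per_stripe]
        parity = xor_blocks(*row)
        p = parity_disk_for(s, n_disks)
        data_iter = iter(row)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(data_iter))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]], length: int) -> bytes:
    """Read the volume back. A single failed disk (None) is regenerated from the survivors:
    the XOR of all n blocks in a stripe is zero, so the XOR of the n-1 surviving blocks
    is exactly the missing one, whether it held data or parity."""
    failed = [d for d, disk in enumerate(disks) if disk is None]
    if len(failed) > 1:
        raise RuntimeError("RAID-5 volume: more than one disk failed, data unrecoverable without a backup")
    n_disks = len(disks)
    n_stripes = len(next(disk for disk in disks if disk is not None))
    out = bytearray()
    for s in range(n_stripes):
        row = [None if disk is None else disk[s] for disk in disks]
        if failed:
            row[failed[0]] = xor_blocks(*[b for b in row if b is not None])
        p = parity_disk_for(s, n_disks)
        for d in range(n_disks):
            if d != p:
                out += row[d]
    return bytes(out[:length])


if __name__ == "__main__":
    sample = b"Windows 2000 RAID-5 volume"   # constructed sample data
    disks = raid5_write(sample, 3)
    for d, blocks in enumerate(disks):
        print("disk %d: %s" % (d, b" ".join(blocks)))
    disks[1] = None                          # simulate a single disk failure
    print("after disk 1 fails:", raid5_read(disks, len(sample)))
```

The cost figures in the text fall out of the layout: a three-disk RAID-5 volume
gives two disks’ worth of data for three disks of hardware, while a mirror gives one
for two, and the striped volume gives all of its space back but loses everything the
moment a single disk is gone.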

Comparison of Volume Types

Up to this point, you’ve had a chance to examine five different volume types:
simple volumes, spanned volumes, striped volumes, mirrored volumes, and
RAID-5 volumes.
Table 6-2 compares the fault tolerance, cost, and access speed provided
by these five different volume types. Note that the most expensive volume
type — a mirrored volume — also provides the highest level of fault
tolerance of the volume types listed. As with most things in life, you get
what you pay for.

TABLE 6-2 Comparison of Volume Types

Volume Type        Fault Tolerance   Cost     Access Speed
Simple volume      None              Low      Normal
Spanned volume     None              Low      Normal
Striped volume     None              Low      Fastest
Mirrored volume    High              High     Normal
RAID-5 volume      Medium            Medium   Fast

Using Disk Management

Windows 2000 includes a powerful tool to manage disks — it’s called Disk
Management. Disk Management is a graphical tool that is a snap-in to the
Microsoft Management Console (MMC).
The MMC is a Windows 2000 feature that hosts administrative tools
you can use to perform administrative tasks on your Windows 2000
computer and network.The tools contained in the MMC are referred to as
snap-ins.
You can use Disk Management to:
■ Create and format partitions
■ Upgrade a disk from basic to dynamic
■ Revert from a dynamic disk to a basic disk
■ Create and format simple, spanned, striped, mirrored, and
RAID-5 volumes
■ Delete simple, spanned, striped, mirrored, and RAID-5 volumes
■ Troubleshoot disk configuration problems
■ Recover from single hard disk failures in mirrored and RAID-5
volumes
Disk Management replaces the Disk Administrator tool that was included
in Windows NT 4.0.
You must be a member of the Administrators group on the computer that
contains the disks you want to manage in order to use Disk Management.
Disk Management can be used in two capacities:
■ Disk Management can be used at the local computer to manage
the local computer.
■ Disk Management can also be used at one computer to remotely
manage disks on another computer.
Two of the most common ways to start Disk Management are described
in the steps that follow.
STEP BY STEP

STARTING DISK MANAGEMENT — METHOD 1

1. From the desktop, select Start ➪ Programs ➪ Administrative Tools ➪ Computer
Management. This starts the Microsoft Management Console (MMC).
2. If you want to use Disk Management to manage the local computer, skip to
Step 3 now.
If you want to use Disk Management to manage a remote computer, in the left
pane of the Computer Management dialog box, right-click Computer Management
(Local), and select “Connect to another computer” from the menu that appears. In
the Select Computer dialog box, either click the computer you want to manage in
the list box, or type in the name of the computer you want to manage in the Name
text box. Click OK.
3. Click the + next to Storage in the left pane in the Computer Management
dialog box.
4. Click Disk Management.
Or, you can use the following shortcut method to start Disk Management:

STARTING DISK MANAGEMENT — METHOD 2

1. From the desktop, right-click My Computer. Select Manage from the menu
that appears.
2. If you want to use Disk Management to manage the local computer, skip to
Step 3 now.
If you want to use Disk Management to manage a remote computer, in the left
pane of the Computer Management dialog box, right-click Computer Management
(Local), and select “Connect to another computer” from the menu that appears. In
the Select Computer dialog box, either click the computer you want to manage in
the list box, or type in the name of the computer you want to manage in the Name
text box. Click OK.
3. In the left pane of the Computer Management dialog box, click Disk Management.
(If Storage is not already expanded so that Disk Management appears in the list,
click the + next to Storage.)

Figure 6-1 shows the Disk Management tool within Computer
Management. Disk Management is one of the many tools available in
Computer Management. Notice that the upper pane lists information on
each of the volumes in the computer. In this pane you can view the
volume name and drive letter; its volume type and layout; the file system
used; the status of the volume; the capacity, free space, and percent of the
volume’s capacity that is free space; whether or not the volume provides
fault tolerance; and the percent of disk space overhead required by
Windows 2000 to manage the volume. You might have to scroll to the
right to view all of this information.

FIGURE 6-1 Disk Management

Also notice in Figure 6-1 that the lower pane of Disk Management
graphically illustrates each of the disks in the computer. For each disk in
the computer, the disk number, type of disk (basic or dynamic), size of the
disk, and whether the disk is Online or Offline is displayed. Disk
Management also displays, in a bar graph fashion, each volume or partition
on each disk along with pertinent information about each volume.
You can easily customize the appearance of Disk Management by using
the options in the View menu. In the top pane, you can choose to display a
disk list, a volume list, or a graphical view of the disks in the computer. In
the bottom pane, you can choose to display a disk list, a volume list, a
graphical view of the disks in the computer, or to hide the bottom pane
entirely. In addition, you can move the bar that separates the top and
bottom panes by clicking and dragging it. You can also configure
appearance and scaling settings and customize additional MMC and
snap-in view options in the View menu.

I’ve always wished that some book or course would have given me
more precise information and detailed instructions on working with disks.
It’s for this reason that I include the instructions to perform most disk
management tasks in the rest of this chapter in a step-by-step format. I’ll
explain how you can use Disk Management to create and format
partitions; upgrade a disk from basic to dynamic; revert from a dynamic
disk to a basic disk; and create and format simple, spanned, striped,
mirrored, and RAID-5 volumes. I’ll also include lots of screen shots to
help solidify your understanding of disk management.
It’s a good practice to use Disk Management only during times when
no one else is accessing the server. Some of Disk Management’s functions
take a significant amount of time to complete. This means that service to
clients during these times can be seriously slowed or interrupted.

CAUTION
Because using Disk Management can disrupt service to clients, I recom-
mend that you perform disk management tasks during nonbusiness hours
whenever possible, just as you would other administrative tasks on a server.

Creating and Formatting Partitions

You can use Disk Management to create and format partitions on your
computer’s hard disk(s). So why would you want to create partitions on a
Windows 2000 computer? Well, if your computer is configured to dual
boot, you might want to create partitions on basic disks to enable the other
operating system to access the files in these partitions.
If you decide to perform any of the disk management tasks described in
this chapter, do so carefully, and make sure you have a current backup of
the computer on which you are working before you modify any existing
partitions or volumes.

CAUTION
Take extreme care when using Disk Management — it’s easy to delete a
partition or volume that contains important data. Remember that reformat-
ting a partition or volume will also delete existing data.

The following steps explain how to create and format a primary partition,
how to create an extended partition, and how to create and format a logical
drive in an extended partition.These tasks can be performed only on basic
disks.You cannot create partitions on dynamic disks.

STEP BY STEP

CREATING AND FORMATTING A PRIMARY PARTITION

1. Start Disk Management. (The steps to start Disk Management are listed in the
previous section.)
2. If you have not previously upgraded all of your unpartitioned basic disks, the
Write Signature and Upgrade Disk Wizard appears. Because primary partitions
can only be created on basic disks, I’m assuming that you don’t want to upgrade
all of your disks to dynamic disks. If this is the case, and if this dialog box appears,
click Cancel.
3. In the bottom right pane, right-click in an area of unallocated space on the disk
on which you want to create the primary partition. From the menu that appears,
select Create Partition.
4. The Create Partition Wizard appears, as shown in Figure 6-2. Notice the
explanation of basic disks. Click Next.

FIGURE 6-2 The Create Partition Wizard

5. In the Select Partition Type screen, select the “Primary partition” option.
Click Next.
6. Specify the amount of disk space, in MB, to be used for this partition, or accept
the default, which is all of the unallocated space on the disk. Click Next.
7. The Assign Drive Letter or Path window appears, as shown in Figure 6-3. Notice
the three options available.
If you choose the “Assign a drive letter” option, select a drive letter from the
drop-down list box.
FIGURE 6-3 Assigning a drive letter or path to a partition

If you select the “Mount this volume at an empty folder that supports drive paths”
option, either type in the path to an empty folder on an NTFS volume on the local
computer, or click Browse and select an empty folder. The Browse command but-
ton is grayed out and not available if you are using Disk Management remotely.
If you select the “Do not assign a drive letter or path” option, you will need to
assign a drive letter or path to this partition later so that it can be accessed.
Click Next.
8. The Format Partition window appears, as shown in Figure 6-4. Note that the
default file system to use is NTFS.
There are several options you can configure in this dialog box.
You can choose to not format this partition, or to format the partition with specified
settings. If you choose to format the partition, you have the option to specify several
of its characteristics.
■ File system to use: The file system choices available are FAT, FAT32, or
NTFS. The default file system is NTFS. If you are creating a partition larger
than 2,048MB, the FAT file system will not be available as an option. If you
are creating a partition larger than 32GB, the FAT32 file system will not be
an option. If your partition is larger than 2GB and smaller than 4GB, and
you want to format it with the FAT file system, you must choose the “Do
not format this partition” option, and then format the partition later using
the Format.exe command-line utility. Keep in mind that FAT and FAT32
have no file-level permissions, so choose NTFS for any partition that holds
data you need to protect.
FIGURE 6-4 Formatting a primary partition

■ Allocation unit size: This setting is the cluster size (the allocation unit)
that Disk Management uses when it formats a partition; it is not the physical
sector size, which stays at 512 bytes. Cluster sizes in this menu range from
512 bytes to 256K. There’s an important trade-off to consider when choosing
a cluster size. A file always occupies a whole number of clusters, so a small
cluster size wastes less disk space on small files, while a large cluster size
lets large files be read in fewer, larger pieces and accessed more quickly. For
example, if you plan to store large graphics or CAD files on this partition,
consider using a large cluster size to improve performance. Two caveats: NTFS
compression is only available when the cluster size is 4K or smaller, and the
unused sectors at the end of a file’s last cluster (slack space) are not
overwritten and can retain fragments of earlier files, which matters if the
volume is ever examined forensically. I normally recommend accepting the
Default setting for this option. The value for the Default setting varies
depending on the size of the partition (or volume) being formatted.
 Volume label: This setting enables you to give the partition a name. Type
in the name you want to use for the volume label. The default label is New
Volume. You can assign a blank label to a volume by deleting the default name.
 Perform a Quick Format: Selecting this option instructs Windows 2000
to write only the necessary data to the disk to support a volume, and not to
check for bad sectors during the formatting. Checking for bad sectors can
add a significant amount of time to the formatting process. I recommend that
you don’t select this option unless you are reformatting an existing partition.
 Enable file and folder compression: This option is only available if you
choose NTFS as the file system. (If you choose any other file system, this box
is grayed out.) Selecting this option causes all files and folders placed in this
partition to be compressed by default. You can also set this attribute later by
using Windows Explorer.
When you finish configuring the settings in this dialog box, click Next.
9. In the Completing the Create Partition Wizard window, review the settings you
have selected. If the settings are correct, click Finish. If you want to change any
of the settings, click Back and make the appropriate changes. Windows 2000
creates and formats the primary partition.

After Windows 2000 creates and formats the primary partition, it
appears in Disk Management with a listing of its characteristics, including
the name of the new partition, a drive letter or path, the amount of space
the partition contains, the file system the partition is formatted with, and
the word “Healthy.” The space on the disk that was used to create the
partition is no longer shown as unallocated.

STEP BY STEP

CREATING AN EXTENDED PARTITION

1. Start Disk Management. (The steps to start Disk Management are listed in the
“Using Disk Management” section.)
2. If you have not previously upgraded all of your unpartitioned basic disks, the
Write Signature and Upgrade Disk Wizard appears. Because extended partitions
can only be created on basic disks, I’m assuming that you don’t want to upgrade
all of your disks to dynamic disks. If this is the case, and if this dialog box appears,
click Cancel.
3. In the bottom right pane, right-click in an area of unallocated space on the disk
on which you want to create the extended partition. From the menu that appears,
select Create Partition.
4. The Create Partition Wizard appears. Click Next.
5. Select the “Extended partition” option. Click Next.
6. Specify the amount of disk space, in MB, to be used for this partition, or accept
the default, which is all of the unallocated space on the disk. Click Next.
7. In the Completing the Create Partition Wizard window, review the settings you
have selected. If the settings are correct, click Finish. If you want to change any
of the settings, click Back and make the appropriate changes. Windows 2000
creates the extended partition.
After Windows 2000 creates the extended partition, it appears in Disk
Management with a listing of its characteristics, as shown in Figure 6-5.
Notice the attributes of the extended partition, which was created on Disk
2, including the amount of space the partition contains and the words
“Free Space.” Also notice that the space on the disk that was used to create
this partition is no longer shown as unallocated.

FIGURE 6-5 An extended partition

STEP BY STEP

CREATING AND FORMATTING A LOGICAL DRIVE IN AN EXTENDED PARTITION

1. Start Disk Management. (The steps to start Disk Management are listed in the
“Using Disk Management” section.)
2. If you have not previously upgraded all of your unpartitioned basic disks, the Write
Signature and Upgrade Disk Wizard appears. Because logical drives can only be
created on basic disks that contain extended partitions, I’m assuming that you
don’t want to upgrade all of your disks to dynamic disks. If this is the case, and
if this dialog box appears, click Cancel.
3. In the bottom right pane, right-click in an area marked “Free Space” on the disk
which contains the extended partition in which you want to create the logical
drive. From the menu that appears, select Create Logical Drive.
4. The Create Partition Wizard appears. Click Next.
5. Select the “Logical drive” option. Click Next.
6. Specify the amount of disk space, in MB, to be used for this logical drive, or accept
the default, which is all of the free space in the extended partition. Click Next.
7. The Assign Drive Letter or Path window appears. Select and configure the
appropriate option. (For a detailed description of these options, see the “Creating
and formatting a primary partition” step-by-step section earlier in this chapter.)
Click Next.
8. The Format Partition window appears. Select and configure the appropriate option.
(For a detailed description of these options, see the “Creating and formatting a
primary partition” step-by-step section earlier in this chapter.) Click Next.
9. In the Completing the Create Partition Wizard window, review the settings you
have selected. If the settings are correct, click Finish. If you want to change any
of the settings, click Back and make the appropriate changes. Windows 2000
creates and formats the logical drive.

After Windows 2000 creates and formats the logical drive, it appears in
Disk Management with a listing of its characteristics, including a drive letter
or path, the amount of space the logical drive contains, the file system the
logical drive is formatted with, and the word “Healthy.” The space on the
disk that was used to create the logical drive is no longer shown as free space.

Upgrading a Disk from Basic to Dynamic

In Windows 2000, the preferred disk type is dynamic. In fact, every time
you run Disk Management, if you have not previously upgraded all of your
unpartitioned basic disks to dynamic disks, the Write Signature and
Upgrade Disk Wizard appears, as shown in Figure 6-6. Notice the check
box at the bottom of the dialog box that you can check if you want to keep
your existing basic disks and instruct Windows 2000 to not display this
wizard each time you run Disk Management.

TIP
I recommend you upgrade all of your unpartitioned basic disks to dynamic
disks when you first encounter this wizard unless you plan to dual boot
your computer between Windows 2000 and another operating system.
FIGURE 6-6 The Write Signature and Upgrade Disk Wizard

Using the wizard is fairly straightforward. Here are the steps to use the
wizard to upgrade a basic disk to a dynamic disk.

STEP BY STEP

USING THE WRITE SIGNATURE AND UPGRADE DISK WIZARD TO
UPGRADE A DISK FROM BASIC TO DYNAMIC

1. Start Disk Management. (The steps to start Disk Management are listed in the
“Using Disk Management” section.)
2. If you have not previously upgraded all of your unpartitioned basic disks, the
Write Signature and Upgrade Disk Wizard appears, as shown in Figure 6-6.
(If this wizard does not appear and you want to upgrade a disk, use the next
set of steps in this section.) Click Next.
3. Select the disk(s) you want to upgrade. By default, all unpartitioned disks are
selected for upgrade. If you don’t want one of these disks to be upgraded,
deselect the check box next to that disk. Click Next.

TIP
This wizard only gives you an option to upgrade unpartitioned disks.
If you want to upgrade a disk that has already been partitioned, use the
next set of steps in this section.
4. In the Completing the Write Signature and Upgrade Disk Wizard window, review
the settings you have selected. If the settings are correct, click Finish. If you want
to change any of the settings, click Back and make the appropriate changes.
Windows 2000 upgrades your disk(s) from basic to dynamic.

Occasionally you might want to upgrade a partitioned basic disk to a
dynamic disk. For example, if you want to mirror Disk 0, you must first
upgrade it to a dynamic disk before you can mirror it.
If you upgrade a partitioned basic disk to a dynamic disk, Windows 2000
converts the partitions on the basic disk into dynamic volumes that are
Windows 2000 equivalents of their basic disk counterparts. For example,
Windows 2000 converts a primary partition into a simple volume; a mirror
set into a mirrored volume; a stripe set with parity into a RAID-5 volume,
and so on. When converting disks from basic to dynamic, make sure that
you convert all of the disks that make up a volume at the same time.
To upgrade a partitioned basic disk, you’ll need to manually upgrade the
basic disk by using Disk Management. I’ll get to the steps involved in
performing this task in a minute, but first I need to fill you in on a couple
of important cautionary notes.
■ Converting a partitioned basic disk to a dynamic disk is a one-way process.
Once the disk is converted, the only way to change it back to a basic
disk is to delete all of the volumes on the disk (and the contents of
those volumes) and then use Disk Management to revert the disk to
a basic disk. The new basic disk will not have any partitions or data
on it. For more information on this topic, see the “Reverting from a
Dynamic Disk to a Basic Disk” section later in this chapter.
■ One situation where you should not upgrade a basic disk to a dynamic disk
is when your computer is configured to dual boot between Windows 2000
and another operating system. If your computer is configured to dual
boot and you upgrade a basic disk (that has been partitioned and
formatted) to a dynamic disk, the other operating system will no
longer be able to access this disk. Additionally, if you upgrade Disk
0, the other operating system will no longer be able to boot.
Now I’ll show you how to use Disk Management to manually upgrade
a basic disk to a dynamic disk.
STEP BY STEP

MANUALLY UPGRADING A DISK FROM BASIC TO DYNAMIC

1. Start Disk Management. (The steps to start Disk Management are listed in the
“Using Disk Management” section.)
2. In the bottom right pane, right-click the disk you want to upgrade, as shown in
Figure 6-7. When you do this, right-click the small gray area on the left that
contains the actual disk number and disk type, not the long bar on the right
that contains the volume information.

FIGURE 6-7 Manually upgrading a disk from basic to dynamic

Notice that I clicked the gray area where “Disk 1” appears, not on the bar to the
right representing the partitioned space.
From the menu that appears, select Upgrade to Dynamic Disk.
3. In the Upgrade to Dynamic Disk dialog box, select the disk(s) you want to
upgrade. By default, only the disk that you right-clicked is selected for upgrade.
All basic disks, both formatted and unformatted, are available for upgrade in this
dialog box. Click OK.
4. In the Disks to Upgrade dialog box, review the list of disks that will be upgraded.
You can click Details to display a list of the volumes currently contained on the
disk(s) selected for upgrade. If the list is correct, click Upgrade. If the list is not
correct, click Cancel.
5. A warning dialog box appears. Note that once you upgrade a disk from basic to
dynamic, you will no longer be able to boot previous versions of Windows from
this disk. Assuming that you want to continue with the upgrade, click Yes.
6. Another warning dialog box appears. File systems on this disk will be dismounted
and unavailable during the upgrade process. This means that other users on the
network will not be able to access files on this disk during the upgrade process,
and that any open files will be closed without prior notice to the user. Open files
can become corrupted in this situation. Click Yes to continue.
7. If you are upgrading Disk 0, Windows 2000 displays another message, stating
that a reboot will take place after the disk is upgraded.
Windows 2000 upgrades the selected disk(s) from basic to dynamic, and may
reboot your computer.

Reverting from a Dynamic Disk to a Basic Disk

It’s possible, especially in a dual boot situation, that you might want to
convert a dynamic disk back into a basic disk. For example, suppose that
your computer is configured to dual boot between Windows 2000 and
Windows 98. You decide that you want to be able to access data located in
a dynamic volume when you are booted to Windows 98. In order to
accomplish this, you will need to revert the dynamic disk to a basic disk.
Reverting from a dynamic disk to a basic disk is not a choice to make
lightly. If the dynamic disk does not contain any volumes, you can quite
easily revert it to a basic disk. However, if the dynamic disk contains one or
more volumes, the process isn’t so painless.

STEP BY STEP

REVERTING TO A BASIC DISK

1. If the disk contains data in one or more volumes, back up all of the data on the disk.
2. Start Disk Management. (The steps to start Disk Management are listed in the
“Using Disk Management” section.)
3. If the disk to be reverted does not contain any volumes, skip to Step 6.
If the disk to be reverted contains one or more volumes, you must delete these
volumes. To do this, in the bottom right pane of Disk Management, right-click in
a bar-shaped area that represents the volume you want to delete. Select Delete
Volume from the menu that appears.
4. Click Yes in the warning dialog box that appears to delete the selected volume.
5. Click Yes in the Disk Management dialog box to force the deletion of the selected
volume. Windows 2000 deletes the volume. Repeat Steps 3 through 5 to delete
each volume on the disk.
6. In the bottom right pane of Disk Management, right-click the small gray area on
the left that contains the disk number and disk type of the disk you want to revert.
Select Revert To Basic Disk from the menu that appears. Windows 2000 reverts
the dynamic disk to a basic disk.
7. Partition and format the basic disk, and if the volume previously contained data
that you need to access, restore that data to the disk.

Creating a Simple Volume

When you add a new disk to a computer, or after you first install Windows
2000 onto a new computer, you will probably need to create a simple
volume. Simple volumes, as you may recall, can only be created on
dynamic disks.
Creating a simple volume is fairly straightforward. Simple volumes are
created by using Disk Management. Here are the steps to create and format
a simple volume.

STEP BY STEP

CREATING AND FORMATTING A SIMPLE VOLUME

1. Start Disk Management. (The steps to start Disk Management are listed in the
“Using Disk Management” section.)
2. If you have not previously upgraded all of your unpartitioned basic disks, the
Write Signature and Upgrade Disk Wizard appears. If you want to create a simple
volume on a basic disk, you’ll need to upgrade that disk to a dynamic disk. If this
is the case, use this wizard and the steps in the “Upgrading a Disk from Basic to
Dynamic” section earlier in this chapter. If you already have a dynamic disk on which
to create a simple volume and want to keep your existing basic disks, click Cancel.
3. In the bottom right Disk Management pane, right-click in an area of unallocated
space on the dynamic disk on which you want to create the simple volume. From
the menu that appears, select Create Volume.
4. The Create Volume Wizard appears, as shown in Figure 6-8. Notice the explanation
of volumes. Click Next.

FIGURE 6-8 The Create Volume Wizard

5. In the Select Volume Type screen, select the “Simple volume” option. Click Next.
6. In the Select Disks screen, specify the amount of disk space, in MB, to be used
for this volume, or accept the default, which is all of the unallocated space on the
disk. Click Next.
7. The Assign Drive Letter or Path screen appears. Select and configure one of the
three options in this dialog box.
If you choose the “Assign a drive letter” option, select a drive letter from the drop-
down list box.
If you select the “Mount this volume at an empty folder that supports drive paths”
option, either type in the path to an empty folder on an NTFS volume on the local
computer, or click Browse and select an empty folder. The Browse command but-
ton is grayed out and not available if you are using Disk Management remotely.
If you select the “Do not assign a drive letter or path” option, you will need to
assign a drive letter or path to this volume later so that it can be accessed.
Click Next.
8. The Format Volume screen appears, as shown in Figure 6-9. Note that the
options for formatting a volume are the same as those used when formatting
a primary partition.

FIGURE 6-9 Formatting a volume

There are several options you can configure in this dialog box.
You can choose to not format this volume, or to format the volume with specified
settings. If you choose to format the volume, you have the option to specify several
of its characteristics.
■ File system to use: The file system choices available are FAT, FAT32, or
NTFS. The default file system is NTFS. If you are creating a volume larger
than 2,048MB, the FAT file system will not be available as an option. If you
are creating a volume larger than 32GB, the FAT32 file system will not be
an option. If your volume is larger than 2GB and smaller than 4GB, and you
want to format it with the FAT file system, you must choose the “Do not
format this volume” option, and then format the volume later using the
Format.exe command-line utility.
■ Allocation unit size: This setting refers to the sector size Disk Manage-
ment uses when it formats the volume. Sector sizes vary in this menu from
512 bytes to 256K. There’s an important trade-off to consider when choos-
ing a sector size. If you select a small sector size, you’ll have less wasted
disk space when storing files. If you select a large sector size, large files
will be accessed more quickly. For example, if you plan to store large multi-
media or graphics files on this volume, consider using a large sector size
to improve performance. I normally recommend accepting the Default
setting for this option. The value for the Default setting varies depending
on the size of the volume being formatted.
■ Volume label: This setting enables you to give the volume a name. Type
in the name you want to use for the volume label. The default label is New
Volume. You can assign a blank label to a volume by deleting the default name.
■ Perform a Quick Format: Selecting this option instructs Windows 2000
to write only the necessary data to the disk to support a volume, and not to
check for bad sectors during the formatting. Checking for bad sectors can
add a significant amount of time to the formatting process. I recommend that
you don’t select this option unless you are reformatting an existing volume.
■ Enable file and folder compression: This option is only available if you
choose NTFS as the file system. (If you choose any other file system, this box
is grayed out.) Selecting this option causes all files and folders placed in this
volume to be compressed by default. You can also set this attribute later by
using Windows Explorer.
When you finish configuring the settings in this dialog box, click Next.
9. In the Completing the Create Volume Wizard screen, review the settings you have
selected. If the settings are correct, click Finish. If you want to change any of the
settings, click Back and make the appropriate changes. Windows 2000 creates
and formats the simple volume.

After Windows 2000 creates and formats the simple volume, it appears in
Disk Management with a listing of its characteristics, including
the name of the new volume, a drive letter or path, the amount of space the
volume contains, the file system the volume is formatted with, and the word
“Healthy.” The space on the disk that was used to create the simple volume
is no longer shown as unallocated.
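
To make the allocation unit trade-off and the file system size limits from the Format Partition and Format Volume steps concrete (Step 8 of both the “Creating and formatting a primary partition” and the “Creating and formatting a simple volume” procedures), here is a short Python script. It is an added example, not code from the book or from Windows 2000. The workload file sizes are constructed; the allocation unit sizes between the 512-byte and 256K endpoints the book names are assumed to be the powers of two in between; and clusters_needed, slack_bytes, compare_allocation_units, file_systems_offered and fat_needs_format_exe are names chosen for this example.

```python
"""Allocation unit trade-off and file system size limits when formatting.

Added example, not code from the book. The allocation unit size is the
smallest block the file system hands out to a file, so the last unit of
every file is partly empty: small units waste little space, large units
let a big file be read as fewer, larger pieces.
"""
from typing import Dict, Iterable, List

# The book says the formatter offers allocation units from 512 bytes to 256K;
# the intermediate steps are ASSUMED here to be the powers of two in between.
ALLOCATION_UNIT_SIZES: List[int] = [512 << n for n in range(10)]  # 512 .. 262144

# Constructed sample workload (bytes): many small documents plus a few large CAD files.
SMALL_FILES: List[int] = [700] * 1000
LARGE_FILES: List[int] = [50 * 1024 * 1024] * 3


def clusters_needed(file_bytes: int, cluster_bytes: int) -> int:
    """Number of allocation units a file occupies (rounded up to whole units)."""
    return (file_bytes + cluster_bytes - 1) // cluster_bytes


def slack_bytes(file_sizes: Iterable[int], cluster_bytes: int) -> int:
    """Space allocated to these files that holds no file data: the 'wasted
    disk space' the book warns about when the allocation unit is large."""
    return sum(clusters_needed(s, cluster_bytes) * cluster_bytes - s for s in file_sizes)


def compare_allocation_units(file_sizes: List[int],
                             sizes: List[int] = ALLOCATION_UNIT_SIZES) -> Dict[int, Dict[str, int]]:
    """For each candidate allocation unit report the wasted space and how many
    units the largest file is split across (fewer units, fewer pieces to fetch
    when reading a large file, which is the access-speed side of the trade-off)."""
    largest = max(file_sizes)
    return {
        cs: {
            "slack_bytes": slack_bytes(file_sizes, cs),
            "units_for_largest_file": clusters_needed(largest, cs),
        }
        for cs in sizes
    }


def file_systems_offered(partition_mb: int) -> List[str]:
    """File systems the Format Partition/Volume page lists for a partition of this
    size, following the limits the book states: FAT only up to 2,048MB, FAT32 only
    up to 32GB, NTFS always."""
    offered = ["NTFS"]
    if partition_mb <= 32 * 1024:
        offered.append("FAT32")
    if partition_mb <= 2048:
        offered.append("FAT")
    return offered


def fat_needs_format_exe(partition_mb: int) -> bool:
    """True when you want FAT on a partition larger than 2GB and smaller than 4GB:
    the wizard will not offer FAT, so choose 'Do not format' and run Format.exe later."""
    return 2048 < partition_mb < 4096


if __name__ == "__main__":
    for cs, stats in compare_allocation_units(SMALL_FILES + LARGE_FILES).items():
        print(f"{cs:>7} bytes: wasted {stats['slack_bytes']:>12,} B, "
              f"largest file in {stats['units_for_largest_file']:>7,} units")
    for mb in (1024, 3000, 40000):
        print(mb, "MB ->", file_systems_offered(mb),
              "(Format.exe for FAT)" if fat_needs_format_exe(mb) else "")
```

Running the script shows the two sides of the trade-off side by side: the thousand 700-byte files waste about 324KB at a 512-byte unit but over 60MB at 64K, while each 50MB file shrinks from 102,400 units to 800. That is the calculation the Allocation unit size option asks you to make for your own workload, and why accepting the Default is the safe choice when you do not know it.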
Creating a Spanned Volume

You might want to create a spanned volume when you add a new disk to
a computer and want that disk to be a part of an existing volume, or, after
you first install Windows 2000 onto a new computer and want to create a
volume that is larger than a single hard disk. To create a spanned volume,
you need two or more dynamic disks.
Another situation where you might want to create a spanned volume is
when you need to extend an existing volume. If you need more disk space
in an existing simple or spanned volume, you can extend the existing
volume if it has been formatted with NTFS. To extend a volume, you need
the existing simple or spanned volume, plus one or more additional
dynamic disks. Extended volumes are always spanned volumes.

TIP
Neither the system nor the boot partition can be extended into a spanned
volume, even if you have upgraded the disk that contains these partitions
to a dynamic disk.

Now I’ll explain how to create a spanned volume, and then I’ll explain
how to extend an existing simple or spanned volume.

STEP BY STEP

CREATING A NEW SPANNED VOLUME

1. Start Disk Management. (The steps to start Disk Management are listed in the
“Using Disk Management” section.)
2. If you have not previously upgraded all of your unpartitioned basic disks, the
Write Signature and Upgrade Disk Wizard appears. If the disks you want to
use to create the spanned volume are basic disks, you’ll need to upgrade those
disks to dynamic disks. If this is the case, use this wizard and the steps in the
“Upgrading a Disk from Basic to Dynamic” section earlier in this chapter. If you
already have the dynamic disks on which you want to create a spanned volume
and want to keep your existing basic disks, click Cancel.
3. In the bottom right Disk Management pane, right-click in an area of unallocated
space on any of the dynamic disks that you want to be a part of the spanned
volume. From the menu that appears, select Create Volume.
4. In the Create Volume Wizard dialog box, click Next.
5. Select the “Spanned volume” option. Click Next.
6. The Select Disks screen appears, as shown in Figure 6-10. Note that only one
dynamic disk is selected, by default, for inclusion in the spanned volume.

FIGURE 6-10 Selecting disks for a spanned volume

Highlight one or more additional dynamic disks in the “All available dynamic disks”
box. Click Add. You should now have two or more disks listed in the “Selected
dynamic disks” box.
Highlight the first disk listed in the “Selected dynamic disks” box, and specify
the amount of disk space, in MB, to be used for this disk in the spanned volume.
Repeat this process for each of the disks listed in the “Selected dynamic disks”
box. Click Next.
Or, instead of configuring disk space for each disk individually, you can accept the
default, which is all of the unallocated space on each of the disks, by clicking Next.
7. The Assign Drive Letter or Path screen appears. Select and configure one of the
three options in this dialog box. (These options are explained in detail in Step 7 in
the “Creating a Simple Volume” section.) Click Next.
8. The Format Volume screen appears. Select and configure the appropriate option.
(These options are explained in detail in Step 8 in the “Creating a Simple Volume”
section.) Click Next.
9. In the Completing the Create Volume Wizard screen, review the settings you have
selected. If the settings are correct, click Finish. If you want to change any of the
settings, click Back and make the appropriate changes. Windows 2000 creates
and formats the spanned volume.

After Windows 2000 creates and formats the spanned volume, it appears
in Disk Management with a listing of its characteristics, including the
name of the new volume, a drive letter or path, the amount of space
on each disk that is included in the volume, the file system the volume is
formatted with, and the word “Healthy.” A newly created spanned volume
is shown in Figure 6-11. Notice that I chose to name this volume
“Spanned,” and that it consists of two dynamic disks, Disk 1 and Disk 2.

FIGURE 6-11 Newly created spanned volume


If you want to know the total amount of disk capacity of the spanned
volume, view the entry in the Capacity column for the spanned volume in
the top right pane in Disk Management.

STEP BY STEP

EXTENDING A SIMPLE OR SPANNED VOLUME

1. Start Disk Management. (The steps to start Disk Management are listed in the
“Using Disk Management” section.)
2. If you have not previously upgraded all of your unpartitioned basic disks, the Write
Signature and Upgrade Disk Wizard appears. If the disks you want to use to
extend your simple or spanned volume are basic disks, you’ll need to upgrade
those disks to dynamic disks. If this is the case, use this wizard and the steps in
the “Upgrading a Disk from Basic to Dynamic” section earlier in this chapter. If
you already have the dynamic disks you need to extend your simple or spanned
volume and want to keep your existing basic disks, click Cancel.
3. In the bottom right Disk Management pane, right-click anywhere in the bar-
shaped space that represents the volume you want to extend. From the menu
that appears, select Extend Volume.
4. In the Extend Volume Wizard dialog box, click Next.
5. In the Select Disks screen, highlight one or more dynamic disks from the “All avail-
able dynamic disks” box to add to your existing volume. Click Add. You should now
have one or more disks listed in the “Selected dynamic disks” box.
Configure the amount of disk space you want to be included in the extended
volume from each of the dynamic disks listed in the “Selected dynamic disks” box.
The default setting is all of the unallocated space on each of the disks. Click Next.
6. In the Completing the Extend Volume Wizard screen, review the settings you have
selected. If the settings are correct, click Finish. If you want to change any of the
settings, click Back and make the appropriate changes. Windows 2000 extends
the volume.

Creating a Striped Volume

You might want to create a striped volume if you determine you want
faster speed of access to files than you can get by using a simple or spanned
volume, and you do not require any fault tolerance. To create a striped
volume, you need two or more dynamic disks.
STEP BY STEP

CREATING A STRIPED VOLUME

1. Start Disk Management. (The steps to start Disk Management are listed in the
“Using Disk Management” section.)
2. If you have not previously upgraded all of your unpartitioned basic disks, the Write
Signature and Upgrade Disk Wizard appears. If the disks you want to use to create a
striped volume are basic disks, you’ll need to upgrade those disks to dynamic disks.
If this is the case, use this wizard and the steps in the “Upgrading a Disk from Basic
to Dynamic” section earlier in this chapter. If you already have the dynamic disks on
which you want to create a striped volume and want to keep your existing basic
disks, click Cancel.
3. In the bottom right Disk Management pane, right-click in an area of unallocated
space on any of the dynamic disks that you want to be a part of the striped volume.
From the menu that appears, select Create Volume.
4. In the Create Volume Wizard dialog box, click Next.
5. Select the “Striped volume” option. Click Next.
6. In the Select Disks screen, highlight one or more dynamic disks from the “All
available dynamic disks” box to be included in your striped volume. Click Add. You
should now have two or more disks listed in the “Selected dynamic disks” box.
Highlight any disk in the “Selected dynamic disks” box and configure the amount
of disk space you want to be included in the striped volume.
Because striped volumes require identical amounts of disk space on each disk
in the volume, Windows 2000 will use the amount of disk space you configure
from each of the selected disks when it creates the striped volume. If the disks
that will make up the striped volume have unequal amounts of unallocated space,
the largest amount of space you can configure is the amount of unallocated
space from the disk that has the smallest amount of unallocated space. (This
maximum size is also the default setting.) The total size of the striped volume
will be the amount of disk space you select times the number of disks that make
up the volume. This total is displayed in the Total volume size text box after you
configure the size for all selected disks setting. Click Next.
7. The Assign Drive Letter or Path screen appears. Select and configure one of the
three options in this dialog box. (These options are explained in detail in Step 7
in the “Creating a Simple Volume” section.) Click Next.
8. The Format Volume screen appears. Select and configure the appropriate option.
(These options are explained in detail in Step 8 in the “Creating a Simple Volume”
section.) Click Next.
9. In the Completing the Create Volume Wizard screen, review the settings you have
selected. If the settings are correct, click Finish. If you want to change any of the
settings, click Back and make the appropriate changes. Windows 2000 creates
and formats the striped volume.

After Windows 2000 creates and formats the striped volume, it appears
in Disk Management with a listing of its characteristics, including the
name of the new volume, a drive letter or path, the amount of space on
each disk that is included in the striped volume, the file system the volume
is formatted with, and the word “Healthy.” A newly created striped volume
is shown in Figure 6-12. Notice that I chose to name this volume
“Striped,” and that it consists of three dynamic disks: Disk 1, Disk 2,
and Disk 3.

FIGURE 6-12 Newly created striped volume
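
The sizing rules in the “Creating a Spanned Volume,” “Extending a Simple or Spanned Volume,” and “Creating a Striped Volume” procedures can be checked with the following Python script: a spanned volume adds up whatever you allot on each disk; a striped volume takes the same amount from every disk, capped by the disk with the least unallocated space, times the number of disks; and only an NTFS simple or spanned volume that is not the system or boot partition can be extended, always into a spanned volume. It is an added example, not code from the book or from Disk Management. The unallocated-space figures for Disk 1, Disk 2 and Disk 3 are constructed, and spanned_volume_size, striped_volume_size and extended_volume_size are names chosen for this example.

```python
"""Capacity rules for spanned, striped and extended dynamic volumes.

Added example, not code from the book. Sizes are in MB, as the Create
Volume and Extend Volume wizards show them.
"""
from typing import Dict, Iterable, Optional

# Constructed sample: unallocated space, in MB, on three dynamic disks.
SAMPLE_UNALLOCATED_MB: Dict[str, int] = {"Disk 1": 4096, "Disk 2": 2048, "Disk 3": 8192}


def _check_allotment(disk: str, mb: int, unallocated_mb: Dict[str, int]) -> None:
    """A disk may contribute at most its own unallocated space, and at least 1 MB."""
    if disk not in unallocated_mb:
        raise ValueError(f"{disk} is not an available dynamic disk")
    if mb <= 0 or mb > unallocated_mb[disk]:
        raise ValueError(f"{disk}: {mb} MB is not within its {unallocated_mb[disk]} MB of unallocated space")


def spanned_volume_size(allotment_mb: Dict[str, int], unallocated_mb: Dict[str, int]) -> int:
    """Spanned volume: each disk contributes the amount you allot to it (the wizard's
    default is all of its unallocated space) and the total is simply the sum."""
    if len(allotment_mb) < 2:
        raise ValueError("a spanned volume needs two or more dynamic disks")
    for disk, mb in allotment_mb.items():
        _check_allotment(disk, mb, unallocated_mb)
    return sum(allotment_mb.values())


def striped_volume_size(disks: Iterable[str], unallocated_mb: Dict[str, int],
                        per_disk_mb: Optional[int] = None) -> int:
    """Striped volume: the same amount on every disk, so the total is that amount
    times the number of disks. The largest per-disk amount the wizard accepts (and
    its default) is the unallocated space on the selected disk that has the least."""
    disks = list(disks)
    if len(disks) < 2:
        raise ValueError("a striped volume needs two or more dynamic disks")
    for disk in disks:
        if disk not in unallocated_mb:
            raise ValueError(f"{disk} is not an available dynamic disk")
    max_per_disk = min(unallocated_mb[d] for d in disks)
    if per_disk_mb is None:
        per_disk_mb = max_per_disk  # the wizard's default
    if per_disk_mb <= 0 or per_disk_mb > max_per_disk:
        raise ValueError(f"per-disk size must be between 1 and {max_per_disk} MB for these disks")
    return per_disk_mb * len(disks)


def extended_volume_size(current_mb: int, file_system: str, is_system_or_boot: bool,
                         added_mb: Dict[str, int], unallocated_mb: Dict[str, int]) -> int:
    """Extending a simple or spanned volume onto more dynamic disks. Only NTFS volumes
    can be extended, the system and boot partitions never can, and the result is a
    spanned volume whose size is the old size plus every added allotment."""
    if file_system.upper() != "NTFS":
        raise ValueError("only NTFS-formatted simple or spanned volumes can be extended")
    if is_system_or_boot:
        raise ValueError("neither the system nor the boot partition can be extended")
    if not added_mb:
        raise ValueError("extending a volume requires at least one additional dynamic disk")
    for disk, mb in added_mb.items():
        _check_allotment(disk, mb, unallocated_mb)
    return current_mb + sum(added_mb.values())


if __name__ == "__main__":
    free = SAMPLE_UNALLOCATED_MB
    print("spanned, all three disks, defaults:", spanned_volume_size(free, free), "MB")
    print("striped, all three disks, default :", striped_volume_size(free, free), "MB")
    print("striped, Disk 1 + Disk 3, default :", striped_volume_size(["Disk 1", "Disk 3"], free), "MB")
    print("1024 MB NTFS volume extended onto Disk 2:",
          extended_volume_size(1024, "NTFS", False, {"Disk 2": 2048}, free), "MB")
```

With the sample figures, the same three disks give a 14,336MB spanned volume but only a 6,144MB striped volume, because Disk 2’s 2,048MB caps every member of the stripe; leaving Disk 2 out raises the stripe to 8,192MB. That is the capacity cost you trade for the faster access a striped volume offers, and it is worth working out before you click Finish, since the wizard only reports the total after you have sized every disk.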


Creating a Mirrored Volume

You’ll probably want to create a mirrored volume if you determine you
want the highest level of fault tolerance that Windows 2000 provides. To
create a mirrored volume, you need two dynamic disks.

TIP
You can only create and use mirrored volumes on Windows 2000 Server
and Advanced Server computers. Windows 2000 Professional does not
support mirrored volumes.

There are two different situations in which you can create a mirrored
volume:
■ You can create a mirrored volume from unallocated space on two
dynamic disks. This means you’re starting out with two dynamic
disks that have no data on them.
■ You can mirror an existing simple volume onto a second dynamic
disk that has enough unallocated space to contain the volume. In
this situation, you’re starting out with one disk that already has data
on it, and one additional dynamic disk that has no data on it.
In this section, I’ll list the steps to create a mirrored volume in each of
these situations.
I’ll also explain how to perform another common task associated with
mirrored volumes — creating a fault tolerance boot disk. When you mirror
the volume that contains your Windows 2000 Server/Advanced Server
installation folder (usually C:\Winnt), you should create a floppy disk that
will enable you to boot from your second hard disk should the first hard
disk in your mirrored volume fail. This floppy disk is called a fault tolerance
boot disk.
So, allow me to begin by explaining how to create a mirrored volume
on a Windows 2000 Server/Advanced Server computer by using two
dynamic disks that have no data on them.
STEP BY STEP

CREATING A MIRRORED VOLUME ON TWO BLANK DYNAMIC DISKS

1. Start Disk Management. (The steps to start Disk Management are listed in the
“Using Disk Management” section.)
2. If you have not previously upgraded all of your unpartitioned basic disks, the
Write Signature and Upgrade Disk Wizard appears. If either of the two disks you
want to use to create the mirrored volume are basic disks, you’ll need to upgrade
those disks to dynamic disks. If this is the case, use this wizard and the steps in
the “Upgrading a Disk from Basic to Dynamic” section earlier in this chapter. If
you already have the two dynamic disks on which you want to create a mirrored
volume and want to keep your existing basic disks, click Cancel.
3. In the bottom right Disk Management pane, right-click in an area of unallocated
space on either of the two dynamic disks that you want to be a part of the mirrored
volume. From the menu that appears, select Create Volume.
4. In the Create Volume Wizard dialog box, click Next.
5. Select the “Mirrored volume” option. Click Next.
6. The Select Disks screen appears.
Highlight one additional dynamic disk in the “All available dynamic disks” box. Click
Add. You should now have two disks listed in the “Selected dynamic disks” box.
Highlight any disk in the “Selected dynamic disks” box and configure the amount
of disk space you want to be included in the mirrored volume.
Because mirrored volumes require identical amounts of disk space on each disk
in the volume, Windows 2000 Server/Advanced Server will use the amount of
disk space you configure from each of the two selected disks when it creates the
mirrored volume. If the two disks that will make up the mirrored volume have
unequal amounts of unallocated space, the largest amount of space you can
configure is the amount of unallocated space from the disk that has the smallest
amount of unallocated space. (This maximum size is also the default setting.) The
total size of the mirrored volume will be the amount of disk space you select. This
total is displayed in the Total volume size text box after you configure the size for
all selected disks setting. Click Next.
7. The Assign Drive Letter or Path screen appears. Select and configure one of the
three options in this dialog box. (These options are explained in detail in Step 7
in the “Creating a Simple Volume” section.) Click Next.
8. The Format Volume screen appears. Select and configure the appropriate option.
(These options are explained in detail in Step 8 in the “Creating a Simple Volume”
section.) Click Next.
9. In the Completing the Create Volume Wizard screen, review the settings you
have selected. If the settings are correct, click Finish. If you want to change any
of the settings, click Back and make the appropriate changes. Windows 2000
Server/Advanced Server creates, formats, and resynchronizes the mirrored
volume. This process takes a while.

After Windows 2000 Server/Advanced Server creates, formats, and
resynchronizes the mirrored volume, it appears in Disk Management with
a listing of its characteristics, including the name of the new volume, a
drive letter or path, the identical amount of space on each disk that is
included in the volume, the file system the volume is formatted with, and
the word “Healthy.” A newly created mirrored volume is shown in Figure
6-13. Notice that I chose to name this volume “Mirrored,” and that it
consists of two dynamic disks, Disk 2 and Disk 3.

FIGURE 6-13 Newly created mirrored volume


STEP BY STEP

CREATING A MIRRORED VOLUME FROM A SIMPLE VOLUME AND A BLANK DYNAMIC DISK

1. Start Disk Management. (The steps to start Disk Management are listed in the
“Using Disk Management” section.)
2. If you have not previously upgraded all of your unpartitioned basic disks, the
Write Signature and Upgrade Disk Wizard appears. If the additional disk you want
to use to create the mirrored volume is a basic disk, you’ll need to upgrade that
disk to a dynamic disk. If this is the case, use this wizard and the steps in the
“Upgrading a Disk from Basic to Dynamic” section earlier in this chapter. If your
additional disk is already a dynamic disk and you want to keep your existing basic
disks, click Cancel.

TIP
If the disk that contains the volume (and data) you want to mirror is a
basic disk, you must upgrade that disk to a dynamic disk before you can
continue. Use the “Manually upgrading a basic disk to a dynamic disk”
step-by-step section earlier in this chapter to upgrade this disk.

3. In the bottom right Disk Management pane, right-click in the bar-shaped area that
represents the simple volume you want to mirror. From the menu that appears,
select Add Mirror.
4. In the Add Mirror dialog box, select the additional dynamic disk you want to use
to create the mirrored volume. Click Add Mirror. Windows 2000 Server/Advanced
Server creates and regenerates the mirrored volume. This process takes a while
because Windows 2000 has to copy all of the data from the original disk to the
second disk in the mirrored volume.

Creating a Fault Tolerance Boot Disk


As I mentioned earlier, a fault tolerance boot disk is a floppy disk that enables
you to boot your computer in the event that the first disk in your computer’s
mirrored volume fails. If the first disk in a mirrored volume fails, and if that
disk contains the Windows 2000 installation folder (usually C:\Winnt), you
will not be able to reboot your computer because the Boot.ini file points
to the first (and failed) hard disk. When this happens, in order to boot your
computer, you need to use a fault tolerance boot disk that contains an
edited Boot.ini file that points to the disk in the mirrored volume that is
still functional.

IN THE REAL WORLD


This may sound obvious, but you should create the fault tolerance boot
disk before the disk failure occurs. I even go so far as to recommend that
after you make the fault tolerance boot disk you tape it to the side of the
computer so you can easily locate it in the event of a disk failure.

Here are the steps to create your own fault tolerance boot disk. Also,
because you’ll need to edit the Boot.ini file during this process, I’ve
included some information on how to edit this file in the section that follows
these steps.

STEP BY STEP

CREATING A FAULT TOLERANCE BOOT DISK

1. Place a blank 3.5-inch floppy disk in your computer’s floppy disk drive. From the
desktop, select Start ➪ Programs ➪ Accessories ➪ Windows Explorer.
2. Click the + next to My Computer in the left pane. Right-click 3½ Floppy (A:),
and select Format from the menu that appears. You should perform this task
in Windows 2000, not in Windows 95 or Windows 98.
3. In the Format A:\ dialog box, click Start.

TIP
I recommend that you don’t select the quick format option for this task,
because you want to ensure that Windows 2000 will detect and com-
pensate for any and all errors on the disk.

4. A warning dialog box appears, indicating that all data on the disk will be erased.
Click OK.
5. Windows 2000 displays a message that the format is complete. Click OK.
6. In the Format A:\ dialog box, click Close.
7. In Windows Explorer, select Tools ➪ Folder Options. Click the View tab, and in the
Advanced settings box, select the “Show hidden files and folders” option. Then,
clear the check boxes next to “Hide file extensions for known file types,”
and “Hide protected operating system files.” In the warning dialog box, click Yes.
Click OK.
8. Use Windows Explorer to copy the Ntldr, Ntdetect.com, and Boot.ini
files from the first hard disk in your computer (usually C:\) to the floppy disk.
Also copy Bootsect.dos to the floppy disk if your computer is configured to
dual boot, and copy Ntbootdd.sys to the floppy disk if this file exists in the
root of your computer’s system partition. (The Ntbootdd.sys file is a renamed
copy of the driver for your computer’s hard disk controller. This file will exist in
your system partition only if you have entries in your Boot.ini file that begin
with scsi.)
9. Use a text editor, such as Notepad, to edit the Boot.ini file on the floppy disk
(not the Boot.ini file on your hard drive) to point at the second disk in the
mirrored volume, instead of at the first disk. (The next section of this chapter
discusses how to edit the Boot.ini file.)

Editing the Boot.ini File


The Boot.ini file is a hidden file in the root of the first hard disk in the
computer. This file is critical to the boot process. Windows 2000 uses this
file to create the boot loader operating system selection menu that is
displayed when Windows 2000 starts. The Boot.ini file also informs
Windows 2000 of the location of your Windows 2000 installation folder. If
this file is incorrectly configured, your computer won’t boot.
In the previous section, I discussed how you can copy this file to a
floppy disk when creating a fault tolerance boot disk. In this section, I’ll
explain how to edit the copy of the Boot.ini file on the floppy disk, not
the Boot.ini file on your computer’s hard disk.

CAUTION
If you edit the Boot.ini file on your computer’s hard disk, your
computer may no longer be bootable.

You can use any text editor, such as Notepad, to edit the Boot.ini file.
However, before you go on to edit this file, you might want to take a
closer look at it to understand its structure and syntax. I’ve reproduced a
sample Boot.ini file in Listing 6-1.
LISTING 6-1 Sample Boot.ini File

[boot loader]
timeout=30
default=scsi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
scsi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server"
C:\="Microsoft Windows"

Note that there are two sections to the Boot.ini file: [boot loader]
and [operating systems].
The first section, [boot loader], contains two entries. The first entry,
timeout, specifies how long, in seconds, the boot loader operating system
selection menu is displayed when the computer boots. The default timeout
is thirty seconds. The second entry, default, specifies which operating
system loads if no selection is made within the timeout period.
The second section of the Boot.ini file, [operating systems], first
lists entries consisting of ARC (Advanced RISC Computing) paths to various
operating systems. Only Windows 2000 and Windows NT use ARC paths
in the Boot.ini file to indicate which partition, physical disk, and folder
contains the files used to start the operating system. Next, the drive letter
and path to any other operating systems are listed. The operating system
named at the end of each [operating systems] entry, after the = sign
(whether it is an ARC path entry or not), is the operating system displayed
in the boot loader operating system selection menu.
There are two types of ARC path entries: multi and scsi. The terms
multi and SCSI refer to the type of hard disk that is listed in the ARC path.

TIP
The term scsi is normally presented in lowercase when it is used to indi-
cate an ARC path. It is normally presented in uppercase when it is used
to refer to a disk, adapter, or controller.

All hard disks that can be detected by the computer’s BIOS, or by the
BIOS on a SCSI adapter, are referred to as multi. All hard disks connected
to SCSI adapters that do not have their BIOS enabled are referred to as
SCSI. SCSI disks require a device driver to be loaded before the operating
system can access the disk. The Windows 2000 installation program copies
the device driver for a SCSI adapter to the root of the system partition, and
renames the file as Ntbootdd.sys.
The syntax of [operating systems] entries that begin with multi
is as follows:
multi(W)disk(X)rdisk(Y)partition(Z)\path

■ W is the ordinal number of the adapter. It should always be zero.
■ X is not used for multi entries. It is always zero.
■ Y is the ordinal for the hard disk on the controller. It is always 0 or
1 for disks connected to the primary controller, including SCSI
adapters that have their BIOS enabled.
■ Z is the partition number. The range of Z is usually 1–4.
■ \path is the path to the folder that contains the Windows 2000
installation, usually \Winnt.
The syntax of [operating systems] entries that begin with scsi is
as follows:
scsi(W)disk(X)rdisk(Y)partition(Z)\path

■ W is the ordinal number of the adapter.
■ X is the SCSI ID of the disk.
■ Y is the logical unit number (LUN) of the disk. It is usually zero.
■ Z is the partition number. The range of Z is usually 1–4.
■ \path is the path to the folder that contains the Windows 2000
installation, usually \Winnt.
Entries in the [operating systems] section that begin with scsi
are typically used in four types of situations:
■ When the hard disk containing the system partition is on a SCSI
adapter that does not have its BIOS enabled
■ When the hard disk containing the system partition is on a SCSI
adapter and has a SCSI ID greater than one
■ When the hard disk containing the system partition is on a SCSI
adapter and there is an IDE or EIDE controller in the computer
■ When the computer contains three or more IDE hard disks
You may be wondering why the syntax in the Boot.ini file includes
partition numbers, when we’re dealing with dynamic disks in a mirrored
volume. Well, in a nutshell, Windows 2000 can only be installed on a
partitioned basic disk, and when this basic disk is upgraded to a dynamic
disk, Windows 2000 retains and continues to use the partition information.
In fact, whenever you upgrade a partitioned basic disk to a dynamic disk,
partition information is retained.
Now that you understand the structure of the Boot.ini file, and the
types of entries and syntax used in this file, you’re ready to edit it.
Figure 6-14 illustrates the disks on a computer named LOTSADISKS on
which I’ve created a mirrored volume that consists of Disk 0 and Disk 1.
Both the boot and system partitions are located on the first disk (Disk 0),
and use the drive letter C:. LOTSADISKS uses a dual-channel EIDE
controller with four IDE hard disks attached.

FIGURE 6-14 New mirrored volume

I decide that I want to create a fault tolerance boot disk so I can reboot
the computer in the event that Disk 0 fails. I follow the steps outlined in
the “Creating a fault tolerance boot disk” step-by-step section up to the
point where I edit the Boot.ini file on my floppy disk. The Boot.ini
file on my floppy disk (before editing) looks like Listing 6-2.
LISTING 6-2 Boot.ini File before Editing

[boot loader]
timeout=30
default=scsi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
scsi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server"
C:\="Microsoft Windows"

In this situation, I need to edit the Boot.ini file on my floppy disk so
that it will start Windows 2000 from Disk 1 instead of from Disk 0 in the
event that Disk 0 fails. (The Boot.ini file must point to Disk 1 because if
Disk 0 fails, Disk 1 will be the only disk in the mirrored volume that still
works.)
Now, you may be wondering, how do I know what specific entries to
change in my Boot.ini file? Well, I cheat. In the bottom right pane in
Disk Management I right-click the gray area at the left end of the bar
graph that says Disk 1, and then select Properties from the menu that
appears. This brings up the Disk 1 Properties dialog box, which is shown in
Figure 6-15. Notice the information displayed for the Device Type entry.
This information identifies a port number (Port 0) which corresponds to
the number that should appear to the right of scsi (or multi, depending
on your Boot.ini file). The Target ID, in this case, 1, corresponds to the
number that should appear after disk in the boot.ini file. The LUN
entry, in this case, 0, corresponds to the number that should appear after
rdisk in the boot.ini file. And finally, I know which partition number
to use because there is only one partition on Disk 1, and partitions are
numbered beginning with the number 1.
So, I use this information to construct an edited ARC path for my
Boot.ini file:

scsi(0)disk(1)rdisk(0)partition(1)

To edit my Boot.ini file, I use Notepad and change the following
entries:
1. In the default entry in the [boot loader] section, I change
disk(0) to disk(1)
2. In the scsi entry in the [operating systems] section, I change
disk(0) to disk(1)
FIGURE 6-15 The Disk 1 Properties dialog box

The edited version of my Boot.ini file on my newly created fault
tolerance boot disk is presented in Listing 6-3.
LISTING 6-3 Edited Boot.ini File on Fault Tolerance Boot Disk

[boot loader]
timeout=30
default=scsi(0)disk(1)rdisk(0)partition(1)\WINNT
[operating systems]
scsi(0)disk(1)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server"
C:\="Microsoft Windows"

Notice that the ARC path in both the [boot loader] and [operating
systems] sections now points to Disk 1 instead of Disk 0. In the event that
Disk 0 in LOTSADISKS fails, I can use my fault tolerance boot disk to boot
to Disk 1.
Finally, there are several optional switches you can add at the end of an
[operating systems] entry in a Boot.ini file. Table 6-3 lists and
describes these switches. These switches are not case sensitive — you can
type them in either uppercase or lowercase.
TIP
These switches are not typically used when creating a fault tolerance boot
disk. However, because they are used frequently during troubleshooting,
and because this is the only section of this book that addresses the
Boot.ini file in detail, I’ve covered the switches here.

TABLE 6-3 Boot.ini File Switches

Switch            Description

/BASEVIDEO        This switch causes the computer to use the standard VGA
                  driver when it starts, and is useful in troubleshooting
                  video driver problems.

/FASTDETECT=COMx  This specifies that the indicated serial port will not be
  | COMx,y,z      tested for the presence of a mouse, but that all other
                  serial ports will be tested. The default setting in
                  Boot.ini files is /FASTDETECT with no serial ports
                  specified. This default setting, with no serial ports
                  specified, causes Windows 2000 to skip the mouse
                  detection process entirely.

/MAXMEM:n         This switch specifies the maximum amount of memory that
                  Windows 2000 can use. It is useful for troubleshooting
                  memory problems.

/NOGUIBOOT        This switch causes Windows 2000 to boot without
                  displaying the graphical boot status screen. In theory,
                  using this switch is supposed to shorten the time
                  required to start Windows 2000. However, when you use
                  this switch it seems to actually take longer to boot,
                  because you don’t see any status indicators during the
                  boot process.

/SOS              This switch provides a verbose listing of each device
                  driver as it is loaded during the boot sequence. It is
                  useful for troubleshooting device drivers.

Creating a RAID-5 Volume


You might want to create a RAID-5 volume if you determine you want
faster speed of access to files than you can get by using a simple or spanned
volume, and you also want a modest level of fault tolerance. To create a
RAID-5 volume, you need three or more dynamic disks.
TIP
You can only create and use RAID-5 volumes on Windows 2000 Server
and Advanced Server computers. Windows 2000 Professional does not
support RAID-5 volumes.

STEP BY STEP

CREATING A RAID-5 VOLUME

1. Start Disk Management. (The steps to start Disk Management are listed in the
“Using Disk Management” section.)
2. If you have not previously upgraded all of your unpartitioned basic disks, the
Write Signature and Upgrade Disk Wizard appears. If the disks you want to
use to create the RAID-5 volume are basic disks, you’ll need to upgrade those
disks to dynamic disks. If this is the case, use this wizard and the steps in the
“Upgrading a Disk from Basic to Dynamic” section earlier in this chapter. If you
already have the dynamic disks on which you want to create the RAID-5 volume
and want to keep your existing basic disks, click Cancel.
3. In the bottom right Disk Management pane, right-click in an area of unallocated
space on any of the dynamic disks that you want to be a part of the RAID-5
volume. From the menu that appears, select Create Volume.
4. In the Create Volume Wizard dialog box, click Next.
5. Select the “RAID-5 volume” option. Click Next.
6. In the Select Disks screen, highlight two or more dynamic disks from the
“All available dynamic disks” box to be included in your RAID-5 volume. Click
Add. You should now have three or more disks listed in the “Selected dynamic
disks” box.
Highlight any disk in the “Selected dynamic disks” box and configure the amount
of disk space you want to be included in the RAID-5 volume.
Because RAID-5 volumes require identical amounts of disk space on each disk
in the volume, Windows 2000 Server/Advanced Server will use the amount of disk
space you configure from each of the selected disks when it creates the RAID-5
volume. If the disks that will make up the RAID-5 volume have unequal amounts of
unallocated space, the largest amount of space you can configure is the amount of
unallocated space from the disk that has the smallest amount of unallocated space.
(This maximum size is also the default setting.) The total size of the RAID-5 volume
will be the amount of disk space you select times one less than the total number of
disks that make up the volume. This total is displayed in the Total volume size text
box after you configure the size for all selected disks setting. Click Next.
7. The Assign Drive Letter or Path screen appears. Select and configure one of the
three options in this dialog box. (These options are explained in detail in Step 7
in the “Creating a Simple Volume” section.) Click Next.
8. The Format Volume screen appears. Select and configure the appropriate option.
(These options are explained in detail in Step 8 in the “Creating a Simple Volume”
section.) Click Next.
9. In the Completing the Create Volume Wizard screen, review the settings you
have selected. If the settings are correct, click Finish. If you want to change any
of the settings, click Back and make the appropriate changes. Windows 2000
Server/Advanced Server creates and formats the RAID-5 volume. This process
may take a while, because Windows 2000 must first create the volume, then
format the volume, and finally generate parity information (which Windows
2000 refers to as “Regenerating”).

After Windows 2000 Server/Advanced Server creates, formats, and
regenerates the RAID-5 volume, it appears in Disk Management with a
listing of its characteristics, including the name of the new volume, a drive
letter or path, the identical amount of space on each disk that is included in
the RAID-5 volume, the file system the volume is formatted with, and the
word “Healthy.” A newly created RAID-5 volume is shown in Figure
6-16. Notice that I chose to name this volume “RAID-5,” and that it
consists of three dynamic disks: Disk 1, Disk 2, and Disk 3.
Also notice in Figure 6-16 that the capacity of this RAID-5 volume,
which is shown in the Capacity column in the top right Disk Management
pane, is two-thirds of the total capacity of the three disks that make up the
RAID-5 volume. The total capacity is less than the sum total of the
capacity of each of the three disks because the equivalent of one of the disks in
the RAID-5 volume is used by Windows 2000 Server/Advanced Server
for parity information.
Finally, notice in Figure 6-16 that the Fault Tolerance column for the
RAID-5 volume (in the top Disk Management pane) displays “yes”
because a RAID-5 volume provides a medium amount of fault tolerance.
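To show where the wizard's sizing rules and the "one disk's worth of parity" come from, here is an added Python example (not code from the book) that sizes striped, mirrored and RAID-5 volumes the way the chapter describes, then stripes constructed data across three simulated disks with rotating XOR parity and rebuilds any one lost disk from the other two, which is the property that lets a RAID-5 volume keep serving data after a single disk failure. The disk sizes, the data and all function names are mine.

```python
"""Volume sizing per the chapter, plus a small RAID-5 simulation showing why
the volume tolerates the loss of exactly one disk.  Added example, not code
from the book; sizes, data and function names are constructed."""
from functools import reduce

BLOCK = 4  # bytes per block in the simulation (tiny, to keep output readable)


def max_per_disk(unallocated):
    """The wizard's default and maximum per-disk amount: the unallocated space
    on the disk that has the least of it."""
    return min(unallocated)


def volume_size(kind, per_disk, disk_count):
    """Total volume size from the per-disk amount, as the chapter states:
    striped = amount x disks, mirrored = amount, RAID-5 = amount x (disks - 1)."""
    if kind == "striped":
        return per_disk * disk_count
    if kind == "mirrored":
        if disk_count != 2:
            raise ValueError("a mirrored volume uses exactly two disks")
        return per_disk
    if kind == "raid5":
        if disk_count < 3:
            raise ValueError("a RAID-5 volume needs three or more disks")
        return per_disk * (disk_count - 1)
    raise ValueError("unknown volume kind: %s" % kind)


def _xor(blocks):
    """Byte-wise XOR of equal-length blocks (the parity operation)."""
    return bytes(reduce(lambda a, b: a ^ b, bs) for bs in zip(*blocks))


def raid5_write(data, disk_count):
    """Stripe data across disk_count disks.  Each stripe holds disk_count - 1
    data blocks plus one parity block; the parity position rotates so no single
    disk carries all the parity.  Returns one list of blocks per disk."""
    if disk_count < 3:
        raise ValueError("a RAID-5 volume needs three or more disks")
    n_data = disk_count - 1
    stripe_bytes = BLOCK * n_data
    data = data + b"\0" * (-len(data) % stripe_bytes)  # pad to whole stripes
    disks = [[] for _ in range(disk_count)]
    for s in range(len(data) // stripe_bytes):
        chunk = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[j * BLOCK:(j + 1) * BLOCK] for j in range(n_data)]
        parity_pos = (disk_count - 1 - s) % disk_count
        blocks.insert(parity_pos, _xor(blocks))
        for d in range(disk_count):
            disks[d].append(blocks[d])
    return disks


def raid5_read(disks):
    """Reassemble the stored data, skipping each stripe's parity block."""
    n = len(disks)
    out = b""
    for s, stripe in enumerate(zip(*disks)):
        parity_pos = (n - 1 - s) % n
        out += b"".join(b for i, b in enumerate(stripe) if i != parity_pos)
    return out


def regenerate_disk(disks, failed):
    """Rebuild one failed disk from the survivors: in every stripe the missing
    block, whether data or parity, is the XOR of the remaining blocks."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [_xor(stripe) for stripe in zip(*survivors)]


def read_with_failed_disk(disks, failed):
    """What the volume still returns after one disk dies: regenerate that
    disk's blocks from the survivors, then read normally."""
    repaired = list(disks)
    repaired[failed] = regenerate_disk(disks, failed)
    return raid5_read(repaired)


if __name__ == "__main__":
    free = [4000, 3000, 5000]  # constructed unallocated space on three disks
    per = max_per_disk(free)
    for kind, n in (("striped", 3), ("mirrored", 2), ("raid5", 3)):
        print(kind, "volume size:", volume_size(kind, per, n))
    payload = b"The quick brown fox jumps over the lazy dog"
    disks = raid5_write(payload, 3)
    stored = sum(len(b) for d in disks for b in d)
    print("bytes stored:", stored, "data bytes:", len(raid5_read(disks)))
    print("after Disk 2 fails:", read_with_failed_disk(disks, 2).rstrip(b"\0"))
```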
Now that you’re up to speed on basic disk management tasks, I want to
move on to using Disk Defragmenter, and then to troubleshooting disks
and volumes. Then I’ll explain how to recover from disk failures.
FIGURE 6-16 Newly created RAID-5 volume

Using Disk Defragmenter


Disk Defragmenter, like Disk Management, is a graphical Windows 2000
tool that is a snap-in to the Microsoft Management Console (MMC). Disk
Defragmenter is used to analyze volumes, and to defragment these volumes
when necessary. You must be a member of the Administrators group in
order to use Disk Defragmenter.
A file is considered to be fragmented when it is not stored in consecutive
segments in a volume, but rather is stored in diverse segments located
throughout the volume. Fragmented files take longer to load than files
that aren’t fragmented. You can use Disk Defragmenter to determine
whether the files in a particular volume are fragmented enough to warrant
defragmenting the volume.
Disk analysis and defragmentation is an important part of an overall
network preventive maintenance plan. Consider analyzing and/or
defragmenting volumes on servers at least once a week. Also, depending
on your client computers’ use, you should consider analyzing and/or
defragmenting volumes on Windows 2000 Professional computers at least
once a month.
I recommend that you use Disk Defragmenter only during times when
no one else is accessing the server. Disk Defragmenter’s functions can take
a significant amount of time to complete. This means that service to clients
during these times can be seriously slowed or interrupted.

CAUTION
Because running Disk Defragmenter can slow or interrupt service to
clients, I recommend that you perform disk defragmentation tasks during
nonbusiness hours whenever possible, just as you would other adminis-
trative tasks on a server.

Disk Defragmenter can only be used on the local computer. You can’t
use this tool to remotely defragment disks on another computer.
Two of the most common ways to start Disk Defragmenter are described
in the steps that follow.

STEP BY STEP

STARTING DISK DEFRAGMENTER — METHOD 1

1. From the desktop, select Start ➪ Programs ➪ Administrative Tools ➪ Computer
Management. This starts the Microsoft Management Console (MMC).
2. In the left pane of the Computer Management dialog box, click Disk Defragmenter.
(If Storage is not already expanded so that Disk Defragmenter appears in the list,
click the + next to Storage.)

STARTING DISK DEFRAGMENTER — METHOD 2

1. From the desktop, right-click My Computer. Select Manage from the menu
that appears.
2. In the left pane of the Computer Management dialog box, click Disk Defragmenter.
(If Storage is not already expanded so that Disk Defragmenter appears in the list,
click the + next to Storage.)

Figure 6-17 shows the Disk Defragmenter tool. Notice the Analyze and
Defragment command buttons in the right pane of this window.
Using Disk Defragmenter, both to analyze and defragment volumes, is
very straightforward.
FIGURE 6-17 The Disk Defragmenter tool

STEP BY STEP

USING DISK DEFRAGMENTER TO ANALYZE AND DEFRAGMENT A VOLUME

1. Start Disk Defragmenter (see the preceding steps).
2. Highlight the volume you want to analyze from the list of volumes displayed at the
top of the right pane in the window. Click Analyze.
3. Disk Defragmenter analyzes the volume and displays the Analysis Complete
dialog box, which recommends whether or not to defragment the volume. Within
this dialog box, you can click View Report to view the detailed results of the vol-
ume analysis, as shown in Figure 6-18.
Notice that the report includes a list of fragmented files found in the volume.
If you decide to defragment the volume, click Defragment.
4. Disk Defragmenter defragments the volume, and then displays the Defragmentation
Complete dialog box. Within this dialog box, you can click View Report to view the
detailed results of the disk defragmentation. This report looks nearly identical to
the analysis report that Disk Defragmenter creates when it analyzes a volume.
Click Close.

FIGURE 6-18 Disk Defragmenter analysis report

TIP
You can defragment a volume without first analyzing it, if you want to.
To do this, start Disk Defragmenter, highlight the volume you want to
defragment, and click Defragment.

Disk Defragmenter does not provide the ability to schedule defragmentation
of volumes, nor to perform defragmentation on a remote computer.
If you want these capabilities, you’ll need to use a third-party utility, such
as Executive Software’s Diskeeper. For more information on this product,
visit the Diskeeper Web site at http://www.diskeeper.com.

Using Logical Drives


Logical Drives, like Disk Management and Disk Defragmenter, is a graphical
Windows 2000 tool that is a snap-in to the Microsoft Management Console
(MMC). Logical Drives enables you to view logical drive properties, change
a logical drive’s label, and configure several types of security settings on a log-
ical drive, including access permissions, ownership, audit entries, and special
permissions.The term logical drive, as it is used in this application, refers to any
volume or network-connected drive that is assigned a drive letter.
Viewing a logical drive’s properties and changing its label are easy tasks
to accomplish.

STEP BY STEP

VIEWING THE PROPERTIES AND CHANGING THE LABEL OF A LOGICAL DRIVE

1. From the desktop, select Start ➪ Programs ➪ Administrative Tools ➪ Computer
Management.
2. In the left pane of the Computer Management dialog box, click Logical Drives.
A graphical listing of all of the logical drives on the computer, both local and
network connected, is displayed, as shown in Figure 6-19. Notice that the net-
work-connected logical drives use a different icon than the local logical drives.

FIGURE 6-19 Logical Drives


Also notice the various information displayed about each of the logical drives,
including the type of logical drive, and whether the logical drive is local or is
mapped to a shared network drive.
3. To view the properties of a specific logical drive, right-click the logical drive in the
right pane, and select Properties from the menu that appears. The properties of
the logical drive are displayed, as shown in Figure 6-20. Notice the information
that is displayed, including the drive’s label, its type, the type of file system the
logical drive uses, the logical drive’s used and free space, and its capacity.

FIGURE 6-20 Logical drive properties

4. To change the label of the logical drive, type a new label in the Label text box, and
click OK.

Troubleshooting Disks and Volumes


Unfortunately, troubleshooting disks and volumes is a fairly common
administrative task. Disk Management is not only the primary Windows 2000 disk
configuration tool, it is also the primary Windows 2000 disk troubleshooting
tool. Disk Management is particularly useful for providing information
about disks and volumes that you can use to diagnose disk problems.
Figure 6-21 shows the graphical information Disk Management displays
about a normal, healthy disk and the normal, healthy volume it contains.
Notice that Disk Management provides the following information about
the disk:
■ The number of the disk
■ The type of disk (Basic or Dynamic)
■ The capacity of the disk
■ The status of the disk (Online, Offline, and so on)

FIGURE 6-21 Normal disk and normal volume

Also notice in Figure 6-21 that Disk Management provides the following
information about the volume that the disk contains:
■ The name of the volume, if it has one, and its drive letter
■ The size of the volume
■ The status of the volume (Healthy, Failed, and so on)
What I want to focus on in this section is the status of the disk and volume.
The status that Disk Management displays is of primary importance when
troubleshooting a disk or volume. Once you determine the status of a disk or
volume you can often diagnose and correct the problem.
Table 6-4 lists and describes the possible status values that Disk
Management can display for disks, as well as the steps you can take when
trying to fix a disk problem. The commands listed in the table can be
accessed by right-clicking the disk in question and selecting the command
from the menu that appears.
TABLE 6-4 Possible Disk Status Values

Online
Description: This is the normal status displayed for a basic or dynamic disk that is both accessible and has no known problems.
What you should do: Nothing.

Foreign
Description: This status indicates that a dynamic disk from another Windows 2000 computer has been installed in this computer, but that the disk has not yet been set up for use on this computer.
What you should do: To set up the disk and achieve Online status, use the Import Foreign Disks command in Disk Management.

No Media
Description: This status, which applies only to removable media drives, indicates that there is no media in the drive.
What you should do: Nothing, or place the appropriate media in the drive.

Offline
Description: This status indicates that a dynamic disk is not accessible. It may be unavailable, missing, or corrupted.
What you should do: You may be able to use the Reactivate Disk command in Disk Management to bring the disk back Online. If the disk name displayed is “Missing,” and you have removed the disk from the computer, you should use the Remove Disk command so that Disk Management will no longer display information on this disk.

Online (Errors)
Description: This status indicates that I/O errors have been found on a portion of a dynamic disk.
What you should do: If these errors are transient, you may be able to return the disk to the Online status by using the Reactivate Disk command in Disk Management.

Unreadable
Description: This status indicates that a basic or dynamic disk is not accessible, due to hardware failure, I/O errors, or corruption.
What you should do: Try using the Rescan Disks command in Disk Management or rebooting your computer to change the disk status. If these steps don’t work, you may need to replace the disk.

Unrecognized
Description: This status indicates that the disk is an Unknown disk type, and that it has an OEM signature that causes Disk Management to prevent you from using the disk. Most likely the disk was formatted and/or configured by an incompatible operating system, such as UNIX.
What you should do: Use a disk that is compatible with your computer and with Windows 2000. Or, if you’re not worried about losing data on this disk, you can try performing a low-level format using the disk controller’s utilities. If you perform a low-level format, all data on this disk will be lost, and the disk can potentially become unusable. Performing a low-level format is a last resort.

Table 6-5 lists and describes the possible status values that Disk
Management can display for volumes, and the actions you can take to
correct a volume problem.
TABLE 6-5 Possible Volume Status Values

Healthy
Description: This is the normal status displayed for a volume that is both accessible and has no known problems.
What you should do: Nothing.

Healthy (Boot)
Description: This is the normal status displayed for a volume that is contained in the active, primary partition on the computer’s first hard disk. The volume is accessible and has no known problems.
What you should do: Nothing.

Healthy (System)
Description: This is the normal status displayed for a volume that contains the Windows 2000 installation folder, is accessible, and has no known problems. If the system volume and boot volume are the same, this volume will be called Healthy (Boot), not Healthy (System).
What you should do: Nothing.

Failed
Description: This status indicates that the volume can’t be automatically started. Make sure that the physical disk is plugged in, powered on, and attached to the computer.
What you should do: If the disk that contains this volume is Offline, you may be able to bring the disk back Online by using the Reactivate Disk command in Disk Management. If the disk that contains this volume is Online, you may be able to use the Reactivate Volume command to return the volume to a Healthy status.

Failed Redundancy
Description: This status indicates that a volume no longer has any fault tolerance because one of the disks in the fault-tolerant volume is Offline. This status is only possible for mirrored or RAID-5 volumes.
What you should do: Because the volume no longer has any fault tolerance, you can continue operations, but should repair the volume as soon as possible.

Failed Redundancy (At Risk)
Description: This status indicates that a volume no longer has any fault tolerance and that I/O errors have been detected on one of the disks in the fault-tolerant volume. This status is only possible for mirrored or RAID-5 volumes.
What you should do: If the disk’s status value is Online (Errors), try using the Reactivate Disk command in Disk Management to bring the disk back Online. Because the volume no longer has any fault tolerance, you can continue operations, but should repair the volume as soon as possible.

Healthy (At Risk)
Description: This status indicates that I/O errors have been found on the dynamic disk that contains this volume.
What you should do: If the disk status is Online (Errors), you may be able to return the disk to the Online status by using the Reactivate Disk command in Disk Management.

Initializing
Description: This status indicates that a dynamic volume is being initialized. This is a normal status. Disk Management displays this status during initialization, and then displays a status of Healthy.
What you should do: Wait for the status to change to Healthy.

Regenerating
Description: This status indicates that data and parity are being regenerated for a RAID-5 volume. This is a normal status. Disk Management displays this status during regeneration, and then displays a status of Healthy for the RAID-5 volume.
What you should do: Wait for the status to change to Healthy.

Resynching
Description: This status indicates that the mirrors in a mirrored volume are being resynchronized so that both contain identical data. This is a normal status. Disk Management displays this status during resynchronization, and then displays a status of Healthy for the mirrored volume.
What you should do: Wait for the status to change to Healthy.

One of the most common hard disk problems is disk failure. Once you
troubleshoot the problem, you’ve got to fix it. The next section of this
chapter is devoted entirely to recovering from disk failure.

Recovering from Disk Failure


So what do you do when it all comes crashing down — when the remote
possibility of disk failure that you planned for, but never thought would
actually happen, is a painful reality?
This section provides information on how to recover from a single or
multiple hard disk failure. Specifically, you’ll learn how to recover from
disk failure in situations where a simple volume, spanned volume, striped
volume, mirrored volume, and RAID-5 volume are used.

EXAM TIP
The Server exam has an objective on recovering from disk failure. Because
you may not get a lot of practice at this in real life, I recommend that you
study this section carefully, and revisit it just before you take the exam.

In the case of a mirrored or RAID-5 volume, your disk configuration
may enable you to continue operations (but without any fault tolerance)
until you can replace the failed hard disk and restore your fault tolerance
configuration.
In the case of a simple volume, spanned volume, striped volume, or
multiple hard disk failure, you must repair the hardware and restore your
data from tape to continue operations. If you don’t have a tape backup in
these situations, Windows 2000 will not be able to recover your data.
CROSS-REFERENCE
Tape backup is critically important. For more information on data backup
and restoration, see Chapter 14.

When you have a disk failure (or a multiple disk failure in the case of a
mirrored or RAID-5 volume), and you don’t have a tape backup, you
might consider using a third-party data recovery service if the data is
extremely important or valuable to you. The data recovery service may be
able to retrieve some of your data from the failed disk(s). Be forewarned,
however, that this process is expensive and takes time to complete.
Before you perform any of the steps in the following sections to recover
from a failed hard disk, I recommend that you back up all existing partitions
and volumes on the computer with the failed disk. I say this because I’ve
accidentally deleted perfectly good data on a healthy volume while trying
to repair/recover from a failed hard disk. But hey, no one’s perfect.

CAUTION
Take extreme care when using Disk Management — it’s easy to delete
a partition or volume that contains important data. Remember that
reformatting a partition or volume will also delete existing data.

The next several sections explain the detailed steps you can take to recover
from disk failure in situations where simple volumes, spanned volumes,
striped volumes, mirrored volumes, and RAID-5 volumes are involved.

Recovering a Simple Volume


Recovering from a failed disk that contains a simple volume is fairly
straightforward. If you don’t have a backup of the files in the simple
volume, Windows 2000 can’t recover your data. If you have a tape backup,
follow these steps to recover from the disk failure.

STEP BY STEP

RECOVERING A SIMPLE VOLUME

1. Start Disk Management. Determine the disk that has failed — the failed disk will
appear with a status of Offline, and the failed volume may show a status of Failed.
2. Replace the failed hard disk.
3. Reboot the computer to Windows 2000. If the disk that failed contained your
Windows 2000 installation, you will have to reinstall Windows 2000 at this point.
Because Windows 2000 will create a new volume during the installation process,
after reinstalling Windows 2000, skip to Step 6.
4. Start Disk Management.
5. Use the steps in the “Creating and formatting a simple volume” step-by-step
section earlier in this chapter to create and format a replacement simple volume
on the new hard disk.
6. Restore all data from tape.

Recovering a Spanned Volume


Recovering from a failed disk (or disks) in a spanned volume is slightly more
complicated than recovering from a simple volume, but is not too difficult.
If you don’t have a backup of the files in the spanned volume, Windows
2000 can’t recover your data. If you have a tape backup, follow these steps
to recover from the disk failure.
Many of the steps in this section can’t be performed remotely — you
must perform them on the computer that has the failed hard disk.

STEP BY STEP

RECOVERING A SPANNED VOLUME


1. Start Disk Management. Determine the disk (or disks) that has failed — the failed
disk (or disks) will appear with a status of Offline, and the failed volume may show
a status of Failed.
2. Replace the failed hard disk or disks.
3. Reboot the computer to Windows 2000.
4. Start Disk Management.
5. The Write Signature and Upgrade Disk Wizard appears. Use this wizard and the
steps in the “Upgrading a Disk from Basic to Dynamic” section earlier in this
chapter to upgrade the new hard disk or disks.
6. If you are recovering from a single disk failure, your nonfailed disk(s) will still
contain part of the original spanned volume. The partial volume on these disk(s)
must be deleted. In the bottom right pane of Disk Management, right-click the
bar-shaped area that represents the remaining portion of the spanned volume —
this area will show a status of Failed. From the menu that appears, select Delete Volume.
7. In the Delete Spanned Volume warning dialog box, click Yes. Windows 2000
deletes the remaining portion of the spanned volume.
8. Now that you’ve deleted the remaining portion of the spanned volume, you can
delete the Disk Management listing of the failed hard disk that you replaced in
Step 2. The listing for this disk appears at the bottom of the bottom right pane
in Disk Management with a name of Missing and a status of Offline. Right-click
this disk, and select Remove Disk from the menu that appears. Disk Management
removes the listing for this disk.
9. Use the steps in the “Creating a new spanned volume” step-by-step section
earlier in this chapter to create a new spanned volume.
10. Restore all data from tape.

Recovering a Striped Volume


Recovering from a failed disk (or disks) in a striped volume is similar to
recovering from a failed disk in a spanned volume.
If you don’t have a backup of the files in the striped volume, Windows
2000 can’t recover your data. If you have a tape backup, follow these steps
to recover from the disk failure.
Many of the steps in this section can’t be performed remotely — you
must perform them on the computer that has the failed hard disk.

STEP BY STEP

RECOVERING A STRIPED VOLUME

1. Start Disk Management. Determine the disk (or disks) that has failed — the failed
disk (or disks) will appear with a status of Offline, and the failed volume may show
a status of Failed.
2. Replace the failed hard disk or disks.
3. Reboot the computer to Windows 2000.
4. Start Disk Management.
5. The Write Signature and Upgrade Disk Wizard appears. Use this wizard and the
steps in the “Upgrading a Disk from Basic to Dynamic” section earlier in this
chapter to upgrade the new hard disk or disks.
6. If you are recovering from a single disk failure, your nonfailed disk(s) will still
contain part of the original striped volume. The partial volume on these disk(s)
must be deleted. In the bottom right pane of Disk Management, right-click the
bar-shaped area that represents the remaining portion of the striped volume —
this area will show a status of Failed. From the menu that appears, select Delete Volume.
7. In the Delete Striped Volume warning dialog box, click Yes. Windows 2000
deletes the remaining portion of the striped volume.
8. Now that you’ve deleted the remaining portion of the striped volume, you can
delete the Disk Management listing of the failed hard disk that you replaced in
Step 2. The listing for this disk appears at the bottom of the lower right pane in
Disk Management with a name of Missing and a status of Offline. Right-click this
disk, and select Remove Disk from the menu that appears. Disk Management
removes the listing for this disk.
9. Use the steps in the “Creating a striped volume” step-by-step section earlier in
this chapter to create a new striped volume.
10. Restore all data from tape.

Recovering a Mirrored Volume


Sometimes a disk that is part of a mirrored volume fails. If only one disk in
the mirrored volume fails, you can continue operations (without any fault
tolerance, however) until you can take the server offline to replace the
failed hard disk and repair the mirrored volume.
If both disks in a mirrored volume fail, Windows 2000 can’t recover
your data unless you have a tape backup.

STEP BY STEP

RECOVERING A MIRRORED VOLUME

1. Start Disk Management. Determine the disk that has failed — the failed disk will
appear with a status of Offline, and the failed volume may show a status of Failed
Redundancy.
2. Replace the failed hard disk.
3. Reboot the computer to Windows 2000. If the failed disk contained your
Windows 2000 installation folder, use your fault tolerance boot disk to boot
the computer to Windows 2000.
4. Start Disk Management.
5. The Write Signature and Upgrade Disk Wizard appears. Use this wizard and
the steps in the “Upgrading a Disk from Basic to Dynamic” section earlier in this
chapter to upgrade the new hard disk.
6. In the bottom right pane in Disk Management, right-click the bar-shaped area that
represents the volume on the disk in the mirrored volume that is still functional
(Online) — the status of this volume is displayed as Failed Redundancy. From the
menu that appears, select Remove Mirror.
7. In the Remove Mirror dialog box, select the disk with the name Missing. Click
Remove Mirror.

CAUTION
If you select the wrong disk in this step, Windows 2000 will delete all of
the data on your good/nonfailed disk, and you will have to recreate your
mirrored volume and restore all your data from tape.

8. In the Disk Management warning dialog box, click Yes.


9. Now that you’ve removed the mirror, you can delete the Disk Management listing
of the failed hard disk that you replaced in Step 2. The listing for this disk appears
at the bottom of the lower right pane in Disk Management with a name of Missing
and a status of Offline. Right-click this disk, and select Remove Disk from the
menu that appears. Disk Management removes the listing for this disk.
10. In the bottom right pane in Disk Management, right-click the bar-shaped area that
represents the volume on the disk in the mirrored volume that is still functional
(Online) — the status of this volume is now displayed as Healthy. From the menu
that appears, select Add Mirror.
11. In the Add Mirror dialog box, highlight the new hard disk that you installed in the
computer in Step 2. Click Add Mirror. Windows 2000 creates the mirrored volume.
During this process the status displayed is “Regenerating.”
Recovering a RAID-5 Volume


Sometimes a disk that is part of a RAID-5 volume fails. If only one disk in
the RAID-5 volume fails, you can continue operations (without any fault
tolerance, however) until you can take the server offline to replace the
failed hard disk and repair the RAID-5 volume.
If more than one disk in a RAID-5 volume fails, Windows 2000 can’t
recover your data unless you have a tape backup.

STEP BY STEP

RECOVERING A RAID-5 VOLUME

1. Start Disk Management. Determine the disk that has failed — the failed disk
will appear with a status of Offline, and the failed volume may show a status
of Failed Redundancy.
2. Replace the failed hard disk.
3. Reboot the computer to Windows 2000.
4. Start Disk Management.
5. The Write Signature and Upgrade Disk Wizard appears. Use this wizard and
the steps in the “Upgrading a Disk from Basic to Dynamic” section earlier in this
chapter to upgrade the new hard disk.
6. In the bottom right pane in Disk Management, right-click the bar-shaped area
that represents the volume on any disk in the RAID-5 volume that is still functional
(Online) — the status of this volume is displayed as Failed Redundancy. From the
menu that appears, select Repair Volume.
7. In the Repair RAID-5 Volume dialog box, select the disk that you installed in
Step 2 to replace the failed hard disk. Click OK.
8. Windows 2000 repairs the RAID-5 volume. During this process the status
displayed is “Regenerating.”
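As an added illustration (not code from the book or from Windows 2000), the following toy model shows why a RAID-5 volume stays readable with one disk Offline (the Failed Redundancy status of Table 6-5), how Repair Volume regenerates the lost disk from XOR parity, and why a second failure leaves only tape backup, as the text above states. The disk count, block values, and the class and function names are all constructed for this example.

```python
"""Toy model of a RAID-5 volume's Failed Redundancy and Regenerating states.

Added illustration for this chapter, not code from the book or from
Windows 2000. Blocks are single ints (think one byte each) and parity is
plain XOR, which is what lets one lost disk be regenerated and why a
second lost disk cannot be.
"""
from __future__ import annotations

from functools import reduce
from operator import xor


class Raid5Volume:
    """n disks; each stripe holds n-1 data blocks plus one XOR parity block."""

    def __init__(self, n_disks: int) -> None:
        if n_disks < 3:
            raise ValueError("a RAID-5 volume needs at least three disks")
        self.n = n_disks
        self.stripes: list[list[int | None]] = []  # stripes[s][d] = block on disk d
        self.failed: set[int] = set()              # disks currently Offline

    def status(self) -> str:
        """Report the volume status the way Table 6-5 describes it."""
        if not self.failed:
            return "Healthy"
        if len(self.failed) == 1:
            return "Failed Redundancy"
        return "Failed"

    def parity_disk(self, s: int) -> int:
        return s % self.n  # parity rotates across the disks stripe by stripe

    def write_stripe(self, data: list[int]) -> None:
        if len(data) != self.n - 1:
            raise ValueError(f"a stripe holds {self.n - 1} data blocks")
        blocks: list[int | None] = list(data)
        blocks.insert(self.parity_disk(len(self.stripes)), reduce(xor, data, 0))
        self.stripes.append(blocks)

    def fail_disk(self, d: int) -> None:
        """Simulate a disk going Offline: its blocks are no longer readable."""
        self.failed.add(d)
        for blocks in self.stripes:
            blocks[d] = None

    def read_block(self, s: int, d: int) -> int:
        blocks = self.stripes[s]
        if d not in self.failed:
            return blocks[d]  # type: ignore[return-value]
        if len(self.failed) > 1:
            raise OSError("Failed: more than one disk lost, data is unrecoverable")
        # Degraded read: XOR of all surviving blocks in the stripe is the lost one
        return reduce(xor, (b for i, b in enumerate(blocks) if i != d), 0)

    def read_stripe_data(self, s: int) -> list[int]:
        p = self.parity_disk(s)
        return [self.read_block(s, d) for d in range(self.n) if d != p]

    def repair_volume(self) -> str:
        """Repair Volume onto a replacement disk: regenerate data and parity."""
        if len(self.failed) != 1:
            raise OSError(f"cannot repair a volume whose status is {self.status()}")
        (lost,) = self.failed
        for s, blocks in enumerate(self.stripes):
            blocks[lost] = self.read_block(s, lost)  # the "Regenerating" phase
        self.failed.clear()
        return self.status()


def run_scenario() -> dict[str, object]:
    """Constructed walk-through: one disk fails, is repaired, then two fail."""
    written = [[0x41, 0x42, 0x43], [0x10, 0x20, 0x30], [0xFF, 0x00, 0x7E]]
    vol = Raid5Volume(4)
    for stripe in written:
        vol.write_stripe(stripe)

    vol.fail_disk(2)                       # one disk goes Offline
    degraded_status = vol.status()
    degraded_reads = [vol.read_stripe_data(s) for s in range(len(written))]

    repaired_status = vol.repair_volume()  # replacement disk regenerated
    repaired_reads = [vol.read_stripe_data(s) for s in range(len(written))]

    vol.fail_disk(0)                       # two disks lost at the same time
    vol.fail_disk(3)
    try:
        vol.read_stripe_data(0)
        double_failure_readable = True
    except OSError:
        double_failure_readable = False

    return {
        "degraded_status": degraded_status,
        "degraded_reads_match": degraded_reads == written,
        "repaired_status": repaired_status,
        "repaired_reads_match": repaired_reads == written,
        "final_status": vol.status(),
        "double_failure_readable": double_failure_readable,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```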
KEY POINT SUMMARY

This chapter introduced several key file system and disk topics:
■ Several file systems are supported by Windows 2000, including FAT, FAT32,
and NTFS. Because of its speed, security, and recoverability, I recommend
using NTFS except when you need to dual boot between Windows 2000
and another operating system.
■ Disk Management is used to perform numerous disk management tasks on
your Windows 2000 computer, such as:
  – Creating and formatting partitions
  – Upgrading a disk from basic to dynamic
  – Reverting a dynamic disk to a basic disk
■ Disk Management is also used to create several different volume types, includ-
ing simple volumes, spanned volumes, striped volumes, mirrored volumes, and
RAID-5 volumes.
■ Disk Defragmenter is used to analyze and defragment volumes.
■ Logical Drives enables you to view logical drive properties, change a logical
drive’s label, and configure several types of security settings on a logical drive.
■ Tips for troubleshooting disks and volumes were presented. Specific steps on
how to recover from disk failure when using a simple volume, spanned volume,
striped volume, mirrored volume, and RAID-5 volume were also covered.
STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about file systems and disks and help you prepare for the
Professional and Server exams:
■ Assessment Questions: These questions test your knowledge of
the file systems and disk topics covered in this chapter.You’ll find
the answers to these questions at the end of this chapter.
■ Scenarios: These situation-based questions challenge you to
apply your understanding of the material to solve a hypothetical
problem. In the two scenarios in this chapter, you’ll be asked to
determine the courses of action you would take to resolve various
disk and volume problems.You don’t need to be at a computer to
do scenarios.The answers to these questions are also presented at
the end of this chapter.
■ Lab Exercises: These exercises are hands-on practice activities
that you perform on a computer.The two labs in this chapter give
you an opportunity to convert from one file system to another;
and to create, configure, and format a simple volume.

Assessment Questions
1. You are choosing a file system for your Windows 2000 Server computer.
You need this computer to support file compression, and you don’t need
to dual boot this computer between Windows 2000 Server and any
other operating system.Which file system should you choose?
A. FAT
B. FAT32
C. HPFS
D. NTFS
2. You are choosing a file system to use on your Windows 2000
Professional computer. You plan to use this computer to run
Windows 2000, but you will also run Windows 95 and MS-DOS
on this computer, as well. Which file system should you choose?
A. FAT
B. CDFS
C. HPFS
D. NTFS
3. You decide to change the file system on your Windows 2000
computer. You want to change drive C: from FAT to NTFS.
What should you type at the command prompt?
A. FORMAT C: /FS:NTFS
B. CONVERT C: /FS:NTFS
C. FORMAT C: /NTFS
D. CONVERT C: /NTFS
4. What is the maximum number of partitions a basic disk can contain?
A. 1
B. 2
C. 3
D. 4
5. Which volume type provides high fault tolerance, has a high cost
associated with it, and provides normal speed of access to files?
A. Mirrored volume
B. RAID-5 volume
C. Simple volume
D. Spanned volume
E. Striped volume
6. You want to create and format a simple volume on a Windows 2000
computer. Which tool should you use?
A. Disk Administrator
B. Disk Management
C. The Convert.exe command-line utility
D. The Format.exe command-line utility
7. You create a mirrored volume on a Windows 2000 Server computer.
What additional item should you create?
A. A new Config.nt file
B. A new Autoexec.nt file
C. A fault tolerance boot disk
D. A set of Windows 2000 Setup Boot Disks
8. You want to analyze volumes on your Windows 2000 computer.
Which tool should you use?
A. Disk Management
B. Disk Administrator
C. Disk Defragmenter
D. Windows Components Wizard

Scenarios
The following scenarios provide you with an opportunity to apply the
knowledge you’ve gained in this chapter about troubleshooting disk and
volumes and recovering from disk failure.

Troubleshooting Disks and Volumes


Troubleshooting disks and volumes is a fairly common administrative task.
In each of the following problems, I’ll provide you with the Disk
Management status value for the disk or volume in question. Your job is to
consider the given status value (or values), along with any other information
given, and determine the following: What type of problem does the Disk
Management status value indicate may exist? What course of action would
you take to try to resolve the problem?
1. Disk Management displays a status value of Online (Errors) for one of
the disks in your computer. You want to continue using this disk.
2. Disk Management displays a status value of Foreign for one of the
dynamic disks in your computer. You need to access existing data
on this disk.
3. Disk Management displays a status value of Failed for a simple volume.
The status value of the disk that contains this simple volume is Online.
Recovering from Disk Failure


It’s important to know how to recover from disk failure if you want to pass
the Server exam or if you administer a Windows 2000 network.
In each of the following problems, a disk in a fault-tolerant volume has
failed. I’ll provide you with the Disk Management status values for the disk
and volume in question. Your job is to consider the given status values,
along with any other information given, and determine the course of
action you would take to recover from the disk failure.
1. Disk Management displays a status value of Failed Redundancy for
a mirrored volume in your Windows 2000 Server computer. One of
the disks in the mirrored volume has a status value of Online, and the
other disk has a status value of Unreadable. You try using the Rescan
Disks command in Disk Management and rebooting the computer
to change the disk’s status, but the status value remains unchanged.
2. Disk Management displays a status value of Failed Redundancy for
a RAID-5 volume in your Windows 2000 Server computer. Three
of the disks in the RAID-5 volume have a status value of Online,
and the fourth disk has a status value of Offline. You try using the
Reactivate Disk command in Disk Management to change the
disk’s status, but the status value remains unchanged.

Lab Exercises
The following two labs are designed to give you practical experience work-
ing with file systems, disks, and volumes on a Windows 2000 computer.

Lab 6-1 Converting from FAT32 to NTFS

EXAM MATERIAL: Professional, Server

The objective of this lab is for you to gain hands-on experience using the
Convert.exe command-line utility to convert a volume’s file system
from FAT32 to NTFS. In this lab, you’ll convert your computer’s C: drive
to NTFS.
CAUTION
If your computer is configured to dual boot between Windows 2000 and
another operating system, performing this lab will render the second
operating system unbootable.

If you skip this lab, though, you will be unable to complete most of the
remaining labs in this book, because NTFS is required to install Active
Directory. So, I recommend you use a dedicated hard disk to perform the
labs in this book, or that you give up dual boot capability on the computer
you’re using while you’re preparing for the exams.
The steps below walk you through the process of converting a volume’s
file system on a Windows 2000 Professional computer. The steps used to
perform this task on a Windows 2000 Server computer are identical.
1. Boot your computer to Windows 2000 Professional. Log on as
Administrator.
2. Select Start ➪ Programs ➪ Accessories ➪ Command Prompt.
3. At the command prompt, type convert c: /fs:ntfs and press Enter.
4. Convert.exe notifies you that it can’t gain exclusive access to the C:
drive. Type Y and press Enter to have this utility convert the C: drive
to NTFS when the computer is rebooted.
5. At the command prompt, type exit and press Enter.
6. Select Start ➪ Shut Down.
7. In the “What do you want the computer to do?” drop-down list box,
select Restart, and click OK. The computer shuts down and restarts.
During the reboot process, Windows 2000 converts the C: drive to
NTFS. At the end of the conversion process, Windows 2000 restarts
your computer.

Lab 6-2 Configuring Disks and Volumes

EXAM MATERIAL: Professional, Server

The objective of this lab is for you to gain hands-on experience using Disk
Management on a Windows 2000 computer. You’ll convert a basic disk to
a dynamic disk; and then create, configure, and format a simple volume.
This lab is optional because it requires a second hard disk in your computer.
This lab has two parts:
■ Part 1: Converting a Basic Disk to a Dynamic Disk
■ Part 2: Creating, Configuring, and Formatting a Simple Volume
The steps that follow take you through the process of converting a disk
and creating a volume on a Windows 2000 Server computer. The steps
used to perform this task on a Windows 2000 Professional computer
are identical.

Part 1: Converting a Basic Disk to a Dynamic Disk


1. Boot your computer to Windows 2000 Server. Log on as Administrator.
2. From the desktop, right-click My Computer. Select Manage from the
menu that appears.
3. In the left pane of the Computer Management dialog box, click
Disk Management. (If Storage is not already expanded so that Disk
Management appears in the list, click the + next to Storage first, and
then click Disk Management.)
4. The Write Signature and Upgrade Disk Wizard appears. Click Next.
5. The Select Disks to Upgrade screen appears. Ensure that all disks
listed are selected for upgrade. Click Next.
6. In the Completing the Write Signature and Upgrade Disk Wizard
window, review the settings you have selected. Click Finish. Continue
on to Part 2.

Part 2: Creating, Configuring, and Formatting a Simple Volume

1. In the Computer Management dialog box, right-click the area of
unallocated space on Disk 1. From the menu that appears, select
Create Volume.
2. The Create Volume Wizard appears. Click Next.
3. Accept the “Simple volume” default option. Click Next.
4. In the Select Disks screen, accept the default size for the selected
disk. Click Next.
5. The Assign Drive Letter or Path screen appears. Accept the default
drive letter assignment. Click Next.

6. The Format Volume screen appears. Accept the default selections.
Click Next.
7. In the Completing the Create Volume Wizard window, review the
settings you have selected. Click Finish. Windows 2000 creates and
formats the simple volume. This may take a few minutes.
8. When the process is complete, exit Computer Management.

Answers to Chapter Questions


Chapter Pre-Test
1. Because of its speed, security, and recoverability, I recommend the
use of NTFS except when you need to dual boot between Windows
2000 and another operating system.
2. It’s definitely easier to convert from FAT (or FAT32) to NTFS than
it is to convert from NTFS to FAT.
3. Basic disks are hard disks that use industry-standard partitioning and
formatting, and contain primary and/or extended partitions; whereas
dynamic disks are hard disks that contain Windows 2000 dynamic
volumes. Dynamic volumes are volumes that do not use primary
partitions, extended partitions, or logical drives.
4. Windows 2000 supports several different volume types, including
simple volumes, spanned volumes, striped volumes, mirrored volumes,
and RAID-5 volumes.
5. Disk Management

Assessment Questions
1. D. NTFS is the only file system supported by Windows 2000 that
supports file compression.
2. A. If you need to dual boot between Windows 2000 and Windows
95 and MS-DOS, your only file system choice is FAT.
3. B. The Convert.exe command is used to change a volume’s file
system from FAT to NTFS.
4. D. A basic disk can contain a maximum of four partitions: it can contain
up to four primary partitions, but only one extended partition.

5. A. See Table 6-2.
6. B. Windows 2000 includes a powerful tool to manage disks — it’s
called Disk Management. You can use Disk Management to create and
manage several different volume types on a Windows 2000 computer.
7. C. A fault tolerance boot disk is a floppy disk that you create that
enables you to boot your Windows 2000 computer in the event that
the first disk in your computer’s mirrored volume fails. This disk
contains an edited copy of the Boot.ini file.
8. C. Disk Defragmenter is used not only to defragment disks but also
to analyze volumes.

Scenarios
Troubleshooting Disks and Volumes
1. The Online (Errors) status value indicates that Disk Management has
found I/O errors on a portion of a dynamic disk. Use the Reactivate
Disk command in Disk Management to try to return this disk to a
status value of Online.
2. The Foreign status value indicates that the disk in question is from
another Windows 2000 computer, that it has been installed on this
computer, but it has not yet been set up for use on this computer.
Use the Import Foreign Disks command in Disk Management to set
up the disk for this computer and to achieve a status value of Online.
3. The Failed status value for the volume indicates that Windows 2000 is
unable to automatically activate the volume. Since the status value for
the disk that contains this volume is Online, try using the Reactivate
Volume command in Disk Management to return the volume to a
status value of Healthy.

Recovering from Disk Failure


1. You should take the following steps to recover from the failed
mirrored volume as soon as you are able to take the server offline:
a. Replace the failed hard disk. (This is the disk with the status value
of Unreadable.)
b. Reboot the computer to Windows 2000. If the failed disk
contained your Windows 2000 installation folder, use your fault
tolerance boot disk to boot the computer to Windows 2000.
c. Start Disk Management.
d. Use the Write Signature and Upgrade Disk Wizard to upgrade
the new hard disk to a dynamic disk.
e. In the bottom right pane in Disk Management, right-click the
mirrored volume that is still functional (Online). From the menu
that appears, select Remove Mirror.
f. In the Remove Mirror dialog box, select the disk with the name
Missing. Click Remove Mirror.
g. In the Disk Management warning dialog box, click Yes.
h. Right-click the disk with a name of Missing and a status of
Offline, and select Remove Disk from the menu that appears.
i. Right-click the volume on the disk in the mirrored volume that is
still functional (Online) — the status of this volume is now displayed
as Healthy. From the menu that appears, select Add Mirror.
j. In the Add Mirror dialog box, highlight the new hard disk that
you installed in the computer in Step 1. Click Add Mirror.
2. You should take the following steps to recover from the failed
RAID-5 volume as soon as you are able to take the server offline:
a. Replace the failed hard disk. (This is the disk with a status value
of Offline.)
b. Reboot the computer to Windows 2000.
c. Start Disk Management.
d. Use the Write Signature and Upgrade Disk Wizard to upgrade
the new hard disk to a dynamic disk.
e. In the bottom right pane in Disk Management, right-click the
volume on any disk in the RAID-5 volume that is still functional
(Online). From the menu that appears, select Repair Volume.
f. In the Repair RAID-5 Volume dialog box, select the disk that
you installed in Step 1 to replace the failed hard disk. Click OK.

EXAM MATERIAL: Network, Directory Services

EXAM OBJECTIVES

Network: Exam 70-216

■ Install, configure and troubleshoot DNS.
■ Install the DNS Server service.
■ Configure a root server.
■ Configure zones.
■ Configure a caching-only server.
■ Configure a DNS client.
■ Configure zones for dynamic updates.
■ Test the DNS Server service.
■ Implement a delegated zone for DNS.
■ Manually create DNS resource records.
■ Manage and monitor DNS.

Directory Services: Exam 70-217

■ Install, configure and troubleshoot the components of Active
Directory.
■ Install Active Directory.
■ Verify Active Directory installation.
■ Install, configure and troubleshoot DNS for Active Directory.
■ Integrate an Active Directory DNS with a non-Active Directory
DNS.
■ Configure zones for dynamic updates.
■ Manage, monitor, and troubleshoot DNS.
■ Manage replication of DNS data.

CHAPTER 7
Installing and Configuring DNS and Active Directory

This chapter features important information on two tightly integrated
Windows 2000 topics: DNS and Active Directory. You may be wondering
what these two subjects are doing in the same chapter, but let me reassure you
that they really do belong together. Because Active Directory is dependent on
DNS, you’ve got to understand DNS (and in many cases you’ll want to have
your DNS server up and running) before you install Active Directory.
The bulk of this chapter, then, is all about DNS. I’ll explain what DNS is, as
well as how to install, configure, test, monitor, and troubleshoot DNS on a
Windows 2000 Server/Advanced Server computer. I’ll also show you how to
configure client computers to use a DNS server. Finally, I’ll discuss how to
install Active Directory, including how to verify and troubleshoot the Active
Directory installation.


Chapter Pre-Test
1. What does DNS stand for?
2. Define the term host name resolution.
3. The DNS domain at the top of the DNS domain namespace is
called the ________ domain. This domain is often represented
by a _____.
4. List four types of DNS servers.
5. What does TTL stand for?
6. What two prerequisites must be met prior to installing
Active Directory?

What Is DNS?
DNS stands for Domain Name System. The primary purpose of DNS, which
consists of a set of specified naming rules and implementation standards, is to
provide host name resolution.
Host name resolution is the process of resolving a computer’s user-friendly
host name (such as www.idgbooks.com) to the numerical IP address of
that computer. The reason host name resolution is important is because
TCP/IP-based applications and utilities, such as Web browsers, use IP
addresses to communicate with other computers, while users prefer to use
easily remembered host names to access other computers.
In the next several sections I’ll explain what DNS has to do with Active
Directory, talk a little about DNS domain names and naming conventions,
explain in detail how host name resolution works using DNS, introduce
you to zones and other basic DNS terminology, and finally, describe the
many DNS server roles.

What Does DNS Have to Do with Active Directory?


You’re probably wondering why I’m discussing DNS in the same chapter as
Active Directory. (I know my editor did.) As I explained in Chapter 2, Active
Directory uses the same hierarchical naming conventions as DNS. Because
of this, client computers use DNS servers to locate Active Directory domain
controllers and other Active Directory resources on the network. Without
DNS, Active Directory couldn’t function, because client computers wouldn’t
be able to locate these domain controllers and resources.
The bottom line, then, is that Active Directory is dependent on DNS. In
fact, Active Directory can’t be implemented until the DNS Server service
(or its equivalent) is installed.

TIP
The actual installation of DNS can take place either prior to installing
Active Directory, or as part of the Active Directory installation.

For large, established networks, it usually makes sense to install and
configure a DNS server prior to installing Active Directory. However, for
very small or brand new networks, it’s easier to install DNS during the
Active Directory installation.

DNS Domain Names and Naming Conventions


DNS is implemented as a hierarchical structure often called the DNS domain
namespace. The trees and subtrees that make up the DNS domain namespace
are called DNS domains. The DNS domain namespace is graphically
represented as an inverted tree structure, with the root of the tree at the top.
The DNS domain at the top (or root) of the tree is called the root
domain. It is often represented by a period (.).
The DNS domains directly under the root domain are called top-level
domains. I’ve listed the most common top-level DNS domains for you in
Table 7-1.
TABLE 7-1 Top-Level DNS Domains

DNS Domain   Description of Subdomains of This Domain
com          Commercial organizations, such as pepsi.com
gov          Government organizations, such as whitehouse.gov
mil          Military organizations, such as army.mil
edu          Educational organizations, such as stanford.edu
net          Internet service providers, such as nsf.net
org          Nonprofit organizations, such as metmuseum.org
arpa         Domains used for resolving IP addresses to host names, sometimes
             called reverse DNS or reverse lookup domains, such as 123.arpa
xx           Domains within a specific country, where each country is represented
             by a two-letter code, such as cbc.ca (where ca stands for Canada)

The DNS domains in the next level down, under top-level domains, are
called second-level domains. These domains are subdomains of top-level
domains. Many businesses have a second-level domain that is a subdomain
of the com domain, such as microsoft.com. Each person or organization
using a second-level domain on the Internet is responsible for registering
that unique DNS domain name with the appropriate authority — the
appropriate authority being the one that manages the top-level domain
containing the second-level domain. If your organization’s network is never
connected to the Internet, you can use any top-level and second-level
domain names you want to, and you don’t have to register these names
with any naming authority.
Figure 7-1 shows a partial illustration of the DNS domain namespace,
and includes the root domain, several top-level domains, and a couple of
second-level domains.

FIGURE 7-1 The DNS domain namespace (root domain; top-level domains
com, gov, edu, net; second-level domains microsoft and idgbooks)

You may be wondering, at this point, if DNS domains are the same as
Windows 2000 domains. In short, no, they’re not the same. However,
Windows 2000 domains directly correspond to and have the same names
as their corresponding DNS domains. In addition, Windows 2000 Active
Directory is designed to be tightly integrated with DNS.
DNS domain names (also called fully qualified domain names [FQDNs])
can contain a maximum of 63 characters. Allowed characters include
uppercase letters (A–Z), lowercase letters (a–z), numbers (0–9), and the
hyphen (-). Periods are used to separate domain and subdomain names, for
example, microsoft.com.

How Host Name Resolution Works Using DNS


Earlier in this chapter I gave you a basic definition of host name resolution.
What I didn’t explain then (and I’m going to now) is a detailed account of
how the host name resolution process works when using DNS.

So, suppose that a user wants to access the Microsoft Web site at
www.microsoft.com. The user, in this example, is using a Windows 2000
Professional computer on IDG Books Worldwide, Inc.’s network. Here’s a
detailed account of how name resolution is accomplished in this case:
1. The user types in a URL of www.microsoft.com in Internet
Explorer on his or her Windows 2000 Professional computer.
2. Internet Explorer asks the DNS client software (on the user’s
computer) to determine the IP address of www.microsoft.com.
3. The DNS client software (on the user’s computer) sends a request
(called a query) to the DNS server on the IDG Books Worldwide, Inc.
network, asking that server to resolve www.microsoft.com to an IP
address.
4. Because the DNS server on the IDG Books Worldwide, Inc. network
primarily contains host name resolution information for only the com-
puters in the idgbooks.com domain, it sends a query to a DNS server
in the root domain, asking for the IP address of www.microsoft.com.
5. The DNS server in the root domain provides the IDG Books DNS
server with the IP address of a DNS server in the com domain that
can help the IDG Books DNS server resolve its query.
6. The IDG Books DNS server sends a query to the DNS server in the
com domain, asking for the IP address of www.microsoft.com.
7. The DNS server in the com domain provides the IDG Books DNS
server with the IP address of a DNS server in the microsoft.com
domain that can help the IDG Books DNS server resolve its query.
8. The IDG Books DNS server sends a query to the DNS server
in the microsoft.com domain, asking for the IP address of
www.microsoft.com.
9. The DNS server in the microsoft.com domain provides the IDG
Books DNS server with the IP address of www.microsoft.com.
10. When the IDG Books DNS server receives the IP address of
www.microsoft.com, it performs two tasks:
 It stores the IP address of www.microsoft.com in its cache, so it
can quickly resolve this name when it is requested in the future.
 It sends the IP address of www.microsoft.com to the DNS
client software on the user’s computer that requested it.
11. When the DNS client software on the user’s computer receives the IP
address of www.microsoft.com, it caches this IP address for future
use, and also forwards the IP address to Internet Explorer.
12. Internet Explorer then establishes TCP/IP network communications
with www.microsoft.com, and opens the Web page for the user.
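The walk in steps 3 through 11 above, simulated offline as an added example that is not code from the book: a resolver follows the root, com and microsoft.com referrals, then serves the answer from its cache until the TTL expires. Server names, addresses and TTL values are constructed.

```python
"""Iterative host name resolution as walked through in steps 3 to 11 above.

Added example, not code from the book. The referral tables, IP addresses
and TTL values are constructed; nothing here sends real DNS traffic.
"""
import time

# Constructed referral data. Each entry is the table a given server answers
# from: a "referral" points the asking server further down the tree
# (root -> com -> microsoft.com), an "answer" carries the address and TTL.
CONSTRUCTED_SERVERS = {
    "root-server":      {"com": ("referral", "com-server", 172800)},
    "com-server":       {"microsoft.com": ("referral", "microsoft-server", 172800)},
    "microsoft-server": {"www.microsoft.com": ("answer", "203.0.113.10", 3600)},
}


class IterativeResolver:
    """Models the IDG Books DNS server: it walks the tree from the root and
    caches answers for their TTL, so later queries are served locally."""

    def __init__(self, servers, root="root-server", clock=time.time):
        self.servers = servers
        self.root = root
        self.clock = clock          # injectable so the TTL expiry can be shown
        self.cache = {}             # name -> (ip, expiry timestamp)

    def _ask(self, server, name):
        """Ask one server; it answers for the longest suffix of name it knows."""
        table = self.servers[server]
        labels = name.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in table:
                return table[suffix]
        return ("nxdomain", None, 0)

    def resolve(self, name):
        """Return (ip, list of servers contacted); an empty list is a cache hit."""
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0], []
        contacted = []
        server = self.root
        for _ in range(8):                  # bound the referral chain
            contacted.append(server)
            kind, value, ttl = self._ask(server, name)
            if kind == "referral":
                server = value              # steps 5 and 7: follow the referral
            elif kind == "answer":
                self.cache[name] = (value, now + ttl)   # step 10: cache it
                return value, contacted
            else:
                return None, contacted
        raise RuntimeError("referral chain too long for " + name)


class FakeClock:
    """Constructed clock so the TTL expiry can be demonstrated offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    resolver = IterativeResolver(CONSTRUCTED_SERVERS, clock=clock)
    first = resolver.resolve("www.microsoft.com")    # full walk from the root
    second = resolver.resolve("www.microsoft.com")   # served from the cache
    clock.advance(3601)                               # past the 3600 s TTL
    third = resolver.resolve("www.microsoft.com")    # cache flushed, walk again
    missing = resolver.resolve("nosuch.example")     # root holds no referral
    return first, second, third, missing


if __name__ == "__main__":
    for ip, servers in demo():
        print(ip, "via", servers or "cache")
```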

Zones and DNS Server Roles


Before I get into the actual nuts and bolts of implementing DNS, I need to
explain some basic DNS terminology. In this section I’ll define zones and
several other DNS terms. I’ll also describe the many types of roles DNS
servers can play.
A zone is a storage database for either a DNS domain or for a DNS
domain and one or more of its subdomains. This storage database is often
implemented as a special text file, called a zone file.

TIP
The terms zone and zone file are often used interchangeably.

Zones are not created by default when the DNS Server service is
installed — they are created and configured by an administrator.
DNS servers are computers that have the capability to use DNS to pro-
vide host name resolution to client computers. The Windows 2000 DNS
Server service (or its equivalent), when installed on a server, is what gives
that server the ability to provide host name resolution. A DNS server can
provide host name resolution for more than one zone. In addition, copies
of a zone can exist on multiple DNS servers for the purposes of providing
load balancing and fault tolerance.
On all Windows 2000 DNS servers except Active Directory-integrated
DNS servers, all DNS entries for a zone are contained in a single text file
called a zone file. On Active Directory-integrated DNS servers, DNS
entries are stored in the Active Directory data store instead of in a zone file.

A DNS server can play one (or more) of several different roles, depending
on the type of zone(s) the server contains and how the DNS server is
configured. The types of roles that a DNS server can perform include:
■ Standard primary: This type of DNS server stores DNS entries (IP
address to host name mapping information and other DNS resource
records) in a zone file that is maintained on this server. The standard
primary server is typically called the primary server for short. The
primary server maintains the master copy of a zone file. Because
of this, when changes need to be made to the zone, they should
be made only on the standard primary server. There can only be
one standard primary server for a zone.
■ Active Directory-integrated (primary): This type of DNS
server is just like a standard primary server, except that it stores DNS
entries in the Active Directory data store, rather than in a zone file.
Because Active Directory supports multiple master replication, there
can be more than one Active Directory-integrated (primary) DNS
server for a zone. When changes need to be made to the zone, they can
be made on any Active Directory-integrated (primary) DNS server
that contains the zone.
■ Standard secondary: This type of DNS server stores copies of
zones that it obtains from the standard primary, Active Directory-
integrated (primary), or another standard secondary DNS server.
The standard secondary server is typically called the secondary
server for short. The process of copying a zone to a standard
secondary DNS server is called a zone transfer. Microsoft sometimes
calls this process replication. There can be multiple secondary DNS
servers for a zone.
■ Master: This type of DNS server provides a copy of the zone
to a standard secondary DNS server. The secondary DNS server
receiving the copy of the zone is sometimes called the slave in
this relationship. The types of DNS servers that can function
as masters are standard primary, Active Directory-integrated
(primary), and standard secondary.
■ Caching-only: This type of DNS server does not store any
zones whatsoever. It resolves host names to IP addresses for
client computers, and stores the resulting mapping information
in its cache. If a client computer requests resolution for a host
name that exists in the cache, the DNS server provides the
cached information to the client computer without contacting
other DNS servers to resolve the query. Mapping information
remains in the cache for a specified amount of time (called
Time-To-Live [TTL]), and then is “flushed” from the cache.
■ Forwarder: This type of DNS server is designated to perform host
name resolution for other DNS servers on a company’s internal
network when the host name to be resolved resides in an external
DNS domain. The forwarder resolves the host name resolution
request, caches the results, and returns the mapping information
to the internal DNS server that requested it.
The forwarder role is often played by the same computer that
functions as the company’s firewall. There are two primary
advantages of this arrangement. First, internal network traffic is
reduced because the forwarder (instead of many internal DNS
servers) executes the numerous queries required to perform host
name resolution. These queries are external rather than internal,
thus reducing internal traffic. In addition, the forwarder maintains
a cache of all externally resolved names, thus eliminating
repeated queries for the same information. Second, because the
forwarder is often configured as a caching-only DNS server, the
company’s internal zone information is protected from hackers
on the Internet.
■ Root server: This type of DNS server contains a copy of a zone
for the root domain — either the root domain for the Internet,
or the root domain for a company’s private, internal network.
The purpose of the root server is to enable other DNS servers
on a network to access second-level domains on the Internet,
or to access other second-level domains on the internal network.
A root server should be used only when a network is not con-
nected to the Internet, or when a network is connected to the
Internet by using a proxy server.

EXAM TIP
DNS topics make up a large portion of the objectives for both the
Network and Directory Services exams. Make sure that you understand
DNS concepts and terminology, and get as much hands-on practice with
DNS as possible before you take these exams.

Installing, Configuring, Managing, and Troubleshooting DNS
DNS is implemented in Windows 2000 via the DNS Server service. The
DNS Server service is supported only on Windows 2000 Server and
Advanced Server computers — you can’t install the DNS Server service on
a Windows 2000 Professional computer, but a Windows 2000 Professional
computer can be a DNS client.
The Windows 2000 DNS Server service supports the dynamic update
protocol. The term dynamic update means that client computers and servers
can register and update their host names and IP addresses with the DNS
server without administrator intervention. Previous versions of DNS,
including the version that shipped with Windows NT 4.0, required the
administrator to manually enter host names and their associated IP addresses
for each computer on the network.
The Windows 2000 DNS Server service also supports the SRV (service)
resource records that are required for the implementation of Active Directory.
A resource record is any entry in a zone. The entry may be a host name to IP
address mapping entry, a service name to IP address mapping entry, and so on.
I’ll discuss resource records in more depth later in this chapter when I explain
how to manually create DNS resource records.
In the following sections I’ll explain how to install and configure the
DNS Server service on a Windows 2000 Server computer, including how
to configure various properties of servers and how to configure zones;
how to configure client computers to use a DNS server; and how to test,
monitor, and troubleshoot DNS.

Installing the DNS Server Service


The DNS Server service is not installed by default on Windows 2000
Server/Advanced Server computers — you must manually install this service
on each computer that you want to function as a DNS server.
Before you can install the DNS Server service, the Windows 2000
Server/Advanced Server computer must be configured to use a static IP
address. If your computer is configured to use DHCP to obtain its IP address
dynamically, you must reconfigure the computer with a static IP address
before you install DNS. In addition, before you install DNS, you should
configure the Windows 2000 Server/Advanced Server computer with a
primary DNS suffix.

TIP
If you have a DHCP server on your network, and you chose the “Typical
settings” option during the Windows 2000 installation, you probably
need to reconfigure your computer to use a static IP address.

If you have to reconfigure your computer to use a static IP address prior
to installing the DNS Server service, here’s how to accomplish this task.

STEP BY STEP

CONFIGURING A STATIC IP ADDRESS

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click the Network and Dial-up
Connections folder.
3. In the Network and Dial-up Connections folder, right-click Local Area
Connection and select Properties from the menu that appears.

TIP
If you have more than one Local Area Connection, you’ll have to repeat
this process for each one.

4. In the Local Area Connection Properties dialog box, highlight Internet Protocol
(TCP/IP) and click Properties.
5. In the Internet Protocol (TCP/IP) Properties dialog box, select the “Use the
following IP Address” option, and type in a static IP address, subnet mask,
and default gateway. Click OK.
6. In the Local Area Connection Properties dialog box, click OK.
7. Close the Network and Dial-up Connections folder.

In order for DNS to function properly on your Windows 2000
Server/Advanced Server computer, you’ll also want to configure the
computer to use a primary DNS suffix, as the following steps explain.

STEP BY STEP

CONFIGURING A PRIMARY DNS SUFFIX

1. From the desktop, right-click My Computer and select Properties from the menu
that appears.
2. In the System Properties dialog box, click the Network Identification tab.
3. On the Network Identification tab, click Properties.
4. In the Identification Changes dialog box, click More.
5. In the DNS Suffix and NetBIOS Computer Name dialog box, type your
company’s FQDN in the “Primary DNS suffix of this computer” text box
(for example, mycompany.com). Click OK.
6. In the Identification Changes dialog box, click OK.
7. In the Network Identification dialog box, click OK.
8. On the Network Identification tab, click OK.
9. In the System Settings Change dialog box, click Yes to restart your computer.

Now you’re ready to install the DNS Server service on your
Windows 2000 Server/Advanced Server computer.

STEP BY STEP

INSTALLING THE DNS SERVER SERVICE

1. Place your Windows 2000 Server or Advanced Server compact disc into your
computer’s CD-ROM drive. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove Windows Components.
4. The Windows Components Wizard starts. In the Windows Components screen,
scroll down and highlight Networking Services. Click Details.
5. In the Networking Services dialog box, select the check box next to Domain
Name System (DNS). Click OK.
6. In the Windows Components screen, click Next.
7. Windows 2000 Setup configures components. In the Completing the Windows
Components Wizard screen, click Finish.
8. Close the Add/Remove Programs dialog box. Close Control Panel.

Configuring DNS
Now that you’ve installed the DNS Server service on a Windows 2000
Server/Advanced Server computer, you’re ready to configure it.
Windows 2000 includes a tool specifically designed to help you configure
and manage DNS servers — it’s an administrative tool called DNS. To access
this tool, select Start ➪ Programs ➪ Administrative Tools ➪ DNS. You must
be a member of the Administrators group to use this tool.
Configuring DNS can include many different tasks, such as configuring
a DNS server to be its own DNS client, configuring a server to play one or
more server roles, configuring the properties of a DNS server, configuring
zones, integrating an Active Directory DNS with a non–Active Directory
DNS, managing replication of DNS, and manually creating DNS resource
records. I’ll show you how to perform each of these tasks in the following
sections.

EXAM TIP
The Network exam contains at least five objectives dealing with configur-
ing DNS. Ensure that you understand why and how each configuration is
used, the steps involved in performing each task, and which computer
you need to perform the necessary configuration on.

Configuring a DNS Server as Its Own DNS Client


One of the first things you should do after you install the DNS Server service
on your Windows 2000 Server computer is to configure your new DNS
server to be its own client. What I mean by this is that your DNS server needs
to be configured to use itself to perform host name resolution.

CAUTION
If you don’t make this configuration change on your DNS server, common
DNS testing utilities and other TCP/IP-based programs on the server
may not function correctly.

The steps involved in configuring the DNS server to be its own client
are fairly straightforward.

STEP BY STEP

CONFIGURING YOUR DNS SERVER TO USE ITSELF

1. From the desktop, select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click the Network and Dial-up
Connections folder.
3. In the Network and Dial-up Connections folder, right-click Local Area
Connection and select Properties from the menu that appears.

TIP
If you have more than one Local Area Connection, you’ll have to repeat
this process for each one.

4. In the Local Area Connection Properties dialog box, highlight Internet Protocol
(TCP/IP) and click Properties.
5. In the Internet Protocol (TCP/IP) Properties dialog box, ensure that the “Use the
following DNS server addresses” option is selected. Then, in the Preferred DNS
server text box, type the IP address of this DNS server. Click Advanced.
6. In the Advanced TCP/IP Settings dialog box, click the DNS tab.
7. On the DNS tab, type the FQDN of the DNS domain that this DNS server belongs
to in the “DNS suffix for this connection” text box. Generally it’s okay to accept the
remaining default settings on this tab. Click OK.
8. In the Internet Protocol (TCP/IP) Properties dialog box, click OK.
9. In the Local Area Connection Properties dialog box, click OK.
10. Close the Network and Dial-up Connections folder.

Configuring a Root Server


If this is the first DNS server on your network, and your network is not
connected to the Internet, you may want to consider configuring it to be
a root server. If you already have a root server on your network, or if your
network is connected to the Internet, you’ll need to configure this DNS
server to use either the existing root server on your network or the root
servers on the Internet.
In either case, you’ll need to run the Configure DNS Server Wizard,
which can be accessed by starting the DNS administrative tool. In addition
to enabling you to configure a root server, the Configure DNS Server
Wizard also enables you to create a forward lookup zone and a reverse
lookup zone.
Chapter 7 ▼ Installing and Configuring DNS and Active Directory 429

A forward lookup zone is a zone that contains the host name to IP address
mappings and information about available services for either a DNS
domain or a DNS domain and one or more of its subdomains. A reverse
lookup zone is a zone that contains IP address to host name mappings. The
mappings in a reverse lookup zone are the opposite of those contained in a
forward lookup zone. A DNS server uses a forward lookup zone when a
client computer knows the host name, but doesn’t know the associated IP
address. A DNS server uses a reverse lookup zone when a client computer
knows the IP address, but doesn’t know the associated host name.
The following steps explain how to configure a root server.

STEP BY STEP

CONFIGURING A ROOT SERVER

1. Select Start ➪ Programs ➪ Administrative Tools ➪ DNS.
2. In the DNS dialog box, highlight your computer in the left pane.
3. Windows 2000 indicates that your DNS server has not yet been configured,
as shown in Figure 7-2. Notice the two panes in the DNS administrative tool.

FIGURE 7-2 The DNS administrative tool

Select Action ➪ Configure the server.


4. The Configure DNS Server Wizard starts. Click Next.

5. The Root Server screen appears, as shown in Figure 7-3. Notice the two options
available in this screen.

FIGURE 7-3 Configuring a root server

TIP
If your DNS server is connected to the Internet, this screen won’t appear,
because the DNS server will automatically configure itself to use the root
servers on the Internet.

If you want to configure this server to be a root server, accept the default option
of “This is the first DNS server on this network.” Click Next.
If you want this DNS server to use an existing root server on your network, select
the “One or more DNS servers are running on this network” option, and provide
the IP address of a root server on your network that you want this server to use.
Click Next.
6. In the Forward Lookup Zone screen, you can choose whether or not to create
a forward lookup zone now.
If you select the “Yes, create a forward lookup zone” option and click Next, the New
Zone Wizard begins. (This wizard is explained fully in the next sections.) Follow the
instructions presented on-screen to create your forward lookup zone, and a reverse
lookup zone if desired. When you finish creating zones, skip to Step 7.

If you select the “No, do not create a forward lookup zone” option, click Next.
7. The Completing the Configure DNS Server Wizard screen appears. Click Finish.
8. The DNS dialog box reappears. This completes the configuration of a root server.
Close the DNS dialog box.

Configuring Properties of a DNS Server


There are numerous properties of a DNS server that you can configure.
These properties can be configured by using the DNS administrative tool.
(To access this tool, select Start ➪ Programs ➪ Administrative Tools ➪ DNS.)
To access a DNS server’s Properties dialog box, in the DNS administrative
tool, highlight the name of the DNS server you want to configure. Then
select Action ➪ Properties.
The DNS server’s Properties dialog box appears, as shown in Figure 7-4.
Notice the six tabs in this dialog box: Interfaces, Forwarders, Advanced,
Root Hints, Logging, and Monitoring.

FIGURE 7-4 A DNS server’s properties



Configuring Interfaces Also notice in Figure 7-4 that the Interfaces tab
appears on top. On this tab, you can limit or specify the network adapters
in this computer that will accept DNS queries from client computers.
There are two basic options on this tab:
■ All IP addresses: Selecting this option enables the DNS server
to accept client DNS queries that are addressed to any network
adapter in the server. This is the default setting.
■ Only the following IP addresses: Selecting this option
enables you to specify which network adapter(s) in the server
will accept client DNS queries. Once configured, the server
will only accept client DNS queries that are addressed to the
specified network adapters (which have been identified on
this tab by their associated IP addresses).
This feature is designed to help you protect your DNS server from
attack through a network adapter that is connected to a public network,
such as the Internet.

Configuring Forwarders The next tab in the DNS server’s Properties dialog
box is the Forwarders tab, which is shown in Figure 7-5.

FIGURE 7-5 Enabling forwarders



On this tab, you can configure the DNS server to use one or more other
existing DNS servers on your network as a forwarder. If you select this
option, you need to specify the IP address of at least one other DNS server
that will serve as a forwarder for this server.

TIP
If this DNS server is configured to be a root server, the options on this
tab are grayed out. You can’t configure a root server to use a forwarder.

Once you select the “Enable forwarders” check box on this tab and
specify an appropriate IP address, the DNS server that uses the specified IP
address automatically becomes a forwarder — no additional configuration
on the forwarder is required.
If you configure this server to use a forwarder, the “Do not use recursion”
option becomes available. Select this check box if you don’t want this DNS
server to attempt to contact a root server to resolve a DNS query if the
forwarder is unable to resolve the query.
I recommend that you select the “Do not use recursion” option because it
eliminates fruitless duplication of effort by this DNS server. If the forwarder
isn’t able to resolve the query, it’s unlikely that this server will be able to,
either.
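As an added example (Python, not from the book or from Windows 2000), the following models the decision described above: a query the server cannot answer from its own zones goes to the forwarder first, and the “Do not use recursion” check box decides whether a failed forwarder lookup ends there or is repeated from the root hints. The forwarder and the root servers are stand-ins backed by constructed tables; resolve and count_wasted_root_queries are names I chose.

```python
"""Added illustration (not Windows 2000 code): how a DNS server that cannot
answer a query from its own zones behaves under the Forwarders tab settings.
The forwarder and the root servers are simulated by constructed tables."""

# Constructed sample data: what each upstream server can resolve.
FORWARDER_KNOWS = {"www.example.com": "192.0.2.10"}
ROOT_PATH_KNOWS = {"www.example.com": "192.0.2.10", "ftp.example.net": "198.51.100.5"}


def ask_forwarder(name):
    """Simulated forwarder: returns an address, or None when it has no answer."""
    return FORWARDER_KNOWS.get(name)


def ask_via_root_servers(name):
    """Simulated recursive walk from the root hints down to the authority."""
    return ROOT_PATH_KNOWS.get(name)


def resolve(name, local_zones, enable_forwarders=False, do_not_use_recursion=False):
    """Return (answer_or_None, list_of_upstreams_contacted).

    local_zones: {host name: IP} this server is authoritative for (constructed).
    enable_forwarders: the "Enable forwarders" check box.
    do_not_use_recursion: the "Do not use recursion" check box; it only matters
                          when a forwarder is enabled.
    """
    contacted = []
    if name in local_zones:                  # authoritative answer, no upstream needed
        return local_zones[name], contacted

    if enable_forwarders:
        contacted.append("forwarder")
        answer = ask_forwarder(name)
        if answer is not None:
            return answer, contacted
        if do_not_use_recursion:             # give up: the forwarder was the last word
            return None, contacted

    # Either no forwarder is configured, or it failed and recursion is still
    # allowed, so the server repeats the work itself from the root hints.
    contacted.append("root servers")
    return ask_via_root_servers(name), contacted


def count_wasted_root_queries(names, local_zones, do_not_use_recursion):
    """Root-hint walks that end with no answer after the forwarder already failed:
    the duplication of effort the recommendation above is about."""
    wasted = 0
    for name in names:
        answer, contacted = resolve(name, local_zones, True, do_not_use_recursion)
        if "root servers" in contacted and answer is None:
            wasted += 1
    return wasted
```

With “Do not use recursion” cleared, every name the forwarder cannot resolve costs this server a second, usually fruitless, trip through the root hints; with it selected, the forwarder's failure is returned to the client directly.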

Configuring Advanced DNS Server Options The next tab in the DNS
server’s Properties dialog box is the Advanced tab, which is shown in
Figure 7-6.
In addition to displaying the version number of the DNS Server service,
this tab offers several configurable server options:
■ Disable recursion: The term recursion refers to repeating a process
until a solution is found. By default, recursion is enabled on DNS
servers. This means that a DNS server will contact as many other
DNS servers as necessary, one after another, to resolve a client DNS
query. Selecting the “Disable recursion” option prevents the DNS
server from contacting any other DNS servers to resolve a query. If
the DNS server does not have the mapping information required
to resolve the query, it provides the requesting client with the IP
address of the DNS server it would have contacted first if recursion
were enabled. It’s then up to the client computer to contact the
referred DNS server in an attempt to resolve the host name.

FIGURE 7-6 Configuring advanced options

■ BIND secondaries: This option, which is selected by default,
causes zones to be transferred from master DNS servers to secondary
DNS servers by using a fast zone transfer format. If all of your
secondary DNS servers are Windows 2000 DNS servers, you should
accept the default setting for this option. If some of your secondary
DNS servers are not Windows 2000 DNS servers, and if you have
been unable to successfully complete zone transfers to any of these
servers, consider clearing this check box.
■ Fail on load if bad zone data: Normally, when the DNS Server
service starts, it logs any errors it detects in its zone(s), but continues
to use these zones anyway. Selecting this option causes the DNS
Server service to log errors that it detects and to not use a zone
that contains errors. This check box is not selected by default.
■ Enable round robin: This option, which is selected by default, is a
nifty Windows 2000 load balancing feature. The round robin feature
is used when multiple servers (such as Web servers) have identical
configurations and identical host names, but different IP addresses.
The DNS server, when it contains multiple mappings for the same
host name, cycles through its list to provide a different IP address to

the requesting client each time the host name is requested, thereby
providing load balancing for the requested servers. If this option is
deselected, the DNS server responds with the IP address of the first
mapping entry in its zone that matches the client’s query.
■ Enable netmask ordering: This option, which is selected by
default, determines how a DNS server responds when it receives
a query to resolve a host name of a computer that has multiple
network adapters. When this option is selected, the DNS server
attempts to respond with the associated IP address that is physically
located on the same subnet as the client, thus avoiding unnecessary
routing traffic. If this option is deselected, the DNS server uses
round robin (if enabled) to respond to client queries.
■ Secure cache against pollution: This option determines how
much information gathered by a DNS server (when it must contact
multiple DNS servers to resolve a query) is cached for future use.
By default, all responses to queries are cached. When this option
is selected, only the final answer to the query is cached. This
option is not selected by default.
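The two load-balancing options described above, as an added Python example rather than code from the book or from Windows 2000. MultiHomedAnswerer holds constructed A records for one host name and shows the answer order under each combination of “Enable round robin” and “Enable netmask ordering”; the client's subnet is taken from a caller-supplied prefix length, which is an assumption of the model.

```python
"""Added illustration (not Windows 2000 code): how "Enable round robin" and
"Enable netmask ordering" shape the answer a DNS server gives when one host
name maps to several IP addresses. Names and records are constructed."""
import ipaddress


class MultiHomedAnswerer:
    def __init__(self, records, round_robin=True, netmask_ordering=True):
        # records: {host name: [IP address, ...]} in zone-file order
        self.records = records
        self.round_robin = round_robin
        self.netmask_ordering = netmask_ordering
        self._next_start = {}          # per-name rotation pointer for round robin

    def answer(self, name, client_ip, prefix_len=24):
        """Return the addresses in the order they would be sent to the client."""
        addresses = list(self.records.get(name, []))
        if not addresses:
            return []

        if self.round_robin:
            # Rotate the start position on every query so clients are spread
            # across the servers; with the option off, zone order is kept.
            start = self._next_start.get(name, 0)
            addresses = addresses[start:] + addresses[:start]
            self._next_start[name] = (start + 1) % len(addresses)

        if self.netmask_ordering:
            # Prefer addresses on the client's own subnet. The subnet size comes
            # from prefix_len here, which is an assumption of this model.
            client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
            local = [a for a in addresses if ipaddress.ip_address(a) in client_net]
            remote = [a for a in addresses if ipaddress.ip_address(a) not in client_net]
            # A stable split keeps the round-robin order inside each group.
            addresses = local + remote

        return addresses

    def first_answer(self, name, client_ip, prefix_len=24):
        """The single address a client that only uses the first record will pick."""
        answers = self.answer(name, client_ip, prefix_len)
        return answers[0] if answers else None
```

Netmask ordering is applied after the rotation, so a client on the same subnet as one of the servers always gets that server first, while clients elsewhere are still cycled through the full list.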
The next configurable option on the Advanced tab is “Name checking.”
When you manually create a resource record, the DNS server checks the
host name contained in this record, and verifies that it meets certain criteria.
The drop-down list box contains three name checking methods that the
DNS server can use: Strict RFC (ANSI), Non-RFC (ANSI), and Multibyte
(UTF8). Multibyte (UTF8) is the default setting, and permits the DNS
server to recognize more characters than either of the other two options. I
recommend that you accept the default setting, unless you are using other
DNS servers on your network that don’t support this option.
The next option on this tab is “Load zone data on startup.” This option
determines where the DNS server will look for its initialization information
when the DNS Server service starts. The three options available in the
drop-down list box are “From registry,” “From file,” and “From Active
Directory and registry.” The default setting is “From Active Directory and
registry,” and is appropriate for most situations.
The last option on the Advanced tab is “Enable automatic scavenging of
stale records.” Selecting this option enables scavenging on the DNS server.
Scavenging is the process of searching for and deleting stale resource records
in zones. If you select this option, you can configure an additional option
that defines how old a record must be in order to be considered stale. The
default scavenging period is seven days. In addition to enabling scavenging
on the DNS server, you must also manually configure scavenging for each
zone managed by this DNS server before any scavenging will occur. (I’ll
discuss how to do this later in the chapter when I explain how to configure
a zone for dynamic updates.)

CAUTION
I recommend that you read all of the on-line Windows 2000 Help infor-
mation on scavenging before you implement this feature. If this feature is
incorrectly implemented, DNS resource records that you want to keep
may be deleted.

Configuring Root Hints The next tab in the DNS server’s Properties dialog
box is the Root Hints tab, which is shown in Figure 7-7. Notice the server
names and IP addresses listed on this tab.

FIGURE 7-7 Root hints

Root hints are server name and IP address combinations that point to
root servers located either on the Internet or on your organization’s private
network. The Root Hints tab contains a list of DNS servers that this DNS
server can contact to resolve client DNS queries for host names that reside
in another DNS domain.
If a Windows 2000 DNS server is connected to the Internet, its Root
Hints tab should be similar to Figure 7-7. Figure 7-7 shows the list of root
servers on the Internet.
If a Windows 2000 DNS server is configured to be a root server, the
command buttons on the Root Hints tab are grayed out, because a root
server doesn’t need to contact other root servers.

TIP
You can’t configure root hints on a Windows 2000 DNS server that is a
root server.

If your Windows 2000 DNS server is not configured as a root server,
Windows 2000 should have automatically configured root hints when you
used the Configure DNS Server Wizard. If root hints are not automatically
configured on your Windows 2000 DNS server, or if they are configured
incorrectly, you can manually specify the root DNS servers this DNS
server should contact. To add, edit, or remove root hints, click the
appropriate command button on the Root Hints tab.
There are two remaining tabs in the DNS server’s Properties dialog
box — Logging and Monitoring. I’ll cover both of these tabs later in this
chapter when I discuss testing, monitoring, and troubleshooting DNS.

Configuring a Caching-only Server


Once you’ve installed the DNS Server service on your Windows 2000
Server/Advanced Server computer and configured it to use a root server,
your computer is, by default, a caching-only DNS server. The only additional
configuration required is to configure client computers to use this DNS
server. I’ll explain how to configure client computers to use a DNS server a
little later in this chapter.

Creating and Configuring Zones


Before you can add resource records to your DNS server, you need to create
and configure one or more zones to contain those resource records.
You can create and configure several different types of DNS zones:
■ Forward lookup zone: This type of zone contains host name to IP
address mappings and information about available services for either a
DNS domain or a DNS domain and one or more of its subdomains.
■ Reverse lookup zone: This type of zone contains IP address to
host name mappings.
■ Standard primary zone: This type of zone can be either a forward
lookup or reverse lookup zone. In either case, the standard primary
zone is the master copy of that zone. All other copies of the standard
primary zone are standard secondary zones.
■ Active Directory-integrated zone: This type of zone can
be either a forward lookup or reverse lookup zone. In either case,
the Active Directory-integrated zone is the master copy of that
zone. However, because Active Directory supports multiple master
replication, there can be more than one instance of the Active
Directory-integrated zone on different DNS servers. In addition,
copies of the Active Directory-integrated zone can be created as
standard secondary zones.
■ Standard secondary zone: This type of zone is a copy of either
a standard primary zone or an Active Directory-integrated zone.
Standard secondary zones must be created on different DNS
servers than the DNS server that contains the master copy of the
zone. The purpose of standard secondary zones is to provide load
balancing and fault tolerance for the zone.
Zones and DNS domains have an interesting relationship. When you
create a standard primary forward lookup zone or an Active Directory-
integrated forward lookup zone, you also create (without performing
any additional steps) a DNS domain that has the same name as your
newly created zone. The new DNS domain is not a separate entity from
the new zone — in fact, unless subdomains are created within this zone,
the new zone and the new DNS domain are one and the same.
The DNS administrative tool contains a handy wizard for creating and
configuring zones. It’s called the New Zone Wizard, and I’ll show you how
to use this wizard in the next several sections.

Creating and Configuring a Standard Primary Zone Creating and configuring
a standard primary zone is typically one of the first zone configuration
tasks performed when implementing DNS. In the next sections I’ll show
you how to create a standard primary forward lookup zone, a standard
primary reverse lookup zone, and finally, how to configure your newly created
standard primary zones.

STEP BY STEP

CREATING A STANDARD PRIMARY FORWARD LOOKUP ZONE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ DNS.
2. In the DNS dialog box, click the + next to the DNS server’s name in the left pane.
3. In the left pane, highlight the Forward Lookup Zones folder. Select Action ➪
New Zone.
4. The New Zone Wizard begins. Click Next.
5. The Zone Type screen appears, as shown in Figure 7-8. Notice the three types
of zones you can create.

FIGURE 7-8 Creating a standard primary zone

Also notice that the option next to “Active Directory-integrated” is grayed out — this
option is only available after you install Active Directory and the DNS Server service
on a Windows 2000 Server/Advanced Server computer.
Accept the default option of “Standard primary” and click Next.
6. In the Zone Name screen, type in the name of the zone you are creating. This
name is usually the FQDN of the DNS domain that the zone will contain, such
as microsoft.com. Click Next.
7. The Zone File screen appears. In this screen, you can either create a new zone file
for the new zone, or configure the new zone to use an existing file. I recommend
you accept the default option of “Create a new file with this file name,” and also
that you accept the default filename presented. Click Next.

8. The Completing the New Zone Wizard screen appears. Click Finish.
9. The DNS dialog box reappears. Notice that the new zone you created appears
in the right pane.

After creating a forward lookup zone to resolve host names to IP
addresses, you’ll probably want to create a reverse lookup zone so that client
computers can resolve IP addresses to host names. The following steps
explain how to accomplish this.

STEP BY STEP

CREATING A STANDARD PRIMARY REVERSE LOOKUP ZONE

1. Start the DNS administrative tool if it is not already running.
(Select Start ➪ Programs ➪ Administrative Tools ➪ DNS.)
2. In the DNS dialog box, click the + next to the DNS server’s name in the left pane
if this computer is not already expanded.
3. In the left pane, highlight the Reverse Lookup Zones folder. Select
Action ➪ New Zone.
4. The New Zone Wizard begins. Click Next.
5. The Zone Type screen appears. Accept the default option of “Standard primary”
and click Next.
6. The Reverse Lookup Zone screen appears, as shown in Figure 7-9. Notice the
two options available on this screen: you can either identify the reverse lookup
zone you’re creating by network ID, or by typing in a name for the new reverse
lookup zone.
Because it’s difficult to construct the correct name for a reverse lookup zone, I
recommend that you select the default “Network ID” option and enter the network ID
of the zone. This network ID is really the network ID of the subnet for which this
reverse lookup zone will provide IP address to host name resolution. Click Next.

CROSS-REFERENCE
For more information on network IDs, subnets, and other TCP/IP issues,
see Chapter 16.

FIGURE 7-9 Creating a reverse lookup zone

7. The Zone File screen appears. In this screen, you can either create a new zone file
for the new zone, or configure the new zone to use an existing file. I recommend you
accept the default option of “Create a new file with this file name,” and also that you
accept the default filename presented. Click Next.
8. The Completing the New Zone Wizard screen appears. Click Finish.
9. The DNS dialog box reappears. Notice that the new zone you created appears
in the right pane.
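Step 6 above recommends the Network ID option because the reverse zone name is easy to get wrong. As an added Python example (not the wizard's code), reverse_zone_name builds that name from a network ID on an octet boundary, ptr_owner_name and ptr_record derive a host's PTR entry, and zone_for_ptr checks which configured zone is authoritative for an address; the function names and the sample networks are my own.

```python
"""Added illustration (not the New Zone Wizard's code): how the reverse lookup
zone name is derived from a network ID, and how an address's PTR owner name
is matched against a zone. Function names and sample data are constructed."""
import ipaddress

SUFFIX = ".in-addr.arpa"


def reverse_zone_name(network_id, prefix_len):
    """Zone name for a network ID on an octet boundary, e.g. ('192.168.1.0', 24)
    -> '1.168.192.in-addr.arpa'. Strict parsing rejects a network ID that has
    host bits set, which is the usual way to end up with a wrong zone name."""
    if prefix_len not in (8, 16, 24):
        # The wizard takes whole octets; classless (RFC 2317) delegations are
        # outside this model.
        raise ValueError("prefix length must be 8, 16 or 24")
    network = ipaddress.ip_network(f"{network_id}/{prefix_len}")  # strict=True by default
    octets = str(network.network_address).split(".")[: prefix_len // 8]
    return ".".join(reversed(octets)) + SUFFIX


def ptr_owner_name(ip):
    """Owner name of the PTR record for an IPv4 address."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + SUFFIX


def ptr_record(ip, host_fqdn):
    """Zone-file style text of the PTR record mapping ip back to host_fqdn."""
    return f"{ptr_owner_name(ip)}. IN PTR {host_fqdn.rstrip('.')}."


def zone_for_ptr(ip, zone_names):
    """Which of the configured reverse zones (if any) holds the PTR for ip.
    The longest matching zone wins: a 24-bit zone is more specific than an 8-bit one."""
    owner = ptr_owner_name(ip)
    matches = [z for z in zone_names if owner.endswith("." + z)]
    return max(matches, key=len) if matches else None
```

The same octet reversal that produces the zone name produces the PTR owner name, which is why a zone named for the wrong network ID silently fails to match any of the addresses it was meant to serve.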

Now that you’ve created your forward lookup and reverse lookup
zones, you may want to consider configuring the properties of these zones
if the default settings don’t meet your needs.

STEP BY STEP

CONFIGURING A STANDARD PRIMARY ZONE (FORWARD LOOKUP OR
REVERSE LOOKUP)

1. Start the DNS administrative tool if it is not already running. (Select Start ➪
Programs ➪ Administrative Tools ➪ DNS.)

2. In the DNS dialog box, click the + next to the DNS server’s name in the left pane
if this computer is not already expanded.
3. If you want to configure a forward lookup zone, click the + next to the Forward
Lookup Zones folder in the left pane.
If you want to configure a reverse lookup zone, click the + next to the Reverse
Lookup Zones folder in the left pane.
In the left pane, highlight the specific zone you want to configure. Select
Action ➪ Properties.
4. The zone’s Properties dialog box appears, as shown in Figure 7-10. Notice the
five tabs in this dialog box.

FIGURE 7-10 Configuring a zone

Figure 7-10 shows the zone properties of a standard primary forward lookup zone.
On the General tab, notice that the status of the zone and type of the zone are
indicated. You can pause the zone (if it is running), or start the zone (if it is paused) on
this tab. You can also change the type of the zone on this tab. (I’ll discuss changing
zone types in more depth later in this chapter.)
Also notice that the zone filename is displayed on the General tab, and that you can
configure the zone to allow dynamic updates. (See the section on “Configuring
zones for dynamic updates” later in this chapter for more information.)
Make any appropriate configurations on this tab, and click the Start of Authority
(SOA) tab.

5. The Start of Authority (SOA) tab appears, as shown in Figure 7-11.

FIGURE 7-11 Configuring a zone’s SOA properties

The default settings on this tab are acceptable in most situations, with the
exception of the entry in the “Responsible person” text box. (This entry should
be the e-mail address of the DNS administrator responsible for maintaining this
DNS server.) That said, here are descriptions of each of the configurable
options on the Start of Authority (SOA) tab:
■ Serial number: This number represents the version number, if you will, of
the zone. Each time a resource record is added, modified, or deleted from a
zone, the serial number increases by one. Secondary servers use the serial
number to determine whether they have the most recent copy of the zone.
This number is normally not modified by administrators.
■ Primary server: This is the host name of this DNS server. This field should
not be modified unless you designate a different server to be the standard
primary server for this zone.
■ Responsible person: This field should contain the e-mail address of the
administrator responsible for this DNS server. Normally, e-mail addresses
contain an @ sign, for example, alan_carter@usa.net. In this field, you
should not use the @ sign — use a period (.) instead of the @ sign. The
previous e-mail name would be entered in this field as alan_carter.usa.net.
■ Refresh interval: This is the amount of time a secondary server waits
between attempts to update its copy of the zone.
■ Retry interval: This is the amount of time a secondary server waits (after a
failed attempt to update its copy of the zone) before it tries again. This
interval is usually shorter than the refresh interval.
■ Expires after: This is the amount of time a secondary server will continue to
respond to queries for this zone after a successful refresh. If the secondary
server is unable to refresh its copy of the zone before this time expires, it will
stop responding to client queries for this zone. The interval specified here
should be longer than the refresh interval.
■ Minimum (default) TTL: This field specifies the minimum length of time other
DNS servers should cache query results received from this DNS server. Values
are entered in this text box in the format days:hours:minutes:seconds. As
Figure 7-11 shows, the default setting is 0 days, 1 hour, 0 minutes, 0 seconds.
■ TTL for this record: This field specifies the length of time other DNS
servers should cache this DNS server’s Start of Authority (SOA) record
when they request and receive it. Values are entered in this text box in the
same format as the Minimum (default) TTL text box.
Make any appropriate configurations on this tab, and click the Name Servers tab.
6. The Name Servers tab appears, as shown in Figure 7-12.

FIGURE 7-12 Configuring a list of DNS servers for the zone



This tab shows a list of known DNS servers for this zone. By default, only the primary
server for the zone is listed. You must manually add entries for each secondary server
for the zone.
Use the Add, Edit, and Remove command buttons on this tab to make any
necessary configurations. Then click the WINS tab.
7. The WINS tab appears, as shown in Figure 7-13.

FIGURE 7-13 Enabling WINS lookup

On this tab you can configure the DNS server to query a specified WINS
server to resolve host names that the DNS server is unable to resolve by
searching the resource records contained in this zone. A WINS server is
used to resolve NetBIOS computer names into IP addresses. For more
information on WINS, see Chapter 16.

TIP
Reverse lookup zones don’t have a WINS tab — they have a WINS-R tab.
The WINS-R tab is used to configure the DNS server to use a specified
WINS server to resolve IP addresses that the DNS server is unable to
resolve by searching the resource records in this zone.

To enable WINS lookup, select the check box next to “Use WINS forward lookup”
and add the IP address of at least one WINS server that you want this DNS server
to use.

Make any appropriate configurations on this tab, and click the Zone Transfers tab.
8. The Zone Transfers tab appears, as shown in Figure 7-14.

FIGURE 7-14 Configuring zone transfers

The settings on this tab determine how this zone handles the process of copying
this zone (in other words, performing zone transfers) to secondary servers. By
default, the zone is configured to allow zone transfers to any secondary DNS
server that requests a copy of the zone. If you want to protect your zone’s data,
you can configure the zone to only transfer copies of the zone to servers listed
on the Name Servers tab, or only to a list of specified servers.
You can also specify which secondary servers will be notified of updates to the zone.
This means that when the zone’s serial number increases, the specified secondary
servers will be notified of the change. By default, all servers listed on the Name
Servers tab are notified of updates.
Make any appropriate configurations on this tab, and click OK.
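The SOA and Zone Transfers settings walked through above, as an added Python model that is not the book's or Windows 2000's code. It converts a responsible-person address to the dotted form, parses the days:hours:minutes:seconds intervals, checks the relationships the tab descriptions call for, bumps the serial on every record change, and applies the zone transfer and notify policies to a requesting server. The class and function names, the default intervals (except the 1-hour minimum TTL shown in Figure 7-11), and the sample addresses are constructed.

```python
"""Added illustration (not Windows 2000 code): a model of a standard primary
zone's Start of Authority (SOA) and Zone Transfers settings with the sanity
checks an administrator applies to them. Names and sample values are constructed."""
from dataclasses import dataclass, field


def responsible_person(email):
    """Turn an e-mail address into the form the Responsible person field
    expects: the '@' becomes a '.'. Dots inside the mailbox part are escaped
    as RFC 1035 requires, so 'j.doe@example.com' -> 'j\\.doe.example.com'."""
    mailbox, at, domain = email.partition("@")
    if not (at and mailbox and domain):
        raise ValueError(f"not an e-mail address: {email!r}")
    return mailbox.replace(".", "\\.") + "." + domain


def parse_interval(text):
    """'days:hours:minutes:seconds', the format of the SOA tab, -> seconds."""
    parts = [int(p) for p in text.split(":")]
    if len(parts) != 4 or any(p < 0 for p in parts):
        raise ValueError(f"expected days:hours:minutes:seconds, got {text!r}")
    days, hours, minutes, seconds = parts
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


@dataclass
class Soa:
    primary_server: str
    responsible: str
    serial: int = 1
    refresh: int = parse_interval("0:0:15:0")      # constructed sample values,
    retry: int = parse_interval("0:0:10:0")        # not the wizard's defaults
    expire: int = parse_interval("1:0:0:0")
    minimum_ttl: int = parse_interval("0:1:0:0")   # the default shown in Figure 7-11

    def problems(self):
        """Relationships between the intervals that the tab descriptions call for."""
        issues = []
        if self.retry >= self.refresh:
            issues.append("retry interval should be shorter than the refresh interval")
        if self.expire <= self.refresh:
            issues.append("expire interval must be longer than the refresh interval")
        if "@" in self.responsible:
            issues.append("responsible person must use '.' in place of '@'")
        return issues


@dataclass
class PrimaryZone:
    name: str
    soa: Soa
    name_servers: list = field(default_factory=list)   # IPs on the Name Servers tab
    transfer_policy: str = "any"                         # "any" | "name_servers" | "list"
    transfer_list: list = field(default_factory=list)   # used when policy == "list"
    records: dict = field(default_factory=dict)

    def set_record(self, host, ip):
        """Adding or modifying a record bumps the serial so secondaries notice."""
        self.records[host] = ip
        self.soa.serial += 1

    def delete_record(self, host):
        del self.records[host]
        self.soa.serial += 1

    def allows_transfer_to(self, requester_ip):
        """The Zone Transfers tab decision: 'any' hands the whole zone to whoever
        asks, so the two tighter policies are what protect the zone's data."""
        if self.transfer_policy == "any":
            return True
        if self.transfer_policy == "name_servers":
            return requester_ip in self.name_servers
        if self.transfer_policy == "list":
            return requester_ip in self.transfer_list
        raise ValueError(f"unknown transfer policy {self.transfer_policy!r}")

    def notify_targets(self):
        """Default notify list: every server on the Name Servers tab."""
        return list(self.name_servers)


def secondary_needs_transfer(secondary_serial, primary_serial):
    """A secondary pulls a new copy only when the primary's serial is higher."""
    return primary_serial > secondary_serial


def secondary_may_answer(seconds_since_last_refresh, soa):
    """A secondary keeps answering only until the expire interval runs out."""
    return seconds_since_last_refresh < soa.expire
```

Running problems() on a proposed SOA before saving the tab catches the two mistakes the descriptions warn about (a retry longer than the refresh, an expiry shorter than the refresh) and the '@' that the Responsible person field must not contain.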

Creating and Configuring a Standard Secondary Zone Before you can
create a standard secondary zone, you must have first created a standard
primary zone on another DNS server. This is important — a standard
secondary zone is created on a different server than the DNS server that
contains the standard primary zone. In addition, the zone name of a
standard secondary zone must match the name of the standard primary zone
as it will be copied to the secondary server.
A standard secondary zone can be either a forward lookup or reverse
lookup zone.
In the remainder of this section I’ll explain how to create and configure
a standard secondary zone.

STEP BY STEP

CREATING A STANDARD SECONDARY ZONE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ DNS.
2. In the DNS dialog box, click the + next to the DNS server’s name in the left pane.
3. In the left pane, highlight either the Forward Lookup Zones or Reverse
Lookup Zones folder, depending on the type of secondary zone you want to
create. Select Action ➪ New Zone.
4. The New Zone Wizard begins. Click Next.
5. The Zone Type screen appears. Select the option next to “Standard secondary”
and click Next.
6. If you’re creating a standard secondary forward lookup zone, the Zone Name
screen appears. On this screen, type the name of the secondary zone you are
creating. This zone name must match the name of a zone on another DNS server
that you want to copy to this DNS server. If you don’t know the name of the zone,
click Browse and browse for it. Click Next.
If you’re creating a standard secondary reverse lookup zone, the Reverse
Lookup Zone screen appears. On this screen, identify the reverse lookup
zone either by entering a network ID or by typing in the name of the reverse
lookup zone. Click Next.
7. The Master DNS Servers screen appears. In the IP address text box, type the IP
address of the DNS server that contains the zone you want to copy to this DNS
server. If you don’t know the IP address of this server, you can click Browse and
browse for it. Click Add. Then click Next.
8. The Completing the New Zone Wizard screen appears. Click Finish.

Once you’ve created a secondary zone, you can configure it if necessary.
Normally, though, configuration of a secondary zone is not required.
The process of configuring a secondary zone is just like configuring a
primary zone, except that the Start of Authority (SOA) and Name Servers
tabs are grayed out (not configurable) for secondary zones.

Configuring Zones for Dynamic Updates As I mentioned earlier, dynamic
update enables client computers and servers to register and update their
host names and IP addresses with a DNS server without administrator
intervention. Dynamic update is defined and specified in RFC 2136.
However, dynamic update is not enabled by default on Windows 2000
DNS servers. Dynamic update must be enabled on a zone-by-zone basis.
During the process of configuring a zone for dynamic updates, you
have the option to enable and configure scavenging. Scavenging is the
process of searching for and deleting stale resource records in a zone.
Enabling scavenging can help keep a zone from becoming overloaded
with stale resource records. Before the advent of dynamic update, it was
the administrator’s job to manually add and remove resource records as
needed. Now, with client computers and servers dynamically registering
with a DNS server, scavenging becomes a necessity so that old, outdated
resource records are removed from the zone.

STEP BY STEP

CONFIGURING A ZONE FOR DYNAMIC UPDATES

1. Select Start ➪ Programs ➪ Administrative Tools ➪ DNS.
2. In the DNS dialog box, click the + next to the DNS server’s name in the left pane.
Then, under the DNS server’s name, click the + next to the Forward Lookup
Zones or Reverse Lookup Zones folder, depending on the zone you want
to configure. In the left pane, highlight the zone you want to configure for dynamic
updates, and select Action ➪ Properties.
3. The zone’s Properties dialog box appears, as shown in Figure 7-15. Notice the
drop-down list box next to “Allow dynamic updates?” Also notice that the default
setting for this option is No.
Select Yes in the “Allow dynamic updates?” drop-down list box.
If you want to enable and configure scavenging for this zone, click Aging.
Otherwise, skip to Step 6.
4. The Zone Aging/Scavenging Properties dialog box appears, as shown
in Figure 7-16.
Chapter 7 ▼ Installing and Configuring DNS and Active Directory 449

FIGURE 7-15 Configuring a zone for dynamic updates

FIGURE 7-16 Configuring scavenging

In this dialog box, there are three configuration options:

■ Scavenge stale resource records: Selecting this check box causes this
DNS server to scavenge (search for and delete) stale resource records in
the zone. If you select this option, you should configure the other two options
to define how old a record must be in order to be considered stale.
■ No-refresh interval: This option specifies the number of hours or days a client
computer of this DNS server must wait, from the time it creates (or refreshes)
a record in the zone, until it is permitted to refresh that record. If the record
changes during this period, however, the client is permitted to update it. The
purpose of limiting refresh frequency is to limit the load on the DNS server.
■ Refresh interval: This option specifies the amount of time that must elapse,
in addition to the amount of time specified for the no-refresh interval, before
the DNS server is permitted to scavenge the record. The client computer is
permitted to refresh the record during this time.

TIP
When a client computer refreshes a record, the timestamp on the record
is updated, and the no-refresh interval begins again.

Microsoft recommends that you set the refresh interval to the same length of time
as the no-refresh interval. The default time interval for both options is seven days.
Select and/or configure the appropriate options. Click OK.
5. If you are configuring a standard primary zone for dynamic updates and you
enabled scavenging, a DNS warning dialog box appears. Click Yes to continue.
6. The zone’s Properties dialog box reappears. Click OK.
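The interplay between a record’s timestamp, the no-refresh interval, and the refresh interval is easier to see in code than in prose. The following Python model is an added example written for this edition; it is not code from the book or from Windows 2000. It uses the seven-day defaults named above, constructed sample records, and one assumption stated in the comments: a record that carries no timestamp is static (created by hand) and is therefore never scavenged.

```python
"""Aging/scavenging timing for a Windows 2000 DNS zone, modelled in Python.

Added example (not Microsoft's code). Intervals default to the seven-day
values the text names; sample records are constructed.
"""
from datetime import datetime, timedelta

NO_REFRESH_INTERVAL = timedelta(days=7)   # default "No-refresh interval"
REFRESH_INTERVAL = timedelta(days=7)      # default "Refresh interval"


def days(n):
    """Shorthand used by the sample timeline below."""
    return timedelta(days=n)


def refresh_allowed(timestamp, now, data_changed=False,
                    no_refresh=NO_REFRESH_INTERVAL):
    """May a client re-register this record right now?

    A refresh (same data, only the timestamp moves) is refused inside the
    no-refresh interval to limit load on the server; an update that changes
    the record's data is accepted at any time.
    """
    if data_changed:
        return True
    return now >= timestamp + no_refresh


def scavengeable(timestamp, now, no_refresh=NO_REFRESH_INTERVAL,
                 refresh=REFRESH_INTERVAL):
    """Stale once no-refresh + refresh has elapsed since the timestamp."""
    return now >= timestamp + no_refresh + refresh


def client_refresh(record, now, data_changed=False,
                   no_refresh=NO_REFRESH_INTERVAL):
    """Simulate a dynamic-update client refreshing a record dict.

    Returns True if the server accepted it; on success the timestamp is
    reset to `now`, so the no-refresh interval starts over.
    """
    if record["timestamp"] is None:
        return False   # assumption: static records are not aged at all
    if not refresh_allowed(record["timestamp"], now, data_changed, no_refresh):
        return False
    record["timestamp"] = now
    return True


def scavenge(records, now, no_refresh=NO_REFRESH_INTERVAL,
             refresh=REFRESH_INTERVAL):
    """Return the records one scavenging pass would delete.

    Records without a timestamp (static, administrator-created) are skipped;
    only dynamically registered records age out.
    """
    return [r for r in records
            if r["timestamp"] is not None
            and scavengeable(r["timestamp"], now, no_refresh, refresh)]


# Constructed sample zone: one static record and two dynamic ones.
T0 = datetime(2000, 4, 24, 9, 0)
SAMPLE_ZONE = [
    {"name": "srv1.example.com", "type": "A", "data": "10.0.0.10", "timestamp": None},
    {"name": "ws01.example.com", "type": "A", "data": "10.0.0.51", "timestamp": T0},
    {"name": "ws02.example.com", "type": "A", "data": "10.0.0.52", "timestamp": T0},
]


def demo():
    """Walk ws01 through the timeline and run a scavenging pass on day 15."""
    zone = [dict(r) for r in SAMPLE_ZONE]
    ws01 = zone[1]
    outcome = {
        # Day 3: a plain refresh is refused (inside the no-refresh interval) ...
        "day3_refresh": client_refresh(ws01, T0 + days(3)),
        # ... but a change to the record's data would be accepted.
        "day3_change": refresh_allowed(T0, T0 + days(3), data_changed=True),
        # Day 8: the refresh is accepted and ws01's timestamp moves to day 8.
        "day8_refresh": client_refresh(ws01, T0 + days(8)),
    }
    # Day 15: only the never-refreshed ws02 has passed 7 + 7 days.
    outcome["scavenged_day15"] = [r["name"] for r in scavenge(zone, T0 + days(15))]
    return outcome


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three outcomes the text describes: the day-3 refresh is refused while a data change is not, the day-8 refresh restarts the no-refresh clock for ws01, and the day-15 pass removes only ws02. The static srv1 record is never touched, which is why records you create by hand in a zone with scavenging enabled have to be reviewed separately.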

Converting a Standard Primary Zone to an Active Directory-integrated Zone

When Active Directory is installed on a Windows 2000 Server (or
Advanced Server) computer, that computer becomes a domain controller.
After you install Active Directory on a Windows 2000 Server/Advanced
Server computer that has the DNS Server service installed, you might want
to consider converting the server’s standard primary zone to an Active
Directory-integrated zone. Although this conversion is not mandatory,
there are several advantages to converting to an Active Directory-integrated
zone:
■ Increased performance of DNS server: Because resource
records in an Active Directory-integrated zone are stored in a
database, rather than in a text file (as is the case in a standard
primary zone), the DNS Server service can respond faster to
client DNS queries. Query performance is increased because
it’s faster to search a database than a text file.
■ No need to use secondary servers: When Active Directory-
integrated zones are used, DNS resource records are stored in the
Active Directory data store, and Active Directory replicates these
resource records to all other domain controllers in the domain.
Because of this, DNS servers that are also domain controllers auto-
matically receive a copy of all Active Directory-integrated zones.
Because Active Directory is performing the replication, it’s not nec-
essary to create secondary servers that will initiate zone transfers.
■ More masters available for updates: Because Active Directory
supports multiple master replication, each DNS server/domain
controller that receives a copy of an Active Directory-integrated
zone can accept updates for that zone.
The steps that follow explain how to convert a standard primary zone to
an Active Directory-integrated zone after Active Directory has been
installed. You can also use this same basic set of steps to change a zone’s
type for any other reason.

STEP BY STEP

CHANGING A ZONE TYPE: CONVERTING TO AN ACTIVE DIRECTORY-INTEGRATED ZONE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ DNS.
2. In the left pane of the DNS dialog box, click the + next to the name of the DNS
server that contains the zone you want to change. Then, under this computer’s
name, click the + next to the Forward Lookup Zones or Reverse Lookup
Zones folder, depending on the zone you want to change. In the left pane,
highlight the zone you want to change, and select Action ➪ Properties.
3. The zone’s Properties dialog box appears. Click Change.
4. The Change Zone Type dialog box appears, as shown in Figure 7-17. Notice the
three zone types you can select in this dialog box: Active Directory-integrated,
standard primary, and standard secondary.

FIGURE 7-17 Changing a zone type

Select the “Active Directory-integrated” option, and click OK.
5. When a DNS warning message appears, asking if you’re sure you want this zone
to become an Active Directory-integrated primary zone, click OK.
6. In the zone’s Properties dialog box, click OK.

Integrating an Active Directory DNS with a Non–Active Directory DNS

In today’s mixed networks, it’s not too uncommon to have an Active
Directory-integrated DNS server on the same network as a non–Active
Directory DNS server. The non–Active Directory DNS server may run
Windows 2000, or it may run UNIX or any other operating system that
supports DNS servers. As long as the non–Active Directory DNS server
supports SRV (service) resource records, you can configure it to integrate
with the Active Directory-integrated DNS server.
When a non–Active Directory DNS server is configured to integrate with
an Active Directory-integrated DNS server, the non–Active Directory DNS
server will maintain a secondary copy of one or more zones from the Active
Directory-integrated DNS server. The non–Active Directory DNS server
will then be able to respond to client queries for host name resolution in the
zone(s) it has received from the Active Directory-integrated DNS server.
To configure a non–Active Directory DNS server to integrate with an
Active Directory-integrated DNS server, you need to create a standard
secondary zone on the non–Active Directory DNS server. When you
create this secondary zone, you must assign it the same name as the
Active Directory-integrated zone, and specify the IP address of the
Active Directory-integrated DNS server.

TIP
If you want the non–Active Directory DNS server to maintain a copy of
more than one Active Directory-integrated zone, you must create a
secondary zone for each Active Directory-integrated zone that you want the
server to maintain a copy of.

The actual steps involved in creating and configuring a secondary zone
on a non–Active Directory DNS server vary depending on the operating
system and type of DNS server software being used. To create a secondary
zone on a Windows 2000 DNS server, see the step-by-step section earlier
in this chapter titled “Creating a standard secondary zone.”

Managing Replication of DNS

As I mentioned earlier, Microsoft sometimes refers to zone transfers as
replication. DNS replication tasks don’t normally require much
administrative time, but there are a few considerations to take into account.
The easiest way to manage replication of DNS data on a Windows 2000
network is to simply let Active Directory do the replicating. To do this, all
DNS servers need to be installed on Windows 2000 Server/Advanced Server
domain controllers, and all zones need to be Active Directory-integrated
zones. In this scenario, Active Directory automatically manages the replication
of all DNS zones and their resource records.
If you choose to not use Active Directory or to not use Active
Directory-integrated zones, you can implement replication of zone data by
creating secondary servers. Once you’ve implemented replication, there are
a few DNS configuration options to help you manage zone transfers.
One way you can manage replication is by configuring the properties of
the zone. For example, suppose that you want to protect the data in a standard
primary zone so that it can only be replicated to secondary servers that you
specify. By default, standard primary zones are configured to allow zone
transfers to any server. So, in order to restrict zone transfers to specific servers,
you’ll need to select the “Only to the following servers” option and then
specify the IP addresses of the secondary servers you want the standard
primary zone to allow zone transfers to. This configuration is made on the Zone
Transfers tab in the standard primary zone’s Properties dialog box. (See the
“Configuring a standard primary zone” section earlier in this chapter for
details on how to perform this task.) Figure 7-18 shows the Zone Transfers
tab after it has been configured to limit zone transfers to a specified list of
DNS servers.

FIGURE 7-18 Limiting zone transfers

You might also want to configure notification of secondary servers so
that they will request a zone transfer immediately after updates are made to
the standard primary zone. To do this, you can click Notify on the Zone
Transfers tab in the standard primary zone’s Properties dialog box. After
you click Notify, you can specify the IP addresses of the secondary servers
that will be notified of zone updates. Figure 7-19 shows the Notify dialog
box after it has been configured to automatically notify a specified list of
secondary DNS servers of an update to the zone.
If your network structure requires it, you can make these same types of
configurations to secondary servers to specify the additional secondary
servers they are allowed to make zone transfers to, or the additional
secondary servers they will notify of updates to the zone.

FIGURE 7-19 Configuring notification of secondary servers

Another way to manage replication is by configuring the properties of the
DNS server. For example, if you have secondary servers that don’t support
the fast zone transfer format, such as older DNS servers or non-Windows
2000 DNS servers, you should consider configuring the properties of the
primary (or secondary) DNS server that is replicating to the secondary
servers that don’t support the fast zone transfer format. To do this, in the
server’s Properties dialog box, clear the “BIND secondaries” check box on
the Advanced tab. (See Figure 7-6 and the “Configuring advanced DNS
server options” section earlier in this chapter for details on how to perform
this task.)
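The zone transfer and notify settings discussed above can be checked as a small policy. The following Python class is an added example written for this edition, not Microsoft’s code or the DNS console’s own logic. It models the choices on the Zone Transfers tab (the default “To any server”, “Only to servers listed on the Name Servers tab”, “Only to the following servers”, and zone transfers switched off entirely) together with the Notify list, and adds an audit that flags the default setting and any Notify target the transfer list would refuse. All addresses are constructed.

```python
"""Zone Transfers tab settings for a standard primary zone, modelled as a
policy object with an audit helper. Added example, not Microsoft's code."""
from ipaddress import ip_address

ANY = "any"                    # "To any server" (the default)
NAME_SERVERS = "name_servers"  # "Only to servers listed on the Name Servers tab"
LISTED = "listed"              # "Only to the following servers"
DISABLED = "disabled"          # "Allow zone transfers" check box cleared


class ZoneTransferPolicy:
    def __init__(self, mode=ANY, servers=(), name_servers=(), notify=()):
        self.mode = mode
        self.servers = {ip_address(s) for s in servers}            # explicit transfer list
        self.name_servers = {ip_address(s) for s in name_servers}  # IPs on the Name Servers tab
        self.notify = [ip_address(s) for s in notify]              # Notify dialog list

    def allows_transfer(self, requester):
        """Would this zone answer a full zone transfer request from `requester`?"""
        req = ip_address(requester)
        if self.mode == ANY:
            return True
        if self.mode == NAME_SERVERS:
            return req in self.name_servers
        if self.mode == LISTED:
            return req in self.servers
        return False   # DISABLED

    def audit(self):
        """Findings a reviewer would raise about this zone's replication settings."""
        findings = []
        if self.mode == ANY:
            findings.append("zone transfers allowed to any server (the default): "
                            "any host that can reach the server can request a full copy of the zone")
        for target in self.notify:
            # A notified secondary that is not allowed to transfer gets a
            # notification it cannot act on; the zone silently stays stale there.
            if not self.allows_transfer(target):
                findings.append(f"notify target {target} is not in the zone transfer list; "
                                "its notification would trigger a transfer request this zone refuses")
        return findings


# Constructed samples: the default configuration and a restricted one for the same zone.
DEFAULT_POLICY = ZoneTransferPolicy(mode=ANY, notify=["10.0.0.2"])
RESTRICTED_POLICY = ZoneTransferPolicy(
    mode=LISTED,
    servers=["10.0.0.2", "10.0.0.3"],
    notify=["10.0.0.2", "10.0.0.4"],   # 10.0.0.4 was added to Notify but not to the transfer list
)

if __name__ == "__main__":
    for label, policy in (("default", DEFAULT_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(label, policy.audit() or ["no findings"])
```

The second finding is the one that is easy to miss in the console: Notify and the transfer list are configured in two different places, and a server that is only in the Notify list will be told about every update but refused when it asks for the zone.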

Manually Creating DNS Resource Records

At one time or another, you’ll probably have to manually create DNS
resource records. Although the Windows 2000 DNS Server service supports
dynamic update of many types of DNS resource records, some types of
computers don’t support dynamic update and some types of resource
records can’t be dynamically created.
You can manually create DNS resource records only in standard primary
zones and in Active Directory-integrated zones. In other words, you can’t
add resource records to secondary zones.

DNS servers support a wide variety of resource record types. Each type of
resource record has a different purpose. Table 7-2 lists and describes the types
of resource records supported by the Windows 2000 DNS Server service.

TABLE 7-2 Windows 2000 DNS Resource Record Types

Record Type   Description

A             Standard host name resource record. Contains host name to IP address mapping.
AAAA          Host name resource record used when IPv6 is used on a network.
AFSDB         Andrew File System Database (AFSDB) resource record. Identifies servers that support this file system and specific server subtypes.
ATMA          Asynchronous Transfer Mode (ATM) address resource record. Used to map DNS names to ATM addresses.
CNAME         Alias resource record. Used to map an additional host name (that is, an alias) to the actual name of the host.
HINFO         Host information resource record. Used to specify information about a host, such as CPU type and operating system type.
ISDN          Integrated Services Digital Network (ISDN) resource record. Used to map DNS names to ISDN telephone numbers.
MB            Mailbox resource record. Used to map an e-mail address to a specific host name.
MG            Mail group resource record. Used to specify a list of mailbox records that are members of a mail group.
MINFO         Mailbox mail list information (MINFO) resource record. Used to specify a mailbox that will receive error messages for another specified mailbox. Also used to specify the mailbox of the Responsible Person (RP) for the specified mailbox.
MR            Mailbox renamed resource record. Used to map an old mailbox name to its new name.
MX            Mail exchanger resource record. Used to map a DNS domain name to the host name of the mail server for that domain.
PTR           Pointer (PTR) resource record. Used to map IP addresses to their associated host names. These records are only used in reverse lookup zones.
RP            Responsible Person (RP) resource record. Used to specify the e-mail address of the Responsible Person (RP) for a DNS domain.
RT            Route through (RT) resource record. Used to specify routing information for specific DNS domain names.
SRV           Service locator (SRV) resource record. Used to map a specific service (or TCP/IP port number) to a list of servers that provide that service.
TXT           Text (TXT) resource record. Used to map a DNS name to a string of descriptive text.
WKS           Well-known service (WKS) resource record. Used to map a host name to the specific list of well-known services that host supports.
X25           X.25 resource record. Used to map a host name to an X.25 address.

Now that you have a good understanding of the different types of DNS
resource records, I’ll show you how to manually create DNS resource records.

STEP BY STEP

MANUALLY CREATING DNS RESOURCE RECORDS

1. Start the DNS administrative tool. (Select Start ➪ Programs ➪ Administrative
Tools ➪ DNS.)
2. In the left pane of the DNS dialog box, click the + next to the name of
the DNS server.
3. In the left pane, click the + next to the Forward Lookup Zones folder or
the Reverse Lookup Zones folder, depending on the type of zone you want
to add a resource record to. In the left pane, highlight the specific zone you want
to add a resource record to. Select one of the following commands, depending
on the type of resource record you want to add:
■ Action ➪ New Host
■ Action ➪ New Alias
■ Action ➪ New Mail Exchanger
■ Action ➪ New Pointer (only available on reverse lookup zones)
■ Action ➪ Other New Records
Probably the most common type of resource record created is a new host record.
If you selected any command other than Action ➪ New Host, follow the directions
presented on-screen to create your new record. Otherwise, continue to Step 4.
4. The New Host dialog box appears, as shown in Figure 7-20. Notice that when you
create a new record you can also create an associated pointer (reverse lookup)
record at the same time.

FIGURE 7-20 Creating a new host resource record

In the Name text box, type the name of the host you want to add a record for.
Then, in the IP address box, type the IP address of the host.
Finally, if you want to create an associated pointer (reverse lookup) record,
select the check box next to “Create associated pointer (PTR) record.”
Click Add Host.
5. A DNS message appears, indicating that the host record was successfully created.
Click OK.
6. Repeat Steps 4 and 5 until you have added all of the new host records you need.
Then, in the New Host dialog box, click Done.
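For the record types most often created by hand (A, AAAA, CNAME, MX, NS, PTR, SRV, and TXT from Table 7-2), the following Python parser validates records written in standard zone-file syntax, which is the text form a standard primary zone is stored in, and derives the PTR record that the “Create associated pointer (PTR) record” check box in the New Host dialog box creates for you. It is an added example, not code from the book or from Windows 2000; the zone origin, the sample lines, and all addresses are constructed.

```python
"""Parse and validate zone-file resource records for the common types in
Table 7-2, and derive the reverse-lookup (PTR) side of a new host record.
Added example; origin, sample lines and addresses are constructed."""
import shlex
from ipaddress import IPv4Address, IPv6Address, ip_network

RECORD_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SRV", "TXT"}


def fqdn(name, origin):
    """Qualify a relative owner or target name against the zone origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_record(line, origin):
    """Return (owner, type, rdata) or raise ValueError for a malformed line.

    Accepts the usual optional fields: [TTL] [IN] before the record type.
    """
    tokens = shlex.split(line.split(";")[0])   # drop comments, honour quotes
    if not tokens:
        raise ValueError("empty line")
    owner = fqdn(tokens.pop(0), origin)
    if tokens and tokens[0].isdigit():          # optional TTL
        tokens.pop(0)
    if tokens and tokens[0].upper() == "IN":    # optional class
        tokens.pop(0)
    if not tokens or tokens[0].upper() not in RECORD_TYPES:
        raise ValueError(f"unsupported or missing record type in: {line!r}")
    rtype, rdata = tokens[0].upper(), tokens[1:]
    try:
        if rtype == "A":
            value = str(IPv4Address(rdata[0]))
        elif rtype == "AAAA":
            value = str(IPv6Address(rdata[0]))
        elif rtype in ("CNAME", "NS", "PTR"):
            value = fqdn(rdata[0], origin)
        elif rtype == "MX":                     # preference target
            value = (int(rdata[0]), fqdn(rdata[1], origin))
        elif rtype == "SRV":                    # priority weight port target
            prio, weight, port = (int(x) for x in rdata[:3])
            if not 0 <= port <= 65535:
                raise ValueError(f"SRV port out of range: {port}")
            value = (prio, weight, port, fqdn(rdata[3], origin))
        else:                                   # TXT: one or more strings
            if not rdata:
                raise ValueError("TXT record needs at least one string")
            value = tuple(rdata)
    except (IndexError, ValueError) as exc:
        raise ValueError(f"bad {rtype} record {line!r}: {exc}") from exc
    return owner, rtype, value


def is_valid(line, origin):
    try:
        parse_record(line, origin)
        return True
    except ValueError:
        return False


def reverse_name(ip):
    """in-addr.arpa owner name for an IPv4 address: 10.0.0.25 -> 25.0.0.10.in-addr.arpa."""
    return IPv4Address(ip).reverse_pointer + "."


def reverse_zone(network):
    """Name of the reverse lookup zone holding a /8, /16 or /24 network."""
    net = ip_network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("octet-aligned reverse zones only: use /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def associated_ptr(owner, ip):
    """The PTR record the New Host dialog box creates alongside an A record."""
    return reverse_name(ip), "PTR", owner


ORIGIN = "example.com."
SAMPLE_ZONE_LINES = [                       # constructed
    "host1        IN  A      10.0.0.25",
    "www          CNAME      host1",
    "@       3600 IN  MX 10  mail.example.com.",
    "_ldap._tcp   IN  SRV    0 100 389 dc1   ; LDAP on the domain controller",
    'host1        TXT "file server" "building 2"',
]


def parse_zone(lines, origin=ORIGIN):
    return [parse_record(line, origin) for line in lines]


if __name__ == "__main__":
    for rec in parse_zone(SAMPLE_ZONE_LINES):
        print(rec)
    print(associated_ptr("host1.example.com.", "10.0.0.25"))
```

Note that the PTR owner is built from the address, not the host name, so a reverse lookup zone must already exist for the right network (`reverse_zone` gives its name) or the associated pointer record has nowhere to go, which is the usual reason the check box silently fails to produce a record.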

Creating DNS Subdomains and Implementing Zone Delegation

Some organizations are so large that administrators find it easier to break
their second-level domain (such as microsoft.com) into multiple DNS
subdomains (such as marketing.microsoft.com, development.
microsoft.com, and so on). There are two possible approaches to
implementing DNS subdomains in this type of situation.
The first way is to create the DNS subdomains within the zone that
contains the second-level domain. This method is called “creating subdomains.”
You can create DNS subdomains within standard primary and Active
Directory-integrated zones.

The second way involves creating new zones and is called “creating
delegated zones.” This process involves two steps: first, you create a new
standard primary or Active Directory-integrated zone to implement each
new subdomain; and second, you configure zone delegation for each of
the newly created zones. The key point to remember about delegation is
that it must be performed on the standard primary or Active Directory-
integrated zone that contains the parent domain of the new DNS
subdomain(s). For example, suppose that I create two new zones to implement
two new subdomains (for example, marketing.microsoft.com and
development.microsoft.com). I then need to configure delegation
for the two new zones on the standard primary or Active Directory-
integrated zone that contains the microsoft.com domain.

TIP
If you create the zones for the new subdomains on the Windows 2000
DNS server that contains the standard primary or Active Directory-
integrated zone for the parent domain, delegation is automatically configured
by Windows 2000, and you can skip that part of the process.

Now I’ll explain how to implement the first approach to implementing
DNS subdomains: creating a new subdomain within a zone.

STEP BY STEP

CREATING A NEW SUBDOMAIN

1. Start the DNS administrative tool. (Select Start ➪ Programs ➪ Administrative
Tools ➪ DNS.)
2. In the left pane of the DNS dialog box, click the + next to the name of the DNS
server that contains the standard primary or Active Directory-integrated zone for
the DNS domain in which you want to create a subdomain.
3. In the left pane, click the + next to the Forward Lookup Zones folder (under
the DNS server that you just expanded). In the left pane, highlight the specific zone
you want to add a subdomain to. Select Action ➪ New Domain.
4. The New Domain dialog box appears. Type in the name of the new subdomain,
for example, subdomain and click OK.
5. When the DNS dialog box reappears, the new subdomain appears in the right pane
as a folder within the zone.

In the next section I’ll explain how to create and delegate a new zone for
a new subdomain. Remember, if you create the zones for the new
subdomains on the Windows 2000 DNS server that contains the standard primary
or Active Directory-integrated zone for the parent domain, delegation is
automatically configured by Windows 2000, and you can skip the steps in
Part 2 of this process.

STEP BY STEP

CREATING THE ZONE

1. Start the DNS administrative tool. (Select Start ➪ Programs ➪ Administrative
Tools ➪ DNS.)
2. In the left pane of the DNS dialog box, click the + next to the name of the DNS
server on which you want to create the new zone.
3. In the left pane, highlight the Forward Lookup Zones folder (under
the DNS server that you just expanded). Select Action ➪ New Zone.
4. The New Zone Wizard begins. Click Next.
5. In the Zone Type screen, select the “Standard primary” or “Active Directory-
integrated” option, depending on your needs and your network configuration.
Click Next.
6. In the Zone Name screen, type the name of the zone. This should be the FQDN of
the new DNS subdomain, such as marketing.microsoft.com. Click Next.
7. In The Zone File screen, accept the default options and click Next.
8. In the Completing the New Zone Wizard screen, click Finish.

DELEGATING THE NEW ZONE

1. Start the DNS administrative tool if it is not already running. (Select Start ➪
Programs ➪ Administrative Tools ➪ DNS.)
2. In the left pane, click the + next to the name of the DNS server that contains the
standard primary or Active Directory-integrated zone that contains the parent
domain of the subdomain you just created.
3. In the left pane, click the + next to the Forward Lookup Zones folder.
In the left pane, highlight the parent domain. Select Action ➪ New Delegation.
4. The New Delegation Wizard begins. Click Next.
5. The Delegated Domain Name screen appears. In the “Delegated domain” text
box, type the name of the subdomain, for example, marketing. Click Next.

6. The Name Servers screen appears. On this screen, specify the names and
associated IP addresses of all DNS servers you plan to configure to maintain a copy
of the zone you created in Part 1. The list you create here is a DNS referral list
that this DNS server will use to refer other DNS servers attempting to resolve
names in the new, delegated zone.

TIP
Listing servers here does not cause a copy of the zone to be
automatically replicated to these DNS servers — you’ll have to configure these
servers as secondary servers (or as Active Directory-integrated servers)
in order for them to receive a copy of the zone.

You must add at least one server name and IP address to this screen in order to
continue. To add a server name and IP address to the list, click Add.
7. The New Resource Record dialog box appears. In the Server name text box,
type the name of the server you want to add. In the IP address box, type the IP
address of the server you want to add. Click Add. Click OK.
8. Repeat Steps 6 and 7 until you are finished adding server names and IP
addresses. Figure 7-21 shows the Name Servers screen after server names
and IP addresses have been added. Click Next.

FIGURE 7-21 Specifying DNS servers for the delegated zone

9. In the Completing the New Delegation Wizard screen, click Finish.
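The following Python functions show what the two parts of this procedure amount to in record terms: which hosted zone must carry the delegation (the one containing the parent domain, as stressed above), the NS records the New Delegation Wizard adds to the parent zone, the glue A records that are required whenever a name server’s own name lies inside the delegated subdomain, and the referral the parent server hands to other servers for names under the child. This is an added example based on standard DNS delegation rules, not the wizard’s code; the hosted zones and server addresses are constructed (microsoft.com is the book’s own example name).

```python
"""Delegation in record terms: parent-zone NS records, glue, and referrals.
Added example following standard DNS delegation rules; names and addresses
are constructed."""


def is_subdomain(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    return name == zone or name.endswith("." + zone)


def parent_zone_for(subdomain, hosted_zones):
    """The hosted zone on which delegation must be configured: the longest
    zone that contains the subdomain's parent. None if it is not hosted here."""
    parent = subdomain.split(".", 1)[1]
    candidates = [z for z in hosted_zones if is_subdomain(parent, z)]
    return max(candidates, key=len) if candidates else None


def delegation_records(parent_zone, subdomain, name_servers):
    """Records added to the parent zone for a delegation.

    name_servers: list of (server FQDN, IP) pairs as entered on the Name
    Servers screen. Every server gets an NS record; a server whose name is
    inside the delegated subdomain also needs a glue A record, because a
    resolver following the NS record could not otherwise learn its address.
    """
    child = f"{subdomain}.{parent_zone}"
    records = []
    for ns_name, ns_ip in name_servers:
        records.append((child, "NS", ns_name))
        if is_subdomain(ns_name, child):
            records.append((ns_name, "A", ns_ip))   # glue
    return records


def referral(parent_records, qname):
    """What the parent server returns for a name under a delegated child:
    the NS set (plus glue) of the most specific delegation covering qname,
    or None when the parent is itself authoritative for qname."""
    delegations = {owner for owner, rtype, _ in parent_records if rtype == "NS"}
    covering = [d for d in delegations if is_subdomain(qname, d)]
    if not covering:
        return None
    zone = max(covering, key=len)
    return [r for r in parent_records
            if (r[0] == zone and r[1] == "NS")
            or (r[1] == "A" and is_subdomain(r[0], zone))]


# Constructed sample: zones hosted on this server and the child's name servers.
HOSTED = ["microsoft.com", "marketing.microsoft.com"]
NAME_SERVERS = [
    ("ns1.marketing.microsoft.com", "10.1.0.5"),   # inside the child: needs glue
    ("ns2.microsoft.com", "10.0.0.5"),             # in the parent: no glue needed
]

if __name__ == "__main__":
    parent = parent_zone_for("marketing.microsoft.com", HOSTED)
    recs = delegation_records(parent, "marketing", NAME_SERVERS)
    for r in recs:
        print(r)
    print(referral(recs, "www.marketing.microsoft.com"))
```

The referral is exactly the “DNS referral list” Step 6 describes: the parent never answers for names in the child, it only points at the listed servers, so a server listed here that has not actually been given a copy of the zone (see the TIP above) will be referred to and then fail the query.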

Configuring Clients to Use a DNS Server

Before client computers can use a DNS server, they must be configured to do
so. Specifically, client computers must be configured with the IP address(es) of
the DNS server(s) they will use.
The following steps explain how to configure a Windows 2000
computer to be a client of a DNS server.

STEP BY STEP

CONFIGURING A WINDOWS 2000 COMPUTER TO USE A DNS SERVER

1. From the desktop, select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click the Network and Dial-up
Connections folder.
3. In the Network and Dial-up Connections folder, right-click Local Area
Connection and select Properties from the menu that appears.

TIP
If you have more than one Local Area Connection, you’ll have to repeat
this process for each one.

4. In the Local Area Connection Properties dialog box, highlight Internet Protocol
(TCP/IP) and click Properties.
5. In the Internet Protocol (TCP/IP) Properties dialog box, ensure that the “Use the
following DNS server addresses” option is selected. Then, in the Preferred DNS
server text box, type the IP address of the DNS server you want this computer to
use. You can also specify, in the “Alternate DNS server” text box, an IP address of
an alternate DNS server that this computer will use if the preferred DNS server is
not available. Click Advanced.
6. In the Advanced TCP/IP Settings dialog box, click the DNS tab.
7. On the DNS tab, type the FQDN of the DNS domain that the computer you’re
configuring belongs to in the “DNS suffix for this connection” text box. Generally
you can accept the remaining default settings on this tab. Click OK.
8. In the Internet Protocol (TCP/IP) Properties dialog box, click OK.
9. In the Local Area Connection Properties dialog box, click OK.
10. Close the Network and Dial-up Connections folder.

Installing DNS for Active Directory

If you’re installing DNS in preparation for installing Active Directory, you
should ensure that the following tasks are performed prior to the Active
Directory installation:
■ The DNS Server service should be installed on a Windows 2000
Server/Advanced Server computer.
■ A forward lookup zone must be created on the DNS server. In
addition, I recommend that you also create a reverse lookup zone
on this server.
■ All zones that will be used by Active Directory should be configured
for dynamic updates.
■ The Windows 2000 Server/Advanced Server computer that
Active Directory will be installed on (this can be either the
DNS server or another computer) must be configured to be
a client of the DNS server.
For details on how to perform any of these tasks, see the earlier sections
in this chapter.

Testing, Monitoring, and Troubleshooting DNS

Once your DNS server(s) and clients are up and running, you may want to
do some periodic testing and monitoring to make sure that all components
are functioning properly. You may also need to troubleshoot DNS operations
and events from time to time. In this section, I’ll explore some tools you can
use to perform these tasks.

Using the Monitoring Tab to Test and Monitor DNS

You can use the Monitoring tab in your DNS server’s Properties dialog box
to test and monitor your DNS server. You can also use this tab to verify your
DNS installation.
To access the Monitoring tab, select Start ➪ Programs ➪ Administrative
Tools ➪ DNS. Then, in the DNS dialog box, highlight the name of the DNS
server you want to test or monitor. Then select Action ➪ Properties. Finally,
in the DNS server’s Properties dialog box, click the Monitoring tab.

The Monitoring tab appears, as shown in Figure 7-22. Notice the types
of testing that you can configure on this tab. Also notice that monitoring is
not configured, by default.

FIGURE 7-22 The Monitoring tab

There are two types of tests that you can configure on the Monitoring
tab: a simple query, and a recursive query. A simple query is a query that this
DNS server can resolve without contacting any other DNS servers. In
other words, it’s a query for a resource record in one of the zones that this
DNS server contains. If you select the check box next to “A simple query
against this DNS server” and then click Test Now, you’ll be instructing
your DNS server to immediately test itself to see if it can resolve a standard
client DNS query.
The results of this test are displayed in the Test results box at the bottom
of the Monitoring tab. If a PASS result is displayed, this indicates that the
DNS Server service was successfully installed on the computer, and that
this DNS server can resolve queries. Instead of clicking Test Now, you can
configure the DNS server to automatically perform the simple query test
at the intervals you specify. This type of testing can be useful for
monitoring your DNS server.

A recursive query is a query that this DNS server can’t resolve by itself — it
must contact one or more additional DNS servers to resolve the query. If
you select the check box next to “A recursive query to other DNS servers”
and then click Test Now, you’ll be instructing your DNS server to
immediately query another DNS server in an attempt to resolve the query. The
results of this test are displayed in the Test results box at the bottom of the
Monitoring tab. Or, instead of clicking Test Now, you can configure the
DNS server to automatically perform this test at the intervals you specify.
This type of testing can also be useful for monitoring your DNS server.

Troubleshooting DNS
There are several tools you can use when you need to troubleshoot a DNS
problem, including the Monitoring tab, Nslookup.exe, the DNS Server
log in Event Viewer, Windows 2000 Help, and the Logging tab. I’ll discuss
each of these resources in the sections that follow.

Using the Monitoring Tab You can use the Monitoring tab in a DNS server’s
Properties dialog box to determine whether the DNS server can resolve a
query, as explained in the previous section.

Using Nslookup.exe You can use the Nslookup.exe command-line utility
to test whether a DNS server can resolve various types of queries. This is
probably the most common tool for troubleshooting DNS.

STEP BY STEP

USING NSLOOKUP.EXE

1. From the desktop, select Start ➪ Programs ➪ Accessories ➪ Command Prompt.
2. Maximize the Command Prompt dialog box when it appears.
3. At the command prompt, type nslookup and press Enter.
4. Nslookup.exe displays the name and IP address of the default DNS server
for this computer. (If you run Nslookup.exe on a DNS server, it will probably
display its own name and IP address.)
5. To use Nslookup.exe to test name resolution on your DNS server, type the
FQDN of a host in a zone on your DNS server, for example, host_name.your_
domain.com, and press Enter.

6. If the DNS server is functioning correctly, Nslookup.exe should display the
name and IP address of the DNS server resolving the query (this may be itself)
and the name and IP address of the specified host.
If Nslookup.exe displays a message that it can’t find a specified FQDN or
that a nonexistent domain was specified, retry your query, carefully checking your
typing, and making sure that you are attempting to resolve a host that is located
on this server.
7. To obtain detailed information on the syntax for using Nslookup.exe to perform
specific queries, type help at the prompt and press Enter. Figure 7-23 shows the
results of running the help command in Nslookup.exe.

FIGURE 7-23 Nslookup.exe help

8. When you’re finished using Nslookup.exe, type exit and press Enter to close
Nslookup.exe. Then type exit and press Enter to close the Command Prompt.
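Behind both Nslookup.exe and the Monitoring tab’s simple query is an ordinary DNS message exchange, and seeing the bytes makes the “nonexistent domain” message in Step 6 less mysterious. The following Python code is an added example, not part of the book or of Nslookup.exe: it builds an A query in the RFC 1035 wire format, decodes a constructed reply (including the name-compression pointer real servers use), maps the reply’s RCODE to the names nslookup prints (NXDOMAIN is the non-existent-domain case), and discards a reply whose transaction ID does not match the query. The host name and address in the sample reply are constructed.

```python
"""What Nslookup.exe puts on the wire: build a DNS A query and decode the
reply (RFC 1035 message format). Added example; the reply is constructed."""
import random
import struct

QTYPE_A = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Uncompressed wire form: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=None):
    """12-byte header (RD=1, one question) followed by the question section."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:          # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    rcode = flags & 0xF
    return {"id": txid, "rcode": RCODES.get(rcode, str(rcode)), "answers": answers}


def check_reply(query, reply):
    """Parse a reply only if its transaction ID matches the query's.

    A mismatched ID is a stray or forged packet; a resolver must ignore it
    rather than cache whatever it carries.
    """
    if reply[:2] != query[:2]:
        return None
    return parse_response(reply)


def sample_reply(txid, rcode=0):
    """Constructed reply to an A query for host1.example.com. On success it
    carries one answer whose owner name is a pointer (0xC00C) back to the
    question name at offset 12, as real servers send it."""
    flags = 0x8180 | rcode                   # QR=1, RD=1, RA=1, then RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, 0 if rcode else 1, 0, 0)
    msg = header + encode_name("host1.example.com") + struct.pack("!HH", QTYPE_A, 1)
    if rcode == 0:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 3600, 4) + bytes([10, 0, 0, 25])
    return msg


if __name__ == "__main__":
    q = build_query("host1.example.com", txid=0x1234)
    print(check_reply(q, sample_reply(0x1234)))           # NOERROR with one A answer
    print(check_reply(q, sample_reply(0x1234, rcode=3)))  # NXDOMAIN, no answers
    print(check_reply(q, sample_reply(0x9999)))           # None: ID mismatch, discarded
```

The three runs at the bottom correspond to the outcomes Step 6 describes: a PASS-style answer, the nonexistent-domain message, and a reply that a correct resolver never shows you at all because its ID did not match.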

Using the DNS Server Log Another DNS troubleshooting tool is the DNS
Server log in Event Viewer.You can use this tool to view event detail about
DNS Server service events. Sometimes the detailed information displayed
can be useful for troubleshooting DNS problems.

STEP BY STEP

USING THE DNS SERVER LOG IN EVENT VIEWER

1. From the desktop, select Start ➪ Programs ➪ Administrative Tools ➪ Event Viewer.
2. In the left pane of the Event Viewer dialog box, highlight the DNS Server log.
The DNS Server log is displayed in the right pane, as shown in Figure 7-24.

FIGURE 7-24 The DNS Server log

To view the detail on a specific DNS event, double-click that event in the right pane.
3. The Event Properties dialog box is displayed, as shown in Figure 7-25. Notice the
detailed description of the DNS event and possible solutions listed.

FIGURE 7-25 Viewing DNS event detail

Also notice the up arrow and down arrow in this dialog box. You can use these
buttons to view event detail for other events in the list. When you’re finished
viewing event details, click OK.
4. Close Event Viewer.

Using Windows 2000 Help
You can also use Windows 2000 Help to obtain a wealth of information on
common DNS problems. Windows 2000 Help is a good troubleshooting
resource because it contains detailed descriptions of many specific DNS
problems and recommended solutions to these problems.

STEP BY STEP

USING WINDOWS 2000 HELP TO LOCATE DNS TROUBLESHOOTING INFORMATION

1. From the desktop, select Start ➪ Help.
2. Click the Contents tab if it does not appear on top.

3. On the Contents tab, double-click Networking.
4. In the list that appears under Networking, double-click DNS.
5. In the list that appears under DNS, double-click Troubleshooting. Figure 7-26
shows the DNS Troubleshooting section in Windows 2000 Help. Notice the
various DNS troubleshooting topics listed.

FIGURE 7-26 DNS troubleshooting topics

To access any of the topics listed, click the topic in the right pane.
6. When you are finished using Windows 2000 Help, close the Windows 2000
dialog box.

Using the Logging Tab
Finally, you can use the Logging tab in a DNS server’s Properties dialog box
to create detailed logs of DNS activity. These logs can be particularly
helpful when troubleshooting DNS. By default, logging is not enabled on a
Windows 2000 DNS server.
To access the Logging tab, select Start ➪ Programs ➪ Administrative Tools
➪ DNS. Then, in the DNS dialog box, highlight the name of the DNS server
for which you want to configure logging. Then select Action ➪ Properties.
Finally, in the DNS server’s Properties dialog box, click the Logging tab.

The Logging tab appears, as shown in Figure 7-27. Notice the various
logging options, and that none of these options are selected by default.

FIGURE 7-27 Enabling logging

Also notice, in Figure 7-27, the location of the log file. The DNS log file
is stored as %SystemRoot%\system32\dns\dns.log. (Remember that
SystemRoot represents the folder that Windows 2000 is installed in.)
Each of the logging options on the Logging tab represents a specific type
of DNS event. For example, selecting the check box next to Query causes
each query received to be logged. Likewise, selecting the check box next to
Update causes each resource record update request received to be logged.
To enable logging, select the check box(es) next to the events you want
logged, and click OK. To view the log file after logging has been enabled,
use Notepad to open the %SystemRoot%\system32\dns\dns.log file.

Installing Active Directory

Now that you have a good understanding of DNS, you’re ready to move
on to installing Active Directory. You can run Windows 2000 without ever
installing Active Directory, but if you do so, you’ll miss out on most of the
benefits of using Windows 2000.

Active Directory can be installed on any Windows 2000 Server or
Advanced Server computer. Like DNS, Active Directory is not supported on
Windows 2000 Professional computers.
There are a couple of prerequisites that must be met prior to installing
Active Directory:
■ At least one volume on the Windows 2000 Server/Advanced Server
computer must be formatted with NTFS.
■ Because Active Directory requires DNS, you either need to have
a DNS server installed on your network prior to installing Active
Directory, or you can choose to install DNS at the same time that
you perform the Active Directory installation. (If you install DNS
before installing Active Directory, see the “Installing DNS for Active
Directory” section earlier in this chapter for specific requirements.)
Another fact to consider when preparing to install Active Directory is
that any computer that you install Active Directory on will become a
domain controller. Because domain controllers provide extensive network
services, you’ll probably want to make sure this computer is reliable and
powerful enough to handle the extra load. You should also consider the
services and functions currently being performed by this computer. For
example, if a computer is already a SQL server, an Exchange server, or a
heavily used Web server, you may decide not to increase the burden on this
computer by installing Active Directory.
Finally, before you charge right off and install Active Directory, ensure that
you’ve taken the time to learn how Active Directory is implemented,
planned your domain design (including domain structure, organizational
unit structure, and the upgrade of previous domains), decided on the naming
conventions you will use, and determined how client computers will fit into
your overall Windows 2000 Active Directory implementation plan.

CROSS-REFERENCE
See Chapter 2 for detailed information on how Active Directory is
implemented and for practical tips on planning for Active Directory on
your network.

Windows 2000 includes a wizard that helps you install Active Directory,
called the Active Directory Installation Wizard. There are two ways to start
this wizard:
■ From the desktop, select Start ➪ Run. In the Run dialog box, type
dcpromo and click OK.
■ From the desktop, select Start ➪ Programs ➪ Administrative Tools ➪
Configure Your Server.Then, in the Windows 2000 Configure Your
Server dialog box, click the Active Directory link. On the Active
Directory page, scroll down and click Start the Active Directory
wizard.
In the next several sections, I’ll show you how to install Active
Directory. Because the installation steps vary depending on the computer’s
role in Active Directory and your network configuration, I’ll try to cover
the most common installation scenarios you’ll encounter.

Installing Active Directory for the First Time

This section explains how to install Active Directory for the first time on
your network.
When Active Directory is installed for the first time, the following
events take place:
■ The computer on which Active Directory is installed becomes a
domain controller for a new Windows 2000 domain.
■ The Active Directory Installation Wizard creates the new
Windows 2000 domain, using the domain name you specify
in the process.
■ The Active Directory Installation Wizard creates a new domain tree
and forest.
In the steps that follow I’ll show you how to perform your first Active
Directory installation.

CAUTION
The Active Directory Installation Wizard requires you to restart your
computer at the end of the installation process. Because of this, consider
performing this task at a time when service to clients won’t be
interrupted by a shutdown and restart.

STEP BY STEP

INSTALLING ACTIVE DIRECTORY

1. Start the Active Directory Installation Wizard. (Select Start ➪ Run. In the Run
dialog box, type dcpromo and click OK.)
2. The Active Directory Installation Wizard starts. Click Next.
3. The Domain Controller Type screen appears. Accept the default option of “Domain
controller for a new domain” and click Next.
4. The Create Tree or Child Domain screen appears. Accept the default option of
“Create a new domain tree” and click Next.
5. The Create or Join Forest screen appears. Accept the default option of “Create a
new forest of domain trees” and click Next.
6. The New Domain Name screen appears. In the “Full DNS name for new domain”
text box, type the FQDN of the new domain. Figure 7-28 shows this screen after
the name of the new domain has been entered. Click Next.

FIGURE 7-28 Specifying a domain name

7. The NetBIOS Domain Name screen appears. Accept the default name displayed,
and click Next.
8. The Database and Log Locations screen appears. In this screen, you specify the
location where the Active Directory database and log will be stored. Microsoft
recommends that, for best recoverability, you store the database and log on separate
physical hard disks. However, the default locations are on the same hard disk. Either
accept the default locations or type in the locations you want to use and click Next.

9. The Shared System Volume screen appears. On this screen you specify the location
of the folder that will be shared as the system volume. This folder must be located
on a Windows 2000 NTFS volume. Either accept the default location or type in
the location you want to use and click Next.
10. If you have not previously configured a DNS server on your network, or if this
computer is not correctly configured to use a DNS server, the Active Directory
Installation Wizard may display a message indicating that it can’t contact the
DNS server. If this message is displayed, click OK.
11. If you don’t have a DNS server on your network, or if your DNS server does not
support dynamic updates, the Configure DNS screen appears, as shown in
Figure 7-29.

FIGURE 7-29 Configuring DNS options

If you haven’t yet installed a DNS server on your network, accept the default
option of “Yes, install and configure DNS on this computer.”
If you have a DNS server but it doesn’t support dynamic updates, select the “No,
I will install and configure DNS myself” option.
Click Next.
12. The Permissions screen appears.
If your network includes Windows NT 4.0 Server computers as well as Windows
2000 Server computers, accept the default option of “Permissions compatible
with pre-Windows 2000 Servers.”

If the servers on your network all run Windows 2000, select the “Permissions
compatible only with Windows 2000 servers” option.
Click Next.
13. The Directory Services Restore Mode Administrator Password screen appears.
In this screen, type in and confirm an Administrator password that will be used if
Active Directory ever needs to be restored on this computer from a backup. I
recommend that you write down this password and store it in a safe place. Click Next.
14. The Summary screen appears, summarizing the choices you selected while using
this wizard. If you are satisfied with the configurations, click Next. (Otherwise, you
can click Back to change the options you selected.)
15. The wizard installs and configures Active Directory. This process may take several
minutes to complete.
16. The Completing the Active Directory Installation Wizard screen appears. Click Finish.
17. When the Active Directory Wizard dialog box appears, click Restart Now to
restart your computer and complete the Active Directory installation.

If you selected the “No, I will install and configure DNS myself” option
in Step 11 because your DNS server doesn’t support dynamic updates, you
will need to manually add Active Directory resource records to the zone
file on your DNS server.
To do this, first copy the SystemRoot\System32\Config\Netlogon.dns
file from the server on which you installed Active Directory to your
DNS server. Then, on the DNS server, use your favorite text editor to copy
the contents of this file and then paste these contents onto the end of the zone
file of the DNS domain with the same name as the Windows 2000 domain
you created during the Active Directory installation process.
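The copy-and-paste step above is easy to get wrong when it is repeated (duplicate records) or when Netlogon.dns is taken from the wrong server (records for another domain). The following Python script is an added example, not from the book or from Windows 2000, that merges Netlogon.dns-style records into a zone file, skipping records that are already present and refusing owner names outside the zone; the domain example.test, the domain controller dc1 and every record in it are constructed samples.

```python
"""Merge Netlogon.dns locator records into a zone file; added example with constructed samples."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed Netlogon.dns for domain controller dc1 in example.test. The last
# line is a deliberately stray record for another domain (as happens when the
# file is copied from the wrong server); the merge must refuse it.
NETLOGON_DNS = """\
example.test. 600 IN A 192.0.2.10
_ldap._tcp.example.test. 600 IN SRV 0 100 389 dc1.example.test.
_kerberos._tcp.example.test. 600 IN SRV 0 100 88 dc1.example.test.
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc1.example.test.
_ldap._tcp.pdc._msdcs.example.test. 600 IN SRV 0 100 389 dc1.example.test.
gc._msdcs.example.test. 600 IN A 192.0.2.10
_ldap._tcp.other.test. 600 IN SRV 0 100 389 dc1.example.test.
"""

# Constructed zone file for example.test; one locator record already exists.
ZONE_FILE = """\
$ORIGIN example.test.
$TTL 3600
@ IN SOA ns1.example.test. hostmaster.example.test. 2000042401 3600 600 86400 3600
@ IN NS ns1.example.test.
ns1 IN A 192.0.2.1
dc1 IN A 192.0.2.10
_ldap._tcp.example.test. 600 IN SRV 0 100 389 dc1.example.test.
"""


@dataclass(frozen=True)
class Record:
    name: str   # absolute owner name, lowercase, with trailing dot
    rtype: str  # record type such as A or SRV
    rdata: str  # record data, single-spaced, lowercase
    ttl: str = field(default="", compare=False)  # kept for output only


def _absolute(name: str, origin: str) -> str:
    """Expand '@' and relative owner names against the current $ORIGIN."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, default_origin: str) -> List[Record]:
    """Parse a one-record-per-line zone file into canonical records.
    Handles $ORIGIN/$TTL, '@', relative names, optional TTL and IN class; not
    parenthesised multi-line records or blank owner names (samples avoid both)."""
    origin = default_origin.lower().rstrip(".") + "."
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1].lower().rstrip(".") + "."
            continue
        if tokens[0].startswith("$"):
            continue  # $TTL and other directives carry no record
        name, rest, ttl = _absolute(tokens[0], origin), tokens[1:], ""
        if rest and rest[0].isdigit():
            ttl, rest = rest[0], rest[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"malformed record: {raw!r}")
        records.append(Record(name, rest[0].upper(), " ".join(rest[1:]).lower(), ttl))
    return records


def merge_netlogon_records(zone_text: str, netlogon_text: str,
                           zone_name: str) -> Tuple[str, List[Record], List[Record]]:
    """Append the Netlogon.dns records the zone lacks; return (new text, added,
    rejected). Records whose owner lies outside the zone are rejected, since
    the server would never answer for them from this zone."""
    apex = zone_name.lower().rstrip(".") + "."
    present: Set[Record] = set(parse_zone(zone_text, zone_name))
    added: List[Record] = []
    rejected: List[Record] = []
    for rec in parse_zone(netlogon_text, zone_name):
        if rec.name != apex and not rec.name.endswith("." + apex):
            rejected.append(rec)
        elif rec not in present:
            present.add(rec)
            added.append(rec)
    if not added:
        return zone_text, added, rejected
    # Absolute names keep the result independent of the $ORIGIN in effect
    # at the end of the existing file.
    lines = [zone_text.rstrip("\n"),
             "; Active Directory locator records merged from Netlogon.dns"]
    lines += [f"{r.name} {r.ttl or 600} IN {r.rtype} {r.rdata}" for r in added]
    return "\n".join(lines) + "\n", added, rejected


if __name__ == "__main__":
    new_zone, added, rejected = merge_netlogon_records(ZONE_FILE, NETLOGON_DNS, "example.test")
    print(f"added {len(added)} record(s), rejected {len(rejected)}\n{new_zone}")
```

Running the merge a second time on its own output adds nothing, which is the property the manual paste lacks.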

TIP
I recommend that you reboot your DNS server and your new Windows
2000 domain controller after you complete this process to ensure that the
changes to the DNS server are correctly recognized by the Windows 2000
domain controller.

Installing Active Directory on Additional Servers in a Domain

For load balancing and fault tolerance purposes, it’s often a good idea to install
Active Directory on more than one server in a Windows 2000 domain. When
you install Active Directory on an additional server in a Windows 2000
domain, you create an additional domain controller for that domain.
In the steps that follow, I’ll explain how to install Active Directory on an
additional server in a domain.

TIP
In these steps, I assume that you have previously configured the additional
server as a client of a DNS server that supports dynamic updates.

STEP BY STEP

INSTALLING ACTIVE DIRECTORY ON AN ADDITIONAL SERVER

1. Start the Active Directory Installation Wizard. (Select Start ➪ Run. In the Run dialog
box, type dcpromo and click OK.)
2. The Active Directory Installation Wizard starts. Click Next.
3. The Domain Controller Type screen appears, as shown in Figure 7-30. Notice the
warnings displayed in the bottom of this dialog box.

FIGURE 7-30 Selecting the type of domain controller

Select the option next to “Additional domain controller for an existing domain” and
click Next.
4. The Network Credentials screen appears. Type in the user name, password, and
domain name of the Administrator account for the domain. Figure 7-31 shows the
Network Credentials screen after this information has been entered. Click Next.

FIGURE 7-31 Specifying network credentials

5. The Additional Domain Controller screen appears. Type in the FQDN of the
Windows 2000 domain to which this domain controller will belong. You can
browse for the domain name if you don’t know it. Click Next.
6. The Database and Log Locations screen appears. In this screen, you specify the
location where the Active Directory database and log will be stored. Microsoft
recommends that, for best recoverability, you store the database and log on separate
physical hard disks. However, the default locations are on the same hard disk. Either
accept the default locations or type in the locations you want to use and click Next.
7. The Shared System Volume screen appears. On this screen you specify the location
of the folder that will be shared as the system volume. This folder must be located
on a Windows 2000 NTFS volume. Either accept the default location or type in
the location you want to use and click Next.
8. The Directory Services Restore Mode Administrator Password screen appears. In
this screen, type in and confirm an Administrator password that will be used if Active
Directory ever needs to be restored on this computer from a backup. Click Next.

9. The Summary screen appears, summarizing the choices you selected while using
this wizard. If you are satisfied with the configurations, click Next. (Otherwise, you
can click Back to change the options you selected.)
10. The wizard installs and configures Active Directory. This process may take several
minutes to complete.
11. The Completing the Active Directory Installation Wizard screen appears. Click Finish.
12. When the Active Directory Wizard dialog box appears, click Restart Now to
restart your computer and complete the Active Directory installation.

Creating a New Child Domain

Sometimes organizations choose to further subdivide their Windows 2000
domains into one or more subdomains. These subdomains are often called
child domains.
For example, suppose that a company’s Windows 2000 domain name is
idgbooks.com. The company might decide to create two child domains,
named editorial.idgbooks.com and production.idgbooks.com.
To create these new child domains, you must install Active Directory on
the first domain controller in each new child domain.
In the steps that follow, I’ll show you how to install Active Directory on
a Windows 2000 Server computer and thereby cause that computer to
become the first domain controller in a new child domain. In these steps, I
assume that you have previously configured this computer as a client of a
DNS server that supports dynamic updates.

STEP BY STEP

CREATING A NEW DOMAIN CONTROLLER IN A NEW CHILD DOMAIN

1. Start the Active Directory Installation Wizard. (Select Start ➪ Run. In the Run dialog
box, type dcpromo and click OK.)
2. The Active Directory Installation Wizard starts. Click Next.
3. The Domain Controller Type screen appears. Accept the default option of
“Domain controller for a new domain” and click Next.
4. The Create Tree or Child Domain screen appears. Select the option “Create a
new child domain in an existing domain tree” and click Next.

5. The Network Credentials screen appears. Type in the user name, password, and
domain name of the Administrator account for the parent domain of the new child
domain you are creating. Click Next.
6. The Child Domain Installation screen appears. In the “Parent domain” text box,
type the name of the parent domain — in other words, the name of the domain in
which you are creating a new child domain. In the “Child domain” text box, type
the name of the new child domain. Figure 7-32 shows this screen after it has
been configured. Click Next.

FIGURE 7-32 Naming the child domain

7. The NetBIOS Domain Name screen appears. Accept the default name displayed,
and click Next.
8. The Database and Log Locations screen appears. In this screen, you specify the
location where the Active Directory database and log will be stored. Either accept
the default locations or type in the locations you want to use and click Next.
9. The Shared System Volume screen appears. On this screen you specify the location
of the folder that will be shared as the system volume. This folder must be located
on a Windows 2000 NTFS volume. Either accept the default location or type in the
location you want to use, and then click Next.
10. The Permissions screen appears.
If your network includes Windows NT 4.0 Server computers as well as Windows
2000 Server computers, accept the default option of “Permissions compatible
with pre-Windows 2000 Servers.”

If the servers on your network all run Windows 2000, select the “Permissions
compatible only with Windows 2000 servers” option.
Click Next.
11. The Directory Services Restore Mode Administrator Password screen appears. In
this screen, type in and confirm an Administrator password that will be used if Active
Directory ever needs to be restored on this computer from a backup. Click Next.
12. The Summary screen appears, summarizing the choices you selected while using
this wizard. If you are satisfied with the configurations, click Next.
13. The wizard installs and configures Active Directory. This process may take several
minutes to complete.
14. The Completing the Active Directory Installation Wizard screen appears. Click Finish.
15. When the Active Directory Wizard dialog box appears, click Restart Now to
restart your computer and complete the Active Directory installation.

Creating a New Tree in the Forest

There may come a time when you need to create a new tree in your Active
Directory forest. Although it’s not all that common, sometimes the situation
warrants this treatment. For example, suppose your organization has
recently acquired another company. You want to place the acquired company’s
computers in a separate domain and tree, but want to keep them in
the same forest so that trust relationships are easier for you to manage.
The following steps explain how to install Active Directory on a
Windows 2000 Server computer and thereby cause that computer to
become the first domain controller in a new domain tree in the forest. In
these steps, I assume that you have previously configured this computer as
a client of a DNS server that supports dynamic updates. In addition, I
assume that you have created a new zone on the DNS server for the new
domain tree, and that you have configured this zone for dynamic updates.

STEP BY STEP

CREATING A NEW DOMAIN CONTROLLER IN A NEW DOMAIN TREE

1. Start the Active Directory Installation Wizard. (Select Start ➪ Run. In the Run dialog
box, type dcpromo and click OK.)
2. The Active Directory Installation Wizard starts. Click Next.
3. The Domain Controller Type screen appears. Accept the default option
of “Domain controller for a new domain” and click Next.
4. The Create Tree or Child Domain screen appears. Accept the default option
of “Create a new domain tree” and click Next.
5. The Create or Join Forest screen appears. Select the “Place this new domain tree
in an existing forest” option. Figure 7-33 shows the Create or Join Forest screen
after it has been configured. Click Next.

FIGURE 7-33 Creating a new tree

6. The New Domain Tree screen appears. In the text box, type the FQDN of the new
domain tree. (This is the name of the new domain you’re creating.) Click Next.
7. The NetBIOS Domain Name screen appears. Accept the default name displayed,
and click Next.
8. The Database and Log Locations screen appears. In this screen, you specify the
location where the Active Directory database and log will be stored. Either accept
the default locations or type in the locations you want to use and click Next.
9. The Shared System Volume screen appears. On this screen you specify the location
of the folder that will be shared as the system volume. This folder must be located
on a Windows 2000 NTFS volume. Either accept the default location or type in
the location you want to use and click Next.
10. The Permissions screen appears.
If your network includes Windows NT 4.0 Server computers as well as Windows
2000 Server computers, accept the default option of “Permissions compatible
with pre-Windows 2000 Servers.”
If the servers on your network all run Windows 2000, select the “Permissions
compatible only with Windows 2000 servers” option.
Click Next.
11. The Directory Services Restore Mode Administrator Password screen appears. In
this screen, type in and confirm an Administrator password that will be used if Active
Directory ever needs to be restored on this computer from a backup. Click Next.
12. The Summary screen appears, summarizing the choices you selected while using
this wizard. If you are satisfied with the configurations, click Next.
13. The wizard installs and configures Active Directory. This process may take several
minutes to complete.
14. The Completing the Active Directory Installation Wizard screen appears. Click Finish.
15. When the Active Directory Wizard dialog box appears, click Restart Now to
restart your computer and complete the Active Directory installation.

Creating a New Forest

Creating a new forest is something most network administrators will never
do. In the first place, most companies aren’t large enough to even think
about using multiple forests. And even large companies typically use only a
single forest to manage their Windows 2000 network resources.
However, consider the situation where your company is composed of
two distinct divisions. Because the divisions manufacture and market unrelated
products, the divisions have been run as separate entities since the
inception of the company. Each division maintains its own information
services staff, and company management has no plans to integrate the networks
or management of the two divisions. In addition, management is
considering selling one of the divisions in the not-too-distant future. This
is the type of situation in which it might make sense to use multiple forests.
The process of creating a new forest is the same as installing Active
Directory for the first time on your network. The only difference is that when
you create a new forest, you’re installing Active Directory on a computer that
will become the first domain controller in the new forest (instead of the first
domain controller on your network). For details on how to perform this task,
see the section titled “Installing Active Directory for the First Time” earlier in
this chapter.

Removing Active Directory

There may come a time when you need to remove Active Directory from a
computer. For example, you might want to move a domain controller from
one domain to another domain. In this situation, you’d need to remove Active
Directory from the domain controller, move the server to the new domain,
and then reinstall Active Directory if you want that server to function as a
domain controller in its new domain.
Removing Active Directory from a domain controller changes that
computer into a member server.
The steps that follow explain how to remove Active Directory from a
Windows 2000 Server or Advanced Server computer.

STEP BY STEP

REMOVING ACTIVE DIRECTORY

1. From the desktop, select Start ➪ Run.
2. In the Run dialog box, type dcpromo and click OK.
3. The Active Directory Installation Wizard starts. Click Next.
4. The Remove Active Directory screen appears. Select the check box on this
screen if this server is the only domain controller in the domain. Otherwise,
leave the check box cleared. Click Next.
5. The Administrator Password screen appears. Type in and confirm the password
that you want to assign to the Administrator account for this server. Click Next.
6. The Summary screen appears. Click Next.
7. The wizard removes Active Directory.
8. The Completing the Active Directory Installation Wizard screen appears. Click Finish.
9. When the Active Directory Wizard dialog box appears, click Restart Now to
restart your computer and complete the removal of Active Directory.

Verifying and Troubleshooting an Active Directory Installation

After you install Active Directory, you should verify that the installation
was successful. There are two parts to the verification process:
1. On the computer that you installed Active Directory, use Active
Directory Users and Computers to verify that the new Active
Directory domain has been created, and that the computer
on which you installed Active Directory is listed as a domain
controller for that domain.
2. On your DNS server, use the DNS administrative tool to verify that
the Active Directory DNS entries for the new domain are listed in
the zone.
I’ll show you how to perform these two tasks in the following steps.

STEP BY STEP

VERIFYING AND TROUBLESHOOTING YOUR ACTIVE DIRECTORY INSTALLATION

1. From the desktop of the computer on which you installed Active Directory, select
Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain you’ve just created.

TIP
If the Active Directory domain you created isn’t listed in this dialog box,
your Active Directory installation was not successful. You’ll probably have
to reinstall Active Directory.

3. In the left pane, highlight the Domain Controllers folder. In the right
pane, the name of your computer should be displayed. (This is the computer
on which you installed Active Directory.) Figure 7-34 shows an Active Directory
domain (domain1.mcse) and a domain controller (INSPIRON) displayed
after a successful Active Directory installation.
If your Active Directory domain and/or domain controller aren’t displayed, your
Active Directory installation was not successful. You’ll probably have to reinstall
Active Directory. Close the Active Directory Users and Computers dialog box.

FIGURE 7-34 Verifying Active Directory installation

If your Active Directory domain and domain controller are displayed, close Active
Directory Users and Computers and proceed to Step 4.
4. From the desktop of your DNS server, select Start ➪ Programs ➪ Administrative
Tools ➪ DNS.
5. In the left pane of the DNS dialog box, click the + next to the name of your DNS
server. Then click the + next to the Forward Lookup Zones folder. Then
highlight the folder that has the same name as the Active Directory domain you
just created.
In the right pane of the DNS dialog box, four folders should be displayed, as
shown in Figure 7-35. Notice the four folders: _msdcs, _sites, _tcp, _udp.
(If you just installed Active Directory, you may need to wait several minutes for all
of these folders to be displayed. Click Action ➪ Refresh to update your display.)
If these four folders are present, Active Directory is correctly installed and registered
with your DNS server. Close DNS.
If these folders are not present, Active Directory has not correctly registered itself
with the DNS server. In this situation, you probably don’t have to reinstall Active
Directory, but you do need to register Active Directory with the DNS server, as
explained in the next section.

FIGURE 7-35 Verifying the existence of Active Directory DNS entries

If your Active Directory domain and domain controller are displayed in
Active Directory Users and Computers, but for some reason Active
Directory has not correctly registered itself with your DNS server, there
are two ways you can remedy the situation:
■ If the zone that contains your Active Directory domain supports
dynamic updates, on the DNS server, ensure that the zone is configured
to permit dynamic updates. Then, on the domain controller,
stop and restart the Net Logon service. This should force Active
Directory to register itself with the DNS server.

TIP
To stop and restart the Net Logon service, use the Services administrative
tool. For information on using this tool, see Chapter 15. Or, at a command
prompt, you can type net stop netlogon (and press Enter), and then type
net start netlogon (and press Enter) to stop and restart this service.

■ If the zone that contains your Active Directory domain doesn’t support
dynamic updates, you’ll need to manually add Active Directory
resource records to the zone file on your DNS server. (I explained
how to do this at the end of the section titled “Installing Active
Directory for the First Time” earlier in this chapter.)
If the solutions recommended above don’t resolve your Active Directory
installation problem, or if you encounter other problems with Active
Directory, I recommend that you consult Windows 2000 Help for troubleshooting
assistance. Windows 2000 Help contains detailed descriptions
of many specific Active Directory problems and recommended solutions to
these problems.

STEP BY STEP

USING WINDOWS 2000 HELP TO LOCATE ACTIVE DIRECTORY TROUBLESHOOTING INFORMATION

1. From the desktop, select Start ➪ Help.
2. Click the Contents tab if it does not appear on top.
3. On the Contents tab, double-click Active Directory.
4. In the list that appears under Active Directory, click Troubleshooting.
Several common Active Directory problems are displayed in the right pane,
as shown in Figure 7-36.

FIGURE 7-36 Using Help to troubleshoot Active Directory problems


488 Part II ▼ Installation and Configuration

To view more information and possible solutions for any of the problems listed,
click the problem.
5. When you are finished using Windows 2000 Help, close the Windows 2000
dialog box.

KEY POINT SUMMARY

This chapter introduced several DNS and Active Directory topics:


■ DNS stands for the Domain Name System. The primary purpose of DNS
is to provide host name resolution.
■ Active Directory is dependent on DNS.
■ DNS is implemented as a hierarchical structure often called the DNS domain
namespace. The trees and subtrees that make up the DNS domain namespace
are called DNS domains.
■ A zone is an administrator-created storage database for either a DNS domain or
for a DNS domain and one or more of its subdomains. This storage database is
often implemented as a special text file, called a zone file.
■ A DNS server can play one (or more) of several different roles, depending on
the type of zone(s) the server contains and how the DNS server is configured.
The types of roles that a DNS server can perform include standard primary,
Active Directory-integrated (primary), standard secondary, master, slave,
caching-only, forwarder, and root server.
■ DNS is implemented in Windows 2000 via the DNS Server service. The DNS
Server service is supported only on Windows 2000 Server and Advanced
Server computers.

■ After you install the DNS Server service, numerous configurations can be
made to a DNS server. You can:
 Configure the DNS server to be or to use a root server and to be a
caching-only server
 Configure the properties of the DNS server
 Create and configure zones, including standard primary zones and standard
secondary zones
 Configure zones for dynamic updates
 Convert a standard primary zone to an Active Directory-integrated zone
 Integrate an Active Directory DNS with a non–Active Directory DNS
 Manage replication of DNS
 Manually create DNS resource records
 Create DNS subdomains and implement zone delegation
■ Before client computers on your network can utilize a DNS server, they must
be configured to do so.
■ Nslookup.exe is a command-line utility that is used to test a DNS server.
■ Active Directory can be installed on Windows 2000 Server and Windows
2000 Advanced Server computers. Two prerequisites must be met prior to
installing Active Directory:
 At least one volume on the Windows 2000 Server/Advanced Server
computer must be formatted with NTFS.
 Because Active Directory requires DNS, you either need to have a DNS
server installed on your network prior to installing Active Directory, or, you
can choose to install DNS at the same time that you perform the Active
Directory installation.
■ The specific steps to install Active Directory vary depending on the computer’s
role in Active Directory and your network configuration.

STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about DNS and Active Directory, and help you prepare for the
Network and Directory Services exams:
■ Assessment Questions: These questions test your knowledge of
the DNS and Active Directory topics covered in this chapter. You’ll
find the answers to these questions at the end of this chapter.
■ Scenarios: The problems in scenarios challenge you to apply your
understanding of the material to a hypothetical situation. In this
chapter’s scenarios, you’ll be asked to spell out the specific steps
you would take to perform several complex DNS tasks. You don’t
need to be at a computer to do scenarios. Answers to the scenarios
are presented at the end of this chapter.
■ Lab Exercises: These exercises are hands-on practice activities that
you perform on a computer. The two labs in this chapter give you
an opportunity to install, configure, test, monitor, and troubleshoot
DNS; and to install, verify, and troubleshoot Active Directory.

Assessment Questions
1. What type of DNS domain is microsoft.com?
A. Root domain
B. Top-level domain
C. Second-level domain
D. Third-level domain
2. You install the DNS Server service on a Windows 2000 Server
computer.You configure this DNS server to use a root server,
but you do not create any zones whatsoever on this DNS server.
What type of DNS server have you configured?
A. Master
B. Forwarder
C. Root server
D. Caching-only

3. You want to configure root hints on a Windows 2000 DNS server.
What tool should you use?
A. Nslookup.exe
B. DNS administrative tool
C. Active Directory Users and Computers
D. Network and Dial-up Connections folder
4. You want to configure a static IP address on a Windows 2000 Server
computer on which you want to install the DNS Server service and
Active Directory. What tool should you use to configure the static
IP address?
A. Ipconfig.exe
B. DNS administrative tool
C. Active Directory Users and Computers
D. Network and Dial-up Connections folder
5. You want client computers and servers on your Windows 2000 network
to be able to register and revise their host names and IP addresses
with the network Windows 2000 DNS server without administrator
intervention. What should you configure on the Windows 2000 DNS
server, and where should you make the necessary configuration?
A. Enable forwarding — in the zone’s Properties dialog box
B. Enable dynamic updates — in the zone’s Properties dialog box
C. Enable forwarding — in the DNS server’s Properties dialog box
D. Enable dynamic updates — in the DNS server’s Properties
dialog box
6. When will the Configure DNS Server Wizard not permit you to
configure a Windows 2000 DNS server as a root server?
A. When Active Directory is installed on the DNS server
B. When the DNS server has a dynamic IP address
C. When the DNS server is connected to the Internet
D. When another server is configured to use the DNS server
as a forwarder
7. What must be installed and/or configured prior to (or during) the
installation of Active Directory? (Choose all that apply.)
A. An NTFS volume
B. DNS Server service

C. Certificate Services
D. Windows 2000 Server or Advanced Server
8. Which of the following statements about Active Directory are true?
(Choose all that apply.)
A. You can install Active Directory on any Windows 2000
Professional, Server, or Advanced Server computer.
B. When you install Active Directory on a Windows 2000 Server
computer, the computer becomes a domain controller.
C. You can use Active Directory Users and Computers to install
Active Directory.
D. At least one volume must be formatted with FAT or FAT32 prior
to installing Active Directory.
9. You want to install Active Directory on a Windows 2000 Server
computer. How can you start the Active Directory Installation
Wizard? (Choose all that apply.)
A. Select Start ➪ Run. Then, in the Run dialog box, type dcpromo
and click OK.
B. Select Start ➪ Programs ➪ Administrative Tools ➪ DNS. Then, in
the DNS dialog box, select Action ➪ New Host.
C. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory
Users and Computers. Then, in the Active Directory Users and
Computers dialog box, select Action ➪ Connect to Domain.
D. Select Start ➪ Programs ➪ Administrative Tools ➪ Configure Your
Server. Then, in the Windows 2000 Configure Your Server dialog
box, click the Active Directory link. On the Active Directory
page, scroll down and click Start the Active Directory wizard.

Scenarios
Scenarios provide you with an opportunity to apply the knowledge you’ve
gained in this chapter. In this chapter’s scenarios, you’ll revisit two specific
DNS configuration tasks. Because each of these tasks involves multiple DNS
servers, you probably won’t have the computer resources to practice the
tasks directly. However, these scenario problems enable you to act as if you
were performing each task, and spell out the steps you would take on each
DNS server to complete the task.

For each problem, consider the given information and identify the steps
required to accomplish the specified task.
1. You have two DNS servers on your network. One DNS server is a
Windows 2000 Active Directory-integrated DNS server, and the other
is a DNS server that runs on a UNIX host. You want the UNIX DNS
server to maintain a copy of the zone that is located on the Active
Directory-integrated DNS server. What steps would you take (and
on which server) to accomplish this?
2. Your company’s network has five locations: a central office and four
satellite offices. Each location has a server that functions both as an
Active Directory domain controller and as a Windows 2000 DNS
server. The DNS server at your central office currently has one
standard primary zone. You want to replicate this zone to the
other four DNS servers in the most efficient manner possible. What
steps would you take (and on which servers) to accomplish this?

Lab Exercises
The following two labs are designed to give you practical experience
working with DNS and Active Directory.

Lab 7-1 Installing and Configuring DNS

EXAM MATERIAL: Network; Directory Services

The purpose of this lab is to provide you with hands-on experience
installing, configuring, managing, testing, and troubleshooting DNS on a
Windows 2000 Server computer.
There are seven parts to this lab:
■ Part 1: Configuring your server and installing the DNS Server service
■ Part 2: Configuring a DNS client
■ Part 3: Configuring a root server and a caching-only server
■ Part 4: Configuring zones and zone delegation
■ Part 5: Manually creating a DNS resource record

■ Part 6: Testing the DNS Server service
■ Part 7: Troubleshooting DNS
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator. Follow the steps in the lab carefully.

Part 1: Configuring Your Server and Installing the DNS Server Service
In this part, you assign your Windows 2000 Server computer a primary
DNS suffix, and then install the DNS Server service.
1. From the desktop, right-click My Computer and select Properties
from the menu that appears.
2. In the System Properties dialog box, click the Network
Identification tab.
3. On the Network Identification tab, click Properties.
4. In the Identification Changes dialog box, click More.
5. In the DNS Suffix and NetBIOS Computer Name dialog box, type
domain1.mcse in the “Primary DNS suffix of this computer” text
box. Click OK.
6. In the Identification Changes dialog box, click OK.
7. In the Network Identification dialog box, click OK.
8. On the Network Identification tab, click OK.
9. In the System Settings Change dialog box, click Yes to restart your
computer. When your computer restarts, boot to Windows 2000
Server and log on as Administrator.
10. Place your Windows 2000 Server compact disc in your computer’s
CD-ROM drive. Close the Microsoft Windows 2000 CD dialog box.
Select Start ➪ Settings ➪ Control Panel.
11. In the Control Panel dialog box, double-click Add/Remove Programs.
12. In the Add/Remove Programs dialog box, click Add/Remove
Windows Components.
13. The Windows Components Wizard starts. In the Windows Components
screen, scroll down and highlight Networking Services. Click Details.
14. In the Networking Services dialog box, select the check box next to
Domain Name System (DNS). Click OK.
15. In the Windows Components screen, click Next.

16. Windows 2000 Setup configures components. In the Completing the
Windows Components Wizard screen, click Finish.
17. Close the Add/Remove Programs dialog box. Close Control Panel.
Remove the Windows 2000 compact disc from your computer’s
CD-ROM drive.

Part 2: Configuring a DNS Client

In this part you configure your DNS server to be its own DNS client.
1. From the desktop, select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click the Network
and Dial-up Connections folder.
3. In the Network and Dial-up Connections folder, right-click Local
Area Connection and select Properties from the menu that appears.
4. In the Local Area Connection Properties dialog box, highlight
Internet Protocol (TCP/IP) and click Properties.
5. In the Internet Protocol (TCP/IP) Properties dialog box, ensure that
the “Use the following DNS server addresses” option is selected. Then,
in the Preferred DNS server text box, type the IP address of this DNS
server. (Use 192.168.59.101 unless your network administrator or
instructor supplies you with a different IP address.) Click Advanced.
6. In the Advanced TCP/IP Settings dialog box, click the DNS tab.
7. On the DNS tab, in the “DNS suffix for this connection” text box,
type domain1.mcse and click OK.
If you’re performing this lab in a classroom setting, your instructor
may provide you with a different domain name to enter in this step.
8. In the Internet Protocol (TCP/IP) Properties dialog box, click OK.
9. In the Local Area Connection Properties dialog box, click OK.
10. Close the Network and Dial-up Connections folder.

Part 3: Configuring a Root Server and a Caching-only Server

In this part you configure a root server and a caching-only server.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ DNS.
2. In the DNS dialog box, highlight your computer in the left pane.
3. Windows 2000 indicates that your DNS server has not yet been
configured. Select Action ➪ Configure the server.

4. The Configure DNS Server Wizard starts. Click Next.
5. The Root Server screen appears. Accept the default option of “This is
the first DNS server on this network.” Click Next.
6. In the Forward Lookup Zone screen, select the “No, do not create a
forward lookup zone” option, and click Next.
7. The Completing the Configure DNS Server Wizard screen appears.
Click Finish.
8. The DNS dialog box reappears. This completes the configuration of a
root server.
Because you’ve installed and configured the DNS Server service, your
DNS server is now configured as a caching-only server.

Part 4: Configuring Zones and Zone Delegation

In this part you create three standard primary forward lookup zones and
one standard primary reverse lookup zone. You also configure zones for
dynamic updates and implement zone delegation.
1. In the DNS dialog box, click the + next to your computer’s name in
the left pane.
2. In the left pane, highlight the Forward Lookup Zones folder. Select
Action ➪ New Zone.
3. The New Zone Wizard begins. Click Next.
4. The Zone Type screen appears. Accept the default option of “Standard
primary” and click Next.
5. In the Name text box on the Zone Name screen, type domain1.mcse
and click Next.
6. The Zone File screen appears. Accept the default options presented
on this screen. Click Next.
7. The Completing the New Zone Wizard screen appears. Click Finish.
8. The DNS dialog box reappears. Notice that the new zone you created
appears in the right pane.
9. Repeat Steps 2 through 8 two more times to create two additional
forward lookup zones. When prompted to name these zones in Step 5, use
the names sales.domain1.mcse and manufacturing.domain1.mcse
for the two new zones.

10. In the left pane of the DNS dialog box, highlight the Reverse
Lookup Zones folder. Select Action ➪ New Zone.
11. The New Zone Wizard begins. Click Next.
12. The Zone Type screen appears. Accept the default option of
“Standard primary” and click Next.
13. The Reverse Lookup Zone screen appears. Accept the default
“Network ID” option. Type in a Network ID of 192.168.59
unless your network administrator or instructor supplies you
with a different Network ID. Click Next.
14. The Zone File screen appears. Accept the default options presented
on this screen. Click Next.
15. The Completing the New Zone Wizard screen appears. Click Finish.
16. The DNS dialog box reappears. Notice that the new zone you created
appears in the right pane.
In the left pane of the DNS dialog box, click the + next to the
Forward Lookup Zones folder. Also click the + next to the
Reverse Lookup Zones folder.
17. In the left pane, highlight the domain1.mcse zone. Select
Action ➪ Properties.
18. The zone’s Properties dialog box appears. On the General tab, select
Yes in the “Allow dynamic updates?” drop-down list box. Click OK.
19. Repeat Steps 17 through 18 for each of the other three zones you
created, configuring each zone to allow dynamic updates.
20. In the left pane of the DNS dialog box, highlight the domain1.mcse
folder. Select Action ➪ Refresh.
21. In the right pane of the DNS dialog box, notice the manufacturing
and sales folders that are displayed. Also notice that both folders are
gray, which indicates that zone delegation is enabled for the
manufacturing and sales zones. You don’t have to manually configure zone
delegation because you created the subdomains on the same DNS
server that contains the domain1.mcse parent domain.

Part 5: Manually Creating a DNS Resource Record

In this part you manually create a Pointer (PTR) record for your DNS server.
1. In the left pane of the DNS dialog box, highlight the 192.168.59.x
Subnet folder. Select Action ➪ New Pointer.

2. The New Resource Record dialog box appears. Type 101 in the
white space at the end of the “Host IP number” box. Type
server01.domain1.mcse in the “Host name” text box. Click OK.
3. When the DNS dialog box reappears, notice that the new record you
just created appears in the right pane. Close the DNS dialog box.

Part 6: Testing the DNS Server Service

In this part, you use Nslookup.exe to test your DNS server.
1. From the desktop, select Start ➪ Programs ➪ Accessories ➪ Command
Prompt.
2. Maximize the Command Prompt dialog box when it appears.
3. At the command prompt, type nslookup and press Enter.
4. Nslookup.exe displays your computer’s name and IP address. At the
Nslookup.exe prompt (>) type 192.168.59.101 and press Enter.
5. Nslookup.exe displays two pairs of computers and their IP addresses.
The first pair consists of the name of the DNS server that resolved this
request and its associated IP address. The second pair consists of the
computer name and IP address of the host that you supplied the IP
address for in Step 4. The DNS server used the Pointer (PTR) record
you created earlier in this lab to perform this reverse lookup from IP
address to host name.
6. At the Nslookup.exe prompt (>) type help and press Enter.
Notice the syntax for the Nslookup.exe commands and options.
7. At the Nslookup.exe prompt (>) type exit and press Enter to
close Nslookup.exe. Then type exit and press Enter to close
the Command Prompt.

Part 7: Troubleshooting DNS

1. From the desktop, select Start ➪ Help.
2. Click the Contents tab if it does not appear on top.
3. On the Contents tab, double-click Networking.
4. In the list that appears under Networking, double-click DNS.
5. In the list that appears under DNS, double-click Troubleshooting.
Notice the various DNS troubleshooting topics listed.

6. In the right pane, click “Troubleshoot DNS servers.” Notice the
various problems this Help feature can help you resolve.
7. Close the Windows 2000 dialog box.

Lab 7-2 Installing Active Directory

EXAM MATERIAL: Network; Directory Services

The objective of this lab is to give you hands-on experience installing Active
Directory on a Windows 2000 Server computer. Then, after the Active
Directory installation, you’ll have an opportunity to verify the installation,
practice troubleshooting Active Directory problems, and monitor the DNS
Server service.
There are four parts to this lab:
■ Part 1: Installing Active Directory
■ Part 2: Verifying Your Active Directory Installation
■ Part 3: Troubleshooting Active Directory
■ Part 4: Monitoring the DNS Server Service
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Installing Active Directory

1. Select Start ➪ Run. In the Run dialog box, type dcpromo and
click OK.
2. The Active Directory Installation Wizard starts. Click Next.
3. The Domain Controller Type screen appears. Accept the default
option of “Domain controller for a new domain” and click Next.
4. The Create Tree or Child Domain screen appears. Accept the default
option of “Create a new domain tree” and click Next.
5. The Create or Join Forest screen appears. Accept the default option
of “Create a new forest of domain trees” and click Next.
6. The New Domain Name screen appears. In the “Full DNS name
for new domain” text box type domain1.mcse and click Next.

7. The NetBIOS Domain Name screen appears. Accept the default
name displayed and click Next.
8. The Database and Log Locations screen appears. Accept the default
locations displayed and click Next.
9. The Shared System Volume screen appears. Accept the default folder
location displayed and click Next.
10. The Permissions screen appears. Select the “Permissions compatible
only with Windows 2000 servers” option. Click Next.
11. The Directory Services Restore Mode Administrator Password screen
appears. In this screen, type password in the Password text box. Then
type password in the “Confirm password” text box. Click Next.
12. The Summary screen appears. Click Next.
13. The wizard installs and configures Active Directory. This process may
take several minutes to complete.
14. The Completing the Active Directory Installation Wizard screen
appears. Click Finish.
15. When the Active Directory Wizard dialog box appears, click
Restart Now to restart your computer and complete the
Active Directory installation.

Part 2: Verifying Your Active Directory Installation

1. When your computer restarts, boot to Windows 2000 Server and
log on as Administrator. From the desktop select Start ➪ Programs ➪
Administrative Tools ➪ Active Directory Users and Computers.
2. In the left pane of the Active Directory Users and Computers dialog
box, click the + next to domain1.mcse.
If domain1.mcse isn’t listed in the left pane of this dialog box, your
Active Directory installation was not successful. You’ll probably have
to reinstall Active Directory.
3. In the left pane, highlight the Domain Controllers folder. In the
right pane, the name of your computer (Server01) should be displayed.
If your computer isn’t listed in this pane, your Active Directory
installation was not successful. You’ll probably have to reinstall Active Directory.
Close the Active Directory Users and Computers dialog box.
4. From the desktop select Start ➪ Programs ➪ Administrative
Tools ➪ DNS.

5. In the left pane of the DNS dialog box, click the + next to the name
of your DNS server (Server01). Then click the + next to the Forward
Lookup Zones folder. Then highlight the domain1.mcse folder.
In the right pane of the DNS dialog box, four folders should be
displayed: _msdcs, _sites, _tcp, _udp. (You may need to wait several
minutes after the computer reboots for all of the folders to be displayed.
Click Action ➪ Refresh to update your display.)
If these four folders are present, Active Directory is correctly installed
and registered with your DNS server. Close the DNS dialog box.
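The two checks the labs perform by hand (the reverse lookup Nslookup.exe does from the PTR record created in Lab 7-1, Part 6, and the verification in Step 5 above that the domain controller has registered its records under the _msdcs and _tcp folders, which is also what the troubleshooting bullets at the start of this section are about) can be illustrated offline against zone data. The following is an added example, not code from the book: the zone contents are constructed to match the lab’s domain1.mcse and 192.168.59.101 setup, and the SRV owner names it looks for (_ldap._tcp, _kerberos._tcp, _ldap._tcp.dc._msdcs) are the standard domain controller locator records assumed from general knowledge, not taken from the chapter.

```python
import ipaddress

# Constructed sample zone data modelled on the lab's domain1.mcse setup; not
# copied from any real server. The SRV owner names are the standard DC locator
# records Net Logon registers (assumed from general knowledge, not from the book).
FORWARD_ZONE = """\
$ORIGIN domain1.mcse.
@                     NS   server01.domain1.mcse.
server01              A    192.168.59.101
_ldap._tcp            SRV  0 100 389 server01.domain1.mcse.
_kerberos._tcp        SRV  0 100 88  server01.domain1.mcse.
_ldap._tcp.dc._msdcs  SRV  0 100 389 server01.domain1.mcse.
"""

REVERSE_ZONE = """\
$ORIGIN 59.168.192.in-addr.arpa.
@     NS   server01.domain1.mcse.
101   PTR  server01.domain1.mcse.
"""

# Owner-name prefixes a domain controller is expected to have registered for
# its domain; the _msdcs and _tcp folders the lab looks for hold these records.
REQUIRED_DC_SRV = ("_ldap._tcp", "_kerberos._tcp", "_ldap._tcp.dc._msdcs")


def parse_zone(text):
    """Parse a minimal zone file into (owner, type, rdata) tuples.

    Only the $ORIGIN directive and 'owner TYPE rdata' lines are handled
    (no TTL or class columns), which is enough for the constructed samples.
    """
    origin = "."
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        owner, rtype, rdata = fields[0], fields[1].upper(), " ".join(fields[2:])
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"        # qualify a relative owner name
        records.append((owner.lower(), rtype, rdata))
    return records


def lookup(records, name, rtype):
    """Return the rdata of every record matching name and type (case-insensitive)."""
    name = name.lower().rstrip(".") + "."
    return [r for o, t, r in records if o == name and t == rtype]


def reverse_lookup(records, ip):
    """Resolve an IP address to a host name through its PTR record, which is
    what Nslookup.exe does when you type an address at its prompt.
    Returns None when the reverse zone holds no PTR for that address."""
    ptr_name = ipaddress.ip_address(ip).reverse_pointer + "."
    matches = lookup(records, ptr_name, "PTR")
    return matches[0] if matches else None


def missing_dc_records(records, domain):
    """Return the DC locator SRV owner names that are absent from the zone.
    An empty list means the domain controller's registration looks complete;
    a non-empty list is the symptom the troubleshooting steps address."""
    return [f"{prefix}.{domain}." for prefix in REQUIRED_DC_SRV
            if not lookup(records, f"{prefix}.{domain}.", "SRV")]


if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE)
    rev = parse_zone(REVERSE_ZONE)
    print("192.168.59.101 ->", reverse_lookup(rev, "192.168.59.101"))
    print("missing DC records:", missing_dc_records(fwd, "domain1.mcse"))
```

Run against the constructed data, the reverse lookup returns server01.domain1.mcse. and no locator records are reported missing; feeding it a forward zone that holds only the A record lists all three expected SRV names, which is the condition that restarting the Net Logon service (or manually adding the records) is meant to fix.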

Part 3: Troubleshooting Active Directory

1. From the desktop, select Start ➪ Help.
2. Click the Contents tab if it does not appear on top.
3. On the Contents tab, double-click Active Directory.
4. In the list that appears under Active Directory, click Troubleshooting.
Notice that several common Active Directory problems are displayed
in the right pane.
5. In the right pane, click “Cannot add or remove a domain” and view
the possible causes and recommended solutions for this problem.
6. Close the Windows 2000 dialog box.

Part 4: Monitoring the DNS Server Service

In this part, you use the Monitoring tab in the DNS administrative tool to
monitor your DNS server.
1. From the desktop, select Start ➪ Programs ➪ Administrative
Tools ➪ DNS.
2. In the left pane of the DNS dialog box, highlight the name of your
computer, and select Action ➪ Properties.
3. In the DNS server’s Properties dialog box, click the Monitoring tab.
4. The Monitoring tab appears. Select the check box next to “A simple
query against this DNS server.” Then, select the check box next to
“Perform automatic testing at the following interval.” From the
drop-down list box, select “seconds.” The test interval should now
be configured for every 30 seconds. Click Apply.

5. The test results (either PASS or FAILED) will begin appearing in
the box at the bottom of the dialog box. Monitor this dialog box
for two minutes. Notice that the time field is automatically updated
every 30 seconds. Also notice that only the most recent test is
displayed in this box.

TIP
The monitoring feature doesn’t appear to be rock-solid (although it does
work better after Active Directory is installed). Sometimes a PASS result
is displayed, and sometimes a FAILED result is displayed. Even if a
FAILED result is displayed, this doesn’t necessarily mean your DNS
server is not functioning properly.

6. Clear the check boxes next to “A simple query against this DNS
server” and “Perform automatic testing at the following interval.”
Click OK.
7. Close the DNS dialog box.

Answers to Chapter Questions

Chapter Pre-Test
1. DNS stands for the Domain Name System.
2. Host name resolution is the process of resolving a computer’s
user-friendly host name (such as www.idgbooks.com) to the
IP address of that computer.
3. The DNS domain at the top of the DNS domain namespace is called
the root domain. This domain is often represented by a period (.).
4. Any four of the following:
 Standard primary
 Active Directory integrated (primary)
 Standard secondary
 Master
 Slave
 Caching-only
 Forwarder
 Root server

5. TTL stands for Time-To-Live.
6. The prerequisites that must be met prior to installing
Active Directory are:
 At least one volume on the Windows 2000 Server/Advanced
Server computer must be formatted with NTFS.
 Because Active Directory requires DNS, you either need to have
a DNS server installed on your network prior to installing Active
Directory, or you can choose to install DNS at the same time that
you perform the Active Directory installation.

Assessment Questions
1. C. Microsoft.com is a second-level domain. The root domain
is . and the top-level domain is com.
2. D. A caching-only server is a DNS server that has been configured to
use (or to be) a root server. A caching-only DNS server does not store
any zones.
3. B. Use the Root Hints tab in a DNS server’s Properties dialog box in
the DNS administrative tool to configure root hints.
4. D. A static IP address is specified by configuring the Local Area
Connection in the Network and Dial-up Connections folder.
5. B. You should select Yes in the drop-down list box next to “Allow
dynamic updates?” in the zone’s Properties dialog box.
6. C. When a Windows 2000 DNS server is connected to the Internet,
the Configure DNS Server Wizard does not permit you to configure
this server as a root server.
7. A, B, D. Windows 2000 Server (or Advanced Server) must be installed
and at least one volume formatted with NTFS prior to installing Active
Directory. In addition, the DNS Server service must be installed either
before installing Active Directory or during the process of installing
Active Directory.
8. B. When Active Directory is installed on a Windows 2000 Server or
Advanced Server computer, the computer becomes a domain controller.
None of the other statements are true.
9. A, D. These are the only two ways to start the Active Directory
Installation Wizard.

Scenarios
1. On the UNIX DNS server, create a standard secondary zone.
When you create this secondary zone, assign it the same name as
the Active Directory-integrated zone, and specify the IP address
of the Active Directory-integrated DNS server that contains the
master copy of the zone.
2. The most efficient way to achieve replication, in this situation, is to:
a. Convert the standard primary zone on the Windows 2000 DNS
server at the central office to an Active Directory-integrated zone.
b. Configure each of the four Windows 2000 DNS servers at
the four satellite offices to load zone data on startup from
“Active Directory and registry.”
Once these two steps have been performed, Active Directory will
automatically replicate the zone data to each of the four satellite
Windows 2000 DNS servers.

EXAM MATERIAL: Directory Services

EXAM OBJECTIVES

Directory Services: Exam 70-217


■ Install, configure, and troubleshoot the components
of Active Directory
■ Implement an organizational unit (OU) structure.
■ Manage Active Directory objects.
■ Move Active Directory objects.
■ Publish resources in Active Directory.
■ Locate objects in Active Directory.
■ Control access to Active Directory objects.
■ Delegate administrative control of objects in Active Directory.
CHAPTER 8

Administering and Securing Active Directory

Now that you’ve installed and configured a Windows 2000 computer, it’s
time to start thinking about managing and securing your resources. In
this chapter, you’ll learn how to administer and secure Active Directory. To this
end, I’ll introduce you to Active Directory Users and Computers, a powerful tool
you’ll use to perform many Active Directory administration tasks. Then I’ll show
you how to create organizational units (OUs) and configure OU properties. Next,
I’ll explain how to perform various management tasks with Active Directory
objects, including how to locate objects, publish resources, and move objects in
Active Directory. Finally, I’ll explore how to control access to and delegate
administration of Active Directory objects.


510 Part III ▼ Managing and Securing Resources

Chapter Pre-Test
1. What are OUs, and what is their purpose?
2. List two tasks you can use Active Directory Users and Computers
to perform.
3. The act of creating an Active Directory object for a shared folder,
shared printer, or other network resource is called ______________.
4. Define the terms parent object and child object.
5. What is the smallest container object in Active Directory to which
you can delegate administrative authority?

Chapter 8 ▼ Administering and Securing Active Directory 511

Implementing an Organizational Unit (OU) Structure
An organizational unit (OU) is a type of Active Directory object. OUs,
which are sometimes called container objects, are specifically designed to
contain objects and other organizational units from their own domain.
OUs help you organize the structure of Active Directory in much the
same way that folders help you organize a file system. You should plan your
OU structure before you begin creating OUs. The whole purpose of OUs
is to make network administration simpler.

CROSS-REFERENCE
OUs and planning an OU structure were covered in Chapter 2.

In the sections that follow I’ll explain how to implement an OU structure,
which is accomplished by creating and configuring OUs.

Creating OUs
Before you can create OUs, you must install Active Directory and create an
Active Directory domain that will contain the OUs you create. OUs are
created by using Active Directory Users and Computers.

Active Directory Users and Computers

Active Directory Users and Computers is an administrative tool that is a snap-in to
the Microsoft Management Console (MMC). You must be an Administrator,
a member of the Enterprise Admins group, or a member of the Domain
Admins group to have sufficient privileges to use this tool.
In addition to creating OUs, you can use Active Directory Users and
Computers to:
■ Add users, groups, computers, contacts, printers, and shared folders
to Active Directory
■ Delete any object in Active Directory

■ Configure the properties of any object in Active Directory
■ Locate objects in Active Directory
■ Publish resources in Active Directory
■ Move objects in Active Directory
■ Control access to and configure security for Active Directory objects
■ Delegate administrative control of Active Directory objects
By default, Active Directory Users and Computers is only installed on
domain controllers. However, if you want to create OUs or otherwise
administer Active Directory from a nondomain controller (such as your
Windows 2000 Professional desktop computer), you can make Active
Directory Users and Computers available on any Windows 2000 computer
by installing the ADMINPAK. (See the sidebar for more information on
installing the ADMINPAK.)

INSTALLING THE ADMINPAK

The Windows 2000 Administration Tools, called the ADMINPAK, can be installed
on any Windows 2000 computer (Professional, Server, or Advanced Server).
However, the ADMINPAK files must be installed from a Windows 2000 Server or
Advanced Server compact disc.

Installing the ADMINPAK

1. Place the Windows 2000 Server or Advanced Server compact disc in your
computer’s CD-ROM drive.
2. From the desktop, right-click My Computer, and select Explore from the
menu that appears.
3. In the left pane of the My Computer dialog box, click the + next to your
CD-ROM drive.
4. Highlight the I386 folder under your CD-ROM drive. In the right pane of the
window, scroll down and double-click the ADMINPAK icon. (The full name of
this file is Adminpak.msi.)
5. The Windows 2000 Administration Tools Setup Wizard appears. Follow the
instructions on-screen to install the ADMINPAK.

To access Active Directory Users and Computers, select Start ➪
Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
Figure 8-1 shows the Active Directory Users and Computers dialog box.

FIGURE 8-1 Active Directory Users and Computers

Notice the left pane in the dialog box. This pane displays the hierarchical
structure of Active Directory in a tree format. Each item displayed in the left
pane is an Active Directory object. The Active Directory objects in the left
pane are called container objects (or sometimes just containers) because they
can contain other objects. When you highlight an object in the left pane, its
contents are displayed in the right pane.
Because you’ll probably use Active Directory Users and Computers
extensively to create OUs and to manage Active Directory objects, I want
to tell you about another way to access this tool.
Microsoft recommends, for security reasons, that you log on as a regular
user instead of always as Administrator. However, because you need
Administrator privileges to use Active Directory Users and Computers, you’ll
need to create a shortcut to this tool and configure it to run as Administrator.

STEP BY STEP

CREATING A SHORTCUT TO ACTIVE DIRECTORY USERS AND COMPUTERS

1. Right-click the desktop, and select New ➪ Shortcut from the menu that appears.
2. The Create Shortcut wizard begins. In the “Type the location of the item” text box,
type runas /netonly /user:domain_name\administrator "mmc.exe dsa.msc"
and click Next.

TIP
Remember to replace italicized text, such as domain_name, with your actual
domain name, and don’t use the underscore — it’s just a placeholder.

3. In the “Type a name for this shortcut” text box, type Active Directory Users and
Computers. Click Finish.
4. The shortcut you just created appears on your desktop. To run Active Directory
Users and Computers with Administrator privileges while logged on as a regular
user, double-click the shortcut on your desktop, and supply the Administrator
password when prompted.

The Process of Creating OUs

Using Active Directory Users and Computers to create OUs is a fairly
straightforward process.

STEP BY STEP

CREATING AN OU

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪
Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, either
highlight the domain in which you want to create an OU, or expand the domain
and highlight the OU in which you want to create an OU. Then select Action ➪
New ➪ Organizational Unit.
3. In the New Object - Organizational Unit dialog box, type the name you want to
assign to the new OU. I recommend that you choose a name that intuitively
describes the objects that will be contained in this OU (such as “Accounting
Users” for an OU that contains only users who are part of your company’s
accounting department). Click OK.

4. The new OU appears in the right pane of the Active Directory Users and
Computers dialog box.

Configuring OU Properties
After you’ve created an OU, you may want to configure its properties.
Specifically, you can configure a general description of the OU, specify a
user account that is responsible for managing the OU, and configure
Group Policy for the OU.

STEP BY STEP

CONFIGURING AN OU

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪
Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the domain that contains the OU you want to configure. If the OU you
want to configure is displayed in the tree, highlight it.
If the OU you want to configure is not listed in the tree, click the + next to the
OU that contains the OU you want to configure. Then, highlight the OU you
want to configure.
Select Action ➪ Properties.
3. The OU’s Properties dialog box appears. There are three tabs in this dialog box:
General, Managed By, and Group Policy. Configurations on all three of these tabs
are optional.
On the General tab, type any descriptive text you want to enter about the OU.
You can enter a general description of the OU and specify a complete geographic
address for the OU. Microsoft included this tab because OUs are often based on
a physical management location, such as a building, a specific floor of a building,
or an office in a specific city. Click the Managed By tab.
4. On the Managed By tab, you can specify the user account that is responsible
for managing this OU. To specify a user account, click Change, and select the
appropriate user from the list that appears. You can also specify additional contact
information about the user you specified if this information is not displayed
automatically. To do this, click View, fill in the appropriate information in the
user’s Properties dialog box, then click OK.

5. To configure Group Policy for the OU, click the Group Policy tab and make the
necessary configurations. Click OK.

CROSS-REFERENCE
I’ll cover Group Policy in great detail in Chapter 10.

Up to this point, you’ve created an OU and configured its properties. But
an OU is really just an empty shell (and of little value) until you create or
place objects in it. Some of the objects that you can create or place in an OU
include users, groups, computers, printers, contacts, shared folders, and other
organizational units. I’ll explain how to create these objects in later chapters as
I cover the specific topics of users, groups, printers, shared folders, and so on.

Managing Active Directory Objects

Active Directory objects are generally managed with two primary goals
in mind:
■ To organize objects in such a way that they are easy for users to locate
■ To secure objects and control access to them so that network
resources are protected
The primary tool used to manage Active Directory objects is Active
Directory Users and Computers.
Some of the most common Active Directory administrative tasks are
locating objects in Active Directory, publishing resources in Active Directory,
moving objects in Active Directory, controlling access to Active Directory
objects, and delegating administration of Active Directory objects. I’ll explain
how to perform each of these tasks in the sections that follow.

Locating Objects in Active Directory

One of the benefits of Active Directory is that it’s a searchable database. Users
can search for (and locate) objects with only a small amount of known
information.

For example, suppose I want to send e-mail to a coworker in my company’s
Denver office, but I only know my coworker’s name. I can search
Active Directory for all users with that name. When the results of the
search are displayed, I can view my coworker’s full name, e-mail address,
business phone number, and home phone number.
Or, suppose I want to locate a printer in my building that can print in
color. I can search Active Directory for all printers with that feature. Then,
when the list of results is displayed, I can directly connect to the color
printer nearest to me.
There are two tools that users (and administrators) can use to find
objects in Active Directory:
■ Active Directory Users and Computers: This tool is primarily
used by administrators, because users normally don’t have this tool
installed on their computers. If a user has Active Directory Users and
Computers installed on his or her computer, he or she can search for
an object without having to have Administrator privileges. This tool
can be used to search Active Directory for users, contacts, and groups;
computers; printers; shared folders; and organizational units.
■ Windows Explorer: This tool can be used by anyone, and is the
only tool that is typically available to all users. This tool can be used
to search Active Directory for people, printers, and computers. In
addition, you can use Windows Explorer to browse Active Directory
for shared folders, but you can’t use Windows Explorer to search
Active Directory for a particular shared folder.
In the next sections I’ll show you how to use both of these tools to
locate objects in Active Directory.

STEP BY STEP

USING ACTIVE DIRECTORY USERS AND COMPUTERS TO LOCATE OBJECTS

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪
Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, highlight
the domain in which you want to search. Select Action ➪ Find.

3. The Find Users, Contacts, and Groups dialog box appears, as shown in Figure 8-2.
Notice the “Find” and “In” drop-down list boxes near the top of the dialog box.

FIGURE 8-2 Searching for an object in Active Directory

In the “In” drop-down list box, select the domain or OU in which you want to
search; or select the Entire Directory, which includes records for all domains
in the forest.
In the “Find” drop-down list box, select the type of object you want to locate. The
types of objects you can select from are users, contacts, and groups; computers;
printers; shared folders; organizational units; or custom search.
Depending on the object you select, a tab specific to that object type is displayed,
along with an Advanced tab.
On the object-specific tab, enter any known information about the object you
want to locate, as prompted by the tab. Text boxes for information such as the
object’s name, description, owner, location, model, and so on may be displayed.
Click Find Now to perform the search.
4. Active Directory Users and Computers displays a list of all objects that match
the information you specified.
If the object you searched for is displayed, you can take various actions depending
on the type of object. If you searched for a user, contact, or group, you can
view and modify the object’s properties (if you have the appropriate permissions)
by double-clicking the object. If you searched for a printer, you can directly connect
to the printer. If you searched for a shared folder, you can map a network
drive to that shared folder, and so on.

If the object you searched for is not displayed, or if you want to search for multiple
objects that all have a similar property, such as all objects located in a particular
city, click the Advanced tab and select the specific fields and values you want to
search by. Numerous fields are available on this tab — in fact, you can search for
an object by virtually any of its properties.
5. Close the Find Users, Contacts, and Groups dialog box.

Windows Explorer is also a useful tool for locating objects in Active
Directory. In the steps that follow I’ll show you how to search for a person,
printer, and computer. I’ll also explain how to use Windows Explorer to
browse for shared folders.

STEP BY STEP

STARTING AN ACTIVE DIRECTORY SEARCH IN WINDOWS EXPLORER

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪
Windows Explorer.)
2. In the Windows Explorer dialog box, select View ➪ Explorer Bar ➪ Search,
or click the Search button in the toolbar.
3. The Search Explorer bar is displayed in the left pane. The following steps explain
how to perform a search for a person, printer, or computer, and how to browse for
a shared folder. Continue on to the appropriate set of steps.

SEARCHING FOR A PERSON

1. To search for a person, in the Search Explorer bar, scroll down and click People.
2. The Find People dialog box appears, as shown in Figure 8-3. Notice the “Look in”
drop-down list box.

FIGURE 8-3 Searching for a person in Active Directory

If Active Directory is not selected in the “Look in” drop-down list box, select it.
On the People tab, fill in any known information about the person you want to
find, such as the person’s first name, last name, or a portion of their e-mail
address. Click Find Now to perform the search.
3. Windows Explorer displays a list of all people that match the information
you specified.
If the person you searched for is displayed, you can view the person’s full name,
e-mail address, business phone number, and home phone number. You can click
Properties to view and/or modify detailed information about the user (if you have
the appropriate permissions). You can also click Add to Address Book to add this
user to your Outlook Express Address Book.
If the person you searched for is not displayed, you can click the Advanced tab and
define advanced search criteria that you want Windows Explorer to search by.

SEARCHING FOR A PRINTER

1. To search for a printer, in the Search Explorer bar, scroll down and click Printers.
2. The Find Printers dialog box appears. This dialog box has three tabs: Printers,
Features, and Advanced.
In the “In” drop-down list box, either accept the default of Entire Directory, or
select a domain you want Windows Explorer to search.
On the Printers tab, specify any known information about the printer you want to
search for, such as its name, location, or model.
The Features tab is shown in Figure 8-4. Notice that on this tab you can specify
which features the printer you’re searching for must have.

FIGURE 8-4 Specifying printer features before a search

Also notice that on the Features tab you can select from multiple options, such
as double-sided printing, stapling, color printing, and so on. Select the features
you need.
On the Advanced tab you can select the specific fields and values you want to
search by. Numerous fields are available on this tab — in fact, you can search for
a printer by virtually any of its properties.
Once you’ve made all configurations you want to on the Printers, Features, and/or
Advanced tabs, click Find Now to search.
3. Windows Explorer displays a list of all printers that match the information you
specified. In addition to the printer’s name, the location, model, server the printer
is connected to, and comments (if any) are displayed for each printer listed.
If you want to connect to one of the printers listed, right-click the printer and
select Connect from the menu that appears. Windows 2000 will install drivers
for that printer on your computer (if not already installed) and will connect to
the printer.
You can also view the printer’s properties by right-clicking the printer and selecting
Properties from the menu that appears. If you have the appropriate permissions,
you can edit the printer’s properties, as well.

SEARCHING FOR A COMPUTER

1. To search for a computer, in the Search Explorer bar, scroll down and
click Computers.
2. The Search for Computers screen appears in the Search Explorer bar. In the
Computer Name text box, type in any known part of the name of the computer
you want to search for. Click Search Now.

3. Windows Explorer displays the results of the computer search in the right pane.
Figure 8-5 shows both the Search for Computers Explorer bar and the computer
search results.

FIGURE 8-5 Computer search results

All computer names that contain the letter combination you specified in Step 2
are listed in the computer search results. In addition to the computer’s name, the
location and comments (if any) are displayed for each computer listed.
If you right-click any computer listed in the search results pane, you can select
from numerous options in the menu that appears, including:
■ Open Containing Folder: If you select this option, Windows Explorer
opens a dialog box for the domain in which the computer is located. This
dialog box lists all computers in this domain. You can open, explore, create
a shortcut to, or view the properties of any computer listed.
■ Open: If you select this option, Windows Explorer graphically displays all of
the shared folders, shared printers, the Scheduled Tasks folder, and the
Printers folder for the computer. You can map a network drive to a shared
folder; connect to a shared printer; or open, explore, or create a shortcut to
any of the folders listed.

■ Explore: If you select this option, a Windows Explorer window is opened that
shows the computer’s location on the network in the left pane, and a graphical
list of the shared folders, shared printers, the Scheduled Tasks folder,
and the Printers folder for the computer. You can browse the network;
map a network drive to a shared folder; connect to a shared printer; or open,
explore, or create a shortcut to any of the folders listed.
■ Create Shortcut: If you select this option, Windows 2000 enables you to
create a shortcut to this computer on your desktop.
■ Properties: If you select this option, a few general properties of the
computer are displayed.

BROWSING FOR A SHARED FOLDER

1. To browse for a shared folder in Active Directory, in Windows Explorer, select
View ➪ Explorer Bar ➪ Folders.
2. The Folders Explorer bar appears in the left pane. Click the + next to My Network
Places. Click the + next to Entire Network. Click the + next to Directory. Click the +
next to the domain you want to browse. Beneath the domain, highlight the container
object you want to browse.
3. The contents of the container object you selected, including the container’s shared
folders, shared printers, users, groups, computers, and so on, are displayed in the
right pane. Figure 8-6 shows an OU highlighted in the left pane, and the two shared
folders it contains displayed in the right pane.

FIGURE 8-6 Browsing for shared folders



If you right-click any of the shared folders displayed, you can open, explore,
search, map a network drive to, create a shortcut to, or view the properties of the
shared folder.

Publishing Resources in Active Directory

In order for users and administrators to locate objects in Active Directory,
those objects must exist in Active Directory. Windows 2000 automatically
creates some objects in Active Directory as the resources they represent are
created, but other objects must be manually created in Active Directory by
an administrator. The act of creating an Active Directory object for a shared
folder, shared printer, or other network resource is called publishing.
You don’t have to publish shared resources in Active Directory for users
to be able to access those resources. For example, users can use Windows
Explorer to browse the network to locate a shared printer or a shared
folder. However, the advantage of publishing resources in Active Directory
is that, because Active Directory is a searchable database, it provides an
additional means for users to easily locate these resources.

Resources That Can Be Published

When you create a user, contact, group, or OU, you are creating an Active
Directory object. Because of this, the object for the user, contact, group,
or OU is automatically published in Active Directory when you create it.
(I explained how to create OUs earlier in this chapter, and I’ll show you
how to create users and groups in Chapter 9.)
In similar fashion, when a computer joins a Windows 2000 domain, a
computer object for the computer joining the domain is created and automatically
published in Active Directory. In addition, you can manually
publish a computer object in Active Directory for a computer that has not
yet joined a Windows 2000 domain.
Shared printers are sometimes automatically published in Active
Directory, but this is not always the case. When you create a shared printer on
a Windows 2000 computer that is a member of a Windows 2000 domain,
Windows 2000 automatically creates a shared printer object and publishes it
in Active Directory. However, you must manually publish Active Directory
objects for shared printers on Windows NT computers.

Folders, once they have been created and shared on a network server,
must always be manually published in Active Directory.

TIP
Publishing a shared folder or printer in Active Directory doesn’t create the
shared folder or printer. Instead, it creates an object in Active Directory
that represents the previously created and shared folder or printer.

Some network services, such as Certificate Services, can be published in
Active Directory. These services can’t be published manually, but rather are
published automatically during installation if their installation programs
provide that capability.

How to Manually Publish Resources in Active Directory

After you have created and shared folders or printers, you can use Active
Directory Users and Computers to manually publish objects that represent
these resources in Active Directory, as the steps that follow explain.

STEP BY STEP

PUBLISHING SHARED FOLDERS AND SHARED PRINTERS IN ACTIVE DIRECTORY

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪
Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, either
highlight the domain in which you want to create the shared folder or shared
printer; or, expand the domain and highlight the OU in which you want to
create the shared folder or shared printer.
To create a shared folder, select Action ➪ New ➪ Shared Folder.
To create a shared printer, select Action ➪ New ➪ Printer.
3. If you are creating a shared folder, in the New Object - Shared Folder dialog box,
type the name you want to assign to the new shared folder, and enter the full
network path to the shared folder. Click OK.
If you are creating a shared printer, in the New Object - Printer dialog box, type
the full network path to the shared printer. Click OK.
4. The new shared folder or shared printer appears in the right pane of the Active
Directory Users and Computers dialog box.

Moving Objects in Active Directory

Occasionally you may need to move objects in Active Directory. Suppose, for
example, that an employee is transferred from your company’s San Francisco
office to your New York office. If your company uses OUs to manage users,
groups, and computers by city, you would need to move this employee’s user
object from the San Francisco OU to the New York OU.
When an OU is moved in Active Directory, all of the OU’s contents are
moved, as well. Moving an OU in Active Directory is much like moving a
folder in a volume.
When an object is moved in Active Directory, several things happen:
■ The moved object acquires the inheritable permissions from its
new parent object.
■ The moved object loses all previously inherited permissions from
its old parent object.
■ Any previously explicitly assigned permissions to users and groups
for this object are retained. In other words, the same users and
groups that could access or manage this object before it was moved
can access the object after it is moved, if their permissions were
explicitly assigned, and not inherited.
The new parent object is the domain, OU, or other container object in
which the moved object is placed. I’ll define and discuss permissions in
greater detail a little later in this chapter.

EXAM TIP
Make sure you understand what happens to an Active Directory object’s
permissions when the object is moved. Since the process of moving an
object is pretty simple, expect the exam to focus more on permissions
than on the moving process.

Moving Objects within a Domain

You can use Active Directory Users and Computers to move an object within
a domain, as the steps that follow explain.

STEP BY STEP

MOVING AN OBJECT IN ACTIVE DIRECTORY

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪
Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, click the +
next to the name of the domain that contains the object you want to move. Highlight
the OU or other container object that contains the object you want to move.
In the right pane, right-click the object you want to move, and select Move from
the menu that appears.
3. The Move dialog box appears, as shown in Figure 8-7. Notice that a list of all
container objects in the domain is displayed.

FIGURE 8-7 Moving an object in Active Directory

Expand the OUs or other container objects in this dialog box as necessary.
Highlight the OU or other container object in which you want to place the
object you are moving. Click OK.
4. Windows 2000 moves the object, and returns you to the Active Directory Users
and Computers dialog box.

Moving Objects to a Different Domain

If you need to move an object to a different domain, you won’t be able to
use Active Directory Users and Computers to get the job done. You can
use the MoveTree.exe command-line utility to move objects from one
domain to another. MoveTree.exe is not installed by default. You can
make MoveTree.exe available by installing the Windows 2000 Support
Tools, which are located on the Windows 2000 Server/Advanced Server
compact disc in the \Support\Tools folder.
For more information on using MoveTree.exe, install the Windows
2000 Support Tools, then select Start ➪ Programs ➪ Windows 2000
Support Tools ➪ Tools Help, and search for MoveTree.

Controlling Access to Active Directory Objects

Access to Active Directory objects can be controlled by assigning Active
Directory permissions to users, groups, and computers that may attempt to
access these objects. It’s normally a good practice to control access to Active
Directory objects in order to prevent undesired modification (either intentionally
or unintentionally) of the objects, and to enable specific users and
groups to administer objects in Active Directory.
Controlling access to an object in Active Directory is not necessarily the
same as controlling access to the object itself. When a component (such as
a computer, shared folder, or shared printer) exists outside of Active
Directory, and also has a corresponding object in Active Directory, the permissions
set on the Active Directory object do not affect the permissions to
the actual component itself.
For example, suppose I have permission to write to a shared folder on my
network. That doesn’t necessarily mean I have permission to write to the
object that represents this shared folder in Active Directory. Or, suppose I
have Full Control over a shared printer object in Active Directory. I may or
may not have permissions to print to this printer, depending on how the
administrator has configured the printer’s permissions.

TIP
Active Directory permissions only specify whether a user, group, or computer
can view or modify an object’s properties in Active Directory. Active
Directory permissions do not control access to the shared folders or
shared printers themselves.

In the real world you may not have to modify the security properties on
Active Directory objects, because the default security permissions of the
Windows 2000 built-in groups are often adequate for small to medium-sized
organizations. Once an administrator makes users members of appropriate
groups, the users have permissions to Active Directory objects suitable for
the users’ job tasks and responsibilities.

EXAM TIP
Even if you don’t have to set permissions on Active Directory objects on
your company’s Windows 2000 network, make sure you understand and
know how to apply these permissions before you take the Directory
Services exam.

Permissions Terminology
Before I move on to the process of setting permissions on Active Directory
objects, there are a few terms I need to define, which are used throughout the
Windows 2000 user interface. Two of these terms are parent object and child
object. A parent object is a container object that contains other objects. An
object that is contained in the parent object is referred to as a child object.
Another important term is inheritance. Inheritance refers to the permissions
an object receives simply because it is contained in another
object — in other words, because an object is a child (or grandchild)
object of a particular parent object. When an object inherits permissions,
it’s not because the permissions have been applied specifically to
the object in question, but rather because permissions have been set on
the parent object that contains the object in question. An important feature
of inheritance is that when permissions are configured to apply to
all of an object’s child objects, the permissions are applied to all objects
contained in the parent object’s tree, regardless of how many intermediate
containers exist between the child object and the parent object to
which the permissions have been assigned.

Setting Permissions on Active Directory Objects

You can use Active Directory Users and Computers to set permissions on
Active Directory objects. This tool provides you with a great deal of control
when it comes to assigning permissions to objects.
530 Part III ▼ Managing and Securing Resources

Permissions are set in Active Directory Users and Computers by modifying
the security properties of an Active Directory object. When you configure
the permissions of an Active Directory object, you can:
■ Specify the users and groups that are specifically permitted or denied
access to the object or its properties
■ Specify whether the object’s permissions will be applied to only
the object itself, or to the object and to all of its child objects
■ Specify whether the object will inherit permissions from its parent
object. (If you configure an object to not inherit permissions from
its parent object, this is referred to as blocking inheritance.)
■ Configure permissions to control access to a specific property
of the object
There are numerous permissions that can be set for Active Directory
objects. The specific permissions that can be set for each object vary,
depending on the type of object. That said, there are five standard Active
Directory permissions that can be applied to most objects in Active Directory.
Table 8-1 lists and describes each of these permissions.
TABLE 8-1 Standard Active Directory Permissions

Permission                  Description
Full Control                Assigns all permissions to the specified user or group for this object, including permission to delete the object; delete the subtree; view or edit the object’s properties, including permissions; take ownership of the object; configure auditing for the object; and so on.
Read                        Permits the specified user or group for this object to list the contents of the object and to read all of the properties of this object, including its permissions.
Write                       Permits the specified user or group for this object to write all properties of this object. However, the Write permission does not permit the specified user or group to take ownership of the object, modify permissions, or configure auditing.
Create All Child Objects    Permits the specified user or group for this object to create all child objects for this object, including computer objects, contact objects, group objects, organizational unit objects, printer objects, and so on.
Delete All Child Objects    Permits the specified user or group for this object to delete all child objects for this object, including computer objects, contact objects, group objects, organizational unit objects, printer objects, and so on.

In addition to standard permissions, there are numerous advanced
permissions that can be set on Active Directory objects. These advanced
permissions enable precise, granular access control to Active Directory objects.

TIP
I recommend, for ease of administration, that you assign permissions to
groups instead of users whenever possible. I also recommend that you
assign permissions as high in the domain tree as possible and rely on
inheritance to propagate permissions down the tree.

Now I’ll explain the steps involved in assigning permissions to Active
Directory objects.

STEP BY STEP

CONFIGURING PERMISSIONS ON ACTIVE DIRECTORY OBJECTS

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪
Administrative Tools ➪ Active Directory Users and Computers.)
2. In the Active Directory Users and Computers dialog box, select View ➪ Advanced
Features. (You must select this option before the Security tab will become available.)
3. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain that contains the object for which you want to
configure permissions. In the left pane, continue expanding the domain tree until
the object you want to set permissions on is displayed. Then right-click the object,
and select Properties from the menu that appears.
4. In the object’s Properties dialog box, click the Security tab.
5. The Security tab is displayed. Figure 8-8 shows the Security tab for an OU
named Kirkland. Notice that various users and groups are displayed in the top
section of this tab. Only users or groups that have some sort of permission to
view or modify one or more properties of this object are listed. Also notice that
permissions for the highlighted user or group are listed in the bottom section
of this tab.
First, highlight the user or group to which you want to assign permissions. (If the
user or group you want to assign permissions to is not listed in this dialog box,
click Add. Then, in the Select Users, Computers, or Groups dialog box, double-
click the user or group you want to add, and click OK.)
Then, in the permissions box, select the permission(s) you want to allow or deny
to the user or group you selected by selecting the appropriate “Allow” or “Deny”
check box(es).

FIGURE 8-8 The Security tab

If you want to block inheritance to this object, clear the check box next to “Allow
inheritable permissions from parent to propagate to this object.” This check box is
selected by default.
If you want to configure advanced permissions, or if you want the permissions you
assign to be inheritable by child objects of this object, click Advanced. (If you are
done configuring permissions, skip to Step 9.)
6. The Access Control Settings dialog box for the object is displayed. Figure 8-9
shows the Access Control Settings dialog box for an OU. Notice the detailed
permission entries listed.
To configure advanced permissions, highlight the user or group (listed in the
Name column) for which you want to edit permissions. Then click View/Edit.
7. The Permission Entry dialog box for the object appears. Figure 8-10 shows
the Permission Entry for Kirkland dialog box. Notice that the user or group
you selected in Step 6 appears in the Name list box. Also notice the
detailed list of permissions and the “Apply onto” drop-down list box.

FIGURE 8-9 Access control settings

FIGURE 8-10 Configuring advanced permissions



By default, the permissions you configure will apply to this object only. However, if
you want to use inheritance to propagate this permission to child objects, select the
“This object and all child objects” option from the “Apply onto” drop-down list box.

TIP
You must manually change the setting in the “Apply onto” drop-down list
box if you want to use inheritance to propagate the permissions you’re
configuring.

In the Permissions box, select or clear the check boxes next to the permissions
you want to modify for the selected user or group. Click OK.
8. The Access Control Settings dialog box for the object reappears. Click OK.
9. In the object’s Properties dialog box, click OK.

Taking Ownership of an Active Directory Object


Occasionally, you may need to assign permissions to an Active Directory
object, but not have the Full Control permission for the object. Without the
Full Control permission (or the Modify Permissions specific permission),
you can’t assign or change an object’s permissions. This situation can arise if
an administrator accidentally changes his or her own permissions so that he
or she no longer has the Modify Permissions permission, or if a delegated
administrator removes a senior administrator’s permissions to the object.
To remedy this situation, you must take ownership of the Active
Directory object. The owner of an object can always assign permissions to
that object.
You can take ownership of an Active Directory object if you are a member
of the Domain Admins group or have the Modify Owner permission to the
object.
The steps that follow explain how to take ownership of an Active
Directory object.

STEP BY STEP

TAKING OWNERSHIP OF AN OBJECT IN ACTIVE DIRECTORY

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪
Administrative Tools ➪ Active Directory Users and Computers.)
2. In the Active Directory Users and Computers dialog box, select View ➪
Advanced Features.
3. In the left pane of the Active Directory Users and Computers dialog box, click
the + next to the name of the domain that contains the object for which you
want to take ownership. In the left pane, continue expanding the domain tree
until the object you want to take ownership of is displayed. Then right-click
the object, and select Properties from the menu that appears.
4. In the object’s Properties dialog box, click the Security tab.
5. On the Security tab, click Advanced.
6. In the Access Control Settings for the object dialog box, click the Owner tab.
7. The Owner tab appears. In the “Change owner to” box, highlight your user name
(or group). Click OK.
8. In the object’s Properties dialog box, you can now assign permissions to this
object as desired. Click OK.

How Active Directory Permissions Combine


It is not uncommon for a user to have permissions to an Active Directory
object and to be a member of one or more groups that also have permissions
to that object. These permissions may either be assigned directly to the
object, or may be inherited from a parent object.
When user and group permissions to an Active Directory object differ, the
user and group permissions are additive, and the least restrictive permission is
the user’s effective permission. For example, a user has the Read permission
to an Active Directory object, and a group that the user is a member of has
the Full Control permission to the object. The user’s effective permission to
the object is Full Control.
However, there is an exception to this rule: if the user, or any group
the user is a member of, is denied a specific permission, then the user
is denied that permission. For example, if a user is allowed the Read
permission, and a group the user is a member of is denied the Read
permission, then the user is denied the Read permission. When an allow
permission and a deny permission combine, the deny permission takes precedence. I like to
call this exception “the deny rule.” The Full Control permission can be
particularly troublesome here. If the user (or any group that the user is a
member of) is denied the Full Control permission, the user is denied all
permissions to the Active Directory object. For this reason, you should use
great care when denying a permission to a user or group.
However, even the deny rule has an exception. If a specific user (or group)
is denied a permission at the parent object level, and that user (or group) is
directly allowed that permission (or a permission that includes that
permission) at the object level, then the directly assigned permission (called an explicit
permission) takes precedence, and even overrides the denied permission. For
example, suppose a user is denied the Write permission to an OU, and is also
assigned the Full Control permission to a child object of the OU. At the child
object level, then, the user is denied the Write permission by inheritance, but
is explicitly assigned the Full Control permission. The user’s effective
permission to the child object is Full Control, because this permission was explicitly
assigned at the child object level.
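As an added illustration written for this section (it is not code from the book or from Microsoft, and it reads no real ACL), the following Python model encodes the inheritance rules from “Permissions Terminology” and the combination rules above: propagation through intermediate containers, blocked inheritance, additive user and group entries, the deny rule, and the explicit-overrides-inherited exception. The group names Sales and Temps, the Payroll Printer object, and the short list of rights that Full Control expands to are constructed stand-ins.

```python
"""Model of how Active Directory permissions are inherited and combined.
Added illustration for this section, not Microsoft code; it reads no real ACL.
Precedence per right, as the text describes it: explicit Deny, explicit Allow,
inherited Deny, inherited Allow. User and group entries are additive.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Set, Tuple

# Simplified stand-in for the list of rights that "Full Control" expands to.
ALL_RIGHTS = frozenset({"Read", "Write", "Create All Child Objects",
                        "Delete All Child Objects", "Delete",
                        "Modify Permissions", "Modify Owner"})
FULL_CONTROL = "Full Control"

# Choices in the "Apply onto" drop-down list box of the Permission Entry dialog.
THIS_OBJECT = "This object only"
THIS_AND_CHILDREN = "This object and all child objects"
CHILDREN_ONLY = "Child objects only"


@dataclass
class Ace:
    """One permission entry: trustee (user or group), Allow/Deny, a permission."""
    trustee: str
    allow: bool
    permission: str
    apply_onto: str = THIS_OBJECT


@dataclass
class AdObject:
    name: str
    parent: Optional["AdObject"] = None
    aces: List[Ace] = field(default_factory=list)
    block_inheritance: bool = False  # "Allow inheritable permissions..." cleared


def rights_of(permission: str) -> Set[str]:
    """Full Control implies every right; any other permission is just itself."""
    return set(ALL_RIGHTS) if permission == FULL_CONTROL else {permission}


def applicable_aces(obj: AdObject) -> Iterator[Tuple[Ace, bool]]:
    """Yield (ace, is_explicit) for every entry that applies to obj.

    Explicit entries sit on obj itself. Inherited entries come from each
    ancestor in turn, through any number of intermediate containers, until
    an object that blocks inheritance is reached.
    """
    for ace in obj.aces:
        if ace.apply_onto in (THIS_OBJECT, THIS_AND_CHILDREN):
            yield ace, True
    node = obj
    while node.parent is not None and not node.block_inheritance:
        node = node.parent
        for ace in node.aces:
            if ace.apply_onto in (THIS_AND_CHILDREN, CHILDREN_ONLY):
                yield ace, False


def effective_rights(obj: AdObject, principals: Set[str]) -> Set[str]:
    """Effective rights for a user plus every group the user belongs to."""
    buckets = {key: set() for key in  # keyed by (is_explicit, is_allow)
               [(True, False), (True, True), (False, False), (False, True)]}
    for ace, explicit in applicable_aces(obj):
        if ace.trustee in principals:  # user and group entries are additive
            buckets[(explicit, ace.allow)] |= rights_of(ace.permission)
    exp_deny, exp_allow = buckets[(True, False)], buckets[(True, True)]
    inh_deny, inh_allow = buckets[(False, False)], buckets[(False, True)]
    # Explicit Deny beats all; explicit Allow beats inherited Deny, which in
    # turn beats inherited Allow (the deny rule and its exception).
    return (exp_allow - exp_deny) | (inh_allow - inh_deny - exp_deny)


def has_full_control(obj: AdObject, principals: Set[str]) -> bool:
    return effective_rights(obj, principals) == set(ALL_RIGHTS)


def scenarios() -> Tuple[bool, bool, bool, bool]:
    """The three cases from the text; group and printer names are constructed."""
    # Case 1: user allowed Read, group allowed Full Control -> Full Control.
    kirkland = AdObject("Kirkland")
    kirkland.aces += [Ace("JoeB", True, "Read"), Ace("Sales", True, FULL_CONTROL)]
    additive = has_full_control(kirkland, {"JoeB", "Sales"})
    # Case 2 (the deny rule): user allowed Read, group denied Read -> no Read.
    denver = AdObject("Denver")
    denver.aces += [Ace("JoeB", True, "Read"), Ace("Temps", False, "Read")]
    read_after_deny = "Read" in effective_rights(denver, {"JoeB", "Temps"})
    # Case 3 (exception to the deny rule): Write denied on the OU and inherited
    # through an intermediate OU; Full Control explicit on the child object.
    hq = AdObject("HQ Seattle")
    hq.aces.append(Ace("JoeB", False, "Write", THIS_AND_CHILDREN))
    accounting = AdObject("Accounting", parent=hq)
    printer = AdObject("Payroll Printer", parent=accounting)
    printer.aces.append(Ace("JoeB", True, FULL_CONTROL))
    explicit_wins = has_full_control(printer, {"JoeB"})
    write_on_accounting = "Write" in effective_rights(accounting, {"JoeB"})
    return additive, read_after_deny, explicit_wins, write_on_accounting
```

Calling scenarios() returns (True, False, True, False): the additive case yields Full Control, the deny rule removes Read, the explicit Full Control on the child wins over the inherited Write deny, and the intermediate OU still has Write denied.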

Delegating Administration of Active Directory Objects
Delegation is one of the many benefits of Active Directory. Delegation is
useful, particularly in large organizations, because it enables the administrator
to distribute administrative tasks among several assistant administrators
without giving each assistant administrative privileges to the entire network.
Delegation is accomplished by assigning the appropriate permissions to an
assistant administrator for a manageable-sized portion of Active Directory,
typically an OU. Once this permission is assigned to an assistant
administrator for the OU, the assistant can manage the entire OU, including all of its
child objects.
The OU is the smallest container object in Active Directory to which
you can delegate administrative authority.
There are two primary ways to delegate administration of Active
Directory objects:
■ You can use Active Directory Users and Computers to manually
assign the appropriate permission(s) to the assistant administrator for
the Active Directory object, and configure this permission(s) to apply
to “This object and all child objects.” (To do this, see the step-by-step
section titled “Configuring permissions on Active Directory objects”
earlier in this chapter.)

TIP
Sometimes administrators want to delegate authority to an assistant for
all objects in the OU, but not to the actual OU itself. In this case, select
the “Child objects only” option instead of the “This object and all child
objects” option when configuring advanced permissions.

■ You can use the Delegation of Control Wizard in Active Directory
Users and Computers. I’ll explain how to use this wizard in the
next section.

STEP BY STEP

USING THE DELEGATION OF CONTROL WIZARD

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪
Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain that contains the object for which you want to
delegate authority. In the left pane, continue expanding the domain tree until the
object you want to delegate authority of is displayed. Then right-click the object,
and select Delegate Control from the menu that appears.
3. The Delegation of Control Wizard starts. Click Next.
4. In the Users or Groups screen, click Add.
5. In the Select Users, Computers, or Groups dialog box, double-click the user
(or group) you want to delegate control to. (If you want to delegate authority
to more than one user or group, double-click each one.) Click OK.
6. In the Users or Groups screen, click Next.
7. The Tasks to Delegate screen appears, as shown in Figure 8-11. Notice the various
tasks you can delegate.
If the task(s) you want to delegate to the user or group you selected in Step 5
are listed on this screen, select the task(s). Click Next, and skip to Step 10.
If the task you want to delegate to the user or group you selected in Step 5 is not
listed on this screen, select the “Create a custom task to delegate” option, and
click Next.

TIP
For purposes of using this wizard only, think of a “custom task” in terms
of assigning specific permissions to a specific user for a specific Active
Directory object (or for a particular type of child object contained in that
object).

FIGURE 8-11 Delegating tasks

8. The Active Directory Object Type screen appears. In this screen you specify the
scope of the task you want to delegate. You can choose to either delegate control
of this entire object, or to delegate control of specific child objects contained in
this object. Select the appropriate option and click Next.
9. The Permissions screen appears, as shown in Figure 8-12.

FIGURE 8-12 Specifying permissions



In the top half of this screen, select the type(s) of permissions you want to
assign. Then, in the Permissions box, select the specific permissions you
want to assign. Click Next.
10. In the Completing the Delegation of Control Wizard screen, click Finish.

KEY POINT SUMMARY

This chapter introduced several important Active Directory topics:

■ An organizational unit (OU) is a type of Active Directory object. The whole
purpose of OUs is to organize users, computers, and other Active Directory
objects to simplify network administration.
■ Active Directory Users and Computers is the primary administrative tool used
to perform management tasks with OUs and other Active Directory objects.
By default, this tool is only installed on domain controllers, but you can make
it available on any Windows 2000 computer by installing the ADMINPAK.
■ There are two tools that users (and administrators) can use to find objects in
Active Directory: Active Directory Users and Computers and Windows Explorer.
■ The act of creating an Active Directory object for a shared folder, shared
printer, or other network resource is called publishing. The advantage of
publishing resources in Active Directory is that, because Active Directory
is a searchable database, it provides an additional means for users to
easily locate these resources.
■ Windows 2000 automatically publishes some objects in Active Directory as
the resources they represent are created, but other objects must be manually
published in Active Directory by an administrator.
■ You can use Active Directory Users and Computers to move an object within
a domain. The MoveTree.exe command-line utility is used to move objects
from one domain to another.

■ When an OU is moved in Active Directory, all of the OU’s contents are moved,
as well.
■ A parent object is a container object that contains other objects. An object
that is contained in the parent object is referred to as a child object.
■ Access to Active Directory objects can be controlled by assigning Active
Directory permissions to users, groups, and computers that may attempt to
access these objects. Permissions are set by modifying the security properties
of an Active Directory object.
■ When you configure the permissions of an Active Directory object, you can:
  • Specify the users and groups that are specifically permitted or denied
    access to the object and/or its properties
  • Specify whether the object’s permissions will be applied to only the object
    itself, or to the object and to all of its child objects
  • Specify whether the object will inherit permissions from its parent object
  • Configure permissions to control access to a specific property of the object
■ Occasionally, you may need to assign permissions to an Active Directory
object, but not have the Full Control (or the Modify Permissions) permission
for the object. To remedy this situation, an Administrator must take ownership
of the object.
■ It’s not uncommon for a user to have permissions to an Active Directory object
and to be a member of one or more groups that also have permissions to that
object. In general, user and group permissions are additive, and the least
restrictive permission is the user’s effective permission. But there are exceptions.
■ Delegation is one of the many benefits of Active Directory. Delegation of Active
Directory objects enables the administrator to distribute administrative tasks
among several assistant administrators without giving each assistant
administrative privileges to the entire network.

STUDY GUIDE
This section contains exercises that are designed to solidify your knowledge
about implementing an OU structure and managing Active Directory
objects, and to help you prepare for the Directory Services exam:
■ Assessment questions: These questions test your knowledge of
the Directory Services topics covered in this chapter. You’ll find the
answers to these questions at the end of this chapter.
■ Lab Exercises: These exercises are hands-on practice activities
that you perform on a computer. The lab in this chapter gives you
an opportunity to practice implementing OUs and managing
Active Directory objects.

Assessment Questions
1. You want to create an organizational unit (OU) on a Windows 2000
Server computer that is a domain controller. Which tool should you use?
A. Windows Explorer
B. Active Directory Sites and Services
C. Active Directory Domains and Trusts
D. Active Directory Users and Computers
2. You want to use a Windows 2000 Professional computer on your
Windows 2000 network to create an organizational unit (OU).
How can you accomplish this?
A. Install Active Directory on the Windows 2000 Professional
computer. Then use Active Directory Domains and Trusts
to create the OU.
B. Install the ADMINPAK on the Windows 2000 Professional
computer. Then use Active Directory Users and Computers
to create the OU.
C. Install Active Directory on the Windows 2000 Professional
computer. Then use Active Directory Users and Computers
to create the OU.
D. Install the ADMINPAK on the Windows 2000 Professional
computer. Then use Active Directory Sites and Services to
create the OU.
3. You want to search for a specific shared folder object in Active
Directory. Which tool should you use?
A. Search
B. Windows Explorer
C. Active Directory Sites and Services
D. Active Directory Users and Computers
4. You recently moved a user, JoeB, from the New York OU to the
Los Angeles OU. Which of the following statements about JoeB
are correct? (Choose all that apply.)
A. JoeB acquires the inheritable permissions from the Los Angeles OU.
B. JoeB retains the inheritable permissions from the New York OU.
C. JoeB loses all previously inherited permissions from the New York
OU.
D. All users and groups that were previously assigned explicit
permissions to manage JoeB can still manage JoeB.
5. You want to move the Philadelphia OU from the acme1.com
domain to the acme2.com domain. Which tool should you use?
A. MoveTree.exe
B. The move command-line utility
C. Server Extensions Administrator
D. Active Directory Domains and Trusts
6. Which of the following statements about controlling access to Active
Directory objects is true?
A. Controlling access to an object in Active Directory, such as a
shared folder, is the same as controlling access to the object itself.
B. If I have the Full Control permission to a shared Windows NT
printer on my network, I also have the Full Control permission to
the object that represents this shared printer in Active Directory.
C. When user and group permissions to an Active Directory object
differ, the permissions are additive, and usually the least restrictive
permission is the user’s effective permission.
D. Inherited permissions always take precedence over explicit
permissions.
7. When you set permissions on Active Directory objects, what can
you specify? (Choose all that apply.)
A. The users and groups that are specifically permitted or denied
access to the object and/or its properties
B. Whether the object’s permissions will be applied to only the
object itself, or to the object and to all of its child objects
C. Whether the object will inherit, or be blocked from inheriting,
permissions from its parent object
D. The permissions that will control access to a specific property
of the object
8. You want to delegate administration of an OU to a specific user.
How can you accomplish this? (Choose two.)
A. Use the Delegation of Control Wizard to delegate administration
of the OU.
B. Use the Active Directory Installation Wizard to delegate
administration of the OU.
C. Use Active Directory Users and Computers to manually assign
the appropriate permissions to the user for the OU.
D. Use Active Directory Domains and Trusts to manually assign
each of the individual Active Directory permissions to the
user for the OU.

Lab Exercises
The following lab is designed to give you practical experience working
with OUs and Active Directory objects.
Lab 8-1 Implementing OUs and Managing Active Directory Objects

Directory Services Exam Material

The purpose of this lab is to provide you with an opportunity to implement
OUs and manage Active Directory objects. You’ll use Active Directory Users
and Computers to perform most of the tasks in this lab.
There are six parts to this lab:
■ Part 1: Implementing an Organizational Unit (OU) Structure
■ Part 2: Locating Objects in Active Directory
■ Part 3: Publishing Resources in Active Directory
■ Part 4: Moving Objects in Active Directory
■ Part 5: Controlling Access to Active Directory Objects
■ Part 6: Delegating Administration of Active Directory Objects
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Implementing an Organizational Unit (OU) Structure

In this part, you use Active Directory Users and Computers to create
several OUs.
1. Start Active Directory Users and Computers. (Select Start ➪
Programs ➪ Administrative Tools ➪ Active Directory Users
and Computers.)
2. In the left pane of the Active Directory Users and Computers
dialog box, highlight domain1.mcse. Select Action ➪ New ➪
Organizational Unit.
3. In the New Object - Organizational Unit dialog box, type HQ Seattle
and click OK.
4. In the Active Directory Users and Computers dialog box, select
Action ➪ New ➪ Organizational Unit.
5. In the New Object - Organizational Unit dialog box, type Denver
and click OK.
6. In the right pane of the Active Directory Users and Computers
dialog box, double-click HQ Seattle. Then select Action ➪ New ➪
Organizational Unit.
7. In the New Object - Organizational Unit dialog box, type Accounting
and click OK.
8. In the Active Directory Users and Computers dialog box, select
Action ➪ New ➪ Organizational Unit.
9. In the New Object - Organizational Unit dialog box, type Marketing
and click OK.
10. In the left pane of the Active Directory Users and Computers
dialog box, highlight Denver. Then select Action ➪ New ➪
Organizational Unit.
11. In the New Object - Organizational Unit dialog box, type R & D
and click OK.
12. In the Active Directory Users and Computers dialog box, select
Action ➪ New ➪ Organizational Unit.
13. In the New Object - Organizational Unit dialog box, type
Manufacturing and click OK.
14. In the Active Directory Users and Computers dialog box, select
Action ➪ New ➪ Organizational Unit.
15. In the New Object - Organizational Unit dialog box, type
Information Services and click OK. Continue on to Part 2.

Part 2: Locating Objects in Active Directory

In this part, you use Active Directory Users and Computers to search for
objects in Active Directory.
1. In the left pane of the Active Directory Users and Computers
dialog box, highlight domain1.mcse. Select Action ➪ Find.
2. The Find Users, Contacts, and Groups dialog box appears. In the
Name text box, type administrator and click Find Now.
3. Active Directory Users and Computers displays a group named
Administrators and a user named Administrator in the bottom
of the dialog box. Double-click the user named Administrator.
4. The Administrator Properties dialog box appears. Notice the numerous
tabs in this Properties dialog box. On the General tab, fill in all of your
personal information and click OK.
5. The Find Users, Contacts, and Groups dialog box reappears. In the
Find drop-down list box, select Computers.
6. When the “Find in the Directory” dialog box is displayed, click OK.
7. In the “Computer name” text box, type Server01 and click Find Now.
8. Active Directory Users and Computers displays a computer named
SERVER01. Double-click SERVER01.
9. The SERVER01 Properties dialog box appears. Notice the various
tabs. Type in a description of your computer on the General tab, and
click OK.
10. Close the Find Computers dialog box. Close the Active Directory
Users and Computers dialog box.

Part 3: Publishing Resources in Active Directory

In this part you share a folder, and then publish the shared folder in
Active Directory.
1. From the desktop, select Start ➪ Programs ➪ Accessories ➪
Windows Explorer.
2. In the left pane, click the + next to My Computer. Click the + next
to Local Disk (C:). Click the + next to Program Files. Right-click
Accessories, and select Sharing from the menu that appears.
3. In the Accessories Properties dialog box, select the “Share this folder”
option. Accept the default share name of Accessories. Click OK.
4. Close Windows Explorer.
5. Start Active Directory Users and Computers. (Select Start ➪
Programs ➪ Administrative Tools ➪ Active Directory Users
and Computers.)
6. In the left pane of the Active Directory Users and Computers dialog
box, click the + next to domain1.mcse. Click the + next to Denver.
Highlight Information Services. Select Action ➪ New ➪ Shared Folder.
7. In the New Object – Shared Folder dialog box, type Accessories
in the Name text box.Then type \\server01\accessories in the
“Network path” text box. Click OK.
8. The new shared folder object appears in the right pane of the Active
Directory Users and Computers dialog box. You’ve now shared a
folder and published it in Active Directory. Continue on to Part 4.
Part 4: Moving Objects in Active Directory

In this part, you move the Information Services OU (and all of its contents)
from the Denver OU into the HQ Seattle OU.
1. In the left pane of the Active Directory Users and Computers dialog
box, highlight Information Services. Select Action ➪ Move.
2. In the Move dialog box, highlight HQ Seattle, and click OK.
3. In the left pane of the Active Directory Users and Computers dialog
box, click the + next to HQ Seattle. Notice that the Information
Services OU is now contained in the HQ Seattle OU. Highlight
the Information Services OU. Notice that the shared folder named
Accessories was also moved when the OU that contained it
(Information Services) was moved. Continue on to Part 5.

Part 5: Controlling Access to Active Directory Objects

In this part, you assign permissions to a group for a specific OU.
1. In the left pane of the Active Directory Users and Computers dialog
box, select View ➪ Advanced Features.
2. In the left pane of the Active Directory Users and Computers dialog
box, click the + next to HQ Seattle. Highlight Information Services.
Select Action ➪ Properties.
3. In the Information Services Properties dialog box, click the Security tab.
4. On the Security tab, highlight the Account Operators group in the
Name box. Then select the check boxes under “Allow” next to Read,
Create All Child Objects, and Delete All Child Objects. Click Advanced.
5. In the Access Control Settings for Information Services dialog box,
ensure that Account Operators is highlighted in the Permission
Entries box. Click View/Edit.
6. In the Permission Entry for Information Services dialog box, select
“This object and all child objects” from the “Apply onto” drop-down
list box. Click OK.
7. In the Access Control Settings for Information Services dialog box,
click OK.
8. In the Information Services Properties dialog box, click OK.
Continue on to Part 6.
Part 6: Delegating Administration of Active Directory Objects

In this part, you delegate authority to administer the Denver OU and all of
its contents.
1. In the left pane of the Active Directory Users and Computers dialog
box, highlight Denver. Select Action ➪ Delegate Control.
2. The Delegation of Control Wizard starts. Click Next.
3. In the Users or Groups screen, click Add.
4. In the Select Users, Computers, or Groups dialog box, double-click
Server Operators. Click OK.
5. In the Users or Groups screen, click Next.
6. In the Tasks to Delegate screen, select the “Create a custom task to
delegate” option and click Next.
7. The Active Directory Object Type screen appears. Accept the default
setting to delegate control of “This folder, existing objects in this
folder, and creation of new objects in this folder.” Click Next.
8. In the Permissions screen, select the check box next to Full Control
in the Permissions box. Click Next.
9. In the Completing the Delegation of Control Wizard screen,
click Finish.

Answers to Chapter Questions


Chapter Pre-Test
1. An organizational unit (OU) is a type of Active Directory object. OUs
are specifically designed to contain objects and other organizational
units from their own domain. The purpose of OUs is to make network
administration simpler.
2. Any two tasks in the following list are correct. You can use Active
Directory Users and Computers to: create OUs; add users, groups,
computers, contacts, printers, and shared folders to Active Directory;
delete any object in Active Directory; configure the properties of any
object in Active Directory; locate objects in Active Directory; publish
resources in Active Directory; move objects in Active Directory; control
access to and configure security for Active Directory objects; delegate
administrative control of Active Directory objects.

3. The act of creating an Active Directory object for a shared folder,
shared printer, or other network resource is called publishing.
4. A parent object is a container object that contains other objects.
An object that is contained in the parent object is referred to as
a child object.
5. The OU is the smallest container object in Active Directory to which
you can delegate administrative authority.

Assessment Questions
1. D. You can use Active Directory Users and Computers to create and
manage OUs.
2. B. To use a Windows 2000 Professional computer to create an OU, you
should first install the ADMINPAK on the Windows 2000 Professional
computer, and then use Active Directory Users and Computers to
create the OU. You can’t install Active Directory on a Windows 2000
Professional computer.
3. D. To search for a specific shared folder in Active Directory, use Active
Directory Users and Computers. You can use Windows Explorer to
browse Active Directory, but you can’t use it to search for a specific
shared folder.
4. A, C, D. B is not correct because Joe loses all of his previously
inherited permissions from the New York OU.
5. A. Use MoveTree.exe to move Active Directory objects from
one domain to another.
6. C. Typically, when user and group permissions to an Active Directory
object differ, the permissions are additive, and the least restrictive
permission is the user’s effective permission. There are, however, exceptions
to this rule. All of the other statements are false.
7. A, B, C, D. All of the statements are true.
8. A, C. There are two ways to delegate administration of Active Directory
objects: by using the Delegation of Control Wizard (found in Active
Directory Users and Computers) and by using Active Directory Users
and Computers to manually assign the appropriate permissions to the
user for the OU.
EXAM MATERIAL: Professional, Server, Directory Services

EXAM OBJECTIVES

Professional: Exam 70-210


■ Configure and manage user profiles.
■ Implement, configure, manage, and troubleshoot local user
accounts.
■ Implement, configure, manage, and troubleshoot account
settings.
■ Implement, configure, manage, and troubleshoot account
policy.
■ Create and manage local users and groups.
■ Implement, configure, manage, and troubleshoot user rights.
■ Implement, configure, manage, and troubleshoot local user authentication.
■ Configure and troubleshoot local user accounts.
■ Configure and troubleshoot domain user accounts.

Server: Exam 70-215


■ Configure and manage user profiles.
■ Implement, configure, manage, and troubleshoot local accounts.
■ Implement, configure, manage, and troubleshoot Account Policy.

Directory Services: Exam 70-217


■ Manage Active Directory objects.
■ Create and manage accounts manually or by scripting.
CHAPTER 9

Managing Users and Groups

I almost called this chapter “Everything You Always Wanted to Know About
Users and Groups but Were Afraid Someone Would Explain to You in
Great Detail.” It’s way too long a title, but it conveys the idea that this chapter
is a comprehensive study of users and groups in a Windows 2000 environment.
I’ll start by explaining how user authentication works. Then I’ll spend the
rest of the chapter exploring user and group accounts. I’ll take you through the
steps involved in just about every local and domain user task you can think of,
from creating and configuring user accounts to copying, renaming, and deleting
user accounts. I’ll also show you how to work with user profiles, account
policies, and user rights, and spend some time explaining how to troubleshoot
these features. Then I’ll move on to groups, where I’ll begin by explaining how
to use local and built-in groups on the local computer. Finally, I’ll discuss
groups in Active Directory, including how to create, configure, and manage
these groups.


552 Part III ▼ Managing and Securing Resources

Chapter Pre-Test
1. What is Kerberos V5?
2. What are the two Windows 2000 built-in user accounts?
3. What’s the difference between a local user account and a
domain user account?
4. What are roaming user profiles and mandatory user profiles?
5. What are the three major types of Windows 2000 account
policies?
6. What’s the difference between a security group and a distribution
group?
7. What type of group has preset characteristics and is automatically
created during the installation of Windows 2000?

Chapter 9 ▼ Managing Users and Groups 553

Creating and Managing User Accounts


User accounts are records that contain unique user information, such as user
name, password, and any logon restrictions. User accounts enable users to log
on to Windows 2000 computers, and to access resources on the network.
There’s a lot to know about creating and managing user accounts. In the
following sections I’ll explain the user authentication process and discuss
the built-in user accounts. Then I’ll show you how to create user accounts;
how to configure and manage user account properties; and how to copy,
rename, and delete user accounts. Finally, I’ll explore user profiles, account
policies, user rights, and several troubleshooting topics.

Understanding User Authentication


User authentication is the process of verifying a user’s credentials for the
purpose of determining whether the user is permitted to access a local
computer or a network resource, such as a shared folder or shared printer. In
Windows 2000, user authentication is performed by either the local
computer (if the user logs on by using a local user account) or by a domain
controller (if the user logs on by using a domain user account).
Windows 2000 supports three different authentication protocols:
■ Kerberos V5: This protocol is an Internet standard authentication
protocol that provides a higher level of security and faster, more
efficient authentication than the Windows NT LAN Manager
protocol. Kerberos V5 is the default protocol used between Windows
2000 computers when each of these computers is a member of a
Windows 2000 domain. Kerberos V5 is not used, however, when
the computers belong to Windows 2000 domains that are located
in different forests.
■ Windows NT LAN Manager (NTLM): This protocol enables
users of Windows 95, Windows 98, and Windows NT client
computers to be authenticated to Windows 2000 domains and network
resources. This protocol is only available when Windows 2000
Active Directory is configured to operate in mixed-mode. This
protocol is disabled when Windows 2000 Active Directory is
configured to operate in native-mode.

■ Secure Sockets Layer/Transport Layer Security (SSL/TLS):
This protocol is primarily used to authenticate Internet users to
secure Web sites. It can also be used to authenticate Internet users
to Windows 2000 computers. This protocol requires the use of
Certificate Services, and each user account must be mapped to
an individual certificate.

CROSS-REFERENCE
I’ll cover Certificate Services in more depth in Chapter 18.

There are two primary types of Windows 2000 authentication processes:
interactive logon authentication and network authentication.

Interactive Logon Authentication


Interactive logon authentication is the process of verifying a user’s credentials
for the purpose of determining whether the user is permitted to log on to
a local Windows 2000 computer.
Here’s a basic description of what happens when a user logs on to a
Windows 2000 computer. (Because Kerberos V5 is the default Windows
2000 authentication protocol, I assume that the Kerberos V5 protocol is
used in this illustration.)
1. The user presses Ctrl+Alt+Delete, then enters a user name and
password, and specifies whether he or she wants to log on to the local
computer or to a domain.
2. If the user logs on to the local computer, the local Windows 2000
computer checks the user name and password against the information
in its local user account database. If these items match, the computer
logs the user on, and the authentication process is complete.
If the user logs on to the domain, the local Windows 2000 computer
converts the user’s password into an encryption key. The local
computer uses this encryption key to encrypt timestamp information.
Then the local computer sends the user name and the encrypted
timestamp information to a Windows 2000 domain controller, along
with a request for user authentication.
3. The Windows 2000 domain controller (using the user name and the
user’s stored password from the Active Directory data store) decrypts
the timestamp information. If the decryption process produces a valid
timestamp, the domain controller creates two Kerberos V5 tickets,
encrypts these tickets by using the user’s stored password as an
encryption key, and sends the encrypted tickets back to the local
Windows 2000 computer. One of these tickets, called the logon session
key, contains the credentials the user needs to establish the logon
session. The other ticket, called a ticket-granting ticket or a user
ticket, is used to obtain additional Kerberos V5 tickets that enable the
user to access network resources.
4. The local Windows 2000 computer (using the encryption key it created
in Step 2) decrypts the two Kerberos V5 tickets, and uses the logon
session key to log the user on.

Network Authentication
Network authentication is the process of verifying a user’s credentials for the
purpose of determining whether the user is permitted to access network
resources, such as a shared folder, a shared printer, or a network service.
Here’s a high-level overview of what happens when a user attempts to
access a network resource. (Because Kerberos V5 is the default Windows
2000 authentication protocol, I assume that the Kerberos V5 protocol is
used in this example.)
1. The user attempts to access the network resource from the local
Windows 2000 computer.
The action the user takes to initiate access can take several forms. For
example, the user could attempt to open a file stored on a network
server from within an application, such as Microsoft Word. Or, the user
could click Print within any application. There are numerous actions
the user can take, but they all boil down to the user attempting to
access a network resource.
2. The local Windows 2000 computer sends a Kerberos Ticket-Granting
Service Request that includes the user’s name, the name of the
network resource the user wants to access, encrypted timestamp
information, and the ticket-granting ticket (received when the user logged
on) to a Windows 2000 domain controller.
3. The Windows 2000 domain controller decrypts the timestamp
information. If the decryption process produces a valid timestamp,
the domain controller uses the information in the Ticket-Granting
Service Request to create and encrypt a session key. This session key
includes the user’s authorization data (including user account and
group membership information). Then the domain controller sends
this encrypted session key to the local Windows 2000 computer.
4. The local Windows 2000 computer sends the encrypted session key
to the network server that hosts the network resource that the user
wants to access, along with a request for access to the resource.
5. The server that hosts the resource unencrypts the session key, and
then checks the user’s authorization data against the access control list
(ACL) for the network resource. If the user has permission to access
the resource in question, the server grants the user access to the
resource.
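The two exchanges just described (interactive logon, steps 1 to 4, and network authentication, steps 1 to 5) as an added Python simulation; this is not code from the book or from Windows. The cipher is a toy stand-in for the Kerberos ciphers, the 300-second skew limit, domain, users, groups and share ACL are constructed, and the service ticket plays the role of the "session key" that the text says carries the user's authorization data.

```python
import hashlib
import hmac
import json
import os
import time

SKEW_SECONDS = 300  # clock skew the domain controller tolerates (constructed value)
# Toy cipher (SHA-256 keystream + HMAC tag): not a Kerberos cipher, only here so that
# decrypting with the wrong key visibly fails, which is what the logon steps rely on.

def string_to_key(password):  # stand-in for the Kerberos string-to-key step
    return hashlib.sha256(password.encode()).digest()

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + hmac.new(key, nonce + body, hashlib.sha256).digest() + body

def decrypt(key, blob):
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body)))))

class DomainController:
    """KDC role: holds every user's password-derived key and each server's key."""
    def __init__(self, users, server_keys, groups):
        self.user_keys = {u: string_to_key(p) for u, p in users.items()}
        self.server_keys, self.groups = server_keys, groups
        self.kdc_key = os.urandom(32)  # seals ticket-granting tickets

    def _check_timestamp(self, key, enc_ts):
        ts = decrypt(key, enc_ts)["timestamp"]    # wrong key -> ValueError
        if abs(time.time() - ts) > SKEW_SECONDS:  # stale -> treated as a replay
            raise ValueError("timestamp outside the allowed clock skew")

    def logon(self, user, enc_ts):
        """Interactive logon step 3: validate the timestamp, return the two tickets."""
        key = self.user_keys[user]
        self._check_timestamp(key, enc_ts)
        session_key = os.urandom(32).hex()
        tgt = encrypt(self.kdc_key, {"user": user, "session_key": session_key}).hex()
        return encrypt(key, {"logon_session_key": session_key, "tgt": tgt})

    def ticket_granting_service(self, user, resource, enc_ts, tgt):
        """Network authentication step 3: a ticket carrying the authorization data."""
        inner = decrypt(self.kdc_key, bytes.fromhex(tgt))
        if inner["user"] != user:
            raise ValueError("ticket-granting ticket does not belong to this user")
        self._check_timestamp(bytes.fromhex(inner["session_key"]), enc_ts)
        ticket = {"user": user, "resource": resource, "groups": self.groups.get(user, [])}
        return encrypt(self.server_keys[resource], ticket).hex()

class Workstation:
    """The local Windows 2000 computer: logon steps 2 and 4, access steps 2 and 4."""
    def __init__(self, dc):
        self.dc = dc

    def logon(self, user, password):
        key = string_to_key(password)  # step 2: password -> key, encrypt a timestamp
        reply = decrypt(key, self.dc.logon(user, encrypt(key, {"timestamp": time.time()})))
        self.user, self.tgt = user, reply["tgt"]  # step 4: decrypt the two tickets
        self.session_key = bytes.fromhex(reply["logon_session_key"])
        return True

    def ticket_for(self, resource):
        enc_ts = encrypt(self.session_key, {"timestamp": time.time()})
        return self.dc.ticket_granting_service(self.user, resource, enc_ts, self.tgt)

def server_grants_access(server_key, server_name, acl, ticket, share):
    """Step 5: the resource server decrypts the ticket and checks groups against the ACL."""
    t = decrypt(server_key, bytes.fromhex(ticket))
    return t["resource"] == server_name and bool(set(t["groups"]) & set(acl.get(share, [])))

# Constructed sample domain, users, groups and share ACL (not from the book).
FILESRV_KEY = os.urandom(32)
DC = DomainController(
    users={"AlanC": "1234Pass", "NadineS": "Tr0ub4dor&3"},
    server_keys={"FILESRV": FILESRV_KEY},
    groups={"AlanC": ["Domain Users"], "NadineS": ["Domain Users", "Finance"]},
)
ACL = {"Payroll": ["Finance"], "Public": ["Domain Users"]}

def logon_succeeds(user, password):
    try:
        return Workstation(DC).logon(user, password)
    except ValueError:
        return False

def can_access(user, password, share):
    ws = Workstation(DC)
    ws.logon(user, password)
    return server_grants_access(FILESRV_KEY, "FILESRV", ACL, ws.ticket_for("FILESRV"), share)
```

A wrong password produces a key that cannot decrypt the domain controller's reply, which is why the logon fails at step 4 without the password ever crossing the network.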

Built-in User Accounts


There are two Windows 2000 built-in user accounts: Administrator and
Guest. On nondomain controllers, the built-in user accounts are created
automatically during the installation of Windows 2000. On a domain
controller, the built-in user accounts are created automatically during the
installation of Active Directory.
The Administrator user account has all of the rights and permissions
needed to fully administer a Windows 2000 computer or a Windows 2000
domain. The Administrator account can be used to perform numerous tasks,
such as creating and managing users and groups, managing file and folder
permissions, and installing and managing printers and printer security.
The Administrator account, because of its powerful capabilities, can pose
a security risk to your network if a nonauthorized user is able to guess the
password for the account. For this reason, you should consider renaming
the Administrator account. (I’ll explain how to rename a user account later
in this chapter.)
You can’t delete the Administrator account. You also can’t disable the
Administrator account, nor can you remove this account from the
Administrators local group. Incidentally, it’s the Administrator account’s
membership in the Administrators local group that gives the Administrator
account all of its rights and permissions.
The Guest account, which is disabled by default, is designed to permit
limited access to network resources to occasional users who don’t have
their own user accounts. For example, a client visiting your office might
want to connect a laptop computer to your network in order to print a
document. Once the Guest account is enabled, the client can log on using
this account. You can specify, in advance, which network resources are
available to the Guest account by assigning the appropriate file, folder, and
printer permissions to this account.
The Guest account does not require a password. If your network
contains sensitive data, I recommend, for security reasons, that you leave the
Guest account disabled. In this situation, instead of using the Guest
account, you should establish a user account for each and every person
who needs access to network resources.
You can’t delete the Guest account, but you can rename it.

Creating User Accounts


Every person who uses the network on a regular basis should have a user
account.
There are two kinds of user accounts: local user accounts and domain
user accounts. Local user accounts enable users to log on to the local
computer and to access that computer’s resources. Domain user accounts enable
users to log on to the domain and to access resources in the domain.
In order to create local user accounts, you must be a member of either
the Administrators or Power Users group on the local computer. In order
to create domain user accounts, you must be a member of either the
Administrators or Account Operators group in the domain.
I’ll show you how to create user accounts in just a minute, but before I
do, I want to say a few words about naming conventions and passwords.

Naming Conventions
When you create user accounts, keep in mind a few simple rules for user
names:
■ User names (which are referred to as user logon names in Active
Directory Users and Computers) can be from one to 20 characters long.

TIP
Windows 2000 allows you to enter more than 20 characters for a user
name, but will only recognize the first 20.
■ User names must be unique. A domain user name can’t be the
same as another user, group, or computer name within the domain.
A local user name can’t be the same as another user, group, or
computer name within the local computer’s account database.
■ The following characters may not be used in user names:
  " / \ [ ] : ; | = , + * ? < >
  In addition, a user name can’t consist entirely of spaces or periods.
If you have more than a few people in your organization, it’s a good idea
to plan your user account naming convention.
There are probably as many user account naming schemes as there are
network administrators. Sometimes the overall length of a user name is
limited to eight characters, so that the name is compatible with MS-DOS
directory name limitations. While this eight-character limitation is common,
it’s certainly not mandatory, especially on most of today’s networks. A
few common naming conventions for user names include:
A. The first seven letters of the user’s first name plus the first letter of the
user’s last name
B. The first letter of the user’s first name plus the first seven letters of the
user’s last name
C. The user’s initials plus the last four digits of the user’s employee number
D. Various hybrid combinations of the preceding schemes

Table 9-1 shows how three user names would appear using the naming
conventions described in A, B, and C.

TABLE 9-1 Common User Account Naming Conventions

Full Name           Scheme A    Scheme B    Scheme C
Nadine Smith        NadineS     NSmith      NS5500
Robert Jones        RobertJ     RJones      RJ1234
Jonathan Whitmore   JonathaW    JWhitmor    JW2266

In addition to choosing a naming convention, you should have a way to
handle exceptions. It’s quite common, for example, for two users to have
the same first name and last initial, such as Mike Smith and Mike
Sutherland. If your company uses the naming convention described in
scheme A, you would need to resolve the potentially duplicate user names
for these two employees. You could resolve the problem by assigning Mike
Smith the user name of MikeS (assuming he was hired before Mike
Sutherland), and assigning Mike Sutherland the user name of MikeSu.

Passwords
I’ll just say a few words about passwords. Everyone knows that using
passwords protects the security of the network, because only authorized users
can log on.
When user accounts are created, you should have a plan for managing
passwords. Will passwords be assigned and maintained by the network
administrator? Or, will users choose their own passwords?

IN THE REAL WORLD


I normally recommend that the network administrator not maintain user
passwords, because it can take an enormous amount of time. However, if
a very high level of network security is required, the administrator may
decide to assign user passwords of appropriate length and complexity.

When users maintain their own passwords, it’s a good idea to remind
them of a few password security basics:
■ Don’t use your own name or the name of a family member or pet as
a password. (This is a common security loophole in most networks.)
■ Never tell your password to anyone.
■ Don’t write your password on a sticky note and then stick it on
your monitor. Other not-so-hot places to store your password are
on or under your keyboard; in your top desk drawer; in your
Rolodex; or in your briefcase, wallet, or purse.
■ Use a sufficiently long password. I recommend using eight or more
characters in a password. The longer the password, the more difficult
it is to guess.
■ Use a mix of uppercase and lowercase letters, numbers, and special
characters. Remember, passwords are case-sensitive.
■ If passwords are required to be changed regularly, don’t use the
same password with an incremental number at the end, such as
Alan01, Alan02, Alan03, and so on. (Don’t laugh. This may seem
like common sense, but I’ve seen several network administrators
actually do this.)
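A small checker for the reminders above, added here and not part of the book. The "mix" rule is taken to mean at least three of the four character classes (an assumption), and `personal_words` is a hypothetical list of family and pet names that the user supplies.

```python
import re

def _stem(password):
    """'Alan02' -> 'alan' when the password ends in digits, else None."""
    m = re.fullmatch(r"(.*\D)(\d+)", password)
    return m.group(1).lower() if m else None

def password_problems(password, user_name, personal_words=(), previous=None):
    """Return the reminders from the list above that this password breaks (an empty
    list means it passes). personal_words holds family and pet names the user gave."""
    problems = []
    lowered = password.lower()
    for word in (user_name, *personal_words):
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains a personal name: {word}")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:  # assumption: "a mix" means at least three of the four classes
        problems.append("needs a mix of upper case, lower case, digits and special characters")
    if previous is not None:
        if password == previous:
            problems.append("same as the previous password")
        elif _stem(password) is not None and _stem(password) == _stem(previous):
            problems.append("previous password with the number incremented")
    return problems
```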

Creating Local User Accounts


You can use the Local Users and Groups tool in Computer Management
to create local user accounts on a nondomain controller, as the following
steps explain.

STEP BY STEP

CREATING A LOCAL USER ACCOUNT

1. From the desktop, right-click My Computer, and select Manage from the menu
that appears.
2. In the Computer Management dialog box, click the + next to Local Users and
Groups. Highlight the Users folder, and select Action ➪ New User.
3. The New User dialog box appears, as shown in Figure 9-1. Notice that by default
the new user must change his or her password when he or she first logs on.

FIGURE 9-1 Creating a new user

Enter the user name, the person’s full name (this entry is optional), description
(this could be a department, location, or job title — it is also optional) and
password (also optional). Confirm the password by retyping it.
Accept the default selection of “User must change password at next logon” if you
want the user to choose and enter a new password the first time the user logs on.
If you don’t want the user to change his or her password the first time the user
logs on, clear this check box.
If the “User must change password at next logon” check box is cleared, two
additional check boxes become available. Select the “User cannot change password”
check box if you — the network administrator — want to manage and assign user
passwords. Select the “Password never expires” check box if you are configuring
a user account for a Windows 2000 service to use when it logs on.
Select the check box next to “Account is disabled” if you are creating a user
template. (I’ll cover user templates in the section titled “Copying User Accounts” later
in this chapter.)
Click Create.
4. The New User dialog box reappears. Add additional users as necessary. When
you are finished adding users, click Close.
5. The new user(s) is created, and appears in the right pane of the Computer
Management dialog box.

Creating Domain User Accounts


To create domain user accounts in Active Directory, use Active Directory
Users and Computers, as explained in the following steps.

STEP BY STEP

CREATING A DOMAIN USER ACCOUNT

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪
Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain in which you want to create a domain user
account. Notice the Users folder in the domain tree. This folder is the default
container in which Windows 2000 places all users and many of the groups that it
automatically creates when Active Directory is installed.
If you have a relatively small organization, you may want to place your
administrator-created user accounts in the Users folder, too, so that you can easily locate
and administer all user accounts.
Or, if you have a large organization and use organizational units (OUs) to
administer groups of users, you can place each newly created user in the appropriate OU.
Highlight the Users folder or the OU in which you want to create a domain user
account, and select Action ➪ New ➪ User.
3. The New Object - User dialog box appears, as shown in Figure 9-2.

FIGURE 9-2 Creating a new domain user account

Enter the first name, middle initial, and last name of the new user in the
appropriate text boxes. Windows 2000 automatically displays the full name based on the
information you entered.
Enter a user logon name — this is the user name. Click Next.
4. The next New Object - User dialog box appears, as shown in Figure 9-3.

FIGURE 9-3 Configuring password options for a new domain user account

Enter the password for the new user account, and confirm the password by
retyping it. (Entering a password is optional.)
There are four check boxes that can be selected in this dialog box, none of which
are selected by default:
■ User must change password at next logon: Select this check box if you
want the user to choose and enter a new password the first time the user
logs on.
■ User cannot change password: Select this check box if you — the network
administrator — want to manage and assign user passwords.
■ Password never expires: Select this check box if you are configuring a
user account for a Windows 2000 service to use when it logs on.
■ Account is disabled: Select this check box if you are creating a user
template. (I’ll cover user templates in the section titled “Copying User Accounts”
later in this chapter.)
Make the appropriate configurations in this dialog box, and then click Next.
5. In the next New Object - User dialog box, click Finish.
6. Windows 2000 creates the new user account, and displays it in the right pane of
the Active Directory Users and Computers dialog box.

Using NET USER to Create User Accounts


You can also create user accounts by using a batch file or a script file in
conjunction with the NET USER command-line utility. Using a batch file
or a script file can be useful for automating the creation of user accounts,
but this method is not widely used by administrators because it’s typically
easier to use the Windows 2000 graphical tools to create user accounts.
You can use Notepad (or your favorite text editor) to create the batch
or script file. If you create a batch file, it should end with a .bat extension.
The NET USER command-line utility can also be used from the
command line to manually create user accounts. Figure 9-4 shows how the NET
USER command is used to create a new domain user account named AlanC
with a password of 1234Pass.
Windows 2000 places domain user accounts created by using the NET
USER command (either manually or by using a script) in the Users folder
in the domain to which the administrator creating the user account is
currently logged on.

FIGURE 9-4 Using NET USER to create a new user

The syntax for the NET USER command is fairly complex. To view this
command’s syntax, type net help user | more at the command prompt,
and press Enter.
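An added Python helper (not code from the book) that ties the naming conventions of Table 9-1, the duplicate handling for the two Mikes, and the user-name rules to the NET USER approach described above: it assigns names and writes the batch file lines. The /add, /domain and /fullname: switches are standard NET USER options that the book's figure does not show; the sample people and employee numbers are constructed.

```python
FORBIDDEN = set('"/\\[]:;|=,+*?<>')  # characters the naming rules do not allow
MAX_LEN = 20                          # Windows 2000 recognizes only the first 20

def valid_user_name(name):
    """1 to 20 characters, no forbidden characters, not made up only of spaces/periods."""
    if not 1 <= len(name) <= MAX_LEN or any(c in FORBIDDEN for c in name):
        return False
    return name.strip(" .") != ""

def scheme_name(first, last, employee_no, scheme):
    """Schemes A, B and C from Table 9-1."""
    if scheme == "A":   # first seven letters of first name + first letter of last name
        return first[:7] + last[:1]
    if scheme == "B":   # first letter of first name + first seven letters of last name
        return first[:1] + last[:7]
    if scheme == "C":   # initials + last four digits of the employee number
        return first[:1] + last[:1] + employee_no[-4:]
    raise ValueError("unknown scheme " + scheme)

def assign_names(people, scheme, existing=()):
    """Assign unique names in hire order. A clash is resolved the way the text does for
    scheme A (MikeS, then MikeSu); otherwise a counter is appended. `existing` holds
    user, group and computer names already in the account database."""
    taken = {n.lower() for n in existing}
    result = {}
    for first, last, emp in people:
        candidate, letters, counter = scheme_name(first, last, emp, scheme), 1, 1
        while candidate.lower() in taken:
            if scheme == "A" and letters < len(last):
                letters += 1
                candidate = first[:7] + last[:letters]
            else:
                counter += 1
                candidate = scheme_name(first, last, emp, scheme) + str(counter)
        if not valid_user_name(candidate):
            raise ValueError(f"cannot build a valid user name for {first} {last}")
        taken.add(candidate.lower())
        result[(first, last)] = candidate
    return result

def net_user_command(user_name, password, full_name):
    """One NET USER line for the batch file; /add, /domain and /fullname are NET USER
    switches (the book only shows the bare 'net user AlanC 1234Pass' form)."""
    if not valid_user_name(user_name):
        raise ValueError("invalid user name: " + user_name)
    return f'net user {user_name} {password} /add /domain /fullname:"{full_name}"'

def build_batch(people, scheme, password_for, existing=()):
    """Whole account-creation batch file; password_for(first, last) supplies each
    initial password. The file holds passwords, so store it where only admins read it."""
    names = assign_names(people, scheme, existing)
    lines = ["@echo off", "rem generated account-creation script"]
    for first, last, _ in people:
        user = names[(first, last)]
        lines.append(net_user_command(user, password_for(first, last), f"{first} {last}"))
    return "\n".join(lines) + "\n"

# Constructed sample input: the names from Table 9-1 plus the two Mikes from the text.
SAMPLE_PEOPLE = [("Nadine", "Smith", "115500"), ("Robert", "Jones", "841234"),
                 ("Jonathan", "Whitmore", "332266"), ("Mike", "Smith", "770001"),
                 ("Mike", "Sutherland", "770002")]

if __name__ == "__main__":
    print(build_batch(SAMPLE_PEOPLE, "A", lambda f, l: "<initial-password>"))
```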

Configuring and Managing User Account Properties

Once you create user accounts, you’ll need to configure them. The numerous
options that can be configured on user accounts are called user
account properties.
In order to fully configure local user accounts, you must be a member of
the Administrators group on the local computer. In order to fully
configure domain user accounts, you must be a member of the Administrators
group in the domain. Members of the Power Users group on the local
computer and members of the Account Operators group in the domain
can perform some, but not all, user configuration tasks.
Local user accounts have fewer configurable properties than domain
user accounts, as the next sections illustrate.

Configuring Local User Accounts


You can use the same tool to view and configure local user account
properties that you use to create local user accounts — the Local Users and
Groups tool in Computer Management.

EXAM TIP
Both the Professional and Server exams test implementing, configuring,
managing, and troubleshooting local user accounts. You should practice
creating and configuring local user accounts until you’ve mastered these
tasks.

STEP BY STEP

ACCESSING AND CONFIGURING A LOCAL USER ACCOUNT’S PROPERTIES

1. From the desktop, right-click My Computer, and select Manage from the menu
that appears.
2. In the Computer Management dialog box, click the + next to Local Users and
Groups. Highlight the Users folder. In the right pane, double-click the user
whose properties you want to configure. Or, you can right-click the user, and
select Properties from the menu that appears.
3. The user’s Properties dialog box appears. Configure the user’s properties as
necessary, and click OK.

The next several sections describe the tabs available in a local user account’s
Properties dialog box, and their many configurable options.

General On the General tab you can configure the local user’s full name,
description of the user account, and various password options, as shown in
Figure 9-5. Notice the check box next to “Account is locked out.”

FIGURE 9-5 Configuring a local user account’s general properties



Also notice that the “Account is locked out” check box is grayed out. If
the account has been locked out (due to too many unsuccessful logon
attempts), this check box will be checked. To unlock a locked account, you
need to clear this check box.

Member Of On the Member Of tab you can configure the local user’s
membership in the local groups on the local computer. Assigning users to
groups is an efficient way to manage permissions for multiple users. Click
Add to make the user account a member of a group, and click Remove to
remove the user account from a group. By default, all users are members of
the Users local group.

Profile The Profile tab is used to configure the local user’s environment.
On this tab you can specify a local or network path to the user’s Profile
folder. A user’s profile contains the user’s unique desktop settings, such as
screen color, screen saver, desktop icons, fonts, and so on. The default
location for a user’s profile is the C:\Documents and Settings\user_name
folder. If no path is entered on this tab, Windows 2000 uses the
default location. (I’ll cover managing user profiles in more detail later in
this chapter.)
On the Profile tab you can also specify a network or local path to the
user’s Home folder, and specify the name of the user’s logon script file, if a
logon script is used. A logon script is a batch file that is run each time a
user logs on. Logon scripts for local user accounts must be stored in the
SystemRoot\System32 folder. Logon scripts are commonly used to
automatically connect network drives and printers, and to install and
maintain certain types of software, such as the Systems Management Server
(SMS) client.

Dial-in On the Dial-in tab you can configure numerous dial-in properties
for the local user account. This tab is only available on Windows 2000
Server/Advanced Server computers. Figure 9-6 shows the Dial-in tab.

CROSS-REFERENCE
I’ll discuss configuring dial-in properties extensively when I cover remote
access in Chapter 17.

FIGURE 9-6 Configuring a local user account’s dial-in properties

Configuring Domain User Accounts

You use the same tool to view and configure domain user account properties that you use to create domain user accounts — Active Directory Users and Computers.

STEP BY STEP

ACCESSING AND CONFIGURING A DOMAIN USER ACCOUNT’S PROPERTIES

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, click the + next to the name of the domain that contains the user account you want to configure. Highlight the Users folder or the OU that contains the user account you want to configure. In the right pane, double-click the user account you want to configure. Or, you can right-click the user account, and select Properties from the menu that appears.
3. The user’s Properties dialog box appears. Configure the user’s properties as necessary, and click OK.

The next several sections describe the many tabs available in a domain
user account’s Properties dialog box, and their many configurable options.

General On the General tab you can configure the domain user’s name
and contact information, as shown in Figure 9-7.

FIGURE 9-7 Configuring a domain user account’s general properties

On this tab, you can change the user’s first name, last name, and display name. You can also add a description of the user account and the location of the user’s office. Finally, you can configure the user’s telephone number, e-mail address, and Web page address.

Address On the Address tab, you can configure detailed mailing and/or physical address information for the domain user. The configurable options on this tab are self-explanatory.

Account On the Account tab, you can configure the domain user’s logon
name, logon hours, computers the user can log on to, password and other
account options, and account expiration information, as shown in Figure
9-8. Notice the check box next to “Account is locked out.”

FIGURE 9-8 Configuring account properties for a domain user

Also notice that the “Account is locked out” check box is grayed out. If the account has been locked out (due to too many unsuccessful logon attempts), this check box will be checked. To unlock a locked account you need to clear this check box.
There are ten options you can select in the “Account options” section of this tab:
■ User must change password at next logon: Select this option if you want the user to choose a new password the next time the user logs on.
■ User cannot change password: Select this option if you want to manage the user’s password, rather than having the user choose his or her own password.
■ Password never expires: Select this option if you are configuring a user account for a Windows 2000 service to use when it logs on.
■ Store password using reversible encryption: Select this option if this user will be logging on to the domain from an Apple computer, because Apple computers use a different type of password encryption than Windows 2000 computers use.
■ Account is disabled: Select this option if the user account will be used as a user template.
■ Smart card is required for interactive logon: Select this option if you want to require the user to use a smart card and PIN in order to log on.
■ Account is trusted for delegation: Select this option if you want the user to be able to delegate administrative authority for a portion of the domain.
■ Account is sensitive and cannot be delegated: Select this option if you want to prevent administrative authority for this user account from being delegated.
■ Use DES encryption types for this account: Select this option if you want to use DES encryption for this account instead of standard Windows 2000 encryption.
■ Do not require Kerberos preauthentication: Select this option if the user will be logging on to the domain from a computer that uses an operating system other than Windows 2000, and this other operating system supports the Kerberos protocol but doesn’t support Kerberos preauthentication.
You can also set account expiration on the Account tab. There are two options on this tab: Never and “End of,” where you specify the exact date the user account will expire. Never is often selected when the user is a permanent employee of the company, or when the account is used by a Windows 2000 service when it logs on. “End of” is often selected for temporary employees or contractors, so they can no longer access the network when their term of employment or contract has expired. When you select “End of,” the user account expires at midnight on the date specified in the drop-down list box.
There are two other important configurations you can make on this tab:
■ Logon Hours
■ Log On To
Logon Hours specify the hours that a user is permitted to log on to the domain. Click Logon Hours to configure these hours. The Logon Hours for a specific user, AlanC, are shown in Figure 9-9. Notice that by default all hours are available for logon.

FIGURE 9-9 Configuring logon hours

It’s a common practice to prevent users from logging on during certain hours of the day, such as the hours when a backup is being performed. To modify the user’s logon hours, use your mouse to highlight the hours you don’t want the user to be able to log on, and select the Logon Denied option. Or, you can use your mouse to highlight the entire graph, select the Logon Denied option, highlight the hours you want the user to be able to log on, and then select the Logon Permitted option.
Restricting a user’s logon hours does not disconnect a user from a domain when the user’s logon hours expire. A logon hours restriction only prevents a user from logging on to the domain during the specified restricted hours. If you want to automatically log off all users (from the domain controller) when their logon time expires, you must enable this option in Local Policies – Security Options by using the Domain Security Policy tool. (I’ll cover using Domain Security Policy later in this chapter.)
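The account options, expiration date, and logon hours described above are stored in three Active Directory attributes: the check boxes are bits in userAccountControl, the expiration date is a FILETIME value in accountExpires, and Logon Hours is a 21-byte logonHours bitmask. The Python decoder below is an added example and not code from the book; the bit values follow Microsoft’s published userAccountControl flags, the logonHours bit ordering (least significant bit first, starting at Sunday 00:00 UTC) is taken from Microsoft’s documentation, the function names are my own, and the sample values are constructed. It is the kind of check a reviewer runs over exported account data to find accounts with reversible encryption, DES-only keys, or Kerberos preauthentication switched off.

```python
"""Decode the raw Active Directory attributes behind the Account tab.

Added example (not from the book): the check boxes are bits in the
userAccountControl attribute, the expiration date is a FILETIME in
accountExpires, and Logon Hours is the 21-byte logonHours bitmask.
The sample values at the bottom are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit values (Microsoft's documented UF_* / ADS_UF_* flags)
UAC_FLAGS = {
    0x0002: "Account is disabled",
    0x0010: "Account is locked out",          # computed for display; lockoutTime is authoritative
    0x0040: "User cannot change password",    # enforced by an ACE; the bit is informational
    0x0080: "Store password using reversible encryption",
    0x10000: "Password never expires",
    0x40000: "Smart card is required for interactive logon",
    0x80000: "Account is trusted for delegation",
    0x100000: "Account is sensitive and cannot be delegated",
    0x200000: "Use DES encryption types for this account",
    0x400000: "Do not require Kerberos preauthentication",
}

# Options an auditor normally wants flagged: each weakens credential protection
# or widens what a compromised account can be used for.
RISKY_FLAGS = {0x0080, 0x10000, 0x80000, 0x200000, 0x400000}

NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}       # both values mean "Never" in the GUI
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_uac(uac, pwd_last_set=None):
    """Return the option names set in a userAccountControl value.

    'User must change password at next logon' is not a UAC bit: the GUI sets
    pwdLastSet to 0 instead, so it is reported from that attribute.
    """
    names = [name for bit, name in UAC_FLAGS.items() if uac & bit]
    if pwd_last_set == 0:
        names.insert(0, "User must change password at next logon")
    return names


def risky_options(uac):
    """Subset of the set options that deserve review in an audit."""
    return [UAC_FLAGS[bit] for bit in sorted(RISKY_FLAGS) if uac & bit]


def account_expires_to_datetime(value):
    """Convert accountExpires (100-ns ticks since 1601-01-01 UTC) to a datetime.

    Returns None for the two values the directory uses for 'Never'.
    """
    if value in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def logon_allowed(logon_hours, weekday, hour):
    """True if the user may log on during the given hour (weekday 0=Sunday, UTC).

    logonHours is 21 bytes = 168 bits, one per hour of the week, least
    significant bit first within each byte. A missing attribute means no
    restriction, which is the default shown in the book's Figure 9-9.
    """
    if logon_hours is None:
        return True
    if len(logon_hours) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    index = weekday * 24 + hour
    return bool((logon_hours[index // 8] >> (index % 8)) & 1)


def denied_hours(logon_hours):
    """List the (weekday, hour) pairs in which logon is denied."""
    return [(d, h) for d in range(7) for h in range(24)
            if not logon_allowed(logon_hours, d, h)]


if __name__ == "__main__":
    # Constructed sample: a normal account (0x200) that is disabled, has a
    # non-expiring password, and does not require Kerberos preauthentication.
    sample_uac = 0x200 | 0x0002 | 0x10000 | 0x400000
    print(decode_uac(sample_uac, pwd_last_set=0))
    print("review:", risky_options(sample_uac))
    # 125911584000000000 is 2000-01-01 00:00 UTC expressed as a FILETIME.
    print(account_expires_to_datetime(125911584000000000))
    # Deny Sunday 00:00-08:00 UTC by clearing the first byte of an all-ones mask.
    mask = bytes([0x00]) + bytes([0xFF] * 20)
    print(denied_hours(mask)[:3], logon_allowed(mask, 0, 8))
```

Two caveats the decoder encodes as comments: the lockout bit is only computed for display, so lockoutTime is the attribute to trust, and "User cannot change password" is really an access-control entry on the object rather than a flag, which is why a raw dump of userAccountControl can disagree with the check box.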
The Log On To command button enables you to specify which computers a user is permitted to log on to. Click Log On To to specify these workstations. The Logon Workstations dialog box is shown in Figure 9-10. Notice that by default the user is permitted to log on to all computers.
If you want to specify which computers a user can log on to, select “The following computers” option, then click Add to add specific computers to a list.

FIGURE 9-10 Specifying the workstations a user can log on to

TIP
The Logon Workstations feature requires the NetBIOS protocol, and is
primarily designed to restrict access to non-Windows 2000 computers
that rely on NetBIOS. If you have removed NetBIOS from your Windows
2000 client computers, this feature won’t work correctly.

Profile The Profile tab is used to configure the domain user’s environment. On this tab you can specify a local or network path to the user’s Profile folder. The default location for a user’s profile is the C:\Documents and Settings\user_name folder on the computer the user logs on to. If no path is entered on this tab, Windows 2000 uses the default location. (I’ll cover managing user profiles in more detail later in this chapter.)
On the Profile tab you can also specify a network or local path to the user’s Home folder, and specify the name of the user’s logon script file, if a logon script is used. Logon scripts for domain user accounts must be stored in the NETLOGON share on a domain controller. By default, the NETLOGON share is located in the SystemRoot\SYSVOL\sysvol\domain_name\SCRIPTS folder on each domain controller in the domain. Windows 2000 automatically replicates all information in the SYSVOL folder, including the NETLOGON share, to all domain controllers in the domain.

Telephones On the Telephones tab, you can specify detailed telephone information for the domain user, including home number, pager number, mobile number, fax number, and so on. The configurable options on this tab are self-explanatory.

Organization On the Organization tab, you can specify detailed personnel information for the domain user, including the user’s title, department, company, manager’s name, and so on. The configurable options on this tab are self-explanatory.

Published Certificates On the Published Certificates tab, you can add or remove X.509 (Internet) certificates that have been issued to the domain user.

CROSS-REFERENCE
I’ll cover Certificate Services in Chapter 18.

This tab is only present after you select View ➪ Advanced Features in
the Active Directory Users and Computers dialog box.

Member Of On the Member Of tab you can configure the user’s membership in groups in the domain. Click Add to make the domain user account a member of a group in the user’s domain, and click Remove to remove the user account from a group in the user’s domain. By default, all domain users are members of the Domain Users global group.
The Member Of tab also has an option to set a primary group for the user account. Windows 2000 doesn’t require the use of primary groups, but users of Apple computers who access files on a Windows 2000 Server computer and users of Windows 2000 computers who run POSIX-compliant applications do require certain file ownership and permissions settings that a primary group provides. The default primary group is the Domain Users global group.

Dial-in On the Dial-in tab you can configure numerous dial-in properties for the domain user account. This Dial-in tab is identical to the Dial-in tab for a local user account, which was shown in Figure 9-6.

CROSS-REFERENCE
I’ll discuss configuring dial-in properties extensively when I cover remote
access in Chapter 17.

Object On the Object tab you can view limited information about the
domain user account object, including the object’s class, the date the user
account was created, the date the user account was last modified, and so
on. No configurations are possible on this tab. In addition, this tab is only
present after you select View ➪ Advanced Features in the Active Directory
Users and Computers dialog box.

Security On the Security tab you can specify the users and groups that are
permitted to view or modify the properties of the domain user account.
This tab is only present after you select View ➪ Advanced Features in the
Active Directory Users and Computers dialog box.
The Security tab is shown in Figure 9-11. Notice the “Allow” and
“Deny” check boxes for the various permissions listed.

FIGURE 9-11 The Security tab

In the Name box, users and groups that have some sort of permission to view or modify one or more properties of this user are listed. You can use the Add and Remove command buttons to add and remove users and groups to and from the Name box.

You can set permissions on any user or group for this user by highlighting the user or group in the Name box and then selecting permissions in the Permissions box.

CROSS-REFERENCE
Setting permissions is covered extensively in the “Setting Permissions on
Active Directory Objects” section in Chapter 8.

Environment, Sessions, Remote Control, and Terminal Services Profile On these four tabs you can configure various options for this domain user when the user logs on to and uses a Terminal Services session.

CROSS-REFERENCE
I’ll discuss Terminal Services (and the settings on these tabs) in
Chapter 20.

Using Users and Passwords to Manage User Accounts

On Windows 2000 Professional computers, there is an additional tool you can use to manage local and domain user accounts — it’s called Users and Passwords, and it’s a Control Panel application. To use Users and Passwords, you must be a member of the Administrators group on the local computer.
The Users and Passwords application enables you to manage users and passwords for the local computer. In this application you can grant or deny local (or domain) users access to the local computer, change passwords, manage certificates, access the Local Users and Groups tool in Computer Management, and configure whether local users are required to press Ctrl+Alt+Delete before logging on.
To start Users and Passwords on your Windows 2000 Professional computer, select Start ➪ Settings ➪ Control Panel, then double-click Users and Passwords. Figure 9-12 shows the Users and Passwords dialog box. Notice the list of users who are currently permitted to access this computer.
Also notice the three columns in the “Users for this computer” box: User Name, Domain, and Group. User Name is the user account name of each user who is permitted to access this computer. Domain refers to the location of the user account named in the first column, and it will be either the name of the local Windows 2000 Professional computer or the name of a Windows 2000 domain. (The Domain column only appears on Windows 2000 Professional computers that are members of a domain.)

Group is the name of the local group on the Windows 2000 Professional
computer to which the user named in the first column belongs.
Click Add to add an existing user to the “Users for this computer” box.

FIGURE 9-12 Users and Passwords

TIP
You can’t use the Add command button to create new users.

Click Remove to remove a user from the “Users for this computer”
box. If you highlight a local user in the “Users for this computer” box and
click Remove, the user is deleted. If you highlight a domain user in the
“Users for this computer” box and click Remove, the domain user is not
deleted, but is denied access to this computer and is removed from the
“Users for this computer” box.
To view or modify a user’s properties or group memberships, highlight
the user in the “Users for this computer” box and click Properties. If the
user you highlighted is a local user, you can configure the user’s name, full
name, description, and group membership. For domain users, you can only
configure group membership. The Group Membership tab is shown in
Figure 9-13. Notice the three options in this dialog box.

FIGURE 9-13 Configuring group membership

On the Group Membership tab you can make the highlighted user a member of any group on the local computer. The options you can select from are:
■ Standard user: Select this option if you want to make the user a member of the Power Users Group on the local computer. Members of this group can modify the computer and install programs, but can’t read other users’ files. This is the recommended setting for most environments.
■ Restricted user: Select this option if you want to make the user a member of the Users Group on the local computer. Members of this group can log on to and use the local computer, can modify and save their own documents, but can’t install programs or modify computer system settings. This is the recommended setting for high-security environments.
■ Other: Select this option if you want to make the user a member of any other group on the local computer, such as Administrators, Backup Operators, and so on.
You can also use Users and Passwords to change the password for any local user listed in the “Users for this computer” box. To change a password, highlight the local user in the “Users for this computer” box, click Set Password, type in (and confirm) the new user password in the Set Password dialog box, and then click OK.
On the Advanced tab in the Users and Passwords dialog box you can
manage certificates, access the Local Users and Groups tool in Computer
Management, and configure whether local users are required to press
Ctrl+Alt+Delete before logging on.

Copying User Accounts

Sometimes the easiest way to create a new user account is to copy an existing user account. There are basically two ways to accomplish this:
■ You can copy any existing user account that has properties and group memberships that are similar to the desired properties and group memberships for the new user account.
■ You can create a new user account that will be used as a template to create multiple user accounts with the same set of account properties and group memberships.

TIP
Only domain user accounts can be copied — local user accounts can’t be
copied.

For example, suppose that you want to create a domain user account to be used by an employee who will administer the network. You want this user account to have all of the capabilities of the Administrator account, so you decide to copy the Administrator account. When a user account is copied, all properties of the user account, including its group memberships, are copied to the new user account with the exception of the user name, full name, password, logon hours, address and telephone information, organization information, the “Account is disabled” option, and user rights and permissions.
You can use Active Directory Users and Computers to copy user accounts.

STEP BY STEP

COPYING A USER ACCOUNT

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain that contains the user account you want to
copy. Highlight the Users folder or OU that contains this user. In the right pane
of the dialog box, right-click the name of the user you want to copy, and select
Copy from the menu that appears.
3. In the Copy Object - User dialog box, fill in the requested information for the new
user account that is being created by copying an existing user account. Enter the
new user’s first name, middle initial, last name, and user logon name. Click Next.
4. In the next Copy Object - User dialog box, enter the password for the new user
account, and confirm the password by retyping it. (Entering a password is
optional.) Select one or more appropriate password configuration options, then
click Next.
5. In the next Copy Object - User dialog box, click Finish.
6. Windows 2000 creates the new user account, and displays it in the right pane of
the Active Directory Users and Computers dialog box.

Suppose, instead, that you are setting up a new network and need to create multiple new user accounts for the accountants at a large CPA firm. All of the accountants at this firm have similar network access needs, and their user accounts will have substantially similar properties and group memberships. You can create a new user account, named Acct_Template, to use as a template to create these new user accounts.
To create a new user account that will be used as a template, follow the steps presented earlier in this chapter under “Creating a domain user account.” When you create the new user account, assign the user account a name that indicates the type of user account this template will be used to create, such as Acct_Template for the accountants in the previous example. Configure the template user account’s properties and group memberships to match the requirements of the user accounts you will create using this template.

TIP
When you create a user account to be used as a template, I recommend
that you select the “Account is disabled” check box on the Account tab
so that no one can log on using this account.

To use a template, copy it to create a new user account. All properties and group memberships of the template user account are copied to the new user account with the exception of the user name, full name, password, logon hours, address and telephone information, organization information, the “Account is disabled” option, and user rights and permissions.

Renaming and Deleting User Accounts

Occasionally you may want to rename or delete a user account.
Renaming a user account doesn’t affect any of the user account’s properties, except for its name. The user account, after it is renamed, retains all of its properties, including group memberships, permissions, and user rights. You might want to rename a user account when a new staff member replaces an employee who has left the company.
You can rename both local and domain user accounts, as the following steps explain.

STEP BY STEP

RENAMING A LOCAL USER ACCOUNT

1. From the desktop, right-click My Computer, and select Manage from the menu
that appears.
2. In the Computer Management dialog box, click the + next to Local Users and
Groups. Highlight the Users folder. In the right pane, right-click the user account
you want to rename, and select Rename from the menu that appears.
3. Type in a new name for the user account, and press Enter. The user account is
renamed.

RENAMING A DOMAIN USER ACCOUNT

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.)

2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain that contains the user account you want to
rename. Highlight the Users folder or OU that contains this user account. In the
right pane of the dialog box, right-click the name of the user you want to rename,
and select Rename from the menu that appears.
3. Type in a new name for the user account, and press Enter.
4. The Rename User dialog box appears. Fill in the requested information, including
the user’s first name, last name, and user logon name. (This is the information
about the user who will use this user account from this point on.) Click OK. The
user account is renamed.

Deleting a user account is just what it sounds like — the user account is permanently removed, and all of its group memberships, permissions, and user rights are lost. Normally you would only delete a user account when you never plan to use the account again.
When you delete a user account, the SID associated with the account is marked as deleted. If you later create a new account with the same name, a new SID will be associated with the account. For this reason, the new account won’t have the same privileges as the old, deleted account.
The two built-in accounts, Administrator and Guest, can’t be deleted, although they can be renamed.
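The reason a recreated account does not get its old access back is that permissions are stored against the account’s SID rather than its name, and the relative identifier (RID) at the end of the SID is never reissued once an account is deleted. The same mechanism is why renaming Administrator changes nothing about its access: its RID is always 500 (Guest is 501), so it remains recognisable by SID whatever it is called. The Python model below is an added example and not code from the book; the domain SID, account names, and permissions it uses are constructed, and the class and function names are my own.

```python
"""SIDs behind renamed and deleted accounts.

Added example (not from the book). Windows identifies an account by its SID,
not its name: a renamed account keeps its SID and every permission granted to
it, while a deleted-and-recreated account gets a fresh RID and none of the old
permissions. The domain SID and ACL below are constructed sample values.
"""
import re

SID_PATTERN = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known relative identifiers (RIDs) of the two built-in accounts.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def parse_sid(sid):
    """Split a textual SID into (revision, identifier_authority, [sub_authorities])."""
    match = SID_PATTERN.match(sid)
    if not match:
        raise ValueError(f"not a valid SID: {sid!r}")
    revision, authority, subs = match.groups()
    sub_authorities = [int(s) for s in subs.strip("-").split("-")]
    return int(revision), int(authority), sub_authorities


def rid_of(sid):
    """The last sub-authority is the RID that names the account within its domain."""
    return parse_sid(sid)[2][-1]


def built_in_name(sid):
    """Original name of a built-in account, even if it has since been renamed."""
    return WELL_KNOWN_RIDS.get(rid_of(sid))


class Domain:
    """Minimal model of how a domain hands out SIDs and resolves permissions."""

    def __init__(self, domain_sid):
        self.domain_sid = domain_sid
        self.next_rid = 1000          # RIDs below 1000 are reserved for built-ins
        self.accounts = {}            # account name -> SID
        self.deleted = set()          # SIDs that are never reissued
        self.acl = {}                 # SID -> permission (ACEs are keyed by SID)

    def create(self, name):
        sid = f"{self.domain_sid}-{self.next_rid}"
        self.next_rid += 1
        self.accounts[name] = sid
        return sid

    def rename(self, old, new):
        self.accounts[new] = self.accounts.pop(old)   # the SID is unchanged

    def delete(self, name):
        if rid_of(self.accounts[name]) in WELL_KNOWN_RIDS:
            raise PermissionError(f"{name} is a built-in account and cannot be deleted")
        self.deleted.add(self.accounts.pop(name))

    def grant(self, name, permission):
        self.acl[self.accounts[name]] = permission

    def permission_for(self, name):
        return self.acl.get(self.accounts[name])      # None when the SID is unknown


def demo():
    """Rename, delete and recreate an account; report what each step resolved to."""
    dom = Domain("S-1-5-21-1111-2222-3333")           # constructed domain SID
    dom.accounts["Administrator"] = f"{dom.domain_sid}-500"
    dom.create("alanc")
    dom.grant("alanc", "Full Control")
    dom.rename("alanc", "newhire")                    # keeps SID and permission
    after_rename = dom.permission_for("newhire")
    dom.delete("newhire")
    dom.create("newhire")                             # same name, new RID
    after_recreate = dom.permission_for("newhire")
    dom.rename("Administrator", "root")               # RID 500 still identifies it
    return {
        "after_rename": after_rename,
        "after_recreate": after_recreate,
        "renamed_admin_is": built_in_name(dom.accounts["root"]),
    }
```

The model is deliberately small, but the two behaviours it shows are the ones to remember when reading an ACL: an unresolvable SID in a permissions list is usually a deleted account, and a RID of 500 identifies the built-in Administrator regardless of its current display name.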
You can delete both local and domain user accounts, as the following
steps explain.

STEP BY STEP

DELETING A LOCAL USER ACCOUNT

1. From the desktop, right-click My Computer, and select Manage from the menu
that appears.
2. In the Computer Management dialog box, click the + next to Local Users and
Groups. Highlight the Users folder. In the right pane, right-click the user account
you want to delete, and select Delete from the menu that appears.
3. A dialog box appears, asking if you’re sure you want to delete the user account.
Click Yes to delete the user account. The user account is deleted.

DELETING A DOMAIN USER ACCOUNT

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain that contains the user account you want to
delete. Highlight the Users folder or OU that contains this user account. In the
right pane of the dialog box, right-click the name of the user you want to delete,
and select Delete from the menu that appears.
3. A dialog box appears, asking if you’re sure you want to delete the user account
object. Click Yes to delete the user account. The user account is deleted.

Managing User Profiles

A user profile is a folder that contains a collection of settings and options that specify a user’s desktop and all other user-definable settings for a user’s work environment. Both users and administrators can benefit from user profiles.
Benefits to users include:
■ When a user logs on, the same desktop is displayed as when the user last logged off. This is because when a user makes changes to his or her desktop or work environment during the time the user is logged on, these settings are saved to the user’s profile folder at logoff.
■ When a computer has more than one user, a customized desktop is
displayed for each user at logon.
■ Roaming user profiles can be saved on a Windows 2000 Server
computer, and thereby apply to a user no matter which Windows
2000 computer on the network the user logs on at.
Benefits to administrators include:
■ Administrators can develop and assign user profiles that are customized, so each user has a desktop and work environment that complies with established company standards, and can assign user profiles that are suitable for the tasks that each user needs to perform.

■ If desired or necessary, administrators can forcibly prevent certain users from permanently changing any of their desktop or work environment settings by assigning them mandatory user profiles.
■ User profiles make it possible for administrators to assign common
program items and shortcuts to all users by customizing the All
Users profile folder.

EXAM TIP
User profiles cover a lot of ground, and are tested on both the
Professional and Server exams. Every heading in this section is fair game,
so spend as much time as it takes for you to be comfortable with all of
the nuances of user profiles.

In the following sections I’ll discuss the contents of a user profile, how a
user profile is created, customizing the local and domain-wide Default
User profile folder, customizing the All Users profile folder, roaming
and mandatory user profiles, and deleting user profiles.

Contents of a User Profile

Various settings are saved in a user profile. The contents of a user profile include:
■ All user-specific settings for Windows Explorer, Notepad, Paint,
HyperTerminal, Clock, Calculator, and other built-in Windows
2000 applications
■ User-specific desktop settings, including screen saver, background
color, background pattern, wallpaper, and other display settings
■ User-specific settings for applications written to run on Windows
2000
■ User-specific settings for network drive and printer connections
■ User-specific settings for the Start menu, including program groups,
applications, and recently accessed documents
The default location for a user’s profile is the C:\Documents and
Settings\user_name folder on the Windows 2000 computer the user
logs on to. Each user’s profile is stored in a separate folder named after the
user’s account. For example, the Administrator’s user profile is stored in the
C:\Documents and Settings\Administrator folder. Figure 9-14
shows, in Windows Explorer, the location and contents of the Administrator’s
profile folder.

TIP
All user profiles have virtually the same contents as those shown for the
Administrator.

FIGURE 9-14 Contents of the Administrator’s profile folder

Note in Figure 9-14 that there are several subfolders and files contained in the Administrator’s profile folder. Table 9-2 lists and describes each of these folders and files. All users’ profile folders (not just the Administrator’s) contain the folders and files listed in Table 9-2.
TABLE 9-2 Windows 2000 User Profile Folder Contents

Folder or File: Description

Application Data: This folder contains any user-specific application data that an application vendor has chosen to store in it. For example, a word processing application could store the user’s custom dictionary in this subfolder.
Cookies: This folder contains cookies, which are files stored on the user’s computer that provide customization of Internet or intranet Web sites.
Desktop: This folder contains all shortcuts, files, and folders stored on the user’s desktop.
Favorites: This folder contains shortcuts from the user’s Favorites folder in various applications. For example, when you add an Internet site to your Favorites folder in Internet Explorer, a shortcut to that site is created in this folder.
FrontPageTempDir: This folder is only present in user profiles located on Windows 2000 Server computers. This folder contains temporary files created by using Microsoft FrontPage.
Local Settings: This folder contains several folders commonly used by Internet Explorer (and other Internet applications), including Application Data, History, Temp, and Temporary Internet Files.
My Documents: This folder contains user-created documents. It is the default location for saving user-created documents in most applications.
NetHood: This folder contains any shortcuts a user has created to network servers or shared folders. These shortcuts are displayed in the My Network Places dialog box.
PrintHood: This folder can contain shortcuts to network printers. These shortcuts are displayed in the Printers dialog box.
Recent: This folder contains shortcuts to document files the user has recently accessed. These shortcuts can be displayed by selecting Start ➪ Documents.
SendTo: This folder contains shortcuts to folders, briefcases, mail, the computer’s floppy drive, My Documents, and so on. These shortcuts are displayed when a user right-clicks any file or folder, and then selects Send To from the menu that appears.
Start Menu: This folder contains the Programs folder from a user’s Start menu, and any additional shortcuts to programs that the user has created in the Start Menu folder or any of its subfolders. These shortcuts are displayed in the Start menu, or in the Programs folder in the Start menu, depending on where the shortcut was created.
Templates: This folder contains application templates.
NTUSER.DAT: This file contains all of the registry settings that are specific to a user account. When a user logs on, the settings in this file are copied to the HKEY_CURRENT_USER registry settings on the local computer.
ntuser.dat.LOG: This file is used by Windows 2000 to recover the user’s original NTUSER.DAT file if an error occurs while updating the NTUSER.DAT file.
ntuser.ini: This file contains settings that determine the components of a user’s roaming user profile that are not copied to the server each time the user logs off.

Understanding How a User Profile Is Created

When a user logs on to a Windows 2000 computer, Windows 2000 checks to see if a user profile for that user exists on the local computer. If a user profile exists on the local computer, Windows 2000 uses the existing user profile. If no profile exists, Windows 2000 automatically creates a new user profile for the user and stores that profile on the local computer.
Windows 2000 implements user profiles on a computer-by-computer (and user-by-user) basis. This means that each time a domain user logs on to a different Windows 2000 computer, a new user profile is created for that user and stored on that computer. If a domain user routinely logs on to five different Windows 2000 computers, that user has five different user profiles, one stored on each of the five computers.
In general, then, administrators don’t need to create user profiles for users because Windows 2000 automatically creates a user profile for each user of every Windows 2000 computer. Administrators can, however, manually assign a roaming or mandatory user profile to a user — I’ll cover these topics a bit later in this chapter.
You may be wondering how Windows 2000 actually creates user profiles. To some extent, the process depends on whether the user is logging on by using a local user account or a domain user account:
■ If no user profile exists when a local user logs on, Windows 2000 creates a new user profile for the user by copying the entire contents of the local Default User profile folder to a new folder on the local computer named after the user’s account.
■ If no user profile exists when a domain user logs on, Windows 2000 checks to see whether a domain-wide Default User profile folder exists in the NETLOGON share on the domain controller that authenticated the logon. If it finds one, it copies the entire contents of that folder to a new folder on the local computer named after the user’s account. If it doesn’t find one, it copies the entire contents of the local Default User profile folder to a new folder on the local computer named after the user’s account.
By default, Windows 2000 stores a user’s profile in the C:\Documents and Settings\user_name folder on the computer the user logs on to. (On a computer that was upgraded from Windows NT 4.0, profiles stay where NT kept them, in the SystemRoot\Profiles folder.) If a folder with that name already exists, for example because a local account and a domain account share the same name, Windows 2000 names the new folder user_name.domain_name instead of sharing the existing folder.
Chapter 9 ▼ Managing Users and Groups 587

When Windows 2000 creates a new user profile, the new user’s initial user profile is an exact copy of either the local or domain-wide Default User profile folder (depending on the folder Windows 2000 copied to create the new user profile).
The Default User profile folder can be customized by the Administrator, as I’ll explain in the next section.

Customizing the Local Default User Profile Folder


Administrators can customize the local Default User profile folder on
an individual Windows 2000 computer so that new users of this computer,
at first logon, have the appropriate desktop and work environment settings.
For example, you might want to place a shortcut to a network application
on the desktop of all new users. Or, you might want to add a shortcut that
will appear in the Start menu for all new users of this computer.

TIP
Remember that the Default User profile folder only affects first-time users of this computer; previous users already have individual user profile folders.

To customize the local Default User profile folder on a Windows 2000 computer, an Administrator can either copy an existing user profile to the local Default User profile folder, or create shortcuts in the local Default User profile subfolders.
The System application in Control Panel is used to copy user profiles.

TIP
You can’t use Windows Explorer to copy user profiles. You can only copy
user profiles by using the System application in Control Panel.

STEP BY STEP

COPYING A USER PROFILE

1. Select Start ➪ Settings ➪ Control Panel. Then double-click the System icon. (Or,
from the desktop, right-click My Computer, and select Properties from the menu
that appears.)
2. In the System Properties dialog box, click the User Profiles tab.
3. The User Profiles tab appears, as shown in Figure 9-15. Highlight the existing
user profile that you want to copy. Click Copy To.

FIGURE 9-15 Copying a user profile

4. In the Copy To dialog box, type the full path of the location to which you want
to copy the user profile. (This could be C:\Documents and Settings\
Default User if you are copying an existing profile to replace the current local
Default User profile folder.) Figure 9-16 shows the Copy To dialog box after it
has been configured. Notice which user is permitted to use the copied user profile.

FIGURE 9-16 Specifying the destination for the copied user profile

To specify the user(s) who will be permitted to use the copied user profile, click
Change.

5. In the Select User or Group dialog box, select the user or group that you want to
permit to use the copied user profile. (If you’re copying a user profile to customize
a Default User profile folder, you might want to select the Everyone group.)
Click OK.
6. The Copy To dialog box reappears, with the user or group you selected in Step 5
displayed in the “Permitted to use” section of the dialog box. Click OK.
7. If the destination location you selected in Step 4 already exists (such as the location of an existing user or Default User profile folder), a Confirm Copy dialog box appears, notifying you that the current contents of the destination folder will be deleted during this operation. Click Yes to copy the user profile to the new location and to overwrite the existing contents.
8. In the System Properties dialog box, click OK.

CREATING SHORTCUTS IN THE DEFAULT USER PROFILE SUBFOLDERS

1. Select Start ➪ Programs ➪ Accessories ➪ Windows Explorer.


2. In the left pane, click the + next to My Computer. Click the + next to Local Disk
(C:). Click the + next to Documents and Settings. Click the + next to Default User.
Figure 9-17 shows the Default User profile folder in Windows Explorer.

FIGURE 9-17 The Default User profile folder



3. In the left pane, highlight the subfolder of the Default User profile folder in
which you want to create a shortcut. Select File ➪ New ➪ Shortcut.
4. In the Create Shortcut dialog box, type the full path to the application. If you don’t
know the full path to the application, you can browse for it. Click Next.
5. In the Select a Title for the Program dialog box, type the name of the shortcut the
way you want it to appear on the user’s desktop. Click Finish.
6. Repeat Steps 3 through 5 until you have created all the shortcuts you want in the
Default User profile folder. Close Windows Explorer.

Creating and Customizing a Domain-wide Default User Profile Folder
In addition to (or instead of) customizing the local Default User profile folder on a Windows 2000 computer, you can create a domain-wide Default User profile folder for all Windows 2000 computers in a domain.
While changes to the local Default User profile folder on a Windows 2000 computer affect only first-time users who log on to the local computer, the domain-wide Default User profile folder affects all domain users the first time they log on to any Windows 2000 computer in the domain.
Windows 2000 doesn’t automatically create a domain-wide Default User profile folder; you must manually create it.
To create a domain-wide Default User profile folder, first customize any existing user profile or Default User profile folder on any Windows 2000 computer in the domain so that it has the settings and shortcuts you want the new domain-wide Default User profile folder to have. Then use the System application in Control Panel to copy the customized profile folder to the NETLOGON share on any domain controller in the domain.

TIP
In order for the new domain-wide Default User profile folder to work
correctly, you must name the copied folder Default User, and you
must configure the copied folder so the Everyone group is permitted to
use it.

By default, the NETLOGON share is located in the SystemRoot\SYSVOL\sysvol\domain_name\SCRIPTS folder on each domain controller in the domain. Because the NETLOGON share is located in a subfolder of the \SYSVOL folder, the File Replication Service automatically replicates the domain-wide Default User profile folder to all other domain controllers in the domain. Keep this folder small: everything in it is replicated to every domain controller and copied to every computer on which a domain user logs on for the first time.

Customizing the All Users Profile Folder


The All Users profile folder is a subfolder of the Documents and
Settings folder on all Windows 2000 computers.The All Users profile
folder contains seven subfolders, as shown in Figure 9-18.

FIGURE 9-18 The All Users profile folder

The purpose of the All Users profile folder is to enable an Administrator to create shortcuts and install applications that he or she wants to make available to all (not just first-time) users of a Windows 2000 computer.
Whenever a user logs on to a Windows 2000 computer, any files, shortcuts, or applications placed in any of the subfolders in the All Users profile folder will appear on the user’s desktop, Start menu, or other appropriate location. Only members of the Administrators group on the local computer can customize the All Users profile folder.
The All Users profile folder must be managed on a computer-by-computer basis. There is currently no method to create a domain-wide All Users profile folder on a server. This means the Administrator must customize the All Users profile folder on each individual Windows 2000 computer.
To customize the All Users profile folder, follow the same steps you would use to customize the local Default User profile folder, except select the All Users profile folder in Windows Explorer instead of the Default User profile folder.

Roaming User Profiles


Roaming user profiles are user profiles that are stored on a Windows 2000
Server computer. Because these profiles are stored on a server instead of on
the local computer, they are available to users regardless of which Windows
2000 computer on the network they log on to.
The benefit of using roaming user profiles is that users retain their own
customized desktop and work environment settings even though they may
use several different Windows 2000 computers.
Roaming user profiles are implemented by first creating a shared folder
on a Windows 2000 Server computer, and then assigning a server-based
user profile path to a user account.

STEP BY STEP

PART 1: CREATING A SHARED FOLDER ON A SERVER

1. Choose a Windows 2000 Server computer on your network on which to store roaming user profiles. (This is often a domain controller.)
2. Create a shared folder on the server. To do this, select Start ➪ Programs ➪
Accessories ➪ Windows Explorer.
3. In the left pane, click the + next to My Computer. Highlight one of the drives on
the server. (This drive must have enough free space to contain your roaming user
profiles.) Select File ➪ New ➪ Folder.
4. Type in a name for the new folder and press Enter. (I recommend you use the name Profiles.) Right-click the newly created folder, and select Sharing from the menu that appears.
5. In the new folder’s Properties dialog box, select the “Share this folder” option. Accept the default share name and click OK. The default share permissions in Windows 2000 give Everyone Full Control. Each user must be able to create his or her own subfolder under this share, so control access with NTFS permissions on the folder rather than by tightening the share permissions below Change for those users. When Windows 2000 creates a user’s roaming profile folder under the share, it grants Full Control to that user and to SYSTEM only, so other users (and, by default, administrators) cannot browse it.
6. Close Windows Explorer.

At this point you’ve created a shared folder on the server. Now you must assign
a server-based user profile path to each user you want to assign a roaming user
profile. Use the steps in Part 2 to assign a server-based user profile path to a
domain user account. Use the steps in Part 3 to assign a server-based user pro-
file path to a local user account.

PART 2: ASSIGNING A SERVER-BASED USER PROFILE PATH TO A DOMAIN USER ACCOUNT

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, click the +
next to the name of the domain that contains the user account for which you want to
configure a roaming user profile. Highlight the Users folder or the OU that contains
the desired user account. In the right pane, double-click the user account. Or, you
can right-click the user account, and select Properties from the menu that appears.
3. The user’s Properties dialog box appears. Click the Profile tab.
4. The Profile tab appears. In the “Profile path” text box, type in the complete path to the shared folder you created in Part 1, and append the user’s name to the end of this path. (For example, on a server named SERVER01, you might use the path \\SERVER01\Profiles\BillT. You can also type %username% in place of the user’s name; Windows 2000 substitutes the account name when you click OK.) Figure 9-19 shows the Profile tab after it has been configured with a server profile path. Click OK.

FIGURE 9-19 Assigning a server-based user profile path



5. Close Active Directory Users and Computers.

PART 3: ASSIGNING A SERVER-BASED USER PROFILE PATH TO A LOCAL USER ACCOUNT

1. From the desktop, right-click My Computer, and select Manage from the menu
that appears.
2. In the Computer Management dialog box, click the + next to Local Users and
Groups. Highlight the Users folder. In the right pane, double-click the user for
whom you want to configure a roaming user profile. Or, you can right-click the
user, and select Properties from the menu that appears.
3. The user’s Properties dialog box appears. Click the Profile tab.
4. The Profile tab appears. In the “Profile path” text box, type in the complete path to
the shared folder you created in Part 1, and append the user’s name to the end of
this path. (For example, on a server named SERVER02, you might use the path
\\SERVER02\Profiles\JulieC.) Click OK.
5. Close the Computer Management dialog box.

At this point, all you’ve done is assign a location for the user’s roaming
user profile. Now the user must log on and log off to create a roaming user
profile on the server.When the user logs off, the user’s local user profile is
saved to the server and then becomes the user’s roaming user profile.The
roaming user profile is then available to the user from any Windows 2000
computer to which the user logs on. From this point on, every time the
user logs off, the user’s roaming user profile will be updated with any
changes the user has made during the time the user was logged on.
Both new and existing users can be assigned roaming user profiles.You
can also preconfigure a new or existing user’s roaming user profile so that
the next time the user logs on, the properties of the preconfigured server-
based roaming user profile are applied to the user.The advantage of using
preconfigured roaming user profiles is that the Administrator can provide
users with all of the shortcuts and program items users need to perform
their day-to-day tasks.
To preconfigure a user’s roaming user profile, assign a server-based profile path to a user account, and then copy an existing user profile (that you have customized with all of the files, shortcuts, settings, and applications you want the user to have) to the user’s roaming user profile path, and ensure that the user is permitted to use the profile. In the Copy To dialog box, set “Permitted to use” to that user only, not to Everyone: the setting is written as NTFS permissions on the copied folder and on its NTUSER.DAT hive, and a profile that Everyone is permitted to use can be read and modified by every account on the server.

Mandatory User Profiles


A mandatory user profile is a user profile that, when assigned to a user, can’t
be changed by the user. A user can make changes to desktop and work
environment settings during a single logon session, but these changes are
not saved to the mandatory user profile when the user logs off. Each time
the user logs on, the user’s desktop and work environment settings revert to
those contained in the mandatory user profile.
In most cases, an administrator permits users to change and customize
their own user profiles.There are instances, however, when you might want
to use mandatory user profiles:
■ When “problem users” require a significant amount of administra-
tor time
■ When an administrator has a large number of users to administer
Occasionally, a “problem user” modifies his or her profile so that needed
shortcuts and applications are deleted, and the administrator must fix the
user’s profile by reinstalling the necessary items. If this happens too fre-
quently, the administrator might choose to assign the user a mandatory
user profile.
To make an individual user’s profile (either local or roaming) a mandatory user profile, rename the user’s NTUSER.DAT file (in the user’s profile folder) as NTUSER.MAN. For a roaming user profile, rename the copy in the user’s profile folder on the server, because that is the copy Windows 2000 reads at logon and would otherwise overwrite at logoff. The mandatory profile will become effective the next time the user logs on. Note that a mandatory profile only stops changes from being saved; the user can still change settings during a session, so it is a convenience for the administrator, not a security boundary.
Sometimes an administrator needs to create a standardized desktop and
work environment settings for a large number of users with similar job
tasks.To accomplish this, the administrator can assign a single, customized
mandatory roaming user profile to multiple user accounts.

TIP
If you have a need for the capabilities of mandatory user profiles, con-
sider using group policy instead. Group policy provides the administrator
with more control over users’ environment settings than mandatory user
profiles. I’ll cover group policy in Chapter 10.
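The following is an added example that is not part of the book. It models in Python, on a scratch directory, the profile behaviour the preceding sections describe: first-logon creation from the local or NETLOGON Default User folder, the roaming copy written to the server at logoff, and the NTUSER.MAN check that discards a session’s changes. The folder names NETLOGON, Profiles, JulieC and BillT are constructed stand-ins, and the logic is a simplification: Windows 2000 also merges roaming profiles by timestamp and keeps registry bookkeeping that this model ignores.

```python
"""File-level model of Windows 2000 profile handling: first-logon creation,
roaming save on logoff, and the NTUSER.MAN mandatory check.
Hypothetical illustration code, not Microsoft's implementation."""
import shutil
import tempfile
from pathlib import Path

HIVE = "NTUSER.DAT"        # per-user registry hive
MANDATORY = "NTUSER.MAN"   # same hive, renamed: changes are never written back


def new_profile_source(local_root, netlogon, domain_user):
    """Folder Windows copies for a user who has no profile on this computer yet."""
    domain_default = netlogon / "Default User"
    if domain_user and domain_default.is_dir():
        return domain_default            # domain-wide default wins for domain users
    return local_root / "Default User"   # otherwise the computer's own default


def logon(local_root, netlogon, user, domain_user=False, roaming=None):
    """Return (profile_dir, source); source names the copy that was used."""
    profile = local_root / user
    if roaming is not None and roaming.is_dir():
        shutil.rmtree(profile, ignore_errors=True)
        shutil.copytree(roaming, profile)        # server copy is pulled down at logon
        return profile, "roaming"
    if profile.is_dir():
        return profile, "existing local"
    src = new_profile_source(local_root, netlogon, domain_user)
    shutil.copytree(src, profile)
    return profile, ("domain Default User" if src.parent == netlogon
                     else "local Default User")


def logoff(local_root, user, roaming=None):
    """Write the local profile back to the server unless it is mandatory."""
    profile = local_root / user
    if roaming is None:
        return "local only"
    if (profile / MANDATORY).exists():
        return "mandatory: changes discarded"
    shutil.rmtree(roaming, ignore_errors=True)
    shutil.copytree(profile, roaming)
    return "saved to server"


def make_mandatory(profile_dir):
    """Rename the hive in the server copy so the profile becomes read-only."""
    (profile_dir / HIVE).rename(profile_dir / MANDATORY)


def demo():
    """Walk two constructed accounts through the lifecycle; returns what happened."""
    root = Path(tempfile.mkdtemp())
    local = root / "Documents and Settings"   # default profile location
    netlogon = root / "NETLOGON"              # stands in for the SYSVOL scripts share
    share = root / "Profiles"                 # stands in for \\SERVER01\Profiles
    for d in (local / "Default User" / "Desktop",
              netlogon / "Default User" / "Desktop", share):
        d.mkdir(parents=True)
    (local / "Default User" / HIVE).write_text("local defaults")
    (netlogon / "Default User" / HIVE).write_text("domain defaults")
    (netlogon / "Default User" / "Desktop" / "App.lnk").write_text("shortcut")

    out = {}
    _, out["local user first logon"] = logon(local, netlogon, "JulieC")
    roam = share / "BillT"
    prof, out["domain user first logon"] = logon(local, netlogon, "BillT", True, roam)
    (prof / "Desktop" / "Custom.lnk").write_text("user change")
    out["first logoff"] = logoff(local, "BillT", roam)
    out["change reached server"] = (roam / "Desktop" / "Custom.lnk").exists()
    make_mandatory(roam)                      # administrator renames the hive on the server
    prof, out["second logon"] = logon(local, netlogon, "BillT", True, roam)
    (prof / "Desktop" / "Another.lnk").write_text("user change")
    out["second logoff"] = logoff(local, "BillT", roam)
    out["change reached server after mandatory"] = (roam / "Desktop" / "Another.lnk").exists()
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the local account drawing from the local Default User folder, the domain account drawing from the NETLOGON copy, the first logoff reaching the server, and the second logoff being discarded once NTUSER.MAN exists on the server.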
Deleting User Profiles


You should consider deleting user profiles for user accounts that have been
deleted. Deleting a user profile by using the System application in Control
Panel removes the entire user profile folder for the specified user, and also
removes any Windows 2000 registry entries related to that user profile.
Simply deleting the user profile folder by using Windows Explorer does not
completely delete all settings related to the user profile.

STEP BY STEP

DELETING A USER PROFILE

1. Select Start ➪ Settings ➪ Control Panel. Then double-click the System icon. (Or,
from the desktop, right-click My Computer, and select Properties from the menu
that appears.)
2. In the System Properties dialog box, click the User Profiles tab.
3. On the User Profiles tab, highlight the user profile you want to delete. Click
Delete.
4. In the Confirm Delete dialog box, click Yes to delete the user profile.
5. On the User Profiles tab, click OK.
6. Exit Control Panel if you opened it in Step 1.

Managing Account Policies


Windows 2000 account policies are sets of rules that are applied to user
accounts. Account policies are not set on an individual account basis.
Rather, they are set to apply to many users, often to all of the users in a
domain. You must be a member of the Administrators group to manage
account policies.
There are three major types of account policies:
■ Password policy
■ Account lockout policy
■ Kerberos policy
I’ll discuss each of these types of account policies in the sections that
follow, and then show you how to set Windows 2000 account policies.
EXAM TIP
Windows 2000 account policies are fairly straightforward, but expect to
see at least one password policy or account lockout policy question on
both the Professional and Server exams.

Password Policy
Password policy dictates the requirements of user passwords and how often
users must change their passwords. There are six configurable password
policy settings: “Enforce password history,” “Maximum password age,”
“Minimum password age,” “Minimum password length,” “Passwords must
meet complexity requirements,” and “Store password using reversible
encryption for all users.”

Enforce Password History The “Enforce password history” setting specifies how many of a user’s most recent passwords Windows 2000 remembers and refuses to accept again. (In Windows NT 4.0, this setting was called Password Uniqueness.) You can configure any number from 0 to 24 for this setting. The default “Enforce password history” setting for a domain is “1 passwords remembered.”
If this setting is configured to “0 passwords remembered,” Windows 2000 remembers nothing, and a user who is required to change a password can simply enter the current password again.
If this setting is configured to “x passwords remembered” (where x represents a number from 1 through 24), the user’s current password and the x-1 passwords before it are rejected, so the user must use at least x new passwords before an old password can be reused. With the default of 1, for example, a user can alternate between two favorite passwords at every change.
You can multiply the number of passwords remembered in “Enforce password history” times the number of days specified in “Minimum password age” to determine the minimum number of days that must pass before a user can reuse an old password.

Maximum Password Age The “Maximum password age” setting determines the number of days a user may use the same password. You can configure any number from 0 to 999 days for this setting. The default “Maximum password age” setting is 42 days (six weeks).
If this setting is configured to 0 days, passwords never expire and users are never required to change their passwords.
If this setting is configured to x days (where x represents a number from 1 through 999), Windows 2000 forces users to change their passwords when the “Maximum password age” setting is exceeded. Normal settings for “Maximum password age” are between thirty and ninety days.

TIP
If users are not forced to change their passwords often enough, network
security may be compromised. However, if users have to change their
passwords too frequently, they may be unable to remember their pass-
words.

Minimum Password Age The “Minimum password age” setting determines the number of days a user must keep the same password. You can configure any number from 0 to 998 days for this setting. The default “Minimum password age” setting is 0 days.
Windows 2000 requires that the “Minimum password age” setting be at least one day less than the “Maximum password age” setting (unless the maximum age is 0, meaning passwords never expire), in order to permit users to change their passwords before they expire. I recommend that you set the “Minimum password age” setting at least five days less than the “Maximum password age” setting.
If this setting is configured to 0 days, users can change their passwords as often as they like, without waiting for any time to pass before selecting a new password.
If this setting is configured to x days (where x represents a number from 1 through 998), users must use their passwords for at least the number of days specified before Windows 2000 will let them change their passwords. (An administrator can still reset a user’s password at any time; the minimum age applies only to changes the user makes.)
Password policy settings are designed to work in conjunction with each other. You can’t always just configure one setting and forget the rest. For example, if you accept the default “Minimum password age” setting of 0 days, and the “Enforce password history” setting is configured to “8 passwords remembered,” a user may be tempted to bypass the intent of the “Enforce password history” setting by changing his or her password nine times, in rapid succession, so the user can recycle back to the user’s original, favorite, and easily remembered password. A minimum password age of even one day defeats this trick.

Minimum Password Length The “Minimum password length” setting specifies the minimum number of characters required in users’ passwords. You can configure any number from 0 to 14 characters for this setting. The default “Minimum password length” setting is 0 characters.
If this setting is configured to 0 characters, users are not required to have passwords.
If this setting is configured to x characters (where x represents a number from 1 through 14), you can specify the minimum number of characters a user’s password must contain. Windows 2000 will not permit users to choose a password with fewer than the required number of characters.

TIP
I recommend a minimum of eight characters for the “Minimum password length” setting, together with the complexity requirement described below. Eight characters, combined with an account lockout policy, makes online guessing impractical. It does not make a password safe against an offline attack on a stolen password hash; there, every additional character and character class matters, so longer is better, up to the 14-character maximum of this setting.

Passwords Must Meet Complexity Requirements The “Passwords must meet complexity requirements” setting determines whether user passwords must contain a combination of specified characters. This setting can either be enabled or disabled. By default, the “Passwords must meet complexity requirements” setting is disabled.
When this setting is disabled, user passwords may contain any type or combination of characters.
When this setting is enabled, user passwords must contain at least one character from at least three of the following four categories:
■ Lowercase alphabetic characters
■ Uppercase alphabetic characters
■ Numbers
■ Special characters
In addition, the password may not contain the user’s account name or a part of the user’s full name of three or more consecutive characters. For example, the password JB1234QR does not meet the password complexity requirements because it contains only uppercase alphabetic characters and numbers. However, the password JB1234qr does meet the complexity requirements, because it uses uppercase alphabetic characters, lowercase alphabetic characters, and numbers.
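As an added example that is not from the book, the Python below models the checks the six settings above impose when a user changes a password, using the same defaults as a Windows 2000 domain (history 1, maximum age 42 days, minimum age 0, minimum length 0, complexity off). The account-name test in meets_complexity is the extra rule the Windows 2000 complexity filter applies beyond the four character categories. One-way storage is represented with PBKDF2, which is not what Windows uses; the account names, passwords and clock origin are constructed. The history_bypass function reproduces the nine-change trick from the Minimum Password Age discussion and shows a one-day minimum age stopping it.

```python
"""Model of the Windows 2000 password policy checks described in this section.
Hypothetical illustration code, not Microsoft's implementation."""
import hashlib
import os
from datetime import datetime, timedelta

T0 = datetime(2000, 4, 24, 9, 0)   # constructed clock origin for the scenarios


class PasswordPolicy:
    def __init__(self, history=1, max_age_days=42, min_age_days=0,
                 min_length=0, complexity=False):
        self.history = history                        # passwords remembered, 0..24
        self.max_age = timedelta(days=max_age_days)   # 0 = passwords never expire
        self.min_age = timedelta(days=min_age_days)
        self.min_length = min_length
        self.complexity = complexity


def meets_complexity(password, account_name=""):
    """Three of the four character classes, and the account name may not appear."""
    if account_name and account_name.lower() in password.lower():
        return False
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def one_way(password, salt):
    """One-way storage: every check compares digests; the plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Account:
    def __init__(self, name, password, policy, now):
        self.name, self.policy = name, policy
        self.salt = os.urandom(16)
        self.digests = [one_way(password, self.salt)]   # newest first
        self.last_change = now

    def change_password(self, new_password, now):
        """Return None when the change is accepted, otherwise the reason it was refused."""
        p = self.policy
        if now - self.last_change < p.min_age:
            return "minimum password age not reached"
        if len(new_password) < p.min_length:
            return "shorter than minimum password length"
        if p.complexity and not meets_complexity(new_password, self.name):
            return "does not meet complexity requirements"
        digest = one_way(new_password, self.salt)
        if digest in self.digests[:p.history]:   # current password plus history-1 older ones
            return "password is in the enforced history"
        self.digests.insert(0, digest)
        del self.digests[24:]                    # the setting tops out at 24
        self.last_change = now
        return None

    def expired(self, now):
        p = self.policy
        return p.max_age > timedelta(0) and now - self.last_change > p.max_age


def history_bypass(min_age_days, history=8):
    """Change the password `history` times in rapid succession, then try to go back
    to the original. True means the policy let the original password back in."""
    policy = PasswordPolicy(history=history, min_age_days=min_age_days)
    acct = Account("billt", "Original1!", policy, T0)
    for i in range(history):
        if acct.change_password(f"Throwaway{i}!", T0) is not None:
            return False
    return acct.change_password("Original1!", T0) is None


def password_expired(max_age_days, days_elapsed):
    """Whether a password set `days_elapsed` days ago has passed the maximum age."""
    acct = Account("billt", "Original1!", PasswordPolicy(max_age_days=max_age_days), T0)
    return acct.expired(T0 + timedelta(days=days_elapsed))
```

history_bypass(0) returns True, the cycling trick succeeds with the default minimum age, while history_bypass(1) returns False because the second change in the same day is refused before the history is even consulted.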

Store Password Using Reversible Encryption for All Users The “Store password using reversible encryption for all users” setting determines whether Windows 2000 stores user passwords by using one-way encryption (a hash of the password) or by using reversible encryption. One-way encryption is more secure than reversible encryption, because a reversibly encrypted password is as good as the plaintext to anyone who can read the directory database or the SAM. This setting can either be enabled or disabled. By default, the “Store password using reversible encryption for all users” setting is disabled.
When this setting is disabled, Windows 2000 stores user passwords by using one-way encryption. When this setting is enabled, Windows 2000 stores user passwords by using reversible encryption; passwords already stored are not converted, so each user’s password is affected only after it is next set or changed.
This setting should only be enabled when most or all users in the domain log on to the Windows 2000 domain from Apple computers, because Apple computers don’t support the Windows 2000 implementation of one-way encryption. (Authentication methods that need the plaintext password, such as CHAP for remote access, have the same requirement.)
If only a few users log on to the Windows 2000 domain from Apple computers, configure the individual user accounts to “Store password using reversible encryption” instead of setting an account policy.

Account Lockout Policy


Account lockout policy dictates how Windows 2000 treats a user account after several successive unsuccessful logon attempts have occurred. There are three configurable settings: “Account lockout threshold,” “Account lockout duration,” and “Reset account lockout counter after.”

Account Lockout Threshold The “Account lockout threshold” setting specifies the number of successive unsuccessful logon attempts that will be permitted before Windows 2000 locks out a user account. The possible settings are from 0 to 999 invalid logon attempts. The default “Account lockout threshold” setting is 0 invalid logon attempts.
If this setting is configured to 0 invalid logon attempts, user accounts will never be locked out, regardless of the number of successive unsuccessful logon attempts.
If this setting is configured to x invalid logon attempts (where x represents a number from 1 through 999), Windows 2000 will lock out a user account after the specified number of successive unsuccessful logon attempts is reached. This setting’s counter is reset to 0 after each successful logon. Windows 2000 maintains a separate counter for each user account. The built-in Administrator account is never locked out, whatever the threshold.

Account Lockout Duration The “Account lockout duration” setting specifies how long a user account is locked out after the specified number of bad logon attempts occurs. The possible settings are: “Not defined,” or from 0 to 99,999 minutes. The default “Account lockout duration” setting is “Not defined.”
If this setting is “Not defined,” user accounts will never be locked out, and there will not be an account lockout duration.
Contrary to what it sounds like, if this setting is configured to 0 minutes, user accounts will be locked out, not for 0 minutes, but until the Administrator unlocks the account.
If this setting is configured to x minutes (where x represents a number from 1 through 99,999), user accounts will be locked out either until the Administrator unlocks the account, or until the number of specified minutes have passed, whichever occurs first.
Remember that a lockout policy also lets anyone who knows account names lock those accounts out deliberately by sending bad passwords. A duration of 0 turns every such attempt into a help desk call; a finite duration of thirty minutes or so still makes password guessing impractical while limiting the damage.

Reset Account Lockout Counter After The “Reset account lockout counter after” setting specifies the number of minutes that must pass without a bad logon attempt in order for the “Account lockout threshold” counter to be reset to zero. Resetting the counter to zero gives users the full number of possible bad logon attempts before account lockout. The possible settings are: “Not defined,” or from 1 to 99,999 minutes. The default “Reset account lockout counter after” setting is “Not defined.”
If this setting is “Not defined,” user accounts will never be locked out, and the “Reset account lockout counter after” setting won’t be used.
If this setting is configured to x minutes (where x represents a number from 1 through 99,999), the “Account lockout threshold” counter will be reset to zero after the specified number of minutes have passed with no bad logon attempts. When the lockout duration is greater than 0, this value must be less than or equal to the lockout duration; the policy editor enforces that relationship.
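The Python below is an added example, not from the book, that applies the three lockout settings above to a stream of logon attempts so the 0-minute duration, the automatic unlock, and the reset window can be checked directly. The account name and the clock origin are constructed; the ValueError for a reset window longer than the duration mirrors the consistency check the policy editor performs.

```python
"""Model of the Windows 2000 account lockout settings applied to logon attempts.
Hypothetical illustration code, not Microsoft's implementation."""
from datetime import datetime, timedelta

NEVER = datetime.max                  # "locked out until the Administrator unlocks it"
START = datetime(2000, 4, 24, 9, 0)   # constructed clock origin for the scenarios


def later(minutes):
    return START + timedelta(minutes=minutes)


class LockoutPolicy:
    def __init__(self, threshold=0, duration_minutes=None, reset_after_minutes=None):
        self.threshold = threshold                # 0 = accounts are never locked out
        self.duration = (None if duration_minutes is None
                         else timedelta(minutes=duration_minutes))
        self.reset_after = (None if reset_after_minutes is None
                            else timedelta(minutes=reset_after_minutes))
        # a 0-minute duration is falsy, so the check is skipped for it, as in the editor
        if self.duration and self.reset_after and self.reset_after > self.duration:
            raise ValueError("reset window must not exceed the lockout duration")


class Account:
    def __init__(self, name):
        self.name = name
        self.bad_count = 0            # per-account counter of successive bad attempts
        self.last_bad = None
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def unlock(self):
        """What the Administrator does on the account's Properties sheet."""
        self.locked_until = None
        self.bad_count = 0

    def attempt(self, password_ok, now, policy):
        """Process one logon attempt; returns 'success', 'bad password' or 'locked out'."""
        if self.is_locked(now):
            return "locked out"                  # even a correct password is refused
        if self.locked_until is not None:
            self.unlock()                        # duration elapsed: automatic unlock
        if password_ok:
            self.bad_count = 0                   # counter resets on every good logon
            return "success"
        if (policy.reset_after is not None and self.last_bad is not None
                and now - self.last_bad >= policy.reset_after):
            self.bad_count = 0                   # quiet period elapsed: counter resets
        self.bad_count += 1
        self.last_bad = now
        # threshold 0 or an undefined duration means lockout never happens
        if (policy.threshold == 0 or policy.duration is None
                or self.bad_count < policy.threshold):
            return "bad password"
        self.locked_until = (NEVER if policy.duration == timedelta(0)
                             else now + policy.duration)
        return "locked out"


def guess(policy, count, spacing_minutes=0):
    """Send `count` wrong passwords, `spacing_minutes` apart; return (account, outcomes)."""
    acct = Account("billt")
    outcomes = [acct.attempt(False, later(spacing_minutes * i), policy)
                for i in range(count)]
    return acct, outcomes
```

With a threshold of 5, a duration of 0 and a 30-minute reset window, guess(policy, 6) returns four "bad password" results followed by two "locked out", and the account stays locked a year later until unlock() is called. With a 30-minute duration the correct password is refused at minute 29 and accepted at minute 31. With the same policy, one wrong guess every 31 minutes never trips the threshold at all, which is why a longer reset window is the setting that slows a patient guesser.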

Kerberos Policy
Kerberos policy dictates how Windows 2000 uses the Kerberos V5 authentication protocol to authenticate users. There are five configurable settings:
■ Enforce user logon restrictions
■ Maximum lifetime for service ticket
■ Maximum lifetime for user ticket
■ Maximum lifetime for user ticket renewal
■ Maximum tolerance for computer clock synchronization
The default configurations for each of these five settings are adequate for most Windows 2000 implementations, and should not be changed except by Administrators who have an in-depth understanding of the Kerberos V5 protocol.
Setting Account Policies


Although account policies are applied to user accounts, the policies are actually configured on individual Windows 2000 computers or groups of computers. Then the account policies are applied to users as they log on to a computer.
Account policies can be set for the local Windows 2000 computer, for all Windows 2000 computers in a domain, for all domain controllers in a domain, or for all Windows 2000 computers in a particular organizational unit (OU) in a domain. (The exception to this is Kerberos policy, which can’t be configured for the local computer or for all computers in an OU.) The most common way to set account policies is to set the policies for all Windows 2000 computers in the domain.
Sometimes account policies are set in more than one place. For example, account policies may be set for the local computer and also set for the domain. When account policies conflict, the policy with the highest priority is applied. The levels of account policy priority, from greatest to least, are:
1. Account policies for an OU
2. Account policies for the domain
3. Account policies for domain controllers
4. Account policies for the local computer

This ordering governs the local accounts held in each computer’s SAM. Domain user accounts are a special case: the domain controllers enforce only the account policy linked to the domain itself, so password and lockout settings in a group policy linked to an OU (or configured on an individual computer) never apply to domain accounts, however high that policy’s priority.

The tool you use to set account policies depends on where you want to
set account policies:
■ To set account policies on the local Windows 2000 computer,
use the Local Security Policy tool in Administrative Tools. (Select
Start ➪ Settings ➪ Control Panel, double-click Administrative
Tools, then double-click Local Security Policy.)
■ To set account policies for all Windows 2000 computers in a
domain, use the Domain Security Policy tool in Administrative
Tools. (Select Start ➪ Programs ➪ Administrative Tools ➪ Domain
Security Policy.) This tool is available on Windows 2000 domain
controllers, or on other Windows 2000 computers that have the
ADMINPAK installed.
■ To set account policies for all domain controllers in a domain, use
the Domain Controller Security Policy tool in Administrative
Tools. (Select Start ➪ Programs ➪ Administrative Tools ➪ Domain
Controller Security Policy.) This tool is available on Windows 2000
domain controllers, or on other Windows 2000 computers that
have the ADMINPAK installed.
■ To set account policies for all Windows 2000 computers in a partic-
ular OU in a domain, use Active Directory Users and Computers to
configure a group policy for the OU that specifies the desired
account policies.

TIP
Another way to set account policies is to use Active Directory Users and
Computers to configure a group policy for the domain (or for the domain
controllers in the domain) that specifies the desired account policies. I’ll
explain how to use group policy in Chapter 10.

Now I’ll show you how to set account policies for all Windows 2000
computers in the domain by using the Domain Security Policy tool.
Because the Windows 2000 user interfaces for the Domain Security Policy
tool, the Domain Controller Security Policy tool, and the Local Security
Policy tool are substantially similar, you can use these same steps to set
account policies for domain controllers or for the local Windows 2000
computer by using the appropriate tool.

STEP BY STEP

SETTING ACCOUNT POLICIES FOR THE DOMAIN

1. Start the Domain Security Policy tool. (Select Start ➪ Programs ➪ Administrative
Tools ➪ Domain Security Policy.)
2. In the left pane of the Domain Security Policy dialog box, click the + next to
Security Settings. Then click the + next to Account Policies.
3. In the left pane of the dialog box, highlight the type of account policies you want
to set, either Password Policy, Account Lockout Policy, or Kerberos Policy.
Figure 9-20 shows Password Policy highlighted in the Domain Security Policy
dialog box. Notice the six configurable settings displayed in the right pane.
4. To set account policies, in the right pane, double-click the setting you want to
configure. For example, suppose you want to configure the minimum password
length.

FIGURE 9-20 Setting password policy

5. In this case, the Security Policy Setting dialog box would be displayed, as shown
in Figure 9-21. Notice that a spin box is used to specify the minimum number of
required characters in user passwords.

FIGURE 9-21 Setting minimum password length

TIP
Most of the Security Policy Setting dialog boxes, which are used for set-
ting password policy, account lockout policy, and Kerberos policy, are
similar to the dialog box shown in Figure 9-21.

Make the appropriate configurations in the Security Policy Setting dialog box and
click OK.
6. Repeat Steps 3 through 5 to set additional account policies as necessary. When
you’ve finished setting account policies, close the Domain Security Policy dialog box.

TIP
Changes made to domain security policy are made on only one domain
controller. It may take several minutes to several hours for these changes
to replicate to all domain controllers in the domain. During this time,
some users will experience the changes, and some won’t.

Managing User Rights


User rights authorize users and groups to perform specific tasks on a
Windows 2000 computer or in a Windows 2000 domain. User rights are
not the same as permissions: user rights enable users to perform tasks;
whereas permissions enable users to access objects, such as files, folders,
printers, and Active Directory objects. You must be a member of the
Administrators group to assign user rights.
In the following sections I’ll discuss specific Windows 2000 user rights,
and also explain how to assign user rights.

User Rights
Each user right authorizes a user or group to perform a specific task. User
rights, unlike account policies, can be assigned to individual users and groups.
Microsoft has subdivided Windows 2000 user rights into two categories:
logon rights and privileges. Logon rights specify whether a user is permitted
to authenticate (log on) to a Windows 2000 computer, and if so, how that
user is permitted to log on. Privileges enable a user to perform specific tasks.
The Windows 2000 logon rights are:
■ Access this computer from the network
■ Deny access to this computer from the network
■ Deny logon as a batch job
■ Deny logon as a service
■ Deny logon locally
■ Log on as a batch job
■ Log on as a service
■ Log on locally

TIP
When a user is assigned both the “Log on locally” and the “Deny logon
locally” logon rights or when logon rights conflict, the “Deny logon
locally” logon right takes precedence.

The Windows 2000 privileges are:


■ Act as part of the operating system
■ Add workstations to domain
■ Back up files and directories
■ Bypass traverse checking
■ Change the system time
■ Create a pagefile
■ Create a token object
■ Create permanent shared objects
■ Debug programs
■ Enable computer and user accounts to be trusted for delegation
■ Force shutdown from a remote system
■ Generate security audits
■ Increase quotas
■ Increase scheduling priority
■ Load and unload device drivers
■ Lock pages in memory
■ Manage auditing and security log
■ Modify firmware environment values
■ Profile single process
■ Profile system performance
■ Remove computer from docking station
■ Replace a process level token
■ Restore files and directories
■ Shut down the system
■ Synchronize directory service data
■ Take ownership of files or other objects
Most of these user rights are self-explanatory. For detailed descriptions
of any of these logon rights or privileges, view the Windows 2000 Help
topics (on a Windows 2000 Server computer) titled “Logon rights” and
“Privileges.”

Assigning User Rights


Although user rights are applied to user and group accounts, user rights are
actually configured for individual Windows 2000 computers or groups of
computers.
User rights can be set for the local Windows 2000 computer, for all
Windows 2000 computers in a domain, for all domain controllers in a
domain, or for all Windows 2000 computers in a particular OU in a domain.
The most common way to assign user rights is to configure them for all
Windows 2000 computers in the domain.
You can assign user rights in much the same way that you set account
policies. The tool you use to assign user rights depends on where you want
to configure them:
■ To assign user rights for the local Windows 2000 computer, use the
Local Security Policy tool in Administrative Tools. (Select Start ➪
Settings ➪ Control Panel, double-click Administrative Tools, then
double-click Local Security Policy.)
■ To assign user rights for all Windows 2000 computers in a domain,
use the Domain Security Policy tool in Administrative Tools.
(Select Start ➪ Programs ➪ Administrative Tools ➪ Domain Security
Policy.) This tool is available on Windows 2000 domain controllers,
or on other Windows 2000 computers that have the ADMINPAK
installed.
■ To assign user rights for all domain controllers in a domain, use the
Domain Controller Security Policy tool in Administrative Tools.
(Select Start ➪ Programs ➪ Administrative Tools ➪ Domain Controller
Security Policy.) This tool is available on Windows 2000 domain
controllers, or on other Windows 2000 computers that have the
ADMINPAK installed.
■ To assign user rights for all Windows 2000 computers in a particular
OU in a domain, use Active Directory Users and Computers to
configure a group policy for the OU that specifies the desired
user rights.

TIP
Another way to assign user rights is to use Active Directory Users and
Computers to configure a group policy for the domain (or for the domain
controllers in the domain) that specifies the desired user rights. I’ll explain
how to use group policy in Chapter 10.

Now I’ll show you how to assign user rights for all Windows 2000 com-
puters in the domain by using the Domain Security Policy tool. Because
the Windows 2000 user interfaces for the Domain Security Policy tool, the
Domain Controller Security Policy tool, and the Local Security Policy
tool are very similar, you can use these same steps to configure user rights
for domain controllers or for the local Windows 2000 computer by using
the appropriate tool.

STEP BY STEP

ASSIGNING USER RIGHTS FOR THE DOMAIN

1. Start the Domain Security Policy tool. (Select Start ➪ Programs ➪ Administrative
Tools ➪ Domain Security Policy.)
2. In the left pane of the Domain Security Policy dialog box, click the + next to
Security Settings. Then click the + next to Local Policies. In the left pane of the
dialog box, highlight User Rights Assignment. The list of user rights that you can
assign appears in the right pane, as shown in Figure 9-22. Notice that both logon
rights and privileges are listed.
3. To assign user rights, in the right pane, double-click the user right you want to
assign.
4. A Security Policy Setting dialog box for the user right you selected appears, as
shown in Figure 9-23. Notice that the user right I chose to configure is called
“Log on locally.” This user right permits users to log on interactively at all
Windows 2000 computers within the tool’s scope, in this case, at all Windows
2000 computers in the domain.

FIGURE 9-22 Assigning user rights

FIGURE 9-23 Assigning the “Log on locally” user right

If you’re using the Domain Security Policy tool or Domain Controller Security
Policy tool, select the check box next to “Define these policy settings” (if it is not
already selected). Then click Add.
If you’re using the Local Security Policy tool, click Add.
5. The “Add user or group” dialog box appears. Click Browse to add users or groups.
6. The Select Users or Groups dialog box appears, as shown in Figure 9-24.

FIGURE 9-24 Selecting users and groups

Double-click each user or group that you want to assign this user right to. As you
double-click each user or group, the user or group’s name will appear in the bot-
tom section of this dialog box. (You can also perform this step by highlighting a
user or group and then clicking Add, but double-clicking is faster and easier.)
When you’ve selected all of the users and/or groups you want to assign this
user right to, click OK.
7. In the “Add user or group” dialog box, click OK.
8. In the Security Policy Setting dialog box, click OK.
9. Repeat Steps 3 through 8 to assign additional user rights if necessary. When
you’ve finished assigning user rights, close the Domain Security Policy dialog box.

Removing User Rights


The steps in the previous section explain how to assign user rights to a user
or group, but you can also use these steps (with a few modifications) to
remove a user right from a user or group. If you’re using the Domain
Security Policy tool or the Domain Controller Security Policy tool, in Step
4, instead of clicking Add, highlight the existing user or group you want to
remove the user right from and click Remove. If you’re using the Local
Security Policy tool, in Step 4, instead of clicking Add, clear the check box
next to the user or group you want to remove the user right from.

Troubleshooting User Accounts, User Rights, Account Policies, and Authentication


There are several common problems that may arise when working with
user accounts. These problems generally take the form of a user not being
able to log on, or not being able to access a resource or perform a task that
the user needs to access or perform. The solutions to these problems fre-
quently involve reconfiguring a user account setting, reconfiguring a user
rights assignment, or changing account policies.
The following tables address common user account problems and pro-
vide some troubleshooting tips that may help you resolve these problems.
Table 9-3 deals with user account settings problems. Table 9-4 addresses
user rights problems. Table 9-5 explores some common account policy
problems. Finally, Table 9-6 covers common user authentication problems.
TABLE 9-3 Troubleshooting User Account Settings

Problem: You are an Administrator, but you are unable to modify the
properties of a user account.
Troubleshooting Tips: Verify that you are logged on as Administrator. If
you are logged on as Administrator, ensure that you have the appropriate
permissions to manage the user account. Verify your permissions on the
Security tab in the user’s Properties dialog box. If necessary, take
ownership of the user account.

Problem: A user reports that she can’t log on to her Windows 2000
computer. During the logon attempt, a message stating “Your account has
been disabled. Please see your system administrator” is displayed.
Troubleshooting Tips: This message is displayed when a user’s account
has expired, has been disabled, or has been locked out. If the user is a
local user, on the General tab in the local user’s Properties dialog box,
clear the check box next to “Account is locked out” or clear the check box
next to “Account is disabled.” If the user is a domain user, on the Account
tab in the user’s Properties dialog box, change the account expiration date
or clear the check box next to “Account is locked out.”

Problem: A user who normally works weekdays came in to work on Sunday,
and could not log on to his Windows 2000 computer. A message stating
“Unable to log you on because of an account restriction” was displayed.
Troubleshooting Tips: This message is displayed when a user attempts to
log on during restricted hours or attempts to log on to a restricted
computer. Check the Logon Hours and Log On To settings on the Account
tab in the user’s Properties dialog box, and make any necessary changes.

TABLE 9-4 Troubleshooting User Rights

Problem: A user reports that she is unable to log on locally to the
domain controller.
Troubleshooting Tips: By default, only Administrators can log on locally
to the domain controller. Restricting local logon to the domain controller
is generally a preferred practice. Use the Domain Controller Security
Policy tool to grant the user the “Log on locally” user right, or make the
user a member of a group that has that user right. Remember, if the user
has been assigned both the “Log on locally” and “Deny logon locally” user
rights, the “Deny logon locally” right takes precedence.

Problem: A user reports that he is unable to clear or save the Event
Viewer logs on his Windows 2000 computer.
Troubleshooting Tips: Use the Local Security Policy tool on the local
computer to grant the user the “Manage auditing and security log” user
right, or make the user a member of a group that has that user right.

TABLE 9-5 Troubleshooting Account Policies

Problem: When Windows 2000 prompts a user to change his password, he
types in a new password, but Windows 2000 will not accept the user’s new
password. A message stating “Your password must be at least 8 characters;
cannot repeat any of your previous 2 passwords; must contain capitals,
numerals or punctuation . . .” is displayed.
Troubleshooting Tips: Examine the Password Policy settings. Check to see
if the new password the user has entered meets the minimum password length
and password complexity requirements. Remember, if password complexity is
enabled, the password must contain three of the four types of characters:
uppercase alphabetic, lowercase alphabetic, numbers, and special
characters. Is the user’s new password a password that he has used
previously? If so, check to see if it meets the “Enforce password history”
settings.

Problem: A user reports that she can’t change her password. When she
attempts to do so, a message stating “The password on this account cannot
be changed at this time” is displayed.
Troubleshooting Tips: The most likely cause of this problem is that the
user hasn’t met the minimum password age requirements. Explain to the user
that she must keep her password for the minimum number of days specified.

Problem: Numerous users report that if they mistype their passwords two
times they are unable to log on. A message stating, “Your account has been
disabled. Please see your system administrator” is displayed.
Troubleshooting Tips: Examine the Account Lockout Policy settings. The
most likely cause of this problem is that the “Account lockout threshold”
setting is set too low. Increase this setting if necessary. In addition,
you will need to manually unlock each user’s account (in the user’s
Properties dialog box) before they will be able to log on.
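The four Password Policy checks behind the first two rows of Table 9-5, as an added example (not from the book): minimum length, complexity, “Enforce password history,” and minimum password age. The policy values, the sample account, and the use of a SHA-256 digest to stand in for the stored password hash are constructed assumptions.

```python
"""Password Policy checks behind the rejections in Table 9-5: minimum
length, complexity (three of the four character types), "Enforce password
history", and minimum password age.  Added example, not from the book;
the policy values and the sample account are constructed."""
from dataclasses import dataclass, field
from datetime import date
import hashlib


@dataclass
class PasswordPolicy:
    min_length: int = 8        # "Minimum password length"
    complexity: bool = True    # "Passwords must meet complexity requirements"
    history: int = 2           # "Enforce password history"
    min_age_days: int = 1      # "Minimum password age"


@dataclass
class Account:
    # Digests of previous passwords, newest first (never store plaintext).
    previous: list = field(default_factory=list)
    last_change: date = date(2000, 1, 1)


def digest(password: str) -> str:
    # Illustrative only (assumption); a real account database keeps its own
    # password hash format, not a bare SHA-256 of the plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_classes(password: str) -> int:
    """Count how many of the four types (uppercase, lowercase, numerals,
    special characters) appear in the password."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def check_password_change(policy, account, new_password, today):
    """Return the reasons the change would be rejected; an empty list means
    the new password is acceptable under the policy."""
    if (today - account.last_change).days < policy.min_age_days:
        # Second row of Table 9-5: the password cannot be changed yet,
        # regardless of what the new password looks like.
        return ["minimum password age not met"]
    reasons = []
    if len(new_password) < policy.min_length:
        reasons.append(f"must be at least {policy.min_length} characters")
    if policy.complexity and character_classes(new_password) < 3:
        reasons.append("must contain three of: uppercase, lowercase, numerals, punctuation")
    # Only the most recent `history` passwords are compared.
    if digest(new_password) in account.previous[:policy.history]:
        reasons.append(f"cannot repeat any of your previous {policy.history} passwords")
    return reasons


def change_password(policy, account, new_password, today):
    """Apply the change if it passes every check; returns the rejection reasons."""
    reasons = check_password_change(policy, account, new_password, today)
    if not reasons:
        account.previous.insert(0, digest(new_password))
        account.last_change = today
    return reasons
```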

TABLE 9-6 Troubleshooting Local User Authentication

Problem: A user reports that he is unable to log on. A message is
displayed, stating “The system could not log you on.”
Troubleshooting Tips: Verify that the user name, domain, and password the
user is using are correct. Remember, passwords are case sensitive. Make
sure that Caps Lock is not on.

Problem: A user reports that she is able to log on locally (by using her
local user account) but is unable to log on to the domain (by using her
domain user account).
Troubleshooting Tips: Verify that at least one domain controller is
available on the network. If so, check the network connection between the
user’s computer and the domain controller.

Problem: A user at a Windows NT 4.0 computer reports that he is unable to
log on to the domain.
Troubleshooting Tips: The most likely cause of this problem is that the
Windows 2000 domain controller that is performing the PDC emulator role is
unavailable. Take the necessary actions to make this computer available on
the network.

Creating and Managing Group Accounts


Groups are collections of user accounts. Using groups is a convenient and
efficient way to assign user rights and permissions to multiple users.
There are two fundamental types of groups in Windows 2000: security
groups and distribution groups. Security groups are primarily used to assign
permissions and user rights to multiple users. In addition, security groups
can be used by some e-mail programs to send messages to the list of users
who are members of the group.
Distribution groups are primarily used to send e-mail messages to a speci-
fied list of users. You can’t assign permissions and user rights to distribution
groups. Distribution groups are an important feature because some e-mail
programs are unable to send e-mail to the list of users who are members of
a security group. Lastly, distribution groups can’t be created on the local
computer — they can only be created in Active Directory.
When I discuss groups in the rest of this chapter, I’ll be talking about
security groups, because only security groups can be used to assign user
rights and permissions to multiple users.
Groups can be created either on the local computer or in Active
Directory. In the following sections I’ll discuss the various Windows 2000
groups, explain how to create groups, and show you how to configure and
manage group properties.

Groups on the Local Computer


Groups on the local computer are primarily used to control access to
resources on that computer. All groups on the local computer are security
groups. There are two kinds of groups found on the local computer: local
groups and built-in groups.

Local Groups
Local groups are groups that are created and maintained on an individual
Windows 2000 computer (that is not a domain controller). Local groups
can be created by members of the Administrators, Power Users, and Users
groups.
Local groups are used to control access to resources on the local com-
puter. In a typical configuration, a local group is assigned permissions to a
specific resource, such as a shared folder or a shared printer. Then individual
user accounts and groups are made members of this local group. The result
is that all members of the local group now have permissions to the shared
resource on the local computer. Using local groups simplifies the adminis-
tration of resources, because permissions can be assigned once to a local
group, instead of separately to each user account.

TIP
Local groups can’t be used to control access to resources on any com-
puter other than the local computer.

Both local and domain user accounts can be members of a local group.
In addition, built-in system groups on the local computer and global
groups and universal groups from the domain can be members of a local
group. Finally, a local group can’t be a member of another group.

Built-in Groups
Built-in groups are groups with preset characteristics that are automatically
created during the installation of Windows 2000. There are two kinds of
built-in groups on a Windows 2000 computer that is not a domain con-
troller: built-in local groups, and built-in special groups.

Built-in Local Groups Built-in local groups are groups that have the rights
and/or permissions that enable their members to perform specific tasks on
the local computer. You can assign users to the built-in local groups that
most closely match the tasks the users need to perform. If there isn’t a
built-in local group that has the rights or permissions needed to perform a
specific task or access a specific resource, then you can create a local group
and assign it the necessary rights or permissions to accomplish the task or
access the resource.
You can assign rights and permissions to built-in local groups. In addi-
tion, you can make users members of (and remove users from) built-in
local groups. (An exception is that you can’t remove Administrator from
the Administrators group.) Built-in local groups can be renamed, but they
can’t be deleted.
There are six built-in local groups that are automatically created during
the installation of Windows 2000 on a nondomain controller:
■ Administrators: Members of this group have full administrative
rights and permissions to administer the local computer. This group
initially contains the Administrator account, and, if the computer is
a member of a domain, it contains that domain’s Domain Admins
global group.
■ Backup Operators: Members of this group have permissions to
back up and restore all files on the local computer, even if the user
does not have permissions to all files. This group initially has no
members.
■ Guests: Members of this group can log on locally. Initially this
group has no permissions to resources. This group initially contains
the Guest account, which is disabled by default.
■ Power Users: Members of this group can run applications, use
local printers, and create local user and group accounts (and mod-
ify the users and groups they create). Members of this group can
add users to and remove users from the Guests, Power Users, and
Users groups. Members of this group can also share folders and
printers. This group initially has no members.
■ Replicator: This group, which supports directory replication
processes, is included in Windows 2000 to provide backward com-
patibility with the Windows NT 4.0 Directory Replicator service.
This group initially has no members.
■ Users: Members of this group can run applications, create local
groups (and manage the groups they create), and use local printers.
This group initially contains the Authenticated Users and
Interactive special groups, and, if the computer is a member of a
domain, it contains that domain’s Domain Users group. As new
local user accounts are created, they are automatically made mem-
bers of the built-in Users group.

Built-in Special Groups Built-in special groups are groups created by
Windows 2000 that are used for specific purposes by the operating system.
Special groups are sometimes called system groups.
You can assign user rights and permissions to special groups, and you
can remove user rights and permissions from special groups. You can’t
assign users or groups to special groups. However, you can make a special
group a member of a local group. You can’t rename or delete special
groups.
Membership in a special group is temporary, and is based solely on
whether a specific set of membership requirements are met. A user is a
member of a special group only for the time period in which the user
meets the special group’s membership requirements.

There are 12 built-in special groups on Windows 2000 computers that
are not domain controllers:
■ Everyone: Any user who accesses a Windows 2000 computer,
either interactively or over-the-network, is considered a member
of the Everyone special group. This includes all users accessing the
computer using authorized user accounts, as well as users who are
authenticated using an anonymous logon, such as a user who
accesses a Web server over the network. If your network is con-
nected to the Internet, over-the-network also means over the
Internet. Because of this, Everyone means everyone. You should
consider limiting the permissions assigned to the Everyone group.
■ Anonymous Logon: Any user who accesses a Windows 2000
computer over-the-network (or over the Internet) by using an
anonymous logon is considered a member of the Anonymous
Logon special group.
■ Authenticated Users: Any user who accesses a Windows 2000
computer, either interactively or over-the-network, by using an
authorized user account is considered a member of the
Authenticated Users special group.
■ Batch: When a scheduled program or batch job logs on using a
user account that has the “Log on as a batch job” user right, that
user account is a member of the Batch special group.
■ Creator Owner: A user who creates a file, folder, or print job is
considered a member of the Creator Owner special group for that
file, folder, or print job. The Creator Owner special group is used
to assign permissions to creators of these objects. For example, by
default the Creator Owner special group is assigned the Manage
Documents permission to a printer when it is first created, so that
creators of print jobs sent to this printer are able to manage their
own print jobs.
■ Creator Group: When a user of an Apple computer (or a user of
a POSIX-compliant application) creates a file or folder, that user’s
primary group is considered a member of the Creator Group spe-
cial group for that file or folder. The Creator Group special group
is used to define the group ownership of the newly created file or
folder.
■ Dialup: Any user who accesses a Windows 2000 computer via
a phone line, a Virtual Private Network (VPN), or a direct cable
connection by using an authorized user account is considered a
member of the Dialup special group.
■ Interactive: Any user who physically sits at a computer and logs
on locally to that Windows 2000 computer is a member of the
Interactive special group. If you want to grant access to a resource
on the local computer to users who log on locally to this com-
puter, consider assigning the appropriate permissions to the
Interactive group.
■ Network: Any user who accesses resources on a Windows 2000
computer over-the-network is a member of the Network special
group. If you want to grant access to a resource on the local com-
puter to users who access this computer over-the-network, con-
sider assigning the appropriate permissions to the Network group.
■ Service: When a service logs on using a user account, that user
account is a member of the Service special group.
■ System: This special group is used by the Windows 2000 operat-
ing system. The System special group is not normally assigned any
permissions to network resources.
■ Terminal Server User: Any user who logs on to a Terminal
Services session is a member of the Terminal Server User special
group.

Creating and Managing Groups on the Local Computer


You can create and manage local groups by using the Local Users and
Groups tool in Computer Management. You must be a member of the
Administrators, Power Users, or Users groups to create a local group.
The degree to which a user can manage groups is typically determined
by that user’s group membership:
■ A member of the Administrators group can manage all groups on
the local computer.
■ A member of the Power Users group can manage the Power Users,
Guests, and Users groups on the local computer, as well as any local
groups that the member creates.
■ A member of the Users group can only manage the local groups
that the member creates.

STEP BY STEP

CREATING A LOCAL GROUP ON THE LOCAL COMPUTER

1. Right-click My Computer, and select Manage from the menu that appears.
2. In the left pane of the Computer Management dialog box, click the + next to Local
Users and Groups. Highlight the Groups folder. Select Action ➪ New Group.
3. In the New Group dialog box, type in a name for the new group in the “Group
name” text box. Enter a description if you want to. Click Add to add members to
this group.
4. In the Select Users or Groups dialog box, double-click each user or group you
want to make a member of your new group. As you double-click each user or
group, the user or group’s name will appear in the bottom section of this dialog
box. (You can also perform this step by highlighting a user or group and then
clicking Add, but double-clicking is faster and easier.) When you’ve selected all
of the users or groups you want to make members of this group, click OK.
5. In the New Group dialog box, click Create.
6. Repeat Steps 3 through 5 if you want to create additional local groups. Click Close.

Three of the most common local group management tasks are renaming
a group, deleting a group, and changing the group’s membership.

STEP BY STEP

RENAMING OR DELETING A LOCAL GROUP

1. Right-click My Computer, and select Manage from the menu that appears.
2. In the left pane of the Computer Management dialog box, click the + next to Local
Users and Groups. Highlight the Groups folder. In the right pane, right-click the
group you want to rename or delete.
To rename a group, select Rename from the menu that appears, type in a new
name for the group, and press Enter.
To delete a group, select Delete from the menu that appears. Click Yes when
Windows 2000 asks if you’re sure you want to delete the group.

TIP
Remember, you can’t delete the built-in local groups.

STEP BY STEP

ADDING MEMBERS TO AND REMOVING MEMBERS FROM A LOCAL GROUP

1. Right-click My Computer, and select Manage from the menu that appears.
2. In the left pane of the Computer Management dialog box, click the + next to Local
Users and Groups. Highlight the Groups folder. In the right pane, double-click
the group you want to change the membership of.
3. The group’s Properties dialog box appears.
To remove a member from the group, highlight the member in the Members box,
and click Remove. Skip to Step 5.
To add a member to the group, click Add.
4. In the Select Users or Groups dialog box, double-click each user or group you
want to add to the group. When you’ve selected all of the users and/or groups
you want to add, click OK.
5. In the group’s Properties dialog box, click OK.

On a Windows 2000 Professional computer, you can also use the Users
and Passwords Control Panel application to add and remove existing local
user accounts to and from existing local groups.

Groups in Active Directory

Groups in Active Directory are used to control access to network resources and to organize users who perform similar job tasks or have similar network access requirements.
There are three administrator-created kinds of groups in Active Directory: domain local groups, global groups, and universal groups. When you select one of these kinds of groups, the Windows 2000 user interface calls this selecting the Group scope. In addition to these three kinds of groups, there are built-in local, global, universal, and special groups in Active Directory.
Administrator-created groups in Active Directory can be either security groups or distribution groups. All of the built-in groups in Active Directory are security groups.
In the following sections I’ll discuss each of the various groups in Active Directory, and then explain how to create and manage these groups.

Chapter 9 ▼ Managing Users and Groups 621

Domain Local Groups

Domain local groups are groups that are created and maintained in Active Directory on Windows 2000 domain controllers. Domain local groups are used to control access to resources located on any computer in a Windows 2000 domain.
In a typical configuration, a domain local group is assigned permissions to a specific resource, such as a shared folder or a shared printer. Then individual user accounts and groups are made members of this domain local group. The result is that all members of the domain local group now have permissions to the shared resource.
A domain local group can contain user accounts from its domain, and from other domains in the forest. A domain local group can contain other domain local groups from its own domain, and can also contain global and universal groups from any domain in the forest.

Global Groups
Global groups, like domain local groups, are created and maintained in
Active Directory on Windows 2000 domain controllers. Global groups,
however, are primarily used to organize users who perform similar tasks or
have similar network access requirements.
In a typical configuration, user accounts of domain users who have sim-
ilar job functions are placed in a global group. Then this global group is
made a member of one or more domain local groups in any domain in the
forest. Each of these domain local groups is assigned permissions to a spe-
cific shared resource. The result is that members of the global group now
have permissions to the shared resource(s).
Here’s an example of how global groups can be used in real life. Suppose that when the company’s network was first installed, the administrator created user accounts, and placed these user accounts in various global groups depending on the users’ job functions. Now, the network administrator wants to assign several users permissions to a shared printer on a Windows 2000 computer. The administrator creates a new domain local group and assigns this group permissions to the shared printer. Then the administrator selects the global groups that contain the user accounts that need access to this shared printer, and makes the global groups members of the new domain local group. The result is that all domain user accounts that are members of the selected global groups now have access to the shared printer. If access to all resources is managed in this way, when a new user is created, the administrator need only make the user a member of the appropriate global group(s) in order for the user to have access to all network resources required to do his or her job.
The advantage of using global groups, then, is ease of administration — the network administrator can manage large numbers of users by placing them in a small number of global groups.
A global group can only contain user accounts and other global groups from its own domain. Global groups can’t contain domain local groups or universal groups from their own domain, and can’t contain user accounts or groups from any other domain.
Although it is not a preferred practice, you can assign user rights and permissions to global groups. Global groups can be assigned permissions to shared resources on any computer in the forest.

Universal Groups
Universal groups, like domain local groups and global groups, are created and
maintained in Active Directory on Windows 2000 domain controllers.
Universal groups, however, are used to organize users from multiple domains
that perform similar job tasks or have similar network access requirements,
and/or to control access to shared resources in multiple domains.
There’s no one typical universal group configuration. For example, you
can use a universal group as a “super” global group by placing users from
multiple domains into the universal group, and then making the universal
group a member of one or more domain local groups to which you have
assigned permissions to shared resources. Or, you can use a universal group
in much the same way as you’d use a domain local group, except that you
can assign a universal group permission to a shared resource on any com-
puter in the forest. In short, you can use universal groups just about any
way you want to.
Universal groups provide significant advantages, but sometimes present significant challenges, too. The primary advantage of using universal groups is their open membership: user accounts, global groups, and universal groups from any domain in the forest can be members of a universal group. An additional advantage of using universal groups is that universal groups can be assigned permissions to shared resources on any computer in the forest.
The main disadvantage of using universal groups is that they can cause potential network traffic problems. Here’s how this can happen. When you first create a universal group, all of the group’s members are listed in the global catalog. Then, each time you change the membership of a universal group, the global catalog is updated, and this change is replicated to all global catalog servers on your network. If you have a large number of universal groups and change them frequently, this can cause significant amounts of replication traffic on your network.
Another challenge presented by universal groups is that they are not avail-
able if your Windows 2000 domain is operating in mixed-mode, that is,
when you have both Windows 2000 domain controllers and Windows NT
4.0 backup domain controllers in your domain. Universal groups can only
be used when your Windows 2000 domain is operating in native-mode.
Because of these challenges, you should only use universal groups when
you need to organize users from multiple domains that perform similar job
tasks or have similar network access requirements, or when you need to use
a single group to control access to shared resources in multiple domains.
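The membership rules given above for the three group scopes, together with the mixed-mode restriction on universal groups, can be checked before an administrator touches a group. The following Python model is an added example, not code from the book; the forest layout, domain names and group names in it are constructed for illustration, and it walks the chapter’s shared-printer scenario (job-function global groups nested into one domain local group that holds the printer permission).

```python
"""Model of the Windows 2000 Active Directory group-scope nesting rules.

Added example (not from the book): encodes which principals each group scope
may contain, as the chapter states them, and checks a planned list of
membership changes before they are made. All names are constructed.
"""
from dataclasses import dataclass

USER, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "user", "domain local", "global", "universal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str   # DNS name of the domain the object lives in
    kind: str     # USER, DOMAIN_LOCAL, GLOBAL or UNIVERSAL


@dataclass
class Forest:
    domains: frozenset
    native_mode: frozenset = frozenset()  # domains with no NT 4.0 BDCs left


def can_be_member(member: Principal, group: Principal, forest: Forest):
    """Return (allowed, reason) for adding `member` to `group`.

    Rules as the chapter states them:
      domain local: users from any domain in the forest, domain local groups
                    from its own domain, global/universal groups from any domain
      global:       users and global groups from its own domain only
      universal:    users, global and universal groups from any domain in the
                    forest; only usable when the group's domain is native mode
    """
    if member.domain not in forest.domains or group.domain not in forest.domains:
        return False, "both objects must belong to a domain in this forest"
    if member == group:
        return False, "a group cannot be a member of itself"
    same_domain = member.domain == group.domain
    if group.kind == DOMAIN_LOCAL:
        if member.kind in (USER, GLOBAL, UNIVERSAL):
            return True, "domain local groups accept users, global and universal groups from the forest"
        if member.kind == DOMAIN_LOCAL and same_domain:
            return True, "domain local groups may nest domain local groups from their own domain"
        return False, "domain local groups cannot contain domain local groups from other domains"
    if group.kind == GLOBAL:
        if member.kind in (USER, GLOBAL) and same_domain:
            return True, "global groups accept users and global groups from their own domain"
        if member.kind in (USER, GLOBAL):
            return False, "global groups cannot contain objects from other domains"
        return False, f"global groups cannot contain {member.kind} groups"
    if group.kind == UNIVERSAL:
        if group.domain not in forest.native_mode:
            return False, "universal groups are not available in a mixed-mode domain"
        if member.kind in (USER, GLOBAL, UNIVERSAL):
            return True, "universal groups accept users, global and universal groups from the forest"
        return False, "universal groups cannot contain domain local groups"
    return False, f"{group.kind!r} is not a group scope"


def validate_plan(plan, forest):
    """Split a list of (member, group) changes into accepted and rejected ones."""
    accepted, rejected = [], []
    for member, group in plan:
        ok, reason = can_be_member(member, group, forest)
        (accepted if ok else rejected).append((member.name, group.name, reason))
    return accepted, rejected


# Constructed forest: corp.example.test runs in native mode; sales.example.test
# still has a Windows NT 4.0 BDC and therefore runs in mixed mode.
FOREST = Forest(domains=frozenset({"corp.example.test", "sales.example.test"}),
                native_mode=frozenset({"corp.example.test"}))

# The chapter's printer scenario: one domain local group holds the printer
# permission, and the job-function global groups are nested into it.
PRINTER_ACL_GROUP = Principal("SalesPrinter-Print", "corp.example.test", DOMAIN_LOCAL)
SALES_REPS = Principal("Sales Reps", "sales.example.test", GLOBAL)
MARKETING = Principal("Marketing", "corp.example.test", GLOBAL)
PRINTER_PLAN = [(SALES_REPS, PRINTER_ACL_GROUP), (MARKETING, PRINTER_ACL_GROUP)]

if __name__ == "__main__":
    ok, bad = validate_plan(PRINTER_PLAN, FOREST)
    for entry in ok:
        print("OK      ", *entry)
    for entry in bad:
        print("REJECTED", *entry)
```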

Built-in Groups on Domain Controllers

Built-in groups (in Active Directory) are security groups with preset characteristics that are automatically created during the installation of Active Directory. There are four kinds of built-in groups on Windows 2000 domain controllers: built-in local groups, built-in global groups, built-in universal groups, and built-in special groups.

Built-in Local Groups Built-in local groups on domain controllers are groups that are automatically created during the installation of Active Directory and stored in the Builtin folder. Built-in local groups have rights and/or permissions that enable their members to perform specific tasks in Active Directory and/or on Windows 2000 domain controllers in the domain.
You can assign rights and permissions to built-in local groups on domain controllers only for resources located in Active Directory and/or on domain controllers in the domain. You can also add members to and remove members from built-in local groups on domain controllers (except that you can’t remove the Administrator account from the Administrators group).
Built-in local groups on domain controllers can contain user accounts from the domain and from other domains in the forest. In addition, built-in local groups on domain controllers can contain domain local groups from the domain, and global and universal groups from any domain in the forest.
Built-in local groups on domain controllers can’t contain other built-in local groups. And, built-in local groups on domain controllers can’t be members of any other groups.
There are nine built-in local groups that are automatically created during the installation of Active Directory on a Windows 2000 domain controller:
■ Account Operators: Members of this group can create, delete, and modify domain user and group accounts in the domain, except that Account Operators can’t modify the Administrator account and can’t modify or change the membership of the Administrators, Account Operators, Backup Operators, Print Operators, or Server Operators groups. This group initially has no members.
■ Administrators: Members of this group have full administrative rights and permissions to administer Active Directory (including all of its domain users, groups, and other objects) and all domain controllers in the domain. This group initially contains the Administrator account, the Domain Admins group, and the Enterprise Admins group.
■ Backup Operators: Members of this group have permissions to back up and restore all files on all domain controllers in the domain, even if the user does not have permissions to all files. This group initially has no members.
■ Guests: Members of this group have no initial rights or permissions. This group initially contains the Domain Guests group and the Guest account.
■ Pre-Windows 2000 Compatible Access: Members of this group have the Read permission for all domain users and groups in the domain. This group initially has no members. The purpose of this group is to enable users of Windows NT 4.0 computers to log on to the domain. If you have Windows NT 4.0 computers in the domain, you should make the Everyone group a member of this group.
■ Print Operators: Members of this group can create and manage printers on any domain controller in the domain. This group initially has no members.
■ Replicator: This group, which supports directory replication processes, is included in Windows 2000 to provide backward compatibility with the Windows NT 4.0 Directory Replicator service. This group initially has no members.
■ Server Operators: Members of this group have permissions to back up and restore files and folders on all domain controllers in the domain, and can share folders on any domain controller in the domain. This group initially has no members.
■ Users: Members of this group have no initial rights or permissions. You can assign to this group rights and permissions that you want all domain users to have. This group initially contains the Authenticated Users, Domain Users, and Interactive groups. As new domain user accounts are created, they are automatically made members of the Domain Users group, which is a member of the built-in Users group.

Built-in Global and Universal Groups Built-in global and universal groups
on domain controllers are automatically created during the installation of
Active Directory and stored in the Users folder. Built-in global and uni-
versal groups are primarily used to group users by the types of administra-
tive tasks they can perform in Active Directory and on all computers in the
Windows 2000 domain.
Built-in global and universal groups on domain controllers have the
same characteristics as administrator-created global and universal groups
(which were covered earlier in this chapter).
There are numerous built-in global and universal groups. Below I’ve
listed and described the most common ones:
■ Domain Admins: Members of this global group have no initial rights or permissions. This group initially derives all of its rights and permissions from its membership in other groups. By default, this group is a member of the domain’s built-in local Administrators group and the local built-in Administrators group on all computers that are members of the domain. As a result of this group’s membership in other groups, members of Domain Admins can administer Active Directory and all computers in the domain. This group initially contains the Administrator account.
■ Domain Users: Members of this global group have no initial rights or permissions. This group initially derives all of its rights and permissions from its membership in other groups. By default, this group is a member of the domain’s built-in local Users group and the local built-in Users group on all computers that are members of the domain. This group initially contains all domain user accounts created when Active Directory is installed, including the Administrator and Guest accounts. As new domain user accounts are created, they are automatically made members of Domain Users.
■ Domain Guests: Members of this global group have no initial rights or permissions. This group initially derives all of its rights and permissions from its membership in the domain’s built-in local Guests group. This group initially contains the Guest account.
■ Enterprise Admins: Members of this universal group have no initial rights or permissions. This group initially derives all of its rights and permissions from its membership in the built-in local Administrators group of each domain in the forest. As a result of this membership, members of Enterprise Admins can administer Active Directory throughout the forest and all domain controllers in the forest. If you have multiple domains in your forest, Windows 2000 only creates the Enterprise Admins group in the first domain in the forest. This group initially contains the Administrator account.
■ Schema Admins: Members of this universal group can modify the Active Directory schema. If you have multiple domains in your forest, Windows 2000 only creates the Schema Admins group in the first domain in the forest. This group initially contains the Administrator account.

Built-in Special Groups Built-in special groups on domain controllers are automatically created during the installation of Active Directory. These built-in special groups are used for specific purposes by the operating system, and are sometimes called system groups.
All of the built-in special groups that exist on nondomain controllers are also present on Windows 2000 domain controllers. The built-in special groups on domain controllers have the same characteristics as the built-in special groups on nondomain controllers. (Built-in special groups on nondomain controllers are covered earlier in this chapter.)

Creating Groups in Active Directory

You can create groups in Active Directory by using Active Directory Users and Computers. You must be a member of the domain’s built-in local Administrators or Account Operators groups to create groups in Active Directory.

STEP BY STEP

CREATING A GROUP IN ACTIVE DIRECTORY

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain in which you want to create a group. Notice the
Users folder in the domain tree. This folder is the default container in which
Windows 2000 places most groups (and all users) that it automatically creates
when Active Directory is installed.
If you have a relatively small organization, you may want to place your administra-
tor-created groups in the Users folder, too, so that you can easily locate and
administer them.
Or, if you have a large organization and use OUs to administer groups of users,
you can place administrator-created groups in the appropriate OUs.
Highlight the Users folder or the OU in which you want to create a group, and
select Action ➪ New ➪ Group.
3. The New Object-Group dialog box appears, as shown in Figure 9-25.

FIGURE 9-25 Creating a new group

In the “Group name” text box, enter a name for the group.
If you have Windows NT 4.0 computers in your domain, you can assign the group
a different name for those computers by entering it in the “Group name (pre-
Windows 2000)” text box. If you choose to assign a different name, it should con-
tain 20 characters or fewer for backward compatibility with Windows NT 4.0.

STEP BY STEP Continued

Select a group scope — either Domain local, Global, or Universal. The default
selection is Global.

TIP
You can’t create a universal group in a Windows 2000 domain that is
operating in mixed-mode.

Select a group type — either Security or Distribution. The default selection is Security. Click OK.
4. Windows 2000 creates the new group, and displays it in the right pane of the
Active Directory Users and Computers dialog box.

Configuring and Managing Group Properties in Active Directory
Once you’ve created groups in Active Directory, you’ll want to add mem-
bers to these groups and configure various group properties.
You can configure and manage groups in Active Directory by using
Active Directory Users and Computers. Members of the Administrators
group can fully manage and modify all groups in Active Directory, whereas
members of the Account Operators group can manage all groups except
the Administrators, Account Operators, Backup Operators, Print
Operators, and Server Operators groups.
Some of the most common group management tasks include adding
and removing members to and from a group, renaming a group, deleting a
group, and configuring group properties.

STEP BY STEP

ADDING MEMBERS TO AND REMOVING MEMBERS FROM A GROUP IN ACTIVE DIRECTORY

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain that contains the group you want to add or
remove members to or from. Then highlight the Users folder or the OU that
contains this group. In the right pane, double-click this group.

STEP BY STEP Continued

3. In the group’s Properties dialog box, click the Members tab.
4. The Members tab appears.
To remove a member from the group, highlight the member in the Members box
and click Remove. Then click Yes when Windows 2000 asks if you want to
remove the selected member from the group. Skip to Step 6.
To add a member to the group, click Add.
5. The Select Users, Contacts, Computers, or Groups dialog box appears. To add
members to this group from the current domain, double-click each user, contact,
computer, or group that you want to add.
If you want to add members to this group from other domains, select the domain
from the “Look in” drop-down list box. Then double-click each user, contact, com-
puter, or group that you want to add.
When you finish adding members to the group, click OK.
6. In the group’s Properties dialog box, click OK.

RENAMING OR DELETING A GROUP IN ACTIVE DIRECTORY

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain that contains the group you want to rename or
delete. Then highlight the Users folder or the OU that contains this group. In the
right pane, right-click the group you want to rename or delete.
To rename the group, select Rename from the menu that appears, type in a
new name for the group, and press Enter. Then click OK in the Rename Group
dialog box.
To delete the group, select Delete from the menu that appears. Click Yes when
Windows 2000 asks if you’re sure you want to delete the group.

TIP
You can’t delete any of the domain’s built-in groups.

CONFIGURING PROPERTIES OF A GROUP IN ACTIVE DIRECTORY

1. Start Active Directory Users and Computers. (Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.)
2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain that contains the group you want to configure.
Then highlight the Users folder or the OU that contains this group. In the right
pane, double-click this group.

STEP BY STEP Continued

3. The group’s Properties dialog box appears, as shown in Figure 9-26. Notice the
six tabs in this dialog box: General, Members, Member Of, Managed By, Object,
and Security. (The Object and Security tabs are only displayed when Advanced
Features is selected in the View menu.)

FIGURE 9-26 Configuring a group’s properties

On the General tab, you can change the group’s pre-Windows 2000 name, enter
a description for the group, and enter the e-mail address for the group.
On this tab you can also change the group scope. The three possible options
are Domain local, Global, and Universal. The actual options available to you will
depend on the type of group you’re configuring.
You can also change the group type on the General tab. The two possible options
are Security and Distribution.

CAUTION
Changing the group scope or group type can significantly change the
structure and functionality of the group, including the membership of the
group, the resources to which the group can be assigned permissions,
and so on. In general, I recommend that you don’t change the group
scope or group type.

STEP BY STEP Continued

Make any appropriate changes on the General tab. If you’re finished configuring
the group, click OK. Otherwise, I’ll explain the other tabs in the following steps.
4. On the Members tab, you can add and remove members to and from the group.
(For detailed instructions, see the step-by-step section titled “Adding Members to and Removing Members from a Group in Active Directory.”)
5. On the Member Of tab, you can add this group to and remove this group from
other groups.
6. On the Managed By tab, you can select a user from any domain in Active
Directory to be listed as the manager for this group. All of the user’s contact infor-
mation will then be displayed on this tab. To select a user, click Change, and then
select a user from the Select User or Contact dialog box. Click OK. If you need to
view or modify the user’s contact data, click View.
7. On the Object tab, you can view information about the group, including the
group’s FQDN, the date the group was created, the date the group was last mod-
ified, and so on. No configurations are possible on this tab.
8. On the Security tab, you can specify the users and groups that are permitted to
view or modify the properties of this group, and assign permissions to these users
and groups.
9. When you’re finished configuring the group’s properties, click OK in the group’s
Properties dialog box.

KEY POINT SUMMARY

Several important user and group topics were introduced in this chapter:
■ User authentication is the process of verifying a user’s credentials for the pur-
pose of determining whether the user is permitted to access a local computer
or a network resource, such as a shared folder or shared printer.
■ There are two Windows 2000 built-in user accounts: Administrator and Guest.
■ You can use the Local Users and Groups tool in Computer Management to
create and configure local user accounts on a nondomain controller.
■ To create and configure domain user accounts in Active Directory, use Active
Directory Users and Computers.
■ You can also create user accounts by using a batch file or a script file in con-
junction with the NET USER command-line utility.

■ You can copy, rename, and delete user accounts, with the exception of the two
built-in accounts, Administrator and Guest, which can’t be deleted.
■ A user profile is a folder that contains a collection of settings and options that
specify a user’s desktop and all other user-definable settings for a user’s work
environment. The System application in Control Panel is used to copy user
profiles.
■ Roaming user profiles are user profiles that are stored on a Windows 2000
Server computer. Because these profiles are stored on a server, they are avail-
able to users regardless of which Windows 2000 computer on the network
they log on to.
■ A mandatory user profile is a user profile that, when assigned to a user, can’t
be changed by the user. A user can make changes to desktop and work envi-
ronment settings during a single logon session, but these changes are not
saved to the mandatory user profile when the user logs off.
■ Windows 2000 account policies are sets of rules that are applied to many user
accounts, often to all of the users in a domain. There are three major types of
account policies: password policy, account lockout policy, and Kerberos policy.
■ User rights authorize individual users and groups to perform specific tasks.
User rights are not the same as permissions: user rights enable users to per-
form tasks; whereas permissions enable users to access objects, such as files,
folders, printers, and Active Directory objects.
■ Groups on the local computer are primarily used to control access to
resources on that computer. All groups on the local computer are security
groups. There are two kinds of groups found on the local computer: local
groups and built-in groups.
■ You can create and manage local groups by using the Local Users and Groups
tool in Computer Management. You must be a member of the Administrators,
Power Users, or Users groups to create a local group.
■ Groups in Active Directory are used to control access to network resources
and to organize users who perform similar job tasks and/or have similar net-
work access requirements.
■ There are three administrator-created kinds of groups in Active Directory:
domain local groups, global groups, and universal groups. In addition, there
are built-in local, global, universal, and special groups in Active Directory.

■ You can create groups in Active Directory by using Active Directory Users
and Computers. You must be a member of the domain’s built-in local
Administrators or Account Operators groups to create groups in Active
Directory.

STUDY GUIDE
This section contains several exercises designed to drive home the user and group concepts presented in this chapter:
■ Assessment questions: These questions test your knowledge of the user and group topics covered in this chapter. You can find the answers to these questions at the end of this chapter.
■ Scenario: The situation-based questions in scenarios challenge you to apply your understanding of the material to solve a hypothetical problem. In this chapter’s scenario, you are asked to describe the action you would take to solve a number of given troubleshooting problems. You don’t need to be at a computer to do scenarios. Answers to this chapter’s scenario are presented at the end of this chapter.
■ Lab Exercises: These exercises are hands-on practice activities that you perform on a Windows 2000 computer. The two labs in this chapter give you an opportunity to create local and domain user and group accounts; test local user authentication; and work with account policies, user rights, and user profiles.

Assessment Questions
1. You want to create a local user account on a Windows 2000 computer. Which tool should you use?
A. Local Security Policy
B. Local Users and Groups
C. The System application
D. Active Directory Users and Computers
2. You want to create a domain user account. Which tool should you use?
A. Users and Passwords
B. The System application
C. Local Users and Groups
D. Active Directory Users and Computers
3. You want to assign a roaming user profile to a user. Where should you store this user’s profile folder?
A. In the C:\Documents and Settings\user_name folder on
the local computer
B. In the All Users profile folder on the local computer
C. In a shared folder on a Windows 2000 Server computer
D. In the Default User profile folder on a Windows 2000 Server
computer
4. You want to assign a mandatory user profile to a user. What must you do?
A. Rename the user’s NTUSER.DAT file.
B. Rename the user’s ntuser.ini file.
C. Copy the Default User profile folder to the user’s profile folder.
D. Copy the user’s profile folder to the Default User profile folder.
5. You want to copy a user profile. What tool should you use?
A. Windows Explorer
B. The System application
C. Local Users and Groups
D. Active Directory Users and Computers
6. You want all of the users on your Windows 2000 network to use passwords that are at least eight characters long. You also want all users to use two different passwords before an old password can be reused. Which account policies should you configure?
A. “Enforce password history” and “Minimum password age”
B. “Maximum password age” and “Minimum password length”
C. “Enforce password history” and “Minimum password length”
D. “Minimum password length” and “Passwords must meet com-
plexity requirements”
7. You want to configure a newly created local group on the local Windows 2000 computer. Which tool should you use?
A. Local Security Policy
B. Local Users and Groups
C. The System application
D. Active Directory Users and Computers
8. You want to create a domain local group. Which tool should you use?
A. Local Security Policy
B. Domain Security Policy
C. Local Users and Groups
D. Active Directory Users and Computers
9. Your company has 50 sales representatives. The domain user accounts of these sales representatives are the only members of a single global group. You want to assign all of the sales representatives permissions to a specific printer located in the sales office. How can you efficiently accomplish this?
A. Assign each of the sales representatives’ user accounts permissions to the printer.
B. Create a new global group. Make the user accounts of all of the sales representatives members of the new global group. Assign permissions to the printer to the new global group.
C. Create a new built-in special group. Assign permissions to the printer to the built-in special group. Make the global group that contains the sales representatives a member of the new built-in special group.
D. Create a new domain local group. Assign permissions to the printer to the new domain local group. Make the global group that contains the sales representatives a member of the new domain local group.
10. You want to use a single group to organize users from multiple domains that perform similar job tasks. Which kind of group should you use?
A. Universal group
B. Global group
C. Domain local group
D. Built-in special group

Scenarios
The following scenarios provide you with an opportunity to apply the knowledge you’ve gained in this chapter about troubleshooting local and domain user accounts. User account problems can arise due to a number of different causes. For each of the following problems, consider the given situation and facts, and state what course of action you would take to try to resolve the problem.
1. A user, ToddE, reports that he can’t log on to his Windows 2000 computer. Windows 2000 displayed the following message: “Your account has been disabled. Please see your system administrator.”
2. A user, SusanB, usually works from Monday through Friday. However, this past weekend she came in to work and could not log on to her Windows 2000 computer. Windows 2000 displayed the following message: “Unable to log you on because of an account restriction.”
3. A user, AnneC, reports that Windows 2000 prompted her to change her password, but when she typed in a new password, Windows 2000 would not accept the new password. Windows 2000 displayed the following message: “Your password must be at least 9 characters; cannot repeat any of your previous 3 passwords; must contain capitals, numerals, or punctuation . . .”
4. A user, JeffT, reports that he can’t log on locally to your network’s Windows 2000 domain controller.
5. A user, GregZ, reports that he is unable to log on to his Windows 2000 computer. Windows 2000 displayed the following message: “The system could not log you on.”

Lab Exercises
These labs are designed to provide you with hands-on experience working
with users and groups in a Windows 2000 environment.
Lab 9-1 Implementing local user authentication and local users and groups
Exam material: Professional, Server

The purpose of this lab is to give you practical experience working with local users and groups on a Windows 2000 Professional computer.
There are three parts to this lab:
■ Part 1: Creating and Configuring Local Users and Groups
■ Part 2: Implementing and Configuring User Rights
■ Part 3: Testing Local User Authentication
Begin this lab by booting your computer to Windows 2000 Professional
and logging on as Administrator.

Part 1: Creating and Configuring Local Users and Groups

In this part, you use Local Users and Groups to create two local user accounts and configure account settings. You also create and configure a group on the local computer, and place your two new users in groups.
1. From the desktop, right-click My Computer, and select Manage from the menu that appears.
2. In the Computer Management dialog box, click the + next to Local Users and Groups. Highlight the Users folder, and select Action ➪ New User.
3. The New User dialog box appears. Type User1 in the “User name” text box. Type Regular User in the “Full name” text box. Type newuser in the Password text box. Confirm the password by retyping it. Click Create.
4. The New User dialog box reappears. Type Backup in the “User name” text box. Type Backup User in the “Full name” text box. Type Can only backup files in the Description text box. Type password in the Password text box. Confirm the password by retyping it. Clear the check box next to “User must change password at next logon.” Select the check box next to “User cannot change password” and “Password never expires.” Click Create.
5. In the New User dialog box, click Close. The new users are created, and appear in the right pane of the Computer Management dialog box. In the right pane, double-click User1.
6. In the User1 Properties dialog box, click the Profile tab.
7. On the Profile tab, type C:\User1 in the “Profile path” text box. Click OK.
8. In the left pane of the Computer Management dialog box, highlight the Groups folder. Select Action ➪ New Group.
9. In the New Group dialog box, type Backuponly in the “Group name” text box. Enter a description of Members can back up files but not restore them. Click Add.
10. In the Select Users or Groups dialog box, scroll down until the user named Backup is displayed. Double-click Backup. Click OK.
11. In the New Group dialog box, click Create. Then click Close.
12. In the right pane of the Computer Management dialog box, double-click Power Users.
13. In the Power Users Properties dialog box, click Add.
14. In the Select Users or Groups dialog box, scroll down until the user named User1 is displayed. Double-click User1. Click OK.
15. In the Power Users Properties dialog box, click OK.
16. Close Computer Management.

Part 2: Implementing and Configuring User Rights

In this part, you use the Local Security Policy tool to assign user rights to
the group you created in Part 1.
1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Administrative Tools.
3. In the Administrative Tools dialog box, double-click Local Security
Policy.
4. In the left pane of the Local Security Settings dialog box, click
the + next to Local Policies. In the left pane, highlight User Rights
Assignment. In the right pane, double-click the “Log on locally”
user right.
5. In the Local Security Policy Setting dialog box, click Add.
6. In the Select Users or Groups dialog box, scroll down until the
Backuponly group is displayed. Double-click Backuponly. Click OK.
7. In the Local Security Policy Setting dialog box, click OK.
8. In the right pane of the Local Security Settings dialog box, double-click the “Back up files and directories” user right.
9. In the Local Security Policy Setting dialog box, click Add.
10. In the Select Users or Groups dialog box, scroll down until the
Backuponly group is displayed. Double-click Backuponly. Click OK.
11. In the Local Security Policy Setting dialog box, click OK.
12. Close the Local Security Settings dialog box.
13. Close Administrative Tools.

Part 3: Testing Local User Authentication

In this part, you test local user authentication by logging on as one of the
users you created in Part 1.
1. From the desktop, select Start ➪ Shut Down.
2. In the Shut Down Windows dialog box, select “Log off administrator”
from the drop-down list box. Click OK.
3. In the Log On to Windows dialog box, enter a User name of User1,
and a password of wrongo, and click OK.
4. A Logon Message appears, indicating that the system could not log
you on. Local user authentication failed because you entered an
incorrect user password. Click OK.
5. In the Log On to Windows dialog box, enter a password of newuser,
and click OK.
6. A Logon Message appears, indicating that you must change your password. (Remember that when you created this user, you accepted the
default selection of “User must change password at next logon.”)
Click OK.
7. In the Change Password dialog box, type password in the New
Password text box, and confirm the new password by retyping it.
Click OK.
8. A Change Password dialog box appears, indicating that your password
has been changed. Click OK.
9. Windows 2000 logs you on as User1. You have successfully authenticated to Windows 2000 by using a local user account. Shut down your computer, reboot it to Windows 2000 Server, and log on as Administrator to do the next lab.

Lab 9-2 Implementing domain user and group accounts, account policies, user rights, and user profiles
Exam material: Professional, Server, Directory Services

The purpose of this lab is to give you practical experience working with
domain users and groups on a Windows 2000 Server computer.
There are four parts to this lab:
■ Part 1: Configuring Account Policies and Assigning User Rights
■ Part 2: Creating and Configuring Domain User and Group Accounts
■ Part 3: Creating and Configuring Domain User Accounts by
Scripting
■ Part 4: Configuring and Managing User Profiles
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Configuring Account Policies and Assigning User Rights

In this part, you use the Domain Security Policy tool to configure account
policies (including password policy and account lockout policy) and to
assign a user right.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Domain Security
Policy.
2. In the left pane of the Domain Security Policy dialog box, click the + next to Security Settings. Then click the + next to Account Policies. Highlight Password Policy.
3. In the right pane, double-click “Enforce password history.”
4. In the Security Policy Setting dialog box, configure the “Keep password history” spin box to 8 passwords remembered. Click OK.
5. In the right pane of the Domain Security Policy dialog box, double-click “Maximum password age.”
6. In the Security Policy Setting dialog box, configure the “Passwords expire in” spin box to 30 days. Click OK.
7. If a Suggested Value Changes dialog box appears, click OK.
8. In the right pane of the Domain Security Policy dialog box, double-click “Minimum password age.”
9. In the Security Policy Setting dialog box, configure the “Passwords can be changed after” spin box to 5 days. Click OK.
10. In the right pane of the Domain Security Policy dialog box, double-click “Minimum password length.”
11. In the Security Policy Setting dialog box, configure the “No password required” spin box to 8 characters. (Note that the name of this spin box changes to “Password must be at least.”) Click OK.
12. In the left pane of the Domain Security Policy dialog box, highlight Account Lockout Policy.
13. In the right pane, double-click “Account lockout threshold.”
14. In the Security Policy Setting dialog box, configure the “Account will not lock out” spin box to 3 invalid logon attempts. (Note that the name of this spin box changes to “Account will lock out after.”) Click OK.
15. In the Suggested Value Changes dialog box, click OK.
16. In the left pane of the Domain Security Policy dialog box, click
the + next to Local Policies. In the left pane, highlight User Rights
Assignment. In the right pane, double-click the “Log on locally”
user right.
17. In the Security Policy Setting dialog box, select the check box next to
“Define these policy settings.” Click Add.
18. In the “Add user or group” dialog box, click Browse.
19. In the Select Users or Groups dialog box, scroll down until the
Everyone group is displayed. Double-click Everyone. Click OK.
20. In the “Add user or group” dialog box, click OK.
21. In the Security Policy Setting dialog box, click OK.
22. Close Domain Security Policy.
IN THE REAL WORLD

You have just assigned the “Log on locally” user right to the Everyone
group for all computers in the domain. This is not typically done in the real
world, but is necessary for you to complete the labs in this book because
your lab computer is a Windows 2000 domain controller.

Part 2: Creating and Configuring Domain User and Group Accounts

In this part, you use Windows Explorer to create and share a folder that
will contain roaming user profiles. Then you use Active Directory Users
and Computers to create and configure several domain user and group
accounts. Finally, you assign users to groups.
1. From the desktop, right-click My Computer, and select Explore from
the menu that appears.
2. In the left pane of the My Computer dialog box, highlight Local Disk
(C:). Select File ➪ New ➪ Folder.
3. In the right pane, type in a new folder name of Profiles and press
Enter. In the right pane, right-click the Profiles folder, and select
Sharing from the menu that appears.
4. In the Profiles Properties dialog box, select the “Share this folder” option. Click OK. You’ve now created and shared a folder that will contain roaming user profiles.
5. Close Windows Explorer.
6. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory
Users and Computers.
7. In the left pane of the Active Directory Users and Computers dialog
box, click the + next to domain1.mcse. Click the + next to the HQ
Seattle OU.
8. Highlight the Accounting OU, and select Action ➪ New ➪ User.
9. In the New Object - User dialog box, enter the following information:
First name: Robert
Last name: Jones
User logon name: RobertJ
Click Next.
10. In the New Object - User dialog box, enter a password of changeme,
and confirm this password by retyping it. Select the check box next to
“User must change password at next logon.” Click Next.
11. In the New Object - User dialog box, click Finish.
12. Repeat Steps 8 through 11 to create two additional new users in the Accounting OU. When prompted, enter the following information for the additional new users:

Text Box Label     1st Additional User   2nd Additional User
First name         Nancy                 Mike
Last name          Yates                 Cook
User logon name    NancyY                MikeC
Password           changeme              changeme

13. In the left pane of the Active Directory Users and Computers dialog
box, highlight the Information Services OU, and select Action ➪
New ➪ User.
14. In the New Object - User dialog box, enter the following information:
First name: Mike
Last name: Calhoun
User logon name: MikeCa
Click Next.
15. In the New Object - User dialog box, enter a password of changeme,
and confirm this password by retyping it. Select the check box next to
“User must change password at next logon.” Click Next.
16. In the New Object - User dialog box, click Finish.
17. In the left pane of the Active Directory Users and Computers dialog
box, highlight the Marketing OU, and select Action ➪ New ➪ User.
18. In the New Object - User dialog box, enter the following information:
First name: Pam
Last name: Rhodes
User logon name: PamR
Click Next.
19. In the New Object - User dialog box, enter a password of changeme,
and confirm this password by retyping it. Select the check box next to
“User must change password at next logon.” Click Next.
20. In the New Object - User dialog box, click Finish.
21. Repeat Steps 17 through 20 to create three additional new users in the Marketing OU. When prompted, enter the following information for the additional new users:

Text Box Label     1st New User   2nd New User   3rd New User
First name         John           Colleen        Bill
Last name          Spencer        Green          Tracy
User logon name    JohnS          ColleenG       BillT
Password           changeme       changeme       changeme

22. In the left pane of the Active Directory Users and Computers dialog box, highlight the Accounting OU. Then, in the right pane, double-click Robert Jones.
23. On the General tab in the Robert Jones Properties dialog box, type
Accounting Manager in the Description text box. Click the
Profile tab.
24. On the Profile tab, type \\Server01\Profiles\RobertJ in the Profile
path text box. Click OK.
25. Repeat Steps 22 through 24 to configure account settings for each
of the new domain users you created. Remember to highlight the
appropriate OU to access each user account. Use the following table
to assign a description and profile path to each user.

OU                     User            Description                    Profile Path
Accounting             Nancy Yates     Accounting Staff               \\Server01\Profiles\NancyY
Accounting             Mike Cook       Accounting Staff               \\Server01\Profiles\MikeC
Information Services   Mike Calhoun    Information Services Manager   \\Server01\Profiles\MikeCa
Marketing              Pam Rhodes      District Manager               \\Server01\Profiles\PamR
Marketing              John Spencer    Sales Manager                  \\Server01\Profiles\JohnS
Marketing              Colleen Green   Sales Rep                      \\Server01\Profiles\ColleenG
Marketing              Bill Tracy      Sales Rep                      \\Server01\Profiles\BillT

26. In the left pane of the Active Directory Users and Computers dialog
box, highlight the Accounting OU.
27. Select Action ➪ New Group.
28. In the New Object - Group dialog box, enter/configure the following
information for the new group:
Group name: Accountants
Group scope: Global
Group type: Security
Click OK.
29. In the right pane of the Active Directory Users and Computers
dialog box, double-click the group you just created.
30. On the General tab in the group’s Properties dialog box, type
Accounting Managers and Staff in the Description text box.
Click the Members tab.
31. On the Members tab, click Add.
32. In the Select Users, Contacts, Computers, or Groups dialog box, add the following users to the group by double-clicking each user: Pam Rhodes, Robert Jones, Nancy Yates, and Mike Cook. Then click OK.
33. In the group’s Properties dialog box, click OK.
34. In the left pane of the Active Directory Users and Computers dialog box, highlight the Marketing OU. Then repeat Steps 27 through 33 two more times to create and configure two additional groups. Use the information in the following table to help you create these two groups.
Configurable Options           1st Additional Group                 2nd Additional Group
Group name                     Sales                                Managers
Group scope                    Global                               Global
Group type                     Security                             Security
Description                    Sales Managers and Representatives   Corporate Managers
Members to be added to group   Pam Rhodes, John Spencer,            Pam Rhodes, John Spencer,
                               Colleen Green, Bill Tracy            Robert Jones, Mike Calhoun

35. In the left pane of the Active Directory Users and Computers dialog
box, highlight the Users folder. In the right pane, double-click the
Enterprise Admins group.
36. In the Enterprise Admins Properties dialog box, click the Members tab.
37. On the Members tab, click Add.
38. In the Select Users, Contacts, Computers, or Groups dialog box, scroll
down until Mike Calhoun is displayed. Double-click Mike Calhoun.
Click OK.
39. In the Enterprise Admins Properties dialog box, click OK. You have just made Mike Calhoun (the Information Services Manager) a member of the Enterprise Admins group so that he can administer Active Directory and all computers in the domain. Close Active Directory Users and Computers.

Part 3: Creating and Configuring Domain User Accounts by Scripting

In this part, you use Notepad and the NET USER and NET GROUP command-line utilities to create a script file. Then you use this script file to create two new domain users and assign these users to the Domain Admins group.
1. From the desktop, select Start ➪ Programs ➪ Accessories ➪ Notepad.
2. In the Untitled - Notepad dialog box, enter the following three lines of text. (Press Enter after you type each line. Use straight double quotes around the full names; curly quotes are not accepted by the command interpreter.)
net user SteveS password /add /fullname:"Steve Smith" /domain
net user PeteS password /add /fullname:"Pete Short" /domain
net group "domain admins" SteveS PeteS /add /domain
Select File ➪ Save As.
3. In the Save As dialog box, type C:\newusers.bat in the “File name”
text box. Select “All Files” from the “Save as type” drop-down list
box. Click Save.
4. Close Notepad.
5. Select Start ➪ Run.
6. In the Run dialog box, type C:\newusers.bat in the Open text box. Click OK. Windows 2000 creates the two new users and adds them to the Domain Admins group.
7. Start Active Directory Users and Computers. (Select Start ➪ Programs
➪ Administrative Tools ➪ Active Directory Users and Computers.)
8. In the left pane of the Active Directory Users and Computers dialog box, click the + next to domain1.mcse (if it is not already expanded). Highlight the Users folder. In the right pane, scroll down until the new users you just created (PeteS and SteveS) are displayed. Then scroll up until the Domain Admins group is displayed. Double-click Domain Admins.
9. In the Domain Admins Properties dialog box, click the Members tab.
10. On the Members tab, notice that both PeteS and SteveS are listed as
members of the Domain Admins group. Click OK.
11. Close Active Directory Users and Computers.

Part 4: Configuring and Managing User Profiles

In this part, you log on as one of the new users you created in Part 3. Then you customize the user’s profile, copy the customized user profile to the Default User profile folder, and assign a mandatory user profile to a user.
1. From the desktop, select Start ➪ Shut Down.
2. In the Shut Down Windows dialog box, select “Log off administrator” from the drop-down list box. Click OK.
3. Press Ctrl+Alt+Delete.
4. In the Log On to Windows dialog box, enter a user name of SteveS
and a password of password. Click OK.
5. In the Windows 2000 Configure Your Server dialog box, clear the
check box next to “Show this screen at startup”. Close the Windows
2000 Configure Your Server dialog box.
6. Right-click the desktop, and select Properties from the menu that
appears.
7. On the Background tab in the Display Properties dialog box, select a
wallpaper of Snow Trees from the scrolling list box. Click OK.
8. Click Yes to enable Active Desktop.
9. Right-click the desktop, and select New ➪ Shortcut from the menu
that appears.
10. In the Create Shortcut dialog box, type calc.exe in the text box.
Click Next.
11. In the Select a Title for the Program dialog box, type Calculator in the text box. Click Finish. The shortcut to the calculator appears on the desktop.
12. From the desktop, select Start ➪ Shut Down.
13. In the Shut Down Windows dialog box, select “Log off SteveS” from
the drop-down list box. Click OK.
14. Press Ctrl+Alt+Delete.
15. In the Log On to Windows dialog box, enter a user name of
Administrator and a password of password. Click OK.
16. Right-click My Computer, and select Properties from the menu that
appears.
17. In the System Properties dialog box, click the User Profiles tab.
18. On the User Profiles tab, highlight the DOMAIN1\SteveS profile
and click Copy To.
19. In the Copy To dialog box, type C:\Winnt\Sysvol\Sysvol\domain1.mcse\Scripts\Default User in the “Copy profile to” text box. Click Change.
20. In the Select User or Group dialog box, type Everyone in the Name text box. Click OK.
21. In the Copy To dialog box, click OK. You have just modified the domain-wide Default User profile folder.
22. In the System Properties dialog box, highlight the DOMAIN1\SteveS
profile and click Copy To.
23. In the Copy To dialog box, type \\Server01\Profiles\BillT in the
“Copy profile to” text box. Click Change.
24. In the Select User or Group dialog box, scroll down until the user
Bill Tracy is displayed. Double-click Bill Tracy.
25. In the Copy To dialog box, click OK. You’ve just copied Steve Smith’s user profile to Bill Tracy’s profile folder.
26. In the System Properties dialog box, click OK.
27. Right-click My Computer, and select Explore from the menu that
appears.
28. In the left pane of the My Computer dialog box, click the + next to
Local Disk (C:). Highlight the Profiles folder. In the right pane,
double-click the BillT folder. Select Tools ➪ Folder Options.
29. In the Folder Options dialog box, click the View tab.
30. On the View tab, select the option next to “Show hidden files and
folders.” Clear the check box next to “Hide file extensions for known
file types.” Click OK.
31. In the right pane of the BillT dialog box, right-click the
ntuser.dat file, and select Rename from the menu that appears.
32. Type in a new name for the file of ntuser.man and press Enter. You have just configured BillT’s profile to be a mandatory user profile. Close Windows Explorer.

Answers to Chapter Questions

Chapter Pre-Test
1. Kerberos V5 is an Internet standard authentication protocol that provides a higher level of security and faster, more efficient authentication than the Windows NT LAN Manager protocol. Kerberos V5 is the default protocol used between Windows 2000 computers when each of these computers is a member of a Windows 2000 domain.
2. The two Windows 2000 built-in user accounts are Administrator and
Guest.
3. Local user accounts enable users to log on to the local computer and
to access that computer’s resources. Domain user accounts enable
users to log on to the domain and to access resources in the domain.
4. Roaming user profiles are user profiles that are stored on a Windows 2000 Server computer. Because these profiles are stored on a server instead of on the local computer, they are available to users regardless of which Windows 2000 computer on the network they log on to. A mandatory user profile is a user profile that, when assigned to a user, can’t be changed by the user. A user can make changes to desktop and work environment settings during a single logon session, but these changes are not saved to the mandatory user profile when the user logs off.
5. The three major types of Windows 2000 account policies are: password policy, account lockout policy, and Kerberos policy.
6. Security groups are primarily used to assign permissions and user rights to multiple users. Distribution groups are primarily used to send e-mail messages to a specified list of users. You can’t assign permissions and user rights to distribution groups.
7. A built-in group

Assessment Questions
1. B. Use the Local Users and Groups tool in Computer Management to create a new local user account on the local Windows 2000 computer.
2. D. Use Active Directory Users and Computers to create a new domain user account.
3. C. Roaming user profiles are server-based profiles. They should be stored in a shared folder on a Windows 2000 Server computer.
4. A. To make a user’s profile mandatory, you must rename the user’s NTUSER.DAT file as NTUSER.MAN.
5. B. Use the System application (found in Control Panel) to copy user profiles — you can’t use Windows Explorer for this task.
6. C. “Enforce password history” requires that a certain number of different passwords be used before an old password can be reused (in this case, two). “Minimum password length” specifies the minimum number of characters a password can contain (in this case, eight).
7. B. Use Local Users and Groups to create and configure local groups on the local Windows 2000 computer.
8. D. Use Active Directory Users and Computers to create and configure groups in Active Directory, such as a domain local group.
9. D. Answer A will work, but is not correct because it is not efficient. Answer B will also work, but again, is not correct because it is not efficient and is not the manner in which global groups are typically used. Answer C is incorrect because built-in groups can’t be created by an administrator, nor can you add users and groups to built-in special groups. Answer D is the best solution, and is the manner in which domain local and global groups are typically used.
10. A. Universal groups are used to organize users from multiple domains that perform similar job tasks or have similar network access requirements, and/or to control access to shared resources in multiple domains.

Scenarios
1. This message is displayed when a local user’s account has been locked
out or has been disabled. On the General tab in the local user’s
Properties dialog box, clear the check box next to “Account is locked
out” or clear the check box next to “Account is disabled.”
2. This message is displayed when a user attempts to log on during
restricted hours or attempts to log on to a restricted computer. Check
the Logon Hours and Log On To settings on the Account tab in the
user’s Properties dialog box, and make any necessary changes.
3. Examine the Password Policy settings. Check to see if the new password the user has entered meets the minimum password length and password complexity requirements. Remember, if password complexity is enabled, the password must contain three of the four types of characters: uppercase alphabetic, lowercase alphabetic, numbers, and special characters. Is the user’s new password a password that she has used previously? If so, check to see if it meets the “Enforce password history” settings.
4. By default, only Administrators can log on locally to the domain controller. Restricting local logon to the domain controller is generally a preferred practice. Use the Domain Controller Security Policy tool to grant the user the “Log on locally” user right, or make the user a member of a group that has that user right. Remember, if the user has been assigned both the “Log on locally” and “Deny logon locally” user rights, the “Deny logon locally” right takes precedence.
5. Verify that the user name and password the user is using are correct.
Remember, passwords are case sensitive. Make sure that Caps Lock is
not on.
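The account policy configured in Lab 9-2 Part 1 and the refusals diagnosed in Scenarios 1 through 5 above, as an added teaching model that is not the book’s code and not how Windows itself implements the checks: the day numbering, the allowed_weekdays field, the check order and the expiry message text are assumptions made for the model.

```python
"""Offline model of the Windows 2000 account policy set in Lab 9-2 Part 1.

Added example, not code from the book: it encodes the rules the chapter
describes (password history, minimum and maximum age, minimum length, the
three-of-four-categories complexity rule, the lockout threshold, logon-day
restrictions and disabled accounts) so the refusals in the Scenarios can be
reproduced. Windows enforces these rules inside its security subsystem.
"""
from dataclasses import dataclass, field
import string


@dataclass
class AccountPolicy:
    """Values as configured in Lab 9-2 Part 1 (complexity assumed enabled)."""
    history_length: int = 8        # Enforce password history: 8 remembered
    max_age_days: int = 30         # Maximum password age
    min_age_days: int = 5          # Minimum password age
    min_length: int = 8            # Minimum password length
    complexity: bool = True        # Passwords must meet complexity requirements
    lockout_threshold: int = 3     # Account lockout threshold


@dataclass
class Account:
    name: str
    password: str
    password_set_day: int                        # assumed day number of last change
    history: list = field(default_factory=list)  # older passwords, newest first
    allowed_weekdays: frozenset = frozenset(range(7))  # 0 = Monday ... 6 = Sunday
    bad_attempts: int = 0
    locked_out: bool = False
    disabled: bool = False


# The first three messages are quoted from the chapter's Scenarios; the
# expiry text is constructed for this model.
MSG_DISABLED = "Your account has been disabled. Please see your system administrator."
MSG_RESTRICTED = "Unable to log you on because of an account restriction."
MSG_FAILED = "The system could not log you on."
MSG_EXPIRED = "Your password has expired and must be changed."
MSG_OK = "logged on"


def complexity_categories(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = [
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c not in string.ascii_letters + string.digits for c in pw),
    ]
    return sum(classes)


def check_new_password(acct, new_pw, today, policy):
    """Return every reason the change would be refused; empty list means accepted."""
    reasons = []
    if today - acct.password_set_day < policy.min_age_days:
        reasons.append("minimum password age not reached")
    if len(new_pw) < policy.min_length:
        reasons.append("shorter than %d characters" % policy.min_length)
    if policy.complexity and complexity_categories(new_pw) < 3:
        reasons.append("fewer than three of four character categories")
    # The current password counts as the first remembered one.
    remembered = ([acct.password] + acct.history)[:policy.history_length]
    if new_pw in remembered:
        reasons.append("repeats one of the previous %d passwords" % policy.history_length)
    return reasons


def change_password(acct, new_pw, today, policy):
    """Apply the change when policy allows it; return the refusal reasons."""
    reasons = check_new_password(acct, new_pw, today, policy)
    if not reasons:
        acct.history.insert(0, acct.password)
        acct.password = new_pw
        acct.password_set_day = today
    return reasons


def logon(acct, password, today, policy):
    """Evaluate one logon attempt and return the message the user would see.

    The check order is a simplification for teaching: a wrong password is
    counted toward lockout before day restrictions and expiry are considered.
    """
    if acct.disabled or acct.locked_out:
        return MSG_DISABLED
    if password != acct.password:
        acct.bad_attempts += 1
        if acct.bad_attempts >= policy.lockout_threshold:
            acct.locked_out = True   # cleared by an administrator (Scenario 1)
        return MSG_FAILED
    acct.bad_attempts = 0
    if today % 7 not in acct.allowed_weekdays:
        return MSG_RESTRICTED
    if today - acct.password_set_day >= policy.max_age_days:
        return MSG_EXPIRED
    return MSG_OK
```

Feeding AnneC’s rejected passwords and GregZ’s repeated wrong passwords through the model shows which policy line produced each message, which is the diagnosis the Scenario answers ask for.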
Exam material: Professional, Server, Directory Services

EXAM OBJECTIVES

Professional  Exam 70-210
■ Deploy service packs.
■ Install applications by using Windows Installer packages.
■ Implement, configure, manage, and troubleshoot local Group Policy.

Server  Exam 70-215
■ Deploy service packs.
■ Implement, configure, manage, and troubleshoot policies in a Windows 2000 environment.
■ Implement, configure, manage, and troubleshoot Local Policy in a Windows 2000 environment.
■ Implement, configure, manage, and troubleshoot System Policy in a Windows 2000 environment.

Directory Services  Exam 70-217
■ Implement and troubleshoot Group Policy.
■ Create a Group Policy object (GPO).
■ Link an existing GPO.
■ Delegate administrative control of Group Policy.
■ Modify Group Policy inheritance.
■ Filter Group Policy settings by associating security
groups to GPOs.
■ Modify Group Policy.
■ Manage and troubleshoot user environments by using
Group Policy.
■ Control user environments by using Administrative
Templates.
■ Assign script policies to users and computers.

■ Manage and troubleshoot software by using Group Policy.
■ Deploy software by using Group Policy.
■ Maintain software by using Group Policy.
■ Configure deployment options.
■ Troubleshoot common problems that occur during
software deployment.
■ Manage network configuration by using Group Policy.
■ Apply security policies by using Group Policy.
CHAPTER 10
Using System Policy and Group Policy

Chapter 10 is all about using policies to manage users and computers in a Windows 2000 environment. After a quick overview of policies, I’ll explain how to use System Policy to manage non-Windows 2000 client computers and their users on a Windows 2000 network.
I’ll spend the rest of the chapter discussing how to use Group Policy to manage Windows 2000 computers and their users. Group Policy is a policy that contains rules and settings that are applied to Windows 2000 computers, their users, or both. Group Policy settings can be stored on the local computer (local Group Policy), or in Group Policy objects (GPOs) that are stored in Active Directory. I’ll explain how Group Policy is implemented and the order in which it is applied. Then I’ll show you how to create and configure GPOs. After that, I’ll address the numerous types of settings you can configure in Group Policy, including settings that manage user environments, scripts, security, folder redirection, and software deployment. Finally, I’ll provide you with some tips for troubleshooting Group Policy.


658 Part III ▼ Managing and Securing Resources

Chapter Pre-Test
1. What is System Policy?
2. In what sequence is System Policy applied?
3. What is Group Policy?
4. What is Group Policy called when it is implemented directly on
the local computer?
5. Fill in the blanks: Group Policy consists of two components: an
Active Directory object, called a ________ ________ ________ ,
and a series of files and folders that are automatically created
when the Active Directory object is created.
Chapter 10 ▼ Using System Policy and Group Policy 659

Overview of Policies in Windows 2000

In a Windows 2000 network environment, various types of policies are used by administrators to manage users and computers. Some policies are set on the local computer and apply only to that computer, to users who log on to that computer, or both. Other policies are set at the domain, site, or organizational unit level, and apply to multiple users, computers, or both.
The two primary types of policies used in a Windows 2000 network environment are System Policy and Group Policy. System Policy is used to manage non-Windows 2000 client computers (and their users) on a Windows 2000 network. Group Policy is used to manage Windows 2000 computers, their users, or both. I’ll explain how to manage both System Policy and Group Policy in this chapter.

Managing System Policy


System Policy is a collection of Administrator-created user, group, and computer system policies that enable an administrator to manage non-Windows 2000 client computers (and their users) on a Windows 2000 network. For example, you can use System Policy to restrict the user's ability to perform certain tasks or to enforce mandatory display settings, such as wallpaper and color scheme. You can also use System Policy to configure computer settings, such as a custom logon banner that is displayed each time a user logs on to a particular computer.
The types of client computers that you can create System Policy for include Windows NT 4.0 computers, Windows 95 computers, and Windows 98 computers. Microsoft originally intended to allow System Policy to apply to Windows 2000 computers, but that capability was removed between Beta 3 and the final release of Windows 2000.
System Policy, like mandatory user profiles, enables an administrator to control the work environment of users on the network. System Policy, however, gives the administrator far more configurable options than a mandatory user profile. Administrators can use System Policy to provide a consistent environment for a large number of users, or to enforce a specified work environment for problem users who demand a significant amount of administrator time.

In addition to enabling the administrator to limit the changes users can make to their work environments, System Policy can be used as a security measure to limit access to parts of the network, to restrict the use of specific tools such as the Registry Editor, and to remove the Run command option from the Start menu.
The following sections explain the components that can be included in System Policy, including user system policy, group system policy, and computer system policy.

User System Policy


A user system policy is a collection of settings that restrict a user's program and network options and can enforce a specified configuration on the user's work environment. There are two types of user system policies: an individual user policy and the Default User policy.
An individual user policy applies to a single, specific user. Normally, an individual user policy is created only when a user requires a unique policy that differs from any existing Default User or group system policy.
The Default User policy, contrary to what its name implies, does not exist by default. Rather, it is created when an Administrator initially creates a System Policy file. When the Default User policy is initially created, it doesn't contain any settings that restrict users. The Administrator must configure any desired user restrictions in the Default User policy. The Default User policy applies to a user only if the user does not have an individual user policy.
There are a variety of settings that you can configure in a user system policy. Figure 10-1 shows all of the configurable options for a Windows NT individual user policy. The same list of configurable options is available for the Default User policy.
The actual process of configuring the check boxes in this list is covered in the "Creating a System Policy File" section later in this chapter.
When a user logs on to a non-Windows 2000 client computer on a Windows 2000 network, Windows NT (or Windows 95 or 98) permanently overwrites the existing settings in the HKEY_CURRENT_USER section of the registry on the computer to which the user logs on with the settings contained in the user system policy. Those registry values are not removed when the policy is later removed, so keep a record of what each policy changes.

FIGURE 10-1 Configurable settings in a Windows NT 4.0 user system policy



Group System Policy


A group system policy is a policy that applies to a group of users. A group system policy applies to all users that are members of a group (that has a group policy) and that do not have individual user policies. Group system policies have the same configurable options as user system policies.
A group system policy should be created when more than one user requires the same settings, because it takes far less time to create one group policy than to create multiple individual user policies.
A user may belong to multiple groups that each have a group system policy. When this is the case, the policies are applied in a specific order.
For example, suppose that a user of a Windows NT 4.0 client computer, JohnS, belongs to three groups: Domain Admins, Managers, and Sales, and that each of these three groups has a group system policy. The groups are listed in this order, from the top down, in the Group Priority dialog box in System Policy Editor. Also suppose that JohnS does not have an individual user policy. When JohnS logs on to the domain, the group system policy for the Sales group (which has the lowest group priority because it is at the bottom of the list) is applied first. Then the group system policy for the Managers group is applied. Finally, the group system policy for the Domain Admins group (which has the highest group priority because it is at the top of the list) is applied to JohnS. As each group system policy is applied, it overwrites any conflicting settings from previously applied group policies. The last group system policy applied (in this case, the Domain Admins group system policy) takes precedence over the lower priority group system policies.
An Administrator can configure group system policy priority by moving a group up or down in the Group Priority dialog box. The group at the top of the box has the highest priority.

Computer System Policy


A computer system policy is a collection of settings that specifies a local computer's configuration. A computer system policy enforces the specified configuration on all users of a particular Windows NT 4.0, Windows 95, or Windows 98 client computer.
There are two types of computer system policies: an individual computer policy and the Default Computer policy.

An individual computer policy applies to a single, specific client computer. Normally, an individual computer policy is created only when a client computer requires a unique policy that differs from the Default Computer policy.
The Default Computer policy, like the Default User policy, is created when a System Policy file is initially created. The Default Computer policy applies to a client computer only if the computer does not have an individual computer policy.
There are a variety of settings that you can configure in a computer system policy, as shown in Figure 10-2.

FIGURE 10-2 Configurable settings in a Windows NT 4.0 computer system policy



An individual computer policy and the Default Computer policy both have the same configurable options. The actual process of configuring a computer system policy is covered in the "Creating a System Policy File" section later in this chapter.
When a user logs on to a non-Windows 2000 client computer on a Windows 2000 network, Windows NT (or Windows 95 or 98) permanently overwrites the existing settings in the HKEY_LOCAL_MACHINE section of the registry on the computer to which the user logs on with the settings contained in the computer system policy.

How System Policy Is Applied


System Policy is applied to a user or a computer in a predefined, systematic
manner. When a user logs on, the user’s roaming or local user profile is
applied first, and then System Policy is applied. If settings in the System
Policy conflict with settings in the user profile, the System Policy settings
take precedence.
System Policy is applied in the following sequence:
1. If a user has an individual user policy, it is applied.
2. If a user does not have an individual user policy, and the user is a
member of a group that has a group system policy, then the group
system policy (or policies, if the user is a member of multiple groups
that each have a group system policy) is applied.
3. If a user does not have an individual user policy, then the Default User
policy is applied.

TIP
If a user that does not have an individual user policy has a group system
policy that conflicts with the Default User policy, then the settings in the
Default User policy take precedence, because the Default User policy is
applied after the group system policy is applied.

4. If the non-Windows 2000 client computer the user logs on to has an individual computer policy, it is applied.

5. If the non-Windows 2000 client computer the user logs on to does not have an individual computer policy, then the Default Computer policy is applied.
The end result is that a user has one of the following user and group
system policy combinations applied:
■ An individual user policy only
■ The Default User policy only
■ A combination of the Default User policy and a group system policy
(or policies, if the user is a member of multiple groups that each have
a group system policy)
In addition, the client computer to which the user logs on has either an
individual computer policy or the Default Computer policy applied.

Creating a System Policy File


A System Policy file doesn't exist by default. It must be created, configured, and saved by an Administrator. System Policy is managed and configured by using the System Policy Editor (Poledit.exe). You can use the Windows 2000 System Policy Editor to create System Policy that will apply to Windows NT 4.0 client computers (and the users of these computers). System Policy Editor is installed, by default, on Windows 2000 Server/Advanced Server computers. You can make the System Policy Editor available on a Windows 2000 Professional computer by installing the ADMINPAK. After a System Policy file is created, it should be saved in the NETLOGON share of one of the domain controllers in the domain. A Windows NT 4.0 System Policy file should be named Ntconfig.pol. On a Windows 2000 domain controller the NETLOGON share is the scripts folder under SYSVOL, so a file saved there is replicated to the other domain controllers in the domain automatically.
You can use the System Policy Editor (Poledit.exe) on either a Windows 95 or Windows 98 computer to create a System Policy file that will apply to both Windows 95 and Windows 98 client computers (and the users of these computers). The System Policy Editor is not installed by default on Windows 95/98 computers; you must install this tool from the Windows 95/98 compact disc. A Windows 95/98 System Policy file should also be saved in the NETLOGON share of one of the domain controllers in the domain, and the file should be named Config.pol.

STEP BY STEP

CREATING A WINDOWS NT 4.0 SYSTEM POLICY FILE

1. Select Start ➪ Run.
2. In the Run dialog box, type poledit and click OK.
3. In the System Policy Editor dialog box, select File ➪ New Policy.
4. Two icons are displayed: Default Computer and Default User.
Customize the Default Computer and Default User policies as appropriate. To customize a policy, double-click the policy's icon. Then, in the policy's Properties dialog box, click the + next to the options you want to expand and configure. Then configure the check box next to each option you want to configure. Each check box has three possible configurations:
■ Grayed out: Causes the current setting for this option to be retained. This is the default setting for all configurable options in System Policy.
■ Checked: Causes this option to be applied.
■ Cleared (white): Causes the opposite of this option to be applied. For example, if the option is called "Remove Run command from Start Menu," clearing this option will ensure that the Run command is displayed in the Start Menu.
5. Create and customize individual user, individual computer, and group system policies as appropriate.
To create a new policy, select the appropriate option from the Edit menu (either Add User, Add Computer, or Add Group). Then, in the Add User, Add Computer, or Add Group dialog box, type the name of the user, computer, or group for which you want to create a policy. Click OK.
Then customize your new policy (or policies) by using the instructions in Step 4.
6. After you create and customize policies, save the System Policy file. Select File ➪ Save As in the System Policy Editor dialog box. Save the file to the NETLOGON share on a domain controller as Ntconfig.pol.
7. Exit System Policy Editor.

To create a Windows 95 or Windows 98 System Policy file, follow the preceding steps, except:
1. Run the System Policy Editor on a Windows 95 or Windows 98 computer.
2. Save the System Policy file as Config.pol instead of Ntconfig.pol.

Using System Policy Editor to Manage the Local Windows 2000 Computer
As I mentioned earlier, you can't use System Policy to manage a Windows 2000 client computer (and its users). However, you can use System Policy Editor to directly edit the registry on a Windows 2000 computer. You must be a member of the Administrators group on the local computer to edit the registry.

CAUTION
This is not a recommended practice, because using System Policy Editor permanently changes the registry on a computer. If you decide you want to revert to default settings at a later date, you'll have to manually change each and every setting that you previously changed.

I recommend that you use Group Policy (or Local Group Policy) to configure settings on a Windows 2000 computer instead of using the System Policy Editor, because registry changes made by Group Policy are easily reversible.
That said, to edit the registry on a Windows 2000 computer by using System Policy Editor, start System Policy Editor, then select File ➪ Open Registry. Then configure local computer and local user settings as needed. When you're finished making changes, select File ➪ Save, then close System Policy Editor.

Troubleshooting System Policy


System Policy can present an administrator with some challenging problems. Here are a couple of the most common System Policy problems and their recommended solutions:
■ A group system policy setting is not being applied to all members of the group. The most common cause of this problem is that some of the users of this group are also members of another group that has a conflicting group system policy with a higher group policy priority than the first group. To solve the problem, you may need to change the group policy priority, or perhaps change the users' group memberships.

■ After you remove the System Policy file from the domain controllers, its settings are still applied to users and computers. Unfortunately, System Policy permanently modifies the registry, and does not revert to default settings even after the System Policy file is removed. To solve this problem, you must create a new System Policy file that reverses each setting that was previously changed in the original System Policy file.

TIP
In order to create the new System Policy file, you’ll need to have a record
of each and every change that was applied by the old System Policy file.

Once you’ve implemented the new System Policy, and each user
has logged on, you can then remove the new System Policy file.
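The resolution sequence described in "How System Policy Is Applied" (an individual user policy if one exists, otherwise the group policies from lowest to highest priority followed by Default User, plus an individual or Default Computer policy) and the tattooing problem just described can be modelled in a few lines. The Python below is an added illustration, not code from this book or from Microsoft. It treats a registry hive and a saved policy file as plain dictionaries; the setting names, user and group names and the sample policy file are constructed. It shows that removing the policy file leaves the registry as it was, and how a reversal policy is built from a record of the original values, which is exactly the record the TIP above says you need.

```python
"""Model of NT 4.0 / Windows 9x System Policy resolution and tattooing.
Added illustration, not code from the book or from Microsoft. Setting names
and the policy file below are constructed sample data.

A policy is a dict of setting -> value. A setting absent from a policy models
the grayed-out check box (the existing registry value is retained); True
models "checked" and False models "cleared" (the opposite is applied)."""


def resolve_user_policies(user, groups_top_down, policy_file):
    """Return the user policies in the order they will be written.

    groups_top_down lists the user's groups as shown in the Group Priority
    dialog, highest priority first. policy_file is a simplified .pol file
    with the keys "users", "groups" and "default_user".
    """
    if user in policy_file["users"]:
        # An individual user policy excludes group and Default User policies.
        return [policy_file["users"][user]]
    ordered = []
    # Lowest priority is applied first, so the top group overwrites the rest.
    for group in reversed(groups_top_down):
        if group in policy_file["groups"]:
            ordered.append(policy_file["groups"][group])
    # Per the chapter's sequence, Default User is applied after the groups.
    ordered.append(policy_file["default_user"])
    return ordered


def resolve_computer_policy(computer, policy_file):
    """The individual computer policy if one exists, else Default Computer."""
    return policy_file["computers"].get(computer, policy_file["default_computer"])


def apply_policies(hive, policies):
    """Write policies into a copy of a registry hive (a dict); last one wins.

    Returns (new_hive, changes). changes maps setting -> (old, new) for every
    value actually modified. System Policy keeps no such record itself, so
    this is the record an administrator has to keep by hand.
    """
    new_hive = dict(hive)
    original = {}
    for policy in policies:
        for setting, value in policy.items():
            original.setdefault(setting, new_hive.get(setting))  # first old value
            new_hive[setting] = value
    changes = {s: (old, new_hive[s]) for s, old in original.items() if old != new_hive[s]}
    return new_hive, changes


def reversal_policy(changes, defaults):
    """Build the policy that puts every changed setting back.

    A policy can only write values, never delete them, so a setting that did
    not exist before (old is None) is set to the value in `defaults`, which
    the administrator must know. A missing default raises instead of guessing.
    """
    undo = {}
    for setting, (old, _new) in changes.items():
        if old is not None:
            undo[setting] = old
        elif setting in defaults:
            undo[setting] = defaults[setting]
        else:
            raise KeyError(f"no recorded default for {setting}; cannot reverse it")
    return undo


# Constructed sample standing in for a saved Ntconfig.pol.
POLICY_FILE = {
    "users": {"MaryK": {"RemoveRunCommand": True, "DisableRegistryTools": False}},
    "groups": {
        "Domain Admins": {"DisableRegistryTools": False},
        "Managers": {"DisableRegistryTools": True, "Wallpaper": "managers.bmp"},
        "Sales": {"RemoveRunCommand": True, "Wallpaper": "sales.bmp"},
    },
    "default_user": {"DisableRegistryTools": True},
    "computers": {"PC-SALES-07": {"LogonBanner": "Sales workstation"}},
    "default_computer": {"LogonBanner": "Authorized use only"},
}


def demo():
    """JohnS (no individual policy) logging on with an empty HKCU hive."""
    johns = resolve_user_policies("JohnS", ["Domain Admins", "Managers", "Sales"], POLICY_FILE)
    hive, changes = apply_policies({}, johns)
    # Deleting the .pol file applies no policy at all: the values stay tattooed.
    still_there, _ = apply_policies(hive, [])
    undo = reversal_policy(changes, {"RemoveRunCommand": False,
                                     "DisableRegistryTools": False, "Wallpaper": ""})
    reverted, _ = apply_policies(hive, [undo])
    return hive, still_there, reverted


if __name__ == "__main__":
    for label, state in zip(("applied", "after file removed", "after reversal"), demo()):
        print(f"{label:18}: {state}")
```

Note that the reversal policy must itself be left in place until every affected user has logged on once, because the values are written only at logon; that is the step the chapter describes just above.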

Managing Group Policy


Group Policy is a brand new Windows 2000 feature. Group Policy is a policy that contains rules and settings that are applied to Windows 2000 computers, their users, or both, that are located in a specific part of Active Directory. I like to think of Group Policy as System Policy on steroids: it's much bigger, meaner, and more powerful than System Policy.
Group Policy can only be used to manage Windows 2000 computers on a network (and the users of those computers). If you have other Windows-based client computers, such as Windows NT 4.0, Windows 95, or Windows 98 computers, you can only manage those computers (and their users) by using System Policy.

EXAM TIP
The Directory Services exam has multiple objectives on Group Policy.
Add that to the fact that Group Policy is a nifty new feature in Windows
2000, and you can rest assured of finding several tough Group Policy
questions on this exam.

By using Group Policy, an Administrator can specify and manage a number of user and computer settings, including:
■ Settings that manage user environments: You can specify a user's desktop settings, such as wallpaper and Active Desktop settings. You can also configure the items that appear in a user's Start menu, and several other user and computer settings that affect a user's environment.
■ Settings that manage scripts: You can configure user logon and logoff scripts, and computer startup and shutdown scripts.
■ Settings that manage security: You can specify security settings, such as account policies, local policies, event log settings, and so on.
■ Settings that redirect folders: You can cause folders in a user's profile to be redirected to a shared folder on a network server.
■ Settings that manage software deployment: You can specify an application that will be automatically installed on a computer when the computer starts, or automatically installed when a user opens a file with an extension associated with that application. You can manage the deployment of multiple applications by using Group Policy.
Group Policy is typically implemented in Active Directory. However, Group Policy can be implemented directly on the local computer. When implemented on the local computer, Group Policy is called Local Group Policy.
Local Group Policy consists of a series of files and folders that are automatically created during the installation of Windows 2000 on the local computer. Local Group Policy files and folders are stored in the SystemRoot\System32\GroupPolicy folder. Local Group Policy applies to the local computer, and to users that log on to the local computer.
Group Policy consists of two components: an Active Directory object, called a Group Policy object (GPO), and a series of files and folders that are automatically created when the GPO is created. Group Policy files and folders are stored in the SystemRoot\SYSVOL\sysvol\domain_name\Policies folder on domain controllers in a Windows 2000 domain. Each GPO is associated with a specific Active Directory container, such as a site, a domain, or an organizational unit (OU). Group Policy applies to computers, users, or both, that are contained within the site, domain, or OU with which the GPO is associated. An Active Directory container may have more than one GPO associated with it.

How Group Policy Is Applied


Before you actually configure Group Policy settings, it’s a good idea to
understand the order in which Group Policy settings are applied to
Windows 2000 computers and their users. Group Policy is applied in a
predefined, systematic manner.
In general, when a user logs on, the user's roaming or local user profile is applied first. Then Local Group Policy is applied, and finally Group Policy is applied. If any settings in Group Policy (either Local Group Policy or Group Policy) conflict with settings in the user's profile, the Group Policy settings take precedence. If any Local Group Policy settings conflict with Group Policy settings, the Group Policy settings take precedence and override the conflicting Local Group Policy settings, because the policy applied last takes precedence, and Group Policy is applied after Local Group Policy is applied.
By default, Group Policy is applied in the following order, and all
processes that occur in one step are completed before the processes in the
next step begin.
1. When a user powers on a Windows 2000 computer, all Group Policy
settings that apply to the computer are applied.
2. If the Group Policy settings that apply to the computer specify that a
startup script (or scripts) be run, this script is run.
3. When a user logs on, the user’s profile is loaded, then all Group Policy
settings that apply to the user are applied.
4. If the Group Policy settings that apply to the user specify that a logon script (or scripts) be run, this script is run. Then, if a user has an individual logon script assigned to his or her user account, this logon script is run.
5. When a user logs off, if the Group Policy settings that apply to the
user specify that a logoff script (or scripts) be run, this script is run.
6. When a user shuts down a Windows 2000 computer, if the Group
Policy settings that apply to the computer specify that a shutdown
script (or scripts) be run, this script is run.

Inheritance and Group Policy


Another factor that affects how Group Policy is applied is inheritance. An Active Directory object, such as a user or a computer, normally inherits Group Policy from the container in which the object resides and from the parent containers above it in the Active Directory tree. Group Policy is applied from the top of the tree down. This means that the normal sequence of Group Policy application is first site, then domain, then OU.
The key point is that when Group Policy settings conflict, the Group Policy that is applied last is the policy that takes precedence. Because the last Group Policy that is normally applied is the Group Policy associated with the OU that a computer or user is contained in, the Group Policy of the OU normally takes precedence when settings conflict. Here are a couple of examples that explain how inheritance affects the application of Group Policy.

Example 1 Suppose that a user is contained in an OU named Denver that has a Group Policy. The Denver OU is contained in a domain named domain1.com that also has a Group Policy. When Group Policy is applied, it is applied first at the domain level, and then at the OU level. There are no conflicting Group Policy settings between domain1.com and the Denver OU. Therefore, in this case, the Group Policy settings are additive, and the Group Policy settings associated with domain1.com and the Group Policy settings associated with the Denver OU are both applied.

Example 2 Suppose that a user is contained in an OU named Seattle that has a Group Policy. The Seattle OU is contained in a domain named domain3.org that also has a Group Policy. There are some conflicting Group Policy settings between domain3.org and the Seattle OU. The Group Policy for domain3.org is applied first. Then the Group Policy for the Seattle OU is applied. All nonconflicting settings in the Group Policy for domain3.org remain applied after the Group Policy for the Seattle OU is applied. However, any settings in the Group Policy for domain3.org that conflict with the Group Policy for the Seattle OU are replaced by the Group Policy settings for the Seattle OU, because this Group Policy is applied last and takes precedence.
An Administrator can modify certain inheritance settings of GPOs and their associated containers. I'll explain how to configure these settings a little later in this chapter.

Periodic Updates of Group Policy


By default, all Windows 2000 computers (that are not domain controllers) request and receive Group Policy updates from domain controllers approximately every 90 minutes, with a random offset of up to 30 minutes so that clients don't all poll at the same moment. Domain controllers request updates from Active Directory every 5 minutes. You can modify these intervals to suit your needs. To apply a change without waiting for the next refresh, run secedit /refreshpolicy machine_policy or secedit /refreshpolicy user_policy on the Windows 2000 computer (add /enforce to reapply settings that have not changed).

TIP
Just because Group Policy settings are updated throughout the day doesn't mean that all tasks specified by the Group Policy setting changes will occur. For example, software installation and folder redirection only occur at startup or user logon.

Managing Local Group Policy


Local Group Policy is configured on an individual Windows 2000 computer by using the Group Policy snap-in to the Microsoft Management Console (MMC). You must be a member of the Administrators group on the local computer to manage Local Group Policy.
As you may recall, Local Group Policy is applied first, so if its settings conflict with Group Policy settings, the conflicting Group Policy settings take precedence, because they are applied last.

STEP BY STEP

CONFIGURING LOCAL GROUP POLICY ON THE LOCAL COMPUTER

1. Select Start ➪ Run.
2. In the Run dialog box, type gpedit.msc and click OK.
3. The Group Policy snap-in to the MMC is displayed, as shown in Figure 10-3. Notice the separate Computer Configuration and User Configuration sections. Settings in the Computer Configuration section apply to the local computer. Settings in the User Configuration section apply to all users who log on to the local computer.
To configure settings in this dialog box, expand folders in the left pane until the policy setting you want to configure is displayed in the right pane. Then, in the right pane, double-click the policy you want to configure, configure its settings as appropriate, and click OK.

STEP BY STEP Continued

FIGURE 10-3 Configuring Local Group Policy

TIP
For more information on the many settings you can configure, see the
sections later in this chapter titled “Configuring Group Policy Settings to
Manage User Environments,” “Configuring Group Policy Settings to
Manage Scripts,” “Configuring Group Policy Settings to Manage
Security,” “Configuring Group Policy Settings to Redirect Folders,” and
“Configuring Group Policy Settings to Manage Software Deployment.”

4. When you’re finished configuring Local Group Policy, close the Group Policy
dialog box.

You may remember using the Local Security Policy tool (Start ➪ Programs ➪ Administrative Tools ➪ Local Security Policy) to set account policies (such as password policy and account lockout policy) and local policies (such as user rights assignment and audit policy) on the local Windows 2000 computer. The Local Security Policy tool was discussed in Chapter 9. The Group Policy snap-in to the MMC enables you to configure these same policies, plus many more, on the local computer.
You can also configure Local Group Policy on a remote Windows 2000 computer by using the Group Policy snap-in to the MMC.

STEP BY STEP

CONFIGURING LOCAL GROUP POLICY ON A REMOTE WINDOWS 2000 COMPUTER

1. Select Start ➪ Run.
2. In the Run dialog box, type mmc and click OK.
3. An MMC dialog box named Console1 is displayed. Select Console ➪ Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, highlight Group Policy and click Add.
6. In the Select Group Policy Object dialog box, click Browse.
7. In the Browse for a Group Policy Object dialog box, click the Computers tab.
8. On the Computers tab, select the "Another computer" option, and type in the name of the remote Windows 2000 computer for which you want to configure Local Group Policy. Click OK.
9. In the Select Group Policy Object dialog box, click Finish.
10. In the Add Standalone Snap-in dialog box, click Close.
11. In the Add/Remove Snap-in dialog box, click OK.
12. On the MMC console, maximize the window named Console Root. (This console is virtually identical to the console used to manage Local Group Policy on the local computer.) Then, in the left pane, click the + next to the name of the remote Windows 2000 computer. Expand folders in the left pane until the policy setting you want to configure is displayed in the right pane. Then, in the right pane, double-click the policy you want to configure, configure its settings as appropriate, and click OK.
13. When you're finished configuring the Local Group Policy for the remote Windows 2000 computer, close the MMC.

Creating Group Policy Objects in Active Directory


You can use several tools to create Group Policy objects (GPOs) in Active Directory. The specific tool used generally depends on what type of container (site, domain, or OU) will be associated with the GPO.
■ To create a GPO associated with a site, use Active Directory Sites and Services (Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Sites and Services).

■ To create a GPO associated with a domain or OU, use Active Directory Users and Computers (Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers).
You can also use the Group Policy snap-in to the MMC to create and manage GPOs.
You must have the Read, Write, and Create All Child Objects Active Directory permissions to the container (site, domain, or OU) in order to create a GPO that will be associated with that container. If you're a member of the Enterprise Admins group, or a member of the domain's Administrators or Domain Admins groups, you have the necessary permissions to create GPOs.
Now I'll show you how to create a new GPO. You can use the steps that follow to create a GPO associated with a domain or OU by using Active Directory Users and Computers. The steps to create a GPO associated with a site are virtually identical, except that you must use the Active Directory Sites and Services tool.

STEP BY STEP

CREATING A NEW GROUP POLICY OBJECT

1. From the desktop, select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
2. The Active Directory Users and Computers dialog box appears. In the left pane, expand domains and OUs as necessary until the domain or OU for which you want to create a GPO is displayed in the left pane. Highlight the domain or OU, then select Action ➪ Properties. (You can also right-click the domain or OU and select Properties from the menu that appears.)
3. In the domain or OU's Properties dialog box, click the Group Policy tab.
4. The Group Policy tab is displayed, as shown in Figure 10-4. Notice that by default, this OU does not have a GPO associated with it. Also notice the "Block Policy inheritance" check box.
To create a new GPO, click New.
5. The "New Group Policy Object" appears in the Group Policy Object Links column. To rename this new GPO, type in a new name and press Enter.

STEP BY STEP Continued

FIGURE 10-4 Creating a new Group Policy object (GPO)

6. To create additional GPOs, repeat Steps 4 and 5 (click New, then name the new GPO).
7. When you're finished creating a GPO, you can configure its properties (which I'll discuss throughout the rest of this chapter), or you can click Close.
8. Close Active Directory Users and Computers.

Configuring and Modifying Group Policy Objects


When GPOs are first created, they have no initial settings. You must configure GPOs before you can use them to help you manage the Windows 2000 computers (and their users) on your network.
You use the same tool to configure a GPO that you used to create the GPO: either Active Directory Users and Computers (if the GPO is associated with a domain or an OU) or Active Directory Sites and Services (if the GPO is associated with a site).
Chapter 10 ▼ Using System Policy and Group Policy 677

In this section I’ll explain how to modify a GPO’s Group Policy inheritance settings, how to disable computer or user configuration settings, and how to configure security for a GPO.

TIP
I’ll show you how to modify GPOs primarily by using Active Directory Users and Computers, but if you want to use Active Directory Sites and Services, the steps to perform the various tasks are virtually identical.

Modifying Group Policy Inheritance

An Administrator can modify how inheritance occurs when Group Policy settings are applied. There are two primary settings you can configure that affect Group Policy inheritance. One of these settings is configured on the Active Directory container with which the GPO is associated, and the second is configured on the GPO itself.

The setting you can configure on the Active Directory container (site, domain, or OU) with which a GPO is associated is a check box titled “Block Policy inheritance.” If this check box is selected, Group Policy settings from parent objects in the Active Directory tree are blocked from this container and will not affect this container.

STEP BY STEP

BLOCKING GROUP POLICY INHERITANCE ON A SITE, DOMAIN, OR OU

1. If you want to block Group Policy inheritance on a domain or an OU, select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers. Or, if you want to block Group Policy inheritance on a site, start Active Directory Sites and Services.
2. In the left pane of the dialog box, expand sites, domains, and OUs as necessary until the site, domain, or OU you want to configure is displayed in the left pane. Highlight the site, domain, or OU, then select Action ➪ Properties.
3. In the site, domain, or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab (which is shown earlier in Figure 10-4), select the check box next to “Block Policy inheritance.” Click OK.
5. Close Active Directory Users and Computers (or Active Directory Sites and Services).

The setting you can configure on the GPO itself is an option called “No Override.” When this option is selected, settings in this GPO will take precedence and will not be overridden by any conflicting settings in a child object’s GPO.

STEP BY STEP

CONFIGURING THE NO OVERRIDE OPTION ON A GPO

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand domains and OUs as necessary until the domain or OU associated with the GPO you want to configure is displayed in the left pane. Highlight the domain or OU, then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO you want to configure and click Options.
5. The GPO Options dialog box appears, as shown in Figure 10-5. Notice the two configurable options: No Override and Disabled.

FIGURE 10-5 Configuring the No Override option

   Select the check box next to “No Override: prevents other Group Policy Objects from overriding policy set in this one.” Click OK.
6. The Group Policy tab reappears. A check mark is displayed in the No Override column next to the GPO you just configured. Click OK.
7. Close Active Directory Users and Computers.

Finally, there’s a potential conflict between these two inheritance settings that I need to warn you about. For example, suppose that the No Override option is configured on a GPO associated with a domain (a parent object), and that the “Block Policy inheritance” option is configured on an OU in this domain (a child object). In this situation, the No Override option wins, and the “Block Policy inheritance” option on the OU is ignored. If the No Override option is configured on a GPO associated with a parent container, a child object can’t block policy inheritance from that GPO. The No Override option always takes precedence.

EXAM TIP
If I were writing questions for the Directory Services exam, I’d write several long, convoluted questions testing the examinees’ understanding of the No Override and “Block Policy inheritance” options. Make sure you thoroughly understand these two settings.

Disabling Computer Configuration or User Configuration Settings

If a particular GPO contains settings that will only affect computers, or contains settings that will only affect users, you should consider disabling the unused configuration settings in the GPO. Disabling computer configuration settings when only user settings are used (and disabling user configuration settings when only computer settings are used) will significantly speed up the application of the GPO.

STEP BY STEP

DISABLING UNUSED SETTINGS IN A GPO

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand domains and OUs as necessary until the domain or OU associated with the GPO you want to configure is displayed in the left pane. Highlight the domain or OU, then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO you want to configure and click Properties.
5. The GPO Properties dialog box appears, as shown in Figure 10-6. Notice the two check boxes at the bottom of this dialog box.

FIGURE 10-6 Disabling unused configuration settings in a GPO

   Select either the “Disable Computer Configuration settings” check box or the “Disable User Configuration settings” check box, as appropriate, to disable the unused portion of this GPO.
6. When a check box is selected, Windows 2000 displays a Confirm Disable warning dialog box. Click Yes.
7. On the General tab in the GPO Properties dialog box, click OK.
8. On the Group Policy tab, click OK.
9. Close Active Directory Users and Computers.

Configuring Security for Group Policy Objects

Security is configured on GPOs to accomplish two different objectives:
■ To specify the users, computers, or both to which the GPO applies
■ To specify the users or groups who can administer the GPO

A GPO is applied only to users and computers that have the Read and Apply Group Policy Active Directory permissions to the GPO. By default, the Authenticated Users group is assigned the Read and Apply Group Policy Active Directory permissions to all newly created GPOs. The Authenticated Users group includes all users and computers in Active Directory.

If you don’t want a GPO to be applied to all users and computers contained in the site, domain, or OU with which the GPO is associated, you must first remove the Authenticated Users group from the access control list for the GPO, then you must add the appropriate users, computers, and groups to the access control list for the GPO and assign these users, computers, and groups the Read and Apply Group Policy permissions.

The easiest way to specify the users and computers to which a GPO applies is to assign groups of users (or groups of computers) to the access control list for the GPO, and then to assign the Read and Apply Group Policy permissions to these groups for the GPO. This process is called filtering Group Policy scope by using security groups. If you filter the scope of a GPO by using security groups, it’s conceivable that you could have multiple GPOs associated with a single container (such as an OU), with each GPO applying to a different group of users or computers within the container.

Security is also configured on GPOs so that the administration of the GPO can be delegated to other users on the network. A user (or group) must be assigned the Read and Write Active Directory permissions to the GPO in order to administer the GPO. By default, members of the Domain Admins and Enterprise Admins groups have both of these permissions.
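The filtering rule above (a GPO applies only to a principal holding both Read and Apply Group Policy, and is administrable only with Read and Write) is easy to get wrong in a permissions dialog, so here is a small model of it. This is an added example written for this page, not code from the book or from Windows: the ACL entries, group names and account names (TinaT, BobM, SamH, Managers, Helpdesk) are constructed, and the Deny-beats-Allow evaluation is a simplification of the real Windows ACL algorithm. The default ACL it builds follows what the chapter states about new GPOs.

```python
"""Model of Group Policy security filtering and delegation.

Constructed example for this page (not from the book or from Windows).
Rules encoded, as the chapter states them:
  * A GPO applies to a user or computer only if the principal has both
    Read and Apply Group Policy, directly or through a group.
  * Administering a GPO needs Read and Write.
  * New GPOs grant Authenticated Users Read + Apply Group Policy, and the
    Domain Admins / Enterprise Admins groups Read + Write.
Simplification: an explicit Deny on a permission always beats an Allow.
"""
from dataclasses import dataclass, field

READ, APPLY, WRITE = "Read", "Apply Group Policy", "Write"


@dataclass
class ACE:
    trustee: str          # user, computer or group name
    permission: str
    allow: bool = True    # False models a ticked Deny box


@dataclass
class GPO:
    name: str
    acl: list = field(default_factory=list)


def default_acl():
    """ACL placed on a newly created GPO, per the chapter."""
    return [ACE("Authenticated Users", READ), ACE("Authenticated Users", APPLY),
            ACE("Domain Admins", READ), ACE("Domain Admins", WRITE),
            ACE("Enterprise Admins", READ), ACE("Enterprise Admins", WRITE)]


def has_permission(gpo, principal, groups, permission):
    """Effective check: any matching Deny wins; otherwise one Allow suffices."""
    trustees = {principal} | set(groups)
    relevant = [a for a in gpo.acl
                if a.trustee in trustees and a.permission == permission]
    if any(not a.allow for a in relevant):
        return False
    return any(a.allow for a in relevant)


def applies_to(gpo, principal, groups):
    """Will Windows 2000 apply this GPO to the principal?"""
    return (has_permission(gpo, principal, groups, READ)
            and has_permission(gpo, principal, groups, APPLY))


def can_administer(gpo, principal, groups):
    """May the principal edit this GPO?"""
    return (has_permission(gpo, principal, groups, READ)
            and has_permission(gpo, principal, groups, WRITE))


def filter_scope(gpo, target_group):
    """Chapter procedure: remove Authenticated Users, add the group,
    grant it Read and Apply Group Policy."""
    gpo.acl = [a for a in gpo.acl if a.trustee != "Authenticated Users"]
    gpo.acl += [ACE(target_group, READ), ACE(target_group, APPLY)]


def delegate(gpo, trustee):
    """Delegate administration: Read plus the Write that must be added by hand."""
    gpo.acl += [ACE(trustee, READ), ACE(trustee, WRITE)]


if __name__ == "__main__":
    g = GPO("HQ Seattle Everyone", default_acl())
    tina = ("TinaT", ["Authenticated Users", "Accounting"])
    print("default scope, TinaT:", applies_to(g, *tina))
    filter_scope(g, "Managers")
    print("filtered to Managers, TinaT:", applies_to(g, *tina))
```

The model makes two of the chapter's warnings concrete: adding a principal through the Add button grants only Read, which is not enough for the GPO to apply or to be administered, and a Deny on Apply Group Policy through any group membership switches the GPO off for that principal even when another group allows it.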

STEP BY STEP

MODIFYING GPO SECURITY, FILTERING SCOPE BY USING SECURITY GROUPS, AND DELEGATING ADMINISTRATIVE CONTROL

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand domains and OUs as necessary until the domain or OU associated with the GPO you want to configure is displayed in the left pane. Highlight the domain or OU, then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO you want to configure and click Properties.
5. In the GPO Properties dialog box, click the Security tab.

6. The Security tab appears, as shown in Figure 10-7. Notice that the Authenticated Users group is allowed, by default, the Read and Apply Group Policy permissions.

FIGURE 10-7 Assigning permissions to users, groups, and computers for a GPO

   This tab is virtually the same as every other permissions dialog box you’ve seen so far in Windows 2000. It has the usual list of users and groups (and computers) at the top of the dialog box; and a list of permissions, along with a pair of Allow and Deny check boxes for each permission, at the bottom of the dialog box.
   To remove a user, group (such as Authenticated Users), or computer from the permissions list for the GPO, highlight the user, group, or computer in the Name box, and click Remove.
   To add a user, group, or computer to the Name box, click Add.
7. In the Select Users, Computers, or Groups dialog box, double-click each user, group, and computer you want to add. As you double-click each user, group, and computer, it appears in the bottom portion of the dialog box. Click OK.
8. On the Security tab, each user, group, and computer you added is automatically assigned the Read permission to the GPO.

   If you want this GPO to apply to the user, group, or computer you just added, you’ll have to manually assign the user, group, or computer the Apply Group Policy permission (in addition to the Read permission automatically assigned).
   If you want to delegate administrative control of this GPO to a user or group you just added, you’ll have to manually assign the user or group the Write permission (in addition to the Read permission automatically assigned).
   To change the permissions of a user, group, or computer you added, highlight the user, group, or computer in the Name box, then select or clear the appropriate check boxes in the Permissions box.
   When you’re finished configuring permissions, click OK.
9. On the Group Policy tab, click OK.
10. Close Active Directory Users and Computers.

Linking an Existing Group Policy Object

If you need to apply the same user and computer Group Policy settings to more than one container in Active Directory, consider linking an existing GPO to the additional containers. Linking an existing GPO to another container is a quicker and easier task for an administrator to perform than creating and configuring a new GPO from scratch.

When you link an existing GPO to another container, the settings contained in the existing GPO apply to both of the containers. In addition, when you link an existing GPO to another container, a new Active Directory object is created. The new Active Directory object is a new GPO that is a pointer to the original GPO.

You can assign different users, groups, and computers to the new GPO, and you can change the permissions assigned to users, groups, and computers for the new GPO. These changes will apply only to the new GPO and not to the original GPO. However, you can’t change the actual user and computer configuration settings in the new GPO without affecting the original GPO as well. In other words, the two GPOs share a common set of user and computer configuration settings.

STEP BY STEP

LINKING AN EXISTING GPO TO ANOTHER CONTAINER

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
2. The Active Directory Users and Computers dialog box appears. In the left pane, expand domains and OUs as necessary until the domain or OU (the additional container) to which you want to link an existing GPO is displayed in the left pane. Highlight the domain or OU, then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, click Add.
5. The Add a Group Policy Object Link dialog box appears. Use the navigation features in this dialog box (such as the “Look in” drop-down list box and the Up button) to cause the original GPO to be displayed in the “Domains, OUs and linked Group Policy Objects” list box.
   Figure 10-8 shows this dialog box after I’ve located the GPO I want to link, in this case, the HQ Seattle GPO.

FIGURE 10-8 Linking an existing GPO

   To link the existing GPO once you’ve located it, highlight it and click OK.
6. The Group Policy tab reappears, and the linked GPO is listed. Click OK.
7. Close Active Directory Users and Computers.

Modifying the Order in Which Group Policy Is Applied

If you have more than one GPO associated with a container, and particularly if you filter Group Policy scope by using security groups, you may need to modify the order in which the GPOs for this container are applied.

For example, suppose that TinaT, a user in the HQ Seattle OU, belongs to four groups: Administrators, Managers, Accounting, and Everyone. The HQ Seattle OU has four GPOs associated with it, one for each of these groups, as shown in Figure 10-9. Notice the Up and Down command buttons in this dialog box.

FIGURE 10-9 Modifying GPO order

GPOs are applied, in order, from the bottom of the list to the top of the list. The GPO at the bottom of the list (in this case, the HQ Seattle Administrators GPO) has the lowest priority, and is applied first. The GPO at the top of the list (in this case, the HQ Seattle Managers GPO) has the highest priority, and is applied last.

In our example, this means that settings in the HQ Seattle Administrators GPO will be overridden by any conflicting settings in any of the other GPOs in the list. Because of this, TinaT (and other members of the Administrators group) may be unable to perform her administrative tasks. To prevent this from happening, the Administrator should move the HQ Seattle Administrators GPO to the top of the list.

To modify the order of GPOs, the Administrator can highlight any GPO in the list, and then use the Up and Down command buttons on the Group Policy tab in the container’s Properties dialog box to move the GPO up or down in the list.
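The two precedence rules this chapter has covered, No Override beating “Block Policy inheritance” across containers and bottom-to-top link order within one container, combine when settings are resolved for a user or computer, and the combination is what exam questions and real troubleshooting turn on. The following resolver is an added example written for this page, not code from the book or from Windows. The containers, GPO names (including the HQ Seattle GPOs modelled on the example above) and policy settings are constructed; the domain name example.local and the setting names are placeholders, and the resolver encodes only the rules the chapter states.

```python
"""Model of how Windows 2000 resolves Group Policy precedence.

Constructed example for this page, not code from the book or from Windows.
Rules encoded, as the chapter states them:
  * Settings are applied site -> domain -> OU -> child OU; a GPO applied
    later overrides conflicting settings applied earlier.
  * Within one container, the Group Policy tab list is applied from the
    bottom up, so the GPO at the top of the list has the highest priority.
  * "Block Policy inheritance" on a container stops GPOs linked to its
    parents from applying to it...
  * ...except links marked "No Override", which pass through the block and
    cannot be overridden by conflicting settings in child-container GPOs.
  * Links marked Disabled are skipped.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    settings: dict  # policy -> value; shared by every link to this GPO


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False
    disabled: bool = False


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # top of the Group Policy tab first
    block_inheritance: bool = False
    parent: Optional["Container"] = None


def application_order(target: Container) -> list:
    """GPO links in the order they are applied to `target`
    (first = lowest priority, last = highest)."""
    chain = []
    c = target
    while c is not None:
        chain.append(c)
        c = c.parent
    chain.reverse()  # site, domain, ..., target

    normal, enforced = [], []
    for depth, c in enumerate(chain):
        # A block on any container strictly below this one on the path to
        # the target hides this container's ordinary links from the target.
        blocked = any(d.block_inheritance for d in chain[depth + 1:])
        for link in reversed(c.links):  # bottom of the list is applied first
            if link.disabled:
                continue
            if link.no_override:
                enforced.append(link)  # collected parent-most first
            elif not blocked:
                normal.append(link)
    # No Override links are applied after everything else so nothing below
    # them can win; among several, the one linked highest in the tree wins.
    return normal + list(reversed(enforced))


def effective_settings(target: Container) -> dict:
    """Resolve the settings a user or computer in `target` actually receives."""
    result = {}
    for link in application_order(target):
        result.update(link.gpo.settings)  # later application wins on conflict
    return result


def move_to_top(container: Container, gpo_name: str) -> None:
    """Equivalent of clicking Up until the GPO is first on the Group Policy tab."""
    idx = next(i for i, l in enumerate(container.links) if l.gpo.name == gpo_name)
    container.links.insert(0, container.links.pop(idx))


def build_example():
    """Constructed tree: a domain with two GPOs and a child OU that blocks
    inheritance and lists four GPOs, Administrators at the bottom."""
    domain = Container("example.local", links=[
        Link(GPO("Domain Passwords", {"min_password_length": 8}), no_override=True),
        Link(GPO("Domain Desktop", {"wallpaper": "corp.bmp"})),
    ])
    hq = Container("HQ Seattle", parent=domain, block_inheritance=True, links=[
        Link(GPO("HQ Seattle Managers", {"remove_run": True})),
        Link(GPO("HQ Seattle Accounting", {"hide_display_tab": True})),
        Link(GPO("HQ Seattle Everyone", {"hide_control_panel": True})),
        Link(GPO("HQ Seattle Administrators",
                 {"remove_run": False, "hide_control_panel": False})),
    ])
    return domain, hq


if __name__ == "__main__":
    _, hq = build_example()
    print("Administrators at bottom:", effective_settings(hq))
    move_to_top(hq, "HQ Seattle Administrators")
    print("Administrators at top:   ", effective_settings(hq))
```

Running it shows both effects at once: the OU's block drops the ordinary domain GPO (no wallpaper setting arrives) but not the No Override one (the password length still applies), and with the Administrators GPO at the bottom its settings lose to the Everyone and Managers GPOs until it is moved to the top of the list.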

Configuring Group Policy Settings to Manage User Environments

As you’ve already learned, GPOs must be configured before you can use them to help you manage Windows 2000 computers (and their users) on a network. One of the primary uses of Group Policy is to manage user environments.

You can use Active Directory Users and Computers (or Active Directory Sites and Services, as appropriate) to configure numerous Group Policy options that affect a user’s environment. You can also use the Group Policy snap-in to the MMC to configure Group Policy options. These configuration settings are contained within two primary sections in the Group Policy dialog box: Computer Configuration and User Configuration.

All configurations made in the Computer Configuration section are applied to all specified Windows 2000 computers that reside in the container (site, domain, or OU) with which the GPO is associated. It follows, then, that all configurations made in the Computer Configuration section also indirectly affect all users who log on to these computers.

All configurations made in the User Configuration section are applied to all specified users and groups that reside in the container with which the GPO is associated.

Both the Computer Configuration section and the User Configuration section have a subfolder that contains most of the Group Policy settings that directly affect a user’s environment. This subfolder is called Administrative Templates. Figure 10-10 shows the two Administrative Templates subfolders and their various subfolders.

The Administrative Templates folder in the Computer Configuration section holds several subfolders that each contain various Group Policy options that you can configure to manage a user’s environment:

FIGURE 10-10 The Administrative Templates folders in Group Policy

■ Windows Components: In this folder you can configure numerous settings that affect a user’s ability to utilize specific features of four Windows 2000 components: NetMeeting, Internet Explorer, Task Scheduler, and Windows Installer. For example, you can prevent users from configuring remote desktop sharing in NetMeeting, and you can prevent users from creating new tasks in Task Scheduler.
■ System: In this folder you can configure how Windows 2000 performs certain processes during logon. You can also configure and enable disk quotas, and configure a primary DNS suffix that will be assigned to the Windows 2000 computer. Finally, you can configure numerous settings that determine how Windows 2000 applies Group Policy, and set various Windows File Protection options.
■ Network: In this folder you can configure numerous options to manage network configuration. The primary feature you can configure in this folder is offline files. There are several configurable settings that specify how Windows 2000 will process offline files. In the Network and Dial-up Connections subfolder, you can specify whether users can configure connection sharing.

■ Printers: In this folder you can configure numerous printer settings. For example, you can specify whether printers will be automatically published in Active Directory, and you can configure whether Web-based printing will be supported on the Windows 2000 computer.

The Administrative Templates folder in the User Configuration section also holds several subfolders that each contain various Group Policy options that you can configure to manage a user’s environment:

■ Windows Components: In this folder you can configure numerous settings that affect a user’s ability to utilize specific features of six Windows 2000 components: NetMeeting, Internet Explorer, Windows Explorer, Microsoft Management Console, Task Scheduler, and Windows Installer. For example, you can remove the File menu from Windows Explorer, and you can prevent users from changing home page settings in Internet Explorer.
■ Start Menu & Taskbar: In this folder you can configure the appearance and functionality of the Start menu and taskbar on the user’s computer. For example, you can remove Favorites, Help, Run, or Search from the Start menu. You can also prevent users from changing Start menu and taskbar settings.
■ Desktop: In this folder you can configure various Active Desktop and Active Directory settings. For example, you can enable or disable Active Desktop, and you can hide the Internet Explorer icon on the desktop.
■ Control Panel: In this folder you can configure settings that affect a user’s ability to use Control Panel in general, and configure settings that restrict a user’s ability to use specific features of four Control Panel applications: Add/Remove Programs, Display, Printers, and Regional Options. For example, you can prevent a user from using Control Panel entirely, and you can hide specified Control Panel applications from a user. You can also prevent a user from using Add/Remove Programs, or from seeing specific pages in the Add/Remove Programs Wizard. Likewise, you can hide several tabs from a user in the Display application. Finally, you can prevent a user from adding or deleting printers, or from browsing the network to find printers.

■ Network: In this folder you can configure numerous options to manage network configuration. There are several configurable settings that specify how Windows 2000 will process offline files. For example, you can configure Windows 2000 to synchronize all offline files before a user logs off. There are also several network and dial-up connection settings you can configure. For example, you can prevent a user from viewing the properties of or deleting a RAS connection, and you can prevent a user from configuring connection sharing.
■ System: In this folder you can configure how Windows 2000 performs certain processes when a user logs on or logs off. For example, you can prevent the user from changing his or her password, and you can prevent the user from logging off. You can also configure numerous settings that determine how Windows 2000 applies Group Policy to the user. For example, you can specify the Group Policy refresh interval for users.

Configuring the settings in the Administrative Templates folders is done on a GPO-by-GPO basis, and is fairly straightforward, as the following steps explain. As with other GPO configurations, you can use Active Directory Users and Computers to configure the Administrative Templates folder within a GPO associated with a domain or OU, and you can use Active Directory Sites and Services to configure the Administrative Templates folder within a GPO associated with a site.

TIP
Remember that when you configure the Administrative Templates folder in the Computer Configuration section your settings will apply to specified computers, and that when you configure the Administrative Templates folder in the User Configuration section your settings will apply to specified users.

STEP BY STEP

CONFIGURING THE ADMINISTRATIVE TEMPLATES FOLDER IN A GPO

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand domains and OUs as necessary until the domain or OU associated with the GPO you want to configure is displayed in the left pane. Highlight the domain or OU, then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO for which you want to configure Administrative Templates settings, and click Edit. (You can also double-click the GPO.)
5. The Group Policy dialog box appears. Click the + next to the Administrative Templates folder either in the Computer Configuration section or the User Configuration section. Then expand subfolders as necessary until the folder that contains the settings you want to configure is displayed in the left pane. Highlight the folder that contains the Group Policy settings you want to configure. The configurable settings in that folder are then displayed in the right pane.
6. In the right pane, double-click the setting you want to configure.
7. The setting’s Properties dialog box appears, as shown in Figure 10-11. Notice the Not Configured, Enabled, and Disabled options. These three options are available when configuring many settings in the Administrative Templates folder.

FIGURE 10-11 Configuring settings in the Administrative Templates folder

   If you want more information about the setting you selected, click the Explain tab. Otherwise, configure options as appropriate on the Policy tab. (The possible settings vary substantially from setting to setting.) Click OK.
8. The Group Policy dialog box reappears. Repeat Steps 5, 6, and 7, as necessary, to configure additional Group Policy settings for this GPO. Close the Group Policy dialog box.
9. In the domain or OU’s Properties dialog box, click OK.
10. Close Active Directory Users and Computers.

Configuring Group Policy Settings to Manage Scripts

You can configure Group Policy settings to manage several types of scripts. A script is a text file with a .bat, .js, or .vbs extension that can be used to configure a user’s environment, to start programs, to install software, or to perform various other tasks. Script files that end with a .bat extension can include any MS-DOS 5.0 batch command. Script files that end with a .js extension can include any Microsoft JScript commands. Finally, script files that end with a .vbs extension can include any Visual Basic Scripting Edition (VBScript) commands.

Before you can assign a script to computers or users by using Group Policy, you must create the script. You can use any text editor, such as Notepad, to create a script file. Once you create the script file, you should save it with the appropriate extension (.bat, .js, or .vbs) depending on the type of commands contained in the file.

The types of scripts you can configure Group Policy settings for include startup, shutdown, logon, and logoff scripts. Startup and shutdown scripts apply to specified Windows 2000 computers, while logon and logoff scripts apply to specified users.

Both the Computer Configuration section and the User Configuration section have a subfolder, called Windows Settings, that contains Group Policy settings used to manage scripts. The Windows Settings folder in the Computer Configuration section has a container called Scripts (Startup/Shutdown), and the Windows Settings folder in the User Configuration section has a container called Scripts (Logon/Logoff). In these containers you can specify the name of a script (or scripts) that will run when the specified event (startup, shutdown, logon, or logoff) occurs, and, if multiple scripts are specified for one event, you can specify the order in which scripts will run.

Configuring Group Policy settings to manage scripts is done on a GPO-by-GPO basis, and is fairly straightforward, as the following steps explain.

STEP BY STEP

ASSIGNING SCRIPTS TO USERS AND COMPUTERS

1. Select Start ➪ Programs ➪ Accessories ➪ Windows Explorer.
2. In the left pane, expand drives and folders as necessary until the folder that contains the script you previously created is displayed. Highlight the folder that contains the script. In the right pane, highlight the script file. Select Edit ➪ Copy.
3. Close Windows Explorer.
4. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
5. In the left pane of the Active Directory Users and Computers dialog box, expand domains and OUs as necessary until the domain or OU associated with the GPO you want to configure is displayed in the left pane. Highlight the domain or OU, then select Action ➪ Properties.
6. In the domain or OU’s Properties dialog box, click the Group Policy tab.
7. On the Group Policy tab, highlight the GPO for which you want to configure script settings and click Edit. (You can also double-click the GPO.)
8. The Group Policy dialog box appears.
   To configure settings to manage startup or shutdown scripts, click the + next to the Windows Settings folder in the Computer Configuration section. Then highlight the Scripts (Startup/Shutdown) container in the left pane.
   To configure settings to manage logon or logoff scripts, click the + next to the Windows Settings folder in the User Configuration section. Then highlight the Scripts (Logon/Logoff) container in the left pane.
9. In the right pane, double-click the type of script (Startup, Shutdown, Logon, or Logoff) for which you want to configure Group Policy settings.
10. The Properties dialog box for the type of script you selected appears, as shown in Figure 10-12. Notice that I selected Logon Scripts. The Scripts tab is virtually identical no matter which type of script you select.

FIGURE 10-12 Configuring Group Policy script settings

   To change the position of a script in the list (if multiple scripts are listed) in order to change the order in which the scripts are run, highlight the script you want to move, and use the Up and Down command buttons to change the script’s position in the list. Scripts are run in the order they are listed on the Scripts tab, from the top of the list down.
   To edit the name of a script in the list or to change optional script parameters, highlight the script and click Edit.
   To remove a script from the list, highlight the script and click Remove.
   To add a script to the list, click Show Files.
11. In the dialog box that appears (either Logon, Logoff, Startup, or Shutdown), select Edit ➪ Paste. Close the dialog box.
12. Click Add.
13. The Add a Script dialog box appears. In the Script Name text box, type the name of the script file you want to add. You can browse for the name of the script file if you need to. In the Script Parameters text box, type in any optional parameters for the script file. Click OK.
14. On the Scripts tab, click OK.
15. Close the Group Policy dialog box.
16. In the domain or OU’s Properties dialog box, click OK.
17. Close Active Directory Users and Computers.

Just one final tip on working with scripts. Although you can assign a logon script to an individual user account by configuring a user account’s properties, Microsoft recommends, for ease of administration, that you use Group Policy to assign logon scripts to users.

Configuring Group Policy Settings to Manage Security

You can configure numerous Group Policy settings to manage security settings for Windows 2000 computers, and their users, on your Windows 2000 network.

The Windows Settings folders in both the Computer Configuration section and the User Configuration section have a container, called Security Settings, that contains Group Policy settings used to manage security. Although there is a Security Settings container in each section, virtually all of the configurable options are located in the Security Settings container in the Computer Configuration section — almost no security settings are available in the User Configuration section.

Figure 10-13 shows the many overall types of security settings available in the Computer Configuration section in the Group Policy dialog box.

The Security Settings container in the Computer Configuration section contains several subfolders and containers. Each of these subfolders and containers has various Group Policy options that you can configure to manage security:

■ Account Policies: In this container, you can configure several password policy and account lockout policy options. (These options were discussed in detail in Chapter 9.) For example, you can specify the minimum number of characters a user’s password must contain.

FIGURE 10-13 Security settings in Group Policy

■ Local Policies: In this container you can configure audit policy,
user rights assignment, and security options. For example, you can
set a security option to automatically log off users when their
logon time expires.

CROSS-REFERENCE
Specific user rights assignment settings are covered in Chapter 9, and
specific audit policy settings are covered in Chapter 13.

■ Event Log: In this container you can configure various settings
for the Application, Security, and System logs that administrators
view by using Event Viewer.
■ Restricted Groups: In this folder you can configure Windows
2000 to monitor and maintain the membership lists of specified
local groups (such as Power Users) on nondomain controllers to
ensure that the membership in these groups is not modified by an
Administrator on the local computer. To implement this feature,
you add a specific group to this folder and then specify all of the
group’s members.

■ System Services: In this folder you can specify the startup
behavior of individual services on all Windows 2000 computers
affected by this Group Policy. The possible configurations for
service startup mode are Automatic, Manual, and Disabled. For
example, you can set the service startup mode of the Task Scheduler
service to be disabled. In this folder you can also specify which
users and groups have permissions to start, stop, or manage the
properties of a particular Windows 2000 service.
■ Registry: In this folder you can specify individual registry settings
that will be applied to all computers affected by this Group Policy.
■ File System: In this folder you can configure security settings
for common files and folders that exist on multiple computers in
the container affected by this Group Policy. This enables you to
standardize security settings for common files and folders across
multiple computers. For example, you can assign a specific NTFS
permission, such as Read, to the Program Files folder located
on each computer affected by this Group Policy.
■ Public Key Policies: In this folder you can set various
certificate policies. For example, you can configure a user to be an
encrypted data recovery agent, and you can specify a list of trusted
root certification authorities.

CROSS-REFERENCE
I cover certificates and public key policies in detail in Chapter 18.

■ IP Security Policies on Active Directory: In this container you
can specify IP Security rules for clients, servers, and secure servers.

CROSS-REFERENCE
I discuss IP Security in Chapter 16.

The Security Settings container in the User Configuration section
contains only one subfolder, named Public Key Policies. In this subfolder,
you can configure an enterprise certificate trust list. This list specifies all
certificate authorities that are trusted by all users affected by this Group Policy.

Group Policy security settings are configured on a GPO-by-GPO basis.
As usual, use Active Directory Users and Computers to configure a GPO
associated with a domain or OU, and use Active Directory Sites and
Services to configure a GPO associated with a site.

STEP BY STEP

APPLYING SECURITY POLICIES BY USING GROUP POLICY

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs as necessary until the domain or OU associated with the GPO
you want to configure is displayed in the left pane. Highlight the domain or OU,
then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO for which you want to configure
security settings, and click Edit. (You can also double-click the GPO.)
5. The Group Policy dialog box appears. Click the + next to the Windows
Settings folder in the Computer Configuration section (or the User Configuration
section). Then click the + next to the Security Settings container. Expand subfolders
or containers as necessary until the folder or container that has the security settings
you want to configure is displayed in the left pane. Highlight the folder or container.
6. If the security setting you want to configure is displayed in the right pane, double-
click the setting, and make the necessary configurations in the dialog box that
appears. Click OK.
If no security settings are displayed in the right pane, right-click the highlighted
folder or container and select the Add option from the menu that appears. Make
the necessary configurations and click OK.
7. When you’re finished configuring security settings, close the Group Policy
dialog box.
8. In the domain or OU’s Properties dialog box, click OK.
9. Close Active Directory Users and Computers.

Configuring Group Policy Settings to Redirect Folders


You can configure Group Policy settings that will cause a specific folder (or
folders) in a user’s profile to be redirected to a different location, such as a
shared folder on a network server. When a folder is redirected, it is no
longer stored on the local computer — it is only stored on the network
server. The most common use of this feature is to redirect a user’s My
Documents folder to a shared folder on a network server that is backed up
on a regular basis.
There are many different reasons for redirecting folders. Some of the
more common ones are:
■ To protect data from loss if a disk on a local computer fails.
■ To speed up the process of loading roaming user profiles. (Folders
that are redirected do not have to be copied to the local computer
during the logon process.)
■ To enable users to access all of their personal documents, regardless of
which Windows 2000 computer on the network the users log on to.
■ To maintain consistent security on user-created data.
The folders in a user’s profile that can be redirected are the
Application Data, Desktop, My Documents, My Pictures, and
Start Menu folders.
Group Policy folder redirection settings are configured on a GPO-by-GPO
basis. As usual, use Active Directory Users and Computers to configure
a GPO associated with a domain or OU, and use Active Directory Sites
and Services to configure a GPO associated with a site.

STEP BY STEP

REDIRECTING FOLDERS BY USING GROUP POLICY

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs as necessary until the domain or OU associated with the GPO
you want to configure is displayed in the left pane. Highlight the domain or OU,
then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO for which you want to configure
folder redirection settings, and click Edit. (You can also double-click the GPO.)
5. In the Group Policy dialog box, under User Configuration, click the + next to the
Windows Settings folder. Click the + next to the Folder Redirection
folder. Right-click the name of the folder you want to redirect and select
Properties from the menu that appears.

6. The folder’s Properties dialog box appears. Select one of the available redirection
options from the Setting drop-down list box. The available options are:
• No administrative policy specified: If you select this option, this GPO
will not redirect the folder.
• Basic - Redirect everyone’s folder to the same location: If you select
this option, Windows 2000 will redirect the specified folder (for all users
affected by this GPO) to the same shared folder on the network. You will then
need to specify a network location to redirect users’ folders to. This is normally
a UNC path such as \\Server_name\Share_name\%username%. The
%username% variable creates a new folder in the shared network folder for
each user whose folder is redirected.
• Advanced - Specify locations for various user groups: If you select this
option, users who belong to a specific group will have their folders redirected
to a specific shared folder on the network. You can specify a different network
location for each group you specify. You can use the %username% variable to
give each user in the group an individual folder in the specified network share.
Select the appropriate option and specify the network location(s) to which folders
will be redirected. Click the Settings tab.
7. The Settings tab is displayed, as shown in Figure 10-14. Notice the options
available in the Policy Removal section.

FIGURE 10-14 Configuring folder redirection options


Most of the options on this tab are self-explanatory. However, I want to point out
the two options in the Policy Removal section. If you think that you will ever want
to change the redirected folder back into a local folder, and you don’t want to
have to manually reconfigure each client computer, I recommend you select the
option next to “Redirect the folder back to the local user profile location when
policy is removed.” If you want the folder to remain redirected when the policy is
removed, accept the default option of “Leave the folder in the new location when
policy is removed.”
Configure options on this tab as appropriate. Click OK.
8. Close the Group Policy dialog box.
9. In the Properties dialog box for the domain or OU, click OK.
10. Close Active Directory Users and Computers.

Configuring Group Policy Settings to Manage Software Deployment

You can configure Group Policy to manage software deployment on your
Windows 2000 network. You can deploy applications, deploy service packs,
upgrade applications, and remove deployed applications. All of these tasks
come under the software deployment umbrella.

EXAM TIP
The Directory Services exam has five objectives on using Group Policy to
deploy and maintain software. This subject is sure to be well covered on
this exam. So, if you don’t get much opportunity to deploy software on
the job, be sure to revisit this section before you take the exam.

There are three primary Group Policy software deployment methods:
■ Assign an application to a user: When an application is assigned
to a user by using Group Policy, that application’s shortcuts appear
in the user’s Start menu. The application is not installed until the
user starts the application from the Start menu, or until the user
opens a document that has an extension that is associated with the
application. An application that is assigned to a user is available
regardless of which Windows 2000 computer on the network the
user logs on to. If the application is removed from a computer, or if
any of the application’s files are removed, the application will be
reinstalled or repaired the next time the application is started.
■ Assign an application to a computer: When an application is
assigned to a computer by using Group Policy, that application is
installed on the computer the next time the computer is restarted.
The application is then available to all users who log on to that
computer. If the application is uninstalled or if files are removed,
the application is reinstalled or repaired the next time the
computer boots.
■ Publish an application to a user: When an application is
published to a user, it is installed automatically when a user attempts to
open a document that has an extension that is associated with that
application. The application is not listed in the user’s Start menu until
it is installed. A published application can also be installed by starting
the Add/Remove Programs tool in Control Panel. A published
application is shown in the “Add programs from your network” list
in the Add/Remove Programs tool. Published applications are not
automatically reinstalled or repaired if they are removed or if files are
accidentally deleted.

Preparing Software for Deployment

Before an application can be deployed, its installation files must be placed
in a shared folder on a network server.
Any application that ships with a Windows Installer file (a file that ends
with an .msi extension) can be deployed by using Group Policy.
Applications that do not have a Windows Installer file can be deployed, but
they must be prepared for deployment. You can prepare an application for
deployment either by repackaging the application and creating a Windows
Installer file for the application, or by creating a set of installation
instructions for the application in a text file that ends with a .zap extension.
Applications that use a .zap file for deployment can only be published —
they can’t be assigned to users or computers.
To repackage an application and create an .msi file, you need to use a
special type of software application. Microsoft includes a third-party
application named WinINSTALL LE with Windows 2000. You can use
WinINSTALL LE to repackage an application and create an .msi file.
WinINSTALL LE is located on the Windows 2000 Server/Advanced
Server compact disc in the \VALUEADD\3RDPARTY\WINSTLE folder.

If you don’t want to completely repackage an application, you can
create a .zap file for the application that contains the instructions necessary
to install and configure the application. You can use any text editor, such as
Notepad, to create the .zap file. Listing 10-1 shows the contents of a
sample .zap file that would be used to publish Adobe Acrobat Reader.
LISTING 10-1 Sample .zap File

[Application]
FriendlyName = "Adobe Acrobat Reader"
SetupCommand = ar405eng.exe
[Ext]
pdf=

Notice that a .zap file is separated into two primary sections: the
Application section and the Ext (extensions) section.
In the Application section there are two required commands —
FriendlyName and SetupCommand. FriendlyName is used to specify the
name of the application as it will appear to the user. SetupCommand is used
to specify the filename of the setup program used to install the application.
The Ext section consists of a list of all three-letter file extensions that
will be associated with the application. If more than one extension will be
associated with the application, each extension is placed on a separate line.
Each application extension must be followed by the = sign.
When a .zap file is created, it must be saved in the same folder as the
application’s source files.
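To check that a hand-written .zap file has the structure just described before it is copied next to the application’s source files, here is an added parser and validator (example code written for this page, not from the book or from Microsoft). The sample text is constructed to match Listing 10-1; treating lines that start with a semicolon as comments and matching entry names case-insensitively are assumptions.

```python
"""Parser and validator for the .zap format as described in the text:
an [Application] section with the required FriendlyName and SetupCommand
entries, and an [Ext] section listing file extensions, each followed by '='.
Added example; assumptions are noted in the comments."""
import re
from dataclasses import dataclass


class ZapError(ValueError):
    """Raised when a .zap file violates the format described in the text."""


@dataclass
class ZapFile:
    friendly_name: str      # name shown to the user in Add/Remove Programs
    setup_command: str      # setup program that installs the application
    extensions: list        # file extensions that will trigger the install


# Constructed sample, identical in content to Listing 10-1.
SAMPLE_ZAP = """[Application]
FriendlyName = "Adobe Acrobat Reader"
SetupCommand = ar405eng.exe
[Ext]
pdf=
"""


def _split_sections(text):
    """Return {section_name_lower: [(key, value), ...]} for INI-style text."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment (assumed)
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ZapError("entry appears before any [section]: %r" % line)
        if "=" not in line:
            raise ZapError("every entry must contain '=': %r" % line)
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def parse_zap(text):
    """Parse and validate a .zap file; raise ZapError on any structural problem."""
    sections = _split_sections(text)
    if "application" not in sections:
        raise ZapError("missing required [Application] section")
    if "ext" not in sections:
        raise ZapError("missing required [Ext] section")

    # Entry names are matched case-insensitively (assumption).
    app = {key.lower(): value for key, value in sections["application"]}
    missing = [name for name in ("friendlyname", "setupcommand")
               if not app.get(name)]
    if missing:
        raise ZapError("[Application] lacks required entries: " + ", ".join(missing))

    # FriendlyName may be written with or without surrounding quotes.
    friendly = app["friendlyname"].strip('"')
    setup = app["setupcommand"]

    # Each extension sits on its own line and must be followed only by '='.
    extensions = []
    for key, value in sections["ext"]:
        if value:
            raise ZapError("extension %r must be followed by '=' and nothing else" % key)
        if not re.fullmatch(r"[A-Za-z0-9]+", key):
            raise ZapError("invalid extension name: %r" % key)
        extensions.append(key.lower())
    if not extensions:
        raise ZapError("[Ext] must list at least one extension")

    return ZapFile(friendly, setup, extensions)


def is_valid_zap(text):
    """Convenience wrapper: True if the text parses cleanly, False otherwise."""
    try:
        parse_zap(text)
        return True
    except ZapError:
        return False


if __name__ == "__main__":
    print(parse_zap(SAMPLE_ZAP))
```

The validator only checks the file's form; it does not confirm that the program named by SetupCommand actually exists in the same shared folder.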

Deploying and Maintaining Software by Using Group Policy

Group Policy can be used not only to deploy software, but to maintain
software as well. For example, you can use Group Policy to deploy a new
application, and later, when a service pack becomes available, you can redeploy
the application to install the service pack. Finally, when the application is no
longer of value, you can use Group Policy to remove the application. I’ll
explain how to perform each of these tasks in the steps that follow.
Software applications are deployed on a GPO-by-GPO basis. As always,
you can use Active Directory Users and Computers (or Active Directory
Sites and Services, as appropriate) or the Group Policy snap-in to the
MMC to manage Group Policy.

STEP BY STEP

DEPLOYING AN APPLICATION BY USING GROUP POLICY

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs as necessary until the domain or OU associated with the GPO
you want to configure is displayed in the left pane. Highlight the domain or OU,
then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO for which you want to configure
software deployment settings, and click Edit. (You can also double-click the GPO.)
5. In the Group Policy dialog box, under Computer Configuration or User
Configuration (depending on whether you want to deploy software to computers or
users), click the + next to the Software Settings folder. Right-click the
Software installation container, and select New ➪ Package from the menu that
appears.
6. If the package you want to install is not displayed in the Open dialog box, you can
use this dialog box’s browsing feature to browse the network for the folder that
contains the package. Select the Windows Installer file for the package you want
to install and click Open.

TIP
The application must be stored in a shared folder on a network server, or
Group Policy will not be able to install the application on client computers.

7. The Deploy Software dialog box is displayed, as shown in Figure 10-15. Notice
the three available options in this dialog box.

FIGURE 10-15 Configuring software deployment options


• Published: Select the Published option if you want Windows 2000 to
publish the application using the default settings in the Windows Installer file you
selected in Step 6. Skip to Step 14. If you are deploying software to
computers, the Published option will be grayed out, and the Assigned option will be
selected by default.
• Assigned: Select the Assigned option if you want Windows 2000 to assign
the application using the default settings in the Windows Installer file you
selected in Step 6. Skip to Step 14.
• Advanced published or assigned: Select the “Advanced published or
assigned” option if you want to modify how the application is installed or
assigned.
8. The package’s Properties dialog box appears. There are six tabs in this dialog
box: General, Deployment, Upgrades, Categories, Modifications, and Security.
On the General tab, type in the name you want the package to use, or accept
the default. Click the Deployment tab.
9. The Deployment tab appears, as shown in Figure 10-16. Notice the default
deployment options for a package that is being deployed to users.

FIGURE 10-16 Configuring the Deployment tab


If the package is being deployed to computers, the Published option is grayed
out and the Assigned option is selected. In addition, in the “Deployment options”
section, the check box next to “Auto-install this application by file extension
activation” is selected and grayed out, and the check box next to “Do not display this
package in the Add/Remove Programs control panel” is not selected and is also
grayed out.
Select the deployment type you want to use, then select the appropriate check
boxes in the “Deployment options” section.
Select the appropriate option in the “Installation user interface options” section
(in this particular case, Basic or Maximum). The settings available in this section
will vary from application to application. Click the Upgrades tab.
10. On this tab, you can specify which applications (that have been previously
deployed in this GPO by using Group Policy) will be upgraded by this application
package. You can also specify application packages in the current GPO that will
upgrade this package. Configure the selections on this tab as appropriate, and
click the Categories tab.
11. On the Categories tab, you can select one or more categories to list the
application in. (For more information on categories, see the step-by-step section titled
“Creating Application Categories” later in this chapter.) When you finish selecting
categories for the package, click the Modifications tab.
12. On the Modifications tab, add any modifications you have created to the package.
Modifications have special Windows Installer files that end with an .mst
extension. Files that end with an .mst extension are called transforms. Transforms are
used to add features, such as templates, to applications. You can use a third-party
tool to create .mst files. When you finish adding modifications to the application,
click the Security tab.
13. On the Security tab you can assign users or computers permissions to the
package as appropriate. Only users (or computers) that are allowed the Read
permission to the package will be able to install the package. Configure permissions as
appropriate and click OK.
14. Close the Group Policy dialog box.
15. In the domain or OU’s Properties dialog box, click OK.
16. Close Active Directory Users and Computers.

Using Group Policy to Deploy Service Packs for Applications
Once you have deployed an application, you might want to deploy a service
pack for the application. To deploy a service pack, copy the service pack files
into the shared network folder that contains the application’s original installation
files. Ensure that the .msi file for the service pack replaces the original
.msi file. Then use the following steps to redeploy the application.

STEP BY STEP

DEPLOYING A SERVICE PACK BY REDEPLOYING AN APPLICATION

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs as necessary until the domain or OU associated with the GPO
you want to configure is displayed in the left pane. Highlight the domain or OU,
then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO that was originally used to deploy
the application, and click Edit. (You can also double-click the GPO.)
5. In the Group Policy dialog box, in the Computer Configuration or User
Configuration section (depending on whether you originally deployed the software package
to computers or users), click the + next to the Software Settings folder. In
the left pane, highlight Software installation. Then, in the right pane, right-click the
application you want to redeploy and select All Tasks ➪ Redeploy application from
the menu that appears.
6. In the Application’s dialog box, click Yes to redeploy the application.
7. Close the Group Policy dialog box.
8. In the domain or OU’s Properties dialog box, click OK.
9. Close Active Directory Users and Computers.

Using Group Policy to Create Application Categories
If you plan to deploy many applications, you might want to create application
categories that will be displayed in the Add/Remove Programs application in
Control Panel. Application categories make it easier for users to find and install
published or assigned applications that they need to perform their jobs.
Once you create categories, you can assign them to software applications.
You can assign categories to applications either during the deployment
process or after they have been assigned or published. Figure 10-17 shows
how software categories appear in the Add/Remove Programs application
in Control Panel. Notice that only graphics applications are listed when
Graphics is selected from the Category drop-down list box.

FIGURE 10-17 Using application categories

STEP BY STEP

CREATING APPLICATION CATEGORIES

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs as necessary until the domain or OU associated with the GPO
you want to configure is displayed in the left pane. Highlight the domain or OU,
then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO for which you want to create
application categories and click Edit. (You can also double-click the GPO.)
5. In the Group Policy dialog box, under Computer Configuration or User
Configuration (depending on whether you want to create categories for software
applications that are deployed to computers or users), click the + next to the Software
Settings folder. In the left pane, right-click Software installation and select
Properties from the menu that appears.
6. In the Software installation Properties dialog box, click the Categories tab.
7. On the Categories tab, click Add to add a software category.

8. In the Enter new category dialog box, type in a name for the new software
category and click OK.
9. Repeat Steps 7 and 8 until you have created all of the software categories you
need. Click OK.
10. Close the Group Policy dialog box.
11. In the domain or OU’s Properties dialog box, click OK.
12. Close Active Directory Users and Computers.

Using Group Policy to Remove Deployed Applications
If the users on your network no longer need an application, or if you have
replaced an application with one from a different vendor, you might want to
remove an application that you have previously deployed. You can easily remove
deployed applications by using Group Policy.

STEP BY STEP

REMOVING A DEPLOYED APPLICATION BY USING GROUP POLICY

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs as necessary until the domain or OU associated with the GPO
you want to configure is displayed in the left pane. Highlight the domain or OU,
then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO that was used to deploy the
application and click Edit. (You can also double-click the GPO.)
5. In the Group Policy dialog box, under Computer Configuration or User
Configuration (depending on whether you want to remove software that was originally
deployed to computers or users), click the + next to the Software Settings
folder. In the left pane, highlight Software installation. Then, in the right pane,
right-click the application you want to remove and select All Tasks ➪ Remove
from the menu that appears.

6. In the Remove Software dialog box, you can choose to either immediately
uninstall the software, or allow users to continue using existing installations but
prevent new installations. Select the appropriate removal method and click OK.
7. Close the Group Policy dialog box.
8. In the domain or OU’s Properties dialog box, click OK.
9. Close Active Directory Users and Computers.

Troubleshooting Software Deployment

Sometimes software deployment doesn’t work exactly the way you want it
to. Because of this, I have included a few common software deployment
problems and recommended solutions to those problems.
■ An application is assigned to computers in the GPO, but
it is not installed on a particular computer: The most likely
cause of this problem is that the GPO does not apply to the
computer. This might occur because the computer does not have the
Read and Apply Group Policy permissions to the GPO, or because
the computer is not in the container the GPO is associated with.
■ An application is published to a user, but the user is unable
to install the application: The most likely cause of this problem
is that the user does not have enough permissions to access the
shared network folder that contains the application. Ensure that the
user is allowed at least the Read share permission and the Read &
Execute NTFS permissions to the shared network folder that
contains the application files.
■ An application is assigned to a user, but it doesn’t install
when it is invoked from the Start menu: One of the most
likely causes of this problem is that the application has been
marked for removal from the computer in another GPO. If an
application is marked for mandatory removal from a computer,
the application will not install on that computer even if the
application is assigned to a user on that computer.

Troubleshooting Group Policy

Group Policy is a very complex feature of Windows 2000. It can be
configured for each domain, site, and OU in Active Directory. In addition,
each domain, site, or OU can have more than one GPO assigned. To make
matters even more complex, each computer can have Local Group Policy
configured, as well. To top all that off, an administrator can modify how
Group Policy is inherited and applied.
Because of Group Policy’s complexity, it is fairly easy for two or more
GPOs to have conflicting settings that apply to the same user, group of
users, computer, or group of computers. Most Group Policy problems
involve conflicting settings. Here are a few troubleshooting tips to help you
resolve Group Policy problems.
■ Verify that the No Override setting isn’t configured on any GPO
that applies to a parent container. If it is configured, verify that
there are no conflicting settings between the GPO on the parent
container and the GPO that is not working correctly.
■ Verify that the “Block Policy inheritance” check box is not selected
on any child containers that are affected by the GPO that is not
being applied correctly.
■ Verify that the Disabled option is not configured for a GPO that is
not being applied.
■ Verify that the users and computers that the GPO is intended to
affect are actually in the container (or one of its subcontainers)
with which the GPO is associated.
■ Ensure that the users and computers the GPO is intended to affect
are allowed the Read and Apply Group Policy permissions to the
GPO.
■ If multiple GPOs apply to a user or a computer (often due to the
user’s or computer’s membership in multiple security groups),
verify that there are no conflicting settings in the GPOs. If conflicts
are present, reconfigure the GPOs as necessary, or consider
modifying the order in which the GPOs are applied.
■ Verify that the unused portions of GPOs that apply only to users
(or only to computers) are disabled. This will speed up the
application of GPOs during the boot-up and logon processes.
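The checks in this list can be reasoned about on a model before touching a live domain. The following added example (not from the book or from Microsoft) simulates how the GPOs linked along a site, domain, and OU chain are applied to one user or computer, honouring No Override, Block Policy inheritance, the Disabled option, the Read and Apply Group Policy permissions, and last-applied-wins, and it prints a trace explaining why each GPO was applied or skipped. The container chain, GPO names, groups, and settings are constructed; it assumes that containers are given from the site down to the one holding the principal, that each container’s GPOs are listed in the order they are applied, and that allowed_groups is the set of groups granted both Read and Apply Group Policy on the GPO.

```python
"""Model of Windows 2000 GPO application for one user or computer.
Added example; the chain, names and settings below are constructed."""
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict                    # setting name -> value
    disabled: bool = False            # the GPO's Disabled option
    no_override: bool = False         # No Override on the GPO link
    # Groups granted both Read and Apply Group Policy on this GPO (assumed).
    allowed_groups: frozenset = frozenset({"Authenticated Users"})


@dataclass
class Container:
    name: str
    gpos: list                        # GPO objects, in application order
    block_inheritance: bool = False   # "Block Policy inheritance" check box


@dataclass
class Principal:
    name: str
    groups: frozenset                 # security groups the user/computer is in


def resolve_policy(chain, principal):
    """Return (effective_settings, winning_gpo_per_setting, trace)."""
    # Block Policy inheritance on a container blocks every GPO without
    # No Override from the containers above it; only the deepest block matters.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance),
                   default=-1)
    normal, enforced, trace = [], [], []
    for i, cont in enumerate(chain):
        for gpo in cont.gpos:
            tag = f"{gpo.name} ({cont.name})"
            if gpo.disabled:
                trace.append(f"{tag}: skipped, GPO is disabled")
            elif not (principal.groups & gpo.allowed_groups):
                trace.append(f"{tag}: skipped, no Read + Apply Group Policy permission")
            elif gpo.no_override:
                enforced.append((gpo, cont))      # always applied, cannot be blocked
            elif i < block_at:
                trace.append(f"{tag}: skipped, blocked by {chain[block_at].name}")
            else:
                normal.append((gpo, cont))
    # Normal GPOs apply top-down (last wins); No Override GPOs apply after
    # them, with the highest container's No Override GPO applied last.
    effective, source = {}, {}
    for gpo, cont in normal + list(reversed(enforced)):
        trace.append(f"{gpo.name} ({cont.name}): applied")
        for key, value in gpo.settings.items():
            effective[key] = value
            source[key] = gpo.name
    return effective, source, trace


def sample_chain(block_sales=True):
    """Constructed site -> domain -> OU chain for the demonstration."""
    site = Container("HQ-Site", [
        GPO("Site-Baseline", {"AuditLogonEvents": "Success"})])
    domain = Container("corp.example", [
        GPO("Domain-Security", {"AuditLogonEvents": "Success, Failure",
                                "TaskSchedulerStartup": "Disabled"},
            no_override=True),
        GPO("Domain-Desktop", {"RedirectMyDocuments": r"\\fs1\home\%username%"})])
    sales = Container("Sales OU", [
        GPO("Sales-Desktop", {"RedirectMyDocuments": r"\\fs2\sales\%username%",
                              "TaskSchedulerStartup": "Manual"}),
        GPO("Sales-Legacy", {"AuditLogonEvents": "No auditing"}, disabled=True),
        GPO("Sales-Managers", {"RedirectMyDocuments": r"\\fs2\managers\%username%"},
            allowed_groups=frozenset({"Sales Managers"}))],
        block_inheritance=block_sales)
    return [site, domain, sales]


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"Authenticated Users", "Sales Staff"}))
    effective, source, trace = resolve_policy(sample_chain(), alice)
    for line in trace:
        print(line)
    for key in sorted(effective):
        print(f"{key} = {effective[key]!r}  <- {source[key]}")
```

Running it shows the Sales OU's Manual startup setting for Task Scheduler losing to the domain's No Override GPO, while its folder redirection survives because it is applied after the (blocked) domain GPO.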

KEY POINT SUMMARY

This chapter introduced several important System Policy and Group Policy topics:
■ System Policy is a collection of administrator-created user, group, and
computer system policies that enable an administrator to manage non-Windows
2000 client computers (and their users) on a Windows 2000 network. You can
create System Policy for Windows NT 4.0, Windows 95, and Windows 98
computers (and their users).
■ System Policy is managed and configured by using the System Policy Editor
(Poledit.exe). The three types of policies that can be included in System
Policy are a user system policy, a group system policy, and a computer system
policy.
■ Group Policy is a policy that contains rules and settings that are applied to
Windows 2000 computers, their users, or both, that are located in a specific
part of Active Directory. You can configure Group Policy settings to manage
user environments, scripts, security, redirection of folders, and software
deployment.
■ Group Policy is typically implemented in Active Directory. However, Group
Policy can be implemented directly on the local computer. When implemented
on the local computer, Group Policy is called Local Group Policy.
■ Group Policy consists of two components: an Active Directory object, called a
Group Policy object (GPO), and a series of files and folders that are automati-
cally created when the GPO is created.
■ Group Policy is applied to Windows 2000 computers and their users in a pre-
defined, systematic manner.
■ Inheritance also affects how Group Policy is applied. A user or a computer
normally inherits Group Policy from the container in which it resides and from
the parent containers above it in the Active Directory tree. When Group Policy
settings conflict, the Group Policy that is applied last is the policy that takes
precedence.
■ Local Group Policy is configured on an individual Windows 2000 computer by
using the Group Policy snap-in to the Microsoft Management Console (MMC).
You must be a member of the Administrators group on the local computer to
manage Local Group Policy.

712 Part III ▼ Managing and Securing Resources

■ You can use Active Directory Users and Computers to create a GPO associ-
ated with a domain or an OU. You can use Active Directory Sites and Services
to create a GPO associated with a site. You can use these same tools to con-
figure and modify the GPOs you create.
■ You can use Group Policy to deploy software, upgrade software, apply service
packs, and remove software. You can select from three software deployment
methods: assigning software to computers, assigning software to users, and
publishing software to users.

STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about System Policy and Group Policy, and to help you prepare
for the Professional, Server, and Directory Services exams:
■ Assessment questions: These questions test your knowledge of
the System Policy and Group Policy topics covered in this chapter.
You’ll find the answers to these questions at the end of this chapter.
■ Scenarios: The situation-based questions in scenarios challenge
you to apply your understanding of the material to solve a hypothetical
problem. In this chapter’s scenario, you are asked to analyze
Group Policy and System Policy situations and recommend solutions
for given problems. You don’t need to be at a computer to do
scenarios. Answers to this chapter’s scenarios are presented at the
end of this chapter.
■ Lab exercises: These exercises are hands-on practice activities that
you perform on a computer. The lab exercise in this chapter gives
you an opportunity to practice various System Policy and Group
Policy tasks.

Assessment Questions
1. You want to use System Policy to manage several Windows 98 client
computers on your company’s Windows 2000 network. Where must
you create this System Policy file?
A. On any Windows 2000 computer on the network on which the
ADMINPAK is installed
B. On any Windows 2000 Server computer on your network
C. On a Windows 2000 Server computer on your network that is a
domain controller
D. On a Windows 98 computer
2. You create a System Policy file on a Windows 2000 Server computer
to manage Windows NT 4.0 client computers (and their users) on
your Windows 2000 network. What filename should you assign to this
System Policy file?
A. Config.pol
B. Ntconfig.pol
C. Nt4config.pol
D. Winntconfig.pol
3. You want to create a Group Policy object (GPO) that will be associated
with a specific domain. Which tool should you use?
A. Domain Security Policy
B. Domain Controller Security Policy
C. Active Directory Users and Computers
D. Active Directory Sites and Services
4. You recently created a Group Policy object (GPO) and associated this
GPO with a particular OU. Now you want to link this existing GPO
with two additional OUs. Which tool should you use to link the GPO?
A. Windows Explorer
B. Internet Explorer
C. Active Directory Users and Computers
D. Active Directory Sites and Services
5. You want to delegate administrative control of a Group Policy object
(GPO) to an assistant network administrator. What are the minimum
Active Directory permissions that the assistant must have for the GPO?
A. Read and Write
B. Write and Create All Child Objects
C. Write and Apply Group Policy
D. Full Control, Read, Write, Create All Child Objects, Delete All
Child Objects, and Apply Group Policy
6. Which software deployment tasks can be performed by using Group
Policy? (Choose all that apply.)
A. Upgrading software
B. Removing software
C. Deploying service packs
D. Repackaging an application and creating a Windows Installer
(.msi) file for it
7. Which Windows 2000 feature should you use to manage user envi-
ronments for 1000 Windows 2000 Professional client computers on
your Windows 2000 network?
A. System Policy
B. Group Policy
C. Local Group Policy
D. Logon Scripts
8. You want to deploy a service pack for an application that was originally
deployed by using Group Policy. You copy the service pack files
to the shared network folder that contains the application’s original
installation files. What should you do next?
A. Remove the application.
B. Upgrade the application.
C. Redeploy the application.
D. Publish the service pack as a new application.

Scenarios
Using Group Policy and System Policy to manage your network can be an
enormously complex task. For each of the following problems, consider
the given facts and answer the question or questions that follow.
1. You manage a Windows 2000 network that has over 1,000 Windows
2000 Professional client computers.You just downloaded a service pack
for an application that was deployed to all client computers by using
Group Policy. What steps would you take to deploy the service pack?
2. You recently configured a GPO for an OU that contains 100 users
and their computers. Many of the settings in the GPO are not taking
effect. What should you do to resolve this problem?
3. You have configured several user settings in a GPO that is associated
with an OU. These settings are not being applied to any users in the
OU. What should you do to resolve this problem?
4. You want to use Group Policy to replace an old word processing
application from one software vendor with a new word processing
application from another software vendor. You want to make this
change on 300 Windows 2000 Professional client computers on
your Windows 2000 network. The new application can’t be used to
upgrade the old application. What should you do to accomplish this?
5. You have assigned an application to computers in a GPO that is associated
with an OU. You have restarted all of the computers in the
OU, but the application is only installed on some of the computers
in the OU. What should you do to resolve this problem?
6. You recently used Poledit.exe on a Windows 2000 computer to
create a System Policy file named Ntconfig.pol. The settings in
this policy file are taking effect on all Windows NT Workstation 4.0
client computers on your network, but they are not taking effect on
the Windows 98 client computers on your network. What is the cause
of this problem, and what should you do to resolve it?
7. You configure Local Group Policy to remove the Run command
from the Start menu on a Windows 2000 Professional client computer.
After shutting down and restarting the computer, the Run
command is still displayed in the Start menu. What should you do
to resolve this problem?

Lab Exercises
Lab 10-1 Managing policies in Windows 2000
EXAM MATERIAL: Professional, Server, Directory Services

The purpose of this lab is to provide you with an opportunity to practice
many of the tasks associated with managing policies in a Windows 2000
environment.
There are four parts to this lab:
■ Part 1: Configuring Local Group Policy
■ Part 2: Configuring System Policy
■ Part 3: Sharing a Folder for Application Distribution
■ Part 4: Configuring Group Policy
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Configuring Local Group Policy


In this part, you use the Group Policy snap-in to the Microsoft Management
Console (Gpedit.msc) to manage Local Group Policy on a Windows 2000
Server computer.
1. Select Start ➪ Run.
2. In the Run dialog box, type gpedit.msc and click OK.
3. In the Group Policy snap-in to the MMC, click the + next to the
Administrative Templates folder in the User Configuration
section. Click the + next to the System folder. Highlight the Logon/
Logoff folder.
4. In the right pane, double-click “Run logon scripts visible.”
5. In the Run logon scripts visible Properties dialog box, select the
Enabled option and click OK.
6. In the left pane, highlight the Start Menu & Taskbar folder.
7. In the right pane, double-click “Remove Help menu from Start Menu.”
8. In the Remove Help menu from Start Menu Properties dialog box,
select the Enabled option and click OK.
9. Close the Group Policy dialog box.
10. Select Start, and notice that the Help option is no longer displayed in
the Start menu.
11. Select Start ➪ Run.
12. In the Run dialog box, ensure that gpedit.msc appears in the Open
text box and click OK.
13. In the Group Policy dialog box, click the + next to the Adminis-
trative Templates folder in the User Configuration section.
Highlight the Start Menu & Taskbar folder.
14. In the right pane, double-click “Remove Help menu from Start Menu.”
15. In the Remove Help menu from Start Menu Properties dialog box,
select the Not Configured option and click OK.
16. Close the Group Policy dialog box.

Part 2: Configuring System Policy


In this part, you use System Policy Editor (Poledit.exe) to create a
Windows NT 4.0 System Policy and to manage the local Windows 2000
Server computer.
1. Select Start ➪ Run.
2. In the Run dialog box, type Poledit.exe and click OK.
3. In the System Policy Editor dialog box, select File ➪ New Policy.
4. In the System Policy Editor dialog box, double-click Default
Computer.
5. In the Default Computer Properties dialog box, click the + next to
Windows NT System, then click the + next to Logon. Select the
check box next to “Do not display last logged on user name.” The
check box should be white with a check in it. Click OK.
6. In the System Policy Editor dialog box, double-click Default User.
7. In the Default User Properties dialog box, click the + next to
Desktop. Select the check box next to Color scheme. The check box
should be white with a check in it.
In the “Scheme name” drop-down list box (located at the bottom of
the Default User Properties dialog box), select Wheat.
Click the + next to Shell, then click the + next to Restrictions.
Select the check box next to “Remove Run command from Start
menu,” and select the check box next to “Don’t save settings at exit.”
Click OK.
8. Select File ➪ Save As.
9. In the Save As dialog box type \\Server01\NETLOGON\
NTconfig.pol in the File name text box. Click Save.
10. In the System Policy Editor dialog box, select File ➪ Close. Select
File ➪ Open Registry.
11. In the System Policy Editor - Local Registry dialog box, double-click
Local User.
12. In the Local User Properties dialog box, click the + next to Shell,
then click the + next to Restrictions. Select the check box next to
“Remove Run command from Start menu.” Click OK.
13. Select File ➪ Save. Then select File ➪ Exit.

14. Click Start. Notice that the Run command has not been removed
from the Start menu. The changes made in System Policy Editor will
not take place until you log off and log on again.
15. Click Start ➪ Shut Down.
16. In the Shut Down Windows dialog box, select Log off Administrator
from the drop-down list box. Click OK.
17. Press Ctrl+Alt+Delete. In the Log On to Windows dialog box, type
in a user name of Administrator and a password of password.
Click OK.
18. Click Start. Notice that the Run command is no longer displayed in
the Start menu.
19. Select Start ➪ Programs ➪ Accessories ➪ Command Prompt.
20. At the command prompt, type poledit and press Enter.
21. In the System Policy Editor dialog box, select File ➪ Open Registry.
22. In the System Policy Editor - Local Registry dialog box, double-click
Local User.
23. In the Local User Properties dialog box, click the + next to Shell,
then click the + next to Restrictions. Clear the check box next to
“Remove Run command from Start menu.” Click OK.
24. Select File ➪ Save. Then select File ➪ Exit.
25. Close the Command Prompt dialog box. The next time you log off
and log on, the Run command will reappear in the Start menu.

Part 3: Sharing a Folder for Application Distribution


In this part, you use Windows Explorer to create and share a folder that
will be used for application distribution.
1. Select Start ➪ Programs ➪ Accessories ➪ Windows Explorer.
2. In the left pane, click the + next to My Computer. Highlight Local
Disk (C:).
3. Select File ➪ New ➪ Folder.
4. In the right pane, type a folder name of Apps and press Enter.
5. Right-click the Apps folder and select Sharing from the menu that
appears.

6. On the Sharing tab, select the option next to “Share this folder” and
click OK.
7. Place your Windows 2000 Server compact disc in your computer’s
CD-ROM drive.
8. Close the Microsoft Windows 2000 CD dialog box.
9. In the left pane, click the + next to your CD-ROM drive. Highlight
the I386 folder.
10. In the right pane, scroll down until a file named ADMINPAK is dis-
played. (It may appear either as ADMINPAK or ADMINPAK.MSI.)
Right-click the ADMINPAK file and select Copy from the menu
that appears.
11. Click the + next to Local Disk (C:). Highlight the Apps folder.
Select Edit ➪ Paste. Windows 2000 copies the ADMINPAK file
from your compact disc to the Apps shared folder.
12. Close Windows Explorer.

Part 4: Configuring Group Policy


In this part, you use Notepad to create a logon script, and then use Active
Directory Users and Computers to create a Group Policy object (GPO),
modify Group Policy and Group Policy inheritance, filter Group Policy
settings by associating security groups to the GPO, delegate administrative
control of the GPO, and link an existing GPO.You also use Group Policy
to assign a script policy to users, manage network configuration, and apply
security policies. Finally, you manage software by using Group Policy,
including deploying software (by using a Windows Installer package) and
configuring deployment options.
1. Select Start ➪ Programs ➪ Accessories ➪ Notepad.
2. In the Untitled - Notepad dialog box, type the following lines
as shown:
@echo off
echo This is my logon script
pause

3. Make sure you press Enter after the last line. Select File ➪ Save As. In
the Save As dialog box, type Logonscript.bat in the “File name” text
box, and select All Files from the “Save as type” drop-down list box.
Click Save.

4. Exit Notepad.
5. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory
Users and Computers.
6. In the left pane, right-click the HQ Seattle OU and select Properties
from the menu that appears.
7. In the HQ Seattle Properties dialog box, click the Group Policy tab.
8. On the Group Policy tab, click New. Type a name of HQ Seattle
GPO and press Enter. Click Options.
9. In the HQ Seattle GPO Options dialog box, select the check box
next to No Override. Click OK.
10. On the Group Policy tab, ensure that HQ Seattle GPO is highlighted
and click Properties.
11. In the HQ Seattle GPO Properties dialog box, click the Security tab.
12. On the Security tab, click Add.
13. In the Select Users, Computers, or Groups dialog box, double-click
Mike Calhoun. Then double-click the Sales, Managers, and
Accountants groups. Finally, double-click SERVER01. Click OK.
14. On the Security tab, highlight Mike Calhoun. In the Permissions box
select the Allow check boxes next to Write, Create All Child Objects,
Delete All Child Objects, and Apply Group Policy. (The Read check
box is selected by default — don’t deselect it.)
15. Repeat Step 14 for SERVER01 and for the Sales, Accountants, and
Managers groups.
16. Highlight Authenticated Users, and clear the Allow check box next to
Apply Group Policy. Click OK.
17. On the Group Policy tab, click Edit.
18. In the Group Policy dialog box, in the User Configuration section,
click the + next to the Software Settings folder. Right-click
Software installation and select New ➪ Package from the menu that
appears.
19. In the Open dialog box, type in a file name of \\Server01\Apps\
Adminpak.msi and click Open.
20. In the Deploy Software dialog box, select the option next to
Assigned. Click OK.
21. Select Start ➪ Programs ➪ Accessories ➪ Windows Explorer.
22. In the right pane, highlight Logonscript.bat. (If the Logonscript.bat
file is not displayed in the right pane, click the + next to My
Computer, and then highlight Local Disk (C:).) Select Edit ➪ Copy.
Close Windows Explorer.
23. In the Group Policy dialog box, in the User Configuration section,
click the + next to the Windows Settings folder. Highlight Scripts
(Logon/Logoff). In the right pane, double-click Logon.
24. In the Logon Properties dialog box, click Show Files.
25. In the Logon dialog box, click Edit ➪ Paste. Close the Logon
dialog box.
26. In the Logon Properties dialog box, click Add.
27. In the Add a Script dialog box, click Browse.
28. In the Browse dialog box, double-click Logonscript.bat.
29. In the Add a Script dialog box, click OK.
30. In the Logon Properties dialog box, click OK.
31. In the Group Policy dialog box, in the User Configuration section,
click the + next to the Administrative Templates folder.
Highlight the Start Menu & Taskbar folder. In the right pane,
double-click “Add Logoff to the Start Menu.”
32. In the Add Logoff to the Start Menu Properties dialog box, select the
option next to Enabled. Click OK.
33. In the Group Policy dialog box, in the User Configuration section,
click the + next to the Network folder. Highlight the Network and
Dial-up Connections folder. In the right pane, double-click
“Allow configuration of connection sharing.”
34. In the Allow configuration of connection sharing Properties dialog
box, select the option next to Disabled. Click OK.
35. In the Group Policy dialog box, in the Computer Configuration sec-
tion, click the + next to the Windows Settings folder. Click the +
next to the Security Settings container. Click the + next to the Local
Policies container. Highlight Security Options. In the right pane,
double-click “Automatically log off users when logon time expires (local).”
36. In the Security Policy Setting dialog box, select the check box next
to “Define this policy setting.” Select the option next to Enabled.
Click OK.
37. Close the Group Policy dialog box.
38. In the HQ Seattle Properties dialog box, click Close.
39. In the Active Directory Users and Computers dialog box, right-click
the Denver OU, and select Properties from the menu that appears.
40. In the Denver Properties dialog box, click the Group Policy tab.
41. On the Group Policy tab, click Add.
42. In the Add a Group Policy Object Link dialog box, click the up but-
ton next to the right of the “Look in” drop-down list box. In the
Domains, OUs and linked Group Policy Objects list box, double-
click HQ Seattle.domain1.mcse. Then double-click HQ Seattle GPO.
43. In the Denver Properties dialog box, the HQ Seattle GPO appears in
the Group Policy Object Links list box. Click OK.
44. Close Active Directory Users and Computers.
45. Select Start ➪ Shut Down.
46. In the Shut Down Windows dialog box, select Restart from the drop-
down list box. Click OK.
47. When Windows 2000 restarts, boot your computer to Windows 2000
Server. Press Ctrl+Alt+Delete. In the Log On to Windows dialog
box, type in a user name of MikeCa and a password of changeme.
Click OK.
48. Click OK in the Logon Message dialog box.
49. In the Change Password dialog box, type in a New Password of
password, and confirm it by retyping it. Click OK. Click OK in
the Change Password dialog box that appears.
50. Click the program on the taskbar with a title of C:\WINNT\
System32\cmd . . . . The C:\WINNT\System32\cmd.exe dialog
box appears. It should display:
This is my logon script
Press any key to continue . . .
51. Click anywhere in the dialog box. Then press the spacebar to close
the logon script’s dialog box.
52. Select Start. Notice that there is a Log Off MikeCa option in the
Start Menu.
53. Select Start ➪ Programs ➪ Administrative Tools ➪ DHCP.
54. A Windows Installer dialog box appears. Windows 2000 installs the
Windows 2000 Administrative Tools. Finally, the DHCP dialog box
appears. Close the DHCP dialog box.
Answers to Chapter Questions

Chapter Pre-Test
1. System Policy is a collection of Administrator-created user, group, and
computer system policies that enable an administrator to manage non-
Windows 2000 client computers (and their users) on a Windows 2000
network. The types of client computers that you can create System
Policy for include: Windows NT 4.0 computers, Windows 95 computers,
and Windows 98 computers.
2. System Policy is applied in the following sequence:
a. If a user has an individual user policy, it is applied.
b. If a user does not have an individual user policy, and the user is a
member of a group that has a group system policy, then the group
system policy (or policies, if the user is a member of multiple
groups that each have a group system policy) is applied.
c. If a user does not have an individual user policy, then the Default
User policy is applied.
d. If the non-Windows 2000 client computer the user logs on to has
an individual computer policy, it is applied.
e. If the non-Windows 2000 client computer the user logs on to
does not have an individual computer policy, then the Default
Computer policy is applied.
3. Group Policy is a policy that contains rules and settings that are
applied to Windows 2000 computers, their users, or both, that are
located in a specific part of Active Directory. Group Policy can only
be used to manage Windows 2000 computers on a network (and the
users of those computers).
4. When Group Policy is implemented directly on the local computer, it
is called Local Group Policy.
5. Group Policy consists of two components: an Active Directory object,
called a Group Policy object, and a series of files and folders that are
automatically created when the Active Directory object is created.

Assessment Questions
1. D. The System Policy file for the Windows 98 client computers must
be created on either a Windows 95 or Windows 98 computer. Since a
Windows 98 computer was the only correct answer choice provided
in the possible answers to this question, D is the correct answer.
2. B. A Windows NT 4.0 System Policy file should be named
NTconfig.pol.
3. C. You can use Active Directory Users and Computers to create a
GPO that will be associated with a specific domain or OU. If you are
creating a GPO that will be associated with a site, you should use
Active Directory Sites and Services.
4. C. Use Active Directory Users and Computers to link the existing
GPO to the additional OUs.
5. A. In order to administer a GPO, the assistant network administrator
must be allowed the Read and Write Active Directory permissions to
the GPO.
6. A, B, and C. You can use Group Policy to upgrade software, remove
software, and deploy service packs. However, you need a third-party
application to repackage an application and create an .msi file for it.
7. B. You should use Group Policy to manage multiple Windows 2000
Professional computers on a Windows 2000 network. Using Local
Group Policy would work, but you would have to manage each com-
puter individually.You could also use System Policy Editor to individ-
ually edit the registry on each client computer, but it would be very
inefficient, and System Policy does not have nearly as many features
as Group Policy.
8. C. You should redeploy the application so that the new files in the
service pack will be installed on all computers on which the original
application was deployed.

Scenarios
1. First, copy the contents of the service pack to the shared network
folder that contains the application’s installation files. Make sure that
the original Windows Installer file is replaced with the one in the
service pack. Then use Group Policy to redeploy the application.
2. Ensure that all users and computers that should be affected by the
GPO are allowed the Read and Apply Group Policy permissions to
the GPO. In addition, ensure that no other GPOs that affect those
users and computers are configured with conflicting settings.
3. Ensure that the user configuration settings portion of the GPO is not
disabled. If that does not resolve the problem, ensure that all users in
the OU are allowed the Read and Apply Group Policy permissions to
the GPO. Finally, ensure that no other GPOs that affect those users
are configured with settings that conflict with the new GPO.
4. Use Group Policy to mark the old word processing application for
mandatory removal, and then use Group Policy to deploy the new
word processing application to the appropriate users and computers.
5. Ensure that all computers in the OU are allowed the Read and Apply
Group Policy permissions to the GPO. In addition, ensure that no
other GPO that affects those computers is configured to specify
mandatory removal of the application.
6. A System Policy file that is created on a Windows 2000 computer
can’t be used to manage Windows 98 client computers. You must create
the System Policy file for the Windows 98 client computers by
using Poledit.exe on a Windows 98 (or Windows 95) client com-
puter and save that file as Config.pol (not as Ntconfig.pol).
7. Ensure that no GPOs in Active Directory are overriding the Local
Group Policy settings. A GPO in Active Directory must be overriding
the local settings, or they would have taken effect.

EXAM MATERIAL: Professional, Server

EXAM OBJECTIVES

Professional: Exam 70-210

■ Monitor, manage, and troubleshoot access to files and folders.
■ Configure, manage, and troubleshoot file compression.
■ Control access to files and folders by using permissions.
■ Optimize access to files and folders.
■ Manage and troubleshoot access to shared folders.
■ Create and remove shared folders.
■ Control access to shared folders by using permissions.
■ Connect to shared resources on a Microsoft network.
■ Encrypt data on a hard disk by using Encrypting File System (EFS).

Server: Exam 70-215

■ Monitor, configure, troubleshoot, and control access to files, folders,
and shared folders.
■ Configure, manage, and troubleshoot a stand-alone Distributed
file system (Dfs).
■ Configure, manage, and troubleshoot a domain-based
Distributed file system (Dfs).
■ Monitor, configure, troubleshoot, and control local security on
files and folders.
■ Monitor, configure, troubleshoot, and control access to files
and folders in a shared folder.
■ Configure data compression.
■ Monitor and configure disk quotas.
■ Encrypt data on a hard disk by using Encrypting File System (EFS).

CHAPTER 11
Sharing, Securing, and Accessing Files and Folders

This chapter focuses on sharing, securing, and accessing network
resources. After some introductory information about file and folder
attributes, I’ll get right to the nitty-gritty of sharing folders, including how to
share folders, how to connect to shared folders, and how to work with shared
folder permissions. Then I’ll explore the Distributed file system (Dfs), and
explain how you can use Dfs to make network resources easier for users to
find, and accessible even if a server is down. Next, I’ll explore NTFS permis-
sions. I’ll cover how to assign NTFS permissions to files and folders; how
NTFS permissions are applied to new, moved, and copied files and folders;
and how NTFS and share permissions interact. Then I’ll show you how to take
ownership of files and folders, how to configure and monitor disk quotas, and
how to optimize access to files and folders. Finally, I’ll provide you with some
troubleshooting tips for common resource access and permission problems.
In short, if it has to do with shared files and folders, you’ll find it in this chapter.


Chapter Pre-Test
1. List the seven Windows 2000 file and folder attributes.
2. How does a shared folder appear in Windows Explorer?
3. User and group share permissions are __________ , and
normally the ____________ restrictive permission is the
user’s effective permission.
4. When NTFS and share permissions differ, the _________
restrictive permission becomes the user’s effective permission
to the file or folder in the share.
5. What volume management mechanism can you use to
automatically track disk space usage on a user-by-user basis,
and to prevent individual users from exceeding the disk space
limitations they have been assigned by an Administrator?

Chapter 11 ▼ Sharing, Securing, and Accessing Files and Folders 731

Managing File and Folder Attributes


Windows 2000 files and folders have various properties, called attributes,
some of which the administrator can use to provide a limited amount of
data protection. Administrators or users assign many attributes to protect
files and folders. Other file and folder attributes are automatically applied
to system files during the installation of Windows 2000.

Windows 2000 File and Folder Attributes


There are seven Windows 2000 file and folder attributes. These file and
folder attributes can be used on FAT, FAT32, and NTFS volumes, with
the exception of the Compress, Encrypt, and Index attributes, which are
available only on NTFS volumes.
Table 11-1 lists and describes the Windows 2000 file and folder attributes.
TABLE 11-1 Windows 2000 File and Folder Attributes
Attribute Description

Archive Indicates that the file or folder has been modified since the last
backup.
Is applied by the operating system when a file or folder is saved
or created, and is commonly removed by backup programs after
the file or folder has been backed up.
Compress Indicates that Windows 2000 has compressed the file or folder.
Is only available on NTFS volumes.
Can be set by using Windows Explorer and by using the compress
command-line utility.
Can’t be used in conjunction with the Encrypt attribute. In other
words, a file can be encrypted or compressed, but not both.
Is applied by administrators to control which files and folders
will be compressed.
Encrypt Indicates that Windows 2000 has encrypted the file or folder.
Is only available on NTFS volumes.
Can be set by using Windows Explorer and by using the cipher
command-line utility.
Can’t be used in conjunction with the Compress attribute.
Is applied by users and administrators to control which files and
folders will be encrypted. Once a file or folder has been encrypted,
only the user who encrypted the file or folder (or the Administrator)
can open the file or folder and view its contents.

Continued
4701-1 ch11.f.qc 4/24/00 09:26 Page 732

732 Part III ▼ Managing and Securing Resources

TABLE 11-1 (continued)


Attribute Description

Hidden Indicates that the file or folder can’t be seen in a normal directory scan.
Files or folders with this attribute can’t be copied or deleted.
Is automatically applied to various files and folders by Windows
2000 during installation. In addition, this attribute can be applied
by administrators or users to hide and protect files and folders.
Index Indicates that the file or folder is indexed by the Indexing Service.
Is only available on NTFS volumes.
Can be applied by administrators or users. Once this attribute has
been applied to a file, users can use Windows Explorer to locate this
file by searching for words or phrases contained in the file.
Read-only Indicates that the file or folder can only be read — it can’t be written
to or deleted.
Is often applied by administrators to prevent accidental deletion of
application files.
System Indicates that the file or folder is used by the operating system.
Files or folders with this attribute can’t be seen in a normal directory
scan, and can’t be copied or deleted.
Can’t be set by using Windows Explorer. You must use the attrib
command-line utility to view or change this attribute.
Is automatically applied to various files and folders by Windows 2000
during installation.

EXAM TIP
Both the Professional and Server exams have objectives on configuring
file compression and data encryption. Pay special attention to both the
Compress and Encrypt attributes.

Using the Compress Attribute


The Compress attribute is typically used to conserve disk space. You should
only use this attribute on files or folders that are infrequently accessed
because accessing a compressed file or folder uses more processor time (on
the server that contains the file) than accessing an uncompressed file or
folder. If a large number of users access compressed files on a server, that
server’s performance may be degraded. You can only compress files and
folders on NTFS volumes.

Using the Encrypt Attribute


The Windows 2000 feature that provides the capability of the Encrypt
attribute is called the Encrypting File System (EFS). You don’t need to install
EFS — it’s installed by default and is transparent to users. When users assign
the Encrypt attribute, that’s all there is to it. EFS does all the work. As stated
previously, the Encrypt attribute is only available for files and folders on
NTFS volumes.
The Encrypt attribute is normally applied by a user to protect sensitive
data that should be accessed only by that user. It is typically applied at the
folder level, because when applied to a folder, Windows 2000 encrypts all
of the files in the folder. When applied to an individual file, this attribute
must be reapplied each time the file is modified.
As stated previously, in a Windows 2000 domain environment, only the
user who encrypted the file and the domain’s Administrator account can
open the file. On a local Windows 2000 computer that is not a member of
a domain, only the local user who encrypted the file and the local
Administrator account can open the file. The Administrator account, in
both of these situations, is called the recovery agent because this account is
assigned a special key that permits it to unencrypt (that is, recover)
all encrypted files on the computer. If you want to designate additional
recovery agents, you can use Group Policy to specify additional users (on
the local computer, in an OU, or in an entire domain) who can open all
encrypted files and folders.
The Encrypt and Compress attributes are mutually exclusive — you can
use one or the other, but not both, on a file or folder.

Using the Read-only Attribute


The Read-only attribute is frequently used to prevent the accidental
deletion of application files. When a user has the Write NTFS permission
to a Read-only file or folder on an NTFS volume, the Read-only attribute
takes precedence. The Read-only attribute must be removed before the file
or folder can be modified or deleted. (I’ll cover NTFS permissions a little
later in this chapter.)

Assigning Attributes to Files or Folders


Any user who can access a file or folder on a FAT or FAT32 volume can
modify that file or folder’s attributes. Any user who has the Write NTFS
permission (or any permission that includes the functionality of the Write
permission) to a file or folder on an NTFS volume can modify that file or
folder’s attributes.
Most file and folder attributes can be changed or assigned by using
Windows Explorer, as the following steps explain.
STEP BY STEP

ASSIGNING FILE OR FOLDER ATTRIBUTES

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows
Explorer.)
2. In the left pane, expand folders as necessary until the file or folder to which you
want to assign attributes is displayed in the right pane. In the right pane, highlight
that file or folder. Select File ➪ Properties. (Or, right-click the file or folder, and
select Properties from the menu that appears.)
3. The file or folder’s Properties dialog box appears, as shown in Figure 11-1.
Notice the attributes that you can assign on the General tab.

FIGURE 11-1 Setting file or folder attributes

If you want to assign the Read-only or Hidden attributes, select the check box
next to the attribute you want to assign. To assign all other attributes, click
Advanced.

TIP
Files and folders on FAT or FAT32 volumes don’t have the Advanced command
button, but do have an additional check box for the Archive attribute.

4. The Advanced Attributes dialog box appears, as shown in Figure 11-2. Notice
that the Index attribute is selected by default. This dialog box (and the attributes
it contains) is available only for files or folders on NTFS volumes.

FIGURE 11-2 Setting advanced attributes

Select the check boxes next to the attributes you want to assign. (Or, clear the
check boxes next to attributes you want to remove.) The user interface in this
dialog box will not permit you to select both the Compress and Encrypt attributes —
you can select one or the other, but not both. Click OK.
5. In the file or folder’s Properties dialog box, click OK.
6. If you have modified the attributes of a folder that contains other files or folders,
a Confirm Attribute Changes dialog box appears. Choose whether to apply your
changes to this folder only, or to apply your changes to this folder and all of its
subfolders and files. Click OK.
7. Windows 2000 applies attributes. Close Windows Explorer.

Managing Shared Folders


In Windows 2000, folders are shared to enable users to access network
resources. A folder can’t be accessed by users across the network until it is
shared or placed within another folder that is shared. Once a folder is
shared, users with the appropriate permissions can access the shared folder
(and all folders and files that the shared folder contains) over the network.
A shared folder appears in Windows Explorer as a folder with a hand
under it. A shared folder is often referred to as a share.

Sharing a Folder
Only certain users can share folders:
■ Members of the Administrators and Server Operators built-in local
groups on domain controllers can share folders on any Windows
2000 domain controller in the domain.
■ Members of the Administrators and Power Users built-in local groups
on nondomain controllers (whether or not they are members of the
domain) can share folders on the local computer.
■ Members of the Domain Admins built-in global group on
domain controllers can share folders on any Windows 2000
computer that is a member of the domain. This is due to the
fact that the Domain Admins group is, by default, a member of
the Administrators built-in local group on domain controllers
and a member of the Administrators built-in local group on all
nondomain controllers that are members of the domain.
When a folder is shared, its entire contents (including all files and subfolders)
are available to users who have the appropriate permissions to the share.
Because all files and subfolders are accessible when a folder is shared, you
should consider which users and groups need access to folders when you
design your server’s folder structure.
When sharing a folder, it’s a good idea to assign it a share name that is
easily recognized by users, and one that appropriately describes the
resources contained in the folder. Otherwise, users can become frustrated
trying to locate the specific network resources they need.
Additionally, keep in mind when you assign a name to a shared folder
that a long share name may not be readable by all client computers on your
network. MS-DOS computers, for example, can only read share names of
up to 8 characters (plus a 3-character extension) in length, and Windows
95 and Windows 98 computers can only read share names of up to 12
characters in length. Share names on Windows 2000 and Windows NT
computers can be up to 80 characters long.
You can use Windows Explorer or Computer Management to share
folders on the local Windows 2000 computer. To share folders on remote
computers, use Computer Management.
STEP BY STEP

USING WINDOWS EXPLORER TO SHARE A FOLDER ON THE LOCAL COMPUTER

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows
Explorer.)
2. In the left pane, expand folders as necessary until the folder you want to share is
displayed in the right pane. In the right pane, highlight that folder. Select File ➪
Sharing. (Or, right-click the folder, and select Sharing from the menu that appears.)
3. The folder’s Properties dialog box appears with the Sharing tab displayed. To
share this folder, select the “Share this folder” option, as shown in Figure 11-3.

FIGURE 11-3 Sharing a folder in Windows Explorer

There are several configurable options on this tab:


Share name: Either accept the default name in the “Share name” text box or
type in the name you want to use for the share.
Comment: You can add a descriptive comment about the share in the Comment
text box if you want to. (This is an optional entry.)
User limit: If you want to limit the number of users who can connect to this
share simultaneously (because of licensing limitations or for other reasons),
you can configure the “User limit” section on this tab. The default “User limit”
is “Maximum allowed.”

Permissions: If you want to assign or change share permissions for this shared
folder, click Permissions. (I’ll cover share permissions later in this chapter.)
Caching: If you want to modify offline file settings for this shared folder,
click Caching. Then, in the Caching Settings dialog box, select from the
following options:
Allow caching of files in this shared folder: This check box is selected by
default. If you want to prevent users from viewing this folder offline, clear this
check box. If you want users to be able to configure this folder for offline use,
accept the default setting, and select one of the following three options in the
Setting drop-down list box:
■ Manual Caching for Documents: Select this option if you want users to
manually configure individual files in this folder for offline use. This is the
default setting.
■ Automatic Caching for Documents: Select this option if you want the
files in this shared folder to be automatically downloaded to a user’s local
computer and cached on the local hard disk as the user opens each file in
the shared folder. The entire folder is not cached on the user’s computer —
just the individual files the user has opened. If this option is selected, users
don’t have to manually configure the files in this folder for offline use. In
addition, the cached files are automatically synchronized with the server
when the user logs on and logs off his or her computer. This setting is not
recommended when multiple users access and change the same file(s) in
the shared folder.
■ Automatic Caching for Programs: Select this option if this folder contains
application files, and you want these application files to be cached on the
user’s local computer. Selecting this option can increase access speed for
the user and decrease network traffic because the application is executed
from the user’s local computer instead of over the network. If application files
in this shared folder are updated on the server, Windows 2000 will update
the cached files on the user’s local computer the next time the user logs on
or logs off.

CROSS-REFERENCE
For more information on working with offline files, see the “Folder
Options” section in Chapter 5.

Click OK.
4. In the folder’s Properties dialog box, click OK.
5. Close Windows Explorer.
STEP BY STEP

USING COMPUTER MANAGEMENT TO SHARE A FOLDER

1. Start Computer Management. (Right-click My Computer, and select Manage
from the menu that appears.)
2. If you want to share a folder on this computer, skip to Step 4.
If you want to share a folder on a remote computer, in the left pane of the
Computer Management dialog box, right-click Computer Management (Local),
and select “Connect to another computer” from the menu that appears.
3. In the Select Computer dialog box, double-click the name of the computer
on which you want to share a folder.
4. In the left pane of the Computer Management dialog box, click the + next to
System Tools (if System Tools is not already expanded). Click the + next to
Shared Folders. Highlight Shares. Select Action ➪ New File Share.
5. The Create Shared Folder dialog box appears, as shown in Figure 11-4.

FIGURE 11-4 Sharing a folder in Computer Management

In this dialog box, enter the full path to the folder you want to share (such
as C:\Data). You can browse for this folder if you don’t know its path.
Enter a share name for the share. You can also enter a description for the share
if you want to. Click Next.
6. In the next dialog box, configure the appropriate share permissions for this shared
folder. (I’ll cover share permissions a little later in this chapter.) Click Finish.
7. A dialog box appears, indicating that the folder has been successfully shared.
Click Yes if you want to create another shared folder. Otherwise, click No.

8. The folder you just shared appears in the right pane of the Computer
Management dialog box. Close Computer Management.

Connecting to Shared Folders


Users must connect to shared folders before they can access the resources
they contain. In the next sections, I’ll discuss how to connect to shared
folders, including how to use common naming conventions, Windows
Explorer, and the command line to connect to shared network resources.

Naming Conventions
A naming convention is an accepted method of identifying individual
computers and their resources on the network.
The two common naming conventions used in Windows 2000 are the
universal naming convention (UNC) and fully qualified domain names (FQDNs).
A UNC name consists of a server name and a shared resource name in
the following format:
\\Server_name\Share_name

In this format, Server_name represents the name of the server that the
shared folder is located on, and Share_name represents the name of the
shared folder. You can use a UNC name in this format to connect to a network
share. For example, a shared folder named Public located on a
server named SERVER1 would have the following UNC name:
\\SERVER1\Public

A UNC name can also specify the name of a subfolder within the share,
the name of a file within the share, or the name of a file within a subfolder
in the share using the following format:
\\Server_name\Share_name\Subfolder_name\File_name

You can use a UNC name in this format to access a specific folder or
file, such as a data file on a remote server. For example, a data file named
Salaries.doc in the Payroll folder located in a share named HR on a
server named CORP would have the following UNC name:
\\CORP\HR\Payroll\Salaries.doc

An FQDN is a fancy term for the way computers are named and referenced
on the Internet. FQDNs are often used on networks that use TCP/IP and
DNS servers. The format of an FQDN is:
server_name.domain_name.root_domain_name

For example, the FQDN of a server named WOLF in a domain named
AlanCarter in the com root domain would be: wolf.alancarter.com.
On Windows 2000 networks, you can replace the Server_name in a
UNC with an FQDN. For example, to specify a share named Books on a
server with an FQDN of wolf.alancarter.com, you could use:
\\wolf.alancarter.com\Books. In addition, you can also replace the
Server_name in a UNC with the IP address of the server.
Both UNC names and FQDNs can be used to connect to shared net-
work resources in Windows Explorer and from the command line.
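The naming rules above, applied in code. This is an added example, not from the book: it parses \\Server_name\Share_name\Subfolder_name\File_name UNC names whose server part is a NetBIOS name, an FQDN, or an IP address, and checks a share name against the client length limits the section quotes. The function names, the client table, and the sample address 10.0.0.5 are this example's own.

```python
r"""Parse UNC names and check share names against the client limits in this section.

Added example, not from the book. Server_name may be a NetBIOS name, an FQDN,
or an IP address; share-name limits are those quoted for MS-DOS, Windows 95/98
and Windows NT/2000 clients. 10.0.0.5 below is a constructed sample address.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Longest share name each client family can read, per the section. MS-DOS is
# stricter than a plain length: 8 characters plus an optional 3-character
# extension (the 8.3 form), checked separately below.
SHARE_NAME_LIMITS = {
    "MS-DOS": 12,              # "XXXXXXXX.XXX" at most
    "Windows 95/98": 12,
    "Windows NT/2000": 80,
}

# 8.3 form: up to 8 characters, then optionally a dot and up to 3 characters,
# none of them characters Windows forbids in names.
_DOS_83 = re.compile(r'^[^\\/:*?"<>|.]{1,8}(\.[^\\/:*?"<>|.]{1,3})?$')


@dataclass
class UncName:
    server: str
    server_kind: str                                # "netbios", "fqdn" or "ip"
    share: str
    path: List[str] = field(default_factory=list)   # subfolders, then an optional file


def classify_server(server: str) -> str:
    """Decide whether the server part is an IP address, an FQDN, or a NetBIOS name."""
    try:
        ipaddress.ip_address(server)
        return "ip"
    except ValueError:
        return "fqdn" if "." in server else "netbios"


def parse_unc(unc: str) -> UncName:
    r"""Split \\server\share[\sub...\file] into parts; raise ValueError if malformed."""
    if not unc.startswith("\\\\"):
        raise ValueError("a UNC name starts with two backslashes")
    parts = unc[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("a UNC name needs at least \\\\server\\share")
    server, share, *rest = parts
    if any(component == "" for component in rest):
        raise ValueError("empty component in UNC path")
    return UncName(server, classify_server(server), share, rest)


def clients_that_can_read(share: str) -> List[str]:
    """Client families from SHARE_NAME_LIMITS that can read this share name."""
    readable = []
    for client, limit in SHARE_NAME_LIMITS.items():
        fits = len(share) <= limit
        if client == "MS-DOS":
            fits = fits and _DOS_83.match(share) is not None
        if fits:
            readable.append(client)
    return readable


def describe(unc: str) -> str:
    """One-line summary of a UNC name and which clients can read its share name."""
    name = parse_unc(unc)
    clients = ", ".join(clients_that_can_read(name.share)) or "none"
    return (f"{name.server} ({name.server_kind}) share {name.share!r}, "
            f"{len(name.path)} path component(s); share name readable by: {clients}")


if __name__ == "__main__":
    # Names taken from the section; 10.0.0.5 is a constructed sample address.
    for sample in (r"\\SERVER1\Public", r"\\CORP\HR\Payroll\Salaries.doc",
                   r"\\wolf.alancarter.com\Books", r"\\10.0.0.5\HRData"):
        print(describe(sample))
```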

Using Windows Explorer


Assuming that you have the appropriate permissions, you can connect to
any shared folder by using Windows Explorer.

STEP BY STEP

USING WINDOWS EXPLORER TO CONNECT TO A SHARED FOLDER


1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows
Explorer.)
2. Select Tools ➪ Map Network Drive.
3. In the Map Network Drive dialog box, either accept the default drive letter or
select a drive letter from the Drive drop-down list box. Then, in the Folder drop-
down list box, type in the UNC name of the shared folder you want to connect to.
If you don’t know the UNC name, click Browse.

4. The Browse For Folder dialog box appears, as shown in Figure 11-5.
Click the + next to any domain or workgroup (or double-click the domain or
workgroup) to view a list of available network servers in that domain or work-
group. Then, click the + next to any server in the list (or double-click the server)
to view a list of shared folders on that server. Highlight the shared folder you
want to connect to, and click OK.

FIGURE 11-5 Browsing for a shared network folder

5. In the Map Network Drive dialog box, the UNC name for the shared folder you
selected appears in the Folder drop-down list box. Click Finish.
6. Windows Explorer connects to the shared folder and opens a new dialog box
for the shared folder. You can now access the contents of the shared folder. In
addition, the shared folder appears, along with its drive letter, in the left pane.

Once you have connected to a shared folder, the new drive letter
appears in Windows Explorer, My Computer, and the Open dialog box in
standard Windows applications. You can then access the files and folders
within the share in the same manner that you access files and folders on
your local computer.

Connecting to Shared Folders from the Command Line


You can use the Net.exe utility to browse the network, and, assuming you
have the appropriate permissions, to connect to a shared folder from the
command line.
STEP BY STEP

USING NET.EXE TO BROWSE THE NETWORK FROM THE COMMAND LINE

1. Select Start ➪ Programs ➪ Accessories ➪ Command Prompt.
2. To obtain a list of available servers in your domain or workgroup, at the C:\>
command prompt, type net view and press Enter.
3. To obtain a list of all domains and workgroups on the network, type net view
/domain and press Enter.
4. To obtain a list of available servers in another domain (or workgroup), type net view
/domain:domain_name and press Enter. (For example, to obtain a list of avail-
able servers in the LAB domain, type net view /domain:lab and press Enter.)
5. To obtain a list of available shares on a network server, type net view
\\server_name and press Enter. (For example, to obtain a list of available
shares on a server named SERVER01, type net view \\server01 and
press Enter.)
6. To exit the Command Prompt dialog box at any time, type exit at the command
prompt and press Enter.

USING NET.EXE TO CONNECT TO A SHARE FROM THE COMMAND LINE

1. Select Start ➪ Programs ➪ Accessories ➪ Command Prompt.
2. At the C:\> command prompt, type net use drive_letter: \\server_name\share_name
and press Enter. For example, to connect a drive letter, such as X:, to a share
named Data on a server named INSPIRON, type net use x: \\inspiron\data and
press Enter.
3. Windows 2000 displays a message indicating that the command completed
successfully.
4. Exit the Command Prompt dialog box by typing exit at the command prompt
and pressing Enter.

Shared Folder Permissions


Shared folder permissions control user access to shared folders. Shared folder
permissions only apply when users connect to the folder over the network —
they do not apply when users access the folder on the local computer.
Shared folder permissions (commonly called share permissions) apply to
the shared folder, its files, and subfolders (in other words, to the entire
directory tree under the shared folder).
Share permissions are the only folder and file security available on a FAT
or FAT32 volume (with the exception of file attributes), and only control
over-the-network access to the share — local access is totally unrestricted
on a FAT or FAT32 volume.
Table 11-2 lists and describes the Windows 2000 share permissions,
from most restrictive to least restrictive.
TABLE 11-2 Windows 2000 Share Permissions

Read
  Permits a user to view a list of the share’s contents (names of files and
  subfolders), to change the current folder to a subfolder of the share
  (sometimes called traversing to subfolders), to view data in files, and to run
  application files.

Change
  Permits a user to perform all tasks included in the Read permission. In
  addition, permits a user to create files and subfolders within the share, to
  edit data files and save changes, and to delete files and subfolders within
  the share.

Full Control
  Permits a user to perform all tasks included in the Change permission. In
  addition, permits a user to change NTFS permissions and to take ownership of
  files and folders (on shares located on NTFS volumes).

Share permissions are assigned by adding a user or group to the
permissions list for the share. From an administrative standpoint, it’s more
efficient to add groups to the permissions list for a particular share than to
add individual users. By default, the Everyone group is granted the Full
Control permission to all newly created shared folders.
When assigning permissions to a share, you should consider assigning
the most restrictive permission that still permits users to accomplish the
tasks they need to perform. For example, on shares that contain
applications, consider assigning the Read permission so that users can’t
accidentally delete application files.
You can use Windows Explorer or Computer Management to assign
share permissions to shared folders on the local Windows 2000 computer.
To assign share permissions to shared folders on remote computers, use
Computer Management.
STEP BY STEP

USING WINDOWS EXPLORER TO ASSIGN SHARE PERMISSIONS

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows
Explorer.)
2. In the left pane, expand folders as necessary until the shared folder to which you
want to assign share permissions is displayed in the right pane. In the right pane,
highlight that folder. Select File ➪ Sharing. (Or, right-click the folder and select
Sharing from the menu that appears.)
3. The folder’s Properties dialog box appears with the Sharing tab displayed. Click
Permissions.
4. The Permissions dialog box for the shared folder appears, as shown in Figure
11-6. Notice that by default the Everyone group is allowed the Full Control,
Change, and Read permissions.

FIGURE 11-6 Assigning share permissions

Also notice the Allow and Deny check boxes.
■ Allow: When the Allow check box next to a specific permission is selected
for a user or group, the user or group is granted the selected permission to
the share.
■ Deny: When the Deny check box next to a specific permission is selected
for a user or group, the user or group is specifically denied that permission
to the share, even if the user or group is allowed that permission through
membership in another group.

TIP
A denied permission always overrides an allowed permission.

■ Neither: When neither the Allow nor the Deny check box next to a specific
permission is selected for a user or group, the user or group is not assigned
that permission to the share.
When a user or group is not listed in the Name box, the user or group has no
permissions (and no access) to the share unless the user or group is a member
of a group that is listed in the Name box.
To change the permissions currently assigned to a user or group
listed in the Name box, highlight the user or group, then select or clear the
appropriate check boxes in the Permissions box.
To remove a user or group from the permissions list for the share,
highlight the user or group in the Name box, and click Remove.
To add a user or group to the Name box, click Add.
5. In the Select Users, Computers, or Groups dialog box, double-click each user and
group you want to add. (You can also highlight each user or group and then click
Add, but double-clicking is faster and easier.) As you double-click each user or
group, the user or group appears in the bottom portion of the dialog box. Click OK.
6. In the Permissions dialog box for the share, each user or group that you added
is automatically assigned the Read permission to the share. To change the permis-
sions of a user or group you added, highlight the user or group in the Name box,
then select or clear the appropriate check boxes in the Permissions box. Click OK.
7. In the shared folder’s Properties dialog box, click OK.
8. Close Windows Explorer.

How User and Group Permissions Combine


It is not uncommon for a user to have permissions to a share and to be a
member of multiple groups that have different permissions to that share.
When this occurs, the user and group permissions are additive, and
normally the least restrictive permission is the user’s effective permission. For
example, suppose a user is allowed the Read permission to a share, and a
group that the user is a member of is allowed the Change permission to
the share. The user’s effective share permission is Change.
An exception to this rule occurs when a user is specifically denied a
permission. Remember the Allow and Deny check boxes in the permissions
list to the share? A denied permission always overrides an allowed permission.
Whenever a user is specifically denied a permission, or is a member of a
group that is specifically denied a permission, the user is denied that
permission. If a user is allowed the Full Control permission, but is a
member of a group that is denied the Full Control permission, the user is
denied the Full Control permission to the share — in other words the user
is denied all access to the share. For this reason, you should exercise care in
denying a specific share permission to a user or group.

EXAM TIP
When taking the Professional and Server exams, watch out for denied
permissions. A denied permission is a big red flag. Remember that a
denied permission always overrides an allowed permission.

Here are two examples that illustrate how user and group share permis-
sions combine.

Example 1
A user, RomanB, manages a shared folder named SalesData that contains
Sales department data. RomanB is a member of three groups. Table 11-3
shows the SalesData share permissions assigned to RomanB and to the
three groups of which he is a member.
TABLE 11-3 RomanB’s Group Memberships and Share Permissions

User or Group    SalesData Share Permissions Assigned
RomanB           Allow — Full Control
Sales            Allow — Change
Everyone         Allow — Read
Domain Users     Allow — Read

Because share permissions are additive, RomanB’s effective permission
to the SalesData share is Full Control.

Example 2
Until recently, a user, PennyL, was a design analyst in the Marketing
department. She has just been promoted to a management position in the
Human Resources department. PennyL’s network has a shared folder
named HRData that contains Human Resources department data, including
employee performance reviews. PennyL is a member of three groups. Table
11-4 shows the HRData share permissions assigned to the three groups of
which PennyL is a member.
TABLE 11-4 PennyL’s Group Memberships and Their HRData Share Permissions

Group        HRData Share Permissions Assigned
Managers     Allow — Read
HR           Allow — Change
Marketing    Deny — Full Control, Change, and Read

Because a denied permission always overrides an allowed permission,
PennyL’s effective permission to the HRData share is Deny — Full Control,
Change, and Read. In effect, PennyL is specifically denied all access to the
HRData share. The administrator should remove PennyL from the
Marketing group so she can access the HRData share. Once PennyL is
removed from the Marketing group, her effective permission to the
HRData share will be Change.
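The two combining rules above (Allow entries are additive; any Deny overrides any Allow), replayed on Tables 11-3 and 11-4. This is an added example, not from the book: the `Ace` type and function names are this example's own, and it makes one modeling choice the text only implies, namely that an Allow or Deny of a permission also covers the permissions it includes per Table 11-2 (Full Control includes Change, Change includes Read), which is what makes a denied Full Control amount to no access.

```python
"""Combine user and group share permissions into one effective permission.

Added example, not from the book. Encodes the two rules of this section
(Allow is additive, Deny overrides Allow) and replays Tables 11-3 and 11-4.
Modeling assumption: an Allow or Deny of a permission also covers the
permissions it includes (Table 11-2), so Deny Full Control denies all access.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Share permissions from most to least restrictive (Table 11-2).
PERMISSIONS: List[str] = ["Read", "Change", "Full Control"]
RANK: Dict[str, int] = {name: i for i, name in enumerate(PERMISSIONS)}


@dataclass(frozen=True)
class Ace:
    """One row of a share's permission list: principal, Allow or Deny, permissions."""
    principal: str
    kind: str                      # "Allow" or "Deny"
    permissions: FrozenSet[str]    # subset of PERMISSIONS


def _expand(perms: Iterable[str]) -> FrozenSet[str]:
    """Full Control includes Change and Read; Change includes Read (Table 11-2)."""
    top = max((RANK[p] for p in perms), default=-1)
    return frozenset(PERMISSIONS[: top + 1])


def permission_outcomes(user: str, groups: Iterable[str], acl: Iterable[Ace]) -> Dict[str, str]:
    """Per permission: "Deny" if any matching entry denies it, else "Allow", else "None"."""
    principals = {user, *groups}
    allowed: set = set()
    denied: set = set()
    for ace in acl:
        if ace.principal not in principals:
            continue                                # entry is for someone else
        target = denied if ace.kind == "Deny" else allowed
        target |= _expand(ace.permissions)          # in-place union on the chosen set
    return {
        p: "Deny" if p in denied else "Allow" if p in allowed else "None"
        for p in PERMISSIONS
    }


def effective_permission(user: str, groups: Iterable[str], acl: Iterable[Ace]) -> str:
    """Least restrictive permission the user ends up with, or "No access"."""
    outcomes = permission_outcomes(user, groups, acl)
    best = "No access"
    for p in PERMISSIONS:                           # walk Read -> Change -> Full Control
        if outcomes[p] != "Allow":
            break                                   # a Deny (or a gap) stops the chain
        best = p
    return best


# Table 11-3: SalesData share permissions for RomanB and his three groups.
SALESDATA_ACL = [
    Ace("RomanB", "Allow", frozenset({"Full Control"})),
    Ace("Sales", "Allow", frozenset({"Change"})),
    Ace("Everyone", "Allow", frozenset({"Read"})),
    Ace("Domain Users", "Allow", frozenset({"Read"})),
]
ROMANB_GROUPS = ["Sales", "Everyone", "Domain Users"]

# Table 11-4: HRData share permissions for PennyL's three groups.
HRDATA_ACL = [
    Ace("Managers", "Allow", frozenset({"Read"})),
    Ace("HR", "Allow", frozenset({"Change"})),
    Ace("Marketing", "Deny", frozenset({"Full Control", "Change", "Read"})),
]
PENNYL_GROUPS = ["Managers", "HR", "Marketing"]

if __name__ == "__main__":
    print("RomanB on SalesData:", effective_permission("RomanB", ROMANB_GROUPS, SALESDATA_ACL))
    print("PennyL on HRData:", effective_permission("PennyL", PENNYL_GROUPS, HRDATA_ACL))
    after = [g for g in PENNYL_GROUPS if g != "Marketing"]
    print("PennyL after leaving Marketing:", effective_permission("PennyL", after, HRDATA_ACL))
```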

Modifying a Share
After a share is created, you may want to modify its properties. You can
assign multiple share names to a share, change the name of a share, or stop
sharing a share.

Assigning Multiple Share Names to a Share


To assist different users in locating or recognizing a share, you can assign
multiple names to the same share.
For example, a group of technical support engineers might routinely
access a share called CIM (CompuServe Information Manager), and less
technical personnel at a help desk might access this same share using the
name CompuServe.
When you assign an additional name to a share, what you actually end
up doing is creating a new share for the same network resource. When you
create the new share you must manually assign a new set of share permissions
that apply only to the new share. The permissions from the original share are not
automatically applied to the new share.

STEP BY STEP

ASSIGNING AN ADDITIONAL NAME TO A SHARE

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows
Explorer.)
2. In the left pane, expand folders as necessary until the shared folder to which you
want to assign an additional name is displayed in the right pane. In the right pane,
highlight that folder. Select File ➪ Sharing. (Or, right-click the folder, and select
Sharing from the menu that appears.)
3. The folder’s Properties dialog box appears with the Sharing tab displayed. Click
New Share.
4. In the New Share dialog box, enter the new name you want to assign to the share
in the Share Name text box. Enter a comment if you want to. Configure the User
Limit if necessary. Click Permissions to assign share permissions to the new
share.
5. In the Permissions dialog box, configure permissions for the new share. Click OK.
6. In the New Share dialog box, click OK.
7. In the shared folder’s Properties dialog box, the “Share name” drop-down list box
now contains two names for the share: the original share name, and the name you
just added. Click OK.
8. Close Windows Explorer.

Changing a Share Name


Occasionally you may need to change a share name. Perhaps you want to
assign a more intuitive share name for users, or you might need to comply
with a newly established set of naming conventions. To change a share
name, you must create a new share that uses the new name, configure
permissions for the new share, and then remove the original share.

750 Part III ▼ Managing and Securing Resources

STEP BY STEP

CHANGING A SHARE NAME AND REMOVING THE ORIGINAL SHARE

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows Explorer.)
2. In the left pane, expand folders as necessary until the shared folder you want
to rename is displayed in the right pane. In the right pane, highlight that folder.
Select File ➪ Sharing. (Or, right-click the folder, and select Sharing from the menu
that appears.)
3. The folder’s Properties dialog box appears with the Sharing tab displayed. Click
New Share.
4. In the New Share dialog box, enter the new name you want to assign to the share
in the Share Name text box. Enter a comment if you want to. Configure the User
Limit if necessary. Click Permissions to assign share permissions to the new share.
5. In the Permissions dialog box, configure permissions for the new share. Click OK.
6. In the New Share dialog box, click OK.
7. In the shared folder’s Properties dialog box, select the original share name in the
“Share name” drop-down list box. Click Remove Share to remove the original
share. The folder is now shared using only the new name you assigned — the
original share name has been removed. Click OK.
8. Close Windows Explorer.

How to Stop Sharing a Folder


You might decide to stop sharing a folder because it is no longer needed,
or for other reasons.

STEP BY STEP

TO STOP SHARING A FOLDER

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows Explorer.)
2. In the left pane, expand folders as necessary until the shared folder you want to
stop sharing is displayed in the right pane. In the right pane, highlight that folder.
Select File ➪ Sharing. (Or, right-click the folder, and select Sharing from the menu
that appears.)
3. The folder’s Properties dialog box appears with the Sharing tab displayed. Select
the “Do not share this folder” option. Click OK.
4. Close Windows Explorer.

Administrative Shares
Every time you start Windows 2000 on a computer, Windows 2000 automatically creates several hidden shares that only members of the Administrators group (on the local computer) have permissions to access. These shares are referred to as administrative shares because they are used by Administrators to perform administrative tasks.
The Windows 2000 administrative shares are: C$, D$, E$, and so on (one share for the root of each hard disk volume on the computer); and a share named Admin$, which corresponds to the folder in which Windows 2000 is installed (SystemRoot). (The Server service also creates a hidden IPC$ share, which carries named-pipe connections such as remote administration sessions rather than files.) The $ at the end of each administrative share causes the share to be hidden from users when they browse the network. Hiding a share only keeps it out of browse lists; it is not an access control. A user who knows or guesses the name can still attempt a connection, and whether that connection succeeds is decided by the share’s permissions. To connect to a hidden share, you have to type in the server name and share name in the Map Network Drive dialog box in Windows Explorer. You can’t browse for hidden shares.
Administrative shares make it possible for an Administrator to connect
to any hard disk on a computer and to access all of its files and folders,
regardless of whether regular shares exist on that hard disk. In this way
an Administrator can perform backup, restore, and other administrative
functions on a Windows 2000 computer.
Any share can be configured as a hidden share by placing a $ at the end of its share name. However, hiding a share by appending a $ to the share name does not limit user access to the share. The hidden share retains its assigned share permissions, so a hidden share whose permissions still allow Everyone Full Control is just as exposed as a visible one. Only the automatically created administrative shares are restricted to Administrators by default, and that restriction comes from their permissions, not from the $ in their names.
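A share inventory check for the point just made, as an added example that is not from the book: the Windows net share command lists every share on a computer, including the $ ones, and the script below sorts that listing into the administrative shares Windows 2000 creates by itself, custom shares that are merely hidden, and ordinary browseable shares. SAMPLE_NET_SHARE is constructed text in the format net share prints, not output captured from a real server; the share names in it are made up.

```python
# Added example (not from the book): classify the shares reported by
# "net share" so hidden custom shares are reviewed for real permissions.
import re

# Constructed sample in net share's output format.
SAMPLE_NET_SHARE = r"""Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\WINNT                        Remote Admin
C$           C:\                             Default share
D$           D:\                             Default share
IPC$                                         Remote IPC
Payroll$     D:\Payroll
Public       D:\Public                       Staff share
The command completed successfully.
"""

# One listing line: share name, an optional drive path, the rest is the remark.
SHARE_LINE = re.compile(r"^(?P<name>\S+)\s*(?P<resource>[A-Za-z]:\\\S*)?\s*(?P<remark>.*?)\s*$")

# Shares the Server service creates on its own: one per drive letter, Admin$ and IPC$.
AUTOMATIC = re.compile(r"^(?:[A-Za-z]|ADMIN|IPC)\$$", re.IGNORECASE)


def parse_net_share(text):
    """Return [{'name', 'resource', 'remark'}, ...] for each share in the listing."""
    shares = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Share name", "---", "The command")):
            continue                      # header, separator and trailer lines
        m = SHARE_LINE.match(line)
        shares.append({
            "name": m.group("name"),
            "resource": m.group("resource") or "",   # IPC$ has no path
            "remark": m.group("remark"),
        })
    return shares


def classify_shares(text):
    """Split share names into administrative, hidden-but-custom, and visible."""
    result = {"administrative": [], "hidden": [], "visible": []}
    for share in parse_net_share(text):
        name = share["name"]
        if AUTOMATIC.match(name):
            result["administrative"].append(name)   # Administrators only by default
        elif name.endswith("$"):
            result["hidden"].append(name)           # hidden from browsing; its own ACL decides access
        else:
            result["visible"].append(name)
    return result


if __name__ == "__main__":
    for kind, names in classify_shares(SAMPLE_NET_SHARE).items():
        print(f"{kind:15} {', '.join(names) or '-'}")
```

Every name that lands in the "hidden" list is a share that the $ does nothing to protect; those are the ones whose Permissions dialog box deserves a look.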
If you don’t want administrative shares available on a Windows 2000 computer, you can configure Windows 2000 to prevent the creation of administrative shares. To accomplish this, you can edit the registry directly by using Regedt32.exe, or you can use the System Policy Editor to disable the creation of the hidden administrative shares. System Policy Editor was covered in Chapter 10.

CAUTION
If you configure a Windows 2000 computer to prevent the creation of
administrative shares, some administrative tools such as the Distributed
File System tool may not function correctly on that computer.

STEP BY STEP

USING REGEDT32.EXE TO PREVENT THE CREATION OF ADMINISTRATIVE SHARES
1. From the desktop, select Start ➪ Run.
2. In the Open text box, type Regedt32 and click OK.
3. In the Registry Editor dialog box, select Window ➪ HKEY_LOCAL_MACHINE
on Local Machine.
4. In the left pane of the Registry Editor dialog box, double-click the SYSTEM folder
under HKEY_LOCAL_MACHINE. Double-click the CurrentControlSet
folder. Double-click the Services folder. Double-click the lanmanserver
folder, then click the parameters folder.
5. In the right pane of the Registry Editor dialog box, double-click AutoShareServer.
(Or, if this value is not present, select Edit ➪ Add Value. In the Add Value dialog
box, type AutoShareServer in the Value Name text box. Then, in the Data Type
drop-down list box, select REG_DWORD. Click OK.)
(If you are configuring a Windows 2000 Professional computer, the value is
named AutoShareWks. If this value is not present, select Edit ➪ Add Value.
In the Add Value dialog box, type AutoShareWks in the Value Name text box.
Then, in the Data Type drop-down list box, select REG_DWORD. Click OK.)
6. In the DWORD Editor dialog box, edit the Data text box so that it has a value of 0
(zero). Click OK.
7. Close Registry Editor. The next time the computer is started, the hidden adminis-
trative shares will not be created.

If you configure a Windows 2000 computer to prevent the creation of administrative shares and later change your mind and want to enable the creation of administrative shares, follow the preceding steps, except assign a value of 1 to AutoShareServer or AutoShareWks (instead of 0) in Step 6. Note that this value controls only the drive-root shares and Admin$; the IPC$ share is still created regardless of the setting.

Configuring and Managing the Distributed File System
The Distributed file system (Dfs) is a Windows 2000 feature that enables an administrator to make shares that are stored on various servers on the network appear to users as though they are stored within a single share on a single server. The use of Dfs makes finding network resources easier for users because users don’t have to know which server physically contains the shared resource they are trying to access.
There are two specific components used in the implementation of Dfs: Dfs roots and Dfs links. A Dfs root is a special type of shared folder that can contain files, folders, Dfs links, and other Dfs roots. To the user, a Dfs root appears in a browse list just like any other shared folder. A Dfs link is a special type of subfolder in a Dfs root that acts as a pointer to a specific shared folder on the network.
Here’s an example of how Dfs might be used on a typical network.
Suppose that you’re the administrator of a Windows 2000 network and
you want to organize all of the shared folders for the Sales department.
Currently, the shared folders for this department are stored on multiple
servers across your network. First, you create a Dfs root called Sales on
one of your Windows 2000 Server network servers. Then, in the Sales
Dfs root, you create a Dfs link for each shared network folder used by the
members of the Sales department. Now, users in the Sales department can
map a single network drive to the Sales Dfs root instead of searching
various network servers for the shared folders they need to access. When
users view the contents of the Sales Dfs root, each shared folder for the
Sales department appears as a subfolder of the Sales Dfs root. Users can
access these subfolders in the same manner they would normally access
subfolders on their local computers.
There are a few general Dfs facts you should know before I get down to
the nuts and bolts of working with Dfs:
■ You can use the Distributed File System tool in Administrative
Tools to create and configure Dfs roots and Dfs links.
■ Only Windows 2000 Server computers can host Dfs roots —
Windows 2000 Professional computers can’t.
■ A Windows 2000 Server computer can host only one Dfs root
(or one replica of a Dfs root).

Creating and Configuring a Dfs Root


When you create a Dfs root, you choose whether the Dfs root will be a
stand-alone or domain Dfs root.
A stand-alone Dfs root is a type of Dfs root that can be hosted on any
individual Windows 2000 Server computer. A stand-alone Dfs root is not
published in Active Directory. In addition, you can’t create a replica of a
stand-alone Dfs root for load balancing or fault tolerance purposes. If the
server that hosts a stand-alone Dfs root isn’t available, the Dfs root is not
available to users. Users with the appropriate permissions can access a
stand-alone Dfs root by using a UNC path in the following format:
\\Server_name\Dfs_root_name.
A domain Dfs root is another type of Dfs root that can be hosted on any
Windows 2000 Server computer in the domain. In addition, an object
representing the Dfs root is published in Active Directory.You can create a
replica of a domain Dfs root on one or more Windows 2000 Server
computers on your network to provide load balancing and fault tolerance.
If one of the servers that hosts the Dfs root (or its replica) is not available,
users can still access the Dfs root on one of the other servers. Users with
the appropriate permissions can access a domain Dfs root by using a
UNC path in the following format: \\Domain_name\Dfs_root_name. The
user does not need to know the name of the server that physically hosts the
domain Dfs root in order to access it.
In general, if you require fault tolerance or load balancing, or if a shared
resource must always be available to users, you would probably choose to
use a domain Dfs root. If you don’t require fault tolerance or load balanc-
ing, but simply want to organize shared resources for your users, you’d
probably choose to use a stand-alone Dfs root.

STEP BY STEP

CREATING AND CONFIGURING A STAND-ALONE OR DOMAIN DFS ROOT

1. Start the Distributed File System tool. (Select Start ➪ Programs ➪ Administrative
Tools ➪ Distributed File System.) (This tool is available on all Windows 2000
Server computers, and is available on Windows 2000 Professional computers on
which the ADMINPAK has been installed.)
2. In the Distributed File System dialog box, select Action ➪ New Dfs Root.
3. The New Dfs Root Wizard starts. Click Next.


4. The Select the Dfs Root Type screen appears.
To create a stand-alone Dfs root, select the “Create a standalone Dfs root”
option. Click Next, and skip to Step 6.
To create a domain Dfs root, select the “Create a domain Dfs root” option.
Click Next.
5. In the Select the Host Domain for the Dfs Root screen, select, from the “Trusting
domains” list box, the Windows 2000 domain that will host the domain Dfs root
you’re creating. The selected domain appears in the “Domain name” text box.
Click Next.
6. In the Specify the Host Server for the Dfs Root screen, type in the FQDN of the
Windows 2000 Server computer you want to host this Dfs root. For example,
server01.domain1.mcse. If you don’t know the FQDN of the server, you
can click Browse to browse for it. Click Next.
7. In the Specify the Dfs Root Share screen, choose whether to use an existing
share on the host server as your new Dfs root or to create a new share to use as
your new Dfs root.
If you have an existing shared folder that is a logical place to organize other
shared network resources, or if you already created a shared folder for the spe-
cific purpose of becoming your new Dfs root, select the “Use an existing share”
option and select the shared folder from the drop-down list box.
Otherwise, select the “Create a new share” option. Then, in the “Path to share”
text box, type in the drive letter and path to the share you want to create, for
example, C:\Dfs. (This can be the path to an existing or non-existing folder. If
the folder doesn’t yet exist, Windows 2000 will create it for you.) Finally, in the
“Share name” text box, type in the share name for the new Dfs root.
Figure 11-7 shows this screen configured to create a new share named Dfs in
the C:\Dfsroot folder.
Click Next.
8. If you chose to create a new share in Step 7, and the folder you specified does
not exist, Windows 2000 asks if you want to create the folder. Click Yes.
9. The Name the Dfs Root screen appears. If you chose to use an existing share in
Step 7, enter a name for the Dfs root in the “Dfs root name” text box, or accept
the default name displayed. (If you chose to create a new share, this text box is
grayed out.)
Enter a comment for the Dfs root if appropriate. Click Next.

FIGURE 11-7 Creating a new share for the Dfs root

10. In the Completing the New Dfs Root Wizard screen, click Finish.
11. Windows 2000 creates the new Dfs root. It appears in the left pane in the
Distributed File System dialog box.

Creating and Configuring a Domain Dfs Root Replica


A domain Dfs root replica is a shared folder that is a copy of a domain Dfs
root that is stored on a different Windows 2000 Server computer than the
original Dfs root.The primary purpose of a domain Dfs root replica is to
provide load balancing and fault tolerance, so that if the server that hosts
the original domain Dfs root is not available, users can still access the
domain Dfs root.
When a domain Dfs root replica is created, Windows 2000 automatically copies all Dfs links in the original domain Dfs root to the replica. However, Windows 2000 does not automatically copy files and folders in the original domain Dfs root to the replica; you must either manually copy these items to the replica, or configure Windows 2000 to automatically replicate them for you. If you enable automatic replication between the domain Dfs root and its replica(s), Windows 2000 will synchronize files and folders between the replica(s) and the original domain Dfs root every 15 minutes.

TIP
You can only configure automatic replication between a domain Dfs root
and its replica when both shares are located on NTFS volumes.

You can create up to 31 replicas of an original domain Dfs root, plus the
original domain Dfs root, for a total of 32 instances of a domain Dfs root
(assuming that you have 32 Windows 2000 Server computers, one computer
for each instance).
In the steps that follow I’ll explain how to create a domain Dfs root
replica, and then how to configure automatic replication between the
domain Dfs root and its replica.

STEP BY STEP

CREATING AND CONFIGURING A DOMAIN DFS ROOT REPLICA

1. Start the Distributed File System tool. (Select Start ➪ Programs ➪ Administrative
Tools ➪ Distributed File System.)
2. If the domain Dfs root you want to create a replica of is not displayed in the left
pane of the Distributed File System dialog box, select Action ➪Display an Existing
Dfs Root.
Then, in the Display an Existing Dfs Root dialog box, expand the domains in the
Trusting Domains list box until the domain Dfs root you want to create a replica
of is displayed. Highlight this Dfs root (when you do, it appears in the “Dfs root
or host server” text box). Click OK.
3. In the left pane of the Distributed File System dialog box, right-click the domain
Dfs root you want to create a replica of, and select New Root Replica from the
menu that appears.
4. The New Dfs Root Wizard dialog box appears. Type in the FQDN of the
Windows 2000 Server computer on which you want to create the replica,
for example, server02.domain1.mcse. If you don’t know the FQDN
of the server, you can click Browse to browse for it. Click Next.
5. In the Specify the Dfs Root Share screen, choose whether to use an existing
share for the replica or to create a new share to use for the replica.
If you have an existing shared folder that you want to use for the replica,
select the “Use an existing share” option and select the shared folder from
the drop-down list box.
Otherwise, select the “Create a new share” option. Then, in the “Path to share”
text box, type in the drive letter and path to the share you want to create for the
replica, for example, C:\Dfsreplica. (This can be the path to an existing or
nonexisting folder. If the folder doesn’t yet exist, Windows 2000 will create it for
you.) Finally, in the “Share name” text box, type in the share name for the replica.
Click Finish.
6. If you chose to create a new share in Step 5, and the folder you specified does
not exist, Windows 2000 asks if you want to create the folder. Click Yes.
7. Windows 2000 creates the Dfs root replica. It is displayed in the right pane of
the Distributed File System dialog box.
If you want to manually copy data between the domain Dfs root and its replica,
stop here. Otherwise, continue on to Step 8 to configure automatic replication.
8. In the left pane of the Distributed File System dialog box, right-click the domain
Dfs root, and select Replication Policy from the menu that appears.
9. The Replication Policy dialog box appears, as shown in Figure 11-8. Notice the “No”
entries in the Replication column. Automatic replication is not enabled by default.

FIGURE 11-8 Configuring automatic replication

Highlight the shared folder that contains the original domain Dfs root. Click
Enable. The entry in the Replication column changes from No to Yes (Primary).
Then, highlight the shared folder that contains the replica, and click Enable.
The entry in the Replication column changes from No to Yes. Click OK.

TIP
When configuring automatic replication, it’s important to configure the
domain Dfs root first, and then the replica, to ensure that the contents of
the Dfs root are correctly copied to the replica.

Creating and Configuring a Dfs Link and a Dfs Link Replica
As I said before, a Dfs link is a special type of subfolder in a Dfs root that acts as a pointer to a specific shared folder on the network. A Dfs link can point to a shared folder on any computer on the network, including Windows NT computers, Windows 95/98 computers, and even NetWare servers. Because the link is only a pointer, Dfs adds no permissions of its own: what a user can do in the target is decided by the share permissions and (on NTFS) the NTFS permissions of the target shared folder, and a user who connects directly to the target’s UNC path, bypassing Dfs, gets exactly the same access.

STEP BY STEP

CREATING AND CONFIGURING A DFS LINK

1. Start the Distributed File System tool. (Select Start ➪ Programs ➪ Administrative
Tools ➪ Distributed File System.)
2. If the Dfs root in which you want to create a Dfs link is not displayed in the left
pane of the Distributed File System dialog box, select Action ➪ Display an Existing
Dfs Root.
Then, in the Display an Existing Dfs Root dialog box, expand the domains in the
Trusting Domains list box until the Dfs root in which you want to create a Dfs link
is displayed. Highlight this Dfs root (when you do, it appears in the “Dfs root or
host server” text box). Click OK.
3. In the left pane of the Distributed File System dialog box, right-click the Dfs root in
which you want to create a Dfs link, and select New Dfs Link from the menu that
appears.
4. The Create a New Dfs Link dialog box appears, as shown in Figure 11-9.
In the “Link name” text box, type a name for the Dfs link. Because this is the name
that users will see, it should clearly indicate the shared folder that it points to, the
shared folder’s contents, or both. The Dfs link name can even be the same as the
name of the shared folder it points to.

FIGURE 11-9 Creating a new Dfs link

In the “Send the user to this shared folder” text box, type the full UNC name
to the shared folder that this Dfs link points to, for example, \\Server03\
Applications. You can browse for the UNC name if you don’t know it.
Enter a comment in the Comment text box if appropriate.
Configure the length of time client computers will cache the pointer if necessary.
The default setting is 1800 seconds (30 minutes).
Click OK.
5. Windows 2000 creates the Dfs link. It appears in the left pane of the Distributed
File System dialog box, under its Dfs root.

A Dfs link replica is an additional pointer attached to a Dfs link. This pointer points to an alternate location where a user can access a copy of
the shared folder (that the Dfs link points to) if the server hosting the
original shared folder is unavailable. This feature provides load balancing
and fault tolerance for the Dfs link.
You can create up to 31 replicas of an original Dfs link, plus the original
Dfs link, for a total of 32 instances of a Dfs link. A Windows 2000 Server
computer can host multiple Dfs links.
Just as you can configure automatic replication between a domain Dfs
root and its replica, you can also configure automatic replication between the
original shared folder (that the Dfs link points to) and the copy of the shared
folder (that the Dfs link replica points to). In order to do this, however, both the original shared folder and the copy of the shared folder must be located on NTFS volumes on Windows 2000 Server computers.

STEP BY STEP

CREATING AND CONFIGURING A DFS LINK REPLICA

1. Start the Distributed File System tool. (Select Start ➪ Programs ➪ Administrative
Tools ➪ Distributed File System.)
2. If the Dfs root that contains the Dfs link for which you want to create a replica is
not displayed in the left pane of the Distributed File System dialog box, select
Action ➪Display an Existing Dfs Root.
Then, in the Display an Existing Dfs Root dialog box, expand the domains in the
Trusting Domains list box until the Dfs root that contains the Dfs link for which
you want to create a replica is displayed. Highlight this Dfs root (when you do,
it appears in the “Dfs root or host server” text box). Click OK.
3. In the left pane of the Distributed File System dialog box, click the + next to the
Dfs root that contains the Dfs link for which you want to create a replica (if the
Dfs root is not already expanded). Right-click the Dfs link, and select New
Replica from the menu that appears.
4. The Add a New Replica dialog box appears, as shown in Figure 11-10. Notice
that by default, automatic replication of Dfs link replicas is not enabled.

FIGURE 11-10 Creating a Dfs link replica

In the “Send the user to this shared folder” text box, type the full UNC name to
the shared folder that this Dfs link replica points to, for example, \\Server05\
Applications. You can browse for the UNC name if you don’t know it.
If you want to manually copy data between the original shared folder and its alter-
nate copy, accept the default setting of “Manual replication.”
Otherwise, select the “Automatic replication” option. Click OK.
5. If you selected the “Automatic replication” option, the Replication Policy dialog
box appears.
Highlight the original shared folder to which the Dfs link points. Click Enable. The
entry in the Replication column changes from No to Yes (Primary).
Then, highlight the copy of the shared folder to which the Dfs link replica points,
and click Enable. The entry in the Replication column changes from No to Yes.
Click OK.
Figure 11-11 shows the Replication Policy dialog box after automatic replication
has been configured.

FIGURE 11-11 Replication configured between shared folders

6. The Dfs link replica appears in the right pane of the Distributed File System
dialog box.

Configuring Client Computers to Use Dfs


All Windows 2000 client computers (Professional and Server) and all
Windows NT 4.0 client computers (Workstation and Server) with Service
Pack 3 or later installed can access Dfs roots on Windows 2000 Server com-
puters on the network. No special configuration or software is required.
However, Windows 95 and Windows 98 client computers need to have
Dfs client software installed before they can access Dfs roots. Once Dfs
client software is installed, Windows 95 and Windows 98 computers can
access Dfs links to shared folders on any Windows-based computer on the
network. However, Windows 95 and Windows 98 computers can’t access
Dfs links to NetWare servers, even with Dfs client software installed.

Managing NTFS File and Folder Security


When files and folders are stored on an NTFS volume on a Windows 2000 computer, NTFS permissions can be assigned to provide a greater level of security than share permissions, because:
■ NTFS permissions, unlike share permissions, can be assigned to individual files as well as folders. This gives an administrator a much finer level of control over shared files and folders than is possible by using only share permissions.
■ NTFS permissions apply to local users as well as to users who connect to a shared folder over the network. Share permissions are checked only when a connection is made through the share, so a user who logs on locally to the computer is not bound by them at all. NTFS permissions close the large security loophole left when files and folders on FAT partitions are secured only by share permissions.
The following sections discuss NTFS permissions, including how they
are assigned to files and folders, how NTFS permissions are applied, and
how NTFS and share permissions interact.

NTFS Permissions
NTFS permissions, which can only be assigned to files and folders on NTFS volumes, protect data from unauthorized access whether users access the files locally or over the network.

The standard Windows 2000 NTFS permissions that can be assigned to files and folders are listed and described in Table 11-5.

TABLE 11-5 Windows 2000 Standard NTFS Permissions
(For each permission, "File" describes what a user is able to do when the permission is applied to a file, and "Folder" what a user is able to do when it is applied to a folder.)

Read
File: view the file’s contents, attributes, extended attributes, and permissions; and synchronize the file.
Folder: view a list of the folder’s contents (names of files and subfolders), attributes, extended attributes, and permissions; and synchronize the folder.

Read & Execute
File: perform all actions included in the Read permission. In addition, the user can execute the file (if it is an executable).
Folder: perform all actions included in the Read permission. In addition, the user can change the current folder to a subfolder (traverse to subfolders).

List Folder Contents
File: this permission is not available on files.
Folder: perform all actions included in the Read & Execute permission. This permission is not inheritable by files in a folder; it applies to the folder only.

Write
File: view the file’s permissions and synchronize the file. In addition, the user can write data to the file, append data to the file, and change the file’s attributes and extended attributes.
Folder: view the folder’s permissions and synchronize the folder. In addition, the user can create files and subfolders in the folder, and can change the folder’s attributes and extended attributes.

Modify
File: perform all actions included in the Read & Execute and Write permissions. In addition, the user can delete the file.
Folder: perform all actions included in the Read & Execute and Write permissions. In addition, the user can delete the folder.

Full Control
File: perform all actions included in the Modify permission. In addition, the user can change the file’s permissions and can take ownership of the file.
Folder: perform all actions included in the Modify permission. In addition, the user can change the folder’s permissions, take ownership of the folder, and delete files and subfolders within the folder.

Assigning NTFS Permissions to Files and Folders


NTFS permissions are assigned by adding a user or group to the access control list (ACL) for the file or folder. From an administrative standpoint, it’s more efficient to add groups to the ACL for a particular file or folder than to add individual users. By default, the Everyone group is granted the Full Control NTFS permission to the root of all newly created NTFS volumes, and because permissions are inherited, every file and folder created on the volume starts out with that same entry unless you change it. Replacing this default with a more restrictive set of permissions before placing data on the volume is the usual first step in securing it.
When assigning NTFS permissions, you should consider assigning the
most restrictive permission that still permits users to accomplish the tasks
they need to perform. For example, on a folder that contains applications,
consider assigning the Read & Execute permission so that users can’t
accidentally delete application files.
Like share permissions, NTFS permissions are specifically allowed or
denied to a specific user or group.
Another important concept to keep in mind when assigning NTFS
permissions is inheritance. By default, when NTFS permissions are assigned
to a folder, those permissions extend to (that is, are inherited by) all of the
files and subfolders in that folder. However, when you assign NTFS
permissions to a folder, you can choose whether or not the NTFS permis-
sions you assign will be inherited by the files and subfolders contained in
that folder. In addition, when you assign NTFS permissions to a file or
folder, you can configure whether that file or folder will inherit NTFS
permissions from its parent folder (that is, the folder that contains the file
or folder you’re configuring).

TIP
You can think of a volume as a parent folder for all of the files and folders
it contains. You can assign NTFS permissions to a volume in the same
way you can assign them to a folder. A volume is just a big folder that
doesn’t have a parent folder.

You can use Windows Explorer or the Cacls.exe command-line utility to assign NTFS permissions. You can assign NTFS permissions to a file or folder only if you are the owner of the file or folder, or you have the Full Control or Change Permissions NTFS permission to the file or folder.

STEP BY STEP

ASSIGNING NTFS PERMISSIONS TO A FILE OR FOLDER

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows Explorer.)
2. In the left pane, expand folders as necessary until the file or folder to which you
want to assign NTFS permissions is displayed in the right pane. In the right pane,
highlight that file or folder. Select File ➪ Properties. (Or, right-click the file or
folder, and select Properties from the menu that appears.)
3. In the file or folder’s Properties dialog box, click the Security tab.
4. The Security tab appears, as shown in Figure 11-12. Notice that by default the
Everyone group is allowed the Full Control, Modify, Read & Execute, List Folder
Contents, Read, and Write NTFS permissions. Also notice that these permissions
are each displayed by the use of a gray box with a check in it. This indicates that
the permission has been inherited from a parent folder, rather than specifically
assigned to the file or folder.

FIGURE 11-12 Assigning NTFS permissions to a file

Also notice the Allow and Deny check boxes.
■ Allow: When the Allow check box next to a specific NTFS permission is
selected for a user or group, the user or group has the selected NTFS
permission to the file or folder.
Chapter 11 ▼ Sharing, Securing, and Accessing Files and Folders 767

■ Deny: When the Deny check box next to a specific NTFS permission is
selected for a user or group, the user or group is specifically denied that
NTFS permission to the file or folder, even if the user or group is allowed
that permission through membership in another group.

TIP
A denied permission always overrides an allowed permission.

■ Neither: When neither the Allow nor the Deny check box next to a specific NTFS
permission is selected for a user or group, the user or group is not assigned
that permission to the file or folder.
When a user or group is not listed in the Name box, the user or group has no
NTFS permissions (and no access) to the file or folder unless the user or group
is a member of a group that is listed in the Name box.
To change the NTFS permissions currently assigned to a user or group
listed in the Name box, highlight the user or group, then select or clear the
appropriate check boxes in the Permissions box.

TIP
You can’t change inherited NTFS permissions at this level. If the permis-
sions shown in this dialog box are inherited (that is, a gray box with a
check in it is displayed), you must change these permissions on the par-
ent folder where the NTFS permissions were originally assigned.

To remove a user or group from the permissions list for the file or folder,
highlight the user or group in the Name box, and click Remove.
To add a user or group to the Name box, click Add.
5. In the Select Users, Computers, or Groups dialog box, double-click each user
and group you want to add. (You can also highlight each user or group and then
click Add, but double-clicking is faster and easier.) As you double-click each
user or group, the user or group appears in the bottom portion of the dialog
box. Click OK.
6. In the file or folder’s Properties dialog box, each user or group you added is auto-
matically assigned the Read and Read & Execute NTFS permissions to a file, or
the Read, Read & Execute, and List Folder Contents NTFS permissions to a folder.
To change the NTFS permissions of a user or group you added, highlight the user
or group in the Name box, then select or clear the appropriate check boxes in the
Permissions box.
If you want this file or folder to inherit NTFS permissions from its parent folder,
accept the default setting of “Allow inheritable permissions from parent to
propagate to this object.”
If you want to block inheritance of NTFS permissions from this file or folder’s par-
ent folder, clear the check box next to “Allow inheritable permissions from parent
to propagate to this object.”

CAUTION
Exercise care when blocking inheritance — you could end up denying
yourself permission to access or assign permissions to the file or folder.
If you intend to block inheritance, make sure you specifically assign
yourself the Allow – Full Control NTFS permission to the file or folder
before you block inheritance.

7. If you cleared the check box next to “Allow inheritable permissions from parent
to propagate to this object” in Step 6, the Security dialog box shown in Figure
11-13 appears.

FIGURE 11-13 Copying or removing inherited permissions

If you want to keep all of this file or folder’s inherited permissions, but convert
them to explicit permissions instead of inherited permissions, click Copy.
If you want to delete all of this file or folder’s inherited permissions, so that only
the users and groups that you explicitly assign permissions to this file or folder
remain, click Remove.
If you’ve changed your mind after all of this and decide you don’t want to block
inheritance after all, click Cancel.
8. In the file or folder’s Properties dialog box, click OK.
9. Exit Windows Explorer.
The standard NTFS file and folder permissions I’ve talked about so far
are used in most situations. The standard permissions actually consist of the
most commonly used combinations of special permissions, which are sometimes
called advanced permissions.
For example, the Read NTFS permission consists of the List
Folder/Read Data, Read Attributes, Read Extended Attributes, and Read
Permissions special permissions. You might encounter a situation where
assigning a special permission to a user or group for a file or folder would
better accomplish your security goals than assigning a standard permission.
Special NTFS permissions are assigned by clicking the Advanced command
button on the Security tab in a file or folder’s Properties dialog box.
Like standard NTFS permissions, special permissions are specifically allowed
or denied to a specific user or group.

STEP BY STEP

CONFIGURING ADVANCED NTFS PERMISSIONS

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows
Explorer.)
2. In the left pane, expand folders as necessary until the file or folder to which you
want to assign advanced NTFS permissions is displayed in the right pane. In the
right pane, highlight that file or folder. Select File ➪ Properties. (Or, right-click the
file or folder, and select Properties from the menu that appears.)
3. In the file or folder’s Properties dialog box, click the Security tab.
4. On the Security tab, click Advanced.
5. The Access Control Settings dialog box for the file or folder appears, as shown in
Figure 11-14. Notice the “Reset permissions on all child objects . . .” check box at
the bottom of the dialog box. This check box is only available on folders — it is not
available when configuring files.

CAUTION
Think twice before selecting the “Reset permissions on all child objects . . .”
check box. If you select this check box, you will reset NTFS permissions on
all subfolders and files of this folder to match the users, groups, and NTFS
permissions set in the Permission Entries list box for this folder.
FIGURE 11-14 Configuring NTFS permissions and inheritance

When this check box is selected, permissions will even be reset on files and
subfolders that are currently configured to block inheritance, and inheritance
will be enabled on those files and subfolders.
To remove a user or group from the Permission Entries list box, highlight
the user or group and click Remove.
To view or edit current NTFS permissions for a user or group, highlight the
user or group and click View/Edit. Assign advanced permissions as appropriate.
Click OK.
To add a user or group to the Permission Entries list box, click Add.
6. In the Select User, Computer, or Group dialog box, double-click the user or group
you want to add.
7. The Permission Entry dialog box for the folder appears, as shown in Figure 11-15.
Notice the long list of permissions in the Permissions list box — these are the
special (or advanced) NTFS permissions.
Assign special permissions to the user or group you added by selecting the
appropriate Allow or Deny check boxes.
FIGURE 11-15 Setting special NTFS permissions

Then, select the appropriate option from the “Apply onto” drop-down list box.
This setting determines how the permissions you set in this dialog box will be
inherited. The possible selections are:
■ This folder, subfolders and files — this is the default setting
■ This folder only
■ This folder and subfolders
■ This folder and files
■ Subfolders and files only
■ Subfolders only
■ Files only
The selection you make in this drop-down list box works in conjunction with the
“Apply these permissions to objects and/or containers within this container only”
check box at the bottom of the dialog box. If you select this check box (and any
option in the “Apply onto” box that includes subfolders), the permissions you set
will be applied to the subfolder, but will not be applied to any files or folders
within the subfolder.
Click OK.
8. In the Access Control Settings dialog box for the file or folder, click OK.
9. In the file or folder’s Properties dialog box, click OK.

How User and Group NTFS Permissions Combine


As with share permissions, it is not uncommon for a user to have one set of
NTFS permissions to a file or folder, and to be a member of multiple
groups that have different NTFS permissions to the file or folder. When
this occurs, the user and group permissions are additive, and normally the
least restrictive combination of permissions applies.
An exception to this rule occurs when a user is specifically denied an
NTFS permission. A denied permission always overrides an allowed permission.
Whenever a user is specifically denied a permission to a file or folder, or is a
member of a group that is specifically denied a permission to a file or folder,
the user is denied that permission to the file or folder. For example, if a user
is allowed the Full Control NTFS permission to a file or folder, but is a
member of a group that is denied the Full Control NTFS permission to
that file or folder, the user is denied all access to the file or folder. For this
reason, you should exercise care in denying a specific NTFS permission.

How NTFS Permissions Are Applied to New, Moved, and Copied Files and Folders
When new files or subfolders are created in a folder on an NTFS volume,
the new files or subfolders inherit all of the inheritable NTFS permissions
from the folder in which they are created. For example, if you create a new
file in the Public folder, and the Everyone group is allowed the Modify
NTFS permission to the Public folder, the new file inherits the NTFS
permissions from the Public folder, and the Everyone group is allowed
the Modify permission to the file.
When files or folders are moved or copied, their NTFS permissions
often change. Normally, when files or folders are moved or copied, they
inherit the inheritable NTFS permissions from the destination folder.
The only exception to this rule is when the moved files or folders are
moved to a new folder on the same NTFS volume — in this case, the moved
files or folders retain their original NTFS permissions, even if these
permissions were inherited from the folder in which they were originally
contained. In this situation, the moved files or folders do not inherit the
NTFS permissions from the destination folder.
The following examples illustrate how NTFS permissions are applied to
moved or copied files. The same rules apply to moved or copied folders.

Example 1: Moving a File to a Folder on a Different Volume


You move the D:\Public\Readme.txt file (to which the Everyone
group is allowed the Read NTFS permission) to the E:\Data folder (to
which the Everyone group is allowed the Full Control NTFS permission).
When a file is moved to a folder on a different volume, it inherits the
inheritable NTFS permissions from the destination folder. In this case, the
Readme.txt file inherits the NTFS permission from the E:\Data folder,
so the Everyone group is now allowed the Full Control NTFS permission
to the Readme.txt file.

Example 2: Copying a File to a Different Folder on the Same Volume
You copy the D:\Data\Busplan.doc file (to which the Managers group
is allowed the Read NTFS permission) to the D:\Public folder (to
which the Everyone group is allowed the Modify permission, and the
Managers group is not assigned any NTFS permissions). When a file is
copied to a different folder on the same NTFS volume, the file inherits the
inheritable NTFS permissions from the destination folder. Therefore, after
the Busplan.doc file is copied to the D:\Public folder, the Everyone
group is allowed the Modify NTFS permission to the file, and the
Managers group is no longer assigned any NTFS permissions to the file.

Example 3: Moving a File to a Different Folder on the Same Volume
You move the D:\Data\Forecast.doc file (to which the Managers
group is allowed the Read NTFS permission, and the Everyone group is
not assigned any NTFS permissions) to the D:\Public folder (to which
the Everyone group is allowed the Modify NTFS permission). When a file
is moved to a folder on the same volume, it retains all of its original NTFS
permissions — it does not inherit the inheritable NTFS permissions from
the destination folder. In this case, after the Forecast.doc file is
moved, the Managers group is still allowed the Read NTFS permission to
the file, and the Everyone group is not assigned any NTFS permissions to
the file.

TIP
Because FAT and FAT32 volumes don’t support NTFS permissions, any
files or folders that you copy or move to a FAT or FAT32 volume lose all of
their NTFS permissions, along with the security that those permissions
provided.
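The rules in this section, together with the “Apply onto” choices and the “within this container only” check box from the advanced permissions procedure earlier, are easy to get wrong in practice, so here is a small model of them in Python. It is an added example, not code from the book: the folder tree, principal names and drive letters are constructed for illustration, and the four inheritance flags it uses (object inherit, container inherit, inherit only, no propagate) are the flags the dialog settings correspond to, an assumption the book itself does not spell out.

```python
"""Added example, not code from the book: a model of NTFS inheritance on a
folder tree. It reproduces what the seven "Apply onto" choices and the "within
this container only" check box do when entries propagate, how clearing "Allow
inheritable permissions from parent" blocks propagation, and the copy and move
rules above. Tree, names and volumes are constructed; flag names are assumed."""

from dataclasses import dataclass, field, replace

OI, CI, IO, NP = "object_inherit", "container_inherit", "inherit_only", "no_propagate"
APPLY_ONTO = {                                   # Permission Entry dialog -> flags
    "This folder, subfolders and files": {OI, CI},
    "This folder only": set(),
    "This folder and subfolders": {CI},
    "This folder and files": {OI},
    "Subfolders and files only": {OI, CI, IO},
    "Subfolders only": {CI, IO},
    "Files only": {OI, IO},
}
VOLUMES = {"D:": "NTFS", "E:": "NTFS", "F:": "FAT32"}   # constructed for the example


@dataclass(frozen=True)
class Entry:
    principal: str
    permission: str
    flags: frozenset = frozenset()   # subset of {OI, CI, IO, NP}
    inherited: bool = False          # the grey check box on the Security tab


def entry(principal, permission, apply_onto="This folder, subfolders and files",
          container_only=False):
    flags = set(APPLY_ONTO[apply_onto])
    if container_only:               # "Apply these permissions to objects and/or
        flags.add(NP)                #  containers within this container only"
    return Entry(principal, permission, frozenset(flags))


@dataclass
class Node:
    name: str
    volume: str
    is_folder: bool
    entries: list = field(default_factory=list)
    inherit_from_parent: bool = True  # "Allow inheritable permissions from parent ..."
    children: list = field(default_factory=list)


def inherited_entries(parent, child):
    """Entries a direct child receives from its parent folder."""
    out = []
    for e in parent.entries:
        f = e.flags
        if child.is_folder and CI in f:       # applies to the subfolder itself;
            new = set() if NP in f else f - {IO, NP}   # NP stops it going further
        elif child.is_folder and OI in f and NP not in f:
            new = {OI, IO}                    # files-only entry passes through as inherit-only
        elif not child.is_folder and OI in f:
            new = set()                       # a file has nothing to pass it on to
        else:
            continue
        out.append(replace(e, flags=frozenset(new), inherited=True))
    return out


def refresh(child, parent):
    """Recompute the inherited part of `child`'s ACL from `parent`, then recurse."""
    child.entries = [e for e in child.entries if not e.inherited]
    if child.inherit_from_parent and VOLUMES[child.volume] == "NTFS":  # FAT: no ACL
        child.entries.extend(inherited_entries(parent, child))
    for grandchild in child.children:
        refresh(grandchild, child)


def copy_to(obj, dest):
    """Copy (any volume) or move across volumes: the object arrives with no ACL
    of its own and holds only what the destination folder hands down."""
    new = Node(obj.name, dest.volume, obj.is_folder)
    dest.children.append(new)
    refresh(new, dest)
    for child in obj.children:
        copy_to(child, new)
    return new


def move_to(obj, old_parent, dest):
    """Same NTFS volume: the object keeps its entries, inherited ones included,
    and picks up nothing from the destination. Anything else behaves as a copy."""
    old_parent.children.remove(obj)
    if obj.volume == dest.volume and VOLUMES[dest.volume] == "NTFS":
        dest.children.append(obj)
        return obj
    return copy_to(obj, dest)


def applies(node, principal):
    """Permissions that apply to `node` itself (inherit-only entries do not)."""
    return {e.permission for e in node.entries
            if e.principal == principal and IO not in e.flags}


if __name__ == "__main__":
    data = Node("Data", "D:", True, [entry("Managers", "Read")])
    public = Node("Public", "D:", True, [entry("Everyone", "Modify")])
    forecast = Node("Forecast.doc", "D:", False)
    data.children.append(forecast)
    refresh(forecast, data)
    moved = move_to(forecast, data, public)                     # book's Example 3
    assert applies(moved, "Managers") == {"Read"} and not applies(moved, "Everyone")
    copied = copy_to(Node("Busplan.doc", "D:", False, [entry("Managers", "Read")]), public)
    assert applies(copied, "Everyone") == {"Modify"} and not applies(copied, "Managers")
```

Running the file checks the book’s Examples 2 and 3. The same functions let you try the other “Apply onto” scopes (a “Files only” entry reaches files in every subfolder but never the subfolders themselves), block inheritance by clearing inherit_from_parent on a node and refreshing it, or copy to the FAT32 volume and watch every entry disappear.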

How NTFS and Share Permissions Interact


When users access a file or folder (in a share located on an NTFS volume)
over the network, both NTFS and share permissions are used to determine
the user’s effective permission to the file or folder in the share.
When NTFS and share permissions differ, the most restrictive permission
becomes the user’s effective permission to the file or folder in the share.
This means that if either the NTFS or the share permissions deny a user
access, access is denied.
The following two examples illustrate how NTFS and share permissions
interact.

Example 1
A folder named Documents is shared on an NTFS volume. The Everyone
group is allowed the Change share permission to the Documents share. In
addition, the Everyone group is allowed the Full Control NTFS permission
to all files and folders in the Documents share. Users who access
the Documents share over the network are only allowed the Change
permission to the files and folders in the share, because Change is the most
restrictive permission.

Example 2
A folder named Apps is shared on an NTFS volume. The Everyone group
is allowed the Full Control share permission to the Apps share. In addition,
the Everyone group is allowed the Read NTFS permission to the files and
folders in the Apps share. Users who access the Apps share over the
network only have the Read permission to the files and folders in this
share, because Read is the most restrictive permission.

TIP
Remember, share permissions only apply when users connect to a share
over the network. NTFS permissions are the only permissions that apply
to users who log on locally to the computer that contains the share.

Keep in mind that when you combine share and NTFS permissions, both
the share permissions and NTFS permissions must permit a user to perform
a task. For example, if a user is allowed the Change share permission to a
share, and also is allowed the Read NTFS permission to the shared folder,
the user’s effective permission to the share is Read, for two reasons. First,
Read is the most restrictive permission. Second, the Change share permission
includes the functionality of the Read permission, so in effect, both the
share permission and the NTFS permission grant the user the ability to read.
Sometimes, however, there isn’t any overlap between share and NTFS
permissions, and the user ends up not having any effective permissions to a
resource. For example, if a user has the Allow – Read share permission to a
share, and also has the Allow – Write NTFS permission to the shared
folder, the user can neither read nor write, because there is no
overlap in the functionality of these two permissions.
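The combination rules above (allows add up, a deny overrides them, and over the network a right counts only if both the NTFS and the share permissions grant it) are easy to state and easy to misjudge for a user who belongs to several groups. The following Python model works them through, and also covers the rule that the owner of a file or folder can always edit its permissions. It is an added example, not code from the book: user, group and ACL names are constructed, and the sets of special rights behind each standard permission are a simplification chosen for the example (the book lists only the Read bundle).

```python
"""Added example, not code from the book: a model of how Windows 2000 combines
the NTFS entries that apply to a user and his or her groups, and how that result
is then combined with share permissions for access over the network. Names and
ACLs are constructed; the right bundles behind each standard permission are an
assumption that simplifies the real tables."""

from dataclasses import dataclass

# Standard permissions as sets of the special (advanced) rights they bundle.
READ = {"list_folder/read_data", "read_attributes", "read_extended_attributes",
        "read_permissions"}
WRITE = {"create_files/write_data", "create_folders/append_data",
         "write_attributes", "write_extended_attributes"}
READ_EXECUTE = READ | {"traverse_folder/execute_file"}
MODIFY = READ_EXECUTE | WRITE | {"delete"}
FULL_CONTROL = MODIFY | {"delete_subfolders_and_files", "change_permissions",
                         "take_ownership"}
NTFS = {"Read": READ, "Write": WRITE, "Read & Execute": READ_EXECUTE,
        "Modify": MODIFY, "Full Control": FULL_CONTROL}
# Share permissions in the same vocabulary, so the two kinds can be intersected.
SHARE = {"Read": READ_EXECUTE, "Change": MODIFY, "Full Control": FULL_CONTROL}


@dataclass(frozen=True)
class Ace:
    principal: str    # user or group name
    allow: bool       # True for an Allow entry, False for a Deny entry
    permission: str   # a key of NTFS or SHARE


def effective_rights(user, groups, acl, table):
    """Union of every Allow that names the user or one of the groups, minus
    every Deny that names one of them. An unlisted principal contributes
    nothing, so a user listed nowhere ends up with no rights at all."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(table[ace.permission])
    return allowed - denied   # a denied permission always overrides an allowed one


def network_rights(user, groups, ntfs_acl, share_acl):
    """Access through a share: the most restrictive of the two, i.e. a right
    counts only if both the NTFS ACL and the share ACL grant it. A local
    logon uses effective_rights(..., NTFS) alone."""
    return (effective_rights(user, groups, ntfs_acl, NTFS)
            & effective_rights(user, groups, share_acl, SHARE))


def has(rights, permission, table=NTFS):
    """True if `rights` cover the whole standard permission named."""
    return table[permission] <= rights


def can_change_permissions(user, groups, acl, owner):
    """The owner can always edit the ACL; anyone else needs Change Permissions,
    which Full Control includes."""
    return user == owner or "change_permissions" in effective_rights(user, groups, acl, NTFS)


if __name__ == "__main__":
    # Allowed Full Control directly, but in a group that is denied it: the deny wins.
    acl = [Ace("alice", True, "Full Control"), Ace("Contractors", False, "Full Control")]
    assert effective_rights("alice", {"Contractors"}, acl, NTFS) == set()
    # Documents share: Change on the share, Full Control in NTFS -> Change (Modify).
    docs = network_rights("bob", {"Everyone"}, [Ace("Everyone", True, "Full Control")],
                          [Ace("Everyone", True, "Change")])
    assert has(docs, "Modify") and not has(docs, "Full Control")
    # Read share + Write NTFS: no overlap, so nothing at all over the network.
    assert network_rights("bob", {"Everyone"}, [Ace("Everyone", True, "Write")],
                          [Ace("Everyone", True, "Read")]) == set()
    print("effective-permission checks passed")
```

The model keeps NTFS and share ACLs as two separate lists and intersects the results, which is exactly why the strategy of opening the share wide and controlling access with NTFS permissions (or the reverse) makes effective permissions easy to predict: one of the two sides stops restricting anything.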

Taking Ownership of Files and Folders


The creator of a file or folder is its owner (except that when a member of
the Administrators group on the local computer creates a file or folder, the
Administrators group — not the user — is the owner of the file or folder).
The owner of a file or folder has special status and can always assign or
change NTFS permissions to users and groups for that file or folder. Only
files and folders on NTFS volumes have owners.
Occasionally you may need to change or assign permissions to a file or
folder, but not have the Full Control NTFS permission (or the Change
Permissions special NTFS permission) to the file or folder. Without being
the owner of the file or folder, or having the Full Control or Change
Permissions NTFS permission to the file or folder, the only way you can
change or assign permissions to the file or folder is to take ownership of the
file or folder.
A common situation where taking ownership becomes necessary is
when a user (who created a folder and was its owner) leaves the company,
and no one else has the Full Control or Change Permissions NTFS
permission to the folder. To change the permissions on the folder, the
Administrator must first take ownership of it.
A user can take ownership of a file or folder only if one or more of the
following criteria are met:
■ The user is a member of the Administrators group on the local
computer on which the file or folder is located. (If the computer
is a domain controller, the user must be a member of the
Administrators group in the domain.)
■ The user has the Full Control or Change Permissions NTFS
permission to the file or folder.
■ The user has the “Take ownership of files or other objects” user right.

STEP BY STEP

TAKING OWNERSHIP OF A FILE OR FOLDER

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows
Explorer.)
2. In the left pane, expand folders as necessary until the file or folder you want to
take ownership of is displayed in the right pane. In the right pane, highlight that
file or folder. Select File ➪ Properties. (Or, right-click the file or folder, and select
Properties from the menu that appears.)
3. In the file or folder’s Properties dialog box, click the Security tab.
4. If you currently do not have permission to view or edit permissions to the file or
folder, Windows 2000 displays a Security warning dialog box, as shown in Figure
11-16. Notice that the message indicates that you can take ownership. Click OK.

FIGURE 11-16 Security warning message

5. The Security tab in the file or folder’s Properties dialog box is displayed. Click
Advanced.
6. In the Access Control Settings dialog box for the file or folder, click the Owner tab.
7. The Owner tab is displayed, as shown in Figure 11-17. Notice that Windows
2000 is unable to display the current owner (because you don’t have permissions
to view the ownership information for the file or folder).

FIGURE 11-17 Taking ownership of a folder

In the “Change owner to” box, highlight the user (or group, if listed) that you want
to become the new owner of the file or folder.
If you are taking ownership of a folder, and you also want to become the owner of
all subfolders and files in this folder, select the check box next to “Replace owner
on subcontainers and objects.”
Click OK.
8. If you selected the check box next to “Replace owner on subcontainers and
objects” in Step 7, Windows 2000 displays a security warning dialog box,
indicating that you don’t have permission to read the contents of the folder. The dialog
box also asks if you want to grant yourself the Full Control permission to the
folder and to all of its contents. Click Yes.
9. The Security tab reappears. Click OK.
Configuring and Monitoring Disk Quotas


Disk quotas are volume management mechanisms that are enabled on a
volume-by-volume basis. Disk quotas are disabled by default. Once enabled,
disk quotas automatically track disk space usage on a user-by-user basis,
and can prevent individual users from exceeding the disk space limitations
that an Administrator has assigned.
Disk quotas are normally only used on servers, although they can be
used on any Windows 2000 computer. Enabling disk quotas puts an extra
strain on the computer’s processor. Because of this, you shouldn’t enable
disk quotas unless you have a need for them.
Disk quotas can only be used on NTFS volumes, because only NTFS
volumes maintain ownership information on files and folders.
You can use Windows Explorer to configure and monitor disk quotas.
Only members of the Administrators group on the local computer can
configure disk quotas. (If the computer is a domain controller, the user
must be a member of the Administrators group in the domain.)

STEP BY STEP

CONFIGURING AND MONITORING DISK QUOTAS

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows
Explorer.)
2. In the left pane, expand folders as necessary until the volume on which you want
to configure disk quotas is displayed. Highlight that volume (such as C:, D:, and
so on). Select File ➪ Properties. (Or, right-click the volume and select Properties
from the menu that appears.)
3. In the volume’s Properties dialog box, click the Quota tab.
4. On the Quota tab, select the check box next to “Enable quota management,” as
shown in Figure 11-18. (Remember, disk quotas are disabled by default.)
There are several configurable options on this tab:
■ Deny disk space to users exceeding quota limit: If you select this check
box, users are prevented from using more than their assigned amount of disk
space. This option is not selected by default.
■ Do not limit disk usage: If you select this option, Windows 2000 will track
disk space usage of this volume on a user-by-user basis, but it will not limit
an individual’s disk usage.
FIGURE 11-18 Enabling disk quotas

TIP
By default, once quotas are enabled, this option is selected, and disk
space on this volume is limited to 1K per user. You’ll almost certainly
want to increase this setting.

■ Limit disk space to: If you select this option, all users of this volume (that
don’t have an individual disk quota assigned) will be assigned a disk quota in
the amount of disk space specified.
Enforcement of this quota depends on whether the “Deny disk space to
users exceeding quota limit” check box is selected.
You can configure a disk space limit on a user-by-user basis, thus allotting
different users different amounts of disk space. I’ll show you how to do this
when I discuss Quota Entries later in this section.
■ Set warning level to: This setting determines when Windows 2000 will
generate a warning message in the Quota Entries dialog box (and in the
System Log in Event Viewer if so configured). Users are not notified when
they exceed their warning level. The warning level must be less than or
equal to the user’s disk space limit.
■ Log event when a user exceeds their quota limit: If this check box is
selected, Windows 2000 writes an event to the System Log in Event Viewer
when the user exceeds the disk space limit.
■ Log event when a user exceeds their warning level: If this check box is
selected, Windows 2000 writes an event to the System Log in Event Viewer
when the user exceeds the warning level limit.
Select and configure the appropriate options on this tab. Click Apply.
5. A Disk Quota warning dialog box is displayed. Click OK to enable the quota system.
6. On the Quota tab, click Quota Entries to view disk quota utilization for this
volume and to configure disk space limits for individual users.
7. The Quota Entries dialog box for the volume appears, as shown in Figure 11-19.
Notice the three types of indicators in the Status column: Above Limit, Warning,
and OK.

FIGURE 11-19 Monitoring disk quotas

This dialog box is primarily used for monitoring disk quota usage for individual
users and groups. You can view the exact amount of disk space currently used by
each user, as well as each user’s disk quota limit, warning level, and percent of
allowed disk space used.
In addition, you can modify the disk quota limit and warning level for any user or
group listed in the dialog box. You can also add users to the dialog box and
assign them disk quota limits.
To modify an individual user’s disk quota limit, double-click the entry.
8. The Quota Settings dialog box for the user appears, as shown in Figure 11-20.

FIGURE 11-20 Configuring a user’s disk quota

If you want Windows 2000 to track the user’s disk usage, but you don’t want to
limit the user’s disk usage, select the “Do not limit disk usage” option.
If you want to limit the user to a specific amount of disk space, select the “Limit
disk space to” option and configure the user’s limit. You should also configure the
user’s warning level — this level can’t be greater than the user’s disk space limit.

TIP
When an individual user is assigned a disk quota, the user won’t be prevented
from exceeding his or her assigned disk space limit unless the
“Deny disk space to users exceeding quota limit” check box is selected
on the Quota tab for the volume.

Click OK.
9. To add a user to the Quota Entries list, select Quota ➪ New Quota Entry in the
Quota Entries dialog box.
10. In the Select Users dialog box, double-click the user you want to add. Click OK.
(You can select more than one user to add, but if you do, you end up assigning
them all identical disk space limits. Unless you want all users to have the same
disk quota limit, add the users one at a time.)
11. In the Add New Quota Entry dialog box, make the appropriate disk limit
configurations for the user you’re adding and click OK.
12. The user is added to the top of the Quota Entries list. When you’re finished
configuring and monitoring disk quotas, close Quota Entries.
13. In the volume’s Properties dialog box, click OK.

If you enable disk quotas on a volume, and configure Windows 2000 to
deny disk space to users exceeding their quota limit, when a user takes any
action that would exceed this limit, the user is notified that “there is not
enough free disk space.” This may happen when a user tries to save or copy
a file or folder. It may even happen when the user attempts to log on if
there is not enough space (in the user’s quota) to create the user’s profile.
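Because tracking, warning, logging and enforcement are separate switches on the Quota tab, it helps to see how they combine for a user with an individual entry and for one who falls back to the volume default. The following Python model is an added example, not code from the book; the user names, sizes and log text are constructed, and the 1K default entry is the one the Quota tab starts with.

```python
"""Added example, not code from the book: a model of how the settings on a
volume's Quota tab and the per-user entries in Quota Entries combine when a
user writes to the volume. Users, sizes and log text are constructed."""

from dataclasses import dataclass, field
from typing import Optional

KB = 1024


@dataclass
class QuotaEntry:
    limit: Optional[int]              # None means "Do not limit disk usage"
    warning: Optional[int] = None     # warning level; may not exceed the limit

    def __post_init__(self):
        if None not in (self.limit, self.warning) and self.warning > self.limit:
            raise ValueError("warning level must be less than or equal to the limit")


@dataclass
class Volume:
    enabled: bool = False             # "Enable quota management"
    deny_over_limit: bool = False     # "Deny disk space to users exceeding quota limit"
    log_limit: bool = False           # "Log event when a user exceeds their quota limit"
    log_warning: bool = False         # "Log event when a user exceeds their warning level"
    # the volume-wide default: a 1K limit and warning level, as the book notes
    default: QuotaEntry = field(default_factory=lambda: QuotaEntry(KB, KB))
    entries: dict = field(default_factory=dict)   # user -> QuotaEntry from Quota Entries
    usage: dict = field(default_factory=dict)     # user -> bytes charged to files he or she owns
    system_log: list = field(default_factory=list)

    def quota_for(self, user):
        return self.entries.get(user, self.default)

    def charge(self, user, nbytes):
        """Charge a new or grown file of `nbytes` to its owner. Returns True when
        the write goes through and False when the user is told there is not
        enough free disk space. Usage is tracked whether or not enforcement is on."""
        if not self.enabled:
            return True
        q, before = self.quota_for(user), self.usage.get(user, 0)
        after = before + nbytes

        def crossed(level):           # this write takes the user past `level`
            return level is not None and before <= level < after

        if self.log_warning and crossed(q.warning):   # logged, never shown to the user
            self.system_log.append(f"{user} exceeded the warning level ({q.warning} bytes)")
        if self.log_limit and crossed(q.limit):
            self.system_log.append(f"{user} exceeded the quota limit ({q.limit} bytes)")
        if self.deny_over_limit and q.limit is not None and after > q.limit:
            return False                              # refused; usage is unchanged
        self.usage[user] = after
        return True

    def status(self, user):
        """The Status column of the Quota Entries dialog."""
        used, q = self.usage.get(user, 0), self.quota_for(user)
        if q.limit is not None and used > q.limit:
            return "Above Limit"
        if q.warning is not None and used > q.warning:
            return "Warning"
        return "OK"


if __name__ == "__main__":
    vol = Volume(enabled=True, log_limit=True, log_warning=True,
                 default=QuotaEntry(100 * KB, 80 * KB))
    vol.entries["pat"] = QuotaEntry(10 * KB, 8 * KB)   # individual override
    assert vol.charge("pat", 9 * KB) and vol.status("pat") == "Warning"
    assert vol.charge("pat", 5 * KB) and vol.status("pat") == "Above Limit"  # not enforced yet
    vol.deny_over_limit = True
    assert not vol.charge("pat", 1) and vol.usage["pat"] == 14 * KB
    assert len(vol.system_log) == 2
    print("quota checks passed")
```

Note what the model makes visible: with enforcement off a user can sail past the limit and the only trace is the Status column and the System Log; with enforcement on, the refused write leaves usage exactly where it was, which is the state the user is in when the “disk is full” complaint arrives.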

IN THE REAL WORLD


Once, after I configured disk quotas, one of my users (a notorious disk
hog) exceeded his disk quota and proceeded to create quite a stir in the
office by telling everyone that the server’s disk was full. It took me quite a
while to calm everyone down and explain the situation.

Disk quotas can create problems if not configured appropriately. If you
set disk space limits too low, you can hamper users’ ability to perform their
day-to-day tasks, because they won’t be able to save or copy documents
when they need to. You’ll also have to deal with users telling you that the
server’s disk is full, when in fact the server is not full — the user has simply
exceeded his or her disk quota limit.

Optimizing Access to Files and Folders


There is no one right way to optimize access to your network resources.
However, there are several common-sense practices you can use to optimize
access to files and folders. Consider using one or more of the following tips
to optimize security for network resources, to optimize administration of
shared files and folders, and to optimize access to files and folders.
To optimize security for network resources:
■ Consider making it a practice to always assign the most restrictive
permission that still permits a user to accomplish the tasks he or
she needs to perform.
■ Consider storing important data on NTFS volumes instead of on
FAT or FAT32 volumes because of the greater security possible on
NTFS volumes.
■ When you want to assign permissions to all users in the domain,
consider assigning appropriate permissions to the Domain Users
group and then removing the Everyone group from the permissions
list (or access control list) to the resource. This closes up the security
loophole that the Everyone group inherently produces: in Windows 2000,
Everyone also includes anonymous (null session) connections, not just
authenticated users.
■ Always store data files and application files in different folders. This
helps prevent accidental deletion of application files and simplifies
backup and restore procedures.
To optimize administration of shared files and folders:
■ When assigning permissions, assign permissions to groups, rather
than individual users, when possible.
■ When planning a folder structure (on an NTFS volume), keep
inheritance in mind, and try to increase the amount of access users
are allowed to a resource as you go farther down the tree. In other
words, assign the most restrictive permissions at the top of the
folder structure, and assign the least restrictive permissions toward
the bottom of the tree. If you do this, you won’t ever have to
block inheritance.
■ Consider assigning the Domain Admins global group the Full
Control share permission to all shares, with the exception of
users’ home folders.
■ In high-security environments, consider assigning the Domain
Users group the Full Control or the Change share permission to
shared folders, and using NTFS permissions to control access to
individual files and folders within the shared folder. This prevents
the administrative nightmare of always having to determine the
most restrictive combination of share and NTFS permissions for
a given user or group to a resource. When this strategy is used, the
NTFS permission to the file or folder is always the user’s effective
permission.
■ In low-security environments, consider assigning the Domain
Users group the Full Control NTFS permission to all files and
folders on a volume, and using share permissions to control access
to shared folders. This is the simplest way to control access to
shared files and folders in a low security environment, because the
share permission is always the user’s effective permission to all
contents of the share.
■ Consider storing operating systems on a separate volume from data
files, home folders, and applications. This makes backup, restore, and
administration easier.
To optimize access to shared files and folders:
■ Assign share names that are easily recognized by users, that
appropriately describe the resources contained in the share, and
that are of appropriate length (so users of all client computers
can access the share).
■ When users routinely log on to more than one Windows 2000
computer on the network, consider using roaming user profiles
to optimize users’ access to their profiles.
■ If roaming user profiles are used, consider redirecting the My
Documents folder within users’ profiles to a shared folder on a
network server. This prevents the My Documents folder from
being copied to and from the server each time the user logs on
and logs off. If users use laptop computers and you redirect the
My Documents folder, consider configuring “Automatic Caching
for Documents” on the shared folder to which My Documents is
redirected. (This will ensure that recently accessed documents are
cached locally on users’ computers, so that users can access the
documents when their laptops aren’t connected to the network.)
■ If you use Dfs, consider making it a policy to use domain Dfs roots
(instead of stand-alone Dfs roots) and to create at least one additional
replica of each domain Dfs root. This will ensure that even if one of
the servers that hosts the domain Dfs root is unavailable, users will
still be able to access the Dfs root.

Troubleshooting Common Resource Access and Permission Problems
When a user can’t access a resource (that he or she is supposed to be able
to access), the administrator must determine why this is happening
and correct the problem. Many resource access problems are caused by
incorrectly configured or conflicting permissions.
Here are some recommended troubleshooting tips to help you solve
various resource access and permission problems.

Problem 1: A User Can’t Access Files in a Shared Folder
Ensure that the user (or a group that the user is a member of) is allowed
permissions to the shared folder. Also look for conflicting share and NTFS
permissions. To do this, you’ll need to determine which groups the user is
a member of (including groups in other domains), and determine the
user’s effective share permission and effective NTFS permissions to the
shared folder. Finally, look for permissions that have specifically been
denied to the user or to any groups to which the user belongs. Remember
that a denied permission always overrides an allowed permission.
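The check list above (resolve the user’s groups, work out the effective share and NTFS permissions separately, look for Deny entries, then take the more restrictive of the two) as an added Python model that is not code from the book. The ACLs it runs through are constructed to match this chapter’s assessment questions 5 and 8 and scenarios 1 and 3; the ManagersData share permission is the one set up in Lab 11-1, Part 1.

```python
"""Effective-permission model for Windows 2000 shared folders on NTFS volumes.

Added example, not code from the book. It encodes the rules the chapter states:
permissions from a user and all of the user's groups are additive, an explicit
Deny overrides any Allow, and when the user connects over the network the
effective permission is the more restrictive of the share permission and the
NTFS permission. The users, groups and ACLs below are constructed to mirror
the chapter's assessment questions and scenarios.
"""

# Each standard permission is modelled as the set of rights it grants, so that
# Full Control contains everything Change/Modify grants, which in turn contains
# everything Read grants. This is a simplification of the real access mask, but
# it preserves the ordering the chapter relies on.
RIGHTS = {
    "Read": frozenset({"read"}),
    "Read & Execute": frozenset({"read", "execute"}),
    "Write": frozenset({"write"}),
    "Change": frozenset({"read", "execute", "write"}),   # share permission
    "Modify": frozenset({"read", "execute", "write"}),   # NTFS permission
    "Full Control": frozenset({"read", "execute", "write", "full"}),
}
# Names reported, most to least access, when describing a share or NTFS ACL.
SHARE_LEVELS = ("Full Control", "Change", "Read")
NTFS_LEVELS = ("Full Control", "Modify", "Read & Execute", "Read", "Write")


def allowed_rights(acl, principals):
    """Rights the given principals (a user plus every group it belongs to) hold
    on one ACL: the union of matching Allow entries minus the union of matching
    Deny entries, because a denied right overrides an allowed one no matter
    which group granted it. Each entry is (principal, "Allow"|"Deny", perm)."""
    allowed, denied = set(), set()
    for principal, kind, permission in acl:
        if principal in principals:
            (allowed if kind == "Allow" else denied).update(RIGHTS[permission])
    return frozenset(allowed - denied)


def describe(rights, levels):
    """Name the highest standard permission wholly contained in `rights`."""
    for level in levels:
        if RIGHTS[level] <= rights:
            return "Allow – " + level
    return "No access"


def diagnose(user, groups, share_acl, ntfs_acl=None):
    """The Problem 1 check list: resolve the user's principals, compute the
    effective share and NTFS permissions separately, record any Deny entries
    that apply, and combine share and NTFS rights as Windows does for a
    network connection (a right must be granted by both). ntfs_acl=None models
    a share on a FAT volume, where only share permissions apply."""
    principals = {user, *groups}
    share_rights = allowed_rights(share_acl, principals)
    report = {
        "principals": sorted(principals),
        "share": describe(share_rights, SHARE_LEVELS),
        "denied_by": sorted(p for p, kind, _ in share_acl + (ntfs_acl or [])
                            if kind == "Deny" and p in principals),
    }
    rights = share_rights
    if ntfs_acl is not None:
        ntfs_rights = allowed_rights(ntfs_acl, principals)
        report["ntfs"] = describe(ntfs_rights, NTFS_LEVELS)
        rights = share_rights & ntfs_rights          # most restrictive wins
    report["effective"] = describe(
        rights, SHARE_LEVELS if ntfs_acl is None else NTFS_LEVELS)
    return report


# Constructed ACLs mirroring the chapter's questions and scenarios.
PAYROLL_SHARE = [("JeffB", "Allow", "Full Control"),          # question 5
                 ("Accounting", "Allow", "Change"),
                 ("Managers", "Allow", "Read")]
SUPPORT_SHARE = [("Technicians", "Allow", "Full Control")]    # question 8
SUPPORT_NTFS = [("Managers", "Allow", "Modify")]
ACCOUNTING_SHARE = [("Everyone", "Allow", "Read")]            # scenario 1
ACCOUNTING_NTFS = [("Accounting", "Allow", "Full Control"),
                   ("Domain Users", "Allow", "Read")]
MANAGERS_SHARE = [("Domain Users", "Allow", "Full Control")]  # Lab 11-1, Part 1
MANAGERS_NTFS = [("Administrators", "Allow", "Full Control"),  # scenario 3
                 ("Managers", "Allow", "Modify"),
                 ("Sales", "Deny", "Full Control")]

if __name__ == "__main__":
    cases = [
        ("JeffB", ["Domain Users", "Accounting", "Managers"], PAYROLL_SHARE, None),
        ("BetsyR", ["Technicians", "Managers"], SUPPORT_SHARE, SUPPORT_NTFS),
        ("NancyW", ["Everyone", "Accounting", "Domain Users"],
         ACCOUNTING_SHARE, ACCOUNTING_NTFS),
        ("JohnS", ["Domain Users", "Managers", "Sales"],
         MANAGERS_SHARE, MANAGERS_NTFS),
    ]
    for user, groups, share, ntfs in cases:
        print(user, diagnose(user, groups, share, ntfs))
```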

Problem 2: A New Group Member Can’t Access a Share That Other Group Members Can Access
One of the simplest things you can do to try to resolve this problem is to have
the user log off and then log on again, so that the user’s group membership
information will be updated. You may also need to examine the new group
member’s other existing group memberships. It’s possible that the user may
be a member of another group that is denied access to the share.

Problem 3: A User Is Unable to Access a File After It Has Been Moved
This problem is likely the result of the file being moved to a different
NTFS volume. When a file is moved to a different NTFS volume, the file
loses all of its original NTFS permissions and inherits the inheritable
NTFS permissions from the destination folder it is moved to. You may
need to reassign NTFS permissions to users or groups in order for them to
access the moved file.

Problem 4: Users Report Slow Server Response When They Access a Shared Folder That Was Recently Compressed
Using compression places an increased load on the server’s processor, thus
slowing the server’s response to users when they access compressed files
and folders. Compression should only be used on files and folders that are
accessed infrequently. If files and folders are accessed frequently, choose to
add disk space instead of using compression.

Problem 5: Users Report That Their Files Are No Longer Encrypted After You Compress an NTFS Volume
Compression and encryption are mutually exclusive — you can use one or
the other, but not both. If users require encryption, uncompress the folders
users need to encrypt.

Problem 6: A User Reports That He Can’t Locate a File That He Saved to a Domain Dfs Root Yesterday
The most likely cause of this problem is that the file was saved in a Dfs
root, the file was not automatically replicated to the Dfs root replica(s), and
the next day the user accessed a replica instead of the Dfs root. Determine
whether automatic replication is configured between the Dfs root and
its replica(s). If automatic replication is not configured, either configure
automatic replication, or instruct users not to store files in the Dfs root.

Problem 7: Users Report That They Are Unable to Connect to a Stand-alone Dfs Root
The most likely cause of this problem is that the server that hosts the Dfs
root is unavailable. Either bring the server back on line or consider using a
domain Dfs root with a replica to provide fault tolerance.

KEY POINT SUMMARY

This chapter introduced several important Windows 2000 file and folder topics:
■ Windows 2000 files and folders have various attributes, some of which the
administrator can use to provide a limited amount of data protection. You can
assign or change attributes by using Windows Explorer.
■ In Windows 2000, folders are shared to enable users to access network
resources. A shared folder appears in Windows Explorer as a folder with a
hand under it. A shared folder is often referred to as a share.
■ Shared folder permissions (often called share permissions) control user
access to shared folders, and only apply when users connect to the folder
over the network.
■ When user and group permissions conflict, the permissions are additive,
and normally the least restrictive permission is the user’s effective permission.
However, there is an exception: a denied permission always overrides an
allowed permission.
■ The Distributed file system (Dfs) enables an administrator to make shares that
are stored on various servers on the network appear to users as though they
are stored within a single share on a single server. This makes finding network
resources easier for users.
■ A Dfs root is a special type of shared folder that can contain files, folders, Dfs
links, and other Dfs roots. A Dfs link is a special type of subfolder in a Dfs root
that acts as a pointer to a specific shared folder on the network.
■ NTFS permissions, which can only be assigned to files and folders on
NTFS volumes, protect data from unauthorized access when users connect
to the share locally or over the network. There are standard and special
NTFS permissions.
■ When NTFS and share permissions differ, the most restrictive permission
becomes the user’s effective permission to the file or folder in the share. If
either the NTFS or the share permissions deny a user access, access is denied.
■ If the Administrator needs to change the permissions assigned to a file or folder,
but doesn’t have the Full Control or Change Permissions NTFS permission to
the file or folder, the Administrator must take ownership of the file or folder.
■ Disk quotas are volume management mechanisms that, once enabled,
automatically track disk space usage on a user-by-user basis, and can
prevent individual users from exceeding the disk space limitations they
have been assigned by an Administrator.

STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about sharing, securing, and accessing files and folders on the
network, and to help you prepare for the Windows 2000 Professional and
Server exams:
■ Assessment questions: These questions test your knowledge of the
various Windows 2000 file and folder topics covered in this chapter.
You’ll find the answers to these questions at the end of this chapter.
■ Scenarios: The situation-based questions in scenarios challenge you
to apply your understanding of the material to solve a hypothetical
problem. In this chapter’s scenario, you are asked to troubleshoot and
optimize various situations involving access to shared files and
folders. You don’t need to be at a computer to do scenarios. Answers to
this chapter’s scenarios are presented at the end of this chapter.
■ Lab exercises: These exercises are hands-on practice activities that
you perform on a computer. The lab in this chapter gives you an
opportunity to practice several common Windows 2000 file and
folder tasks.

Assessment Questions
1. You want to protect application files located on an NTFS volume on
a Windows 2000 computer so that users can’t accidentally delete these
files. Which attribute should you assign to the application files?
A. Hidden
B. System
C. Encrypt
D. Read-only
2. You want to share a folder located on a FAT32 volume on a
Windows 2000 computer. Which tool should you use?
A. System Tools
B. Folder Options
C. Windows Explorer
D. Local Security Policy
3. You want to map a network drive on your Windows 2000 client
computer to a folder named Invoices that is stored in a share
named Accounting on a Windows 2000 Server computer named
Corp02. What UNC name should you specify?
A. \\CORP02\Accounting
B. \\CORP02\Accounting\Invoices
C. C:\CORP02\Accounting
D. E:\CORP02\Accounting\Invoices
4. You want to prevent the creation of administrative shares on a
Windows 2000 Server computer. What should you do?
A. Nothing. You can’t prevent the creation of administrative shares.
B. Configure the Advanced options in Configure Your Server.
C. Configure the Advanced settings on the View tab in
Folder Options.
D. Use Regedt32.exe or the System Policy Editor to edit
the registry.
5. JeffB is allowed the Full Control share permission to a folder named
Payroll. Jeff is a member of three groups, which have the following
share permissions to the Payroll folder:

Group          Share Permission to the Payroll Folder
Domain Users   No permissions assigned
Accounting     Allow – Change
Managers       Allow – Read

What is JeffB’s effective permission to the Payroll folder?
A. Allow – Read
B. Allow – Change
C. Allow – Full Control
D. Deny – Full Control
6. You want to assign NTFS permissions to a shared folder located on
an NTFS volume on a Windows 2000 Server computer. Which tool
should you use?
A. Windows Explorer
B. Disk Management
C. Folder Options
D. System Tools
7. You move a file from an NTFS volume on a Windows 2000 client
computer to a folder on an NTFS volume on a Windows 2000 Server
computer. What effect does moving this file have on the NTFS
permissions assigned to the file?
A. The moved file retains all of its original NTFS permissions.
B. The moved file loses all of its original NTFS permissions, and
now has no permissions.
C. The moved file loses some of its original NTFS permissions, and
inherits some of the NTFS permissions from its destination folder.
D. The moved file loses all of its original NTFS permissions,
and inherits all of the inheritable NTFS permissions from its
destination folder.
8. BetsyR is a member of one group, Technicians, that is allowed the
Full Control share permission to the Support share. BetsyR is a
member of another group, Managers, that is allowed the Modify
NTFS permission to the Support share. BetsyR is not assigned
any specific share or NTFS permissions as an individual user.
What is BetsyR’s effective permission to the Support share?
A. Allow – Modify
B. Allow – Full Control
C. Allow – Read & Execute
D. Deny – Full Control

Scenarios
The following scenarios provide you with an opportunity to apply the
knowledge you’ve gained in this chapter about working with files and
folders in a Windows 2000 environment.
Users can have difficulty accessing shared resources for a number of reasons.
For each of the following problems, consider the given situation and
facts, and state what course of action you would take to try to resolve the
problem or optimize the situation.
1. A user, NancyW, reports that she can’t save files to the
AccountingData share located on an NTFS volume on a Windows
2000 computer. NancyW is a member of the following groups that
have various share and NTFS permissions to the AccountingData
share.

Group          Share Permissions Assigned    NTFS Permissions Assigned
               for AccountingData            for AccountingData
Everyone       Allow – Read                  No permissions assigned
Accounting     No permissions assigned       Allow – Full Control
Domain Users   No permissions assigned       Allow – Read

2. A user reports that her personal, sensitive data files are no longer
encrypted. You just enabled compression on the NTFS volume on the
Windows 2000 Server computer that contains the user’s data files.
3. A user, JohnS, has worked at your company as a sales representative
for five years. JohnS was recently made a manager of the company.
He reports that he can’t access the ManagersData share located on
an NTFS volume on a Windows 2000 computer. John is a member
of several groups that have various NTFS permissions to the
ManagersData share.

Group            NTFS Permissions Assigned for ManagersData
Administrators   Allow – Full Control
Managers         Allow – Modify
Sales            Deny – Full Control
4. Users report that they cannot access the Data stand-alone Dfs root
that is hosted by a Windows 2000 Server computer named Server03.
5. Yesterday you saved a file in a domain Dfs root. Today, when you map
a network drive to the domain Dfs root, the file is not listed in the
contents of the Dfs root.
6. Several users in your company report that they are having difficulty
locating shared folders that contain documents they need to access to
perform their daily tasks.

Lab Exercises
The following lab is designed to give you practical experience working
with files and folders in a Windows 2000 environment.

Lab 11-1 Sharing, Securing, and Accessing Files and Folders
Exam Material: Professional, Server

The purpose of this lab is to provide you with an opportunity to practice
configuring, managing, sharing, securing, and accessing files and folders on
a Windows 2000 computer.
There are five parts to this lab:
■ Part 1: Sharing Folders and Configuring Share and NTFS Permissions
■ Part 2: Configuring a Dfs Root and Connecting to Shared Resources
■ Part 3: Configuring Data Compression
■ Part 4: Configuring Data Encryption
■ Part 5: Configuring and Monitoring Disk Quotas
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Sharing Folders and Configuring Share and NTFS Permissions
In this part, you use Windows Explorer to create and share several folders.
Then you assign share and NTFS permissions to these folders.
1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪
Windows Explorer.)
2. In the left pane, click the + next to My Computer. Highlight Local
Disk (C:). Select File ➪ Properties.
3. In the Local Disk (C:) Properties dialog box, click the Security tab.
4. On the Security tab, click Add.
5. In the Select Users, Computers, or Groups dialog box, scroll down
and double-click the Domain Admins group. Click OK.
6. On the Security tab, highlight the Domain Admins group. Select the
Allow check box next to the Full Control permission. Highlight the
Everyone group and click Remove. Click OK.
7. In Windows Explorer, select File ➪ New ➪ Folder.
8. In the right pane, type in a new folder name of SharedData and
press Enter.
9. Double-click the newly created SharedData folder. Select File ➪
New ➪ Folder.
10. In the right pane, type in a new folder name of Managers and
press Enter.
11. Select File ➪ New ➪ Folder.
12. In the right pane, type in a new folder name of Accounting and
press Enter.
13. Select File ➪ New ➪ Folder.
14. In the right pane, type in a new folder name of Sales and press Enter.
You should now have three new folders in the right pane, named
Managers, Accounting, and Sales.
15. In the right pane, highlight the Managers folder. Select File ➪ Sharing.
16. In the Managers Properties dialog box, select the option next to
“Share this folder.” Type ManagersData in the “Share name” text
box. Click Permissions.
17. In the Permissions for ManagersData dialog box, notice that the
Everyone group is allowed the Full Control share permission to
the folder. Click Add.
18. In the Select Users, Computers, or Groups dialog box, scroll down
and double-click the Domain Users group. Click OK.
19. In the Permissions for ManagersData dialog box, highlight the
Domain Users group, and select the Allow check box for the Full
Control permission. Highlight the Everyone group, and click
Remove. Click OK.
20. In the Managers Properties dialog box, click the Security tab.
21. On the Security tab, click Add.
22. In the Select Users, Computers, or Groups dialog box, scroll down
and double-click the Managers group. Click OK.
23. On the Security tab, highlight the Managers group. Select the Allow
check box next to the Full Control NTFS permission. Click OK.
24. In the right pane, highlight the Accounting folder. Select File ➪
Sharing.
25. In the Accounting Properties dialog box, select the option next to
“Share this folder.” Type AccountingData in the “Share name”
text box. Click Permissions.
26. In the Permissions for AccountingData dialog box, click Add.
27. In the Select Users, Computers, or Groups dialog box, scroll
down and double-click the Domain Users group. Click OK.
28. In the Permissions for AccountingData dialog box, highlight the
Domain Users group, and select the Allow check box for the
Full Control permission. Highlight the Everyone group, and
click Remove. Click OK.
29. In the Accounting Properties dialog box, click the Security tab.
30. On the Security tab, click Add.
31. In the Select Users, Computers, or Groups dialog box, scroll down
and double-click the Accountants group. Then double-click the
Managers group. Click OK.
32. On the Security tab, highlight the Managers group. Select the
Allow check box next to the Full Control NTFS permission. Then
highlight the Accountants group. Select the Allow check box next
to the Modify NTFS permission. Click OK.
33. In the right pane, highlight the Sales folder. Select File ➪ Sharing.
34. In the Sales Properties dialog box, select the option next to “Share
this folder.” Type SalesData in the “Share name” text box. Click
Permissions.
35. In the Permissions for SalesData dialog box, click Add.
36. In the Select Users, Computers, or Groups dialog box, scroll down
and double-click the Domain Users group. Click OK.
37. In the Permissions for SalesData dialog box, highlight the Domain Users
group, and select the Allow check box for the Full Control permission.
Highlight the Everyone group, and click Remove. Click OK.
38. In the Sales Properties dialog box, click the Security tab.
39. On the Security tab, click Add.
40. In the Select Users, Computers, or Groups dialog box, scroll down
and double-click the Managers group. Then double-click the Sales
group. Click OK.
41. On the Security tab, highlight the Managers group. Select the Allow
check box next to the Full Control NTFS permission. Then highlight
the Sales group. Select the Allow check box next to the Modify
NTFS permission. Click OK.
You’ve now shared the three new folders, and assigned both share and
NTFS permissions to these shared folders. Close Windows Explorer.

Part 2: Configuring a Dfs Root and Connecting to Shared Resources
In this part, you use the Distributed File System tool to create and configure
a Dfs root and three Dfs links to the shared folders you created in Part 1.
Then you map a network drive to connect to the Dfs root.
1. Start the Distributed File System tool. (Select Start ➪ Programs ➪
Administrative Tools ➪ Distributed File System.)
2. In the Distributed File System dialog box, select Action ➪ New
Dfs Root.
3. The New Dfs Root Wizard starts. Click Next.
4. In the Select the Dfs Root Type screen, select the “Create a
standalone Dfs root” option. Click Next.
5. In the Specify the Host Server for the Dfs Root screen, accept the
default Server name of server01.domain1.mcse. Click Next.
6. In the Specify the Dfs Root Share screen, select the “Create a new
share” option. In the “Path to share” text box, type C:\Data. In the
“Share name” text box, type Data and click Next.
7. Windows 2000 asks if you want to create the C:\Data folder.
Click Yes.
8. In the Name the Dfs Root screen, enter a Comment of Company
Shared Data. Click Next.
9. In the Completing the New Dfs Root Wizard screen, click Finish.
10. Windows 2000 creates the new Dfs root. It appears in the left pane
in the Distributed File System dialog box. Highlight the new Dfs root
named \\SERVER01\Data and select Action ➪ New Dfs Link.
11. In the Create a New Dfs Link dialog box, type in a Link name of
ManagersData. In the “Send the user to this shared folder” text
box, type \\Server01\ManagersData. Click OK.
12. The new Dfs link appears in the left pane. Highlight the Dfs root
named \\SERVER01\Data and select Action ➪ New Dfs Link.
13. In the Create a New Dfs Link dialog box, type in a Link name of
AccountingData. In the “Send the user to this shared folder” text
box, type \\Server01\AccountingData. Click OK.
14. The new Dfs link appears in the left pane. Highlight the Dfs root
named \\SERVER01\Data and select Action ➪ New Dfs Link.
15. In the Create a New Dfs Link dialog box, type in a Link name of
SalesData. In the “Send the user to this shared folder” text box,
type \\Server01\SalesData. Click OK.
16. The new Dfs link appears in the left pane. You’ve now created a Dfs
root and three Dfs links. Close the Distributed File System.
17. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪
Windows Explorer.)
18. In the left pane, click the + next to My Computer. Select Tools ➪
Map Network Drive.
19. In the Map Network Drive dialog box, select a Drive letter of V:
(from the Drive drop-down list box) and type in a Folder name of
\\Server01\Data. Click Finish.
20. Windows 2000 connects you to the Dfs root, and displays the Data
on Server01 dialog box. Notice the three folders in the right pane.
These folders correspond to the three Dfs links you created. If you
open one of these folders, Dfs will automatically open the shared
folder associated with the Dfs link. Close both Windows Explorer
dialog boxes.

Part 3: Configuring Data Compression


In this part, you use Windows Explorer to assign the Compress attribute to a
folder and all of its files. After observing the change in disk space used by the
folder, you remove the Compress attribute from the folder and all of its files.
1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪
Windows Explorer.)
2. In the left pane, click the + next to My Computer. Highlight Local
Disk (C:). In the right pane, highlight the Program Files folder.
Select File ➪ Properties.
3. In the Program Files Properties dialog box, notice the “Size on disk”
information. Click Advanced.
4. In the Advanced Attributes dialog box, select the check box next to
“Compress contents to save disk space.” Click OK.
5. In the Program Files Properties dialog box, click Apply.
6. A Confirm Attribute Changes dialog box appears. Select the “Apply
changes to this folder, subfolder and files” option. Click OK.
7. Windows 2000 applies the Compress attribute and compresses all files
in the folder. This may take several minutes. If an Error Applying
Attributes dialog box appears, click Ignore All.
In the Program Files Properties dialog box, notice the “Size on disk”
entry now. The size should have decreased substantially. Click Advanced.
8. In the Advanced Attributes dialog box, clear the check box next to
“Compress contents to save disk space.” Click OK.
9. In the Program Files Properties dialog box, click OK.
10. In the Confirm Attribute Changes dialog box, select the “Apply
changes to this folder, subfolder and files” option. Click OK.
11. Windows 2000 removes the Compress attribute, and uncompresses all
of the files in the folder. Continue on to Part 4.

Part 4: Configuring Data Encryption


In this part, you use Windows Explorer to first create a folder and a file, and
then to assign the Encrypt attribute to the folder and its contents.
Then you test encryption by trying to access the file while logged on as a
different user.
1. In the left pane of Windows Explorer, highlight the My Documents
folder. Select File ➪ Properties.
2. In the My Documents Properties dialog box, click the General tab.
3. On the General tab, click Advanced.
4. On the Advanced Attributes tab, select the check box next to
“Encrypt contents to secure data.” Click OK.
5. On the General tab, click OK.
6. In the Confirm Attribute Changes dialog box, select the “Apply
changes to this folder, subfolders and files” option. Click OK.
7. Windows 2000 applies the Encrypt attribute and encrypts all of the
files in the folder. Select File ➪ New ➪ Text Document.
8. In the right pane, type in a name for the new text document of
Encrypted.txt and press Enter. Double-click the Encrypted.txt
file.
9. In the Encrypted.txt - Notepad dialog box, type in the following text:
This file is encrypted!
Select File ➪ Save. Select File ➪ Exit.
10. Close Windows Explorer.
11. Select Start ➪ Shut Down.
12. In the Shut Down Windows dialog box, select “Log off administrator”
from the drop-down list box. Click OK.
13. Press Ctrl+Alt+Delete.
14. In the Log On to Windows dialog box, type in a User name of SteveS
and a password of password. (Remember that SteveS, a user you created
in Chapter 9, is a member of the Domain Admins group. He should
have the Full Control NTFS permissions to all files and folders on the
local computer.) Click OK.
15. From the desktop, start Windows Explorer. (Select Start ➪ Programs ➪
Accessories ➪ Windows Explorer.)
16. In the left pane, click the + next to My Computer. Highlight Local
Disk (C:). Click the Search command button in the toolbar. In the
“Search for files or folders named” text box, type Encrypted.txt
and click Search Now.
17. In the right pane, double-click the Encrypted.txt file.
18. A Notepad warning dialog box appears, indicating that access is
denied. Even though SteveS has permissions to all files and folder
on the local computer, he is unable to open this file because it is
encrypted. Click OK.
19. Close the Untitled - Notepad dialog box.
20. Close Windows Explorer.
21. Select Start ➪ Shut Down.
22. In the Shut Down Windows dialog box, select “Log off SteveS”
from the drop-down list box. Click OK.
23. Press Ctrl+Alt+Delete.
24. In the Log On to Windows dialog box, type in a User name of
Administrator and a password of password. Click OK.

Part 5: Configuring and Monitoring Disk Quotas


In this part, you use Windows Explorer to configure and monitor disk quotas.
1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪
Windows Explorer.)
2. In the left pane, click the + next to My Computer. Highlight Local
Disk (C:). Select File ➪ Properties.
3. In the Local Disk (C:) Properties dialog box, click the Quota tab.
4. On the Quota tab, select the check box next to “Enable quota management.”
Accept the default “Limit disk space to” option. Configure
this option to 25MB. Set the warning level to 20MB. Click Apply.
5. In the Disk Quota warning dialog box, click OK to enable the quota
system now.
6. On the Quota tab, click Quota Entries.
7. In the Quota Entries dialog box for Local Disk (C:), notice the users
and groups listed, their respective quota limits, and the percent of
their quotas used. Select Quota ➪ New Quota Entry.
8. In the Select Users dialog box, double-click Colleen Green and
click OK.
9. In the Add New Quota Entry dialog box, accept the default “Limit
disk space to” option and configure a disk space limit of 10MB and a
warning level of 1MB. Click OK.
10. Notice the new entry in the Quota Entries dialog box for Local Disk
(C:). Close the Quota Entries dialog box.
11. In the Local Disk (C:) Properties dialog box, click OK.
12. Close Windows Explorer.

Answers to Chapter Questions


Chapter Pre-Test
1. The seven Windows 2000 file and folder attributes are: Archive,
Compress, Encrypt, Hidden, Index, Read-only, and System.
2. A shared folder appears in Windows Explorer with a hand under it.
3. User and group share permissions are additive, and normally the least
restrictive permission is the user’s effective permission.
4. When NTFS and share permissions differ, the most restrictive
permission becomes the user’s effective permission to the file or
folder in the share.
5. Disk quotas are used to automatically track disk space usage by
users and to prevent individual users from exceeding the disk space
limitations assigned to them by an Administrator.

Assessment Questions
1. D. Assign the Read-only attribute to application files to protect
them from accidental deletion by users.
2. C. Windows Explorer is used to share folders on Windows 2000
computers.
3. B. UNC names are specified in the format:
\\Server_name\Share_name\Subfolder_name\File_name
4. D. Edit the registry to prevent the creation of administrative shares.
5. C. User and group share permissions are additive, and the least restrictive
permission is typically the user’s effective permission.
6. A. Windows Explorer is used to assign NTFS permissions to files
and folders.
7. D. When a file or folder is moved to a new folder on a different
volume, it inherits all of the inheritable NTFS permissions from the
destination folder.
8. A. When share and NTFS permissions combine, the most restrictive
permission is applied.

Scenarios
1. When share and NTFS permissions combine, the most restrictive
permission is applied. In this case, NancyW’s effective permission to
the AccountingData share is Read. To enable NancyW to save files
to the share, you could assign the Allow – Full Control share permission
to the Accounting group for the AccountingData share. This
would give the Accounting group the Full Control share permission
and the Full Control NTFS permission to the AccountingData
share (for an effective permission of Full Control).
2. Compression and encryption are mutually exclusive — you can use
one or the other, but not both. A possible solution for this case, if the
user requires encryption, would be to uncompress the folder that
contains the user’s sensitive data files.
3. JohnS is unable to access the ManagersData share because he is a
member of a group that is specifically denied access to this share. To
solve the problem, you could remove the Sales group from the access
control list to the ManagersData folder. Or, you could remove JohnS
from the Sales group.
4. Determine whether Server03 is accessible on the network. If not, take
the action to bring it back on line. Another possible solution that will
prevent this problem from recurring would be to implement a
domain Dfs root with a replica to provide fault tolerance.
5. The most likely cause of this problem is that the file was saved in one
replica of the domain Dfs root, the file was not automatically copied
to the Dfs root replicas, and today you accessed a different replica of
the Dfs root. To solve the problem, first determine whether automatic
replication is configured between the Dfs root and its replicas. If auto-
matic replication is not configured, either configure automatic repli-
cation, or discontinue your practice of saving files in the Dfs root.
6. One solution to this problem would be to assign more intuitive
names to shared folders so that users can quickly locate the resources
they need. Another possible solution is to make shares from multiple
servers available in a single Dfs root.
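The rules applied in answers 5 and 8 and in scenarios 1 and 3 can be checked mechanically. The following Python model is an added example, not from the book: it treats each permission level as the set of rights it grants, accumulates Allow entries across the user and all of the user’s groups, subtracts any Deny entry, and intersects the share result with the NTFS result for access over the network. The specific ACL entries (a Managers group, NancyW belonging only to Accounting) are constructed to match the scenarios.

```python
"""Model of the Windows 2000 effective-permission rules used in the answers and
scenarios above. Account and group names and ACL entries are constructed."""

# A permission level is modelled as the set of rights it grants.
SHARE = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions", "take_ownership"},
}
NTFS = {
    "Read": {"read"},
    "Write": {"write"},
    "Modify": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions", "take_ownership"},
}


def effective(acl, principals, levels):
    """acl is a list of (principal, "Allow" | "Deny", level).
    Allow entries for the user and all of the user's groups are additive;
    any matching Deny entry removes those rights afterwards, so Deny wins."""
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            (allowed if kind == "Allow" else denied).update(levels[level])
    return allowed - denied


def network_access(user, groups, share_acl, ntfs_acl):
    """Rights available through the share: the share result and the NTFS result
    combine by keeping only what both grant (the most restrictive permission)."""
    principals = {user, *groups}
    return effective(share_acl, principals, SHARE) & effective(ntfs_acl, principals, NTFS)


def can_save(rights):
    """Saving a file needs at least read and write on the destination."""
    return {"read", "write"} <= rights


def scenario_nancy(accounting_share_level="Read"):
    """Scenario 1: Accounting has Read on the share and Full Control on NTFS.
    Pass "Change" or "Full Control" to see the effect of raising the share permission."""
    share_acl = [("Accounting", "Allow", accounting_share_level)]
    ntfs_acl = [("Accounting", "Allow", "Full Control")]
    return network_access("NancyW", {"Accounting"}, share_acl, ntfs_acl)


def scenario_john(remove_sales=False):
    """Scenario 3: JohnS is in Managers (allowed) and Sales (explicitly denied).
    The Managers group and its entries are constructed for the example."""
    share_acl = [("Managers", "Allow", "Full Control"), ("Sales", "Deny", "Full Control")]
    ntfs_acl = [("Managers", "Allow", "Full Control")]
    groups = {"Managers"} if remove_sales else {"Managers", "Sales"}
    return network_access("JohnS", groups, share_acl, ntfs_acl)


if __name__ == "__main__":
    print("NancyW, share Read:", sorted(scenario_nancy()), "can save:", can_save(scenario_nancy()))
    print("NancyW, share Change:", sorted(scenario_nancy("Change")),
          "can save:", can_save(scenario_nancy("Change")))
    print("JohnS:", sorted(scenario_john()), "after leaving Sales:", sorted(scenario_john(remove_sales=True)))
```

Running the model shows why the Change share permission already satisfies scenario 1, and why in scenario 3 no amount of additional Allow entries helps JohnS while the Sales deny remains in place.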
EXAM MATERIAL: Professional, Server, Directory Services

EXAM OBJECTIVES

Professional  Exam 70-210


■ Connect to local and network print devices.
■ Manage printers and print jobs.
■ Control access to printers by using permissions.
■ Connect to an Internet printer.
■ Connect to a local print device.
■ Monitor, configure, and troubleshoot I/O devices, such as printers,
scanners, multimedia devices, mouse, keyboard, and smart card
reader.

Server  Exam 70-215


■ Monitor, configure, troubleshoot, and control access to printers.

Directory Services  Exam 70-217


■ Publish resources in Active Directory.
CHAPTER 12
Managing Printing

This chapter covers printing in a Windows 2000 environment from A to Z.


I’ll begin with a discussion of Windows 2000 printing terminology, and
then explore the print process. Then I’ll explain how to add and connect to
printers, how to share a printer, and how to configure printer and print server
properties. I’ll also cover how to manage print jobs and give you some tips for
troubleshooting common printing problems. If it concerns Windows 2000
printing, you’ll find it in this chapter.


806 Part III ▼ Managing and Securing Resources

Chapter Pre-Test
1. In Windows 2000 printing terminology, what is a printer?
2. Which Windows 2000 printing term is defined as a printer that
has multiple ports (and multiple print devices) assigned to it?
3. What are the three Windows 2000 printer permissions?
4. Which Windows 2000 printer permission, when combined with
other permissions, overrides and takes precedence over all other
printer permissions?
5. If you experience print job failures due to lack of free space on
the volume where your spool folder is located, what can you do
to resolve the problem?

Chapter 12 ▼ Managing Printing 807

Printing Terminology
Before you can fully understand printing with Windows 2000, you need to
understand a couple of basic terms.
In the terminology associated with Windows 2000, the term printer does
not represent a physical device that produces printed output. Rather, a
printer is the software interface between the Windows 2000 operating sys-
tem and the device that produces the printed output.
If you are used to working with a different operating system, such as
NetWare or UNIX, you may be used to thinking of what Windows 2000
calls a printer as a combination of a print queue (or print spooler) plus a
driver for the device that produces printed output.
In Windows 2000, the term print device (or printing device) refers to the
physical device that produces printed output — what is more commonly
referred to as a “printer.”

EXAM TIP
Be sure that you know the Windows 2000 printing terminology cold.
Otherwise, you may become confused when taking the exams.
Remember: a printer is software, and a print device (or printing device) is
hardware. Beat this into your head with a large wooden mallet!

Now that you have a grasp of basic Windows 2000 printing terminol-
ogy, you’re ready to move on to the nuts and bolts of printing in Windows
2000.

Windows 2000 Printing Overview


This section explains how Windows 2000 processes print jobs from the
time the user selects Print in an application until the paper comes out of
the print device. It also explains how enhanced metafiles (EMFs) are used
in the network printing process.

The Print Process


Perhaps the easiest way to understand the Windows 2000 print process is to
follow the steps that occur when a document is printed from an applica-
tion in Windows 2000.

1. A user at a Windows 2000 computer starts the print process from an
application, such as Word, usually by selecting Print from the File
menu. This action creates the print job. (A print job is all of the data
and commands needed to print a document.)
2. The application hands off the print job to the Graphics Device
Interface (GDI).
3. The GDI initiates a request to the driver for the print device.
4. The driver for the print device converts the application’s output (the
print job) into either a Windows 2000 enhanced metafile (EMF) or into
the RAW format. (The RAW format is ready to print, as is, and no fur-
ther processing is required.) The driver then returns the converted print
job to the GDI.
5. The GDI hands off the print job to the Windows 2000 spooler.
6. The Windows 2000 spooler determines whether the print device is
managed by the computer that initiated the print job or by a net-
work-connected computer.
If the print device is managed by the local computer (the computer
that initiated this print job), the spooler copies the print job to a tem-
porary storage area on the local computer’s hard disk.
If the print device is managed by a network-connected computer,
the spooler hands off the print job to the spooler on the network-
connected computer. Then that spooler copies the print job to a
temporary storage area on that computer’s hard disk.
7. Once the spooler has copied the file to temporary storage, the print
job is handed off to the local print provider on the computer that has
the print job spooled to its hard disk.
8. The local print provider initiates a request to the print processor to
perform any additional conversions needed on the file, such as con-
verting from EMF to RAW. (Print jobs are always sent to the print
device in the RAW format.) The print processor then returns the
converted print job to the local print provider.
9. The local print provider adds a separator page to the print job (if it’s
configured to do so) and then hands off the print job to the print
monitor.

10. The print monitor communicates directly with the print device and
sends the ready-to-print print job to the print device.
11. The print device produces the printed document.

Figure 12-1 graphically illustrates the steps in the Windows 2000 print
process. Notice that the spooler routes the print job to the local hard disk
if the print device is managed by the local computer, and routes the print
job to the spooler on the network-connected computer if the print device
is managed by the network-connected computer.

FIGURE 12-1 The Windows 2000 print process (flowchart; the image is not reproduced here). Local computer: the user starts the print process in a Windows application (for example, Word) → GDI → print device driver → spooler, which decides between local and remote printing. If the print device is managed locally, the job goes to the local hard disk, then to the local print provider and print processor (separator page added if needed), then to the print monitor and the print device. If the print device is managed by a network-connected computer functioning as a print server, the local spooler hands the job to that computer’s spooler, which stores it on its own hard disk and runs the same print provider, print processor, print monitor and print device chain. The figure also marks the user mode and kernel mode boundary on each computer.



Using EMFs in Network Printing


A Windows 2000 enhanced metafile (EMF) is an intermediate printing file
format created by a Windows 2000 client computer when it prints to a
shared network printer on a Windows 2000 computer. An EMF requires
less processor time to produce than a RAW file, and is smaller in size than
a RAW file for the same print job. Using Windows 2000 EMFs can signif-
icantly increase the performance of printing across a network because:
■ Windows 2000 creates an EMF faster than it can create a RAW
format file.
■ Windows 2000 splits the overhead of the print process between the
local computer (which creates the EMF) and the network-connected
computer (which converts the EMF to the RAW format).
This means that the user who creates the print job at the local computer
experiences faster printing when EMFs are used than if the user’s com-
puter creates a RAW format file.

TIP
All client computers that use any operating system other than Windows
2000 send print jobs to Windows 2000 printers using the RAW format.

Adding and Connecting to Printers


Before you can print on a Windows 2000 computer, you must first add a
printer.There are two types of printers you can add: local printers and net-
work printers.
Adding a local printer involves installing and configuring all of the drivers
needed for the Windows 2000 computer to use the print device, and associ-
ating the print device with a local port, such as LPT1:. In most cases you use
the Add Printer Wizard in the Printers folder to add a local printer.
Adding a network printer involves installing and configuring all of the
drivers needed to use a print device managed by another computer on the
network, and associating this print device with a UNC path to the network
printer. To add a network printer, you can either use the Add Printer Wizard
in the Printers folder, or you can use Internet Explorer to connect to a
network printer that supports the Internet Printing Protocol (IPP). Adding
a network printer is often referred to as “connecting to a printer.”
4701-1 ch12.f.qc 4/24/00 09:28 Page 811

Chapter 12 ▼ Managing Printing 811

You must be a member of either the Administrators or Power Users
built-in local group to add a printer on a Windows 2000 computer that is
not a domain controller. You must be a member of either the Administrators
or Print Operators built-in local group on a domain controller to add a
printer on a domain controller.
In the next sections I’ll explain how to add Plug and Play printers, how
to add other local printers, how to add printers on a remote computer, and
how to connect to shared network printers and Internet printers.

Adding Local Plug and Play Printers


Adding a local Plug and Play printer is fairly straightforward. The actual
steps used to add a local Plug and Play printer depend on whether you’re
adding a USB or a non-USB Plug and Play printer.

Adding USB Plug and Play Printers


Adding a local USB (which stands for universal serial bus) Plug and Play
printer is one of the easiest tasks you’ll probably ever perform on a
Windows 2000 computer. USB print devices are connected to a Windows
2000 computer by using a USB cable that is plugged into a USB port on
the computer. Almost all computers that have a Pentium II or later proces-
sor have a USB port.
USB print devices are easy to add because when you connect and
power on the device, Windows 2000 automatically detects it, and automat-
ically starts the Found New Hardware Wizard.

STEP BY STEP

ADDING A LOCAL USB PLUG AND PLAY PRINTER

1. Power on the print device and connect it to the Windows 2000 computer’s USB
port.
2. Windows 2000 detects the new device and displays a Found New Hardware dia-
log box. Eventually, Windows 2000 starts the Found New Hardware Wizard. Click
Next.
3. The Install Hardware Device Drivers screen is displayed, as shown in Figure 12-2.
Notice that the specific print device being added is displayed.

FIGURE 12-2 Installing device drivers for a USB print device

Select one of the two options on this screen:
 Search for a suitable driver for my device (recommended): This is the
default option, and should be selected when you want Windows 2000 to
automatically search for and install the appropriate drivers for the device
you’re adding. This option is the best choice for 99 percent of all situations.
 Display a list of the known drivers for this device so that I can
choose a specific driver: This option should only be selected when you
want to manually select the driver Windows 2000 will use for this device.
Click Next.
4. On the Local Driver Files screen, specify where you want Windows 2000 to
search for appropriate drivers for the new print device. The wizard will search
the Windows 2000 driver database on your computer’s hard drive and any other
additional locations you select, including: floppy disk drives, CD-ROM drives,
a location you specify, and Microsoft Windows Update. The default additional
search locations are floppy disk drives and CD-ROM drives. Select the appropri-
ate check boxes and click Next.
5. The Driver Files Search Results screen appears. If the wizard located a suitable
driver for the device, the screen indicates that “Windows found a driver for this
device.” Click Next.
6. On the Completing the Found New Hardware Wizard screen, click Finish.
7. Windows 2000 adds the printer and returns you to the desktop.

Adding Non-USB Plug and Play Printers


Because Windows 2000 supports Plug and Play, you would think that
adding any Plug and Play printer would cause Windows 2000 to automat-
ically detect the device and automatically start the Found New Hardware
Wizard. After all, it works like that in Windows 95 and Windows 98. But
no, you must manually start the Add Printer Wizard to add a local Plug and
Play printer that uses a parallel port on a Windows 2000 computer (this
includes most non-USB Plug and Play printers).

STEP BY STEP

ADDING A LOCAL NON-USB PLUG AND PLAY PRINTER

1. Open the Printers folder. (Select Start ➪ Settings ➪ Printers.)

TIP
You can also access the Printers folder in Windows Explorer or
Control Panel.

2. In the Printers folder, double-click Add Printer.


3. The Add Printer Wizard begins. Click Next.
4. The Local or Network Printer screen appears, as shown in Figure 12-3. Notice
the check box next to “Automatically detect and install my Plug and Play printer,”
and that this check box is selected by default. Click Next.

FIGURE 12-3 Installing a non-USB Plug and Play printer



5. A Found New Hardware dialog box is displayed. Then, the New Printer Detection
screen appears, indicating that a Plug and Play printer was detected and
installed, and asking you if you want to print a test page. Choose Yes or No, and
click Next.
6. On the Completing the Add Printer Wizard screen, click Finish.
7. If you chose to print a test page in Step 5, a dialog box is displayed asking if the
test page printed. Click OK.
8. The new printer you just added is displayed in the Printers folder. Close the
Printers folder.

Adding Other Local Printers


Occasionally you may need to add a local printer that isn’t Plug and Play.
Or, you may need to add a printer for a print device that is connected
directly to the network (or that uses an HP JetDirect adapter or similar
device to connect to the network). When a print device is connected
directly to the network, Windows 2000 treats the device as a local, rather
than a network, device.

EXAM TIP
Make sure you know when to add a local printer and when to add a net-
work printer. For the purposes of adding a printer, only shared printers
on other Windows-based computers and NetWare servers are consid-
ered network printers. All other printers and print devices, even those
connected directly to the network, are considered local printers.

To add these kinds of printers, you also use the Add Printer Wizard in
the Printers folder. The process is similar to adding a local non-USB
Plug and Play printer, only more manual configuration is required to
accomplish the task.
Use the following general steps to add a non-Plug and Play local (or a
directly connected network) printer. If you want to add an HP (DLC)
printer, a standard TCP/IP printer, a UNIX printer, or an AppleTalk
printer, see the sections that follow for additional information and tips.

STEP BY STEP

ADDING A LOCAL PRINTER

1. Open the Printers folder. (Select Start ➪ Settings ➪ Printers.)


2. In the Printers folder, double-click Add Printer.
3. The Add Printer Wizard begins. Click Next.
4. The Local or Network Printer screen appears. Ensure that the check box next to
“Automatically detect and install my Plug and Play printer” is cleared. Click Next.
5. The Select the Printer Port screen appears, as shown in Figure 12-4. Notice that
LPT1: is the default selection.

FIGURE 12-4 Selecting a port for a print device

Select the port that the print device is connected to from the list.
If the port you want to use is not displayed, select the “Create a new port” option,
and select the type of port you want to create from the Type drop-down list box.
Then follow the instructions presented on-screen to create the new port.
Click Next.
6. The Add Printer Wizard screen is displayed, as shown in Figure 12-5.
Select your print device’s manufacturer from the list on the left. Then select the
print device’s model from the list on the right.
If your print device does not appear in the list, and you have drivers for the device
(either on a floppy disk, CD-ROM, or downloaded from the Internet), click Have
Disk and follow the instructions on-screen.

FIGURE 12-5 Selecting a print device’s manufacturer and model

Click Next.
7. On the Name Your Printer screen, either accept the default name displayed for
this printer, or type in a different name in the “Printer name” text box. Also choose
whether you want this printer to be the default printer for all Windows-based pro-
grams on this Windows 2000 computer. Click Next.
8. On the Printer Sharing screen, choose whether or not to share this printer.
If you’re adding a printer on a Windows 2000 Professional computer, the default
selection is “Do not share this printer.” If you’re adding a printer on a Windows
2000 Server computer, the default selection is “Share as.”
If you choose to share the printer, either accept the default name displayed for the
shared printer, or type in a different name in the “Share as” text box. Click Next.
9. If you chose to share the printer in Step 8, a Location and Comment screen appears
on which you can describe the location and features of the printer you’re adding. All
entries on this screen are optional. Enter information as appropriate and click Next.
10. The Print Test Page screen is displayed. Select Yes to print a test page, or select
No to skip printing a test page. Click Next.
11. On the Completing the Add Printer Wizard screen, click Finish.
12. If you chose to print a test page in Step 10, a dialog box is displayed asking if the
test page printed. Click OK.
13. The new printer you added is displayed in the Printers folder. Close the
Printers folder.

Adding an HP (DLC) Printer


Occasionally you may need to add a printer for an older Hewlett-Packard
print device that is directly connected to the network (or that uses an HP
JetDirect adapter to connect to the network) and that does not support
TCP/IP printing. Windows 2000 considers this type of printer to be a
local printer.
Before you can add this kind of printer on a Windows 2000 computer,
the DLC protocol must be installed. If you didn’t choose to install the
DLC protocol when you installed Windows 2000, you can use the
Network and Dial-up Connections folder (in Control Panel) to
install the DLC protocol.

CROSS REFERENCE
I’ll cover how to use the Network and Dial-Up Connections
folder in detail in Chapter 15.

When you use the Add Printer Wizard to add an HP (DLC) printer, you
must assign the printer to a Hewlett-Packard Network Port. To do this,
select the “Create a new port” option on the Select the Printer Port screen,
and select “Hewlett-Packard Network Port” from the Type drop-down list
box.
When you create the new Hewlett-Packard Network Port, you’ll be
asked to select a card address (MAC address) for the HP JetDirect adapter
used by the print device you’re adding. If you have more than one HP
JetDirect adapter on your network, you’ll need to know which one is con-
nected to the print device you’re adding.
One last item you might want to consider when adding this kind of a
printer is whether the printer will use a Job Based or Continuous connec-
tion. This option is configured by clicking Timers in the Add Hewlett-
Packard Network Peripheral Port dialog box, and then selecting the
appropriate option button.
The default setting is Continuous, which, if accepted, causes this
Windows 2000 computer to monopolize all DLC connections to the HP
JetDirect adapter, and permits only this computer to connect to the HP
print device using the DLC protocol. If more than one computer must
connect to the HP JetDirect adapter using DLC, select a Job Based con-
nection. A Job Based connection permits all Windows 2000 (and Windows
NT 4.0) computers on the network that have the DLC protocol installed
to access the HP JetDirect adapter for printing.

Adding a Standard TCP/IP Printer


On most of today’s corporate networks, the majority of print devices used
are directly connected to the network. In addition, nearly all of these print
devices support TCP/IP printing. When you add a printer for this type of
print device, you add a local printer, even though the print device is
directly connected to the network.
When you need to add a new printer of this type, you don’t need to
install any additional protocols because the TCP/IP protocol is installed by
default during the installation of Windows 2000.
When you use the Add Printer Wizard to add a standard TCP/IP
printer, you must assign the printer to a standard TCP/IP port. To do this,
select the “Create a new port” option on the Select the Printer Port screen,
and select “Standard TCP/IP Port” from the Type drop-down list box.
After you do this, the Add Standard TCP/IP Printer Port Wizard starts.
This wizard prompts you to enter several informational items, including:
■ A printer name (or IP address) of the internal or external network
adapter that the print device is connected to
■ A name that Windows 2000 will use for the standard TCP/IP port
you’re creating
■ The parallel port that this print device is connected to (if the net-
work adapter you specify is external to the print device and has
more than one parallel port)

Adding a UNIX Printer


You may need to add a printer for a UNIX print device that is physically
connected to a UNIX computer on your network. When you add a printer
for this type of print device, you add a local printer, even though the print
device is directly connected to a UNIX computer on your network.
There are a couple of UNIX terms you should probably know: LPD
and LPR. LPD stands for line printer daemon, and is the print server soft-
ware used by UNIX computers. LPR stands for line printer remote, and is
the client software used to access LPD printers.
Before you can add a UNIX printer on a Windows 2000 computer,
Print Services for Unix must be installed. (Adding a UNIX printer also
requires that TCP/IP be installed, but it’s installed by default, so you
shouldn’t have to add it.) If you didn’t choose to install Print Services for
Unix when you installed Windows 2000, you can use the Add/Remove
Programs application (in Control Panel) to install Print Services for Unix.

When you use the Add Printer Wizard to add a UNIX printer, you must
assign the printer to an LPR port. To do this, select the “Create a new
port” option on the Select the Printer Port screen, and select “LPR Port”
from the Type drop-down list box. After you do this, Windows 2000
prompts you to provide the name (or IP address) of the UNIX server that
the print device is connected to and the name of the print queue on that
UNIX computer that is associated with the print device you’re adding.
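The LPR port described above hands a spooled job to the UNIX computer’s LPD over TCP port 515 using the protocol in RFC 1179. The following added example (not from the book) shows that exchange with both sides in-process on the loopback interface: a client that submits a job the way an LPR port does, and a stub LPD that accepts only its configured queue and records what it spooled. The queue name hplj, the host name ws01, the user name and the job data are constructed. Note the security property visible on the wire: LPD performs no authentication, and the H (host) and P (user) lines of the control file are asserted by the client, so anyone who can reach port 515 can submit jobs under any name. Restrict access to LPD hosts at the network level.

```python
"""RFC 1179 (LPR/LPD) job submission, both sides in-process on the loopback
interface. Queue name, host name, user name and job data are constructed."""
import socket
import threading

QUEUE = "hplj"        # constructed: name of the UNIX print queue
CLIENT_HOST = "ws01"  # constructed: the LPR client's own host name (self-asserted)
ACK_OK = b"\x00"      # LPD acknowledges each command and each file with one zero byte


def _recv_line(sock):
    """Read one LF-terminated command a byte at a time so nothing past it is consumed."""
    buf = b""
    while not buf.endswith(b"\n"):
        c = sock.recv(1)
        if not c:
            raise ConnectionError("peer closed the connection")
        buf += c
    return buf[:-1]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def lpr_send_job(host, port, queue, data, job_num="001", client_host=CLIENT_HOST, user="nancyw"):
    """Submit one job: command 02 'receive a printer job', then the control file
    and the data file. Returns the control and data file names that were used."""
    cfname = f"cfA{job_num}{client_host}"
    dfname = f"dfA{job_num}{client_host}"
    # Control file lines: H originating host, P user, J job name, l print <file> as raw
    # bytes, U unlink <file> afterwards, N source file name. H and P are client-asserted.
    control = f"H{client_host}\nP{user}\nJdoc.txt\nl{dfname}\nU{dfname}\nNdoc.txt\n".encode()
    with socket.create_connection((host, port)) as s:
        def send_and_check(payload):
            s.sendall(payload)
            ack = _recv_exact(s, 1)
            if ack != ACK_OK:
                raise RuntimeError(f"LPD refused {payload[:20]!r} with ack {ack!r}")
        send_and_check(b"\x02" + queue.encode() + b"\n")
        send_and_check(b"\x02" + str(len(control)).encode() + b" " + cfname.encode() + b"\n")
        send_and_check(control + b"\x00")        # file contents end with a zero byte
        send_and_check(b"\x03" + str(len(data)).encode() + b" " + dfname.encode() + b"\n")
        send_and_check(data + b"\x00")
    return cfname, dfname


class StubLpd(threading.Thread):
    """Accepts one connection and one job for the configured queue; anything else is refused."""

    def __init__(self, queue):
        super().__init__(daemon=True)
        self.queue = queue
        self.received = {}       # file name -> bytes, i.e. what landed in the spool
        self.refused = None
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]

    def run(self):
        conn, _ = self._srv.accept()
        with conn, self._srv:
            cmd = _recv_line(conn)
            if cmd[:1] != b"\x02" or cmd[1:].decode(errors="replace") != self.queue:
                self.refused = cmd
                conn.sendall(b"\x01")            # any non-zero byte means "refused"
                return
            conn.sendall(ACK_OK)
            for _ in range(2):                   # control file, then data file
                sub = _recv_line(conn)           # b"\x02<len> <name>" or b"\x03<len> <name>"
                size, name = sub[1:].split(b" ", 1)
                conn.sendall(ACK_OK)
                body = _recv_exact(conn, int(size) + 1)   # +1 for the terminating zero byte
                self.received[name.decode()] = body[:-1]
                conn.sendall(ACK_OK)


def submit(queue, data=b"Hello from the AccountingData share\f", server_queue=QUEUE):
    """Run a stub LPD, submit one job to it, and return what it spooled."""
    lpd = StubLpd(server_queue)
    lpd.start()
    cfname, dfname = lpr_send_job("127.0.0.1", lpd.port, queue, data)
    lpd.join(timeout=5)
    return lpd.received, cfname, dfname


if __name__ == "__main__":
    spool, cf, df = submit(QUEUE)
    print(cf, spool[cf].decode())
    print(df, spool[df])
```

Submitting to a queue name the server does not know produces a non-zero acknowledgement and the client aborts, which is exactly the symptom you see when the queue name typed into the LPR port dialog does not match the UNIX computer’s printcap entry.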

Adding an AppleTalk Printer


Occasionally, you may need to add a printer for an Apple print device that
is either connected directly to the network or shared by a computer on the
network that supports AppleTalk printing. The terms Apple and AppleTalk
are normally associated with Apple or Apple Macintosh computers. When
you add an AppleTalk printer, you add a local printer.
Before you can add an AppleTalk printer on a Windows 2000 computer,
the AppleTalk protocol must be installed. If you didn’t choose to install the
AppleTalk protocol when you installed Windows 2000, you can use the
Network and Dial-up Connections folder (in Control Panel) to
install the AppleTalk protocol.
When you use the Add Printer Wizard to add an AppleTalk printer, you
must assign the printer to an AppleTalk Printing Devices port. To do this,
select the “Create a new port” option on the Select the Printer Port screen,
and select “AppleTalk Printing Devices” from the Type drop-down list
box. After you do this, Windows 2000 prompts you to select a specific
AppleTalk print device from a list it displays.
Before you can finish adding an AppleTalk printer, you must choose
whether or not to capture the AppleTalk print device. If you choose to
capture the print device, it’s the same as choosing a Continuous connec-
tion when adding an HP (DLC) printer. The Windows 2000 computer
will monopolize the connection to the AppleTalk print device, and no
other computer on the network will be able to access the AppleTalk print
device. If you choose not to capture an AppleTalk print device, it’s the
same as choosing a Job Based connection when adding an HP (DLC)
printer. All Windows 2000 (and Windows NT 4.0) computers on the net-
work that have the AppleTalk protocol installed will be able to access the
AppleTalk print device for printing.

Adding a Printer on a Remote Computer


You don’t have to be logged on interactively at a Windows 2000 computer
to add or manage a printer on that computer. You can use Windows
Explorer to access the Printers folder on a remote computer, and then
use the Add Printer Wizard in the remote computer’s Printers folder to
add a printer on the remote computer.

STEP BY STEP

CONNECTING TO THE PRINTERS FOLDER ON A REMOTE COMPUTER

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows
Explorer.)
2. In the left pane, click the + next to My Network Places. Click the + next to Entire
Network. Click the + next to Microsoft Windows Network. Click the + next to the
domain or workgroup that contains the computer on which you want to add a
printer. Click the + next to the computer on which you want to add a printer.
Highlight the Printers folder.
3. The contents of the Printers folder on the remote computer appear in the
right pane. To start the Add Printer Wizard on the remote computer, double-click
Add Printer. Follow the instructions presented earlier in this chapter to add a
printer.

Once you connect to the Printers folder on a remote computer, you
can use it to manage printers on the remote computer in the same way you
use the Printers folder on your local computer to manage printers. The
group-membership requirement described earlier still applies: the account
you use must belong to the appropriate group on the remote computer,
not just on your own.

Connecting to Shared Network Printers


When you want to configure a Windows 2000 computer to use a print
device that is connected to and shared by a Windows-based computer or
NetWare server on your network, you’ll need to connect to a shared net-
work printer. This process is also called adding a network printer.
Before you add a network printer, you need to configure the Windows
2000 computer on which you’re adding a network printer so that it can

communicate with the other computer on the network that hosts the
shared printer:
■ If the computer that hosts the shared printer is a Windows-based
computer (Windows 2000, Windows NT, Windows 95, or
Windows 98), you must ensure that the Windows 2000 computer
you’re configuring and the computer that hosts the shared printer
have at least one network protocol in common. Network protocols
include the Internet Protocol (TCP/IP), the NetBEUI protocol,
and the NWLink IPX/SPX/NetBIOS Compatible Transport pro-
tocol. To add a protocol on a Windows 2000 computer, use the
Network and Dial-up Connections folder (in Control Panel).
■ If the computer that hosts the shared printer is a Novell NetWare
server that uses the IPX protocol, you must ensure that the Windows
2000 computer you’re configuring has the NWLink IPX/SPX/
NetBIOS Compatible Transport protocol and Gateway (or Client)
Service(s) for NetWare installed. If you need to install this protocol
or service, use the Network and Dial-up Connections folder
(in Control Panel).
■ If the computer that hosts the shared printer is a Novell NetWare
server that uses only the TCP/IP protocol, you must ensure that
the Windows 2000 computer you’re configuring has the TCP/IP
protocol and Novell’s Windows 2000 client software installed.
(Because TCP/IP is installed by default on Windows 2000 com-
puters, you shouldn’t have to add it.) To install the Novell client
software on a Windows 2000 computer, follow the product
instructions.
Once your Windows 2000 computer is configured to communicate
with the computer that is hosting the shared network printer, you’re ready
to connect your Windows 2000 computer to the shared network printer.
In other words, you’re ready to add a network printer.

STEP BY STEP

ADDING A NETWORK PRINTER

1. On the Windows 2000 computer, open the Printers folder. (Select Start ➪
Settings ➪ Printers.)
2. In the Printers folder, double-click Add Printer.

3. The Add Printer Wizard begins. Click Next.
4. The Local or Network Printer screen appears. Select the option next to “Network
printer.” Click Next.
5. The Locate Your Printer screen appears, as shown in Figure 12-6.

FIGURE 12-6 Locating a shared network printer

On this screen, you specify how you want Windows 2000 to locate the shared
network printer you’re adding. The options you can select from are:
 Find a printer in the Directory: Select this option if you want to have
Windows 2000 search Active Directory for the shared network printer. If you
select this option (which is the default setting), you can use the Find Printers
dialog box to search Active Directory for the printer.
 Type the printer name, or click Next to browse for a printer: Select
this option if you want to specify a UNC path to the shared network printer,
or if you want to browse the network for this printer. If you select this option,
you can select the shared network printer from a browse list.
 Connect to a printer on the Internet or on your intranet: Select this
option if you want to specify a URL for an Internet printer. (I’ll cover connect-
ing to Internet printers more in the next section.) Browsing is not supported
for this option.
Select the appropriate option, and click Next.

6. If the computer that hosts the shared network printer you’re adding does not have
drivers for the print device that are supported by Windows 2000, Windows 2000
prompts you to install drivers on the local Windows 2000 computer to enable it
to print to the shared network printer.
If this Connect to Printer warning dialog box does not appear, skip to Step 8.
If this Connect to Printer warning dialog box appears, click OK and continue.
7. In the Add Printer Wizard dialog box, select the shared network print device’s
manufacturer from the list on the left. Then select the print device’s model from
the list on the right.
If the shared network print device does not appear in the list, and you have drivers
for the device (either on a floppy disk, CD-ROM, or downloaded from the Internet),
click Have Disk and follow the instructions on-screen.
Click Next.
8. On the Default Printer screen, choose whether the network printer you’re adding
will be the default printer for all Windows-based programs on this Windows 2000
computer. Click Next.
9. On the Completing the Add Printer Wizard screen, click Finish.
10. The network printer you just added is displayed in the Printers folder. Close
the Printers folder.

Connecting to Internet Printers


An Internet printer is a printer that is published (made available) on a Web
server for the purpose of making the printer available to client computers
on the Internet, client computers on your company’s intranet, or both.
Publishing a printer on a Web server is just another method of making a
printer available to end users. Think of an Internet printer as a printer that
is shared by a Web server.
When you share a printer on a Windows 2000 computer that has Internet
Information Services installed, Windows 2000 automatically shares the printer
as an Internet printer at the same time. You can access Internet printers on a
Windows 2000 computer at http://Server_name/Printers. In this URL,
Server_name can be either the Windows 2000 computer’s name or FQDN.
Client computers communicate with Internet printers by using the
Internet Printing Protocol (IPP). Because this protocol is a component of
both Internet Information Services and Internet Explorer, you don’t need
to install this protocol on either your client computers or on the Web
server that hosts the Internet printer.
Assuming that the Web server that hosts the Internet printer has the
appropriate printer drivers installed for your client operating system, there
are no prerequisites (other than the TCP/IP protocol and Internet
Explorer, both of which are installed by default during the installation of
Windows 2000) that must be met before you can connect your Windows
2000 client computer to an Internet printer.
There are basically two ways to connect to an Internet printer:
■ You can use the Add Printer Wizard to add a network printer,
select the “Connect to a printer on the Internet or on your
intranet” option, and specify a URL for an Internet printer. You
must know the exact URL to use this method. (Browsing is not
supported.) URLs for Internet printers are often long and cryptic.
■ You can use Internet Explorer to connect to an Internet printer.
This is the simplest method to connect to an Internet printer.
Because I covered how to use the Add Printer Wizard to add a network
printer in the previous section, I’ll show you how to connect to an
Internet printer by using Internet Explorer now.

STEP BY STEP

USING INTERNET EXPLORER TO CONNECT TO AN INTERNET PRINTER

1. On your Windows 2000 desktop, double-click Internet Explorer.


2. In the Address text box, type the URL of the Printers folder on the Web
server that hosts the Internet printer you want to connect to (such as
http://Server01/Printers) and press Enter.
3. Internet Explorer connects you to the Printers folder on that computer and
displays a list of available Internet printers, as shown in Figure 12-7. Notice that
each Internet printer’s status and number of print jobs waiting is displayed.
Click the name of the Internet printer to which you want to connect.
4. Internet Explorer displays the management Web page for the printer you selected
in Step 3, as shown in Figure 12-8. Notice the View, Printer Actions, and
Document Actions menus in the left pane.
To connect to this printer, click Connect in the Printer Actions menu in the left pane.
5. Windows 2000 installs any necessary drivers for the associated print device and
connects your computer to the shared Internet printer. This printer is added to the
Printers folder on your Windows 2000 computer.
FIGURE 12-7 Viewing shared Internet printers

FIGURE 12-8 Viewing the management console of an Internet printer

6. To print to this printer, select this printer (in any Windows-based application) in
the same manner you would select any other printer. Close Internet Explorer.
Windows 2000 computers aren’t the only computers that can connect
to and use Internet printers. You can also use Internet Explorer on
Windows NT, Windows 95, and Windows 98 computers to connect to
Internet printers.

EXAM TIP
Spend all the time you need to become thoroughly familiar with
connecting to Internet printers. Because this task is a stated objective (on the
Professional exam) and because it’s a new feature for Windows 2000,
this topic is sure to be tested.

Sharing a Printer
The purpose of sharing a printer on a Windows 2000 computer is to
enable users of other computers on the network to connect to and to send
print jobs to the shared printer. The computer that hosts the shared printer
is called a print server. The print server performs all of the spooling, print
job management, scheduling, and sending of the final print jobs to the
print device.
When you share a printer on a Windows 2000 computer that is a
member of a Windows 2000 domain, by default, the printer is automatically
published in Active Directory at the same time. Of course, you can choose
not to publish a printer in Active Directory when you share it by clearing
the appropriate check box on the Sharing tab.
When you share a printer on your Windows 2000 computer, the types
of computers on the network that can access the shared printer are
somewhat dependent upon the protocols and services installed in the
Windows 2000 computer.
When you install Windows 2000, the File and Printer Sharing for
Microsoft Networks service is installed by default. If you have not installed
any other services and you share a printer on your Windows 2000
computer, only computers that have client software for Microsoft networks can
access the shared printer.
If Internet Information Services (IIS) is installed on your Windows 2000
computer, when you share a printer on that computer, Windows 2000
automatically shares the printer as an Internet printer at the same time.
Windows-based computers that have Internet Explorer installed can access
shared Internet printers.
If Print Services for Unix is installed on your Windows 2000 computer
and you have started the TCP/IP Print Server service (which is
automatically installed with Print Services for Unix), when you share a
printer on your Windows 2000 computer, two kinds of computers can access
this shared printer: computers that have client software for Microsoft
networks, and computers that support TCP/IP printing (such as UNIX
computers).
If Print Services for Macintosh is installed on your Windows 2000
Server computer, when you share a printer on that computer, two kinds of
computers can access this shared printer: computers that have client
software for Microsoft networks, and Apple Macintosh computers. Print
Services for Macintosh can only be installed on Windows 2000 Server and
Advanced Server computers.
If more than one print server service (such as File and Printer Sharing
for Microsoft Networks, Print Services for Unix, and so on) is installed and
started on your Windows 2000 computer, when you share a printer on that
computer, the printer is shared on all running print server services installed
on the computer.
Now that you’re up to your eyeballs in lots of printer sharing rules,
allow me to show you how to share a printer on a Windows 2000
computer. Printers are shared on a Windows 2000 computer in that
computer’s Printers folder.

STEP BY STEP

SHARING A PRINTER, PUBLISHING IT IN ACTIVE DIRECTORY, AND
INSTALLING ADDITIONAL PRINTER DRIVERS

1. Open the Printers folder. (Select Start ➪ Settings ➪ Printers.)


2. In the Printers folder, right-click the printer you want to share, and select
Sharing from the menu that appears.
3. The printer’s Properties dialog box appears with the Sharing tab on top, as shown
in Figure 12-9.
To share the printer, select the “Shared as” option. Then, either accept the default
name for the shared printer or type in the name you want to use for this shared
printer.

TIP
I recommend you use intuitive names for shared printers so that end
users can easily identify each shared printer’s type, capabilities, and,
when appropriate, location.
FIGURE 12-9 Sharing a printer

If your Windows 2000 computer is a member of a Windows 2000 domain, the “List
in the Directory” check box is automatically selected when you share a printer. If you
don’t want to publish this shared printer in Active Directory, clear this check box.
If you have client computers on your network that don’t run Windows 2000, and if
these client computers will print to this shared printer, you may want to install
additional drivers to support these clients’ operating systems.
If you don’t want to install additional drivers, click OK. Windows 2000 shares the
printer. Close the Printers folder, and stop here.
If you want to install additional drivers, click Additional Drivers.
4. The Additional Drivers dialog box appears, as shown in Figure 12-10. Notice that
the only check box selected is the box next to Intel Windows 2000.
Select the check box next to each processor and operating system combination
that is used by client computers on your network that will print to this shared
printer. Click OK.
5. If prompted, insert the appropriate operating system compact disc(s) that contain
the additional printer drivers and click OK.
TIP
The Intel drivers for Windows NT 4.0, Windows 95, and Windows 98 are
contained on the Windows 2000 product compact disc.

FIGURE 12-10 Installing additional drivers

6. In the printer’s Properties dialog box, click Close.


7. Close the Printers folder.

Configuring Printer Properties


In Windows 2000 you can configure options for a printer in the printer’s
Properties dialog box. This dialog box is printer specific, and is titled
Printer_name Properties, where Printer_name stands for the name of the
selected printer.
A printer’s Properties dialog box is accessed through the Printers
folder on a Windows 2000 computer, as the following steps explain.
STEP BY STEP

ACCESSING A PRINTER’S PROPERTIES DIALOG BOX

1. Open the Printers folder. (Select Start ➪ Settings ➪ Printers.)


2. In the Printers folder, right-click the printer you want to configure, and select
Properties from the menu that appears.
3. The printer’s Properties dialog box appears.

In the following sections I’ll explain how to perform many printer
configuration tasks, including: configuring printer pools, scheduling printers,
setting printer priorities, assigning a separator page, configuring printer
permissions, and assigning forms to paper trays.

Configuring Printer Pools


When a printer has multiple ports (and multiple print devices) assigned to
it, this is called a printer pool. Users print to a single printer, and the printer
load balances its print jobs between the print devices assigned to it.
A printer pool is a useful tool when both of the following criteria are met:
■ All print devices assigned to the printer use the same print device
driver. (Usually, this means that identical print devices are used.)
■ All print devices assigned to the printer pool are located physically
close to each other.

IN THE REAL WORLD


A printer pool is a good solution when the desired number of printed
pages is more output than one print device can handle. A printer pool is
a bad idea if the print devices are located at opposite ends of a building,
because users would have to check both locations to find their print jobs.

STEP BY STEP

CONFIGURING PRINTER POOLING

1. Access the Properties dialog box of the printer you want to configure as a printer
pool. (See the steps to do this in the previous section.)
2. In the Properties dialog box, click the Ports tab.


3. On the Ports tab, select the check box next to “Enable printer pooling,” and then
select each of the ports that will be used in the printer pool. (For printer pooling to
occur, a minimum of two ports must be selected.) Click OK.
Figure 12-11 shows a Ports tab of a printer that has been configured for printer
pooling.
4. Close the Printers folder.

FIGURE 12-11 Printer pooling configured

When a user prints to a printer pool, the print job is sent to the first
listed print device in the port list that is not busy printing another print
job. The entire print job is sent to the same port (and therefore to the same
print device). In a printer pool the print spooler — not the user —
determines the print device to which the print job is sent.
Scheduling Printers
Scheduling printers is a technique you can use to help manage the flow of
print jobs on your Windows 2000 network. Scheduling a printer means
assigning the hours a specific print device is available for use by a specific
printer.
When scheduling a printer, the hours of availability apply only to the
print device, not to the printer. This means that users can print to the
printer at any time during the day (or night), and the printer then spools
the jobs to the hard disk. However, the print jobs are sent to the print
device only during the print device’s hours of availability.

CAUTION
If you decide to schedule a printer, be sure to reserve plenty of hard disk
space to spool print jobs while they wait for the print device to become
available.

So why would you want to schedule a printer? Well, suppose that you’re
the administrator for a small network that has 20 Windows 2000
computers. The owner of the company recently bought a laser print device for
network printing, and doesn’t want to spend any more money on print
devices. One of the employees occasionally generates a print job that is 500
to 600 pages long. This report ties up the one available print device for a
long time, frustrating other employees. The large reports are for archival
and reference purposes, and are not needed immediately.
You solve the problem by scheduling printers. First, you create a second
printer that prints to the laser print device. Then you schedule the new
printer so that it only sends print jobs to the print device during
nonbusiness hours. You instruct the employee who creates the large print jobs to
use the new printer for the large print jobs. The result is that the employee
can generate large print jobs at any time without inconveniencing other
employees. The large print jobs are spooled to the hard disk, and then sent
to the print device during nonbusiness hours.

TIP
If you schedule printers to be available during nonbusiness hours, be
sure the print device is stocked with plenty of paper at the close of
business each day.
STEP BY STEP

SCHEDULING PRINTERS

1. Access the Properties dialog box of the printer you want to schedule. (See the
steps in the “Configuring Printer Properties” section earlier in this chapter.)
2. In the Properties dialog box, click the Advanced tab.
3. On the Advanced tab, select the “Available from” option, and then configure the
hours that you want the print device associated with this printer to be available.
Click OK.
Figure 12-12 shows the Advanced tab after a printer has been scheduled. Notice
that the printer is only available from 9:00 P.M. to 5:00 A.M. Print jobs sent to this
printer will only be sent to the print device during these nonbusiness hours.

FIGURE 12-12 Scheduling a printer

4. Close the Printers folder.

Setting Printer Priorities


Another technique you can use to help manage the flow of print jobs on
your Windows 2000 network is setting printer priorities. When more than
one printer sends print jobs to the same print device, setting printer
priorities may be useful.
If two printers are configured to use the same print device, and you
configure one of these printers to have a higher priority than the other
printer, then all print jobs from the higher-priority printer will be sent to
the print device before any print jobs from the lower-priority printer
are sent.
The highest printer priority is 99, and the lowest printer priority is 1.
All printers have a priority of 1 by default.
Here’s an example of a situation in which setting printer priorities could
be beneficial. Suppose you have two printers on a Windows 2000 Server
computer that both send print jobs to the print device (an HP LaserJet)
connected to LPT1:. One printer is named HPSales, and the other printer
is named HPManagers.
The managers at your company, who think their work is more
important than everyone else’s, tell you — the network administrator — that they
want their print jobs printed before anyone else’s.
So what’s a network administrator to do? You decide to configure
printer security so that everyone can use the HPSales printer, but that only
members of the Managers group can use the HPManagers printer. Then
you set the priority on the HPManagers printer to a value higher than 1.
Once this is done, the managers’ print jobs will take priority.
Suppose there are 100 print jobs waiting to print in the HPSales printer,
and a manager sends a print job to the HPManagers printer. The current
print job from the HPSales printer will finish printing, then the manager’s
print job will be printed, even though there are 100 other print jobs in the
HPSales printer that were generated before the manager’s print job.

STEP BY STEP

CONFIGURING PRINTER PRIORITY

1. Access the Properties dialog box of the printer for which you want to set printer
priority. (See the steps in the “Configuring Printer Properties” section earlier in
this chapter.)
2. In the Properties dialog box, click the Advanced tab.
3. On the Advanced tab, set the printer’s priority number in the Priority spin box.
Remember, the highest priority is 99, and the lowest is 1. Click OK.
4. Close the Printers folder.
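The pool, scheduling, and priority rules in the last three sections all describe one thing: how the spooler decides which spooled job goes to the print device next. The Python model below is an added example written for this chapter, not Microsoft’s spooler code; the printer names (HPSales, HPManagers, an Archive printer with the 9:00 P.M. to 5:00 A.M. window of Figure 12-12, and a two-port Pool), the jobs, and the priority value 50 are all constructed. It puts the three rules together: highest printer priority first, then submission order, only while the device’s scheduled hours are open, and in a pool to the first listed port that is not busy. The availability check handles a window that crosses midnight, which is exactly the case an after-hours schedule creates.

```python
"""Model of the spooler rules described in this chapter: printer pools,
scheduled availability, and printer priorities. Added example for this
chapter, not Microsoft's spooler code; all printers and jobs are constructed."""
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List, Optional, Set, Tuple


def at(hhmm: str) -> time:
    """'21:00' -> time(21, 0); lets callers avoid importing datetime."""
    hours, minutes = hhmm.split(":")
    return time(int(hours), int(minutes))


@dataclass
class Printer:
    name: str
    ports: List[str] = field(default_factory=lambda: ["LPT1:"])  # >1 port = pool
    priority: int = 1                         # 1 (default, lowest) .. 99 (highest)
    available_from: Optional[time] = None     # None: device available all day
    available_until: Optional[time] = None


@dataclass
class PrintJob:
    job_id: int
    printer: str     # name of the printer the user printed to
    submitted: int   # submission sequence number (constructed)


def is_available(printer: Printer, now: time) -> bool:
    """Scheduled hours apply to the print device. The window may cross
    midnight (9:00 P.M. to 5:00 A.M.), so the wrap-around case is handled."""
    start, end = printer.available_from, printer.available_until
    if start is None or end is None:
        return True
    if start <= end:
        return start <= now < end
    return now >= start or now < end        # window wraps past midnight


def choose_port(printer: Printer, busy_ports: Set[str]) -> Optional[str]:
    """Pool rule: the first listed port not busy with another job, else None."""
    for port in printer.ports:
        if port not in busy_ports:
            return port
    return None


def next_job(printers: Dict[str, Printer], queue: List[PrintJob],
             now: time, busy_ports: Set[str]) -> Optional[Tuple[PrintJob, str]]:
    """Job the spooler sends next: highest printer priority first, then
    submission order, considering only printers whose device is open now."""
    best = None
    for job in queue:
        printer = printers[job.printer]
        if not is_available(printer, now):
            continue                          # stays spooled on disk
        port = choose_port(printer, busy_ports)
        if port is None:
            continue                          # every pooled port is busy
        key = (-printer.priority, job.submitted)
        if best is None or key < best[0]:
            best = (key, job, port)
    return None if best is None else (best[1], best[2])


def dispatch_order(printers: Dict[str, Printer], queue: List[PrintJob], now: time,
                   busy_ports: Optional[Set[str]] = None) -> List[Tuple[int, str]]:
    """Drain the queue as if each job finishes before the next is sent.
    Jobs whose device is closed now remain spooled and are not returned."""
    busy = set(busy_ports or ())
    remaining, order = list(queue), []
    while True:
        pick = next_job(printers, remaining, now, busy)
        if pick is None:
            return order
        job, port = pick
        order.append((job.job_id, port))
        remaining.remove(job)


def example_setup() -> Tuple[Dict[str, Printer], List[PrintJob]]:
    """Constructed scenario from the text: HPSales and HPManagers share the
    device on LPT1:, Archive is the after-hours printer, Pool drives two devices."""
    printers = {
        "HPSales": Printer("HPSales"),
        "HPManagers": Printer("HPManagers", priority=50),
        "Archive": Printer("Archive", available_from=at("21:00"), available_until=at("05:00")),
        "Pool": Printer("Pool", ports=["LPT2:", "LPT3:"]),
    }
    queue = [PrintJob(1, "HPSales", 1), PrintJob(2, "HPSales", 2),
             PrintJob(3, "Archive", 3), PrintJob(4, "HPManagers", 4)]
    return printers, queue


if __name__ == "__main__":
    printers, queue = example_setup()
    print("10:00 ->", dispatch_order(printers, queue, at("10:00")))
    print("23:00 ->", dispatch_order(printers, queue, at("23:00")))
```

Running the module prints the dispatch order at 10:00 A.M. (the Archive job stays spooled because its device is closed) and at 11:00 P.M. (the HPManagers job goes first even though it was submitted last, then the HPSales jobs in submission order, then the Archive job). Passing a busy port set shows the other half of the rule: a job already on the device is never interrupted, and a pooled printer whose ports are all busy simply waits.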
Assigning a Separator Page


You can configure a printer on a Windows 2000 computer so that a
separator page is printed at the beginning of every document. Using separator
pages at the beginning of print jobs enables users to locate their print jobs
at the print device easily. Separator pages are sometimes called banner pages.

IN THE REAL WORLD


Banner pages use a lot of paper, and are often not used for this reason.
Make sure your users need banner pages before you enable them.

STEP BY STEP

CONFIGURING A SEPARATOR PAGE


1. Access the Properties dialog box of the printer you want to generate separator
pages. (See the steps in the “Configuring Printer Properties” section earlier in this
chapter.)
2. In the Properties dialog box, click the Advanced tab.
3. On the Advanced tab, click Separator Page.
4. In the Separator Page dialog box, click Browse.
5. The next Separator Page dialog box appears, as shown in Figure 12-13. Notice
the four files that end with a .sep extension. These are the premade Windows
2000 separator page files.

FIGURE 12-13 Assigning a separator page to a printer


The four separator page files you can select from are:
■ pcl.sep: This separator page file switches a dual language print device to
PCL printing, and causes a separator page to be printed at the beginning of
each print job.
■ pscript.sep: This separator page file switches a dual language print
device to PostScript printing, but does not cause a separator page to be
printed at the beginning of each print job.
■ sysprint.sep: This separator page file switches a dual language print
device to PostScript printing, and causes a separator page to be printed at
the beginning of each print job.
■ sysprtj.sep: This separator page file switches a dual language print
device to PostScript printing and selects the print device’s Japanese fonts (if
any), but does not cause a separator page to be printed at the beginning of
each print job.
Double-click the separator page file you want to assign to the printer.
6. In the Separator Page dialog box, click OK.
7. In the printer’s Properties dialog box, click OK.
8. Close the Printers folder.

Configuring Printer Permissions


You can use Windows 2000 printer security to control access to a printer
by assigning printer permissions to users and groups. Printer security is
configured on the Security tab in a printer’s Properties dialog box.
Printer permissions control which tasks a user can perform on a specific
printer. Table 12-1 lists and describes the Windows 2000 printer
permissions, from most restrictive to least restrictive.

TABLE 12-1 Windows 2000 Printer Permissions

Printer Permission   Description and Functionality

Print                A user with this permission can connect to the printer and
                     send print jobs to the printer. By default, the Print
                     permission is assigned to the Everyone group.

Manage Documents     A user with this permission can pause, resume, restart, and
                     delete print jobs sent to the printer. By default, members of
                     the Creator Owner group are assigned the Manage Documents
                     printer permission. This enables users who create print jobs
                     to manage their own print jobs.

Manage Printers      A user with this permission can perform all tasks included in
                     the Print permission. In addition, the user can pause, restart,
                     and share the printer; can change spooler settings; can
                     assign printer permissions (including the Manage Documents
                     permission); and can change the printer’s properties.

Printer permissions are specifically allowed or denied to individual users
and groups. As Table 12-1 states, by default, the Print permission is allowed
to the Everyone group. User and group printer permissions are additive,
and typically, the least restrictive combination of printer permissions applies.
An exception to this rule occurs when a user or group is specifically
denied a printer permission. If a user is denied a printer permission, or any
group the user is a member of is denied a printer permission, then the user
is denied that printer permission. A denied permission always overrides a
corresponding allowed permission.
Printer permissions are set on a printer-by-printer basis. These
permissions apply both when the printer is accessed over the network and when
the printer is accessed from the local computer.

STEP BY STEP

ASSIGNING PRINTER PERMISSIONS

1. Access the Properties dialog box of the printer for which you want to assign per-
missions. (See the steps in the “Configuring Printer Properties” section earlier in
this chapter.)
2. In the Properties dialog box, click the Security tab.
3. The Security tab appears, as shown in Figure 12-14. Notice the default printer
permissions assigned to the Administrators group.
Also notice the Allow and Deny check boxes.
■ Allow: When the Allow check box next to a specific printer permission is
selected for a user or group, the user or group is granted the selected
permission to the printer.
■ Deny: When the Deny check box next to a specific printer permission is
selected for a user or group, the user or group is specifically denied that
permission to the printer, even if the user or group is allowed that permission
through membership in another group.
■ Neither: When neither the Allow nor the Deny check box next to a specific
printer permission is selected for a user or group, the user or group is not
assigned that permission to the printer.
FIGURE 12-14 Assigning printer permissions

When a user or group is not listed in the Name box, the user or group has no
permissions (and no access) to the printer unless the user or group is a member of a
group that is listed in the Name box.
To change the printer permissions currently assigned to a user or group listed in
the Name box, highlight the user or group, then select or clear the appropriate
check boxes in the Permissions box.
To remove a user or group from the permissions list for the printer, highlight the
user or group in the Name box, and click Remove.
To add a user or group to the Name box, click Add.
4. In the Select Users, Computers, or Groups dialog box, double-click each user
and group you want to add. As you double-click each user or group, the user or
group appears in the bottom portion of the dialog box. Click OK.
5. On the Security tab in the printer’s Properties dialog box, the users and groups
you added appear in the Name box. Each user or group you added is
automatically assigned the Print permission to the printer. To change the printer
permissions of a user or group you added, highlight the user or group in the Name
box, then select or clear the appropriate check boxes in the Permissions box.
Click OK.
6. Close the Printers folder.
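The Allow, Deny, and Neither rules above, together with the “additive, but Deny always wins” rule from the previous section, are easy to get wrong when a user belongs to several groups. The following Python model is an added example written for this chapter; it is not the Windows security API, and the users (alice, carol, and so on), the Contractors, Managers and Ops groups, and every ACL entry are constructed. Everyone holding Print and Creator Owner holding Manage Documents are the defaults Table 12-1 states; Administrators holding all three permissions is an assumption and is marked as one in the code. Manage Printers counting as Print is taken from Table 12-1, and the Creator Owner entry is applied only when the caller owns the job being managed, which is what lets users manage their own jobs and nobody else’s.

```python
"""Model of the printer permission rules in this chapter: a user's own entry
and group entries add up, an explicit Deny overrides any Allow, and a
principal with no entry (directly or through a group) has no access at all.
Added example for this chapter, not the Windows security API; the users,
groups, and ACL entries below are constructed."""
from typing import Dict, Iterable, Set, Tuple

PRINT = "Print"
MANAGE_DOCUMENTS = "Manage Documents"
MANAGE_PRINTERS = "Manage Printers"

# ACL: principal -> (allowed permissions, denied permissions)
Acl = Dict[str, Tuple[Set[str], Set[str]]]


def add_entry(acl: Acl, principal: str, allow: Iterable[str] = (),
              deny: Iterable[str] = ()) -> Acl:
    """Select the Allow or Deny check boxes for a principal on the Security tab."""
    allowed, denied = acl.get(principal, (set(), set()))
    acl[principal] = (allowed | set(allow), denied | set(deny))
    return acl


def default_acl() -> Acl:
    """Defaults from Table 12-1: Everyone may Print, Creator Owner may Manage
    Documents. Administrators holding all three permissions is an assumption."""
    acl: Acl = {}
    add_entry(acl, "Everyone", allow=[PRINT])
    add_entry(acl, "CREATOR OWNER", allow=[MANAGE_DOCUMENTS])
    add_entry(acl, "Administrators", allow=[PRINT, MANAGE_DOCUMENTS, MANAGE_PRINTERS])
    return acl


def effective_permissions(acl: Acl, user: str, groups: Set[str]) -> Set[str]:
    """Additive across the user and every group; a Deny anywhere wins.
    A principal listed nowhere (directly or via a group) ends up with nothing."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal in {user, *groups}:
        if principal in acl:
            entry_allow, entry_deny = acl[principal]
            allowed |= entry_allow
            denied |= entry_deny
    return allowed - denied


def can_print(acl: Acl, user: str, groups: Set[str]) -> bool:
    """Manage Printers includes every task in the Print permission (Table 12-1)."""
    return bool(effective_permissions(acl, user, groups) & {PRINT, MANAGE_PRINTERS})


def can_manage_document(acl: Acl, user: str, groups: Set[str], job_owner: str) -> bool:
    """The job's owner is evaluated with the Creator Owner entry as well, which is
    how users manage their own jobs without being able to touch anyone else's."""
    principals = set(groups)
    if user == job_owner:
        principals.add("CREATOR OWNER")
    return MANAGE_DOCUMENTS in effective_permissions(acl, user, principals)


def can_share_printer(acl: Acl, user: str, groups: Set[str]) -> bool:
    """Sharing the printer and changing its permissions need Manage Printers."""
    return MANAGE_PRINTERS in effective_permissions(acl, user, groups)


def managers_only_acl() -> Acl:
    """The HPManagers printer from the text: remove Everyone, allow Managers."""
    acl = default_acl()
    del acl["Everyone"]
    return add_entry(acl, "Managers", allow=[PRINT])


if __name__ == "__main__":
    acl = add_entry(default_acl(), "Contractors", deny=[PRINT])
    print("alice:", sorted(effective_permissions(acl, "alice", {"Everyone"})))
    print("carol (Contractors):",
          sorted(effective_permissions(acl, "carol", {"Everyone", "Contractors"})))
```

The Contractors case is the one worth remembering: carol is allowed Print through Everyone, but a Deny on any group she belongs to removes it, so she cannot print at all. The managers-only ACL shows the other common mistake in reverse: leaving Everyone in the list would make a Managers Print entry redundant rather than restrictive, so the Everyone entry has to be removed, not merely left unchecked.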

Assigning Forms to Paper Trays


Assigning forms to specific paper trays can be helpful in managing
document printing on a network. Once a form is assigned to a paper tray, print
jobs that specify that form are automatically printed using that paper tray.
This can be useful when users want a print job to be printed on an odd-sized
or different color paper that is always kept in a particular paper tray. A
key benefit of this feature is that users don’t even need to know which tray
contains the letterhead, legal size, or other specific paper they want to
use — once they select a particular form (such as Legal), that print job will
always be printed using paper from the assigned paper tray.
Windows 2000 has several built-in forms you can choose from. In
addition, you can create your own custom forms, as I’ll explain a bit later in this
chapter.

STEP BY STEP

ASSIGNING A FORM TO A PAPER TRAY

1. Access the Properties dialog box of the printer for which you want to assign a
form to a paper tray. (See the steps in the “Configuring Printer Properties”
section earlier in this chapter.)
2. In the Properties dialog box, click the Device Settings tab.
3. The Device Settings tab appears, as shown in Figure 12-15. Notice that by
default the Letter form is assigned to each tray.
Highlight the tray to which you want to assign a particular form. Then, in the drop-
down list box that appears, select the form you want to assign to this tray.
When you’ve finished assigning forms to paper trays, click OK.
4. Close the Printers folder.

FIGURE 12-15 Assigning a form to a paper tray

Configuring Print Server Properties


A print server is a computer that hosts a shared printer. The print server
performs all of the spooling, print job management, scheduling, and sending of
the final print jobs to the print device. The Windows 2000 service that
performs many of the functions of the print server is the Print Spooler service.
You can configure several of a print server’s properties. Print server
properties are configured in the Print Server Properties dialog box, which
is accessed from the Printers folder. In the following sections I’ll explain
how to create forms, manage ports, manage printer drivers, and change the
location of the spool folder.
Creating Forms
Windows 2000 offers several built-in forms. However, occasionally you
may want to create your own custom forms. You can create forms on the
Forms tab in the Print Server Properties dialog box. Options that you can
configure include form name, paper size, and printer area margins.
Once you’ve created a form, you can assign that form to a specific paper
tray on a printer. (See the section earlier in this chapter on “Assigning
Forms to Paper Trays.”) Once a form is assigned to a paper tray, documents
that specify that form are automatically printed using that paper tray.
Some network administrators create a separate printer for each form
and paper tray assignment to ease administration, and to enable users to
select forms in a more intuitive manner.

STEP BY STEP

CREATING A FORM

1. Select Start ➪ Settings ➪ Printers.


2. In the Printers folder, select File ➪ Server Properties.
3. The Print Server Properties dialog box appears, with the Forms tab on top, as
shown in Figure 12-16.

FIGURE 12-16 Creating a form


4. To create a new form, highlight an existing form in the “Forms on” list box that is
similar to the form you want to create. Select the check box next to “Create a
New Form.”
In the “Form Description for” text box, type in a name for your new form.
Modify settings in the Measurements section of this dialog box to meet your
needs. You can select either metric or English measurements, and you can
specify the form’s paper size and printer area margins.
When you are finished, click Save Form.
5. Windows 2000 creates the new form and adds it to the “Forms on” list box.
Click Close.
6. Close the Printers folder.

You can also use the Forms tab to modify forms that you’ve created.
However, you can’t modify the premade Windows 2000 forms.

Managing Ports
You can use the Ports tab in the Print Server Properties dialog box to add,
delete, and configure ports.
The capabilities of the Ports tab in the Print Server Properties dialog
box are virtually identical to those of the Ports tab in a printer’s Properties
dialog box.

STEP BY STEP

CONFIGURING, DELETING, AND ADDING PORTS

1. Select Start ➪ Settings ➪ Printers.


2. In the Printers folder, select File ➪ Server Properties.
3. In the Print Server Properties dialog box, click the Ports tab.
4. The Ports tab appears, as shown in Figure 12-17. Notice the three command
buttons: Add Port, Delete Port, and Configure Port.
To configure a port, highlight the port you want to configure, and click
Configure Port. A port-specific dialog box is displayed, which will have different
configuration options, depending on the port selected. Configure the port to meet
your needs and click OK.
To delete a port, highlight the port you want to delete and click Delete Port. In
the Delete Port dialog box, click Yes to delete the port.
To add a port, click Add Port.

FIGURE 12-17 Managing ports

TIP
Some ports can’t be deleted. Windows 2000 displays a warning box
when it is unable to delete the specified port.

5. The Printer Ports dialog box appears, as shown in Figure 12-18. Notice the available
port types listed. The port types displayed in this dialog box will vary, depending
on the protocols and services installed on your Windows 2000 computer.
Highlight the type of port you want to add and click New Port.
6. Depending on the type of port you’re adding, various wizard screens or dialog
boxes may be displayed. Follow the instructions presented on screen to create
your new port.
7. The Printer Ports dialog box reappears. Click Close.
8. In the Print Server Properties dialog box, click Close.
9. Close the Printers folder.

FIGURE 12-18 Adding a port

Managing Printer Drivers


You can use the Drivers tab in the Print Server Properties dialog box to
add, remove, update, and configure the properties of printer drivers on
your Windows 2000 computer.
Figure 12-19 shows the Drivers tab. Notice the list of installed printer
drivers.

FIGURE 12-19 Managing printer drivers



The configuration options in this dialog box are straightforward. In
addition, administrators typically don’t use this tab often.

Changing the Location of the Spool Folder


The spool folder is used by the Windows 2000 Print Spooler service as a
temporary storage area for print jobs waiting to be sent to a print device.
The default location for the spool folder is SystemRoot\System32\spool\PRINTERS.
If the volume that contains the spool folder doesn’t have enough free
space to store print jobs, you may experience print job failures. On a busy
Windows 2000 Server computer with multiple shared printers, for example,
you might need between 25MB and several hundred MB of free space
for the spool folder, depending on the number, type, and size of print jobs
that are spooled on this server.
If you experience print job failures due to a lack of free space in the volume
that contains your spool folder, you can specify that a folder on a different
volume (that has more free space) be used as the spool folder.
If you move the spool folder to a volume that has more restrictive permission
settings than the original volume, ensure that users are allowed at
least the Modify NTFS permission to the relocated spool folder, or users
may be unable to print. In addition, ensure that disk quotas are not enabled
on the volume to which the spool folder has been moved, because disk
quotas can also prevent users from being able to print.
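Added example, not from the book: a PowerShell check for the three spool-folder conditions just described (free space on the volume, at least Modify NTFS permission for users, and no disk quotas on the volume). It assumes that the DefaultSpoolDirectory value under HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers holds the server-wide spool folder path that the Advanced tab sets, and that Windows PowerShell 3.0 or later is available; the function and parameter names are mine. The 25 MB threshold is the book’s low-end figure for a busy server, not a Windows limit.

```powershell
# Added example (not from the book): audit the print server's spool folder for the
# conditions the text warns about. Assumption: DefaultSpoolDirectory backs the
# "Spool folder" setting on the Advanced tab of Print Server Properties.

function Get-SpoolFolderPath {
    # Read the server-wide spool folder from the registry; fall back to the
    # default location the book gives if the value is not set.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
    $value = (Get-ItemProperty -Path $key -Name DefaultSpoolDirectory `
                -ErrorAction SilentlyContinue).DefaultSpoolDirectory
    if ([string]::IsNullOrWhiteSpace($value)) {
        $value = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'
    }
    return $value
}

function Test-SpoolFolder {
    [CmdletBinding()]
    param(
        [string]$Path = (Get-SpoolFolderPath),
        [int]$MinimumFreeMB = 25      # book's low-end estimate for a busy server
    )

    $findings = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath $Path)) {
        $findings.Add("Spool folder '$Path' does not exist; the spooler cannot store jobs.")
        return [pscustomobject]@{ Path = $Path; FreeMB = $null; Findings = $findings }
    }

    # 1. Free space on the volume that holds the spool folder (spool folders are local)
    $drive = ([System.IO.Path]::GetPathRoot($Path)).TrimEnd('\')   # e.g. "D:"
    $disk  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $freeMB = [math]::Round($disk.FreeSpace / 1MB)
    if ($freeMB -lt $MinimumFreeMB) {
        $findings.Add("Only $freeMB MB free on $drive; print jobs may fail to spool.")
    }

    # 2. NTFS permissions: users need at least Modify; any Deny entry overrides an Allow
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -LiteralPath $Path
    $userGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $allowModify = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $userGroups -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    if (-not $allowModify) {
        $findings.Add("No Allow entry grants Modify to Users, Authenticated Users or Everyone on '$Path'.")
    }
    $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object {
        $findings.Add("Deny entry for $($_.IdentityReference) on '$Path' overrides any Allow.")
    }

    # 3. Disk quotas on the volume (Win32_QuotaSetting.State: 0 disabled, 1 tracked, 2 enforced)
    $quota = Get-CimInstance -ClassName Win32_QuotaSetting -ErrorAction SilentlyContinue |
        Where-Object { $_.VolumePath.TrimEnd('\') -eq $drive }
    if ($quota -and $quota.State -ne 0) {
        $findings.Add("Disk quotas are enabled (state $($quota.State)) on $drive; quotas can block printing.")
    }

    [pscustomobject]@{ Path = $Path; FreeMB = $freeMB; Findings = $findings }
}

# Usage: run in an elevated PowerShell session on the print server
Test-SpoolFolder | Format-List
```

An empty Findings list means the relocated spool folder satisfies all three conditions the text names; each finding maps directly to one of the failure modes (no space, missing Modify or an explicit Deny, quotas enabled on the target volume).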

STEP BY STEP

CHANGING THE LOCATION OF THE SPOOL FOLDER


1. Select Start ➪ Settings ➪ Printers.
2. In the Printers folder, select File ➪ Server Properties.
3. In the Print Server Properties dialog box, click the Advanced tab.
4. The Advanced tab appears, as shown in Figure 12-20. Notice the “Spool folder”
text box.
Type in a new location for the spool folder (over the default location) and
click OK.
5. Close the Printers folder.

FIGURE 12-20 Changing the location of the spool folder

Managing Print Jobs


Almost every network administrator has to give some thought to managing
print jobs on a network. Printing is just one of those things that seems
to consume a lot of administrator time and attention.
In Windows 2000, you can use the Printers folder to manage print
jobs. You can also use Internet Explorer to manage print jobs. Finally, you
can redirect print jobs to another print device if the original print device
fails. I’ll discuss how to perform these tasks in the sections that follow.

Using the Printers Folder to Manage Print Jobs


You can use the Printers folder to manage print jobs that users have sent
to printers. As you probably recall, printers are managed on a printer-by-printer
basis.

To manage print jobs that have been sent to a printer, double-click the
printer in the Printers folder. This action brings up the printer’s dialog
box. In this dialog box you can pause, resume, restart, and cancel (delete)
print jobs. You can also set a print job’s priority and schedule the time a
print job may be printed.
Figure 12-21 shows a printer’s dialog box. Notice the Document menu,
and the various options it contains. Also notice the Status column. The status
of a print job can sometimes be helpful when troubleshooting printers.

FIGURE 12-21 Managing print jobs

I want to discuss the difference between two of the options in the
Document menu: Resume and Restart. When you select the Resume
option, Windows 2000 will resume printing the print job from the point at
which it was paused. Windows 2000 does not reprint the entire print job.
When you select the Restart option, Windows 2000 reprints the entire
print job.

Using Internet Explorer to Manage Print Jobs


You can use Internet Explorer to manage print jobs that users have sent to
an Internet printer. Internet Explorer makes it convenient to manage print
jobs sent to printers that are hosted by remote computers, as well as print
jobs sent to printers on the local computer.
The management tasks you can perform on print jobs in Internet
Explorer are quite similar to those you can perform by using the printer’s
dialog box (in the Printers folder), with the exception of the Restart
command, which is not available when using Internet Explorer to manage
print jobs.

STEP BY STEP

USING INTERNET EXPLORER TO MANAGE PRINT JOBS

1. On your Windows 2000 desktop, double-click Internet Explorer.


2. In the Address text box, type the URL of the Printers folder on the Web
server that hosts the Internet printer that has print jobs you want to manage
(such as http://Server03/Printers) and press Enter.
3. In the All Printers on Server_name dialog box, click the name of the Internet
printer that has print jobs you want to manage.
4. Internet Explorer displays the management Web page for the printer you selected,
as shown in Figure 12-22. Notice the list of print jobs and the various actions you
can take in the Document Actions menu.

FIGURE 12-22 Managing print jobs on an Internet printer

To manage a print job, select the option button next to the print job (in the
Document column), and then click the action you want to take from the
Document Actions menu in the left pane.

TIP
If you frequently need to manage documents for this printer, consider
adding it to your Favorites in Internet Explorer.

5. When you’re finished managing print jobs, close Internet Explorer.



Redirecting Print Jobs to Another Print Device


When a print device fails on a network, it’s not uncommon for a printer to
have several print jobs waiting to be sent to that print device. If the print
device can’t be rapidly repaired, you’ll probably want to redirect the waiting
print jobs to another print device so that users can obtain their printed
documents.
To successfully redirect print jobs to another print device, the device
you redirect print jobs to must use the same printer drivers as the originally
specified print device. This often means redirecting print jobs to an
identical (or nearly identical) print device. You can redirect print jobs to
any print device, but the printed output will probably be unusable unless
the print devices use the same printer drivers.

STEP BY STEP

REDIRECTING PRINT JOBS TO A DIFFERENT PRINT DEVICE

1. Open the Printers folder. (Select Start ➪ Settings ➪ Printers.)


2. In the Printers folder, right-click the printer that has the print jobs you want to
redirect, and select Properties from the menu that appears.
3. In the printer’s Properties dialog box, click the Ports tab.
4. On the Ports tab, select the port that is connected to the print device to which
you want to redirect the printer’s print jobs. (Windows 2000 clears the check box
next to the original port.) Click OK.
Once a new port (and new associated print device) is selected, all waiting print
jobs will be sent to the new print device.
5. Close the Printers folder.

When the original print device is repaired and brought back online, you
can repeat the preceding steps, this time selecting the port that is associated
with the original print device. Print jobs will then be sent to the original
print device.

Troubleshooting Common Printing Problems
Printing problems can occur on a Windows 2000 network for several reasons.
Some of the most common printing problems involve users who do
not have the permissions they need to access the printer, or users who have
the Manage Documents permission accidentally deleting print jobs that
belong to other users. A good first step, when troubleshooting printer
problems, is to ensure that users have appropriate printer permissions.
Table 12-2 lists some common Windows 2000 printing problems, their
probable causes, and recommended solutions.
TABLE 12-2 Troubleshooting Windows 2000 Printing Problems

Problem: A user reports that he is unable to print to a printer. You have specifically allowed the Print permission to this user for this printer.
Probable cause/recommended solution: The most probable cause of this problem is that the user is a member of a group that is denied the Print permission to the printer. Either remove the user from the group or remove the Deny – Print permission from the group.

Problem: You are unable to add a standard TCP/IP local printer on a Windows 2000 computer.
Probable cause/recommended solution: The most common cause of this problem is an incorrect configuration of a TCP/IP parameter on either the Windows 2000 computer or on the TCP/IP print device. Ensure that the IP address, subnet mask, and default gateway parameters are set correctly on both.

Problem: You experience a paper jam in the middle of printing an important print job. You want to reprint the entire print job, but it is not possible to reprint the job from the application because you deleted the document after you created the print job.
Probable cause/recommended solution: The cause of the paper jam isn’t important here, but being able to reprint the entire print job is. To solve this problem, immediately double-click the printer in the Printers folder. Then pause the print job. Then clear the paper jam at the print device. Finally, select Restart in the printer’s dialog box to reprint the entire print job. (Don’t select Resume, because this option won’t reprint the entire print job.)

Problem: Print jobs aren’t being sent from the printer to the print device. A print job with a size of 0 bytes is at the top of the print job list for the printer. Other documents are also listed in the print job list, and users can still send print jobs to the printer.
Probable cause/recommended solution: The most likely cause of this problem is a stalled print spooler. Stop and restart the Print Spooler service, and printing should resume.

Problem: When users print to a printer pool, documents sent to one of the print devices in the printer pool are not printed correctly.
Probable cause/recommended solution: The most likely cause of this problem is that nonidentical print devices are being used in the printer pool. Remove the device that is not printing correctly from the printer pool, or replace the device with a print device that is identical to all other print devices in the printer pool.

Problem: An HP (DLC) printer has stopped sending print jobs to its assigned print device.
Probable cause/recommended solution: This problem usually occurs when another computer on the network is configured to use DLC to connect to the print device by using a Continuous connection. If you want more than one printer to be able to access a print device by using DLC, configure a Job Based connection for all printers.
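Added example, not from the book: a PowerShell script that looks for the stalled-spooler symptom from the table (a 0-byte job at the head of a printer’s queue with other jobs behind it) and applies the table’s remedy, stopping and restarting the Print Spooler service. It uses the Win32_PrintJob WMI class and the Restart-Service cmdlet; the function names and the SpoolerStalled label are mine, and the optional ComputerName parameter assumes remote WMI access to that host.

```powershell
# Added example (not from the book): report each printer's queue and flag the
# "0-byte job at the top, others waiting" pattern the table attributes to a
# stalled spooler. SpoolerStalled is this script's own judgement, not a Windows status.

function Get-PrintQueueHealth {
    [CmdletBinding()]
    param([string]$ComputerName = '')   # empty = local computer, no remoting needed

    $cim = @{ ClassName = 'Win32_PrintJob' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    # Win32_PrintJob.Name is "<printer name>, <job id>"; split on the last comma.
    $jobs = Get-CimInstance @cim | ForEach-Object {
        $sep = $_.Name.LastIndexOf(',')
        [pscustomobject]@{
            Printer   = if ($sep -ge 0) { $_.Name.Substring(0, $sep) } else { $_.Name }
            JobId     = $_.JobId
            Document  = $_.Document
            Owner     = $_.Owner
            SizeBytes = $_.Size
            Status    = $_.JobStatus
        }
    }

    $jobs | Group-Object Printer | ForEach-Object {
        $queue = @($_.Group | Sort-Object JobId)   # lowest id = oldest = head of queue
        $head  = $queue[0]
        [pscustomobject]@{
            Printer        = $_.Name
            QueuedJobs     = $queue.Count
            HeadJobId      = $head.JobId
            HeadSizeBytes  = $head.SizeBytes
            HeadDocument   = $head.Document
            # 0-byte job at the head with other jobs queued behind it matches the table's symptom
            SpoolerStalled = ($head.SizeBytes -eq 0 -and $queue.Count -gt 1)
        }
    }
}

function Restart-PrintSpooler {
    # The table's remedy: stop and restart the Print Spooler service.
    # SupportsShouldProcess lets the caller preview with -WhatIf before acting.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Restart service')) {
        Restart-Service -Name Spooler -Force
        Get-Service -Name Spooler | Select-Object Name, Status
    }
}

# Usage: list every queue, then restart the spooler only when a stalled queue is found
$health = Get-PrintQueueHealth
$health | Format-Table -AutoSize
if ($health | Where-Object SpoolerStalled) {
    Restart-PrintSpooler -WhatIf     # remove -WhatIf to actually restart the service
}
```

Restarting the service with -Force also stops anything that depends on it, so the script previews the action with -WhatIf first; the book’s own procedure (the Services tool in Computer Management) is the equivalent of running Restart-PrintSpooler without that switch.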

KEY POINT SUMMARY

This chapter introduced several important Windows 2000 printing topics:


■ A printer, in Windows 2000 terminology, is the software interface between the
Windows 2000 operating system and the device that produces the printed
output. A print (or printing) device is the physical device that produces printed
output — what is more commonly referred to as a “printer.”
■ Before you can print on a Windows 2000 computer, you must first add a
printer. There are two types of printers you can add: local printers and network
printers. You can use the Add Printer Wizard in the Printers folder to add most
printers.
■ An Internet printer is a printer that is published on a Web server for the purpose
of making the printer available to client computers on the Internet, client
computers on your company’s intranet, or both. You can use the Add Printer
Wizard or Internet Explorer to connect to an Internet printer.
■ The purpose of sharing a printer on a Windows 2000 computer is to enable
users of other computers on the network to connect to and to send print jobs
to the shared printer. The computer that hosts the shared printer is called a
print server.
■ When you share a printer on a Windows 2000 computer that is a member of
a Windows 2000 domain, by default, the printer is automatically published in
Active Directory at the same time.

■ You can configure options for a printer in the printer’s Properties dialog box.
This dialog box is accessed through the Printers folder. You can configure
printer pools, schedule printers, set printer priorities, assign a separator page,
configure printer permissions, and assign forms to paper trays in this dialog box.
■ The three Windows 2000 printer permissions are Print, Manage Documents,
and Manage Printers. Printer permissions are specifically allowed or denied to
individual users and groups. User and group printer permissions are additive,
and typically the least restrictive combination of printer permissions applies.
■ You can configure several of a print server’s properties. Print server properties
are configured in the Print Server Properties dialog box, which is accessed
from the Printers folder. In this dialog box you can create forms, manage ports,
manage printer drivers, and change the location of the spool folder.
■ There are several tools and techniques you can use to manage print jobs. You
can use the Printers folder to manage print jobs. You can also use Internet
Explorer to manage print jobs on Internet printers. Finally, you can redirect print
jobs to another print device if the original print device fails.
■ Printing problems can occur on a Windows 2000 network for several reasons.
A good first step, when troubleshooting printer problems, is to ensure that
users have appropriate printer permissions.

STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about Windows 2000 printing, and to help you prepare for the
Professional, Server, and Directory Services exams:
■ Assessment questions: These questions test your knowledge of
the printing topics covered in this chapter. You’ll find the answers
to these questions at the end of this chapter.
■ Scenarios: The situation-based questions in scenarios challenge
you to apply your understanding of the material to solve a hypothetical
problem. In this chapter’s scenario, you are asked to troubleshoot
various Windows 2000 printing problems. You don’t need
to be at a computer to do scenarios. Answers to this chapter’s scenario
are presented at the end of this chapter.
■ Labs: These exercises are hands-on practice activities that you perform
on a computer. The lab in this chapter gives you an opportunity
to practice several basic Windows 2000 printing tasks.

Assessment Questions
1. You want to add a printer on your Windows 2000 Professional computer
that is connected to an HP JetDirect adapter that does not support
TCP/IP printing. What should you install on your Windows
2000 Professional computer before you add the printer?
A. The DLC protocol
B. The NetBEUI protocol
C. Print Services for Unix
D. Client Service for NetWare
2. What must you do before you can publish a Windows 2000 printer in
Active Directory?
A. Share the printer.
B. Install the NetBEUI protocol.
C. Install printer drivers for other operating systems.
D. Assign the Everyone group the Allow – Manage Documents
permissions to the printer.

3. What must be installed on a Windows 2000 computer to make all of
its shared printers available as Internet printers? (Choose two.)
A. Print Services for Unix
B. Internet Information Services (IIS)
C. The DLC protocol
D. The NetBEUI protocol
E. The TCP/IP protocol
4. Which tools can you use to manage printers on Windows 2000
computers? (Choose two.)
A. Internet Explorer
B. The Printers Folder
C. Computer Management
D. Internet Services Manager
E. Active Directory Users and Computers
5. Which tools can you use to connect to an Internet printer?
(Choose two.)
A. Control Panel
B. Internet Explorer
C. The Add Printer Wizard
D. The Network and Dial-up Connections folder
E. Active Directory Users and Computers
6. Which Windows 2000 printer permission allows you to assign printer
permissions?
A. Print
B. Manage Documents
C. Manage Printers
7. How can you redirect print jobs to a different print device?
A. Copy the print jobs from one printer to another printer.
B. Assign the printer to a port that is connected to a different type
of print device.
C. Cancel all of the print jobs, then delete the printer. Create a new
printer with the same name, and assign it to a different port.
D. Assign the printer to a port that is connected to another identical
print device.

8. A print job with a size of 0 bytes is listed at the top of the print job
list, and other print jobs in the print job list are not being sent to the
print device. What should you do?
A. Delete the print job at the top of the print job list.
B. Pause the printer, then restart the printer.
C. Stop the Print Spooler service, then restart the Print Spooler
service.
D. Delete the printer, then recreate the printer.

Scenarios
The following scenarios provide you with an opportunity to apply the
knowledge you’ve gained in this chapter about troubleshooting printing
problems in a Windows 2000 environment. Printing problems can occur
on a Windows 2000 network for several reasons. For each of the following
problems, consider the given facts and answer these questions:
1. A user, JohnT, reports that he is unable to print to a printer on your
Windows 2000 network. You specifically allowed JohnT the Print
permission for this printer about a month ago.
a. What do you think is the most likely cause of the printing
problem?
b. What course of action would you take to try to resolve the
problem?
2. Several users report that when they print to a printer pool on a
Windows 2000 Server computer, documents printed by one of the
print devices in the printer pool are not printed correctly. The
printed pages contain garbled, unreadable text.
a. What do you think is the most likely cause of the printing
problem?
b. What course of action would you take to try to resolve the
problem?

Lab Exercises
The following lab is designed to give you practical experience working
with printers in a Windows 2000 environment.

Lab 12-1 Managing Windows 2000 Printing

EXAM MATERIAL: Professional, Server, Directory Services

The purpose of this lab is to provide you with an opportunity to practice
numerous Windows 2000 printing tasks.
There are three parts to this lab:
■ Part 1: Adding a Printer
■ Part 2: Sharing, Publishing, and Configuring a Printer
■ Part 3: Printing to a Printer and Managing Print Jobs
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Adding a Printer


In this part, you add a local printer and connect to a local print device.
1. Open the Printers folder. (Select Start ➪ Settings ➪ Printers.)
2. In the Printers folder, double-click Add Printer.
3. The Add Printer Wizard begins. Click Next.
4. In the Local or Network Printer screen, ensure that the “Local
printer” option is selected, and that the check box next to
“Automatically detect and install my Plug and Play printer” is cleared.
Click Next.
5. In the Select the Printer Port screen, highlight the LPT3: port and
click Next.
6. In the Add Printer Wizard screen, select Agfa in the Manufacturers list
box and select AGFA-AccuSet v52.3 in the Printers list box. Click
Next.
7. On the Name Your Printer screen, accept the default name displayed.
Ensure that the No option is selected. Click Next.

8. On the Printer Sharing screen, ensure that the “Do not share this
printer” option is selected. Click Next.
9. On the Print Test Page screen, ensure that the No option is selected,
and click Next.
10. On the Completing the Add Printer Wizard screen, click Finish.
11. The new local printer you added is displayed in the Printers folder.
Continue on to Part 2.

Part 2: Sharing, Publishing, and Configuring a Printer


In this part, you share the printer you created in Part 1, and publish this
printer in Active Directory. Then you schedule this printer and configure
printer permissions for this printer.
1. In the Printers folder, right-click the AGFA-AccuSet v52.3
printer, and select Sharing from the menu that appears.
2. In the AGFA-AccuSet v52.3 Properties dialog box, select the “Shared
as” option. Then, in the “Shared as” text box, type AGFA.
Ensure that the check box next to “List in the Directory” is selected.
This will cause the printer to be published in Active Directory.
Click the Advanced tab.
3. On the Advanced tab, select the “Available from” option, and configure
the printer’s available hours from 4:00 A.M. to 4:30 A.M. Click
the Security tab.
4. On the Security tab, click Add.
5. In the Select Users, Computers, or Groups dialog box, double-click
Mike Calhoun, the Information Services Manager. Click OK.
6. On the Security tab, select the Allow check boxes next to the Manage
Printers and Manage Documents permissions, so that Mike Calhoun has
all of the Windows 2000 printer permissions for this printer. Click OK.
7. Close the Printers folder.

Part 3: Printing to a Printer and Managing Print Jobs


In this part, you use Internet Explorer to print to a printer, to connect to
an Internet printer, and to manage print jobs sent to the Internet printer.
1. On your Windows 2000 desktop, double-click Internet Explorer.
2. In the Address text box, type http://Server01/Printers and press
Enter.

3. Internet Explorer connects you to the Printers folder, and displays
a list of available Internet printers. Select File ➪ Print.
4. The Print dialog box appears. In the Select Printer box, select the
AGFA-AccuSet v52.3 printer. Click Print.
5. In the Internet Explorer dialog box, select View ➪ Refresh. Notice
that there is now one print job for the AGFA-AccuSet v52.3 printer.
Click the AGFA-AccuSet v52.3 printer.
6. Internet Explorer connects you to the management Web page for the
AGFA-AccuSet v52.3 Internet printer.
(If this printer was located on another computer, a Connect option
would be displayed in the Printer Actions menu. Selecting this option
would enable you to connect to the printer.)
Notice the document that is waiting to be printed, and the information
about that document that is displayed. Select the option button
next to the document. In the Document Actions menu, click Cancel.
You have just deleted this print job.
7. Close Internet Explorer.

Answers to Chapter Questions


Chapter Pre-Test
1. In Windows 2000 printing terminology, a printer is the software
interface between the Windows 2000 operating system and the device
that produces the printed output.
2. A printer pool
3. The three Windows 2000 printer permissions are Print, Manage
Documents, and Manage Printers.
4. Any permission that is specifically denied, for example, Deny – Print,
Deny – Manage Documents, or Deny – Manage Printers, always
overrides the corresponding allowed permission.
5. You can specify that a different folder on another volume (that has
more free space) be used as your spool folder.

Assessment Questions

1. A. The DLC protocol must be installed to support HP JetDirect
adapters that do not support TCP/IP.
2. A. Only printers that have been shared can be published in Active
Directory.
3. B and E. You need to ensure that Internet Information Services
(IIS) and TCP/IP are installed on a Windows 2000 computer if you
want all of its shared printers to be advertised as Internet printers.
4. A and B. You can use Internet Explorer to manage Windows 2000
Internet printers, and you can use the Printers folder to manage all
Windows 2000 printers.
5. B and C. You can use Internet Explorer or the Add Printer Wizard
(in the Printers folder) to connect to Internet printers.
6. C. The Manage Printers permission allows you to assign printer
permissions.
7. D. You need to assign the printer to a different port that is connected
to the same type of print device.
8. C. You should use the Services tool in Computer Management to
stop and then restart the Print Spooler service.

Scenarios
1. The most likely cause of this problem is that JohnT is a member
of a group that is denied the Print permission to this printer. Either
remove JohnT from the group or remove the Deny – Print permis-
sion from the group.
2. The most likely cause of this problem is that nonidentical print
devices are being used in the printer pool. Remove the device that
is not printing correctly from the printer pool, or replace the device
with a print device that is identical to (or at least uses the same
printer drivers as) all other print devices in the printer pool.
EXAM MATERIAL: Professional, Server, Directory Services

EXAM OBJECTIVES

Professional: Exam 70-210

■ Implement, configure, manage, and troubleshoot local user settings.
■ Implement, configure, manage, and troubleshoot auditing.
■ Implement, configure, manage, and troubleshoot a security configuration.

Server: Exam 70-215

■ Implement, configure, manage, and troubleshoot auditing.
■ Implement, configure, manage, and troubleshoot security by
using the Security Configuration Tool Set.

Directory Services: Exam 70-217

■ Configure and troubleshoot security in a Directory Services
infrastructure.
■ Create, analyze and modify security configurations by using
Security Configuration and Analysis and Security Templates.
■ Implement an audit policy.
■ Monitor and analyze security events.
CHAPTER 13

Auditing and Security

This chapter is all about managing auditing and security on your Windows
2000 computer and on your Windows 2000 network. First, I’ll show you
how to enable and configure auditing. You’ll learn how to audit Active Directory
objects as well as files, folders, and printers. Next, I’ll explain how you can use
Event Viewer to view, monitor, and analyze audit and security events.
From there, I’ll explore how to use the Security Templates snap-in to create
and implement a security template that can be used to apply a predefined
security policy to one or more computers. Next, I’ll introduce you to another
snap-in, Security Configuration and Analysis, that you can use to compare a
computer’s existing security policy settings against a predefined set of security
policy settings. I’ll also tell you about a command-line version of this snap-in
that can make security analysis on your network easier for you. Finally, I’ll
give you some helpful tips for troubleshooting auditing and security problems.


Chapter Pre-Test
1. What are the two areas Windows 2000 auditing is divided into?
2. What types of objects can you audit in Windows 2000?
3. What Windows 2000 tool can you use to view the results of
auditing?
4. What is a security template?
5. What MMC snap-in can you use to create, edit, and manage security
templates?
6. What are the two primary ways to implement a security template?
7. What MMC snap-in can you use to compare a computer’s security
configuration settings against the predefined security configuration
settings in a security template?

Managing Auditing
When enabled, auditing produces a log of specified security events and
activities that occur on a Windows 2000 computer. By default, auditing is
not enabled.
Windows 2000 auditing is divided into two areas: auditing of access to
the system and auditing of access to objects. System access auditing primarily
involves tracking accesses and attempted accesses to the Windows
2000 operating system. Object access auditing involves tracking accesses
and attempted accesses to specific objects, such as Active Directory objects
(including users, groups, computers, OUs, domains, and so on), files, folders,
and printers.
You must be a member of the Administrators group to enable and configure
auditing. In the next sections, I’ll show you how to enable and configure
both system access and object access auditing.

Enabling and Configuring System Access Auditing


Enabling and configuring system access auditing is done by configuring
Audit Policy. You can configure an audit policy that is applied to an individual
computer, or, depending on the tool you use, you can configure an
audit policy that is applied to all of the Windows 2000 computers in an
Active Directory container, such as a site, a domain, or an OU.
A number of tools can be used to configure Audit Policy. The tool
you use to configure an audit policy depends on which computers you
want the audit policy to apply to:
■ To configure an audit policy for the local Windows 2000 com-
puter, use the Local Security Policy tool in Administrative Tools.
(Select Start ➪ Settings ➪ Control Panel, then double-click
Administrative Tools, then double-click Local Security Policy.)
■ To configure an audit policy for all Windows 2000 computers in
a domain, use the Domain Security Policy tool in Administrative
Tools. (Select Start ➪ Programs ➪ Administrative Tools ➪ Domain
Security Policy.) This tool is available on Windows 2000 domain
controllers, or on other Windows 2000 computers that have the
ADMINPAK installed.

CAUTION
Auditing is disabled by default in the Default Domain Controllers Policy
GPO. Even if you enable auditing for all Windows 2000 computers in a
domain, auditing will not be enabled on domain controllers until you
enable it in the Default Domain Controllers Policy GPO by using the
Domain Controller Security Policy tool.

■ To configure an audit policy for all domain controllers in a domain,
use the Domain Controller Security Policy tool in Administrative
Tools. (Select Start ➪ Programs ➪ Administrative Tools ➪ Domain
Controller Security Policy.) This tool modifies the security settings
in the Default Domain Controllers Policy GPO. This tool is available
on Windows 2000 domain controllers, or on other Windows
2000 computers that have the ADMINPAK installed.
■ To configure an audit policy for all Windows 2000 computers
located in a particular OU or domain, use Active Directory Users
and Computers to configure a Group Policy object (GPO) for the
OU or the domain. (Select Start ➪ Programs ➪ Administrative Tools
➪ Active Directory Users and Computers.) This tool is available
on Windows 2000 domain controllers or on other Windows 2000
computers that have the ADMINPAK installed.
■ To configure an audit policy for all Windows 2000 computers
located in a particular site, use Active Directory Sites and Services
to configure a Group Policy object (GPO) for the site. (Select
Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Sites
and Services.) This tool is available on Windows 2000 domain
controllers, or on other Windows 2000 computers that have the
ADMINPAK installed.
Audit Policy, like all other Windows 2000 policies, can be configured at
several different levels: at the local computer level, at the OU level, at the
domain level, and so on. Because of this, it’s possible that the settings in an
audit policy can conflict with settings in an audit policy set at another
level. The point to remember is that when audit policy settings conflict, the
audit policy that is applied last is the audit policy that takes precedence.
Audit Policy is applied in the same order as Group Policy.
CROSS-REFERENCE
If you need refreshing on Group Policy, see Chapter 10.

Now I’ll show you how to configure an audit policy for all Windows
2000 computers in the domain by using the Domain Security Policy tool.
Because the Windows 2000 user interfaces for the Domain Security Policy
tool, the Domain Controller Security Policy tool, and the Local Security
Policy tool are substantially similar, you can use these same steps to config-
ure an audit policy for domain controllers or for the local Windows 2000
computer — all you need to do is start the appropriate tool and follow the
steps in the next section.

STEP BY STEP

CONFIGURING AN AUDIT POLICY FOR WINDOWS 2000 COMPUTERS IN A DOMAIN

1. Start the Domain Security Policy tool. (Select Start ➪ Programs ➪ Administrative
Tools ➪ Domain Security Policy.)
2. In the left pane of the Domain Security Policy dialog box, click the + next to
Security Settings. Then click the + next to Local Policies. Highlight Audit Policy. A
list of specific audit policies that you can configure is displayed in the right pane,
as shown in Figure 13-1.

FIGURE 13-1 Configuring Audit Policy

3. In the right pane, double-click the audit policy you want to configure.

4. A Security Policy Setting dialog box for the audit policy you selected appears, as
shown in Figure 13-2.

FIGURE 13-2 Defining an individual audit policy

Figure 13-2 shows the Security Policy Setting dialog box for the “Audit account
logon events” audit policy. However, the dialog boxes for each of the other audit
policies are identical to this one.
Select the check box next to “Define these policy settings.” Then, select either the
check box next to Success, Failure, or both.
When the Success check box is selected, Windows 2000 generates an audit
event each time a user successfully performs the audited task (in this case, each
time a user logs on).
When the Failure check box is selected, Windows 2000 generates an audit
event each time a user attempts to perform an audited task but fails (usually
because of a lack of permissions or user rights).
When both the Success and Failure check boxes are selected, an audit
event is generated each time a user attempts to perform an audited task, whether
successfully or unsuccessfully.
Click OK.
5. The Domain Security Policy dialog box reappears. Repeat Steps 3 and 4 to con-
figure additional audit policies as necessary. Close the Domain Security Policy
dialog box.

Table 13-1 lists and describes the types of Windows 2000 system events
you can audit.
TABLE 13-1 Auditable System Events in Windows 2000

Account logon events: A domain controller receives an account validation
request.

Account management: A user account or group is created, modified, or
deleted; or, a user account is renamed, disabled, or enabled, or a user’s
password is changed.

Directory service access: A user accesses an Active Directory object (such as
a user, group, computer, OU, domain, and so on) that is also configured for
auditing. Note: To audit access to an Active Directory object, you must
enable auditing of Directory service access events and configure auditing on
the specific Active Directory object.

Logon events: A user logs on to or logs off the Windows 2000 computer.

Object access: A user accesses a file, folder, or printer that is configured
for auditing. Note: To audit access to a file, folder, or printer, you must
enable auditing of object access events and configure auditing on the
specific file, folder, or printer.

Policy change: The user rights, security, audit, or trust relationship
policies are modified.

Privilege use: A user exercises an assigned user right (other than the
“Log on locally” or “Access this computer from the network” user rights).

Process tracking: An event, such as program activation, some forms of
handle duplication, indirect object accesses, or process exit occurs. This
event is not often selected for audit by administrators.

System events: A user restarts or shuts down the Windows 2000 computer,
or a system security or Security Log event occurs.

TIP
Carefully consider which events you need to audit. If you choose to audit
everything, the computer’s performance will be slowed significantly, your
Security Log will fill up quickly, and you’ll find yourself sifting through vol-
umes of useless information to find the auditing data you need.
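The nine audit policies above are the same nine settings that a Windows 2000 security template stores in its [Event Audit] section, one integer per category (0 = no auditing, 1 = Success, 2 = Failure, 3 = both). The following added example (not code from the book) decodes such a section into the Success/Failure view the Audit Policy node shows and applies the checks from the tip and the exam tip in this chapter: it warns when everything is audited, when process tracking is on, and when object access or directory service access is off (in which case the auditing entries on files, folders, printers and Active Directory objects produce no events). The template text is constructed for illustration.

```python
"""Decode the Windows 2000 audit policy as stored in a security template's
[Event Audit] section and review it. Added example; the template text below
is constructed, not one of the book's figures or Microsoft's templates."""
import configparser

# Value encoding used in security templates:
# 0 = no auditing, 1 = Success, 2 = Failure, 3 = Success and Failure.
AUDIT_FLAGS = {0: set(), 1: {"Success"}, 2: {"Failure"}, 3: {"Success", "Failure"}}

# Template key -> policy name as displayed under the Audit Policy node.
AUDIT_KEYS = {
    "AuditAccountLogon": "Audit account logon events",
    "AuditAccountManage": "Audit account management",
    "AuditDSAccess": "Audit directory service access",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPolicyChange": "Audit policy change",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditProcessTracking": "Audit process tracking",
    "AuditSystemEvents": "Audit system events",
}

# Constructed sample: a reasonable member-server policy with DS access off.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 1
"""


def parse_template(text):
    """Parse .inf text; key case is preserved so names match the template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def decode_audit_policy(text):
    """Return {policy name: set of 'Success'/'Failure'}; a category that the
    template does not mention is reported as None ('Not defined')."""
    cp = parse_template(text)
    section = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    policy = {}
    for key, name in AUDIT_KEYS.items():
        policy[name] = AUDIT_FLAGS[int(section[key])] if key in section else None
    return policy


def review_audit_policy(policy):
    """Warnings a reviewer would raise, following the tips in this chapter."""
    warnings = []
    if all(p == {"Success", "Failure"} for p in policy.values()):
        warnings.append("Every category audits Success and Failure: expect a "
                        "performance hit and a Security Log that fills quickly.")
    if policy.get("Audit process tracking"):
        warnings.append("Audit process tracking is enabled; it is rarely needed "
                        "and very noisy.")
    if not policy.get("Audit object access"):
        warnings.append("Audit object access is off: auditing entries on files, "
                        "folders and printers will produce no events.")
    if not policy.get("Audit directory service access"):
        warnings.append("Audit directory service access is off: auditing entries "
                        "on Active Directory objects will produce no events.")
    return warnings


if __name__ == "__main__":
    decoded = decode_audit_policy(SAMPLE_TEMPLATE)
    for name, flags in decoded.items():
        print(f"{name}: {'Not defined' if flags is None else ', '.join(sorted(flags)) or 'No auditing'}")
    for warning in review_audit_policy(decoded):
        print("WARNING:", warning)
```

Run against the sample, the decoder reports only one warning, the missing directory service access auditing; on a domain controller that is exactly the situation the exam tip describes.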
Enabling and Configuring Object Access Auditing


As I mentioned earlier, object access auditing makes it possible for you to
track access and attempted access to specific objects, such as Active
Directory objects (including users, groups, computers, OUs, domains, and
so on), files, folders, and printers.
Enabling object access auditing is a two-part process:
■ You must enable and configure either the directory service access
or object access audit policy for the Windows 2000 computer on
which the object you want to audit access to is stored. (I explained
how to enable and configure system access auditing for these
events in the previous section.)
■ You must configure auditing for the specific object you want to
audit access and attempted access to. Object access auditing is
configured in the Properties dialog box for the specific object.
The exception to this rule is auditing of Active Directory objects.
Auditing of all Active Directory objects in an Active Directory
domain is configured by default.
It doesn’t really matter which order you perform these two tasks in.

EXAM TIP
A favorite exam-writer trick is to tell you that auditing has been configured
for an object, but that no audit events are being written to the Security
Log. Remember that system access auditing (for either directory service
access or object access) must also be enabled and configured before
object auditing will occur.

In the next sections I’ll show you how to configure auditing of Active
Directory objects, files, folders, and printers.

Configuring Auditing of Active Directory Objects


You can configure auditing of access and attempted access to Active
Directory objects and their properties.You can configure auditing for any
Active Directory object, including users, groups, computers, OUs, domains,
sites, and so on.
When you configure auditing of Active Directory objects, remember to
take inheritance into account. All of the rules you learned about inheri-
tance and blocking inheritance in Chapter 8 apply to auditing of Active
Directory objects, as well.
By default, auditing is configured for the domain, and this auditing con-
figuration is inherited by all Active Directory objects in the domain. This
means that, once system access auditing of directory service access is
enabled, all actions that modify objects in the domain are audited. You can
modify this auditing configuration to meet your needs.
To modify the auditing configuration of most Active Directory objects,
you can use Active Directory Users and Computers. To modify the audit-
ing configuration of a site, use Active Directory Sites and Services.

STEP BY STEP

MODIFYING THE AUDITING CONFIGURATION OF ACTIVE DIRECTORY OBJECTS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain that contains the Active Directory object for
which you want to modify the auditing configuration. Continue expanding contain-
ers until the object for which you want to modify auditing is displayed in the right
pane. In the right pane, double-click the object for which you want to modify audit-
ing. Or, you can right-click the object, and select Properties from the menu that
appears.
3. The object’s Properties dialog box appears. Click the Security tab.
4. On the Security tab, click Advanced.
5. An Access Control Settings dialog box for the object appears. Click the
Auditing tab.
6. The Auditing tab for the object is displayed, as shown in Figure 13-3. Notice that
in this case the Active Directory object selected is a user named Alan R. Carter.
Also notice that the check box next to “Allow inheritable auditing entries from par-
ent to propagate to this object” is selected — this is the default setting.
Finally, notice that this object has an auditing entry for the Everyone group. This
entry, which was created by default during the installation of Active Directory, is
inherited from the domain.
To modify an auditing entry, highlight the entry and click View/Edit. Then skip
to Step 8.
To remove an auditing entry, highlight the entry and click Remove.

FIGURE 13-3 The Auditing tab

TIP
You can’t remove auditing entries that are inherited from parent objects.

To add an auditing entry, click Add.


7. In the Select User, Computer, or Group dialog box, double-click the user, com-
puter, or group for which you want to audit access to this Active Directory object.
8. The Auditing Entry dialog box for the object appears, as shown in Figure 13-4.
Notice there are two tabs in this dialog box: Object and Properties.
On the Object tab, configure auditing for accesses to the Active Directory object
itself. You can configure successful accesses, failed accesses, or both, for each
type of access.
On the Properties tab, configure auditing for accesses to the properties of the
Active Directory object. Again, you can configure successful accesses, failed
accesses, or both, for each type of access.
When you are finished configuring the auditing entry, click OK.

FIGURE 13-4 Configuring an auditing entry

9. In the Access Control Settings dialog box for the object, click OK.
10. In the object’s Properties dialog box, click OK.
11. Close Active Directory Users and Computers.

TIP
Remember, you must also enable and configure system access auditing
for directory service access before object auditing of Active Directory
objects will occur.

Configuring Auditing of Files and Folders


You can configure auditing of files and folders located on NTFS volumes
on Windows 2000 computers. You can’t configure auditing of files and
folders located on FAT or FAT32 volumes. By default, auditing is not con-
figured on any files or folders on a Windows 2000 computer.
When configuring auditing of files and folders, make sure that you take
inheritance into account. When auditing is configured for a volume or a
folder, all files and folders in that volume or folder inherit the auditing set-
tings configured on the parent object.
The task of configuring auditing of files and folders is normally per-
formed by using Windows Explorer, as the following steps explain.

STEP BY STEP

CONFIGURING AUDITING OF FILES OR FOLDERS

1. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪ Windows
Explorer.)
2. In the left pane, click the + next to My Computer, then expand volumes and fold-
ers until the file or folder for which you want to configure auditing is displayed in
the right pane.
3. In the right pane, right-click the file or folder for which you want to configure audit-
ing, and select Properties from the menu that appears.
4. In the file or folder’s Properties dialog box, click the Security tab.
5. On the Security tab, click Advanced.
6. In the Access Control Settings dialog box for the file or folder, click the
Auditing tab.
7. On the Auditing tab, click Add to add an auditing entry for the file or folder.
8. In the Select User, Computer, or Group dialog box, double-click the user,
computer, or group for which you want to audit access to this file or folder.
9. The Auditing Entry dialog box for the file or folder appears, as shown in
Figure 13-5. Notice the “Apply onto” drop-down list box.
Select the appropriate option from the “Apply onto” drop-down list box. This set-
ting determines how the auditing entries you set in this dialog box will be inher-
ited. The possible selections are:
■ This folder, subfolders and files — this is the default setting
■ This folder only
■ This folder and subfolders
■ This folder and files
■ Subfolders and files only
■ Subfolders only
■ Files only

FIGURE 13-5 Configuring an auditing entry for the Apps folder

The selection you make in this drop-down list box works in conjunction with the
“Apply these auditing entries to objects and/or containers within this container
only” check box at the bottom of the dialog box. If you select this check box (and
any option in the “Apply onto” box that includes subfolders), the auditing entries
you set will be applied to the subfolder, but will not be applied to any files or
folders within the subfolder.
Next, configure auditing for accesses to the file or folder. You can configure suc-
cessful accesses, failed accesses, or both, for each type of access.
When you’re finished configuring audit entries, click OK.
10. In the Access Control Settings dialog box for the file or folder, click OK.
11. If system access auditing of object access has not yet been enabled for this com-
puter, Windows 2000 displays a Security dialog box, as shown in Figure 13-6.
Click OK, and remember to enable auditing of object access after you complete
these steps.

FIGURE 13-6 Security warning message

12. In the file or folder’s Properties dialog box, click OK.
13. Close Windows Explorer.
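The “Apply onto” choices in Step 9 and the “Apply these auditing entries to objects and/or containers within this container only” check box are stored as inheritance flags on the audit entry, and those flags decide which files and subfolders end up audited. The following added example (not code from the book) models that behaviour over a small constructed folder tree so you can see, for each choice, exactly which objects receive the entry. The flag values are the Windows ACE inheritance flags from the Win32 SDK headers; the Apps tree is constructed.

```python
"""Model of how a file or folder auditing entry's "Apply onto" choice, together
with the "within this container only" check box, decides which objects in a
folder tree are audited. Added example, not code from the book; the Apps tree
below is constructed."""

# ACE inheritance flags as defined in the Win32 SDK headers (winnt.h).
OBJECT_INHERIT_ACE = 0x01        # inherited by files
CONTAINER_INHERIT_ACE = 0x02     # inherited by subfolders
NO_PROPAGATE_INHERIT_ACE = 0x04  # the "within this container only" check box
INHERIT_ONLY_ACE = 0x08          # does not apply to the object it is set on

# "Apply onto" choices, exactly as the Auditing Entry dialog lists them,
# mapped to the inheritance flags written into the audit entry.
APPLY_ONTO = {
    "This folder, subfolders and files": CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
    "This folder only": 0,
    "This folder and subfolders": CONTAINER_INHERIT_ACE,
    "This folder and files": OBJECT_INHERIT_ACE,
    "Subfolders and files only": CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE,
    "Subfolders only": CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE,
    "Files only": OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE,
}

# Constructed tree: (path, is_folder). The first entry is the folder the
# auditing entry is placed on; "/" separates path components.
TREE = [
    ("Apps", True),
    ("Apps/readme.txt", False),
    ("Apps/Office", True),
    ("Apps/Office/winword.exe", False),
    ("Apps/Office/Templates", True),
    ("Apps/Office/Templates/normal.dot", False),
]


def ace_flags(apply_onto, within_container_only=False):
    """Inheritance flags produced by the two dialog selections."""
    flags = APPLY_ONTO[apply_onto]
    if within_container_only:
        flags |= NO_PROPAGATE_INHERIT_ACE
    return flags


def audited_objects(apply_onto, within_container_only=False, tree=TREE):
    """Paths that end up carrying the auditing entry, in tree order."""
    flags = ace_flags(apply_onto, within_container_only)
    root = tree[0][0]
    audited = []
    for path, is_folder in tree:
        if path == root:
            # The entry applies to the folder itself unless it is inherit-only.
            if not flags & INHERIT_ONLY_ACE:
                audited.append(path)
            continue
        depth = path.count("/") - root.count("/")
        # NO_PROPAGATE stops the entry at the direct children of the root.
        if flags & NO_PROPAGATE_INHERIT_ACE and depth > 1:
            continue
        # Subfolders need CONTAINER_INHERIT, files need OBJECT_INHERIT. Windows
        # carries an OBJECT_INHERIT-only entry through intermediate folders as
        # an inherit-only copy, so files at any depth still receive it.
        needed = CONTAINER_INHERIT_ACE if is_folder else OBJECT_INHERIT_ACE
        if flags & needed:
            audited.append(path)
    return audited


if __name__ == "__main__":
    for choice in APPLY_ONTO:
        print(f"{choice}: {audited_objects(choice)}")
    print("This folder and subfolders, within this container only:",
          audited_objects("This folder and subfolders", within_container_only=True))
```

The last line of the demonstration reproduces the case the text describes: “This folder and subfolders” with the check box selected audits Apps and Apps\Office, but nothing inside Apps\Office.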

Configuring Auditing of Printers


You can configure auditing of printers on Windows 2000 computers. By
default, auditing is not configured on printers. In addition, there are no
inheritance issues to worry about when configuring auditing for printers
on a Windows 2000 computer.
Configuring auditing of printers is normally done by using the
Printers folder, as the following steps explain.

STEP BY STEP

CONFIGURING AUDITING OF PRINTERS

1. Open the Printers folder. (Select Start ➪ Settings ➪ Printers.)


2. In the right pane of the Printers dialog box, right-click the printer for which you
want to configure auditing, and select Properties from the menu that appears.
3. In the printer’s Properties dialog box, click the Security tab.
4. On the Security tab, click Advanced.
5. In the Access Control Settings dialog box for the printer, click the Auditing tab.
6. On the Auditing tab, click Add.

7. In the Select User, Computer, or Group dialog box, double-click the user, com-
puter, or group for which you want to audit accesses to this printer.
8. The Auditing Entry dialog box for the printer appears, as shown in Figure 13-7.
Notice the “Apply onto” drop-down list box.

FIGURE 13-7 Configuring an auditing entry for a printer

Select the appropriate option in the “Apply onto” drop-down list box. In this list
box you can choose whether to apply these auditing settings to this printer only,
to this printer’s documents only, or to this printer and its documents.
Next, configure auditing for accesses to the printer. You can configure successful
accesses, failed accesses, or both, for each type of access.
When you’re finished configuring printer auditing, click OK.
9. In the Access Control Settings dialog box for the printer, click OK.
10. In the printer’s Properties dialog box, click OK.
11. Close the Printers folder.
Monitoring and Analyzing Security Events


You can use Event Viewer to view, monitor, and analyze the results of the
auditing you have configured. Event Viewer has several logs, including the
System Log, the Application Log, and the Security Log. The Security Log
contains the data generated by auditing.
You can view the Security Log in its entirety, or you can filter events by
date and type of audit event. You can clear the Security Log when it is full,
and you can save (archive) the log to be analyzed at a later date by using
Event Viewer, a text editor, or a spreadsheet or database program. You can
also configure the maximum size of the log and event log wrapping (how
the log handles additional auditing data when it becomes full).
An important consideration, from an administrative standpoint, is sched-
uling time to regularly monitor and analyze auditing events in the Security
Log. The data gathered by auditing is of no value if it is not used.
The sections that follow explain how to access the Security Log in
Event Viewer, how to view security events, how to filter security events,
how to archive and clear the Security Log, and finally, how to configure
the maximum size of the Security Log and Security Log wrapping.

STEP BY STEP

VIEWING SECURITY EVENTS IN EVENT VIEWER

1. Start Event Viewer. (Select Start ➪ Programs ➪ Administrative Tools ➪ Event
Viewer.)
2. The Event Viewer dialog box appears. In the left pane, highlight the Security
Log. Figure 13-8 shows the Security Log on a Windows 2000 computer.
Notice that some events are marked with keys (these designate successful
events) and that some events are marked with locks (these designate unsuc-
cessful [failed] events).
To view the details of an event, double-click the event.
3. The Event Properties dialog box appears, as shown in Figure 13-9.
Notice the types of information included in this dialog box. Click OK.

FIGURE 13-8 The Security Log in Event Viewer

FIGURE 13-9 Viewing the details of a Security Log event



When you first open the Security Log, there may be so many events
listed that you despair of ever locating the event you’re looking for. To
make it easier to locate specific events, you can filter the Security Log so
that only events of the type(s) you select are displayed. Filtering Security
Log events can help you to analyze the specific type(s) of events you want
to monitor.

STEP BY STEP

FILTERING SECURITY LOG EVENTS

1. Start Event Viewer. (Select Start ➪ Programs ➪ Administrative Tools ➪ Event
Viewer.)
2. The Event Viewer dialog box appears. In the left pane, highlight the Security Log.
Select View ➪ Filter.
3. The Security Log Properties dialog box appears with the Filter tab on top, as
shown in Figure 13-10. Notice the event types that you can select.

FIGURE 13-10 Filtering events

Select the check box next to the event type(s) you want displayed in the
Security Log.

Then, select the event source from the “Event source” drop-down list box.
Generally, the default selection of All is appropriate. However, if you only want
to view security events from a specific source, such as Directory Services, select
the appropriate source from this drop-down list box.
Finally, if you want to view only those events that occurred during a specific time
period, you can configure the time period by selecting Events On in the From and
To drop-down list boxes, and then specifying a start and stop date and time.
When you finish configuring filtering, click OK.
4. The Security Log in Event Viewer reappears. Only the events that meet the criteria
you configured on the Filter tab are displayed.

If you want to archive the events in the Security Log, you can save them
by using Event Viewer. After you archive the log, you should clear it so that
the archived events are no longer displayed, and there is room for the log to
accumulate new events.

STEP BY STEP

ARCHIVING AND CLEARING THE SECURITY LOG

1. Start Event Viewer. (Select Start ➪ Programs ➪ Administrative Tools ➪ Event
Viewer.)
2. The Event Viewer dialog box appears. In the left pane, highlight the Security Log.
Select Action ➪ Save Log File As.
3. In the Save “Security Log” As dialog box, select the folder in which you want to
save the Security Log from the “Save in” drop-down list box. Then, in the “File
name” text box, type in a name for the Security Log data you are saving.
Finally, in the “Save as type” drop-down list box, select the appropriate file
type. Select a file type of .evt if you plan to view this file later by using Event
Viewer. Select a file type of .txt if you want to view the file later by using a
text editor. Select a file type of .csv if you plan to export this data for later
analysis in a spreadsheet or database program.
Click Save.
4. After you’ve saved the Security Log, you may want to clear it. In the Event Viewer
dialog box, select Action ➪ Clear all Events.

5. Event Viewer asks if you want to save the Security Log before you clear it.
Because you just saved the Security Log, click No to continue.
6. Windows 2000 clears the Security Log and creates a success audit event with a
description that states “The audit log was cleared.” The description of this audit
event also includes the user name of the user who cleared the log.
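Once a Security Log has been archived as a .csv file, the same filtering that the Filter tab offers (event type, source, date range) can be done offline, which is how the regular review the text recommends usually gets done across many computers. The following added example (not code from the book) loads a constructed export, applies those filters, and pulls out the two items a reviewer checks first: repeated logon failures per account (the lock-icon events) and the “audit log was cleared” event, which records who cleared the log. The column layout of the export is an assumption; adjust the header names if your export differs. Event IDs 528/529 (logon success/failure), 560 (object open) and 517 (audit log cleared) are the Windows 2000 Security Log IDs for those events.

```python
"""Filter an archived Security Log export offline, mirroring Event Viewer's
Filter tab, and summarise logon failures and log-clearing events. Added
example, not from the book: the records are constructed and the column
layout is an assumption about the .csv export."""
import csv
import io
from datetime import datetime

# Constructed sample export with assumed columns.
SAMPLE_CSV = """\
Date,Time,Source,Type,Category,EventID,User,Computer
4/24/2000,9:30:12 AM,Security,Success Audit,Logon/Logoff,528,DOMAIN\\alanc,WS1
4/24/2000,9:31:05 AM,Security,Failure Audit,Logon/Logoff,529,DOMAIN\\guest,WS1
4/24/2000,9:31:09 AM,Security,Failure Audit,Logon/Logoff,529,DOMAIN\\guest,WS1
4/24/2000,9:31:14 AM,Security,Failure Audit,Logon/Logoff,529,DOMAIN\\guest,WS1
4/24/2000,10:02:44 AM,Security,Failure Audit,Object Access,560,DOMAIN\\alanc,WS1
4/25/2000,8:00:00 AM,Security,Success Audit,System Event,517,DOMAIN\\alanc,WS1
"""

TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def load_events(text):
    """Parse the export into dicts, adding a datetime under 'When'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["When"] = datetime.strptime(f"{row['Date']} {row['Time']}", TIME_FORMAT)
        events.append(row)
    return events


def filter_events(events, types=None, source=None, start=None, end=None):
    """Keep events that satisfy every criterion given (None means 'All')."""
    kept = []
    for e in events:
        if types and e["Type"] not in types:
            continue
        if source and e["Source"] != source:
            continue
        if start and e["When"] < start:
            continue
        if end and e["When"] > end:
            continue
        kept.append(e)
    return kept


def failed_logons_by_user(events):
    """Count event 529 (logon failure) per account."""
    counts = {}
    for e in filter_events(events, types={"Failure Audit"}):
        if e["EventID"] == "529":
            counts[e["User"]] = counts.get(e["User"], 0) + 1
    return counts


def log_cleared_events(events):
    """Event 517 records who cleared the Security Log; always review it."""
    return [e for e in events if e["EventID"] == "517"]


if __name__ == "__main__":
    log = load_events(SAMPLE_CSV)
    print("Failure audits:", len(filter_events(log, types={"Failure Audit"})))
    print("Failed logons by user:", failed_logons_by_user(log))
    for e in log_cleared_events(log):
        print(f"Security Log cleared on {e['Computer']} by {e['User']} at {e['When']}")
```

Keeping the filters as separate, composable parameters matches the Filter tab, where the event type check boxes, the source list and the From/To dates are applied together.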

There are a couple of additional settings you may want to configure on
the Security Log. You can configure the maximum size of the log, and the
action that Windows 2000 will take when the log becomes full.

STEP BY STEP

CONFIGURING SECURITY LOG PROPERTIES

1. Start Event Viewer. (Select Start ➪ Programs ➪ Administrative Tools ➪ Event
Viewer.)
2. The Event Viewer dialog box appears. In the left pane, highlight the Security Log.
Select Action ➪ Properties.
3. The Security Log Properties dialog box appears, as shown in Figure 13-11.

FIGURE 13-11 Configuring Security Log properties



In this dialog box, configure the maximum size of the Security Log. The default
maximum log size is 512K, which may be much smaller than you need if you plan
to audit multiple security events.
Next, select one of the three options to choose the action that Windows 2000
will take when the maximum log size is reached. Click OK.
4. Close Event Viewer.

Using Security Templates


A security template is a text-based .inf file that contains predefined security
settings that can be applied to one or more computers. A security template
can also be used to compare a computer’s existing security configuration
against a predefined, standard security configuration. Security templates are
particularly useful on large networks. An administrator can create a single
security configuration that can be applied to multiple computers, instead
of having to manually create the security configuration on each and every
computer.
Security templates can be created, edited, and managed by using the
Security Templates snap-in to the MMC. You must be a member of the
Administrators group to create, save, and implement security templates.

TIP
The Security Templates snap-in was originally included as part of the
Security Configuration Tool Set, but Microsoft split this tool set into two
components: the Security Templates snap-in and the Security Config-
uration and Analysis snap-in.

Microsoft has included several predefined security templates with
Windows 2000. These templates are stored, by default, in
SystemRoot\Security\Templates. Some of the most commonly used templates
include:
■ Default workstation (basicwk.inf)
■ Default server (basicsv.inf)
■ Default domain controller (basicdc.inf)
■ Compatible workstation or server (compatws.inf)
■ Secure workstation or server (securews.inf)
■ Highly secure workstation or server (hisecws.inf)
■ Secure domain controller (securedc.inf)
■ Highly secure domain controller (hisecdc.inf)
In the next two sections I’ll explain how to create and implement a
security template.

Creating a Security Template


Before you can create a security template, you should create an MMC
console that contains the Security Templates snap-in. This snap-in is then
used to create a security template.

STEP BY STEP

CREATING A NEW MMC CONSOLE

1. From the desktop, select Start ➪ Run.
2. In the Run dialog box, type mmc and click OK.
3. A new MMC console, named Console1, is displayed. Select Console ➪
Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, scroll down and highlight Security
Templates. Click Add. Then click Close.
6. In the Add/Remove Snap-in dialog box, click OK.
7. In the Console1 (Console Root) dialog box, select Console ➪ Save As.
8. In the Save As dialog box, type a name for your security console (such as
Security Console) in the “File name” text box, and click Save. By default,
Windows 2000 saves this new MMC console to your Administrative
Tools folder.
9. Close your security console.

There are two ways to create a security template. You can either edit
then save one of the predefined security templates, or you can create a
security template from scratch. By far the most common technique used is
modifying an existing security template.
STEP BY STEP

CREATING A NEW SECURITY TEMPLATE BY EDITING AN EXISTING TEMPLATE

1. Open the security console you created in the previous set of steps. (Select
Start ➪ Programs ➪ Administrative Tools ➪ Security Console.)
2. In the left pane of the security console, click the + next to Security Templates.
Then click the + next to C:\WINNT\Security\Templates. All of the secu-
rity templates on your computer, including the predefined security templates, are
displayed in the left pane, as shown in Figure 13-12.

FIGURE 13-12 Security templates

Highlight the existing security template you want to modify. Select Action ➪
Save As.
3. In the Save As dialog box, type in the name you want to assign to the new tem-
plate you’re creating in the “File name” text box. Click Save.
4. In the left pane of the security console, click the + next to the name of the security
template you just created. Further expand the components of the security tem-
plate as necessary. Figure 13-13 shows the contents of a new security template I
created. Notice that the configurable settings in a security template are the same
as the configurable settings available in Local Security Policy, Domain Security
Policy, and Domain Controller Security Policy.

FIGURE 13-13 Contents of a security template

Modify the individual security settings in the template to meet your needs.
5. When you’re finished configuring the security template, highlight the name of your
security template in the left pane, and select Action ➪ Save.
6. Close the security console. If prompted, click Yes to save console settings to your
security console.

You may decide you want to create a security template from scratch.
The following steps explain how to perform this process.

STEP BY STEP

CREATING A NEW SECURITY TEMPLATE FROM SCRATCH

1. Open the security console you created earlier in this chapter. (Select Start ➪
Programs ➪ Administrative Tools ➪ Security Console.)
2. In the left pane of the security console, click the + next to Security Templates.
Then click the + next to C:\WINNT\Security\Templates.

To create a new security template, highlight C:\WINNT\Security\Templates,
and select Action ➪ New Template.
3. In the C:\WINNT\Security\Templates dialog box, type a name for your new secu-
rity template in the “Template name” text box. You can also enter a description for
the new template if you want to. Click OK.
4. In the right pane of the security console dialog box, double-click the new security
template you just created.
5. Modify the individual security settings in the new security template to meet
your needs.
6. When you finish configuring the security template, highlight the name of your
security template in the left pane, and select Action ➪ Save.
7. Close the security console. If prompted, click Yes to save console settings to your
security console.

Implementing a Security Template


Once you’ve chosen a security template to use (either one of the precon-
figured ones or one that you’ve created), you need to implement it. There
are two primary ways to implement a security template: you can either
apply the security template directly to the local computer, or you can
import the security template into a Group Policy object (GPO) in Active
Directory, where it will be applied to all computers affected by that GPO.
To apply a security template to the local computer, use the Local
Security Policy tool, as explained in the following steps.

STEP BY STEP

APPLYING A SECURITY TEMPLATE TO THE LOCAL COMPUTER

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Local Security Policy.
2. In the Local Security Settings dialog box, select Action ➪ Import Policy.
3. In the Import Policy From dialog box, the security templates on this computer are dis-
played. Double-click the security template you want to apply to the local computer.
4. Close the Local Security Settings dialog box.
When you apply a security template to the local computer, it’s impor-
tant to keep in mind how the security settings in Group Policy are applied.
If the computer you are applying the security template to is a member of a
domain, it may be affected by other security settings configured at the
domain level or set in various GPOs in Active Directory.

CROSS-REFERENCE
For more information on how Group Policy is applied, see Chapter 10.

If you want a security template to be applied to a group of computers,
you might consider importing that security template into a GPO that
affects those computers. The next set of steps explains how to import a
security template into a GPO associated with a domain or an OU.

STEP BY STEP

IMPORTING A SECURITY TEMPLATE INTO A GPO

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs as necessary until the domain or OU associated with the GPO
to which you want to import a security template is displayed in the left pane.
Highlight the domain or OU, then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO to which you want to import a secu-
rity template and click Edit. (Or, you can double-click the GPO.)
5. The Group Policy dialog box appears. Click the + next to the Windows
Settings folder in the Computer Configuration section. Then highlight the
Security Settings container. Select Action ➪ Import Policy.
6. In the Import Policy From dialog box, the security templates on this computer are
displayed. Double-click the security template you want to import into the GPO.
7. Close the Group Policy dialog box.
8. In the domain or OU’s Properties dialog box, click OK.
9. Close Active Directory Users and Computers.

Using Security Configuration and Analysis


Security Configuration and Analysis is another snap-in to the MMC. You
can use this snap-in to compare the security configuration on a Windows
2000 computer against a predefined security configuration in a security
template that is loaded into the Security Configuration and Analysis
snap-in. You can also use this snap-in to apply a security template’s settings to the
local computer. As with the Security Templates snap-in, you must be a
member of the Administrators group to use the Security Configuration and
Analysis snap-in.

EXAM TIP
Both the Server and Directory Services exams have objectives relating to
security configuration and analysis. Make sure you are very comfortable
with both the Security Templates and the Security Configuration and
Analysis snap-ins before you take these exams.

Before you can use the Security Configuration and Analysis snap-in,
you’ll probably want to add it to the security console you created earlier in
this chapter.

STEP BY STEP

ADDING THE SNAP-IN TO YOUR SECURITY CONSOLE

1. Open the security console you created earlier in this chapter. (Select Start ➪
Programs ➪ Administrative Tools ➪ Security Console.)
2. In the security console dialog box, select Console ➪ Add/Remove Snap-in.
3. In the Add/Remove Snap-in dialog box, click Add.
4. In the Add Standalone Snap-in dialog box, scroll down and highlight Security
Configuration and Analysis. Click Add. Then click Close.
5. In the Add/Remove Snap-in dialog box, click OK.
6. In the security console dialog box, select Console ➪ Save.
7. Close the security console dialog box.

I’ll show you how to use the Security Configuration and Analysis snap-
in in the following sections.

Creating and Opening a Database


Before you can use the Security Configuration and Analysis snap-in to
analyze a computer’s security configuration, you must first create or open a
database within the snap-in. This database will contain the settings from a
security template against which the computer’s security configuration will
be compared.

STEP BY STEP

CREATING AND OPENING A DATABASE

1. Open the security console you created earlier in this chapter. (Select Start ➪
Programs ➪ Administrative Tools ➪ Security Console.)
2. In the left pane of the security console, highlight Security Configuration and
Analysis. Select Action ➪ Open database. (Or, you can right-click Security
Configuration and Analysis and select Open database from the menu that
appears.)
3. The Open database dialog box appears. The contents of the Database folder
on this computer are displayed. By default, this folder is empty.
To open a database that you have previously created, double-click the
database.
To create a new database, type in a name for the database in the “File name”
text box, and click Open.
4. In the Import Template dialog box, the security templates on this computer are dis-
played. Double-click the security template you want to import into the database.
5. Windows 2000 creates the database and returns you to the security console dialog
box. Leave this dialog box open if you plan to analyze or configure your computer.

Analyzing a Computer
Once you’ve created a database (or opened an existing database) in the
Security Configuration and Analysis snap-in, you’re ready to use this
snap-in to analyze your computer. What really happens here is that the Security
Configuration and Analysis snap-in compares your computer’s security
configuration settings against the security configuration settings in the
security template you’ve loaded into the database.

Once the analysis is performed, you can view the results of the analysis
by using the Security Configuration and Analysis snap-in, and determine
whether your computer meets the security standards specified in the secu-
rity template.

STEP BY STEP

ANALYZING A COMPUTER’S SECURITY CONFIGURATION

1. Open the security console you created earlier in this chapter. (Select Start ➪
Programs ➪ Administrative Tools ➪ Security Console.)
2. If you haven’t already done so, follow the steps in the previous section to create
or open a database.
3. In the left pane of the security console, highlight Security Configuration and
Analysis. Select Action ➪ Analyze Computer Now.
4. In the Perform Analysis dialog box, click OK to accept the default error log
file path.
5. Security Configuration and Analysis analyzes the computer.
6. To view the results of the analysis, in the left pane of the security console dialog
box, click the + next to Security Configuration and Analysis. Then continue
expanding containers and folders until the container or folder that contains the
security settings for which you want to view the analysis results is displayed in
the left pane. Highlight that container or folder.
7. The analysis results are displayed in the right pane of the security console, as
shown in Figure 13-14. Notice the symbols used to indicate compliance or non-
compliance with the security settings in the database. An X in a red circle indi-
cates noncompliance, and a check mark in a white circle indicates compliance.
Also notice the Database Setting and Computer Setting columns. The Database
Setting column displays the desired security settings, as specified by the security
template settings contained in the database. The Computer Setting column dis-
plays the computer’s actual security settings.
8. When you finish viewing the results of the analysis, close the security console. Or,
if you want to apply the security settings in the database to the computer, leave
the security console open — I’ll show you how to apply these settings to your com-
puter in the next section.

FIGURE 13-14 Viewing analysis results
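As an added illustration (my code, not the book’s or Microsoft’s), the following Python script mimics the comparison the snap-in performs: it parses a constructed security template in the text-based .inf layout, compares each setting with a constructed set of the computer’s current values, and flags each one the way the Database Setting and Computer Setting columns do. The section and key names, and the audit-value encoding (0 none, 1 success, 2 failure, 3 both), are my assumptions about the template format; the book does not spell them out.

```python
"""Compare a security template against a computer's current settings.

Added example (not code from the book or from Microsoft's tools): it mimics
the Database Setting / Computer Setting comparison that Security
Configuration and Analysis performs. The template text is constructed; its
section and key names follow the Windows 2000 .inf template layout as I
understand it, which is an assumption.
"""
import configparser
from dataclasses import dataclass

# Registry path behind "Clear virtual memory pagefile when system shuts down"
# (assumed; written the way template files spell registry values).
PAGEFILE_KEY = (
    "MACHINE\\System\\CurrentControlSet\\Control\\Session Manager"
    "\\Memory Management\\ClearPageFileAtShutdown"
)

# Constructed sample template in the INI-style layout of a text-based .inf.
# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
# [Registry Values] entries are "<type>,<value>"; type 4 is REG_DWORD.
TEMPLATE_INF = f"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5

[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditDSAccess = 3

[Registry Values]
{PAGEFILE_KEY}=4,1
"""

# Constructed "Computer Setting" values, as the snap-in would read them from
# the local machine. Two settings drift from the template on purpose.
COMPUTER_SETTINGS = {
    ("System Access", "MinimumPasswordLength"): "8",
    ("System Access", "PasswordComplexity"): "1",
    ("System Access", "LockoutBadCount"): "5",
    ("Event Audit", "AuditLogonEvents"): "3",
    ("Event Audit", "AuditObjectAccess"): "1",  # success only: failures go unaudited
    ("Event Audit", "AuditDSAccess"): "3",
    ("Registry Values", PAGEFILE_KEY): "4,0",   # pagefile is not cleared at shutdown
}

AUDIT_LABELS = {"0": "No auditing", "1": "Success", "2": "Failure",
                "3": "Success, Failure"}


@dataclass
class Finding:
    section: str
    key: str
    database_setting: str
    computer_setting: str
    status: str  # "compliant", "noncompliant" or "not analyzed" (my labels)


def parse_template(text: str) -> dict:
    """Return {(section, key): value} from template text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case; registry paths are mixed case
    cp.read_string(text)
    return {(sec, key): val.strip()
            for sec in cp.sections() for key, val in cp.items(sec)}


def describe(section: str, value: str) -> str:
    """Render a raw value the way the snap-in's columns show it."""
    if section == "Event Audit":
        return AUDIT_LABELS.get(value, value)
    if section == "Registry Values":
        return value.split(",", 1)[-1]  # drop the registry type prefix
    return value


def analyze(template: dict, computer: dict) -> list:
    """Compare every template (database) setting with the computer's value."""
    findings = []
    for (section, key), desired in template.items():
        actual = computer.get((section, key))
        if actual is None:
            status = "not analyzed"  # the computer has no such setting to compare
        elif actual == desired:
            status = "compliant"     # check mark in the snap-in
        else:
            status = "noncompliant"  # red X in the snap-in
        findings.append(Finding(section, key, describe(section, desired),
                                describe(section, actual or ""), status))
    return findings


def noncompliant(findings: list) -> list:
    """Keys of the settings that would show a red X."""
    return [f.key for f in findings if f.status == "noncompliant"]


def report(findings: list) -> str:
    """Plain-text rendering of the result pane."""
    marks = {"compliant": "OK", "noncompliant": "X ", "not analyzed": "? "}
    lines = []
    for f in findings:
        name = f.key.rsplit("\\", 1)[-1]  # show only the last path element
        lines.append(f"{marks[f.status]} {f.section}: {name}  "
                     f"[database: {f.database_setting} | computer: {f.computer_setting}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(parse_template(TEMPLATE_INF), COMPUTER_SETTINGS)))
```

Running it prints one line per setting; the two settings that drift in the constructed data (object access auditing and the pagefile-clearing option) are the ones marked X.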

Configuring a Computer
Once you’ve analyzed your computer against a predefined set of security
settings, you may decide that you want to apply the security template set-
tings contained in the Security Configuration and Analysis database to the
local computer. For example, if the results of the analysis show that your
computer doesn’t meet your company’s security settings standard (as set
forth in the security template you used in the database to analyze the com-
puter), you may need to use the Security Configuration and Analysis snap-
in to apply the settings in the template to the noncompliant computer.

STEP BY STEP

APPLYING SECURITY SETTINGS TO THE LOCAL COMPUTER

1. Open the security console you created earlier in this chapter. (Select Start ➪
Programs ➪ Administrative Tools ➪ Security Console.)
2. If you haven’t already done so, follow the steps in the previous section to create
or open a database. Make sure you select a database that contains the security
settings you want to apply to this computer.
Optionally, you may want to analyze the computer to compare its security settings
with those contained in the database.
3. In the left pane of the security console, highlight Security Configuration and
Analysis. Select Action ➪ Configure Computer Now.
4. In the Configure System dialog box, click OK to accept the default error log
file path.
5. Security Configuration and Analysis configures your computer’s security settings.
This takes a few minutes.
6. Close the security console dialog box. If prompted, click Yes to save settings to
the security console.

Using the Command-Line Version of Security Configuration and Analysis
You can use a command-line version of the Security Configuration and
Analysis snap-in, called secedit.exe, to perform the same tasks you can
perform by using the snap-in. You can use secedit.exe to create and
open a database, analyze a computer, and apply security settings to a com-
puter. In addition to performing security configuration and analysis tasks,
you can use secedit.exe to force an immediate refresh of Group Policy
settings on the local computer.
So why would you want to use a command-line version of a tool when
you can use a nice, GUI version? Well, let me ask you, do you want to sit
down at each and every computer on your network and perform security
analysis? Or would you rather configure a computer startup script that
includes secedit.exe commands to analyze the computer’s security
configuration for you automatically? You can even specify the network
location where secedit.exe will store the results of the analysis, so you
can view the log files at a later time.

The syntax and parameters for secedit.exe are beyond the scope of
this book. However, you can easily access the Windows 2000 Help for the
secedit.exe command-line utility.

STEP BY STEP

ACCESSING HELP FOR SECEDIT.EXE

1. Select Start ➪ Run.
2. In the Run dialog box, type secedit /? in the Open text box, and click OK.
3. The Automating Security Configuration Management Help dialog box appears,
which contains extensive information on using secedit.exe.

Troubleshooting Auditing and Security


Auditing and security problems are sometimes difficult to diagnose. Often,
you don’t even know a problem exists until someone violates your net-
work’s security. Auditing and security problems typically fall into one of
two categories: either a user who is supposed to have access to a particular
network resource is unable to access that resource, or a user who isn’t sup-
posed to be able to access a resource has somehow been able to breach
your security and gain access.
No matter which category your auditing and security problem falls into,
the troubleshooting approach you use to solve it is the same. I recommend
that you first identify, as clearly as possible, your problem, including which
user(s) and resource(s) are affected by the problem. Once you’ve clearly
identified your problem, I recommend that you analyze the security con-
figuration for the resource in question and determine the cause of the
problem. Finally, you can take the appropriate steps to resolve the problem.
That said, here are a few tips to help you diagnose and resolve auditing
and security problems.
■ If you’ve configured object access auditing in the Properties dialog
box of an object, but no events are appearing in the Security Log,
ensure that you have also enabled the appropriate type of system
access auditing (either auditing of object access or auditing of
directory service access, depending on the object you want to
audit). Remember that until auditing is configured in both places,
object access auditing won’t occur.
■ Suppose that you’ve enabled system access auditing, and you’ve
also enabled object access auditing for a specific object. You log on
as a user with no permissions to access the object and try to gain
access to the object multiple times. However, when you view the
Security Log, no audit events indicating your attempts to access the
object are displayed. In this situation, ensure that the Failure check
box is selected for system access auditing, and also that the Failed
check box is selected for all types of access to the object. These
check boxes will produce audit events for unsuccessful attempted
accesses to the object.
■ Suppose that you’ve applied an audit policy to a Windows 2000
computer (that is a member of a domain) by using Local Security
Policy, but when you view the effective audit policy settings in
Local Security Policy, the effective settings are listed as “No audit-
ing.” In this case, you should check the audit policy settings that
may be set at another level of the network, including the audit pol-
icy settings in each Group Policy object that affects this computer.
Remember the Group Policy inheritance rules, and that the Group
Policy applied last is the one that takes precedence.
■ If you’re concerned that users and other administrators have modi-
fied security settings on their Windows 2000 computers away from
the company’s standard security settings, you can use the Security
Configuration and Analysis snap-in to compare these computers
against the predefined security settings adopted by your company.
If differences are detected, you can also use Security Configuration
and Analysis to apply the company’s security settings to noncom-
pliant computers.
■ If you’ve imported security templates into a GPO to provide secu-
rity for your Directory Services infrastructure, but the template
isn’t being applied the way you thought it would be applied, ensure
that inheritance is not preventing the application of the security
settings in the GPO.

KEY POINT SUMMARY

This chapter introduced several important auditing and security topics:


■ When enabled, auditing produces a log of specified security events that occur
on a Windows 2000 computer. Audited events are written to the Security Log
in Event Viewer. By default, auditing is not enabled.
■ Windows 2000 auditing is divided into two areas: system access auditing and
object access auditing. If you want to perform object access auditing, you
must also enable system access auditing.
■ There are a number of tools you can use to configure Audit Policy, including
Local Security Policy, Domain Security Policy, Domain Controller Security
Policy, Active Directory Users and Computers, and so on. The tool you use
depends on which computer(s) you want the audit policy to apply to.
■ To modify the auditing configuration of Active Directory Objects, use Active
Directory Users and Computers (or Active Directory Sites and Services, if you
want to modify the auditing configuration of a site).
■ Use Windows Explorer to configure auditing of files or folders.
■ Use the Printers folder to configure auditing of printers.
■ You can use Event Viewer to view, monitor, and analyze the results of the
auditing.
■ A security template is a text-based .inf file that contains predefined security
settings that can be applied to one or more computers. You can use the
Security Templates snap-in to the MMC to create, edit, and manage security
templates.
■ You can either apply a security template directly to the local computer, or you
can import a security template into a GPO where it will be applied to all com-
puters affected by that GPO.
■ The Security Configuration and Analysis snap-in is used to compare the exist-
ing security configuration of a Windows 2000 computer against a predefined
security configuration in a security template.
■ There is a command-line version of the Security Configuration and Analysis
snap-in — it’s called secedit.exe.

STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about auditing and security, and to help you prepare for the
Professional, Server, and Directory Services exams:
■ Assessment Questions: These questions test your knowledge of
the auditing and security topics covered in this chapter. You’ll find
the answers to these questions at the end of this chapter.
■ Scenarios: The situation-based questions in scenarios challenge
you to apply your understanding of the material to solve a
hypothetical problem. In this chapter’s scenarios, you are asked to
troubleshoot auditing and security problems and answer the questions
following each problem. You don’t need to be at a computer to do
scenarios. Answers to this chapter’s scenarios are presented at the
end of this chapter.
■ Lab Exercises: These exercises are hands-on practice activities
that you perform on a computer. The lab in this chapter gives you
an opportunity to practice managing auditing and security in
Windows 2000.

Assessment Questions
1. You want to enable system access auditing on a Windows 2000 Server
computer that is a domain controller. Which tool should you use?
A. System
B. Windows Explorer
C. Domain Security Policy
D. Domain Controller Security Policy
2. You want to enable auditing of several folders on a Windows 2000
Professional computer. You have already enabled system access
auditing. Which tool should you use?
A. Local Security Policy
B. Windows Explorer
C. Folder Options
D. System
3. Three days ago you configured auditing of a printer on a Windows
2000 computer that is a member of a domain, but no audit events are
being written to the Security Log, even though you know that users
have printed more than 100 documents to this printer. What should
you do to resolve the problem?
A. Either wait for the audit policy to be propagated to this com-
puter, or use secedit.exe to force a refresh of audit policy on
this computer.
B. Enable system access auditing on the Windows 2000 computer.
C. Configure the filter on the Security Log so that both “Success
audit” and “Failure audit” events are displayed.
D. Shut down and restart the computer so the audit policy will
take effect.
4. Which Event Viewer log can you use to view the results of auditing?
A. Application Log
B. Security Log
C. System Log
D. Directory Service log
5. You recently used Domain Security Policy to set Audit Policy for all
of the Windows 2000 computers in a domain. However, the Audit
Policy settings are not being applied to your domain controller. In
fact, when you configured object access auditing for folders on the
domain controller, you received a Security message indicating that
“the current Audit Policy for this computer does not have auditing
turned on.” What should you do to resolve the problem?
A. Use Add/Remove Programs to add and enable the auditing
feature on the domain controller.
B. Use Local Security Policy to enable auditing on the domain
controller.
C. Use Domain Controller Security Policy to enable auditing on the
domain controller.
D. Wait until the Audit Policy is propagated from the domain to the
domain controller. Then reconfigure object access auditing to the
folders.

6. Which tasks can you perform by using the Security Templates snap-in
to the MMC? (Choose all that apply.)
A. Create security templates.
B. Edit security templates.
C. Import security templates.
D. Compare a computer’s security configuration settings against the
security configuration settings in a specific security template.
7. What is the name of the command-line utility you can use to
perform the same tasks as you can perform by using Security
Configuration and Analysis?
A. gpedit.msc
B. secpol.msc
C. poledit.exe
D. secedit.exe
8. You are archiving a Security Log for later analysis in a spreadsheet.
Which file type should you assign to the log when you save it?
A. .evt
B. .txt
C. .csv
D. .exe

Scenarios
Troubleshooting auditing and security on a Windows 2000 computer or a
Windows 2000 network can be a painstaking, though necessary, task. For
each of the following troubleshooting problems, consider the given facts
and answer the questions that follow.
1. You recently configured object access auditing for multiple files and
folders on a Windows 2000 Server computer, but no auditing events
are appearing in the Security Log.
a. What is the most likely cause of this problem?
b. What should you do to resolve this problem?
2. You recently configured a security policy on a Windows 2000
Professional computer (that is a member of a domain) by using Local
Security Policy. You also configured security policy settings in
multiple GPOs in Active Directory that apply to various computers
throughout the domain. However, when you view the effective set-
tings for Security Options in Local Security Policy, the effective
settings are listed as “Not defined.”
a. What is the most likely cause of this problem?
b. What should you do to resolve this problem?

Lab Exercises
Lab 13-1 Managing Auditing and Security
EXAM MATERIAL: Professional, Server, Directory Services

The purpose of this lab is to provide you with an opportunity to manage
auditing and security in a Windows 2000 environment.
There are four parts to this lab:
■ Part 1: Implementing Auditing and Audit Policy
■ Part 2: Monitoring and Analyzing Security Events
■ Part 3: Implementing Security by Using a Security Template
■ Part 4: Analyzing and Applying a Security Configuration
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Implementing Auditing and Audit Policy


In this part, you implement a domain audit policy, refresh your computer’s
policy settings, and then configure auditing of a folder, a printer, and an
Active Directory object.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Domain Controller
Security Policy.

2. In the left pane of the Domain Controller Security Policy dialog box,
click the + next to Security Settings. Then click the + next to Local
Policies. Highlight Audit Policy.
3. In the right pane, double-click “Audit directory service access.”
4. In the Security Policy Setting dialog box, select the check box next to
“Define these policy settings.” Then, ensure that the check boxes next
to Success and Failure are both selected. Click OK.
5. In the right pane, double-click “Audit logon events.”
6. In the Security Policy Setting dialog box, select the check box next to
“Define these policy settings.” Then ensure that the check boxes next
to Success and Failure are both selected. Click OK.
7. In the right pane, double-click “Audit object access.”
8. In the Security Policy Setting dialog box, select the check box next to
“Define these policy settings.” Then ensure that the check boxes next
to Success and Failure are both selected. Click OK.
9. Close the Domain Controller Security Policy dialog box.
10. Select Start ➪ Run.
11. In the Run dialog box, type
secedit /refreshpolicy machine_policy
and click OK.
12. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪
Windows Explorer.)
13. In the left pane, click the + next to My Computer, then highlight
Local Disk (C:).
14. In the right pane, right-click the Program Files folder and select
Properties from the menu that appears.
15. In the Program Files Properties dialog box, click the Security tab.
16. On the Security tab, click Advanced.
17. In the Access Control Settings for Program Files dialog box, click the
Auditing tab.
18. On the Auditing tab, click Add.
19. In the Select User, Computer, or Group dialog box, double-click the
Authenticated Users group.

20. In the Auditing Entry for Program Files dialog box, select the
Successful and Failed check boxes next to List Folder/Read Data.
Click OK.
21. In the Access Control Settings for Program Files dialog box,
click OK.
22. In the Program Files Properties dialog box, click OK.
23. In the left pane, scroll down and click the + next to Control Panel.
Then highlight the Printers folder.
24. In the right pane, right-click the AGFA-AccuSet v52.3 printer, and
select Properties from the menu that appears.
25. In the AGFA-AccuSet v52.3 Properties dialog box, click the
Security tab.
26. On the Security tab, click Advanced.
27. In the Access Control Settings for AGFA-AccuSet v52.3, click the
Auditing tab.
28. On the Auditing tab, click Add.
29. In the Select User, Computer, or Group dialog box, double-click the
Everyone group.
30. In the Auditing Entry for AGFA-AccuSet v52.3, select the Successful
and Failed check boxes next to Print. (The Read Permissions check
boxes are automatically checked when you select the Print check
boxes.) Click OK.
31. In the Access Control Settings for AGFA-AccuSet v52.3 dialog box,
click OK.
32. In the AGFA-AccuSet v52.3 Properties dialog box, click OK.
33. Close the Printers folder.
34. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory
Users and Computers.
35. In the left pane of the Active Directory Users and Computers dialog
box, highlight domain1.mcse. Select Action ➪ Properties.
36. In the domain1.mcse Properties dialog box, click the Security tab.
37. On the Security tab, click Advanced.
38. In the Access Control Settings for domain1 dialog box, click the
Auditing tab.

39. On the Auditing tab, double-click the default auditing entry named
Everyone.
40. In the Auditing Entry for domain1 dialog box, notice the default
settings on both the Object and Properties tabs. Then, on the Object tab,
select the Successful and Failed check boxes next to List Contents.
Click OK.
41. In the Access Control Settings for domain1 dialog box, click OK.
42. In the domain1.mcse Properties dialog box, click OK.
43. Close Active Directory Users and Computers.

Part 2: Monitoring and Analyzing Security Events


In this part, you create a failure audit event, and then use Event Viewer to
view, filter, and analyze auditing and security events.
1. Select Start ➪ Shut Down.
2. In the Shut Down Windows dialog box, select Log off Administrator
from the drop-down list box. Click OK.
3. Press Ctrl + Alt + Delete. In the Log On to Windows dialog box,
type in a user name of Administrator, a password of wrongo, and
click OK.
4. In the Logon Message dialog box, click OK.
5. In the Log On to Windows dialog box, type in a user name of
Administrator, a password of password, and click OK.
6. Select Start ➪ Programs ➪ Administrative Tools ➪ Event Viewer.
7. In the left pane of the Event Viewer dialog box, highlight the Security
Log. Notice the large number of events that appear in the right pane.
Select View ➪ Filter.
8. In the Security Log Properties dialog box, clear the check boxes next
to Information, Warning, Error, and Success audit. Click OK.
9. The Security Log in Event Viewer reappears. Notice that now only
failure audit events are listed in the right pane. In the right pane, dou-
ble-click the most recent failure audit event. (This is the event at the
top of the list.)

10. In the Event Properties dialog box, read the detailed information
about the audit event. Notice that the failure event is a logon failure
due to an unknown user name or a bad password. (This is the event
you generated in Step 3.) Click OK.
11. Close Event Viewer.

Part 3: Implementing Security by Using a Security Template


In this part, you add the Security Templates snap-in and the Security
Configuration and Analysis snap-in to an MMC console. Then you use the
Security Templates snap-in to create a new security template. Finally, you
apply the new security template to both the local computer and to a GPO
in Active Directory.
1. From the desktop, select Start ➪ Run.
2. In the Run dialog box, type mmc and click OK.
3. A new MMC console, named Console1, is displayed. Maximize the
Console Root dialog box within the Console 1 dialog box. Select
Console ➪ Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, scroll down and double-click
Security Templates. Then double-click Security Configuration
and Analysis. Then click Close.
6. In the Add/Remove Snap-in dialog box, click OK.
7. In the Console1 (Console Root) dialog box, select Console ➪ Save As.
8. In the Save As dialog box, type Security Configuration Tool Set
in the “File name” text box, and click Save.
9. In the left pane of the console, click the + next to Security Templates.
Then click the + next to C:\WINNT\Security\Templates. All of
the security templates on your computer, including the predefined
security templates, are displayed in the left pane. Highlight basicsv.
Then select Action ➪ Save As.
10. In the Save As dialog box, type My Security Template in the “File
name” text box. Click Save.
11. In the left pane of the console, click the + next to My Security
Template. Then click the + next to Local Policies. Highlight
Security Options. In the right pane, double-click “Clear virtual
memory pagefile when system shuts down.”

12. In the Template Security Policy Setting dialog box, select the check
box next to “Define this policy setting in the template.”Then select
the Enabled option. Click OK.
13. In the left pane of the console, highlight My Security Template,
and select Action ➪ Save.
14. Close the Security Configuration Tool Set dialog box. When
prompted, click Yes to save console settings to the Security
Configuration Tool Set.
15. Select Start ➪ Programs ➪ Administrative Tools ➪ Local Security Policy.
16. In the Local Security Settings dialog box, select Action ➪ Import Policy.
17. In the Import Policy From dialog box, double-click My Security
Template.
18. Close the Local Security Settings dialog box.
19. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory
Users and Computers.
20. In the left pane of the Active Directory Users and Computers dialog
box, highlight domain1.mcse. Select Action ➪ Properties.
21. In the domain1.mcse Properties dialog box, click the Group Policy tab.
22. On the Group Policy tab, highlight the Default Domain Policy GPO,
and click Edit.
23. In the Group Policy dialog box, click the + next to the Windows
Settings folder in the Computer Configuration section.Then high-
light the Security Settings container. Select Action ➪ Import Policy.
24. In the Import Policy From dialog box, double-click My Security
Template.
25. Close the Group Policy dialog box.
26. In the domain1.mcse Properties dialog box, click OK.
27. Close Active Directory Users and Computers.

Part 4: Analyzing a Security Configuration


In this part, you use Security Configuration and Analysis to analyze your
Windows 2000 Server computer’s current security configuration.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Security
Configuration Tool Set.

2. In the left pane of the console, highlight Security Configuration and
Analysis. Select Action ➪ Open database.
3. In the Open database dialog box, type My Database in the “File
name” text box, and click Open.
4. In the Import Template dialog box, double-click hisecdc.
5. Windows 2000 creates the database and returns you to the console
dialog box. In the left pane of the console, highlight Security
Configuration and Analysis. Select Action ➪ Analyze Computer Now.
6. In the Perform Analysis dialog box, click OK to accept the default
error log file path.
7. Security Configuration and Analysis analyzes the computer.
8. To view the results of the analysis, in the left pane of the console,
click the + next to Security Configuration and Analysis. Click the +
next to Local Policies. Then highlight Security Options.
9. The analysis results are displayed in the right pane. Notice that this
computer is not compliant with the security settings in the hisecdc
security template. Close the Security Configuration Tool Set dialog
box. If prompted, click Yes to save console settings to the Security
Configuration Tool Set.

Answers to Chapter Questions


Chapter Pre-Test
1. Windows 2000 auditing is divided into two areas: auditing of access
to the system (often called system access auditing) and auditing of
access to objects (often called object access auditing).
2. You can audit a number of different objects in Windows 2000, such as
Active Directory objects (including users, groups, computers, OUs,
domains, and so on), files, folders, and printers.
3. Event Viewer
4. A security template is a text-based .inf file that contains predefined
security settings that can be applied to one or more computers. A security
template can also be used to compare a computer’s existing security
configuration against a predefined, standard security configuration.
5. You can use the Security Templates snap-in to create, edit, and manage
security templates.
6. There are two primary ways to implement a security template: you
can either apply the security template directly to the local computer;
or you can import the security template into a Group Policy object
(GPO) in Active Directory, where it will be applied to all computers
affected by that GPO.
7. The Security Configuration and Analysis snap-in

Assessment Questions
1. D. Using Domain Controller Security Policy is the best choice.
You can set audit policy in Domain Security Policy, but auditing
will not be enabled on domain controllers until you enable it in
the Default Domain Controllers Policy GPO by using either the
Domain Controller Security Policy tool, Active Directory Users
and Computers, or the Group Policy snap-in to the MMC.
2. B. Once system access auditing has been enabled, you can enable
object access auditing of folders by configuring the folders’ Properties
dialog boxes in Windows Explorer.
3. B. The most likely cause of the lack of audit events in the Security
Log is that system access auditing has not yet been enabled on this
Windows 2000 computer. To audit access to an object, such as a
printer, you must not only configure object access auditing, you
must configure system access auditing as well.
4. B. Audited events are written to the Security Log in Event Viewer.
5. C. Because the domain controller’s Audit Policy is being overridden
by the Default Domain Controllers Policy GPO, you should use
Domain Controller Security Policy (or Active Directory Users and
Computers) to modify this GPO and thereby enable auditing on the
domain controller.
6. A, B. You can create, edit, delete, and save security templates by using
the Security Templates snap-in. However, if you want to import a
security template you’ll need to use another tool, such as Local
Security Policy or Active Directory Users and Computers. If you
want to compare a computer’s security configuration against the
configuration of a specific template, you’ll need to use Security
Configuration and Analysis.
7. D.
8. C. Saving the Security Log as a comma-delimited file is probably the
best choice if you want to analyze the data later in a spreadsheet.

Scenarios
1. The most likely cause of this problem is that system access auditing
for object access has not been enabled on the Windows 2000 Server
computer. To resolve the problem, use the appropriate tool (Local
Security Policy, Domain Security Policy, Domain Controller Security
Policy, and so on) to enable system access auditing on the Windows
2000 Server computer. Then auditing of the files and folders will
occur, and the audit events will be written to the Security Log.
2. The most likely cause of this problem is that security policy settings
in a GPO are overriding the security policy settings you set on this
Windows 2000 Professional computer by using Local Security Policy.
Check the security policy settings set at other levels of the network,
including each GPO that may affect this computer. Remember the
Group Policy inheritance rules, and that the Group Policy applied last
is the one that takes precedence.
EXAM MATERIAL: Professional, Server, Directory Services

EXAM OBJECTIVES

Professional: Exam 70-210

■ Monitor and configure removable media, such as tape devices.
■ Recover systems and user data.
■ Recover systems and user data by using Windows Backup.
■ Troubleshoot system restoration by using Safe Mode.
■ Recover systems and user data by using the Recovery Console.

Server: Exam 70-215

■ Manage and optimize availability of system state data and user data.
■ Recover systems and user data.
■ Recover systems and user data by using Windows Backup.
■ Troubleshoot system restoration by using Safe Mode.
■ Recover systems and user data by using the Recovery Console.

Directory Services: Exam 70-217

■ Back up and restore Active Directory.
■ Perform an authoritative restore of Active Directory.
■ Recover from a system failure.
CHAPTER 14
Backup and Recovery

This chapter covers backup and recovery in a Windows 2000 environment.
If you’re reading this book, it’s probably important for you to know
how to back up and restore data. I’ll begin by discussing how to manage and
optimize the availability of data on your network. I’ll also define a couple of key
terms: user data and System State data. Next, I’ll jump right in to using
Backup, the backup utility that ships with Windows 2000. I’ll cover what to
back up and backup types and strategies, as well as how to actually use
Backup to perform backups, schedule backups, and create an Emergency
Repair Disk.
Then I’ll move on to using Backup to restore user data and System State
data. In this section I’ll address restoring the Active Directory database, which
is a component of System State data, and the differences between performing
a nonauthoritative restore versus an authoritative restore.
Next, I’ll explore how to recover from a system failure. You’ll learn how to
use Safe Mode to troubleshoot and restore a system, and how to use the
Recovery Console and the Emergency Repair Disk to restore a system. Finally,
I’ll discuss monitoring and configuring removable media.

910 Part III ▼ Managing and Securing Resources

Chapter Pre-Test
1. What is user data?
2. What is System State data?
3. How can you access the Windows 2000 backup program
called Backup?
4. What are the three primary tasks you can perform by
using Backup?
5. What is an Emergency Repair Disk?
6. Who can perform backups and restores?
7. What are the two types of restores you can perform of Active
Directory?
8. List three Windows 2000 tools you can use to recover from a
system failure.
9. What is the name of the Windows 2000 management tool used
to manage removable media?
Chapter 14 ▼ Backup and Recovery 911

Managing and Optimizing the Availability of User Data and System State Data
As a network administrator, it’s your job to manage and optimize the
availability of data on your network. In a nutshell, this means you have to
secure the data on your company’s network, protect it from loss, and ensure
that it’s always available when users need it. That’s a tall order.
The data on your Windows 2000 network can be divided into two
primary types: user data and System State data.
User data is a broad category that includes application files and folders,
operating system files and folders, and user-created files and folders. In
short, user data includes all files and folders on the Windows 2000
computer that aren’t held open at all times by Windows 2000.
System State data includes various critical operating system files, folders,
and databases. The actual components of System State data vary depending
on the Windows 2000 operating system you’re using and the services
installed on that operating system. For all Windows 2000 computers,
System State data includes the operating system boot files, the registry, and
the COM+ Class Registration database. On a Windows 2000 Server
computer that has Certificate Services installed, System State data also
includes the Certificate Services database. Finally, on a Windows 2000
Server that is a domain controller, System State data also includes the
Active Directory data store and the contents of the SYSVOL folder.

EXAM TIP
Make sure you know what’s included in System State data — and what’s
not — on both domain controllers and nondomain controllers when you
take the exams.

In this book, I’ve already discussed several ways you can manage and
optimize the availability of your network’s data, including using NTFS and
permissions to restrict access to files and folders and using mirrored volumes
and RAID-5 volumes to provide fault tolerance. Another important part of
your overall fault tolerance plan is performing regular backups of data.
A tape backup is not a replacement for other fault tolerance methods,
such as mirrored volumes and RAID-5 volumes. Tape backup is an additional
safety precaution to use when other fault tolerance methods fail. I
don’t recommend that you rely solely on mirrored volumes, RAID-5
volumes, or tape backup. A comprehensive fault tolerance policy typically
should include two or more of these strategies.

Backing Up User Data and System State Data
As I mentioned in the previous section, backing up data is an important part
of your network fault tolerance plan. Planning and adhering to a regular
backup schedule can make recovering from a corrupt file or a failed hard
disk a straightforward, if somewhat painful, task. Failing to make regular
backups of your system’s critical data can be harmful (or even fatal) to your
business, to your employment status, or both.
Always remember that a tape backup is your last line of defense against
data loss. If the data on the tape is too old to be of value, or if it is corrupt,
or if the tape has been damaged due to fire or other causes, then you have
nothing. And having nothing is very hard to explain to upper management.

IN THE REAL WORLD
On more than one occasion I’ve had to explain to a client that both disks
in a mirrored volume (or two disks in a RAID-5 volume) have failed, and
that the most recent tape backup is corrupt. This is a difficult and
extremely unpleasant thing to explain to a client or to your manager.

I can’t stress enough the importance of carefully performing regular tape
backups, and periodically testing the validity of those backups. Once
you’ve experienced a partial or total disk failure, you’ll never regret the
time it takes you to perform backups again.
In the following sections I’ll discuss what to back up, backup types,
backup strategies, and how to use Backup to perform various tasks.

What to Back Up
Before you can create a backup strategy, you need to determine which data
on your network will be backed up. I recommend that all network data be
backed up regularly. This includes both user data and System State data.
In general, operating systems, applications, and System State data need to
be backed up less frequently than user-created data files. You may find it
sufficient to back up these types of data once a week, once a month, or
even less often. An exception to this general rule is System State data on
domain controllers. System State data on Windows 2000 domain
controllers should be backed up fairly frequently because it contains the
Active Directory data store.
Depending on the importance of your data, user-created data files can be
backed up once a week, once a day, once an hour, or at any frequency that
meets your organization’s needs. When determining which files to back up
and how often, ask yourself how much data you can really afford to lose. For
example, if you decide to back up only once a week, can you afford to lose
six days of sales information and other employee-created data?

Backup Types
Before I talk about the specific backup types, a short discussion on the
archive attribute, and how the operating system and backup programs use
this attribute, is in order.
The archive attribute is a marker that the operating system automatically
assigns to all files and folders when they are first installed or created.
Depending on the backup type, backup programs remove the archive
attribute from a file or folder to indicate that the file or folder has been
backed up. If a file or folder is modified after it is backed up, the operating
system reassigns the archive attribute to it.
There are five standard types of backups you can perform:
■ Normal: A normal backup backs up all selected files and folders.
It removes the archive attribute from the backed up files and folders.
A normal backup is a full, complete backup — it is the backbone
of your backup plan or strategy.
■ Copy: A copy backup backs up all selected files and folders. It does
not remove or otherwise affect the archive attribute. The copy
backup can be performed without disrupting the normal backup
schedule, because it does not affect the archive attribute. You could
use a copy backup to create an extra backup to store off-site.
■ Incremental: An incremental backup backs up all selected files
and folders that have changed since the last normal or incremental
backup. An incremental backup removes the archive attribute from
the backed up files and folders. An incremental backup is not
cumulative — it contains only the changes made since the last
normal or incremental backup. If a normal backup is performed
on Sunday, and incremental backups are performed Monday
through Friday, Monday’s incremental backup will contain all
changes made to data on Monday, Tuesday’s incremental backup
will contain all changes made to data only on Tuesday, Wednesday’s
incremental backup will contain all changes made to data only on
Wednesday, and so on. Because less data is backed up, an incremental
backup takes less time to perform than a normal backup, and also
takes less time to perform than a differential backup.
■ Differential: A differential backup backs up all selected files
and folders that have changed since the last normal backup. A
differential backup does not remove the archive attribute from
any files and folders. A differential backup is a cumulative backup
since the last normal backup. Because the differential backup does
not remove the archive attribute, if a normal backup is performed
on Sunday, and differential backups are performed Monday
through Friday, Monday’s differential backup will contain all
changes made to data on Monday; Tuesday’s differential backup
will contain all changes made to data on Monday and Tuesday;
Wednesday’s differential backup will contain all changes made to
data on Monday, Tuesday, and Wednesday, and so on. A differential
backup is often used in between normal backups, because it takes
less time to perform a differential backup than a normal backup.
■ Daily: A daily backup backs up all selected files and folders that
have changed during the day the backup is made. It does not
remove or otherwise affect the archive attribute.
Companies often use a combination of the standard backup types in
their backup strategy.

Backup Strategies
There are a number of acceptable backup strategies, and three fairly
common ones:
■ Perform a normal backup every day. This is the most time-consuming
of the three common strategies in terms of the time
required to perform backups. However, should a restore be
necessary, only the last normal backup is required, and restore
time is much shorter than with either of the other two strategies.
■ Perform a weekly normal backup and daily differential
backups. As the week progresses, the time required to perform
the differential backups increases. However, should a restore be
necessary, only two backup sets will be needed — the most recent
normal backup, and the most recent differential backup. (This is
because the most recent differential backup contains all files and
folders that have changed since the last normal backup.) The
restore can be accomplished relatively quickly.
■ Perform a weekly normal backup and daily incremental
backups. Incremental backups tend to take about the same
amount of time each day, and are considered the fastest backup
method. However, should a restore be necessary, multiple backup
sets will be required — the most recent normal backup, and every
incremental backup since the most recent normal backup. (This is
because the incremental backups each contain different data and are
not cumulative.) The restore will typically take more time than if a
differential backup had been used.
When planning your backup strategy, the big trade-off you need to
consider is time — the time it takes to perform backups versus the time it
takes to restore data.
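The archive-attribute rules of the five backup types and the restore cost of the three strategies above, as an added example that is not code from the book: a constructed toy volume, one simulated week of changes, and a helper that works out which backup sets a restore needs (the file names and the week of changes are constructed).

```python
"""Archive-attribute semantics of the five Windows 2000 Backup types.

Added example, not code from the book: a constructed toy volume whose files
carry the archive attribute exactly as the chapter describes, the standard
backup types applied to it over one week, and a helper that works out which
backup sets a restore would need under each of the three common strategies.
"""
from dataclasses import dataclass, field

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri"]
# Constructed week of changes; app.exe is never touched after the Sunday normal.
CHANGES = {"Mon": ["sales.xls"], "Tue": ["memo.doc"], "Wed": ["sales.xls"],
           "Thu": [], "Fri": ["memo.doc"]}

DAILY_NORMAL = dict.fromkeys(DAYS, "normal")
WEEKLY_NORMAL_DIFFERENTIAL = {"Sun": "normal", **dict.fromkeys(DAYS[1:], "differential")}
WEEKLY_NORMAL_INCREMENTAL = {"Sun": "normal", **dict.fromkeys(DAYS[1:], "incremental")}


@dataclass
class FileState:
    version: int = 0          # bumped on every modification
    archive: bool = True      # set on creation and modification; cleared only by some types
    modified_on: str = "Sun"  # day of the last change, used by the Daily type


@dataclass
class BackupSet:
    day: str
    kind: str
    contents: dict = field(default_factory=dict)  # file name -> version captured


class Volume:
    """The files selected for backup, each with its archive attribute."""

    def __init__(self, names):
        self.files = {n: FileState() for n in names}

    def modify(self, name, day):
        f = self.files[name]
        f.version += 1
        f.archive = True          # the operating system re-marks a changed file
        f.modified_on = day

    def backup(self, day, kind):
        """Apply one of the five standard backup types and return the set it produced."""
        if kind in ("normal", "copy"):
            selected = list(self.files)                            # everything selected
        elif kind in ("incremental", "differential"):
            selected = [n for n, f in self.files.items() if f.archive]
        elif kind == "daily":
            selected = [n for n, f in self.files.items() if f.modified_on == day]
        else:
            raise ValueError(f"unknown backup type: {kind}")
        if kind in ("normal", "incremental"):                      # only these clear the attribute
            for n in selected:
                self.files[n].archive = False
        return BackupSet(day, kind, {n: self.files[n].version for n in selected})


def sets_needed_for_restore(history):
    """Minimum backup sets (oldest first) that together hold the newest version of
    every file. Walks backward from the latest set, as you would with a backup log
    in hand; without the log you would restore every incremental since the last
    normal backup instead, which costs time but not correctness."""
    latest = {}
    for s in history:
        latest.update(s.contents)     # later sets overwrite, leaving the newest versions
    needed, covered = [], set()
    for s in reversed(history):
        useful = [n for n, v in s.contents.items() if n not in covered and v == latest[n]]
        if useful:
            needed.append(s)
            covered.update(useful)
    return list(reversed(needed))


def simulate(strategy):
    """Run one week (Sunday through Friday) of a strategy mapping day -> backup type."""
    vol = Volume(["sales.xls", "memo.doc", "app.exe"])
    history = [vol.backup("Sun", strategy["Sun"])]
    for day in DAYS[1:]:
        for name in CHANGES[day]:
            vol.modify(name, day)
        history.append(vol.backup(day, strategy[day]))
    return history


if __name__ == "__main__":
    for label, strategy in [("daily normal", DAILY_NORMAL),
                            ("weekly normal + daily differential", WEEKLY_NORMAL_DIFFERENTIAL),
                            ("weekly normal + daily incremental", WEEKLY_NORMAL_INCREMENTAL)]:
        hist = simulate(strategy)
        copies = sum(len(s.contents) for s in hist)
        needed = [f"{s.day} {s.kind}" for s in sets_needed_for_restore(hist)]
        print(f"{label}: {copies} file copies written this week; restore needs {needed}")
```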

Security Considerations
When planning your company’s backup strategy, there are a few security
considerations to take into account:
■ If the data is of a sensitive nature, consider physically securing the
tape drive and the backup tapes in a locked room. While your server
may require a password and permissions to access confidential data,
when a backup tape is taken and restored on another server, your
server’s security measures are defeated.
■ Consider rotating backup tapes to an off-site location. This can
prevent or minimize data loss due to a single catastrophic event,
such as a theft, fire, flood, or earthquake. Consider using a third-
party company that will store your data tapes in a secure, climate-
controlled environment.
■ If you store backup tapes in a fireproof safe, remember that fireproof
doesn’t necessarily mean that heat or smoke can’t destroy the data
on magnetic tapes. Make sure the safe is capable of protecting
magnetic media as well as papers and other important items.
■ Finally, depending on your organization’s security needs, consider
who should perform backups. In very high-security environments,
consider allowing only administrators to perform backups. In
medium- to low-security situations, consider separating the backup
and restore functions by designating certain personnel to perform
only backups, and other employees to perform only restores.

Tape Rotation
Most organizations rotate their magnetic tapes in order to reduce the
cost of backups. Instead of using a new tape every day, tapes are reused in a
systematic manner.
There are probably almost as many tape rotation methods as there are
network administrators. Consider the following tape rotation example,
which is illustrated in Table 14-1.
TABLE 14-1 Sample Backup Tape Rotation Scheme

         Monday   Tuesday  Wednesday  Thursday  Friday
Week 1   Tape #1  Tape #2  Tape #3    Tape #4   Tape #5
Week 2   Tape #1  Tape #2  Tape #3    Tape #4   Tape #6
Week 3   Tape #1  Tape #2  Tape #3    Tape #4   Tape #7
Week 4   Tape #1  Tape #2  Tape #3    Tape #4   Tape #8 (archived)

This example requires eight tapes for a four-week period. Tapes one
through four are reused each week, with the Monday tape used again the
following Monday, and so on. Depending on the amount of data backed
up and the tape’s capacity, the data from the previous backup can be
appended or replaced. A different tape is used for the backup made each
Friday, so that files that are deleted during the course of the previous weeks
can be recovered. The eighth tape is permanently archived and removed
from the tape rotation scheme.
When choosing a tape rotation method, consider the following:
■ The useful life of a tape: Tapes need to be eventually removed
from the rotation scheme and replaced with new tapes. The number
of times a magnetic tape can be reused depends on the tape’s quality
and storage conditions.
■ Tape cost versus the cost of lost data: Some tapes are guaranteed
for life — but only for the cost of the tape. The cost of lost data is
not guaranteed.
■ Archiving tapes: Removing a tape from the rotation schedule
weekly, monthly, or quarterly is a good way to provide a permanent,
long-term archive of your company’s data. These tapes are
often stored off-site for disaster recovery purposes (such as in the
case of a fire).

Documenting Backups
Documenting your backups will make restoring after a failure a much
easier task. Consider keeping a backup log book that documents each
backup procedure performed. You should record the date and time the
backup was performed, a brief description of the data backed up, the name
of the person who performed the backup, the tape number used, and its
storage location. You can also include a detailed or summarized printed log
of the backup. If you have this information readily available, the person
performing the restore will be able to quickly identify and locate the most
recent backup tape(s) needed.
Speaking of logs, most backup programs can be configured to create
detailed logs that list the individual files and folders backed up. These logs
can be quite helpful if a user tells you that he or she has accidentally deleted
an important file, and asks you to restore it from tape. A log (either printed,
or written to a file on a disk) will enable you to locate the appropriate tape
needed to restore the file quickly and easily.

Using Backup to Perform a Backup


Windows 2000 ships with a backup program called Backup. Backup is a
basic tape backup program that gives you full capability to back up and
restore a Windows 2000 computer, including user data on local and
network drives, and System State data on the local computer.

EXAM TIP
You can’t use Backup to back up or restore System State data on a remote
Windows 2000 computer. In other words, you can’t back up or restore
System State data over the network. Keep this in mind when you take
the exams.
You can use Backup to back up files and folders to a local disk, a
network drive, or a tape device. I recommend you ensure that your tape
drive is listed on the Windows 2000 Hardware Compatibility List (HCL)
and that it has enough capacity to back up your entire server on a single
tape. This is a big help, especially if you perform unattended tape backups.
Before you perform a tape backup, make sure that you have the
appropriate permissions and user rights to perform a backup. To perform a
backup, you need to be a member of the Administrators or Backup
Operators groups, or you need to have the “Back up files and directories”
user right assigned to you. If you are backing up a Windows 2000 domain
controller, members of the Server Operators group also have the necessary
permissions to back up files and folders on this computer.
Consider the time of day when performing backups. Because of the use
of processor and memory during backups, it’s normally best to perform
this task during the periods of lowest server and network usage — often
during nonbusiness hours.
Backup provides you with two different methods to perform a backup.
You can either use the Backup Wizard, or you can manually configure a
backup on the Backup tab.

STEP BY STEP

PERFORMING A BACKUP BY USING THE BACKUP WIZARD

1. Select Start ➪ Programs ➪ Accessories ➪ System Tools ➪ Backup.


2. The Backup dialog box appears, as shown in Figure 14-1. Notice the three buttons
in this dialog box: Backup Wizard, Restore Wizard, and Emergency Repair
Disk. Click the button next to Backup Wizard.
3. The Backup Wizard starts. Click Next.
4. In the What to Back Up screen, select the types of data you want to back up.
Options available include:
■ Back up everything on my computer
■ Back up selected files, drives, or network data
■ Only back up the System State data
Select the appropriate option and click Next.
5. Depending on the option you selected in Step 4, an “Items to Back Up” screen
may appear. In this screen, select the check boxes next to the drives, files, or
folders you want to back up. Click Next.
FIGURE 14-1 The opening Backup dialog box

6. In the Where to Store the Backup screen, select the backup media type you want
to use for this backup from the “Backup media type” drop-down list box. Media
types include files and any tape devices installed and configured on your
Windows 2000 computer.
Then, if you selected a backup media type of file, in the “Backup media or file
name” text box, either accept the default path or type in a complete path to the
file that will contain your backup data. You can browse for this file if you want to.
If you selected a specific tape drive in the “Backup media type” drop-down list
box, select the specific media you want to use in the “Backup media or file name”
drop-down list box.
Click Next.
7. The Completing the Backup Wizard screen appears. If you are finished configuring
your backup, click Finish and skip to Step 14.
If you want to configure advanced backup options, such as the type of backup,
click Advanced.
8. If you clicked Advanced, the Type of Backup screen appears. In this screen, select
the type of backup you want to perform. Available options include: Normal, Copy,
Incremental, Differential, and Daily. Click Next.
9. In the How to Back Up screen, you can configure Backup to verify your data after
it is backed up, to use your tape device’s hardware compression capabilities, if
any, or both. If you select the check box next to “Verify data after backup,” this
will approximately double the time it takes to perform the backup. Select the
appropriate option(s), and click Next.
10. In the Media Options screen, you can specify whether Backup will append the
data in this backup to the data already contained on the backup tape or file, or
whether Backup will replace (overwrite) the data on the tape or file with this
backup. Select the appropriate option and click Next.
11. In the Backup Label screen, either accept the default backup and media labels,
or type in different backup and media labels to meet your needs. Click Next.
12. In the When to Back Up screen, you configure whether the backup will run now
or at a later time. If you select the “Later” option, you can schedule the backup
to start at the date and time you choose. Select and configure the appropriate
option, and click Next.
13. In the Completing the Backup Wizard screen, click Finish.
14. If you configured the backup to run now, Windows 2000 performs the backup.
At the completion of the backup, a Backup Progress dialog box is displayed, as
shown in Figure 14-2. Notice that various backup statistics are displayed, and
that you can choose to view a report containing even more detailed information
about the backup.

FIGURE 14-2 The Backup Progress dialog box


If you want to view the backup report, click Report. Close Notepad when you
finish viewing the report.
Click Close.
15. Close Backup.

If you’re comfortable using the Backup user interface, you may decide
to configure backups manually instead of using the Backup Wizard. I’ll
show you how to manually configure a backup in the steps that follow.

STEP BY STEP

MANUALLY CONFIGURING A BACKUP

1. Select Start ➪ Programs ➪ Accessories ➪ System Tools ➪ Backup.


2. In the Backup dialog box, click the Backup tab.
3. The Backup tab appears, as shown in Figure 14-3. Notice the check box next to
System State.

FIGURE 14-3 The Backup tab


On this tab, select the check box next to the drives, files, and folders you want to
back up. You can expand drives and folders as necessary by clicking the + next to
the drive or folder.
Next, select the destination for this backup from the “Backup destination” drop-
down list box. Destinations include File and any tape devices installed and
configured on your Windows 2000 computer.
Then, if you selected a backup destination of File, in the “Backup media or file
name” text box, either accept the default path or type in a complete path to the
file that will contain your backup data. You can browse for this file if you want to.
If you selected a specific tape drive in the “Backup destination” drop-down list
box, select the specific media you want to use in the “Backup media or file name”
drop-down list box.
4. On the Backup tab, view the Backup options displayed. If you want to modify any
of these options, select Tools ➪ Options.
5. The Options dialog box appears. This dialog box contains five tabs: General,
Restore, Backup Type, Backup Log, and Exclude Files. You can use these tabs
to customize your backup. Make the appropriate configurations, then click OK.
6. In the Backup dialog box, click Start Backup.
7. The Backup Job Information dialog box appears, as shown in Figure 14-4. Notice
that you can schedule the backup, configure advanced backup options, enter a
backup description, choose whether to append or replace data on the backup
tape, and start the backup in this dialog box.

FIGURE 14-4 Configuring backup job information

Configure the appropriate options, and either click Start Backup or Schedule, as
appropriate.
Scheduling Backups
Not only can you schedule an individual backup when you configure it,
you can use the Schedule Jobs tab in Backup to view the backup schedule
and to schedule periodic backups on your Windows 2000 computer.
The Schedule Jobs tab enables you to automate the implementation of
your company’s backup strategy. You can use this tool to schedule recurring
unattended normal, incremental, differential, and other types of backups.
The Schedule Jobs tab is fairly straightforward to use.

STEP BY STEP

SCHEDULING A BACKUP

1. Select Start ➪ Programs ➪ Accessories ➪ System Tools ➪ Backup.


2. In the Backup dialog box, click the Schedule Jobs tab.
3. The Schedule Jobs tab appears, as shown in Figure 14-5. Notice that no jobs
appear yet on the schedule.

FIGURE 14-5 The Schedule Jobs tab

If you have already scheduled jobs, you can view them on this schedule.
To add a job to the schedule, click Add Job.
4. The Backup Wizard starts. Follow the instructions presented on-screen to
schedule one or more periodic backups. (Detailed instructions on using this
wizard were presented in the step-by-step section titled “Performing a Backup
by Using the Backup Wizard” earlier in this chapter.)
5. Once you’ve scheduled one or more backups, these jobs appear on the Schedule
Jobs tab. Close Backup.

Using Backup to Create an Emergency Repair Disk


You can also use Backup to create an Emergency Repair Disk. An
Emergency Repair Disk is a floppy disk used to repair Windows 2000 system
files that become accidentally corrupted or erased due to viruses or other
causes. An Emergency Repair Disk is primarily used to repair and restart a
Windows 2000 computer that won’t boot. I’ll cover how to use an
Emergency Repair Disk later in this chapter, but before you can use one,
you have to create it.
To create an Emergency Repair Disk, you’ll need one blank, formatted
floppy disk.

STEP BY STEP

CREATING AN EMERGENCY REPAIR DISK

1. Select Start ➪ Programs ➪ Accessories ➪ System Tools ➪ Backup.
2. In the Backup dialog box, click the Emergency Repair Disk button.
3. The Emergency Repair Diskette dialog box appears. By default, the computer’s
registry is not copied to the Emergency Repair Disk, nor to the computer’s
repair folder, which is located in SystemRoot\repair. If you want the
registry to be copied to the computer’s repair folder (and I recommend that
you do so), select the check box in this dialog box.

TIP
Unlike Windows NT 4.0, in Windows 2000 the computer’s registry is
never copied to the Emergency Repair Disk.

Insert a blank, formatted floppy disk into your computer’s A: drive and click OK.

STEP BY STEP Continued

4. Windows 2000 creates the Emergency Repair Disk. After the Emergency Repair
Disk is successfully created, remove it from the computer’s A: drive and store it
in a safe place. Click OK in the Emergency Repair Diskette dialog box.
5. Close Backup.

Recovering User Data and System State Data

Hopefully, you’ll never have to restore files and folders after a catastrophic
data loss. Nevertheless, it’s a good practice to be comfortable with the
process of restoring data to your system, just in case.
For this reason, and also to ensure that your backup tapes contain valid
copies of your data files, you should periodically test your backup by
performing a trial restore. A trial restore involves restoring at least one folder
that contains several data files to a different folder than it was originally
backed up from. The folder you restore is a test folder, and probably
shouldn’t contain files that are critical to your operations. For example, you
could restore the D:\Public folder to D:\Public2 or to E:\Public2.
The trial restore process verifies that the tape can be read, and that files and
folders can be restored from it.
Once you’ve performed a trial restore of your test folder, you should
compare its contents with the contents of the original folder on your
computer’s hard disk. To determine whether the files in the two folders are
identical, you can use the comp.exe command-line utility. If there are no
differences between the files in the two folders, then presumably all of the
files on the backup tape are valid and not corrupt.
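The comparison step of a trial restore, as an added example that is not from the book and does not use comp.exe: it hashes every file under the original folder and its restored copy (the chapter's D:\Public and D:\Public2) and reports what is missing, extra, or different. The sample folders it builds are constructed stand-ins so the script runs without a tape drive; the damaged "restore" they simulate is the kind of silent problem a trial restore exists to catch.

```python
"""Verify a trial restore by comparing the restored copy of a folder
against the original (for example D:\\Public restored to D:\\Public2).
Added example; Windows 2000 Backup performs the restore, this script
only does the file-by-file comparison the chapter recommends."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def _sha256_of(path: str) -> str:
    """Hash a file in chunks so large data files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _digest_tree(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    digests: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = _sha256_of(full)
    return digests


def compare_trial_restore(original: str, restored: str) -> Dict[str, List[str]]:
    """Compare the original folder with its trial-restored copy.

    Returns three sorted lists:
      missing   - files in the original that the restore did not produce
      extra     - files in the restored copy that are not in the original
      differing - files present in both whose contents do not match
    All three empty means the tape could be read and every restored file
    is byte-for-byte identical to its original.
    """
    orig = _digest_tree(original)
    rest = _digest_tree(restored)
    both = set(orig) & set(rest)
    return {
        "missing": sorted(set(orig) - set(rest)),
        "extra": sorted(set(rest) - set(orig)),
        "differing": sorted(p for p in both if orig[p] != rest[p]),
    }


def restore_is_valid(original: str, restored: str) -> bool:
    """True only when the restored copy matches the original completely."""
    return not any(compare_trial_restore(original, restored).values())


def build_constructed_sample() -> Tuple[str, str]:
    """Constructed stand-in for D:\\Public and D:\\Public2 (offline demo).

    The 'restored' copy is deliberately given one truncated file and one
    missing file, simulating a tape that was read only partially.
    """
    base = tempfile.mkdtemp(prefix="trial_restore_")
    public = os.path.join(base, "Public")
    public2 = os.path.join(base, "Public2")
    files = {  # constructed sample data
        "budget.xls": b"Q1,Q2,Q3,Q4\n100,120,115,130\n",
        "memo/policy.doc": b"Backup policy: weekly normal, nightly differential.\n",
        "memo/notes.txt": b"Test restores monthly.\n",
    }
    for root in (public, public2):
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
    # Simulate a bad restore: truncate one file and drop another.
    with open(os.path.join(public2, "budget.xls"), "wb") as f:
        f.write(b"Q1,Q2,Q3,Q4\n")
    os.remove(os.path.join(public2, "memo", "notes.txt"))
    return public, public2


if __name__ == "__main__":
    orig_dir, rest_dir = build_constructed_sample()
    for kind, paths in compare_trial_restore(orig_dir, rest_dir).items():
        print(f"{kind:9}: {paths}")
    print("restore valid:", restore_is_valid(orig_dir, rest_dir))
```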
The same Backup program you used to back up data on your Windows
2000 computer is also used to restore data. In order to restore data, you need
to be a member of the Administrators or Backup Operators groups, or you
need to have the “Restore files and directories” user right assigned to you. If
you’re restoring data on a Windows 2000 domain controller, members of
the Server Operators group also have the necessary permissions to restore
files and folders on this computer.

In the following sections I’ll explain how to use Backup to restore user
data, System State data, and the Active Directory data store.

Using Backup to Restore User Data


You can use Backup to perform a full or partial restore of user data from a
backup created by using Backup. You can restore user data to both local
and network drives.
Backup provides you with two different methods to perform a restore.
You can either use the Restore Wizard, or you can manually configure a
restore on the Restore tab.

STEP BY STEP

RESTORING USER DATA BY USING THE RESTORE WIZARD

1. Select Start ➪ Programs ➪ Accessories ➪ System Tools ➪ Backup.
2. In the Backup dialog box, click the Restore Wizard button.
3. The Restore Wizard starts. Click Next.
4. In the What to Restore screen, select the check boxes next to the drives, files, or
folders you want to restore. Click Next.
5. The Completing the Restore Wizard screen appears. If you are finished configur-
ing your restore, click Finish and skip to Step 10.
If you want to configure advanced restore options, such as the location to which
files should be restored, click Advanced.
6. In the Where to Restore screen, select the location to which you want
the selected files and folders to be restored. Available options include
“Original location,” “Alternate location,” or “Single folder.” The default option
is “Original location.” Select the appropriate option.
If you select an option other than “Original location,” you also need to specify a
complete path to the desired restoration location in the “Alternate location” text
box. Click Next.
7. In the How to Restore screen, select from one of the three options for restoring a
file that already exists in the restoration location:
• Do not replace the file on my disk (recommended and default option)
• Replace the file on disk only if it is older than the backup copy
• Always replace the file on disk
Click Next.

STEP BY STEP Continued

8. In the Advanced Restore Options screen, select one or more of the appropriate
options:
• Restore security
• Restore Removable Storage database
• Restore junction points, not the folders and file data they reference
Click Next.
9. In the Completing the Restore Wizard screen, click Finish.
10. If you are restoring from a file, the Enter Backup File Name dialog box appears. If
this dialog box appears, ensure that the name of the file that contains the backup
you want to restore from is displayed in the “Restore from backup file” text box.
You can browse for this file if you need to. Click OK.
11. Windows 2000 performs the restore. At the completion of the restore, a
Restore Progress dialog box is displayed. This dialog box displays various
restore statistics.
The Restore Progress dialog box also has an option that enables you to view a
report on the restore. To view this report, click Report. Close Notepad when you
finish viewing the report.
Click Close.
12. Close Backup.

Using Backup to Restore System State Data


In addition to restoring user data, you can also use Backup to restore
System State data from a backup created by using Backup. Remember, you
can only restore System State data on the local computer. You can’t restore
System State data over the network to a remote Windows 2000 computer.
Restoring System State data is an all-or-nothing proposition. Unlike
restoring user data, you can’t pick and choose which parts of System State
data will be restored.
Restoring System State data returns your Windows 2000 computer to
the state it was in when the System State data was backed up. Any changes
you have made to the system will be lost.

CAUTION
Only restore System State data when you have to. Typically, this is a last-
resort measure that is only used when all other attempts to correct a
damaged Windows 2000 system configuration (including using Safe
Mode and the Emergency Repair Disk) have failed.

Restoring System State Data on Nondomain Controllers


Restoring System State data is fairly straightforward. However, there are
some differences in the process, depending on which computer on your
network you’re restoring System State data to. First, I’ll take a look at how to
restore System State data on a Windows 2000 computer that is not a domain
controller. (A bit later in this chapter, I’ll cover how to restore System State
data, including the Active Directory data store, on domain controllers.)

STEP BY STEP

RESTORING SYSTEM STATE DATA ON A NONDOMAIN CONTROLLER

1. Select Start ➪ Programs ➪ Accessories ➪ System Tools ➪ Backup.
2. In the Backup dialog box, click the Restore Wizard button.
3. The Restore Wizard starts. Click Next.
4. In the “What to Restore” screen, expand components in the left pane until
System State is displayed. Select the check box next to System State, as
shown in Figure 14-6. Click Next.

FIGURE 14-6 Restoring System State data



STEP BY STEP Continued

5. The Completing the Restore Wizard screen appears. If you want to configure
advanced restore options, such as the location to which the System State
data should be restored, click Advanced. (For information on how to configure
Advanced options, see Steps 6 through 8 in the step-by-step section titled
“Restoring User Data by Using the Restore Wizard” earlier in this chapter.)
Otherwise, click Finish.
6. If you are restoring from a file, the “Enter Backup File Name” dialog box appears.
If this dialog box appears, ensure that the name of the file that contains the
backup you want to restore from is displayed in the “Restore from backup
file” text box. You can browse for this file if you need to. Click OK.
7. Windows 2000 performs the restore of System State data. At the completion of
the restore, a Restore Progress dialog box is displayed. This dialog box displays
various restore statistics.
The Restore Progress dialog box also has an option that enables you to view a
report on the restore. To view this report, click Report. Close Notepad when you
finish viewing the report.
Click Close.
8. A Backup warning dialog box appears, indicating that you must shut down and
restart your computer to complete the restore. Click Yes.

Restoring System State Data on Domain Controllers


Because System State data includes the Active Directory data store on a
Windows 2000 domain controller, restoring System State data on a domain
controller includes restoring Active Directory.
There are two types of restores you can perform of Active Directory:
■ Nonauthoritative restore of Active Directory: This is a full
restore of System State data, including Active Directory, on a
Windows 2000 domain controller. When this type of restore is
performed, Active Directory entries on other domain controllers
(that are more recent than the corresponding entries that have
been restored from backup) will replace the restored entries when
replication of Active Directory occurs. You should use this type
of restore when you only have one domain controller on your
network, or when you are primarily concerned with restoring the
other components of System State data, such as the registry and
system boot files, and you don’t want to overwrite the more
recent copy of Active Directory located on other domain controllers
on your network.
■ Authoritative restore of Active Directory: Like a nonauthoritative
restore, this is also a full restore of System State data, including
Active Directory, on a Windows 2000 domain controller. After the
restore is completed, however, an additional step is required. Some
or all of the restored Active Directory objects are marked as being
authoritative. During this process, the objects’ attribute version
numbers are increased. When this type of restore is performed,
the restored Active Directory entries that are marked as authoritative
will replace the corresponding Active Directory entries on
other domain controllers on your network when replication of
Active Directory occurs. You should use this type of restore
when the Active Directory data store on your network’s domain
controllers is damaged, or when a portion of Active Directory
has been accidentally deleted.
So, whether you decide to perform a nonauthoritative or an authoritative
restore of Active Directory, the first step will be to perform a restore of
System State data on your domain controller. I’ll show you how to perform
this task in the steps that follow.

TIP
In order to restore System State data on a domain controller, which
includes the Active Directory data store, you’ll need the Administrator’s
password that was entered in the “Directory Services Restore Mode
Administrator Password” screen during the installation of Active Directory.

STEP BY STEP

RESTORING SYSTEM STATE DATA, INCLUDING ACTIVE DIRECTORY

1. Shut down and restart the domain controller. During the boot process, press F8.
2. On the Windows 2000 Advanced Options Menu, select Directory Services
Restore Mode and press Enter.
3. If you have more than one operating system installed on this computer, select
Microsoft Windows 2000 Server and press Enter.
4. Windows 2000 Server boots in Safe Mode – Directory Services Repair. Press
Ctrl+Alt+Delete.

STEP BY STEP Continued

5. In the Log On to Windows dialog box, accept the default user name of administra-
tor. Enter the Administrator’s password that was entered in the “Directory Services
Restore Mode Administrator Password” screen during the installation of Active
Directory. (This is probably not the current Administrator’s password.) Click OK.
6. A Desktop warning message appears, indicating that Windows is running in Safe
Mode. Click OK.
7. Select Start ➪ Programs ➪ Accessories ➪ System Tools ➪ Backup.
8. In the Backup dialog box, click the Restore Wizard button.
9. The Restore Wizard starts. Click Next.
10. In the “What to Restore” screen, expand components in the left pane until System
State is displayed. Select the check box next to System State. Click Next.
11. The Completing the Restore Wizard screen appears. If you want to configure
advanced restore options, such as the location to which the System State data
should be restored, click Advanced. (For information on how to configure Advanced
options, see Steps 6 through 8 in the step-by-step section titled “Restoring User
Data by Using the Restore Wizard” earlier in this chapter.) Otherwise, click Finish.
12. If you are restoring from a file, the Enter Backup File Name dialog box appears. If
this dialog box appears, ensure that the name of the file that contains the backup
you want to restore from is displayed in the “Restore from backup file” text box.
You can browse for this file if you need to. Click OK.
13. Windows 2000 performs the restore of System State data, including Active
Directory. At the completion of the restore, a Restore Progress dialog box is
displayed. This dialog box displays various restore statistics, and contains an
option that enables you to view a report on the restore. To view this report, click
Report. Close Notepad when you finish viewing the report. Click Close.
14. A Backup warning dialog box appears, indicating that you must shut down and
restart your computer to complete the restore.
If you are performing a nonauthoritative restore of Active Directory, click
Yes. Reboot the domain controller normally.
If you are performing an authoritative restore of Active Directory, click
No, close Backup, and complete the steps listed in the next section.

CAUTION
Don’t reboot the domain controller now if you’re performing an authorita-
tive restore — if you do, you’ll have to do the restore all over again before
you can mark objects.

So, as the previous steps point out, if you’re performing a nonauthoritative
restore of Active Directory, your work is done. However, if you’re
performing an authoritative restore of Active Directory, you’ll need to use
the ntdsutil.exe command-line utility to mark some or all of the
restored Active Directory objects as being authoritative. The next set of
steps explains how to accomplish this task.

STEP BY STEP

MARKING RESTORED ACTIVE DIRECTORY OBJECTS AS AUTHORITATIVE

1. After performing a restore of System State data on your domain controller,
but before rebooting the computer, select Start ➪ Programs ➪ Accessories ➪
Command Prompt.
2. In the Command Prompt dialog box, at the command prompt, type ntdsutil and
press Enter.
3. At the ntdsutil: prompt, type authoritative restore and press Enter.
4. To restore the entire Active Directory data store, at the authoritative
restore: prompt, type restore database and press Enter.
Or, to restore a portion of the Active Directory data store, at the authoritative
restore: prompt, type
restore subtree OU=OU_name,DC=domain_name,DC=root_domain

and press Enter. For example, to restore only an OU named London in a domain
named domain2.com, you would type
restore subtree OU=London,DC=domain2,DC=com

5. In the Authoritative Restore Confirmation dialog box, click Yes.
6. Windows 2000 marks the objects you selected by increasing their attribute ver-
sion numbers. At the authoritative restore: prompt, type quit and
press Enter.
7. At the ntdsutil: prompt, type quit and press Enter.
8. At the command prompt, type exit and press Enter.
9. Shut down the domain controller, and restart it normally.

For additional syntax information on the ntdsutil.exe command-line
utility, type help at any ntdsutil prompt in the Command Prompt
dialog box.
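The restore subtree argument in Step 4 is an LDAP distinguished name, and the book's form OU=OU_name,DC=domain_name,DC=root_domain covers only a single OU in a two-label domain. As an added example (not from the book), the Python below generalises it: nested OUs are listed leaf first, a domain with any number of DNS labels becomes one DC= component per label, and characters that are special in a DN are escaped so an OU name such as "Sales, EMEA" cannot be misread as two components. It also lists the ntdsutil commands the steps type, in order.

```python
"""Build the DN used with ntdsutil's "restore subtree" command, and the
command sequence of the chapter's authoritative-restore steps.
Added example, not the book's code."""
from typing import List, Optional

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value so it cannot add or split DN components."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in _SPECIAL
            or (ch == "#" and i == 0)            # leading '#' starts hex form
            or (ch == " " and i in (0, last))    # leading/trailing space
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def domain_to_dn(dns_name: str) -> str:
    """domain2.com -> DC=domain2,DC=com (one DC= component per DNS label)."""
    labels = [lab for lab in dns_name.strip(".").split(".") if lab]
    if not labels:
        raise ValueError("domain name must have at least one label")
    return ",".join("DC=" + escape_rdn_value(lab) for lab in labels)


def subtree_dn(ou_path: List[str], dns_name: str) -> str:
    """DN of an OU given as a path from the domain root.

    A DN names the most specific component first, so the path is reversed:
    ["Sales", "London"] in domain2.com -> OU=London,OU=Sales,DC=domain2,DC=com
    """
    if not ou_path:
        raise ValueError("ou_path must name at least one OU")
    rdns = ["OU=" + escape_rdn_value(ou) for ou in reversed(ou_path)]
    return ",".join(rdns + [domain_to_dn(dns_name)])


def authoritative_restore_commands(ou_path: Optional[List[str]] = None,
                                   dns_name: str = "") -> List[str]:
    """The ntdsutil commands typed in the chapter's Steps 3 to 7, in order.

    With no ou_path the whole data store is marked authoritative
    ("restore database"); otherwise only the named subtree is.
    """
    if ou_path:
        target = "restore subtree " + subtree_dn(ou_path, dns_name)
    else:
        target = "restore database"
    return ["authoritative restore", target, "quit", "quit"]


if __name__ == "__main__":
    # The book's own example: the London OU in domain2.com.
    for cmd in authoritative_restore_commands(["London"], "domain2.com"):
        print(cmd)
    # A nested OU in a three-label domain (constructed example).
    print(subtree_dn(["Sales", "London"], "corp.example.com"))
```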

Recovering from a System Failure


When you can’t get a Windows 2000 computer to boot, you’ve got a
system failure on your hands. If the computer that won’t boot has any
importance at all in your organization, your plans for the day have just
been changed. Unfortunately, recovering from a system failure is a
difficult — and sometimes impossible — task.
There are several tools you can use to attempt to recover from a
Windows 2000 system failure. In this section I’ll explain how to use three
Windows 2000 tools: Safe Mode, the Recovery Console, and the
Emergency Repair Disk. Sometimes these tools will enable you to quickly
restore your system, and sometimes they won’t. If you are unable to recover
your Windows 2000 system by using these tools, you can try restoring
System State data on the computer experiencing the problem. If that
doesn’t work, you’ll probably have to reinstall Windows 2000 on the
computer, and then restore all user and System State data from a backup.
You do have a backup, don’t you?
Before you use any of these tools to recover from a system failure, make
sure you’re not really dealing with a hardware problem in the computer. I
recommend you use your computer manufacturer’s hardware diagnostics
to rule out hardware problems first.You don’t really want to reconfigure
your operating system if your problem is an overheated processor.

Using Safe Mode to Troubleshoot and Restore a System

Safe Mode is a special startup mode of Windows 2000 that uses default
settings and the minimum number of files and device drivers required to
start Windows 2000. If a Windows 2000 computer won’t boot normally,
you may be able to boot it in Safe Mode.
When you boot a Windows 2000 computer in Safe Mode, there are
several versions of Safe Mode you can choose from:
■ Safe Mode: This is the basic, bare-bones version of Safe Mode.
■ Safe Mode with Networking: This is regular Safe Mode plus
the services and drivers required to start networking.
■ Safe Mode with Command Prompt: This is regular Safe
Mode except that when the computer boots in this mode, the
computer starts at a command prompt, rather than at the Windows
2000 desktop.

Safe Mode can be helpful when you are troubleshooting a Windows
2000 computer. For example, if a computer’s problem does not occur
when you start the computer in Safe Mode, you can rule out the default
Windows 2000 settings and minimum drivers as causes of that problem.
Safe Mode can also be used to restore a system. For example, suppose
that a newly installed device or a recently updated driver is causing a
problem. You can start the computer in Safe Mode, and then uninstall the
device or reverse the change you previously made to the device driver.
Finally, Safe Mode isn’t helpful if the files required to boot Windows
2000 are accidentally deleted or damaged, although the Emergency Repair
Disk (covered later in this chapter) might be.

STEP BY STEP

BOOTING A WINDOWS 2000 COMPUTER IN SAFE MODE

1. Start the Windows 2000 computer. During the boot process, press F8.
2. On the Windows 2000 Advanced Options Menu, select Safe Mode (or Safe
Mode with Networking, or Safe Mode with Command Prompt) and press Enter.
3. If you have more than one operating system installed on this computer, select the
operating system you want to start in Safe Mode and press Enter.
4. Windows 2000 boots in Safe Mode. Press Ctrl+Alt+Delete.
5. In the Log On to Windows dialog box, enter your user name and password for
this computer.

TIP
If this computer is a domain controller, you must log on as Administrator
and enter the Administrator’s password that was entered in the “Directory
Services Restore Mode Administrator Password” screen during the
installation of Active Directory. (This is probably not the current
Administrator’s password.)

Click OK.
6. A Desktop warning message appears, indicating that Windows is running in Safe
Mode. Click OK.
7. The Windows 2000 desktop is displayed.

Once you’ve started a Windows 2000 computer in Safe Mode, you can
use Windows 2000 applications and tools to diagnose and correct your
computer’s problem. For example, you can use Control Panel applications,
such as the Add/Remove Hardware application and Device Manager
(a component of the System application) to diagnose and resolve hardware,
hardware configuration, and device driver problems. You can also use the
various Troubleshooters in Help to aid you in diagnosing the problem.

TIP
Because only the minimum files and drivers are used when Windows
2000 boots in Safe Mode, don’t be surprised when many services and
devices don’t work. For example, in regular Safe Mode you won’t be able
to access any network resources.

After you’ve resolved your Windows 2000 computer’s problem in Safe
Mode, shut down the computer and try restarting it normally.
Another option to consider, instead of selecting Safe Mode, is selecting
the Last Known Good Configuration from the Windows 2000 Advanced
Options Menu when you start your Windows 2000 computer. This configu-
ration boots Windows 2000 by using the registry settings that were saved the
last time you successfully logged on to the computer. This option can be
useful when you need to reverse a configuration change you made the last
time you were logged on. You should be aware, however, that all changes
made to the computer’s configuration during the last logon session will
be lost.

Using the Recovery Console to Restore a System


The Windows 2000 Recovery Console is a limited version of the Windows
2000 operating system that only has a command-line interface. Consider
using the Recovery Console when you aren’t able to resolve a computer’s
problem by using Safe Mode or the Emergency Repair Disk. The
Recovery Console is helpful when you need to manually start or stop a
service, repair the master boot record, or manually copy files from a floppy
disk or compact disc to the computer’s hard disk to restore a system.

CAUTION
Only experienced system administrators with extensive troubleshooting
and diagnostic skills should use the Recovery Console because it’s easy
to damage critical operating system files and because the Recovery
Console’s interface is not particularly user-friendly.

There are two ways you can start the Recovery Console. You can boot
the computer from the Windows 2000 compact disc and select Recovery
Console from the menu that appears; or, if the Recovery Console has been
installed in the computer’s boot menu, you can select the Recovery
Console option from the boot loader menu when the computer starts.
You need to log on as Administrator to use the Recovery Console.

STEP BY STEP

STARTING THE RECOVERY CONSOLE BY BOOTING FROM THE WINDOWS 2000 CD

1. Place the Windows 2000 compact disc in your Windows 2000 computer’s
CD-ROM drive. Start the computer and boot from the compact disc.
2. If your compact disc contains an evaluation version of Windows 2000,
when prompted, press Enter to continue.
3. The Welcome to Setup screen appears. Press R.
4. In the Windows 2000 Repair Options screen, press C to start the Recovery
Console.
5. The Recovery Console starts. If you have more than one Windows 2000
installation on your computer, type in the number of the installation you want
to repair and press Enter.
6. When prompted, type the Administrator password (this is the password for the
Administrator on the local computer) and press Enter.

TIP
If this computer is a domain controller, type the Administrator’s password that
was entered in the “Directory Services Restore Mode Administrator
Password” screen during the installation of Active Directory and press Enter.

7. Use the appropriate Recovery Console commands to perform the necessary
system repairs.
8. To quit the Recovery Console, at the command prompt, type exit and press Enter.
9. Remove the Windows 2000 compact disc and start the computer normally.

Many of the commands available in the Recovery Console are identical to
MS-DOS commands. For a complete list of the commands available for use
in the Recovery Console, at the Recovery Console command prompt, type
help and press Enter. For information about a specific command, at the
Recovery Console command prompt, type help command_name and press
Enter. For example, to get more information on the fixmbr command, at the
command prompt, type help fixmbr and press Enter.
There is an easier way to access the Recovery Console, but you have to
think about it ahead of time — before your computer has a problem that
renders it unbootable. You can add the Recovery Console to the boot
menu of a healthy Windows 2000 computer. Then, if at some later point a
problem arises and you need it, you can easily select it from the computer’s
boot loader menu.

STEP BY STEP

ADDING THE RECOVERY CONSOLE TO THE BOOT MENU

1. Place your Windows 2000 compact disc into your computer’s CD-ROM drive.
Close the Microsoft Windows 2000 CD dialog box.
2. Select Start ➪ Programs ➪ Accessories ➪ Command Prompt.
3. In the Command Prompt dialog box, at the command prompt, type in the drive let-
ter of your CD-ROM drive followed by a colon (for example, D:) and press Enter.
4. At the command prompt, type cd \i386 and press Enter.
5. At the command prompt, type winnt32 /cmdcons and press Enter.
6. A Windows 2000 Setup dialog box appears, as shown in Figure 14-7.

FIGURE 14-7 Installing the Recovery Console as a startup option



STEP BY STEP Continued

Click Yes to install the Recovery Console as an option in the boot loader menu.
7. A Windows 2000 Setup wizard starts and installs the Recovery Console. When
the installation is complete, a Microsoft Windows 2000 [Server or Professional]
Setup dialog box appears, notifying that the Recovery Console has been success-
fully installed. Click OK.
8. At the command prompt, type exit and press Enter.

Using the Emergency Repair Disk to Restore a System

An Emergency Repair Disk is a floppy disk used to restore Windows 2000
system files that become accidentally corrupted or erased due to viruses or
other causes. Earlier in this chapter I explained how to create an
Emergency Repair Disk, and in this section I’ll show you how to use it.
An Emergency Repair Disk is primarily used to repair and restart a
Windows 2000 computer that won’t boot. In particular, an Emergency
Repair Disk is useful for repairing damaged Windows 2000 operating
system files and the partition boot sector. You can’t use an Emergency
Repair Disk to repair the registry or other System State data.

TIP
You need to create the Emergency Repair Disk on your Windows 2000
computer when it’s functioning properly. If you don’t think about making
an Emergency Repair Disk before you have a problem, you’ll be out of
luck, because you can’t create one on a computer that won’t start.

You should only use an Emergency Repair Disk to repair the computer
on which it was created. If you attempt to use an Emergency Repair Disk
to repair another computer, changes to the computer’s configuration and
startup files (AUTOEXEC.NT and CONFIG.NT) may occur. In addition,
the disk may not contain the information needed to successfully repair
the computer.

STEP BY STEP

PERFORMING THE EMERGENCY REPAIR PROCESS

1. Place the Windows 2000 compact disc in your Windows 2000 computer’s
CD-ROM drive. Start the computer and boot from the compact disc.
2. If your compact disc contains an evaluation version of Windows 2000, when
prompted, press Enter to continue.
3. The Welcome to Setup screen appears. Press R.
4. In the Windows 2000 Repair Options screen, press R to start the emergency
repair process.
5. In the Windows 2000 Professional Setup screen, select from one of two options:
• Manual Repair: To choose from a list of repair options, press M.
• Fast Repair: To perform all repair options, press F and skip to Step 7.
6. In the next screen, select one or more of the following repair tasks:
• Inspect startup environment
• Verify Windows 2000 system files
• Inspect boot sector
All three tasks are selected by default. When you have finished making your
selections, highlight “Continue (perform selected tasks)” and press Enter.
7. When prompted, insert your Windows 2000 Emergency Repair Disk into drive A:
and press Enter.
8. Windows 2000 performs the emergency repair process and replaces any dam-
aged system files that it detects. When prompted, remove your Emergency Repair
Disk from drive A:. Windows 2000 restarts your computer.

After you’ve performed the emergency repair process and restarted your
Windows 2000 computer, you should reapply any Windows 2000 Service
Packs that were previously installed on this computer.

Monitoring and Configuring Removable Media

I don’t want to leave a chapter on backup and recovery without discussing
how to monitor and configure removable media, such as tapes and
optical discs.

Windows 2000 includes a management tool, called Removable Storage,
which works in conjunction with your data-management programs, such
as Backup. You can use Removable Storage to:
■ Perform specific maintenance tasks, such as ejecting, preparing,
mounting, and dismounting tapes and other removable media.
■ Organize removable media into media pools, which can be
accessed by all of the data-management programs on a Windows
2000 computer.
■ Manage the removable media within a jukebox or a media changer.
■ Configure the properties of removable media devices, including
permissions.
■ Configure a media library, or an individual drive or a cleaning
cartridge within a media library.
■ Monitor the various removable media tasks that have been
completed by users, as well as tasks that are waiting in the work
queue to be completed.
■ Monitor the assignment of removable media to media pools and to
specific applications.
■ View all removable media associated with the Windows 2000
computer, whether this media is currently online or offline.
To access Removable Storage, from the desktop, right-click My
Computer and select Manage from the menu that appears. Then, in the left
pane of the Computer Management dialog box, expand Removable Storage
and select the specific Removable Storage component you want to use.
Using Removable Storage is fairly straightforward, and, to a large degree,
self-explanatory. The Removable Storage tool has a standard MMC user
interface, which by now you’ve had a fair amount of experience with.
Because Removable Storage is included in Computer Management, you
can use Removable Storage on the local computer, or you can connect
to another computer and use Removable Storage to remotely manage
removable media on another Windows 2000 computer on your network.

CAUTION
If you use Removable Storage as a part of your backup strategy, be sure
to test it thoroughly to ensure that it is working correctly, and that you are
getting the backups you want.

Chapter 14 ▼ Backup and Recovery 941

KEY POINT SUMMARY

This chapter introduced several important backup and recovery topics:


■ User data includes application files and folders, operating system files and
folders, and user-created files and folders.
■ System State data includes critical operating system files, folders, and
databases. The actual components of System State data vary depending on the
Windows 2000 operating system you’re using and the services installed on
that operating system.
■ Tape backup is an important part of your overall network fault tolerance plan.
There are five standard backup types: Normal, Copy, Incremental, Differential, and
Daily. A backup strategy often includes a combination of these backup types.
■ The backup utility that ships with Windows 2000 is called Backup. You can
use this program to perform backups, schedule backups, perform restores, and
create an Emergency Repair Disk.
■ An Emergency Repair Disk is a floppy disk used to repair Windows 2000 system
files that become accidentally corrupted or erased due to viruses or other causes.
■ You can back up and restore user data to both local and network drives.
However, you can only back up and restore System State data on the
local computer.
■ In order to perform a backup (or restore) you need to be a member of the
Administrators or Backup Operators groups, or have the “Back up files and
directories” (or the “Restore files and directories”) user right assigned to you.
On a domain controller, members of the Server Operators group can also
back up (and restore) files and folders.
■ To restore the Active Directory data store, you must also have the
Administrator’s password that was entered during the installation of
Active Directory.
■ There are two types of restores you can perform of Active Directory: a
nonauthoritative restore, and an authoritative restore.
■ There are several Windows 2000 tools you can use to attempt to recover
from a system failure, including: Safe Mode, the Recovery Console, and the
Emergency Repair Disk.

■ Removable Storage is a Windows 2000 management tool you can use to
manage, monitor, and configure removable media associated with your Windows
2000 computer.

STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about backup and recovery, and to help you prepare for the
Professional, Server, and Directory Services exams:
■ Assessment questions: These questions test your knowledge of
the backup and recovery topics covered in this chapter. You’ll find
the answers to these questions at the end of this chapter.
■ Scenarios: The situation-based questions in scenarios challenge you
to apply your understanding of the material to solve a hypothetical
problem. In this chapter’s scenarios, you are asked to analyze several
situations involving backup and recovery-related topics. You don’t
need to be at a computer to do scenarios. Answers to this chapter’s
scenarios are presented at the end of this chapter.
■ Lab Exercises: These exercises are hands-on practice activities
that you perform on a computer. The lab in this chapter gives you
an opportunity to practice numerous backup and recovery tasks.

Assessment Questions
1. You want to create an Emergency Repair Disk for your Windows
2000 computer. Which tool should you use?
A. Windows 2000 Setup
B. Backup
C. System
D. ntdsutil.exe
2. You perform a normal backup for your company once a week. In
addition, you want to perform a backup of data each day in between
normal backups. You want to minimize the amount of time it takes
to perform these backups. Which backup type should you use on
the days in between normal backups?
A. Normal
B. Incremental

C. Differential
D. Copy
3. Which Windows 2000 tool should you use to perform a restore of
user data on a domain controller?
A. Backup
B. Active Directory Users and Computers
C. Computer Management
D. Disk Management
4. Your Windows 2000 computer won’t boot. Which tools can you use
to attempt to recover from the system failure? (Choose all that apply.)
A. Backup
B. Recovery Console
C. Emergency Repair Disk
D. Safe Mode
5. You want to monitor and configure your organization’s removable
media, including a tape library and optical discs. Which Windows
2000 tool can you use to do this?
A. Remote Storage
B. Sounds and Multimedia
C. Imaging
D. Removable Storage
6. You recently discovered that another administrator on your network
accidentally deleted an OU and all of its users. As a result of replication,
the Active Directory data store on all of your network’s domain
controllers is damaged. You want to restore Active Directory so that the
restored Active Directory objects will replace the corresponding Active
Directory entries on other domain controllers on your network when
replication of Active Directory takes place. What kind of restore should
you perform on the domain controller?
A. An authoritative restore
B. A nonauthoritative restore
C. A partial restore of user data
D. A full restore of user data

7. You want to add the Recovery Console to the boot loader menu
of your Windows 2000 computer. You place your Windows 2000
compact disc into your CD-ROM drive and start a command
prompt. At the command prompt, you change to the drive letter
of the CD-ROM drive, and then change directories to the i386
folder. What should you type at the command prompt?
A. winnt32 /rcvcons
B. winnt /rcvcons
C. winnt32 /cmdcons
D. winnt /cmdcons
8. You are performing an authoritative restore of Active Directory. After
performing a restore of System State data on your domain controller,
but before rebooting the computer, you start a command prompt.
What should you type at the command prompt?
A. authoritative restore
B. restore database
C. restore subtree
D. ntdsutil

Scenarios
I introduced a lot of backup and recovery-related topics in this chapter,
and here’s your chance to sink your teeth into a few situations that you
might encounter in real life. For each of the scenarios listed, consider the
given facts and answer the questions that follow.
1. When you arrived at the office this morning, you found your
Windows 2000 Server computer locked up, and you were unable to
reboot it successfully.
a. What are three tools you can use to attempt to recover from the
system failure?
b. If none of these attempts works, what should you do next?
2. You are the new administrator of your company’s Windows 2000
network. Part of your job responsibilities include managing and
optimizing the availability of user data and System State data on
your network. What techniques can you use to accomplish this?
3. Your job, as assistant administrator for your organization’s Windows
2000 network, is to manage your company’s removable media libraries.
Specifically, you want to:
■ Configure the properties of your removable media changers,
including security
■ Monitor all removable media associated with your company’s
Windows 2000 computers
How can you accomplish these tasks?

Lab Exercises
Lab 14-1 Backup and Recovery
EXAM MATERIAL: Professional, Server, Directory Services

The purpose of this lab is to provide you with an opportunity to use
several Windows 2000 backup and recovery tools.
There are four parts to this lab:
■ Part 1: Backing Up User Data and System State Data, Including
Active Directory
■ Part 2: Restoring User Data and System State Data, Including an
Authoritative Restore of Active Directory
■ Part 3: Installing and Using the Recovery Console
■ Part 4: Using Safe Mode
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Backing Up User Data and System State Data, Including Active Directory
In this part, you use Backup to back up the Apps folder and all of the
System State data (including the Active Directory data store) on your
Windows 2000 domain controller.
1. Select Start ➪ Programs ➪ Accessories ➪ System Tools ➪ Backup.
2. In the Backup dialog box, click the button next to Backup Wizard.
3. The Backup Wizard starts. Click Next.
4. In the What to Back Up screen, select the “Back up selected files,
drives, or network data” option. Click Next.
5. In the Items to Back Up screen, click the + next to My Computer.
Click the + next to C:. Select the check box next to the Apps folder.
Scroll down and select the check box next to System State. Click Next.
6. In the Where to Store the Backup screen, select a backup media type
of File (if this option is not already selected and grayed out) from the
“Backup media type” drop-down list box. Then, in the “Backup
media or file name” text box, type C:\Backup.bkf. Click Next.
7. The Completing the Backup Wizard screen appears. Click Advanced.
8. In the Type of Backup screen, select Normal from the drop-down
list box. Click Next.
9. In the How to Back Up screen, accept the default selections and
click Next.
10. In the Media Options screen, select the “Replace the data on the
media with this backup” and click Next.
11. In the Backup Label screen, accept the default backup and media
labels, and click Next.
12. In the When to Back Up screen, ensure that the Now option is
selected and click Next.
13. In the Completing the Backup Wizard screen, click Finish.
14. Windows 2000 performs the backup. (This process takes a few
minutes.) If a Replace Data dialog box appears during the backup,
click Yes. When the Backup Progress dialog box indicates that the
backup is complete, click Report and view the backup report.
Close Notepad when you finish viewing the report. Click Close.
15. Close Backup.

Part 2: Restoring User Data and System State Data, Including an Authoritative Restore of Active Directory
In this part, you use Backup to restore the Apps folder and all of the
System State data on your Windows 2000 domain controller. You perform
an authoritative restore of Active Directory by using Backup and the
ntdsutil.exe command-line utility.

1. Shut down and restart your Windows 2000 Server computer (which is
configured as a domain controller). During the boot process, press F8.
2. On the Windows 2000 Advanced Options Menu, select Directory
Services Restore Mode and press Enter.
3. Select Microsoft Windows 2000 Server from the boot loader menu
and press Enter.
4. Windows 2000 Server boots in Safe Mode – Directory Services
Repair. When prompted, press Ctrl+Alt+Delete.
5. In the Log On to Windows dialog box, accept the default user name
of administrator. Enter a password of password. Click OK.
6. A Desktop warning message appears, indicating that Windows is
running in Safe Mode. Click OK.
7. Select Start ➪ Programs ➪ Accessories ➪ System Tools ➪ Backup.
8. In the Backup dialog box, click the Restore Wizard button.
9. The Restore Wizard starts. Click Next.
10. In the What to Restore screen, click the + next to File. Click the +
next to “Media created date.” Select the check boxes next to C: and
System State. Click Next.
11. The Completing the Restore Wizard screen appears. Click Advanced.
12. In the Where to Restore screen, accept the default selection of
Original location and click Next.
13. In the How to Restore screen, select the “Always replace the file on
disk” option and click Next.
14. In the Advanced Restore Options screen, accept the default selections
and click Next.
15. In the Completing the Restore Wizard screen, click Finish.
16. In the Enter Backup File Name dialog box, ensure that C:\Backup.bkf
is displayed in the “Restore from backup file” text box. Click OK.

17. Windows 2000 performs the restore of the Apps folder and System
State data, including Active Directory. When the Restore Progress
dialog box indicates that the restore is complete, click Report to
view the restore report. Close Notepad when you finish viewing
the report. Click Close.
18. When a Backup warning dialog box appears, click No, and
close Backup.

CAUTION
Don’t click Yes — If you do, you’ll have to re-perform Part 2 of this lab up
to this point.

19. Select Start ➪ Programs ➪ Accessories ➪ Command Prompt.
20. In the Command Prompt dialog box, at the command prompt, type
ntdsutil and press Enter.
21. At the ntdsutil: prompt, type authoritative restore and
press Enter.
22. At the authoritative restore: prompt, type restore database
and press Enter.
23. In the Authoritative Restore Confirmation Dialog box, click Yes.
24. Windows 2000 opens the Active Directory database and marks the
objects you selected by increasing their attribute version numbers. At
the authoritative restore: prompt, type quit and press Enter.
25. At the ntdsutil: prompt, type quit and press Enter.
26. At the command prompt, type exit and press Enter.
27. Shut down your computer, and restart it normally. Boot to Windows
2000 Server and log on as Administrator.

Part 3: Installing and Using the Recovery Console
In this part, you install the Recovery Console in your computer’s boot
loader menu. Then you start the Recovery Console and view Recovery
Console help.
1. Place your Windows 2000 compact disc into your computer’s
CD-ROM drive. Close the Microsoft Windows 2000 CD dialog box.
2. Select Start ➪ Programs ➪ Accessories ➪ Command Prompt.
3. In the Command Prompt dialog box, at the command prompt,
type in the drive letter of your CD-ROM drive followed by a
colon (for example, D:) and press Enter.
4. At the command prompt, type cd \i386 and press Enter.
5. At the command prompt, type winnt32 /cmdcons and press Enter.
6. In the Windows 2000 Setup dialog box, click Yes to install the
Recovery Console as an option in the boot loader menu.
7. A Windows 2000 Setup wizard starts and installs the Recovery
Console. When the installation is complete, a Microsoft Windows
2000 Server Setup dialog box appears, notifying that the Recovery
Console has been successfully installed. Click OK.
8. At the command prompt, type exit and press Enter.
9. Remove the Windows 2000 compact disc from your computer’s
CD-ROM drive. Then shut down your computer and restart it.
During the boot process, select Microsoft Windows 2000 Recovery
Console from the boot loader menu and press Enter.
10. The Recovery Console starts. When prompted, type 1 to log on to
the Windows 2000 Server installation and press Enter.
11. When prompted, type the Administrator password (it’s password)
and press Enter.
12. At the command prompt, type help and press Enter. Notice the
various commands that you can use in the Recovery Console. Press
the spacebar to view the remaining commands.
13. At the command prompt, type enable /? and press Enter to view the
help for the enable command.
14. At the command prompt, type exit and press Enter.
15. Windows 2000 restarts your computer. Press F8 during the reboot
process, and continue to Part 4.

Part 4: Using Safe Mode
In this part, you boot your Windows 2000 computer in Safe Mode. Then
you use Device Manager and one of the Windows 2000 Troubleshooters.
1. After you have pressed F8 during the reboot process, select Safe Mode
from the Windows 2000 Advanced Options Menu and press Enter.
2. Select Microsoft Windows 2000 Server from the boot loader menu
and press Enter.
3. Windows 2000 Server boots in Safe Mode. Press Ctrl+Alt+Delete.
4. In the Log On to Windows dialog box, enter a user name of
Administrator and a password of password. Click OK.
5. A Desktop warning message appears, indicating that Windows is
running in Safe Mode. Click OK.
6. The Safe Mode version of the Windows 2000 desktop is displayed.
Right-click My Computer, and select Properties from the menu
that appears.
7. In the System Properties dialog box, click the Hardware tab.
8. On the Hardware tab, click Device Manager.
9. Device Manager starts. Click the + next to “Mice and other pointing
devices.” Double-click your mouse underneath this heading.
10. In the Mouse Properties dialog box, click Troubleshooter.
11. The Mouse Troubleshooter starts. You can use this troubleshooter to
diagnose a mouse problem. You can access many other Troubleshooters
by using Device Manager. Close the Windows 2000 dialog box.
12. In the Mouse Properties dialog box, click OK.
13. Close Device Manager.
14. In the System Properties dialog box, click OK.
15. Shut down your Windows 2000 computer.

Answers to Chapter Questions

Chapter Pre-Test
1. User data is a broad category that includes application files and folders,
operating system files and folders, and user-created files and folders. In
short, user data includes all files and folders on the Windows 2000
computer that aren’t held open at all times by Windows 2000.
2. System State data includes various critical operating system files,
folders, and databases. The actual components of System State data
vary depending on the Windows 2000 operating system you’re using
and the services installed on that operating system. For all Windows
2000 computers, System State data includes the operating system
boot files, the registry, and the COM+ Class Registration database.
On a Windows 2000 Server computer that has Certificate Services
installed, System State data also includes the Certificate Services
database. Finally, on a Windows 2000 Server that is a domain
controller, System State data also includes the Active Directory
data store and the contents of the SYSVOL folder.
3. From the desktop select Start ➪ Programs ➪ Accessories ➪ System
Tools ➪ Backup.
4. You can use Backup to perform a backup, to perform a restore, and
to create an Emergency Repair Disk.
5. An Emergency Repair Disk is a floppy disk used to repair Windows
2000 system files that become accidentally corrupted or erased due to
viruses or other causes. An Emergency Repair Disk is primarily used
to repair and restart a Windows 2000 computer that won’t boot.
6. In order to back up (or restore) data you need to be a member of the
Administrators or Backup Operators groups, or you need to have the
“Back up files and directories” (or the “Restore files and directories”)
user right assigned to you. If you’re backing up or restoring data on a
Windows 2000 domain controller, members of the Server Operators
group also have the necessary permissions to back up and restore files
and folders on this computer.
7. You can perform a nonauthoritative restore or an authoritative restore
of Active Directory.
8. Safe Mode, the Recovery Console, and the Emergency Repair Disk
9. Removable Storage

Assessment Questions
1. B. Of the choices presented, only the Backup program can be used
to create an Emergency Repair Disk. You can boot your computer to
the Windows 2000 compact disc and use the Windows 2000 Setup
program to use the Emergency Repair Disk, but you can’t create it
by using this program.
2. B. In terms of the time it takes to perform backups, the incremental
backup will take the least amount of time because it is not a cumulative
backup, like the differential backup.
3. A. Use Backup to perform restores as well as backups.
4. A, B, C, D. You can start by using Safe Mode, the Recovery Console, and
the Emergency Repair Disk to recover from the system failure. If none of
these tools work, you can use Backup to try to restore System State data
to the Windows 2000 computer. If none of these things work, you’ll
probably have to reinstall Windows 2000.
5. D. Removable Storage is the Windows 2000 tool used to manage
removable media. Remote Storage is not the correct answer here
because it is used to manage nonremovable (fixed) media on a
Windows 2000 computer.
6. A. In order for the restored Active Directory objects to replace
existing objects on the other domain controllers when replication
occurs, you’ll need to perform an authoritative restore of Active
Directory on the domain controller.
7. C. Winnt32 /cmdcons is the appropriate command to install the
Recovery Console.
8. D. At the first command prompt, you must type ntdsutil. At
subsequent command prompts you type authoritative restore and
restore database (or restore subtree, depending on whether you
are restoring all or a portion of the Active Directory data store).
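Assessment question 2 and its answer turn on how the backup types treat a file’s archive attribute. The following Python simulation is an added example, not code from the book: it runs a constructed week of backups (a normal backup followed by either incrementals or differentials) and shows both how much each backup carries and how many backup sets a restore would need.

```python
"""Simulate the five Windows 2000 backup types in terms of the archive attribute.

Added example, not code from the book. The selection rules are the standard
Windows backup semantics:
  Normal        all selected files; clears the archive attribute
  Copy          all selected files; leaves the attribute alone
  Incremental   files with the attribute set; clears it
  Differential  files with the attribute set; leaves it alone
  Daily         files modified today; leaves the attribute alone
"""
from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    archive: bool = True    # a new or modified file has the attribute set
    modified_day: int = 0   # day number of the last modification


@dataclass
class BackupSet:
    kind: str
    day: int
    files: list = field(default_factory=list)


def run_backup(kind, volume, day):
    """Select files according to the backup type, then update attributes."""
    kind = kind.lower()
    if kind in ("normal", "copy"):
        selected = list(volume)
    elif kind in ("incremental", "differential"):
        selected = [f for f in volume if f.archive]
    elif kind == "daily":
        selected = [f for f in volume if f.modified_day == day]
    else:
        raise ValueError(f"unknown backup type: {kind}")
    # Only normal and incremental backups mark files as backed up.
    if kind in ("normal", "incremental"):
        for f in selected:
            f.archive = False
    return BackupSet(kind, day, [f.name for f in selected])


def modify(volume, name, day):
    """Simulate a user editing (or creating) a file: the attribute is set again."""
    for f in volume:
        if f.name == name:
            f.archive = True
            f.modified_day = day
            return
    volume.append(File(name, True, day))


def restore_chain(history):
    """Backup sets needed to rebuild the volume from a list of BackupSets.

    Incremental strategy: the last normal plus every incremental after it.
    Differential strategy: the last normal plus only the newest differential.
    Copy and daily backups are never part of the chain.
    """
    last_normal = max(i for i, b in enumerate(history) if b.kind == "normal")
    chain = [history[last_normal]]
    later = history[last_normal + 1:]
    chain.extend(b for b in later if b.kind == "incremental")
    diffs = [b for b in later if b.kind == "differential"]
    if diffs:
        chain.append(diffs[-1])
    return chain


def simulate_week(between_kind):
    """Normal backup on day 0, then `between_kind` on days 1-3.

    Returns (history, number of files carried by each backup). The file
    names and the edit pattern are constructed for the example.
    """
    volume = [File("payroll.xls"), File("memo.doc"), File("db.mdb")]
    history = [run_backup("normal", volume, 0)]
    edits = {1: ["memo.doc"], 2: ["memo.doc", "db.mdb"], 3: ["notes.txt"]}
    for day in range(1, 4):
        for name in edits[day]:
            modify(volume, name, day)
        history.append(run_backup(between_kind, volume, day))
    return history, [len(b.files) for b in history]


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        hist, sizes = simulate_week(kind)
        print(f"{kind:12} files per backup: {sizes}  "
              f"sets needed to restore: {len(restore_chain(hist))}")
```

The incremental week writes fewer files per day (the time-saving the answer refers to) but a restore needs every incremental since the last normal backup, whereas the differential week needs only the latest differential.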

Scenarios
1. You can use Safe Mode, the Recovery Console, and the Emergency
Repair Disk to attempt to recover from the system failure. If none of
these techniques work, you could also try restoring System State data
on the Windows 2000 Server computer.
2. There are several techniques you could consider when you want to
manage and optimize the availability of your network’s data. For
example, you can use NTFS and permissions to restrict access to
files and folders, and use mirrored volumes and RAID-5 volumes to
provide fault tolerance. Another important part of your overall fault
tolerance plan is performing regular backups of data.
3. To manage your company’s removable media libraries, you can use
the Removable Storage tool in Computer Management. To access
Removable Storage, from the desktop, right-click My Computer and
select Manage from the menu that appears. Then, in the left pane of
the Computer Management dialog box, expand Removable Storage
and select the specific Removable Storage component you want to
use. To configure the properties of a removable media changer,
right-click the specific device under the Physical Locations folder,
and select Properties from the menu that appears. To monitor all
removable media associated with a Windows 2000 computer, view
the contents of each of the media pools.
EXAM MATERIAL: Professional, Server, Network

EXAM OBJECTIVES

Professional: Exam 70-210
■ Implement, Manage, and Troubleshoot input and output
(I/O) devices.
■ Install, configure, and manage modems.
■ Connect to computers by using dial-up networking.
■ Connect to computers by using a virtual private network
(VPN) connection.
■ Create a dial-up connection to connect to a remote
access server.
■ Connect to the Internet by using dial-up networking.
■ Configure and troubleshoot Internet Connection Sharing.

Server: Exam 70-215
■ Install and configure network services for interoperability.
■ Install, configure, and troubleshoot shared access.
■ Install, configure, and troubleshoot network protocols.
■ Install and configure network services.
■ Configure the properties of a connection.

Network: Exam 70-216
■ Install, configure, and troubleshoot network protocols.
■ Install the NWLink protocol.
■ Configure network bindings.
■ Install Internet Connection Sharing.

CHAPTER 15
Creating and Configuring Network and Dial-up Connections

Chapter 15 is all about creating and configuring network and dial-up
connections on a Windows 2000 computer. You may not think about
connections every day, but they’re vital to your computer’s ability to function
on the network — without connections your computer can’t access the local
area network, the Internet, or other computers.
I’ll start by explaining how Windows 2000 automatically creates a local
area connection for each network adapter in your computer. Then I’ll briefly
discuss how to install and configure modems, which are required for dial-up
connections. Then I’ll spend some time showing you how to create several
different types of connections, including: dial-up connections to the Internet,
dial-up connections to a remote access server, direct connections between
computers, and virtual private network (VPN) connections.
In the second half of this chapter I’ll explore how to configure connection
properties. I’ll show you how to configure modem properties and how to enable
Internet Connection Sharing. Then I’ll explain how to install and configure
protocols, clients, and services on your Windows 2000 computer. Finally, I’ll
discuss configuring a few other connection properties, including security options.


960 Part IV ▼ Networking and Interoperability

Chapter Pre-Test
1. What does Windows 2000 automatically create for each network
adapter that is installed (and detected) in a Windows 2000
computer?
2. What is a VPN connection?
3. What must you have installed in your Windows 2000 computer
before you can create a dial-up connection?
4. In what situation might you want to use Internet Connection
Sharing?
5. What are bindings and provider order?
6. In addition to installing network protocols, you may also need
to install and configure additional network clients and services
to fully support the connections on your Windows 2000 computer,
and to support _______________ with other ___________
___________.
7. What function do network clients perform?
8. What function do services perform?

Chapter 15 ▼ Creating and Configuring Network and Dial-up Connections 961

Creating Connections
Connections provide your Windows 2000 computer with access to a
network or another computer, and also provide other computers on
the network with access to your computer. A connection includes all of
the hardware and software required to communicate on the network that
your computer is connected to. Windows 2000 supports several different
kinds of connections:
■ Local area connections: These are connections between a
computer and a local area network that require the computer
to have a network adapter installed.
■ Dial-up connections: These are connections between two
computers that use modems for communication.
■ Direct connections: These are connections between two
computers that involve the use of a cable or infrared port.
■ Virtual private network (VPN) connections: These are
private, encrypted connections between two computers that
can already communicate with each other by using TCP/IP.
■ Incoming connections: These are inbound connections to a
computer that can use a modem, cable, or infrared port.
The Network and Dial-up Connections folder in Control Panel is
used to create, configure, and manage all of these types of connections.

EXAM TIP
The Professional exam has several objectives on using these various
types of connections. Make sure you fully understand how to create and
use these connections to connect to other computers and networks.

During installation, Windows 2000 automatically creates a local area
connection for each network adapter that it detects in your computer. All
other types of connections must be created. In the sections that follow I’ll
explain how to create new connections by installing network adapters,
how to install and configure modems, how to create various types of
dial-up connections, and how to create a VPN connection.

Creating New Connections by Installing Network Adapters
If you have a network adapter in your computer when you install Windows
2000, Windows 2000 automatically creates a local area connection for that
network adapter. If you install an additional network adapter in your
computer, Windows 2000 creates an additional local area connection.
The point is this: Windows 2000 — not you — controls how many local
area connections your computer has. Of course, you can configure the
connection(s) that you have, and I’ll cover how to do that in the last half of
this chapter, but you can’t just use a wizard to create local area connections
on your computer.

Installing and Configuring Modems
Before you can create dial-up connections to the Internet, remote access
servers, and so on, you need to install and configure at least one modem in
your Windows 2000 computer.
Installing a modem is a two-part process. First, you need to either
physically install the modem (if it’s an internal device), or connect the
modem to your computer (if it’s an external device). Then, if Windows
2000 doesn’t automatically detect and install the drivers for the modem,
you’ll need to perform that part of the process manually. In the next
section, I’m referring to the second part of this process, where the drivers
for the modem are installed.

Installing Modems
You can use either the Phone and Modem Options or the Add/Remove
Hardware applications in Control Panel to install a modem. You must be a
member of the Administrators group to add and configure modems.
The process of installing a modem is quite similar whether you use
Add/Remove Hardware or Phone and Modem Options. Using Phone and
Modem Options is slightly faster because it saves you from having to
complete several of the beginning screens in the Add/Remove Hardware Wizard.

CROSS-REFERENCE
If you decide to use Add/Remove Hardware to install your modem, you
can find specific instructions for using this application in the
“Add/Remove Hardware” section in Chapter 5.

STEP BY STEP

INSTALLING A MODEM BY USING PHONE AND MODEM OPTIONS

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Phone and Modem Options.
3. In the Phone And Modem Options dialog box, click the Modems tab.
4. The Modems tab appears, as shown in Figure 15-1. To install a modem, click Add.

FIGURE 15-1 The Modems tab in Phone And Modem Options

5. The Add/Remove Hardware Wizard starts and displays the Install New Modem
screen. If you want Windows 2000 to automatically detect your modem, ensure
that the check box next to “Don’t detect my modem, I will select it from a list”
is cleared. If you want to manually select your modem, select this check box.
Click Next.
6. Follow the instructions presented on-screen to complete the installation of
your modem.

Configuring Modems
Once you’ve installed a modem you can use the Phone and Modem
Options application in Control Panel to configure your modem’s properties.

When you use Phone and Modem Options to configure a modem,
you’re configuring the default properties of that modem, which will be
used by any new connections that you create. Any modem settings that you
configure in Phone and Modem Options, however, will not affect the
settings in currently existing connections. I should also point out that you
can configure a modem differently for each connection that uses that
modem. I’ll discuss how to configure modem properties for a specific
connection later in this chapter.

STEP BY STEP

CONFIGURING A MODEM IN PHONE AND MODEM OPTIONS

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Phone and Modem Options.
3. In the Phone And Modem Options dialog box, click the Modems tab.
4. On the Modems tab, highlight the modem you want to configure, and click
Properties.
5. The modem’s Properties dialog box appears, as shown in Figure 15-2. Notice the
three tabs in this dialog box: General, Diagnostics, and Advanced.

FIGURE 15-2 Configuring a modem’s properties


There are three primary configurations you can make on the General tab:
■ Speaker volume: You can move the slider to adjust the modem’s speaker
volume to the desired level. Some modems only permit an on or off setting.
■ Maximum Port Speed: In this drop-down list box, you can select a
maximum port speed for this modem. The possible range is from 300 bps
to 115200 bps. The default setting of 115200 is appropriate for most
56 Kbps modems.
■ Dial Control — Wait for tone before dialing: If you select this check box,
the modem will wait for a dial tone before it dials. This check box is selected
by default.
Configure the appropriate options on this tab. Click the Diagnostics tab.
6. On the Diagnostics tab, select the check box next to “Record a Log” if you want
Windows 2000 to record a log file of modem connection activity. This log file,
though not necessary for normal modem operations, can be extremely useful for
troubleshooting modem connection problems.
Later, when you want to view this log file, return to this tab, and click the
“View log” command button, which brings up the log as a Notepad text file.
Click the Advanced tab.
7. On the Advanced tab, you can specify a custom modem initialization string in
the “Extra initialization commands” text box. This is an advanced setting that is
not required for most modem applications. You can also configure advanced
port settings on the Advanced tab, and change default settings for call and data
connection preferences. Again, these settings do not require configuration for
most situations. Make the appropriate configurations on this tab and click OK.
8. In the Phone And Modem Options dialog box, click OK. Close Control Panel.
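The log file that the Diagnostics tab records is the first thing to read when a connection fails. The following script is an added example, not code from the book: it summarises such a log by pairing each AT command sent with the modem’s interpreted response, listing the commands the modem rejected (often a bad entry in “Extra initialization commands” on the Advanced tab), and timing the dial. The line layout it parses and the sample log it embeds are my assumptions, constructed from modem logs I have seen rather than captured from a real system; compare them with a log from your own computer before relying on the parser.

```python
"""Summarise a Windows 2000 modem log recorded via the Diagnostics tab ("Record a Log").

Added example, not part of the book. The line layout assumed here,
    MM-DD-YYYY HH:MM:SS.mmm - Send: ... / - Recv: ... / - Interpreted response: ...
is how ModemLog_<modem>.txt files look on systems the author of this example has
seen; treat it as an assumption. The sample log below is constructed, not captured.
"""
from datetime import datetime
import re

LINE_RE = re.compile(
    r"^(?P<stamp>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"CONNECT\s+(?P<speed>\d+)")

SAMPLE_LOG = """\
04-24-2000 09:38:01.100 - Initializing modem.
04-24-2000 09:38:01.110 - Send: AT<cr>
04-24-2000 09:38:01.150 - Recv: <cr><lf>OK<cr><lf>
04-24-2000 09:38:01.150 - Interpreted response: OK
04-24-2000 09:38:01.200 - Send: AT&FE0V1&C1&D2S0=0<cr>
04-24-2000 09:38:01.260 - Recv: <cr><lf>OK<cr><lf>
04-24-2000 09:38:01.260 - Interpreted response: OK
04-24-2000 09:38:01.300 - Send: ATX9<cr>
04-24-2000 09:38:01.340 - Recv: <cr><lf>ERROR<cr><lf>
04-24-2000 09:38:01.340 - Interpreted response: Error
04-24-2000 09:38:02.000 - Dialing.
04-24-2000 09:38:02.010 - Send: ATDT5551234<cr>
04-24-2000 09:38:25.500 - Recv: <cr><lf>CONNECT 49333<cr><lf>
04-24-2000 09:38:25.500 - Interpreted response: Connect
04-24-2000 09:38:25.510 - Connection established at 49333bps.
"""


def parse_log(text):
    """Yield (timestamp, message) for every well-formed log line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["stamp"], "%m-%d-%Y %H:%M:%S.%f"), m["msg"]


def analyse_log(text):
    """Pair each AT command with the modem's interpreted response and time the dial."""
    exchanges, failed = [], []
    pending = dial_start = None
    connect_speed = dial_seconds = None
    for stamp, msg in parse_log(text):
        if msg.startswith("Send: "):
            pending = msg[len("Send: "):].replace("<cr>", "")
        elif msg.startswith("Interpreted response: ") and pending is not None:
            response = msg[len("Interpreted response: "):]
            exchanges.append((pending, response))
            if response.lower() == "error":
                failed.append(pending)  # the modem rejected this command
            pending = None
        elif msg == "Dialing.":
            dial_start = stamp
        elif msg.startswith("Recv: "):
            cm = CONNECT_RE.search(msg)
            if cm:
                connect_speed = int(cm["speed"])
                if dial_start is not None:
                    dial_seconds = (stamp - dial_start).total_seconds()
    return {
        "exchanges": exchanges,
        "failed_commands": failed,
        "connect_speed_bps": connect_speed,
        "dial_seconds": dial_seconds,
    }


if __name__ == "__main__":
    result = analyse_log(SAMPLE_LOG)
    for cmd, resp in result["exchanges"]:
        print(f"{cmd:<24} -> {resp}")
    print("rejected:", result["failed_commands"])
    print("connected at", result["connect_speed_bps"], "bps after",
          result["dial_seconds"], "s")
```

Run it as a script to see the summary for the embedded sample, or call analyse_log() on the text of a log opened with the “View log” button. A rejected command that is not one of the driver’s own initialization strings points at the “Extra initialization commands” box as the thing to clear first.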

Creating a Dial-up Connection to the Internet

Probably the most common connection configured on a Windows 2000
computer is a dial-up connection to the Internet. Before you can connect
your Windows 2000 computer to the Internet by using a modem, you
need to create a dial-up connection to the Internet. You can create such a
dial-up connection, like other connections, by using the Network
Connection Wizard in the Network and Dial-up Connections folder.

STEP BY STEP

CREATING A DIAL-UP CONNECTION TO THE INTERNET

1. Access the Network and Dial-up Connections folder. (Select Start ➪
Settings ➪ Network and Dial-up Connections.)
2. In the Network and Dial-up Connections folder, double-click Make
New Connection.
3. The Network Connection Wizard starts. Click Next.
4. The Network Connection Type screen is displayed, as shown in Figure 15-3.
Notice the many types of connections you can choose from in this dialog box.

FIGURE 15-3 Network connection types

Select the “Dial-up to the Internet” option. Click Next.
5. The Internet Connection Wizard starts. Select one of the three options presented:
I want to sign up for a new Internet account. (My telephone line is connected
to my modem.)
I want to transfer my existing Internet account to this computer. (My telephone
line is connected to my modem.)
I want to set up my Internet connection manually, or I want to connect through
a local area network (LAN).
Select the appropriate option, and click Next. (I selected the “I want to set up my
Internet connection manually” option, so the next steps are based on that choice.
If you select one of the other options, follow the instructions presented on-screen
to complete the creation of your dial-up connection to the Internet.)
6. In the “Setting up your Internet connection” screen, select one of the two
following options:
I connect through a phone line and a modem
I connect through a local area network (LAN)
(I selected the “I connect through a phone line and a modem” option.) Click Next.
7. In the Choose Modem screen, select the modem you want to use for this dial-up
connection from the drop-down list box. Click Next.
8. In the “Step 1 of 3: Internet account connection information” screen, enter your
area code and telephone number of your Internet service provider (ISP) in the text
boxes provided. Select the country you are located in from the “Country/region
name and code” drop-down list box.
If your ISP instructs you to configure a manual logon, a logon script, to use the
SLIP or C-SLIP connection protocols, or if you need to manually configure the
static IP address your computer will use for this connection, click Advanced,
make the necessary configurations specified by your ISP, and click OK.
Click Next.
9. In the “Step 2 of 3: Internet account logon information” screen, enter the user
name and password to log on to your ISP. Click Next.
10. In the “Step 3 of 3: Configuring your computer” screen, either accept the default
name for this connection, or type in a new one. Click Next.
11. In the Set Up Your Internet Mail Account screen, select the Yes option to set up
an Internet mail account now.
If you don’t want to set up an Internet mail account now, select No and skip to
Step 16.
Click Next.
12. In the Your Name screen, type your name, as you want it to appear, in e-mail
messages that you send. Click Next.
13. In the Internet E-mail Address screen, type your e-mail address, and click Next.
14. In the E-mail Server Names screen, select your incoming mail server type from the
drop-down list box. Then type in the FQDN of the incoming mail server in the text
box provided. Finally, type in the FQDN of your outgoing mail server in the text box
provided. Click Next.
15. In the Internet Mail Logon screen, type in the account name and password you
will use to send and receive e-mail through your ISP. (Your ISP provides you with
this information.) Click Next.
16. In the Completing the Internet Connection Wizard screen, click Finish.
17. In the “Web page unavailable while offline” dialog box that appears, click Connect
to connect to the Internet.
18. Windows 2000 attempts to connect to the Internet. If your connection is
configured correctly, a Connection Complete dialog box is displayed. Click OK. (If error
messages are displayed, you may need to reconfigure this connection.)
19. To disconnect the connection, right-click the connection in the Network and
Dial-up Connections folder, and select Disconnect from the menu that
appears. Or, right-click the network connection icon in the taskbar (near the
clock) and select Disconnect from the menu that appears.

Creating a Dial-up Connection to a Remote Access Server

Many companies use a remote access server to enable their employees to
access the corporate network from home or while traveling by using a
dial-up connection. Before you can connect your Windows 2000
computer to a remote access server by using a modem, you need to create
a dial-up connection to that server. You can create a dial-up connection to
a remote access server by using the Network Connection Wizard in the
Network and Dial-up Connections folder.
Creating a dial-up connection to a remote access server is similar to
creating a dial-up connection to the Internet, but there are a few differences.

STEP BY STEP

CREATING A DIAL-UP CONNECTION TO A REMOTE ACCESS SERVER

1. Access the Network and Dial-up Connections folder. (Select Start ➪
Settings ➪ Network and Dial-up Connections.)
2. In the Network and Dial-up Connections folder, double-click Make
New Connection.
3. The Network Connection Wizard starts. Click Next.
4. In the Network Connection Type screen, select the “Dial-up to private network”
option. Click Next.
5. In the Select a Device screen, select the check box next to the modem you want
to use for this connection, and click Next.
6. In the Phone Number to Dial screen, type in the area code and phone number of
the remote access server you want to connect to in the text boxes provided. Then
select the country you are dialing from in the “Country/region code” drop-down list
box. Click Next.
7. In the Connection Availability screen, select whether this connection will be
available to all users of this computer, or only available to the currently logged
on user. Click Next.
8. In the Internet Connection Sharing screen, you can select a check box to
enable Internet Connection Sharing for this connection. However, most dial-up
connections to remote access servers should not be configured to use Internet
Connection Sharing. Click Next.
9. In the Completing the Network Connection Wizard screen, either accept the
default name for this connection or type in a new name. If desired, select the
check box to add a shortcut to your desktop for this connection. Click Finish.
10. The Connect dialog box for your newly created dial-up connection appears.
If you want to connect to the remote access server now to test your connection,
enter a user name and password for the remote access server, and click Dial.
Windows 2000 connects to the remote access server and displays the
Connection Complete dialog box. Click OK.
If you don’t want to connect now, click Cancel.

Creating a Connection to Another Computer

Occasionally you may want to directly connect two Windows 2000
computers by using a serial cable, parallel cable, or infrared ports. The most
common reason for connecting two computers in this manner is to share
files between the two computers.
Before you can directly connect the two Windows 2000 computers, you
need to perform two tasks. First, you need to configure one of the
computers to accept an incoming connection. Then, you need to configure
the other computer to directly connect to another computer. You can
accomplish both of these tasks by using the Network Connection Wizard
in the Network and Dial-up Connections folder.

TIP
You can’t configure a Windows 2000 Server computer that is a member
of a domain to accept incoming connections by using the Network
Connection Wizard. If you need to make this configuration, you must use
the Routing and Remote Access administrative tool.

There are two ways you can configure a computer to accept incoming
connections. You can select the “Accept incoming connections” option
while using the Network Connection Wizard. Or, you can select the
“Connect directly to another computer” option, and configure this
computer to play the role of “Host” for this connection. I’ll explain how to
use both of these methods in the next two sets of steps.

STEP BY STEP

CONFIGURING A COMPUTER TO ACCEPT INCOMING CONNECTIONS

1. Access the Network and Dial-up Connections folder. (Select Start ➪
Settings ➪ Network and Dial-up Connections.)
2. In the Network and Dial-up Connections folder, double-click Make
New Connection.
3. The Network Connection Wizard starts. Click Next.
4. In the Network Connection Type screen, select the “Accept incoming
connections” option. Click Next.
5. The Devices for Incoming Connections screen appears, as shown in Figure 15-4.
Select the check box next to each device on which you want to enable incoming
connections. If you don’t select a device, your computer won’t be able to accept
an incoming connection using that device. Click Next.
6. In the Incoming Virtual Private Connection screen, choose whether to allow virtual
private connections (VPNs) on this computer. In order for a computer to accept
an incoming VPN, it must already be configured with a connection to the Internet
that has a static IP address. Click Next.
7. In the Allowed Users screen, select the check box next to each user you want
to permit to use the incoming connection to this computer. Click Next.
8. In the Networking Components screen, you can install (or remove) networking
components (such as clients, services, and protocols) on this computer to
accommodate the computers that will connect to this computer by using an
incoming connection. Ensure that the check box next to each client, service, and
protocol that you want to enable for incoming connections is selected. Click Next.
9. In the Completing the Network Connection Wizard screen, either accept the
default name for the connection or type in a new one. Click Finish.
FIGURE 15-4 Selecting connection devices

CONFIGURING A COMPUTER TO CONNECT DIRECTLY TO ANOTHER COMPUTER

1. Access the Network and Dial-up Connections folder. (Select Start ➪
Settings ➪ Network and Dial-up Connections.)
2. In the Network and Dial-up Connections folder, double-click Make
New Connection.
3. The Network Connection Wizard starts. Click Next.
4. In the Network Connection Type screen, select the “Connect directly to another
computer” option. Click Next.
5. In the Host or Guest screen, configure the role this computer will play in the
direct connection — either the host (the computer that has the resources to share)
or the guest (the computer that will initiate the connection and will access the
shared resources on the host computer).

TIP
If you select Host, this connection will be configured as an incoming
connection. (The result will be the same as if you had selected the “Accept
incoming connections” option in Step 4.) If you select Guest, this
connection will be configured as a direct connection.

Click Next.
6. In the Connection Device (or Select a Device) screen, select the device that
will be used for the direct connection from the drop-down list box. Options may
include: Communications Port (COM 1, COM2, and so on), Direct Parallel
(LPT1, LPT2, or LPT3), and Infrared Port (IRDA1-0). Click Next.
7. If you selected the Host option in Step 5, in the Allowed Users screen,
select the check box next to each user you want to permit to use the incoming
connection to this computer. Click Next.
Or, if you selected the Guest option in Step 5, in the Connection Availability
screen, select whether this connection will be available to all users of this computer,
or only available to the currently logged on user. Click Next.
8. In the Completing the Network Connection Wizard screen, either accept the
default name for the connection or type in a new one. Click Finish.

Creating a VPN Connection

As I explained at the beginning of this chapter, a virtual private network
(VPN) connection is a private, encrypted connection between two
computers that can already communicate with each other by using
TCP/IP. VPNs are typically used by corporations who want to enable
employees to access the corporate network via the Internet. In addition,
the corporation wants to ensure that all such connections are secure and
encrypted so that the company’s data is protected.
Before you can create a VPN connection, both computers that will be
involved in the VPN connection must have TCP/IP installed, and each
must have an established connection to either the Internet or another
TCP/IP network.
Like all of the other connections on a Windows 2000 computer, you can
create a VPN connection by using the Network Connection Wizard in the
Network and Dial-up Connections folder.

STEP BY STEP

CREATING A VPN CONNECTION

1. Access the Network and Dial-up Connections folder. (Select Start ➪
Settings ➪ Network and Dial-up Connections.)
2. In the Network and Dial-up Connections folder, double-click Make
New Connection.
3. The Network Connection Wizard starts. Click Next.
4. In the Network Connection Type screen, select the “Connect to a private network
through the Internet” option. Click Next.
5. In the Public Network screen, select one of two options:
■ Do not dial the initial connection: Select this option if you’re configuring
a VPN connection on a computer that has a full-time Internet connection,
such as a cable modem or DSL connection.
■ Automatically dial this initial connection: Select this option if you’re
configuring a VPN connection on a computer that uses a modem and a
dial-up connection to the Internet. If you select this option, also select the specific
dial-up connection to the Internet that you want this VPN connection to use
from the drop-down list box.
Click Next.
6. In the Destination Address screen, type the host name or IP address of the
computer you will connect to by using this VPN connection. Click Next.
7. In the Connection Availability screen, select whether this connection will be
available to all users of this computer, or only available to the currently logged
on user. Click Next.
8. In the Internet Connection Sharing screen, you can select a check box to enable
Internet Connection Sharing for this connection. However, most VPN connections
should not be configured to use Internet Connection Sharing. Click Next.
9. In the Completing the Network Connection Wizard screen, either accept the
default name for this connection or type in a new name. If desired, select the
check box to add a shortcut to your desktop for this connection. Click Finish.
10. If you selected the “Automatically dial this initial connection” option in Step 5,
the Initial Connection dialog box for your newly created VPN connection appears.
If you want to test your VPN connection, click Yes to connect to the Internet
using the dial-up connection to the Internet you selected in Step 5, and follow
the instructions presented on-screen. If you don’t want to test your VPN
connection now, click No.
If you selected the “Do not dial the initial connection” option in Step 5, the Connect
dialog box for the VPN connection appears, prompting you to enter the user name
and password for the computer you’re connecting to. If you want to test your VPN
connection, enter this information and click Connect. If you don’t want to test your
VPN connection now, click Cancel.

Configuring Connection Properties

After you’ve created connections on your Windows 2000 computer, you
may want to configure them. Often, administrators need to configure a
specific property of a connection that isn’t configurable in the Network
Connection Wizard.
There are numerous properties of connections that can be configured.
You can configure modem properties; enable Internet Connection
Sharing; install and configure clients, services, and protocols; configure
security options; rename connections; and create shortcuts to connections.
The specific properties you can configure for a given connection are
largely based on the type of connection you’re configuring.
Generally, most of a connection’s properties can be configured by
accessing the connection’s Properties dialog box from the Network and
Dial-up Connections folder.

Configuring Modem Properties

When you need to configure how a modem functions within a specific
dial-up connection, you can make that configuration in the dial-up
connection’s Properties dialog box. All configurations you make in this
dialog box will apply to this modem only as it is used by this specific dial-up
connection. If you want to make configuration changes to your modem that
will apply to all newly created connections, I recommend you use either
Device Manager or the Phone and Modem Options application.

Configuring a Modem and Phone Number

You can configure a dial-up connection’s modem and phone number (or a
direct connection’s port) by using the General tab in the connection’s
Properties dialog box. Figure 15-5 shows the General tab for a dial-up
connection.

FIGURE 15-5 Configuring options on the General tab

STEP BY STEP

CONFIGURING A DIAL-UP CONNECTION’S MODEM

1. In the Network and Dial-up Connections folder, right-click the
dial-up connection associated with the modem you want to configure, and
select Properties from the menu that appears.
2. In the connection’s Properties dialog box, click the General tab.
3. On the General tab, click Configure.
4. The Modem Configuration dialog box appears, as shown in Figure 15-6.
FIGURE 15-6 Configuring a dial-up connection’s modem

There are numerous items you can configure in this dialog box. Remember that
the configurations you make in this dialog box apply to this modem only as it is
used by this specific dial-up connection.
■ Maximum speed (bps): In this drop-down list box you can select the
maximum speed the modem will use for this connection. If you don’t
configure this option, Windows 2000 automatically selects a maximum
speed based on the make and model of modem installed in your computer.
■ Modem protocol: This configuration is grayed out and not available unless
the manufacturer of your modem supplies you with a custom installation
(.inf) file.
The Hardware features section includes these options:
■ Enable hardware flow control: Selecting this check box causes Windows
2000 to use the RTS and CTS hardware signals to control the flow of data to
and from the modem. This option should be used with high-speed modems,
or when modem compression is enabled. This option is selected by default.
■ Enable modem error control: Selecting this check box causes Windows
2000 to negotiate an error correction method with the remote modem (the
modem you are dialing in to). Error correction detects and corrects data
corruption during transmission over analog phone lines. If no error correction
method can be agreed upon, error correction is not used. This option is
selected by default.
■ Enable modem compression: Selecting this check box causes Windows
2000 to negotiate a compression method (such as MNP 5 or V.42bis) with
the remote modem. If no compression method can be agreed upon, modem
compression is not used. If modem compression is enabled, hardware flow
control should also be enabled. If software compression is already used on
the connection, modem compression should not be used, because software
compression is more efficient. This option is selected by default.
The Initialization section includes these options:
■ Show terminal window: If you select this check box, a terminal window
will be displayed each time you initialize this connection. This terminal
window enables you to send commands from the keyboard directly to the
dial-up server. Don’t select this option unless the remote server requires
it — if you do, your connection may not work correctly.
■ Run script: If you select this check box, you can specify a script that will
send commands from your computer directly to the dial-up server. This
process automates the connection process and takes the place of using a
terminal window. Several default scripts are available in the drop-down list
box in this dialog box, or, if you want to write your own script, you can click
Edit to display a copy of the Switch.inf file in the Notepad text editor.
The Switch.inf file includes instructions for creating new script files.
Don’t select this option unless the remote server requires you to send
specific commands to establish the connection — if you do, your
connection may not work correctly.
■ Enable modem speaker: Selecting this check box turns on the modem’s
speaker so that you can monitor the connection process. Once a connection
is established, the speaker is automatically turned off.
Once you have made all appropriate modem configurations, click OK.
Once you have made all appropriate modem configurations, click OK.

In addition to configuring a modem, you can also use the General tab to
configure a phone number (and alternates), whether or not to use dialing
rules, and whether to show a connection icon in the taskbar when the
connection is active.
To configure a phone number, enter the area code and phone number in
the text boxes provided. If you want to configure alternate phone numbers,
click Alternates and follow the directions presented on-screen.
If you want to use dialing rules, select the check box next to “Use dialing
rules” and then click Rules. Windows 2000 displays the Dialing Rules tab in
the Phone and Modem Options application. Follow the instructions
presented on-screen to configure your dialing rules.

Configuring Dialing Options

You can configure numerous dialing options on the Options tab in a
dial-up or direct connection’s Properties dialog box. Figure 15-7 shows the
Options tab.

FIGURE 15-7 Configuring dialing options

As Figure 15-7 shows, there are numerous dialing and redialing options
in this dialog box. In the Dialing options section are the following options:
■ Display progress while connecting: If you select this check
box, Windows 2000 displays a dialog box during the connection
attempt that enables you to view the activity taking place during
the process, such as “Dialing,” “Verifying user name and password,”
“Registering your computer on the network,” and so on. This
option is selected by default.
■ Prompt for name and password, certificate, etc.: Selecting this
check box causes Windows 2000 to display a dialog box that prompts
you to enter a user name and password before the connection is
dialed. When this dialog box is displayed and you enter your user
name and password, you can select an option to have Windows
2000 save (remember) your password for this connection. Once
you’ve selected the save password option, you can then clear the
check box for “Prompt for name and password, certificate, etc.” and
Windows 2000 will always use your saved user name and password
(without prompting you) for this connection. This option is selected
by default.

CAUTION
Having Windows 2000 save (remember) your user name and password
can save you time, but it can also be a potential breach of security,
because anyone using your computer can connect to the remote server
without having to provide a user name and password. If security is
important to you, I recommend that you don’t select this option.

■ Include Windows logon domain: This check box works in
conjunction with the “Prompt for name and password, certificate, etc.”
option. When both of these check boxes are selected, Windows 2000
displays an additional text box in the dialog box that prompts you to
enter a user name and password. This additional text box enables you
to specify a Windows 2000 domain that will authenticate your user
name and password for this connection. This option is typically used
only when there are multiple Windows 2000 domains on the remote
network you’re connecting to.
■ Prompt for phone number: Selecting this check box causes
Windows 2000 to display a dialog box that prompts you to enter
a phone number to be used for the connection. In this dialog box
you can use the default phone number displayed, select one of the
alternate numbers in the drop-down list box, or type in a new
phone number to be used for the connection. If you use this
option in conjunction with the “Prompt for name and password,
certificate, etc.” option, all prompts (for user name, password, and
phone number) are displayed in a single dialog box. For dial-up
connections, this option is selected by default.
The “Prompt for phone number” option is not present on direct
connections, because the computers involved in the connection
are directly cabled together, and no phone line is used.

In the Redialing options section are the following options:
■ Redial attempts: In this spin box you can specify the number of
times Windows 2000 will attempt to connect if the first connection
attempt fails. The default number of redial attempts is 3, and you
can configure from 0 to 32,767 attempts.
■ Time between redial attempts: In this drop-down list box, you
can configure the amount of time Windows 2000 will wait between
each connection attempt. The default time is 1 minute. You can
select from several options ranging from 1 second to 10 minutes.
■ Idle time before hanging up: In this drop-down list box you
can specify the amount of time Windows 2000 will permit the
connection to continue, with no activity, before it disconnects.
The default setting is “never,” and you can select from several
options ranging from 1 minute to 24 hours.

TIP
Configuring a long “Idle time before hanging up” setting is no guarantee
that the connection will not be dropped by the remote server, which may
have a shorter idle time-out setting.

■ Redial if line is dropped: Selecting this check box causes
Windows 2000 to automatically redial if the connection is dropped
for any reason other than the user disconnecting the connection.
■ X.25: Clicking X.25 brings up a dialog box that enables you to
configure various X.25 settings, including network, X.121 address,
user data, and facilities. You should only configure this option if the
network you’re connecting to is an X.25 network. The X.25 option
is not present on direct connections, because the computers involved
in the connection are directly cabled together, and no phone line
is used.
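The Options-tab settings are stored in the connection’s phonebook entry, so an administrator can review every dial-up connection on a computer without opening each Properties dialog box. The following Python script is an added example and not code from the book: it reads a rasphone.pbk-style file and flags the settings the CAUTION and TIP above call out, chiefly entries whose “Prompt for name and password, certificate, etc.” check box has been cleared, which is the configuration that depends on a saved password. The key names it looks for and the sample phonebook it embeds are assumptions I constructed from phonebook files I have seen; verify them against the phonebook on your own system.

```python
"""Audit the Options-tab settings of dial-up connections stored in rasphone.pbk.

Added example, not part of the book. Assumptions: the phonebook is an INI-style file
with one [section] per connection, and the keys PreviewUserPw, PreviewDomain,
PreviewPhoneNumber, RedialAttempts, RedialSeconds, IdleDisconnectSeconds and
RedialOnLinkFailure hold the Options-tab values (key names as the author of this
example has seen them in rasphone.pbk; treat them as an assumption). The sample
phonebook below is constructed.
"""
import configparser

SAMPLE_PBK = """\
[Corporate RAS]
Type=1
PreviewUserPw=0
PreviewDomain=1
PreviewPhoneNumber=1
ShowDialingProgress=1
RedialAttempts=3
RedialSeconds=60
IdleDisconnectSeconds=0
RedialOnLinkFailure=1

[My ISP]
Type=1
PreviewUserPw=1
PreviewDomain=0
PreviewPhoneNumber=1
ShowDialingProgress=1
RedialAttempts=10
RedialSeconds=5
IdleDisconnectSeconds=1200
RedialOnLinkFailure=0
"""

MAX_REDIAL_ATTEMPTS = 32767  # the Options tab accepts 0 to 32,767 redial attempts


def load_phonebook(text):
    """Parse phonebook text; strict=False tolerates the repeated keys real files contain."""
    book = configparser.ConfigParser(interpolation=None, strict=False)
    book.optionxform = str  # keep key names exactly as written
    book.read_string(text)
    return book


def dialing_options(entry):
    """Return one entry's Options-tab values as plain Python values."""
    return {
        "prompt_for_credentials": entry.getint("PreviewUserPw", fallback=1) == 1,
        "include_logon_domain": entry.getint("PreviewDomain", fallback=0) == 1,
        "prompt_for_phone_number": entry.getint("PreviewPhoneNumber", fallback=1) == 1,
        "redial_attempts": entry.getint("RedialAttempts", fallback=3),
        "redial_seconds": entry.getint("RedialSeconds", fallback=60),
        "idle_disconnect_seconds": entry.getint("IdleDisconnectSeconds", fallback=0),
        "redial_if_dropped": entry.getint("RedialOnLinkFailure", fallback=0) == 1,
    }


def audit_entry(entry):
    """Flag the settings the chapter's CAUTION and TIP call out."""
    opts = dialing_options(entry)
    findings = []
    if not opts["prompt_for_credentials"]:
        findings.append("name/password prompt disabled: anyone at this console can "
                        "dial with the saved credentials")
    if opts["idle_disconnect_seconds"] == 0:
        findings.append("idle time before hanging up is 'never'; only the remote "
                        "server's time-out will end an unattended session")
    if not 0 <= opts["redial_attempts"] <= MAX_REDIAL_ATTEMPTS:
        findings.append(f"redial attempts {opts['redial_attempts']} is outside "
                        f"0-{MAX_REDIAL_ATTEMPTS}")
    return findings


def audit_phonebook(text):
    """Map each connection name to its list of findings (empty list = nothing flagged)."""
    book = load_phonebook(text)
    return {name: audit_entry(book[name]) for name in book.sections()}


if __name__ == "__main__":
    for name, findings in audit_phonebook(SAMPLE_PBK).items():
        print(f"[{name}]", "; ".join(findings) or "no findings")
```

The saved password itself is not in the phonebook, so the script cannot see it; what it can see is that the prompt was turned off, which on the Options tab is only useful once a password has been saved. Pass the contents of the real phonebook file to audit_phonebook() to check every connection on a computer at once.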

Configuring Internet Connection Sharing

If you have a connection to the Internet on your Windows 2000 computer
(either dial-up or local area), and you want to enable other computers on
your local area network to use that connection to access the Internet, you
can enable Internet Connection Sharing for the specific connection that
will be shared.

EXAM TIP
The Professional, Server, and Network exams each have an objective on
Internet Connection Sharing. Be sure you know when Internet
Connection Sharing should and should not be used, how to enable
Internet Connection Sharing, and which connection should be shared.

Internet Connection Sharing is a Windows 2000 feature that is
commonly used in a home or small-office network setting when a single
Internet connection must be shared by multiple computers. Internet
Connection Sharing should not be used on networks that have existing
routers, DNS servers, or DHCP servers, because once Internet Connection
Sharing is enabled on a computer, Windows 2000 automatically makes that
computer into the gateway, DNS proxy server, and DHCP server for that
network segment, and assigns this computer an IP address of 192.168.0.1. If
you have a network that has existing routers, DNS servers, or DHCP
servers, you might want to consider using a Windows 2000 Server feature
called Connection Sharing (NAT). I’ll cover this feature in Chapter 16.

CAUTION
You should only enable Internet Connection Sharing on one computer on
your network. If you enable Internet Connection Sharing on more than
one computer, you may experience serious TCP/IP connectivity prob-
lems on your network.

Enabling Internet Connection Sharing

In order to enable Internet Connection Sharing on a Windows 2000
computer, the computer must have both a local area connection and a
connection (either dial-up or local area) to the Internet. In addition, you
must be a member of the Administrators group on the local computer to
enable Internet Connection Sharing. You can enable Internet Connection
Sharing by using the Network and Dial-up Connections folder, as
the following steps explain.

STEP BY STEP

ENABLING INTERNET CONNECTION SHARING

1. In the Network and Dial-up Connections folder, right-click the Internet
connection you want to share. (This can be either a dial-up or local area
connection to the Internet.) Select Properties from the menu that appears.
2. In the connection’s Properties dialog box, click the Sharing tab.
3. The Sharing tab appears, as shown in Figure 15-8.

FIGURE 15-8 Enabling Internet Connection Sharing

Select the check box next to “Enable Internet Connection Sharing for this
connection.” Once this check box is selected, the “Enable on demand dialing”
check box is also automatically selected if the connection being configured is
a dial-up connection.
If you want to make a specific Internet application (such as a game) available
to users on your network, or, if another computer on your network runs a service
(such as a Web server or an FTP server) that needs to be accessed by users who
connect to your network by using this shared Internet connection, click Settings
and add and configure the application or service. When you finish configuring
applications and services, click OK.
Click OK.
4. A Network and Dial-up Connections confirmation dialog box appears. Click Yes to
enable Internet Connection Sharing.
5. Close the Network and Dial-up Connections folder.
6. Configure all computers that will use this shared connection as DHCP clients.
(For detailed information on configuring a Windows 2000 computer to be a
DHCP client, see Chapter 16.)

Troubleshooting Internet Connection Sharing


Typically, once Internet Connection Sharing is enabled and configured, it
doesn’t cause too many problems. If you do have problems with Internet
Connection Sharing, they’re most likely to appear during the initial
enabling and configuring process, or when a new computer is added to the
network after Internet Connection Sharing has been enabled. Here are a
few tips to help you when you’re troubleshooting an Internet Connection
Sharing problem:
■ Ensure that the appropriate connection is shared. Internet
Connection Sharing requires two connections: one to the Internet
(which can be either a dial-up or local area connection) and one
local area connection. Make sure the connection to the Internet is
the one on which you enable Internet Connection Sharing.
■ Ensure that all computers on your network are configured
as DHCP clients. Because the computer on which you enable
Internet Connection Sharing becomes that network segment’s
DHCP and DNS servers, it’s imperative that the computers that
share this connection are configured to receive their IP addresses
automatically from a DHCP server.
■ Ensure that no other DHCP server or DNS server is
present on the network segment. If another DHCP or DNS
server is present, you may experience TCP/IP connectivity
problems on your network, and computers that share this
connection may not be able to connect to the Internet.
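The last two tips come down to one question: is anything other than the Internet Connection Sharing computer handing out addresses on this segment? As an added example (not from the book), the following Python script parses DHCPOFFER packets captured from the segment and lists every server identifier that answered a client; any address other than 192.168.0.1 means a second DHCP server is present. The two offers are constructed inside the script so it runs offline, and the 10.1.1.5 server is an assumed leftover DHCP server, not a value from the book.

```python
"""Spot a second DHCP server on an Internet Connection Sharing segment by
parsing captured DHCPOFFER packets. Added example; the sample packets are
constructed inline, not captured from a real network."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie after the 236-byte header
OPT_PAD, OPT_ROUTER, OPT_DNS = 0, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MSG_OFFER = 2
ICS_SERVER = "192.168.0.1"          # address Windows 2000 assigns to the ICS computer


def _packed(addr):
    return ipaddress.IPv4Address(addr).packed


def _dotted(raw):
    return str(ipaddress.IPv4Address(raw))


def build_offer(server_ip, offered_ip, router, dns, xid=0x3903F326):
    """Construct a minimal DHCPOFFER so the example can run offline."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                  # op=BOOTREPLY, htype=Ethernet, hlen=6
        b"\0" * 4, _packed(offered_ip),         # ciaddr, yiaddr (address being offered)
        b"\0" * 4, b"\0" * 4,                   # siaddr, giaddr
        bytes.fromhex("001122334455") + b"\0" * 10,  # chaddr (constructed MAC)
        b"\0" * 64, b"\0" * 128,                # sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
        + bytes([OPT_SERVER_ID, 4]) + _packed(server_ip)
        + bytes([OPT_ROUTER, 4]) + _packed(router)
        + bytes([OPT_DNS, 4]) + _packed(dns)
        + bytes([OPT_END])
    )
    return header + DHCP_MAGIC + options


def parse_offer(packet):
    """Return {server, offered, router, dns} for a DHCPOFFER, None for other message types."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:               # refuse to guess at a cut-off option
            raise ValueError("truncated option data")
        options[code] = data
        i += 2 + length
    if options.get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
        return None
    if len(options.get(OPT_SERVER_ID, b"")) != 4:
        raise ValueError("DHCPOFFER without a server identifier")
    return {
        "server": _dotted(options[OPT_SERVER_ID]),
        "offered": _dotted(packet[16:20]),
        "router": _dotted(options[OPT_ROUTER]) if OPT_ROUTER in options else None,
        "dns": _dotted(options[OPT_DNS]) if OPT_DNS in options else None,
    }


def audit_offers(packets, expected_server=ICS_SERVER):
    """Summarise which DHCP servers answered; anything beyond the ICS host is a conflict."""
    offers = {}
    for pkt in packets:
        offer = parse_offer(pkt)
        if offer is not None:
            offers[offer["server"]] = offer
    return {
        "servers": sorted(offers),
        "unexpected": sorted(s for s in offers if s != expected_server),
        "offers": offers,
    }


# Constructed sample capture: the ICS computer answers, and so does a second,
# assumed leftover DHCP server at 10.1.1.5 that should not be on this segment.
SAMPLE_OFFERS = [
    build_offer(ICS_SERVER, "192.168.0.10", ICS_SERVER, ICS_SERVER),
    build_offer("10.1.1.5", "10.1.1.77", "10.1.1.1", "10.1.1.2"),
]

if __name__ == "__main__":
    result = audit_offers(SAMPLE_OFFERS)
    for server in result["servers"]:
        flag = "" if server == ICS_SERVER else "  <-- unexpected DHCP server"
        print(f"offer from {server}: {result['offers'][server]}{flag}")
```

Where the offers come from is up to you: a capture tool such as Network Monitor, or the raw UDP port 68 payloads of any client's lease negotiation. The parser raises on truncated options rather than guessing, so a malformed packet is reported instead of being silently counted as a server.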

Installing, Configuring, and Troubleshooting Protocols


Depending on the types of connections you’ve created on your Windows
2000 computer, you may need to install additional protocols to fully support
those connections. Most of the time, TCP/IP is the only protocol required,
because virtually all operating systems support TCP/IP, and it is the protocol
used on the Internet. However, other protocols may be required to support
interoperability with other operating systems.
Table 15-1 lists and describes the network protocols supported by
Windows 2000.
TABLE 15-1 Windows 2000 Network Protocols

Protocol    Description

AppleTalk Protocol
    This protocol enables a Windows 2000 computer to connect to
    AppleTalk network print devices. (AppleTalk is usually associated
    with Macintosh computers and printers.) This protocol also enables
    Macintosh computers to communicate with Windows 2000 Server and
    Advanced Server computers that have File or Print Services for
    Macintosh installed.
DLC Protocol
    This protocol is a datalink protocol. DLC is primarily used by
    Windows 2000 computers to communicate with older Hewlett-Packard
    printers that don’t support TCP/IP, and to communicate with IBM
    mainframe computers.
Internet Protocol (TCP/IP)
    This protocol is a fast, routable enterprise protocol, and is the
    protocol used on the Internet. TCP/IP is supported by most operating
    systems, including: Windows 3.x, Windows 95, Windows 98, Windows NT,
    Macintosh, NetWare, UNIX, Linux, MS-DOS, and IBM mainframes.
NetBEUI Protocol
    This protocol is designed for small, nonrouted networks. It doesn’t
    require any configuration and has minimal overhead. NetBEUI is
    included with Windows 2000 primarily to provide backward
    compatibility with earlier networking software that uses NetBEUI as
    its only protocol.
Network Monitor Driver
    This protocol enables Network Monitor to capture packets from the
    local network segment and to gather network statistics.
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
    This protocol is a routable protocol usually associated with NetWare
    networks. This protocol is included with Windows 2000 primarily to
    provide connectivity with older NetWare servers.

In the next sections I’ll show you how to install network protocols
and configure network bindings, as well as provide you with some tips for
troubleshooting network protocols.

Installing and Configuring Network Protocols


All network protocols are installed by configuring the properties of a
connection in the Network and Dial-up Connections folder.
When you install a network protocol, it is generally available to all
connections on your computer — whether local area, incoming, direct,
dial-up, or VPN — (even though you accomplish the protocol installation
task by configuring the properties of a specific connection). For example, if
you install NetBEUI by configuring a local area connection, NetBEUI
will be available for all local area, incoming, direct, dial-up, and VPN
connections on your Windows 2000 computer.
There are two exceptions to this rule:
■ The DLC protocol is only available for (and can only be installed
by configuring) local area connections.
■ The AppleTalk protocol is only available for (and can only be
installed by configuring) local area and incoming connections.

STEP BY STEP

INSTALLING NETWORK PROTOCOLS

1. Access the Network and Dial-up Connections folder. (Select Start ➪
Settings ➪ Network and Dial-up Connections.)
2. In the Network and Dial-up Connections folder, right-click any Local
Area Connection, and select Properties from the menu that appears.
3. In the Local Area Connection Properties dialog box, click Install.
4. The Select Network Component Type dialog box appears, as shown in Figure
15-9. Notice that you can select from three types of network components: clients,
services, and protocols. Highlight Protocol and click Add.
5. The Select Network Protocol dialog box appears, as shown in Figure 15-10.
Notice the network protocols, such as Internet Protocol (TCP/IP), and NWLink
IPX/SPX/NetBIOS Compatible Transport Protocol, that you can install.
FIGURE 15-9 Selecting a network component type

FIGURE 15-10 Adding a protocol

TIP
Only the network protocols that are not already installed on your com-
puter appear in this dialog box. So, depending on your Windows 2000
computer’s configuration, your dialog box may differ from the one
presented here.

Highlight the protocol you want to add. If the protocol you want to add is not
displayed, you can click Have Disk and insert a floppy disk containing the protocol
you want to add, and then follow the instructions presented on-screen. Click OK.
6. Windows 2000 installs the protocol you selected, and returns you to the Local
Area Connection Properties dialog box. The installation process may take a
minute or so. Click Close.

Occasionally you may need to configure an installed network protocol
to make your Windows 2000 computer function correctly on the network.
Although most protocols, once installed, are available for all connections,
protocols are configured on a connection-by-connection basis. The specific
settings you can configure vary greatly from protocol to protocol.

STEP BY STEP

CONFIGURING PROTOCOLS

1. Access the Network and Dial-up Connections folder. (Select Start ➪
Settings ➪ Network and Dial-up Connections.)
2. In the Network and Dial-up Connections folder, right-click the
connection for which you want to configure a protocol, and select Properties from the
menu that appears.
3. In the connection’s Properties dialog box, highlight the protocol you want to
configure and click Properties.
4. In the protocol’s Properties dialog box, configure the protocol as desired. Click OK.
5. In the connection’s Properties dialog box, click OK.

Troubleshooting Network Protocols


Troubleshooting network protocols can be a detailed, painstaking task.
TCP/IP, for example, is easy to configure improperly. Several settings must
be typed on each computer that uses the protocol, including IP address,
subnet mask, and default gateway. The best way to prevent configuration
problems in a TCP/IP environment is to use a DHCP server to configure
TCP/IP automatically on each computer on the network. If you don’t use
DHCP, you should manually verify that the settings are correctly entered
on each computer that experiences a network communications problem.
The NWLink IPX/SPX/NetBIOS Compatible Transport Protocol also
has several configuration settings, and thus is prone to human error during
protocol configuration. When troubleshooting NWLink, verify that all of
the settings for this (and every other) protocol are correctly entered on
each computer that experiences a network communications problem.
The most common configuration problem for the NWLink
IPX/SPX/NetBIOS Compatible Transport Protocol is a frame type
mismatch. NWLink supports four frame types: Ethernet_II, Ethernet_802.3,
Ethernet_802.2, and Ethernet_Snap. Older NetWare operating
systems commonly use the Ethernet_802.3 frame type, and newer ones use
Ethernet_802.2. It is not uncommon to have networks that use both frame
types. When this happens, you must manually configure NWLink to
support both frame types also.
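Both manual checks described above (the typed-in TCP/IP settings, and the NWLink frame types on each side) can be scripted. The following Python example is added here and is not from the book; it validates an IP address, subnet mask, and default gateway the way you would by eye, including the easy-to-miss case where a mask such as 0.0.0.255 is typed backwards, and it reports whether two computers' NWLink frame-type lists overlap. The sample values at the bottom are constructed.

```python
"""Sanity-check manually entered TCP/IP settings and NWLink frame types.
Added example; the sample values are constructed."""
import ipaddress

# The four NWLink frame types named in the text.
NWLINK_FRAME_TYPES = {"Ethernet_II", "Ethernet_802.3", "Ethernet_802.2", "Ethernet_Snap"}


def check_tcpip_settings(ip, subnet_mask, default_gateway):
    """Return a list of problems with a static IP/mask/gateway triple (empty list = OK)."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{subnet_mask}")
    except ValueError as exc:                      # bad octet, or a non-contiguous mask
        return [f"invalid address or subnet mask: {exc}"]
    net = iface.network
    # ipaddress silently accepts a hostmask such as 0.0.0.255 and normalises it;
    # a mask typed into a dialog box must match the real netmask exactly.
    if subnet_mask != str(net.netmask):
        problems.append(f"subnet mask {subnet_mask} is not a valid netmask (hostmask typed?)")
    if net.prefixlen >= 31:
        problems.append(f"subnet mask {subnet_mask} leaves no room for a gateway")
    elif iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(default_gateway)
    except ValueError:
        problems.append(f"default gateway {default_gateway!r} is not a valid IPv4 address")
        return problems
    if gw == iface.ip:
        problems.append("default gateway is the host's own address")
    elif gw not in net:
        problems.append(f"default gateway {gw} is not on subnet {net}")
    return problems


def check_frame_types(client_frame_types, server_frame_types):
    """Return the frame types both sides have configured; an empty set is a mismatch."""
    for name in set(client_frame_types) | set(server_frame_types):
        if name not in NWLINK_FRAME_TYPES:
            raise ValueError(f"unknown NWLink frame type {name!r}")
    return set(client_frame_types) & set(server_frame_types)


if __name__ == "__main__":
    # Constructed samples: one good configuration and three typical typing errors.
    for cfg in [("192.168.1.10", "255.255.255.0", "192.168.1.1"),
                ("192.168.1.10", "0.0.0.255", "192.168.1.1"),
                ("192.168.1.10", "255.255.255.0", "192.168.2.1"),
                ("192.168.1.0", "255.255.255.0", "192.168.1.1")]:
        print(cfg, "->", check_tcpip_settings(*cfg) or "OK")
    # A newer NetWare server on 802.2 and a client left on 802.3 share nothing.
    shared = check_frame_types({"Ethernet_802.3"}, {"Ethernet_802.2"})
    print("shared frame types:", shared or "none (frame type mismatch)")
```

A configuration that passes these checks can still be wrong (the gateway may simply not exist), so treat an empty problem list as "worth a ping", not as proof; a non-empty list, though, is a definite typing error to fix before any further troubleshooting.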

Installing and Configuring Network Clients and Services for Interoperability

In addition to installing network protocols, you may also need to install
and configure additional network clients and services to fully support the
connections on your Windows 2000 computer, and to support
interoperability with other operating systems.
Network clients enable your computer to access resources located on
other servers on the network. Services enable computers that run other
operating systems to access resources on the Windows 2000 computer.
Table 15-2 lists and describes the clients that ship with Windows 2000,
and Table 15-3 lists and describes the services that ship with Windows 2000.
Some clients and services are installed by default during the installation of
Windows 2000. Other clients and services can be added (or removed) after
installation by using the Network and Dial-up Connections folder or
other Windows 2000 tools.

EXAM TIP
Before you take the Server exam, I recommend you memorize the
information in Tables 15-2 and 15-3. You should know which clients and
services can be installed on Professional computers, and which clients
and services are available for Server computers only. You should also
know what each of these clients and services does.

TABLE 15-2 Windows 2000 Clients

Client    Professional    Server/Advanced Server    Description

Client for Microsoft Networks    ✓ ✓
    This client enables a Windows 2000 computer to access resources on
    networks that use Microsoft Windows-based networking.
Client Service for NetWare    ✓
    This client enables Windows 2000 Professional computers to log in to
    NetWare servers and to access files and printers on NetWare servers.
Gateway (and Client) Services for NetWare    ✓
    This client enables Windows 2000 Server/Advanced Server computers to
    log in to NetWare servers and to access files and printers on NetWare
    servers. This client also enables these Windows 2000 Servers to share
    NetWare files, folders, and printers with client computers that run
    Client for Microsoft Networks.

TABLE 15-3 Windows 2000 Services

Service    Professional    Server/Advanced Server    Description

Certificate Services    ✓
    This service enables an organization to issue and manage digital
    certificates. This service provides authentication support for clients
    and services that use the digital certificates issued by this service.
Connection Manager Components    ✓
    This service enables you to create custom dial-up connection profiles
    that enable authorized users to connect to your network over phone
    lines or over the Internet.
Cluster Service    ✓
    This service, which is available only on Windows 2000 Advanced Server
    computers, enables client computers to view a group of 2 to 32
    Windows 2000 Advanced Server computers as a single computer. This
    service provides high availability and load balancing of
    mission-critical applications.
COM Internet Services Proxy    ✓
    This service enables distributed HTTP applications to communicate
    with each other over the network by using Internet Information
    Services (IIS).
Domain Name System (DNS)    ✓
    This service is a TCP/IP-based name resolution service. It is used to
    resolve a host name or FQDN to its associated IP address.
Dynamic Host Configuration Protocol (DHCP)    ✓
    This service enables a Windows 2000 Server or Advanced Server computer
    to provide TCP/IP addresses and other TCP/IP configuration information
    to DHCP-enabled client computers.
File and Printer Sharing for Microsoft Networks    ✓ ✓
    This service enables a computer to share its resources with client
    computers that run Client for Microsoft Networks.
File Transfer Protocol (FTP) Server    ✓ ✓
    This service enables a computer to function as an FTP server.
File Services for Macintosh    ✓
    This service enables a Windows 2000 Server or Advanced Server computer
    to share its files with Macintosh client computers.
FrontPage 2000 Server Extensions    ✓ ✓
    This service enables users of FrontPage to publish Web pages on Web
    servers.
Indexing Service    ✓ ✓
    This service indexes the documents on your computer’s disks into a
    catalog. This service then enables you to search the catalog to locate
    a document that contains a particular word, phrase, or property of the
    document.
Internet Authentication Service (IAS)    ✓
    This service provides authentication for users that dial in to the
    network, or connect to the network over the Internet using a VPN.
Internet Information Services (IIS)    ✓ ✓
    This service enables you to publish information on your intranet or on
    the Internet. With IIS, you can host Web sites and publish Web pages,
    host FTP sites, and host news and mail services.
Message Queuing Services    ✓ ✓
    This service enables distributed applications to communicate with each
    other over the network, even if the applications run at different
    times. This service was formerly known as MSMQ.
Network Load Balancing    ✓
    This service, which is only available on Windows 2000 Advanced Server
    computers, is associated with Cluster Service. It enables multiple
    Windows 2000 Advanced Server computers to work together to provide Web
    and/or other services to more clients than a single server could
    serve. See Cluster Service.
Network Monitor Tools    ✓
    This service enables you to capture and analyze packets sent over the
    network to or from the server. This is a limited version of the
    Network Monitor tool that ships with Microsoft Systems Management
    Server.
NNTP Service    ✓
    This service enables a Windows 2000 Server or Advanced Server computer
    to function as a news server. NNTP stands for Network News Transfer
    Protocol.
Print Services for Macintosh    ✓
    This service enables a Windows 2000 Server or Advanced Server computer
    to share its printers with Macintosh client computers.
Print Services for Unix    ✓ ✓
    This service enables a Windows 2000 computer to share its printers
    with UNIX computers or other computers that support LPR printing.
QoS Admission Control Service    ✓
    This service enables you to manage the allocation of network bandwidth
    to individual network applications. QoS stands for Quality of Service.
QoS Packet Scheduler    ✓ ✓
    This service enables computers to participate in scheduled delivery of
    network packets. This service should be installed on all Windows 2000
    computers that use applications managed by the QoS Admission Control
    Service.
Remote Installation Services (RIS)    ✓
    This service enables you to install Windows 2000 Professional remotely
    on client computers.
Remote Storage    ✓
    This service extends disk space on Windows 2000 Server and Advanced
    Server computers by copying infrequently accessed files from local
    hard disks to either local or remote tape backup libraries.
RIP Listener    ✓
    This service enables a Windows 2000 Professional computer to listen to
    RIP messages between routers, and to use this information to update
    its routing tables. RIP Listener is also called silent RIP.
SAP Agent    ✓ ✓
    This service enables a Windows 2000 computer to maintain and advertise
    a list of servers (such as NetWare servers) that use the NWLink
    IPX/SPX/NetBIOS Compatible Transport Protocol.
Script Debugger    ✓ ✓
    This service enables you to identify errors in scripts that run on the
    local computer.
Simple Network Management Protocol (SNMP)    ✓ ✓
    This service enables a Windows 2000 computer to send trap messages to,
    and be managed by, an SNMP management station.
Simple TCP/IP Services    ✓ ✓
    This service is actually a collection of five TCP/IP services:
    Character Generator, Daytime, Discard, Echo, and Quote of the Day.
Site Server ILS Services    ✓
    This service enables a Windows 2000 Server or Advanced Server computer
    to publish IP multicast conferences on the network. It can also be
    used to publish IP address mappings for IP telephony (H.323). ILS
    stands for Internet Locator Server.
SMTP Service    ✓ ✓
    This service enables a Windows 2000 computer to receive e-mail
    messages from e-mail clients, and to forward these messages to the
    appropriate mail server on the Internet. SMTP stands for Simple Mail
    Transfer Protocol.
Terminal Services    ✓
    This service enables a Windows 2000 Server or Advanced Server computer
    to run applications for client computers that are functioning as
    terminals.
Terminal Services Licensing    ✓
    This service registers and tracks client licenses for clients that use
    Terminal Services.
Visual InterDev RAD Remote Deployment Support    ✓ ✓
    This service enables you to deploy applications remotely on your Web
    server.
Windows Internet Name Service (WINS)    ✓
    This service enables a Windows 2000 Server or Advanced Server computer
    to function as a TCP/IP-based NetBIOS name server. It enables client
    computers to register NetBIOS names and to resolve NetBIOS names to IP
    addresses.
Windows Media Services    ✓
    This service enables a Windows 2000 Server or Advanced Server computer
    to stream multimedia content to network users.
World Wide Web Server    ✓ ✓
    This service enables a Windows 2000 computer to function as an HTTP
    Web server.

CAUTION
Windows 2000 requires you to reboot your computer after the installation
of some clients and services. Because of this fact, I recommend that
you install clients and services at a time when you are able to reboot the
server without disrupting service to users of client computers.

In the following sections I’ll explain how to install network clients
and services, how to configure bindings and provider order, and how to
configure services.

Installing Network Clients


Installing network clients is a simple task. All network clients are installed
by using the Network and Dial-up Connections folder.
As with network protocols, when you install a client, the client is available
to all connections on your computer, even if you accomplish the installation
task by configuring the properties of a specific connection. For example, if you
install Client Service for NetWare by configuring a local area connection, it
will be available for all connections on your Windows 2000 computer.

STEP BY STEP

INSTALLING A NETWORK CLIENT

1. Access the Network and Dial-up Connections folder. (Select Start ➪
Settings ➪ Network and Dial-up Connections.)
2. In the Network and Dial-up Connections folder, right-click any Local
Area Connection, and select Properties from the menu that appears.
3. In the Local Area Connection Properties dialog box, click Install.
4. In the Select Network Component Type dialog box, highlight Client and click Add.
5. In the Select Network Client dialog box, highlight the client you want to add.
Click OK.

TIP
Only the network clients that are not already installed on your computer
appear in this dialog box.

6. Windows 2000 installs the client you selected. When prompted, click Yes to shut
down and restart your computer to complete the installation.

Configuring Gateway (and Client) Services for NetWare


Most of the configuration options for Gateway Services for NetWare
(GSNW) are pretty straightforward; however, one of its features deserves
special attention. GSNW enables a Windows 2000 Server computer to
share folders from NetWare servers with Windows 2000 client computers.
To configure this option, you must provide GSNW with a username and a
password that GSNW will use when accessing the NetWare server. This
user account must be a member of a group on the NetWare server named
NTGATEWAY. The NTGATEWAY group must have all of the necessary
permissions to the folder on the NetWare server that is being shared with
Windows 2000 client computers. The administrator of the NetWare server
must create this group — it does not exist by default. If the NTGATEWAY
group does not exist on the NetWare server, or if the user account you
supply to GSNW for accessing the NetWare server is not a member of the
NTGATEWAY group, this feature will not work correctly.

EXAM TIP
This particular configuration is very specific and detail oriented, and most
people I know can’t remember exactly how to configure it off the top of
their heads. For these reasons, this is a favorite topic of exam authors.
Memorize this information before you take the exams.

Installing Services
Installing services is fairly straightforward. The hardest thing about it is
determining which program to use to perform the installation. I’ll try to
boil it down:
■ You can use the Network and Dial-up Connections folder to
install the QoS Packet Scheduler service and the SAP Agent service.
Just like protocols and clients, these services are installed by
modifying the properties of one of the computer’s connections.
■ You can install all other services by using the Add/Remove
Programs application. Alternatively, some of these services can
be installed by using the Optional Networking Components
option in the Advanced menu in the Network and Dial-up
Connections folder.

In the steps that follow, I’ll explain how to install a service by modifying
the properties of a connection in the Network and Dial-up
Connections folder. For detailed steps on installing a service by using the
Add/Remove Programs application, see the steps titled “Using
Add/Remove Programs to Add/Remove Optional Windows 2000
Components” in the “Add/Remove Programs” section in Chapter 5.

STEP BY STEP

INSTALLING A SERVICE BY MODIFYING THE PROPERTIES OF A CONNECTION

1. Access the Network and Dial-up Connections folder. (Select Start ➪
Settings ➪ Network and Dial-up Connections.)
2. In the Network and Dial-up Connections folder, right-click any Local
Area Connection, and select Properties from the menu that appears.
3. In the Local Area Connection Properties dialog box, click Install.
4. In the Select Network Component Type dialog box, highlight Service and click Add.
5. In the Select Network Service dialog box, highlight the service you want to add.
Click OK.

TIP
Only the services that are not already installed on your computer appear
in this dialog box.

6. Windows 2000 installs the service you selected, and returns you to the Local
Area Connection Properties dialog box. Click Close.

Configuring Bindings and Provider Order


You may need to configure bindings and provider order to optimize how a
Windows 2000 computer accesses network resources through its
connections. There are two primary reasons for configuring bindings and
provider order — to increase performance and to limit the availability of
network services for a connection.
Bindings are local area connection configuration options that specify
three specific properties of a local area connection:
■ Which installed client(s) or service(s) the connection uses
■ Which protocol(s) are used by (or bound to) each selected client
or service
■ The order in which selected protocols are used by each associated
client or service
Provider order is a connection configuration option that specifies which
installed client the computer’s connections will use first when it attempts
to connect to a server or a printer.
Bindings are configured for each local area connection on a Windows
2000 computer. Provider order is configured once for all connections on a
Windows 2000 computer. You can configure bindings and provider order
in the Network and Dial-up Connections folder by selecting
Advanced ➪ Advanced Settings.
Configuring bindings and provider order to increase performance is
primarily a client computer issue. To optimize the performance of a client
computer, the first thing you need to do is determine which type of
server(s) the client computer accesses most often. The type of server
accessed most frequently will determine both the optimum protocol order
and the optimum provider order.
For example, suppose that you have a Windows 2000 Professional
computer that frequently accesses several Windows 2000 Server computers,
and also accesses, on a less frequent basis, a NetWare server. The Windows
2000 Server computers primarily use TCP/IP, and the NetWare server uses
IPX. The bindings and provider order currently configured for this client
computer are shown in Figures 15-11 and 15-12, respectively. Notice, on
the Adapters and Bindings tab in Figure 15-11, that the NWLink
IPX/SPX/NetBIOS Compatible Transport Protocol is listed first under
the Client for Microsoft Networks. Also notice, on the Provider Order tab
in Figure 15-12, that NetWare or Compatible Network is listed first under
Network Providers.
To optimize performance of this client computer, you would first
configure, on the Adapters and Bindings tab, the bindings used by the local
area connection on this computer. You would change the order of the
protocols used by the Client for Microsoft Networks so that the Internet
Protocol (TCP/IP) is at the top of the list (because TCP/IP is the primary
protocol used by the Windows 2000 Server computers this client computer
most frequently accesses), and so that the NWLink IPX/SPX/NetBIOS
Compatible Transport Protocol is at the bottom of the list. To do this, select
the NWLink Protocol in the list, and click the down-arrow button on the
right of the dialog box.

FIGURE 15-11 Bindings on a client computer

FIGURE 15-12 Provider order on a client computer


To further optimize performance of this client computer, you would
then configure, on the Provider Order tab, the provider order of this client
computer so that the Microsoft Windows Network is listed as the first
network provider, and so that the NetWare or Compatible Network is listed
as the second provider. To do this, select NetWare or Compatible Network
in the list, and click the down-arrow button on the right of the dialog box.
Again, the reason you make this change is because this client computer
primarily connects to Windows 2000 Server computers, which use the
Microsoft Windows Network provider.
So, you may be wondering, why will making these two configuration
changes increase the performance of this client computer? It all boils down
to time, and more specifically, to time-outs. When a Windows 2000 client
computer attempts to connect to a server, it tries to connect by using the
first protocol listed (on the Adapters and Bindings tab) for the first network
provider listed (on the Provider Order tab). If the server the client
computer is trying to connect to doesn’t support this protocol or provider,
the client computer receives no reply from the server, and the connection
attempt eventually times out. Then the Windows 2000 client computer
tries to connect to the server by using the second protocol listed for the
first network provider listed. If this doesn’t work, after another time-out,
Windows 2000 tries to connect to the server by using the first protocol
listed for the second network provider, and so on, until a connection is
established, or until all provider/protocol combinations have been tried. If
you configure a client computer to use the primary network provider and
protocol of the server(s) it uses most often, you’ll increase performance by
eliminating (or at least decreasing) time-outs.
I’d like to point out one more not-so-obvious tip about configuring
provider order. When you change provider order, what you’re really doing
is configuring the order in which Windows 2000 will use a client (Client
for Microsoft Networks, Client Service for NetWare, and so on) when
attempting to connect to a server. So, when you put Microsoft Windows
Network at the top of the network providers list, what you’re doing is
telling Windows 2000 to use the Client for Microsoft Networks first.
Never mind that the providers and clients aren’t called by the same name.
Just remember that the Microsoft Windows Network provider is the
equivalent of the Client for Microsoft Networks, and that the NetWare or
Compatible Network provider is the equivalent of the Client Service
for NetWare.
4701-1 ch15.f.qc 4/24/00 09:39 Page 1001

Chapter 15 ▼ Creating and Configuring Network and Dial-up Connections 1001

STEP BY STEP

CONFIGURING BINDINGS AND PROVIDER ORDER

1. Access the Network and Dial-up Connections folder. (Select Start ➪
Settings ➪ Network and Dial-up Connections.)
2. In the Network and Dial-up Connections folder, select Advanced ➪
Advanced Settings.
3. The Advanced Settings dialog box appears, with the Adapters and Bindings tab
on top. If you have more than one local area connection on your computer, in the
Connections box, highlight the connection you want to configure.

TIP
If you have more than one local area connection on your computer, you
can configure the order the connections will be used in this box.
Highlight the connection, then click either the up arrow or the down
arrow button to move the connection up or down in the list.

4. To configure bindings, in the Bindings for Local Area Connection box, highlight
the protocol for which you want to change the binding order. Then, to the right of
this box, click either the up arrow or the down arrow button to move the protocol
up or down in the list.
5. To configure provider order, click the Provider Order tab.
6. On the Provider Order tab, in the “Network providers” box, highlight the provider
you want to reorder. Then, to the right of this box, click either the up arrow or the
down arrow button to move the provider up or down in the list.
7. When you finish configuring bindings and provider order, click OK.

Configuring bindings to limit availability of network services is
primarily a server security issue. For example, suppose you have a server
that has two network adapter cards, one connected to your local network
and the other connected to the Internet. In this situation, you should
unbind File and Printer Sharing for Microsoft Networks from the
connection that accesses the Internet so that users on the Internet can’t
reach shared files and folders on your server. Treat this as one layer of
protection rather than the only one: also filter the SMB ports (TCP 139
and 445) at the Internet-facing interface, and consider unbinding Client
for Microsoft Networks from that connection as well, since the server has
no reason to act as an SMB client toward the Internet.
You can configure a connection’s bindings to limit availability of
services by using either the Advanced Settings dialog box, or by using the
connection’s Properties dialog box. I prefer to use the connection’s
Properties dialog box, because this dialog box lists all protocols and services
that are installed on the computer — the Advanced Settings dialog box
1002 Part IV ▼ Networking and Interoperability

does not. In either the Advanced Settings or the connection’s Properties
dialog box, to unbind a service for that connection, simply clear the check
box next to the service’s name, and click OK. Figure 15-13 shows File and
Printer Sharing for Microsoft Networks unbound from the local area
connection. Notice that the check box next to File and Printer Sharing for
Microsoft Networks is cleared.

FIGURE 15-13 Unbinding a service
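The same audit and change from the command line, as an added example that is not part of the original text: on Windows 8 / Windows Server 2012 and later, where the NetAdapter cmdlets exist (Windows 2000 itself has no PowerShell), it lists which connections still carry File and Printer Sharing (component ID ms_server) and Client for Microsoft Networks (ms_msclient), unbinds both from the Internet-facing adapter, and verifies the result. The adapter name "Internet" is an assumption for the example.

```powershell
# Added example: audit and remove the File and Printer Sharing binding
# from an Internet-facing adapter. Requires the NetAdapter module
# (Windows 8 / Server 2012 and later) and an elevated prompt.
# The adapter name "Internet" is an assumption for this example.

$externalAdapter = 'Internet'

# ms_server   = File and Printer Sharing for Microsoft Networks
# ms_msclient = Client for Microsoft Networks
$components = 'ms_server', 'ms_msclient'

# 1. Show where each component is bound. An Internet-facing adapter with
#    ms_server enabled exposes SMB (TCP 139 / 445) to the outside.
Get-NetAdapterBinding -ComponentID $components |
    Sort-Object Name, ComponentID |
    Format-Table Name, ComponentID, DisplayName, Enabled -AutoSize

# 2. Unbind both components from the external adapter only; the LAN
#    adapter keeps them so internal clients can still reach the shares.
foreach ($id in $components) {
    Disable-NetAdapterBinding -Name $externalAdapter -ComponentID $id
}

# 3. Verify, and fail loudly if either component is still enabled externally.
$stillBound = Get-NetAdapterBinding -Name $externalAdapter -ComponentID $components |
    Where-Object Enabled
if ($stillBound) {
    throw "Still bound on ${externalAdapter}: $($stillBound.ComponentID -join ', ')"
}
"File and Printer Sharing and the Microsoft client are unbound from $externalAdapter"
```

Run it from an elevated prompt. Unbinding stops the Server service from answering on that adapter, but filter TCP 139 and 445 at the Internet-facing interface as well rather than relying on the binding alone.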

Configuring Services
After you install services on your Windows 2000 computer, you may need
to configure them. For example, you may need to start or stop a service,
configure the startup type of a service, configure a service to log on by
using a specific user account, or enable or disable a specific service
within a hardware profile.
You can perform all of these service configuration tasks, on both the
local computer as well as remote computers, by using the Services tool in
Computer Management.

STEP BY STEP

STARTING THE SERVICES TOOL

1. On the desktop, right-click My Computer, and select Manage from the menu that
appears. Windows 2000 starts the Computer Management MMC.
2. If you want to manage services on the local computer, skip to Step 4.
If you want to manage services on a remote computer, in the left pane of the
Computer Management dialog box, right-click Computer Management (Local)
and select “Connect to another computer” from the menu that appears.
3. In the Select Computer dialog box, double-click the name of the computer to
which you want to connect.
4. In the left pane of the Computer Management dialog box, click the + next to
Services and Applications. Highlight Services.
5. In the right pane, a list of all of the services installed on the Windows 2000
computer is displayed, as shown in Figure 15-14.

FIGURE 15-14 Using Services in Computer Management

In the next several sections I’ll explain how to perform numerous service
configuration tasks by using the Services tool.

Starting, Stopping, Pausing, Resuming, or Restarting a Service The Services
tool is useful for starting, stopping, pausing, resuming, and restarting a service.
These are easy tasks to perform.

STEP BY STEP

USING SERVICES TO START, STOP, PAUSE, RESUME, OR RESTART A SERVICE

1. Start the Services tool (see the steps on “Starting the Services Tool “ in the
previous section).
2. In the right pane, right-click the specific service you want to start, stop, pause,
resume, or restart. Then select Start, Stop, Pause, Resume, or Restart from the
menu that appears.

TIP
Depending on the service you select and the current status of this
service, not all actions will be available in this menu.

3. Close Computer Management.

Configuring the Startup Type of a Service You can also use the Services
tool to configure the startup type of a service. There are three possible
startup types:
■ Automatic: If you select Automatic, Windows 2000 starts the service
automatically every time the computer is booted.
■ Manual: If you choose Manual, Windows 2000 does not start the service
at boot; a user, an application, or a service that depends on it must
start it.
■ Disabled: If you select Disabled, the service can’t be started at all, by
Windows 2000, a user, or an application, until you change the startup
type again.
For example, suppose you want to enable remote users to establish
Telnet command-line sessions with your Windows 2000 Server computer.
Because the default startup type of the Telnet service is Manual, you decide
to change its startup type to Automatic. Keep in mind that a Telnet session
is not encrypted, so the commands typed and their output cross the
network in cleartext. I’ll show you how to perform this task in the steps
that follow.

CAUTION
Exercise caution when using the Services tool. Changing the startup
type of a service or disabling a service can render your computer unable
to access (or provide) network resources.

STEP BY STEP

CHANGING THE STARTUP TYPE OF A SERVICE

1. Start the Services tool (see the steps on “Starting the Services Tool” earlier in
this chapter).
2. In the right pane, right-click the specific service for which you want to change the
startup type, and then select Properties from the menu that appears. (Or, you can
double-click the service.)
3. The service’s Properties dialog box appears, as shown in Figure 15-15. Notice
the information displayed about the service, including its startup type and status.

FIGURE 15-15 Telnet service properties

In the “Startup type” drop-down list box, select the startup type you want to
assign to this service. Click OK.
TIP
If you change the startup type of a service to Automatic, the service
doesn’t automatically start until the next time you boot the computer. If
you want the service to start now (without rebooting the computer),
right-click the service, and select Start from the menu that appears.

4. Close Computer Management.

Configuring a Service to Log on Using a User Account Occasionally you
might want to configure a service to log on using a specific user account.
The principle is least privilege: a service that logs on as the built-in
LocalSystem account runs with full privileges on the computer, while a
service that logs on as an ordinary user account can do only what that user
can do. For example, you can configure a service to log on using a user
account that is a member of the Guests group. Because the Guests group
has few permissions, anyone accessing this service (locally, over the
network, or over the Internet) will only have access to the data that is
available to members of the Guests group. Administrators sometimes use
this technique as a means to limit access to sensitive data on a server,
particularly for services that don’t require users to log on, such as
Internet-based services. Configuring a service to log on using a specific
user account can help protect your server from unauthorized Internet
access. A few caveats apply: the account needs the Log On As A Service
right (the Services tool grants it for you), the password you enter is stored
on the computer and must be re-entered here whenever the account’s
password changes, and the service will not start if the account is disabled.
The built-in Guest account is disabled by default in Windows 2000, so in
practice a dedicated, low-privilege account created for the service is a
better choice than Guest.

STEP BY STEP

CONFIGURING A SERVICE TO LOG ON BY USING A USER ACCOUNT

1. Start the Services tool (see the steps on “Starting the Services Tool” earlier in
this chapter).
2. In the right pane, right-click the specific service you want to configure to log on by
using a user account, and then select Properties from the menu that appears.
3. In the service’s Properties dialog box, click the Log On tab.
4. On the Log On tab, select the “This account” option, then click Browse to display
a list of user accounts. Select the user account you want this service to log on
using, and click OK.
5. In the service’s Properties dialog box, type the password of the user account
you selected in Step 4 in the Password text box. Retype this password in the
“Confirm password” text box. Click OK.
Figure 15-16 shows the Properties dialog box of a service that has been config-
ured to log on using a user account. Notice that in this case the FTP Publishing
Service has been configured to log on by using the Guest account.

FIGURE 15-16 A service configured to log on by using a user account

6. Windows 2000 displays a message indicating that the selected user account
has been granted the Log On As A Service right. Click OK.
7. Another message is displayed, indicating that the new logon name will not take
effect until you stop and restart the service. Click OK.
8. In the right pane, right-click the service you have just configured, and select
Restart from the menu that appears. Selecting Restart stops and immediately
restarts the service.
9. Close Computer Management.
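An added example, not from the original text, of doing the same audit and change from the command line (Windows XP / Server 2003 or later for sc.exe, PowerShell 3 or later for Get-CimInstance; Windows 2000 itself has no PowerShell): it lists which identity each running service logs on with, checks whether the Guest account used in Figure 15-16 is even enabled, and then assigns a dedicated local account to a service. The service name MyAppSvc, the account svc-myapp and the presence of ntrights.exe from the Resource Kit are assumptions for the example.

```powershell
# Added example (not from the original text): audit service logon identities
# and move a service to a dedicated low-privilege account. Needs an elevated
# prompt; sc.exe is in-box on Windows XP / Server 2003 and later, and
# Get-CimInstance needs PowerShell 3 or later. The service "MyAppSvc", the
# account "svc-myapp" and ntrights.exe (Resource Kit) are assumptions.

# 1. Which running services use the built-in LocalSystem identity?
#    Each of these runs with full privileges on the host, so a flaw in
#    one of them gives an attacker full control of the computer.
Get-CimInstance Win32_Service -Filter "State = 'Running'" |
    Select-Object Name, StartMode, StartName |
    Sort-Object StartName, Name |
    Format-Table -AutoSize

# 2. The page's figure uses Guest. A service whose account is disabled (or
#    whose password has changed since it was entered) fails to start, and
#    Guest is disabled by default, so check before choosing it.
$guest = Get-CimInstance Win32_UserAccount -Filter "Name = 'Guest' AND LocalAccount = TRUE"
"Guest account disabled: $($guest.Disabled)"

# 3. Prefer a dedicated local account that belongs to no group beyond
#    Users. sc.exe requires the space after each "=".
$service     = 'MyAppSvc'
$accountName = 'svc-myapp'
$secure      = Read-Host -Prompt "Password for $accountName" -AsSecureString
$plain       = (New-Object System.Net.NetworkCredential('', $secure)).Password

sc.exe config $service obj= ".\$accountName" password= $plain
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
$plain = $null

# 4. The Services tool grants "Log on as a service" for you; sc.exe does
#    not, so grant it explicitly (ntrights.exe from the Resource Kit, or
#    Local Security Policy). Then restart the service so the new identity
#    takes effect, and confirm it came back up.
ntrights.exe -u $accountName +r SeServiceLogonRight
Restart-Service -Name $service
Get-Service -Name $service | Select-Object Name, Status
```

The password you supply is stored on the computer as an LSA secret that any administrator can recover, which is one more reason to give each service its own low-privilege account rather than reusing a shared one.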

Enabling or Disabling a Service within a Hardware Profile You can use the
Services tool to enable or disable a service within a hardware profile.

CROSS-REFERENCE
I explained how to use the Services tool to perform this task when I
covered hardware profiles in the “System” section in Chapter 5.

Configuring Recovery Options for a Service The Services tool has a useful
new feature that enables you to configure, in advance of a service failure,
the recovery actions that Windows 2000 will take when the service fails.
You can configure it to take one of four specific actions on the service’s
first, second, and subsequent failures:
■ Take No Action: Selecting this option causes Windows 2000
to do the obvious: nothing. This is the default setting for all
service failures.
■ Restart the Service: Selecting this option causes Windows 2000
to attempt to restart a service that has failed.
■ Run a File: Selecting this option causes Windows 2000 to
run a specified file (such as a batch file or a script file) when the
service fails. The file runs in the security context of the service
controller, that is, as LocalSystem, so keep it in a folder that only
administrators can write to; otherwise anyone who can replace the
file gets code run as LocalSystem the next time the service fails.
■ Reboot the Computer: Selecting this option causes Windows
2000 to restart the computer when the service fails. This is probably
not the option of choice in most situations.

STEP BY STEP

CONFIGURING RECOVERY OPTIONS FOR A SERVICE

1. Start the Services tool (see the steps on “Starting the Services Tool” earlier in
this chapter).
2. In the right pane, right-click the specific service you want to configure recovery
options for, and then select Properties from the menu that appears.
3. In the service’s Properties dialog box, click the Recovery tab.
4. On the Recovery tab, select the options you want Windows 2000 to take if this
service fails. Select an option for the service’s first, second, and subsequent
failures. Figure 15-17 shows the World Wide Web Publishing Service after
its recovery options have been configured.
FIGURE 15-17 Configuring a service’s recovery options

Notice that you can configure the number of days after which the service’s fail
count will be reset to 0. Also note that the service will be restarted, by default, after
1 minute. Change either or both of these two configuration settings, as needed.
If you select the Run a File option for any service failure, you must specify the
complete path to the file that will be run in the File text box. If you don’t know the
complete path to the file, you can click Browse to find it. Also specify any com-
mand line parameters for this file in the “Command line parameters” text box.
If you select the Reboot the Computer option for any service failure, you can
click the Restart Computer Options button (grayed out in Figure 15-17) to set
the number of minutes that Windows 2000 will wait, after the service failure, to
restart the computer. You can also configure a message that will be sent to all
connected computers prior to restarting the computer.
Click OK when you are finished configuring this tab.
5. Close Computer Management.

Using Services to View Service Dependencies Another nice feature of the
Services tool, particularly for troubleshooting, is that you can use it to view
service dependencies. Service dependencies are the services and drivers
that must be running before the service in question can start. Suppose that
you’re having trouble starting the Messenger service on your Windows
2000 computer. You receive the warning message shown in Figure 15-18.

FIGURE 15-18 Dependency service error message

The message indicates that a service or group of services that the
Messenger service depends on is not started. You can use the Services
tool to view the service dependencies of the Messenger service. Once you
know which services the Messenger service depends on, you can make
sure that each of them is running (and, if one of them has a startup type
of Disabled, change its startup type so that it can be started). Then you
should be able to start the Messenger service successfully.

STEP BY STEP

USING SERVICES TO VIEW SERVICE DEPENDENCIES

1. Start the Services tool (see the steps on “Starting the Services Tool” earlier in
this chapter).
2. In the right pane, right-click the specific service for which you want to view
service dependencies, and then select Properties from the menu that appears.
3. In the service’s Properties dialog box, click the Dependencies tab.
4. The Dependencies tab appears, as shown in Figure 15-19. Notice the list of
services that the Messenger service is dependent on. Click OK.
FIGURE 15-19 Viewing service dependencies

5. Close Computer Management.
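Added example, not part of the original text: the Recovery and Dependencies tabs driven from the command line (Windows XP / Server 2003 or later for sc.exe, and PowerShell 5 or later for the StartType property; Windows 2000 itself has no PowerShell). The sc.exe line sets, for the World Wide Web Publishing Service (service name W3SVC), the kind of first/second/subsequent actions that Figure 15-17 shows, and the function walks a service's dependency chain recursively and reports every prerequisite that is not running, with its startup type, which is the check you make by hand after the message in Figure 15-18. Messenger is the page's example service and is absent from current Windows releases, so substitute the service you are troubleshooting.

```powershell
# Added example (not from the original text): Recovery and Dependencies tabs
# from the command line. sc.exe is in-box on Windows XP / Server 2003 and
# later; the StartType property needs PowerShell 5 or later. "Messenger"
# is the page's example service and does not exist on current Windows.

# 1. Recovery for the World Wide Web Publishing Service: restart after
#    60 s on the first, second and subsequent failures, and reset the
#    failure count after one day (86400 s). sc.exe needs the space after "=".
sc.exe failure W3SVC reset= 86400 actions= restart/60000/restart/60000/restart/60000
sc.exe qfailure W3SVC

# 2. Walk the dependency chain and report every prerequisite that is not
#    running, together with its startup type: a Disabled entry is the usual
#    reason for the "dependency service or group failed to start" message.
function Get-BlockedDependencies {
    param(
        [Parameter(Mandatory)][System.ServiceProcess.ServiceController]$Service,
        [hashtable]$Seen = @{}
    )
    foreach ($dep in $Service.ServicesDependedOn) {
        if ($Seen.ContainsKey($dep.Name)) { continue }   # chains can share prerequisites
        $Seen[$dep.Name] = $true
        if ($dep.Status -ne 'Running') {
            [pscustomobject]@{
                Service    = $dep.Name
                Status     = $dep.Status
                StartType  = $dep.StartType
                RequiredBy = $Service.Name
            }
        }
        Get-BlockedDependencies -Service $dep -Seen $Seen
    }
}

$target  = Get-Service -Name 'Messenger' -ErrorAction Stop
$blocked = @(Get-BlockedDependencies -Service $target)

if ($blocked.Count -eq 0) {
    "Every dependency of $($target.Name) is running; it should start now."
    Start-Service -Name $target.Name
} else {
    $blocked | Format-Table -AutoSize
    # Re-enable anything disabled, then start the target: the service
    # controller starts the required services itself once they can be started.
    $blocked | Where-Object StartType -eq 'Disabled' |
        ForEach-Object { Set-Service -Name $_.Service -StartupType Manual }
    Start-Service -Name $target.Name
}
```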

Configuring the SNMP Service

Configuring the SNMP service is fairly straightforward; however, one of its
features deserves special mention. The SNMP service is capable of sending
SNMP trap messages either to other Windows 2000 computers that are
configured to receive traps and record them in the receiving computer’s
event log, or to a third-party SNMP management station. Trap messages
are sent when errors occur, or when significant system events (such as
shutdown) occur. Figure 15-20 shows the Traps tab in the SNMP Properties
dialog box.

FIGURE 15-20 Configuring SNMP trap options

There are two configurable options in this dialog box, and both must be
configured before the Windows 2000 computer will send traps.
■ Community name: A community name acts as an SNMP password.
If your computer doesn’t send the community name the receiving
computer expects, the receiver will not accept the traps. In this text
box, type the appropriate community name and click “Add to list.”
public is the default community name in most SNMP implementations,
and for that reason it is a poor choice: anyone who can send a packet
to the agent can guess it. Keep in mind as well that SNMP v1 and
v2c, the versions the Windows 2000 SNMP service implements, send
the community name in cleartext, so anyone who can capture traffic on
the path to the trap destination can read it; it is a shared secret, not a
strong credential. You can add multiple community names if you are
sending traps to multiple computers that each require a different
community name. The related Security tab controls which community
names the service accepts for incoming requests and which hosts it
accepts them from; restrict both.
■ Trap destinations: This box displays the list of all computers
to which trap messages will be sent. To add a computer to this
list (which is empty by default), click Add, and then type in the
computer’s name or IP address in the SNMP Service Configuration
dialog box that appears. You can add multiple trap destinations.
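The same trap configuration applied from the registry, as an added example that is not part of the original text: the Traps and Security tabs write these keys, and although PowerShell is not available on Windows 2000 itself, the key layout is the one the Windows 2000 SNMP service reads. It replaces the default public community with a dedicated one, sets two trap destinations, and restricts the hosts the agent will answer. The community string monitoring-secret and the 192.0.2.x addresses are assumptions for the example.

```powershell
# Added example (not from the original text): configure SNMP trap
# destinations and tighten the community settings in the registry, which
# is what the Traps and Security tabs edit. Requires an elevated prompt
# and the SNMP service installed. "monitoring-secret" and the 192.0.2.x
# (TEST-NET) destination addresses are assumptions for this example.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# SNMPv1/v2c community strings travel in cleartext and are the only
# credential, so do not keep "public": anyone sniffing the link, or
# guessing the default, can read the agent or forge traps.
$community    = 'monitoring-secret'
$destinations = '192.0.2.10', '192.0.2.11'

# 1. Traps tab: one subkey per community; values "1","2",... hold destinations.
$trapKey = Join-Path $base "TrapConfiguration\$community"
New-Item -Path $trapKey -Force | Out-Null
for ($i = 0; $i -lt $destinations.Count; $i++) {
    New-ItemProperty -Path $trapKey -Name ($i + 1) -Value $destinations[$i] `
        -PropertyType String -Force | Out-Null
}

# 2. Security tab, accepted communities and their rights:
#    1 = NONE, 2 = NOTIFY, 4 = READ ONLY, 8 = READ WRITE, 16 = READ CREATE.
$validKey = Join-Path $base 'ValidCommunities'
New-Item -Path $validKey -Force | Out-Null
Remove-ItemProperty -Path $validKey -Name 'public' -ErrorAction SilentlyContinue
New-ItemProperty -Path $validKey -Name $community -Value 4 -PropertyType DWord -Force | Out-Null

# 3. Security tab, "Accept SNMP packets from these hosts": only the
#    management stations, so a guessed community string alone is not enough.
$mgrKey = Join-Path $base 'PermittedManagers'
New-Item -Path $mgrKey -Force | Out-Null
for ($i = 0; $i -lt $destinations.Count; $i++) {
    New-ItemProperty -Path $mgrKey -Name ($i + 1) -Value $destinations[$i] `
        -PropertyType String -Force | Out-Null
}

# The service reads its configuration at start, so restart it and show the result.
Restart-Service -Name SNMP
Get-ItemProperty -Path $trapKey | Format-List
```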

Configuring Other Connection Properties

In addition to configuring a connection’s modem, protocols, clients, and
services, you can also configure security options (for dial-up and direct
connections), rename connections, and create shortcuts for connections on
your desktop.

Configuring Security Options for Dial-up and Direct Connections

You can use the Security tab in a direct or dial-up connection’s Properties
dialog box to configure security options for that connection. Figure 15-21
shows the Security tab for a dial-up connection, in this case, a dial-up
connection to a remote access server.

FIGURE 15-21 Configuring security options

There are several options you can configure on this tab. The Security
options on this tab are
■ Typical (recommended settings): This security setting option,
which is selected by default, is appropriate for most situations.
If you select this option, you can define security settings by
configuring three common suboptions:
 Validate my identity as follows: This setting determines
the type of authentication Windows 2000 requires when establishing
this connection. You can select from three options. You can choose
“Allow unsecured password,” which means that Windows 2000 will
accept whichever authentication protocol the remote server proposes,
including PAP, which sends your password across the link in
cleartext. This option is selected by default. Or, you can choose
“Require secured password,” which means that Windows 2000 will
only authenticate with a challenge-response protocol (CHAP,
MS-CHAP, or MS-CHAP v2), in which a hash computed from the
password and a server-supplied challenge is sent instead of the
password itself, and that Windows 2000 won’t be able to connect to
the remote server if the server does not support one of these
protocols. Or, you can choose “Use smart card,” which means that
Windows 2000 will require you to insert your smart card into a
smart card reader on your computer to authenticate you to the
remote server.
 Automatically use my Windows logon name and password
(and domain if any): This option is only available if you
selected “Require secured password” in the “Validate my identity
as follows” drop-down list box. Selecting this option causes
Windows 2000 to make the connection automatically by using the
user name, password, and domain you are currently logged on with.
 Require data encryption (disconnect if none): This option is
only available if you selected “Require secured password” or “Use
smart card” in the “Validate my identity as follows” drop-down list
box. Selecting this option causes Windows 2000 to require that all
data sent on the connection (both to and from the remote server)
be encrypted. If the remote server does not support data encryption,
Windows 2000 will automatically disconnect your computer from the
remote server. The encryption used on dial-up and VPN connections
is Microsoft Point-to-Point Encryption (MPPE), whose keys are
derived from an MS-CHAP, MS-CHAP v2, or EAP-TLS
authentication exchange, which is why the option is unavailable when
unsecured passwords are allowed.
■ Advanced (custom settings): Selecting this option enables you
to choose which specific password authentication methods can be
used by this connection, and whether or not data encryption will
be used. If you select this option, you should have a knowledge
of authentication protocols, and the security implications of using
each of these protocols. Once you select the Advanced (custom
settings) option, click Settings to configure specific security settings
to be used by this connection.
The options in the Interactive logon and scripting section are:

TIP
Only dial-up connections have an option to configure interactive logon
and scripting — direct and VPN connections do not.

■ Show terminal window: If you select this check box, a terminal
window will be displayed each time you initialize this connection.
This terminal window enables you to send commands from the
keyboard directly to the dial-up server. Don’t select this option
unless the remote server requires it — if you do, your connection
may not work correctly.
■ Run script: If you select this check box, you can specify a
script that will send commands from your computer directly to
the dial-up server. This process automates the connection process
and takes the place of using a terminal window. Several default
scripts are available in the drop-down list box in this dialog box,
or, if you want to write your own script, you can click Edit to
display a copy of the Switch.inf file in the Notepad text editor.
The Switch.inf file includes instructions for creating new script
files. Don’t select this option unless the remote server requires you
to send specific commands to establish the connection — if you
do, your connection may not work correctly.
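As an added example that is not part of the original text, the following models what the two password settings above put on the wire. PAP, which "Allow unsecured password" permits, sends the password itself; CHAP (RFC 1994) sends only an MD5 hash of the identifier, the secret and a server-supplied challenge, so a capture of the link never contains the password. Windows normally negotiates MS-CHAP or MS-CHAP v2, which apply the same challenge-response idea with a different hash construction; plain CHAP is used here because it is the simplest correct form. The user name, password and challenge bytes are constructed sample values, and Test-AuthAccepted is a model of the client's decision, not a Windows API.

```powershell
# Added example (not from the original text): what the two password
# settings put on the wire. PAP, which "Allow unsecured password" permits,
# sends the password itself. CHAP (RFC 1994, MD5) sends only
# MD5(identifier || secret || challenge); Windows normally uses MS-CHAP or
# MS-CHAP v2, which follow the same challenge-response idea with a
# different hash construction. User, password and challenge are constructed
# sample values; no real link is involved.

$md5 = [System.Security.Cryptography.MD5]::Create()
$enc = [System.Text.Encoding]::ASCII

function Test-AuthAccepted {
    # Models the client's decision when the server proposes a protocol:
    # "Allow unsecured password" accepts anything; "Require secured password"
    # refuses the cleartext/reversible ones and fails the connection instead.
    param(
        [ValidateSet('AllowUnsecured', 'RequireSecured')][string]$Policy,
        [ValidateSet('PAP', 'SPAP', 'CHAP', 'MS-CHAP', 'MS-CHAP v2')][string]$ServerProposes
    )
    if ($Policy -eq 'AllowUnsecured') { return $true }
    return $ServerProposes -notin 'PAP', 'SPAP'
}

function Get-PapRequest {
    # PAP Authenticate-Request payload: length-prefixed peer-id and password.
    param([string]$User, [string]$Password)
    $u = $enc.GetBytes($User); $p = $enc.GetBytes($Password)
    return [byte[]](@($u.Length) + $u + @($p.Length) + $p)
}

function Get-ChapResponse {
    # CHAP Response value = MD5(Identifier || secret || Challenge value).
    param([byte]$Id, [string]$Secret, [byte[]]$Challenge)
    $data = [byte[]](@($Id) + $enc.GetBytes($Secret) + $Challenge)
    return $md5.ComputeHash($data)
}

function Test-ChapResponse {
    # The server recomputes the hash from its own copy of the secret and
    # compares; the secret itself never has to cross the link.
    param([byte]$Id, [string]$Secret, [byte[]]$Challenge, [byte[]]$Response)
    $expected = Get-ChapResponse -Id $Id -Secret $Secret -Challenge $Challenge
    return [Convert]::ToBase64String($expected) -eq [Convert]::ToBase64String($Response)
}

$user = 'alice'; $password = 'correct horse'   # constructed sample credentials
$challenge = [byte[]](1..16)                    # constructed; a real server uses random bytes
$id = 7

"Server proposes PAP,  client set to Allow unsecured : accepted = $(Test-AuthAccepted AllowUnsecured PAP)"
"Server proposes PAP,  client set to Require secured : accepted = $(Test-AuthAccepted RequireSecured PAP)"
"Server proposes CHAP, client set to Require secured : accepted = $(Test-AuthAccepted RequireSecured CHAP)"

$pap = Get-PapRequest -User $user -Password $password
$passwordOnWire = [byte[]]($pap[($user.Length + 2)..($pap.Length - 1)])
"PAP puts on the wire : " + $enc.GetString($passwordOnWire)     # the password, readable

$resp = Get-ChapResponse -Id $id -Secret $password -Challenge $challenge
"CHAP puts on the wire: " + (($resp | ForEach-Object { $_.ToString('x2') }) -join '')
"Server accepts correct secret: " + (Test-ChapResponse -Id $id -Secret $password -Challenge $challenge -Response $resp)
"Server accepts wrong secret  : " + (Test-ChapResponse -Id $id -Secret 'wrong' -Challenge $challenge -Response $resp)
```

The point of the model is the second output line: with "Require secured password" a server that offers only PAP causes the connection to fail, which is the safe outcome, rather than the client quietly sending the password in cleartext.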

Renaming Connections and Creating Shortcuts

Occasionally you might want to rename a connection, or create a shortcut
to a connection on your desktop.
Probably the most common reason for renaming a connection is to
make it more readily apparent to users what the connection is used for. For
example, suppose you have a dial-up connection named “Connection to
636-0031.” It’s pretty difficult for a user to know whether this is a connec-
tion to an ISP, or a dial-up connection to the company network. If you
rename the connection “Connection to the Internet,” it will alleviate
uncertainty for users.
All types of connections can be renamed except Incoming
Connections. Renaming a connection is quite simple: In the Network
and Dial-up Connections folder, right-click the connection you want
to rename, then select Rename from the menu that appears. Type a new
name for the connection, and press Enter.
If you use a dial-up, direct, or VPN connection frequently, you may find
it useful to create a shortcut to the connection on your desktop. To create
a shortcut to a connection, in the Network and Dial-up Connections
folder, right-click the connection to which you want to create a shortcut,
then select Create Shortcut from the menu that appears. Click Yes when
Windows 2000 asks if you want the shortcut to be placed on the desktop.

TIP
You can also create a shortcut to a connection by dragging the
connection from the Network and Dial-up Connections folder
and dropping it on your desktop.

KEY POINT SUMMARY

This chapter introduced several important connection-related topics:

■ Windows 2000 supports several different kinds of connections: local area
connections, dial-up connections, direct connections, virtual private network
(VPN) connections, and incoming connections.
■ A VPN connection is a private, encrypted connection between two computers
that can already communicate with each other by using TCP/IP.
■ During installation, Windows 2000 automatically creates a local area
connection for each network adapter that it detects in your computer.
All other types of connections must be created.
■ The Network and Dial-up Connections folder is used to create,
configure, and manage connections. You can use the Network Connection
Wizard in this folder to create connections.
■ Before you can create dial-up connections to the Internet, remote access
servers, and so on, you need to install and configure at least one modem in
your Windows 2000 computer.
■ Configuring two Windows 2000 computers to directly connect to each
other (via a cable or infrared ports) involves configuring one of the computers
to accept an incoming connection, and configuring the other computer to
directly connect to the other.
■ Modem properties configured by using Phone and Modem Options will apply
to the modem as it is used by all newly created connections. Modem properties
configured by using a dial-up connection’s Properties dialog box will apply to
the modem only as it is used by that dial-up connection.
■ Internet Connection Sharing is commonly used in a home or small-office
network setting when a single Internet connection must be shared by multiple
computers. In order to enable this feature, the computer must have both a
local area connection and a connection to the Internet.

■ You may need to install and configure additional network clients, services, and
protocols to fully support the connections on your Windows 2000 computer,
and to support interoperability with other operating systems.
■ When you install a network client, service, or protocol, it is generally available
to all connections on your computer, even if you accomplish the installation
task by configuring the properties of a specific connection.
■ All network clients and network protocols can be installed by using the
Network and Dial-up Connections folder. You can also use this
folder to install the QoS Packet Scheduler service and the SAP Agent service.
All other services can be installed by using Add/Remove Programs.
■ Bindings specify three specific properties of a local area connection: which
installed client(s) or service(s) the connection uses, which protocol(s) are
used by (or bound to) each selected client or service, and the order in which
selected protocols are used by each associated client or service.
■ You can use the Services tool in Computer Management to perform configuration
tasks, including: starting and stopping a service, configuring a service’s startup
type, configuring a service to log on by using a user account, and so on.

STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about creating and configuring connections on a Windows
2000 computer, and to help you prepare for the Professional, Server, and
Network exams:
■ Assessment Questions: These questions test your knowledge
of the connection topics covered in this chapter. You’ll find the
answers to these questions at the end of this chapter.
■ Scenarios: The situation-based questions in scenarios challenge you
to apply your understanding of the material to solve a hypothetical
problem. In this chapter’s scenario, you are asked to troubleshoot
some common connection problems. You don’t need to be at a
computer to do scenarios. Answers to this chapter’s scenarios are
presented at the end of this chapter.
■ Lab Exercise: These exercises are hands-on practice activities that
you perform on a computer.The lab in this chapter gives you an
opportunity to practice creating and configuring connections on
your Windows 2000 computer.

Assessment Questions
1. You want to create a virtual private network (VPN) connection on a
Windows 2000 computer. What tool should you use?
A. Phone and Modem Options
B. Wireless Link
C. Internet Connection Wizard
D. Network and Dial-up Connections folder
2. You want to enable Internet Connection Sharing on a Windows
2000 computer.The computer has several existing connections. On
which connection should you enable Internet Connection Sharing?
A. VPN Connection
B. Local Area Connection
C. Dial-up Connection to the Internet
D. Dial-up Connection to Remote Access Server
3. You are considering enabling Internet Connection Sharing on a
Windows 2000 computer on your network. You are concerned
about the changes that enabling Internet Connection Sharing will
cause on this computer. What changes will Windows 2000 make
to this computer once Internet Connection Sharing is enabled?
(Choose all that apply.)
A. The computer will become a domain controller.
B. The computer will become a DHCP server.
C. The computer will become a DNS proxy server.
D. The computer’s IP address will be changed.
4. You want to connect two computers, Computer_A and Computer_B,
to each other by using infrared ports. What type of connection (or
connections) should you configure?
A. Configure Computer_A to accept incoming connections, and
configure Computer_B to directly connect to Computer_A.
B. Configure both Computer_A and Computer_B with virtual
private connections.
C. Configure Computer_A to directly connect to Computer_B, and
configure Computer_B with a dial-up connection to a remote
access server.
D. Configure a new local area connection on both Computer_A
and Computer_B.
5. You are planning to install and configure network services for
interoperability on your Windows 2000 Server computer. You specifically
want this server to maintain and advertise a list of servers that use the
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol. What
service should you install?
A. Indexing Service
B. NNTP Service
C. RIP Listener
D. SAP Agent
6. You want to configure a Windows 2000 Server computer so that it
can log in to an older NetWare server and access the files and printers
on that NetWare server. Which client and network protocol should
you install and configure on the Windows 2000 Server computer?
A. Client Service for NetWare, and NetBEUI Protocol
B. Client Service for NetWare, and NWLink IPX/SPX/NetBIOS
Compatible Transport Protocol
C. Gateway (and Client) Services for NetWare, and NWLink
IPX/SPX/NetBIOS Compatible Transport Protocol
D. Gateway (and Client) Services for NetWare, and DLC Protocol
7. You want to configure bindings and provider order on a Windows
2000 computer. Which tool should you use?
A. Network and Dial-up Connections folder
B. Windows Explorer
C. System
D. Device Manager
8. You want to configure a service to log on by using a specific user
account. Which tool should you use?
A. System
B. Services
C. Active Directory Users and Computers
D. Network and Dial-up Connections folder

Scenarios
Troubleshooting connection problems on a Windows 2000 computer
requires attention to detail and can be quite painstaking. For each of the
following problems, consider the facts given and answer the questions
that follow.

1. Your Windows 2000 computer has two local area connections. One
local area connection is connected to your home network, and the
other is connected to a cable modem for Internet access. You recently
enabled Internet Connection Sharing for one of these connections,
but users on your home network report that they are unable to access
the Internet.
a. What is the most likely cause of this problem?
b. What should you do to resolve the problem?
2. You recently installed and configured TCP/IP on your Windows 2000
computer. However, your computer is now unable to communicate
with all other computers on your network that use TCP/IP.
a. What is the most likely cause of this problem?
b. What should you do to resolve the problem?

Lab Exercise
Lab 15-1 Creating and Configuring Connections
EXAM MATERIAL: Professional, Server, Network

The purpose of this lab is to provide you with an opportunity to create
and configure connections on your Windows 2000 computer.
There are five parts to this lab:
■ Part 1: Installing and Configuring a Modem
■ Part 2: Creating and Configuring Connections
■ Part 3: Configuring Internet Connection Sharing
■ Part 4: Installing and Configuring Protocols, Clients, and Services
■ Part 5: Configuring Bindings
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.
Part 1: Installing and Configuring a Modem

In this part you install and configure a modem on your Windows 2000
computer that will be used by the dial-up connections you’ll create later in
this lab.

TIP
You’ll be installing device drivers for a modem in this part, but you don’t
have to actually have a modem.

1. Select Start ➪ Settings ➪ Control Panel.


2. In the Control Panel dialog box, double-click Phone and
Modem Options.
3. In the Phone And Modem Options dialog box, click the
Modems tab.
4. On the Modems tab, click Add.
5. The Add/Remove Hardware Wizard starts and displays the Install
New Modem screen. Select the check box next to “Don’t detect
my modem, I will select it from a list.” Click Next.
6. In the next Install New Modem screen, select a manufacturer
of “(Standard Modem Types),” and select a model of Standard
56000 bps V90 Modem. Click Next.
7. In the next Install New Modem screen, ensure that the “Selected
ports” option is selected. Then highlight one of the COM ports
and click Next.
8. Windows 2000 installs the modem. Click Finish.
9. In the Phone And Modem Options dialog box, click OK.
10. Close Control Panel.

Part 2: Creating and Configuring Connections


In this part you use the Network and Dial-up Connections folder
to create and configure several connections. First, you create dial-up
connections to the Internet and to a remote access server. Then, you create
a VPN connection.
1. Select Start ➪ Settings ➪ Network and Dial-up Connections.
2. In the Network and Dial-up Connections folder, double-click
Make New Connection.
3. The Network Connection Wizard starts. Click Next.


4. In the Network Connection Type screen, select the “Dial-up to the
Internet” option. Click Next.
5. The Internet Connection Wizard starts. Select the “I want to set up
my Internet connection manually” option, and click Next.
6. In the “Setting up your Internet connection” screen, select the “I
connect through a phone line and a modem” option. Click Next.
7. In the Choose Modem screen, select the Standard 56000 bps V90
Modem from the drop-down list box. Click Next.
8. In the “Step 1 of 3: Internet account connection information” screen,
enter your area code in the “Area code” text box. Then enter
555-1212 in the “Telephone number” text box. Click Next.
9. In the “Step 2 of 3: Internet account logon information” screen,
accept the default user name of Administrator, and type in a password
of password. Click Next.
10. In the “Step 3 of 3: Configuring your computer” screen, enter a
connection name of Internet Connection in the text box provided.
Click Next.
11. In the Set Up Your Internet Mail Account screen, select the No
option. Click Next.
12. In the Completing the Internet Connection Wizard screen, clear the
check box next to “To connect to the Internet immediately, select
this check box” and click Finish.
13. Windows 2000 creates the Internet Connection and displays it in the
Network and Dial-up Connections folder. Double-click Make
New Connection.
14. The Network Connection Wizard starts. Click Next.
15. In the Network Connection Type screen, select the “Dial-up to
private network” option. Click Next.
16. In the Select a Device screen, select the check box next to
“Modem - Standard 56000 bps V90 Modem.” Ensure that all
other check boxes are cleared. Click Next.
17. In the Phone Number to Dial screen, type 555-1212 in the
“Phone number” text box. Click Next.
18. In the Connection Availability screen, select the “For all users”
option. Click Next.
19. In the Internet Connection Sharing screen, ensure that the check box
next to “Enable Internet Connection Sharing for this connection” is
cleared. Click Next.
20. In the Completing the Network Connection Wizard screen, type in a
connection name of Remote Access Server in the text box provided.
Click Finish.
21. In the Connect Remote Access Server dialog box, click Cancel.
22. Your new Remote Access Server connection is displayed in the
Network and Dial-up Connections folder. Double-click
Make New Connection.
23. The Network Connection Wizard starts. Click Next.
24. In the Network Connection Type screen, select the “Connect to a
private network through the Internet” option. Click Next.
25. In the Public Network screen, ensure that the “Automatically dial this
initial connection” option is selected, and that “Internet Connection”
is selected in the drop-down list box. Click Next.
26. In the Destination Address screen, type server01.domain1.mcse in
the text box and click Next.
27. In the Connection Availability screen, select the “For all users”
option. Click Next.
28. In the Internet Connection Sharing screen, ensure that the check box
next to “Enable Internet Connection Sharing for this connection” is
cleared. Click Next.
29. In the Completing the Network Connection Wizard screen, accept
the default name for this connection of Virtual Private Connection.
Click Finish.
30. In the Initial Connection dialog box, click No.
31. Windows 2000 creates the VPN and displays it in the Network and
Dial-up Connections folder. Continue to Part 3.

Part 3: Configuring Internet Connection Sharing


In this part, you enable Internet Connection Sharing on your dial-up
connection to the Internet.
CAUTION
This part of the lab will modify your computer’s TCP/IP configuration. If
you are connected to a live network, I recommend you don’t do this part.

1. In the Network and Dial-up Connections folder, right-click the
connection named Internet Connection, and select Properties from
the menu that appears.
2. In the Internet Connection Properties dialog box, click the Sharing tab.
3. On the Sharing tab, select the check box next to “Enable Internet
Connection Sharing for this connection.” Click OK.
4. In the Network and Dial-up Connections confirmation dialog box,
click Yes.
5. In the real world, you’d be done enabling Internet Connection
Sharing at this point. However, in order to successfully complete
the rest of the labs in this book, you’ll need to disable Internet
Connection Sharing. In the Network and Dial-up Connections
folder, right-click the connection named Internet Connection, and
select Properties from the menu that appears. Click the Sharing tab,
clear the check box next to “Enable Internet Connection Sharing for
this connection,” and click OK. Continue on to Part 4.

Part 4: Installing and Configuring Protocols, Clients, and Services
In this part, you install and configure the NWLink IPX/SPX/NetBIOS
Compatible Transport Protocol on your Windows 2000 computer. Then,
you install the SAP Agent and Gateway (and Client) Services for NetWare.
1. In the Network and Dial-up Connections folder, right-click
your Local Area Connection, and select Properties from the menu
that appears.
2. In the Local Area Connection Properties dialog box, click Install.
3. In the Select Network Component Type dialog box, highlight
Protocol and click Add.
4. In the Select Network Protocol dialog box, highlight NWLink
IPX/SPX/NetBIOS Compatible Transport Protocol. Click OK.
5. Windows 2000 installs the protocol you selected, and returns you to
the Local Area Connection Properties dialog box. The installation
process may take a minute or so.
6. In the Local Area Connection Properties dialog box, highlight
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol, and
click Properties.
7. In the NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
Properties dialog box, type in an internal network number of 48972345.
Select the “Manual frame type detection” option, and click Add.
8. In the Manual Frame Detection dialog box, select a frame type of
Ethernet 802.2 from the “Frame type” drop-down list box. Type in
a network number of 29987. Click OK.
9. In the NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
Properties dialog box, click OK.
10. In the Local Area Connection Properties dialog box, click Install.
11. In the Select Network Component Type dialog box, highlight Service
and click Add.
12. In the Select Network Service dialog box, highlight the SAP Agent
and click OK.
13. In the Local Area Connection Properties dialog box, click Install.
14. In the Select Network Component Type dialog box, highlight Client
and click Add.
15. In the Select Network Client dialog box, highlight Gateway
(and Client) Services for NetWare. Click OK.
16. Two dialog boxes appear, one after the other. In the Select NetWare
Logon dialog box (the second dialog box that appears), click OK. In
the Local Network dialog box, click Yes to restart your computer now.
17. Reboot your computer to Windows 2000 Server and log on as
Administrator. Continue to Part 5.

Part 5: Configuring Bindings


In this part, you configure bindings on your Windows 2000 Server computer.
1. Select Start ➪ Settings ➪ Network and Dial-up Connections.
2. In the Network and Dial-up Connections folder, select
Advanced ➪ Advanced Settings.
3. In the Advanced Settings dialog box, highlight the Local Area
Connection in the Connections box.
4. In the Bindings for Local Area Connection box, in the protocol list
under the Client for Microsoft Networks, highlight the NWLink
IPX/SPX/NetBIOS Compatible Transport Protocol. Then, to the
right of this box, click the down arrow button to move the protocol
down in the list. When you finish this procedure, Internet Protocol
(TCP/IP) will be the first protocol in the list under Client for
Microsoft Networks, and NWLink will be the second protocol in
the list. Click OK.
5. Close the Network and Dial-up Connections folder.

Answers to Chapter Questions


Chapter Pre-Test
1. Windows 2000 automatically creates a local area connection for each
network adapter that it detects in a Windows 2000 computer.
2. A virtual private network (VPN) connection is a private, encrypted
tunnel between two computers that can already communicate with
each other by using TCP/IP, for example across the Internet; the
private network’s traffic is carried inside that tunnel.
3. Before you can create a dial-up connection, you must have a modem
installed in your Windows 2000 computer.
4. If you have a connection to the Internet on your Windows 2000
computer, and you want to enable other computers on your local
area network to use that connection to access the Internet, you might
want to enable Internet Connection Sharing for the specific connec-
tion that will be shared. Internet Connection Sharing is commonly
used in a home or small-office network setting when a single
Internet connection must be shared by multiple computers.
5. Bindings are local area connection configuration options that specify
three specific properties of a local area connection:
a. Which installed client(s) or service(s) the connection uses
b. Which protocol(s) are used by (or bound to) each selected client
or service
c. The order in which selected protocols are used by each associated
client or service
Provider order is a connection configuration option that specifies
which installed client the computer’s connections will use first when
it attempts to connect to a server or a printer.
6. In addition to installing network protocols, you may also need to
install and configure additional network clients and services to fully
support the connections on your Windows 2000 computer, and to
support interoperability with other operating systems.
7. Network clients enable your Windows 2000 computer to access
resources located on other servers on the network.
8. Services enable computers that run other operating systems to access
resources on the Windows 2000 computer.

Assessment Questions
1. D. Use the Network Connection Wizard in the Network and
Dial-up Connections folder to make new connections.
2. C. Internet Connection Sharing should always be enabled on the
connection that the computer uses to connect to the Internet. In this
case, that’s a dial-up connection to the Internet.
3. B, C, D. Internet Connection Sharing should not be used on networks
that have existing routers, DNS servers, or DHCP servers, because once
Internet Connection Sharing is enabled on a computer, Windows 2000
automatically makes that computer the gateway, DNS proxy server,
and DHCP server for that network segment, and assigns this computer
an IP address of 192.168.0.1. A second DHCP server or a second
gateway on the same segment conflicts with the ones already there.
4. A. To directly connect the two computers by using infrared ports, you
must configure one of the computers to accept incoming connections,
and configure the other computer to directly connect to the other.
5. D. The SAP Agent enables a Windows 2000 computer to maintain
and advertise a list of servers (such as NetWare servers) that use the
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol.
6. C. The correct client is Gateway (and Client) Services for
NetWare. Any answer that contains Client Service for NetWare is
incorrect because this client can only be installed on Windows 2000
Professional computers, not on Windows 2000 Server computers.
The correct protocol is NWLink IPX/SPX/NetBIOS Compatible
Transport Protocol.
7. A. Use the Advanced Settings option in the Advanced menu in the
Network and Dial-up Connections folder to configure bindings
and provider order.
8. B. You can use the Services tool in Computer Management to
configure services.

Scenarios
1. The most likely cause of this problem is that you enabled Internet
Connection Sharing on the wrong connection. Internet Connection
Sharing must be enabled on the connection that is used to access the
Internet. In this case, that is the connection to the cable modem.
Enabling it on the home-network connection instead makes Windows
2000 treat the home network as the Internet side and reconfigure the
cable-modem connection as the shared private side (192.168.0.1), so
the home-network clients have no gateway to the Internet. To resolve
the problem, disable Internet Connection Sharing on the local area
connection that connects to your home network, and enable it on
the connection that is connected to your cable modem.
2. The most likely cause of this problem is an incorrect TCP/IP setting,
such as the computer’s IP address or subnet mask. Because the computer
cannot reach any TCP/IP host at all, the fault is on this computer rather
than on the network. To resolve the problem, ensure that all TCP/IP
settings on your computer are configured correctly, with settings that
are compatible with the other computers on your network that use
TCP/IP.
Exam material: Professional, Server, Network

EXAM OBJECTIVES

Professional  Exam 70-210


■ Configure and troubleshoot the TCP/IP protocol.

Server  Exam 70-215


■ Install, configure, and troubleshoot network protocols.
■ Install and configure network services.

Network  Exam 70-216


■ Install, configure and troubleshoot DHCP.
■ Install the DHCP Server service.
■ Create and manage DHCP scopes, superscopes, and
multicast scopes.
■ Configure DHCP for DNS integration.
■ Authorize a DHCP server in Active Directory.
■ Manage and monitor DHCP.
■ Install, configure, and troubleshoot network protocols.
■ Install and configure TCP/IP.
■ Configure TCP/IP packet filters.
■ Configure and troubleshoot network protocol security.
■ Configure and troubleshoot IPSec.
■ Enable IPSec.
■ Configure IPSec for transport mode.
■ Configure IPSec for tunnel mode.
■ Customize IPSec policies and rules.
■ Manage and monitor IPSec.
■ Install, configure, and troubleshoot WINS.
■ Configure WINS replication.
■ Configure NetBIOS name resolution.
■ Manage and Monitor WINS.
■ Install, configure, and troubleshoot IP routing protocols.
■ Update a Windows 2000-based routing table by means
of static routes.
■ Implement Demand-Dial Routing.

■ Manage and monitor IP routing.
■ Manage and monitor border routing.
■ Manage and monitor internal routing.
■ Manage and monitor IP routing protocols.
■ Install NAT.
■ Configure NAT properties.
■ Configure NAT interfaces.
CHAPTER 16
Networking with TCP/IP

Chapter 16 focuses on TCP/IP and several TCP/IP-related features as
they are used on a Windows 2000 network. After a brief overview of
TCP/IP, I’ll discuss IP addressing and how to configure TCP/IP. Next, I’ll cover
how to install and configure a DHCP server, which is frequently used to auto-
matically provide IP addressing information to client computers. Then I’ll move
on to the topic of NetBIOS name resolution, where I’ll explain how to use
lmhosts files or a WINS server to resolve NetBIOS names.
Next, I’ll explore routing in a Windows 2000 Server environment. In this
section you’ll discover the differences between static and dynamic routing.
Then I’ll show you how to configure a router, as well as how to manage ports,
routing interfaces, and demand-dial routing. I’ll also introduce you to the
numerous routing protocols that ship with Windows 2000 Server. Finally, I’ll
cover monitoring and troubleshooting TCP/IP routing.
In the last part of this chapter, I’ll explain how to implement two TCP/IP
security features: TCP/IP packet filtering and IPSec.

Part IV ▼ Networking and Interoperability

Chapter Pre-Test
1. What is TCP/IP?
2. True or False: All computers located on the same network
segment should have the same network ID.
3. What does a default gateway address specify?
4. What are the two ways in which you can assign an IP address
to a Windows 2000 computer?
5. What is a DHCP scope?
6. What is WINS?
7. How can you enable routing on a Windows 2000 Server
computer?
8. What are the five routing protocols that ship with Windows 2000
Server?
9. What are two security features of TCP/IP in Windows 2000?
Overview of TCP/IP
The Transmission Control Protocol/Internet Protocol (TCP/IP) is a widely
used transport protocol that provides robust capabilities for Windows 2000
networking.

TIP
In the Windows 2000 interface, TCP/IP is called “Internet Protocol
(TCP/IP).” But I prefer to simply call it what it is — TCP/IP.

TCP/IP is a fast, routable enterprise protocol that is used on the Internet. In
addition to being supported by Windows 2000, TCP/IP is supported by many
other operating systems, including: Windows 95, Windows 98, Windows NT,
NetWare, Macintosh, UNIX, MS-DOS, and IBM mainframes. TCP/IP is typ-
ically the recommended protocol for large, heterogeneous networks.
Microsoft includes several TCP/IP-based protocols and services with
Windows 2000 that enhance networking, including: the Dynamic Host
Configuration Protocol (DHCP) service, the Domain Name System
(DNS) service, Windows Internet Name Service (WINS), RIP Version 2
for Internet Protocol, Open Shortest Path First (OSPF), Network Address
Translation (NAT), IGMP, and IPSec. I’ll discuss each of these protocols
and services in this chapter.
By now, you’re probably getting the idea that TCP/IP is a huge topic —
and you’re right. Although volumes have been written on this subject, this
chapter covers only the basics of TCP/IP that are required for the
Network exam, and also for the Professional and Server exams.
A good place to begin a basic discussion of TCP/IP is with IP addressing,
including subnet masks, default gateway addresses, and DNS server addresses.

IP Addressing
An IP address is a 32-bit binary number, broken into four 8-bit sections
(often called octets), that uniquely identifies a computer or other network
device on a network that uses TCP/IP. IP addresses must be unique — no
two computers or other network devices on an internetwork should have the same IP
address. If two computers have the same IP address, one or both of the com-
puters may be unable to communicate over the network. An IP address is
not the same as a network adapter card’s hardware (or MAC) address.
Although an IP address is a 32-bit binary number, it is normally represented
in a dotted decimal format. Each 8-bit octet is represented by a
whole decimal number between 0 and 255. The following numbers are
sample IP addresses:
192.168.59.5
172.31.151.1
An IP address contains two important identifiers: a network ID and a
host ID. One portion of each IP address identifies the network segment on
which a computer (or other network device) is located. This portion is
called the network ID. All computers located on the same network segment
should have the same network ID. The portion of the IP address used for
the network ID is variable and is specified by the subnet mask used in con-
junction with the IP address. (I’ll discuss subnet masks in more detail in the
next section.)
The second portion of each IP address identifies the individual com-
puter or network device.This portion is called the host ID. Each computer
or other network device on a given network segment must have a unique
host ID.
To ensure that unique IP addresses are used, if you plan to connect your
network to the Internet, you should contact your Internet service provider
(ISP) to obtain a range of valid IP addresses for your network.

Subnet Masks
A subnet mask specifies which portion of an IP address represents the net-
work ID and which portion represents the host ID. A subnet mask allows
TCP/IP to determine whether network traffic destined for a given IP
address should be transmitted on the local subnet, or whether it should be
routed to a remote subnet. A subnet mask should be the same for all com-
puters and other network devices on a given network segment.
A subnet mask is a 32-bit binary number, broken into four 8-bit sections
(octets), that is normally represented in a dotted decimal format. Each 8-bit
section is represented by a whole number between 0 and 255.
A common subnet mask is 255.255.255.0. This particular subnet mask
specifies that TCP/IP will use the first three octets of an IP address as the net-
work ID, and will use the last octet as the host ID. This subnet mask is some-
times referred to as a 24-bit subnet mask, because when 255.255.255.0 is
converted to a 32-bit binary number, the first 24 bits of this number are all 1’s.
Another common subnet mask is 255.255.0.0. This subnet mask specifies
that TCP/IP will use the first two octets of an IP address as the network ID,
and will use the last two octets as the host ID. This subnet mask is sometimes
referred to as a 16-bit subnet mask, because when 255.255.0.0 is converted
to a 32-bit binary number, the first 16 bits of this number are all 1’s.
There are two ways that subnet masks are commonly presented. First, a
subnet mask can be presented in dotted decimal format in conjunction
with its network ID. An example of this presentation is 192.168.59.0
255.255.255.0. In this example, 192.168.59.0 specifies the network ID, and
255.255.255.0 specifies that 24 bits (the first three octets) are used as the
subnet mask. Recently, a shortcut notation (prefix-length, or CIDR,
notation) has come into common use, where the network ID and subnet
mask combination in the previous example would be expressed as
192.168.59.0/24. In this shortcut notation, 192.168.59.0 specifies the
network ID, and /24 specifies that a 24-bit subnet mask (255.255.255.0)
is used.
Without getting into too much binary math, an octet number of 255
specifies that the entire octet is part of the network ID, and an octet num-
ber of 0 specifies that the entire octet is part of the host ID. Numbers
between 0 and 255 specify that part of the octet corresponds to the net-
work ID, and the remaining part corresponds to the host ID.

TIP
For more information on subnetting and subnet masks, see Network+
Certification Study System, by Joseph J. Byrne (IDG Books Worldwide).

Table 16-1 lists all of the subnet masks normally used on TCP/IP net-
works, the number of bits specified by each subnet mask, and the maxi-
mum number of host IDs that can be used on a single subnet with that
subnet mask.
TABLE 16-1 Common Subnet Masks

Subnet mask       Number of bits specified   Maximum number of host IDs that can be
                  by the subnet mask         used on a single subnet with this subnet mask
255.0.0.0         8                          16,777,214
255.128.0.0       9                          8,388,606
255.192.0.0       10                         4,194,302
255.224.0.0       11                         2,097,150
255.240.0.0       12                         1,048,574
255.248.0.0       13                         524,286
255.252.0.0       14                         262,142
255.254.0.0       15                         131,070
255.255.0.0       16                         65,534
255.255.128.0     17                         32,766
255.255.192.0     18                         16,382
255.255.224.0     19                         8,190
255.255.240.0     20                         4,094
255.255.248.0     21                         2,046
255.255.252.0     22                         1,022
255.255.254.0     23                         510
255.255.255.0     24                         254
255.255.255.128   25                         126
255.255.255.192   26                         62
255.255.255.224   27                         30
255.255.255.240   28                         14
255.255.255.248   29                         6
255.255.255.252   30                         2

If subnet masks are incorrectly configured, network communications
problems due to routing errors may occur. For example, TCP/IP may
incorrectly determine that a computer on the local subnet is located on a
remote subnet and attempt to route a packet to the remote subnet. In this
instance, the computer on the local subnet would never receive the packet
intended for it.
Default Gateway Addresses

A default gateway address specifies the IP address of a router on the local
network segment. When a computer that uses TCP/IP determines that
the computer it wants to communicate with is located on a remote sub-
net, it sends all network messages intended for the remote computer to
the default gateway address, instead of directly to the destination com-
puter. Then the router on the local subnet specified by the default gateway
address forwards the messages to the destination computer on the remote
subnet, either directly or via other routers.
If a computer’s default gateway address does not specify a router on the
local subnet, then that computer will be unable to communicate with
computers or other network devices located on other network segments.
When a router is used to connect two network segments, it has two net-
work adapter cards and two IP addresses. Figure 16-1 illustrates how
default gateway addresses are used to specify the IP address of a router on
the local subnet.

IP address: 192.168.75.122
Default gateway: 192.168.75.1

Computer_A

Subnet_A

IP address: 192.168.75.1

Router

IP address: 192.168.70.1

Subnet_B

IP address: 192.168.70.31
Default gateway: 192.168.70.1

Computer_B

FIGURE 16-1 Default gateway addresses specify a local router


Notice in Figure 16-1 that the default gateway address of Computer_A
matches the IP address of its local router, and the default gateway address of
Computer_B matches the IP address of its local router.
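The subnet-mask arithmetic and the local-or-remote decision described in the Subnet Masks and Default Gateway Addresses sections above, as an added Python example that is not from the book: it converts between dotted masks and prefix lengths, splits an address into network ID and host ID, reproduces the host counts of Table 16-1, and decides whether a packet goes straight to its destination or to the default gateway. The addresses are the ones from Figure 16-1; the function names are my own, and the last call shows the routing error the text warns about when the mask is wrong.

```python
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted-decimal subnet mask such as 255.255.255.0 to its
    prefix length (24). A valid mask is a run of 1 bits followed by 0 bits,
    so anything else (for example 255.0.255.0) is rejected."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def prefix_to_mask(prefix: int) -> str:
    """Convert a prefix length back to dotted-decimal form (/16 -> 255.255.0.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def split_address(ip: str, mask: str):
    """Return (network ID in dotted form, host ID as an integer) for ip under mask."""
    net = ipaddress.IPv4Network(f"{ip}/{mask_to_prefix(mask)}", strict=False)
    host_id = int(ipaddress.IPv4Address(ip)) & ~int(net.netmask) & 0xFFFFFFFF
    return str(net.network_address), host_id


def usable_hosts(mask: str) -> int:
    """Maximum host IDs on one subnet: 2^(host bits) minus the all-zeros
    (network ID) and all-ones (broadcast) host IDs. Matches Table 16-1."""
    return 2 ** (32 - mask_to_prefix(mask)) - 2


def next_hop(local_ip: str, mask: str, gateway: str, dest: str) -> str:
    """Where TCP/IP sends a packet for dest: straight to dest when the two
    network IDs match, otherwise to the default gateway (the local router)."""
    local_net = ipaddress.IPv4Network(f"{local_ip}/{mask_to_prefix(mask)}", strict=False)
    return dest if ipaddress.IPv4Address(dest) in local_net else gateway


if __name__ == "__main__":
    # Addresses from Figure 16-1: Computer_A on Subnet_A, Computer_B on Subnet_B.
    a, gw_a, b = "192.168.75.122", "192.168.75.1", "192.168.70.31"
    print(split_address(a, "255.255.255.0"))       # ('192.168.75.0', 122)
    print(usable_hosts("255.255.0.0"))             # 65534
    print(next_hop(a, "255.255.255.0", gw_a, b))   # 192.168.75.1 (sent to the router)
    # Wrong mask (/25 instead of /24): a host on the local subnet looks remote,
    # so the packet is handed to the router instead of being delivered directly.
    print(next_hop(a, "255.255.255.128", gw_a, "192.168.75.200"))  # 192.168.75.1
```

Try the last call with the correct mask (255.255.255.0) and the packet is delivered directly; with the wrong mask it is sent to the router, which is the misrouting scenario described above.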

DNS Server Addresses

A DNS server address specifies the IP address of a DNS server on your
company’s network. The DNS server does not have to reside on the local
network segment. A DNS server address, like all other IP addresses, is a 32-
bit binary number, broken into four 8-bit sections (octets), that is normally
represented in a dotted decimal format.
When a Windows 2000 computer wants to resolve a host name or an
FQDN to an IP address, it sends the host name or FQDN to the DNS
server for name resolution. The DNS server then performs the resolution
and returns the IP address of the host name or FQDN to the requesting
computer.
All client computers on a Windows 2000 network use DNS servers to
locate Active Directory domain controllers. Because of this, if a client com-
puter is not configured with the address of a DNS server, or points at a DNS
server that does not hold the domain’s records, it won’t be able to find a
domain controller, and so won’t be able to log on to the domain or
function properly on the network.

Configuring TCP/IP
IP addresses must be configured on each connection in a Windows 2000
computer when TCP/IP is installed. Because TCP/IP is automatically
installed during most installations of Windows 2000, IP address configura-
tion is often done as part of the installation process. After the installation of
Windows 2000, when a new connection is created, it is configured, by
default, to receive its IP addressing information from a DHCP server.
You can assign an IP address to a Windows 2000 computer in one of
two ways: by manually specifying a computer’s IP address configuration, or
by configuring a computer to obtain IP addressing information automati-
cally from a DHCP server.

Manually Configuring TCP/IP


IP addresses are typically configured manually only when a DHCP server
is not available, or when the computer being configured requires a static IP
address. Configuring IP addresses manually is both more time-consuming
than using a DHCP server and more prone to error, because an IP address
must be manually typed for each connection on each individual computer.
However, configuring an IP address manually is sometimes the only way to
get the job done.

STEP BY STEP

CONFIGURING AN IP ADDRESS MANUALLY

1. Select Start ➪ Settings ➪ Network and Dial-up Connections.


2. In the Network and Dial-up Connections folder, right-click the con-
nection for which you want to configure IP addressing information, and select
Properties from the menu that appears.

TIP
When you’re configuring TCP/IP addressing information on a Windows
2000 computer so it can function on your company’s local area network,
you would normally select the computer’s Local Area Connection during
this step.

3. If the connection you selected is not a local area connection, in the connection’s
Properties dialog box, click the Networking tab.
Then, for all connection types, highlight Internet Protocol (TCP/IP) and click
Properties.
4. The Internet Protocol (TCP/IP) Properties dialog box appears, as shown in Figure
16-2. Notice the IP address, Subnet mask, Default gateway, and Preferred DNS
server text boxes.
Ensure that the “Use the following IP address” option is selected. Then complete
the following text boxes:
 IP address: Enter the IP address you want to assign to this connection.
This is a mandatory setting.
 Subnet mask: Enter the subnet mask you want to assign to this connec-
tion. This is a mandatory setting.
 Default gateway: Enter the default gateway address that will be used by
this connection. This is an optional setting. However, if you don’t configure
this setting, this computer won’t be able to communicate with computers
located on other network segments.
If you want the computer to use a DNS server, complete the following text boxes:
 Preferred DNS server: Enter the IP address of the DNS server you want
this connection to use.
STEP BY STEP Continued

 Alternate DNS server: Optionally, you can enter the IP address of an addi-
tional DNS server that will be used by this connection if the preferred DNS
server is not available.

FIGURE 16-2 Manually configuring IP addressing information

Click OK.
5. In the connection’s Properties dialog box, click OK.
6. Close the Network and Dial-up Connections folder.
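A check worth running before typing a static configuration into the dialog box described above. The following Python function is an added example, not part of the book or of Windows 2000: it takes the values you would enter in step 4 and reports the mistakes this chapter warns about, namely a non-contiguous mask, an address that is the network ID or the broadcast address, a default gateway that is not on the local subnet, and a missing gateway or DNS server. The function and the message texts are my own.

```python
import ipaddress


def validate_static_config(ip, mask, gateway=None, dns_servers=()):
    """Check a manual TCP/IP configuration before it is applied.
    Returns a list of problems; an empty list means the settings are consistent."""
    problems = []
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return [f"IP address {ip!r} is not a valid dotted-decimal address"]
    try:
        # ipaddress accepts a dotted mask here and rejects non-contiguous ones.
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    except ValueError:
        return [f"subnet mask {mask!r} is not a valid subnet mask"]

    if net.prefixlen > 30:
        problems.append(f"mask {mask} leaves no usable host IDs on the subnet")
    if addr == net.network_address:
        problems.append("IP address is the network ID (host bits all 0)")
    if addr == net.broadcast_address:
        problems.append("IP address is the broadcast address (host bits all 1)")

    if gateway is None:
        # Optional in the dialog box, but without it no other segment is reachable.
        problems.append("no default gateway: the computer cannot reach other network segments")
    else:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            problems.append(f"default gateway {gateway!r} is not a valid address")
        else:
            if gw == addr:
                problems.append("default gateway is the computer's own address")
            elif gw not in net:
                # The router must be on the local subnet or it can never be reached.
                problems.append(f"default gateway {gateway} is not on the local subnet {net}")

    if not dns_servers:
        problems.append("no DNS server: host names cannot be resolved and "
                        "Active Directory domain controllers cannot be located")
    for server in dns_servers:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not a valid address")
    return problems


if __name__ == "__main__":
    # Computer_A from Figure 16-1 with a correct gateway, then with Subnet_B's router by mistake.
    print(validate_static_config("192.168.75.122", "255.255.255.0", "192.168.75.1", ("192.168.75.10",)))
    print(validate_static_config("192.168.75.122", "255.255.255.0", "192.168.70.1", ("192.168.75.10",)))
```

The second call reports that 192.168.70.1 is not on 192.168.75.0/24, which is exactly the misconfiguration that leaves a computer unable to reach any other segment even though its own address and mask are fine.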

Configuring TCP/IP by Using a DHCP Server


The most convenient method for assigning IP addresses to multiple com-
puters, in terms of administration time required, is to configure each of the
computers to obtain its IP address from a Dynamic Host Configuration
Protocol (DHCP) server. When a client computer obtains an IP address
from a DHCP server, the DHCP server assigns that client computer the
next available IP address. That IP address is leased to the client computer
for a specific period of time, usually several days. The client computer can
4701-1 ch16.f.qc 4/24/00 09:41 Page 1043

Chapter 16 ▼ Networking with TCP/IP 1043

then renew that lease, enabling a client computer to use the same IP
address indefinitely, unless the computer is turned off for several days (long
enough for the lease to expire).
Assigning IP addresses by using a DHCP server is the preferred method
because:
■ Using a DHCP server makes it possible for you to manage IP
addresses centrally, thus ensuring that addresses are valid and not
duplicated.
■ Using a DHCP server reduces the amount of administration time
required to manage and maintain IP addresses for each connection
on each computer on the network.
■ Using a DHCP server reduces the likelihood of human error when
IP addresses are assigned, because no need exists to enter an IP
address manually for each connection on every individual computer.
■ Using a DHCP server enables an administrator to centrally change
the IP address that each client computer uses to contact a DNS or
WINS server, instead of having to manually reconfigure each client
computer.
■ Using a DHCP server enables you to regain the use of an IP
address no longer assigned to a host when the DHCP lease period
for this IP address expires.
Before you can assign an IP address to a connection on a Windows 2000
computer by using a DHCP server, you must have a DHCP server on your
network. (I’ll explain how to install and configure a DHCP server a little
later in this chapter.)

STEP BY STEP

CONFIGURING A COMPUTER TO OBTAIN AN IP ADDRESS FROM A DHCP SERVER

1. Select Start ➪ Settings ➪ Network and Dial-up Connections.


2. In the Network and Dial-up Connections folder, right-click the con-
nection for which you want to configure automatic IP addressing, and select
Properties from the menu that appears.
3. If the connection you selected is not a local area connection, in the connection’s
Properties dialog box, click the Networking tab.
Then, for all connection types, highlight Internet Protocol (TCP/IP) and click
Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, select the “Obtain an IP
address automatically” option.
If you also want a DNS server address to be automatically assigned, select the
“Obtain DNS server address automatically” option.
Figure 16-3 shows a connection configured to receive both its IP addressing
information and its DNS server address automatically. Click OK.

FIGURE 16-3 Configuring a connection to automatically obtain IP addressing information

5. In the connection’s Properties dialog box, click OK.


6. Close the Network and Dial-up Connections folder.

Troubleshooting TCP/IP Configuration Problems


There are several common TCP/IP connectivity problems. Most TCP/IP
connectivity problems are caused by incorrectly configured TCP/IP set-
tings on the computer that is experiencing the problem.
TCP/IP connectivity problems commonly reported by users include:


■ A user is unable to access a computer located on another subnet.
■ A user is unable to access the Internet.
■ A user is unable to access computers on both the local and remote
subnets.
■ TCP/IP fails to initialize on the user’s computer.
When troubleshooting a TCP/IP connectivity problem, carefully check
the TCP/IP settings on the computer experiencing the problem, including
the IP address, subnet mask, default gateway, and DNS server address.
■ IP address: Make sure the computer’s IP address is not a duplicate
of another IP address used on the network, and that it is an appro-
priate IP address for the local subnet. Remember that the network
ID portion of the IP address must be the same for all computers on
the local subnet.
■ Subnet mask: Ensure that the computer’s subnet mask is the
same subnet mask used by all computers and routers located on
that subnet.
■ Default gateway: Ensure that the computer’s default gateway
address matches the IP address of a router on the local subnet.
■ DNS server address: Ensure that the computer’s DNS server
address matches the IP address of your company’s DNS server.
Two command-line utilities that can help when you’re troubleshooting
TCP/IP connectivity problems are ipconfig.exe and ping.exe.
Ipconfig.exe displays the computer’s current IP configuration
settings, including IP address, subnet mask, and default gateway. To use
ipconfig.exe, select Start ➪ Programs ➪ Accessories ➪ Command Prompt.
At the command prompt, type ipconfig and press Enter. To view detailed IP
addressing for all connections on the computer, including the DNS servers,
the DHCP server and lease times of DHCP-configured connections, and the
physical (MAC) address of each adapter, at the command prompt, type
ipconfig /all | more and press Enter.
Ping.exe verifies network communications between the local com-
puter and any other computer specified on the network. To use ping.exe,
select Start ➪ Programs ➪ Accessories ➪ Command Prompt. At the com-
mand prompt, type ping IP_address and press Enter. (The IP address
entered should be the IP address of the computer with which you are
attempting to communicate. Alternatively, instead of typing an IP address
you can type the host name or FQDN of the computer with which you are
trying to communicate.) If your computer is able to communicate with the
remote computer specified, ping.exe displays four replies from the remote
computer. The following is an example of a successful ping response.
Reply from 192.168.59.5: bytes=32 time<10ms TTL=128
Reply from 192.168.59.5: bytes=32 time<10ms TTL=128
Reply from 192.168.59.5: bytes=32 time<10ms TTL=128
Reply from 192.168.59.5: bytes=32 time<10ms TTL=128

If your computer is unable to communicate with the remote computer
specified, ping.exe usually displays “Request timed out.” four times. A
timeout only proves that no echo reply came back: a remote host or an
intervening firewall that drops ICMP echo requests produces the same
result even when other traffic to that host gets through, so treat a failed
ping as a prompt to check the configuration, not as proof that the host is down.
You can ping your own computer’s IP address to determine whether
TCP/IP is correctly configured and initialized on the local computer. If
TCP/IP is correctly configured on the local computer, ping.exe will dis-
play four replies from the local computer.
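The checklist above can be applied mechanically. The following Python script is an added example, not part of this book or of Windows 2000: it takes the settings you would read from ipconfig /all on each computer on a segment (the host names, addresses, and faults below are constructed for the example) and reports the configuration errors the checklist describes: a network ID that does not match the segment, a host address that is the subnet’s network or broadcast address, a default gateway that is not on the local subnet, and an address configured on more than one computer. Python’s ipaddress module does the subnet arithmetic.

```python
from collections import Counter
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed sample data: TCP/IP settings collected from several computers on
# one segment, as you would read them from ipconfig /all on each machine.
# Host names, addresses and the faults they contain are made up for this example.
HOSTS = {
    "WS1": {"ip": "192.168.59.10",  "mask": "255.255.255.0", "gw": "192.168.59.1"},  # same address as WS2
    "WS2": {"ip": "192.168.59.10",  "mask": "255.255.255.0", "gw": "192.168.59.1"},  # same address as WS1
    "WS3": {"ip": "192.168.59.11",  "mask": "255.255.0.0",   "gw": "192.168.59.1"},  # wrong subnet mask
    "WS4": {"ip": "192.168.59.12",  "mask": "255.255.255.0", "gw": "192.168.60.1"},  # gateway on another subnet
    "WS5": {"ip": "192.168.59.255", "mask": "255.255.255.0", "gw": "192.168.59.1"},  # broadcast address
    "WS6": {"ip": "192.168.59.13",  "mask": "255.255.255.0", "gw": "192.168.59.1"},  # correct
}
# The subnet the segment's router actually serves (assumed for the example).
SEGMENT = IPv4Network("192.168.59.0/24")


def check_host(name, cfg, segment, address_count):
    """Apply the checklist to one host; return a list of findings (empty when clean)."""
    findings = []
    try:
        iface = IPv4Interface(f"{cfg['ip']}/{cfg['mask']}")   # rejects a non-contiguous mask
        gateway = IPv4Address(cfg["gw"])
    except ValueError as err:
        return [f"{name}: unparsable setting ({err})"]

    # The network ID (address AND mask) must be the same on every host of the segment.
    if iface.network != segment:
        findings.append(f"{name}: network ID {iface.network} does not match segment "
                        f"{segment}; check the subnet mask")
    # A host may not use the subnet's network or broadcast address.
    if iface.ip == iface.network.network_address:
        findings.append(f"{name}: {iface.ip} is the subnet's network address")
    if iface.ip == iface.network.broadcast_address:
        findings.append(f"{name}: {iface.ip} is the subnet's broadcast address")
    # The default gateway must be a router on the local subnet, and not the host itself.
    if gateway not in segment:
        findings.append(f"{name}: default gateway {gateway} is not on the local subnet {segment}")
    elif gateway == iface.ip:
        findings.append(f"{name}: default gateway is the host's own address")
    # The same address on two hosts is a duplicate address on the network.
    if address_count[iface.ip] > 1:
        findings.append(f"{name}: duplicate address {iface.ip} is configured on "
                        f"{address_count[iface.ip]} hosts")
    return findings


def audit(hosts=HOSTS, segment=SEGMENT):
    """Run check_host over every host; returns {host name: [findings]}."""
    address_count = Counter()
    for cfg in hosts.values():
        try:
            address_count[IPv4Address(cfg["ip"])] += 1
        except ValueError:
            pass   # reported per host by check_host
    return {name: check_host(name, cfg, segment, address_count) for name, cfg in hosts.items()}


if __name__ == "__main__":
    for host, findings in audit().items():
        print(host, "OK" if not findings else "")
        for line in findings:
            print("   ", line)
```

Run it as is to print a report for the sample; in practice you collect the settings from the affected computers into HOSTS and set SEGMENT to the subnet the router serves. A clean host gets an empty list, which is what the WS6 entry shows.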

Installing and Configuring a DHCP Server


Microsoft includes a DHCP server product with Windows 2000 Server
(and Advanced Server), called the Dynamic Host Configuration Protocol
(DHCP) service. (I’ll call this the DHCP service for short.) The DHCP
service provides centralized management of IP address assignment. The
DHCP service can be installed on any Windows 2000 Server computer
that has a manually assigned static IP address for each connection on the
computer. When the DHCP service is installed and configured on a
Windows 2000 Server computer, that computer becomes a DHCP server.

EXAM TIP
The Network exam has six objectives on DHCP. Be sure you’re good and
comfortable with all facets of DHCP before you take the Network exam.

In the next few sections I’ll show you how to install the DHCP service;
how to authorize a DHCP server in Active Directory; how to configure
DHCP for integration with a DNS server; how to configure DHCP
scopes, superscopes, and multicast scopes; and how to monitor a DHCP
server. I’ll also provide you with some tips for troubleshooting DHCP.
Installing the DHCP Service


Before you can install the DHCP service on a Windows 2000 Server/
Advanced Server computer, TCP/IP must be installed on the computer,
and a static IP address must be manually configured for each connection in
the Windows 2000 computer.

STEP BY STEP

INSTALLING DHCP

1. Select Start ➪ Settings ➪ Control Panel.


2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove Windows
Components.
4. In the Windows Components Wizard dialog box, highlight Networking Services,
and click Details.
5. In the Networking Services dialog box, select the check box next to Dynamic Host
Configuration Protocol (DHCP), and click OK.
6. In the Windows Components Wizard dialog box, click Next.
7. Windows 2000 configures components and installs DHCP. In the Completing the
Windows Components Wizard screen, click Finish.
8. Close Add/Remove Programs. Then close Control Panel.

Authorizing a DHCP Server in Active Directory


When the DHCP service is installed on a Windows 2000 Server computer
that is a member of a domain (either a member server or a domain con-
troller), the service must be authorized in Active Directory for that specific
computer before it will start. This is referred to as “authorizing a DHCP
server in Active Directory.”
The purpose of authorizing DHCP servers in Active Directory is to
prevent nonauthorized DHCP servers from disrupting network commu-
nications. Only Windows 2000 DHCP servers that are installed, config-
ured, and authorized by an Administrator are permitted to start and run on
the network. This feature can prevent an employee from accidentally creat-
ing a DHCP server containing inappropriate IP address assignments,
which could wreak havoc on your company’s network. Such an unautho-
rized DHCP server is sometimes referred to as a “rogue” DHCP server.
Only Windows 2000 DHCP servers must be authorized in Active
Directory. DHCP servers on computers that run Windows NT, UNIX,
or other operating systems don’t need to be authorized, and, just as
important, are not stopped by this mechanism: the check is performed by
the Windows 2000 DHCP service itself before it begins answering clients.
Authorization is a safeguard against an accidental rogue, not a defense
against a deliberate one. A DHCP server running on any other operating
system, or one introduced by an attacker, is unaffected by it and has to be
found by other means, such as watching the network for DHCP offers that
carry the address of a server you did not deploy.
When the DHCP service is installed on a Windows 2000 Server com-
puter that is not a member of a domain, the DHCP server does not need to
be authorized in Active Directory.
You can use the DHCP administrative tool to authorize a DHCP server
in Active Directory, as the steps that follow explain. You can also perform
this task in Computer Management.

STEP BY STEP

AUTHORIZING A DHCP SERVER

1. Select Start ➪ Programs ➪ Administrative Tools ➪ DHCP.


2. In the left pane of the DHCP dialog box, highlight the DHCP server you want to
authorize. Select Action ➪ Authorize.
3. Wait a minute or two, then select Action ➪ Refresh.
4. The DHCP Server is now authorized. Notice that the icon next to the DHCP
server now contains a green, upward pointing arrow (instead of a red, downward
pointing arrow).
5. Close DHCP.
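Because authorization is enforced only by the Windows 2000 DHCP service itself, a practitioner who wants to catch rogue servers of any kind has to look at the network. The following Python code is an added example, not part of this book or of the Windows 2000 DHCP service: it parses the option field of a DHCP message (the 236-byte BOOTP fixed header, the magic cookie, and the code/length/value options defined by RFC 2131) and flags any DHCPOFFER whose server identifier (option 54) is not in the list of servers you deployed. The authorized address 192.168.59.2, the rogue 192.168.59.99, and the sample offers themselves are constructed for the example; on a real network you would feed it packets captured on UDP port 68 of a client or from the server-side traffic on UDP port 67.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional

# DHCP rides on BOOTP: a 236-byte fixed header, the 4-byte magic cookie
# 63 82 53 63, then options as (code, length, value) triples ended by code 255.
BOOTP_HEADER_LEN = 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53      # 1 = DISCOVER, 2 = OFFER, 3 = REQUEST, 5 = ACK, ...
OPT_SERVER_ID = 54         # IP address of the server that sent the message
DHCPOFFER = 2

# Assumed for the example: the addresses of the DHCP servers you actually deployed.
AUTHORIZED_SERVERS = {"192.168.59.2"}


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Return {option code: raw value} from a DHCP message; raise ValueError if malformed."""
    if len(packet) < BOOTP_HEADER_LEN + 4:
        raise ValueError("too short to be a DHCP message")
    if packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("DHCP magic cookie missing")
    options: Dict[int, bytes] = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:          # single-byte pad: no length field follows
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:     # length runs past the packet: reject rather than guess
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length
    return options


def rogue_offer_source(packet: bytes, authorized=AUTHORIZED_SERVERS) -> Optional[str]:
    """If the packet is a DHCPOFFER whose server identifier is not an authorized
    server, return that server's address; otherwise return None."""
    options = parse_dhcp_options(packet)
    if options.get(OPT_MESSAGE_TYPE) != bytes([DHCPOFFER]):
        return None
    server_id = options.get(OPT_SERVER_ID)
    if server_id is None or len(server_id) != 4:
        return None                  # an offer without a usable server identifier
    server = str(IPv4Address(server_id))
    return None if server in authorized else server


def build_offer(server_ip: str, offered_ip: str, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPOFFER (sample data for the example, not a capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                  # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        xid, 0, 0,                                   # transaction id, secs, flags
        b"\0" * 4,                                   # ciaddr
        IPv4Address(offered_ip).packed,              # yiaddr: the address being offered
        IPv4Address(server_ip).packed,               # siaddr
        b"\0" * 4,                                   # giaddr
        bytes.fromhex("000c293e5d4a") + b"\0" * 10,  # chaddr (made-up client MAC)
        b"\0" * 64, b"\0" * 128,                     # sname, file
    )
    options = (bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


# Constructed traffic sample: one offer from the real server, one from a rogue.
SAMPLE_OFFERS = [
    build_offer("192.168.59.2", "192.168.59.50"),
    build_offer("192.168.59.99", "192.168.59.50"),
]


def find_rogue_offers(packets=SAMPLE_OFFERS, authorized=AUTHORIZED_SERVERS):
    """Addresses of unauthorized servers seen offering leases, in order of appearance."""
    return [src for src in (rogue_offer_source(p, authorized) for p in packets) if src]


if __name__ == "__main__":
    for server in find_rogue_offers():
        print(f"DHCPOFFER from unauthorized server {server}")
```

The detector keys on option 54 rather than on the IP source address because a relay agent rewrites the latter when the server is on another subnet; the server identifier survives relaying. A malformed packet is rejected with an exception instead of being parsed leniently, so a crafted option length cannot make the monitor read beyond the message.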

Configuring DHCP for DNS Integration


By default, all Windows 2000 computers that have TCP/IP installed auto-
matically register their IP address and host name information with the
DNS server on the network (if the DNS server supports dynamic updates).
Not all computers support this feature. For example, Windows NT,
Windows 95, and Windows 98 computers aren’t capable of dynamically
registering their IP address and host name information with a DNS server.
To overcome this limitation, you can configure your Windows 2000
DHCP server to dynamically register the IP address and host name informa-
tion of Windows-based client computers with a DNS server on the net-
work. This is often called “configuring a DHCP server for DNS
integration.”
TIP
By default, a Windows 2000 DHCP client registers only its host name to IP
address record (called forward lookup information, or an A record) with the
DNS server; it asks the DHCP server to register its IP address to host name
record (called reverse lookup information, or a PTR record) on its behalf. A
Windows 2000 computer with a statically configured IP address registers
both records itself. If you want reverse lookup information registered for
DHCP clients, you must therefore configure the DHCP server to perform
DNS registration.

In order for this feature to be implemented, the DNS server must sup-
port dynamic updates. If your DNS server is a Windows 2000 Server com-
puter running the Windows 2000 Domain Name System (DNS) service,
you shouldn’t have any problems here, because the Windows 2000 DNS
service fully supports dynamic updates.

STEP BY STEP

CONFIGURING A DHCP SERVER FOR DNS INTEGRATION

1. Select Start ➪ Programs ➪ Administrative Tools ➪ DHCP.


2. In the left pane of the DHCP dialog box, highlight the DHCP server you want to
configure for DNS integration. Select Action ➪ Properties.
3. In the DHCP server’s Properties dialog box, click the DNS tab.
4. The DNS tab appears, as shown in Figure 16-4. Notice the blank check box next
to “Enable updates for DNS clients that do not support dynamic update.”
To configure the DHCP server to provide IP address and host name information
of Windows-based (but non-Windows 2000) client computers to the DNS server,
select the check box next to “Enable updates for DNS clients that do not support
dynamic update.”
In addition, if you want the DHCP server to update the DNS server for Windows
2000 client computers, even if the clients don’t request this update, select the
“Always update DNS” option. Selecting this option ensures that the DNS server
has the most recent IP address and host name information for Windows 2000
client computers, and it also registers reverse lookup information for Windows
2000 client computers.
Click OK.
5. Close DHCP.
FIGURE 16-4 The DNS tab

DHCP Scopes, Superscopes, and Multicast Scopes


A DHCP scope is a range of IP addresses on a DHCP server that can be
assigned to DHCP clients that reside on a single subnet. You must create
at least one scope on a DHCP server before it can assign IP addresses to
DHCP clients. In addition to a regular DHCP scope, there are two special
kinds of DHCP scopes you should know about:
■ Superscope: This type of scope contains a range of IP addresses
that spans several subnets. In fact, a superscope actually contains
several scopes — one for each subnet spanned by the superscope’s
range. Because of this, a superscope can be used to assign IP
addresses to client computers on multiple subnets.
■ Multicast scope: This type of scope contains a range of Class D
multicast IP addresses, and is used to assign these addresses to client
computers that request them. I’ll get into more details about this
type of scope a little later in this chapter.
By default, no scopes exist on a Windows 2000 DHCP server. Until you
create at least one scope, the DHCP server can’t assign IP addresses to client
computers, because it doesn’t have any IP addresses to assign. I’ll show you
how to create these different types of scopes in the sections that follow.

Creating DHCP Scopes and Superscopes


The task of creating a DHCP scope or superscope is fairly straightforward.
The only difference between creating a scope and a superscope is the range
of IP addresses you assign to the scope — a scope is assigned a range of IP
addresses that can be assigned to DHCP clients that reside on a single sub-
net, and a superscope is assigned a range of IP addresses that can be
assigned to DHCP clients that reside on multiple subnets.
You can use the DHCP administrative tool (or Computer Manage-
ment) to create scopes.

STEP BY STEP

CREATING A SCOPE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ DHCP.


2. In the left pane of the DHCP dialog box, highlight the DHCP server on which you
want to create a scope. Select Action ➪ New Scope.
3. The New Scope wizard starts. Click Next.
4. In the Scope Name screen, type in a name and a description for the scope in the
text boxes provided. Click Next.
5. The IP Address Range screen appears. In the “Start IP address” and “End IP
address” text boxes, enter the IP addresses that will define the range of the
scope.
To configure the subnet mask for the scope, you can either type in the subnet
mask in the “Subnet mask” text box, or you can specify the length of the subnet
mask as a whole number between 1 and 31. If you enter a number in the Length
spin box, the subnet mask is automatically calculated for you. Click Next.
Figure 16-5 shows the IP Address Range screen after it has been configured
with a range of IP addresses that spans multiple subnets, and after its subnet
mask has been configured.
6. If you configured a range of IP addresses in Step 5 that spans more than one
subnet, the Create Superscope screen is displayed. If you want to create a super-
scope, select the Yes option and click Next. If you don’t want to create a super-
scope, click Back and reconfigure your IP address range to only include IP
addresses from a single subnet.

FIGURE 16-5 Configuring the IP address range of a scope

If you configured a range of IP addresses in Step 5 from only one subnet, the
Add Exclusions screen is displayed. In this screen, you can specify IP addresses
(or ranges of IP addresses) within the scope that will not be assigned to DHCP
client computers by the DHCP server.

TIP
You should exclude from the scope IP addresses of any computers, such
as routers and DHCP servers, that have been assigned static IP
addresses.

To exclude IP addresses, enter the start and end IP address of the range you
want to exclude and click Add. (If you only want to exclude a single IP address,
use this IP address as both the start and end IP address of the exclusion range.)
When you finish configuring exclusions, click Next.
7. In the Lease Duration screen, either accept the default DHCP lease duration of
eight days, or configure a custom lease duration. Click Next.
8. In the Configure DHCP Options screen, choose whether to configure DHCP
options for this scope (such as routers, DNS, and WINS settings) now. For
completeness, I’ll assume you choose the Yes option. Click Next.
9. In the Router (Default Gateway) screen, enter the IP address of the router that
will function as the default gateway for this scope and click Add. Click Next.
10. In the Domain Name and DNS Servers screen, in the “Parent domain” text box,
enter the name of the domain that DHCP client computers that obtain IP addresses
from this scope are members of.
Then, either specify the name of the DNS server on your network and click
Resolve, or enter the IP address of the DNS server. Click Add. If you have more
than one DNS server, you can repeat this process and click Add again. If you
have more than one DNS server, the first DNS server in the list becomes the
primary DNS server for the DHCP client computers. Click Next.
11. In the WINS Servers screen, either specify the name of the WINS server on your
network and click Resolve, or enter the IP address of the WINS server. Click
Add. If you have more than one WINS server, you can repeat this process and
click Add again. If you have more than one WINS server, the first WINS server
in the list becomes the primary WINS server for the DHCP client computers.
Click Next.
Or, if you don’t have a WINS server on your network, just click Next.
12. In the Activate Scope screen, select whether to activate this scope now. Your
options are Yes or No. A DHCP server can’t assign addresses from a scope until
the scope is activated. Make your selection and click Next.
13. In the Completing the New Scope Wizard screen, click Finish.
14. Windows 2000 creates the scope. It is displayed in the right pane of the DHCP
dialog box. Close DHCP.

Another way to create a superscope is to first create multiple scopes, and
then to use the New Superscope wizard to combine these existing scopes
into a superscope. You can start this wizard by selecting Action ➪ New
Superscope in DHCP. This method is sometimes preferred if the ranges of
IP addresses you want to include in the superscope are not contiguous.

Creating DHCP Multicast Scopes


Multicasting is the process of sending packets to all client computers on a
routed (or nonrouted) TCP/IP network that have joined a specific multi-
cast group. A multicast group is defined by a single multicast IP address.
The purpose of multicasting is to enable a computer to send data once, and
to have that data delivered to all computers on a network that are members
of the multicast group. Multicasting is primarily used to transmit multime-
dia data, such as a televised speech or a radio program, to multiple users on
a routed TCP/IP network.
IP addresses that are reserved specifically for multicasting are called Class
D IP addresses. Only IP addresses from 224.0.0.0 to 239.255.255.255 may
be used in a multicast scope. A DHCP server can then use this multicast
scope to assign these addresses to client computers that request them. For
example, a multimedia application on a server might request a multicast IP
address from the DHCP server in order to establish a multicast group. Then
the multimedia application can transmit multimedia data to members of
that group.
The multimedia application must use the Multicast Address Dynamic
Client Allocation Protocol (MADCAP) when it requests a multicast IP
address from the DHCP server. A DHCP server that is configured with a
multicast scope is also referred to as a MADCAP server.
You can use the DHCP administrative tool (or Computer Manage-
ment) to create multicast scopes.

STEP BY STEP

CREATING A MULTICAST SCOPE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ DHCP.


2. In the left pane of the DHCP dialog box, highlight the DHCP server on which you
want to create a multicast scope. Select Action ➪ New Multicast Scope.
3. The New Multicast Scope wizard starts. Click Next.
4. In the Multicast Scope Name screen, type in a name and a description for the
multicast scope in the text boxes provided. Click Next.
5. The IP Address Range screen appears. In the “Start IP address” and “End IP
address” text boxes, enter the IP addresses that will define the range of this multi-
cast scope. Only Class D IP addresses from 224.0.0.0 to 239.255.255.255 may
be used.
In the TTL (Time to Live) spin box, enter the maximum number of routers through
which multicast packets can pass. The default TTL is 32. The range is from 1 to
255. Click Next.
6. The Add Exclusions screen is displayed. In this screen, you can specify IP
addresses (or ranges of IP addresses) within the multicast scope that will
not be assigned to DHCP client computers by the DHCP server.
To exclude IP addresses, enter the start and end IP address of the range you
want to exclude and click Add. (If you only want to exclude a single IP address,
use this IP address as both the start and end IP address of the exclusion range.)
When you finish configuring exclusions, click Next.
7. In the Lease Duration screen, either accept the default DHCP multicast lease
duration of 30 days, or configure a custom lease duration. Click Next.
8. In the Activate Multicast Scope screen, select whether to activate this multicast
scope now. Your options are Yes or No. A DHCP server can’t assign addresses
from a multicast scope until the scope is activated. Make your selection and click
Next.
9. In the Completing the New Multicast Scope Wizard screen, click Finish.
10. Windows 2000 creates the multicast scope. It is displayed in the right pane of
the DHCP dialog box. Close DHCP.

Configuring DHCP Options


DHCP options are additional configuration settings, such as IP addresses
for routers, DNS servers, and WINS servers. You can set DHCP options by
using either Server Options or Scope Options within the DHCP adminis-
trative tool.
When you use Server Options, all configuration settings apply to all
scopes on the DHCP server. When you use Scope Options, all configura-
tion settings apply only to the specific scope you’re configuring. Settings
made by using Scope Options override conflicting settings made by
using Server Options.
The steps involved in configuring DHCP options are the same regard-
less of whether you use Server Options or Scope Options.

STEP BY STEP

CONFIGURING DHCP OPTIONS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ DHCP.


2. In the left pane of the DHCP dialog box, expand the DHCP server (and its scopes)
until the Scope Options and Server Options folders are displayed.
If you want to configure server options, right-click the Server Options folder
and select Configure Options from the menu that appears.
If you want to configure scope options, right-click the Scope Options folder,
and select Configure Options from the menu that appears.
3. The Server Options or Scope Options dialog box appears. In the Available
Options list, select the check box next to the option you want to configure. Once
you select the check box, the configurable options for this item are displayed in
the bottom portion of the dialog box, as shown in Figure 16-6.

FIGURE 16-6 Configuring scope options

Enter the appropriate information (such as server name or IP address) for the
option you selected.
Repeat this step until you have configured all of the server options or scope
options you need to configure. When you finish configuring options, click OK.
4. The DHCP dialog box appears, with your scope or server options displayed in
the right pane, as shown in Figure 16-7. Close DHCP.
FIGURE 16-7 Scope Options configured

Notice the scope options I’ve configured in Figure 16-7: a router, a DNS
server, a DNS domain name, a WINS server, and a WINS/NBT node type.
These are the most commonly used DHCP options on a Windows 2000
network, and the options on which you’re most likely to be tested on the
Windows 2000 exams.
I’ll get into WINS a little later in this chapter, but for now you should
know that if you want your DHCP server to provide client computers
with the information they need to use a WINS server, you need to config-
ure the following two options:
■ 044 WINS/NBNS Servers: This option is used to specify the IP
address of one or more WINS servers for client computers. This
option provides DHCP clients with the IP addressing information
they need to be able to use a WINS server. This option is com-
monly configured on a DHCP server so that the administrator
doesn’t have to manually configure each client computer to use
a WINS server.
■ 046 WINS/NBT Node Type: This option is used to specify the
method client computers use to resolve NetBIOS computer names to
IP addresses. The possible methods are: broadcast on the local network
only (B-node, value 0x1); query a WINS server only (P-node, 0x2);
broadcast first, then query a WINS server (M-node, 0x4); or query a
WINS server first, then broadcast (H-node, 0x8). The preferred
method for a Windows 2000 client computer is to first contact a
WINS server, and then, if that fails, to broadcast on the local net-
work. Client computers that use this method are referred to as
H-nodes, and the value entry for this method is 0x8.

Configuring DHCP Address Reservations


A DHCP address reservation is an IP address that can only be assigned to a
specific network adapter card; the IP address is said to be reserved for that
network adapter card. An IP address reservation is commonly used when a
DHCP client computer, such as a Web server or mail server, must have the
same IP address for a long period of time, so that other computers can
access that server by its known IP address.
A reservation is matched on the MAC address the client presents in its
DHCP request. Because a MAC address can be changed by whoever controls
the computer, a reservation is an administrative convenience for keeping an
address stable, not an access control that keeps other computers from
obtaining that address.
DHCP address reservations are configured for the specific scope that
contains the IP address being reserved.

STEP BY STEP

CONFIGURING A DHCP ADDRESS RESERVATION

1. Select Start ➪ Programs ➪ Administrative Tools ➪ DHCP.


2. In the left pane of the DHCP dialog box, expand the DHCP server that contains
the scope for which you want to configure a reservation. Then expand the scope.
Highlight Reservations and select Action ➪ New Reservation.
3. The New Reservation dialog box appears, as shown in Figure 16-8.
Type in a name for the reservation in the “Reservation name” text box. The host
name of the computer for which the reservation is being made is often used.
Then, in the “IP address” text box, configure the IP address that you want to be
reserved.
Next, enter the MAC address of the network adapter card in the computer for
which the reservation is being made in the text box provided. Enter the MAC
address as a 12-digit hexadecimal number, without any dashes. If you don’t
know the MAC address of the network adapter card, type ipconfig /all at the
command prompt on the computer that contains the network adapter card. The
physical address information displayed, less the dashes in the number, is the
MAC address of the network adapter card.
Enter a description for the reservation if you want to.
FIGURE 16-8 Configuring an IP address reservation

Finally, select one of the three options in the “Supported types” section:
 DHCP only: Select this option if you only want to permit the DHCP client
(for which an IP address is reserved) to request that address by using the
DHCP protocol.
 BOOTP only: Select this option if you only want to permit the DHCP client
(for which an IP address is reserved) to request that address by using the
BOOTP protocol. The BOOTP protocol is an older protocol that is consid-
ered the predecessor to DHCP.
 Both: Select this option if you want to permit the DHCP client (for which an
IP address is reserved) to request that address by using either the DHCP or
BOOTP protocol. This is the default selection.
Click Add.
4. Repeat Step 3 until all desired IP address reservations are configured. Click
Close.
5. Close DHCP.
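To tie together the lease, exclusion, and reservation behaviour described over the last several sections, the following Python model is an added example, not part of this book or of the Windows 2000 DHCP service. It implements one scope the way the text describes it: addresses are handed out from the start of the range, excluded addresses and reserved addresses are never offered to other clients, a client that still holds a lease is renewed on the same address, and a lease that is not renewed by its expiry goes back to the pool. The subnet, range, MAC addresses and lease duration in run_demo are constructed for the example (a 100-second lease instead of the wizard’s eight-day default, so that expiry can be shown).

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Set, Tuple

DEFAULT_LEASE_SECONDS = 8 * 24 * 3600   # the New Scope wizard's default of eight days


def normalize_mac(mac: str) -> str:
    """Accept 00-0C-29-3E-5D-4A, 00:0c:29:3e:5d:4a or 000c293e5d4a; return 12 lowercase hex digits."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class Scope:
    """A DHCP scope: a contiguous range on one subnet, minus exclusions, with
    reservations keyed by MAC address and time-limited leases."""

    def __init__(self, subnet: str, start: str, end: str,
                 lease_seconds: int = DEFAULT_LEASE_SECONDS) -> None:
        self.subnet = IPv4Network(subnet)
        self.start, self.end = IPv4Address(start), IPv4Address(end)
        if not (self.start in self.subnet and self.end in self.subnet and self.start <= self.end):
            raise ValueError("the range of a scope must lie inside a single subnet")
        self.lease_seconds = lease_seconds
        self.excluded: Set[IPv4Address] = set()
        self.reservations: Dict[str, IPv4Address] = {}          # mac -> address
        self.leases: Dict[IPv4Address, Tuple[str, int]] = {}    # address -> (mac, expiry time)

    def exclude(self, first: str, last: Optional[str] = None) -> None:
        """Exclude a range (or a single address, when last is omitted) from assignment."""
        addr, stop = IPv4Address(first), IPv4Address(last or first)
        while addr <= stop:
            self.excluded.add(addr)
            addr += 1

    def reserve(self, mac: str, ip: str) -> None:
        """Reserve one address in the range for one network adapter."""
        addr = IPv4Address(ip)
        if not self.start <= addr <= self.end:
            raise ValueError("a reservation must fall inside the range of the scope")
        self.reservations[normalize_mac(mac)] = addr

    def _reclaim_expired(self, now: int) -> None:
        """Addresses whose lease was not renewed by its expiry return to the pool."""
        for addr, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[addr]

    def _current_lease(self, mac: str) -> Optional[IPv4Address]:
        for addr, (holder, _) in self.leases.items():
            if holder == mac:
                return addr
        return None

    def _next_free(self) -> Optional[IPv4Address]:
        """Lowest address in the range that is not excluded, reserved for someone, or leased."""
        reserved = set(self.reservations.values())
        addr = self.start
        while addr <= self.end:
            if addr not in self.excluded and addr not in reserved and addr not in self.leases:
                return addr
            addr += 1
        return None

    def offer(self, mac: str, now: int) -> Optional[IPv4Address]:
        """Address offered to a request from this MAC at time now (seconds): its
        reservation if it has one, else a renewal of its current lease, else the
        next free address. None means the scope is exhausted."""
        mac = normalize_mac(mac)
        self._reclaim_expired(now)
        addr = self.reservations.get(mac)
        if addr is None:
            addr = self._current_lease(mac)
        if addr is None:
            addr = self._next_free()
        if addr is None:
            return None
        self.leases[addr] = (mac, now + self.lease_seconds)
        return addr


def run_demo() -> Dict[str, Optional[str]]:
    """Lease life cycle on a constructed five-address scope with a 100-second lease."""
    scope = Scope("192.168.59.0/24", "192.168.59.10", "192.168.59.14", lease_seconds=100)
    scope.exclude("192.168.59.10", "192.168.59.11")       # statically addressed servers
    scope.reserve("00-0C-29-3E-5D-4A", "192.168.59.14")   # a web server's adapter
    steps = {
        "first_client": scope.offer("aa:aa:aa:aa:aa:01", now=0),               # .12
        "second_client": scope.offer("aa:aa:aa:aa:aa:02", now=0),              # .13
        "reserved_client": scope.offer("00-0C-29-3E-5D-4A", now=0),            # .14, reserved
        "third_client_while_full": scope.offer("aa:aa:aa:aa:aa:03", now=0),    # None: exhausted
        "first_client_renewed": scope.offer("aa:aa:aa:aa:aa:01", now=50),      # still .12
        # at t=101 the leases taken at t=0 have expired; the renewed one runs to t=150
        "third_client_after_expiry": scope.offer("aa:aa:aa:aa:aa:03", now=101),  # .13
        "reserved_client_again": scope.offer("000c293e5d4a", now=101),           # .14
    }
    return {name: (str(addr) if addr is not None else None) for name, addr in steps.items()}
```

The model shows why the exclusion tip above matters: had 192.168.59.10 and .11 not been excluded, the first two clients would have been offered the addresses the statically configured servers already use. It also shows that a reservation is honoured even after its lease lapses, because a reserved address is never handed to another MAC.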

Monitoring a DHCP Server


An administrator should periodically monitor the DHCP server to ensure
that it has an adequate supply of unassigned IP addresses, and that the
DHCP server has adequate system resources (such as memory, processor,
and disk) to handle all of its client requests.
You can use the DHCP administrative tool to provide you with a great
deal of information about how your DHCP server is functioning. In
DHCP you can display statistics about each DHCP server, such as the
number of scopes and IP addresses it has, and how many of those IP
addresses are in use. To view these statistics, in the DHCP dialog box, right-
click the DHCP server for which you want to view statistics, and select
Display Statistics from the menu that appears. Figure 16-9 shows statistics
for a DHCP server.

FIGURE 16-9 Viewing DHCP server statistics

You can also view information about address leases. When a DHCP
client computer obtains an IP address from a DHCP server, the client com-
puter is said to lease that IP address for a preset period of time, called a lease
duration. In DHCP, you can view a list of all IP addresses assigned to DHCP
clients, the host name of the client computer to which each IP address is
assigned, and lease expiration information for each lease. Lease information
is provided on a scope-by-scope basis. To view IP address lease information,
in the DHCP dialog box, expand the scope for which you want to view
lease information, and highlight the Address Leases folder. Lease infor-
mation is displayed in the right pane, as shown in Figure 16-10.
You can also use System Monitor, a Performance tool, to monitor the
DHCP Server object and its many counters.The DHCP Server object and
its counters are available in System Monitor after DHCP is installed on a
Windows 2000 Server computer. You can also use System Monitor to
determine if your DHCP server has adequate memory, processor, and disk
resources.
FIGURE 16-10 Viewing address leases for a scope

CROSS-REFERENCE
I cover how to use System Monitor in Chapter 21.

Troubleshooting DHCP
Typically, DHCP servers don’t require much troubleshooting. Once your
DHCP server is up and running, it normally just works.
Two of the most common DHCP problems reported by users are the
inability to lease an address from the DHCP server, and the inability to
renew a leased address. If you face either of these two problems, try one or
more of the following tips to resolve the problem:
■ Use the Services tool in Computer Management to verify that the
DHCP Server service is started. If it’s not, start this service.
■ If the DHCP server was recently installed and configured, ensure
that the DHCP server has been authorized in Active Directory. A
Windows 2000 DHCP server that belongs to an Active Directory
domain will not lease addresses until it has been authorized; this is
the mechanism that keeps an unauthorized (rogue) Windows 2000
DHCP server from handing out addresses on your network.
■ Use the DHCP administrative tool to verify that a scope exists on
the DHCP server, that the scope contains an adequate number of
IP addresses, and that the IP addresses are appropriate for the
network segment.
■ Use the DHCP administrative tool to verify that the scope is active.
A scope can’t be used to assign IP addresses until it is activated.
■ Verify that the DHCP client computer has been configured to use
a DHCP server, and that its physical connection to the network
(including network adapter card, cable, hub, and so on) is functioning.
On the client, ipconfig /all shows whether DHCP is enabled on the
adapter and which DHCP server, if any, supplied the current lease;
ipconfig /renew forces a new lease attempt so you can watch it fail
or succeed.
■ If the DHCP client computer is located on a different subnet than
the DHCP server, verify that the router is configured to forward
DHCP requests to the DHCP server. DHCP discovery is a broadcast,
which routers do not forward by default, so the router (or a computer
on the client’s subnet running the DHCP Relay Agent) must be
configured to relay the requests to the DHCP server’s address.

NetBIOS Name Resolution
A NetBIOS name is the computer name, up to 15 characters in length,
assigned during the installation of all Windows-based operating systems.
NetBIOS names are used to connect to resources located on other com-
puters when a user browses the network, maps to a network drive, or uses
the Net use command from the command prompt.
When a user attempts to connect to a computer selected from a browse
list by the remote computer’s NetBIOS name, the user’s computer must
first obtain the IP address associated with the remote computer’s NetBIOS
name. This process is called NetBIOS name resolution. Once the user’s
computer has resolved the remote computer’s NetBIOS name to its IP
address, it can then establish TCP/IP network communications with the
remote computer.
NetBIOS name resolution is not the same as host name resolution. A
computer’s host name is often the same as its NetBIOS name, but this is
not always the case. In addition, a host name can be up to 63 characters in
length. NetBIOS name resolution is initiated by programs and applications
that use the NetBIOS protocol. Host name resolution is initiated by
programs and applications that use Windows Sockets (also called Winsock).
A pure Windows 2000 network doesn’t need to use NetBIOS name
resolution, because it can perform all name resolution functions by using
DNS servers. However, because very few of us have pure Windows 2000
networks, and because all previous versions of Windows require NetBIOS
name resolution, you’ll probably still have to configure NetBIOS name
resolution on your network.
NetBIOS name resolution can be performed in several ways. A computer
can simply broadcast a name query on its local subnet, but a broadcast
never crosses a router, and any computer on that subnet is free to answer
it, so broadcasts alone are neither scalable nor trustworthy beyond a single
segment. The two most common methods are manually configuring an
lmhosts file on each individual computer on the network, and installing a
WINS server and configuring the client computers on the network to use it.
Using Lmhosts Files to Resolve NetBIOS Names
An lmhosts file is a text file that contains a list that maps the IP addresses
of all servers on the network to their associated NetBIOS names.
Using an lmhosts file for NetBIOS name resolution is a manual method
that requires a great deal of administrator time. When an lmhosts file is
used to perform NetBIOS name resolution, every time a server is added to
or removed from the network, the lmhosts file on each individual computer
on the network must be manually updated. Because of the amount of time
required to keep lmhosts files up-to-date, their use has declined since
WINS servers have become available.
By default, all Windows 2000 computers have a sample file named
lmhosts.sam that contains instructions for constructing an lmhosts file
that would be appropriate for your network. The sample file does not
contain any mapping entries, and because of its .sam extension it is never
consulted; you create the real lmhosts file yourself. You can use Notepad
(or your favorite text editor) to create and edit an lmhosts file. When you
create an lmhosts file, be sure to save it without a file extension; programs
such as Notepad often automatically add a .txt extension to a filename when
it is saved (typing the name in quotation marks in the Save dialog box, as in
"lmhosts", prevents this).
On Windows 2000 (and Windows NT) computers, the lmhosts file is
stored in SystemRoot\system32\drivers\etc. On Windows 95 and
Windows 98 computers, the lmhosts file is stored in the C:\Windows
folder. Every program on the computer that resolves NetBIOS names trusts
the entries in this file, so keep the NTFS permissions on the file (and on the
etc folder) restricted so that only administrators can change it; a modified
entry silently redirects every connection to that name to another address.
Listing 16-1 shows a sample lmhosts file.
LISTING 16-1 Sample lmhosts file

192.168.0.1 wolf #DOM:domain2
192.168.0.2 server01 #DOM:domain1
192.168.0.3 lotsadisks
192.168.0.4 nat #DOM:domain1
192.168.0.5 minitower1
192.168.0.6 alan
192.168.0.7 presarioserver
Notice the #DOM: portion of the entries for wolf, server01, and nat. The
#DOM: portion is used to specify that the computer is a domain controller
for the domain whose name immediately follows #DOM:. In this example,
wolf is a domain controller for domain2, and server01 and nat are domain
controllers for domain1. The tag lets a computer find a domain controller
for logon validation and other domain functions when that domain
controller is on a different subnet, where a broadcast couldn’t reach it.
Note that elsewhere in an lmhosts file a # begins a comment; #DOM: (and
the other keywords that begin with #) are the exceptions, a convention
chosen so that older LAN Manager lmhosts parsers simply ignore them.
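As an added example (Python written for this chapter, not code from the book and not part of Windows), the following script parses an lmhosts file in the format described above and reports the mistakes that silently break name resolution: names longer than 15 characters, malformed IP addresses, and one name mapped to two addresses. It honours the #DOM: keyword covered in the text and the #PRE keyword (preload the entry into the name cache), which the text does not cover, and treats any other text after a # as a comment. The sample file embedded at the bottom is constructed for this example: its first seven entries mirror Listing 16-1, and the last three are deliberate mistakes.

```python
"""Parse and sanity-check an lmhosts file (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NETBIOS_NAME_MAX = 15   # the limit the chapter gives for a NetBIOS name


@dataclass
class LmhostsEntry:
    ip: str
    name: str                     # stored upper-case; NetBIOS names are not case-sensitive
    domain: Optional[str] = None  # set when the line carries #DOM:domain
    preload: bool = False         # set when the line carries #PRE


@dataclass
class LmhostsFile:
    entries: Dict[str, LmhostsEntry] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)

    def resolve(self, name: str) -> Optional[str]:
        """NetBIOS name -> IP address, or None when the file has no mapping."""
        entry = self.entries.get(name.upper())
        return entry.ip if entry else None

    def domain_controllers(self, domain: str) -> List[str]:
        """Names of the computers tagged #DOM: for the given domain."""
        return sorted(e.name for e in self.entries.values()
                      if e.domain is not None and e.domain.upper() == domain.upper())


def parse_lmhosts(text: str) -> LmhostsFile:
    result = LmhostsFile()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # blank line or whole-line comment
        fields = line.split()
        ip_text = fields[0]
        name = fields[1] if len(fields) > 1 else ""
        if not name or name.startswith("#"):
            result.problems.append(f"line {lineno}: address {ip_text} has no name")
            continue
        try:
            ip = str(ipaddress.IPv4Address(ip_text))
        except ipaddress.AddressValueError:
            result.problems.append(f"line {lineno}: {ip_text!r} is not a valid IPv4 address")
            continue
        if len(name) > NETBIOS_NAME_MAX:
            result.problems.append(
                f"line {lineno}: name {name!r} is longer than {NETBIOS_NAME_MAX} characters")
            continue
        entry = LmhostsEntry(ip=ip, name=name.upper())
        # Keywords after the name begin with '#': #DOM:domain and #PRE are
        # honoured; anything else starting with '#' ends the line as a comment.
        for token in fields[2:]:
            if token.upper().startswith("#DOM:"):
                entry.domain = token[len("#DOM:"):]
            elif token.upper() == "#PRE":
                entry.preload = True
            elif token.startswith("#"):
                break
        previous = result.entries.get(entry.name)
        if previous is not None and previous.ip != entry.ip:
            result.problems.append(
                f"line {lineno}: {entry.name} is already mapped to {previous.ip}, "
                f"now also to {entry.ip}; keeping the first")
            continue
        result.entries[entry.name] = entry
    return result


# Constructed sample: the first seven entries mirror Listing 16-1, the
# last three are deliberate mistakes the parser should catch.
SAMPLE_LMHOSTS = """\
# lmhosts file for the example network
192.168.0.1    wolf            #DOM:domain2
192.168.0.2    server01        #DOM:domain1 #PRE
192.168.0.3    lotsadisks      # general-purpose file server
192.168.0.4    nat             #DOM:domain1
192.168.0.5    minitower1
192.168.0.6    alan
192.168.0.7    presarioserver
192.168.0.300  badaddress
192.168.0.8    thisnameistoolongfornetbios
192.168.0.9    wolf            # conflicts with the first entry
"""


def check_sample() -> LmhostsFile:
    return parse_lmhosts(SAMPLE_LMHOSTS)


if __name__ == "__main__":
    parsed = check_sample()
    for problem in parsed.problems:
        print("PROBLEM:", problem)
    print("wolf resolves to", parsed.resolve("wolf"))
    print("domain1 controllers:", parsed.domain_controllers("domain1"))
```

Run it over a file before copying that file to every computer on the network. A file that parses with no problems is not guaranteed to be right, but one that reports a conflict or an over-long name is guaranteed to be wrong somewhere, and the conflicting-name check is the one that catches a stray entry redirecting a server name to the wrong address.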

Using a WINS Server to Resolve NetBIOS Names
Windows Internet Name Service (WINS) is a Windows 2000 Server ser-
vice that provides NetBIOS name resolution services to client computers.
A Windows 2000 Server computer that has WINS installed on it is called a
WINS server.
Installing a WINS server and configuring client computers to use it is
the preferred method of handling NetBIOS name resolution on Windows
2000 networks. When this method is used, the WINS server dynamically
updates its NetBIOS name to IP address tables whenever computers are
added to or removed from the network. Using a WINS server requires a lot
less administrator time than using lmhosts files.
WINS can only be installed on Windows 2000 Server computers. On
small networks, WINS is often installed on the domain controller. On
larger networks, WINS is often installed on multiple Windows 2000 Server
computers.
In the next sections I’ll discuss how to install and configure WINS, how
to configure WINS proxies, how to plan and configure WINS replication,
and how to monitor and troubleshoot WINS.

Installing WINS
Before you can install WINS on a Windows 2000 Server computer,
TCP/IP must be installed, and the computer’s local area connection must
be configured with a static IP address.

STEP BY STEP

INSTALLING A WINS SERVER

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove Windows
Components.
STEP BY STEP Continued

4. In the Windows Components Wizard dialog box, highlight Networking Services,
and click Details.
5. In the Networking Services dialog box, select the check box next to Windows
Internet Name Service (WINS), and click OK.
6. In the Windows Components Wizard dialog box, click Next.
7. When prompted, insert your Windows 2000 Server compact disc into your
computer’s CD-ROM drive and click OK. Close the Microsoft Windows 2000
CD dialog box. Windows 2000 configures components and installs WINS. In
the Completing the Windows Components Wizard screen, click Finish.
8. Close Add/Remove Programs. Then close Control Panel.

Before your newly installed WINS server will do you any good, you’ll
need to configure each client computer on the network to use the WINS
server for NetBIOS name resolution.You can either accomplish this task
by manually configuring each client computer to use the WINS server, or
by configuring a DHCP server to supply each client computer with the IP
addressing information it needs to use the WINS server. I’ll discuss how to
configure NetBIOS name resolution options on client computers a little
later in this chapter.

Configuring WINS Proxies
A WINS proxy is a computer on a subnet that forwards NetBIOS name
resolution broadcasts that come from client computers that don’t support
WINS to a WINS server on another subnet, and broadcasts the name
resolution response back to the client computer. Since all Microsoft Windows
clients support WINS, WINS proxies are rarely used. However, there are
still client operating systems that use NetBIOS and do not support WINS.
A WINS proxy should be configured on each subnet that contains client
computers that don’t support WINS.
Windows 2000 Professional and Server computers can be configured to
function as WINS proxies. You have to manually edit the Registry to
configure a Windows 2000 computer as a WINS proxy.
STEP BY STEP

CONFIGURING A WINDOWS 2000 COMPUTER TO FUNCTION
AS A WINS PROXY

1. Select Start ➪ Run.
2. In the Run dialog box, type Regedt32 in the Open drop-down list box. Click OK.
3. In the Registry Editor dialog box, select Window ➪ HKEY_LOCAL_MACHINE
on Local Machine.
4. Maximize the HKEY_LOCAL_MACHINE on Local Machine window.
5. Double-click the SYSTEM folder. Under the SYSTEM folder, double-click the
CurrentControlSet folder. Double-click the Services folder. Double-click
the NetBT folder. Click the Parameters folder. Select Edit ➪ Add Value.
6. The Add Value dialog box appears. Type EnableProxy in the Value Name text
box. Select REG_SZ from the Data Type drop-down list box. Click OK.
7. The String Editor dialog box appears. Type 1 in the String text box and click OK.
8. Close Registry Editor. The computer will function as a WINS proxy after it is
rebooted. Because the proxy answers name queries on behalf of other
computers by asking the WINS server, the computer you choose must itself
be configured with the WINS server’s address; a proxy that is not a WINS
client has nowhere to forward the queries.

Planning and Configuring WINS Replication
WINS replication is the process of keeping the NetBIOS name to IP
address databases on multiple WINS servers synchronized. If you have a
small network with a single WINS server, you’ll never have to worry about
WINS replication — except, of course, when you take the Network exam.
Where WINS replication, and the managing of this replication, becomes
important is in a large network that has multiple WINS servers in multiple
locations that are connected by slow WAN links. If you have a network like
this, you’ll want to have a WINS server on each side of the slow WAN link
so that client computers are able to obtain NetBIOS name resolution ser-
vices from the local network, instead of tying up precious bandwidth by
using the WAN link.You’ll also probably want to configure replication on
each of these WINS servers so that replication traffic over the WAN link
only occurs during nonbusiness hours, when network traffic on the WAN
link is at a minimum.
In order to configure WINS replication, you must have at least two
WINS servers. You can configure WINS replication by using the WINS
administrative tool, as the following steps explain.
STEP BY STEP

CONFIGURING WINS SERVER REPLICATION

1. Select Start ➪ Programs ➪ Administrative Tools ➪ WINS.
2. In the left pane of the WINS dialog box, click the + next to the WINS server for
which you want to configure replication. Then highlight Replication Partners.
Select Action ➪ New Replication Partner.
3. In the New Replication Partner dialog box, type the name or IP address of the
other WINS server with which you want this WINS server to replicate. You can
browse for this server if necessary. Click OK.
4. The WINS server that this server will replicate with (the replication partner)
appears in the right pane. At this point, replication is configured to take place
automatically whenever a change to the IP address to NetBIOS name database
takes place.
5. To configure replication to occur at a specified time, in the right pane, highlight
the replication partner, and select Action ➪ Properties.
6. The replication partner’s Properties dialog box appears. Click the Advanced tab.
7. The Advanced tab appears, as shown in Figure 16-11.

FIGURE 16-11 Configuring properties of the WINS


replication partner
4701-1 ch16.f.qc 4/24/00 09:41 Page 1068

1068 Part IV ▼ Networking and Interoperability

STEP BY STEP Continued

This is an important dialog box that contains all of the settings that need to be
configured for WINS replication:
In the “Replication partner type” drop-down list box, select one of the three
available options:
 Push/Pull: Selecting this option configures the replication partner to notify
this WINS server when its database changes (this is called a push), and to
request database changes from this WINS server (this is called a pull). This
is the default option and should be used between two WINS servers that are
connected by a local area network or other high-speed link.
 Push: Selecting this option configures the replication partner to notify this
WINS server when its database changes (but not to request database
changes from this WINS server). This setting is often used when the WINS
server you’re configuring (not the replication partner) is located on the other
side of a remote WAN link where no other servers (other than the WINS
server itself) exist. Because NetBIOS name resolution is primarily concerned
with resolving server IP addresses, and there are no other servers on the
remote network with the isolated WINS server, there’s no need to update
the replication partner with this WINS server’s database changes.
 Pull: Selecting this option configures the replication partner to request
database changes from this WINS server (but not to notify this WINS server
when its database changes). This setting is often used when the two WINS
servers are separated by a slow WAN link, and when the replication partner
needs to be updated with this WINS server’s database changes.
8. If you selected a replication partner type of Push/Pull or Pull, complete the
“Pull replication” section of this dialog box.
If you want this WINS server to maintain a constant connection with its
replication partner, accept the default selection of the check box next to “Use
persistent connection for replication.” This option should only be selected when
the two WINS servers are connected by a high-speed link or are on a local area
network. This option speeds up the replication process between the WINS
servers, because they don’t have to take time to establish a connection each
time replication occurs.
By default, pull replication occurs every 30 minutes. If you want to schedule
when replication occurs, in the “Start time” section, configure the time of day you
want WINS replication to start. Then configure the frequency of WINS replication
in the “Replication interval” section.
9. If you selected a replication partner type of Push/Pull or Push, complete the
“Push replication” section of this dialog box.
If you want this WINS server to maintain a constant connection with its replica-
tion partner, accept the default selection of the check box next to “Use persistent
connection for replication.” This option should only be selected when the two
WINS servers are connected by a high-speed link or are on a local area network.
STEP BY STEP Continued

Then, in the “Number of changes in version ID before replication” spin box, spec-
ify the number of database changes that must occur before the replication partner
will notify this WINS server of its database changes.
10. When you finish configuring the properties of the replication partner, click OK.

In order for bidirectional replication between the two WINS servers to
occur, you need to repeat this process on the replication partner. When you
repeat these steps on the replication partner, keep in mind that the
configurations you make must complement the settings you configured on
the first WINS server: a push at one end is paired with a pull at the other.

Monitoring a WINS Server
An administrator should periodically monitor the WINS server to ensure
that replication (if configured) is occurring at appropriate intervals, and
that the WINS server has adequate system resources (such as memory,
processor, and disk) to handle all of its client requests.
You can use the WINS administrative tool to obtain information about
how your WINS server is performing. In WINS you can display statistics
about each WINS server, such as the date and time of the last replication,
the total number of queries for NetBIOS name resolution the WINS server
has received from client computers, and so on. To view these statistics, in
the WINS dialog box, right-click the WINS server for which you want to
view statistics, and select Display Server Statistics from the menu that
appears. Figure 16-12 shows statistics for a WINS server.

FIGURE 16-12 Viewing WINS server statistics

You can also view the WINS server database that contains the NetBIOS
name to IP address mappings for servers and client computers that are con-
figured to use this WINS server.

STEP BY STEP

VIEWING THE WINS SERVER DATABASE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ WINS.
2. In the left pane of the WINS dialog box, click the + next to the WINS server
that contains the database you want to view. Then highlight the Active
Registrations folder. Then right-click this folder and select Find by Owner
from the menu that appears.
3. In the Find by Owner dialog box, select one of the two options:
 All owners: Select this option if you want to view WINS records for all com-
puters that are configured to use this WINS server or one of its replication
partners.
 This owner: Select this option if you want to view WINS records for only
those computers that are configured to use this WINS server. If you select
this option, you also need to select the WINS server for which you want to
view records from the list.
Configure the appropriate option, then click Find Now.
4. The database is displayed in the right pane of the WINS dialog box, as shown in
Figure 16-13.

FIGURE 16-13 Viewing the WINS server database

When you finish viewing the database, close WINS.

You can also use System Monitor, a Performance tool, to monitor the
WINS Server object and its many counters. The WINS Server object and
its counters are available in System Monitor after WINS is installed on a
Windows 2000 Server computer. You can also use System Monitor to
determine if your WINS server has adequate memory, processor, and disk
resources.

CROSS-REFERENCE
I cover how to use System Monitor in Chapter 21.

Troubleshooting WINS
Like DHCP servers, WINS servers don’t normally require much trou-
bleshooting. Once your WINS server is installed and correctly configured,
it normally just works.
That said, the most common WINS problem is the inability to resolve a
NetBIOS name to its associated IP address. This problem typically shows
up when a user tries to map a network drive to a server by using the
server’s name, and receives an error message stating “The network path
\\server_name\share_name could not be found.”
If you experience this problem, here are some tips that might help you:
■ Use the Services tool in Computer Management to verify that the
Windows Internet Name Service (WINS) is started. If it’s not, start
this service.
■ Verify that the client computer (or computers) experiencing the
problem is configured to use the WINS server. On the client,
ipconfig /all lists the primary and secondary WINS server addresses
and the node type the computer is actually using, whether they came
from the WINS tab or from a DHCP server.
■ Verify that the server (or other resource) that the client is attempting
to connect to is configured to use the WINS server. A server that
never registers with WINS has no record in the WINS database, so
no WINS client can resolve its name; use Find by Name in the
Active Registrations folder to confirm that the record is there.
■ Use ping.exe to verify that the client computer experiencing
the problem can communicate with the WINS server by using
TCP/IP.
■ On the client, use nbtstat -c to view the NetBIOS name cache (a
stale entry there is used before WINS is even asked), nbtstat -R to
purge the cache and reload the lmhosts entries marked #PRE, and
nbtstat -RR to release the client’s own names and re-register them
with the WINS server.
■ If you have multiple WINS servers on the network, verify that
WINS server replication is correctly configured on each WINS
server, and that replication is occurring.

Configuring NetBIOS Name Resolution Options on Client Computers
If you plan to use lmhosts files to provide NetBIOS name resolution ser-
vices for your client computers, you don’t have to configure NetBIOS name
resolution options on these client computers, because Windows 2000 com-
puters are automatically configured to use lmhosts files by default.You do,
however, have to manually edit the lmhosts file on each computer.
If you plan to use one or more WINS servers to provide NetBIOS name
resolution services for your client computers, you do need to configure the
client computers on your network to use the WINS server(s) before
NetBIOS name resolution will take place.

TIP
When I say “client computer,” I’m referring to clients of the WINS server,
which include all computers on the network, including the WINS server
itself. You need to configure all of the computers on your network for
NetBIOS name resolution.

You can configure client computers to use a WINS server in one of two
ways.You can either manually configure each client computer to use the
WINS server, or you can configure your DHCP server to supply each
client computer with the IP addressing information it needs to use the
WINS server. (In the section earlier in this chapter on “Configuring
DHCP Options,” I discussed the two important options that should be
configured if you want your DHCP server to supply client computers with
the information they need to use a WINS server.)
In the following steps, I’ll show you how to configure a Windows 2000
client computer to use a WINS server for NetBIOS name resolution.

STEP BY STEP

MANUALLY CONFIGURING NETBIOS NAME RESOLUTION OPTIONS

1. Select Start ➪ Settings ➪ Network and Dial-up Connections.
2. In the Network and Dial-up Connections folder, right-click the com-
puter’s Local Area Connection, and select Properties from the menu that appears.
3. In the Local Area Connection Properties dialog box, highlight the Internet
Protocol (TCP/IP) and click Properties.
STEP BY STEP Continued

TIP
If the computer has more than one Local Area Connection, you’ll need to
perform these steps on each of the connections.

4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
5. In the Advanced TCP/IP Settings dialog box, click the WINS tab.
6. The WINS tab appears, as shown in Figure 16-14.

FIGURE 16-14 Configuring NetBIOS name resolution options on the WINS tab

To configure the computer to use a WINS server, click Add. In the TCP/IP
WINS Server dialog box, enter the IP address of the WINS server, and click Add.
If you want this computer to use more than one WINS server, repeat this process
until IP addresses for all WINS servers have been added.
If you want this computer to use both a WINS server and an lmhosts
file, accept the default selection in the check box next to “Enable LMHOSTS
lookup.”
If you want this computer to only use the WINS server, and to not use
an lmhosts file, clear the check box next to “Enable LMHOSTS lookup.”
STEP BY STEP Continued

7. In the bottom of this dialog box, select one of the following three options:
 Enable NetBIOS over TCP/IP: If you have any non-Windows 2000
Windows-based computers on your network (such as Windows NT,
Windows 95 or 98) select this option. This option is selected by default.
 Disable NetBIOS over TCP/IP: If all of the computers on your network are
Windows 2000 computers, and you don’t use any programs or applications
that require NetBIOS, select this option. Disabling NetBIOS over TCP/IP also
stops the computer from listening for NetBIOS name, datagram, and session
traffic (UDP ports 137 and 138 and TCP port 139) on that connection, which
removes an unauthenticated service from the network segment; once the
change has taken effect, netstat -an should no longer list those ports for the
connection’s address. File and printer sharing between Windows 2000
computers continues to work directly over TCP port 445.
 Use NetBIOS setting from the DHCP server: If you want to use your
DHCP server to control whether NetBIOS is enabled on this computer
(instead of enabling or disabling NetBIOS on the local computer), select
this option.
Click OK.
8. In the Internet Protocol (TCP/IP) Properties dialog box, click OK.
9. In the Local Area Connection Properties dialog box, click OK.
10. Close the Network and Dial-up Connections folder.

Routing TCP/IP
IP routing is a function of the Internet Protocol (IP) that uses IP address
information to send data packets from a source computer on one network
segment across one or more routers to a destination computer on another
network segment. Hardware devices that perform routing are called routers.
Windows 2000 Server computers can function as routers, but Windows
2000 Professional computers can’t.

EXAM TIP
The Network exam has more objectives on routing than you can shake a
stick at. This is an extremely complex subject. Make sure you know the
features each of the Windows 2000 Server routing protocols has to
offer, and when and how each protocol should be used.

Windows 2000 Server computers that have multiple network adapter
cards can function as IP routers. These computers are sometimes called
multihomed computers, because they have more than one network adapter
card. In addition, even if a Windows 2000 Server computer only has one
network adapter card, it may still be able to function as an IP router if it has
a modem or other communications device (such as an ISDN adapter, an
X.25 adapter, and so on) installed.
Routing, like TCP/IP, is an immense topic. In the next several sections
I’ll explore several important routing topics, including: static routing; con-
figuring a router; managing ports, interfaces, and demand-dial routing; and
dynamic routing. Finally, I’ll discuss monitoring and troubleshooting
TCP/IP routing.

Static Routing
Static routing is basic, no-frills IP routing. No additional software is neces-
sary to implement static routing in Windows 2000 Server computers. In
order to function as a router, the Windows 2000 Server computer must
have at least one network adapter card installed. In addition, it must have
either an additional network adapter card or a communications device,
such as a modem, installed.

Enabling Routing
When you enable routing on a Windows 2000 Server computer (without
installing additional routing software or protocols), you are configuring
your Windows 2000 Server computer to function as a static router.
You can use the Routing and Remote Access administrative tool to enable
routing on a Windows 2000 Server computer, as the following steps explain.

STEP BY STEP

ENABLING ROUTING ON A WINDOWS 2000 SERVER COMPUTER

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, right-click the
server on which you want to enable routing, and select “Configure and Enable
Routing and Remote Access” from the menu that appears.
3. The Routing and Remote Access Server Setup wizard starts. Click Next.
4. In the Common Configurations screen, select the “Network router” option, as
shown in Figure 16-15. Click Next.

CROSS-REFERENCE
See Chapter 17 for information on how to configure a remote access
server and a VPN server.
STEP BY STEP Continued

FIGURE 16-15 Configuring a Windows 2000 Server computer to be a router

5. In the Routed Protocols screen, verify that all network protocols required on the
server are listed. Commonly listed protocols include IPX, TCP/IP, and AppleTalk.
If you need to add additional protocols, select the “No, I need to add protocols”
option. If you select this option, the wizard stops, and directs you to install the
necessary protocols in the Network and Dial-up Connections folder, and
then to run this wizard again.
If all the protocols you need are listed, accept the default option of “Yes, all of the
available protocols are on this list.” Click Next.
6. In the Demand-Dial Connections screen, choose whether to use demand-dial
connections on this server. A demand-dial connection is a type of dial-up (or
VPN) connection that is used by a router only when it needs to transmit data to a
remote network. Your two choices are Yes or No, and the default selection is No.
You can change this option later if you change your mind. Make your selection,
then click Next.
7. If you selected Yes in Step 6, the IP Address Assignment screen appears. Select
the method you want to use for assigning IP addresses to remote routers when
they connect to this computer using a demand-dial connection. Your choices are
“Automatically” (this is the default setting), or “From a specified range of addresses.”
Click Next.
8. In the Completing the Routing and Remote Access Server Setup Wizard screen,
click Finish.
STEP BY STEP Continued

9. Windows 2000 starts the Routing and Remote Access service. Your Windows
2000 Server computer is now configured as a static router. Close Routing and
Remote Access.

Updating a Routing Table by Adding Static Routes
A static router knows only about the network segments attached directly to
its own interfaces; it cannot learn routes to other networks on its own. A
routing table contains a list of network IDs (each a destination network
address with its subnet mask), each of which is associated with the IP
address of the router on the network that can forward data packets toward
the specified destination network, and a metric that expresses the cost of
that path. Entries an administrator types in by hand are called static routes.
In a static routing environment, administrators must manually configure the
routing table on each individual router. If the network layout changes, the
administrator must manually update the routing tables by adding or
removing static routes to reflect these changes.
There are two ways to manually configure the routing table on a
Windows 2000 Server computer that is configured as a static router. You
can perform this task by using Routing and Remote Access, or you can use
the route.exe command-line utility.

STEP BY STEP

USING ROUTING AND REMOTE ACCESS TO ADD A STATIC ROUTE
TO A ROUTING TABLE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, click the + next to
the server that contains the routing table you want to configure. Then click the +
next to IP Routing. Then right-click Static Routes, and select New Static Route
from the menu that appears.
3. The Static Routes dialog box appears, as shown in Figure 16-16.
In the Interface drop-down list box, select the connection to which this route
applies. Your choices will depend on the number and type of connections config-
ured on your Windows 2000 Server computer.
In the Destination text box, enter the IP address of the remote network segment
for which you are configuring the static route.
In the Network mask text box, enter the subnet mask that is used on the remote
network segment.
STEP BY STEP Continued

FIGURE 16-16 Adding a static route

In the Gateway text box, enter the IP address of the router that can forward
packets to this remote network segment.
In the Metric spin box, select the number of routers that packets must pass
through in order to reach the remote network segment by using this static route.
Click OK.
4. The static route is created, and is displayed in the right pane. Close Routing and
Remote Access.

For information on using the route.exe command-line utility to
manually update a routing table, type route /help at the command prompt,
and press Enter. The command route print displays the routing table the
server is using right now, which is the quickest way to confirm that a route
you added through Routing and Remote Access actually took effect. I
recommend that you use Routing and Remote Access to add static routes
because the command line syntax for the route.exe command is more
complex, and a route added with route.exe is lost when the computer
restarts unless you include the -p (persistent) switch.
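The rule a router applies to that table is easy to get wrong when writing routes by hand, so here it is as an added example (Python written for this chapter, not code from the book and not part of Windows). It models the four fields the New Static Route dialog box asks for (destination, network mask, gateway, and metric) and then looks up a packet’s destination the way a router does: the most specific matching route wins, and among equally specific routes the lowest metric wins; a default route of 0.0.0.0 with mask 0.0.0.0 matches everything and is therefore used only when nothing else does. The routes and the interface name in build_sample_table are constructed for the example. The same rule is what makes one wrong static route dangerous: a bogus entry with a longer mask silently takes traffic away from the correct, less specific one, which is the reason to review route print output periodically.

```python
"""Longest-prefix lookup over a table of static routes (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    """One entry, with the fields the New Static Route dialog asks for."""
    destination: str   # network address of the remote segment
    mask: str          # subnet mask used on that segment
    gateway: str       # next-hop router that can forward to that segment
    metric: int        # hop count, as in the Metric spin box
    interface: str = "Local Area Connection"   # illustrative name

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False tolerates a destination typed with host bits set
        return ipaddress.IPv4Network(f"{self.destination}/{self.mask}", strict=False)


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[StaticRoute] = []

    def add(self, route: StaticRoute) -> None:
        ipaddress.IPv4Address(route.gateway)   # reject an unparsable gateway early
        if route.metric < 1:
            raise ValueError("metric must be at least 1")
        self.routes.append(route)

    def lookup(self, address: str) -> Optional[StaticRoute]:
        """The route that would forward a packet to `address`, or None."""
        target = ipaddress.IPv4Address(address)
        candidates = [r for r in self.routes if target in r.network]
        if not candidates:
            return None
        # longest prefix (most specific mask) first, then lowest metric
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))

    def next_hop(self, address: str) -> Optional[str]:
        route = self.lookup(address)
        return route.gateway if route else None


def build_sample_table() -> RoutingTable:
    """Constructed routes for a router whose own LAN is 192.168.1.0/24."""
    table = RoutingTable()
    table.add(StaticRoute("10.0.0.0", "255.0.0.0", "192.168.1.1", 2))
    # more specific than the /8 above, so it wins for 10.1.x.x despite the /8
    table.add(StaticRoute("10.1.0.0", "255.255.0.0", "192.168.1.2", 1))
    # two routes to the same network: the lower metric is preferred
    table.add(StaticRoute("172.16.0.0", "255.255.0.0", "192.168.1.3", 3))
    table.add(StaticRoute("172.16.0.0", "255.255.0.0", "192.168.1.4", 1))
    # default route: anything not matched above goes to the border router
    table.add(StaticRoute("0.0.0.0", "0.0.0.0", "192.168.1.254", 1))
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for ip in ("10.1.2.3", "10.2.2.3", "172.16.5.5", "203.0.113.9"):
        print(f"{ip:>12} -> {table.next_hop(ip)}")
```

The second route in build_sample_table is what you would enter in the New Static Route dialog box as destination 10.1.0.0, network mask 255.255.0.0, gateway 192.168.1.2, metric 1, and it is the same entry that route -p add 10.1.0.0 mask 255.255.0.0 192.168.1.2 metric 1 creates from the command prompt.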

Configuring a Router
Once you’ve configured your Windows 2000 Server computer to function
as a router, you may need to configure the router’s properties to meet your
network’s needs. You can use Routing and Remote Access to configure
several router properties, including security, protocol, and event logging
options.

Chapter 16 ▼ Networking with TCP/IP 1079

STEP BY STEP

CONFIGURING A ROUTER’S PROPERTIES

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, right-click the server for which you want to configure routing properties, then select Properties from the menu that appears.
3. The server’s Properties dialog box appears, with the General tab on top, as shown in Figure 16-17. If you have additional protocols installed (such as NWLink IPX/SPX/NetBIOS Compatible Transport Protocol or the AppleTalk Protocol), each protocol will have its own additional tab in this dialog box.

FIGURE 16-17 Configuring the general properties of a router

On this tab, you can enable or disable routing. You can also configure whether this server will function as a remote access server (I cover remote access servers in great detail in Chapter 17).
Assuming you want this server to function as a router (and you have selected the check box next to Router), you should choose either to limit routing to the local area network only, or to enable both local area network and demand-dial routing to a remote network.
Make the appropriate configurations. To configure security options, click the Security tab.

TIP
If you want this router to support demand-dial routing, but you didn’t configure it to support demand-dial connections when you used the wizard to enable routing, you must select the “LAN and demand-dial routing” option on this tab.

4. On the Security tab, you can select an authentication provider that will be used for demand-dial and remote access connections. Your choices are Windows Authentication or RADIUS Authentication. The default selection is Windows Authentication, and is acceptable unless you’re using a RADIUS server to authenticate remote access clients for multiple servers.
If you need to modify the authentication methods this server will use when it authenticates remote clients or routers, click Authentication Methods and make the necessary configurations. This option is normally only used by administrators with advanced knowledge of authentication protocols.
You can also select the accounting provider this server will use. The accounting provider logs all sessions with the router. You can select either Windows Accounting (this is the default), RADIUS Accounting, or None.
Make the appropriate configurations. To configure IP options, click the IP tab.
5. The IP tab appears, as shown in Figure 16-18.

FIGURE 16-18 Configuring a router’s IP options



Notice that the “Enable IP routing” check box is selected. This is the default configuration. This check box must be selected in order for this computer to function as an IP router.
If you want this router to support IP on all of its connections, ensure that the “Allow IP-based remote access and demand-dial connections” check box is selected. If this check box is cleared (and the “Enable IP routing” check box is selected), IP will only be used on local area connections.

TIP
If you want this router to support IP on demand-dial connections, make sure to select this check box.

Next, you can configure how this computer will assign IP addresses to computers and routers connecting to it. By default, the server is configured to use a DHCP server for IP address assignment. However, you can configure it to use a static IP address pool if you want to.
Make the appropriate configurations. To configure PPP options, click the PPP tab.
6. On the PPP tab, you can configure several Point-to-Point Protocol (PPP) options. In general, you only need to concern yourself with this tab if your computer is configured as a remote access server, or if your router supports demand-dial connections. By default, all PPP options are selected. The options are:
■ Multilink connections
■ Dynamic bandwidth control using BAP or BACP
■ Link control protocol (LCP) extensions
■ Software compression
Make any necessary changes. To configure Event Logging, click the Event Logging tab.
7. On the Event Logging tab, you can configure how Windows 2000 will handle event logging for routing and remote access events. You can select one of the following four levels of logging:
■ Log errors only
■ Log errors and warnings (this is the default setting)
■ Log the maximum amount of information
■ Disable event logging
In addition to selecting a logging level, you can enable or disable PPP logging in this dialog box. (It is disabled by default.)
When you finish configuring event logging options, click OK.
8. Close Routing and Remote Access.

Managing Ports, Interfaces, and Demand-Dial Routing
Before I move on to the topic of dynamic routing, I need to explain a little about ports and routing interfaces. Routing ports may include all of the ports on your Windows 2000 Server computer, including VPN ports, modems, infrared ports, and parallel ports. A routing interface is a portal through which packets are routed. A routing interface can either be a hardware connection, such as a network adapter card or modem; or it can be a software connection, such as a VPN connection.
By default, when routing is enabled, all of the Windows 2000 Server computer’s modems, infrared ports, and parallel ports are automatically enabled as routing ports. In addition to these ports, when either routing or remote access is enabled on a Windows 2000 Server computer, Windows 2000 creates and enables five PPTP ports and five L2TP ports.
By default, when you configure a Windows 2000 Server computer to function as a router, Windows 2000 automatically configures and enables all of the local area connections on the computer as routing interfaces. In addition, Windows 2000 creates and enables a loopback routing interface and an internal routing interface. A loopback interface is a routing interface that uses the TCP/IP loopback address of 127.0.0.1. This interface is primarily used by TCP/IP and is normally not used for actual routing. An internal interface is a virtual routing interface that is required and used only by the IPX protocol.
There’s one more special kind of routing interface you need to know about. It’s called a demand-dial interface, and it’s used for demand-dial routing. In demand-dial routing, a routing connection is established from this server to a remote router only when data needs to be transmitted to or from the remote router. The routing connection is established by using a demand-dial interface. (The demand-dial interface is called a demand-dial connection in the Routing and Remote Access Server Setup wizard.) Demand-dial interfaces don’t exist by default — they must be created by using Routing and Remote Access. A demand-dial interface requires the use of a modem, a VPN port, or any other port on the Windows 2000 Server computer.

So, there are a lot of tasks you need to perform to enable demand-dial routing on your Windows 2000 Server computer:
1. First, you must configure your Windows 2000 Server computer to enable “LAN and demand-dial routing” and to “Allow IP-based remote access and demand-dial connections.” You may have chosen to use demand-dial connections when you used the wizard to enable routing on your computer, or you can manually configure these options in the server’s Properties dialog box in Routing and Remote Access. (I explained how to do this in the “Configuring a Router” section earlier in this chapter.)
2. Next, because a port is required by a demand-dial interface, you should ensure that the port you want this interface to use is configured to support demand-dial routing connections.
3. Finally, before demand-dial routing will occur, you need to create and configure a demand-dial interface.

TIP
Windows 2000 won’t permit you to configure a port or to create a demand-dial interface until you have enabled demand-dial routing on the server.

I’ll show you how to configure a port and how to create and configure a demand-dial interface in the steps that follow.

STEP BY STEP

CONFIGURING A PORT
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, click the + next to the server that contains the port you want to configure. Right-click Ports, and select Properties from the menu that appears.
3. In the Ports Properties dialog box, highlight the modem or port you want to configure, and click Configure.
4. The Configure Device dialog box for the port you selected appears, as shown in Figure 16-19.

FIGURE 16-19 Configuring a port

Select the check box next to “Remote access connections (inbound only)” if this computer functions as a remote access server and you want to permit this port to be used for inbound connections from remote clients.
Select the check box next to “Demand-dial routing connections (inbound and outbound)” if this computer functions as a router and you want to permit this port to be used for demand-dial connections.
If you’re configuring a modem port, enter the phone number of the modem.
Finally, if you’re configuring a PPTP or L2TP port, you can configure the maximum number of ports of this type that the Windows 2000 Server computer will support. The range can be between 0 and 30,000.
When you finish configuring the port, click OK.
5. In the Ports Properties dialog box, click OK.
6. Close Routing and Remote Access.

CREATING AND CONFIGURING A DEMAND-DIAL INTERFACE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, click the + next to the server on which you want to create a demand-dial interface. Right-click Routing Interfaces, and select New Demand-dial Interface from the menu that appears.
3. The Demand Dial Interface wizard starts. Click Next.
4. In the Interface Name screen, either accept the default name of Remote Router, or type in a new name for this interface. Click Next.

5. In the Connection Type screen, choose whether you want this interface to use a physical device (such as a modem, ISDN adapter, and so on) or a VPN port. Click Next.
6. If you selected a physical device in Step 5, the “Select a device” screen appears. Select the modem or other physical device you want this interface to use. Click Next.
If you selected a VPN port in Step 5, the VPN Type screen appears. Select the type of VPN port you want to use. Your choices are: Automatic selection (this is the default), Point to Point Tunneling Protocol (PPTP), and Layer 2 Tunneling Protocol (L2TP). Click Next.
7. If you selected a physical device in Step 5, the Phone Number screen appears. Enter the phone number of the dial-up server or router that this interface will connect to. Click Next.
If you selected a VPN port in Step 5, the Destination Address screen appears. Enter the FQDN or IP address of the remote router that this interface will connect to. Click Next.
8. The Protocols and Security screen appears, as shown in Figure 16-20.

FIGURE 16-20 Selecting protocol and security options for the interface

Depending on whether you selected a physical device or a VPN port, some of these options may be grayed out and unavailable. Select the check box next to each of the protocol and security options you want to enable for this interface.

TIP
If a remote router will use this interface to connect to this computer, select the check box next to “Add a user account so a remote router can dial in.” If you don’t select this check box, you’ll have to manually create a user account later for the remote router.

Click Next.
9. In the Dial Out Credentials screen, enter the user name, domain name, and password that this interface will use when it connects to a remote router. Click Next.
10. In the “Completing the demand-dial interface wizard” screen, click Finish.
11. If you need to change any of the settings you configured for this interface, you can do so by using Routing and Remote Access. In the left pane of the Routing and Remote Access dialog box, highlight Routing Interfaces. Then, in the right pane, right-click the demand-dial interface, and select Properties from the menu that appears. Make any necessary configuration changes, and click OK.
12. Close Routing and Remote Access.

Dynamic Routing
Dynamic routing is intelligent IP routing. A dynamic router is capable of automatically building and updating a routing table. In a dynamic routing environment, administrators don’t have to configure the routing table on each router manually. As changes are made to the network, dynamic routers automatically adjust their routing tables to reflect these changes.
So, how does dynamic routing work? Periodically, each dynamic router on the network broadcasts packets containing the contents of its routing table. Dynamic routers that receive these packets add the routing table information received to their own routing tables. In this way, dynamic routers can recognize other routers as they are added to and removed from the network.
The process of updating routing tables on routers is not instantaneous. It may take from several seconds to several minutes before all routers on the network have accurate, up-to-date routing tables. The time it takes for a change to the network to be reflected in the routing tables of all routers on the network is called the convergence interval, or convergence time.

Dynamic routing requires the use of additional software in Windows 2000 Server computers. Until this software is installed, a Windows 2000 Server computer can only function as a static router.
In Windows 2000, this additional software comes in the form of three dynamic IP routing protocols:
■ RIP Version 2 for Internet Protocol
■ Open Shortest Path First (OSPF)
■ IGMP Version 2, Router and Proxy
These routing protocols are included with Windows 2000 Server. By installing one of these protocols, a Windows 2000 Server computer can be transformed from a mere static router into a dynamic router. In addition, Windows 2000 includes two other routing protocols that, although not technically dynamic routing protocols, provide special functionality and may be used in conjunction with a dynamic routing protocol. These are the Network Address Translation Agent (NAT) and the DHCP Relay Agent.
I’ll discuss how to install, configure, and manage all of these routing protocols in the sections that follow.

Installing and Configuring RIP Version 2 for Internet Protocol
RIP Version 2 for Internet Protocol (RIP v2) is a dynamic IP routing protocol that is designed for small- to medium-sized networks. RIP v2 is a simple routing protocol that is relatively easy to install and maintain. However, this protocol uses a substantial amount of network bandwidth to maintain its routing tables. In addition, on large networks, it can take several minutes or more for the routing tables on all routers to converge when changes to the network occur.
RIP v2 can be installed on any Windows 2000 Server computer on which TCP/IP is installed and routing has been enabled.

STEP BY STEP

INSTALLING RIP VERSION 2 FOR INTERNET PROTOCOL

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the Routing and Remote Access dialog box, click the + next to the server on which you want to install RIP Version 2 for Internet Protocol. Then click the + next to IP Routing. Right-click General, and select New Routing Protocol from the menu that appears.

3. In the New Routing Protocol dialog box, select RIP Version 2 for Internet Protocol from the list. Click OK.
4. The protocol is installed.

After RIP v2 is installed, you need to configure its properties. In addition, you need to configure this protocol to use one or more of the routing interfaces in your Windows 2000 Server computer. Until you configure RIP v2 to use at least one routing interface, RIP v2 won’t be able to dynamically update your routing tables.

STEP BY STEP

CONFIGURING RIP VERSION 2 FOR INTERNET PROTOCOL

1. In the left pane of the Routing and Remote Access dialog box, right-click RIP, and select Properties from the menu that appears.
2. In the RIP Properties dialog box, you can configure the maximum number of seconds the router will wait before it sends triggered updates. (Triggered updates are high-priority updates that are generated when a router is added to or removed from the network. These updates are sent immediately instead of waiting until the next periodic update.) The default setting is 5 seconds.
You can also configure event logging in this dialog box. You can choose to: log errors only, log errors and warnings, log the maximum amount of information, or disable event logging. The default selection is “Log errors only.”
To configure security options for RIP v2, click the Security tab.
3. On the Security tab, select one of three options:
■ Accept announcements from all routers: Select this option if you don’t want or need to use security. This is the default selection.
■ Accept announcements from listed routers only: Select this option if you want to prevent your routing tables from accepting updates from unknown routers. If you select this option, you must create a list of routers, by IP address, that this router will accept updates from.
■ Ignore announcements from all listed routers: Select this option if you want to prevent your routing table from accepting updates from specific, known routers on your network. If you select this option, you must create a list of routers, by IP address, that this router will not accept updates from.
When you finish configuring security options, click OK.

4. To configure RIP v2 to use a routing interface in the computer, right-click RIP, and select New Interface from the menu that appears.
5. In the New Interface for RIP Version 2 for Internet Protocol dialog box, highlight the interface you want to configure this protocol to use. Click OK.
6. The RIP Properties dialog box for the interface you selected appears, as shown in Figure 16-21.

FIGURE 16-21 Configuring RIP v2 properties for an interface

In the “Operation mode” drop-down list box, select either the “Periodic update mode” or the “Auto-static update mode.” Periodic update is the default for LAN connections. If this mode is selected, RIP v2 sends out updates every 30 seconds. Auto-static update mode is the default for demand-dial connections. If this mode is selected, RIP v2 sends out updates only when the remote router requests them.
In the “Outgoing packet protocol” drop-down list box, select the protocol that will be used by this router to send updates to other routers. The four choices are: RIP version 1 broadcast, RIP version 2 broadcast, RIP version 2 multicast, and Silent RIP. The default protocol is RIP version 2 broadcast. If you select Silent RIP, this router will accept updates from other routers, but won’t send out any updates of its own.

In the “Incoming packet protocol” drop-down list box, select the protocol that will be accepted by this router for incoming RIP packets. The four choices are: Ignore incoming packets, RIP version 1 and 2, RIP version 1 only, and RIP version 2 only. The default protocol is RIP version 1 and 2.
If you want this router to send a password when it communicates with other routers, and require that other routers send a password when they communicate with this router, select the check box next to “Activate authentication” and enter the password.
When you finish configuring options on this tab, click the Security tab.
7. The Security tab appears, as shown in Figure 16-22.

FIGURE 16-22 Configuring RIP v2 security for an interface

On this tab you can configure security for incoming and outgoing routes. The default selection for both incoming routes and outgoing routes is “Accept all routes.” Selecting this option provides no security.
If security is needed, you can configure RIP v2 to either accept or ignore all routes in the ranges you specify. (If you select either of these two options, you must specify one or more ranges of IP addresses.)
When you finish configuring security options, click the Neighbors tab.

8. On this tab, you can specify how RIP v2 will communicate with neighbor routers. (A neighbor, in router-speak, is a router that is physically connected to any of the subnets that this router is physically connected to.) By default, RIP v2 uses broadcasts and multicasts when it sends out updates to its routing table. This means that the updates are not directed toward any specific router or computer. You can configure RIP v2 to send packets directly to neighbor routers (by specifying the router’s IP address) in addition to using broadcasts or multicasts; or, you can configure RIP v2 to send packets directly to neighbor routers instead of using broadcasts or multicasts.
When you finish making configurations on this tab, click the Advanced tab.
9. The Advanced tab appears, as shown in Figure 16-23. Notice the settings on this tab. This is the default configuration for RIP v2 on a local area connection.

FIGURE 16-23 Configuring advanced RIP v2 properties for an interface

The options on this tab are seldom configured by administrators. For more information on any of the options, right-click the option’s text, and select “What’s This?” from the menu that appears. Windows 2000 displays a description of the option.
Make any necessary configuration changes, and click OK.

10. The interface you just configured RIP v2 to use is displayed in the right pane of the Routing and Remote Access dialog box. If you need to configure RIP v2 to use additional routing interfaces, repeat Steps 4 through 9 for each additional interface. Close Routing and Remote Access.
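The following Python model is an added example, not code from this book or from Windows 2000: it applies the RIP v2 acceptance settings just described (the announcing-router lists on the RIP Properties Security tab, the incoming packet protocol and authentication password on the interface General tab, and the accept/ignore route ranges on the interface Security tab) and then merges the surviving routes into a routing table the way the "Dynamic Routing" section describes. All class, field and function names are this example's own, and the announcements are constructed sample data.

```python
"""RIP v2 announcement policy for a Windows 2000 RRAS router (constructed model).

Added example, not RRAS code. It applies the checks the Routing and Remote
Access dialogs expose: the announcing-router lists on the RIP Properties
Security tab, the incoming packet protocol and "Activate authentication"
password on an interface's General tab, and the accept/ignore route ranges
on the interface's Security tab. Surviving routes are merged into a routing
table as a distance-vector router does (metric + 1 hop, lowest metric wins).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Set, Tuple

RIP_INFINITY = 16  # a RIP metric of 16 means "unreachable"


@dataclass
class Announcement:
    """One received RIP packet (constructed sample data, not a real capture)."""
    source: str                    # IP address of the announcing router
    version: int                   # 1 or 2
    password: Optional[str]        # RIP v2 simple-password entry, if present
    routes: List[Tuple[str, int]]  # (destination network in CIDR form, metric)


@dataclass
class RipPolicy:
    """Settings as they appear in the RRAS dialogs (field names are this model's own)."""
    # RIP Properties > Security: "all", "listed_only" or "ignore_listed"
    router_mode: str = "all"
    router_list: Set[str] = field(default_factory=set)
    # Interface > General: "ignore", "v1_and_v2", "v1_only" or "v2_only"
    incoming: str = "v1_and_v2"
    password: Optional[str] = None  # None: "Activate authentication" is off
    # Interface > Security: "accept_all", "accept_ranges" or "ignore_ranges"
    route_mode: str = "accept_all"
    ranges: List[str] = field(default_factory=list)  # CIDR ranges


def source_allowed(policy: RipPolicy, source: str) -> bool:
    """Announcing-router filter from the RIP Properties Security tab."""
    if policy.router_mode == "listed_only":
        return source in policy.router_list
    if policy.router_mode == "ignore_listed":
        return source not in policy.router_list
    return True


def packet_allowed(policy: RipPolicy, ann: Announcement) -> bool:
    """Version filter and password check from the interface General tab."""
    versions = {"ignore": (), "v1_and_v2": (1, 2), "v1_only": (1,), "v2_only": (2,)}
    if ann.version not in versions[policy.incoming]:
        return False
    if policy.password is not None:
        # RIP v2 simple authentication: the password travels in cleartext, so
        # it screens out misconfigured or stray routers rather than an adversary.
        return ann.version == 2 and ann.password == policy.password
    return True


def route_allowed(policy: RipPolicy, destination: str) -> bool:
    """Route-range filter from the interface Security tab."""
    net = IPv4Network(destination)
    in_range = any(net.subnet_of(IPv4Network(r)) for r in policy.ranges)
    if policy.route_mode == "accept_ranges":
        return in_range
    if policy.route_mode == "ignore_ranges":
        return not in_range
    return True


def filter_announcement(policy: RipPolicy, ann: Announcement) -> List[Tuple[str, int]]:
    """Return the (destination, metric) pairs this router will consider."""
    if not source_allowed(policy, ann.source) or not packet_allowed(policy, ann):
        return []
    return [(d, m) for d, m in ann.routes if route_allowed(policy, d)]


def merge_routes(table: Dict[str, Tuple[int, str]],
                 accepted: List[Tuple[str, int]], source: str) -> Dict[str, Tuple[int, str]]:
    """Distance-vector merge; table maps destination -> (metric, next hop)."""
    for dest, metric in accepted:
        new_metric = min(metric + 1, RIP_INFINITY)  # one more hop via the announcer
        current = table.get(dest)
        # Take the route if it is new, cheaper, or comes from the next hop we
        # already use (so a neighbour's withdrawal replaces our stale entry).
        if current is None or new_metric < current[0] or current[1] == source:
            if new_metric < RIP_INFINITY:
                table[dest] = (new_metric, source)
            else:
                table.pop(dest, None)  # unreachable: drop it from the table
    return table
```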

Installing and Configuring Open Shortest Path First (OSPF)
Open Shortest Path First (OSPF) is a dynamic IP routing protocol that is designed for use in medium- to large-sized networks. OSPF is a link-state protocol that is relatively complex to configure and maintain. However, this protocol uses much less network bandwidth to maintain its routing table than RIP v2 uses, and its convergence time is much lower than RIP v2 on large networks — less than a minute. On the other hand, OSPF uses substantially more processor time than RIP v2 because it has to perform complex calculations to determine the shortest path to remote networks.
OSPF uses numerous difficult concepts and terms that you’ll need to come to grips with. Here are some terms that you’ll need to have under your belt before you can really understand OSPF and use it effectively on your network.
■ Routing area: You can think of a routing area as a site — it’s a group of IP subnets connected by high-speed links. In fact, if you’re using Active Directory sites, it makes sense to configure a routing area for each site. Each routing area is identified by a number, called an area ID, that looks just like an IP address, only it has nothing to do with IP addressing — it simply identifies the area.
■ Backbone area (Area 0): This is the area automatically created when OSPF is installed. This area is the core of OSPF routing. Normally, all other areas are connected to the backbone area. This area’s ID is always 0.0.0.0 (hence the name, Area 0).
■ Internal routing: This is routing that occurs within a single routing area.
■ Internal router: This is a router that performs internal routing. All of this router’s interfaces are connected to subnets in a single routing area.

■ Area border router: This is a router that, unlike an internal router, has interfaces that are connected to subnets in more than one routing area. Normally, at least one interface of an area border router is connected to the backbone area, but this is not a requirement. Area border routers are used to route packets between routing areas.
■ Autonomous system: All routing areas under the control of a single organization or company are referred to as an autonomous system. You can think of an autonomous system as all of your company’s networked routing areas.
■ Autonomous system boundary router: This is a router that connects your autonomous system with either the Internet or another organization’s autonomous system.
Now that your brain is overflowing with OSPF terminology, how about discussing something easier, like installing OSPF? OSPF can be installed on any Windows 2000 Server computer on which TCP/IP is installed and routing has been enabled.

STEP BY STEP

INSTALLING OPEN SHORTEST PATH FIRST (OSPF)

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the Routing and Remote Access dialog box, click the + next to the server on which you want to install OSPF. Then click the + next to IP Routing. Right-click General, and select New Routing Protocol from the menu that appears.
3. In the New Routing Protocol dialog box, select Open Shortest Path First (OSPF) from the list. Click OK.
4. The protocol is installed.

Configuring OSPF to Use a Routing Interface
After you install OSPF, you need to configure it to use one or more of the routing interfaces in your Windows 2000 Server computer. Until you configure OSPF to use at least one routing interface, OSPF will be unable to dynamically update your routing tables.

If you want to configure your OSPF router to perform internal routing only, ensure that all of the router’s interfaces are connected to subnets within a single routing area.

STEP BY STEP

CONFIGURING OSPF TO USE AN INTERFACE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the Routing and Remote Access dialog box, click the + next to the server on which OSPF is installed. Then click the + next to IP Routing. Right-click OSPF, and select New Interface from the menu that appears.
3. In the New Interface for Open Shortest Path First (OSPF) dialog box, highlight the interface you want to configure OSPF to use. Click OK.
4. The OSPF Properties dialog box for the interface you selected appears, as shown in Figure 16-24. Notice the default settings for a local area connection.

FIGURE 16-24 Configuring OSPF properties for an interface

Also notice that by default the check box next to “Enable OSPF for this address” is selected and that the IP address beneath it is grayed out. This is the default configuration for an interface that has only one IP address.
In the Area ID drop-down list box, select the routing area that this interface is physically connected to.

Either accept the default router priority and cost, or adjust them to meet your network’s requirements.
In the Password text box, enter the password that will be used in the routing area you selected. If you don’t configure a password, the default password is “12345678.”
Finally, select the type of network this interface is connected to:
■ Broadcast: Select this network type for all local area connections. If you are configuring a local area connection, this option is selected by default.
■ Point-to-point: Select this network type for all demand-dial interfaces. If you’re configuring a demand-dial interface, this option is selected by default.
■ Non-broadcast multiple access (NBMA): Select this network type for all connections to X.25 or Frame Relay networks. If you’re configuring an X.25 or Frame Relay interface, this option is selected by default.
When you finish configuring options on this tab, click the NBMA Neighbors tab.
5. On the NBMA Neighbors tab, specify a list of neighbor routers, by IP address, that this interface will use. The options on this tab are only available if you selected a network type of “Non-broadcast multiple access (NBMA)” on the General tab.
When you finish configuring this tab, click the Advanced tab.
6. The Advanced tab appears, as shown in Figure 16-25.

FIGURE 16-25 Configuring advanced OSPF properties for an interface

The options on this tab are seldom configured by administrators. For more information on any of the options, right-click the option’s text, and select “What’s This?” from the menu that appears. Windows 2000 displays a description of the option.
Make any necessary configuration changes, and click OK.
7. The interface you just configured OSPF to use is displayed in the right pane of the Routing and Remote Access dialog box. If you need to configure OSPF to use additional interfaces, repeat Steps 2 through 6 for each additional interface. Close Routing and Remote Access.

TIP
Remember, if you want this router to perform internal routing only, make sure that all interfaces you configure this router to use are connected to subnets within the same routing area.

Configuring Routing Areas
OSPF uses routing areas to break up its large, complex routing tables into manageable-sized chunks. Remember how I said that OSPF uses a lot of processor time to calculate the shortest path to each destination subnet? Well, if the routing table becomes too large, more demand may be placed on the router’s hardware than it is capable of providing. So, the solution is to configure additional routing areas, which enable routers to maintain a portion of the company’s routing table, instead of all of it.
Not all networks require multiple routing areas. If your network is small, you may only require a single routing area. In this case, Area 0 (the backbone area), which is automatically created when OSPF is installed, may be sufficient for your network’s needs.
Routing areas are specified as one or more network number and subnet mask combinations. Each of these network number and subnet mask combinations specifies a subnet within the routing area. Because a subnet contains a range of IP addresses, these combinations are referred to as ranges.

STEP BY STEP

CONFIGURING OSPF AREAS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the Routing and Remote Access dialog box, click the + next to the server on which OSPF is installed. Then click the + next to IP Routing. Right-click OSPF, and select Properties from the menu that appears.
4701-1 ch16.f.qc 4/24/00 09:41 Page 1097

Chapter 16 ▼ Networking with TCP/IP 1097

3. In the OSPF Properties dialog box, click the Areas tab.


4. The Areas tab appears, with the backbone area (0.0.0.0) displayed.
To edit an area’s configuration, highlight the area, click Edit, and make any
necessary configuration changes. Click OK.

TIP
If you want to configure additional routing areas, you must edit Area 0
(the backbone area) and specify the network number and subnet mask
combinations for the subnets you determine Area 0 should contain.

To add an additional area, click Add.


5. In the OSPF Area Configuration dialog box, enter the area ID for the new area.
Click the Ranges tab.
6. On the Ranges tab, enter the network number and subnet mask combination for a
subnet in the routing area. Click Add. Repeat this process until you’ve specified
all subnets within the routing area. Click OK.
7. To define and configure additional routing areas, repeat Steps 4 through 6 until
you’ve configured all desired routing areas. On the Areas tab, click OK.
8. Close Routing and Remote Access.

Configuring Border Routing Border routing is OSPF routing that spans more than one routing area. It requires the use of area border routers, which each have interfaces that are connected to subnets in more than one routing area.
Configuring border routing is much the same as configuring internal routing — the only difference is that in internal routing, all of the router’s interfaces are connected to subnets within a single routing area; and in border routing, the router’s interfaces are connected to subnets in more than one routing area. So, configuring border routing is simply a matter of configuring OSPF to use interfaces that are connected to subnets in different routing areas.
As I mentioned earlier, normally at least one interface of an area border router is connected to the backbone area, but this is not a requirement. In fact, sometimes, due to a company’s network design, this is not possible. For example, suppose that you have a series of routing areas, and that Area 0 is connected to Area 10.0.0.0 by a router, and Area 10.0.0.0 is connected to Area 192.196.0.0 by a router, but Area 192.196.0.0 is not connected to Area 0 by a router. In this situation, the area border router that connects Area 10.0.0.0 to Area 192.196.0.0 will not have a physical interface that is connected to Area 0. Instead, this border router will use an OSPF “virtual interface” to connect to Area 0 (the backbone area).

4701-1 ch16.f.qc 4/24/00 09:42 Page 1098

1098 Part IV ▼ Networking and Interoperability

A virtual interface is simply a mapping that tells the border router which routing area is connected to Area 0 (and the IP address of a border router in the routing area that has an interface connecting it to Area 0) so that it has a way to forward packets to Area 0.
You can configure a virtual interface by configuring OSPF’s properties on the border router that does not have an interface connecting it to Area 0.
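As an added example (not from the book), the following Python sketch applies the area and border-routing rules described above to a constructed set of area ranges and routers: it places each interface in an area by that area's ranges, classifies each router as internal or area border, and, for a border router with no Area 0 interface, picks the transit area and virtual neighbor that the virtual interface steps ask for. The area ranges, router names and addresses are constructed sample data, not a configuration from the book.

```python
import ipaddress

# Constructed sample configuration: each OSPF area ID maps to the ranges
# (network number / subnet mask) that would be entered on that area's Ranges tab.
AREAS = {
    "0.0.0.0": ["172.16.0.0/255.255.0.0"],        # backbone area
    "10.0.0.0": ["10.0.0.0/255.0.0.0"],
    "192.196.0.0": ["192.196.0.0/255.255.0.0"],
}
BACKBONE = "0.0.0.0"

# Constructed routers: name -> {interface name: interface IP address}
ROUTERS = {
    "R1": {"LAN-1": "172.16.1.1", "LAN-2": "10.1.1.1"},    # Area 0 <-> Area 10.0.0.0
    "R2": {"LAN-1": "10.1.1.2", "LAN-2": "192.196.1.1"},   # Area 10.0.0.0 <-> Area 192.196.0.0
    "R3": {"LAN-1": "10.2.0.1", "LAN-2": "10.3.0.1"},      # both interfaces inside Area 10.0.0.0
}


def area_of(address, areas=AREAS):
    """Return the ID of the area whose ranges contain address, or None if no range matches."""
    ip = ipaddress.ip_address(address)
    for area_id, ranges in areas.items():
        for rng in ranges:
            # strict=False tolerates a network number with host bits set
            if ip in ipaddress.ip_network(rng, strict=False):
                return area_id
    return None


def classify_router(interfaces, areas=AREAS):
    """Map each interface to its area and decide whether the router does internal or border routing."""
    membership = {name: area_of(ip, areas) for name, ip in interfaces.items()}
    unplaced = sorted(name for name, area in membership.items() if area is None)
    if unplaced:
        raise ValueError("interfaces outside every configured area range: %s" % ", ".join(unplaced))
    touched = sorted(set(membership.values()))
    return {
        "membership": membership,
        "areas": touched,
        "role": "internal" if len(touched) == 1 else "area border",
        "has_backbone_interface": BACKBONE in touched,
    }


def virtual_interface_for(router, routers=ROUTERS, areas=AREAS):
    """For an area border router with no interface in Area 0, pick the transit area and the
    virtual neighbor: another border router in that transit area that does have a backbone
    interface. Returns None when no virtual interface is needed (or none is possible)."""
    info = classify_router(routers[router], areas)
    if info["role"] != "area border" or info["has_backbone_interface"]:
        return None
    for transit in info["areas"]:
        for other, ifaces in routers.items():
            if other == router:
                continue
            other_info = classify_router(ifaces, areas)
            if transit in other_info["areas"] and other_info["has_backbone_interface"]:
                # The neighbor's address inside the transit area serves as the
                # virtual neighbor router ID (assumed; the book asks for that router's IP address).
                neighbor_ip = next(ip for name, ip in ifaces.items()
                                   if other_info["membership"][name] == transit)
                return {"transit_area": transit, "virtual_neighbor_router_id": neighbor_ip}
    return None


if __name__ == "__main__":
    for name, ifaces in ROUTERS.items():
        info = classify_router(ifaces)
        print(name, info["role"], "areas:", info["areas"],
              "virtual interface:", virtual_interface_for(name))
```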

STEP BY STEP

CONFIGURING AN OSPF VIRTUAL INTERFACE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.


2. In the Routing and Remote Access dialog box, click the + next to the server on
which you want to configure an OSPF virtual interface. Then click the + next to IP
Routing. Right-click OSPF, and select Properties from the menu that appears.
3. In the OSPF Properties dialog box, click the Virtual Interfaces tab.
4. On the Virtual Interfaces tab, click Add.
5. The OSPF Virtual Interface Configuration dialog box appears, as shown in
Figure 16-26.

FIGURE 16-26 Configuring an OSPF virtual interface


In the “Transit area ID” drop-down list box, select the area that is connected to
Area 0.
In the “Virtual neighbor router ID” text box, enter the IP address of the border
router in the transit area you specified that has an interface connected to Area 0.
The default selections for the remaining configurable options on this tab are
acceptable for most situations. However, you must enter the password used by
the virtual neighbor router in the “Plaintext password” text box.
Click OK.
6. In the OSPF Properties dialog box, click OK.
7. Close Routing and Remote Access.

Installing and Configuring Network Address Translation (NAT)


Network Address Translation (NAT) is an IP routing protocol that enables computers (on a private network) that use private IP addresses to communicate with computers on the Internet that use registered IP addresses.
The cool thing about NAT is that a company only needs to have one registered IP address for its connection to the Internet, instead of having to pay for a registered IP address for each computer on its network. In addition, NAT prevents computers on the Internet from directly contacting computers on the private network, thus providing a measure of protection for corporate resources. I’m not saying that NAT is a full-blown firewall, but it’s certainly better than no protection at all.
Speaking of security, I recommend that you install NAT on a member server or a stand-alone server that doesn’t contain sensitive corporate information, not on a domain controller. The reason for this is that if NAT is installed on a domain controller, this computer, because it has a public IP address and has an interface that is connected to the Internet, is potentially vulnerable to hackers.
If you’re thinking that NAT sounds like Internet Connection Sharing, you’re right on the money. The main differences between the two are that NAT is configured on a router, and NAT doesn’t cause TCP/IP conflicts with existing IP routers, DHCP servers, or DNS servers on the network. In addition, NAT is more configurable than Internet Connection Sharing and is designed for larger networks. While Internet Connection Sharing is useful for home or very small office networks that don’t use a Windows 2000 domain, NAT is useful for small to medium-sized corporate networks that use Windows 2000 domains and Active Directory.
All computers on a network that uses NAT can use private IP addresses from the published private IP address ranges. Private IP addresses can’t be used on the Internet, because Internet routers are configured not to forward packets addressed to these addresses. There are three ranges of private IP addresses:
10.0.0.1 – 10.255.255.254
172.16.0.1 – 172.31.255.254
192.168.0.1 – 192.168.255.254
For more information on private IP addresses, see RFC 1597, “Address Allocation for Private Internets.”
The interface on the Windows 2000 Server computer on which NAT is installed does need to have a registered IP address for the shared connection to the Internet.
NAT can be installed on any Windows 2000 Server computer on which TCP/IP is installed and routing has been enabled.

STEP BY STEP

INSTALLING NAT

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.


2. In the Routing and Remote Access dialog box, click the + next to the server on
which you want to install NAT. Then click the + next to IP Routing. Right-click
General, and select New Routing Protocol from the menu that appears.
3. In the New Routing Protocol dialog box, select Network Address Translation
(NAT) from the list. Click OK.
4. The protocol is installed.

Configuring NAT Properties NAT is a highly configurable IP routing protocol. You can configure event logging and TCP and UDP port translation. In addition, if another computer on your network runs a network application or service (such as a Web server or an FTP server) that needs to be accessed by users on the Internet, you can configure NAT to enable those users to access this application. Finally, you can choose whether to use NAT as a DHCP server, a DNS proxy server, or both. A DNS proxy server receives name resolution requests from client computers, performs the name resolution by using DNS servers on the Internet, and then passes the results of the resolution back to the client computer.

STEP BY STEP

CONFIGURING NAT PROPERTIES

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.


2. In the Routing and Remote Access dialog box, click the + next to the server on
which NAT is installed. Then click the + next to IP Routing. Right-click Network
Address Translation (NAT), and select Properties from the menu that appears.
3. In the Network Address Translation (NAT) Properties dialog box, there are four
tabs: General, Translation, Address Assignment, and Name Resolution.
On the General tab, configure how you want NAT to handle event logging. Select one of four logging levels: log errors only, log errors and warnings, log the maximum amount of information, or disable event logging.
When you finish event logging options, click the Translation tab.
4. On the Translation tab, you can set the number of minutes after which NAT will
remove TCP and UDP port mappings. The default settings are 1440 minutes
(24 hours) for TCP mappings, and 1 minute for UDP port mappings.
If you want to make a specific Internet application available to users on your net-
work, click Applications and add the application in the dialog box provided.
Click OK.
Click the Address Assignment tab.
5. The Address Assignment tab appears, as shown in Figure 16-27. Notice that
by default, the check box next to “Automatically assign IP addresses by using
DHCP” is not selected. NAT is not configured, by default, to function as a DHCP
server for your network.
If you want to use NAT as a DHCP server, select the check box next to
“Automatically assign IP addresses by using DHCP.” Then, either accept the
default IP address and mask, or specify a different IP address range. If you’ve
manually assigned some static IP addresses to computers or devices on your
network, you can exclude these addresses by clicking Exclude and specifying
the reserved addresses that NAT will not assign.

TIP
If you select this option, when NAT assigns IP addressing information to
client computers, it will specify this Windows 2000 Server computer as
the network’s default gateway and DNS server.
FIGURE 16-27 Configuring NAT to function as a DHCP server

If you don’t select this option, you’ll have to configure computers on your network to use this computer as their default gateway, and, if no DNS server is installed on the network, as their DNS server as well. Otherwise, computers on your network won’t be able to access computers on the Internet.
After you finish making the appropriate configuration changes on this tab, click
the Name Resolution tab.
6. On the Name Resolution tab, you can configure NAT to function as a DNS proxy
server for the network. A DNS proxy server receives name resolution requests
from client computers, performs the name resolution by using DNS servers on the
Internet, and then passes the results of the resolution back to the client computer.

CAUTION
If the Windows 2000 Server computer on which NAT is installed is
already functioning as a DNS server, this option should not be selected.

If this computer is not currently functioning as a DNS server, select the check box
next to “Clients using Domain Name System (DNS).” In addition, if you are using
another computer on your network as a DNS server, your existing DNS server
must be configured to use the NAT server as a DNS forwarder.
If you select the check box next to “Clients using Domain Name System (DNS),” and
NAT is configured to use a demand-dial connection to the Internet, select the check
box next to “Connect to the public network when a name needs to be resolved,” and
select the appropriate demand-dial interface from the drop-down list box.
Make the appropriate configurations on this tab, and click OK.
7. Close Routing and Remote Access.

Configuring NAT Interfaces NAT must be configured to use two or more of the routing interfaces in your Windows 2000 Server computer. One of these interfaces must be the connection to the Internet. At least one other interface must be connected to your company’s private network — this is normally a local area connection.
Until you configure NAT to use these routing interfaces, users on your company’s private network won’t be able to use NAT to communicate with computers on the Internet. In the next section, I’ll show you how to configure NAT to use the routing interface connected to your company’s private network. It’s a very easy task to perform.

STEP BY STEP

CONFIGURING NAT TO USE THE INTERFACE CONNECTED TO YOUR PRIVATE NETWORK

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.


2. In the Routing and Remote Access dialog box, click the + next to the server on
which NAT is installed. Then click the + next to IP Routing. Right-click Network
Address Translation (NAT), and select New Interface from the menu that appears.
3. In the New Interface for Network Address Translation (NAT) dialog box, highlight
the interface connected to your private network that you want NAT to use. (This is
usually a Local Area Connection.) Click OK.
4. In the Network Address Translation Properties dialog box, ensure that the “Private
interface connected to private network” option is selected. Click OK.

Unfortunately, configuring NAT to use a routing interface connected to the Internet is a more complex task.

STEP BY STEP

CONFIGURING NAT TO USE THE INTERFACE CONNECTED TO THE INTERNET

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.


2. In the Routing and Remote Access dialog box, click the + next to the server on
which NAT is installed. Then click the + next to IP Routing. Right-click Network
Address Translation (NAT), and select New Interface from the menu that appears.
3. In the New Interface for Network Address Translation (NAT) dialog box, highlight
the interface connected to the Internet that you want NAT to use. Click OK.
4. The Network Address Translation Properties dialog box for the interface you selected appears, as shown in Figure 16-28.

FIGURE 16-28 Configuring NAT to use an interface connected to the Internet

Ensure that the “Public interface connected to the Internet” option is selected. In addition, if you want users on your network to be able to access resources on the Internet, ensure that the check box next to “Translate TCP/UDP headers” is selected.
Click the Address Pool tab.
5. On the Address Pool tab, you can enter any public (registered) IP addresses
assigned to you by your ISP that you want to associate with specific computers
on your network.
For example, if you have a Web server on your company’s network (that runs on a computer other than the NAT server), you could associate one of the public IP addresses assigned to you with the private IP address of the Web server. Once this assignment is made, when the NAT server receives requests from users on the Internet that are addressed to the public IP address, the NAT server will forward these requests directly to the Web server’s private IP address.
To make this assignment, first add the public IP addresses on this tab, then click
Reservations, and associate the public IP address with the appropriate private
IP address of the computer on your network.
When you finish making configurations on this tab, click the Special Ports tab.
6. The Special Ports tab enables you to redirect specific types of network traffic
(such as http traffic) sent to a specific public IP address to the associated private
IP address of a computer on your private network.
Configurations on this tab are not the same as making a reservation on the Address Pool tab. If you make an address reservation, all traffic sent to the specified public IP address is forwarded to the associated private IP address of the computer on your private network. If you use the Special Ports tab, only traffic that is sent to the specified public IP address and that uses a specific TCP or UDP port will be forwarded to the associated private IP address of the computer on your internal network.
The Special Ports feature gives you more granular control of what type of traffic
is forwarded to the computers on your internal network, but requires substantial
knowledge of TCP and UDP port numbers, including the applications associated
with these port numbers. For more information on TCP and UDP port numbers,
see RFC 1700, “Assigned Numbers.”
Make any necessary configurations on this tab. Click OK.
7. Close Routing and Remote Access.
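As an added example (not from the book), this Python model of the NAT server's public interface shows how the Translation-tab timeouts, an Address Pool reservation and a Special Ports entry each decide where inbound and outbound packets go. The public addresses, private hosts, the port-allocation policy and the precedence of Special Ports over reservations are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# The three private ranges the text lists (RFC 1597), in prefix form
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default lifetimes from the Translation tab: 1440 minutes for TCP, 1 minute for UDP mappings
TIMEOUT_MINUTES = {"tcp": 1440, "udp": 1}


def is_private(address):
    """True if address lies in one of the published private ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_RANGES)


@dataclass
class Mapping:
    proto: str
    private_addr: str
    private_port: int
    public_port: int
    last_used: int  # minutes, on the same clock passed to outbound()/inbound()


class NatTable:
    """Models one NAT server: dynamic port mappings for outbound sessions, plus
    Address Pool reservations and Special Ports entries for inbound traffic."""

    def __init__(self, public_addr, reservations=None, special_ports=None):
        self.public_addr = public_addr
        # Address Pool reservation: public IP -> private IP, ALL traffic forwarded
        self.reservations = dict(reservations or {})
        # Special port: (public IP, proto, public port) -> (private IP, private port)
        self.special_ports = dict(special_ports or {})
        self.mappings = {}       # (proto, public port) -> Mapping
        self.next_port = 1025    # constructed allocation policy, not Windows 2000's

    def expire(self, now):
        """Drop mappings idle for at least the protocol's timeout (the Translation tab setting)."""
        for key in list(self.mappings):
            m = self.mappings[key]
            if now - m.last_used >= TIMEOUT_MINUTES[m.proto]:
                del self.mappings[key]

    def outbound(self, proto, src_addr, src_port, now):
        """Translate a private (addr, port) into the public (addr, port) the Internet sees."""
        if not is_private(src_addr):
            raise ValueError("NAT only translates private source addresses: %s" % src_addr)
        self.expire(now)
        for m in self.mappings.values():
            if (m.proto, m.private_addr, m.private_port) == (proto, src_addr, src_port):
                m.last_used = now          # existing session: refresh and reuse
                return self.public_addr, m.public_port
        port = self.next_port
        self.next_port += 1
        self.mappings[(proto, port)] = Mapping(proto, src_addr, src_port, port, now)
        return self.public_addr, port

    def inbound(self, proto, dst_addr, dst_port, now):
        """Decide where a packet arriving from the Internet goes; None means it is dropped.
        Special Ports are consulted before reservations (assumed precedence)."""
        self.expire(now)
        if (dst_addr, proto, dst_port) in self.special_ports:
            return self.special_ports[(dst_addr, proto, dst_port)]
        if dst_addr in self.reservations:
            return self.reservations[dst_addr], dst_port    # whole address forwarded
        if dst_addr == self.public_addr and (proto, dst_port) in self.mappings:
            m = self.mappings[(proto, dst_port)]             # reply to an outbound session
            m.last_used = now
            return m.private_addr, m.private_port
        return None
```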

Installing and Configuring the DHCP Relay Agent


The DHCP Relay Agent is a Windows 2000 routing protocol that forwards DHCP client configuration requests to a DHCP server on another network segment. The DHCP Relay Agent enables computers on one subnet to receive IP addresses from a DHCP server located on a different subnet.
The DHCP Relay Agent is typically installed on Windows 2000 Server computers that are functioning as static or dynamic IP routers; however, any Windows 2000 Server computer on a network segment can function as the DHCP Relay Agent. If you are not using Windows 2000 computers as routers, you may want to use the DHCP relay service that comes with your router (if there is one), instead of the Windows 2000 DHCP Relay Agent.

STEP BY STEP

INSTALLING AND CONFIGURING THE DHCP RELAY AGENT

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.


2. In the Routing and Remote Access dialog box, click the + next to the server on
which you want to install the DHCP Relay Agent. Then click the + next to IP
Routing. Right-click General, and select New Routing Protocol from the menu
that appears.
3. In the New Routing Protocol dialog box, select DHCP Relay Agent from the list.
Click OK.
4. The protocol is installed. In the left pane of the Routing and Remote Access dialog box, right-click DHCP Relay Agent, and select Properties from the menu that appears.
5. In the DHCP Relay Agent Properties dialog box, enter the IP address of the DHCP
server you want this router to forward DHCP client requests to, and click Add.
Repeat this step if you want to specify more than one DHCP server. Click OK.
6. You must also bind the DHCP Relay Agent to all interfaces and connections on
which you want it to be used. Until it is bound to an interface or connection, the
DHCP Relay Agent won’t function. To bind the DHCP Relay Agent to an interface
or connection, in the left pane, right-click the DHCP Relay Agent, and select New
Interface from the menu that appears.
7. In the New Interface for DHCP Relay Agent dialog box, select the interface you want to add. (The selections in this dialog box depend on the types of connections and routing interfaces you have configured on this computer.) Click OK.
8. The DHCP Relay Properties dialog box for the interface or connection you specified appears. Typically, the default selections in this dialog box are adequate and don’t require modification. Make any necessary changes, and click OK.
9. Close Routing and Remote Access.

Installing and Configuring IGMP


IGMP Version 2, Router and Proxy (which I’ll call IGMP for short) is a
dynamic IP routing protocol used to manage the propagation of multicast
traffic throughout a routed TCP/IP network. IGMP stands for Internet
Group Management Protocol.
When IGMP is installed and configured on a Windows 2000 Server computer, it maintains a table of multicast group members on the network (and the IP addresses of the subnets on which these members reside), and only forwards multicast traffic to the subnets on which multicast group members reside. In addition, like other dynamic routers, an IGMP router periodically forwards the contents of its IGMP tables to other IGMP routers on the network.
IGMP can be installed on any Windows 2000 Server computer on
which TCP/IP is installed and routing has been enabled. After IGMP is
installed, its properties can be configured, and IGMP must be configured
to use one or more routing interfaces.

STEP BY STEP

INSTALLING AND CONFIGURING IGMP

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.


2. In the Routing and Remote Access dialog box, click the + next to the server on
which you want to install IGMP. Then click the + next to IP Routing. Right-click
General, and select New Routing Protocol from the menu that appears.
3. In the New Routing Protocol dialog box, select “IGMP Version 2, Router and
Proxy” from the list. Click OK.
4. The protocol is installed. To configure IGMP, in the left pane of the Routing and
Remote Access dialog box, right-click IGMP, and select Properties from the menu
that appears.
5. In the IGMP Properties dialog box, there is only one configuration to be made.
Select the event logging level you want IGMP to use. You can choose from the
following options: “Log errors only,” “Log errors and warnings,” “Log the maximum
amount of information,” or “Disable event logging.” The default selection is “Log
errors only.” Click OK.
6. To configure IGMP to use an interface, in the left pane of the Routing and
Remote Access dialog box, right-click IGMP, and select New Interface from the
menu that appears.
7. In the New Interface for IGMP Version 2, Router and Proxy dialog box, select the
interface you want IGMP to use, and click OK.
8. The IGMP Properties dialog box appears for the interface you selected, as shown
in Figure 16-29. Notice that the check box next to “Enable IGMP” is selected.
This is the default setting.
FIGURE 16-29 Configuring IGMP to use a routing interface

Select one of two modes:
■ IGMP router: Select this mode if you want IGMP to use information received by this interface to update the router’s multicast group membership tables. Selecting this mode provides full IGMP functionality on this interface. This is the default selection.
■ IGMP proxy: Select this mode if you want IGMP to use this interface only for forwarding multicast traffic. If the interface you are configuring is connected to a network that uses multicast routing protocols other than IGMP, select this mode. Only one interface in a router can be configured to use this mode.
When proxy mode is selected, all multicast packets received on router interfaces that are configured as IGMP routers are forwarded by the proxy mode interface. All multicast packets received by the proxy interface are forwarded by all interfaces that are configured as IGMP routers.
Then, select the IGMP protocol version you want IGMP to use on this interface. The version you select from the drop-down list box should match the version of IGMP in use by other IGMP routers on the network segment this interface is connected to. Your choices are either Version 1 or Version 2. Version 2 is the default selection and is supported by most implementations of IGMP.
Click the Router tab.
9. The Router tab appears, as shown in Figure 16-30. Notice the default settings on
this tab.

FIGURE 16-30 Configuring router options on an IGMP interface

The default configurations on this tab are acceptable for most situations. If you
want more information about any of the options, right-click the text of an option
and select “What’s This?” from the menu that appears.
When you finish configuring router options, click OK.
10. Close Routing and Remote Access.

Monitoring TCP/IP Routing


As an administrator, you should periodically monitor TCP/IP routing on the Windows 2000 Server computer you’ve configured to function as a router. In addition to monitoring the status of your server, interfaces, and ports and viewing various TCP/IP routing statistics, you’ll want to ensure that routing tables are being constructed and maintained, and that the server has sufficient resources (such as memory, processor, and disk) to handle its routing tasks.
You can perform several monitoring tasks in Routing and Remote Access:
■ By highlighting Server Status, you can view the status of this server and determine whether the Routing and Remote Access service is started.
■ By highlighting Routing Interfaces, you can view a list of all routing interfaces configured for this server and the connection state (connected or disconnected) of each interface.
■ By highlighting Ports, you can view a list of all ports in this computer and the port status (active or inactive) of each port.
■ By right-clicking General (under IP Routing), you can view TCP/IP information (such as the number of IP routes, the number of IP datagrams forwarded, and so on). In addition, if IGMP is installed, you can view the multicast forwarding table and multicast statistics.
■ By right-clicking Static Routes, you can view the IP routing table. This table includes any static entries you’ve configured, as well as dynamic entries generated by the routing protocols installed on this computer. Figure 16-31 shows a portion of an IP routing table.

FIGURE 16-31 Viewing an IP routing table in Routing and Remote Access

■ By highlighting any specific routing protocol, you can view the interfaces that protocol is configured to use and various statistics for those interfaces.
■ By right-clicking a specific routing protocol, you can view various information pertaining to that protocol. Depending on the protocol, you may be able to view such items as: a list of neighbor routers (RIP and OSPF), a group table (IGMP), areas and the link-state database (OSPF), and DHCP allocator and DNS proxy information (NAT).
In addition to using Routing and Remote Access, you can use System Monitor, a Performance tool, to monitor the IP object and its many counters. In particular, the Datagrams Forwarded/sec counter is helpful for determining how many packets your router has forwarded. You can also use System Monitor to determine if your Windows 2000 Server computer that is functioning as a router has adequate memory, processor, and disk resources.

CROSS-REFERENCE
I’ll cover how to use System Monitor in Chapter 21.

Troubleshooting TCP/IP Routing


Most TCP/IP routing problems occur during the initial implementation of routing, and are the result of an incorrectly configured routing protocol, an incorrectly configured routing interface(s), or both, on your Windows 2000 Server computer.
The most common TCP/IP routing problem is the inability of a computer on one subnet to communicate with a computer located on another subnet. When this occurs, assuming that the hardware components of your network infrastructure (cables, hubs, and so on) are functioning properly, the most likely cause of the problem is an incorrect routing configuration or a failed router.
There are two primary tools you can use to help you diagnose and resolve TCP/IP routing problems: the tracert.exe command-line utility, and the Routing and Remote Access administrative tool.
Tracert is short for “trace route.” This command-line utility is useful for determining where routing communications have broken down. The tracert.exe command-line utility works by sending a test communication packet across the network to a remote computer. It then displays the path the packet takes on its journey from the source computer (the computer on which tracert.exe is run) to the destination computer, including all routers along the way. If tracert.exe is unable to contact the destination computer, you can easily view where the communications path between the two computers broke down, and specifically you can tell which router failed to correctly forward the message.
To use the tracert.exe command-line utility, start a command prompt on the source computer. At the command prompt, type tracert remote_computer_name (or remote_IP_address) and press Enter. Tracert.exe will trace the communications path between the two computers, and then display the trace information.
The Routing and Remote Access administrative tool is also helpful for troubleshooting TCP/IP routing problems. By using this tool you can view the status of the server that’s functioning as a router, determine whether the Routing and Remote Access service is started, and determine whether Routing and Remote Access is enabled on that server. If the service is not started, you can use the Services tool in Computer Management to start the Routing and Remote Access service. If Routing and Remote Access has been disabled for some reason, you can use the Routing and Remote Access tool to enable it.
You can also use Routing and Remote Access to verify that the routing protocols appropriate for your network are installed and configured correctly. In addition, you can verify that each routing protocol is configured to use the appropriate routing interface(s) on the computer.

Configuring TCP/IP Packet Filters


Windows 2000 has a TCP/IP security feature called TCP/IP packet filtering. You can use TCP/IP packet filtering (often called TCP/IP filtering for short) to control the type of TCP/IP packets that a Windows 2000 computer on your network will receive. For example, you can prevent your Windows 2000 Server computer (that is functioning as a Web server) from receiving ping messages, which hackers sometimes use in an attempt to crash a server.
You can also use TCP/IP packet filtering to control the type of TCP/IP packets that each routing interface on your Windows 2000 Server computer (when it’s functioning as a router) will receive, forward, or both.
TCP/IP filtering was called TCP/IP Security in Windows NT 4.0.
TCP/IP packet filtering is not enabled by default. TCP/IP packet filtering for a computer is configured in the Network and Dial-Up Connections folder. TCP/IP packet filtering for a router is configured, on an interface-by-interface basis, by using the Routing and Remote Access administrative tool.

STEP BY STEP

CONFIGURING TCP/IP PACKET FILTERING FOR A COMPUTER

1. Select Start ➪ Settings ➪ Network and Dial-up Connections.


2. In the Network and Dial-up Connections folder, right-click any Local Area Connection, and select Properties from the menu that appears. (The settings you make on this connection will be applied to all Local Area Connections on the computer.)
3. In the Local Area Connection Properties dialog box, highlight the Internet
Protocol (TCP/IP) and click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
5. In the Advanced TCP/IP Settings dialog box, click the Options tab.
6. On the Options tab, highlight “TCP/IP filtering” and click Properties.
7. The TCP/IP Filtering dialog box appears, as shown in Figure 16-32. Notice that,
by default, the check box next to “Enable TCP/IP Filtering” is cleared.

FIGURE 16-32 Configuring TCP/IP filtering for a Windows 2000 computer

To enable TCP/IP filtering on this computer, select the check box next to "Enable TCP/IP Filtering (All adapters)."
Then, to specify the types of traffic that will be permitted, select either the Permit All or Permit Only option for TCP Ports, UDP Ports, and IP Protocols. If you select the Permit Only option, you must list every port or protocol that will be accepted by this computer; anything not listed is dropped. If you select Permit Only and don't list anything, no traffic of that type will be accepted by the computer.
For example, if you select Permit Only for TCP Ports, you must specify the actual
port numbers of all TCP ports that will be accepted by this computer.

TIP
To configure packet filtering for IP protocols, you must specify each allowed IP protocol by its protocol number (for example, 1 for ICMP, 6 for TCP, 17 for UDP). If you don't know what number is assigned to a protocol, you can use Notepad to view the %SystemRoot%\system32\drivers\etc\protocol file, or you can consult RFC 1700, "Assigned Numbers" (since superseded by the IANA protocol numbers registry, which is maintained online).

When you finish configuring packet filtering, click OK.


8. In the Advanced TCP/IP Settings dialog box, click OK. In the Internet Protocol
(TCP/IP) Properties dialog box, click OK. In the Local Area Connection
Properties dialog box, click OK.
9. Close the Network and Dial-up Connections folder.
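The semantics of the dialog above, as a runnable model added here (this is not code from the book or from Windows): a parser for the protocol file the Tip refers to, the three Permit All / Permit Only lists, and a check of constructed inbound packets against a Web-server configuration. The ports and packets are constructed. The assumption that the IP Protocols list is consulted before the TCP and UDP port lists belongs to the model, and the behaviour of the real stack (in particular whether ping really is refused, and whether replies to the server's own UDP lookups survive a Permit Only list) should be confirmed from another host with ping and a port scanner after the settings are applied.

```python
"""Model of the Windows 2000 "TCP/IP Filtering" dialog: Permit All / Permit Only
lists for TCP ports, UDP ports and IP protocols, checked against constructed
inbound packets. Added example, not code from Windows or from the book."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in the format of %SystemRoot%\system32\drivers\etc\protocol:
#   <name>  <number>  [aliases ...]  # comment
PROTOCOL_FILE = """\
# Internet (IP) protocols
ip      0   IP      # Internet protocol, pseudo protocol number
icmp    1   ICMP    # Internet control message protocol
igmp    2   IGMP    # Internet group management protocol
tcp     6   TCP     # Transmission control protocol
udp     17  UDP     # User datagram protocol
esp     50  ESP     # IPSec Encapsulating Security Payload
ah      51  AH      # IPSec Authentication Header
"""


def parse_protocol_file(text: str) -> dict:
    """Map each protocol name and alias (lower-cased) to its IP protocol number."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        name, number, *aliases = line.split()
        for alias in (name, *aliases):
            table[alias.lower()] = int(number)
    return table


@dataclass
class PermitList:
    """One list box: only=None models "Permit All", a set models "Permit Only"."""
    only: Optional[frozenset] = None

    def allows(self, value) -> bool:
        return self.only is None or value in self.only


@dataclass
class TcpIpFiltering:
    enabled: bool = False                           # the check box is cleared by default
    tcp_ports: PermitList = field(default_factory=PermitList)
    udp_ports: PermitList = field(default_factory=PermitList)
    ip_protocols: PermitList = field(default_factory=PermitList)

    def accepts(self, protocol: int, dst_port: Optional[int] = None) -> bool:
        """Inbound packet decision. ASSUMPTION of this model: the IP Protocols list
        is consulted first, then the port list that belongs to TCP (6) or UDP (17)."""
        if not self.enabled:
            return True
        if not self.ip_protocols.allows(protocol):
            return False
        if protocol == 6:
            return self.tcp_ports.allows(dst_port)
        if protocol == 17:
            return self.udp_ports.allows(dst_port)
        return True


PROTO = parse_protocol_file(PROTOCOL_FILE)

# The Web server from the text: HTTP and HTTPS over TCP only, nothing over UDP,
# and no IP protocol other than TCP and UDP, so ICMP echo (ping) is refused.
WEB_SERVER = TcpIpFiltering(
    enabled=True,
    tcp_ports=PermitList(frozenset({80, 443})),
    udp_ports=PermitList(frozenset()),              # Permit Only with an empty list
    ip_protocols=PermitList(frozenset({PROTO["tcp"], PROTO["udp"]})),
)

# Constructed inbound packets: (description, protocol number, destination port).
PACKETS = [
    ("HTTP request to port 80",        PROTO["tcp"],  80),
    ("HTTPS request to port 443",      PROTO["tcp"],  443),
    ("Telnet attempt to port 23",      PROTO["tcp"],  23),
    ("DNS reply to an ephemeral port", PROTO["udp"],  1045),
    ("ICMP echo request (ping)",       PROTO["icmp"], None),
]


def evaluate(config: TcpIpFiltering, packets=PACKETS) -> dict:
    """Return {description: accepted} for every packet under the given configuration."""
    return {desc: config.accepts(proto, port) for desc, proto, port in packets}


if __name__ == "__main__":
    for desc, ok in evaluate(WEB_SERVER).items():
        print(f"{'ACCEPT' if ok else 'DROP  '} {desc}")
    # In this stateless model the DNS reply is dropped too: the list cannot name
    # the random port the server's own resolver used. Verify with nslookup on the
    # real host before relying on a Permit Only UDP list.
```

Under this configuration the two Web ports are accepted and Telnet, the UDP reply and the ping are all dropped; with the feature left at its default (disabled) everything is accepted. The dropped DNS reply is the practical cost of a Permit Only UDP list: it is the model's conclusion about a stateless list, and is exactly the thing to test on the host itself.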

STEP BY STEP

CONFIGURING TCP/IP PACKET FILTERING FOR A ROUTER

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.


2. In the left pane of the Routing and Remote Access dialog box, click the + next to
the server (that functions as a router) on which you want to configure TCP/IP
packet filtering. Then click the + next to IP Routing. Highlight General. Then, in
the right pane, right-click the interface for which you want to configure filtering,
and select Properties from the menu that appears.
3. If you want to limit the type of network traffic this interface will receive,
click Input Filters.
If you want to limit the type of network traffic this interface will send or
forward, click Output Filters.
4. The Input Filters (or Output Filters) dialog box appears. You’ll come back to this
dialog box in a minute, but for now you need to decide whether you want to add
filters that will exclude specified types of traffic, or add filters that will permit only
specified types of traffic. Click Add.
5. In the Add IP Filter dialog box, you can filter network traffic that comes from a
specific source network (subnet) or that is addressed to a specific destination
network (subnet). Or, you can filter network traffic by IP protocol type or by TCP
or UDP port number. When you finish configuring the filter, click OK.
6. Repeat Steps 4 and 5 until you’ve added all of the filters you need for this interface.
7. Then, if you’re creating an input filter, choose one of the following options that
specify how the filters you’ve created will be applied to this interface:
■ Receive all packets except those that meet the criteria below
■ Drop all packets except those that meet the criteria below
Or, if you're creating an output filter, choose one of the following options that
specify how the filters you've created will be applied to this interface:
■ Transmit all packets except those that meet the criteria below
■ Drop all packets except those that meet the criteria below
Select the appropriate option and click OK.
8. In the Properties dialog box for the interface, click OK.
9. Close Routing and Remote Access.
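The mode chosen in step 7 is where most router filter lists go wrong, so here is an added model (not book code or Windows code) of one interface's input filters with both modes, run over constructed packets arriving on an Internet-facing interface. The addresses 10.0.0.10, 10.0.0.25, 198.51.100.7 and 203.0.113.1 are constructed. It shows why a "Drop all packets except" list that names only the Web server's port also drops replies to inside users and the neighbouring router's RIP announcements, and what the stateless fix costs.

```python
"""Model of the input/output filters on one Routing and Remote Access interface:
the filter list from step 5 plus the mode chosen in step 7. Added example, not
Windows code; every address below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int                       # 1 = ICMP, 6 = TCP, 17 = UDP
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass(frozen=True)
class IPFilter:
    """One entry from the Add IP Filter dialog; a field left blank (None) matches anything."""
    src_net: Optional[str] = None       # "network/mask"
    dst_net: Optional[str] = None
    protocol: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (_in_net(p.src, self.src_net) and _in_net(p.dst, self.dst_net)
                and self.protocol in (None, p.protocol)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


class InterfaceFilters:
    """drop_all_except=False models "Receive/Transmit all packets except those that
    meet the criteria below"; True models "Drop all packets except those that meet
    the criteria below". The list keeps no state: each packet is judged on its own."""

    def __init__(self, filters, drop_all_except: bool):
        self.filters = list(filters)
        self.drop_all_except = drop_all_except

    def passes(self, p: Packet) -> bool:
        hit = any(f.matches(p) for f in self.filters)
        return hit if self.drop_all_except else not hit


WEB = "10.0.0.10"           # internal Web server (constructed)
NEIGHBOUR = "203.0.113.1"   # upstream router that sends RIP v2 announcements

# Constructed inbound packets on the Internet-facing interface.
INBOUND = {
    "HTTP request to web server":      Packet("198.51.100.7", WEB, 6, 40001, 80),
    "SMB probe at web server":         Packet("198.51.100.7", WEB, 6, 40002, 445),
    "Reply to inside user's browsing": Packet("198.51.100.7", "10.0.0.25", 6, 80, 1100),
    "RIP announcement from upstream":  Packet(NEIGHBOUR, "224.0.0.9", 17, 520, 520),
    "SMB probe faked from port 80":    Packet("198.51.100.7", WEB, 6, 80, 445),
}

# First attempt: "Drop all except" with only the Web server's port listed.
TOO_STRICT = InterfaceFilters([IPFilter(dst_net=WEB + "/32", protocol=6, dst_port=80)],
                              drop_all_except=True)

# Corrected list: also admit replies to inside browsers and the neighbour's RIP.
CORRECTED = InterfaceFilters([
    IPFilter(dst_net=WEB + "/32", protocol=6, dst_port=80),
    IPFilter(protocol=6, src_port=80),                               # replies to inside browsers
    IPFilter(src_net=NEIGHBOUR + "/32", protocol=17, dst_port=520),  # RIP v2 from upstream only
], drop_all_except=True)


def evaluate(rules: InterfaceFilters, packets=INBOUND) -> dict:
    """Return {description: passed} for the constructed packets."""
    return {name: rules.passes(p) for name, p in packets.items()}


if __name__ == "__main__":
    for label, rules in (("too strict", TOO_STRICT), ("corrected", CORRECTED)):
        print(f"--- {label}")
        for name, ok in evaluate(rules).items():
            print(f"{'PASS' if ok else 'DROP'}  {name}")
```

The corrected list restores browsing and routing updates, but the "source port 80" filter that does it admits any packet whose sender chose port 80, including the faked SMB probe in the sample set. That is the inherent price of a filter list with no connection state; the RIP filter at least pins the source to the one neighbour that should be sending it.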

Configuring and Troubleshooting IPSec


IPSec is short for Internet Protocol security. IPSec is a collection of security protocols and cryptographic services that authenticates and, with ESP, encrypts IP traffic between two computers, so that an unauthorized user who captures network traffic can neither read sensitive data nor modify it undetected. Windows 2000 is the first Windows operating system that provides built-in support for IPSec.
The most common use of IPSec is on corporate networks that transmit sensitive data over their internal networks. IPSec is also used for communications between two private networks via the Internet.
Some advantages of using IPSec are that IPSec is relatively easy to implement on a Windows 2000 network, it is transparent to users and applications, and it can provide a high level of security. Its main disadvantage is the increased processor utilization required to encrypt and decrypt TCP/IP traffic.

EXAM TIP
Expect to see several tough IPSec questions on the Network exam. Be
sure you know how to create and configure IPSec policies, rules, and fil-
ters, and that you know when to use transport mode and tunnel mode.
I recommend you practice configuring these elements before taking
the exam.
There are a couple of IPSec terms you should be familiar with: transport mode and tunnel mode. IPSec is implemented in one of these two modes.
IPSec's default mode is transport mode. In this mode, IPSec protects the data portion of each IP packet (the original IP header stays in the clear so the packet can still be routed) and then sends the packet to the destination computer. This mode is typically used between hosts on a company's internal network.
IPSec can be configured to use tunnel mode. Tunnel mode is typically used between two routers that are connected via a public network such as the Internet. Tunnel mode serves the same purpose as a VPN, and is often used for the same reasons. In tunnel mode, IPSec first protects the entire original IP packet, header included. Then, IPSec uses the protected packet as the data portion of a new IP packet addressed to the tunnel endpoint (usually the router at the far end), and sends it, usually over the Internet. The endpoint removes the outer header, verifies and decrypts the original packet, and forwards it to the destination computer. The original IP packet is said to be "tunneled" within the new IP packet.
In the following sections I’ll explain how to enable IPSec, how to create
and customize IPSec policies, and how to configure IPSec for tunnel
mode. Finally, I’ll cover monitoring and troubleshooting IPSec.

Enabling IPSec
IPSec is not enabled by default. IPSec is implemented in Windows 2000 as
a security policy. Because of this, the tool you use to enable IPSec depends
on which computer(s) on your network you want to enable IPSec for:
■ To enable IPSec on an individual Windows 2000 computer, you
can configure the advanced TCP/IP settings for any Local Area
Connection in the Network and Dial-up Connections
folder, or you can use the Local Security Policy tool in Adminis-
trative Tools. (Select Start ➪ Settings ➪ Control Panel, double-click
Administrative Tools, then double-click Local Security Policy.) Or,
you can use the local Group Policy editor (gpedit.msc).
■ To enable IPSec on all Windows 2000 computers in a domain, you
can use the Domain Security Policy tool in Administrative Tools.
(Select Start ➪ Programs ➪ Administrative Tools ➪ Domain Security
Policy.) This tool is available on Windows 2000 domain controllers,
or on other Windows 2000 computers that have the ADMINPAK
installed.
■ To enable IPSec on all domain controllers in a domain, you can
use the Domain Controller Security Policy tool in Administrative
Tools. (Select Start ➪ Programs ➪ Administrative Tools ➪ Domain
Controller Security Policy.) This tool is available on Windows 2000
domain controllers, or on other Windows 2000 computers that
have the ADMINPAK installed.
■ To enable IPSec on all Windows 2000 computers in a particular OU
in a domain, you can use Active Directory Users and Computers to
configure a Group Policy object (GPO) that enables IPSec on all of
the computers in the OU.
The easiest way to enable IPSec for a large number of computers on a
network is by using Group Policy. I’ll show you how to do this in the steps
that follow.

STEP BY STEP

ENABLING IPSEC BY USING GROUP POLICY

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs as necessary until the domain or OU associated with the GPO
for which you want to enable IPSec is displayed in the left pane. Highlight the
domain or OU, then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO you want to use to enable IPSec,
and click Edit. (You can also double-click the GPO.)
5. The Group Policy dialog box appears. Click the + next to the Windows
Settings folder in the Computer Configuration section. Then click the + next
to Security Settings. Highlight IP Security Policies on Active Directory. The three
default IPSec policies are displayed in the right pane.
6. To enable IPSec, you must select one of these policies and assign it to the com-
puters to which this GPO applies. The three default policies are:
■ Client (Respond Only): If you select this policy, the computers in the
domain or OU (to which this GPO applies) won't use IPSec for regular com-
munications — they will only use IPSec to communicate with a computer that
requests the use of IPSec.
■ Secure Server (Require Security): If you assign this policy, the computers in the domain or OU (to which this GPO applies) require IPSec for all IP traffic except ICMP, which the policy's second rule permits in the clear. Other computers on the network that don't have IPSec enabled won't be able to communicate with the computers to which this GPO applies.
■ Server (Request Security): If you assign this policy, the computers in the domain or OU (to which this GPO applies) request IPSec from every peer they communicate with, and fall back to unprotected communication with peers that don't answer the request. Other computers on the network that don't have IPSec enabled can therefore still communicate with the computers to which this GPO applies.

TIP
A Windows 2000 computer can have only one IPSec policy assigned at a time; assigning another policy replaces it, and a policy assigned through Group Policy overrides one assigned locally.

In the right pane, right-click the policy you want to assign, and select Assign from
the menu that appears.
7. Close the Group Policy dialog box.
8. In the domain or OU’s Properties dialog box, click OK.
9. Close Active Directory Users and Computers.

IPSec is now enabled on the computers to which the GPO applies.

Creating and Customizing IPSec Policies


When you enabled IPSec, you were introduced to the three default IPSec
policies. In most cases, these default policies will be adequate to implement
IPSec on your network. However, it’s conceivable that your network may
have special needs that require you to create or customize an IPSec policy.
But before I get into the nuts and bolts of creating and customizing poli-
cies, I want to explain a little about IPSec policies.
As I mentioned earlier, a Windows 2000 computer can have only one assigned
IPSec policy. An IPSec policy consists of one or more IPSec rules. IPSec
rules specify how IPSec will be applied on the computer. When an IPSec
policy has more than one rule, Windows 2000 applies the most specific
rule (that is, the rule containing the most restrictive IP filter) first, and
applies the most general rule last. An administrator can't specify the order
in which rules are applied — Windows 2000 determines this order. Each
rule contains several IPSec configuration settings:
■ IP Filter: When you configure a rule, you choose an IP filter that
spells out what specific type of IP traffic this IPSec rule applies to.
■ IP Filter Action: You also choose a filter action, which deter-
mines whether IPSec will either require encryption of the IP
traffic specified by the filter, request encryption of this traffic, or
permit unencrypted traffic.
■ Authentication Method: This setting selects how this computer proves its identity to the peer when the two negotiate IPSec. There are three methods: the Windows 2000 default (the Kerberos V5 protocol, which works only between members of trusted Windows 2000 domains), a certificate issued by a specified certificate authority, and a preshared key (a secret string entered into both computers' policies). The preshared key is intended for testing and for interoperability with non-Windows peers; it is stored in plain text in the policy.
■ Tunnel Setting: This option specifies whether IPSec will be used
in transport mode or tunnel mode. By default, IPSec is used in
transport mode. If tunnel mode is used, you must specify the IP
address of the destination computer with which the tunnel will
be established.
■ Connection Type: This setting specifies whether this rule applies
to all network connections, only to local area connections, or only
to remote access connections.
Now that you have a better understanding of the contents of an IPSec
policy, I’ll show you how to create and customize one.

STEP BY STEP

CREATING AN IPSEC POLICY

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs as necessary until the domain or OU associated with the GPO
for which you want to create an IPSec policy is displayed in the left pane.
Highlight the domain or OU, then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO for which you want to create an
IPSec policy, and click Edit.
5. The Group Policy dialog box appears. Click the + next to the Windows
Settings folder in the Computer Configuration section. Then click the + next
to Security Settings. Right-click IP Security Policies on Active Directory, and
select Create IP Security Policy from the menu that appears.
6. The IP Security Policy Wizard starts. Follow the instructions presented on-screen
to create the IPSec policy.

Once you've created the new IPSec policy, Windows 2000 prompts you to edit and customize this policy. The following steps explain how to customize any IPSec policy.

STEP BY STEP

CUSTOMIZING AN IPSEC POLICY

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs as necessary until the domain or OU associated with the GPO
for which you want to customize an IPSec policy is displayed in the left pane.
Highlight the domain or OU, then select Action ➪ Properties.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO for which you want to customize an
IPSec policy, and click Edit.
5. The Group Policy dialog box appears. Click the + next to the Windows
Settings folder in the Computer Configuration section. Then click the + next
to Security Settings. Highlight IP Security Policies on Active Directory. In the
right-pane, right-click the policy you want to customize and select Properties from
the menu that appears.
6. The IPSec policy’s Properties dialog box appears, as shown in Figure 16-33. This
happens to be a Properties dialog box for a newly created IPSec policy. Notice
that, by default, a newly created policy only has the Default Response rule associ-
ated with it.
On the Rules tab you can add, remove, and edit rules for this IPSec policy. To
add a rule, click Add.
7. The Create IP Security Rule wizard starts. Click Next.
FIGURE 16-33 Configuring an IPSec policy

8. In the Tunnel Endpoint screen, select from one of two options:
■ This rule does not specify a tunnel: This is the default setting. If chosen, IPSec functions in transport mode.
■ The tunnel endpoint is specified by this IP address: Select this option if you want to configure IPSec for tunnel mode. If you select this option, specify the IP address of the tunnel endpoint, the computer that will strip the outer header and decrypt the tunneled packets. (This is usually the IP address of a router that connects a company's private network to the Internet, not the final destination host.) Windows 2000 tunnel rules are one-way: a tunnel that carries traffic in both directions needs one rule whose endpoint is the far router for outbound traffic and a second rule whose endpoint is the local router's own address for inbound traffic, each with a non-mirrored filter.
Click Next.
9. In the Network Type screen, select the type of network connections to which this
rule will apply. Your options are:
■ All network connections
■ Local area network (LAN)
■ Remote access
Click Next.
10. The Authentication Method screen appears, as shown in Figure 16-34.
FIGURE 16-34 Selecting an authentication method for an IPSec rule

Select the appropriate method, make any additional configurations needed, and
click Next.
11. The IP Filter List screen appears, as shown in Figure 16-35.

FIGURE 16-35 Selecting an IP filter for an IPSec rule



Either select the IP filter you want this rule to use, or click Add to create a new fil-
ter. You can create a filter that specifies an IP protocol, a TCP or UDP source or
destination port, a source IP address (or IP address range), or a destination IP
address (or IP address range). You can create a complex filter that combines one
or more of these options. In addition, when you create a new IP filter, the filter will
be available for all IPSec rules, not just this one. When you finish selecting or cre-
ating an IP filter, click Next.
12. The Filter Action screen appears, as shown in Figure 16-36. Notice the three
default filter actions you can select from: Permit, Request Security (Optional),
and Require Security.

FIGURE 16-36 Selecting an IP filter action for an IPSec rule

Either select the filter action you want this rule to use, or click Add to create a
new filter action. When you finish selecting or creating a filter action, click Next.
13. The Completing the New Rule Wizard screen appears. If you need to edit the rule
you’ve just created, accept the default selection in the check box next to “Edit
properties.” If you don’t want to edit this rule, clear this check box. Click Finish.
14. If you accepted the default selection in the previous step, the rule’s Properties
dialog box appears, as shown in Figure 16-37.
Notice the five tabs in this dialog box: IP Filter List, Filter Action, Authentication
Methods, Tunnel Setting, and Connection Type. Edit this rule as desired, and
click OK.
FIGURE 16-37 Configuring the properties of an IPSec rule

15. The IPSec policy’s Properties dialog box reappears. Ensure that the check box
next to each rule you want this policy to use is selected. These rules are displayed
in the order they are created — not necessarily in the order that Windows 2000
will apply them. Click Close.
16. Close Group Policy. In the domain or OU’s Properties dialog box, click OK. Close
Active Directory Users and Computers.
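As an added example that is not code from the book or from Windows, the following model ties the five rule settings described earlier (IP filter, filter action, authentication method, tunnel setting, connection type) to the selection behaviour the text describes: every rule whose filter matches a packet is a candidate, and the most specific filter wins regardless of the order the rules were created in. The addresses, the policy and the packets are constructed. The exact specificity weighting (addresses first, then protocol, then ports) is an assumption, since Windows's own weighting is not described on this page, and the Mirrored flag is the filter dialog's own option, modelled because reply traffic depends on it.

```python
"""Model of how a Windows 2000 IPSec policy chooses the rule for a packet: every rule
whose IP filter matches is a candidate and the most specific filter wins, whatever
order the rules were created in. Added example, not Windows code; all addresses
are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int                        # 1 = ICMP, 6 = TCP, 17 = UDP
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _addr_ok(spec: str, addr: str, me: str) -> bool:
    """spec is "any", "me" (My IP Address), a host address, or "network/mask"."""
    if spec == "any":
        return True
    if spec == "me":
        return addr == me
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _addr_weight(spec: str) -> int:
    if spec == "any":
        return 0
    if spec == "me" or ipaddress.ip_network(spec, strict=False).num_addresses == 1:
        return 2                         # one host is more specific than a subnet
    return 1


@dataclass(frozen=True)
class IPFilter:
    src: str = "any"
    dst: str = "any"
    protocol: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    mirrored: bool = True                # the filter dialog's Mirrored box: match replies too

    def _one_way(self, p: Packet, me: str) -> bool:
        return (_addr_ok(self.src, p.src, me) and _addr_ok(self.dst, p.dst, me)
                and self.protocol in (None, p.protocol)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))

    def matches(self, p: Packet, me: str) -> bool:
        if self._one_way(p, me):
            return True
        reply = Packet(p.dst, p.src, p.protocol, p.dst_port, p.src_port)
        return self.mirrored and self._one_way(reply, me)

    def specificity(self) -> Tuple[int, int, int]:
        """ASSUMED ranking: addresses, then protocol, then ports."""
        return (_addr_weight(self.src) + _addr_weight(self.dst),
                int(self.protocol is not None),
                int(self.src_port is not None) + int(self.dst_port is not None))


@dataclass(frozen=True)
class Rule:
    name: str
    filters: Tuple[IPFilter, ...]         # the rule's IP filter list
    action: str                           # "Permit", "Request Security" or "Require Security"
    auth: str = "Kerberos V5"             # or "Certificate" / "Preshared key"
    tunnel_endpoint: Optional[str] = None  # set only for tunnel mode
    connection_type: str = "All"          # "All", "LAN" or "Remote access"

    @property
    def mode(self) -> str:
        return "tunnel" if self.tunnel_endpoint else "transport"


def select_rule(policy, p: Packet, me: str, connection: str = "LAN") -> Optional[Rule]:
    """Most specific matching rule, or None when only the Default Response rule
    applies (the computer then merely answers peers that ask for IPSec)."""
    best = None
    for rule in policy:                   # creation order never affects the result
        if rule.connection_type not in ("All", connection):
            continue
        hits = [f.specificity() for f in rule.filters if f.matches(p, me)]
        if hits and (best is None or max(hits) > best[0]):
            best = (max(hits), rule)
    return best[1] if best else None


ME = "10.0.0.20"
# Constructed policy; the catch-all rule is created LAST and still loses to every
# more specific rule, as the text describes.
POLICY = (
    Rule("SQL to DB1", (IPFilter(src="me", dst="10.0.0.5", protocol=6, dst_port=1433),),
         "Require Security"),
    Rule("Allow ICMP", (IPFilter(protocol=1),), "Permit"),
    Rule("Branch office", (IPFilter(dst="192.168.50.0/24"),), "Require Security",
         auth="Certificate", tunnel_endpoint="203.0.113.9"),
    Rule("Everything else", (IPFilter(),), "Request Security"),
)


if __name__ == "__main__":
    for pkt in (Packet(ME, "10.0.0.5", 6, 3010, 1433),     # SQL query
                Packet("10.0.0.5", ME, 6, 1433, 3010),     # SQL reply (mirrored)
                Packet(ME, "10.0.0.5", 1),                 # ping
                Packet(ME, "192.168.50.4", 6, 3011, 445),  # branch office
                Packet(ME, "10.0.0.7", 6, 3012, 80)):      # web
        r = select_rule(POLICY, pkt, ME)
        print(f"{pkt.src:>12} -> {pkt.dst:<14} proto {pkt.protocol:2}: "
              f"{r.name} / {r.action} / {r.mode}")
```

The SQL query and its reply both land on the "Require Security" rule because the filter is mirrored; the ping is permitted in the clear because a protocol-only filter still beats the empty catch-all; the branch-office packet selects tunnel mode with 203.0.113.9 as endpoint; and only the Web request falls through to "Request Security". Adding a broad Permit rule later would not loosen any of this, which is the mistake the creation-order display on the Rules tab invites.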

Monitoring IPSec
Windows 2000 includes a tool for monitoring IPSec, called IP Security Monitor (ipsecmon). You can use IP Security Monitor to:
■ Determine whether IPSec is enabled on the monitored Windows
2000 computer (this can either be the local computer on which
you run IP Security Monitor, or a remote computer specified
when you start IP Security Monitor).
■ Determine if IPSec security is being used when the monitored Windows 2000 computer communicates with other computers.
■ View various IPSec statistics.
IP Security Monitor is available on both Windows 2000 Professional
and Windows 2000 Server computers.

STEP BY STEP

USING IP SECURITY MONITOR

1. From the desktop, select Start ➪ Run.
2. In the Run dialog box, type ipsecmon computer_name and press Enter.
Computer_name represents the name of the computer for which you want to
monitor IPSec. If you don’t specify a computer name, IP Security Monitor will
monitor the local computer.
3. IP Security Monitor starts. Figure 16-38 shows the IP Security Monitor dialog
box. Notice the box in the lower right portion of the screen that indicates whether
IP Security (IPSec) is enabled on this computer.

FIGURE 16-38 Using IP Security Monitor



By default, the statistics in this dialog box are updated every 15 seconds. To
change this frequency, click Options and enter the number of seconds you want
IP Security Monitor to wait between refreshes.
When you finish monitoring IPSec, close the IP Security Monitor dialog box.

Troubleshooting IPSec
If you use the default policies and default rules when configuring IPSec,
it’s not likely that you’ll run into too many problems. However, if you cre-
ate custom rules, IP filters, filter actions, and so on, things can become
pretty complex, and even confusing. If you’re having problems getting
IPSec up and running on your Windows 2000 network, here are a few tips
that might help:
■ Use IP Security Monitor to determine whether IPSec is enabled
on a Windows 2000 computer, and whether IPSec security is being
used for this computer’s communications with other computers.
■ If you’ve recently implemented an IPSec policy on a Windows
2000 computer, but IPSec is either not enabled or IPSec security
is not being used by this computer, try rebooting the computer
before performing more complex troubleshooting actions.
■ If you enable IPSec by using Group Policy, but IPSec is not
enabled on the intended computers, follow standard Group Policy
troubleshooting methods to ensure that Group Policy (including
IPSec policy) is being applied appropriately.
■ If you’ve customized one or more of the three default IPSec poli-
cies, and you want to restore these policies to their original configu-
rations, you can highlight IP Security Policies on Active Directory
(in Group Policy editor) and select Action ➪ All Tasks ➪ Restore
Default Policies.
■ If multiple administrators can edit IPSec policies and you’re concer-
ned that the policies may be corrupt, you can check the integrity of
these policies by highlighting IP Security Policies on Active Directory
(in Group Policy editor) and select Action ➪ All Tasks ➪ Check Policy
Integrity. If the IPSec policies are not corrupt, Windows 2000 displays a dialog box indicating that the integrity of these policies has been verified.
■ If you think that the system files used to implement IPSec may be damaged or missing, you can reinstall these files by removing, and then reinstalling, TCP/IP on the Windows 2000 computer.

KEY POINT SUMMARY

This chapter introduced several important TCP/IP topics:


■ The Transmission Control Protocol/Internet Protocol (TCP/IP) is a widely used suite of network and transport protocols. It is a fast, routable enterprise protocol suite that is used on the Internet. In addition to being supported by Windows 2000, TCP/IP is supported by many other operating systems.
■ IP addresses must be unique — no two computers or other network devices on
an internetwork should have the same IP address.
■ You can assign an IP address to a Windows 2000 computer either by manu-
ally specifying a computer’s IP address configuration, or by configuring a com-
puter to obtain IP addressing information automatically from a DHCP server.
■ When the DHCP service is installed on a Windows 2000 Server computer
that is a member of a domain, before the service can start, you must authorize
the DHCP server in Active Directory.
■ A DHCP server requires one or more scopes to assign IP addressing informa-
tion to client computers. You can use the DHCP administrative tool to create
scopes, superscopes, and multicast scopes.
■ NetBIOS name resolution is normally accomplished in one of two ways. You
can either manually configure an lmhosts file on each individual computer on
the network, or install a WINS server and configure client computers on the
network to use it.
■ IP routing is a function of the Internet Protocol (IP) that uses IP address infor-
mation to send data packets from a source computer on one network segment
across one or more routers to a destination computer on another network
segment.
■ In order to function as a router, a Windows 2000 Server computer must have
at least one network adapter card installed. In addition, it must have either
an additional network adapter card or a communications device, such as a
modem, installed.
■ Routing is enabled on a Windows 2000 Server computer by using the Routing
and Remote Access administrative tool. If no additional routing protocols are
installed, the computer will function as a static router.
■ The five routing protocols that ship with Windows 2000 Server are: RIP
Version 2 for Internet Protocol, Open Shortest Path First (OSPF), Network
Address Translation (NAT), the DHCP Relay Agent, and IGMP.
■ When a routing protocol is installed, it must be configured to use at least one
(and sometimes more) interfaces on the Windows 2000 Server computer.
■ TCP/IP packet filtering is a TCP/IP security feature used to control the type of
TCP/IP packets that a Windows 2000 computer will receive. It is also used to
control the type of TCP/IP packets that each routing interface on a Windows
2000 Server computer (that’s functioning as a router) will receive, forward, or
both.
■ IPSec is another security feature of TCP/IP in Windows 2000. IPSec is a collection of security protocols and cryptographic services that authenticates and, with ESP, encrypts IP traffic between two computers, preventing unauthorized users who capture network traffic from reading sensitive data or modifying it undetected.
STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about TCP/IP and to help you prepare for the Professional,
Server, and Network exams:
■ Assessment questions: These questions test your knowledge of
the TCP/IP topics covered in this chapter.You’ll find the answers
to these questions at the end of this chapter.
■ Scenarios: The situation-based questions in scenarios challenge
you to apply your understanding of the material to solve a hypothetical problem. In this chapter's scenarios, you are asked to analyze TCP/IP, DHCP, WINS, routing, and IPSec configurations or problems. You don't need to be at a computer to do scenarios.
Answers to this chapter’s scenarios are presented at the end of this
chapter.
■ Lab Exercises: These exercises are hands-on practice activities
that you perform on a computer.The two labs in this chapter give
you an opportunity to practice configuring TCP/IP, installing and
configuring DHCP and WINS, configuring routing, and enabling
IPSec.

Assessment Questions
1. You are manually configuring TCP/IP addressing information on a
Windows 2000 Professional computer on your network.What should
you enter in the “Default gateway” text box?
A. The IP address of a WINS server on the local network segment
B. The IP address of a router on the local network segment
C. The local network segment’s subnet mask
D. The local network segment’s network ID
2. You just finished installing the Dynamic Host Configuration Protocol
(DHCP) service on a Windows 2000 Server computer that is a domain
controller on your network.What must you do before the DHCP ser-
vice can start?
A. Authorize the DHCP server in Active Directory
B. Configure a scope, a superscope, and a multicast scope
C. Configure a DHCP address reservation
D. Configure the DHCP server for DNS integration
3. You want to create a scope on your Windows 2000 Server DHCP
server that will contain a range of Class D IP addresses so that the
DHCP server can assign these addresses to client computers that
request them.What kind of scope should you create?
A. A scope
B. A superscope
C. A multicast scope
D. Any of the above scope types
4. You recently installed WINS on a Windows 2000 Server computer
on your network. Prior to installing WINS, you configured the com-
puter’s local area connection with a static IP address. Because of your
network’s size, only a single WINS server will be needed.What else
must you do in order for the WINS server to begin providing
NetBIOS name resolution services on your network?
A. Add IP address-to-NetBIOS name entries to the lmhosts file
on each client computer
B. Configure WINS replication
C. Authorize the WINS server in Active Directory
D. Configure each client computer to use the WINS server
5. You are the administrator of a medium-sized private network.You
have existing routers and DHCP servers on this network.You want
to enable computers on your company’s network that use private IP
addresses to communicate with computers on the Internet that use
registered IP addresses.Which Windows 2000 feature or protocol
should you use to accomplish this?
A. Internet Connection Sharing
B. OSPF
C. NAT
D. DHCP Relay Agent
6. You want to enable dynamic routing on a Windows 2000 Server computer on your TCP/IP network. You want this computer to manage
the propagation of multicast traffic throughout your network.Which
routing protocol should you use?
A. IGMP Version 2, Router and Proxy
B. Open Shortest Path First (OSPF)
C. RIP Version 2 for Internet Protocol
D. Network Address Translation (NAT)
7. You want to enable static routing on a Windows 2000 Server com-
puter on your network.TCP/IP is installed and configured on this
computer, and the computer has two network adapter cards installed.
You use the Routing and Remote Access administrative tool to
enable routing.What additional protocol must be installed before sta-
tic routing can occur?
A. RIP Version 2 for Internet Protocol
B. NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
C. Open Shortest Path First (OSPF)
D. No additional protocols need to be installed
8. You want to provide security for TCP/IP communications on your
company’s routed Windows 2000 network.What features or protocols
can you use to provide security? (Choose all that apply.)
A. TCP/IP packet filtering
B. IPSec
C. IP Security Monitor
D. Internet Connection Sharing

Scenarios
In this chapter I introduced you to numerous TCP/IP and TCP/IP-related
topics. Here’s your chance to tackle a few situations you might encounter
in real life. For each of the following problems, consider the given facts and
answer the question or questions that follow.
1. Users of two computers on your Windows 2000 network report that
they are unable to communicate with other computers on the net-
work. Figure 16-39 shows the configuration of several components
on this network subnet.
All of the following devices share one Ethernet segment; the Router/NAT computer also connects to the Internet.
Client_A: IP address 10.105.232.8, default gateway 10.105.232.1
Client_B: IP address 10.105.232.9, default gateway 10.105.232.1
Client_C: IP address 10.105.232.8, default gateway 10.105.232.1
Client_D: IP address 10.105.232.12, default gateway 10.105.232.1
Server_A: IP address 10.105.232.18, default gateway 10.105.232.1
Router/NAT: IP address 10.105.232.1, default gateway 10.105.232.1

FIGURE 16-39 Network configuration for problem 1

a. What is causing the TCP/IP connectivity problem in this situation?
b. What should you do to resolve the problem?
2. You recently installed and configured the DHCP service on a Windows 2000 Server computer on your network. The computer is a member server of Domain4. You’ve created several scopes on the DHCP server, but client computers are not able to obtain their IP addressing information from this server.
a. What is the most likely cause of this problem?
b. What should you do to resolve the problem?
3. You recently enabled IPSec for all computers in your Windows 2000 domain by using Group Policy. However, you discover, by using IP Security Monitor, that IPSec is not enabled on any of the computers in one of the OUs in the domain.
a. What is the most likely cause of this problem?
b. What should you do to resolve the problem?
4. Your company’s Windows 2000 network has two WINS servers, one in San Francisco and the other in Houston. The two locations are connected by a 56 Kbps WAN link. You are in the process of configuring WINS replication between these two servers.
a. Which replication partner type should you select for each of these servers?
b. What additional replication configuration will you probably want to make?
5. A user of one of the Windows 98 client computers on your Windows 2000 network reports that she is unable to connect to servers on the network by using the servers’ NetBIOS names. You use both WINS and DNS servers on your network.
a. What is the most likely cause of this problem?
b. What should you do to resolve this problem?
6. You are the administrator for a large, routed TCP/IP network that spans multiple locations and uses numerous routers and WAN links. Your Windows 2000 computer is unable to connect to a Windows 2000 Server computer located on a remote subnet. What tool can you use to determine where the network communications are breaking down?

Lab Exercises
Lab 16-1 Configuring TCP/IP
Exam material: Professional, Server, Network

The purpose of this lab is to provide you with an opportunity to practice the TCP/IP configuration skills you learned in this chapter. Specifically, you’ll manually configure TCP/IP on your Windows 2000 Professional computer, and configure a TCP/IP packet filter.
Begin this lab by booting your computer to Windows 2000 Professional and logging on as Administrator.
1. Select Start ➪ Settings ➪ Network and Dial-up Connections.
2. In the Network and Dial-up Connections folder, right-click
the Local Area Connection, and select Properties from the menu that
appears.
3. In the Local Area Connection Properties dialog box, highlight Internet Protocol (TCP/IP) and click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, ensure that the “Use the following IP address” option is selected. Then change the computer’s IP address by adding 100 to the number that represents the fourth octet. For example, if your IP address is currently 192.168.59.101, change it to 192.168.59.201.

CAUTION
If you’re on a live company network, changing your computer’s IP
address could cause TCP/IP communications problems on the network,
so you may not want to perform this step.

Click Advanced.
5. In the Advanced TCP/IP Settings dialog box, click the Options tab.
6. On the Options tab, highlight TCP/IP filtering and click Properties.
7. In the TCP/IP Filtering dialog box, select the check box next to “Enable TCP/IP Filtering (All adapters).” Then, in the IP Protocols section, select the Permit Only option, and click Add.
8. In the Add Filter dialog box, type 6 in the IP Protocol text box.
Click OK.
9. In the TCP/IP Filtering dialog box, in the IP Protocols section,
click Add again.
10. In the Add Filter dialog box, type 17 in the IP Protocol text box.
Click OK.
11. In the TCP/IP Filtering dialog box, in the IP Protocols section,
click Add again.
12. In the Add Filter dialog box, type 1 in the IP Protocol text box.
Click OK.
13. In the TCP/IP Filtering dialog box, notice that three protocols are listed in the IP Protocols section. You have just configured a filter that permits only IP traffic that uses the ICMP (1), TCP (6), and UDP (17) protocols. Click OK.
14. In the Advanced TCP/IP Settings dialog box, click OK.
15. In the Internet Protocol (TCP/IP) Properties dialog box, click OK.
16. In the Local Area Connection Properties dialog box, click OK.
17. In the Local Network dialog box, click Yes to restart your computer
now. Boot your computer to Windows 2000 Server and log on as
Administrator to perform the next lab.

Lab 16-2 Managing TCP/IP on Your Network
Exam material: Professional, Server, Network

The purpose of this lab is to provide you with an opportunity to practice using many of the TCP/IP-related services, protocols, and features you learned about in this chapter.
There are five parts to this lab:
■ Part 1: Installing Network Services (DHCP and WINS)
■ Part 2: Configuring DHCP
■ Part 3: Configuring NetBIOS Name Resolution and Monitoring WINS
■ Part 4: Configuring and Monitoring Routing
■ Part 5: Enabling, Configuring, and Monitoring IPSec
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Installing Network Services (DHCP and WINS)

In this part, you install the DHCP and WINS services on your Windows 2000 Server computer.
1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove
Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove
Windows Components.
4. In the Windows Components Wizard dialog box, highlight
Networking Services, and click Details.
5. In the Networking Services dialog box, select the check boxes next to
Dynamic Host Configuration Protocol (DHCP) and Windows
Internet Name Service (WINS), and click OK.
6. In the Windows Components Wizard dialog box, click Next.
7. When prompted, insert your Windows 2000 Server compact disc into your computer’s CD-ROM drive and click OK. When the Microsoft Windows 2000 CD dialog box appears, close it. Windows 2000 configures components and installs DHCP and WINS. In the Completing the Windows Components Wizard screen, click Finish.
8. Close Add/Remove Programs. Then close Control Panel. Remove your Windows 2000 Server compact disc from your computer’s CD-ROM drive.

Part 2: Configuring DHCP

In this part, you configure the DHCP service. First, you authorize the DHCP server in Active Directory and configure DHCP for DNS integration. Next, you create a superscope and five scopes, and configure DHCP options for those scopes. Next, you create a multicast scope. Finally, you monitor DHCP by using the DHCP administrative tool.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ DHCP.
2. In the left pane of the DHCP dialog box, highlight
server01.domain1.mcse. Select Action ➪ Authorize.
3. Wait a minute or two, then select Action ➪ Refresh.
4. The DHCP Server is now authorized. Notice that the icon next
to the DHCP server now contains a green, upward pointing arrow
(instead of a red, downward pointing arrow).
5. In the DHCP dialog box, select Action ➪ Properties.
6. In the server01.domain1.mcse Properties dialog box, click the
DNS tab.
7. On the DNS tab, select the “Always update DNS” option. Then select the check box next to “Enable updates for DNS clients that do not support dynamic update.” Click OK.
8. In the DHCP dialog box, select Action ➪ New Scope.
9. The New Scope wizard starts. Click Next.
10. In the Scope Name screen, type in a name of Superscope and a description of A superscope containing 6 scopes in the text boxes provided. Click Next.
11. The IP Address Range screen appears. In the “Start IP address” text box, type 192.168.59.1. In the “End IP address” text box, type 192.168.64.254. Accept the default Length and Subnet mask settings. Click Next.
12. In the Create Superscope screen, select the Yes option and click Next.
13. In the Lease Duration screen, accept the default DHCP lease duration
of 8 days, and click Next.
14. In the Configure DHCP Options screen, accept the default selection
of “Yes, I want to configure these options now,” and click Next.
15. In the Router (Default Gateway) screen, enter an IP address of
192.168.59.1 and click Add. Click Next.
16. In the Domain Name and DNS Servers screen, in the “Parent domain” text box, type domain1.mcse. Then, in the IP address text box, type in the IP address of this computer, which should be 192.168.59.101 unless you have been instructed to use a different IP address. Click Add. Click Next.
17. In the WINS Servers screen, enter an IP address of 192.168.59.101.
Click Add. Click Next.
18. In the Activate Scope screen, accept the default selection of Yes.
Click Next.
19. In the Completing the New Scope Wizard screen, click Finish.
20. Windows 2000 creates the scope. It is displayed in the right pane of
the DHCP dialog box. Select Action ➪ New Multicast Scope.
21. The New Multicast Scope wizard starts. Click Next.
22. In the Multicast Scope Name screen, type in a name of Multicast in
the text box provided. Click Next.
23. The IP Address Range screen appears. In the “Start IP address” text box, type 239.0.0.1. In the “End IP address” text box, type 239.0.5.254. Accept the TTL of 32. Click Next.
24. In the Add Exclusions screen, click Next.
25. In the Lease Duration screen, accept the default DHCP multicast
lease duration of 30 days, and click Next.
26. In the Activate Multicast Scope screen, select Yes. Click Next.
27. In the Completing the New Multicast Scope Wizard screen, click
Finish.
28. Windows 2000 creates the multicast scope. It is displayed in the right pane of the DHCP dialog box. Click the + next to Superscope Superscope 0. Click the + next to Scope 192.168.59.0. Highlight Address Leases. The right pane is probably empty right now, but normally, after the DHCP server has been up and running for a while, and clients have been configured to obtain their IP addressing information from the DHCP server, there will be several leases listed.
29. In the left pane, right-click server01.domain1.mcse and select Display
Statistics from the menu that appears.
30. Notice the DHCP server statistics that are displayed. Click Close.
31. Close DHCP.

Part 3: Configuring NetBIOS Name Resolution and Monitoring WINS

In this part, you configure NetBIOS name resolution options on your Windows 2000 Server computer, and then you monitor your WINS server.
1. Select Start ➪ Settings ➪ Network and Dial-up Connections.
2. In the Network and Dial-up Connections folder, right-click the
computer’s Local Area Connection, and select Properties from the
menu that appears.
3. In the Local Area Connection Properties dialog box, highlight the
Internet Protocol (TCP/IP) and click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click
Advanced.
5. In the Advanced TCP/IP Settings dialog box, click the WINS tab.
6. On the WINS tab, click Add.
7. In the TCP/IP WINS Server dialog box, type 192.168.59.101 (or the IP address of this computer, if you have been instructed to use a different IP address). Click Add.
8. On the WINS tab, click OK.
9. In the Internet Protocol (TCP/IP) Properties dialog box, click OK.
10. In the Local Area Connection Properties dialog box, click OK.
11. Close the Network and Dial-up Connections folder.
12. Shut down and restart your computer so that it will register its IP
address with the WINS server. Reboot your computer to Windows
2000 Server, and log on as Administrator.
13. Select Start ➪ Programs ➪ Administrative Tools ➪ WINS.
14. In the left pane of the WINS dialog box, click the + next to SERVER01. Then right-click SERVER01, and select Display Server Statistics from the menu that appears.
15. The WINS Server ‘SERVER01’ Statistics dialog box is displayed. View your WINS server’s statistics, then click Close.
16. In the left pane of the WINS dialog box, highlight the Active Registrations folder. Then right-click this folder and select Find by Owner from the menu that appears.
17. In the Find by Owner dialog box, select the “All owners” option, and click Find Now.
18. The WINS database is displayed in the right pane of the WINS dialog box. When you finish viewing the database, close WINS.

Part 4: Configuring and Monitoring Routing

In this part, you enable routing on your Windows 2000 Server computer. Next, you update a routing table by adding a static route. Then, you add two routing interfaces and implement demand-dial routing. Next, you install and configure routing protocols, including OSPF and NAT. Then you implement internal routing and border routing. Finally, you monitor IP routing statistics.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and
Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, right-
click SERVER01, and select “Configure and Enable Routing and
Remote Access” from the menu that appears.
3. The Routing and Remote Access Server Setup wizard starts.
Click Next.
4. In the Common Configurations screen, select the “Network router”
option. Click Next.
5. In the Routed Protocols screen, click Next.
6. In the Demand-Dial Connections screen, select the Yes option, and click Next.
7. In the IP Address Assignment dialog box, accept the default selection
of Automatically, and click Next.
8. In the Completing the Routing and Remote Access Server Setup
Wizard screen, click Finish.
9. Windows 2000 starts the Routing and Remote Access service. Your Windows 2000 Server computer is now configured as a static router.
10. In the left pane of the Routing and Remote Access dialog box, click
the + next to SERVER01. Click the + next to IP Routing. Right-
click Static Routes, and select New Static Route from the menu that
appears.
11. In the Static Route dialog box, select Local Area Connection from the Interface drop-down list box. Then enter the following information in the appropriate text boxes:
Destination: 10.99.0.0
Network mask: 255.255.0.0
Gateway: 192.168.59.254
Metric: 1
Click OK.
12. In the left pane of the Routing and Remote Access dialog box, right-
click Routing Interfaces, and select New Demand-dial Interface from
the menu that appears.
13. The Demand Dial Interface wizard starts. Click Next.
14. In the Interface Name screen, accept the default name of Remote
Router. Click Next.
15. In the Connection Type screen, accept the default option of
“Connect using a modem, ISDN adapter, or other physical device.”
Click Next.
16. In the “Select a device” screen, select “Standard 56000 bps V90
Modem” from the list. Click Next.
17. In the Phone Number screen, type in 5551212. Click Next.
18. In the Protocols and Security screen, accept the default selection and
click Next.
19. In the Dial Out Credentials screen, enter a user name of Administrator, a domain name of domain1, and a password of password. Confirm the password by retyping it. Click Next.
20. In the “Completing the demand-dial interface wizard” screen,
click Finish.
21. In the left pane of the Routing and Remote Access dialog box, right-
click Routing Interfaces, and select New Demand-dial Interface from
the menu that appears.
22. The Demand Dial Interface wizard starts. Click Next.
23. In the Interface Name screen, type in a name of Internet. Click
Next.
24. In the Connection Type screen, accept the default option of
“Connect using a modem, ISDN adapter, or other physical device.”
Click Next.
25. In the “Select a device” screen, select “Standard 56000 bps V90
Modem” from the list. Click Next.
26. In the Phone Number screen, type in 5559998. Click Next.
27. In the Protocols and Security screen, accept the default selection and
click Next.
28. In the Dial Out Credentials screen, enter a user name of Administrator, a domain name of ISP, and a password of password. Confirm the password by retyping it. Click Next.
29. In the “Completing the demand-dial interface wizard” screen, click
Finish.
30. In the left pane of the Routing and Remote Access dialog box, right-
click General (under IP Routing), and select New Routing Protocol
from the menu that appears.
31. In the New Routing Protocol dialog box, highlight Open Shortest
Path First (OSPF) and click OK.
32. In the left pane of the Routing and Remote Access dialog box, right-
click General (under IP Routing), and select New Routing Protocol
from the menu that appears.
33. In the New Routing Protocol dialog box, highlight Network Address
Translation (NAT) and click OK.
34. In the left pane of the Routing and Remote Access dialog box, right-
click Network Address Translation (NAT), and select Properties from
the menu that appears.
35. In the Network Address Translation (NAT) Properties dialog box,
select the “Log the maximum amount of information” option and
click OK.
36. In the left pane of the Routing and Remote Access dialog box, right-
click Network Address Translation (NAT), and select New Interface
from the menu that appears.
37. In the New Interface for Network Address Translation (NAT) dialog
box, select Local Area Connection and click OK.
38. In the Network Address Translation Properties – Local Area
Connection dialog box, ensure that the “Private interface connected
to private network” option is selected. Click OK.
39. In the left pane of the Routing and Remote Access dialog box, right-
click Network Address Translation (NAT), and select New Interface
from the menu that appears.
40. In the New Interface for Network Address Translation (NAT) dialog
box, select Internet and click OK.
41. In the Network Address Translation Properties – Internet dialog box, ensure that the “Public interface connected to the Internet” option is selected, and that the check box next to “Translate TCP/UDP headers” is also selected. Click OK.
42. In the left pane of the Routing and Remote Access dialog box, right-
click OSPF, and select Properties from the menu that appears.
43. In the OSPF Properties dialog box, click the Areas tab.
44. On the Areas tab, click Edit.
45. In the OSPF Area Configuration dialog box, click the Ranges tab.
46. On the Ranges tab, enter a Destination of 192.168.0.0 and a
Network mask of 255.255.0.0 and click Add. Click OK.
47. On the Areas tab, click Add.
48. In the OSPF Area Configuration dialog box, enter an Area ID of
10.200.0.0 and click the Ranges tab.
49. On the Ranges tab, enter a Destination of 10.200.0.0 and a Network
mask of 255.255.0.0 and click Add. Click OK.
50. On the Areas tab, click OK.
51. In the left pane of the Routing and Remote Access dialog box, right-
click OSPF, and select New Interface from the menu that appears.
52. In the New Interface for Open Shortest Path First (OSPF), select
Local Area Connection and click OK.
53. In the OSPF Properties – Local Area Connection Properties dialog
box, ensure that the Area ID is 0.0.0.0. Click OK.
54. In the left pane of the Routing and Remote Access dialog box, right-
click OSPF, and select New Interface from the menu that appears.
55. In the New Interface for Open Shortest Path First (OSPF), select
Remote Router and click OK.
56. In the OSPF Properties – Remote Router Properties dialog box,
select an Area ID of 10.200.0.0 from the drop-down list box.
Click OK.
57. In the left pane of the Routing and Remote Access dialog box, highlight Server Status. Then, in the right pane, view the status of your router.
58. Highlight Routing Interfaces. Then, in the right pane, view all of the local area and demand-dial interfaces on your router.
59. Right-click General (under IP Routing), and select Show TCP/IP Information from the menu that appears.
60. The SERVER01 – TCP/IP Information dialog box is displayed. View the statistics in this dialog box, then close the dialog box.
61. Right-click OSPF, and select Show Link-state Database from the
menu that appears.
62. The SERVER01 – OSPF Link State Database dialog box appears.
View this database. Close the dialog box.
63. Close Routing and Remote Access.
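As an added example (not from the book), a Python longest-prefix-match lookup over the routing table this part builds, showing which interface and next hop the router picks for a destination and whether forwarding would bring up one of the demand-dial interfaces. The static route and the two OSPF area ranges come from the lab; the on-link LAN route, the default route through the Internet interface, the OSPF next hops and the metrics are assumptions, as are the function names.

```python
"""Longest-prefix-match lookup over the routing table from Lab 16-2, Part 4.

Added example, not from the book. The static route to 10.99.0.0/16 (step 11)
and the OSPF ranges 192.168.0.0/16 for area 0.0.0.0 (step 46) and
10.200.0.0/16 for area 10.200.0.0 (steps 48 and 49) come from the lab; the
on-link route for the server's own subnet, the default route out of the
Internet demand-dial interface, the OSPF next hops and the metrics are
assumptions so that every destination resolves somewhere.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: IPv4Network        # prefix covered by this entry
    gateway: Optional[IPv4Address]  # next hop; None means deliver on-link
    interface: str                  # interface name as configured in the lab
    metric: int                     # tie-breaker among equal-length prefixes


# Demand-dial interfaces created in steps 14 and 23.
DEMAND_DIAL_INTERFACES = {"Remote Router", "Internet"}

ROUTING_TABLE: List[Route] = [
    # Assumption: the server is 192.168.59.101/24, so its LAN is on-link.
    Route(IPv4Network("192.168.59.0/24"), None, "Local Area Connection", 1),
    # Step 11: static route entered in the Static Route dialog box.
    Route(IPv4Network("10.99.0.0/16"), IPv4Address("192.168.59.254"),
          "Local Area Connection", 1),
    # Step 46: OSPF range for area 0.0.0.0; next hop and metric assumed.
    Route(IPv4Network("192.168.0.0/16"), IPv4Address("192.168.59.254"),
          "Local Area Connection", 110),
    # Steps 48, 49 and 55: OSPF range for area 10.200.0.0, reached over the
    # Remote Router demand-dial interface; next hop and metric assumed.
    Route(IPv4Network("10.200.0.0/16"), IPv4Address("10.200.0.1"),
          "Remote Router", 110),
    # Assumption: default route through the NAT public interface (step 40).
    Route(IPv4Network("0.0.0.0/0"), None, "Internet", 1),
]


def lookup(destination: str, table: List[Route] = ROUTING_TABLE) -> Route:
    """Pick the most specific matching entry, then the lowest metric.

    This is the longest-prefix-match rule every IP router applies: the /16
    static route beats the /0 default whenever both contain the address,
    and the on-link /24 beats the OSPF /16 that also covers the LAN.
    """
    addr = IPv4Address(destination)
    candidates = [r for r in table if addr in r.destination]
    if not candidates:
        raise LookupError(f"no route to {destination}")
    return max(candidates, key=lambda r: (r.destination.prefixlen, -r.metric))


def next_hop(destination: str, table: List[Route] = ROUTING_TABLE) -> IPv4Address:
    """Address the packet is actually handed to (the host itself if on-link)."""
    route = lookup(destination, table)
    return route.gateway if route.gateway is not None else IPv4Address(destination)


def triggers_dial(destination: str, table: List[Route] = ROUTING_TABLE) -> bool:
    """True when forwarding would bring up a demand-dial connection."""
    return lookup(destination, table).interface in DEMAND_DIAL_INTERFACES


if __name__ == "__main__":
    for dest in ("10.99.5.7", "192.168.59.50", "192.168.70.3", "10.200.3.1", "10.1.1.1"):
        r = lookup(dest)
        print(f"{dest:>14} -> {r.destination} via {next_hop(dest)} on {r.interface}"
              f"{' (dials)' if triggers_dial(dest) else ''}")
```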

Part 5: Enabling, Configuring, and Monitoring IPSec

In this part, you enable IPSec on your Windows 2000 Server computer, and configure and customize IPSec policies and rules for domain1.mcse and for server01. You also configure IPSec for transport mode and tunnel mode. Finally, you use IP Security Monitor to view and monitor IPSec.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Domain Security
Policy.
2. In the left pane of the Domain Security Policy dialog box, highlight
IP Security Policies on Active Directory. In the right pane, right-click
Server (Request Security) and select Properties from the menu that
appears.
3. In the Server (Request Security) Properties dialog box, click Add.
4. The Create IP Security Rule wizard starts. Click Next.
5. In the Tunnel Endpoint screen, select the “The tunnel endpoint is specified by this IP address” option. Then enter an IP address of 192.168.200.1 and click Next.
6. In the Network Type screen, accept the default option of “All net-
work connections” and click Next.
7. In the Authentication Method screen, click Next.
8. In the IP Filter List screen, click Add.
9. In the IP Filter List dialog box, type in a name of Tunnel Mode and
a description of All IP traffic for remote network and click Add.
10. The IP Filter wizard starts. Click Next.
11. In the IP Traffic Source screen, select a source address of “Any IP
address” from the drop-down list box. Click Next.
12. In the IP Traffic Destination screen, select a destination address of “A specific IP subnet” from the drop-down list box. Then enter an IP address of 192.168.240.0 and a subnet mask of 255.255.255.0 and click Next.
13. In the IP Protocol Type screen, select a protocol type of Any from the
drop-down list box. Click Next.
14. In the Completing the IP Filter Wizard screen, ensure that the “Edit
properties” check box is cleared, and click Finish.
15. In the IP Filter List dialog box, click Close.
16. In the IP Filter List screen in the Security Rule Wizard, select the
Tunnel Mode filter from the IP filter lists box. Click Next.
17. In the Filter Action screen, select Require Security. Click Next.
18. In the Completing the New Rule Wizard screen, ensure that the
“Edit properties” check box is cleared and click Finish.
19. In the Server (Request Security) Properties dialog box, notice the
new Tunnel Mode rule that you created is displayed and selected.
Click Close.
20. In the right pane of the Domain Security Policy dialog box, right-
click Server (Request Security) and select Assign from the menu that
appears.
21. Close Domain Security Policy.
22. Select Start ➪ Run.
23. In the Run dialog box, type secedit /refreshpolicy machine_policy and click OK.
24. Select Start ➪ Run.
25. In the Run dialog box, type ipsecmon server01 and click OK.
26. The IP Security Monitor on server01 dialog box appears. Notice in the lower right corner of this dialog box that IP Security is enabled on this computer. View the various IPSec statistics displayed in this dialog box. Close IP Security Monitor.
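As an added example (not from the book), a Python model of the Tunnel Mode rule built in steps 5 through 17, evaluated against sample packets to show which traffic is forced into the IPSec tunnel to 192.168.200.1 and which is left to the policy's default handling. The mirrored filter (the IP Filter Wizard's default, which the lab leaves unchanged), the Request Security fallback for unmatched traffic, and the function names are assumptions.

```python
"""Evaluate packets against the IPSec security rule built in Lab 16-2, Part 5.

Added example, not from the book. It models the "Tunnel Mode" filter list
(any source, destination subnet 192.168.240.0/24, any protocol) with the
Require Security action and the tunnel endpoint 192.168.200.1 from steps 5
through 17, and reports what the policy would do with a packet. Assumptions:
the filter is mirrored (the IP Filter Wizard's default), and traffic that
matches no custom rule falls back to Request Security in transport mode,
chosen to reflect the policy name Server (Request Security).
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


class Action(Enum):
    PERMIT = "Permit"
    REQUEST_SECURITY = "Request Security"   # negotiate IPSec, allow clear text if the peer cannot
    REQUIRE_SECURITY = "Require Security"   # negotiate IPSec, drop the traffic if negotiation fails


@dataclass(frozen=True)
class IPFilter:
    source: Optional[IPv4Network]        # None stands for "Any IP address"
    destination: Optional[IPv4Network]   # None stands for "Any IP address"
    protocol: Optional[int]              # IP protocol number; None stands for "Any"
    mirrored: bool = True                # also match the reply direction

    def _one_way(self, src: IPv4Address, dst: IPv4Address, proto: int) -> bool:
        return ((self.source is None or src in self.source)
                and (self.destination is None or dst in self.destination)
                and (self.protocol is None or proto == self.protocol))

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: int) -> bool:
        if self._one_way(src, dst, proto):
            return True
        return self.mirrored and self._one_way(dst, src, proto)


@dataclass(frozen=True)
class SecurityRule:
    name: str
    filters: List[IPFilter]
    action: Action
    tunnel_endpoint: Optional[IPv4Address]   # None selects transport mode


@dataclass(frozen=True)
class Decision:
    rule: str
    action: Action
    mode: str                                # "tunnel" or "transport"
    tunnel_endpoint: Optional[IPv4Address]


def lab_policy(mirrored: bool = True) -> List[SecurityRule]:
    """The rule the lab adds to Server (Request Security), expressed as data."""
    tunnel_mode_filter = IPFilter(
        source=None,                                   # step 11: Any IP address
        destination=IPv4Network("192.168.240.0/24"),   # step 12: specific subnet
        protocol=None,                                 # step 13: Any
        mirrored=mirrored,
    )
    return [SecurityRule("Tunnel Mode", [tunnel_mode_filter],
                         Action.REQUIRE_SECURITY,        # step 17
                         IPv4Address("192.168.200.1"))]  # step 5


# Assumed fallback for traffic no custom rule matches (not from the lab).
FALLBACK = Decision("(policy default, assumed)", Action.REQUEST_SECURITY, "transport", None)


def evaluate(rules: List[SecurityRule], src: str, dst: str, proto: int) -> Decision:
    """Scan the rules in order and return the first whose filter list matches.

    A linear scan is enough for the lab's single custom rule; Windows itself
    ranks overlapping filters by specificity, which this example does not model.
    """
    src_addr, dst_addr = IPv4Address(src), IPv4Address(dst)
    for rule in rules:
        if any(f.matches(src_addr, dst_addr, proto) for f in rule.filters):
            mode = "tunnel" if rule.tunnel_endpoint is not None else "transport"
            return Decision(rule.name, rule.action, mode, rule.tunnel_endpoint)
    return FALLBACK


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, IP protocol number)
    for pkt in (("192.168.59.101", "192.168.240.7", 6),
                ("192.168.240.7", "192.168.59.101", 17),
                ("192.168.59.101", "192.168.241.7", 6)):
        d = evaluate(lab_policy(), *pkt)
        print(f"{pkt[0]} -> {pkt[1]} proto {pkt[2]}: {d.rule}, {d.action.value}, {d.mode}")
```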

Answers to Chapter Questions


Chapter Pre-Test
1. The Transmission Control Protocol/Internet Protocol (TCP/IP) is a widely used transport protocol. It is a fast, routable, enterprise protocol that is used on the Internet. In addition to being supported by Windows 2000, TCP/IP is supported by many other operating systems. TCP/IP is typically the recommended protocol for large, heterogeneous networks.
2. True
3. A default gateway address specifies the IP address of a router on the
local network segment.
4. You can assign an IP address to a Windows 2000 computer in one of two ways: by manually specifying a computer’s IP address configuration, or by configuring a computer to obtain IP addressing information automatically from a DHCP server.
5. A DHCP scope is a range of IP addresses on a DHCP server that can
be assigned to DHCP clients that reside on a single subnet.
6. Windows Internet Name Service (WINS) is a Windows 2000 Server service that provides NetBIOS name resolution services to client computers.
7. You can use the Routing and Remote Access administrative tool to
enable routing on a Windows 2000 Server computer.
8. The five routing protocols that ship with Windows 2000 are: RIP
Version 2 for Internet Protocol, Open Shortest Path First (OSPF),
Network Address Translation (NAT), the DHCP Relay Agent,
and IGMP.
9. TCP/IP packet filtering and IPSec

Assessment Questions

1. B. The default gateway address must specify the IP address of a router on the local network segment.
2. A. Before the DHCP service can start, the DHCP server must be
authorized in Active Directory.
3. C. A superscope is the only type of scope that can contain other
scopes.
4. D. When WINS is used, lmhosts files are not needed. If only one WINS server will be used, WINS replication does not need to be configured. A WINS server doesn’t need to be authorized in Active Directory.
5. C. Network Address Translation (NAT) is the best answer. Internet
Connection Sharing won’t work because there are already existing
routers and DHCP servers on the network.
6. A. IGMP is the only routing protocol that manages multicast traffic.
7. D. Dynamic routing requires the installation of additional protocols,
but static routing does not.
8. A, B. Neither IP Security Monitor nor Internet Connection Sharing provides any security.
Scenarios

1. The problem in this situation is that Client_A has the same IP address as Client_C. Duplicate IP addresses are not permitted. To resolve the problem, you should change either Client_A’s or Client_C’s IP address so that it is a unique IP address.
2. The most likely cause of this problem is that the DHCP server has not been authorized in Active Directory. Until the DHCP server is authorized, the DHCP service won’t start on the server. You should use the DHCP administrative tool to authorize the DHCP server in Active Directory.
3. The most likely cause of this problem is that the OU is configured to block policy inheritance, or has a conflicting GPO. You should reconfigure Group Policy on the OU so that inheritance is no longer blocked, or that the conflicting GPO for the OU is removed, reordered, or reconfigured.
4. You should select a replication type of Pull for both servers. In addition, you might want to schedule WINS replication to occur during nonbusiness hours.
5. The most likely cause of this problem is that the Windows 98 computer is not configured to use the WINS server for NetBIOS name resolution. You should configure the Windows 98 computer to use the WINS server by specifying the IP address of your WINS server.
6. You should use the tracert.exe command-line utility to view the path through the network that attempted communication from your computer is taking, and to determine where network communication stops. Then you’ll know which router is failing to correctly forward TCP/IP packets to the remote server.
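As an added example (not from the book), a small Python check that applies the two rules behind scenario 1 and assessment question 1 to the hosts in Figure 16-39: no two hosts may share an IP address, and a default gateway must be a router on the host's own segment. The subnet mask 255.255.255.0 is an assumption (the figure gives none), and the function names are mine.

```python
"""Sanity checks for the hosts on one TCP/IP subnet.

Added example, not from the book. The host table reproduces Figure 16-39
(the subnet mask 255.255.255.0 is an assumption; the figure gives none) and
applies the two rules the chapter's answers rely on: no two hosts may use
the same IP address (scenario 1), and a default gateway must be a router on
the host's own segment (assessment question 1).
"""
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Tuple

# Constructed from Figure 16-39: name -> (IP address, default gateway).
FIGURE_16_39: Dict[str, Tuple[str, str]] = {
    "Client_A": ("10.105.232.8", "10.105.232.1"),
    "Client_B": ("10.105.232.9", "10.105.232.1"),
    "Client_C": ("10.105.232.8", "10.105.232.1"),
    "Client_D": ("10.105.232.12", "10.105.232.1"),
    "Server_A": ("10.105.232.18", "10.105.232.1"),
    "Router/NAT": ("10.105.232.1", "10.105.232.1"),
}
ASSUMED_MASK = "255.255.255.0"   # assumption: the figure shows no mask


def duplicate_addresses(hosts: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {ip: [hosts]} for every address claimed by more than one host."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for name, (ip, _gateway) in hosts.items():
        owners[str(IPv4Address(ip))].append(name)
    return {ip: sorted(names) for ip, names in owners.items() if len(names) > 1}


def gateway_problems(hosts: Dict[str, Tuple[str, str]],
                     mask: str = ASSUMED_MASK) -> Dict[str, str]:
    """Return {host: reason} for hosts whose default gateway is not directly reachable.

    The gateway must fall inside the network computed from the host's own
    address and mask; a router on another segment can never be the first hop.
    """
    problems: Dict[str, str] = {}
    for name, (ip, gateway) in hosts.items():
        local_net = IPv4Interface(f"{ip}/{mask}").network
        if IPv4Address(gateway) not in local_net:
            problems[name] = f"default gateway {gateway} is not on local segment {local_net}"
    return problems


def check_subnet(hosts: Dict[str, Tuple[str, str]], mask: str = ASSUMED_MASK) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = [
        f"duplicate IP address {ip} used by {', '.join(names)}"
        for ip, names in sorted(duplicate_addresses(hosts).items())
    ]
    findings.extend(f"{host}: {reason}"
                    for host, reason in sorted(gateway_problems(hosts, mask).items()))
    return findings


if __name__ == "__main__":
    for finding in check_subnet(FIGURE_16_39):
        print(finding)
```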
Exam material: Server, Network

EXAM OBJECTIVES

Server: Exam 70-215

■ Install, configure, and troubleshoot a virtual private network (VPN).
■ Configure, monitor, and troubleshoot remote access.
■ Configure inbound connections.
■ Create a remote access policy.
■ Configure a remote access profile.

Network: Exam 70-216

■ Configure and troubleshoot remote access.
■ Configure inbound connections.
■ Create a remote access policy.
■ Configure a remote access profile.
■ Configure a virtual private network (VPN).
■ Configure multilink connections.
■ Configure Routing and Remote Access for DHCP Integration.
■ Manage and monitor remote access.
■ Configure remote access security.
■ Configure authentication protocols.
■ Configure encryption protocols.
■ Configure a remote access policy.
CHAPTER 17
Managing Remote Access

This chapter is all about remote access in a Windows 2000 environment. Remote access is a critical networking function for today’s highly mobile workforce. With remote access, users can connect to their company’s network from home, from a hotel room, or from any computer connected to the Internet. The same service that provides routing functionality in Windows 2000 also provides remote access capability — the Routing and Remote Access service.
I’ll begin by providing an overview of remote access, including a discussion of the remote access connection types, and the connection and transport protocols supported by the Routing and Remote Access Service. Then I’ll show you how to enable remote access and how to configure the remote access server. I’ll also explain how to add and configure inbound connection ports. Next, I’ll show you how to control access to a remote access server by creating and using remote access policies.
Finally, I’ll cover the tools you can use to monitor remote access and provide some tips for troubleshooting common remote access problems.

Part IV ▼ Networking and Interoperability

Chapter Pre-Test
1. What is a virtual private network (VPN) connection?
2. How do PPTP and L2TP differ from each other?
3. Which transport protocols are supported by the Routing and
Remote Access service?
4. What is a multilink connection?
5. What kinds of ports are supported by the Routing and Remote
Access service?
6. What is a remote access policy?
Chapter 17 ▼ Managing Remote Access

Overview of Remote Access


Remote access is a feature that enables client computers to use dial-up and VPN connections to connect to a remote access server. (A remote access server is a Windows 2000 Server computer that runs the Routing and Remote Access service and is configured to provide remote access.) Once a connection with the remote access server is established, the client computer has access to the network the remote access server is connected to. Remote access enables users of remote computers to use the network as though they were directly connected to it. There is no difference in network functionality for the remote access client, except that the speed of the link is often much slower than a direct connection to the LAN.
Remote access is an important networking function in light of today’s highly mobile workforce. With remote access, users can connect to their company’s network from home, from a hotel room, from a client’s remote office, or from any computer connected to the Internet.
The Routing and Remote Access service is a Windows 2000 Server service that enables a Windows 2000 Server computer to function both as a router and as a remote access server. I introduced you to this service in Chapter 16, where you learned all about the routing features of this service. In this chapter I’ll tackle the other half of this service — remote access.
The Routing and Remote Access service is only available on Windows 2000 Server computers — in other words, it’s not available on Windows 2000 Professional computers.

EXAM TIP
Remote access is a complex topic. Even administrators who manage
remote access servers on a daily basis are well advised to study the
details and nuances presented in this chapter before taking the Server or
Network exam.

Client computers that run MS-DOS, Windows for Workgroups, Windows 95, Windows 98, Windows NT 4.0, and Windows 2000 can be configured as remote access clients of a Windows 2000 remote access server. In addition, any computer that supports the Point-to-Point Protocol (PPP) can connect to a Windows 2000 remote access server.
As implemented in Windows 2000, remote access supports multiple connection types, connection protocols, and transport protocols, as the following sections explain.

Remote Access Connection Types


Remote access client computers can connect to a Windows 2000 remote
access server by using a variety of connection types, including:
■ A standard telephone line (also called a Public Switched Telephone
Network or PSTN) and modem
■ A digital link
■ ISDN
■ X.25
■ Virtual private network (VPN), including PPTP and L2TP
Probably the most common connection type is a standard analog telephone line and modem. This service is inexpensive and widely available.
A digital link is a new connection type in which the remote access server uses a digital connection to the public telephone system, and remote access clients connect to the remote access server by using V.90 modems. This connection type enables remote access clients to communicate at speeds of up to 33.6 Kbps, and enables the remote access server to communicate with its clients at speeds of up to 56 Kbps.
Integrated Services Digital Network (ISDN) is a digital, dial-up telephone service that supports faster data transmission rates than a standard analog telephone line. The standard ISDN connection is called an ISDN Basic Rate Interface (BRI) line. An ISDN BRI line consists of three separate data channels. Two of these channels (called B channels) support telephone or data communications at a rate of up to 64 Kbps. The third channel is called a D channel, and is used to establish and maintain the connection. If both B channels are used together, data transmission rates of up to 128 Kbps can be supported.
X.25 is a packet-switching protocol that is used on dial-up or leased
lines. X.25 is available in most countries. An X.25 connection requires a
fair amount of hardware, including an X.25 adapter card, with either a
built-in or external Packet Assembler/Disassembler (PAD) in both the
remote access server and the remote access client. In addition, access to an
X.25 packet-switched network is required at both the remote access server
and remote access client locations.
A virtual private network (VPN) is not a physical connection type.
Rather, it’s a virtual connection that is tunneled inside of an existing
TCP/IP network connection. VPNs can be established by using either

Chapter 17 ▼ Managing Remote Access 1153

PPTP or L2TP. Both protect the data sent over the VPN connection, but in different ways: a PPTP tunnel is encrypted with Microsoft Point-to-Point Encryption (MPPE), whereas an L2TP tunnel has no encryption of its own and is protected by IPSec. Because a VPN uses an existing TCP/IP network connection, no additional hardware is required. VPN connections are commonly used between two computers that communicate over the Internet.

Connection Protocols Supported by Remote Access
Remote access in Windows 2000 can be carried out over several connection protocols. These protocols provide the data-link connectivity for remote access connections in much the same way as Ethernet or Token Ring provide the data-link connectivity on a local area network. Each of these protocols has different features and capabilities. The connection protocols Windows 2000 supports for remote access include: Point-to-Point Protocol (PPP), Point-to-Point Multilink Protocol, Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), Serial Line Internet Protocol (SLIP), and the Microsoft RAS protocol (also called AsyBEUI).
The Point-to-Point Protocol (PPP) is currently the industry standard
remote connection protocol. PPP connections support multiple transport
protocols, including TCP/IP, NWLink IPX/SPX/NetBIOS Compatible
Transport Protocol,AppleTalk, and NetBEUI.
The Point-to-Point Multilink Protocol is an extension of PPP. Point-to-
Point Multilink Protocol combines the bandwidth from multiple physical
connections into a single logical connection. This means that multiple
modem, ISDN, digital link, or X.25 connections can be bundled together
to form a single logical connection with a much higher bandwidth than a
single connection can support.
The Point-to-Point Tunneling Protocol (PPTP) permits a virtual private network (VPN) connection between two computers over an existing TCP/IP network connection. The existing TCP/IP network connection can be over the Internet, a local area network, or a remote access TCP/IP connection. All standard transport protocols are supported within the PPTP connection. PPTP encrypts the tunneled data with Microsoft Point-to-Point Encryption (MPPE). The MPPE keys are derived from the MS-CHAP, MS-CHAP v2, or EAP-TLS authentication exchange, so with MS-CHAP a PPTP tunnel is only as strong as the user's password.
The Layer Two Tunneling Protocol (L2TP), like PPTP, permits a VPN connection between two computers over an existing TCP/IP network connection. The major difference between the two is how the data is protected: L2TP has no encryption of its own, and Windows 2000 secures L2TP tunnels with IPSec, which also authenticates both computers (normally with certificates) before any user credentials are sent. In addition, L2TP is rapidly becoming the industry standard tunneling protocol. Currently, only Windows 2000 remote access clients and remote access servers support L2TP.

TIP
If you plan to use L2TP VPN connections, you must install computer
(machine) certificates on both the Windows 2000 remote access server
and the remote access client. For more information on Certificate
Services, see Chapter 18.

The Serial Line Internet Protocol (SLIP) is an older connection protocol commonly associated with UNIX computers. SLIP connections are only supported on the client side of the remote access connection; a Windows 2000 remote access server doesn't support incoming SLIP connections. The only transport protocol that SLIP supports is TCP/IP.
The Microsoft RAS protocol (also called AsyBEUI) is supported by the
Windows 2000 Routing and Remote Access service to enable inbound
connections from legacy client computers, including MS-DOS, Windows
for Workgroups, and Windows NT 3.1. The only transport protocol that
can be used with AsyBEUI is NetBEUI.

Transport Protocols Supported by Remote Access


All Windows 2000 standard transport protocols are supported by the
Routing and Remote Access service. Remote access clients can connect to
a Windows 2000 remote access server by using:
■ TCP/IP
■ IPX — including NWLink IPX/SPX/NetBIOS Compatible
Transport Protocol
■ NetBEUI
■ AppleTalk
The DLC protocol is not supported by remote access in Windows 2000.
Remote access clients can use one or more of these transport protocols on
a remote access connection. For example, a client computer that needs to
access a Windows 2000 Server and a NetWare server via a remote access
server can use both TCP/IP and NWLink IPX/SPX/NetBIOS Compatible
Transport Protocol during a single remote access connection.
A Windows 2000 remote access server can act as a router for remote
access client computers that use TCP/IP, IPX, or AppleTalk, enabling these
remote access clients to access other computers on the network.A Windows
2000 remote access server can also function as a NetBIOS gateway for
remote access clients that use the NetBEUI protocol.

Enabling and Configuring Remote Access


The Routing and Remote Access Service is installed by default on all
Windows 2000 Server (and Advanced Server) computers. However, remote
access is not automatically enabled.
If you haven’t enabled routing on your Windows 2000 Server computer,
you can use the Routing and Remote Access Server Setup wizard to enable
remote access.
If you have already enabled routing on your Windows 2000 Server
computer, enabling remote access is as simple as selecting a check box in
the server’s Properties dialog box in Routing and Remote Access.
I’ll show you how to use both of these methods to enable remote access.

STEP BY STEP

ENABLING REMOTE ACCESS WHEN ROUTING HAS NOT BEEN ENABLED

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.


2. In the left pane of the Routing and Remote Access dialog box, right-click the
server on which you want to enable remote access and select “Configure and
Enable Routing and Remote Access” from the menu that appears.
3. The Routing and Remote Access Server Setup wizard starts. Click Next.
4. The Common Configurations screen appears. Select the “Remote access server”
option. Or, if this server will be used only for incoming VPN connections, select
the “Virtual private network (VPN) server” option. Figure 17-1 shows this screen
configured for a remote access server. Click Next.
5. In the Remote Client Protocols screen, verify that all network protocols required on
the server are listed. Commonly listed protocols include TCP/IP, IPX, and AppleTalk.
If you need to add additional protocols, select the “No, I need to add protocols”
option. If you select this option, the wizard stops and directs you to install the
necessary protocols in the Network and Dial-up Connections folder,
and then to run this wizard again.
If all the protocols you need are listed, accept the default option of “Yes, all of the
available protocols are on this list.” Click Next.
6. If your Windows 2000 Server computer has multiple network adapter cards
installed, a list of the local area connections on this computer and their corre-
sponding network adapters is displayed. Select the local area connection for
which you want to enable remote access. Remote access clients will access
resources on your LAN by using the selected local area connection. Click Next.

FIGURE 17-1 Enabling remote access

7. In the IP Address Assignment screen, select the method you want to use for
assigning IP addresses to remote access clients. Your choices are “Automatically”
(this is the default setting), or “From a specified range of addresses.” Select
Automatically if you use a DHCP server on your network. Click Next.

TIP
If you choose to use a DHCP server to assign IP addresses to remote access clients, the remote access server obtains the addresses from the DHCP server itself and hands them to clients as they connect; it does not forward the clients' DHCP requests over the PPP link. If the DHCP service is not installed on the remote access server, install the DHCP Relay Agent on it so that the DHCPInform messages remote clients send to obtain DHCP options (DNS and WINS server addresses, for example) are forwarded to your DHCP server. Without the relay agent, clients get an address but none of the options.

8. In the Managing Multiple Remote Access Servers screen, choose whether this
remote access server will authenticate remote access clients directly, or will use a
RADIUS server for client authentication. If you choose to use a RADIUS server,
you will be prompted for a primary and alternate RADIUS server host name and
for a shared secret password that this server will use to connect to the RADIUS
server. Make your selection and click Next.
9. In the Completing the Routing and Remote Access Server Setup Wizard screen,
click Finish.
10. If you chose to use a DHCP server for IP address assignments in Step 7, and this
server is not a DHCP server, a warning dialog box appears, indicating that you
must install and configure the DHCP Relay Agent on this server. (See Chapter 16
for information on installing and configuring this routing protocol.) Click OK.

11. Windows 2000 starts the Routing and Remote Access service. Your Windows
2000 Server computer is now configured as a remote access server (or a VPN
server). Close Routing and Remote Access.

If you have previously enabled routing on your Windows 2000 Server computer, the steps to enable remote access are much simpler.

STEP BY STEP

ENABLING REMOTE ACCESS WHEN ROUTING IS ENABLED

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.


2. In the left pane of the Routing and Remote Access dialog box, right-click the
server on which you want to enable remote access and select Properties from the
menu that appears.
3. The server’s Properties dialog box appears, as shown in Figure 17-2. Select the
check box next to “Remote access server.” Click OK.

FIGURE 17-2 Enabling remote access when routing is already enabled



4. A Routing and Remote Access warning message appears, indicating that the
router must be stopped and restarted. Click Yes.
5. Windows 2000 stops and restarts the Routing and Remote Access service.
Close Routing and Remote Access.

Once remote access is enabled, you will want to configure it, and you will certainly want to add and configure inbound connection ports. I'll describe how to perform these tasks in the following sections.

Configuring the Properties of the Remote Access Server
Like many services in Windows 2000, Routing and Remote Access has its
own administrative tool for configuring and managing the service. This
tool is called Routing and Remote Access, and is accessed from the
Administrative Tools menu. Alternately, you can access the Routing and
Remote Access tool by using Computer Management.You can configure a
Windows 2000 remote access server by accessing the server’s Properties
dialog box.

STEP BY STEP

TO ACCESS A REMOTE ACCESS SERVER’S PROPERTIES DIALOG BOX


1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, right-click the
remote access server you want to configure, and select Properties from the menu
that appears.
3. The remote access server’s Properties dialog box is displayed. Figure 17-2 shows
this dialog box. Once you access this dialog box, you can configure settings on
its many tabs.

You can configure numerous properties of a Windows 2000 remote access server, including security options, settings for each transport protocol installed on the server, and event logging. I'll discuss each of these properties in the following sections.

Configuring Security
You can configure an authentication provider and an accounting provider
on the Security tab in a Windows 2000 remote access server’s Properties
dialog box.You can also select the authentication methods this server will
use. Figure 17-3 shows the Security tab.

FIGURE 17-3 The Security tab

The first item you can configure on this tab is an authentication provider. An authentication provider determines whether the remote user's credentials are valid, and whether the remote user has permission to connect to the remote access server. The possible choices in this drop-down list box are Windows Authentication and RADIUS Authentication.
If Windows Authentication is selected, the Windows 2000 remote access server validates the credentials the client presents (a password, a challenge response, or a certificate, depending on the authentication method negotiated) against the local user account database on the remote access server, or against Active Directory. Windows Authentication is the most commonly used authentication provider, and is the right choice unless a RADIUS server is used.
If RADIUS Authentication is selected, this remote access server forwards the authentication of remote access clients to a specified RADIUS server. RADIUS (Remote Authentication Dial-In User Service) is an industry-standard authentication service. It is typically used by ISPs to maintain a centralized user accounts database, and it is often used in an enterprise environment to provide centralized authentication and accounting services for multiple remote access servers. If you select RADIUS Authentication, you must configure this remote access server to use one or more RADIUS servers. To do this, click Configure. The shared secret you enter there is what authenticates this server to the RADIUS server, binds each RADIUS reply to the request it answers, and hides any PAP password in transit, so choose a long random value and guard it as you would an administrator password.
Next, you need to select an accounting provider. An accounting
provider logs all connection attempts and session activity on the remote
access server. The possible choices in this drop-down list box are: None,
Windows Accounting, and RADIUS Accounting.
If you don’t want to track accesses and attempted accesses to the Windows
2000 remote access server, select None. Otherwise, select an accounting
provider that matches the authentication provider you selected in the top part
of this dialog box. If you select RADIUS Accounting, centralized accounting
of activity on all remote access servers is maintained by the RADIUS server.
If you select RADIUS Accounting, you must configure this remote access
server to use one or more RADIUS servers.To do this, click Configure.
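To make the role of the shared secret concrete, here is an added example, written for this chapter rather than taken from the book or from Windows 2000, that builds a RADIUS Access-Request carrying a PAP password, handles it on the RADIUS server side, and verifies the Access-Accept on the remote access server side, following RFC 2865. The user name, password, shared secret, NAS address and the fixed Request Authenticator used in the demonstration are constructed values; a real remote access server draws the authenticator from a random source.

```python
"""RADIUS Access-Request / Access-Accept exchange with a PAP password (RFC 2865).

Added example; the names, addresses and fixed authenticator below are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_attrs(attrs):
    """Attributes are TLVs: Type (1 byte), Length (1 byte, includes header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; the RADIUS server runs this with the same secret."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def response_authenticator(code, identifier, request_authenticator, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the reply
    came from a server holding the secret and binds it to this particular request."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def build_access_request(user, password, secret, identifier, request_authenticator=None):
    """Remote access server (the RADIUS client) side."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)  # must be unpredictable in real use
    attrs = [
        (ATTR_USER_NAME, user),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator)),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 10, 5])),  # constructed NAS address
    ]
    packet = build_packet(ACCESS_REQUEST, identifier, request_authenticator, attrs)
    return packet, request_authenticator


def radius_server_handle(packet, secret, user_db):
    """RADIUS server side: recover the password and answer Accept or Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_authenticator = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_authenticator)
    granted = user in user_db and hmac.compare_digest(user_db[user], password)
    code = ACCESS_ACCEPT if granted else ACCESS_REJECT
    auth = response_authenticator(code, identifier, request_authenticator, [], secret)
    return build_packet(code, identifier, auth, [])


def verify_response(response, request_authenticator, secret):
    """Remote access server side: trust the reply only if its authenticator checks out.
    Returns the response code, or None when the reply cannot be trusted."""
    code, identifier, _ = struct.unpack("!BBH", response[:4])
    attrs = decode_attrs(response[20:])
    expected = response_authenticator(code, identifier, request_authenticator, attrs, secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    SECRET = b"Xk7!pQ2#vLm9@rTz"          # constructed shared secret
    USERS = {b"alice": b"Winter2000!"}    # constructed RADIUS user database
    request, ra = build_access_request(b"alice", b"Winter2000!", SECRET, identifier=7)
    reply = radius_server_handle(request, SECRET, USERS)
    print("verified code:", verify_response(reply, ra, SECRET))
    # A RADIUS server holding a different secret recovers garbage for the password ...
    reply = radius_server_handle(request, b"wrong-secret", USERS)
    # ... and its reply fails the authenticator check on the remote access server.
    print("verified code with mismatched secret:", verify_response(reply, ra, SECRET))
```

Two things the code makes visible. The PAP password never crosses the wire in the clear, but it is only as hidden as the secret is unguessable: anyone who captures the packet can test candidate secrets offline against the hidden password, which is why a short or dictionary secret defeats the purpose. And a remote access server whose secret does not match the RADIUS server's cannot validate the reply, which is how a mistyped secret shows up in practice, as every logon failing rather than as an obvious configuration error.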
Finally, you can select the authentication methods that will be used by
this remote access server to authenticate remote access clients. To select
these methods, click Authentication Methods. Figure 17-4 shows the
Authentication Methods dialog box. Notice that two versions of Microsoft
encrypted authentication are selected by default.

FIGURE 17-4 Selecting authentication methods



You can select one or more of the following authentication methods. When a client connects, the server offers the enabled methods from strongest to weakest and the first one the client accepts is used, so every method you leave enabled is one a client can negotiate down to.

■ Extensible Authentication Protocol (EAP): Rather than fixing the method in advance, EAP lets the remote access client and the remote access server negotiate one. In Windows 2000 the choices are EAP-TLS, which authenticates the user with a certificate (typically a smart card and PIN) and also authenticates the server to the client, and MD5-Challenge, which is CHAP carried inside EAP and offers no more protection than CHAP. EAP can also carry third-party methods, such as biometric devices (a thumbprint reader, for example).
■ Microsoft encrypted authentication version 2 (MS-CHAP v2): This protocol uses a mutual authentication process. The remote access server sends a 16-byte challenge. The remote access client generates a 16-byte challenge of its own, computes a response from the NT hash of the user's password, both challenges and the user name, and sends the user name, its challenge and the response to the remote access server. The remote access server (or RADIUS server) verifies the response and returns an authenticator response computed from the password hash; the client checks this before completing the connection, so it knows it is talking to a server that holds its credentials. The password itself is never transmitted, and the MPPE session keys (different in each direction) are derived from this exchange. Version 2 is a more secure authentication method than the original and should be used whenever the clients support it.
■ Microsoft encrypted authentication (MS-CHAP): This protocol causes the remote access server to send an 8-byte challenge to the remote access client. The client replies with the remote user's name in clear text and a 24-byte response computed from the LAN Manager and/or NT hash of the password and the challenge. The remote access server (or RADIUS server) recomputes the response from the stored password hash and authenticates the user. MS-CHAP does not authenticate the server to the client, and its LAN Manager response is weak, which is why MS-CHAP v2 is preferred.
■ Encrypted authentication (CHAP): This protocol is similar to Microsoft encrypted authentication (MS-CHAP), but the response is a Message Digest 5 (MD5) hash computed over the challenge and the password itself rather than over a hash of the password. CHAP is often used to support remote access clients that don't support MS-CHAP or MS-CHAP v2. Because the server must be able to recompute that hash, if you select this authentication method you must configure users to store their passwords in a reversibly encrypted form by configuring a password policy in Domain Security Policy or Group Policy.
■ Shiva Password Authentication Protocol (SPAP): This provides support for remote users that use the Shiva LANRover client to connect to the remote access server. The protocol works similarly to CHAP but is generally less secure: the password is sent in a reversible form, so a captured exchange can be decoded or replayed.
■ Unencrypted password (PAP): This is a clear text credential exchange protocol; anyone who can capture the link traffic obtains the user name and password. Avoid it unless the remote access client supports none of the preceding methods and security is not a major concern, and remember that leaving it enabled lets any client negotiate down to it.
■ Allow remote systems to connect without authentication: If you select this option, the remote access server performs no authentication at all, and every remote access client is permitted to connect. Leave this option cleared on any server that can be reached from outside your network.
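The following added example (mine, not the book's and not Windows code) walks through a CHAP exchange as defined in RFC 1994 from both ends of the link, and then shows what the captured exchange is worth to an eavesdropper. It also explains the reversible-encryption requirement above: the server can only recompute MD5(Identifier, password, Challenge) if it has the password itself, not a hash of it. The user names, passwords, the fixed challenge and the word list are constructed.

```python
"""PPP CHAP with MD5 (RFC 1994): the challenge/response on both sides, and what a
captured exchange gives an attacker. Added example; user names, passwords, the
fixed challenge and the word list are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier, password, challenge):
    """Client side. Response = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class ChapServer:
    """Remote access server side. To recompute the MD5 over the password it must hold
    the password itself, which is why CHAP needs "store password using reversible
    encryption" while MS-CHAP only needs the password hash."""

    def __init__(self, users):
        self.users = users        # {user name: clear-text password}
        self.pending = {}         # identifier -> outstanding challenge

    def issue_challenge(self, identifier=None, challenge=None):
        if identifier is None:
            identifier = os.urandom(1)[0]
        if challenge is None:
            challenge = os.urandom(16)  # must be unpredictable and never reused
        self.pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier, user, response):
        """One challenge answers one response; a replayed response fails."""
        challenge = self.pending.pop(identifier, None)
        if challenge is None or user not in self.users:
            return False
        expected = chap_response(identifier, self.users[user], challenge)
        return hmac.compare_digest(expected, response)


def chap_exchange(server, user, password, identifier=None, challenge=None):
    """Run one exchange and also return what a sniffer on the link would see:
    identifier, challenge and response travel in the clear; the password does not."""
    identifier, challenge = server.issue_challenge(identifier, challenge)
    response = chap_response(identifier, password, challenge)
    return server.verify(identifier, user, response), (identifier, challenge, response)


def offline_guess(captured, wordlist):
    """Given a captured exchange, test candidate passwords without touching the server.
    Nothing rate-limits this, so CHAP (like MS-CHAP) is only as strong as the password."""
    identifier, challenge, response = captured
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    server = ChapServer({b"alice": b"Winter2000"})
    ok, captured = chap_exchange(server, b"alice", b"Winter2000")
    print("authenticated:", ok)
    print("replay accepted:", server.verify(captured[0], b"alice", captured[2]))
    print("guessed from capture:", offline_guess(captured, [b"password", b"letmein", b"Winter2000"]))
```

The same offline check applies to captured MS-CHAP and MS-CHAP v2 exchanges, with DES and the NT hash in place of MD5. That is the practical reason to pair any of the challenge/response methods with a password policy, and to prefer EAP with certificates where the clients support it.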

Configuring IP and DHCP Integration


You can configure several IP settings on the IP tab in a Windows 2000
remote access server’s Properties dialog box. You can also configure the
remote access server for DHCP integration on this tab. This tab is only
available when TCP/IP is installed on the remote access server. Figure 17-5
shows the IP tab.

FIGURE 17-5 The IP tab



The first item you can configure on this tab is a check box that enables
IP routing on the remote access server. Select this check box to enable
remote access clients to access services on the network (to which the
remote access server is connected) by using TCP/IP. If you clear this check
box (which is selected by default), remote access clients will only be able to
use TCP/IP to access resources on the remote access server.
The next item you can configure on this tab is the “Allow IP-based
remote access and demand-dial connections” check box. If you clear this
check box (which is selected by default), remote access clients won’t be
able to use TCP/IP to connect to the remote access server.
The next configuration option determines how the remote access server assigns IP addresses to remote access clients. If you select the Dynamic Host Configuration Protocol (DHCP) option, the remote access server obtains addresses from the DHCP server on the network (in blocks, ten at a time by default) and hands one to each remote access client as it connects; the client never talks to the DHCP server directly, and DHCP options such as DNS and WINS server addresses reach it only if the DHCP Relay Agent is installed on the remote access server. If you select this option and no DHCP server is available when a remote access client connects, the remote access server assigns the client an address by using the Windows 2000 automatic private IP addressing feature. Such an address (in the 169.254.0.0/16 range) is a sign that the DHCP server could not be reached: the client connects, but it will normally be unable to reach anything on your LAN. If you select the “Static address pool” option, you can specify one or more ranges of IP addresses that the remote access server uses to assign to remote access clients.
Finally, in the Adapter drop-down list box, either select the Local Area
Connection you want the remote access server to use to obtain DHCP,
DNS, and WINS addresses for remote access clients, or select the option
that enables the remote access server to automatically select a connection.

Configuring IPX
You can configure several IPX settings on the IPX tab in a Windows 2000
remote access server’s Properties dialog box.This tab is only available when
the NWLink IPX/SPX/NetBIOS Compatible Transport Protocol is
installed on the remote access server. Figure 17-6 shows the IPX tab.
The first item you can configure on this tab is the “Allow IPX-based
remote access and demand-dial connections” check box. If you clear this
check box (which is selected by default), remote access clients won’t be
able to use IPX-based protocols, such as NWLink IPX/SPX/NetBIOS
Compatible Transport Protocol, to connect to the remote access server.

FIGURE 17-6 The IPX tab

The next item you can configure is a check box that enables network access for remote clients and demand-dial connections. Selecting this check box enables IPX routing on the remote access server. This check box is selected by default. Select this check box if remote access clients will access services on the network to which the remote access server is connected by using an IPX-based protocol. If you clear this check box, remote access clients will only be able to use IPX to access resources on the remote access server, but not the network.
The next several options control how the remote access server assigns IPX network and node numbers to remote access clients. You can either configure the remote access server to automatically assign IPX network numbers, or configure the server to assign these numbers from a predefined range.
You can configure the remote access server to use the same IPX network number for all IPX remote access clients. (This option is selected by default.) If you clear this check box, the remote access server will assign a different IPX network number to each remote access client.
Finally, you can configure the remote access server to permit remote access clients to request a specific IPX node number.

Configuring NetBEUI
There are a couple of configurable options on the NetBEUI tab in a
Windows 2000 remote access server’s Properties dialog box. This tab is
only available when NetBEUI is installed on the remote access server.
Figure 17-7 shows the NetBEUI tab. Notice that by default, remote access
clients that use NetBEUI are permitted to access the remote access server
and the entire network to which the remote access server is connected.

FIGURE 17-7 The NetBEUI tab

If you want to permit remote access clients to use NetBEUI to connect to the remote access server, but you don't want these clients to access resources on the network to which the remote access server is connected, select the “This computer only” option.
If you want to prevent remote access clients from using NetBEUI to connect to the remote access server, clear the check box next to “Allow NetBEUI based remote access clients to access.”

Configuring AppleTalk
There is only one configurable option on the AppleTalk tab in a Windows
2000 remote access server’s Properties dialog box.This tab is only available
when the AppleTalk protocol is installed on the remote access server.
By default, remote access clients are permitted to access the remote access server (and the network to which the remote access server is connected) by using AppleTalk. If you want to prevent remote access clients from using AppleTalk to connect to the remote access server, clear the check box next to “Enable AppleTalk remote access.”

Configuring PPP
You can configure several PPP settings on the PPP tab in a Windows 2000
remote access server’s Properties dialog box. Figure 17-8 shows the PPP
tab. Notice that all of the options in this dialog box are selected by default.

FIGURE 17-8 The PPP tab

When the check box next to “Multilink connections” is selected, remote access clients are permitted to combine the bandwidth from multiple physical connections into a single logical connection. This means that multiple modem, ISDN, digital link, or X.25 connections can be bundled together to form a single logical connection with a much higher bandwidth than a single connection can support. When this check box is selected, the Point-to-Point Multilink Protocol is enabled on the remote access server.
The next option on this tab is an additional setting that is only available when multilink connections are enabled. When the check box next to “Dynamic bandwidth control using BAP or BACP” is selected, the remote access server and remote access client are permitted to negotiate the dynamic addition and deletion of physical connections as bandwidth needs change during the remote access session.
When the check box next to “Link control protocol (LCP) extensions”
is selected, the remote access server uses Link Control Protocol (LCP)
extensions when communicating with remote access clients that use PPP. I
recommend, for optimum remote access server functionality, that you leave
this check box selected unless you have a specific need that requires you to
clear it.
When the check box next to “Software compression” is selected, the
remote access server will compress the data it sends to remote access
clients. If you configure compression on this tab, you should disable
modem compression for modems on the remote access server. Software
compression is more efficient than modem compression.

Configuring Event Logging


You can configure the level of remote access event logging on the Event
Logging tab in a Windows 2000 remote access server’s Properties dialog
box. Figure 17-9 shows the Event Logging tab. Notice that the “Log errors
and warnings” option is selected by default.

FIGURE 17-9 The Event Logging tab



There are three levels of event logging you can select from: log errors
only (this setting logs the least amount of information), log errors and
warnings, and log the maximum amount of information. These logging
events are written to the System log, which you can view by using Event
Viewer. Or, you can disable event logging altogether.
Finally, you can choose whether to enable Point-to-Point Protocol (PPP) logging. If you select this check box, the remote access server logs the negotiation of every PPP connection (including which authentication method was agreed on) to the %SystemRoot%\Tracing\ppp.log file on the remote access server. If you select this option, you must stop and restart the Routing and Remote Access service before PPP logging will occur.
PPP logging can be used as an advanced troubleshooting tool when
remote access clients are unable to establish PPP connections with the
remote access server.You can use Notepad or your favorite text editor to
view the ppp.log file.

Adding and Configuring Inbound Connection Ports


A remote access server must have one or more communications ports that accept inbound connections from remote access clients. A remote access server often has both hardware ports (such as modems, parallel ports, infrared ports, and so on) and VPN ports, including PPTP and L2TP ports.
In order to support VPN ports, the remote access server must have one or more network adapter cards. Typically, when VPN ports are used, the remote access server has two network adapter cards installed: one accepts incoming VPN connections (usually from the Internet) and the other communicates with the local area network to which the remote access server is connected. Filter the Internet-facing adapter so that it accepts only VPN traffic: TCP port 1723 and GRE (IP protocol 47) for PPTP, and UDP port 500 (IKE) and ESP (IP protocol 50) for L2TP/IPSec. Nothing else on that adapter should be reachable from the Internet.
In the following sections I’ll explain how to add and configure hardware
ports and VPN ports.

Adding and Configuring Hardware Ports


By default, when you enable remote access on a Windows 2000 Server
computer,Windows 2000 automatically enables all of the computer’s exist-
ing hardware ports for remote access.
If you add hardware ports to a Windows 2000 Server computer after
remote access is enabled, usually Windows 2000 (because of its Plug and
Play capabilities) will automatically detect, install, configure, and enable the
hardware ports for remote access.
If Windows 2000 doesn't automatically detect and install your newly installed modem (or other hardware device), you can use a Control Panel application, such as Add/Remove Hardware or the Phone and Modem Options application, to install and configure the device.

CROSS-REFERENCE
For more information on using Add/Remove Hardware, see Chapter 5.
For detailed steps on installing and configuring modems by using Phone
and Modem Options, see Chapter 15.

You can view and modify the configurable properties of all remote
access ports (both hardware and VPN) by using Routing and Remote
Access. However, not all options are available for each port type.

STEP BY STEP

CONFIGURING A REMOTE ACCESS PORT

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, click the + next to
the server that contains the remote access port you want to configure. Right-click
Ports, and select Properties from the menu that appears.
3. The Ports Properties dialog box appears, as shown in Figure 17-10. Notice that
both hardware and VPN ports are listed. Also notice that there are five PPTP and
five L2TP ports.
Highlight the remote access port you want to configure, and click Configure.
4. The Configure Device dialog box for the port you selected appears, as shown in
Figure 17-11.
Ensure that the check box next to “Remote access connections (inbound only)” is
selected if you want this port to be used for inbound connections from remote
access clients.
Select the check box next to “Demand-dial routing connections (inbound and
outbound)” if this computer also functions as a router and you want to enable this
port for demand-dial connections.
If you’re configuring a modem port, enter the phone number of the modem.
Finally, if you’re configuring a PPTP port, an L2TP port, or a multiport hardware
device, you can configure the maximum number of ports of this type that the
Windows 2000 remote access server will support.
When you finish configuring the port, click OK.

FIGURE 17-10 Viewing ports in Routing and Remote Access

FIGURE 17-11 Configuring a remote access port

5. In the Ports Properties dialog box, click OK.
6. Close Routing and Remote Access.

Adding and Configuring VPN Ports

By default, when you configure your Windows 2000 Server computer as a
remote access server, Windows 2000 automatically creates and enables five
PPTP ports and five L2TP ports. If you configure the Windows 2000
Server computer as a VPN server, Windows 2000 automatically creates and
enables 128 PPTP ports and 128 L2TP ports.
To configure PPTP or L2TP ports, use the steps in the previous section
titled “Configuring a Remote Access Port.” To add additional PPTP or
L2TP ports, use the same steps, and in the Configure Device – WAN
Miniport (PPTP or L2TP) dialog box, specify a larger number in the
Maximum ports spin box. Figure 17-12 shows this dialog box after I have
increased the number of L2TP ports to 256. A Windows 2000 remote access
server can support up to 30,000 PPTP ports and up to 30,000 L2TP ports.

FIGURE 17-12 Remote access server configured to support 256 L2TP ports

Using Remote Access Policies to Control Access

Security is a critical consideration when implementing remote access on
your network. After all, you don’t want to expose your remote access
server, and potentially your entire local area network, to just anybody out
there who happens to have a modem and the telephone number of your
remote access server.

In Windows 2000, access to the remote access server is controlled by
using remote access policies. A remote access policy has three components:
■ Conditions: These are one or more predefined attributes that must
be matched by the remote access client attempting to connect to the
remote access server. Common conditions include: day and time
restraints, telephone number from which the remote access
connection is initiated, remote access client computer name, and so on. If
more than one condition is specified, all conditions must be matched.
■ Permissions: A remote access permission either specifically grants
access or denies access to the remote access server.
■ Profile: This is a collection of settings that specify numerous
properties that are applied to the remote access connection established
by a remote access client using the remote access policy that
contains the profile. The available settings in a profile include dial-in
constraints, IP address assignment options, multilink options,
authentication methods, encryption options, and so on.
The elements contained in a remote access policy are applied to a remote
access client in a predetermined order. First, the remote access client must
meet all conditions specified in a remote access policy. If the remote access
client meets all of the policy’s conditions, then the remote access client must
be granted permission to access the remote access server. Finally, if all
conditions are met and permission is granted, the settings of the profile are
applied to the connection the remote access client is establishing.
A user can connect to a Windows 2000 remote access server only if a
remote access policy permits the user to do so. Windows 2000 creates a
default remote access policy when remote access is enabled. The default
remote access policy is a basic policy that permits any remote user that is
allowed the dial-in remote access permission to connect to the remote
access server. In addition, you can create multiple remote access policies for
a remote access server.
Remote access policies are not stored in Active Directory, and should
not be confused with Group Policy. Rather, remote access policies are
stored on the Windows 2000 remote access server. Remote access policies,
then, are applied on a server-by-server basis. In this way, administrators can
place varying degrees of control on each remote access server, depending
on the security requirements of their network. Optionally, if you use a
RADIUS server for remote access authentication, you can centrally
manage remote access policies by creating them on the RADIUS server (or on
an Internet Authentication Service (IAS) server, which is the Windows
2000 implementation of RADIUS).
You can use the Routing and Remote Access administrative tool to
create new remote access policies.

STEP BY STEP

CREATING A REMOTE ACCESS POLICY

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, click the + next to
the server for which you want to create a new remote access policy. Right-click
Remote Access Policies, and select New Remote Access Policy from the menu
that appears.
3. The Add Remote Access Policy dialog box appears. Type in a name for the
remote access policy. Click Next.
4. In the screens that follow, specify conditions, permissions, and a profile for the
policy. (I’ll cover details on each of these items in the next several sections.) After
you complete these steps, click Finish.
5. Close Routing and Remote Access.

You can also use Routing and Remote Access to configure or edit any
existing remote access policy.

STEP BY STEP

CONFIGURING A REMOTE ACCESS POLICY


1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, click the + next to
the server that has the remote access policy you want to configure. Highlight
Remote Access Policies. Then, in the right pane, double-click the remote access
policy you want to configure.
3. The policy’s Properties dialog box appears. Configure conditions, permissions,
and the policy’s profile as appropriate. (I’ll cover details on each of these items in
the next several sections.) Click OK.
4. Close Routing and Remote Access.

In the following sections I’ll show you how to specify conditions for a
remote access policy, how to configure remote access permission options,
and how to configure a profile for a remote access policy. I’ll also discuss
the order in which multiple remote access policies are applied.

Specifying Conditions for a Remote Access Policy


A remote access policy must have at least one condition, and may have
multiple conditions. You can specify a remote access policy’s conditions
either when you first create the remote access policy, or later in the policy’s
Properties dialog box. (To access a remote access policy’s Properties dialog
box, follow the steps titled “Configuring a Remote Access Policy” in the
previous section.)
Table 17-1 lists and describes the conditions you can assign to a remote
access policy.
TABLE 17-1 Remote Access Policy Conditions

Called-Station-ID: Phone number dialed by the remote access client
Calling-Station-ID: Phone number from which call originated
Client-Friendly-Name: Friendly name for the RADIUS client (IAS only) (IAS is the Windows 2000 implementation of the RADIUS server standard.)
Client-IP-Address: IP address of RADIUS client (IAS only)
Client-Vendor: Manufacturer of RADIUS proxy or NAS (IAS only) (NAS stands for network access server. A NAS is a proprietary, hardware-based remote access server.)
Day-And-Time-Restrictions: Time periods and days of the week during which the remote access client is permitted to connect
Framed-Protocol: The connection protocol to be used by the remote access client (PPP, AppleTalk Remote Access Protocol [ARAP], X.25, and so on)
NAS-Identifier: String identifying the NAS originating the request (IAS only)
NAS-IP-Address: IP address of the NAS originating the request (IAS only)
NAS-Port-Type: Type of physical port used by the NAS originating the request (IAS only)
Service-Type: Type of service the remote access client has requested (such as Login, Callback, and so on)
Tunnel-Type: Tunneling protocols that can be used by the remote access client (such as PPTP, L2TP, and so on)
Windows-Groups: Windows security groups to which the remote access user belongs

Probably the two most commonly used conditions are Windows-Groups
and Day-And-Time-Restrictions. Windows-Groups are used to
allow (or deny) access to remote users that are members of a particular
security group. Day-And-Time-Restrictions allow you to specify which
days and hours connections to the remote access server are permitted.
You may have noticed that the descriptions for several of the conditions
listed in Table 17-1 indicate “IAS only.” IAS, which stands for Internet
Authentication Service, is a Windows 2000 Server service that enables a
Windows 2000 Server computer to function as a RADIUS server. These
conditions should only be used for remote access policies on a Windows
2000 Server computer that has IAS installed and is functioning as a
RADIUS server.

Configuring Remote Access Permission Options


There are two methods of assigning permissions for remote access clients.
You can assign permissions by modifying a user’s account properties, or by
configuring the properties of a remote access policy. The method you
choose to assign permissions to remote access clients depends on the size
of your network, and whether your Windows 2000 domain is operating in
native-mode or mixed-mode.
If you have a large network, you’ll probably decide to manage permissions
for remote access clients by using remote access policies. On a small
network, you might decide to manage these permissions on a user-by-user basis.
When your Windows 2000 domain is operating in mixed-mode, you
must manage permissions for remote access clients on a user-by-user
basis — you can’t use remote access policies to manage permissions. If your
Windows 2000 domain is operating in native-mode, you can use either
method to assign permissions to remote access clients.

STEP BY STEP

ASSIGNING REMOTE ACCESS PERMISSIONS TO USER ACCOUNTS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, click the
+ next to the name of the domain that contains the user account you want to
configure. Highlight the Users folder or the OU that contains that user account. In
the right pane, double-click the user account. Or, you can right-click the user
account, and select Properties from the menu that appears.
3. In the user’s Properties dialog box, click the Dial-in tab.
4. The Dial-in tab appears, as shown in Figure 17-13. This figure shows a user
account’s properties in a Windows 2000 domain operating in native-mode. In a
Windows 2000 domain operating in mixed-mode, the Control access through
Remote Access Policy, Verify Caller-ID, Assign a Static IP address, and Apply
Static Routes options are grayed out and not available.

FIGURE 17-13 Configuring remote access permissions for a user account


There are numerous options you can configure in this dialog box:
■ Allow access: Select this option if you want to permit this user to connect
to the remote access server.
■ Deny access: Select this option if you want to prevent this user from
connecting to the remote access server.
■ Control access through Remote Access Policy: Select this option if you
want the remote access policy — not the user account — to determine whether
the user can connect to the remote access server.

TIP
Remote access permissions configured in a user’s properties dialog box
override permission settings in a remote access policy unless the user
account is configured to “Control access through Remote Access Policy.”

■ Verify Caller-ID: Select this option if you want to prevent the user from
using any telephone number — except the one number you specify — to initiate
a connection with the remote access server. If you select this option, you’ll
need to enter the number from which the user is permitted to connect. Often
this is a user’s home telephone number.
■ No Callback: Select this option if you want to prevent the user from
requesting that the remote access server break the connection and call the
user back. When this option is selected, it ensures that the user dialing in —
not the server — is billed for any long-distance telephone charges.
■ Set by Caller (Routing and Remote Access Service only): Select this
option if you want to permit the user to request that the remote access
server break the connection and call the user back at a user-specified
telephone number.
■ Always Callback to: Select this option if you want the remote access
server to automatically break the connection and call the user back at a
prespecified telephone number. This option provides a measure of security,
because the remote access server will only call the user back at one
prespecified number. If you select this option, you must specify the telephone
number that the remote access server will call back.
■ Assign a Static IP Address: Select this option when the user dialing in
requires a specific static IP address. If you select this option, you must specify
an IP address that will be assigned to the user during remote access
connections. This option is often used when a user account is used to authenticate a
demand-dial routing connection.
■ Apply Static Routes: Select this option if this user account is used to
authenticate a demand-dial routing connection, and you want to specify
static routes that will be added to the remote router’s routing table when the
connection is established. If you select this option, you must also configure
the static routes.
When you finish configuring options on this tab, click OK.
5. Close Active Directory Users and Computers.

You can specify a remote access policy’s permissions either when you first
create the remote access policy, or later in the policy’s Properties dialog box.
To access the policy’s Properties dialog box in Routing and Remote Access,
see the steps titled “Configuring a Remote Access Policy” in the “Using
Remote Access Policies to Control Access” section earlier in this chapter.
Figure 17-14 shows the Properties dialog box for the default remote access
policy, which is named “Allow access if dial-in permission is enabled.”

FIGURE 17-14 Configuring remote access permissions in a remote access policy


As Figure 17-14 shows, there are only two permissions options in this
dialog box:
■ Grant remote access permission: If this option is selected, the
user is permitted to connect to the remote access server as long as
the remote access client meets the policy’s conditions, unless the
user’s account properties are configured to “Deny access.”
■ Deny remote access permission: If this option is selected, the
user is prevented from connecting to the remote access server if the
remote access client meets the policy’s conditions, unless the user’s
account properties are configured to “Allow access.”

Configuring a Profile for a Remote Access Policy


Once you’ve specified conditions for a remote access policy and configured
permissions, you’re ready to configure a profile for the remote access policy.
A remote access policy’s profile is a collection of settings that specify
numerous properties that are applied to the remote access connection
established by a remote access client using the remote access policy that
contains the profile.
You might wonder why a remote access policy even needs a profile,
because many of the profile settings mirror the types of settings you can
define in a remote access policy’s conditions. However, conditions only
determine which policy is applied to the remote access client, while the
profile specifies how the connection operates.
You can configure a remote access policy’s profile either when you first
create the remote access policy, or later in the policy’s Properties dialog
box. To access the policy’s Properties dialog box in Routing and Remote
Access, see the steps titled “Configuring a Remote Access Policy” in the
“Using Remote Access Policies to Control Access” section earlier in this
chapter. To configure a remote access policy’s profile, click Edit Profile in
the policy’s Properties dialog box.
The available settings in a profile are contained on six tabs in this dialog
box: Dial-in Constraints, IP, Multilink, Authentication, Encryption, and
Advanced. I’ll show you how to configure each of these tabs in the next
several sections.

Configuring Dial-in Constraints


Dial-in constraint settings do what their name implies — they restrict
certain aspects of the remote access connection. You can configure these
settings on the Dial-in Constraints tab, which is shown in Figure 17-15.

FIGURE 17-15 Configuring dial-in constraints

There are five configurable options on this tab:
■ Disconnect if idle for: If you select this option, you can specify
the number of minutes the remote access server will permit the
connection to be idle before it disconnects the remote access client.
■ Restrict maximum session to: If you select this option, you can
limit the length of the dial-in connection to a specified number of
minutes. When this time limit is reached, the remote access server
disconnects the remote access client.
■ Restrict access to the following days and times: If you select
this option, you can specify the days of the week and the hours
during the day when dial-in connections will be permitted.
■ Restrict Dial-in to this number only: If you select this option,
remote access clients are only permitted to establish a dial-up
connection by using the one telephone number you specify in the
corresponding text box.
■ Restrict Dial-in media: If you select this option, you can specify
the types of connections that will be permitted. For example, if you
only want remote access clients to connect to the remote access
server by using a modem, you can select this option and then select
the Async (Modem) check box.

Configuring IP Address Assignment


You can configure IP address assignment policy and define IP packet
filtering for the remote access connection on the IP tab, which is shown in
Figure 17-16.

FIGURE 17-16 Configuring IP address assignment policy


There are three IP address assignment policy options on this tab:
■ Server must supply an IP address: Select this option if you
want the remote access server to assign an IP address to the remote
access client for the connection.
■ Client may request an IP address: Select this option if you want
to permit the remote access client to request a specific IP address.
■ Server settings define policy: Select this option if you want the
IP settings configured in the remote access server’s Properties dialog
box to govern how IP addresses are assigned to remote access clients.
In addition to configuring IP address assignment policy, you can define
IP packet filters that will apply during the remote access connection. To
specify an IP packet filter that filters the IP traffic sent from the remote
access client, click “From client” and configure a packet filter. To specify an
IP packet filter that filters the IP traffic sent from the remote access server to the
remote access client, click “To client” and configure a packet filter.

CROSS-REFERENCE
Configuring TCP/IP packet filters was covered in Chapter 16.

Configuring Multilink Connection Options


You can configure various multilink options on the Multilink tab, which is
shown in Figure 17-17.
You may recall that multilink connections permit remote access clients to
combine the bandwidth from multiple physical connections into a single
logical connection. This means that multiple modem, ISDN, digital link, or
X.25 connections can be bundled together to form a single logical
connection with a much higher bandwidth than a single connection can support.
There are three multilink options on this tab:
■ Default to server settings: If you select this option, the multilink
settings configured on the PPP tab in the remote access server’s
Properties dialog box will determine whether multilink is used for
this remote access connection.
■ Disable multilink (restrict client to single port): If you select
this option, remote access clients won’t be able to use multilink for
the remote access connection.

FIGURE 17-17 Configuring multilink options

■ Allow Multilink: If you select this option, remote access clients
will be permitted to use multilink for the remote access connection.
You can also specify Bandwidth Allocation Protocol (BAP) settings on
the Multilink tab. If usage of the remote access connection falls below a
specified capacity of the combined lines for the specified number of
minutes, the remote access server will disconnect one of the lines used in the
multilink connection. You can also require that BAP be used for requests
made by the remote access client to dynamically add or remove lines
during the multilink connection.

Configuring Authentication Methods


You can configure authentication methods for the remote access
connection on the Authentication tab, which is shown in Figure 17-18. Only the
authentication methods you select on this tab will be used to authenticate
remote access users who connect by using the remote access policy that
contains this profile.

FIGURE 17-18 Configuring authentication methods

The options in this dialog box are virtually identical to the
authentication methods that can be configured for the remote access server. If you
need more information on any of the authentication methods listed on this
tab, see the “Configuring Security” section earlier in this chapter.

Configuring Encryption
You can select one or more encryption options that the remote access
client can choose to use on the connection. The remote access client must
use one of the options selected. Figure 17-19 shows the Encryption tab.
Notice the four options on this tab. The last option, Strongest, is only
available after you’ve downloaded and installed the Windows 2000 High
Encryption Pack from the Microsoft Web site
(http://www.microsoft.com/windows2000/downloads/).
Here’s a list of the encryption options and what each specifies:
■ No Encryption: If you select this option, remote access clients
can connect to the remote access server without using any
encryption. If you want to require the remote access client to use
encryption, ensure that this check box is cleared.

FIGURE 17-19 Selecting encryption options

■ Basic: If you select this option, remote access clients can use IPSec
56-bit DES or MPPE 40-bit encryption. If the remote access client
uses “basic” encryption, it will use IPSec for all L2TP VPN
connections, and Microsoft Point-to-Point Encryption (MPPE) 40-bit
encryption for all other types of remote access connections.
■ Strong: If you select this option, remote access clients can use
IPSec 56-bit DES or MPPE 56-bit encryption. If the remote
access client uses “strong” encryption, it will use IPSec for all L2TP
VPN connections, and MPPE 56-bit encryption for all other types
of remote access connections.
■ Strongest: If you select this option, remote access clients can use
IPSec Triple DES (3DES) or MPPE 128-bit encryption. If the
remote access client uses “strongest” encryption, it will use IPSec
3DES for all L2TP VPN connections, and MPPE 128-bit
encryption for all other types of remote access connections.

Configuring Advanced Connection Attributes


The last tab in the profile’s dialog box is the Advanced tab. On this tab, you
can specify additional RADIUS attributes that will be sent from the
RADIUS server to the remote access client during the connection
establishment process. Figure 17-20 shows the Advanced tab.

FIGURE 17-20 Configuring advanced RADIUS options

To add additional parameters, click Add and select from the numerous
available RADIUS attributes. As you might guess, you only need to
configure options on this tab if you’re using a RADIUS server for authentication.

How Remote Access Policies Are Applied


It’s common for multiple remote access policies to exist on a remote access
server. When a remote access client attempts to connect to the remote
access server and multiple remote access policies exist, the remote access
server performs the following actions:
1. The remote access server compares the conditions of each remote access
policy, one at a time (in the order the policies are listed in the Routing
and Remote Access console), with the conditions of the attempted
connection. When the remote access server locates a policy that has
conditions that match the conditions of the attempted connection, that
policy is applied to the attempted connection. If the conditions of the
attempted connection don’t match the conditions of any remote access
policy, the remote access server rejects the connection attempt.
2. The remote access server evaluates the permissions in the policy and
the remote user’s remote access permissions and determines whether
the remote user is granted or denied permission to the connection. If
the remote user is denied permission to the connection, the remote
access server rejects the connection attempt.
3. The remote access server applies the conditions and settings
contained in the remote access policy’s profile to the connection. If any
conditions in the profile are not met, the remote access server rejects
the connection attempt. Otherwise, the remote access server
establishes the connection.
These steps assume that multiple policies exist on a remote access server.
If only a single policy exists, such as the default remote access policy, the
remote access client must meet the conditions of that policy or the remote
access server will reject the connection attempt. If no policy exists (perhaps
because an administrator has accidentally deleted all policies), the remote
access server will reject all connection attempts from remote access clients.
Figure 17-21 is a flow chart that shows a graphical representation of the
remote access connection process. This chart is a slightly more detailed
version of the steps I outlined in the previous paragraphs.

EXAM TIP
After reading a detailed description and a flow chart, you’re probably
getting the idea that how remote access policies are applied is
important. Make sure you completely understand and memorize this process,
and don’t be surprised if you see a couple of tough exam questions on
this topic.

I want to emphasize that the remote access server processes remote access
policies in the order they’re listed in the Routing and Remote Access console. You
might want to change the order in which policies are applied. Typically,
administrators place the most specific policies at the top of the list, and the
most general policies at the bottom of the list. If you don’t order policies in
this manner, but instead place policies with few conditions at the top of the
list, remote users that have specially configured policies won’t be assigned
these policies because a more general policy will be applied first.

[Flow chart, Figure 17-21. Decision sequence: remote access client initiates a connection; are there any remote access policies? (No: deny the connection); examine the remote access policy conditions; does the connection match the conditions? (No: is there another remote access policy? Yes: go to the next policy; No: deny the connection); what is the remote access permission for the user? (Allow access: continue; Deny access: deny the connection; Control access through remote access policies: does the remote access permission on the policy allow access? No: deny the connection); do the conditions and settings in the profile match the conditions of the connection? (No: deny the connection); Yes: apply the profile settings and establish the connection.]

FIGURE 17-21 The remote access connection process
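The evaluation order described above, as an added example that is not from the book or from Windows 2000 itself: a small Python model in which policies are tried in console list order, the first policy whose conditions all match is applied, the user account's dial-in permission overrides the policy's permission unless the account is set to control access through policy, and finally the profile must be satisfied. The policy and user names are constructed; only the Windows-Groups, Day-And-Time-Restrictions and Tunnel-Type conditions and the profile's encryption setting are modelled, and the last function reproduces the ordering pitfall (a general policy listed first shadows a more specific one).

```python
"""Model of how a Windows 2000 remote access server evaluates remote access
policies: first matching policy (console order), then permission, then profile.
Constructed example data; not Microsoft's code."""
from dataclasses import dataclass, field

# Dial-in permission on the user account (Dial-in tab in AD Users and Computers)
ALLOW = "Allow access"
DENY = "Deny access"
POLICY = "Control access through Remote Access Policy"


@dataclass
class Connection:
    """Attributes of an attempted connection that conditions and profile inspect."""
    user: str
    groups: frozenset               # Windows security groups the user belongs to
    day: str                        # e.g. "Mon"
    hour: int                       # 0-23
    tunnel_type: str = "None"       # "PPTP", "L2TP", or "None" for dial-up
    encryption: str = "No Encryption"  # "No Encryption", "Basic", "Strong", "Strongest"


@dataclass
class Policy:
    name: str
    conditions: dict                # condition name -> allowed values; all must match
    grant: bool                     # True = Grant remote access permission
    profile: dict = field(default_factory=dict)  # e.g. {"encryption": {"Strongest"}}


def matches_conditions(policy: Policy, conn: Connection) -> bool:
    """Step 1: every condition on the policy must match the connection."""
    for cond, allowed in policy.conditions.items():
        if cond == "Windows-Groups":            # member of any listed group
            if not (conn.groups & allowed):
                return False
        elif cond == "Day-And-Time-Restrictions":
            days, start, end = allowed          # permitted days and hour range
            if conn.day not in days or not start <= conn.hour < end:
                return False
        elif cond == "Tunnel-Type":
            if conn.tunnel_type not in allowed:
                return False
        else:
            raise ValueError(f"condition {cond} is not modelled")
    return True


def profile_allows(policy: Policy, conn: Connection) -> bool:
    """Step 3: profile settings the connection must satisfy (encryption here)."""
    allowed = policy.profile.get("encryption")
    return allowed is None or conn.encryption in allowed


def evaluate(policies, conn, account_permission):
    """Return (accepted, applied policy name or None, reason)."""
    if not policies:
        return False, None, "no remote access policies exist"
    for policy in policies:                     # console list order matters
        if matches_conditions(policy, conn):
            break
    else:
        return False, None, "no policy conditions matched"
    # Step 2: account Allow/Deny overrides the policy; POLICY defers to the policy.
    if account_permission == DENY:
        return False, policy.name, "user account denies access"
    if account_permission == POLICY and not policy.grant:
        return False, policy.name, "policy denies access"
    if not profile_allows(policy, conn):
        return False, policy.name, "profile encryption requirement not met"
    return True, policy.name, "connection established"


# Constructed policies: a specific one for admins over L2TP, and the default one.
ADMIN_VPN = Policy("Admins over L2TP",
                   {"Windows-Groups": frozenset({"Domain Admins"}),
                    "Tunnel-Type": frozenset({"L2TP"})},
                   grant=True, profile={"encryption": {"Strongest"}})
DEFAULT = Policy("Allow access if dial-in permission is enabled",
                 {"Day-And-Time-Restrictions": (
                     {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}, 0, 24)},
                 grant=True)

# Constructed connection: an admin over L2TP offering only Basic encryption.
ADMIN = Connection("alice", frozenset({"Domain Admins", "Domain Users"}),
                   "Tue", 10, tunnel_type="L2TP", encryption="Basic")


def ordering_pitfall():
    """General policy listed first shadows the specific one, so the Strongest
    encryption requirement is never applied; specific first enforces it."""
    general_first = evaluate([DEFAULT, ADMIN_VPN], ADMIN, POLICY)
    specific_first = evaluate([ADMIN_VPN, DEFAULT], ADMIN, POLICY)
    return general_first, specific_first


if __name__ == "__main__":
    for result in ordering_pitfall():
        print(result)
```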


STEP BY STEP

CHANGING THE ORDER IN WHICH REMOTE ACCESS POLICIES ARE APPLIED

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, click the + next to
the remote access server on which you want to change the order of remote
access policies. Highlight Remote Access Policies.
3. In the right pane, right-click any policy, and select Move Up or Move Down from
the menu that appears. Continue this process until the policies are in the desired
order. Figure 17-22 shows the Routing and Remote Access console after I’ve
configured the order of several remote access policies. Notice the policy that
matches the fewest number of remote access clients is at the top of the list, and
the most general policy is at the bottom of the list.

FIGURE 17-22 Ordering remote access policies

4. Close Routing and Remote Access.

Monitoring Remote Access


To ensure that your Windows 2000 remote access server is functioning at
its best, you should periodically monitor this server. You can monitor and
manage the remote access activity on the remote access server, and you can
use monitoring to determine whether the server has sufficient resources
(such as memory, processor, and disk) to handle its remote access tasks.

There are several valuable monitoring tasks you can perform in the
Routing and Remote Access console. You can view the status of the remote
access server, view a list of remote access clients currently connected to the
server, send a pop-up message to one (or all) remote access users, disconnect
a remote user, view the status of a remote access connection, view current
connections by port, and configure remote access logging.

STEP BY STEP

MONITORING REMOTE ACCESS CONNECTIONS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, click the + next to
the remote access server you want to monitor.
3. To view the status of the Windows 2000 remote access server, highlight
Server Status. In the right pane, the current status of all remote access servers
that have been added to this console is displayed. You can view the number of
total ports and the number of ports in use on each server.
4. To view a list of the remote access clients currently connected to the
remote access server, highlight Remote Access Clients. In the right pane, a list
of remote access clients is displayed. You can view the remote user’s name, the
duration of the connection, and the number of ports used by this client.
To send a pop-up message to the remote access user (or to all remote
users currently connected), in the right pane, right-click the user, and select Send
Message (or Send to All) from the menu that appears. In the Send Message
dialog box, type in your message to the remote user(s) and click OK. The message is
delivered immediately.
To disconnect a remote user, in the right pane, right-click the user, and select
Disconnect from the menu that appears. The user is disconnected immediately.
Select Action ➪ Refresh to verify that the user is no longer connected.
To view the status of a remote access connection, in the right pane,
right-click the remote access user, and select Status from the menu that appears.
The Status dialog box is displayed, as shown in Figure 17-23. Notice the various
statistics you can view for a connection.
Also notice that you can refresh the connection’s statistics and disconnect the
remote access client in this dialog box.
Finally, notice that once this dialog box is displayed, you can view the statistics for
any remote access connection by selecting the remote access client (by user
name) from the Connection drop-down list box. When you finish viewing
statistics, click Close.
Chapter 17 ▼ Managing Remote Access 1191


FIGURE 17-23 Monitoring a connection’s status

5. To view current remote access connections by port, in the left pane of
Routing and Remote Access, highlight Ports. In the right pane, a list of all ports
on the remote access server is displayed. You can view the device used by each
port, and whether each port is active or inactive. You can also right-click any port,
and disconnect the remote access client or view the status of the connection, as
shown in Figure 17-24.

FIGURE 17-24 Viewing a port’s status



6. To configure remote access logging (so you can later use the log file), in the
left pane of Routing and Remote Access, highlight Remote Access Logging. In
the right pane, double-click Local File.
7. The Local File Properties dialog box appears. On the Settings tab, you can
configure the types of information that Windows 2000 will write to the log file.
You can select one or more of these options:
■ Log accounting requests (for example, accounting start or stop) —
recommended
■ Log authentication requests (for example, access-accept or access-reject) —
recommended
■ Log periodic status (for example, interim accounting requests)
On the Local File tab in this dialog box, you can select either a
database-compatible file format or an IAS format. If you select the IAS format,
Windows 2000 creates a text file that uses comma-separated values. You can also
specify how often a new log file will be created. Finally, you can select a location
in which the log file will be stored. When you finish configuring logging, click OK.
To view log files created in IAS format, use Notepad or any text editor.
8. Close Routing and Remote Access.
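Once logging in the IAS (comma-separated) format is turned on, the log file is worth more than a read in Notepad: the authentication records it holds can be parsed to spot accounts that keep receiving access-reject answers. The following Python script is an added example, not code from the book or from Windows 2000. Its column layout (computer, service, date, time, packet type, user, client IP, reason) and the sample log lines are constructed for illustration and are a simplification of the real IAS format, so map COLUMNS to the documented layout of an actual IAS-format file before running it against one.

```python
"""Summarise a remote access log written in a comma-separated (IAS-style) format.

Added example, not from the book. The column layout below is an ASSUMPTION
made for illustration; the real IAS format carries more columns and attribute
codes, so adapt COLUMNS to the documented layout of a real log file.
"""
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Assumed (simplified) column order of each comma-separated record.
COLUMNS = ["computer", "service", "date", "time",
           "packet_type", "user", "client_ip", "reason"]

# Constructed sample log lines (not captured from a real server): one
# successful logon, three rejected attempts for the same account, one
# accounting stop record.
SAMPLE_LOG = """\
SERVER01,RAS,04/24/2000,21:02:11,Access-Request,DOMAIN1\\alice,10.0.0.5,
SERVER01,RAS,04/24/2000,21:02:12,Access-Accept,DOMAIN1\\alice,10.0.0.5,
SERVER01,RAS,04/24/2000,21:05:40,Access-Request,DOMAIN1\\bob,10.0.0.9,
SERVER01,RAS,04/24/2000,21:05:41,Access-Reject,DOMAIN1\\bob,10.0.0.9,bad password
SERVER01,RAS,04/24/2000,21:05:55,Access-Request,DOMAIN1\\bob,10.0.0.9,
SERVER01,RAS,04/24/2000,21:05:56,Access-Reject,DOMAIN1\\bob,10.0.0.9,bad password
SERVER01,RAS,04/24/2000,21:06:10,Access-Request,DOMAIN1\\bob,10.0.0.9,
SERVER01,RAS,04/24/2000,21:06:11,Access-Reject,DOMAIN1\\bob,10.0.0.9,bad password
SERVER01,RAS,04/24/2000,22:30:00,Accounting-Request,DOMAIN1\\alice,10.0.0.5,Stop
"""


def parse_ias_log(text):
    """Return one dict per record, with the date and time combined into `when`."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) < len(COLUMNS):
            continue  # skip blank or truncated lines
        rec = dict(zip(COLUMNS, row))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                        "%m/%d/%Y %H:%M:%S")
        records.append(rec)
    return records


def reject_counts(records):
    """Number of Access-Reject records per user name."""
    return Counter(r["user"] for r in records if r["packet_type"] == "Access-Reject")


def repeated_rejects(records, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` rejects inside any `window`-long period.

    Returns {user: rejects_in_window} for every user that trips the rule.
    """
    per_user = defaultdict(list)
    for r in records:
        if r["packet_type"] == "Access-Reject":
            per_user[r["user"]].append(r["when"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    recs = parse_ias_log(SAMPLE_LOG)
    print("rejects per user:", dict(reject_counts(recs)))
    print("repeated rejects:", repeated_rejects(recs))
```

The sliding window in repeated_rejects means one mistyped password is ignored, while three rejects for the same account inside five minutes are reported, which is the kind of pattern the recommended authentication-request logging in step 7 exists to reveal.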

In addition to using Routing and Remote Access, you can use System
Monitor, a Performance tool, to monitor the performance of the Windows
2000 remote access server. Remote access objects include RAS Port and
RAS Total. Each of these objects has multiple counters associated with it.
You can also use System Monitor to determine if your Windows 2000
remote access server has adequate memory, processor, and disk resources.

CROSS-REFERENCE
I’ll cover how to use System Monitor in Chapter 21.

Troubleshooting Remote Access


Remote access is a complex topic. There are many connection protocols,
networking protocols, authentication methods, encryption options, and
remote access policies that combine to form your remote access solution.
While these features make the service very flexible, they can also make
troubleshooting difficult when problems arise.
Table 17-2 lists some of the more common remote access problems you
may encounter and some possible solutions to these problems.
TABLE 17-2 Remote Access Problems and Solutions

Problem: A remote access client can’t establish a connection with a
Windows 2000 remote access server.
Recommended solution: If the remote access client is using a modem, verify
that the correct telephone number is being dialed. If the modem doesn’t have
a speaker, use a regular telephone to dial the remote access server and verify
that a modem answers. If the client is attempting to establish a VPN
connection, make sure your Internet connection is working properly by
pinging the FQDN of the VPN server.

Problem: A remote access user is denied access by the remote access server
after the user provides a user name and password.
Recommended solution: Ensure that the user has typed the user name and
password correctly (remember, passwords are case-sensitive). Verify that the
user has remote access permissions. Verify that there is at least one remote
access policy defined on the remote access server. Verify that a remote access
policy applies to this user, and that the policy’s permission setting grants
access.

Problem: You’ve configured Callback but the remote access server isn’t
calling the client back.
Recommended solution: Make sure that the correct “Always Callback to”
telephone number is configured on the Dial-in tab in the user’s Properties
dialog box. Verify that LCP extensions are enabled on the PPP tab in the
remote access server’s Properties dialog box.

Problem: When a remote access client uses L2TP to initiate a VPN
connection, the user is unable to connect. However, the remote access client
can establish a VPN connection by using PPTP.
Recommended solution: Ensure that computer (machine) certificates are
installed on both the remote access server and the remote access client.
(Certificate Services is covered in Chapter 18.)

Problem: A remote access client can access a Web server on the remote
access server’s local area network, but can’t access a NetWare server on
that network.
Recommended solution: Ensure that the IPX protocol has been installed and
configured on both the remote access client and the remote access server.
Ensure that the “Enable network access for remote access clients and
demand-dial connections” check box is selected on the IPX tab in the remote
access server’s Properties dialog box.

Problem: A remote access client can connect to the remote access server,
but can’t access resources on the remote access server’s local area network.
Recommended solution: Make sure that the network protocol used by the
remote access client is installed and configured on the remote access server.
If the remote access client is using TCP/IP, ensure that the “Enable IP
routing” check box is selected on the IP tab in the remote access server’s
Properties dialog box. If the remote access client is using NetBEUI, ensure
that the “Allow NetBEUI based remote access clients to access” check box
and the “The entire network” option are selected on the NetBEUI tab in the
remote access server’s Properties dialog box. If the remote access client is
using AppleTalk, ensure that the “enable AppleTalk remote access” check
box is selected on the AppleTalk tab in the remote access server’s Properties
dialog box.

KEY POINT SUMMARY

This chapter introduced several important remote access topics:

■ Remote access is a feature that enables client computers to use dial-up and
VPN connections to connect to a remote access server. Remote access is
implemented on Windows 2000 Server computers through the Routing and
Remote Access Service.
■ Although the Routing and Remote Access service is installed by default on
Windows 2000 Server computers, you must enable remote access.
■ A virtual private network (VPN) connection is a virtual connection that is
tunneled inside of an existing TCP/IP network connection. VPN connections
can be established by using either PPTP or L2TP, and are commonly used
between two computers that communicate over the Internet.
■ A multilink connection permits a remote access client to combine the
bandwidth from multiple physical connections into a single logical connection.
This means that multiple modem, ISDN, digital link, or X.25 connections can be
bundled together to form a single logical connection with a much higher
bandwidth than a single connection can support.
■ The connection protocols Windows 2000 supports for remote access include
Point-to-Point Protocol (PPP), Point-to-Point Multilink Protocol, Point-to-Point
Tunneling Protocol, Layer Two Tunneling Protocol (L2TP), Serial Line Internet
Protocol (SLIP), and the Microsoft RAS protocol (also called AsyBEUI).
■ You can use Routing and Remote Access to configure numerous properties
of a Windows 2000 remote access server, including: security options, PPP
options, event logging options, and specific remote access options for
installed protocols, such as TCP/IP, IPX, NetBEUI, and AppleTalk.
■ RADIUS is an industry standard authentication service. IAS, which stands for
Internet Authentication Service, is a Windows 2000 Server service that
enables a Windows 2000 Server computer to function as a RADIUS server.
■ You can also use Routing and Remote Access to configure inbound
connection ports for remote access, which may include hardware ports (such as
modems, parallel ports, infrared ports, and so on) and VPN ports, including
PPTP and L2TP ports.
■ In Windows 2000, access to the remote access server is controlled by remote
access policies. A remote access policy consists of conditions, permissions,
and a profile.
■ A user can connect to a Windows 2000 remote access server only if a remote
access policy permits the user to do so.
■ Remote access policies are not stored in Active Directory. They are stored on
the Windows 2000 remote access server.
■ There are numerous options you can configure in a remote access policy’s
profile, including dial-in constraints, IP address assignment options, multilink
connection options, authentication methods, encryption options, and advanced
connection attributes.
■ When multiple remote access policies exist, the remote access server selects
the policy to apply to the connection by matching conditions of the connection
to conditions of a remote access policy. Remote access policies are examined
by the server in the order in which they appear in the Routing and Remote
Access console.
■ You can use Routing and Remote Access to monitor many aspects of remote
access, including server status, ports, and connections. You can also configure
logging of remote access events in this console.
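The selection rule stated in the bullets above (the first policy in console order whose conditions all match is the one used, then its permission setting or the user’s dial-in setting decides, then the profile’s constraints are checked) is easy to get wrong in practice, so here is a small Python model of it. This is an added example, not code from the book or from the Routing and Remote Access service. The names Attempt, Policy and evaluate, and the three condition types modeled (Windows-Groups, Day-And-Time-Restriction, Tunnel-Type), are my own simplification, and the policies in it are constructed. ordering_demo shows why the ordering procedure earlier in the chapter puts the most specific policy first, and day_time_demo walks the business-hours case posed in assessment question 6 below.

```python
"""Model of remote access policy evaluation as the chapter describes it.

Added example, not code from the book or from Windows 2000. The classes,
function names and the three condition types modelled here are an
ASSUMED simplification of the real policy engine.
"""
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass
class Attempt:
    """A connection attempt as the server sees it."""
    user: str
    groups: frozenset
    when: time                     # time of day of the attempt
    tunnel: Optional[str] = None   # "PPTP", "L2TP", or None for a dial-up call
    dialin: str = "policy"         # user's Dial-in tab: "allow", "deny" or
                                   # "policy" (Control access through policy)


@dataclass
class Policy:
    """One remote access policy: conditions, permission, profile."""
    name: str
    groups: frozenset = frozenset()                     # Windows-Groups condition
    hours: Optional[Tuple[time, time]] = None           # Day-And-Time-Restriction
    tunnel: Optional[str] = None                        # Tunnel-Type condition
    grant: bool = False                                 # permission: grant or deny
    profile_hours: Optional[Tuple[time, time]] = None   # profile dial-in constraint


def in_window(when, window):
    """True when `when` lies inside the (start, end) window, or there is none."""
    if window is None:
        return True
    start, end = window
    return start <= when <= end


def conditions_match(policy, attempt):
    """Every condition set on the policy must match the attempt."""
    if policy.groups and not (policy.groups & attempt.groups):
        return False
    if policy.tunnel is not None and policy.tunnel != attempt.tunnel:
        return False
    return in_window(attempt.when, policy.hours)


def evaluate(policies, attempt):
    """Return (accepted, reason). Policies are tried in console order."""
    for policy in policies:
        if not conditions_match(policy, attempt):
            continue
        # The first matching policy decides; later policies are never consulted.
        if attempt.dialin == "deny":
            return False, f"{policy.name}: user account is set to Deny access"
        if attempt.dialin == "policy" and not policy.grant:
            return False, f"{policy.name}: policy permission denies access"
        if not in_window(attempt.when, policy.profile_hours):
            return False, f"{policy.name}: profile dial-in constraint not met"
        return True, f"{policy.name}: connection accepted"
    return False, "no remote access policy matched the connection"


# Constructed policies: the specific one (Domain Admins only) and a catch-all
# that has no conditions and denies permission.
ADMIN_POLICY = Policy("Grant Administrators Dial-in Access",
                      groups=frozenset({"Domain Admins"}), grant=True)
CATCH_ALL_POLICY = Policy("Default policy (deny)", grant=False)


def ordering_demo():
    """Same admin attempt, with the specific policy listed first and then last."""
    admin = Attempt("DOMAIN1\\Administrator",
                    frozenset({"Domain Admins", "Domain Users"}),
                    time(10, 0), tunnel="PPTP")
    return (evaluate([ADMIN_POLICY, CATCH_ALL_POLICY], admin)[0],
            evaluate([CATCH_ALL_POLICY, ADMIN_POLICY], admin)[0])


def day_time_demo(when=time(21, 0)):
    """Condition 06:00-18:00, profile 12:00-23:00, user set to Allow access."""
    policy = Policy("Business hours", hours=(time(6, 0), time(18, 0)),
                    grant=True, profile_hours=(time(12, 0), time(23, 0)))
    user = Attempt("DOMAIN1\\bob", frozenset({"Domain Users"}), when, dialin="allow")
    return evaluate([policy], user)


if __name__ == "__main__":
    print("specific-first, specific-last:", ordering_demo())
    print("21:00 attempt:", day_time_demo())
    print("15:00 attempt:", day_time_demo(time(15, 0)))
```

Note that the user’s “Allow access” setting bypasses only the policy’s permission; a policy whose conditions match must still exist, and the profile constraints still apply, which is why the 21:00 attempt is rejected before the profile is ever looked at.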

STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about deploying Windows 2000 and to help you prepare for
the Professional, Server, and Directory Services exams:
■ Assessment Questions: These questions test your knowledge
of the remote access topics covered in this chapter. You’ll find the
answers to these questions at the end of this chapter.
■ Scenarios: The situation-based questions in scenarios challenge
you to apply your understanding of the material to solve a
hypothetical problem. In this chapter’s scenarios, you are asked to
troubleshoot remote access problems and answer the question or
questions listed for each problem. You don’t need to be at a
computer to do scenarios. Answers to this chapter’s scenarios are
presented at the end of this chapter.
■ Lab Exercise: These exercises are hands-on practice activities that
you perform on a computer. The lab in this chapter gives you an
opportunity to practice enabling, configuring, and using remote
access.

Assessment Questions
1. Your Windows 2000 domain operates in native mode. You recently
enabled remote access on a Windows 2000 Server computer on the
network. What must you do before remote access users can connect
to the remote access server?
A. Authorize the Windows 2000 remote access server in Active
Directory.
B. Restart the Windows 2000 remote access server.
C. Change the default remote access policy so that it grants remote
access permission.
D. Change the Windows 2000 remote access server’s authentication
provider to Windows Authentication.

2. What components make up a remote access policy? (Choose all
that apply.)
A. Profile
B. Conditions
C. Encryption Settings
D. Permissions
3. Which authentication method supports smart cards?
A. Encrypted authentication (CHAP)
B. Extensible authentication protocol (EAP)
C. Shiva Password Authentication Protocol (SPAP)
D. Microsoft encrypted authentication version 2 (MS-CHAP v2)
4. Which authentication method provides the highest level of security?
A. Microsoft encrypted authentication version 2 (MS-CHAP v2)
B. Microsoft encrypted authentication (MS-CHAP)
C. Encrypted authentication (CHAP)
D. Shiva Password Authentication Protocol (SPAP)
5. Which remote access options can be configured on the Dial-in tab of
a user’s Properties dialog box? (Choose all that apply.)
A. Static IP address assignment
B. Allowed encryption methods
C. Callback options
D. Remote access permissions
E. Telephone number from which the user must dial-in
6. A remote user is attempting to connect to a Windows 2000 remote
access server at 9 P.M. The user has the “Allow access” permission.
The remote access server has only one remote access policy. The
policy’s only condition is a Day-And-Time-Restriction that permits
access daily between 06:00 to 18:00. The policy’s profile restricts
access to 12:00 to 23:00 daily. How will the remote access server
respond to the remote user’s connection attempt?
A. The server will establish the connection for the remote user.
B. The server will deny access to the remote user because the remote
access policy’s condition prohibits connections at 9:00 P.M.

C. The server will deny access to the remote user because the
remote access policy’s profile prohibits connections at 9:00 P.M.
D. The server will deny access to the remote user because both the
condition and profile of the remote access policy prohibit con-
nections at 9:00 P.M.
7. You recently configured encryption options within a profile of
a remote access policy. You only selected the check box next to
“Strongest.” Which encryption method can be used by remote access
clients that establish PPTP VPN connections by using this remote
access policy?
A. IPSec 56-bit DES
B. IPSec 3DES
C. MPPE 56-bit
D. MPPE 128-bit
8. Which tool can you use to add hardware ports to a Windows 2000
remote access server?
A. Routing and Remote Access
B. Add/Remove Programs
C. Add/Remove Hardware
D. Network and Dial-up Connections folder

Scenarios
Troubleshooting remote access on your network can be a difficult task. For
each of the following problems, consider the given facts and answer the
question or questions that follow.
1. A remote user reports that she is initially able to dial up to a Windows
2000 remote access server on your network, but as soon as the
connection is established, she receives a message indicating that the remote
access server will call her back. The connection is broken. However,
the user doesn’t receive a call back. What would you do to resolve the
problem?

2. A remote user reports that he can’t establish a VPN connection with
a Windows 2000 remote access server on your network. When he
attempts to connect, after typing in his correct user name and password,
the following error message is displayed: Error: 649: The account
does not have permission to dial in. The remote user is not able
to establish the VPN connection. What steps would you take to
troubleshoot this problem?
3. A remote user reports that he can successfully connect to the Windows
2000 remote access server and can access TCP/IP resources on the
remote access server’s local area network. However, the user is not able
to access resources on a NetWare server located on the same network.
A. What is the most likely cause of the problem?
B. What steps would you take to resolve the problem?

Lab Exercise
Lab 17-1 Enabling, Configuring, and Monitoring Remote Access
EXAM MATERIAL: Server, Networking

The purpose of this lab is to provide you with an opportunity to practice
enabling, configuring, and monitoring remote access in a Windows 2000
Server environment.
There are four parts to this lab:
■ Part 1: Enabling and Configuring Remote Access
■ Part 2: Creating and Configuring a Remote Access Policy
■ Part 3: Connecting to the Remote Access Server
■ Part 4: Monitoring Remote Access
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Enabling and Configuring Remote Access

In this part, you enable remote access on your Windows 2000 Server
computer and then configure the remote access server. Specifically, you
configure the remote access server to support multilink connections, configure
remote access for DHCP integration, and configure security and
authentication protocols. Finally, you create and configure inbound connection
ports, including VPN ports.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and
Remote Access.
2. In the left pane of the Routing and Remote Access dialog box,
right-click SERVER01 (local) and select Properties from the menu that
appears.
3. In the server’s Properties dialog box, select the check box next to
“Remote access server.” Click the Security tab.
4. On the Security tab, ensure that the Authentication provider is
Windows Authentication, and that the Accounting provider is
Windows Accounting. Click Authentication Methods.
5. In the Authentication Methods dialog box, ensure that Microsoft
encrypted authentication version 2 (MS-CHAP v2) and Microsoft
encrypted authentication (MS-CHAP) are selected. Also select the
check box next to Encrypted authentication (CHAP). Click OK.
Click the IP tab.
6. On the IP tab, ensure that the check boxes next to “Enable IP
routing” and “Allow IP-based remote access and demand-dial
connections” are selected. Select the Dynamic Host Configuration Protocol
(DHCP) IP address assignment option. Click the IPX tab.
7. On the IPX tab, clear the check box next to “Allow IPX-based
remote access and demand-dial connections.” Click the PPP tab.
8. Ensure that all four PPP options, including multilink connections, are
selected on this tab. Click OK.
9. A Routing and Remote Access warning message appears, indicating
that you must restart the Routing and Remote Access service. Click
Yes. Windows 2000 stops and restarts the service. If a Routing and
Remote Access dialog box appears asking if you want to view a help
topic on authentication methods, click No.

10. In the left pane of the Routing and Remote Access dialog box, right-
click the Ports container, and select Properties from the menu that
appears.
11. In the Ports Properties dialog box, highlight WAN Miniport (PPTP)
and click Configure.
12. In the Configure Device – WAN Miniport (PPTP) dialog box, ensure
that the check box next to “Remote access connections (inbound
only)” is selected. To create five additional PPTP ports, change the
“Maximum ports” spin box to 10. Click OK.
13. In the Ports Properties dialog box, notice that the number of WAN
Miniport (PPTP) ports is now 10. Click OK. Continue to Part 2.

Part 2: Creating and Configuring a Remote Access Policy

In this part, you create a new remote access policy that enables members of
the Domain Admins group to connect to the Windows 2000 remote access
server. You configure the policy’s profile to require the use of an encryption
protocol. You also configure remote access permissions in a user’s
Properties dialog box.
1. In the left pane of the Routing and Remote Access dialog box, right-
click Remote Access Policies, and select New Remote Access Policy
from the menu that appears.
2. In the Add Remote Access Policy dialog box, type in a policy friendly
name of Grant Administrators Dial-in Access. Click Next.
3. In the Conditions screen, click Add.
4. In the Select Attribute dialog box, highlight Windows-Groups.
Click Add.
5. In the Groups dialog box, click Add.
6. In the Select Groups dialog box, double-click the Domain Admins
group. Click OK.
7. In the Groups dialog box, click OK.
8. In the Conditions screen, click Next.
9. In the Permissions screen, select the “Grant remote access permis-
sion” option. Click Next.
10. In the User Profile screen, click Edit Profile.
11. In the Edit Dial-in Profile dialog box, click the Authentication tab.

12. On the Authentication tab, clear the check box next to “Microsoft
Encrypted Authentication (MS-CHAP).” Ensure that the check box
next to “Microsoft Encrypted Authentication version 2 (MS-CHAP
v2)” is selected. Click the Encryption tab.
13. On the Encryption tab, clear the check box next to No Encryption.
Click OK.
14. In the User Profile screen, click Finish.
15. In the right pane of the Routing and Remote Access dialog box,
right-click the Grant Administrators Dial-in Access policy. Select
Move Up from the menu that appears, so that this policy is the first
policy listed.
16. Close Routing and Remote Access.
17. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory
Users and Computers.
18. In the left pane of Active Directory Users and Computers, highlight the
Users folder. Then, in the right pane, right-click the Administrator user
account, and select Properties from the menu that appears.
19. In the Administrator Properties dialog box, click the Dial-in tab.
20. On the Dial-in tab, select the “Control access through Remote Access
Policy” option. Click OK.
21. Close Active Directory Users and Computers.

Part 3: Connecting to the Remote Access Server

In this part, you use a VPN connection to connect to the remote access
server.
1. Select Start ➪ Settings ➪ Network and Dial-up Connections.
2. In the Network and Dial-up Connections folder, right-click
Virtual Private Connection, and select Properties from the menu that
appears.
3. In the Virtual Private Connection Properties dialog box, clear the
check box next to “Dial another connection first.” Click OK.
4. In the Network and Dial-up Connections folder, double-click
Virtual Private Connection.
5. In the Connect Virtual Private Connection dialog box, accept the
user name of Administrator and type in a password of password.
Click Connect.

6. A Network Protocol Connection Result dialog box appears,
informing you that TCP/IP connected successfully, but IPX did not. Select
the check box next to “Do not request the failed protocols next
time.” Click Accept. The connection is established.
7. Close the Network and Dial-up Connections folder.

Part 4: Monitoring Remote Access

In this part, you monitor a VPN remote access connection and disconnect
the remote access client.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Routing and
Remote Access.
2. In the left pane of the Routing and Remote Access dialog box, high-
light Remote Access Clients (1). In the right pane, double-click
DOMAIN1\Administrator.
3. The Status dialog box appears. View the various statistics for your
current remote access connection. Click Disconnect. Click Close.
4. In the Routing and Remote Access dialog box, notice that the con-
nection no longer appears in the right pane. Close Routing and
Remote Access.

Answers to Chapter Questions

Chapter Pre-Test
1. A virtual private network (VPN) is not a physical connection type.
Rather, it’s a virtual connection that is tunneled inside of an existing
TCP/IP network connection. VPNs can be established by using
either PPTP or L2TP. Both of these protocols support encryption of
the data sent over the VPN connection. Because a VPN uses an
existing TCP/IP network connection, no additional hardware is required.
VPN connections are commonly used between two computers that
communicate over the Internet.
2. Both PPTP and L2TP permit a virtual private network (VPN)
connection between two computers over an existing TCP/IP network
connection. The major difference between PPTP and L2TP is that
PPTP uses Microsoft Point-to-Point Encryption (MPPE) while L2TP
uses IPSec for encryption. In addition, L2TP is rapidly becoming the
industry standard tunneling protocol. Currently, only Windows 2000
remote access clients and remote access servers support L2TP.
3. TCP/IP, IPX (including NWLink IPX/SPX/NetBIOS Compatible
Transport Protocol), NetBEUI, and AppleTalk
4. A multilink connection permits a remote access client to combine
the bandwidth from multiple physical connections into a single logi-
cal connection.This means that multiple modem, ISDN, digital link,
or X.25 connections can be bundled together to form a single logical
connection with a much higher bandwidth than a single connection
can support.
5. The Routing and Remote Access service supports both hardware
ports (such as modems, parallel ports, infrared ports, and so on) and
VPN ports, including PPTP and L2TP ports.
6. A remote access policy consists of conditions, permissions, and a pro-
file. Remote access policies are used to control access to the remote
access server.

Assessment Questions
1. C. By default, the default remote access policy is configured to deny
remote access permission. You must either modify the default remote
access policy to grant remote access permission, create another remote
access policy that grants permission to remote access users, or
configure each remote user account’s dial-in settings to “Allow access.”
2. A, B, D. Remote access policies are composed of conditions,
permissions, and a profile. While you can configure encryption options
within a profile, it is not considered a part of the remote access policy.
3. B. Only the Extensible authentication protocol (EAP) has the ability
to support smart cards.
4. A. Microsoft encrypted authentication version 2 (MS-CHAP v2) is
the most secure authentication method.
5. A, C, D, E. All answer choices except encryption can be configured
in the user’s Properties dialog box. Encryption settings are configured
in the profile portion of a remote access policy.

6. B. When a remote access server processes a connection attempt, it
examines the conditions of a remote access policy first. Because there
is only one policy on the remote access server, and the condition of
that policy doesn’t match the conditions of the connection attempt,
the remote access server denies the connection.
7. D. Both IPSec 3DES and MPPE 128-bit qualify as “Strongest”; however,
only MPPE 128-bit can be used with PPTP.
8. C. To add hardware ports, you can use either Add/Remove Hardware,
or a specialized application such as Phone and Modem Options.

Scenarios
1. Ensure that the correct “Always Callback to” telephone number is
configured on the Dial-in tab in the user’s Properties dialog box, and
instruct the user to only call in from that number. (It’s possible that
the callback telephone number is configured correctly, but the user is
not calling from this telephone number.)
2. The most likely cause of this problem is the remote user is explicitly
denied remote access permission, either on the Dial-in tab in the
user’s Properties dialog box, or by the remote access policy that
applies to the remote user. To enable the remote user to access the
remote access server, either grant the user the “Allow access”
permission on the Dial-in tab, or reconfigure a remote access policy (that
grants remote access permission) to include the user.
3. The most likely cause of this problem is that the remote access client,
the remote access server, or both, are not correctly configured to
support IPX on the remote access connection. To resolve the problem,
ensure that NWLink IPX/SPX/NetBIOS Compatible Transport
Protocol is installed and configured on both the remote access client
and the remote access server. Also ensure that the “Enable network
access for remote access clients and demand-dial connections” check
box is selected on the IPX tab in the remote access server’s Properties
dialog box.

EXAM MATERIAL: Professional, Server, Network

EXAM OBJECTIVES

Professional: Exam 70-210
■ Manage and troubleshoot Web server resources.

Server: Exam 70-215
■ Monitor, configure, troubleshoot, and control access to files and
folders via Web services.
■ Monitor, configure, troubleshoot, and control access to Web sites.

Network: Exam 70-216
■ Install and configure Certificate Authority (CA).
■ Create certificates.
■ Issue certificates.
■ Revoke certificates.
■ Remove the Encrypting File System (EFS) recovery keys.
CHAPTER 18
Managing Web and Certificate Services

This chapter focuses on several Windows 2000 Internet-related services.
I’ll begin by exploring Internet Information Services (IIS), Windows
2000’s Web server service. In addition to showing you how to install the
various components of IIS, I’ll explain how to configure a Web site and how to
publish Web content by using virtual directories and virtual servers. Because
security is an ever-increasing concern for today’s networks, I’ll spell out several
things you can do to increase Web server security. Finally, I’ll explore how to
monitor Web site access and how to troubleshoot Web services.
Next, I’ll introduce you to the Indexing Service, a great feature of Windows
2000 that makes it possible for users to locate certain types of files by a word,
phrase, or property of the document, such as the author’s name.
The last half of this chapter is devoted to Certificate Services. I’ll explain
how to install this service on your Windows 2000 Server computer, and then
how to use it to issue and manage certificates. I’ll also show you how to revoke
certificates, and how to manage Encrypting File System (EFS) recovery agents.


Chapter Pre-Test
1. List three commonly used components of Internet Information
Services (IIS).
2. Which component of IIS provides Web server functionality to a
Windows 2000 computer?
3. What is Personal Web Manager?
4. What is a virtual directory?
5. What is a virtual server?
6. List three things you can do to increase security of a Windows
2000 Web server.
7. The __________ __________ is a Windows 2000 service that
indexes Web site content and other documents on a Windows
2000 computer so these items can be searched by users.
8. What is Certificate Services?
9. What term is used to refer to an organization that uses a
computer to create, issue, and manage certificates, and is also used
to refer to the actual server that performs the task of issuing and
managing certificates?
Chapter 18 ▼ Managing Web and Certificate Services 1209

Managing Web Services


In Windows 2000, Web services is an umbrella term that encompasses several
Internet-related services that enable users to publish on and communicate
over the Internet. With Web services, you can host Web sites, FTP sites, and
newsgroups. In Windows 2000, Web services is synonymous with Internet
Information Services (IIS).
IIS is Windows 2000’s Web server. IIS is actually a collection of several services. Some of the most commonly used components of IIS are:
■ World Wide Web Server: This service enables a Windows 2000 computer to host one or more Web sites and function as a Web server.
■ File Transfer Protocol (FTP) Server: This service enables a Windows 2000 computer to host FTP sites. Client computers can use these FTP sites to upload and download files.
■ FrontPage 2000 Server Extensions: This service enables users of client computers that run Microsoft FrontPage to publish and manage Web sites on the Windows 2000 computer that has FrontPage 2000 Server Extensions installed.
■ SMTP Service: SMTP stands for Simple Mail Transfer Protocol. This service enables a Windows 2000 computer to function as an outgoing mail server. The SMTP Service makes it possible for Web site clients to send e-mail messages directly from a Web site hosted by the Windows 2000 computer.
■ NNTP Service (Server only): NNTP stands for Network News Transport Protocol. This service enables a Windows 2000 Server computer to host Internet newsgroups.
IIS 5.0 is an integral part of Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server. However, there are a few differences in IIS as it is implemented in Windows 2000 Professional. In Windows 2000 Professional, IIS is limited to a maximum of ten connections (versus unlimited connections in the Windows 2000 Server/Advanced Server implementations). In addition, Internet Services Manager (HTML) and the NNTP Service are not available on Windows 2000 Professional computers.
Windows 2000 Professional has one exclusive IIS component that Windows 2000 Server and Advanced Server don’t have: Personal Web Manager. This application is a simplified administrative tool that enables a novice user to manage and monitor a Web site on a Windows 2000 Professional computer.
IIS requires the use of TCP/IP, which is installed by default during the
installation of Windows 2000 Professional, Windows 2000 Server, and
Windows 2000 Advanced Server.

Installing IIS Components


Some, but not all, IIS components are installed by default during the installation of Windows 2000. If you chose not to install IIS during your installation of Windows 2000, or if you need additional IIS components, you can use the Add/Remove Programs application in Control Panel to install IIS components. Install only the components you actually need: each one you add is another network-facing service that must be patched and monitored, and one you can remove again through the same dialog box.

STEP BY STEP

ADDING IIS COMPONENTS

1. Select Start ➪ Settings ➪ Control Panel.


2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove Windows
Components.
4. In the Windows Components Wizard dialog box, highlight Internet Information
Services (IIS), and click Details.
5. The Internet Information Services (IIS) dialog box appears, as shown in Figure
18-1. Notice that the check box next to many IIS components is already selected —
these components are already installed. The actual components installed on your
Windows 2000 computer may differ from the ones shown in this figure.
Select the check box next to each IIS component you want to add. Clear the
check box next to any IIS component you want to remove. Click OK.
6. In the Windows Components Wizard dialog box, click Next.
7. If prompted, insert your Windows 2000 compact disc into your computer’s
CD-ROM drive and click OK. Close the Microsoft Windows 2000 CD dialog box.
Windows 2000 configures components and installs the selected IIS components.
In the Completing the Windows Components Wizard screen, click Finish.
8. Close Add/Remove Programs. Then close Control Panel.
FIGURE 18-1 Selecting IIS components to install

Configuring a Web Site


Once the World Wide Web Server component of IIS is installed on your Windows 2000 computer, that computer functions as a Web server. When the World Wide Web Server is installed, it creates a Default Web Site on the Windows 2000 computer.
The Default Web Site is basically empty when it’s first created. It does have a help file, which is configured to be the default home page, and some subfolders designed to support FrontPage 2000 Server Extensions. The contents of the Default Web Site are located, by default, in the C:\Inetpub\wwwroot folder on the Windows 2000 computer.
You can manage and configure the Default Web Site and any other Web sites on your computer by using the Internet Services Manager administrative tool. Internet Services Manager is an MMC console like many of the other administrative tools in Windows 2000. You can use this tool to manage IIS on the local computer, or you can connect to another computer on your network to manage IIS remotely.
In the steps that follow, I’ll show you the basics of configuring the Default Web Site. You can also use these same steps to configure any other Web site on your Windows 2000 Web server.

STEP BY STEP

CONFIGURING THE DEFAULT WEB SITE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Internet Services Manager.


2. In the left pane of the Internet Information Services dialog box, click the + next to
the server that contains the Web site you want to configure. Right-click Default
Web Site, and select Properties from the menu that appears.
3. The Default Web Site Properties dialog box appears, as shown in Figure 18-2.
Notice the Description text box. You can change the name of the Default Web
Site by typing in a new name in this text box.

FIGURE 18-2 Configuring the Default Web Site

Configure the settings on the various tabs to meet your needs. (I’ll discuss each
of these tabs in the rest of this section.) Click OK.
4. Close the Internet Information Services dialog box.
There are numerous tabs in a Web site’s Properties dialog box. On the Web Site tab, which is shown in Figure 18-2, you can assign one of the computer’s IP addresses to this Web site. You can also configure the TCP port number that will be used by Web clients to access this Web site. The default port number of 80 is used for most Web sites. You can also configure connection limits and connection time-outs on this tab. Windows 2000 Professional computers have a maximum limit of ten connections. Connection limits and time-outs are also your first defense against a flood of idle or half-open connections exhausting the server, so avoid leaving them unlimited on an Internet-facing site. You can also enable logging and select a log file format on this tab.
On the Operators tab, you can specify which user accounts in the domain can manage this Web site. This tab is not available on Windows 2000 Professional computers.
On the Performance tab, you can configure three performance options for your Windows 2000 Web server. Figure 18-3 shows the Performance tab.

FIGURE 18-3 Configuring performance options

Use the Performance tuning slider to tune the performance of your Web server, based on the number of anticipated hits the site will receive each day. This slider configures the amount of the computer’s RAM that is reserved for this Web site. If you want to prevent your Web server from using all of the available bandwidth on its network segment, select the check box next to “Enable bandwidth throttling” and specify the maximum amount of bandwidth you want the Web server to use, in kilobytes per second. Finally, if you want to limit the amount of processor time used by this Web site, you can select the “Enable process throttling” check box and specify a maximum percentage of CPU usage. You must also select the check box next to “Enforce limits,” or the CPU limitation you specified won’t be enforced; Windows 2000 will simply write an event to the Event log when the limit is exceeded.
On the ISAPI Filters tab, you can add and order ISAPI filters for the Web site. An ISAPI filter is a custom Web server application that extends the capabilities of a Web server. Because a filter is loaded into the Web server process and sees every request and response, install only filters that come from a source you trust.
On the Home Directory tab, you can manage and configure the home folder for this Web site. Figure 18-4 shows the Home Directory tab. Notice the path in the Local Path text box. This path specifies the location of the Web site’s home folder. By default, for the Default Web Site, this is C:\Inetpub\wwwroot.

FIGURE 18-4 Configuring home directory options

On this tab you can configure the location of the home directory. The home directory for the Web site can be either a folder located on this computer or a shared folder or URL on another computer. You can also specify Web permissions and application settings for the home directory.
On the Documents tab, you can specify which document will be displayed as the Web site’s home page to Web clients. Figure 18-5 shows the Documents tab.

FIGURE 18-5 Configuring the default document

Notice that you can add and remove documents, and configure the order of documents on this tab. The document at the top of the list becomes the default document. If the check box next to “Enable Default Document” is not selected, Web clients will have to specify the name of the document they want to access in the URL they type in their browser; if they don’t specify a document, an error message is displayed.
On the Directory Security tab, you can configure anonymous access and authentication methods. You can also configure IP address and domain name restrictions. Finally, you can assign a certificate to the Web site, and configure secure, encrypted communications between the Web server and Web clients. I’ll discuss this tab in greater detail in the “Managing Web Server Security” section later in this chapter.
On the HTTP Headers tab, you can configure content expiration settings, custom HTTP headers, and content ratings for the Web site. An HTTP header is a value that is appended to all responses from the Web server to the Web client. Content ratings are used to identify the level of violence, sex, nudity, and offensive language in the Web site’s content. These levels range from 0 (least offensive) to 4 (most offensive) for each category. If you don’t assign content ratings to your Web site, Web clients who have configured content ratings in their Web browsers won’t be able to access your Web site.
On the Custom Errors tab, you can specify a custom HTML document that will be displayed to Web clients when the associated HTTP error occurs on your Web server. Instead of using the default documents supplied by Microsoft, you can associate a custom document (that perhaps has a better explanation of the error) with a specific HTTP error number. For most situations, the default documents are adequate, although a custom page also lets you avoid showing visitors the detailed error text, including file names and paths on the server, that the default pages can include.
The Server Extensions tab is not operational until you configure your Windows 2000 Web server to use FrontPage Server Extensions. To accomplish this task, in the left pane of the Internet Information Services dialog box, right-click the Default Web Site and select All Tasks ➪ Configure Server Extensions. Then complete the Server Extensions Configuration wizard. Once the server is configured to use FrontPage Server Extensions, you can use the Server Extensions tab to configure Web content authoring options and security settings.

Using Personal Web Manager


Personal Web Manager is an easy-to-use Windows 2000 Professional tool that enables a novice user to manage and monitor a Web site on the local Windows 2000 Professional computer. Personal Web Manager enables you to stop and start the Default Web Site, view connection statistics, and manage Web site properties.
Personal Web Manager is an administrative tool. You can access it from the Administrative Tools folder in Control Panel, or from the Administrative Tools menu if you have configured the Administrative Tools menu to be displayed in the Start Menu.

STEP BY STEP

WORKING WITH PERSONAL WEB MANAGER

1. On your Windows 2000 Professional computer, select Start ➪ Settings ➪


Control Panel.
2. In Control Panel, double-click the Administrative Tools folder.
3. In the Administrative Tools folder, double-click Personal Web Manager.


4. When the “Tip of the day” appears, click Close. The Personal Web Manager main
dialog box is displayed, as shown in Figure 18-6. Notice the statistics displayed in
the Monitoring section of this dialog box.

FIGURE 18-6 Personal Web Manager

To stop the Default Web Site, click Stop.


To view a product tour of IIS, click Tour.
To manage advanced Web site properties, such as enabling and configuring the
default document, configuring access and application permissions, and creating
virtual directories, click Advanced.
5. Close Personal Web Manager.

Publishing Web Content


At this point, you may be anxious to start publishing Web content on your Windows 2000 Web server. You might want to begin by using a Web page development tool to create your Web server’s home page. Once you’ve created your home page, you’ll need to copy the home page (which consists of an HTML file that should be named Default.htm, and any supporting graphics files) to the C:\Inetpub\wwwroot folder on your Windows 2000 Web server.
Anyone on your network (and, if your network is connected to the Internet, any Internet user) can access the home page by typing http://FQDN_of_your_Windows_2000_Web_server in their browser. For example, if your Windows 2000 Web server is named WWW and is located in a domain called domain1.mcse, you would type http://www.domain1.mcse in Internet Explorer to access your Web server’s home page.
There are basically three ways to publish additional Web content on your Windows 2000 Web server:
■ You can publish additional Web pages in the home folder of your Default Web site. To do this, copy the additional Web pages into this Web site’s home folder.
■ You can create a virtual directory and place Web pages in the folder to which the virtual directory points. A virtual directory is accessed by Web clients as though it were a subfolder of your Default Web site or another Web site on the Web server.
■ You can create a virtual server and place Web pages in the virtual server’s home folder. A virtual server appears to Web clients as a separate server with its own FQDN, although it exists on the same computer as the Default Web Site. You can only create virtual servers on Windows 2000 Server and Advanced Server computers.
In the next two sections, I’ll show you how to create a virtual directory and a virtual server.

Creating a Virtual Directory


A virtual directory is a child Web site that doesn’t contain Web content. Rather, it is a pointer to an actual folder that contains its Web content. A virtual directory is created on a Windows 2000 Web server. The folder containing the Web content can be located either on the Windows 2000 Web server or on any other computer on the network that is a member of the domain to which the Web server belongs.
The primary purpose of virtual directories is to organize the content of a large Web site into manageable-sized chunks, in much the same way you would use folders to organize the contents of a volume.
Web clients access a virtual directory as though it were a subfolder of a Web site. For example, the Windows2000 virtual directory in the www.microsoft.com Web site is accessed as www.microsoft.com/windows2000. A virtual directory can be a child of a Web site or a child of another virtual directory on the Web server.
There is one drawback to using virtual directories: if the folder that contains the Web content is stored on a computer other than the Windows 2000 Web server, network traffic is increased because the content must cross the network twice, once from the remote computer to the Web server, and again from the Web server to the Web client that requested the document. In that case IIS also reaches the share with a specific user account, which you set in the virtual directory’s Home Directory properties; give that account Read permission only, on both the share and the NTFS folder, so that a compromised Web server can’t be used to alter the content.
There are two different ways you can create a virtual directory. You can use Internet Services Manager (or Personal Web Manager) to create a virtual directory on the Web server. You can also use Windows Explorer (on the Windows 2000 Web server) to designate a folder on a local drive as a virtual directory for one of the Web sites on this computer.

STEP BY STEP

USING INTERNET SERVICES MANAGER TO CREATE A


VIRTUAL DIRECTORY

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Internet Services Manager.


2. In the left pane of the Internet Information Services dialog box, click the + next to the server that contains the Web site in which you want to create a virtual directory. Right-click the Web site, and select New ➪ Virtual Directory.
3. The Virtual Directory Creation wizard starts. Click Next.
4. In the Virtual Directory Alias screen, type in the user-friendly name that Web clients will use to access this virtual directory. Click Next.
5. In the Web Site Content Directory screen, either enter the local path to the folder that contains the Web content for this virtual directory, or enter a UNC path to the shared folder on another server that contains the Web content for this virtual directory. You can browse for this folder if you need to. Click Next.
6. The Access Permissions screen appears, as shown in Figure 18-7. Notice the permissions listed in this dialog box.
Select the appropriate access permissions for the virtual directory. The selected permissions are granted to all users who access the virtual directory. The “Read” and “Run scripts” check boxes are selected by default. Click Next.
FIGURE 18-7 Setting access permissions for the virtual directory

7. In the “You have successfully completed the Virtual Directory Creation Wizard”
screen, click Finish.
8. Internet Services Manager creates the virtual directory and displays it in the left
pane of the Internet Information Services dialog box under the Web site in which
you created it.
9. If you want to configure the properties of the virtual directory, right-click the virtual
directory and select Properties from the menu that appears. Configuring a virtual
directory is similar to configuring a Web site.
10. Close the Internet Information Services dialog box.

STEP BY STEP

USING WINDOWS EXPLORER TO CREATE A VIRTUAL DIRECTORY

1. On the Windows 2000 Web server, right-click My Computer, and select Explore
from the menu that appears.
2. In the left pane, click the + next to the local drive that contains the folder you want to designate as a virtual directory. Expand folders until the folder you want to designate is displayed in the left pane. Right-click this folder, and select Properties from the menu that appears.
3. In the folder’s Properties dialog box, click the Web Sharing tab.
4. On the Web Sharing tab, select the Web site on the local computer that will contain the virtual directory from the “Share on” drop-down list box. Then select the “Share this folder” option.
5. In the Edit Alias dialog box, enter the user-friendly name that Web clients will use to access this virtual directory in the Alias text box. Then select the appropriate access permissions for the virtual directory. The selected permissions are granted to all users who access the virtual directory. Click OK.
6. In the folder’s Properties dialog box, click OK.
7. Windows 2000 creates the virtual directory. Close Windows Explorer. (If you
want to configure the properties of the virtual directory, use Internet Services
Manager to do so.)

Creating a Virtual Server


A virtual server is a pseudo WWW server with its own unique fully qualified domain name (FQDN), and often its own IP address. In Microsoft documentation, a virtual server is also called a Web site. To the Internet user accessing the virtual server, a virtual server appears to be a separate server; but in reality, a virtual server is not a separate server, but more like a shared folder on the Windows 2000 Server Web server that is accessed by specifying a different FQDN. A Windows 2000 Server Web server can be configured to accommodate multiple virtual servers. Each virtual server is assigned a separate home folder.
For example, an ISP could use one Windows 2000 Server Web Server to host virtual servers for several customers. Each customer could have its own FQDN for its Web site, such as www.company_a.com, www.company_b.com, www.company_c.com, and so on. To Internet users accessing these Web sites, each FQDN appears to be located on a different server. Remember, though, that all of these virtual servers share one operating system, one IIS process, and the same NTFS volumes, so keep each customer’s home folder on NTFS with permissions that don’t let one site’s content author read or write another’s.
You can only create virtual servers on Windows 2000 Server and Advanced Server computers; Windows 2000 Professional doesn’t support this feature.
Because some older Web browsers don’t send the HTTP Host header that lets the Web server tell host-header-based sites apart, sites that share an IP address and port can’t be reached by those browsers, so you may need to assign IP addresses to any virtual servers you create. If you want to create a virtual server that will have its own IP address, you should configure an additional IP address for the network adapter card in your computer before you create the virtual server. To configure an additional IP address, in the Network and Dial-up Connections folder, configure the advanced TCP/IP settings for the connection that Web clients will use to access the virtual server.
STEP BY STEP

CREATING A VIRTUAL SERVER

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Internet Services Manager.


2. In the left pane of the Internet Information Services dialog box, right-click the
server on which you want to create a virtual server, and select New ➪ Web Site.
3. The Web Site Creation wizard starts. Click Next.
4. In the Web Site Description screen, type in a description for the Web site.
Click Next.
5. The IP Address and Port Settings dialog box appears, as shown in Figure 18-8.

FIGURE 18-8 Configuring IP address and port settings for a virtual server

Configure at least one of the following options:
■ If you want to assign the virtual server an IP address, select one from the “Enter the IP address to use for this Web site” drop-down list box.
■ If you need to change the TCP port number this virtual server will use, specify this number in the “TCP port this web site should use” text box.
■ If you want to specify the FQDN that Web clients will use to access this virtual server (such as www.companyB.com), enter it in the “Host Header for this site” text box.
TIP
You must specify either an IP address, a port number other than 80, or a host header in this dialog box to differentiate the virtual server from all other Web sites on this Windows 2000 Web server. Otherwise, the virtual server won’t work. The most common item used to differentiate the virtual server from other Web sites is an IP address.

Click Next.
6. In the Web Site Home Directory screen, enter the path to the home folder you
want to assign to the virtual server. This can be either a local path to the home
folder for this virtual server, or a UNC path to the shared folder on another server
that will function as the home folder for this virtual server. You can browse for this
folder if you need to. Click Next.
7. In the Web Site Access Permissions screen, select the appropriate access permissions for the virtual server’s home folder. The selected permissions are granted to all users who access this home folder. The “Read” and “Run scripts” check boxes are selected by default. Click Next.
8. In the “You have successfully completed the Web Site Creation Wizard” screen,
click Finish.
9. Internet Services Manager creates the virtual server, and displays it in the left
pane of the Internet Information Services dialog box. If you need to configure your
new virtual server, right-click the virtual server and select Properties from the
menu that appears. Configuring a virtual server is the same as configuring any
other Web site. Close Internet Information Services.
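To show why the TIP in the previous procedure matters, here is an added example (Python of my own, not code from this book or from IIS) that models how a server hosting several Web sites picks the site for an incoming request from the three things you set in the wizard: IP address, TCP port, and host header. The preference order used when more than one binding matches is my simplification, and the three sample sites are constructed; the conflict check reproduces the situation the TIP warns about, where two sites with identical bindings cannot both run.

```python
ANY_IP = "All Unassigned"  # IIS's name for "any address on this computer"


def binding_matches(binding, ip, port, host):
    """Does an (ip, port, host_header) binding accept a request that arrived on
    ip:port carrying the given Host header (None for an HTTP/1.0 client)?"""
    b_ip, b_port, b_host = binding
    if b_port != port:
        return False
    if b_ip != ANY_IP and b_ip != ip:
        return False
    # An empty host header in the binding accepts any Host value, including none
    if b_host and b_host.lower() != (host or "").lower():
        return False
    return True


def choose_site(sites, ip, port, host=None):
    """Pick the site for a request. sites maps a site name to its list of bindings.
    Preference when several bindings match (an assumption of this example): a
    binding with a host header beats one without, and a specific IP beats
    All Unassigned. Returns None when no site is bound to that ip:port."""
    best_name, best_score = None, -1
    for name, bindings in sites.items():
        for binding in bindings:
            if binding_matches(binding, ip, port, host):
                score = (2 if binding[2] else 0) + (1 if binding[0] != ANY_IP else 0)
                if score > best_score:
                    best_name, best_score = name, score
    return best_name


def find_conflicts(sites):
    """Return (first_site, second_site, binding) for every binding two sites share;
    this is the configuration the TIP says won't work."""
    seen = {}
    conflicts = []
    for name, bindings in sites.items():
        for ip, port, host in bindings:
            key = (ip, port, host.lower())
            if key in seen:
                conflicts.append((seen[key], name, key))
            else:
                seen[key] = name
    return conflicts


# Constructed sample: one server, three sites told apart by host header, port and IP
SAMPLE_SITES = {
    "Default Web Site": [(ANY_IP, 80, "")],
    "www.company_b.com": [(ANY_IP, 80, "www.company_b.com")],
    "Intranet": [("10.0.0.5", 8080, "")],
}
```

Note what happens to a client that sends no Host header: it lands on the Default Web Site, not on www.company_b.com, which is exactly why the text recommends a dedicated IP address when such clients must be supported.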

Managing Web Server Security


When it comes to managing a Web server, security is of paramount concern. You’re concerned about protecting the resources on your Windows 2000 Web server. You also want to make sure only authorized users gain access to your Web content. In addition, you may want to ensure that communications to and from the Web server are secure and protected from interception. In fact, there are so many things to be concerned about that you could lose a lot of sleep at night worrying about Web security issues.

EXAM TIP
The Server exam has two objectives on controlling access to Web sites
and the files and folders they contain. Be sure you have Web server
security down cold when you take this exam.

There are several things you can do to enhance your Windows 2000
Web server’s security.You can:
■ Specify the authentication methods a particular Web site (or virtual
directory) will permit, including whether that site will permit
anonymous access.
■ Grant or deny access to a particular Web site (or virtual directory)
based on the Web client’s IP address or Internet domain name.
■ Configure encrypted communications to and from the Web server
by obtaining a certificate for the Web server.
■ Configure home directory security settings for a particular Web
site (or virtual directory).
■ Place all Web content on NTFS volumes.
■ Use physical and network security methods to protect the
Web server.
You can perform the first four items in this list by configuring the
Properties of the Web site. (For details on how to access this dialog box, see
the step-by-step section titled “Configuring the Default Web Site” earlier
in this chapter.) If you have more than one Web site on your Web server,
you must configure these security options for each Web site. Figure 18-9
shows the Directory Security tab in a Web site’s Properties dialog box (in
this case, the Default Web Site). Notice the three types of security that can
be configured on this tab.
To configure authentication methods, in the “Anonymous access and
authentication control” section on the Directory Security tab, click Edit.
The Authentication Methods dialog box appears, as shown in Figure 18-10.
Notice that, by default, anonymous access to the Web site is allowed. This
means that users are not required to provide a user name and password to
access this Web site.
FIGURE 18-9 Configuring Web site security

FIGURE 18-10 Configuring authentication methods for a Web site


You can configure several authentication options in this dialog box:


■ Anonymous access: This option, which is selected by default, permits users to access the Web site without providing a user name and password. If Web content for this Web site is stored on an NTFS volume, Windows 2000 maps anonymous accesses to a specified user account. If that user account doesn’t have the appropriate NTFS permissions to the Web content, the anonymous user is prompted to authenticate to the Windows 2000 Web server by using one of the authentication methods selected in the lower portion of the dialog box. By default, anonymous users are mapped to the IUSR_Server_name user account, which is a member of the Guests group. The NTFS permissions you give this account define everything an anonymous visitor can reach, so grant it Read only, and only on the Web content folders. To change the account used for anonymous access, click Edit in the “Anonymous access” section. If you don’t want to permit anonymous access to the Web site, clear this check box.
■ Basic authentication: If you select this method, users who authenticate to the Windows 2000 Web server hosting this Web site send their user names and passwords Base64-encoded, which is clear text for all practical purposes: anyone using a protocol analyzer to capture the packets can decode the credentials instantly. If you select this option, you can optionally specify the Windows 2000 domain that will authenticate these users. Basic authentication is the one method that works with every browser and through every proxy server, but use it only on a site (or virtual directory) that requires an SSL connection, so that the credentials are encrypted in transit.
■ Digest authentication for Windows domain servers: If you select this method, users who authenticate to the Windows 2000 Web server hosting this Web site are permitted to use digest authentication. With this method the browser sends an MD5 hash computed from the user name, password, and a nonce supplied by the server, rather than the password itself, so a captured packet doesn’t reveal the password. Digest authentication can be used through a proxy server or a firewall, and at the time of writing it is supported only by Windows 2000 domains and by Internet Explorer 5 or later. If you select this method, you must configure all user accounts that will access this Web site to store their password using reversible encryption, which means the domain controllers hold those passwords in a recoverable form; limit this setting to the accounts that really need it. Digest authentication can only be used on Windows 2000 Web servers that are members of a Windows 2000 domain.
■ Integrated Windows authentication: This method, which is selected by default, permits users who authenticate to the Windows 2000 Web server hosting this Web site to use their normal Windows 2000 logon authentication. This is the most secure method of authentication, because it uses the Kerberos version 5 authentication protocol (or NTLM challenge/response where Kerberos isn’t available), and the password itself never crosses the network. It works only with Internet Explorer, and it generally doesn’t work through proxy servers, so it is best suited to intranet sites.
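To make the difference between Basic and Digest authentication concrete, here is an added example (Python of my own, not code from this book or from IIS) that decodes a Basic header the way anyone capturing the packet could, and then builds and verifies an RFC 2617 Digest response the way the browser and the server do. The user name, realm, nonce, URI, and password are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample: an Authorization header exactly as a sniffer would capture it
CAPTURED_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")


def parse_basic(header: str):
    """Recover user name and password from a Basic Authorization header.
    Base64 is an encoding, not encryption: anyone holding the packet can do this."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2), where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_digest_header(user, realm, password, method, uri, nonce):
    """What the browser sends after a Digest challenge: the password is absent."""
    response = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def parse_digest(header: str) -> dict:
    """Parse the key="value" fields of a Digest header (no commas inside values here)."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    fields = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


def verify_digest(stored_password, fields, method):
    """Server side. Recomputing HA1 needs the clear password, which is why IIS
    requires the account to store it with reversible encryption."""
    expected = digest_response(fields["username"], fields["realm"], stored_password,
                               method, fields["uri"], fields["nonce"])
    return hmac.compare_digest(expected, fields["response"])
```

Two things the code makes visible: a captured Basic header gives up the password with one decoding call, while a captured Digest header gives up only a hash bound to one method, URI, and nonce. Digest protects the password, not the request: without a fresh nonce per challenge a captured header could be replayed against the same URI, so SSL is still the answer when the content itself must be protected.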
To grant or deny access to the Web site based on the Web client’s IP address or Internet domain name, in the “IP address and domain name restrictions” section on the Directory Security tab, click Edit. The IP Address and Domain Name Restrictions dialog box appears, as shown in Figure 18-11.

FIGURE 18-11 Configuring IP address and domain name restrictions

If you select the “Granted Access” option, all Web clients will be granted access to this Web site except those whose IP addresses or domain names are explicitly listed in this dialog box. If you select the “Denied Access” option, all Web clients will be denied access to this Web site except those whose IP addresses or domain names are explicitly listed in this dialog box. To add IP addresses (or domain names) to this dialog box, click Add. Two cautions apply: a domain-name entry forces the Web server to perform a reverse DNS lookup for every request, which slows the site and relies on DNS data you don’t control, and an IP address restriction identifies the client only by the source address of its packets, so every user behind the same proxy server or firewall looks the same. Treat these restrictions as a supplement to authentication, not a replacement for it.
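As an added example (Python of my own, not the book’s or IIS’s code) of how the two modes behave, here is a small evaluator that applies a restriction list of the kind you build in this dialog box: single addresses, subnets written as address/mask the way the dialog takes them, and domain-name entries written with a leading dot. All the addresses and names in it are constructed.

```python
import ipaddress


class IpRestrictions:
    """Model of the IIS 'IP Address and Domain Name Restrictions' dialog.
    default is "granted" or "denied"; the listed entries are the exceptions."""

    def __init__(self, default, exceptions=()):
        if default not in ("granted", "denied"):
            raise ValueError("default must be 'granted' or 'denied'")
        self.default = default
        self.networks = []   # single IPs and subnets, e.g. "10.0.0.0/255.0.0.0"
        self.domains = []    # domain names, e.g. ".evil.example"
        for entry in exceptions:
            if entry.startswith("."):
                self.domains.append(entry.lower())
            else:
                # strict=False accepts a host address without a mask as a /32
                self.networks.append(ipaddress.ip_network(entry, strict=False))

    def is_listed(self, client_ip, client_hostname=None):
        """True when the client matches an exception entry. The hostname, if any,
        is whatever reverse DNS returned for client_ip, so it is only as
        trustworthy as that DNS data."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.networks):
            return True
        if client_hostname:
            host = client_hostname.lower().rstrip(".")
            return any(host == d[1:] or host.endswith(d) for d in self.domains)
        return False

    def allows(self, client_ip, client_hostname=None):
        """Granted-by-default: listed clients are denied. Denied-by-default:
        only listed clients get in."""
        listed = self.is_listed(client_ip, client_hostname)
        return listed if self.default == "denied" else not listed


def filter_requests(rules, requests):
    """Apply the rules to (ip, hostname) pairs and return the rejected ones,
    which is the list you would expect to see in the site's log as 403s."""
    return [req for req in requests if not rules.allows(*req)]
```

The `denied` default is the one to use for an administrative virtual directory: a short list of trusted addresses and nothing else gets in, and a typo in the list fails closed rather than open.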
To configure encrypted communications to and from the Web server by obtaining a certificate for the Web server, in the “Secure communications” section on the Directory Security tab, click Server Certificate. Then follow the directions presented on-screen in the IIS Certificate Wizard to obtain a certificate for this Web server. Once you’ve installed a certificate, you can use Web server applications that use Secure Sockets Layer (SSL) encryption on traffic to and from the Web server. Installing the certificate only makes SSL available; to make it mandatory for a site or virtual directory, click Edit in the same section and select the option to require a secure channel. In addition, you can configure the Web server to authenticate Web clients by using certificates (such as those contained on smart cards) instead of user names and passwords. (I’ll cover how to use certificates in more detail later in this chapter.)
To configure home directory security settings for a Web site, you’ll need to access the Home Directory tab in the Web site’s Properties dialog box. Figure 18-12 shows the Home Directory tab.

FIGURE 18-12 Configuring home directory security options

There are several settings that affect your Web site’s security on this tab:
■ Script source access: If you select this option, Web clients will
be permitted to view the source code for scripts that run on this
Web site. This practice is normally not recommended if security
is a concern.
■ Read: This option, which is selected by default, enables Web
clients to access this Web site. You must ensure this option is
selected or else Web clients will be unable to open this Web
site’s Web pages.
■ Write: If you select this option, Web clients will be able to upload
files to this Web site. This practice is normally not recommended if
security is a concern.
■ Directory browsing: If you select this option, Web clients will be
able to use their Web browser to view a list of subfolders and files
contained in this Web site. This practice is normally not recommended
if security is a concern.
■ Log visits: This option, which is selected by default, causes the
Windows 2000 Web server to log each access to the Web site. This
option is recommended if you want to monitor Web site usage.
Chapter 18 ▼ Managing Web and Certificate Services 1229

■ Index this resource: This option, which is selected by default,
causes the Indexing service to include this Web site’s contents in
its Index. The Indexing service is covered later in this chapter.
■ Execute Permissions: This setting determines whether Web
clients can run scripts and executables in this Web site. There are
three options in this drop-down list box: None, Scripts only, and
Scripts and Executables. Select the option that corresponds to the
type of content in the Web site. For example, if your Web site contains
executables, you should select the Scripts and Executables
option. If your Web site doesn’t contain any scripts or executables,
select None.

CAUTION
If you select Scripts and Executables, and you enable the Write permis-
sion to the Web site, you may end up exposing data in the Web site, and
potentially the entire Web server, to hackers, who could upload a file con-
taining a damaging executable (such as a virus).
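A check of the Home Directory settings above for the combinations the text and the caution warn about, as an added example that is not code from the book or from IIS. The option names follow the tab, the defaults follow the text, the constructed WEAK_SITE is the configuration in the caution, and the NEEDED_EXECUTE mapping is my assumption about what each kind of content requires.

```python
"""Audit of a Web site's Home Directory tab settings.

Added illustration, not code from the book or from IIS: a site's settings are
written as a dict keyed by the option names on the tab, and findings are
produced for the combinations the text and the caution warn about.
"""
from typing import Dict, List, Tuple

EXECUTE_LEVELS = ("None", "Scripts only", "Scripts and Executables")

# The defaults the text gives for a new Web site.
DEFAULTS = {
    "Script source access": False,
    "Read": True,
    "Write": False,
    "Directory browsing": False,
    "Log visits": True,
    "Index this resource": True,
    "Execute Permissions": "Scripts only",
}

# Assumption: the lowest execute level each kind of content needs.
NEEDED_EXECUTE = {
    "static": "None",
    "scripts": "Scripts only",
    "executables": "Scripts and Executables",
}

Finding = Tuple[str, str]   # (severity, message)


def audit_site(settings: Dict[str, object], content: str = "static") -> List[Finding]:
    """Return findings for one site; `content` says what the site actually holds."""
    s = {**DEFAULTS, **settings}
    if s["Execute Permissions"] not in EXECUTE_LEVELS:
        raise ValueError(f"unknown Execute Permissions value: {s['Execute Permissions']!r}")
    needed = NEEDED_EXECUTE[content]
    findings: List[Finding] = []

    if s["Write"] and s["Execute Permissions"] == "Scripts and Executables":
        # The combination the caution describes: a client uploads a file, then runs it.
        findings.append(("HIGH", "Write plus Scripts and Executables lets a client "
                                 "upload an executable and run it on the server"))
    elif s["Write"] and s["Execute Permissions"] == "Scripts only":
        # Assumption added here: an uploaded script would run too, so treat it the same.
        findings.append(("HIGH", "Write plus Scripts only lets a client upload a script and run it"))
    elif s["Write"]:
        findings.append(("MEDIUM", "Write lets clients upload files to the site"))

    if s["Script source access"]:
        findings.append(("MEDIUM", "Script source access exposes script source code to clients"))
    if s["Directory browsing"]:
        findings.append(("MEDIUM", "Directory browsing lists the site's folders and files to clients"))
    if EXECUTE_LEVELS.index(s["Execute Permissions"]) > EXECUTE_LEVELS.index(needed):
        findings.append(("MEDIUM", f"Execute Permissions is {s['Execute Permissions']!r} but "
                                   f"{content} content only needs {needed!r}"))
    if not s["Log visits"]:
        findings.append(("MEDIUM", "Log visits is off, so accesses to the site are not recorded"))
    if not s["Read"]:
        findings.append(("INFO", "Read is off, so clients cannot open the site's pages"))
    return findings


def hardened(settings: Dict[str, object], content: str = "static") -> Dict[str, object]:
    """Corrected copy: no uploads, no source or listing exposure, execute only as needed."""
    s = {**DEFAULTS, **settings}
    s.update({
        "Write": False,
        "Script source access": False,
        "Directory browsing": False,
        "Log visits": True,
        "Execute Permissions": NEEDED_EXECUTE[content],
    })
    return s


# Constructed example: the site in the caution, which only serves static pages.
WEAK_SITE = {"Write": True, "Execute Permissions": "Scripts and Executables",
             "Directory browsing": True}

if __name__ == "__main__":
    for severity, message in audit_site(WEAK_SITE, "static"):
        print(f"[{severity}] {message}")
    print("after hardening:", audit_site(hardened(WEAK_SITE, "static"), "static"))
```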

You can also increase your Web server’s security by only placing Web con-
tent on NTFS volumes, and configuring NTFS permissions for the Web
content.

CROSS-REFERENCE
See Chapter 11 for detailed information on assigning NTFS permissions
to files and folders.

Finally, you can use physical and network security to safeguard your
Windows 2000 Web server. Physical security usually involves placing the
server in a locked room that only administrators have access to. Network
security often involves the use of firewalls to protect the Web server (and
the network to which it is attached) from unauthorized access.

Monitoring Access to Files and Folders in Web Sites


Web sites are frequently monitored to determine how much the Web site
is being utilized, which Web pages are being accessed most frequently, and
who is accessing the Web site. In addition, the Windows 2000 Web server
may be monitored periodically to ensure that its resources (memory,
processor, disk, and so on) are adequate for its Web server tasks.

Logging is enabled on all Web sites created on a Windows 2000 Web
server, by default. To view log files of Web site activity, including accesses to
the files and folders in the Web site, you can use Notepad or any other text
editor. By default, a Web site’s log file is stored in the
SystemRoot\system32\LogFiles folder.
Another way to manage logging is to select the ODBC Logging option
and configure the logging data to be exported directly to a database. Then
you can use the database’s report tool to generate a report of Web site
activity. This option is easier, from an administrator’s standpoint, than wading
through voluminous text files.
If you store your Web content on NTFS volumes, and if you disable
anonymous access to the Web site, you can use Windows 2000 auditing to
track accesses (and attempted accesses) to files and folders in a Web site.
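Reading such a log file programmatically instead of in Notepad, as an added example that is not code from the book or from IIS: the log lines are constructed, and the column list follows the IIS 5.0 W3C Extended default.

```python
"""Summary of an IIS W3C Extended log such as those under SystemRoot\\system32\\LogFiles.

Added illustration, not code from the book or from IIS. The log below is
constructed; its column list matches the IIS 5.0 W3C Extended default, and the
parser reads the "#Fields:" directive rather than assuming fixed columns, so it
also copes with a site whose administrator has added or removed fields.
"""
import io
from collections import Counter
from typing import Dict, Iterable, Iterator, List

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-04-24 09:45:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2000-04-24 09:45:01 192.0.2.10 - 10.0.0.5 80 GET /default.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+NT+5.0)
2000-04-24 09:45:02 192.0.2.10 - 10.0.0.5 80 GET /images/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+NT+5.0)
2000-04-24 09:45:07 192.0.2.44 - 10.0.0.5 80 GET /reports/q1.htm - 401 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+NT+5.0)
2000-04-24 09:45:08 192.0.2.44 jsmith 10.0.0.5 80 GET /reports/q1.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+NT+5.0)
2000-04-24 09:45:09 192.0.2.44 jsmith 10.0.0.5 80 GET /default.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+NT+5.0)
2000-04-24 09:46:10 198.51.100.9 - 10.0.0.5 80 GET /scripts/ - 403 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+NT+5.0)
2000-04-24 09:46:11 198.51.100.9 - 10.0.0.5 80 GET /old/ - 404 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+NT+5.0)
2000-04-24 09:46:12 198.51.100.9 - 10.0.0.5 80 GET /test/ - 404 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+NT+5.0)
2000-04-24 09:46:13 198.51.100.9 - 10.0.0.5 80 GET /default.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+NT+5.0)
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields: List[str] = []
    for raw in io.StringIO(text):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            # Directives: #Software, #Version, #Date and #Fields. A new #Fields
            # line appears whenever the set of logged columns changes.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("log entry before any #Fields: directive")
        # W3C Extended writes spaces inside a value as '+', so a plain split is safe.
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def summarize(records: Iterable[Dict[str, str]]) -> Dict[str, Counter]:
    """The questions the text asks of a log: which pages, which clients, which users."""
    pages: Counter = Counter()
    clients: Counter = Counter()
    users: Counter = Counter()
    failures: Counter = Counter()
    for r in records:
        pages[r["cs-uri-stem"]] += 1
        clients[r["c-ip"]] += 1
        if r["cs-username"] != "-":
            users[r["cs-username"]] += 1
        status = int(r["sc-status"])
        # A 401 followed by a 200 carrying a user name is the normal challenge and
        # response of Basic or Integrated Windows authentication, so 401 is not
        # counted as a failure here; 403 (for example a refused directory listing
        # or an IP address restriction) and 404 are.
        if status >= 400 and status != 401:
            failures[r["c-ip"]] += 1
    return {"pages": pages, "clients": clients, "users": users, "failures": failures}


def clients_to_review(summary: Dict[str, Counter], threshold: int = 3) -> List[str]:
    """Client addresses with at least `threshold` failed requests in the log."""
    return sorted(ip for ip, n in summary["failures"].items() if n >= threshold)


def summarize_sample() -> Dict[str, Counter]:
    return summarize(parse_w3c(SAMPLE_LOG))


if __name__ == "__main__":
    s = summarize_sample()
    print("most requested:", s["pages"].most_common(3))
    print("busiest clients:", s["clients"].most_common(3))
    print("authenticated users:", dict(s["users"]))
    print("clients to review:", clients_to_review(s))
```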

CROSS-REFERENCE
Auditing of files and folders was covered in Chapter 13.

You can also use System Monitor, a Performance tool, to monitor the
Web Service object and its many counters. The Web Service object and its
counters are available in System Monitor when the World Wide Web
Server component of IIS is installed on a Windows 2000 computer. You
can also use System Monitor to determine if your Web server has adequate
memory, processor, and disk resources.

CROSS-REFERENCE
I’ll cover how to use System Monitor in Chapter 21.

Troubleshooting Web Services


Typically, Windows 2000 Web servers don’t require much troubleshooting.
Once the Web server is up and running, it normally just works.
However, it’s not uncommon to experience difficulties when implementing
Web services on your corporate intranet or on the Internet. Most
often these problems are the result of an incorrectly configured option on
the Windows 2000 Web server or Web site. Table 18-1 lists some common
Web services problems and suggested solutions to those problems.

TABLE 18-1 Common Web Services Problems and Solutions

Problem: Users report that they can’t access a Web site on your Windows 2000
Web server by typing the FQDN of the Web server in their Web browser.
Recommended Solution: Try to access the Web site by typing the IP address of
the Web server instead of its FQDN in your Web browser. If this works, ensure
that the Web server, including all of its aliases, is correctly listed in your
domain’s DNS server, and that the DNS server is operating.

Problem: Users report that they are prompted to enter a user name and password
to access a Web site even though you configured that Web site to permit
anonymous access.
Recommended Solution: Verify that the anonymous user account (IUSR_Server_name)
has the appropriate NTFS permissions to the files and folders in the Web site.

Problem: Your Web content developer reports that the executables he has included
in your company’s Web site don’t run when he accesses this Web site from a Web
browser.
Recommended Solution: Ensure that the properties of the Web site are configured
so that the Execute Permissions (on the Home Directory tab) option specifies
that both Scripts and Executables can be run in this Web site. (The default
setting for this option is Scripts only.)

Problem: A user reports that she is able to access your company’s Web site from
her computer at the office, but is unable to access the Web site from her home
computer.
Recommended Solution: If you have implemented IP address and domain name
restrictions on this Web site, ensure that the user’s home computer is not
denied access to the Web site by IP address or domain name. Or, if you’re using
a firewall, configure the firewall so that the user can connect to the Web site
through the firewall. Or, if security is critical to this Web site, you may
need to instruct the user to only access the Web site from her computer at the
office.

Problem: Users who use older versions of Internet Explorer and Netscape
Navigator report that they are unable to access a virtual server on your
Windows 2000 Web server.
Recommended Solution: Because older Web browsers require an IP address when
accessing a virtual server, ensure that the virtual server is configured with
its own IP address.

Using the Indexing Service


The Indexing Service is a Windows 2000 service that indexes Web site content
and other documents on a Windows 2000 computer so these items can
be searched by users. You can think of the Indexing Service as a Windows
2000 search engine.

The Indexing Service is installed on both Windows 2000 Professional and
Windows 2000 Server/Advanced Server computers by default. However, the
service is configured to start manually, which means the service isn’t enabled
until you start it.
When you first start the Indexing Service, it examines all HTML documents,
plain-text documents, Microsoft Office 95 and later documents,
Internet mail and news files, and any other type of document for which a
document filter is available. Then the Indexing Service creates catalogs
(indexes) of the words and phrases contained in these files, as well as the
properties of these documents. The Indexing Service automatically creates
two catalogs: one for HTML and other documents contained in Web sites
on the computer (the Web catalog), and one for all other indexable documents
on the computer (the System catalog).
After the catalogs are constructed, users can search all indexed documents
by word, phrase, or other property of the file, such as the author’s
name. As existing files are modified and new files are added, the Indexing
Service updates its catalogs, automatically, in the background.
By default, all files and folders on a Windows 2000 computer’s local hard
disk are configured with the advanced attribute “For fast searching, allow
Indexing Service to index this file (folder).” In addition, by default, the
local hard disk is also configured to “Allow the Indexing Service to index
this disk for fast file searching.” Finally, all Web sites on a Windows 2000
Web server, by default, are configured to “Index this resource.”

CAUTION
The Indexing Service requires a fair amount of disk space (as much as 40
percent of the space used by indexable documents) for the catalogs it
generates. If space on your hard disk is an issue, you may not want to
enable this service.

Using the Indexing Service is as easy as starting the service (and changing
its startup type to automatic), waiting for the service to create the catalog,
and then performing searches. There are several search tools you can use:
■ The Search tool in the Start menu
■ The Search tool in Windows Explorer
■ The Indexing Service’s query tool in Computer Management

TIP
Depending on the amount of data on your computer’s local hard disk, the
Indexing Service may require from 1 to 24 hours, or sometimes even
longer, to create the catalog.

STEP BY STEP

ENABLING THE INDEXING SERVICE

1. Right-click My Computer, and select Manage from the menu that appears.
2. In the left pane of the Computer Management dialog box, click the + next to
Services and Applications. Highlight Services. Then, in the right pane, right-click
the Indexing Service, and select Properties from the menu that appears.
3. In the Indexing Service Properties (Local Computer) dialog box, select Automatic
from the “Startup type” drop-down list box. Then click Start. Click OK.
4. The Indexing Service is started, and is configured to automatically start every time
the computer starts. Close Computer Management.

Because you’re probably already familiar with the Windows Explorer
Search tool (which is the same search tool found in the Start menu), I’ll
show you how to use the Indexing Service’s query tool in Computer
Management.

STEP BY STEP

USING THE INDEXING SERVICE TO QUERY THE CATALOG

1. Right-click My Computer, and select Manage from the menu that appears.
2. In the left pane of the Computer Management dialog box, click the + next to
Services and Applications. Click the + next to Indexing Service. Click the + next
to either Web or System, depending on whether you want to search the computer’s
Web sites or its other documents. Highlight Query the Catalog.
3. In the right pane, an Indexing Service Query Form appears, as shown in
Figure 18-13.

FIGURE 18-13 Querying a catalog

In the “Enter your free text query below” text box, type in the word or phrase you
want to search for. For information on constructing better queries, click the “Tips
for searching” link. Click Search.
4. The results of the search are returned in the right pane. Close Computer
Management.

Managing Certificate Services


Certificate Services is a Windows 2000 Server service used to create, issue,
and manage certificates on a Windows 2000 network. If your company’s
network isn’t connected to the Internet, you probably don’t have a need
for Certificate Services. However, if your network is connected to the
Internet, you may need the encryption and other security features that can
be provided by certificates and Certificate Services. Certificate Services
can be installed on any Windows 2000 Server computer, but can’t be
installed on Windows 2000 Professional computers.

An organization that uses a computer to create, issue, and manage certificates
is called a certification authority (CA). This term is also used to refer
to the actual server that performs the task of issuing and managing certificates.
In Windows 2000, the server on which Certificate Services is
installed is a CA, and is also called a certificate server. The CA receives
requests for certificates from other computers on the network, then verifies
the credentials in the request, and finally creates and issues the certificate.
A certificate is a cryptographic tool used for encrypting and decrypting
data, digitally signing files and other data, and performing user authentication.
A certificate consists of two parts: a public key and a private key. The
public key is the part of the certificate that an organization makes available
to anyone requesting it. It’s not a secret. On the other hand, a private key is
the part of the certificate that is kept private, and not disclosed to anyone
other than the user (or computer) to which it was issued. When you use
certificates and their associated public and private keys, you are said to be
implementing a public key infrastructure (PKI).
Any data encrypted by using the public key can only be decrypted by
using the private key. Likewise, any file digitally signed by using the private
key can only be verified by using the public key. In addition, a certificate
can be stored on a smart card, and when used in conjunction with a smart
card reader and a PIN number, can be used for user authentication.
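The two properties just stated (only the private key decrypts what the public key encrypted; only the public key verifies what the private key signed), as an added toy example that is not code from the book or from Certificate Services. It uses textbook RSA with two constructed small primes and a SHA-256 digest; the primes, key sizes and padding are nothing like a real certificate's.

```python
"""Toy demonstration of the public/private key relationship described above.

Added example, not code from the book or from Certificate Services: textbook RSA
with two small constructed primes so the arithmetic stays visible. A real
certificate binds a key of 1024 bits or more to a name with a CA's signature
and uses randomized padding; use a cryptographic library for anything real.
"""
import hashlib
from math import gcd
from typing import Tuple

PublicKey = Tuple[int, int]   # (n, e): handed to anyone who asks for it
PrivateKey = Tuple[int, int]  # (n, d): kept by the user or computer it was issued to


def is_prime(n: int) -> bool:
    """Trial division; adequate for the small constructed primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    if not (is_prime(p) and is_prime(q) and p != q):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)        # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public: PublicKey, m: int) -> int:
    """Anyone holding the public key can do this."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private: PrivateKey, c: int) -> int:
    """Only the holder of the matching private key recovers m."""
    n, d = private
    return pow(c, d, n)


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private: PrivateKey, message: bytes) -> int:
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public: PublicKey, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


# Constructed primes (the 9999th and 10000th primes); far too small for real use.
PUBLIC, PRIVATE = make_keypair(104723, 104729)


def demo() -> dict:
    secret = 424242
    ciphertext = encrypt(PUBLIC, secret)
    other_public, other_private = make_keypair(100003, 100019)   # someone else's pair
    document = b"signed build of report.exe"
    signature = sign(PRIVATE, document)
    return {
        "round_trip": decrypt(PRIVATE, ciphertext) == secret,                        # True
        "wrong_private_key": decrypt(other_private, ciphertext) == secret,           # False
        "signature_ok": verify(PUBLIC, document, signature),                         # True
        "tampered": verify(PUBLIC, b"signed build of report.exe ", signature),       # False
        "wrong_public_key": verify(other_public, document, signature),               # False
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:18} {result}")
```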
If you want to enable users to send encrypted e-mail messages, or enable
Web servers to perform encrypted two-way communication with Web
clients over the Internet, or you want to use certificates and smart cards to
authenticate users, you can either obtain certificates from a public CA,
such as Verisign, or you can create and issue your own certificates by using
Certificate Services. Because purchasing certificates from a public CA can
be costly, if you plan to use more than one or two certificates in your organization,
you’ll probably want to install Certificate Services to create and
issue your own certificates.

EXAM TIP
The Network exam has five objectives on using Certificate Services. If
you don’t use this feature regularly on your network, spend some time
learning how to issue and manage certificates before you take this exam.

In the following sections, I’ll show you how to install and configure
Certificate Services, how to create and issue certificates, how to revoke
certificates, and finally, how to manage Encrypting File System (EFS)
recovery agents.

Installing and Configuring Certificate Services


Certificate Services can be installed during the installation of Windows
2000 Server, but is not normally installed until later. Before you install
Certificate Services, you should ensure that the World Wide Web Server
and the Common Files components of IIS are installed. It probably goes
without saying, but Certificate Services also requires TCP/IP.
You can use the Add/Remove Programs application in Control Panel to
install and configure Certificate Services.

STEP BY STEP

INSTALLING CERTIFICATE SERVICES AND CONFIGURING A CA

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove Windows
Components.
4. In the Windows Components Wizard dialog box, select the check box next to
Certificate Services.
5. A warning dialog box appears, indicating that after Certificate Services is
installed, you will not be able to rename this computer, nor will you be able to join
a domain or remove the computer from the domain. Click Yes to continue.
6. In the Windows Components Wizard dialog box, click Next.
7. The Certification Authority Type screen appears, as shown in Figure 18-14.
Select the certification authority role this server will perform:
■ Enterprise root CA: Select this option if you’re installing the first certificate
server in the forest. This type of CA is the most trusted CA on the network.
This CA signs its own CA certificate, and can issue certificates to subordinate
CAs. An enterprise root CA requires the use of Active Directory. Only a
member of the Domain Admins group can install an enterprise root CA.
■ Enterprise subordinate CA: Select this option if you have already installed
an enterprise root CA in the forest, and you need an additional CA. This CA
must obtain its CA certificate from another CA in the forest. This type of CA
also requires the use of Active Directory.

FIGURE 18-14 Selecting a certification authority (CA) type

■ Stand-alone root CA: Select this option if you’re installing the first certificate
server that will become the root of a certificate authority hierarchy, and
you want to be able to isolate the CA from your network for security reasons.
This type of CA does not require the use of Active Directory.
■ Stand-alone subordinate CA: Select this option if you have already
installed a stand-alone root CA and you need an additional CA. This CA
must obtain its CA certificate from another CA in the hierarchy. This type of
CA does not require the use of Active Directory.
To configure advanced CA options, such as cryptographic service providers, hash
algorithms, or key lengths, select the check box next to “Advanced options,” and
select the appropriate options on the following screen.
Click Next.
8. In the CA Identifying Information screen, enter the CA name, organization, city,
state, description, and so on, to identify the CA. Click Next.
9. In the Data Storage Location screen, either accept the default database and log
locations, or specify different locations. Click Next.
10. A warning dialog box appears, as shown in Figure 18-15. Notice that IIS must be
stopped to complete the installation of Certificate Services. Click OK.

FIGURE 18-15 Certificate Services warning message

11. When prompted, insert your Windows 2000 Server compact disc into the computer’s
CD-ROM drive and click OK. When the Microsoft Windows 2000 CD
dialog box appears, close it. Windows 2000 installs Certificate Services. In the
Completing the Windows Components Wizard screen, click Finish.
12. Close Add/Remove Programs. Then close Control Panel.

Creating and Issuing Certificates


Now that you’ve installed Certificate Services and configured a CA, you’re
ready to specify the types of certificates your certificate server can issue.
One CA can issue many different types of certificates, such as User,
Computer, Web Server, Code Signing, Smartcard Logon, EFS Recovery
Agent, and so on.
You can specify the types of certificates a CA can create and issue by
using the Certification Authority administrative tool. This tool, like many
other Windows 2000 administrative tools, is an MMC console.

STEP BY STEP

SPECIFYING THE TYPES OF CERTIFICATES A CA CAN CREATE AND ISSUE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Certification Authority.
2. In the left pane of the Certification Authority dialog box, click the + next to the CA
you want to configure. Highlight the Policy Settings folder. In the right
pane, a list of certificate types this CA is currently permitted to issue is displayed,
as shown in Figure 18-16.

FIGURE 18-16 Viewing a CA’s policy settings

3. To specify an additional certificate type, select Action ➪ New ➪ Certificate to Issue.
4. The Select Certificate Template dialog box appears. This dialog box doesn’t display
all possible types of certificates, but displays only the types of certificates
this CA is not yet authorized to issue. Highlight the additional type of certificate
you want this CA to be able to issue. For example, if you want this CA to be able
to issue IPSec certificates, select IPSEC. Click OK.
5. Repeat Steps 3 and 4 until you have specified all desired certificate types. Close
Certification Authority.

Once you’ve specified the types of certificates the CA can create and
issue, users and client computers can request the certificates they need
from the CA. When certificates are first implemented, the users and computers
that require certificates request and receive them from the CA.
Once issued, certificates are typically valid for one year. After certificates
are implemented on a network, users and computers don’t normally
request certificates very often. Users and computers only request certificates
when they need to perform a task, such as code signing, for which a
certificate is required.
Users must manually request certificates for themselves. Users can also
manually request certificates for their computers. There are two methods
you can use to manually request certificates. Users of Windows 2000 computers
can use the Certificate snap-in to the MMC. Users of all other
computers can request certificates by using their Web browsers to access
the CA’s Web site at http://server_name_of_CA/certsrv.

In addition, an Administrator can use Group Policy to configure computers
to automatically request certificates, when needed, from the CA.

STEP BY STEP

USING THE CERTIFICATE SNAP-IN TO REQUEST A CERTIFICATE

1. On the Windows 2000 client computer, select Start ➪ Run.
2. In the Run dialog box, type mmc and click OK.
3. In the Console1 dialog box, select Console ➪ Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, highlight Certificates. Click Add.
6. In the Certificates snap-in dialog box, select whether you want to manage certificates
for your user account, for an account used by a Windows 2000 service, or
for a computer account. Click Finish.
7. In the Add Standalone Snap-in dialog box, click Close.
8. In the Add/Remove Snap-in dialog box, click OK.
9. Maximize the Console Root dialog box.
10. In the left pane of the Console 1 – (Console Root) dialog box, click the + next to
Certificates – Current User (or Service, or Local Computer). Click the + next to
the Personal folder. Highlight the Certificates folder. Select Action ➪ All
Tasks ➪ Request New Certificate.
11. The Certificate Request Wizard starts. Click Next.
12. In the Certificate Template screen, select the type of certificate you’re requesting.
Click Next.
13. In the Certificate Friendly Name and Description screen, enter a user-friendly
name and description for the new certificate. Click Next.
14. In the Completing the Certificate Request Wizard screen, click Finish.
15. The Certificate Request Wizard displays a dialog box, indicating that the certificate
request was successful. Click Install Certificate.
16. Another Certificate Request Wizard dialog box is displayed. Click OK.
17. The new certificate is displayed in the right pane. Close the MMC console.

If you don’t want users to have to manually request certificates for their
computers, you can use Group Policy to configure a computer, or all of the
computers in an Active Directory container, such as a domain or OU, to
automatically request certificates from the CA.

STEP BY STEP

CONFIGURING THE COMPUTERS IN AN OU TO AUTOMATICALLY REQUEST CERTIFICATES

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs as necessary until the OU you want to configure is displayed in
the left pane. Right-click the OU, and select Properties from the menu that
appears.
3. In the OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, double-click the Group Policy object (GPO) you want
to edit.
5. In the left pane of the Group Policy dialog box, click the + next to the Windows
Settings folder in the Computer Configuration section. Click the + next to the
Security Settings container. Click the + next to the Public Key Policies
folder. Highlight the Automatic Certificate Request Settings
folder.
6. Select Action ➪ New ➪ Automatic Certificate Request.
7. The Automatic Certificate Request Setup wizard starts. Click Next.
8. The Certificate Template screen appears, as shown in Figure 18-17.

FIGURE 18-17 Selecting a certificate template



In this screen, highlight the type of certificate you want all of the computers in this
OU to automatically request. Click Next.
9. In the Certification Authority screen, select one or more CAs from which the com-
puters in this OU can automatically request certificates. Click Next.
10. In the Completing the Automatic Certificate Request Setup screen, click Finish.
11. The Automatic Certificate Request policy is displayed in the right pane. If you want
all of the computers in this OU to automatically request more than one type of cer-
tificate, repeat Steps 6 through 10 as needed. Close the Group Policy dialog box.
12. In the OU’s Properties dialog box, click OK.
13. Close Active Directory Users and Computers.

Revoking Certificates
Certificates should be revoked when the user (or computer) that uses the
certificate no longer performs the task for which the certificate was
requested. For example, if an employee leaves the company, you should
revoke all of the user certificates assigned to that employee. Or, if an
employee was issued a Code Signing certificate, but has recently been pro-
moted to a management position and no longer performs code signing
tasks, you should revoke that user’s certificate.
You can use the Certification Authority administrative tool to revoke
certificates.

STEP BY STEP

REVOKING A CERTIFICATE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Certification Authority.
2. In the left pane of the Certification Authority dialog box, click the + next to the CA
that issued the certificate you want to revoke. Highlight the Issued
Certificates folder. In the right pane, right-click the certificate you want to
revoke, and select All Tasks ➪ Revoke Certificate.
3. A Certificate Revocation dialog box appears, asking if you’re sure you want to
revoke the certificate.
If you want to, you can specify a reason code for revoking this certificate, but this
configuration is optional.

TIP
If you think you might want to reinstate this certificate at a later date,
select a reason code of Certificate Hold. You can reinstate a held certificate
by using the certutil.exe command-line utility.

Click Yes.
4. The certificate is revoked. The certificate is moved from the Issued
Certificates folder to the Revoked Certificates folder. Close
Certification Authority.
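The issuing and revocation rules from the sections above (the Policy Settings list of certificate types a CA may issue, one-year validity, optional reason codes, and the Certificate Hold reason that alone can be reinstated), as an added example that is not code from the book or from Certificate Services. The CA name, subject and dates are constructed; the numeric reason codes are the standard X.509 CRL reasons.

```python
"""Model of the issuing and revocation rules described in this chapter.

Added illustration, not code from the book or from Certificate Services. It
follows the text: a CA issues only the certificate types listed under its Policy
Settings, an issued certificate is valid for one year, a revocation carries an
optional reason code, and only a certificate revoked with the Certificate Hold
reason can be reinstated. The numeric reason codes are the standard X.509 ones.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

REASON_CODES = {
    "unspecified": 0, "key compromise": 1, "CA compromise": 2,
    "affiliation changed": 3, "superseded": 4, "cessation of operation": 5,
    "certificate hold": 6,
}
HOLD = "certificate hold"


@dataclass
class IssuedCertificate:
    serial: int
    subject: str
    template: str
    not_before: date
    not_after: date
    revoked_on: Optional[date] = None
    reason: Optional[str] = None


class CertificationAuthority:
    def __init__(self, name: str, templates: List[str]):
        self.name = name
        self.templates = set(templates)            # the CA's Policy Settings list
        self.issued: Dict[int, IssuedCertificate] = {}
        self._next_serial = 1

    def allow_template(self, template: str) -> None:
        """Action > New > Certificate to Issue in the Certification Authority tool."""
        self.templates.add(template)

    def issue(self, subject: str, template: str, on: date,
              lifetime_days: int = 365) -> IssuedCertificate:
        if template not in self.templates:
            raise PermissionError(f"{self.name} is not configured to issue {template!r}")
        cert = IssuedCertificate(self._next_serial, subject, template,
                                 on, on + timedelta(days=lifetime_days))
        self._next_serial += 1
        self.issued[cert.serial] = cert
        return cert

    def revoke(self, serial: int, on: date, reason: str = "unspecified") -> None:
        if reason not in REASON_CODES:
            raise ValueError(f"unknown reason: {reason!r}")
        cert = self.issued[serial]
        # A held certificate may later be revoked for good; any other revocation is final.
        if cert.revoked_on is not None and cert.reason != HOLD:
            raise ValueError(f"certificate {serial} is already revoked")
        cert.revoked_on, cert.reason = on, reason

    def reinstate(self, serial: int) -> None:
        """Undo a Certificate Hold (the operation the text attributes to certutil.exe)."""
        cert = self.issued[serial]
        if cert.reason != HOLD:
            raise ValueError("only a certificate on hold can be reinstated")
        cert.revoked_on, cert.reason = None, None

    def is_valid(self, serial: int, on: date) -> bool:
        """What a relying party should conclude about the certificate on date `on`."""
        cert = self.issued.get(serial)
        if cert is None:
            return False
        if cert.revoked_on is not None and on >= cert.revoked_on:
            return False
        return cert.not_before <= on < cert.not_after

    def crl(self) -> List[Tuple[int, date, int]]:
        """Current revocation list: (serial, revocation date, reason code)."""
        return sorted((c.serial, c.revoked_on, REASON_CODES[c.reason])
                      for c in self.issued.values() if c.revoked_on is not None)


def demo() -> List[Tuple[int, date, int]]:
    """Constructed scenario: a developer's Code Signing certificate is put on hold,
    reinstated, and finally revoked after the developer moves to management."""
    ca = CertificationAuthority("CORP-CA", ["User", "Computer"])
    ca.allow_template("Code Signing")
    cert = ca.issue("jsmith", "Code Signing", date(2000, 4, 24))
    ca.revoke(cert.serial, date(2000, 9, 1), HOLD)
    ca.reinstate(cert.serial)
    ca.revoke(cert.serial, date(2000, 10, 1), "affiliation changed")
    return ca.crl()


if __name__ == "__main__":
    for serial, when, code in demo():
        print(f"serial {serial} revoked {when} reason code {code}")
```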

Managing Encrypting File System (EFS) Recovery Agents

As you may recall, the Encrypting File System (EFS) enables you to store files
on an NTFS volume in an encrypted format, so that if an unauthorized
user removes a hard disk from your computer, that user will be unable to
access the data contained in the encrypted files. EFS is implemented in
Windows 2000 by assigning the Encrypt attribute to folders and files. The
Encrypt attribute is normally applied by a user to protect sensitive data that
should only be accessed by that user.
But what happens when the user that assigned the Encrypt attribute is
not available, or no longer works for the company, and you need to access
the data contained in the encrypted files? That’s when you need an EFS
recovery agent. An EFS recovery agent is a user account that is assigned an
EFS Recovery Agent certificate that permits the user to unencrypt (that is,
recover) all encrypted files on a computer. By default, the Administrator
account is a recovery agent.
However, depending on the sensitivity of your company’s data, it may
not always be desirable to grant any person — even an Administrator — the
permissions to open any encrypted file at any time. So, what many companies
do to safeguard their data is designate a user (probably an administrator)
as a recovery agent, but then remove the user’s EFS Recovery Agent
certificate, so that the designated recovery agent can’t casually open and
view encrypted files.

The actual process of configuring a recovery agent in this manner is
somewhat complicated:
1. The user who will function as the EFS recovery agent requests and
receives an EFS Recovery Agent certificate from the CA.
2. The user exports the EFS Recovery Agent certificate to a file on a
floppy disk.
3. The Administrator uses the floppy disk containing the certificate to
designate the user as an EFS recovery agent (for a domain or OU) in
Group Policy. Then the Administrator stores the floppy disk in a safe,
vault, or other secure location.
4. Finally, the user removes his or her EFS recovery agent certificate.

EXAM TIP
One of the objectives for the Network exam mentions removing “the
Encrypting File System (EFS) recovery keys.” What this objective is really
referring to is the entire process of designating a recovery agent, and
then removing all EFS Recovery Agent certificates.

Later, if a recovery agent is needed to unencrypt data, the Administrator
or designated user retrieves the floppy disk containing the EFS Recovery
Agent certificate. Then the designated user imports that certificate onto
the computer that will be used to recover the data. The designated user
unencrypts the needed files. Lastly, the designated user deletes the EFS
Recovery Agent certificate from the computer, and returns the floppy disk
to the secure location.
In the following sections I’ll show you how to designate a user as a
recovery agent and how to remove the designated user’s EFS Recovery
Agent certificate.

TIP
Only the user that will receive a certificate can request a certificate. If
someone other than yourself is designated as the recovery agent, that
user should log on and request an EFS Recovery Agent certificate. That
user should also export the certificate and later delete the certificate.

STEP BY STEP

REQUESTING AN EFS RECOVERY AGENT CERTIFICATE

1. Select Start ➪ Run.
2. In the Run dialog box, type mmc and click OK.
3. In the Console1 dialog box, select Console ➪ Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, highlight Certificates. Click Add.
6. In the Certificates snap-in dialog box, select the “My user account” option. Click
Finish.
7. In the Add Standalone Snap-in dialog box, click Close.
8. In the Add/Remove Snap-in dialog box, click OK.
9. Maximize the Console Root dialog box.
10. In the left pane of the Console 1 – (Console Root) dialog box, click the + next to
Certificates – Current User. Click the + next to the Personal folder. Highlight
the Certificates folder. Select Action ➪ All Tasks ➪ Request New
Certificate.
11. The Certificate Request Wizard starts. Click Next.
12. In the Certificate Template screen, select EFS Recovery Agent. Click Next.
13. In the Certificate Friendly Name and Description screen, enter a user-friendly
name and description for the EFS Recovery Agent certificate. Click Next.
14. In the Completing the Certificate Request Wizard screen, click Finish.
15. The Certificate Request Wizard displays a dialog box, indicating that the certificate
request was successful. Click Install Certificate.
16. Another Certificate Request Wizard dialog box is displayed. Click OK.
17. The EFS Recovery Agent certificate is displayed in the right pane. Leave the
MMC console open and continue to the next set of steps.

After the designated user requests and receives an EFS Recovery Agent
certificate, that user should export the certificate to a floppy disk.
Export it twice: once without the private key, as the .cer file the
Group Policy wizard below consumes, and once with the private key, as a
password-protected .pfx file that is the only thing able to recover files later.

STEP BY STEP

EXPORTING THE EFS RECOVERY AGENT CERTIFICATE

1. Insert a floppy disk that will contain the EFS Recovery Agent certificate into your
computer’s A: drive.
2. In the right pane of the MMC console that you opened and configured in the pre-
vious section, right-click the EFS Recovery Agent certificate, and select All
Tasks ➪ Export.
3. The Certificate Export wizard starts. Click Next.
4. In the Export Private Key screen, select the “No, do not export the private key”
option. Click Next.
5. In the Export File Format screen, ensure that the “DER encoded binary X.509
(.CER)” format is selected. Click Next.
6. In the File to Export screen, type an appropriate name for the certificate, such as
a:\efscert, and click Next.
7. In the Completing the Certificate Export Wizard screen, click Finish.
8. A Certificate Export Wizard message appears, indicating the export was success-
ful. Click OK.
9. Close the MMC console.

The next step in the process is designating the user as a recovery agent
by using Group Policy. An Administrator should perform this task.

TIP
Even if a user has requested and received an EFS Recovery Agent cer-
tificate, that user can't decrypt any files until they have been desig-
nated as a recovery agent in Group Policy. The designation only covers
files encrypted (or re-encrypted) after the policy reaches the computer,
because the recovery field that names the agent is written into each
file at encryption time.

STEP BY STEP

DESIGNATING A RECOVERY AGENT

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs as necessary until the domain or OU for which you want to
designate a recovery agent is displayed in the left pane. Right-click the domain or
OU, and select Properties from the menu that appears.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, double-click the Group Policy object (GPO) you want
to edit.
5. In the left pane of the Group Policy dialog box, click the + next to the Windows
Settings folder in the Computer Configuration section. Click the + next to the
Security Settings container. Click the + next to the Public Key Policies
folder. Highlight the Encrypted Data Recovery Agents folder. Select
Action ➪ Add.
6. The Add Recovery Agent Wizard starts. Click Next.
7. The Select Recovery Agents screen appears. The easiest way to add a user to
the list of recovery agents is to retrieve the EFS Recovery Agent certificate from
the floppy disk. To do this, click Browse Folders.
8. In the Open dialog box, in the “File name” text box, type the full path to the
exported certificate file, for example, a:\efscert. Click Open.
9. In the Select Recovery Agents screen, click Next.
10. In the Completing the Add Recovery Agent Wizard screen, click Finish.
11. The newly designated recovery agent is displayed in the right pane. (If you have
previously designated other recovery agents that you no longer wish to use, high-
light them in the right pane, one at a time, and select Action ➪ Delete.) Close
Group Policy.
12. In the domain or OU’s Properties dialog box, click OK.
13. Close Active Directory Users and Computers.

The last part in the process is removing the designated user's EFS
Recovery Agent certificate. The user who requested the EFS Recovery
Agent certificate should perform this task (or you should be logged on as
that user). You can use either the Internet Options application in Control
Panel or the Certificates snap-in to the MMC to remove the certificate.
Once the certificate is deleted, nothing on this computer can decrypt
with it, so make sure the certificate and its private key were exported
to the offline medium first.

STEP BY STEP

DELETING EFS RECOVERY AGENT CERTIFICATES

1. Select Start ➪ Settings ➪ Control Panel.
2. In Control Panel, double-click Internet Options.
3. In the Internet Properties dialog box, click the Content tab.
4. On the Content tab, click Certificates.
5. The Certificates dialog box appears. Highlight the certificate you want to delete.
Before you delete the certificate, take special note of the “Certificate intended
purposes” section in the lower portion of this dialog box. Ensure that the
intended purpose of the certificate you’re deleting is “File Recovery.”
Click Remove.
6. A warning dialog box is displayed. Click Yes.
7. The certificate is deleted. In the Certificates dialog box, click Close.
8. In the Internet Properties dialog box, click OK.
9. Close Control Panel.
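The four steps above (request, export, designate, delete) can also be driven from a shell. The following script is an added example and not part of the book: Windows 2000 has no PowerShell, so it targets the PKI cmdlets of Windows 8 / Server 2012 and later, where EFS recovery agents work the same way. It finds the recovery certificate by its File Recovery enhanced key usage, exports the public .cer that the Group Policy wizard needs, exports a password-protected .pfx holding the private key for the safe, checks both exports, and only then removes the certificate and key from the computer. The drive letter A:\ and the file names are assumptions.

```powershell
# Added example (not from the book). Windows 2000 has no PowerShell, so this
# targets the PKI cmdlets of Windows 8 / Server 2012 and later, where EFS
# recovery agents work the same way. Drive letter and file names are assumptions.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery" (EFS recovery agent)
$Removable       = 'A:\'                         # offline medium that goes in the safe

# 1. Find the recovery agent certificate by its enhanced key usage rather than
#    by friendly name: the friendly name is free text that anyone can set.
$ra = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryEku })
if ($ra.Count -ne 1) { throw "Expected exactly one File Recovery certificate, found $($ra.Count)" }
$ra = $ra[0]
if (-not $ra.HasPrivateKey) { throw 'No private key: this certificate could never recover a file' }

# 2. Public half (DER .cer). This is what the Group Policy "Add Recovery Agent"
#    wizard consumes; it contains no secret and needs no password.
$cerPath = Join-Path $Removable 'efscert.cer'
Export-Certificate -Cert $ra -FilePath $cerPath -Type CERT | Out-Null

# 3. Private half (.pfx). This is what actually decrypts files later, so it
#    goes to the same offline medium, protected by a password.
$pfxPath  = Join-Path $Removable 'efscert.pfx'
$password = Read-Host -AsSecureString 'Password to protect the recovery private key'
Export-PfxCertificate -Cert $ra -FilePath $pfxPath -Password $password | Out-Null

# 4. Check the exports before destroying the only online copy of the key.
$pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($pub.Thumbprint -ne $ra.Thumbprint) { throw 'The .cer on the medium is not this certificate' }
if ($pub.HasPrivateKey) { throw 'A .cer must never carry a private key' }
$bak = Get-PfxCertificate -FilePath $pfxPath   # prompts for the password
if ($bak.Thumbprint -ne $ra.Thumbprint) { throw 'The .pfx on the medium is not this certificate' }

# 5. Only now remove certificate and key from this computer (the exam objective's
#    "remove the recovery keys" step). -DeleteKey removes the key container too.
Remove-Item -Path ("Cert:\CurrentUser\My\" + $ra.Thumbprint) -DeleteKey

# Later, on the computer holding the files to recover, as the designated agent:
#   Import-PfxCertificate -FilePath A:\efscert.pfx -CertStoreLocation Cert:\CurrentUser\My `
#       -Password (Read-Host -AsSecureString 'PFX password')
#   cipher /d C:\path\to\file        # decrypt; cipher.exe exists on Windows 2000 as well
#   Remove-Item Cert:\CurrentUser\My\<thumbprint> -DeleteKey
```

The designation itself (adding efscert.cer under Encrypted Data Recovery Agents) is still done in the Group Policy editor as described above; the script stops at the point where the book's procedure deletes the certificate, and the check in step 4 is what prevents the mistake of locking every user's data behind a key that no longer exists anywhere.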

KEY POINT SUMMARY

This chapter introduced several important Web and Certificate Services topics:
■ Internet Information Services (IIS) is Windows 2000’s Web server. IIS is a col-
lection of many services. Some of the most commonly used components are
World Wide Web Server, File Transfer Protocol (FTP) Server, FrontPage 2000
Server Extensions, the SMTP Service, and the NNTP Service.
■ Some IIS components are installed by default during the installation of
Windows 2000. You can add additional components by using Add/Remove
Programs.
■ IIS requires the use of TCP/IP.
■ You can manage and configure the Default Web Site and any other Web sites
on your computer by using the Internet Services Manager administrative tool.
■ Personal Web Manager is an easy-to-use Windows 2000 Professional tool
that enables a novice user to manage and monitor a Web site on the local
Windows 2000 Professional computer.
■ A virtual directory is a child Web site that doesn’t contain Web content. Rather,
it is a pointer to an actual folder that contains its Web content.
■ A virtual server is a pseudo WWW server with its own unique fully qualified
domain name (FQDN), and often has its own IP address. To the Internet user
accessing the virtual server, a virtual server appears to be a separate server;
but in reality, a virtual server is not a separate server.
■ You can do several things to increase security of your Windows 2000 Web
server, including:
 Specify the authentication methods a particular Web site (or virtual direc-
tory) will permit.
 Grant or deny access to a particular Web site (or virtual directory) based
on the Web client’s IP address or Internet domain name.
 Configure encrypted communications to and from the Web server by
obtaining a certificate for the Web server.
 Configure home directory security settings for a particular Web site (or vir-
tual directory).
 Place all Web content on NTFS volumes.
 Use physical and network security methods to protect the Web server.
■ Certificate Services is a Windows 2000 Server service used to create, issue,
and manage certificates on a Windows 2000 network.
■ An organization that uses a computer to create, issue, and manage certificates
is called a certification authority (CA). This term is also used to refer to the
actual server that performs the task of issuing and managing certificates.
■ You can use the Certification Authority administrative tool to manage the CA,
to specify the types of certificates the CA can issue, and to revoke certificates.
STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about IIS and Certificate Services, and to help you prepare for
the Professional, Server, and Network exams:
■ Assessment Questions: These questions test your knowledge of
the IIS and Certificate Services topics covered in this chapter.
You’ll find the answers to these questions at the end of this chapter.
■ Scenarios: The situation-based questions in scenarios challenge
you to apply your understanding of the material to solve a hypo-
thetical problem. In this chapter's scenarios, you are asked to trou-
bleshoot IIS problems and provide answers to the questions. You
don't need to be at a computer to do scenarios. Answers to this
chapter's scenarios are presented at the end of this chapter.
■ Lab Exercise: These exercises are hands-on practice activities that
you perform on a computer. The lab in this chapter gives you an
opportunity to practice installing and configuring IIS and
Certificate Services.

Assessment Questions
1. You want to install some additional Internet Information Services
components that were not installed during the installation of
Windows 2000 Server. Which tool should you use?
A. Internet Services Manager
B. Personal Web Server
C. Add/Remove Programs
D. Networking and Dial-up Connections folder
2. What protocol is required by Internet Information Services (IIS), the
Indexing Service, and Certificate Services?
A. TCP/IP
B. NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
C. NetBEUI
D. RIP Version 2 for Internet Protocol
3. You want to configure the Web site on your Windows 2000
Professional Web server computer. What tool can you use?
A. Folder Options
B. Internet Options
C. Windows Explorer
D. Personal Web Manager
4. You want to configure performance tuning for a Web site on your
Windows 2000 Server computer on which Internet Information
Services (IIS) is installed. What tool should you use to configure the
Web site?
A. Internet Options
B. Internet Services Manager
C. Network and Dial-up Connections folder
D. Personal Web Manager
5. You work for an ISP that wants to host several Web sites for several of
its customers on a single Windows 2000 Server computer on which
Internet Information Services (IIS) is installed. Each of your cus-
tomers wants their own Web site to appear as though it is located
on a separate server. How can you accomplish this?
A. Create a virtual directory for each of the Web sites.
B. Create a virtual server for each of the Web sites.
C. Assign a certificate to each of the Web sites.
D. Use a third-party utility to give the appearance of each Web site
being located on a separate server.
6. Which of the following actions can improve security on a Windows
2000 Web server? (Choose all that apply.)
A. Place all Web content on FAT volumes.
B. Use IP address or Internet domain name restrictions.
C. Obtain a certificate for the Web server.
D. Select Basic authentication for all Web sites on the Web server.
E. Disable anonymous access to all Web sites on the Web server.
7. You are preparing to install Certificate Services for the first time on
your Windows 2000 network.You plan to install Certificate Services
on a Windows 2000 Server computer that is a member of the domain.
You want the certification authority (CA) to be able to use Active
Directory.Which CA type should you select when you install
Certificate Services?
A. Enterprise root CA
B. Enterprise subordinate CA
C. Stand-alone root CA
D. Stand-alone subordinate CA
8. What must be true before a user can perform the role of an EFS
recovery agent? (Choose all that apply.)
A. The user must have an EFS Recovery Agent certificate.
B. The user must be an Administrator.
C. The user must be designated as an EFS recovery agent in Group
Policy.
D. The user must be logged on to a domain controller.

Scenarios
Troubleshooting access to Web servers and Web sites (and the files and
folders they contain) can be a complex task. For each of the following sit-
uations, consider the given facts and answer the question or questions that
follow.
1. Several users on your Windows 2000 network report that they are
prompted to enter a user name and password each time they access
an HTML file in a Web site on your company’s Windows 2000 Web
server, even though you configured that Web site to permit anony-
mous access.
a. What is the most likely cause of this problem?
b. What should you do to resolve the problem?
2. An employee of your company, John, just started telecommuting three
days a week. John reports that he is unable to access the company's
Web site when he is working at home, although he has no trouble
accessing the Web site from his computer at the office.
a. What is the most likely cause of this problem?
b. What should you do to resolve the problem?

Lab Exercise
Lab 18-1 Managing Web and Certificate Services
EXAM MATERIAL: Professional, Server, Network

The purpose of this lab is to provide you with an opportunity to practice
the concepts you learned in this chapter by installing and configuring IIS
and Certificate Services.
There are two parts to this lab:
■ Part 1: Configuring, Securing, and Monitoring IIS
■ Part 2: Installing, Configuring, and Using Certificate Services
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Configuring, Securing, and Monitoring IIS

In this part, you use the Network and Dial-up Connections folder to
assign an additional IP address to your network adapter card. Then you cre-
ate a home folder, and use Internet Services Manager to create, configure,
and secure a virtual Web server. Finally, you view one of the log files cre-
ated by IIS to monitor access to the Web server.
1. Select Start ➪ Settings ➪ Network and Dial-up Connections.
2. In the Network and Dial-up Connections folder, right-click
Local Area Connection, and select Properties from the menu that
appears.
3. In the Local Area Connection Properties dialog box, highlight
Internet Protocol (TCP/IP) and click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click
Advanced.
5. In the Advanced TCP/IP Settings dialog box, in the IP addresses
section, click Add.
6. In the TCP/IP Address dialog box, enter an IP address of
192.168.59.xxx, where xxx is a value that equals your current IP address plus
100. For example, if your IP address is currently 192.168.59.101,
enter an IP address of 192.168.59.201. Then, enter a subnet mask
of 255.255.255.0.
(Or, if you’re on a live network, use the IP address and subnet mask
provided to you by your administrator or instructor.)
Click Add.
7. In the Advanced TCP/IP Settings dialog box, click OK.
8. In the Internet Protocol (TCP/IP) Properties dialog box, click OK.
9. In the Local Area Connection Properties dialog box, click OK.
10. Close the Network and Dial-up Connections folder.
11. Select Start ➪ Programs ➪ Accessories ➪ Windows Explorer.
12. In the left pane, click the + next to My Computer. Click the +
next to Local Disk (C:). Highlight the Inetpub folder. Select File ➪
New ➪ Folder.
13. Type in a new name for the folder of Virtualwww and press Enter.
14. Close Windows Explorer.
15. Select Start ➪ Programs ➪ Administrative Tools ➪ Internet Services
Manager.
16. In the left pane of the Internet Information Services dialog box, click
the + next to server01. Then right-click server01, and select New ➪
Web Site.
17. The Web Site Creation wizard starts. Click Next.
18. In the Web Site Description screen, type in a description of Virtual
Server. Click Next.
19. In the IP Address and Port Settings dialog box, select the IP address
you just added from the “Enter the IP address to use for this Web
site” drop-down list box. Click Next.
20. In the Web Site Home Directory screen, enter a path of c:\inetpub\
virtualwww and click Next.
21. In the Web Site Access Permissions screen, select the check box next
to Execute. Click Next.
22. In the “You have successfully completed the Web Site Creation
Wizard” screen, click Finish.
23. Internet Services Manager creates the virtual server and displays it in
the left pane of the Internet Information Services dialog box. To con-
figure your new virtual server, right-click Virtual Server and select
Properties from the menu that appears.
24. In the Virtual Server Properties dialog box, click the Directory
Security tab.
25. On the Directory Security tab, in the “IP address and domain name
restrictions” section, click Edit.
26. In the IP Address and Domain Name Restrictions dialog box, select
the “Denied Access” option. Then click Add.
27. In the Grant Access On dialog box, select the “Group of computers”
option. Type in a Network ID of 192.168.59.0 and enter a subnet
mask of 255.255.255.0. This setting enables all computers on the
192.168.59.0 subnet to access this Web site and denies every other
address. Click OK.
28. In the IP Address and Domain Name Restrictions dialog box,
click OK.
29. On the Directory Security tab, click OK. Close the Internet
Information Services dialog box.
30. Right-click My Computer, and select Explore from the menu that
appears.
31. In the left pane, click the + next to Local Disk (C:). Click the + next
to the WINNT folder. Click the + next to the system32 folder. Click
the + next to the LogFiles folder. Highlight the W3SVC1 folder.
(W3SVC1 holds the Default Web Site's logs; each additional site,
including the virtual server you just created, logs to its own
W3SVC<site ID> folder.) In the right pane, double-click the last log
file listed.
32. Notepad opens the log file. Scroll down and view the contents of the
log file. Notice that you can view the users who have accessed the
Web site (anonymous requests show a user name of “-”), the IP
addresses of the users' computers, and the status code returned for
each request. Times in the W3C Extended log format are recorded in
UTC, not local time. Close Notepad.
33. Close Windows Explorer.
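To turn the log review in steps 31 and 32 into a repeatable check, the following script is an added example (not part of the book's lab, and written for a current Windows PowerShell rather than Windows 2000, which had none). It parses W3C Extended log records, applies the same rule you configured in steps 26 and 27 (deny by default, grant the 192.168.59.0/255.255.255.0 group of computers), and lists every request that came from outside the granted range. The log lines are constructed for this example, and the function names are the author's own.

```powershell
# Added example, not part of the book's lab: replay IIS W3C Extended log lines
# against the "Denied Access by default, grant 192.168.59.0/255.255.255.0"
# restriction configured in Part 1 and list requests from outside the granted
# range. The log lines below are constructed for this example; IIS writes the
# real ones to %SystemRoot%\system32\LogFiles\W3SVC<site ID>\ with times in UTC.
$W3cSample = @'
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-04-24 16:46:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2000-04-24 16:46:12 192.168.59.101 - 192.168.59.201 80 GET /default.htm - 200 Mozilla/4.0
2000-04-24 16:46:15 192.168.59.150 DOMAIN1\jsmith 192.168.59.201 80 GET /reports/q1.htm - 200 Mozilla/4.0
2000-04-24 16:47:02 10.0.0.7 - 192.168.59.201 80 GET /default.htm - 403 Mozilla/4.0
2000-04-24 16:47:40 192.168.60.14 - 192.168.59.201 80 GET /scripts/ - 403 Mozilla/4.0
'@

# Convert a dotted-quad address to a 32-bit number so a subnet mask can be applied.
function ConvertTo-AddressNumber([string]$Address) {
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 addresses are supported: $Address"
    }
    $bytes = $ip.GetAddressBytes()
    [Array]::Reverse($bytes)                     # network byte order -> host order
    return [uint32][BitConverter]::ToUInt32($bytes, 0)
}

# True when $ClientIp falls inside the "Group of computers" entry
# (Network ID + subnet mask) that the IIS restriction list grants.
function Test-IisGranted([string]$ClientIp, [string]$NetworkId, [string]$SubnetMask) {
    $mask = ConvertTo-AddressNumber $SubnetMask
    return (((ConvertTo-AddressNumber $ClientIp) -band $mask) -eq
            ((ConvertTo-AddressNumber $NetworkId) -band $mask))
}

# Parse the W3C Extended format: '#Fields:' names the columns, other '#' lines
# are directives, and each record is space separated with '-' for empty values.
function Read-W3cLog([string]$Text) {
    $fields = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line.Substring('#Fields:'.Length)).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'Record seen before a #Fields directive' }
        $values = $line -split ' '
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

$outside = Read-W3cLog $W3cSample |
    Where-Object { -not (Test-IisGranted $_.'c-ip' '192.168.59.0' '255.255.255.0') }

# Two of the four sample requests (10.0.0.7 and 192.168.60.14) are outside the
# granted subnet; IIS answered both with 403, which is the restriction at work.
$outside | Format-Table date, time, 'c-ip', 'cs-uri-stem', 'sc-status' -AutoSize
```

A request from outside the range that shows a 200 status instead of 403 means the restriction is not in effect for that site or virtual directory, which is exactly the check worth automating. Bear in mind that address restrictions are a coarse control, not authentication: the source address can belong to a proxy or NAT device shared by many users, and it says nothing about who is sitting at the client.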
Part 2: Installing, Configuring, and Using Certificate Services

In this part, you install and configure Certificate Services and create a cer-
tification authority (CA). Then you create and issue certificates, and export a
certificate. You also remove an EFS Recovery Agent certificate. Then you
designate an Encrypting File System (EFS) recovery agent in Group Policy.
Finally, you revoke a certificate. You'll need a floppy disk to perform this
part of the lab. Note that the lab exports only the public half of the
recovery certificate (a .cer file, which is all Group Policy needs) before
deleting the certificate. On a production system, also export the private
key as a password-protected .pfx file and store it offline; otherwise the
designated agent has no key with which to recover anything.
1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove
Windows Components.
4. In the Windows Components Wizard dialog box, select the check box
next to Certificate Services.
5. A warning dialog box appears, indicating that after Certificate Services
is installed, you will not be able to rename this computer, nor will you
be able to join a domain, or remove the computer from the domain.
Click Yes.
6. In the Windows Components Wizard dialog box, click Next.
7. In the Certification Authority Type screen, select the “Enterprise root
CA” option and click Next.
8. In the CA Identifying Information screen, enter a CA name of
domain1, and an organization name of domain1.mcse.Then enter
your city, state or province, e-mail address, and a CA description of
CA for domain1.mcse. Click Next.
9. In the Data Storage Location screen, accept the defaults and click Next.
10. A warning dialog box appears. Click OK.
11. When prompted, insert your Windows 2000 Server compact disc into
the computer's CD-ROM drive and click OK. When the Microsoft
Windows 2000 CD dialog box appears, close it. Windows 2000 installs
Certificate Services. In the Completing the Windows Components
Wizard screen, click Finish.
12. Close Add/Remove Programs. Then close Control Panel.
13. Select Start ➪ Run.
14. In the Run dialog box, type mmc and click OK.
15. In the Console1 dialog box, select Console ➪ Add Remove Snap-in.
16. In the Add/Remove Snap-in dialog box, click Add.
17. In the Add Standalone Snap-in dialog box, highlight Certificates.
Click Add.
18. In the Certificates snap-in dialog box, select the “My user account”
option. Click Finish.
19. In the Add Standalone Snap-in dialog box, click Close.
20. In the Add/Remove Snap-in dialog box, click OK.
21. Maximize the Console Root dialog box.
22. In the left pane of the Console 1 – (Console Root) dialog box, click
the + next to Certificates – Current User. Click the + next to the
Personal folder. Highlight the Certificates folder.
23. Select Action ➪ All Tasks ➪ Request New Certificate.
24. The Certificate Request Wizard starts. Click Next.
25. In the Certificate Template screen, select EFS Recovery Agent.
Click Next.
26. In the Certificate Friendly Name and Description screen, enter a
Friendly name of EFS Recovery and click Next.
27. In the Completing the Certificate Request Wizard screen, click Finish.
28. The Certificate Request Wizard displays a dialog box, indicating that
the certificate request was successful. Click Install Certificate.
29. Another Certificate Request Wizard dialog box is displayed. Click OK.
30. The EFS Recovery Agent certificate is displayed in the right pane.
Repeat Steps 23 through 29 to request another certificate, except this
time select a certificate template of User, and enter a Friendly name
of User Cert when prompted.
31. Insert a floppy disk into your computer's A: drive. In the right pane,
right-click the EFS Recovery Agent certificate that has a Friendly
Name of EFS Recovery, and select All Tasks ➪ Export.
32. The Certificate Export wizard starts. Click Next.
33. In the Export Private Key screen, select the “No, do not export the
private key” option. Click Next.
34. In the Export File Format screen, ensure that the “DER encoded
binary X.509 (.CER)” format is selected. Click Next.
35. In the File to Export screen, type a:\efscert and click Next.
36. In the Completing the Certificate Export Wizard screen, click Finish.
37. A Certificate Export Wizard message appears, indicating the export
was successful. Click OK.
38. In the right pane of the MMC console, right-click the EFS Recovery
Agent certificate that has a Friendly Name of EFS Recovery, and
select Delete from the menu that appears.
39. When a Certificates warning dialog box appears, click Yes.
40. Close the MMC console. When prompted to save console settings,
click No.
41. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory
Users and Computers.
42. In the left pane of the Active Directory Users and Computers dialog
box, right-click domain1.mcse, and select Properties from the menu
that appears.
43. In the domain1.mcse Properties dialog box, click the Group Policy tab.
44. On the Group Policy tab, double-click the Default Domain Policy.
45. In the left pane of the Group Policy dialog box, click the + next to the
Windows Settings folder in the Computer Configuration section.
Click the + next to the Security Settings container. Click the + next to
the Public Key Policies folder. Highlight the Encrypted Data
Recovery Agents folder. Select Action ➪ Add.
46. The Add Recovery Agent Wizard starts. Click Next.
47. The Select Recovery Agents screen appears. Click Browse Folders.
48. In the Open dialog box, type a:\efscert.cer in the File name text
box. Click Open.
49. In the Select Recovery Agents screen, click Next.
50. In the Completing the Add Recovery Agent Wizard screen, click
Finish.
51. The newly designated recovery agent is displayed in the right pane.
Close Group Policy.
52. In the domain1.mcse Properties dialog box, click OK.
53. Close Active Directory Users and Computers.
54. Select Start ➪ Programs ➪ Administrative Tools ➪ Certification
Authority.
55. In the left pane of the Certification Authority dialog box, click the +
next to domain1. Highlight the Issued Certificates folder. In
the right pane, there should be two certificates listed. Double-click
the last certificate in the list to open it.
56. In the Certificate dialog box, verify that this certificate is intended to
allow data on disk to be encrypted, protect e-mail messages, and prove
your identity to a remote computer. Click OK. If the certificate you
opened was intended for a different purpose, try double-clicking
another certificate in the console until you find the one just described.
57. In the right pane of the console, right-click the certificate that met the
criteria specified in Step 56, and select All Tasks ➪ Revoke Certificate.
58. A Certificate Revocation dialog box appears, asking if you’re sure you
want to revoke the certificate. Click Yes.
59. The certificate is revoked. The certificate is moved from the Issued
Certificates folder to the Revoked Certificates folder. Close
Certification Authority.

Answers to Chapter Questions


Chapter Pre-Test
1. The most commonly used components of IIS are World Wide Web
Server, File Transfer Protocol (FTP) Server, FrontPage 2000 Server
Extensions, the SMTP Service, and the NNTP Service.
2. World Wide Web Server
3. Personal Web Manager is an easy-to-use Windows 2000 Professional
tool that enables a novice user to manage and monitor a Web site on
the local computer.
4. A virtual directory is a child Web site that doesn’t contain Web content.
Rather, it is a pointer to an actual folder that contains its Web content.
5. A virtual server is a pseudo WWW server with its own unique fully
qualified domain name (FQDN), and often has its own IP address. To
the Internet user accessing the virtual server, a virtual server appears
to be a separate server; but in reality, a virtual server is not a separate
server, but more like a shared folder on the Windows 2000 Server
Web server that is accessed by specifying a different FQDN.
6. You can do several things to increase security of your Web server,
including:
 Specify the authentication methods a particular Web site (or vir-
tual directory) will permit, including whether that site will permit
anonymous access.
 Grant or deny access to a particular Web site (or virtual directory)
based on the Web client's IP address or Internet domain name.
 Configure encrypted communications to and from the Web
server by obtaining a certificate for the Web server.
 Configure home directory security settings for a particular Web
site (or virtual directory).
 Place all Web content on NTFS volumes.
 Use physical and network security methods to protect the
Web server.
7. The Indexing Service is a Windows 2000 service that indexes Web site
content and other documents on a Windows 2000 computer so these
items can be searched by users.
8. Certificate Services is a Windows 2000 Server service used to create,
issue, and manage certificates on a Windows 2000 network. Certificate
Services can be installed on any Windows 2000 Server computer, but
can’t be installed on Windows 2000 Professional computers.
9. Certification authority (CA)

Assessment Questions
1. C. Use the Add/Remove Programs application in Control Panel to
install additional IIS components.
2. A. When you think Internet (or anything Internet-related), think
TCP/IP.
3. D. Of the tools mentioned in the list, only Personal Web Manager
can be used to configure a Web site.
4. B. Use Internet Services Manager to configure the Web site. You
can't use Personal Web Manager in this situation because Personal
Web Manager is a Windows 2000 Professional–only tool.
5. B. Virtual servers are just what you need in this situation.You can use
Internet Services Manager to create them.
6. B, C, E. Placing Web content on FAT volumes doesn't provide secu-
rity, but placing content on NTFS volumes does. Selecting Basic
authentication also provides no security: user names and passwords
are sent base64-encoded, which is trivially reversible, unless the
connection is protected with SSL.
7. A. Select Enterprise root CA if you’re installing the first certificate
server in the forest.This type of CA requires the use of Active
Directory.
8. A, C. To perform the role of an EFS recovery agent, a user must have
an EFS Recovery Agent certificate (with its private key), and must be
designated as an EFS recovery agent in Group Policy.

Scenarios
1. The most likely cause of this problem is that you have configured
NTFS permissions on the file, but have not granted the Web server’s
anonymous user account (IUSR_Server_name) permissions to access
this file.To resolve this problem, assign the Web server’s anonymous
user account NTFS permissions to the file.
2. The most likely cause of this problem is that you have enabled IP
address restrictions on the Web site. To resolve this problem, either
remove the IP address restrictions, or add the IP address of John's
home computer to the list of IP addresses explicitly granted access
to the Web site.
EXAM MATERIAL: Professional, Server, Directory Services

EXAM OBJECTIVES

Professional: Exam 70-210
■ Perform an unattended installation of Windows 2000 Professional.
■ Install Windows 2000 Professional by using Windows 2000
Server Remote Installation Services (RIS).
■ Install Windows 2000 Professional by using the System
Preparation Tool.
■ Create unattended answer files by using Setup Manager to
automate the installation of Windows 2000 Professional.

Server: Exam 70-215
■ Perform an unattended installation of Windows 2000 Server.
■ Create unattended answer files by using Setup Manager to
automate the installation of Windows 2000 Server.
■ Create and configure automated methods for installation of
Windows 2000.

Directory Services: Exam 70-217
■ Deploy Windows 2000 by using Remote Installation Services (RIS).
■ Install an image on a RIS client computer.
■ Create a RIS boot disk.
■ Configure remote installation options.
■ Troubleshoot RIS problems.
■ Manage images for performing remote installations.
■ Configure RIS security.
■ Authorize a RIS server.
■ Grant computer account creation rights.
■ Prestage RIS client computers for added security and
load balancing.
CHAPTER 19
Deploying Windows 2000 on Your Network

In the “olden days” of computer networks, which weren't so very long ago,
deployment wasn’t a major issue. After all, most computer networks were
fairly simple and relatively small. Today, however, many computer networks are
vast enterprises encompassing several sites and thousands of workstations.
Because of this, deployment has become vastly more important. After all, who
wants to install Windows 2000 Professional on a thousand desktops?
Windows 2000 includes technologies to enable you to deploy Windows
2000 Professional and Server in a logical, organized, and — in most cases —
automated manner. In this chapter, I’ll examine the deployment tools and issues
you need to know as an administrator, and for the Windows 2000 exams.


Chapter Pre-Test
1. Where are the Windows 2000 deployment tools located?
2. Which deployment tool can you use to create answer files by
using a wizard?
3. What is the default name of a Windows 2000 unattended
installation answer file?
4. Which tool can be used to prepare a Windows 2000 computer
for disk duplication?
5. When using Sysprep, what additional tools do you need?
6. What must you do before a RIS server can respond to RIS
client requests?
7. What operating systems can you deploy by using RIS?

Overview of Windows 2000 Deployment


Consider these scenarios: Your company has just purchased 20 new servers. You are handed a Windows 2000 Server installation CD-ROM and told to get busy. Just think — hours and hours of answering the same setup questions, endless reboots and hardware detection — just how you wanted to spend your next week. Or, what if you are faced with installing Windows 2000 Professional on 3,000 client computers by using an installation compact disc?
Fortunately, these scenarios don’t have to be reality. Microsoft recognizes the size and complexity of distributed networks today, and Windows 2000 gives you several deployment tools and options. In the past, the concept of deployment referred to server-based deployment only, but in Windows 2000, deployment now refers to automated installations over the network using deployment tools, such as Setup Manager, Sysprep, and Remote Installation Services (RIS). For real-world deployment and for the Windows 2000 exams, you need to know what these tools are and how to use them.

Using Setup Manager


Windows 2000 includes a handy tool, the Windows 2000 Setup Manager wizard (called Setup Manager for short), which enables you to easily create answer files in order to automate Windows 2000 setup. Answer files are designed to “answer” setup questions without intervention from the administrator or user. You can use Setup Manager to automate over-the-network unattended installations, Sysprep installations, and RIS installations — all of which you’ll learn about in the upcoming sections. In a nutshell, you can install many Windows 2000 Server or Professional computers over the network without having to physically sit at the computer to answer the setup questions. Answer files are not new, but Setup Manager simplifies the process by giving you a wizard to create the answer file.
Setup Manager is not installed by default when you install Windows 2000, and it is not a component that you can install by using Add/Remove Programs in Control Panel. Rather, Setup Manager is found in the \SUPPORT\TOOLS folder on both the Windows 2000 Professional and Server compact discs. You can install Setup Manager and the other deployment and support tools by copying them from the DEPLOY.CAB file in the \SUPPORT\TOOLS folder.

STEP BY STEP

INSTALLING SETUP MANAGER

1. Insert your Windows 2000 compact disc (either Professional or Server) into your
computer’s CD-ROM drive. Close the Microsoft Windows 2000 CD dialog box.
2. From the desktop, right-click My Computer, and select Explore from the menu
that appears.
3. In the left pane, highlight Local Disk (C:). Select File ➪ New ➪ Folder.
4. In the right pane, type in a new folder name of Deployment and press Enter.
5. In the left pane, click the + next to your CD-ROM drive. Click the + next to the
SUPPORT folder. Highlight the TOOLS folder. In the right pane, double-click the
DEPLOY file. Select Edit ➪ Select All. Select Edit ➪ Copy To Folder.
6. In the Browse For Folder dialog box, click the + next to My Computer. Click the +
next to Local Disk (C:). Highlight Deployment. Click OK.
7. Windows 2000 extracts and copies the contents of the DEPLOY.CAB file to the
DEPLOYMENT folder. Close Windows Explorer.

Creating an Answer File by Using Setup Manager


An answer file is a file that responds to the Windows 2000 Setup program. The file answers the questions the Setup program poses to the user. With an answer file, you can completely automate the installation and setup of Windows 2000 Professional or Windows 2000 Server. You can use Setup Manager to create an answer file.

STEP BY STEP

CREATING AN ANSWER FILE BY USING SETUP MANAGER

1. Right-click My Computer, and select Explore from the menu that appears.
2. In the left pane, click the + next to Local Disk (C:). Highlight the Deployment
folder. In the right pane, double-click setupmgr.
3. The Windows 2000 Setup Manager wizard starts. Click Next.
4. The New or Existing Answer File screen appears. There are three basic options
on this screen:
 Create a new answer file: Select this option to create a new answer file.

 Create an answer file that duplicates this computer’s configuration: Select this option to create an answer file that mirrors your computer’s current configuration. This method is effective if you want to create several computers that are exactly the same.
 Modify an existing answer file: Select this option to edit an existing
answer file. If you select this option, you’ll need to enter the path to
the answer file you want to modify.
To create a new answer file, accept the default selection of “Create a new answer
file” and click Next.
5. In the Product to Install screen, select the Windows 2000 Unattended Installation
option, as shown in Figure 19-1. Click Next.

FIGURE 19-1 Creating an answer file for an unattended installation

6. In the Platform screen, select the operating system this answer file will be used
to install. Choose either Windows 2000 Professional or Windows 2000 Server.
Click Next.
7. The User Interaction Level screen appears, as shown in Figure 19-2. Notice
that a description of the selected option is displayed across the lower part of
the dialog box.
Select the appropriate option for the answer file you’re creating:
 Provide defaults: The user has full interaction with the Setup program.
The answer file provides the default Setup answers, and the user must
interact with the Setup program by accepting the default selections or
making changes. This is the default setting.

FIGURE 19-2 Selecting the level of user interaction during Windows Setup

 Fully automated: The user has no interaction with the Setup program
except for possibly entering a product key. A product key must be entered
for all OEM and retail versions of Windows 2000, but is not required for
versions purchased through a “select” agreement with Microsoft. All of the
answers are provided in the answer file, and the user cannot intervene or
make changes.
 Hide pages: The user has some interaction with the Setup program. Setup
screens for which the answer file provides answers are not displayed to the
user. Setup screens that are not answered are displayed to the user. This
feature enables you to automate some portions of Setup, but to collect
user-specific information as necessary.
 Read only: The user has no interaction with the Setup program. All Setup
screens are displayed to the user, but the user can’t make any changes to
these screens.
 GUI attended: The user has some interaction with the Setup program. The
text mode phase of the installation is automated, but the user must respond
to all of the screens in the Windows 2000 Setup Wizard phase.
Click Next.
8. If you selected the “Fully automated” option, the License Agreement screen
appears. Select the check box to accept the terms of the license agreement.
Click Next.

9. In the Customize the Software screen, enter the default name and organization
name you want to use. Click Next.
10. The next several screens prompt you to enter information that the answer file
will use to install Windows 2000. The screens vary, depending on whether you
selected Windows 2000 Professional or Windows 2000 Server.
11. The Distribution Folder screen appears. In this screen, choose one of the following
options and click Next.
 Yes, create or modify a distribution folder: Select this option if this
answer file will be used for an over-the-network installation. If you select
this option, Setup Manager copies the Windows 2000 source files to a
folder on the local hard disk, and shares this folder, so that over-the-network
installations can be performed. If you select this option, Steps 12 through
17 prompt you to enter information about this distribution folder, including
its name and any additional files and drivers you may want copied to the
distribution folder.
 No, this answer file will be used to install from a CD: Select this
option if this answer file will be used to perform an installation using a
compact disc. If you select this option, skip to Step 18.
12. The Distribution Folder Name screen appears, as shown in Figure 19-3. Notice
the default names of the distribution folder and distribution share.

FIGURE 19-3 Specifying a distribution folder


Choose whether you want to create a new distribution folder, or to modify an existing distribution folder. Then, specify a full path to the distribution folder and a share name that will be used by this folder. Click Next.
13. In the Additional Mass Storage Drivers screen, add any manufacturer-supplied
hard disk controller drivers for the computer(s) that this answer file will be used
to install Windows 2000 on. Use the Browse button to locate and select these
driver files. If you don’t have any additional device drivers, or once you have
selected the drivers, click Next.
14. In the Hardware Abstraction Layer screen, you can specify a custom HAL that
will be used by the answer file for installing Windows 2000. Use this option
only if your computer’s manufacturer supplies you with a custom HAL. Use
the Browse button to locate and select this file. Click Next.
15. In the Additional Commands screen, you can specify one or more commands that
will be run at the completion of the Windows 2000 installation and setup. These
commands are often used to install additional software. You can specify any
Windows 2000 command that doesn’t require you to be logged on. Add
commands as needed and click Next.
16. In the OEM Branding screen, you can specify a path to a custom logo and a path
to a custom background. This logo and background will be displayed during the
installation process. This screen is typically used by original equipment manufacturers (OEMs) to customize their installations of Windows 2000 on new computers.
Configure this screen as needed and click Next.
17. In the Additional Files or Folders screen, you can specify additional files and
folders you want Windows 2000 Setup to copy to the hard disk of the computer
on which you plan to install Windows 2000 by using this answer file. If this
computer has more than one hard disk, you can specify which disk the files
and folders will be copied to. Add files and folders as needed, then click Next.
18. In the Answer File Name screen, either accept the default answer file location and filename, or specify a new one. By default, the answer file is named unattend.txt. Click Next.
19. If you chose to create or modify a distribution folder, the Location of Setup Files
screen appears. In this screen, specify whether Setup Manager will copy the
Windows 2000 source files from the Windows 2000 compact disc, or from a
specified location on the network. Make your selection, then click Next. The
wizard copies the files to the distribution folder.
20. In the Completing the Windows 2000 Setup Manager Wizard screen, click Finish.

When Setup Manager creates your answer file, it stores it in one of two places. If you chose to create a distribution folder, the answer file is stored in the distribution folder. If you chose not to create a distribution folder, the answer file is stored in the folder from which you ran Setup Manager. You can view or edit your answer file (which is named unattend.txt by default) by using Notepad or any other text editor.

TIP
For more information on the format and parameters used in an answer
file, I recommend you print the unattend.doc file, which is located in
the folder in which you installed Setup Manager.

In addition to creating the answer file, Setup Manager creates one or two additional files and stores these files in the same location as the answer file. First, an unattend.bat file is created. This is a batch file used to launch the Windows 2000 installation. Then, if you specified more than one computer name when you used the wizard, Setup Manager creates an unattend.udf file. This file is a uniqueness database file that contains differences between computers when multiple installations will be performed by using a single answer file.
Now that you’ve created an answer file, you can use this answer file to
perform unattended installations of Windows 2000 on your network.

Using an Answer File to Perform an Unattended Installation
Performing an unattended installation of Windows 2000 Professional or
Windows 2000 Server by using an answer file is fairly straightforward if
you have a good DOS background. However, there are a few different
steps in the process, depending on whether you’re installing from a
compact disc, or performing an over-the-network installation by using a
shared distribution folder.
TIP
If you need to get up to speed on DOS, try DOS for Dummies, third edition, by Dan Gookin (IDG Books Worldwide) or A+ Certification Study System, by Michael A. Pastore and Bill Karow.

If you’re installing Windows 2000 from a compact disc, the first thing you should do is use MS-DOS (or Windows 95 DOS, or Windows 98 DOS) to partition and format the hard disk on the computer on which you want to perform the installation (the target computer). Next, boot this computer to DOS, and load CD-ROM drivers for the computer’s CD-ROM drive. Then place the Windows 2000 compact disc in the CD-ROM drive. Next, copy the unattend.txt, the unattend.bat, and, if appropriate, the unattend.udf files to a floppy disk and place this disk in the A: drive on the target computer. At the DOS prompt, type A: and press Enter, then type unattend and press Enter. (Or, if you have a .udf file, type unattend computer_name and press Enter.) This starts the unattended installation of Windows 2000.
To install Windows 2000 over-the-network by using a shared distribution
folder, the target computer must have a network adapter card installed in it.
The first thing you should do is use MS-DOS (or Windows 95 DOS, or
Windows 98 DOS) to partition and format the hard disk on the target
computer. Next, boot this computer to DOS, and load Client for Microsoft
Networks (or equivalent client software) to enable this computer to function
on the network. This software doesn’t ship with Windows 2000; however, it
was included with Windows NT Server 4.0. Map a network drive to the
shared distribution folder on the network server. At the DOS prompt,
change the default drive to the mapped network drive, then type unattend
and press Enter. (Or, if you have a .udf file, type unattend computer_name
and press Enter.) This starts the unattended installation of Windows 2000.
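The answer file, the uniqueness database file and the batch file are named above, but their contents are not shown. The following Python script is an added example, written for this page and not taken from the book or from Microsoft's deployment tools. It embeds a constructed unattend.txt and unattend.udf, applies the [UniqueIds] overrides the way Setup does for the computer name passed to unattend.bat (the /udf: switch), lists the keys that carry clear-text credentials, and builds the winnt.exe command line for a DOS-started installation. Assumptions: the section and key names ([Unattended] UnattendMode, [GuiUnattended] AdminPassword, [UserData] ComputerName, [Identification] JoinDomain and DomainAdminPassword) follow the Windows 2000 unattend.doc format; the drive letters Z: (mapped distribution share) and A: (floppy) are placeholders; and winnt_command reproduces the documented winnt /s: /u: /udf: syntax rather than the exact text of the generated unattend.bat, which the page does not show.

```python
"""Answer file + UDF merge and winnt.exe command line (added example)."""
import configparser
import io

# Constructed sample unattend.txt, modelled on Setup Manager's "Fully
# automated" output. UnattendMode corresponds to the wizard's User
# Interaction Level (GuiAttended, ProvideDefault, DefaultHide, ReadOnly,
# FullUnattended). The passwords are placeholders.
UNATTEND_TXT = """\
;SetupMgrTag
[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes

[GuiUnattended]
AdminPassword=example-only
TimeZone=4

[UserData]
FullName="Deployment User"
OrgName="Example Corp"
ComputerName=*

[Identification]
JoinDomain=EXAMPLE
DomainAdmin=joiner
DomainAdminPassword=example-only
"""

# Constructed sample unattend.udf. [UniqueIds] names each computer id and
# the sections it overrides; [id:Section] holds that computer's values.
UNATTEND_UDF = """\
[UniqueIds]
ws01=UserData
ws02=UserData,GuiUnattended

[ws01:UserData]
ComputerName=WS01

[ws02:UserData]
ComputerName=WS02

[ws02:GuiUnattended]
TimeZone=35
"""

# Keys that hold clear-text credentials in a Windows 2000 answer file.
CREDENTIAL_KEYS = {"adminpassword", "domainadminpassword"}


def _load(text):
    """Parse answer-file text; option names are case-insensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str.lower
    cp.read_file(io.StringIO(text))
    return cp


def effective_answers(answer_text, udf_text, computer_id):
    """Return {section: {key: value}} as Setup sees it for /udf:computer_id.

    Each section listed for the id in [UniqueIds] gets its keys replaced by
    the values in [id:Section]; sections not listed are used unchanged.
    """
    answers = _load(answer_text)
    udf = _load(udf_text)
    if not udf.has_option("UniqueIds", computer_id):
        raise KeyError(f"{computer_id} is not listed in [UniqueIds]")
    merged = {s: dict(answers.items(s)) for s in answers.sections()}
    for section in udf.get("UniqueIds", computer_id).split(","):
        section = section.strip()
        override = f"{computer_id}:{section}"
        if udf.has_section(override):
            merged.setdefault(section, {}).update(udf.items(override))
    return merged


def credential_keys(answers):
    """(section, key) pairs whose value is a stored clear-text credential;
    anyone who can read the distribution share can read these."""
    return sorted((section, key) for section, keys in answers.items()
                  for key, value in keys.items()
                  if key in CREDENTIAL_KEYS and (value or "").strip())


def winnt_command(source_path, answer_file, udf_file=None, computer_id=None):
    """winnt.exe command line for a DOS-started unattended installation:
    /s: source files, /u: answer file, /udf: id,UDF file. Assumption: this
    mirrors what Setup Manager's unattend.bat runs; the batch file's exact
    text is not shown on the page."""
    cmd = [f"{source_path}\\winnt", f"/s:{source_path}", f"/u:{answer_file}"]
    if computer_id:
        if not udf_file:
            raise ValueError("a computer id requires a UDF file")
        cmd.append(f"/udf:{computer_id},{udf_file}")
    return " ".join(cmd)
```

Calling effective_answers(UNATTEND_TXT, UNATTEND_UDF, "ws02") gives the computer name WS02 and time zone 35 from the UDF while the domain-join settings stay as the answer file has them, and winnt_command("Z:\\i386", "A:\\unattend.txt", "A:\\unattend.udf", "ws02") is what the `unattend ws02` step above amounts to. The credential_keys result is the part worth acting on: a Windows 2000 answer file stores AdminPassword and DomainAdminPassword in clear text, and the distribution folder is shared on the network, so restrict the share and NTFS permissions on that folder, use a domain-join account with no rights beyond creating computer accounts, and change the local Administrator password after deployment.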

Using Sysprep
The System Preparation Tool (sysprep.exe), often referred to as Sysprep in Microsoft documentation, is a Windows 2000 deployment tool designed for large organizations and OEMs. Sysprep prepares a Windows 2000 computer’s hard disk for duplication, thus making it possible for that computer’s hard disk to be copied to other computers. This feature is particularly useful to OEMs who install Windows 2000 along with a number of custom applications and other data on multiple computers.

TIP
Sysprep works on both Windows 2000 Professional and Windows
2000 Server computers. However, it doesn’t work on Windows 2000
Server domain controllers.

Sysprep.exe is located in the same file as Setup Manager (the DEPLOY.CAB file in the \SUPPORT\TOOLS folder), and is installed in the same manner. In fact, if you’ve installed Setup Manager, Sysprep is installed at the same time.
Here’s how Sysprep is typically used. First, you install Windows 2000 and all desired applications and services on a computer — this is called the master computer. Then you prepare the master computer’s hard disk for duplication by using Sysprep. Sysprep works by removing user-specific data from the original master computer and by placing a Mini-Setup routine on the master computer’s hard disk. Next, you use a third-party software utility, such as PowerQuest’s Drive Image Pro, to copy the master computer’s hard disk, and to duplicate this copy on the hard disk of each target computer. Finally, when the target computer boots for the first time, a Mini-Setup wizard runs, which gathers user-specific information from the user and assigns the target computer a unique SID. The whole process enables you to deploy one disk image to many computers. The result — cloned machines that are user unique.
In the next several sections I’ll show you how to perform the many steps in this process.

Installing Windows 2000 and Applications on the Master Computer
When you are preparing to use Sysprep, it’s important to keep in mind that
the purpose of this utility is to enable you to create a complete disk image.
This image is then copied to other computers that have identical hardware,
called target computers or clones.
Use care when installing and configuring the master computer. Every
installation or configuration option you select on the master computer will
be copied to the target computers. So, don’t do anything to the master
computer unless you want it duplicated on all of the target computers. For
example, don’t map network drives, connect to printers, create desktop
shortcuts, or install applications or drivers unless you want these items
duplicated. In addition, when you install Windows 2000 on the master
computer, be careful that you select only the Windows 2000 components
you want installed on the target computers. Remember, everything you do
on the master computer will be copied to the target computers.
After you’ve installed and configured the master computer, you must copy the contents of the Administrator’s profile folder over the contents of the Default User profile folder. This ensures that all of the applications, shortcuts, and other user preference settings you configured on the master computer will be available to the users of the target computers. When you copy the Administrator’s profile, ensure that the Everyone group is permitted to use the copied profile.

CROSS-REFERENCE
If you’ve forgotten how to copy user profiles, see Chapter 9.

Using Sysprep to Prepare the Master Computer for Duplication
Now that your master computer is installed and configured, you’re almost
ready to use Sysprep. Before using Sysprep to prepare your master
computer, spend some time checking the hardware on the target computers.
Especially take note of the following issues:
■ The master and target computers must use the same Hardware
Abstraction Layer (HAL).
■ The master and target computers should have identical mass storage
controllers (either IDE or SCSI).
■ Hard disk sizes on the master and target computers must be identical,
unless your disk duplication software permits you to dynamically alter
partition sizes.
■ Modems, sound cards, video cards, and so on do not have to be
the same on the master and target computers. Plug and Play can
detect and install these devices, although you should have drivers
readily available.
Before you run Sysprep, you might want to create a sysprep.inf file, which enables you to partially or fully automate Mini-Setup. You can use Setup Manager to create this file. The process is similar to creating an answer file. When you create the sysprep.inf file, you should save it on the master computer in a folder named C:\sysprep.

STEP BY STEP

CREATING A SYSPREP.INF FILE

1. Right-click My Computer, and select Explore from the menu that appears.
2. In the left pane, click the + next to Local Disk (C:). Highlight the Deployment
folder. In the right pane, double-click setupmgr.
3. The Windows 2000 Setup Manager wizard starts. Click Next.

4. In the New or Existing Answer file screen, select the “Create a new answer file”
option. Click Next.
5. In the Product to Install screen, select the Sysprep Install option, as shown in
Figure 19-4. Click Next.

FIGURE 19-4 Creating a Sysprep.inf file

6. In the Platform screen, select the appropriate Windows 2000 option (Professional or Server), then click Next.
7. In the License Agreement screen, you choose whether to fully automate the
installation. If you select the Yes option, you are accepting the license agreement
for the end user. If you select the No option, the user must agree to the terms
of the license agreement during Mini-Setup. Select the appropriate option and
click Next.
8. In the Customize the Software screen, enter a default user name and organization,
then click Next.
9. In the Computer Name screen, enter a default computer name and click Next.
10. In the Administrator Password screen, provide an Administrator password or
choose the “Prompt the user for an Administrator password” option. Make your
selection and click Next.
11. In the Display Settings screen, use the drop-down list boxes to select the desired color, screen area, and refresh frequency, or accept the Windows default settings. Click Next.

12. In the Network Settings screen, select either the Typical or Custom settings
option. If you select Custom settings, you will be prompted to select the
networking components you want to install. Click Next.
13. In the Workgroup or Domain screen, choose whether you want the computer
to be a member of a workgroup or a domain. Click Next.
14. In the Time Zone screen, specify a time zone if desired by using the drop-down
list box. Click Next.
15. In the Additional Settings screen, you can choose whether to edit additional
Windows settings. If you choose to edit additional settings, other screens will
prompt you to configure various Windows components. Make your selection
and click Next.
16. The Sysprep Folder screen appears, shown in Figure 19-5. This window enables
you to create a Sysprep folder where Setup Manager will store your Sysprep
files. I recommend that you create this folder. Select the Yes option, then click Next.

FIGURE 19-5 Creating a Sysprep folder

17. In the Additional Commands window, you can specify additional commands
or scripts that will run at the end of Mini-Setup. Add commands as needed and
click Next.
18. In the OEM Branding screen, you can specify a path to a custom logo and a path
to a custom background. Configure this screen as needed and click Next.
19. In the Additional Files and folders screen, specify any additional files and folders
you want copied to the hard disk of the target computer. Click Next.

20. The OEM Duplicator String screen appears. In this screen you can enter Sysprep
information that will be written to the target computer’s registry. This information
enables you to determine which master computer was used to create the target
computer. Configure this screen as appropriate, then click Next.
21. In the Answer File Name screen, accept the default name for the sysprep.inf
file, and ensure that it will be saved in the C:\sysprep folder on the master
computer. Click Next.

TIP
The sysprep.inf file must be stored in the C:\sysprep folder on
the master computer, or it will not be used by Sysprep.

22. In the Completing the Windows 2000 Setup Manager Wizard screen, click Finish.

You’re almost ready to run Sysprep, but there are a few last tasks that must be done. First, if you didn’t create a sysprep.inf file, you must create a C:\sysprep folder on the master computer. Then, you must copy setupcl.exe and sysprep.exe from the folder in which you’ve installed Setup Manager to the C:\sysprep folder. This folder will also contain the sysprep.inf file if you created one. Now you’re ready to run Sysprep on the master computer.

STEP BY STEP

RUNNING SYSPREP ON THE MASTER COMPUTER

1. On the Windows 2000 master computer, select Start ➪ Programs ➪ Accessories ➪ Command Prompt.
2. At the command prompt, type cd sysprep and press Enter.
3. At the command prompt, type sysprep and press Enter.
Or, if your target computer has any hardware that is different from the master computer, such as a different modem, sound card, and so on, type sysprep -pnp and press Enter. The -pnp parameter causes Mini-Setup to perform full Plug and Play hardware detection when the target computer boots.
For more information on sysprep.exe command-line parameters, type
sysprep /? at the command prompt and press Enter.
4. A message appears indicating that you should not run Sysprep unless you are
preparing a disk for duplication. Click OK to continue.

5. Sysprep runs on the master computer. This may take a few minutes, and once this
is done, your computer should automatically shut down. If, after several minutes,
there is no activity on the master computer, power it off. The master computer
is now ready for disk duplication.
6. Later, after you’ve used a third-party utility to duplicate the master computer’s
hard disk, you can reboot the master computer. When you reboot the computer,
the Mini-Setup wizard runs. You are prompted to enter user-specific settings
for the master computer. Complete the Mini-Setup wizard to restore the
master computer to a usable state. The Mini-Setup wizard also removes
the C:\sysprep folder.
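To make the pre-run checklist above concrete, here is an added example, written for this page and not part of the book or of Sysprep itself. It checks a sysprep folder for the two files the text requires, reads sysprep.inf if one is present and reports which Mini-Setup pages will still prompt the user on the clone, and picks the sysprep or sysprep -pnp command line from a caller-supplied flag, since a script cannot see the target hardware. It builds a stand-in for C:\sysprep in a temporary directory so that it runs anywhere; on a real master computer you would point it at C:\sysprep. Assumptions: the page-to-key mapping in MINI_SETUP_PAGES and the sample sysprep.inf are mine, with key names following the Windows 2000 unattend.doc answer-file format.

```python
"""Sysprep folder pre-flight and Mini-Setup prompt report (added example)."""
import configparser
import io
import os
import tempfile

REQUIRED_FILES = ("sysprep.exe", "setupcl.exe")

# Mini-Setup page -> (section, candidate keys, value that skips the page, or
# None when any non-empty value does). Constructed mapping; key names follow
# the Windows 2000 unattend.doc answer-file format.
MINI_SETUP_PAGES = (
    ("License Agreement", "unattended", ("oemskipeula",), "yes"),
    ("Regional Settings", "guiunattended", ("oemskipregional",), "1"),
    ("Name and Organization", "userdata", ("fullname",), None),
    ("Computer Name", "userdata", ("computername",), None),
    ("Administrator Password", "guiunattended", ("adminpassword",), None),
    ("Network Settings", "networking", ("installdefaultcomponents",), "yes"),
    ("Workgroup or Domain", "identification",
     ("joindomain", "joinworkgroup"), None),
    ("Time Zone", "guiunattended", ("timezone",), None),
)

# Constructed sample sysprep.inf: the EULA is accepted for the user, but no
# ComputerName and no AdminPassword are given, so Mini-Setup asks for both.
SAMPLE_SYSPREP_INF = """\
;SetupMgrTag
[Unattended]
OemSkipEula=Yes

[GuiUnattended]
OEMSkipRegional=1
TimeZone=20

[UserData]
FullName="Lab User"
OrgName="Example Corp"

[Identification]
JoinWorkgroup=WORKGROUP

[Networking]
InstallDefaultComponents=Yes
"""


def remaining_prompts(inf_text):
    """Mini-Setup pages the user will still see with this sysprep.inf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str.lower
    cp.read_file(io.StringIO(inf_text))
    data = {s.lower(): dict(cp.items(s)) for s in cp.sections()}
    prompts = []
    for page, section, keys, skip_value in MINI_SETUP_PAGES:
        values = [(data.get(section, {}).get(k) or "").strip().strip('"')
                  for k in keys]
        if skip_value is None:
            answered = any(v != "" for v in values)
        else:
            answered = any(v.lower() == skip_value for v in values)
        if not answered:
            prompts.append(page)
    return prompts


def sysprep_preflight(folder, hardware_differs=False, is_domain_controller=False):
    """Check a sysprep folder (C:\\sysprep on a real master) before running.

    Returns {"problems": [...], "prompts": [...] or None, "command": str or
    None}. hardware_differs selects the -pnp switch the page describes; a
    script cannot inspect the target hardware itself.
    """
    problems = []
    if is_domain_controller:
        problems.append("master is a domain controller; Sysprep will not run")
    for name in REQUIRED_FILES:
        if not os.path.isfile(os.path.join(folder, name)):
            problems.append(f"{name} is missing from {folder}")
    prompts = None
    inf = os.path.join(folder, "sysprep.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="utf-8", errors="replace") as fh:
            prompts = remaining_prompts(fh.read())
    command = "sysprep -pnp" if hardware_differs else "sysprep"
    return {"problems": problems, "prompts": prompts,
            "command": None if problems else command}


def build_demo_folder():
    """Stand-in for C:\\sysprep in a temporary directory: empty placeholder
    files for the two executables plus the sample sysprep.inf."""
    folder = tempfile.mkdtemp(prefix="sysprep-demo-")
    for name in REQUIRED_FILES:
        open(os.path.join(folder, name), "wb").close()  # placeholder only
    with open(os.path.join(folder, "sysprep.inf"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SYSPREP_INF)
    return folder
```

With the sample file, sysprep_preflight(build_demo_folder(), hardware_differs=True) reports no problems, recommends `sysprep -pnp`, and lists "Computer Name" and "Administrator Password" as the pages the clone's user will still be asked for; adding those two keys to sysprep.inf is what turns the Mini-Setup run fully unattended. Remember that whatever you put in sysprep.inf is copied verbatim to every cloned disk, so a stored Administrator password there is only as secret as the image itself.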

Duplicating the Master Computer’s Hard Disk


The Sysprep utility included with Windows 2000 enables you to prepare
a master computer for disk duplication. However, Windows 2000 doesn’t
include any capability to physically duplicate the hard disk. This process
must be done by using a third-party software utility, such as PowerQuest’s
Drive Image Pro. Once the master computer’s hard disk is duplicated, it
can be copied to the hard disks in target computers.
After the master computer’s hard disk has been copied to a target computer, and the target computer is booted, the Mini-Setup wizard runs so that the user can enter appropriate user-specific information. If you created a sysprep.inf file before you ran Sysprep, you may have configured Mini-Setup to be partially or fully automated. The Mini-Setup wizard also removes the C:\sysprep folder.

Using Remote Installation Services (RIS)


Windows 2000 Server includes another tool that can be used for
deploying Windows 2000 Professional — Remote Installation Services (RIS).
RIS is designed to allow a Windows 2000 Server computer to hold
Windows 2000 Professional installation files and to deploy those files to
target computers while also providing each computer with a unique SID.
RIS is similar in many ways to an unattended installation or to Sysprep, but the main differences are that RIS is only used to roll out Windows 2000 Professional (not Server), and that it works by deploying Windows 2000 from a Windows 2000 RIS server. With a RIS server, you can perform over-the-network attended installations of Windows 2000 Professional, over-the-network unattended installations of Windows 2000 Professional, and over-the-network imaged installations (either attended or unattended) of Windows 2000 Professional. The imaged installations are similar to Sysprep installations, but use a RIS server and tools instead of Sysprep and a third-party disk duplication utility.

EXAM TIP
Microsoft intends for RIS to be the preferred method of rolling
out Windows 2000 Professional. So, make sure you know all about it
for the Windows 2000 exams, especially the Directory Services exam.

RIS can only be used on Windows 2000 networks that use DHCP, DNS,
and Active Directory. RIS requires all of these components to function.
In the next sections I’ll explain how to install and configure RIS, how to
manage RIS images, how to prestage RIS clients, and finally, how to install
a RIS image on a client computer. I’ll also provide you with some tips for
troubleshooting RIS problems.

Installing and Configuring RIS


Before you install RIS, you should determine which Windows 2000 Server computer on your network will be the RIS server. You can have more than one RIS server if you want to.
The Windows 2000 Server computer on which you install RIS must have at least two volumes, or preferably two hard disks. One volume (or hard disk) contains your Windows 2000 Server installation, and the second volume (or hard disk) will be used for the RIS installation folder and images. The volume (or hard disk) used for the RIS installation folder and images must be formatted with NTFS. You should also ensure that this volume (or hard disk) is large enough (and has enough free space) to store multiple RIS images.
You can install RIS just as you do other Windows 2000 Server components, by using Add/Remove Programs in Control Panel.

STEP BY STEP

INSTALLING RIS ON A WINDOWS 2000 SERVER COMPUTER

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove Windows Components.
4. In the Windows Components screen, select the check box next to Remote
Installation Services, then click Next.
5. When prompted, insert your Windows 2000 Server compact disc into your
computer’s CD-ROM drive, and click OK. When the Microsoft Windows 2000
CD dialog box appears, close it. Windows 2000 installs RIS.
6. In the Completing the Windows Components Wizard screen, click Finish. When
prompted, click Yes to restart your computer.

Once your Windows 2000 Server computer reboots, you’ll need to do a few more things to make it function as a RIS server. Some of these tasks may seem a little odd, but you’ll need to perform the actions in the next few sections to get your RIS server up and running.

Authorizing a RIS Server in Active Directory


Before a RIS server can be used, it must be authorized in Active Directory.
If you installed RIS on a DHCP server on your network that is already
authorized in Active Directory, no further action is necessary to
accomplish this task — because the DHCP server is authorized, the RIS
server is also authorized.
If you installed RIS on a Windows 2000 Server computer that is not a DHCP server, you’ll have to use the DHCP administrative tool on a DHCP server on your network to remotely authorize the RIS server as a DHCP server. This sounds a bit strange, but the long and short of it is that RIS is tied to DHCP in terms of Active Directory authorization.

STEP BY STEP

AUTHORIZING A RIS SERVER IN ACTIVE DIRECTORY

1. On a Windows 2000 DHCP Server, select Start ➪ Programs ➪ Administrative Tools ➪ DHCP.
2. In the DHCP dialog box, select Action ➪ Manage authorized servers.
3. In the Manage Authorized Servers dialog box, click Authorize.
4. In the Authorize DHCP Server dialog box, enter the name or IP address of the
RIS server and click OK.
5. A DHCP message appears, indicating that the server you specified will be added
to the authorized DHCP servers list. Click Yes.
6. In the Manage Authorized Servers dialog box, the RIS server now appears in the
Authorized DHCP servers list. Click Close. Close DHCP.

Setting Up a RIS Server


Once the RIS server is authorized in Active Directory, your next step is to
set up the RIS server. Windows 2000 Server includes a RIS Setup wizard to
help you with this task. The wizard sets up the RIS server and creates the
default RIS image. The default RIS image is a copy of the Windows
2000 Professional source files that will be used for deploying Windows 2000
Professional to client computers. The following steps show you how to set
up the RIS server.

STEP BY STEP

SETTING UP THE RIS SERVER

1. From the desktop, select Start ➪ Run.
2. In the Run dialog box, type risetup and click OK.
3. The Remote Installation Services Setup wizard starts. Click Next.
4. In the Remote Installation Folder location screen, either accept the default path
or enter the location for the installation folder. (This can’t be the volume in which
Windows 2000 is installed.) In addition, the volume the installation folder is
created on must be formatted with NTFS. Click Next.
5. The Initial Settings screen appears. By default, the RIS server is not configured to
respond to client computers. You can manually configure it to do so, after this setup
wizard runs, but the easiest way to accomplish this is to select the check box next
to “Respond to client computers requesting service” in this screen. If you want this
RIS server to respond to client requests, select this check box and click Next.

6. In the Installation Source Files Location screen, you specify the location of the
Windows 2000 Professional source files that the wizard will copy to create the
default RIS image. Either accept the default path to the Windows 2000
Professional installation files, or specify a new path. This path can be to
a CD-ROM drive or to a network share. Click Next.
7. In the Windows Installation Image Folder Name screen, either accept the default
name for the folder that will contain the default RIS image, or type in a new name.
By default, the folder name is win2000.pro. Click Next.
8. In the Friendly Description and Help Text screen, you can enter a description
and any help text you wish to enter for the default RIS image. The purpose of
this information is to help an end user or a technician select the appropriate
RIS image. Configure this screen as desired, and click Next.
9. In the Review settings screen, click Finish. The RIS server copies files, creates
the remote installation folder, creates the default image of Windows 2000
Professional, and sets up the RIS server. This process takes several minutes.
When this process completes, click Done.

Granting Permission to Create Computer Objects


Once the RIS server is set up, you’re almost ready to begin using it.
However, before doing so, you have to assign the appropriate permission.
During the installation of Windows 2000 Professional on a client
computer that will be a domain member, you must create a computer
object in Active Directory for that client computer. For security reasons,
you don’t want just anyone to be able to create computer objects in Active
Directory. So, in order to permit specific users or technicians to perform
this task, you need to assign these users the “Create Computer Objects”
advanced Active Directory permission.
In order to assign this permission, you must be a member of the
Domain Admins group in the domain. The easiest way to assign this
permission is by using the Delegation of Control wizard in Active
Directory Users and Computers. Depending on how you use RIS, you
may want to create a specific group to which you assign this permission.

STEP BY STEP

ASSIGNING THE “CREATE COMPUTER OBJECTS” PERMISSION

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of Active Directory Users and Computers, right-click the domain
in which computer objects will be created when performing RIS installations, then
select Delegate Control from the menu that appears.
3. The Delegation of Control wizard starts. Click Next.
4. In the Users or Groups screen, click Add.
5. In the Select Users, Computers, or Groups dialog box, double-click each user
or group to which you want to assign the “Create Computer Objects” permission.
Click OK.
6. In the Users or Groups screen, click Next.
7. The Tasks to Delegate screen appears, as shown in Figure 19-6. Select the check
box next to “Join a computer to the domain.” By selecting this check box, you are
assigning the “Create Computer Objects” permission. Click Next.

FIGURE 19-6 Delegating permission to join a computer to the domain

8. In the Completing the Delegation of Control Wizard screen, click Finish. The
users or groups you selected have now been assigned the “Create Computer
Objects” advanced Active Directory permission.

Creating a RIS Client Boot Disk


Before you can use a RIS server to deploy Windows 2000 Professional, the
client computers on which you want to install Windows 2000 Professional
must be able to communicate with the RIS server.
There are two ways to accomplish this. First, depending on your client
computer hardware, you may not have to do anything to get the client to
communicate with the server. Some computers come equipped with a
network adapter that has a Preboot Execution Environment (PXE) ROM.
When you start a client computer that has a PXE ROM, a message is
displayed, asking if you want to start the computer from the network. If
you select Yes, the computer obtains an IP address from the network’s
DHCP server, then contacts the DNS server to locate a RIS server. Finally,
the client computer contacts the RIS server and starts an over-the-network
installation.
If your client computer’s network adapter does not have a PXE ROM,
you can simulate the existence of the PXE ROM by using a RIS boot
disk. You can use the rbfg.exe utility on the RIS server to create a RIS
boot disk from a blank, formatted floppy disk. A RIS boot disk can be used
by computers that have a supported network adapter card. RIS supports
only PCI-based network adapter cards.

STEP BY STEP

CREATING A RIS BOOT DISK

1. On the RIS server, right-click My Computer and select Explore from the menu
that appears.
2. In the left pane, click the + next to the volume that contains the RIS installation
folder. Click the + next to RemoteInstall. Click the + next to Admin. Highlight the
i386 folder. In the right pane, double-click rbfg.exe.
3. The Windows 2000 Remote Boot Disk Generator dialog box appears, as shown
in Figure 19-7. Notice the Adapter List button. Click this button to view a list of
network adapter cards for which a RIS boot disk can be used. Only PCI-based
network adapter cards are supported.

TIP
Since RIS only supports PCI network adapter cards, this means most
laptop computers can’t use RIS.

FIGURE 19-7 Creating a RIS boot disk

Insert a blank, formatted floppy disk into drive A:, then click Create Disk.
4. The Remote Boot Disk Generator creates the RIS boot disk. Click No when
asked if you want to create another disk.
5. In the Windows 2000 Remote Boot Disk Generator dialog box, click Close.
Close Windows Explorer.

Configuring RIS Server Options


Before you use your RIS server, you’ll probably want to configure it. For
example, if you didn’t configure the RIS server to respond to client
computers requesting service when you set up the RIS server, you’ll need
to configure the server to do so now. In addition, you might also want to
configure how RIS will generate client computer names during RIS
installations, and where in Active Directory the new client computer
objects will be created.
The RIS server is configured by configuring its Properties in Active
Directory Users and Computers. I’ll show you how to configure the RIS
server in the steps that follow.

STEP BY STEP

CONFIGURING THE RIS SERVER

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box,
expand domains and OUs as appropriate until the RIS server you want to
configure is displayed in the right pane. (By default, all computers are stored
in the Computers container.) In the right pane, right-click the RIS server and
select Properties from the menu that appears.
3. In the RIS server’s Properties dialog box, click the Remote Install tab.
4. The Remote Install tab appears, as shown in Figure 19-8.

FIGURE 19-8 The Remote Install tab

If you didn’t configure the RIS server to respond to client requests when you set
up the RIS server, select the check box next to “Respond to client computers
requesting service.”

There are a few other options in this dialog box:
■ Verify Server: If you’re having problems with the RIS server, and if you’re
running Active Directory Users and Computers on the RIS server, you can
click Verify Server to have Windows 2000 attempt to locate and correct
problems on the RIS server.
■ Show Clients: To view a list of all client computers that have received a RIS
image from this server, click Show Clients. (This list is currently empty, but
will not be after you start using the RIS server.)
■ Advanced Settings: To configure advanced properties of the RIS server,
click Advanced Settings. Continue to Step 5.
5. The server’s Remote-Installation-Services Properties dialog box appears, as
shown in Figure 19-9.

FIGURE 19-9 Configuring a RIS server’s properties



On the New Clients tab, select how the RIS server will assign computer names
to client computers that use the RIS server by selecting a naming scheme from
the drop-down list box. By default, the RIS server uses the user’s logon name
(username) when assigning computer names. This means that the username of
the person performing the installation will be used as the computer name. If one
technician performs multiple RIS installations, this naming scheme may not be
your best choice.
In the “Client account location” section, choose where in Active Directory
computer accounts for new client computers will be created. The default selection is
“Default directory service location.” This means that new computer accounts will
be created in the Computers container.
Configure options on this tab as appropriate, then click OK.
6. In the RIS server’s Properties dialog box, click OK.

That about wraps up how to configure basic RIS server properties. In
the sections that follow, I’ll explain how to configure even more RIS server
properties, including RIS server security, and how to manage RIS images.

Configuring RIS Security


In addition to configuring basic RIS server properties, you can also
configure other security options for RIS. You can:
■ Configure the RIS server to only respond to client computers that
have been prestaged for RIS installation in Active Directory.
■ Control access to the RIS server object in Active Directory by
configuring the Security tab in the Remote-Installation-Services
Properties dialog box.
■ Restrict the number of installation options and operating system
choices of users performing a remote installation.
■ Assign NTFS permissions to an answer file once it is associated
with a RIS image and stored on an NTFS volume.
In the rest of this section I’ll explain each of these security measures in
more detail.
To restrict the RIS server so that it responds only to preauthorized
client computers, you can select the “Do not respond to unknown client
computers” check box in the RIS server’s Properties dialog box. This check
box is located on the Remote Install tab that was shown in Figure 19-8.
When selected, this option prevents a RIS server from responding to a client
computer unless the client computer has been prestaged for RIS installation in Active
Directory. I’ll get into the details of prestaging client computers a bit later in
this chapter, but prestaging essentially consists of creating a computer object
for the new client computer in Active Directory, and assigning the user(s) of
the new client computer appropriate Active Directory permissions to the
computer object. If you select this check box, you can rest at ease, knowing
that only computers that you have authorized will be able to install Windows
2000 Professional by using your RIS server.
To control access to the RIS server’s properties in Active Directory, you
can configure the Security tab in the Remote-Installation-Services
Properties dialog box for the RIS server. To access this Security tab, start
Active Directory Users and Computers, access the Properties of the RIS
server, click the Remote Install tab, then click Advanced Settings, and
finally, click the Security tab. Figure 19-10 shows the Security tab.

FIGURE 19-10 The Security tab

On the Security tab, you can assign Active Directory permissions to the
RIS server object to appropriate users and groups. Assigning permissions
on this tab is the same as assigning permissions to any other Active
Directory object.

CROSS-REFERENCE
For more information on configuring permissions on Active Directory
objects, see Chapter 8.

Another configuration you can make to increase RIS security is to use
Group Policy to restrict the number of installation options and operating
system choices available to users performing a remote installation. When a
user of a client computer initiates a remote installation of Windows 2000
Professional from the RIS server, the user interacts with the Client
Installation wizard to perform the remote installation. This feature enables
you to limit the options and choices the Client Installation wizard offers to
the user.

STEP BY STEP

RESTRICTING INSTALLATION OPTIONS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs until the domain or OU for which you want to configure Group
Policy is displayed. Right-click the domain or OU, then select Properties from the
menu that appears.
3. In the domain or OU’s Properties dialog box, click the Group Policy tab.
4. On the Group Policy tab, highlight the GPO you want to edit and click Edit.
5. In the left pane of the Group Policy dialog box, in the User Configuration section,
click the + next to Windows Settings. Then highlight Remote Installation Services.
In the right pane, double-click Choice Options.
6. The Choice Options Properties dialog box appears, as shown in Figure 19-11.
In this screen, you can configure screen options that will be offered to all users in
the domain or OU who perform remote installations by using the RIS server. For
each option, you can select one of the following choices:
■ Allow: If this option is selected, the Client Installation wizard will display this
option to users affected by this GPO.
■ Don’t care: If this option is selected, the Client Installation wizard will display
this option to users affected by this GPO unless a GPO associated
with a parent container specifically denies this option.
■ Deny: If this option is selected, the Client Installation wizard will not display
this option to users affected by this GPO.

FIGURE 19-11 Configuring remote installation screen options

Select the appropriate options in this dialog box, and click OK.
7. Close the Group Policy dialog box.
8. In the domain or OU’s Properties dialog box, click OK.
9. Close Active Directory Users and Computers.

Finally, because all RIS images and their associated answer files are
stored on an NTFS volume, you can increase RIS security by assigning
NTFS permissions to RIS answer files once these files have been associated
with a RIS image. All RIS answer files have a file extension of .sif, and,
once associated with a RIS image, are stored in:
\\RIS_server_name\REMINST\Setup\language\Images\image_name\i386\templates

CROSS-REFERENCE
For more information on assigning NTFS permissions to files and folders,
see Chapter 11.

Managing RIS Images


RIS works by storing Windows 2000 Professional images on a server, and
making those images available, over-the-network, for installation on client
computers.
RIS supports two types of images: CD-based images and Remote
Installation Preparation wizard (RIPrep) images. A CD-based image
consists of the i386 folder from the Windows 2000 Professional compact
disc, plus any other files needed to complete the installation. A Remote
Installation Preparation wizard (RIPrep) image is a complete copy of a
master computer’s hard disk that has been prepared for duplication.
I’ll explain how to manage both of these types of images in the next
two sections.

Working with CD-Based Images


When you set up a RIS server, the Remote Installation Services Setup
wizard creates a default image containing the Windows 2000 Professional
source files by copying these files from a Windows 2000 Professional
compact disc. This default image has a default answer file associated with it
that can’t be used to perform an unattended installation.
If you want to use the RIS server to perform unattended over-the-network
installations, you must associate an appropriate RIS answer file
with the default image on the RIS server. You can either use one of the
two sample RIS answer files included with Windows 2000, or use Setup
Manager to create the answer file. If you use Setup Manager, be sure to
select the Remote Installation Services option on the Product to Install
screen. Answer files for RIS installations end with an .sif extension. You
can’t use an unattend.txt or a sysprep.inf file for RIS installations.
When you associate a RIS answer file with a RIS image, the Windows
2000 Server user interface calls this “adding” an image. Windows 2000
Server even adds a new image description to the Images tab. However, all
that’s really happening is that an answer file is being associated with the
default image — the Windows 2000 Professional source files aren’t being
copied to the RIS server again. This makes it relatively simple for an
administrator to create different RIS answer files for different groups of
users in the organization without having to take up a lot of disk space on
the RIS server.
There is an occasion when you might really want to add a new
CD-based image that does contain a full set of the Windows 2000
Professional source files from the compact disc, and this is when you want
to deploy Windows 2000 Professional in more than one language version.
For example, some of your users might require an English language version
of Windows 2000 Professional, and other users might require a Japanese
language version. I should point out here that I’m not talking about simply
the ability to read and write files in another language — I’m talking about
an entire version of Windows 2000 Professional where all dialog boxes are
displayed and captioned in another language.
In the steps that follow, I’ll show you how to add an additional CD-based
image to the RIS server.

STEP BY STEP

ADDING AN ADDITIONAL CD-BASED IMAGE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs until the RIS server on which you want to create an additional
image is displayed in the right pane. Right-click the RIS server, then select
Properties from the menu that appears.
3. In the RIS server’s Properties dialog box, click the Remote Install tab.
4. On the Remote Install tab, click Advanced Settings.
5. In the RIS server’s Remote-Installation-Services Properties dialog box, click the
Images tab.
6. On the Images tab, click Add.
7. The New Answer File or Installation Image screen appears, as shown in
Figure 19-12.
In this screen, you choose whether to associate a RIS answer file with an existing
RIS image, or to add a completely new installation image. The “Associate a new
answer file to an existing image” option is selected by default, and is the option
most commonly used.
The “Add a new installation image” option is only available when running Active
Directory Users and Computers on the RIS server.

FIGURE 19-12 Adding a RIS image

TIP
If your RIS server is not a domain controller, you can install the
ADMINPAK on this computer to make Active Directory Users and
Computers available on the RIS server.

Select the appropriate option, and click Next. (The steps that follow assume that
you selected the “Associate a new answer file to an existing image” option. If you
chose to “Add a new installation image,” follow the instructions presented on-
screen to create this image.)
8. In the Unattended Setup Answer File Source screen, select the source where the
answer file you want to associate with the image can be found. Your choices are:
■ Windows image sample files: Select this option if you want to use one of
the two sample RIS answer files included with Windows 2000.
■ Another remote installation server: Select this option if you want to use
a RIS answer file located on a different RIS server.
■ An alternate location: Select this option if you want to specify the path to
a RIS answer file you’ve created by using Setup Manager.
9. Depending on the selection you make, you are either presented with the available
RIS answer files or prompted to browse for one. Specify the answer file you want
to associate with the image and click Next.
10. In the Select an Installation Image screen, specify the image with which you want
to associate the RIS answer file you selected. Click Next.

11. In the Friendly Description and Help Text screen, you can enter a description and
any help text you wish to enter for this RIS image. The purpose of this information
is to help an end user or a technician select the appropriate RIS image. Configure
this screen as desired, and click Next.
12. In the Review Settings screen, click Finish.
13. The RIS image is created, and is added to the list on the Images tab. Click OK.
14. In the RIS server’s Properties dialog box, click OK.
15. Close Active Directory Users and Computers.

Creating and Managing RIPrep Images


In addition to supporting CD-based images, RIS also supports Remote
Installation Preparation wizard (RIPrep) images. A RIPrep image is a
complete copy of a master computer’s hard disk that has been prepared
for duplication.
RIPrep works in much the same manner as Sysprep (which I discussed
earlier in this chapter). The major difference is that when you use Sysprep
you have to use a third-party disk duplicating utility to copy the master
computer’s hard disk, whereas when you use RIPrep it copies the master
computer’s hard disk, in the form of an image, to the RIS server, where it
can be copied over-the-network to target computers.
RIPrep is slightly more versatile than Sysprep, however, in that the
target computer’s hardware does not have to match the master computer’s
hardware as exactly as it does to use Sysprep. With RIPrep you don’t have
to match mass storage controllers and hard disk sizes on the master and
target computers. The only requirement is that RIS client computers must
use the same HAL as the master computer.
Preparing a master computer for RIPrep is basically the same as preparing
a master computer for Sysprep. (You might want to take another look at the
“Installing Windows 2000 and Applications on the Master Computer”
section earlier in this chapter.) You need to install Windows 2000
Professional on the master computer, configure all desktop settings, and
install and configure applications so that the master computer is configured
exactly the same way you want the target computers to be configured. You
also need to copy the contents of the Administrator’s profile folder over the
contents of the Default User profile folder on the master computer.

When preparing your master computer for RIPrep, there are a couple
of things you should be careful of.
■ Install Windows 2000 Professional and all applications on the master
computer’s C: drive. RIPrep will only copy the master computer’s
C: drive.
■ Try to use the smallest volume size for the master computer’s C:
drive as possible that will still accommodate the Windows 2000
Professional operating system and all desired applications. If the C:
drive is larger than it needs to be, you might not be able to copy
the image of this drive to client computers that have a smaller
hard disk than the master computer.
Once you’ve prepared your master computer for imaging, you’re ready
to use RIPrep on it to create an RIPrep image. Before you start RIPrep,
close all other applications that may be running on the master computer.

STEP BY STEP

USING RIPREP TO CREATE AN RIPREP IMAGE

1. On the Windows 2000 Professional master computer, log on as Administrator.
Select Start ➪ Run.
2. In the Run dialog box, type \\RIS_server_name\Reminst\Admin\i386\
riprep.exe and click OK. For example, if your RIS server was named RIS1,
you would type \\RIS1\Reminst\Admin\i386\riprep.exe.
3. The Remote Installation Preparation wizard starts. Click Next.
4. In the Server Name screen, enter the name of the RIS server you want this image
to be copied to, then click Next.
5. In the Folder Name screen, type the name of the folder on the RIS server in which
you want RIPrep to store this image. I recommend that you name the folder after
the master computer, so that you can easily recognize the image on the RIS
server. If the folder does not exist, RIPrep will create it for you. Click Next.
6. In the Friendly Description and Help Text screen, you can enter a description and
any help text you wish to enter for this image. The purpose of this information is to
help an end user or a technician select the appropriate RIS image. Configure this
screen as desired, and click Next.
7. If any programs, services, or applications are running on the master computer, a
Programs or Services are Running screen appears, as shown in Figure 19-13.

FIGURE 19-13 Notification of programs or services that should be stopped

If this screen appears, write down all programs, services, or applications that
need to be stopped. Don’t close the wizard.
First, close any open applications. Then, use the Services tool in Computer
Management to stop each of the listed services.
Back in the Programs or Services are Running screen, click Next.
8. In the Review Settings screen, click Next.
9. In the Completing the Remote Installation Preparation Wizard screen, click Next.
10. RIPrep copies the master computer’s hard disk, creates the RIPrep image, and
stores this image in the specified folder on the RIS server. This process takes
quite a while. When it completes, RIPrep shuts down the master computer.
11. The next time you start the master computer, the Mini-Setup wizard runs, and
you must complete this wizard to return the master computer to a usable state.

One final note about using RIPrep images. You must have at least one
CD-based image installed on your RIS server, in addition to the RIPrep
image(s), in order to perform a RIS installation of an RIPrep image on a
client computer. The reason for this requirement is that if a client
computer needs a specific hardware driver that wasn’t used on the master
computer, RIS can obtain that driver for the client from the CD-based
image during installation. Normally this requirement isn’t an issue, because
during the setup of the RIS server a default CD-based image is created.
However, sometimes a well-meaning administrator might consider
deleting all CD-based images to make room on the hard disk for RIPrep
images. A nice thought, but it won’t work that way.

Prestaging RIS Clients


Prestaging the RIS client is the last step you need to accomplish before
performing an over-the-network installation using RIS. Prestaging the RIS
client is only necessary if you configured security on your RIS server by
selecting the “Do not respond to unknown client computers” check box.
Prestaging essentially consists of:
■ Creating a computer object for the new client computer in Active
Directory
■ Specifying a particular RIS server that will service the computer
object, or permitting the computer object to use any RIS server.
This feature is useful for load balancing between two or more RIS
servers when multiple installations will be performed simultaneously.
■ Assigning the user(s) of the new client computer appropriate
Active Directory permissions to the computer object
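The following Python model ties together the two security settings discussed above: the “Respond to client computers requesting service” and “Do not respond to unknown client computers” check boxes on the RIS server, and the prestaged computer object’s GUID (brackets required) and “Host server” choice. It is an added illustration, not Microsoft’s code; the class and function names are assumptions, and the server names and GUIDs are constructed samples.

```python
"""Model of a RIS server's decision to answer a network boot request.

Added illustration, not Microsoft's code. RisServer, PrestagedClient and the
helper names are assumptions; the FQDNs and GUIDs used below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# 32 hex digits in 8-4-4-4-12 groups (the braces are handled separately).
_GUID_BODY = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def normalize_guid(raw: str) -> str:
    """Return the GUID in the braced form the New Object - Computer dialog
    requires; accept a bare GUID too, but reject anything else."""
    text = raw.strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    if not _GUID_BODY.match(text):
        raise ValueError(f"not a valid client GUID: {raw!r}")
    return "{" + text.upper() + "}"


@dataclass
class PrestagedClient:
    name: str
    guid: str                          # braced, upper-case form
    host_server: Optional[str] = None  # RIS server FQDN, or None for "Any available"
    allowed_users: Set[str] = field(default_factory=set)  # users granted Read, Write,
                                                          # Change Password, Reset Password


@dataclass
class RisServer:
    fqdn: str
    respond_to_clients: bool = False    # off by default after risetup
    answer_unknown_clients: bool = True  # False = "Do not respond to unknown client computers"
    prestaged: Dict[str, PrestagedClient] = field(default_factory=dict)

    def prestage(self, name: str, guid: str, host_server: Optional[str] = None,
                 allowed_users: Tuple[str, ...] = ()) -> PrestagedClient:
        """Create the computer object for a client before it boots from the network."""
        client = PrestagedClient(name, normalize_guid(guid), host_server, set(allowed_users))
        self.prestaged[client.guid] = client
        return client

    def should_answer(self, client_guid: str) -> Tuple[bool, str]:
        """Decide whether this server answers the boot request, and say why."""
        if not self.respond_to_clients:
            return False, "server is not configured to respond to client computers"
        try:
            guid = normalize_guid(client_guid)
        except ValueError as err:
            return False, str(err)
        client = self.prestaged.get(guid)
        if client is None:
            if self.answer_unknown_clients:
                return True, "unknown client accepted: any machine on the network may install"
            return False, "unknown client ignored: not prestaged in Active Directory"
        if client.host_server and client.host_server.lower() != self.fqdn.lower():
            return False, f"{client.name} is assigned to {client.host_server}, not this server"
        return True, f"prestaged client {client.name} accepted"

    def may_install(self, client_guid: str, user: str) -> bool:
        """Once the server answers, only a user granted rights on the prestaged
        computer object can complete the installation on that client."""
        answered, _ = self.should_answer(client_guid)
        if not answered:
            return False
        client = self.prestaged.get(normalize_guid(client_guid))
        if client is None:  # unknown client: there is no object to check rights on
            return True
        return user.lower() in {u.lower() for u in client.allowed_users}


def demo() -> Tuple[bool, bool]:
    """Open configuration beside the hardened one, probed with a machine
    that was never prestaged. Returns (open answers, hardened answers)."""
    open_server = RisServer("ris1.example.com", respond_to_clients=True)
    hardened = RisServer("ris1.example.com", respond_to_clients=True,
                         answer_unknown_clients=False)
    hardened.prestage("WS-ACCT-01", "11111111-2222-3333-4444-555555555555",
                      allowed_users=("tech1",))
    stray = "{99999999-8888-7777-6666-555555555555}"  # constructed, not prestaged
    return open_server.should_answer(stray)[0], hardened.should_answer(stray)[0]
```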

STEP BY STEP

PRESTAGING A RIS CLIENT

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and
Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, expand
domains and OUs until the domain or OU in which you want to create the computer
account is displayed. Right-click the OU, then select New ➪ Computer from the
menus that appear.
3. In the New Object - Computer dialog box, enter a name for the new client
computer and click Next.
4. In the Managed dialog box, select the check box next to “This is a managed
computer.” Then enter the GUID (globally unique identifier) of the client computer.
You can get the GUID from the system BIOS or on the computer’s case.

TIP
Only computers that are PC98 or Net PC–compliant have GUIDs. If the
client computer doesn’t have a GUID, you can’t prestage it.

Figure 19-14 shows this dialog box after it has been configured. Notice the
beginning and ending brackets on the GUID. These brackets are required.

FIGURE 19-14 Configuring the new computer object’s GUID

Click Next.
5. In the “Host server” dialog box, select one of these options:
■ Any available remote installation server
■ The following remote installation server
If you select “The following remote installation server” option, specify the FQDN
of the RIS server you want this client computer to use. You can browse for the
RIS server’s name if you need to.
Click Next.
6. In the New Object - Computer dialog box, click Finish to create the computer
object.
7. In the left pane of the Active Directory Users and Computers dialog box, ensure
that the domain or OU in which you created the computer account is highlighted.
Then, in the right pane, right-click the new computer object and select Properties
from the menu that appears.
8. In the computer’s Properties dialog box, click the Security tab.
9. On the Security tab, click Add.


10. In the Select Users, Computers, or Groups dialog box, double-click each user or
group that you want to permit to perform an over-the-network installation on this
computer by using the RIS server. Click OK.
11. On the Security tab, highlight each user or group you added, and select the Allow
check boxes for the Read, Write, Change Password, and Reset Password permis-
sions. After you have granted permissions to each user and group, click OK.
12. Close Active Directory Users and Computers.

Installing a RIS Image on a Client Computer


Now that you’ve installed and configured RIS, created the appropriate RIS
images, and prestaged your client computers (if necessary), you’re ready to
perform an over-the-network installation of Windows 2000 Professional
on a client computer by using the RIS server.
If the client computer has a network adapter card that supports PXE,
you can start a RIS installation by powering on the computer and
choosing to boot from the network. The client computer locates the RIS
server, and then prompts the user to press F12 to begin the installation.
If the client computer doesn’t have a network adapter card that supports
PXE (but does have a network adapter card supported by the Remote
Boot Disk), place a RIS boot disk in the client computer’s A: drive and
power on the computer. The client computer locates the RIS server, and
then prompts the user to press F12 to begin the installation.
If the client computer doesn’t have a network adapter card that supports
PXE, and doesn’t have a network adapter card that’s supported by the
Remote Boot Disk, you won’t be able to use RIS to install Windows 2000
Professional on this client computer.
STEP BY STEP

INSTALLING WINDOWS 2000 PROFESSIONAL BY USING RIS

1. If the client computer has a network adapter that supports PXE, power on the
computer, then type y to boot from the network.
Or, if the client computer has a network adapter that doesn’t support PXE but
that is supported by a RIS boot disk, insert the RIS boot disk into the computer’s
A: drive and power on the computer.
When prompted, press F12.
2. The Client Installation wizard starts. A Welcome message appears, indicating that
you need a valid logon name and password to begin the RIS installation.
3. In the Logon screen, enter your user name and password. After the logon is
complete, if you are using a RIS boot disk, remove the disk from the A: drive.
4. When the Setup Options screen appears, choose the type of installation you
want to perform: Automatic, Custom, Restart, Maintenance, or Troubleshooting.
(The actual options displayed in this screen depend on how the administrator
configured Choice Options in Group Policy.)
5. The Operating System Choice screen appears, listing the available images that
can be installed on this computer. Select the appropriate image.
6. The Caution screen is displayed, warning that the client computer’s hard disk will
be formatted by this process.
7. The Summary screen is displayed, which lists the options you’ve selected for
this installation.
8. RIS starts the Windows 2000 Professional installation. Follow the instructions
presented onscreen to complete the installation of Windows 2000 Professional.
Depending on the answer file associated with the RIS image, you may have little
or no interaction during the installation. Depending on the type of image you
selected, you may have to reboot the client computer one or more times to
complete the installation.

CROSS REFERENCE
See Chapter 3 for detailed information on how to respond to the screens
displayed during the installation of Windows 2000 Professional.
Troubleshooting RIS Problems


Using RIS is fairly straightforward. However, occasionally problems using
RIS do crop up. The most common RIS-related problems involve a client
computer’s inability to contact or communicate with the RIS server.
When troubleshooting RIS problems, keep these tips in mind:
■ Remember that RIS only supports Windows 2000 Professional as
an installation image. No other operating systems can be installed
by using RIS.
■ Ensure that the DHCP server (and the RIS server, if RIS is installed
on a different computer) is authorized in Active Directory.
■ Only network adapter cards that support PXE version .99c or
later are supported by RIS. If the client computer is unable to
communicate with the RIS server, check the version of PXE,
and, if necessary, upgrade the network adapter card.
■ Only a limited number of PCI-based network adapter cards that
don’t support PXE are supported by the RIS boot disk. If a client
computer is unable to communicate with the RIS server, ensure
that the computer’s network adapter card is on the list of supported
network adapters.
■ If a client computer is unable to communicate with the RIS
server, consider examining the System log (in Event Viewer) on
the DHCP server and the RIS server for DHCP and BINLSVC
error messages.
■ When you run the Client Installation wizard on the client computer,
if the choices displayed on the Setup Options screen don’t include
the options you were expecting, verify that the choice options are
correctly configured in Group Policy, and that this policy applies to
the user performing the installation.
■ If the “Do not respond to unknown client computers” check box
is selected on the RIS server, ensure that client computers have
been correctly prestaged.
■ Ensure that users performing installations on non-prestaged client
computers have been granted the Create Computer Objects
advanced Active Directory permission for the domain or OU
in which the computer objects (for the new client computers)
are being created.
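The PowerShell script below is an added example, not code from the book or its author. It audits the prestaged computer objects that the “Prestaging a RIS Client” procedure creates and that the troubleshooting tip about correct prestaging refers to: it reads each object’s netbootGUID (the client GUID, stored as 16 bytes) and netbootMachineFilePath (the RIS server the object is pinned to; empty means “Any available remote installation server”), flags duplicate GUIDs, and shows how the clients are spread across the RIS servers. It assumes the ActiveDirectory module from RSAT and the domain1.mcse domain used in the lab.

```powershell
# Added example (not from the book): audit prestaged RIS client objects in
# Active Directory. Assumes the ActiveDirectory PowerShell module and the
# domain1.mcse lab domain; adjust $searchBase for your domain.
Import-Module ActiveDirectory

$searchBase = 'DC=domain1,DC=mcse'   # assumed lab domain

# LDAP presence filter: only objects that carry a netbootGUID, i.e. clients
# that were prestaged with "This is a managed computer".
$prestaged = Get-ADComputer -SearchBase $searchBase -LDAPFilter '(netbootGUID=*)' `
    -Properties netbootGUID, netbootMachineFilePath

$report = foreach ($c in $prestaged) {
    $bytes = [byte[]]$c.netbootGUID
    if ($bytes.Length -ne 16) {
        # A GUID that is not 16 bytes was entered incorrectly; the RIS server
        # will never match this object to a booting client.
        Write-Warning "$($c.Name): netbootGUID is $($bytes.Length) bytes, expected 16"
        continue
    }
    # Empty netbootMachineFilePath = "Any available remote installation server".
    $server = if ($c.netbootMachineFilePath) { $c.netbootMachineFilePath } else { '(any)' }
    [pscustomobject]@{
        Name      = $c.Name
        # Braces around the GUID, as the New Object - Computer dialog requires.
        GUID      = '{' + [guid]::new($bytes).ToString().ToUpper() + '}'
        RISServer = $server
    }
}

# Two prestaged objects with the same GUID point to a data-entry error.
$report | Group-Object GUID | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("Duplicate GUID {0} on: {1}" -f $_.Name, ($_.Group.Name -join ', '))
}

# Distribution of prestaged clients across RIS servers (load-balancing check).
$report | Group-Object RISServer | Select-Object Name, Count | Format-Table -AutoSize

# Full listing, one line per prestaged client.
$report | Sort-Object RISServer, Name | Format-Table -AutoSize
```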
KEY POINT SUMMARY

This chapter introduced several important Windows 2000 deployment topics:


■ Setup Manager is a wizard included in Windows 2000 that enables you to
create answer files that can automate the installation and setup of Windows
2000 Professional and Windows 2000 Server.
■ You can use Setup Manager to create different types of answer files. You can
create an answer file for a standard, unattended installation; an answer file for
a Sysprep installation; and an answer file for a RIS installation.
■ You can install Setup Manager and the other deployment and support tools by
copying them from the DEPLOY.CAB file in the \SUPPORT\TOOLS folder on
the Windows 2000 compact disc.
■ Sysprep, another Windows 2000 deployment tool, prepares a Windows 2000
Professional or Windows 2000 Server computer for hard disk duplication by
removing user-specific settings. Sysprep doesn’t work on Windows 2000
Server domain controllers.
■ Sysprep can’t be used to actually copy the master computer’s hard disk — you
must use a third-party software utility to duplicate the hard disk and copy the
data to the target computer.
■ Remote Installation Services (RIS) is a Windows 2000 Server service used to
deploy Windows 2000 Professional over-the-network to client computers. RIS
can only be used on Windows 2000 networks that use DHCP, DNS, and
Active Directory.
■ RIS servers must be authorized in Active Directory.
■ You can configure security on the RIS server. If the “Do not respond to unknown
client computers” check box is selected, client computers must be prestaged.
■ RIS supports two types of Windows 2000 Professional images: CD-based
images and RIPrep images.
■ RIS clients must have PCI-based network adapter cards that either support
PXE or are supported by a RIS boot disk.
STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about deploying Windows 2000 and to help you prepare for
the Professional, Server, and Directory Services exams:
■ Assessment Questions: These questions test your knowledge of
the Windows 2000 deployment topics covered in this chapter.
You’ll find the answers to these questions at the end of this chapter.
■ Scenarios: The situation-based questions in scenarios challenge
you to apply your understanding of the material to solve a
hypothetical problem. In this chapter’s scenarios, you are asked
to analyze Windows 2000 deployment scenarios, and then answer
the question or questions that follow each scenario. You don’t need
to be at a computer to do scenarios. Answers to this chapter’s
scenarios are presented at the end of this chapter.
■ Lab Exercise: These exercises are hands-on practice activities that
you perform on a computer. The lab in this chapter gives you an
opportunity to practice several Windows 2000 deployment tasks.

Assessment Questions
1. You want to create an answer file that duplicates the computer’s
configuration on which you are creating the answer file. What is
the easiest way to do this?
A. Manually create an answer file
B. Use Setup Manager
C. Use RIS
D. This type of answer file cannot be created
2. You want to use Sysprep to prepare a Windows 2000 Server domain
controller for disk duplication, but you can’t get the utility to work.
What is the problem?
A. The server is not authorized in Active Directory
B. You do not have Administrative permissions
C. The server contains more than one hard disk


D. Sysprep can’t be used on domain controllers
3. When you run Sysprep on a Windows 2000 computer, what happens
to the user-specific information on the computer?
A. It is preserved in usset.inf.
B. It is saved and automatically reinstalled.
C. It is removed.
D. It is not altered.
4. How do you install RIS?
A. By using the Windows 2000 deployment tools
B. By using the Windows 2000 Server Resource Kit
C. By using Add/Remove Programs
D. You don’t have to install RIS because it is installed by default.
5. Which tool should you use to authorize a RIS server in
Active Directory?
A. The DHCP administrative tool
B. The DNS administrative tool
C. Active Directory Users and Computers
D. Active Directory Sites and Services
6. What must the PCI-based network adapter card in a client computer
support in order to use a RIS server?
A. TCP/IP
B. PXE
C. DHTML
D. UDP
7. What type of images are supported by RIS? (Choose all that apply.)
A. CD-based images
B. Sysprep images
C. RIPrep images
D. Windows 2000 Server images
E. Windows 2000 Professional images
F. Windows 98 images
8. What can you use to create a RIS image that contains an operating
system and applications?
A. RIPrep
B. Sysprep
C. Setup Manager
D. Third-party disk imaging software

Scenarios
Deploying Windows 2000 on a network is a complex task. For each of the
following situations, consider the given facts and answer the question or
questions that follow.
1. You want to perform an unattended over-the-network installation
of Windows 2000 Professional. What basic steps should you take to
accomplish this?
2. You want to perform an unattended CD-based installation of
Windows 2000 Server. What basic steps should you take to
accomplish this?
3. You want to use Sysprep to install Windows 2000 Professional on 100
identical computers. How should you prepare the master computer?
4. You want to use the RIS server on your network to install Windows
2000 Professional and several applications on 100 client computers.
The computers don’t have identical mass storage device controllers,
and don’t have identical hard disks.
a. What type of image should you create?
b. How should you create this image?
5. Your company’s network has two RIS servers. Over the next few
weeks you want to deploy Windows 2000 Professional on 1,000
client computers. The RIS servers are configured to “not respond
to unknown client computers.”
a. What should you do to prestage the client computers?
b. How can you distribute the load between the two RIS servers?
6. You create a RIS boot disk, but it does not work on some of your
client computers.
a. What is the most likely cause of this problem?
b. What should you do to solve the problem?
7. You want to deploy Windows 2000 Professional to 200 client
computers on your network by using a RIS server. Each of the
client computers has a network adapter that has a PXE ROM. You
create a RIPrep image on the RIS server. What steps should you
take to install the image on each of the client computers?

Lab Exercise
Lab 19-1 Deploying Windows 2000
EXAM MATERIAL: Professional, Server, Directory Services

The purpose of this lab is to provide you with an opportunity to practice
several of the Windows 2000 deployment tasks you learned in this chapter.
There are five parts to this lab:
■ Part 1: Using Setup Manager to Create an Answer File for an
Automated Installation of Windows 2000 Professional
■ Part 2: Using Setup Manager to Create an Answer File for an
Automated Installation of Windows 2000 Server
■ Part 3: Installing and Configuring RIS
■ Part 4: Creating a RIS Boot Disk
■ Part 5: Configuring RIS Server Security and Options
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.
Part 1: Using Setup Manager to Create an Answer File for an
Automated Installation of Windows 2000 Professional
In this part, you install Setup Manager and the Windows 2000 deployment
tools. Then you use Setup Manager to create an answer file that can be
used to automate the installation of Windows 2000 Professional.
1. Insert your Windows 2000 Professional compact disc into your
computer’s CD-ROM drive. Close the Microsoft Windows 2000
CD dialog box.
2. From the desktop, right-click My Computer, and select Explore from
the menu that appears.
3. In the left pane, highlight Local Disk (C:). Select File ➪ New ➪ Folder.
4. In the right pane, type in a new folder name of Deployment and
press Enter.
5. In the left pane, click the + next to your CD-ROM drive. Click the
+ next to the SUPPORT folder. Highlight the TOOLS folder. In the
right pane, double-click the DEPLOY file. Select Edit ➪ Select All.
Select Edit ➪ Copy To Folder.
6. In the Browse For Folder dialog box, click the + next to My
Computer. Click the + next to Local Disk (C:). Highlight
Deployment. Click OK.
7. Windows 2000 extracts and copies the contents of the DEPLOY.CAB
file to the DEPLOYMENT folder.
8. In the left pane, click the + next to Local Disk (C:). Highlight the
Deployment folder. In the right pane, double-click setupmgr.
9. The Windows 2000 Setup Manager wizard starts. Click Next.
10. In the New or Existing Answer File screen, accept the default
selection of “Create a new answer file” and click Next.
11. In the Product to Install screen, select the Windows 2000 Unattended
Installation option. Click Next.
12. In the Platform screen, select the Windows 2000 Professional option.
Click Next.
13. In the User Interaction Level screen, select the “Fully automated”
option and click Next.
14. In the License Agreement screen, select the check box next to
“I accept the terms of the License Agreement.” Click Next.
15. In the Customize the Software screen, enter a default user name
of User. Enter your company’s name in the Organization text box.
Click Next.
16. In the Computer Names screen, enter a computer name of w2ktest,
then click Add. Click Next.
17. In the Administrator Password screen, type in a password of
password and confirm it by retyping it. Click Next.
18. In the Display Settings screen, accept the default settings and click
Next.
19. In the Network Settings screen, accept the default option of
“Typical settings” and click Next.
20. In the Workgroup or Domain screen, accept the default option of
Workgroup and click Next.
21. In the Time Zone screen, select your time zone from the drop-down
list box, and click Next.
22. In the Additional Settings screen, select the “No, do not edit the
additional settings” option and click Next.
23. In the Distribution Folder screen, accept the default selection of Yes
and click Next.
24. In the Distribution Folder Name screen, accept the default folder
name and share name. Click Next.
25. In the Additional Mass Storage Drivers screen, click Next.
26. In the Hardware Abstraction Layer screen, click Next.
27. In the Additional Commands screen, click Next.
28. In the OEM Branding screen, click Next.
29. In the Additional Files or Folders screen, click Next.
30. In the Answer File Name screen, accept the default answer filename
and location. Click Next.
31. In the Location of Setup Files screen, accept the default option of
“Copy the files from CD” and click Next. Setup Manager copies the
files from the compact disc.
32. In the Completing the Windows 2000 Setup Manager Wizard screen,
click Finish. Remove the Windows 2000 compact disc from your
computer’s CD-ROM drive. Close Windows Explorer.
Part 2: Using Setup Manager to Create an Answer File for an
Automated Installation of Windows 2000 Server
In this part, you use Setup Manager to create an answer file that can be
used to automate the installation of Windows 2000 Server.
1. Insert your Windows 2000 Server compact disc into your computer’s
CD-ROM drive. Close the Microsoft Windows 2000 CD dialog box.
2. Start Windows Explorer. (Select Start ➪ Programs ➪ Accessories ➪
Windows Explorer.)
3. Repeat Steps 8 through 32 in Part 1 of this lab, except:
In Step 12, select Windows 2000 Server instead of Windows 2000
Professional.
At the completion of Step 15, in the Licensing Mode screen, accept
the default option of “Per server” and click Next. Continue on to
Step 16.
In Step 24, type in a distribution folder name of C:\win2000srv
and a share name of win2000srv and click Next.

Part 3: Installing and Configuring RIS


In this part, you install RIS on a Windows 2000 Server computer. Then
you authorize the RIS server in Active Directory, grant permission to
create computer objects to authenticated users, and set up the RIS server.
Steps 21 through 29 are optional because they require a second hard disk,
formatted with NTFS, in your Windows 2000 Server computer.
1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove
Windows Components.
4. In the Windows Components screen, select the check box next to
Remote Installation Services, then click Next.
5. When prompted, insert your Windows 2000 Server compact disc
into your computer’s CD-ROM drive, and click OK. When the
Microsoft Windows 2000 CD dialog box appears, close it.
Windows 2000 installs RIS.
6. In the Completing the Windows Components Wizard screen, click
Finish. When prompted, click Yes to restart your computer. Remove
your Windows 2000 Server compact disc from your computer’s
CD-ROM drive. Boot to Windows 2000 Server and log on as
Administrator. Close Control Panel.
7. Select Start ➪ Programs ➪ Administrative Tools ➪ DHCP.
8. In the DHCP dialog box, select Action ➪ Manage authorized servers.
9. In the Manage Authorized Servers dialog box, click Authorize.
10. In the Authorize DHCP Server dialog box, enter a computer name of
Server01 and click OK.
11. A DHCP message appears, indicating that the server you specified
will be added to the authorized DHCP servers list. Click Yes. Because
you have previously authorized this server as a DHCP server, another
message appears, indicating that the specified server is already present.
Click OK.
12. In the Manage Authorized Servers dialog box, click Close. Close DHCP.
13. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory
Users and Computers.
14. In the left pane of Active Directory Users and Computers,
right-click domain1.mcse, then select Delegate Control from
the menu that appears.
15. The Delegation of Control wizard starts. Click Next.
16. In the Users or Groups screen, click Add.
17. In the Select Users, Computers, or Groups dialog box, double-click
the Authenticated Users group. Click OK.
18. In the Users or Groups screen, click Next.
19. In the Tasks to Delegate screen, select the check box next to
“Join a computer to the domain.” Click Next.
20. In the Completing the Delegation of Control Wizard screen,
click Finish. Close Active Directory Users and Computers.

CAUTION
Skip the rest of this part, and Parts 4 and 5 unless you have a second
hard disk in your Windows 2000 computer that is formatted with NTFS.
21. Insert your Windows 2000 Professional compact disc into your
computer’s CD-ROM drive. Close the Microsoft Windows 2000
CD dialog box. From the desktop, select Start ➪ Run.
22. In the Run dialog box, type risetup and click OK.
23. The Remote Installation Services Setup wizard starts. Click Next.
24. In the Remote Installation Folder location screen, accept the default
path and click Next.
25. In the Initial Settings screen, select the check box next to “Respond
to client computers requesting service.” Click Next.
26. In the Installation Source Files Location screen, accept the default
path to your computer’s CD-ROM drive. Click Next.
27. In the Windows Installation Image Folder Name screen, accept the
default name for the folder that will contain the default RIS image.
Click Next.
28. In the Friendly Description and Help Text screen, accept the default
friendly description and help text, and click Next.
29. In the Review settings screen, click Finish. The RIS server copies
files, creates the remote installation folder, creates the default image of
Windows 2000 Professional, and sets up the RIS server. This process
takes several minutes. When this process completes, click Done.

Part 4: Creating a RIS Boot Disk


In this part, you use your Windows 2000 RIS server to create a RIS boot
disk. This part is optional because it requires that you have a second hard
disk in your Windows 2000 Server computer, formatted with NTFS, and
you must have completed all of Part 3.
1. Right-click My Computer and select Explore from the menu that
appears.
2. In the left pane, click the + next to the volume that contains the
RIS installation folder (this is your second hard disk). Click the +
next to RemoteInstall. Click the + next to Admin. Highlight the
i386 folder. In the right pane, double-click rbfg.exe.
3. The Windows 2000 Remote Boot Disk Generator dialog box
appears. Insert a blank, formatted floppy disk into drive A:, then
click Create Disk.
4. The Remote Boot Disk Generator creates the RIS boot disk. Click
No when asked if you want to create another disk.
5. In the Windows 2000 Remote Boot Disk Generator dialog box, click
Close. Close Windows Explorer.

Part 5: Configuring RIS Server Security and Options


In this part, you configure various RIS server options, including security
options. You also configure RIS security settings in Group Policy. This part
is optional because it requires that you have a second hard disk in your
Windows 2000 Server computer, formatted with NTFS, and you must
have completed all of Part 3.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory
Users and Computers.
2. In the left pane of Active Directory Users and Computers dialog box,
click the + next to domain1.mcse. Highlight the Domain Controllers
OU. In the right pane, right-click Server01, and select Properties
from the menu that appears.
3. In the SERVER01 Properties dialog box, click the Remote Install tab.
4. On the Remote Install tab, notice that the check box next to “Respond
to client computers requesting service” is selected. To secure your RIS
server, select the check box next to “Do not respond to unknown client
computers.” Then, click Advanced Settings.
5. In the SERVER01-Remote-Installation-Services Properties dialog
box, select the NP plus MAC naming scheme from the “Generate
client computer names using” drop-down list box. Then select the
“Same location as that of the user setting up the client computer”
option. Click OK.
6. In the SERVER01 Properties dialog box, click OK.
7. In the left pane of the Active Directory Users and Computers dialog
box, right-click domain1.mcse, and select Properties from the menu
that appears.
8. In domain1.mcse Properties dialog box, click the Group Policy tab.
9. On the Group Policy tab, highlight the Default Domain Policy and
click Edit.
10. In the left pane of the Group Policy dialog box, in the User
Configuration section, click the + next to Windows Settings.
Then highlight Remote Installation Services. In the right pane,
double-click Choice Options.
11. In the Choice Options Properties dialog box, in the Automatic Setup
section, select the Allow option. In the Custom Setup section, select
the Allow option. Click OK.
12. Close the Group Policy dialog box.
13. In the domain1.mcse Properties dialog box, click OK.
14. Close Active Directory Users and Computers.

Answers to Chapter Questions


Chapter Pre-Test
1. The deployment tools are located in the \SUPPORT\TOOLS folder on
the Windows 2000 Professional or Server compact disc. The support
tools are located in DEPLOY.CAB.
2. Setup Manager
3. unattend.txt
4. Sysprep (sysprep.exe)
5. You need a third-party software utility to duplicate the master
computer’s hard disk, and to copy that data onto the hard disk of
a target computer.
6. A RIS server must be authorized in Active Directory before it can
be used.
7. Only Windows 2000 Professional can be deployed by using RIS.

Assessment Questions
1. B. Setup Manager provides you with an option to create an answer
file that “duplicates this computer’s configuration.”
2. D. You can use Sysprep on Windows 2000 Professional and Windows
2000 Server computers, but you can’t use Sysprep on Windows 2000
Server domain controllers.
3. C. The user-specific settings are removed by Sysprep.


4. C. RIS is installed by using Add/Remove Programs in Control Panel.
5. A. You must use the DHCP administrative tool to authorize a RIS
server in Active Directory.
6. B. The client computer’s network adapter must support PXE
(Preboot Execution Environment), or the client computer can use a
RIS boot disk if the computer’s PCI-based network adapter card is
supported by the RIS boot disk.
7. A, C, E. RIS supports CD-based images, RIPrep images, and
Windows 2000 Professional images.
8. A. RIPrep is used to create RIS images that contain both an
operating system and applications.

Scenarios
1. Use Setup Manager to create an answer file for the unattended
installation, and to create a shared distribution folder on your
network server. Then, on the target computer, partition and format
the computer’s hard disk by using MS-DOS (or Windows 95 or
Windows 98 DOS). Then load the Client for Microsoft Networks
on the target computer, and map a network drive to the shared
distribution folder. At the command prompt, change the default
drive to the mapped network drive, then type unattend.bat and
press Enter to begin the unattended installation.
2. Use Setup Manager to create an answer file for the unattended
installation, and copy the unattend.txt and unattend.bat files
to a floppy disk. Then, on the target computer, partition and format the
computer’s hard disk by using MS-DOS (or Windows 95 or Windows
98 DOS). Next, boot the computer to DOS and load CD-ROM
drivers for the computer’s CD-ROM drive. Then place the floppy
disk in drive A: and the Windows 2000 Server compact disc in the
CD-ROM drive. At the command prompt, type A:\unattend.bat
and press Enter to begin the unattended installation.
3. Install Windows 2000 Professional and all desired applications on
the master computer. Configure desktop settings, shortcuts, and other
configurable options exactly the way you want them to appear on the
target computers. Then, copy the contents of the Administrator’s profile
folder over the contents of the Default User profile folder.
4. You should create a RIPrep image to accomplish this task. A
RIPrep image is the only image RIS supports that can be used to
install applications as well as the Windows 2000 Professional operating
system. Once the master computer is prepared, use riprep.exe to
create the RIPrep image on the RIS server.
5. To prestage the client computers, you should perform several tasks.
First, create a computer object for each new client computer in Active
Directory. When you create the computer objects, specify which RIS
server will service each computer — this will enable you to distribute
the load between your two RIS servers by assigning equal numbers of
computers to each RIS server. Of course, you must have more than
one RIS server to perform load balancing. Finally, assign the users of
the new client computers appropriate Active Directory permissions
to the computer objects.
6. The most likely cause of this problem is that the client computers
don’t have network adapter cards that are supported by the RIS boot
disk. RIS boot disks only support a limited number of PCI-based
network adapter cards. There is no workaround for this, except to
install a supported PCI-based network adapter card on each of the
client computers.
7. Power on the client computer, then type y to boot from the network.
When prompted, press F12. The Client Installation wizard starts. Enter
your user name and password. Choose the type of installation you
want to perform. Then select the appropriate image to install. Accept
the summary and follow the instructions presented on-screen to
complete the installation of Windows 2000.
EXAM MATERIAL: Server

EXAM OBJECTIVES

Server: Exam 70-215


■ Install, configure, monitor, and troubleshoot Terminal Services.
■ Remotely administer servers by using Terminal Services.
■ Configure Terminal Services for application sharing.
■ Configure applications for use with Terminal Services.
CHAPTER 20
Managing Terminal Services

In this chapter, you’ll learn about Terminal Services in Windows 2000.
Terminal Services allows network clients to connect to a Terminal server
and begin a session with that server, where they can use applications that
might not normally function on their desktops. You can also use Terminal
Services to remotely administer a Terminal server on your network from your
own desktop computer. I’ll explore the various features of Terminal Services in
this chapter, including Terminal Services modes, installing and configuring
Terminal Services, installing and configuring applications for use with Terminal
Services, configuring clients, establishing and managing sessions, licensing,
and troubleshooting.


Chapter Pre-Test
1. Which Terminal Services mode allows you to remotely manage
the Terminal server?
2. What tool do you use to install Terminal Services?
3. How does Terminal Services run 16-bit applications?
4. After installing Terminal Services in application server mode,
what must you do to previously installed applications so they
can function with Terminal Services?
5. What are application compatibility scripts?
6. What two methods can be used to install Terminal Services
Client software?
7. What tool can you use to end a client’s Terminal Services session?
8. What command-line utility can be used to remotely control a
Terminal Services session?
9. What licensing requirements are necessary for remote
administration mode?
10. How much time do you have before licensing is required in
application server mode?

Chapter 20 ▼ Managing Terminal Services 1321

What Is Terminal Services?


Terminal Services is a Windows 2000 Server component that provides terminal
emulation to network clients. This means that network clients can access a
Terminal server, begin a session with it, and run applications from the
Terminal server as though the applications were installed locally on the user’s
computer. The term Terminal server is commonly used to refer to the Windows
2000 Server computer on which Terminal Services is installed.

TIP
A Terminal server is also called a Terminal Services server. In Microsoft
documentation, these two terms are used interchangeably.

When a user logs onto a Terminal server, the user sees the Terminal
server’s desktop interface, but keyboard strokes and mouse clicks made on
the user’s end are returned to the Terminal server for processing. In essence,
the user’s computer becomes a “dumb terminal.” All processing is performed
on the server’s end, and the Terminal server can host many Terminal Services
sessions at one time.
So, why would you want to use Terminal Services on your network?
First, if you use Terminal Services for application sharing, you can allow
users to access applications that might not run on their current system. This
feature allows you to have a powerful server computer that can host various
applications without having to provide user desktop systems with the power
to support those applications.
For example, let’s say you want to provide Microsoft Office to a number
of clients that have older computers, older operating systems, and a definite
lack of RAM and processing power. With Terminal Services, those users can
connect to the Terminal server and use those applications just as though
they were installed locally. To the users, it appears as though their systems are
running the applications, when in reality, the applications are being run on
the server’s end. This feature allows you to implement new applications
without having to upgrade current PC hardware and software at the same
time. In conjunction with Group Policy, Terminal Services can provide an
end-user a highly effective desktop configuration and application bank
without having to perform any of the configuration or processing locally.
Aside from providing end-user applications, you can also use Terminal
Services to remotely administer the Terminal servers on your network.
This feature allows you, as the administrator, to remain at your desk while
connecting to various Windows 2000 Server computers (assuming they
run Terminal Services) throughout your network. You can configure and
administer those servers without ever having to leave your desk.
Terminal Services operates in one of two modes: application server mode
or remote administration mode. In application server mode, your Terminal
server can provide applications to systems that cannot run Windows or do
not have the power to run a particular application. In addition, in application
server mode you can remotely administer the Terminal server. In remote
administration mode you can remotely manage and configure the Terminal
server, but you can’t run applications.

EXAM TIP
You can’t run Terminal Services in application server mode and remote
administration mode at the same time. The selections are mutually exclusive.
Keep this in mind when you take the Server exam.

Installing and Configuring Terminal Services

Terminal Services is not installed by default during the installation of
Windows 2000 Server. You can either install Terminal Services during a
custom installation of Windows 2000 Server, or you can install Terminal
Services after Windows 2000 Server is installed by using the Add/Remove
Programs application in Control Panel.
When you install Terminal Services, you need to configure the mode
the Terminal server will function in, either remote administration mode or
application server mode:
■ Choose remote administration mode if you’re only concerned
with remote administration of this Terminal server.
■ Choose application server mode to configure this Terminal
server for application sharing. An added benefit of using application
server mode is that you get the capability of remote administration
of the Terminal server, as well. Because of the large amount of
resources used by Terminal Services, Microsoft recommends that
you install Terminal Services on a member server or stand-alone
server, rather than a domain controller, when using Terminal
Services for application sharing.
Installing and configuring Terminal Services is fairly straightforward, as
the following steps explain.

STEP BY STEP

INSTALLING AND CONFIGURING TERMINAL SERVICES

1. Select Start ➪ Settings ➪ Control Panel.


2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove Windows Components.
4. In the Windows Components Wizard dialog box, scroll down until Terminal
Services is displayed. Select the check box next to Terminal Services. Click Next.
5. The Terminal Services Setup screen appears as shown in Figure 20-1. Notice the
two modes you can select between.

FIGURE 20-1 Selecting the Terminal Services mode

Select the “Remote administration mode” option if you only want to use Terminal
Services to remotely administer this server.
Select the “Application server mode” option if you want to configure this server for
application sharing. If this mode is selected, you will get the capability of remote
administration of the Terminal server, as well.
Click Next.
6. On the next Terminal Services Setup screen select the appropriate permissions
setting from the two options provided.
■ Permissions compatible with Windows 2000 Users: This is the most
secure selection for Terminal Services. However, many legacy applications
won’t run when this option is selected.
■ Permissions compatible with Terminal Server 4.0 Users: This is the least
secure selection for Terminal Services. However, most legacy applications will
run when this option is selected. This is the default selection.
Click Next.
7. The next Terminal Services Setup screen displays a list of currently installed
applications that may not work correctly after Terminal Services is installed.
These applications might have to be removed and reinstalled. Click Next.
8. Windows 2000 installs Terminal Services. If you have not previously placed your
Windows 2000 compact disc into your CD-ROM drive, insert it and click OK when
prompted. If the Microsoft Windows 2000 CD dialog box appears, close it. In the
Completing the Windows Components Wizard screen, click Finish.
9. In the System Settings Change dialog box, click Yes to restart your computer and
complete the installation of Terminal Services.

Installing Applications for Use with Terminal Services

Once you have installed Terminal Services in application server mode,
Terminal Services is configured for application sharing. The next step is to
install the desired applications you want Terminal Services clients to be
able to use.
In a perfect world, any application you might want to use would work
perfectly with Terminal Services. Unfortunately, this is not the case. Some
applications simply do not work well in a multisession environment. Some
applications use too much memory or CPU cycles, and some simply do
not work well with multiple users. So, you may have decisions to make and
you may need to perform some testing to ensure that the applications you
want to use will work well with Terminal Services.
When you are deciding which applications to use, you should take a look
at how each application will run on the Terminal server. Applications that
work well with Terminal Services do not use excessive system memory or
CPU cycles. This point alone should make you stop and take a look at both
your applications and your Terminal server. The Terminal server needs a
large hard drive, a fast CPU (probably 600 MHz or higher), and plenty of
RAM (probably 512MB or more). In addition, the applications you use
need to identify users by a username, not a computer name.
When you are choosing applications for use with Terminal Services,
always try to use 32-bit applications. You may have 16-bit applications
you used with previous versions of Windows, such as 3.11, that you
want to make available to the clients of the Terminal server. Although
Terminal Services can run 16-bit applications by translating them using
Win16-on-Win32 (WOW), you can expect a serious performance hit
on the server. Many 16-bit applications will increase the memory each
user needs by 50 percent and processor by 40 percent. In short, if you
use 16-bit applications, you will see performance problems, and not as
many people will be able to use the Terminal server at the same time.
For similar reasons, MS-DOS applications are not recommended for use
with Terminal Services since they tend to consume more system
resources than 32-bit applications.
You must install the applications that you want to use after you install
Terminal Services in application server mode. If the applications you want
to make available to clients are already installed on the Terminal server, you
must uninstall them and reinstall them. In order to install applications for
use with Terminal Services, you must use Add/Remove Programs in
Control Panel to install the application.The reason for this is simple: most
applications are installed for use by a single user — if multiple users are to
use an application, it must be installed in a multiuser format.
Terminal Services provides two application installation modes: execute
mode and install mode. In execute mode, the Terminal server runs an application
or installs it for a single user. In install mode, the Terminal server
installs the application for use in a multi-user environment. By using
Add/Remove Programs in Control Panel, the server is automatically put in
install mode. If you try to install the application by using the application’s
installation/setup program, the setup will fail on a Terminal server and you
will receive a failure notice.
The following steps explain how to use Add/Remove Programs in
Control Panel to install applications for use with Terminal Services.
STEP BY STEP

INSTALLING AN APPLICATION ON A TERMINAL SERVER

1. Select Start ➪ Settings ➪ Control Panel.


2. In Control Panel, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add New Programs.
4. Click the CD or Floppy command button.
5. Insert the application’s first installation floppy disk or CD-ROM. In the Install
Program From Floppy Disk or CD-ROM dialog box, click Next.
6. The wizard searches for the installation floppy or CD-ROM. In the Run Installation
Program dialog box, click Next.
7. Depending on the application, other windows may appear that ask you to enter
additional information, such as name, CD code, and so on. Follow the instructions
that appear on-screen to complete the installation of the application.

Once you have installed all of the applications you want to use on your
Terminal server, your next task is to try to tweak these applications so that
they work as well as possible with Terminal Services. Windows 2000 Server
includes a collection of application compatibility scripts to optimize many
common applications for use with Terminal Services. The scripts are stored
in the SystemRoot\Application Compatibility Scripts\Install
folder on a Windows 2000 Server computer that has Terminal Services
installed on it, as shown in Figure 20-2.
As Figure 20-2 shows, common scripts include Microsoft Office,
Microsoft Word, Microsoft Excel, Netscape Communicator, and so on. The
content of each script varies depending on the application. The scripts are
designed to perform tasks such as editing the registry as needed, turning off
CPU-intensive features, and adding multiuser support. To use the scripts,
install your application first, locate its script in the Install folder, then
double-click the script’s icon to run the script. You need to run the script
before any users try to access the application on the Terminal server. When
the script completes its processing, log off and log back on before accessing
the application.
FIGURE 20-2 Application Compatibility Scripts

Aside from running available scripts, there are a few other things you
can do to enhance the performance of your applications with Terminal
Services. First, a serious performance problem can be intensive video
usage. Some applications have very active video usage, and these features
can push the Terminal server’s CPU to the max. If possible, reconfigure the
application to use less intensive video settings.
Next, look for features that always run in the background. For example,
Microsoft Word has a spelling checker that constantly runs in the background.
As you type, the spelling checker examines your words and underlines any
words it believes you have misspelled. Although a helpful feature, this does
cause Word to consume more system resources. Once you have identified features,
like the spelling checker, that run in the background of the application,
turn those features off.
Another option is to identify features in an installed application that are
helpful in a limited way, but that users can live without. For example, the
Office Assistant in Microsoft Office — you know, the little cartoon
paperclip — can be helpful, but users can access the Help files without it.
These little features can consume resources and degrade performance. Look
for ways to turn them off.
A final issue you should think about is application programs that start
other programs. For example, Microsoft Office programs often have a toolbar
that allows the users to launch other Microsoft applications from that
application. While good on a desktop PC, you should try to remove these
toolbars and features so that users can only open one application at a time.
This conserves system resources, especially memory.
In some cases, the registry can be used to tweak applications so they use
less system resources. This technique is not recommended. If at all possible,
you should use the application’s graphical user interface to configure the
application to work well with Terminal Services.

CAUTION
Editing the registry is a serious operation. Changes made to the registry
become effective immediately, and incorrect changes to the registry can
cause systemwide problems, or even cause Windows 2000 to fail to boot.

Configuring Terminal Services Clients


One of the primary purposes of Terminal Services is to enable network
clients to connect to the Terminal server and run applications. Without
clients, Terminal Services doesn’t have much purpose in life. The software
that is installed on a client computer that enables it to communicate with a
Terminal server is called Terminal Services Client.
The Terminal Services Client is called a “thin client” because it delivers
a 32-bit Windows 2000 environment to a client computer that might not
have this functionality on its own. Additionally, Terminal Services Client
allows desktop PCs to run applications for which they may not have the
processing or memory power to handle on their own.
When a Terminal Services client connects to the Terminal server, a
terminal window appears on the client’s computer, but all processing is
performed on the server. Due to this design, Terminal Services can support
legacy operating systems and hardware. Terminal Services Client
software can be run on Windows-based terminal devices, Intel computers
running Windows 95, 98, Millennium, NT 3.51 or 4.0, and 2000.
Computers running Windows for Workgroups 3.11 are also supported
as Terminal Services clients.
Installing Terminal Services Client Software


The network client computers that need to connect to the Terminal server
normally do not have the necessary software installed by default. Client
computers use special Terminal Services Client software and a protocol
called Remote Desktop Protocol (RDP) to connect to the Terminal
server. RDP is installed and configured on the client during the installation
of Terminal Services Client software, so that the client can communicate
with the Terminal server.
When you install Terminal Services, the Terminal Services Client is copied
to the server. Terminal Services provides a nifty client creator, called Terminal
Services Client Creator, which enables you to create floppy disks so that you
can install the Terminal Services Client software on your client computers.
The trick, of course, is actually getting that software to your clients.
You can use the floppy disk that is created with the Terminal Services
Client Creator, physically visit each computer, and install the software. If
you have a lot of client computers and you don’t want to spend all day
walking around with a floppy disk, you can share the Terminal server’s
folder that contains the Terminal Services Client software and perform
over-the-network installations of that software on the client computers.
The Terminal Services Client software is located in the
SystemRoot\system32\clients\tsclient\net folder on the Windows 2000 Server
computer on which Terminal Services is installed. Two folders reside within
this folder: Win16 and Win32. Windows for Workgroups clients need to have
the Win16 software installed, and x86-based Windows 9x and Windows NT
clients need to have the Win32 software installed. Open the desired folder,
then double-click the Setup icon. You can use either the floppy method
or the over-the-network method for installation — whichever works best
for you.
The following section gives you a step-by-step look at creating the
client setup disks.

STEP BY STEP

CREATING CLIENT INSTALLATION/SETUP DISKS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Terminal Services Client Creator.


2. The Create Installation Disk(s) dialog box appears, as shown in Figure 20-3. Notice
the two Network client options available in this dialog box. Also notice that Terminal
Services Client Creator tells you how many disks you will need for the selected
client software option.

FIGURE 20-3 Creating Terminal Services client installation disks

3. Highlight the appropriate option. Then select the destination floppy drive from the
“Destination drive” spin box. Optionally, you can select the Format Disk(s) check box
to allow the Client Creator to format your floppy disks before the Terminal Services
Client software is copied to them. When you have completed the appropriate selections
in this dialog box, click OK.
4. A dialog box appears telling you to insert the first disk into your disk drive. Insert
the disk, then click OK. Follow any additional instructions that appear to insert
and remove disks as needed.

Once you have created the Terminal Services client installation/setup
disks (or shared the folder containing the Terminal Services Client software),
you’re ready to install the client software on a client computer.The following
steps explain how to install Terminal Services Client software on a 32-bit
Windows client computer.

STEP BY STEP

INSTALLING TERMINAL SERVICES CLIENT SOFTWARE

1. On the client computer, start Windows Explorer, or Windows NT Explorer,
as appropriate.
2. In the left pane, highlight the drive that contains the Terminal Services Client
setup files — this is either the network drive that is connected to the shared
folder that contains the Terminal Services Client software, or the floppy drive
that contains the Terminal Services Client installation/setup floppy disk. In the
right pane, double-click Setup.exe.
3. In the Terminal Services Client Setup welcome dialog box, click Continue.
4. Enter your name and organization in the dialog box provided. Click OK.
5. A confirmation dialog box appears. Click OK.
6. The License Agreement dialog box appears. Read the agreement and click I Agree.
7. In the Terminal Services Client Setup dialog box, click the large installer button.
8. The Terminal Services Client - Choose Program Group dialog box appears. Either
accept the default Program Group selection or choose a new one. Click Continue.
9. Terminal Services Client software files are copied. Insert additional disks if
prompted. When a dialog box notifies you that Terminal Services Client Setup
was completed successfully, click OK. You don’t need to reboot your computer.
10. Close Windows Explorer (or Windows NT Explorer).

Establishing a Terminal Services Session


Once the Terminal Service Client software is installed on the client computer,
users can connect to the Terminal server and begin using applications. Clients
connect to the Terminal server by using Terminal Services Client.
In addition to running applications, once a Terminal Services session is
established on a client computer, the user of that computer can remotely
administer the Terminal server by using the server’s administration tools,
including Active Directory Users and Computers, Computer Management,
and so on.
The following steps explain how to establish a session with the server.

STEP BY STEP

ESTABLISHING A TERMINAL SERVICES SESSION

1. On the client computer, select Start ➪ Programs ➪ Terminal Services Client ➪
Terminal Services Client. The Terminal Services Client dialog box is displayed as
shown in Figure 20-4. Notice that a list of available Terminal servers is displayed
in this dialog box.

FIGURE 20-4 Starting the Terminal Services Client

2. Select the name of the Terminal server to which you want to connect from the list of
available servers. If the server you want to access is not listed, type in the server’s
name or IP address in the Server text box.
Select the desired screen area from the “Screen area” drop-down list box. You can
select any screen size up to the current resolution setting on the client computer.
Select the appropriate check boxes:
■ Enable data compression: This check box is selected by default, and
should be selected to reduce network traffic to and from the Terminal server.
■ Cache bitmaps to disk: Select this check box if you want the local computer
to cache bitmaps to disk to save network traffic. This option is especially useful
when connecting to a Terminal server over a Dial-up Networking connection.
This option is not selected by default.
Click Connect.
3. The Log On to Windows dialog box appears. Enter a user name and password
and click OK.
4. You are now connected to the server that is running Terminal Services. The desktop
of the Terminal server is displayed in the Terminal Services Client dialog box. You
can now run applications and remotely administer the Terminal server as if you were
logged on interactively to the Terminal server.
As the previous section shows, connecting to the Terminal server is rather
easy. If you want to view the Terminal Services session in a full-screen mode
instead of in a window, press Ctrl+Alt+Break. To change from full-screen
mode back to window mode, press Ctrl+Alt+Break again.
You can further configure your Terminal Services connections by using
the Terminal Services Client Connection Manager. The Client
Connection Manager allows you to create shortcuts for your Terminal
Services connections. These shortcuts are used to automate the process of
connecting to a Terminal server and logging on by using a set of predefined
connection properties. The following steps explain how to use the
Terminal Services Client Connection Manager to create shortcuts for your
Terminal Services connections.

STEP BY STEP

CREATING A SHORTCUT FOR A TERMINAL SERVICES CONNECTION

1. On the client computer select Start ➪ Programs ➪ Terminal Services Client ➪
Client Connection Manager.
2. In the Client Connection Manager dialog box, select File ➪ New Connection.
3. The Client Connection Manager Wizard starts. Click Next.
4. In the Create A Connection screen, enter a short descriptive name for the connection
in the “Connection name” text box, then enter the server’s name or IP address
in the “Server name or IP address” text box. You can also browse for a Terminal
server. Click Next.
5. The Automatic Logon screen appears, as shown in Figure 20-5. If you want to
automatically log on to the Terminal server when you connect, select the check
box next to “Log on automatically with this information;” then enter an appropriate
user name, password, and domain. Click Next.
6. The Screen Options screen appears. Select the desired screen resolution option.
If you want the connection to be displayed in full screen, select the check box
next to “Full screen.” Click Next.
7. The Connection Properties screen appears. Select the appropriate check
box(es): “Enable data compression,” “Cache bitmaps,” or both. Click Next.
8. The Starting a Program screen appears. By default, Terminal Services opens at
the Windows desktop. However, you can change the default by having Terminal
Services automatically start an application for you and display that application.
To enable this option, select the check box next to “Start the following program,”
then enter the program path and filename in the text box. Click Next.

FIGURE 20-5 Automatic logon option

9. The Icon and Program Group screen is displayed. In this dialog box you can
accept the default icon and program group for this connection, or you can specify
different ones. Configure the options on this screen as desired and click Next.
10. In the Completing the Client Connection Manager Wizard screen, click Finish.
The shortcut to the connection now appears in the Client Connection Manager
dialog box, as shown in Figure 20-6.

FIGURE 20-6 Client Connection Manager



You can use this same wizard to create shortcuts for multiple connections,
with each shortcut having a different set of predefined Terminal Services
connection properties. Once created, these shortcuts appear in the Client
Connection Manager dialog box, which you can access by selecting Start ➪
Programs ➪ Terminal Services Client ➪ Client Connection Manager.
To use a shortcut to establish a Terminal Services session, in Client
Connection Manager, right-click the shortcut you want to use and click
Connect. You can also right-click the shortcut and select Properties from the
menu that appears to modify the properties used to establish that particular
Terminal Services connection. The Properties dialog box provides you with
the same options you configured when you originally created the shortcut
to the connection.

TIP
If at any time you need to change the options you selected for a shortcut
to a Terminal Services connection, simply access the Properties dialog
box for the shortcut and make the desired changes. You don’t need to
create a new shortcut to the connection.

Once a Terminal Services session is established, the user of the client
computer can perform tasks and use applications as desired. One issue
I should point out, that could cause some help desk calls, concerns keyboard
shortcuts. The typical keyboard shortcuts, such as Alt + Esc to switch
between applications, don’t work while in a Terminal Services session. These
keyboard shortcuts are intercepted by the local buffer for use on the local
computer, so they’re not sent to the Terminal server. You can obtain a list of
shortcut keys that can be used during a Terminal Services session in
Terminal Services Client Help. To access this feature, start a Terminal
Services session from a client computer, right-click the title bar of the
Terminal Services Client dialog box, then select Help ➪ Terminal Services
Client Help from the menu that appears.

Managing Terminal Services Sessions


Once you have a Terminal server up and running, your applications configured,
and your client computers able to connect to the Terminal server,
that’s about all there is to it. But what happens if a client has a problem or
you need to manage a client’s session? Terminal Services provides you with
a couple of ways to manage Terminal Services sessions — you can either
use command-line utilities, or you can use the Terminal Services Manager.
These tools allow you to help clients, to see what a client is doing, and to
perform other Terminal Services management tasks.
There are quite a few Terminal Services command-line utilities you can
use to monitor and control Terminal Services sessions. Table 20-1 lists the most
common command-line utilities for managing Terminal Services sessions.
You can use this table as a handy reference as well as to review for the
Windows 2000 Server exam. These commands should be run at a command
prompt from within a Terminal Services session. You must be logged on as an
Administrator to use many of these commands.
TABLE 20-1 Terminal Services Command-Line Utilities

Command           Explanation

change logon      Used to disable and enable logons to the Terminal server
change port       Used to modify COM port mappings for MS-DOS programs
change user       Used to change the current user’s .ini file mapping
cprofile          Used to remove file associations from a user’s profile
dbgtrace          Used to enable and disable debug tracing
flattemp          Used to enable and disable flat temporary directories
logoff            Used to end a client’s session
msg               Used to send messages to Terminal Services clients
query process     Used to display information about processes
query session     Used to display information about Terminal Services sessions
query termserver  Used to display a list of Terminal servers on the network
query user        Used to display information about currently logged on users
register          Used to register programs
reset session     Used to reset/delete Terminal Services sessions
shadow            Used to remotely control or monitor Terminal Services sessions
tscon             Used to start a Terminal Services session
tsdiscon          Used to end a Terminal Services session
tskill            Used to terminate a process on the Terminal server
tsprof            Used to copy user information and to change a user’s profile path
tsshutdn          Used to shut down a Terminal server
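The commands in Table 20-1 are normally typed one at a time, but their output can also drive a routine housekeeping check. The script below is an added example, not from the book: it parses the text that query user prints (assumed here to be the Windows 2000 column layout USERNAME, SESSIONNAME, ID, STATE, IDLE TIME, LOGON TIME, with constructed sample output) and works out which logoff or tsdiscon commands from the table an administrator should run for stale sessions. The cleanup policy it applies (log off sessions that are already disconnected, disconnect active sessions idle past a limit) is an assumption made for the example.

```python
"""Triage stale Terminal Services sessions from ``query user`` output.

Added example, not from the book. It parses the text that the Windows 2000
``query user`` utility prints (USERNAME, SESSIONNAME, ID, STATE, IDLE TIME,
LOGON TIME columns) and decides which of the Table 20-1 commands an
administrator should run next. The sample output at the bottom is
constructed for this example.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class TsSession:
    user: str
    session_name: str      # empty for disconnected sessions
    session_id: int
    state: str             # "Active" or "Disc"
    idle_minutes: int
    logon_time: str


def parse_idle(field: str) -> int:
    """Convert the IDLE TIME column to whole minutes.

    The column is "." (no idle time), "35" (minutes), "1:05" (hours:minutes)
    or "2+03:10" (days+hours:minutes).
    """
    if field in (".", "none"):
        return 0
    days = 0
    if "+" in field:
        day_part, field = field.split("+", 1)
        days = int(day_part)
    if ":" in field:
        hours, minutes = field.split(":", 1)
        return days * 1440 + int(hours) * 60 + int(minutes)
    return days * 1440 + int(field)


def parse_query_user(output: str) -> List[TsSession]:
    """Turn the text printed by ``query user`` into TsSession records."""
    sessions = []
    for raw in output.splitlines()[1:]:   # first line is the column header
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):          # ">" marks the session running the command
            line = line[1:]
        tokens = line.split()
        # A disconnected session prints no SESSIONNAME, so the numeric ID
        # lands in the second column; put an empty name back to realign.
        if tokens[1].isdigit():
            tokens.insert(1, "")
        user, name, sid, state, idle = tokens[:5]
        sessions.append(TsSession(user, name, int(sid), state,
                                  parse_idle(idle), " ".join(tokens[5:])))
    return sessions


def plan_cleanup(sessions: List[TsSession], idle_limit_minutes: int = 60) -> List[str]:
    """Return the Table 20-1 commands to run, one per stale session.

    Assumed policy: a disconnected session is logged off so it releases the
    memory it still holds on the server; an active session idle longer than
    the limit is disconnected, and a later sweep logs it off if nobody
    reconnects. The server console is never touched.
    """
    commands = []
    for s in sessions:
        if s.session_id == 0 or s.session_name.lower() == "console":
            continue
        if s.state.lower() == "disc":
            commands.append(f"logoff {s.session_id}")
        elif s.state.lower() == "active" and s.idle_minutes >= idle_limit_minutes:
            commands.append(f"tsdiscon {s.session_id}")
    return commands


# Constructed sample of what ``query user`` prints; not captured from a real server.
SAMPLE_QUERY_USER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#1           1  Active          .  4/24/2000 9:48 AM
 jsmith                rdp-tcp#2           2  Active         35  4/24/2000 8:15 AM
 mjones                                    3  Disc         1:05  4/24/2000 7:30 AM
 rbrown                rdp-tcp#4           4  Active    2+03:10  4/22/2000 6:00 AM
"""

if __name__ == "__main__":
    for cmd in plan_cleanup(parse_query_user(SAMPLE_QUERY_USER)):
        print(cmd)
```

Run inside a Terminal Services session as an Administrator, the printed commands are the ones you would then type at the command prompt; the script itself only reads output and never executes anything.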

Aside from using the command-line utilities, you can also use the GUI
Terminal Services Manager to manage Terminal Services sessions. You can
access Terminal Services Manager (which runs on the Terminal server)
either from a client after a Terminal Services session has been
established, or on the Terminal server itself. To access Terminal Services
Manager, select Start ➪ Programs ➪ Administrative Tools ➪ Terminal Services
Manager. The Terminal Services Manager dialog box is shown in Figure 20-7.

FIGURE 20-7 Terminal Services Manager

You can perform a number of actions by using Terminal Services
Manager, such as connecting to a Terminal Services session, disconnecting
from a session, logging off a user from a session, sending a message to a user,
and so on. Two of the most important tasks you can perform by using
Terminal Services Manager are monitoring and managing Terminal Services
usage, and using remote control.
1338 Part IV ▼ Networking and Interoperability

TIP
Some Terminal Services Manager actions, such as Remote Control and
Connect, work only when Terminal Services Manager is run from a
Terminal Services client session. When the Terminal Services Manager is
run on the Terminal server console, these features are disabled.

Monitoring Terminal Services Usage

Terminal Services Manager allows you to monitor and manage Terminal
Services usage. As Figure 20-7 shows, the left pane of the console displays
the domains in your network and the Terminal servers that are available in
those domains. Using the left pane, you can switch between Terminal
servers and manage each of them as necessary. The right pane displays the
contents of what is selected in the left pane. For example, if you select a
Terminal server in the left pane, the users connected to that Terminal
server are listed in the right pane. When examining users, the right pane
gives you information such as the user, the session type and ID, the amount
of idle time, and the logon time. This is all well and good, but what can you
actually do in this console? The following sections point out some of the
most important tasks you can perform and provide you with step-by-step
instructions for completing those tasks.
When you select the desired Terminal server in the left pane of the
Terminal Services Manager console, three tabs appear in the right pane:
Users, Sessions, and Processes.These tabs are illustrated in Figure 20-7.You
can expand the Terminal server in the left pane and select the sessions indi-
vidually, but simply selecting the Terminal server in the left pane and then
using the right pane is the easiest approach.The Users tab lists the users that
are currently connected to the Terminal server and those users that have
recently disconnected from the Terminal server.When you highlight a user
in the right pane, there are several actions you can perform in Terminal
Services Manager that affect that user:
■ Disconnect: This action disconnects the user's terminal from the session
without ending it. The session, and the applications running in it, stay
alive on the Terminal server, so nothing is lost at that moment and the user
can reconnect to the same session later. The user is not prompted before
being disconnected. A disconnected session still holds the user's logon and
server resources until it is reconnected to, reset, or logged off.
■ Send Message: This option allows you to send a message to
the user.

■ Reset: This action resets the Terminal Services client session and
closes any applications the user has open. Unsaved data is lost.
■ Status: This option displays input/output statistics for the user's
session. Figure 20-8 shows a Status dialog box. Notice the various
session statistics displayed in this dialog box.

FIGURE 20-8 Session Statistics

■ Log Off: This action logs the user off the Terminal server, ending the
session and closing its applications. Unsaved data is lost.
Many of these Terminal Services Manager actions are available on toolbar
buttons as well. In the next section, I'll show you how to perform actions in
Terminal Services Manager that affect users.

STEP BY STEP

MANAGING USERS
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Terminal Services Manager.
2. In the left pane, expand the domain that contains the Terminal server you want
to manage. Then highlight the desired Terminal server.
3. In the right pane, highlight the user you want to manage.
4. Select the Actions menu, and then select the action you wish to perform, such
as Disconnect, Send Message, Reset, Status, or Log Off.

Managing Sessions
The Sessions tab in the right pane of the Terminal Services Manager console
presents much the same information as the Users tab, but organized by the
session in progress. Figure 20-9 shows the Sessions tab.

FIGURE 20-9 The Sessions tab

The Sessions tab lists the sessions in progress, both by console and by
RDP-Tcp connection number.The Console session refers to the user that
is logged on interactively to the Terminal server. For each session the user
name is listed, as well as the state, type, client name, idle time, logon time,
and so forth. If you highlight a session, then click the Actions menu, you
can choose to disconnect the session, send a message, reset the session, or
view the session’s status.The basic difference between the Sessions tab and
the Users tab is the perspective or point of view — on the Sessions tab you
can view your Terminal Services usage by sessions, and on the Users tab
you can view Terminal Services usage by users.

Managing Processes
The Processes tab in the right pane of the Terminal Services Manager console
enables you to view the system processes in use by the connected users.The
Processes tab is shown in Figure 20-10.

FIGURE 20-10 The Processes tab

The Processes tab lists the user, session, session ID, PID, and image for
each process. The PID, or process ID, is the number that identifies each
running image; an image is an executable file that is being run. By examining
the Processes tab, you can determine which user is running which program. If
the user should not be running that program, or has been running it for too
long, you can end the process.

CAUTION
You should be aware, however, that ending a process in Terminal
Services Manager does not give the user any warning, and all of the
user’s unsaved data will be lost.

STEP BY STEP

ENDING A PROCESS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Terminal Services Manager.
2. In the left pane, expand the domain that contains the Terminal server you want to
manage. Then highlight the desired Terminal server.
3. In the right pane, click the Processes tab.
4. On the Processes tab, locate the user and the process you want to terminate.
Highlight the user’s name, then select Actions ➪ End Process.
5. A Terminal Services Manager warning message appears. Click OK.

TIP
You cannot end all processes for a user at one time. You must individually
select each process the user is running, then end them one at a time.
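The utilities in Table 20-1 are also the building blocks for scripted session cleanup, and they get around the one-process-at-a-time limit of the Processes tab: query user, query process, logoff, tsdiscon, msg, and tskill all take a session or process ID and a /server switch. The script below is an added example written for this discussion; it is not code from the book or from Windows 2000. It parses the fixed-width text that query user and query process print, works out which sessions are stale, and returns the exact commands to run. The sample output, the user names, and the server name TS1 are constructed for the example. Nothing is executed, so the script runs offline and you can review the list before typing it at a command prompt on the Terminal server (or feed it real output captured with subprocess.run(["query", "user", "/server:TS1"], capture_output=True, text=True).stdout).

```python
"""Stale-session cleanup for a Windows 2000 Terminal server (added example).

Parses the fixed-width text that `query user` and `query process` print,
decides which sessions are stale, and returns the logoff / tsdiscon / msg /
tskill commands to run. Nothing is executed here: the sample output below is
constructed for this example and the server name TS1 is an assumption.
"""
import re

# Constructed sample of `query user` output. The '>' marks the session the
# command was run from; a disconnected session has an empty SESSIONNAME.
SAMPLE_QUERY_USER = """\
 USERNAME              SESSIONNAME        ID  STATE  IDLE TIME  LOGON TIME
 administrator         console             0  Active      none  4/24/2000 9:49 AM
>jsmith                rdp-tcp#1           1  Active        12  4/24/2000 10:02 AM
 mjones                                    2  Disc        2:15  4/24/2000 8:30 AM
 pdavis                                    3  Disc     1+03:22  4/23/2000 6:05 PM
 rlee                  rdp-tcp#3           4  Active      3:05  4/24/2000 7:10 AM
"""

# Constructed sample of `query process` output for the same server.
SAMPLE_QUERY_PROCESS = """\
 USERNAME              SESSIONNAME        ID    PID  IMAGE
 administrator         console             0    456  explorer.exe
>jsmith                rdp-tcp#1           1    892  winword.exe
>jsmith                rdp-tcp#1           1   1040  outlook.exe
 rlee                  rdp-tcp#3           4    712  excel.exe
"""

# Header fields are separated by two or more spaces; "IDLE TIME" is one field.
_FIELD = re.compile(r"\S+(?: \S+)*")


def _cuts(lines):
    """Column boundaries: start at each header field's first character and
    move left until a column is blank in every line, so right-aligned values
    (ID, PID, IDLE TIME) that begin before their header still land in the
    right cell."""
    starts = [m.start() for m in _FIELD.finditer(lines[0])]
    cuts = [0]
    for s in starts[1:]:
        c = s
        while c > 0 and any(len(ln) > c and ln[c] != " " for ln in lines):
            c -= 1
        cuts.append(c)
    return cuts


def parse_query_output(text):
    """Turn `query user` / `query process` output into a list of dicts keyed
    by the header names (USERNAME, SESSIONNAME, ID, STATE, IDLE TIME, PID...).
    The leading '>' that marks the calling session becomes a CURRENT flag."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    names = [m.group() for m in _FIELD.finditer(lines[0])]
    cuts = _cuts(lines)
    rows = []
    for ln in lines[1:]:
        cells = [ln[a:b].strip() for a, b in zip(cuts, cuts[1:] + [len(ln)])]
        row = dict(zip(names, cells))
        row["CURRENT"] = ln.startswith(">")
        row["USERNAME"] = row["USERNAME"].lstrip(">")
        rows.append(row)
    return rows


def idle_minutes(value):
    """IDLE TIME as minutes: 'none' and '.' mean not idle, '45' is minutes,
    '2:15' is hours:minutes, '1+03:22' is days+hours:minutes."""
    if value in ("none", ".", ""):
        return 0
    days = 0
    if "+" in value:
        d, value = value.split("+", 1)
        days = int(d)
    if ":" in value:
        h, m = value.split(":")
        return days * 1440 + int(h) * 60 + int(m)
    return days * 1440 + int(value)


def stale_session_commands(query_user_text, server, disc_max_min=120, idle_max_min=180):
    """Commands to clean up stale sessions, in the order to run them.
    Sessions that have been disconnected longer than disc_max_min are logged
    off (ending them and releasing the logon). Active sessions idle longer
    than idle_max_min get a msg warning, then tsdiscon, which keeps the
    session so unsaved work survives. The console (ID 0) and the session
    running this script ('>') are never touched."""
    cmds = []
    for s in parse_query_output(query_user_text):
        sid = s["ID"]
        if sid == "0" or s["CURRENT"]:
            continue
        idle = idle_minutes(s["IDLE TIME"])
        if s["STATE"] == "Disc" and idle > disc_max_min:
            cmds.append(f"logoff {sid} /server:{server}")
        elif s["STATE"] == "Active" and idle > idle_max_min:
            cmds.append(f'msg {sid} /server:{server} /time:60 '
                        f'"Idle session: disconnecting in 1 minute."')
            cmds.append(f"tsdiscon {sid} /server:{server}")
    return cmds


def tskill_commands_for_user(query_process_text, username, server):
    """One tskill per process owned by the user (the GUI only ends one at a
    time). Like the GUI, tskill gives the user no chance to save."""
    return [f"tskill {p['PID']} /server:{server}"
            for p in parse_query_output(query_process_text)
            if p["USERNAME"].lower() == username.lower()]


if __name__ == "__main__":
    for cmd in stale_session_commands(SAMPLE_QUERY_USER, "TS1"):
        print(cmd)
    for cmd in tskill_commands_for_user(SAMPLE_QUERY_PROCESS, "jsmith", "TS1"):
        print(cmd)
```

Disconnected sessions are the ones to keep an eye on: each still holds a logon and a set of running processes on the server until it is logged off or reset, which is why the script logs those off after a long interval but only disconnects active-but-idle users, and warns them with msg first. The thresholds and the server name are parameters, so the same functions work unchanged on real query output.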

Using Remote Control

Remote control is a helpful feature of Terminal Services that enables you
to view or take over another user's session. With remote control, you can
work in that user's session just as if you were sitting at the user's terminal.
For example, let's say that users are learning how to run a new application you
have implemented. When a particular user is having a problem with the
application, you don't have to shut down the application or physically walk
to the user's desk. You can use remote control to find out what the user is
doing wrong and fix the problem right from your own workstation.

EXAM TIP
Make sure you’re ultra-clear on this point — you can only use remote control
from a Terminal Services client session. Remote control is disabled when
you run the Terminal Services Manager on the Terminal server console.

The Terminal Services remote control feature is tied to the user
account's remote control settings in Active Directory, and these settings
determine what you can do with remote control, or whether remote control is
even enabled. Before trying to use remote control, you'll need to check
the Properties of the user's account in Active Directory Users and
Computers. Each user account has a Remote control tab, as shown in
Figure 20-11. Notice the various configurable options on the Remote
control tab. The settings shown in Figure 20-11 are the default selections
for all newly created user accounts.

FIGURE 20-11 The Remote control tab

Before you can use Terminal Services remote control for a specific user
account, you'll need to enable remote control, configure whether the user's
permission is required for you to remotely control his or her session, and
configure your level of control over the user's session. You can choose to
simply view the user's session, or to interact with it. The interaction option
allows you to essentially take over the user's session. For example, if a user
is having problems saving a document in Microsoft Word, you could take
over the session and save the document for the user. If you select the check
box next to "Require user's permission," the user is sent a message asking
him or her to accept or deny your request when you attempt to remotely
control the session. If you clear it, an administrator can view or take over
the session without the user being asked, so leave it selected unless you
have a specific reason not to.
The following step-by-step instructions show you how to configure a
user's account for remote control.

STEP BY STEP

CONFIGURING A USER'S ACCOUNT FOR REMOTE CONTROL

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users
and Computers.
2. In the left pane, double-click the Users folder or the OU in which the user
account resides.
3. In the right pane, highlight the desired user account and select Action ➪ Properties.
4. In the user's Properties dialog box, click the Remote control tab.
5. Select the check box next to "Enable remote control" (and optionally, the "Require
user's permission" check box). Select either the "View the user's session" option
or the "Interact with the session" option. Click OK.
6. Close Active Directory Users and Computers.

Once your user accounts are configured for remote control, you can
then access the desired sessions and view or interact with the session. Using
remote control is straightforward, but there is one thing you should know
before you use it. When you connect to a user’s session by using remote
control, you will be presented with a Remote Control hot key dialog box.
This dialog box prompts you to select a desired hot key combination
which you can use to end your remote control session. Once you select a
hot key combination, you should be sure to memorize it because you’ll
need it to end your remote control session.

CAUTION
You can use the shadow command-line utility to establish a remote con-
trol session, but you will not be presented with the Remote Control hot
key dialog box. The default Remote Control hot key combination (Ctrl + *
on the numeric keypad) will be used, so be certain you know this hot key
combination before using the shadow command.

STEP BY STEP

ESTABLISHING A REMOTE CONTROL SESSION

1. From a Terminal Services client, log on to the Terminal server as Administrator
(or by using a user account that has administrative privileges).
2. In the Terminal Services Client window, select Start ➪ Programs ➪ Administrative
Tools ➪ Terminal Services Manager.
3. In the left pane, expand the domain that contains the Terminal server you want
to manage. Then highlight the desired Terminal server.
4. In the right pane, highlight the desired user account, then select Actions ➪ Remote
Control.
5. In the Remote Control dialog box, either accept the default hot key combination,
or select a desired hot key combination and click OK.
6. Terminal Services connects you to the user's session. The remote user may
need to agree to your remote control request before the remote control session
can be established.
7. To end the remote control session, use the hot key combination you selected in
Step 5.

Terminal Services Licensing Requirements

Ah, licensing. You can't get away from it, and Terminal Services is no
exception. In order to use Terminal Services for application sharing, you
must meet certain licensing requirements. You can deploy Terminal
Services in application server mode and permit client computers to connect
to the Terminal server for 90 days without any licenses. After that
time, licensing must be configured or clients will not be able to connect
to the Terminal server.
If you choose to run your Terminal server in remote administration
mode, which allows Administrators to connect to the Terminal server and
remotely administer it, then you do not need any licensing. A license for
two concurrent connections is built in.

EXAM TIP
Keep the licensing requirements in mind for the Server exam — using
Terminal Services in remote administration mode requires no license;
however, running Terminal Services in application server mode requires
licenses, but you have 90 days to implement the necessary licensing.

In order to configure and manage Terminal Services licensing, you must
install an application to assist you. The following two sections show you
how to install Terminal Services Licensing and how to manage licenses
with it.

Installing Terminal Services Licensing

Terminal Services Licensing is an application that is installed separately from
Terminal Services. Before installing Terminal Services Licensing, you'll need
to decide if the Terminal server on which you are installing the licensing
software will handle licensing for a single domain/workgroup, or whether it
will manage the licenses for an entire enterprise. There is not one correct
answer here. It mainly comes down to administration, and how you manage
licenses on your network, either on an enterprise or a domain level.
You install Terminal Services Licensing in the same manner as all other
server components in Windows 2000 — by using Add/Remove Programs
in Control Panel. The following steps show you how to install Terminal
Services Licensing.

STEP BY STEP

INSTALLING TERMINAL SERVICES LICENSING

1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove Windows Components.
4. In the Windows Components Wizard dialog box, scroll down the list of components
and select the check box next to Terminal Services Licensing. Click Next.
5. In the Terminal Services Setup screen, click Next.
6. The Terminal Services Licensing Setup screen appears, as shown in Figure 20-12.
Notice the two license server options in this dialog box: "Your entire enterprise," and
"Your domain or workgroup."
Select the appropriate licensing option, and click Next.

FIGURE 20-12 Configuring Terminal Services Licensing

7. Windows 2000 configures components. When prompted, insert your Windows
2000 Server compact disc and click OK. If the Microsoft Windows 2000 CD
dialog box appears, close it. Terminal Services Licensing is installed.
8. In the Completing the Windows Components Wizard screen, click Finish.
9. Close the Add/Remove Programs dialog box.
10. Close Control Panel.

Managing Licenses
Installing the Terminal Services Licensing application is simple. Unfortunately,
understanding Terminal Services licensing is a bit more complex. Terminal
Services licensing is on a per-seat basis, not on a per-user basis. In other words,
computers (not users) are licensed to access the Terminal server.
Let’s start with the Windows 2000 Server computer on which Terminal
Services is installed — that’s your Terminal server. For that computer, you’ll
need a Windows 2000 Server license. This license is included when you
buy Windows 2000 Server.
Next, you’ll need a Windows 2000 Server Client Access License for
each and every computer or Windows-based Terminal that will connect
to the Terminal server, because they’re connecting to a Windows 2000
Server computer.

In addition to these licenses, you'll need one of the following Terminal
Services–specific client access licenses for each client computer or terminal
that will connect to the Terminal server:
■ Windows 2000 Professional License: This license, which is
included when you purchase Windows 2000 Professional, permits
you to not only install and run Windows 2000 Professional, but also
gives you the right to access Terminal Services on a Windows 2000
Server computer.
■ Windows 2000 Terminal Services Client Access License
(TSCAL): This license provides a client computer or terminal
the right to access Terminal Services on a Windows 2000 Server
computer.
If all this wasn’t bad enough, there are even more licenses that you should
consider purchasing.
Instead of the Terminal Services–specific client access licenses described
in the previous section, you can purchase the Windows 2000 Terminal
Services Internet Connector License.This license allows a maximum of 200
concurrent users to connect anonymously to a Terminal server over the
Internet. This license is suitable for companies that want to demonstrate
Windows-based software over the Internet without having to rewrite this
software as Web-based applications. This type of license isn’t suitable for
most companies, however, because none of the users who access the
Terminal server with this license can be employees of the company.
Finally, if your company wants to enable users who work at home to
connect to the Terminal server, an additional license — the Work at Home
Terminal Services Client Access License — is required.
As you have probably gathered by now,Terminal Services licensing can
get tricky and is easily confusing. The Terminal Services Licensing tool is
designed to make this process somewhat easier, but you’ll have to be the
judge of whether that is true or not. Before taking a look at the Terminal
Services Licensing application, let’s consider how licensing works.
Unfortunately, you can’t simply enter how many licenses you have
purchased in Terminal Services Licensing. Instead, the licensing process
goes through the Microsoft Clearinghouse, which is a database that
Microsoft maintains to activate license servers and install client license
packs. It’s a new approach for Microsoft, and one you can expect to see
more of if it works well.

The process goes like this.The Administrator logs on to the computer that
is running Terminal Services Licensing — this is the computer that will
become the license server. Then, the Administrator starts Terminal Services
Licensing and uses this program to contact the Microsoft Clearinghouse,
typically over the Internet. Microsoft Clearinghouse activates the license
server, and provides the server with a digital certificate to validate it. Once
this is established, the licensing server can then make transactions with the
Microsoft Clearinghouse for additional client licenses. In addition to using
the Internet, the Microsoft Clearinghouse can be contacted by fax and tele-
phone, although the Internet is the preferred and fastest approach.
The following steps explain how to start Terminal Services Licensing
and how to activate the license server.

STEP BY STEP

ACTIVATING THE LICENSE SERVER

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Terminal Services Licensing.
2. The Terminal Services Licensing dialog box appears, as shown in Figure 20-13.
Notice that the Terminal server displayed is not activated.

FIGURE 20-13 Terminal Services Licensing

In the right pane of the Terminal Services Licensing dialog box, highlight the
server you want to activate, and select Action ➪ Activate Server.
3. The Licensing Wizard starts. Click Next.
4. In the "Connection method" screen, select the method you want to use to connect
to the Microsoft Clearinghouse from the drop-down list box. Options you can select
from include the Internet, World Wide Web, Fax, or Telephone.
5. The remaining steps vary considerably depending on the connection method
you chose in Step 4. Follow the instructions presented onscreen to complete
the activation of your license server and to purchase client licenses.

Once you have activated the license server and purchased client
licenses, your next task is to examine the licenses for the software you are
making available to Terminal Services clients. In general, the software
licensing that applies to the product in a single-session environment also
applies in a Terminal Services environment. For example, Microsoft Office
97 requires a per-seat license. To meet the licensing requirements in a
multi-user environment, each user that will use Microsoft Office in a
Terminal Services session must have an Office license. Once you meet
these requirements, you're ready to go.

Troubleshooting Terminal Services

For the most part, Terminal Services is easy to use once it is set up and
configured. You are not likely to see a lot of problems, and most of the problems
you will see are easily remedied. Here are a few of the most common
Terminal Services problems and the troubleshooting actions you should take
to resolve these problems:
■ A connection will not automatically log on to the
Terminal server: If a connection is configured for automatic logon
but does not log on automatically, the most likely cause is that the
user name and password stored with the connection by Windows 2000
are encrypted in a form that the Windows NT 4.0 version of the
Terminal Services Client does not recognize. You can fix this problem
by right-clicking the connection in the Windows NT 4.0 version of
Client Connection Manager, clicking the General tab, selecting the
Automatic logon box, and entering the user name and password again.

■ An installed application program does not work: If you
are using Terminal Services in application server mode and an
application does not work, then the application was probably
installed prior to the installation of Terminal Services on this
Windows 2000 Server computer. Uninstall the application and
reinstall it using Add/Remove Programs in Control Panel.
■ A Windows for Workgroups client cannot log on, but
receives an error message: Windows for Workgroups, which is
a 16-bit client, must be configured to save the domain password list
by selecting the provided check box. Because of domain security,
the domain controller will not be able to find the password if this
check box is not selected.
■ A Terminal server in application server mode has
stopped allowing clients to log on: The most likely problem
here is licensing. You have 90 free days before you must comply
with Terminal Services licensing requirements. If licensing is not
configured after 90 days, the Terminal server will not permit
clients to access it.
■ When attempting to remotely control a Terminal
Services client session, an error message is received:
There are three possible causes of this problem. First, in order to
use remote control, you must be logged on to the Terminal server
from a client session; when the Terminal Services Manager is
run on the Terminal server console, remote control is disabled.
Second, you must be logged on as Administrator or as a user
with administrative privileges. Finally, the user's account must
be configured to allow remote control.

KEY POINT SUMMARY

This chapter introduced several important Terminal Services topics:

■ Terminal Services can be installed in either application server mode or remote
administration mode.
■ You can install Terminal Services and Terminal Services Licensing by using the
Add/Remove Programs application in Control Panel.

■ Applications used with Terminal Services can be optimized by using application
compatibility scripts and by manually removing components that are CPU and
memory intensive.
■ Terminal Services Client software is available on the Terminal server after
installation. Use the Terminal Services Client Creator tool to create client
setup/installation floppy disks. You can also create a network share so that
clients can install the Terminal Services Client software over the network.
■ You can connect to a Terminal server by using the Terminal Services Client
or by creating shortcuts to connections in Client Connection Manager.
■ Terminal Services client sessions can be managed by using the Terminal
Services Manager interface or via the command-line utilities.
■ Remote control allows you to either view a client’s session or interactively work
with the session as though you are the user. Remote control is only available
when Terminal Services Manager is run from a Terminal Services client session.
■ When Terminal Services is deployed in remote administration mode, no additional
licenses are required. Two concurrent connection licenses are provided with the
Windows 2000 Server product.
■ When Terminal Services is used in application server mode, you have 90
free days before licenses must be purchased and configured. The Terminal
server must be licensed and client computers must be licensed to access
the Terminal server.

STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about Terminal Services, and to help you prepare for the
Server exam:
■ Assessment Questions: These questions test your knowledge of
the Terminal Services topics covered in this chapter.You’ll find the
answers to these questions at the end of this chapter.
■ Scenarios: The situation-based questions in scenarios challenge you
to apply your understanding of the material to solve a hypothetical
problem. In this chapter’s scenarios, you are asked to analyze Terminal
Services problems, and provide answers to the questions.You don’t
need to be at a computer to do scenarios.Answers to this chapter’s
scenarios are presented at the end of this chapter.
■ Lab Exercise: These exercises are hands-on practice activities
that you perform on a computer.The lab in this chapter gives
you an opportunity to practice installing, configuring, and using
Terminal Services.

Assessment Questions
1. An administrator wants to use both remote administration mode and
application server mode on a Terminal server, but cannot seem to get
the configuration to work.What is the problem?
A. The server does not have the necessary system resources to provide
both modes.
B. The server is not in licensing compliance.
C. Terminal Services does not support using both modes on the
same server.
D. The administrator does not have DNS configured correctly.
2. You want to remotely control a Terminal Services client session
to assist a user.You are logged in as Administrator from a Terminal
Services client, but you receive an error message when you try to
use remote control.What is the most likely cause of the problem?

A. The user does not have administrative privileges.
B. The user's account is not configured to allow remote control.
C. The server is not configured for Application Server Mode.
D. There is a TCP/IP connectivity problem.
3. You install Microsoft Office on a Terminal server deployed in applica-
tion server mode by using Add/Remove Programs in Control Panel.
What should you do next before Terminal Services clients begin using
this application?
A. Install the multisession feature.
B. Boot Terminal Services in Application Testing Mode.
C. Run the application compatibility script for that Office version.
D. Run Tstest.exe
4. When installing Terminal Services, you want to make certain that the
most secure features are used.Which option should you select?
A. Permissions compatible with Windows 2000 users
B. Permissions compatible with Terminal Server 4.0 users
C. Permissions compatible with Windows NT users
D. Permissions compatible with Windows 98 users
5. You’re having problems with a Terminal server in application server
mode.The server will no longer allow clients to connect, even though
it has been working fine during the past few months.What is the most
likely cause of the problem?
A. The server is experiencing system resource problems.
B. The server’s free licensing period has expired.
C. The server is not running TCP/IP.
D. There is a problem with RDP.
6. What is the default location of the Terminal Services application
compatibility scripts?
A. SystemRoot\Application Compatibility Scripts\Execute
B. SystemRoot\Application Compatibility Scripts\Clients
C. SystemRoot\Application Compatibility Scripts\Windows

D. SystemRoot\Application Compatibility Scripts\Install
7. You would like to use the command line to end an application that a
Terminal Services client is running.What command can you use?
A. Tscon
B. Tsprof
C. Tsend
D. Tskill
8. When using remote control, how do you end the remote control session
without ending your Terminal Services session as well?
A. Use the hot key combination you selected.
B. Use the Shut Down command.
C. Use the Kill Session command.
D. Just close the Terminal Services window.

Scenarios
The following scenarios provide you with an opportunity to apply the
knowledge you’ve gained in this chapter about Terminal Services. For each
of the following situations, consider the given facts and answer the question
or questions that follow.
1. After installing Terminal Services in application server mode, an
administrator realizes that the applications he wants to make
available do not work.
a. What is the cause of this problem?
b. How would you resolve the problem?
2. An administrator is logged onto the Terminal Services console.
The administrator wants to remotely control a user’s session,
and he verifies that remote control is enabled on the user’s
account. However, the Remote Control option is not available
in the Terminal Services Manager console.
a. What is the cause of this problem?
b. How would you resolve the problem?

Lab Exercise
Lab 20-1 Installing, Configuring, and Using Terminal Services
(Server exam material)

The purpose of this lab is to provide you with an opportunity to practice
the Terminal Services tasks you've learned in this chapter.
There are four parts to this lab:
■ Part 1: Installing and Configuring Terminal Services
■ Part 2: Installing an Application for Use with Terminal Services
■ Part 3: Installing Terminal Services Client Software
■ Part 4: Establishing a Terminal Services Session and Remotely
Administering the Terminal Server
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Installing and Configuring Terminal Services

In this part, you install Terminal Services on your Windows 2000 Server
computer and configure Terminal Services for application sharing.
1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove
Windows Components.
4. In the Windows Components Wizard dialog box, scroll down until
Terminal Services is displayed. Select the check box next to Terminal
Services. Click Next.
5. The Terminal Services Setup screen appears. Select the “Application
server mode” option. Click Next.
6. On the next Terminal Services Setup screen accept the default
permissions selection and click Next.
7. The next Terminal Services Setup screen displays a list of applications that may not work correctly after Terminal Services is installed. These applications might have to be removed and reinstalled. Click Next.
8. Windows 2000 installs Terminal Services. If you have not previously
placed your Windows 2000 compact disc into your CD-ROM drive,
insert it and click OK when prompted. If the Microsoft Windows 2000
CD dialog box appears, close it. In the Completing the Windows
Components Wizard screen, click Finish.
9. In the System Settings Change dialog box, click Yes to restart your
computer and complete the installation of Terminal Services.

Part 2: Installing an Application for Use with Terminal Services

In this part, you install Adobe Acrobat Reader for use from Terminal Services client sessions.
1. After you have installed Terminal Services in application server
mode, insert the compact disc that accompanies this book into
your CD-ROM drive. If the Microsoft Windows 2000 CD
dialog box appears, close it.
2. If the Control Panel dialog box is not displayed, select
Start ➪ Settings ➪ Control Panel.
3. Double-click Add/Remove Programs.
4. In the Add/Remove Programs dialog box, click Add New Programs,
then click the CD or Floppy command button.
5. In the Install Program From Floppy Disk or CD-ROM dialog box,
click Next.
6. In the Run Installation Program dialog box, click Browse.
7. In the Browse dialog box, select your computer’s CD-ROM drive
from the “Look in” drop-down list box.
8. Double-click the Adobe Acrobat folder. Then select Programs from the “Files of type” drop-down list box at the bottom of the Browse dialog box.
9. Double-click ar405eng.exe, and follow the instructions presented on-screen to complete the installation of Adobe Acrobat Reader. When you’re finished installing the application, close the Add/Remove Programs dialog box.
Part 3: Installing Terminal Services Client Software

In this part, you install Terminal Services Client software on your Windows 2000 Server computer.
1. If the Control Panel dialog box is not displayed, select Start ➪
Settings ➪ Control Panel.
2. In Control Panel, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add New Programs,
then click the CD or Floppy command button.
4. In the Install Program From Floppy Disk or CD-ROM dialog box,
click Next.
5. In the Run Installation Program dialog box, click Browse.
6. In the Browse dialog box, select Local Disk (C:) from the “Look in” drop-down list box. Then double-click the WINNT folder, double-click the system32 folder, double-click the clients folder, double-click the tsclient folder, double-click the net folder, double-click the win32 folder, and finally, double-click setup.
7. In the Run Installation Program dialog box, click Next.
8. On the Terminal Services Client Setup welcome screen, click Continue.
9. Enter your name and organization in the dialog box provided and
click OK.
10. A confirmation dialog box appears. Click OK.
11. The License Agreement dialog box appears. Read the agreement
and click the I Agree button.
12. In the Terminal Services Client Setup dialog box, click the large
installer button.
13. Click Yes to assign the same initial settings to all users of Terminal
Services on this computer.
14. Terminal Services Client Setup completes. Click OK.
15. In the After Installation dialog box, click Next.
16. In the Finish Admin Install dialog box, click Finish.
17. Close the Add/Remove Programs dialog box.
18. Close Control Panel.
Part 4: Establishing a Terminal Services Session and Remotely Administering the Terminal Server

In this part, you establish a Terminal Services client session, and then use Terminal Services Manager to remotely manage the server from within the Terminal Services client session.
1. Select Start ➪ Programs ➪ Terminal Services Client ➪ Terminal
Services Client.
2. In the Terminal Services Client dialog box, highlight SERVER01,
then click Connect.
3. In the Log On to Windows dialog box, enter a user name of
Administrator and a password of password. Click OK.
4. In the SERVER01 - Terminal Services Client dialog box, scroll down
until the Start button for the Terminal Services Client dialog box
appears. In the Terminal Services Client window taskbar (not in your
regular Windows taskbar) Select Start ➪ Programs ➪ Administrative
Tools ➪ Terminal Services Manager.
5. In the left pane of the SERVER01 - Terminal Services Manager
dialog box, highlight SERVER01.
6. In the right pane, highlight Administrator. Select Actions ➪ Send
Message.
7. The Send Message dialog box appears. In the Message text box, type
Alan says hello! Click OK. Close the SERVER01 - Terminal
Services Manager dialog box.
8. In the “Message from administrator” dialog box, notice the message
you’ve received. Click OK.
9. Close the Terminal Services Manager dialog box.
10. In the Terminal Services Client dialog box, right-click My Computer,
and select Manage from the menu that appears.
11. Computer Management starts. This is Computer Management for the Terminal server, not Computer Management for the local computer. At this point you could use Computer Management to remotely administer the Terminal server. Close Computer Management.
12. Close the Terminal Services Client dialog box.
13. In the “Disconnect Windows session” dialog box, click OK.
Answers to Chapter Questions

Chapter Pre-Test
1. The Terminal Services remote administration mode allows you to
remotely manage a Windows 2000 Server computer if Terminal
Services is installed on that computer.
2. To install Terminal Services, you use Add/Remove Programs in
Control Panel. In the Add/Remove Programs dialog box, use the
Add/Remove Windows Components feature.
3. Terminal Services uses Win16-on-Win32 (WOW) to translate the
16-bit code.
4. Existing applications must be uninstalled, then reinstalled by using
Add/Remove Programs in Control Panel.
5. Application compatibility scripts are scripts used to optimize
applications for use with Terminal Services.
6. Terminal Services Client software can be installed via a network share
or by using a Terminal Services client setup/installation floppy disk set.
7. You can end a Terminal Services client session by using Terminal Services Manager or by using a command-line utility.
8. The command-line utility for remote control is shadow.exe.
9. No additional licensing is required for running Terminal Services in
remote administration mode. Licenses for two concurrent connections
are provided.
10. You have 90 days to use Terminal Services in application server mode
before licensing is required.

Assessment Questions
1. C. You cannot use remote administration mode and application server
mode on the same Terminal server at the same time.
2. B. While it is true that there could be a TCP/IP connectivity problem, the most likely cause of this problem is the user’s account properties. You must enable remote control for the client by accessing the user account’s Properties dialog box and selecting the “Enable remote control” check box on the Remote control tab.
3. C. After installing the application, run the application compatibility script for that application to optimize its performance with Terminal Services.
4. A. When installing Terminal Services, you can choose to use permissions compatible with Windows 2000 users only or to use permissions compatible with Terminal Server 4.0 users. The most secure option is Windows 2000 users, although some legacy applications will not run under this setting.
5. B. When you install Terminal Services in application server mode,
you have 90 days to purchase licenses before the Terminal server will
stop allowing clients to connect.
6. D. The default location for Terminal Services application compatibility scripts is SystemRoot\Application Compatibility Scripts\Install.
7. D. Tskill ends a process. Since you want to stop an application, this
is the command you would use.
8. A. Using the hot key combination you selected ends the remote
control session.

Scenarios
1. In Terminal Services application server mode, applications must be installed after Terminal Services is installed on the Windows 2000 Server computer. To solve this problem, uninstall the applications, then reinstall them by using Add/Remove Programs in Control Panel. You must use Add/Remove Programs in Control Panel and not the application’s setup program.
2. In order to use remote control, you must be logged on to the Terminal server from a Terminal Services client session, and you must be logged on either as Administrator or as a user with administrative privileges. You cannot remotely control a client when you are logged onto the Terminal server console. To solve the problem, log on to the Terminal server as Administrator by using a Terminal Services client session — then remote control will be available.
Professional, Server, and Networking exam material

EXAM OBJECTIVES

Professional Exam 70-210
■ Optimize and troubleshoot performance of the Windows 2000
Professional desktop.
■ Optimize and troubleshoot memory performance.
■ Optimize and troubleshoot processor utilization.
■ Optimize and troubleshoot disk performance.
■ Optimize and troubleshoot network performance.
■ Optimize and troubleshoot application performance.

Server Exam 70-215
■ Monitor and optimize usage of system resources.
■ Manage processes.
■ Set priorities and start and stop processes.
■ Optimize disk performance.
■ Monitor, configure, troubleshoot, and control access to files,
folders, and shared folders.
■ Monitor, configure, troubleshoot, and control access to files
and folders in a shared folder.

Networking Exam 70-217
■ Manage and monitor network traffic.
CHAPTER 21

Monitoring, Optimizing, and Troubleshooting Performance

In a perfect world, we could simply configure our computers, walk away, and they would perform optimally all of the time. Unfortunately, this scenario is simply not reality. Windows 2000, as with any advanced operating system, requires monitoring, optimizing, and occasional troubleshooting in order to keep it working in peak condition. In this chapter, I’ll examine the Windows 2000 processes and tools available to help you monitor and optimize it for its complex operations. Specifically, I’ll explain how to use System Monitor, Network Monitor, and Task Manager, how to monitor shared network folders, and how to optimize system components and troubleshoot performance problems.

1366 Part V ▼ Monitoring, Optimizing, and Troubleshooting

Chapter Pre-Test
1. Which Windows 2000 tool replaces Windows NT 4.0’s
Performance Monitor?
2. System Monitor functions by using objects, instances, and
__________.
3. Which System Monitor object would you use to examine the
performance of your computer’s hard disk?
4. What does Network Monitor capture?
5. You want to stop a process on your Windows 2000 Server
computer. Which tool can you use to accomplish this?
6. Which Windows 2000 tool can be used to easily monitor shared
network folders?
7. In most cases, what is the best solution to resolve poor memory
performance on a Windows 2000 computer?
8. If your Windows 2000 computer’s hard disk performance
decreases over time, what is the most likely cause of the
problem?
Chapter 21 ▼ Monitoring, Optimizing, and Troubleshooting Performance 1367

Monitoring Performance
As with any computer, your Windows 2000 computer’s performance is based on many factors. Many people are under the mistaken impression that a fast CPU and plenty of memory will solve any performance problems they could possibly ever have. While it is true that your hardware drives much of your system’s performance, a smart network administrator realizes that it is not only hardware and software that drive performance, but also how your computer uses that hardware and software.
In a nutshell, you monitor a computer’s performance to determine how that computer is using its available resources. By monitoring performance, you can gain a clear picture of which components in your computer are performing optimally, and which components in your computer may have some trouble spots. By monitoring performance, you can learn what works well in your computer, and what doesn’t work well in your computer. Then you can plan an appropriate course of action to correct any system problems that are degrading the performance of the Windows 2000 computer or your Windows 2000 network.
Unfortunately, performance tends to be a category of network administration that is ignored until there is a problem — this is a reactive approach. A better approach is a proactive one. Try to get in the habit of periodically monitoring different components in your computers to make sure that all hardware and software are working at their peak. This approach ensures the fastest performance, optimal server availability, and a way for you to solve computer and network problems proactively — before they ever begin.
Fortunately, the tools you may have used in Windows NT 4.0, such as Performance Monitor, Network Monitor, and Task Manager, return in Windows 2000 without too many changes. In the remainder of this chapter, I’ll explain how to use these tools to solve performance problems on your Windows 2000 computers and on your Windows 2000 network.

Using System Monitor

System Monitor is a Windows 2000 tool that is used to monitor and chart the performance of system components in a Windows 2000 computer. System Monitor replaces Windows NT 4.0’s Performance Monitor. In reality, System Monitor isn’t much different than Performance Monitor. However, it is organized differently, and like most of the tools in Windows 2000, System Monitor functions as an MMC snap-in.

You can use System Monitor to:
■ Identify performance problems and bottlenecks
■ Determine current usage of system resources
■ Track performance trends over time
■ Predict future usage of system resources (capacity planning)
■ Determine how system configuration changes affect system
performance
System Monitor is installed, by default, on both Windows 2000 Professional and Windows 2000 Server computers. To access System Monitor, select Start ➪ Programs ➪ Administrative Tools ➪ Performance. Alternatively, select Start ➪ Run, type Perfmon, and click OK. The Performance console, which hosts the System Monitor tool, is shown in Figure 21-1.

FIGURE 21-1 System Monitor user interface

In the following sections I’ll show you how to configure and use
System Monitor to examine the performance of your computer’s system
components.
System Monitor Objects, Instances, and Counters

System Monitor works by using objects, instances, and counters to gather performance data about the components in your Windows 2000 computer. You need to have a firm understanding of these three terms:
■ Object: A system component, such as processor, memory, physical disk, and so on, is considered a System Monitor object.
■ Instance: If a computer has more than one of a particular object, such as multiple processors or multiple physical disks, there is more than one instance of that object. Some objects, such as memory, do not have instances because there can’t be more than one of that particular object.
■ Counter: Each instance of an object can be measured in different ways. Each possible measurement of an instance is called a counter. Objects often have many different counters available. For example, when monitoring your physical disk, you can select from an assortment of counters. One measures disk reads, another measures disk writes, another measures disk time, and so on. Counters allow you to measure the performance of various aspects of objects.

TIP
Many BackOffice products, such as Systems Management Server, Proxy
Server, Exchange, SQL Server, and so on, add their own counters to
System Monitor when they are installed. You can then use System
Monitor to examine the performance of these products.

So, you have a lot of objects and even more counters to choose from.
Which are the most helpful? And how do you know when you should use
a particular object or counter? Table 21-1 lists the most common counters
used to monitor the performance of memory, physical disk, network,
processor, and application performance.

EXAM TIP
The exams are likely to have questions on using some of the System
Monitor objects and counters described in Table 21-1. Study this table
carefully before you take the exams!
TABLE 21-1 Commonly Used System Monitor Objects and Counters

Object: Memory; Counter: Pages/sec
This counter measures how often data is written to and read from the paging file. I use this counter to obtain an overall view of how memory is utilized by Windows 2000. A consistently high number (greater than 5 to 6) indicates that the current amount of RAM may be insufficient for the computer.

Object: Network Interface; Counter: Bytes Total/sec
This counter measures the total number of bytes sent to and received from the selected network adapter. On computers with a single network adapter, this counter is useful for measuring the total network utilization of this computer.

Object: Paging File; Counter: % Usage
This counter measures the percentage of paging file utilization. A consistently high percentage for this counter (approaching 100%) may indicate that you should add RAM to the computer or enlarge the paging file. Enlarging the paging file will not speed up the computer — only adding RAM will do that.

Object: PhysicalDisk; Counter: Avg. Disk Queue Length
This counter measures the average number of disk reads and writes waiting to be performed. A consistently high number (greater than 4 to 5) may indicate that a faster hard disk or hard disk controller, or a different disk configuration (such as a striped volume or RAID-5 volume) may be required for adequate system performance.

Object: PhysicalDisk; Counter: % Disk Time
This counter measures the percentage of time the disk performs reads and writes. A consistently high number (a number approaching 100 percent) may indicate that a faster hard disk or hard disk controller, or a different disk configuration (such as a striped volume or RAID-5 volume) may be required for adequate system performance.

Object: Process; Counter: % Processor Time
This counter measures the percentage of time that the processor in the computer is actively used by one or more threads associated with the selected program or process. This counter is useful for determining which applications or services in a computer are consuming the most processor time.

Object: Processor; Counter: % Processor Time
This counter measures the percentage of time that the processor is actively used by processes other than the Idle process. (The Idle process is the time the processor spends waiting to be assigned tasks.) A consistently high number (a number approaching 100 percent) may indicate that a faster processor (or an additional processor) may be required for adequate system performance.

Object: Server; Counter: Bytes Total/sec
This counter measures the total amount of network utilization of a Windows 2000 computer. Specifically, it measures the total number of bytes sent to and received from all network adapters in the Windows 2000 computer by the Server service. This measurement can be used to compare utilization of two similar servers for load balancing purposes. It can also be used in conjunction with other measurements to determine network segment utilization.

Object: Thread; Counter: % Processor Time
This counter measures the percentage of time that the processor in the computer is actively used by the selected thread. This counter is useful for determining which thread within an application or service is consuming the most processor time.

Using System Monitor to Gather and View Performance Data

Now that you have a basic understanding of the System Monitor objects and their counters, you’re ready to use the System Monitor tool. In this section, you’ll learn how to start System Monitor and how to use this tool to gather performance data about a Windows 2000 computer and view this data in a chart.
When System Monitor data is displayed in a chart, the chart presents performance activity in a graphical format. You can use a System Monitor chart to view current performance activity, or to view archived performance activity from a log file. When viewing current performance activity, a System Monitor chart provides you with real-time data as it occurs on your computer.

STEP BY STEP

USING SYSTEM MONITOR TO GATHER AND VIEW DATA IN A CHART

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Performance.
2. In the right pane, click the Add button on the toolbar (this button appears as a + sign).
3. The Add Counters dialog box appears, shown in Figure 21-2.

FIGURE 21-2 Selecting objects, counters, and instances

At the top of the dialog box, select from one of the two options:
■ Use local computer counters: Select this option if you want to view performance data from the computer on which you are running System Monitor.
■ Select counters from computer: Select this option if you want to view performance data from this computer, or from other computers on the network. If you select this option (which is selected by default), you must also select or type in a computer name (in the format \\computer_name) in the drop-down list box.
Next, select the object you want to monitor from the “Performance object” drop-down list box.
Then, select from the following two options:
■ All counters: Select this option if you want to measure and view all counters associated with the object you selected.
■ Select counters from list: Select this option if you want to measure and view only specific counters associated with the object you selected. If you select this option, also select the counters you want to use from the list box.
Finally, select from the following two options:
■ All instances: Select this option if you want to measure and view all instances of the selected counter(s).
■ Select instances from list: Select this option if you want to measure and view only specific instances of the counters you selected. If you select this option, also select the instance(s) you want to monitor.

TIP
When you’re configuring this dialog box, click the Explain button at any
time to view a detailed description of the highlighted object and counter
combination. The description is displayed in the Explain Text dialog box
that appears directly below the Add Counters dialog box.

When you finish selecting options for this object, click Add. Repeat this step to
add additional objects and counters as necessary. When you finish selecting
objects and counters, click Close.
4. System Monitor displays measurements of the objects and counters you selected in a chart in the right pane.

To maximize the size of the chart on your screen, select View ➪ Customize. Then clear the check box next to “Console tree” and click OK. Figure 21-3 shows a Performance Monitor chart with several objects and counters selected. Notice the Last, Average, Minimum, Maximum, and Duration boxes directly below the chart.
When you highlight any counter in the lower section of the dialog box, that counter’s statistics are displayed in the Last, Average, Minimum, Maximum, and Duration boxes. Table 21-2 explains the statistics displayed in each of these boxes.
FIGURE 21-3 Viewing a System Monitor chart

TABLE 21-2 Statistics Displayed in a System Monitor Chart

Last: This is the most recent measurement of the counter.
Average: This is an average of the counter’s measurement over the period of time represented by the chart.
Minimum: This is the lowest measurement of the counter during the period of time represented by the chart.
Maximum: This is the highest measurement of the counter during the period of time represented by the chart.
Duration: This is the number of minutes and seconds represented by the entire chart. This is the total amount of time it takes System Monitor to graph from one side of the chart to the other.
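The counters in Table 21-1 and the statistics in Table 21-2 can also be collected from a command line. The following PowerShell script is an added example, not code from the book; it assumes PowerShell 3 or later on a Windows host with the Get-Counter cmdlet, an elevated session, and uses my own cut-off of 90 for the counters the chapter describes as “approaching 100 percent”.

```powershell
# Added example, not the book's own code. Samples the Table 21-1 counters
# with Get-Counter, works out the Last / Average / Minimum / Maximum /
# Duration figures a System Monitor chart shows (Table 21-2), and flags any
# counter whose average sits above the rule-of-thumb level the chapter gives.
# Assumptions: PowerShell 3 or later on a Windows host, run elevated; the
# cut-off of 90 for "approaching 100 percent" is my choice, not the book's.
function Get-CounterReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # or a remote computer, as in Add Counters
        [int]$Samples  = 10,                        # number of readings to take
        [int]$Interval = 2                          # seconds between readings
    )

    # Object\counter paths from Table 21-1 with the thresholds the text cites.
    # A $null threshold means the book gives no "high" figure for that counter.
    $watch = @(
        @{ Path = '\Memory\Pages/sec';                            Threshold = 6;     Advice = 'RAM may be insufficient' }
        @{ Path = '\Paging File(_Total)\% Usage';                 Threshold = 90;    Advice = 'add RAM (a bigger paging file will not speed the computer up)' }
        @{ Path = '\PhysicalDisk(_Total)\Avg. Disk Queue Length'; Threshold = 5;     Advice = 'faster disk or controller, or a striped / RAID-5 volume' }
        @{ Path = '\PhysicalDisk(_Total)\% Disk Time';            Threshold = 90;    Advice = 'faster disk or controller, or a striped / RAID-5 volume' }
        @{ Path = '\Processor(_Total)\% Processor Time';          Threshold = 90;    Advice = 'faster or additional processor' }
        @{ Path = '\Network Interface(*)\Bytes Total/sec';        Threshold = $null; Advice = 'total utilization of this adapter (no fixed limit given)' }
    )

    $paths = $watch | ForEach-Object { $_.Path }
    $sets  = Get-Counter -ComputerName $ComputerName -Counter $paths `
                         -SampleInterval $Interval -MaxSamples $Samples

    # One row per (counter instance, reading); Get-Counter expands the
    # Network Interface wildcard into one instance per adapter.
    $rows = foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            [pscustomobject]@{ Path = $s.Path; Value = $s.CookedValue; Time = $s.Timestamp }
        }
    }

    # One statistics line per counter instance, like highlighting a counter
    # in the lower section of the System Monitor chart.
    foreach ($group in ($rows | Group-Object -Property Path)) {
        $readings = @($group.Group | ForEach-Object { $_.Value })
        $stats    = $readings | Measure-Object -Average -Minimum -Maximum
        $first    = $group.Group | Select-Object -First 1
        $last     = $group.Group | Select-Object -Last 1
        $span     = $last.Time - $first.Time

        # Returned paths come back lower-case and \\host-prefixed, so match
        # them to the Table 21-1 rule by the counter name after the last '\'.
        $name = $group.Name.Split('\')[-1]
        $rule = $watch | Where-Object { $_.Path.Split('\')[-1] -eq $name } | Select-Object -First 1

        $high   = ($null -ne $rule.Threshold) -and ($stats.Average -gt $rule.Threshold)
        $status = if ($high) { 'HIGH' } else { 'ok' }
        $advice = if ($high) { $rule.Advice } else { '' }

        [pscustomobject]@{
            Counter  = $group.Name
            Last     = [math]::Round($readings[-1], 2)
            Average  = [math]::Round($stats.Average, 2)
            Minimum  = [math]::Round($stats.Minimum, 2)
            Maximum  = [math]::Round($stats.Maximum, 2)
            Duration = '{0:mm\:ss}' -f $span          # minutes:seconds, as in Table 21-2
            Status   = $status
            Advice   = $advice
        }
    }
}

# Ten readings two seconds apart from the local computer, shown as a table.
Get-CounterReport | Format-Table -AutoSize
```

A single run only shows a snapshot; the chapter's thresholds are about values that stay high, so compare several reports taken over the day before acting on them.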

If you have difficulty determining which line on the chart represents the
highlighted counter, you can press Ctrl + H to highlight that counter’s line.
Press Ctrl + H again to stop highlighting the counter’s line on the chart.
In addition to viewing the data collected by System Monitor in a chart, you can also view this data in a report. To view data in a report, click the View Report button in the toolbar (this button appears as a writing tablet with lines on it, and is located to the left of the Add button).
TIP
To find out what each of the buttons in the toolbar can do, place your cursor over that button, and an identification box is displayed.

Figure 21-4 shows a System Monitor report.

FIGURE 21-4 Viewing a System Monitor report

Finally, you can use System Monitor to view historical log file data as opposed to viewing a computer’s current performance activity. You can create log files that can be viewed in System Monitor by using Performance Logs and Alerts, which is also a snap-in to the Performance MMC.

Using Network Monitor

Network Monitor is a Windows 2000 Server administrative tool that makes it possible for you to capture, view, and analyze network traffic (packets). Network Monitor doesn’t ship with Windows 2000 Professional.
Network Monitor can be used to view network statistics, such as: percentage of network utilization, number of frames per second, number of broadcasts per second, and so forth. Network Monitor is useful for troubleshooting network problems, such as bottlenecks and protocol problems, as well as for determining how busy your network is.
Network Monitor is capable of capturing entire packets (also referred to as frames) from the network, and of analyzing the contents of each of these packets. You can save packets that are captured so you can study them later. It is important to keep in mind that the Network Monitor that ships with Windows 2000 is a scaled-down version designed to only capture packets sent to or from Windows 2000 Server computers. A more robust version of Network Monitor, that is capable of capturing all packets on the network segment, ships with Microsoft Systems Management Server.

Installing Network Monitor

Network Monitor is not installed by default during a normal Windows 2000 Server installation, so you’ll need to install it by using Add/Remove Programs in Control Panel. Installing Network Monitor is very straightforward.

STEP BY STEP

INSTALLING NETWORK MONITOR

1. Select Start ➪ Settings ➪ Control Panel.


2. In the Control Panel dialog box, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove Windows
Components.
4. In the Windows Components dialog box, highlight Management and Monitoring
Tools, then click Details.
5. In the Management and Monitoring Tools dialog box, select the check box next to
Network Monitor Tools and click OK.
6. In the Windows Components Wizard dialog box, click Next.
7. When prompted, insert your Windows 2000 compact disc into your computer’s
CD-ROM drive and click OK. Close the Microsoft Windows 2000 CD dialog box.
Windows 2000 installs Network Monitor.
8. In the Completing the Windows Components Wizard screen, click Finish.
9. Close Add/Remove Programs. Close Control Panel.

Using Network Monitor to Capture Packets

Once Network Monitor is installed, you can use it to capture network packets. Before I actually show you how to use Network Monitor, I want to introduce you to its main user interface, which is called the Network Monitor Capture Window dialog box, or the Capture Window dialog box for short.
To access Network Monitor, select Start ➪ Programs ➪ Administrative Tools ➪ Network Monitor. The Capture Window dialog box is shown, after a capture has been performed, in Figure 21-5. (Until a capture is performed, no statistics appear in this dialog box. I’ll explain how to perform a capture a little later in this section.)
FIGURE 21-5 The Capture Window dialog box (callouts: Graph pane, Session Stats pane, Total Stats pane, Station Stats pane)

As Figure 21-5 shows, the Capture Window dialog box has four panes: the Graph pane, the Session Stats pane, the Total Stats pane, and the Station Stats pane. You can use the Windows menu or the various buttons on the toolbar to configure which panes are displayed in this dialog box.
The Graph pane, which is the scrolling box located in the upper left corner of the Capture Window dialog box, displays five bar graphs. Each of these bar graphs depicts various network statistics, including % Network Utilization, Frames Per Second, Bytes Per Second, Broadcasts Per Second, and Multicasts Per Second.
The Session Stats pane, which is the scrolling list box located in the middle of the left side of the Capture Window dialog box, displays a summary of packets transmitted between pairs of computers or network devices on the local network segment. Each computer or device in this pane is listed as either a network address or a computer name. Two statistics columns are shown between the pairs of network addresses/computer names. The first column displays the number of packets sent (during the capture period) from the computer or network device in the Network Address 1 column to the corresponding computer or device in the Network Address 2 column. The second column displays the number of packets sent from the computer or device in the Network Address 2 column to the corresponding computer or device in the Network Address 1 column.
The Total Stats pane, which is the scrolling list box located in the upper
right corner of the Capture Window dialog box, displays five sections, each
of which contains a different type of statistics. The five sections are:
Network Statistics, Captured Statistics, Per Second Statistics, Network
Card (MAC) Statistics, and Network Card (MAC) Error Statistics.
The Station Stats pane is the scrolling box located across the bottom of the Capture Window dialog box. This pane displays several statistics associated with each computer or network device that transmitted (or received) at least one packet to (or from) the Windows 2000 Server computer performing the capture during the capture period. Statistics shown include Network Address, Frames Sent, Frames Received, Bytes Sent, Bytes Received, Directed Frames Sent, Multicasts Sent, and Broadcasts Sent.
Now that you’re familiar with the Capture Window dialog box and its
panes, you’re ready to perform a capture. Packets that you capture can be
used for later analysis, and the process of capturing packets doesn’t interfere
with the packets reaching their intended destinations on the network.

STEP BY STEP

CAPTURING PACKETS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Network Monitor.
2. In the Microsoft Network Monitor Capture Window dialog box, select Capture ➪
Start.
3. Network Monitor continues to capture network packets until you stop the
process. To stop a capture, select Capture ➪ Stop.

Chapter 21 ▼ Monitoring, Optimizing, and Troubleshooting Performance 1379

Configuring a Capture Filter
Because a large number of packet statistics may be displayed in the
Capture Window dialog box, you might want to use a capture filter to
limit the type of network packets that Network Monitor will capture. By
default, Network Monitor’s capture filter is configured to capture all
packets addressed to or sent by the Windows 2000 Server computer.
However, you can change this default behavior so that only certain types
of packets are captured. This feature is useful if you want to examine only
certain types of network traffic. You can configure a capture filter so that:
■ Only packets using certain protocols are (or are not) captured
■ Only packets to or from specified computers or network devices
are (or are not) captured
■ Only packets containing specific byte patterns are captured
■ Any combination of the preceding three

STEP BY STEP

CONFIGURING A CAPTURE FILTER

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Network Monitor.
2. In the Microsoft Network Monitor Capture Window dialog box, select Capture ➪
Filter.
3. A Capture Filter dialog box appears, indicating that this version of Network
Monitor can only capture packets sent to or from the local computer. Click OK.
4. The Capture Filter dialog box appears, as shown in Figure 21-6. Notice the
default capture filter is displayed. In the next several steps I’ll show you how to
configure a filter to capture packets by protocol, address pairs, and byte patterns.
5. To configure a capture filter to capture packets by protocol, double-click
SAP/ETYPE = Any SAP or Any ETYPE in the Capture Filter dialog box.
6. The Capture Filter SAPs and ETYPEs dialog box appears, as shown in Figure 21-7.
Highlight the protocol(s) you want to exclude in the Enabled Protocols list box.
Click Disable.
Or, you can click Disable All to exclude all protocols, and then highlight the
protocol(s) you want to include in the Disabled Protocols list box. Then click Enable.
Click OK.
7. To configure a capture filter to capture packets by their associated computer
name or network address, double-click (Address Pairs) in the Capture Filter
dialog box.
FIGURE 21-6 The Capture Filter dialog box

FIGURE 21-7 Configuring packets to be captured by protocol



8. The Address Expression dialog box appears, as shown in Figure 21-8. Note the
Station 1 and Station 2 list boxes.

FIGURE 21-8 Configuring packets to be captured by network address or computer name

First, select the Include or Exclude option at the top of the dialog box, depending
on whether you want to capture or exclude from capturing packets associated
with a particular pair of computer names or network addresses.
Highlight a computer name or network address from the Station 1 list box. Then,
highlight a direction arrow in the Direction list box to indicate whether the
computer name or network address highlighted in the Station 1 list box is the packets’
source address (--->), destination address (<---), or can be either the source or
destination address (<-->).
Finally, highlight a computer name or network address from the Station 2 list box.
Click OK. The new address appears in the Capture Filter dialog box. Network
Monitor enables you to configure up to three address pairs in a single capture
filter.
9. To configure a capture filter to capture packets by a specific byte pattern
contained in those packets, double-click (Pattern Matches) in the Capture Filter
dialog box.
10. The Pattern Match dialog box appears. Configure the Pattern and Offset (in hex)
text boxes. Click OK.
CAUTION
Configuring a capture filter by byte pattern is normally done only by
advanced users of Network Monitor. Detailed knowledge of packet
construction is required to configure a pattern match filter.

11. The Capture Filter dialog box reappears. Click OK.
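The three filter types the steps above describe, modelled in Python as an added example (not code from the book or from Network Monitor): constructed frames are run through an ETYPE filter, Include/Exclude address pairs with direction arrows, and a pattern match at a hexadecimal offset. The precedence between Include and Exclude pairs, and the sample addresses, are assumptions of this model.

```python
"""Model of a Network Monitor capture filter (added example, not from the book):
constructed Ethernet frames are filtered by ETYPE, by up to three address pairs
with a direction arrow, and by a byte pattern at an offset into the frame."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set

ETYPE_IP = 0x0800    # real Ethernet type values
ETYPE_ARP = 0x0806


def _mac(addr: str) -> bytes:
    """'00-50-56-C0-00-01' (the form Network Monitor lists) -> 6 raw bytes."""
    return bytes.fromhex(addr.replace("-", ""))


@dataclass
class Frame:
    src: str
    dst: str
    etype: int
    payload: bytes       # everything after the 14-byte Ethernet header

    def to_bytes(self) -> bytes:
        """Serialise as dst(6) src(6) etype(2) payload, so offsets are frame-relative."""
        return _mac(self.dst) + _mac(self.src) + struct.pack("!H", self.etype) + self.payload


@dataclass
class AddressPair:
    station1: str
    direction: str       # "--->", "<---" or "<-->", as in the Direction list box
    station2: str
    include: bool = True # the Include / Exclude option at the top of the dialog box

    def matches(self, f: Frame) -> bool:
        s1_to_s2 = f.src == self.station1 and f.dst == self.station2
        s2_to_s1 = f.src == self.station2 and f.dst == self.station1
        if self.direction == "--->":
            return s1_to_s2
        if self.direction == "<---":
            return s2_to_s1
        if self.direction == "<-->":
            return s1_to_s2 or s2_to_s1
        raise ValueError("unknown direction %r" % self.direction)


@dataclass
class CaptureFilter:
    enabled_etypes: Optional[Set[int]] = None   # None means "Any SAP or Any ETYPE"
    address_pairs: List[AddressPair] = field(default_factory=list)
    pattern: Optional[bytes] = None
    offset: int = 0                             # byte offset (typed in hex in the dialog)

    def add_pair(self, pair: AddressPair) -> None:
        if len(self.address_pairs) >= 3:
            raise ValueError("a capture filter holds at most three address pairs")
        self.address_pairs.append(pair)

    def accepts(self, f: Frame) -> bool:
        # Protocol: a frame whose ETYPE was moved to Disabled Protocols is dropped.
        if self.enabled_etypes is not None and f.etype not in self.enabled_etypes:
            return False
        # Address pairs, modelled here (assumption) so that an Exclude pair always
        # wins and, when Include pairs exist, the frame must match at least one.
        includes = [p for p in self.address_pairs if p.include]
        excludes = [p for p in self.address_pairs if not p.include]
        if any(p.matches(f) for p in excludes):
            return False
        if includes and not any(p.matches(f) for p in includes):
            return False
        # Pattern match: the bytes at the offset must equal the configured pattern.
        if self.pattern is not None:
            raw = f.to_bytes()
            if raw[self.offset:self.offset + len(self.pattern)] != self.pattern:
                return False
        return True


# Constructed sample traffic; the addresses are made up, not real hosts.
SERVER, CLIENT, OTHER = "00-50-56-C0-00-01", "00-50-56-C0-00-02", "00-50-56-C0-00-03"
BROADCAST = "FF-FF-FF-FF-FF-FF"
IPV4_HDR = b"\x45\x00\x00\x28"   # IPv4 version/IHL, TOS, total length
SAMPLE_FRAMES = [
    Frame(CLIENT, SERVER, ETYPE_IP, IPV4_HDR),         # client -> server, IP
    Frame(SERVER, CLIENT, ETYPE_IP, IPV4_HDR),         # server -> client, IP
    Frame(OTHER, SERVER, ETYPE_ARP, b"\x00\x01"),      # other -> server, ARP
    Frame(CLIENT, BROADCAST, ETYPE_ARP, b"\x00\x01"),  # client broadcast, ARP
]


def ip_between_server_and_client() -> List[Frame]:
    """IP only, SERVER <--> CLIENT, and the byte at offset 0x0E (the first byte
    after the Ethernet header) must be 0x45, the IPv4 version/IHL marker."""
    flt = CaptureFilter(enabled_etypes={ETYPE_IP}, pattern=b"\x45", offset=0x0E)
    flt.add_pair(AddressPair(SERVER, "<-->", CLIENT))
    return [f for f in SAMPLE_FRAMES if flt.accepts(f)]


def only_server_to_client() -> List[Frame]:
    """Same pair, plus an Exclude pair that drops what CLIENT sends to SERVER."""
    flt = CaptureFilter(enabled_etypes={ETYPE_IP})
    flt.add_pair(AddressPair(SERVER, "<-->", CLIENT))
    flt.add_pair(AddressPair(CLIENT, "--->", SERVER, include=False))
    return [f for f in SAMPLE_FRAMES if flt.accepts(f)]
```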

Saving Captured Data
After you finish performing a capture, you can save the captured data to a
file for later analysis if you like. This feature is helpful because you can
gather a collection of packet captures over a period of time, then analyze
them at a time that is convenient for you.
To save captured packets to a file, select File ➪ Save As in the Capture
Window dialog box after you stop a capture. Type in a name for the
capture and click Save.
To view the saved file at a later time, select File ➪ Open in the Capture
Window dialog box, and then select the file you saved in the Open dialog
box.

Using Network Monitor to View Captured Packets


Captured packets are of no use until you view them and interpret the
statistics and information displayed. You can use two primary dialog boxes to
view captured data in Network Monitor: the Capture Window dialog box
and the Capture Summary dialog box. The view you choose depends on
the type of information you seek.
The Capture Window dialog box (the Network Monitor main dialog
box) displays general network activity statistics. This dialog box is useful for
determining current network utilization, the type and number of packets
being sent on the network, and which computers are generating (or
receiving) the most network traffic. These statistics are useful for
troubleshooting and trend analysis.
The Capture Summary dialog box displays a listing of all packets
captured, and enables individual packet contents to be viewed and analyzed.
This dialog box is useful for troubleshooting protocol and network adapter
driver problems.

The following sections explain how to view and interpret captured data
by using the Capture Window and Capture Summary dialog boxes.

Using the Capture Window Dialog Box
The Capture Window dialog box is the main Network Monitor dialog box
that was shown in Figure 21-5. As previously mentioned, this dialog box
has four panes: the Graph pane, the Session Stats pane, the Total Stats
pane, and the Station Stats pane. In this section I’ll show you how to use
this dialog box to perform some of the most common network analysis
tasks on captured data.
One common task is determining current network utilization. To
determine the current utilization of a network segment, start a Network
Monitor capture, and then watch the % Network Utilization bar graph in
the Graph pane during the entire capture period. This graph displays only the
most recent one-second’s worth of network activity, so you must view it
during the entire capture period to get a feel for overall network
utilization. A high number on the graph (any number consistently over 50%)
may indicate that there is too much traffic on the network segment.
Another common task is determining which computer is sending or
receiving the most of a specific type of network traffic. You can sort any of
the columns in the Session Stats and Station Stats panes to determine
precisely which computer is sending (or receiving) the most of a specific type
of network traffic. For example, you can sort the Frames Sent column in
the Station Stats pane to determine which computer on the network
segment sent the most packets during the capture period. Similarly, you can
sort the Broadcasts Sent column in the Station Stats pane to determine
which computer sent the most broadcasts during the capture period. You
can also sort the Frames Received column in the Station Stats pane to
determine which computer received the most packets during the capture
period. All the other columns can be sorted, as well, to determine which
computer was responsible for generating the most bytes sent, most directed
frames sent, most multicasts sent, and so forth. When you sort a column,
Network Monitor displays the output in descending order, with the largest
number appearing at the top of the column. To sort a column, right-click
anywhere in the column and select Sort Column.
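An added Python example, not from the book, that builds the Station Stats columns and the Session Stats pair counts from constructed frames and sorts a column the way Sort Column does (largest value at the top). The multicast test on the destination address’s first octet and the crediting of broadcast frames to a broadcast row are assumptions of this model.

```python
"""Station Stats and Session Stats from constructed frames (added example,
not from the book or from Network Monitor's own code)."""
from collections import defaultdict
from typing import Dict, List, Tuple

FrameRec = Tuple[str, str, int]     # (source MAC, destination MAC, frame length in bytes)
BROADCAST = "FF-FF-FF-FF-FF-FF"
COLUMNS = ("Frames Sent", "Frames Received", "Bytes Sent", "Bytes Received",
           "Directed Frames Sent", "Multicasts Sent", "Broadcasts Sent")


def sent_column(dst: str) -> str:
    """Which 'sent' column a frame counts under, judged by its destination:
    broadcast, multicast (I/G bit of the first octet set; assumption) or directed."""
    if dst == BROADCAST:
        return "Broadcasts Sent"
    if int(dst.split("-")[0], 16) & 1:
        return "Multicasts Sent"
    return "Directed Frames Sent"


def station_stats(frames: List[FrameRec]) -> Dict[str, Dict[str, int]]:
    """One row per address, like the Station Stats pane. Receipt is credited to
    the destination address as written, so broadcast frames land on a row of
    their own (a modelling choice, not Network Monitor's *BROADCAST naming)."""
    rows: Dict[str, Dict[str, int]] = defaultdict(lambda: dict.fromkeys(COLUMNS, 0))
    for src, dst, length in frames:
        rows[src]["Frames Sent"] += 1
        rows[src]["Bytes Sent"] += length
        rows[src][sent_column(dst)] += 1
        rows[dst]["Frames Received"] += 1
        rows[dst]["Bytes Received"] += length
    return dict(rows)


def sort_column(rows: Dict[str, Dict[str, int]], column: str) -> List[Tuple[str, int]]:
    """Right-click > Sort Column: descending order, largest value at the top."""
    if column not in COLUMNS:
        raise KeyError(column)
    return sorted(((addr, row[column]) for addr, row in rows.items()),
                  key=lambda item: item[1], reverse=True)


def session_stats(frames: List[FrameRec]) -> Dict[Tuple[str, str], List[int]]:
    """Session Stats: per address pair, [frames 1 -> 2, frames 2 -> 1], with the
    lower address as Network Address 1."""
    pairs: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for src, dst, _ in frames:
        addr1, addr2 = sorted((src, dst))
        pairs[(addr1, addr2)][0 if src == addr1 else 1] += 1
    return dict(pairs)


# Constructed capture: one server, two clients and a multicast group address.
SERVER, PC1, PC2 = "00-50-56-C0-00-01", "00-50-56-C0-00-02", "00-50-56-C0-00-03"
MCAST = "01-00-5E-00-00-FB"
SAMPLE_FRAMES: List[FrameRec] = [
    (PC1, SERVER, 64), (PC1, SERVER, 1514), (SERVER, PC1, 1514),
    (PC2, SERVER, 64), (PC2, SERVER, 64), (PC2, BROADCAST, 60), (PC2, BROADCAST, 60),
    (SERVER, MCAST, 100), (PC1, BROADCAST, 60),
]


def top_station(column: str) -> Tuple[str, int]:
    """The row at the top of the pane after sorting the given column."""
    return sort_column(station_stats(SAMPLE_FRAMES), column)[0]
```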

Using the Capture Summary Dialog Box
To access the Capture Summary dialog box, in the Capture Window dialog
box, select Capture ➪ Display Captured Data. Figure 21-9 shows the
Capture Summary dialog box.
Notice the dialog box lists, by frame number, all of the packets captured by
Network Monitor during the capture period.

FIGURE 21-9 The Capture Summary dialog box

You can double-click any frame listed in this dialog box to obtain
detailed information about the contents of that packet. For example,
Figure 21-10 shows the packet details view for a specific packet. Notice
the middle pane in the dialog box shows protocol decode information, and
the lower pane in the dialog box shows, in hexadecimal, the entire contents
of the packet.
If there are too many packets displayed in the Capture Summary dialog
box, you can configure a display filter to limit the number of captured
packets displayed. Configuring a display filter is very similar to configuring
a capture filter.

Using Windows Task Manager


Windows Task Manager is a Windows 2000 graphical utility that can be
used to monitor performance statistics, such as CPU and memory usage, to
start and stop applications, and to change a process’s base priority.

FIGURE 21-10 Viewing packet detail in the Capture Summary dialog box

You can access Windows Task Manager in several different ways:


■ By pressing Ctrl+Shift+Esc
■ By pressing Ctrl+Alt+Delete, and then clicking Task Manager
■ By right-clicking a blank space on the taskbar (on the desktop),
and then selecting Task Manager from the menu that appears
■ By selecting Start ➪ Run, and then typing taskmgr in the Run
dialog box
Figure 21-11 shows the Performance tab in Windows Task Manager.
Notice the CPU Usage History and Memory Usage History sections.
In the following steps I’ll show you how to use the Performance tab to
monitor memory and processor usage. I’ll show you how to use Windows
Task Manager to start a process, stop a process, and change a process’s base
priority later in this chapter.
FIGURE 21-11 Windows Task Manager

STEP BY STEP

MONITORING MEMORY AND PROCESSOR PERFORMANCE BY USING TASK MANAGER

1. Press Ctrl+Shift+Esc.
2. In the Windows Task Manager dialog box, click the Performance tab if it is not
displayed.
3. On the Performance tab, monitor the CPU Usage and Memory Usage statistics.
You can also view the CPU Usage History and Memory Usage History graphs.
When you finish monitoring performance statistics, exit Windows Task Manager.

Monitoring Shared Folders


Windows 2000 enables you to easily monitor shared network folders by
using the Shared Folders tool in Computer Management. The Shared
Folders tool enables you to:
■ View a list of shared folders on the computer
■ Monitor the number of computers currently connected to each
shared folder
■ View a list of specific users currently connected to shared folders
on the computer
■ Monitor the number of open files, by user
■ Monitor the amount of time each user has been connected to the
computer
■ Stop sharing a folder
■ Close open files in shared folders
■ Disconnect users from the computer
I don’t use this tool very often. However, it is extremely useful for
closing a file in a shared folder when a client computer that was connected to
the file has crashed. It’s also useful for disconnecting users from shared
folders prior to performing server maintenance tasks.

STEP BY STEP

MONITORING SHARED FOLDERS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Computer Management. (Or,
right-click My Computer and select Manage from the menu that appears.)
2. In the left pane of the Computer Management dialog box, click the + next to
Shared Folders. Three subfolders appear under Shared Folders: Shares,
Sessions, and Open Files.
3. In the left pane, highlight the Shares folder. In the right pane, a list of the shared
folders on your computer is displayed, including the number of client computers
connected to each shared folder. To stop sharing a folder, right-click the folder
and select Stop Sharing from the menu that appears. Click OK to confirm the
action you want to take. To modify the properties of a shared folder, right-click
the folder and select Properties from the menu that appears.
4. In the left pane, highlight the Sessions folder. In the right pane, a list of users
that are currently connected to shared folders on your computer is displayed, as
shown in Figure 21-12. Notice that the number of files each user has open and
the amount of time the user has been connected to the computer are also
displayed.
To disconnect a user from all shared folders on the computer, right-click the
user’s name and select Close Session from the menu that appears. Click OK to
confirm the action you want to take.
FIGURE 21-12 Monitoring user sessions

5. In the left pane, highlight the Open Files folder. In the right pane, a list of files
currently open in shared folders on this computer is displayed. To close a file,
right-click the file, and select Close Open File from the menu that appears. Click
OK to confirm the action you want to take.
6. Close Computer Management.

Optimizing and Troubleshooting Performance

Where performance is concerned, optimizing and troubleshooting are two
sides of the same coin. Optimizing is the process of configuring system or
network components so they function at their peak. Troubleshooting is the
process of determining which network or system components require
optimization.
You can think of troubleshooting as diagnosing the performance
problem, and optimizing as the solution. In many circumstances, optimization is
performed because a problem has made itself known. However, you can
take a proactive approach, develop an optimization plan, and resolve
performance issues that could potentially become problems if no action is
taken.

In the following sections I’ll explore optimizing and troubleshooting
performance of several key system components, including: memory,
processor, disk, network, and applications.

EXAM TIP
You can expect the Windows 2000 exams — particularly the Professional
exam — to have several questions on these optimizing and troubleshooting
topics. I recommend you review the following sections carefully
before taking the exams.

Optimizing and Troubleshooting Memory Performance

The single greatest cause of poor memory performance is a lack of RAM.
You can’t have too much RAM in your Windows 2000 computer. The
more RAM you have, the more it can do in a shorter period of time. You
should plan on regular, periodic RAM upgrades so your computer can
meet the ever-increasing demands placed on it by operating systems,
applications, and processes.

IN THE REAL WORLD


Operating systems and applications are constantly being updated and
revised. Each new version seems to need more RAM. For example,
Windows NT Server 4.0 requires a minimum of 16MB of RAM, while
Windows 2000 Server requires a minimum of 256MB of RAM.

Adding RAM can reduce how often the computer reads or writes virtual
memory pages to or from the paging file on the hard disk. This is
called reducing paging. Because paging uses both processor time and disk
time, when paging is reduced, the performance of the processor and the
disk are also improved.
When RAM is added to the computer, Windows 2000 automatically
increases the allocation of RAM made available to the disk cache. The disk
cache temporarily stores user requested files from the hard disk in RAM.
Because the disk doesn’t need to be accessed when a file is retrieved from
the cache, files in the cache are more quickly available to users than files on
the disk. Thus, increasing the size of the cache can improve disk
performance because the number of disk accesses is reduced.
In addition to installing more physical RAM, you can also optimize
your paging file. The operating system uses the paging file to temporarily
store memory data on the hard disk. As the computer runs low on physical
memory, it uses the paging file to store memory pages, then recalls those
pages from the hard disk as they are needed. To optimize your paging file,
consider trying one or more of the following:
■ Adding RAM, which lessens the use of the paging file
■ Configuring the paging file so that its initial size and maximum
size are equal — this prevents fragmentation of the paging file.
■ Placing the paging file on the physical disk in your system that has
the least amount of activity
■ Placing the paging file on a striped volume
■ Placing multiple, smaller paging files on multiple physical disks in
your system
■ Placing the paging file on any other partition than the boot partition
So, how do you know if you need more memory? First, Windows 2000
will let you know when it is running low on physical memory and will
prompt you to close some of your applications. Additionally, you can use
Windows Task Manager to see how much memory is being used, and how
much of that memory is being paged. This information will give you a
good look at how your computer uses memory and will help you know if
you need to add more RAM. Finally, use System Monitor to chart the
Memory-Pages/sec and Paging File-% Usage counters. When you examine
the chart, if the Paging File-% Usage counter shows the usage of the
paging file is approaching 100%, or if the Memory-Pages/sec counter is
consistently greater than 5 to 6, then you probably need to add RAM.

Optimizing and Troubleshooting Processor Performance

As computer systems have evolved, the power and speed of processors have
evolved as well. The processor in your Windows 2000 computer must be
fast enough to handle the processing tasks placed on it, and if it can’t, you
will need to take some actions to resolve the problem. A point of warning,
however, before you buy a new processor for a computer: make certain
you have thoroughly examined your computer’s memory. You may think
the problem is the processor, when in fact you don’t have enough RAM to
handle the processing jobs.
So, use System Monitor and Windows Task Manager to check both your
processor and your memory, so you know exactly what the problem is. If
you determine that your processor is too slow, you have a few decisions to
make. First, you can simply upgrade the processor to a faster one. Or, you
can add a processor so that your computer uses two, or you can keep your
existing processor and remove some of the server’s load by moving other
processes or tasks to different servers.
Before upgrading your processor, take a good look at your entire
computer. It may be time for a new computer, in which case, it would probably
be a waste of money to buy a new processor if the entire computer needs
to be replaced anyway.

Optimizing and Troubleshooting Disk Performance


Like other system components, physical disks may also need optimizing and
troubleshooting. Normally, when there’s a disk problem, users will notice a
system slowdown when trying to read or write data to the hard disk. This
can be caused by increased utilization of a slow hard disk, a slow hard disk
controller, or a fragmented hard disk. You can use System Monitor to
determine how the hard disk in your Windows 2000 computer is performing,
and if your disk is, in fact, the bottleneck that is causing poor performance.
The more disks are used, the more likely they are to become
fragmented. When disks are fragmented, it takes longer to read and write data
to the disks, and users notice this slowdown. You can easily fix a fragmented
disk by using the Windows 2000 Disk Defragmenter tool. You can start
Disk Defragmenter by selecting Start ➪ Programs ➪ Accessories ➪ System
Tools ➪ Disk Defragmenter. Consider periodically running Disk
Defragmenter (once a week or so) on your hard disks to maximize disk
performance by minimizing disk fragmentation.
Some older hard disks and hard disk controllers may simply be too slow
to meet your current use requirements. If this is the case, an upgrade is
probably in order. You can also implement other solutions, in addition to
regular disk defragmentation, that can help disk performance:
■ Configure a striped volume across two or more hard disks. Striped
volumes improve read and write performance due to the way data
is striped across the disks.
■ Configure a RAID-5 volume across three or more hard disks. A
RAID-5 volume dramatically improves read performance because
the data is striped across multiple disks. Write speed is only slightly
improved, because of the need to calculate parity information. In
addition, a RAID-5 volume provides a measure of fault tolerance
that is not provided by a striped volume.

EXAM TIP
You should know that mirrored volumes, while they are an effective fault
tolerance solution, don’t improve disk performance in Windows 2000.

Optimizing and Troubleshooting Network Performance

Network performance problems can be difficult to locate. Typically, poor
network performance results when too many computers are sending too
much network traffic on a network segment. You can think of the network
segment as a highway and network packets as automobiles. When there are
too many packets, the network becomes congested. Your task, then, is to
determine whether too much network traffic exists.
As I explained earlier in this chapter, you can use both Network
Monitor and System Monitor to examine network traffic trends on your
Windows 2000 network.
If you determine that there is too much network traffic on one or more
network segments, consider further segmenting that network segment by
installing a router or switch.
Another type of network traffic problem occurs when users report slow
network response from a server located on the other side of a WAN link.
In this situation, consider these options:
■ Move the server to the other side of the WAN link so client
computers can access the server directly, without having to send network
traffic across the WAN link.
■ Add an additional server of the appropriate type (domain
controller, DNS, DHCP, WINS, or global catalog) on the other side of
the WAN link to service the client computers on that side of the
link and to minimize WAN traffic.
For example, when users access a Windows 2000 domain controller for
logon authentication across a WAN link (and slow server response time is
reported), consider placing an additional domain controller on the same
side of the WAN link as the client computers that need to access it. Placing
the domain controller physically close to the client computers will improve
server response time and reduce WAN link traffic.

Optimizing and Troubleshooting Application Performance

As a general rule, problems with application performance occur when too
many processes are running, or when some processes are consuming too
many system resources. You can use both System Monitor and Windows
Task Manager to monitor the performance of a process. In addition, you
can use System Monitor to monitor the performance of individual threads
within a process.
As you consider troubleshooting and optimizing application
performance, you need to understand that Windows 2000 manages processes
based on their priorities. Windows 2000 uses process priorities to
determine which applications (processes) receive the most processor time. A
process priority (sometimes just called a priority) is a number between 0
and 31 that is assigned to an application when it is started. Applications that
have a high priority receive more processor time than applications with a
low priority. When an application is started in Windows 2000, it is assigned
a base priority. Windows 2000 can dynamically raise and lower an
application’s priority based on changing conditions in the computer.
By default, most user applications are assigned a base priority of 8, the
normal priority. A user application can be assigned a base priority between
0 and 15. A real-time or kernel mode application can be assigned a base
priority between 16 and 31. You can change the base priority of an
application, as the next section explains.

Starting Applications at Various Priorities

In Windows 2000, the start command is used to start applications at
various base priorities. The start command can be used in batch files and
from the command prompt. The start command can’t be used in shortcuts
to applications. Several switches are commonly used with the Windows
2000 start command. These switches are listed and described in Table
21-3. To view a complete list of switches for the start command, at the
command prompt, type start /? and press Enter.

TABLE 21-3 Commonly Used Windows 2000 start Command Switches

Switch        Description
/low          Starts the application with a base priority of 4.
/belownormal  Starts the application with a base priority of 6.
/normal       Starts the application with a base priority of 8. This is the
              priority that is normally assigned to most user applications.
              Windows 2000 typically starts user applications with a base
              priority of 8 when no other priority is specified.
/abovenormal  Starts the application with a base priority of 10.
/high         Starts the application with a base priority of 13.
/realtime     Starts the application with a base priority of 24. Applications
              started at the real-time base priority can slow the performance
              of the operating system itself. The real-time base priority
              should be used with extreme caution and is not recommended
              for most applications.
/min          Does not affect the base priority of an application. It starts an
              application in a minimized window. This switch can be used
              in conjunction with a priority switch and, if desired, either the
              /separate or /shared switch.
/max          Does not affect the base priority of an application. It starts an
              application in a maximized window. This switch can be used
              in conjunction with a priority switch and, if desired, either the
              /separate or /shared switch.
/separate     Does not affect the base priority of an application. It starts a
              Win16 application in a separate memory space.
/shared       Does not affect the base priority of an application. It starts a
              Win16 application in the Win16 shared memory space.

Using Windows Task Manager to Manage Processes


Another important part of optimizing and troubleshooting application
performance is managing processes. You can use Windows Task Manager to
manage the processes that are currently running on your Windows 2000
computer. This includes starting and stopping processes, and changing the
base priority of processes.
STEP BY STEP

STARTING, STOPPING, AND CHANGING THE BASE PRIORITY OF A PROCESS

1. Start Windows Task Manager. (Press Ctrl+Shift+Esc.)
2. In the Windows Task Manager dialog box, click the Processes tab.
■ To start a process, select File ➪ New Task. In the Create New Task dialog
box, type the name of the application, folder, or document that you want to
start and click OK.
■ To stop a process, highlight the process you want to stop and click End
Process. Then click Yes in the Task Manager Warning dialog box to stop the
process.
■ To end a process and all of its associated sub-processes, right-click
the process and select End Process Tree. Then click Yes in the Task
Manager Warning dialog box to stop the processes.
■ To change the base priority of a process, right-click the process and
select Set Priority. Then, select the base priority you want to assign to this
process from the menu that appears. Options include: Realtime, High,
AboveNormal, Normal, BelowNormal, and Low. Figure 21-13 shows the Set
Priority menu.

FIGURE 21-13 Setting a process’s base priority


If a Task Manager Warning dialog box appears, click Yes to change the
process’s base priority.
3. When you finish managing processes, close Windows Task Manager.

Optimizing Performance of the Server


Optimizing your Windows 2000 Server computer enables you to get the
most out of what you’ve got. There are four primary ways to optimize a
server. You can optimize a server by configuring load balancing across
multiple servers; disabling unused services, protocols, and drivers; scheduling
server-intensive tasks for nonpeak hours; and optimizing the Server service.

Configuring Load Balancing


Configuring load balancing across multiple servers involves spreading
server tasks among more than one server so that no one server is
overburdened. Suppose that you have two servers that are primarily used for file
and print services. One of these servers is functioning near peak capacity,
while the other server is hardly being used. To improve overall server
performance, consider moving a portion of the busy server’s files to the other
server. This will reduce some of the load on the busy server, and “balance
the load” with the second server.

Disabling Unused Services


Another way to improve server performance is to disable unused services,
protocols, and drivers. Each installed service, protocol, and driver uses
processor time and memory space. Also, some services and protocols
generate additional network traffic. If an installed service, protocol, or driver is
no longer being used, consider removing the service, protocol, or driver;
or, consider configuring the service, protocol, or driver to start manually
instead of automatically.

Scheduling Server-intensive Tasks


Another way to improve server performance is to schedule large,
server-intensive tasks to be performed during nonpeak hours. For example, if you
must update a large database or generate a large report on a daily basis, and
it isn’t critical that this task be done during business hours, consider
scheduling the task to run after business hours (and before the tape backup is
run for the night). If the task must be done during business hours, consider
scheduling it to run during a period of lower activity, such as during a
lunch hour.

Optimizing the Server Service


Finally, you can optimize the Server service for the type of tasks the server
normally performs, and for the number of client computers that normally
access the server. The Server service has the following four optimization
options:
■ Minimize memory used: Select this option when fewer than
ten users will access the Windows 2000 Server computer at the
same time, and when a user will sit at the server and use the server
as his or her desktop computer.
■ Balance: Select this option when fewer than sixty-four users will
access the Windows 2000 Server computer at the same time. This
option is also a good choice when the server is used for file and
print services as well as by a distributed application that performs
its own memory caching, such as Microsoft SQL Server.
■ Maximize data throughput for file sharing: Select this option
when more than sixty-four users will access the Windows 2000
Server computer at the same time, and when the server is primarily
used as a file and print server. This is the default option for Windows
2000 Server, and is a good selection whenever the server functions
primarily as a file and print server, even if there are fewer than
sixty-four users.
■ Maximize data throughput for network applications: Select
this option when more than sixty-four users will access the
Windows 2000 Server computer at the same time, and when the
server is primarily used for a distributed application that performs
its own memory caching, such as SQL Server. This is a good selection
whenever the server functions primarily as an application
server, even if there are fewer than sixty-four users. This is generally
the best option for Windows 2000 domain controllers.

STEP BY STEP

CONFIGURING THE SERVER SERVICE

1. From the desktop, right-click My Network Places, then select Properties from the
menu that appears.
2. In the Network and Dial-up Connections folder, right-click any Local
Area Connection, then select Properties from the menu that appears.
3. In the Local Area Connection Properties dialog box, highlight File and Printer
Sharing for Microsoft Networks, then click Properties.
4. The File and Printer Sharing for Microsoft Networks Properties dialog box
appears, as shown in Figure 21-14. Notice the four optimization options.

FIGURE 21-14 Optimizing the Server service

Select the option that will provide the best performance for your Windows 2000
Server computer. Click OK.
5. In the Local Area Connection Properties dialog box, click OK.
6. Close the Network and Dial-up Connections folder.
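The four options in Figure 21-14 are stored as two registry values: Size under the LanmanServer parameters (1, 2, or 3 for the three working-set profiles) and LargeSystemCache under Memory Management (1 gives the memory to the file cache, 0 to applications). The following PowerShell is an added example, not part of the book, that reads the current setting back and maps it to the option names above, and sets it without the dialog. It assumes a Windows host with PowerShell and Administrator rights; Windows 2000 itself has no PowerShell, but these are the same values its dialog writes.

```powershell
# Added example (not from the book): read and set the Server service optimization
# option through the registry values the dialog writes. Assumes PowerShell on a
# Windows host, run from an elevated session.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$MemoryMgmt   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-ServerServiceOptimization {
    $size = (Get-ItemProperty -Path $LanmanParams -Name Size -ErrorAction SilentlyContinue).Size
    $lsc  = (Get-ItemProperty -Path $MemoryMgmt -Name LargeSystemCache -ErrorAction SilentlyContinue).LargeSystemCache
    $option = switch ($size) {
        1 { 'Minimize memory used' }
        2 { 'Balance' }
        3 { if ($lsc -eq 1) { 'Maximize data throughput for file sharing' }
            else           { 'Maximize data throughput for network applications' } }
        default { 'Size not set; the Server service uses its built-in default' }
    }
    [pscustomobject]@{ Size = $size; LargeSystemCache = $lsc; Option = $option }
}

function Set-ServerServiceOptimization {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('MinimizeMemory', 'Balance', 'FileSharing', 'NetworkApplications')]
        [string]$Option
    )
    # Size selects the Server service's working-set profile; LargeSystemCache
    # decides whether the system file cache or applications get the memory.
    $values = switch ($Option) {
        'MinimizeMemory'      { 1, 0 }
        'Balance'             { 2, 0 }
        'FileSharing'         { 3, 1 }
        'NetworkApplications' { 3, 0 }
    }
    $size, $lsc = $values
    if ($PSCmdlet.ShouldProcess('Server service', "set optimization to $Option")) {
        Set-ItemProperty -Path $LanmanParams -Name Size -Value $size -Type DWord
        Set-ItemProperty -Path $MemoryMgmt -Name LargeSystemCache -Value $lsc -Type DWord
        Write-Warning 'Restart the Server service (or reboot) for the change to take effect.'
    }
}

Get-ServerServiceOptimization
Set-ServerServiceOptimization -Option NetworkApplications -WhatIf
```

Reading the values back after a change is the check worth keeping: Group Policy, an installer, or an administrator working in the dialog can alter them, and the LargeSystemCache value is only honoured after a restart.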

KEY POINT SUMMARY

This chapter introduced several important monitoring, optimization, and trouble-
shooting topics:
■ System Monitor is a Windows 2000 tool that uses objects, instances, and
counters to chart the performance of system components. Objects that are
commonly monitored include: Memory, Network Interface, Paging File,
PhysicalDisk, Process, Processor, Server, and Thread.
■ You can use System Monitor to view current activity or to view historical log file
data. Data can be viewed in a chart or in a report.
■ Network Monitor is a Windows 2000 Server tool that enables you to capture,
view, and analyze network packets. This tool is useful for troubleshooting net-
work problems, such as bottlenecks and protocol problems.
■ Packets captured by using Network Monitor can be saved and analyzed at a
later time. This option allows you to make several captures and compare the
captured data.
■ Windows Task Manager is a Windows 2000 graphical utility that can be used
to monitor performance statistics, such as CPU and memory usage. It can also
be used to stop, start, and change the base priority of processes.
■ You can use the Shared Folders tool in Computer Management to monitor
shared folders. In addition, you can use this tool to close open files and dis-
connect users.
■ The greatest cause of poor memory performance in a Windows 2000 com-
puter is lack of RAM. In addition to optimizing the physical memory in a com-
puter (RAM), you can also optimize your computer’s paging file.
■ Processors may need to be upgraded as a computer’s workload increases.
You can use System Monitor and Windows Task Manager to monitor the per-
formance of your computer’s processor.
■ A common hard disk problem is fragmentation. Windows 2000 includes a
defragmentation utility, called Disk Defragmenter, that you can use to resolve
this problem. As with all system hardware, hard disks and hard disk controllers
need to be upgraded periodically.

■ If you determine, by using Network Monitor and System Monitor, that there is
too much network traffic on a network segment, consider further segmenting
that network segment by installing a router or a switch.
■ Windows 2000 handles applications based on their priorities. You can use the
start command to start applications at various base priorities. You can also
use Windows Task Manager to start, stop, and change the base priority of a
process.
■ There are several ways to optimize a Windows 2000 Server computer, includ-
ing: configuring load balancing across multiple servers; disabling unused ser-
vices, protocols, and drivers; scheduling server-intensive jobs for nonpeak
hours; and optimizing the Server service.

STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about monitoring, optimizing, and troubleshooting Windows
2000, and to help you prepare for the Professional, Server and Networking
exams:
■ Assessment questions: These questions test your knowledge of
the monitoring, optimization, and troubleshooting topics covered
in this chapter. You'll find the answers to these questions at the end
of this chapter.
■ Scenarios: The situation-based questions in scenarios challenge
you to apply your understanding of the material to solve a hypo-
thetical problem. In this chapter's scenarios, you are asked to ana-
lyze performance situations, and to provide answers to the question
or questions presented for each situation. You don't need to be at a
computer to do scenarios. Answers to this chapter's scenarios are
presented at the end of this chapter.
■ Lab Exercise: These exercises are hands-on practice activities that
you perform on a computer. The lab in this chapter gives you an
opportunity to practice using several Windows 2000 tools to moni-
tor and optimize performance.

Assessment Questions
1. You want to use System Monitor to see how much of the paging file
on your Windows 2000 computer is being utilized. Which counter
should you use?
A. Paging File-% Usage
B. Paging File-% Usage Peak
C. Memory-Pages/sec
D. Memory-Pool Paged Bytes

2. You want to use System Monitor to see how many disk reads and
writes are having to wait to be serviced. Which PhysicalDisk counter
should you use?
A. % Disk Read Time
B. Split IO/Sec
C. % Idle Time
D. Avg Disk Queue Length
3. You want to examine several counters to determine how applications
are performing on your Windows 2000 computer. Which System
Monitor object should you monitor?
A. PhysicalDisk
B. Process
C. Processor
D. Redirector
4. You want to use Network Monitor to capture network data, but you
only want to capture packets that use a specific protocol. What should
you do?
A. Configure a network filter
B. Configure a capture filter
C. Configure a protocol filter
D. Configure a packet filter
5. You want to determine which users are currently connected to shared
folders on your Windows 2000 computer. In Computer Management,
which subfolder of the Shared Folders tool should you use?
A. Shares
B. Sessions
C. Open Files
6. Which base priority is assigned to most applications, by default?
A. Realtime
B. High
C. Normal
D. Low
7. You want to stop a process that is running on your Windows 2000
computer. Which tool should you use?
A. Computer Management
B. Windows Task Manager
C. Windows Explorer
D. Configure Your Server
8. What is the default optimization setting for the Server service on
Windows 2000 Server computers?
A. Minimize memory used
B. Balance
C. Maximize data throughput for file sharing
D. Maximize data throughput for network applications

Scenarios
Monitoring, optimizing, and troubleshooting performance on your net-
work can be complex tasks. For each of the following situations, consider
the given facts and answer the question or questions that follow.
1. A Windows 2000 computer seems to be running slowly, especially
when several applications are used at the same time. The hard disk
drive indicator light is on almost all of the time, even when users are
not accessing data from the hard disk.
a. What is the most likely cause of the problem?
b. What can you do to verify the cause of the problem?
c. How can you resolve the problem and optimize the situation?
2. A user reports that tasks are taking longer than normal to complete
on a particular Windows 2000 computer, especially when the com-
puter has several tasks to complete at the same time.
a. What is the most likely cause of the problem?
b. What can you do to verify the cause of the problem?
c. How can you resolve the problem and optimize the situation?
3. You notice that a particular Windows 2000 computer takes a long
time to read information from its hard disk.
a. What is the most likely cause (or causes) of the problem?
b. What can you do to verify the cause of the problem?
c. How can you resolve the problem and optimize the situation?
4. Several users report that server response time on a particular Windows
2000 network segment is slow.
a. What is the most likely cause of the problem?
b. What can you do to verify the cause of the problem?
c. How can you resolve the problem and optimize the situation?
5. On a particular Windows 2000 computer, you notice that one specific
application seems to run much slower than other applications.
a. What is the most likely cause of the problem?
b. What can you do to verify the cause of the problem?
c. How can you resolve the problem and optimize the situation?
6. You want to optimize the hard disks on a particular Windows 2000
Server computer. What can you do to accomplish this?

Lab Exercise
Lab 21-1 Monitoring and Optimizing Performance
EXAM MATERIAL: Professional, Server, Networking

The purpose of this lab is to provide you with an opportunity to use sev-
eral Windows 2000 tools to practice monitoring and optimizing the per-
formance of your computer.
There are five parts to this lab:
■ Part 1: Monitoring System Performance by Using System Monitor
■ Part 2: Monitoring Network Performance by Using Network
Monitor
■ Part 3: Using Windows Task Manager to Manage Processes

■ Part 4: Optimizing the Server Service


■ Part 5: Monitoring Access to Shared Folders
Begin this lab by booting your computer to Windows 2000 Server and
logging on as Administrator.

Part 1: Monitoring System Performance by Using System Monitor
In this part you use System Monitor to monitor the performance of your
Windows 2000 Server computer.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Performance.
2. In the Performance dialog box, in the toolbar in the right pane, click
the Add button (which appears as a + sign).
3. In the Add Counters dialog box, select the "Use local computer
counters" option. Select the Processor object from the "Performance
object" drop-down list box. Then select the % Processor Time
counter, and click Add.
4. Select the Memory object from the "Performance object" drop-down
list box. Then select the Pages/sec counter, and click Add.
5. Select the Network Interface object from the "Performance object"
drop-down list box. Then select the Bytes Total/sec counter, and
click Add.
6. Select the PhysicalDisk object from the "Performance object" drop-
down list box. Then select the % Disk Time counter, and click Add.
Click Close.
7. View the System Monitor chart. Do you notice any problems with
your computer’s processor, memory, network, or disk performance?
8. Close System Monitor.
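As an added example (not part of the lab), the following PowerShell collects the same counters from the command line with Get-Counter, averages each one over a short window, and flags any that cross a threshold, which is the check you would script rather than watch in the chart. It assumes PowerShell 3 or later on a Windows host; the threshold values are assumptions chosen for illustration, not figures from the chapter.

```powershell
# Added example (not from the book): sample the lab's counters with Get-Counter,
# average them, and flag the ones over a rule-of-thumb threshold. Assumes
# PowerShell 3+ on Windows. Thresholds below are assumptions, not chapter values.
$Thresholds = @{
    '% Processor Time'       = 80     # sustained; one busy sample is not a bottleneck
    'Pages/sec'              = 20     # hard page faults per second
    '% Disk Time'            = 90
    'Avg. Disk Queue Length' = 2      # requests waiting per spindle
    'Bytes Total/sec'        = 10MB   # per network interface
}
$Paths = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Pages/sec',
    '\Network Interface(*)\Bytes Total/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
)

function Get-PerformanceSnapshot {
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)
    $sets = Get-Counter -Counter $Paths -SampleInterval $IntervalSeconds -MaxSamples $Samples
    # Group every sample by its expanded counter path (one group per network
    # interface instance), average the cooked values, and look the counter name
    # up in the threshold table. Hashtable lookups are case-insensitive.
    $sets.CounterSamples | Group-Object Path | ForEach-Object {
        $counter = ($_.Name -split '\\')[-1]
        $avg     = ($_.Group | Measure-Object -Property CookedValue -Average).Average
        $limit   = $Thresholds[$counter]
        [pscustomobject]@{
            Path    = $_.Name
            Average = [math]::Round($avg, 2)
            Limit   = $limit
            Exceeds = ($null -ne $limit) -and ($avg -gt $limit)
        }
    }
}

Get-PerformanceSnapshot | Sort-Object Exceeds -Descending | Format-Table -AutoSize
```

A five-sample window only shows what the machine is doing right now; for the capacity questions in the scenarios later in this chapter, log the same counters over a full business day before drawing a conclusion.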

Part 2: Monitoring Network Performance by Using Network Monitor
In this part you install Network Monitor. Then you use Network Monitor
to capture network packets and view network performance statistics.
1. Select Start ➪ Settings ➪ Control Panel.
2. In the Control Panel dialog box, double-click Add/Remove
Programs.
3. In the Add/Remove Programs dialog box, click Add/Remove
Windows Components.
4. In the Windows Components dialog box, highlight Management and
Monitoring Tools, then click Details.
5. In the Management and Monitoring Tools dialog box, select the
check box next to Network Monitor Tools and click OK.
6. In the Windows Components Wizard dialog box, click Next.
7. When prompted, insert your Windows 2000 compact disc into your
computer's CD-ROM drive and click OK. Close the Microsoft
Windows 2000 CD dialog box. Windows 2000 installs Network
Monitor.
8. In the Completing the Windows Components Wizard screen,
click Finish.
9. Close Add/Remove Programs. Close Control Panel.
10. Select Start ➪ Programs ➪ Administrative Tools ➪ Network Monitor.
11. In the Network Monitor – Select Default Network dialog box,
click OK.
12. In the Select a network dialog box, click the + next to Local
Computer. Then highlight the first network adapter shown in the list.
Click OK.
13. Maximize the Microsoft Network Monitor dialog box. Maximize the
Capture Window dialog box.
14. In the Microsoft Network Monitor Capture Window dialog box,
select Capture ➪ Start. Wait five minutes. During the capture period,
monitor the % Network Utilization bar graph. Then select Capture ➪
Stop.
15. Select Capture ➪ Display Captured Data. In the Capture Summary
dialog box, double-click one of the packets that was captured, and
view the packet detail.
16. Close the Microsoft Network Monitor Capture Summary dialog box.
When prompted to save the capture, click No. If you are prompted to
save the address database, click No.

Part 3: Using Windows Task Manager to Manage Processes


In this part you use Windows Task Manager to start and stop processes and
to change a process’s base priority.
1. Start Windows Task Manager. (Press Ctrl+Shift+Esc.)
2. In the Windows Task Manager dialog box, click the Processes tab.
3. On the Processes tab, select File ➪ New Task.
4. In the Create New Task dialog box, type pinball, then click OK.
5. Pinball opens on your desktop, behind Task Manager. Notice that
PINBALL.EXE appears in the Windows Task Manager processes list.
Highlight PINBALL.EXE, then click End Process.
6. A Task Manager Warning dialog box appears. Click Yes. Pinball is
stopped and no longer appears in the processes list.
7. Select File ➪ New Task.
8. In the Create New Task dialog box, type pinball and click OK.
9. Right-click PINBALL.EXE in the processes list, and select Set
Priority ➪ Realtime from the menus that appear.
10. In the Task Manager Warning dialog box, click Yes.
11. Minimize the Windows Task Manager dialog box and start a game
of Pinball.
12. What happened? The Realtime setting has crashed your computer.
Power off your computer and reboot it to Windows 2000 Server. Log
on as Administrator.

Part 4: Optimizing the Server Service


In this part you use the Network and Dial-up Connections folder to
optimize the Server service on a Windows 2000 domain controller.
1. From the desktop, right-click My Network Places, then select
Properties from the menu that appears.
2. In the Network and Dial-up Connections folder, right-click
any Local Area Connection, then select Properties from the menu
that appears.
3. In the Local Area Connection Properties dialog box, highlight File
and Printer Sharing for Microsoft Networks, then click Properties.
4. In the File and Printer Sharing for Microsoft Networks Properties
dialog box, select the “Maximize data throughput for network appli-
cations” option. Click OK.
5. In the Local Area Connection Properties dialog box, click OK.
6. Close the Network and Dial-up Connections folder.

Part 5: Monitoring Access to Shared Folders


In this part you use the Shared Folders tool in Computer Management to
monitor access to shared folders on your Windows 2000 Server computer.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Computer
Management.
2. In the left pane of the Computer Management dialog box, click the +
next to Shared Folders.
3. In the left pane, highlight the Shares folder. In the right pane, view
the list of shared folders on your computer. Right-click the Apps
folder, and select Properties from the menu that appears.
4. View the properties of the Apps folder. In the Apps Properties dialog
box, click OK.
5. In the left pane, highlight the Sessions folder. In the right pane,
view the list of users that are currently connected to shared folders
on your computer. This is probably an empty list, unless you're on a
network.
6. In the left pane, highlight the Open Files folder. In the right pane,
view the list of files currently open in shared folders on this com-
puter. This is probably also an empty list.
7. Close Computer Management.

Answers to Chapter Questions


Chapter Pre-Test
1. System Monitor
2. System Monitor functions by using objects, instances, and counters.
3. The PhysicalDisk object is used to monitor hard disks.
4. Network Monitor captures network packets.
5. You can use Windows Task Manager to stop a process.
6. You can use the Shared Folders tool in Computer Management
to monitor shared network folders.
7. Usually, adding RAM is the best solution for poor memory
performance.
8. Fragmentation is a common hard disk problem that decreases hard
disk performance.

Assessment Questions
1. A. The Paging File-% Usage counter is used to measure the percent-
age of paging file utilization.
2. D. The Avg Disk Queue Length counter is used to measure the
average number of disk reads and writes waiting to be performed.
3. B. The Process object can be used to monitor application perfor-
mance. (The Thread object is also useful for this task.)
4. B. Configure a capture filter to specify that only packets using a
specific network protocol will be captured.
5. B. The Sessions folder lists the users currently connected to shared
files and folders on the computer.
6. C. By default, most applications are assigned a base priority of Normal.
7. B. Windows Task Manager is used to start and stop processes.
8. C. The Maximize data throughput for file sharing setting is the
default setting, and is appropriate for Windows 2000 Server comput-
ers that are functioning primarily as file servers. The Maximize data
throughput for network applications setting is the preferred setting
for domain controllers.

Scenarios
1. The problem in this scenario is most likely physical memory (RAM).
The computer does not have enough memory to handle all of the
application tasks. Use System Monitor to examine the Memory-
Pages/sec and the Paging File-% Usage counters to confirm the
memory problem. Your best and only practical solution is to add
more RAM to the computer.
2. The most likely cause of this problem is the computer's processor. You
should, however, rule out the possibility of insufficient RAM first. To
verify the cause of the problem, view the System Monitor Memory-
Pages/sec and the Processor-% Processor Time counters. You can
resolve this problem by upgrading the processor, adding an additional
processor, or removing some of the computer's workload.
3. In this scenario, the hard disk is either badly fragmented or is too
slow. First, defragment the drive, then check the disk by using the
System Monitor PhysicalDisk-% Disk Time and PhysicalDisk-Avg.
Disk Queue Length counters. If the disk is too slow, you can replace
it with a faster hard disk, or use a striped volume or RAID-5 volume.
4. In this scenario, there is probably too much traffic on the network
segment. Use Network Monitor to monitor % Network Utilization
on the segment. You can solve this problem by installing a router to
further segment the network.
5. The most likely cause of this problem is that the application's base
priority is set too low. Use Windows Task Manager or System
Monitor to view the application's base priority. To resolve the prob-
lem, use Windows Task Manager to end unnecessary processes that
may also be running. Then use Task Manager to raise the application's
base priority.
6. To optimize hard disk performance, first run Disk Defragmenter on
all disks, and implement a defragmentation plan so that disks are
defragmented on a regular basis. Next, make certain that all hard disks
and disk controllers are fast enough to handle the number of reads
and writes required of them. Finally, you can further optimize servers
that have two or more disks by configuring a striped volume, or, if
you have three or more disks, by configuring a RAID-5 volume.

EXAM MATERIAL: Directory Services

EXAM OBJECTIVES

Directory Services  Exam 70-217


■ Install, configure, and troubleshoot the components of Active
Directory.
■ Create sites.
■ Create subnets.
■ Create site links.
■ Create site link bridges.
■ Create connection objects.
■ Create global catalog servers.
■ Move server objects between sites.
■ Transfer Operations Master roles.
■ Manage Active Directory performance.
■ Monitor, maintain, and troubleshoot domain controller
performance.
■ Monitor, maintain, and troubleshoot Active Directory
components.
■ Manage and troubleshoot Active Directory replication.
■ Manage intersite replication.
■ Manage intrasite replication.

CHAPTER 22
Managing, Optimizing, and Troubleshooting Active Directory Performance

This chapter examines two advanced Active Directory topics: Active
Directory replication and Active Directory performance. It also explores
how to create, manage, and troubleshoot several Active Directory compo-
nents that affect replication and performance.
If you administer a small network, you’ll probably never need to use the
features I’m about to discuss. However, if you administer a large, complex
Windows 2000 network, you may find a few ideas in the following pages that
could improve the way Active Directory works on your network. In addition,
every subject in this chapter is fair game on the Directory Services exam.


Chapter Pre-Test
1. List the three replication partitions in Active Directory.
2. What is intrasite replication?
3. What is intersite replication?
4. What Windows 2000 Server service is responsible for generating
the replication topology?
5. Until _________ _________ are created and assigned to a site, the
site has no definition and no functionality — it’s just an empty
Active Directory object.
6. True or False: Bridging is automatically configured for all site
links, by default.
7. What are the five operations master roles?
8. What tool can you use to specifically monitor Active Directory
Replication?

Overview of Active Directory Replication


The term replication, as applied to Active Directory, refers to the process of
copying information — and information updates — from the Active
Directory data store on one domain controller to other domain con-
trollers.The purpose of replication is to synchronize Active Directory data
among the domain controllers in the domain and forest.
Replication of Active Directory is usually partial, meaning that only
changes, and not a complete copy of the Active Directory data store, are
copied. Typically the only time a complete replication is performed is
when you install a new domain controller on the network.
Windows 2000 automatically performs replication in Windows 2000
domains or forests that are fully contained within a single site. Because of
this, unless your network consists of multiple sites, you’ll probably never
have to worry about configuring Active Directory replication. In fact, you
can skip the rest of this chapter — unless, of course, you want to pass the
Directory Services exam.

EXAM TIP
Study this chapter carefully before you take the Directory Services exam.
This chapter alone covers material for 15 of this exam’s objectives. Make
sure you’re thoroughly comfortable with Active Directory replication
before you spend the time and money to take this exam.

For the most part, Windows 2000 Active Directory uses a multimaster
replication model. In multimaster replication, changes can be made on any
domain controller. In addition, changes made on any domain controller are
replicated to all other domain controllers. No one domain controller con-
trols changes made to Active Directory or Active Directory replication, and
so Active Directory is said to use a multimaster model.This is in contrast to
synchronization in Windows NT 4.0, which uses a single-master model,
and all changes to objects are controlled by the primary domain controller.
Active Directory uses update sequence numbers (USNs), along with
stamps, to track changes made to objects stored in the Active Directory
data store. Each domain controller keeps its own USN counter and incre-
ments it for every write it makes, whether the write originates locally or
arrives through replication. When an object (or any of its attributes) is
changed, the changed attribute is given a stamp that contains a version
number, a timestamp, and the GUID of the domain controller on which the
change originated. Because each Active Directory object exists on all
domain controllers in the domain, during

replication, Active Directory must compare the USNs and stamps of each
object being replicated to determine which version of the object is the
most current. Active Directory replicates only the most current version of
each object, and only replicates objects that have changed since the last
time replication occurred.
In the next few sections I’ll explain three basic Active Directory replica-
tion concepts: replication partitions, intrasite replication, and intersite
replication.
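The following PowerShell is an added illustration of the bookkeeping just described, not Microsoft's implementation: two domain controllers are modelled as hashtables, each originating write increments that DC's USN and stamps the attribute, a pull copies only the writes above the high-watermark USN recorded for that partner, and a conflict is settled by version, then timestamp, then originating DSA GUID. It is simplified (stamps are kept per attribute, the GUID tie-break compares the string form) and every name and value in it is constructed.

```powershell
# Added illustration (not Microsoft's code) of USNs, stamps, and high-watermarks.
# Each DC has its own USN counter, objects keyed by DN, and the last source USN
# it has seen from each partner. All names and values are constructed.

function New-Dc {
    param([string]$Name)
    @{ Name = $Name; Dsa = [guid]::NewGuid(); Usn = 0; Objects = @{}; HighWatermark = @{} }
}

function Set-Attribute {
    # Originating write: increment the local USN and stamp the attribute with
    # its version, originating time and originating DSA GUID.
    param($Dc, [string]$Dn, [string]$Attr, $Value, [datetime]$Time = (Get-Date))
    if (-not $Dc.Objects.ContainsKey($Dn)) { $Dc.Objects[$Dn] = @{} }
    $old = $Dc.Objects[$Dn][$Attr]
    $version = if ($old) { $old.Version + 1 } else { 1 }
    $Dc.Usn++
    $Dc.Objects[$Dn][$Attr] = @{ Value = $Value; Version = $version; Time = $Time; Dsa = $Dc.Dsa; Usn = $Dc.Usn }
}

function Test-StampWins {
    # $true when $Incoming should replace $Current: higher version wins, then the
    # later originating time, then (deterministically) the higher DSA GUID.
    param($Incoming, $Current)
    if (-not $Current) { return $true }
    if ($Incoming.Version -ne $Current.Version) { return $Incoming.Version -gt $Current.Version }
    if ($Incoming.Time -ne $Current.Time) { return $Incoming.Time -gt $Current.Time }
    return $Incoming.Dsa.ToString() -gt $Current.Dsa.ToString()
}

function Invoke-Replication {
    # $Dest pulls from $Source only the writes whose source USN lies above the
    # watermark $Dest last recorded for $Source; returns how many were applied.
    param($Source, $Dest)
    $since = 0
    if ($Dest.HighWatermark.ContainsKey($Source.Name)) { $since = $Dest.HighWatermark[$Source.Name] }
    $applied = 0
    foreach ($dn in @($Source.Objects.Keys)) {
        foreach ($attr in @($Source.Objects[$dn].Keys)) {
            $stamp = $Source.Objects[$dn][$attr]
            if ($stamp.Usn -le $since) { continue }
            if (-not $Dest.Objects.ContainsKey($dn)) { $Dest.Objects[$dn] = @{} }
            if (Test-StampWins -Incoming $stamp -Current $Dest.Objects[$dn][$attr]) {
                $Dest.Usn++
                $copy = $stamp.Clone()       # keep the originating stamp...
                $copy.Usn = $Dest.Usn        # ...but record a local USN for onward replication
                $Dest.Objects[$dn][$attr] = $copy
                $applied++
            }
        }
    }
    $Dest.HighWatermark[$Source.Name] = $Source.Usn
    return $applied
}

# Constructed scenario: one clean replication, then a conflicting edit on both sides.
$dc1 = New-Dc 'DC1'; $dc2 = New-Dc 'DC2'
$alice = 'CN=Alice,OU=Staff,DC=corp,DC=example'
Set-Attribute $dc1 $alice 'telephoneNumber' '555-0100'
Invoke-Replication -Source $dc1 -Dest $dc2              # DC2 receives version 1
Set-Attribute $dc1 $alice 'telephoneNumber' '555-0101'   # version 2 originates on DC1
Set-Attribute $dc2 $alice 'telephoneNumber' '555-0198'   # version 2 originates on DC2
Set-Attribute $dc2 $alice 'telephoneNumber' '555-0199'   # version 3 on DC2
Invoke-Replication -Source $dc1 -Dest $dc2              # DC1's version 2 loses to version 3
Invoke-Replication -Source $dc2 -Dest $dc1              # DC1 adopts DC2's value
$dc1.Objects[$alice]['telephoneNumber'].Value
```

The second pull from DC1 copies nothing even though DC1's USN has moved, because the stamp comparison decides the winner, not the USN; the USN only decides which writes a partner needs to look at. The last write on DC2 wins here on version count, not on time, which is why two administrators editing the same attribute in different sites can each see their own change "win" until the next replication cycle.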

CROSS-REFERENCE
If it’s been a while since you’ve read Chapter 2, you might want to reread
it now before you try to take on the many complex Active Directory con-
cepts in this chapter.

Replication Partitions
The information contained in the Active Directory data store is logically
separated into three categories, which Microsoft calls partitions. Each of
these partitions is replicated separately, on a partition-by-partition basis,
and is replicated to a specified set of replication partners. The Active
Directory replication partitions are:
■ Schema partition: This partition contains the rules that define
how objects are created within a forest. The schema partition is
replicated to all domain controllers in the forest.
■ Configuration partition: This partition contains information
about the logical structure of Active Directory for the entire forest,
including the structure and use of domains, trees, sites, and trust
relationships within the forest. The configuration partition is repli-
cated to all domain controllers in the forest.
■ Domain partition: This partition contains complete, detailed
information about every object in the domain. The domain parti-
tion is replicated only to the domain controllers within this domain.

Intrasite Replication
Intrasite replication is Active Directory replication that takes place within a sin-
gle site. A site, as you may remember, consists of one or more TCP/IP sub-
nets, which are specified by an administrator and are connected by
high-speed, reliable links. Sites do not necessarily correspond to domains:
you can have two or more sites within a single domain, or you can have mul-
tiple domains in a single site. A site is solely a grouping based on IP subnets.
Windows 2000, by default, automatically performs intrasite replication.
Because intrasite replication takes place between domain controllers
within the same site, and all of the TCP/IP subnets in a site are connected
by high-speed links, intrasite replication is fast. Windows 2000 uses the
Remote Procedure Call (RPC) over IP protocol for intrasite replication.
All intrasite replication is sent in an uncompressed format.
Windows 2000 automatically determines which domain controllers in a
site will replicate with other domain controllers in the site.The Windows
2000 Server service that makes this determination is called the Knowledge
Consistency Checker (KCC).The KCC, which runs on all Windows 2000
domain controllers, builds a list of connections between domain con-
trollers within a site, and these connections dictate the path that replication
takes between domain controllers. The list of connections that the KCC
generates is called the replication topology.
By design, the KCC builds the replication topology to ensure that:
■ Changes made to any object on any domain controller will be
replicated to every domain controller in the site.
■ Active Directory updates will pass through no more
than three connections between the domain controller on which
the change is made and any other domain controller in the site. (In
routing terms, this would be considered a maximum of three hops.)
Although Windows 2000 automatically creates the replication topology
within a site, you can add additional connections to this topology to opti-
mize replication within a site. I’ll discuss how to create these intrasite con-
nections later in this chapter.
Intrasite replication, by default, takes place once every hour if no
changes are made. If a change is made to an Active Directory object, the
domain controller on which the change is made initiates intrasite replica-
tion with all of its connection partners within five minutes after the change
is made. In addition, domain controllers that receive replication updates
from other domain controllers also initiate intrasite replication within five
minutes after receiving such an update. Because updates are replicated
across no more than three connections (hops), this means that any change
made to an object is replicated to all domain controllers in the site within
15 minutes.

Intersite Replication
Intersite replication is Active Directory replication that takes place between
sites. Unlike intrasite replication, intersite replication is not automatically
configured and performed by Windows 2000.An Administrator must man-
ually create and configure sites and other Active Directory components
before intersite replication will occur.
Because intersite replication takes place between domain controllers in different sites that are typically separated by WAN links, intersite replication is normally slower than intrasite replication, and often should be scheduled by the administrator so that use of network bandwidth for replication is minimized during the network’s peak activity hours. All intersite replication is sent in a compressed format to save network bandwidth.
Two different Windows 2000 protocols can be used for intersite replication: Remote Procedure Call (RPC) over IP, and Simple Mail Transfer Protocol (SMTP). RPC over IP is the preferred protocol and requires the use of fully routed TCP/IP connections between sites. RPC over IP is faster than SMTP.
However, if you don’t have fully routed TCP/IP connections between sites, SMTP is your only choice. SMTP can also be used when fully routed TCP/IP connections exist between sites (but this is not recommended) or when other protocols that support SMTP (such as X.400) are used between sites. Another reason SMTP is not recommended is that it can only be used to replicate the schema and configuration partitions. You can’t use SMTP to replicate the domain partition.

Managing Components that Affect Replication
There are numerous Active Directory components that affect replication, and I’ll introduce you to them shortly. Many of these components must be created by an Administrator, and, once created, must be configured, maintained, or both. Since Windows 2000 automatically configures and performs intrasite replication, the emphasis of this section is on intersite replication, and the Active Directory components involved in this process.
In the following sections, I’ll define and discuss how to create and configure sites, subnets, site links, site link bridges, and global catalog servers.
Chapter 22 ▼ Managing, Optimizing, and Troubleshooting Active Directory Performance 1419

I’ll also explain how to move server objects between sites, and how to manage and maintain operations master roles.

Creating Sites
Sites provide a means of grouping computers so that required services (such as logon and authentication) are provided by nearby computers instead of by computers located across costly, slow links. If your network consists of several locations that are connected by slow-to-medium speed WAN links, you might want to consider using sites to manage your network.
Active Directory replication uses sites to determine replication areas and their boundaries. Intrasite replication occurs freely and automatically over high-speed local area connections. Intersite replication, in contrast, can be carefully controlled by an administrator to limit the amount of replication traffic transmitted over WAN links.
When Active Directory is installed, Windows 2000 creates a single, original site named Default-First-Site-Name. All other sites must be manually created by the Administrator. You can use the Active Directory Sites and Services administrative tool to create and manage sites. Active Directory Sites and Services is available on all domain controllers, and on all other Windows 2000 computers on which the ADMINPAK has been installed.

EXAM TIP
The primary tool for creating and configuring Active Directory components and replication is Active Directory Sites and Services. I recommend you use this tool to practice creating sites and other components that affect replication. You’ll be glad you did.

STEP BY STEP

CREATING SITES

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Sites and Services.
2. The AD Sites and Services dialog box appears, as shown in Figure 22-1. In the left pane of the AD Sites and Services dialog box, right-click the Sites container, and select New Site from the menu that appears.

FIGURE 22-1 Active Directory Sites and Services

3. In the New Object – Site dialog box, enter a name for the new site. Then select a site link object for this site from the list box. If you have not yet created any site links, highlight DEFAULTIPSITELINK. Click OK.
4. Active Directory confirms that the site has been created, as shown in Figure 22-2. Notice the various tasks you should perform to complete the configuration of the site. I’ll explain how to perform many of these tasks in the sections that follow. Click OK.

FIGURE 22-2 Active Directory message: a site has been created

5. The new site appears in the AD Sites and Services dialog box. Close Active Directory Sites and Services.

If you want to configure your newly created site, right-click the site in Active Directory Sites and Services, and select Properties from the menu that appears. In the site’s Properties dialog box you can configure a description of the site, the location of the site, and Active Directory permissions for the site object. You can also view the object’s properties, and create and configure Group Policy objects (GPOs) for the site in this dialog box.

Creating Subnets
A site, by definition, is a grouping of TCP/IP subnets. Before you created an additional site, you never really had to think about subnets, because when only the default site exists, Windows 2000 assumes that if no subnets are specified, all existing subnets belong to the default site.
However, now that you’ve created one or more additional sites, you must specify the TCP/IP subnets that belong to each site. Until subnet objects are created and assigned to a site, the site has no definition and no functionality — it’s just an empty Active Directory object.
You can create and manage subnets, like sites, by using Active Directory Sites and Services.

STEP BY STEP

CREATING AND ASSIGNING SUBNETS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Sites and Services.
2. In the left pane of the AD Sites and Services dialog box, click the + next to the Sites container. Then right-click the Subnets container, and select New Subnet from the menu that appears.
3. The New Object – Subnet dialog box appears. In the Address text box, type in the IP address of the subnet. In the Mask text box, type in the subnet mask for the subnet. Then, highlight the site to which you want to assign this subnet from the list in the lower portion of the dialog box. Figure 22-3 shows this dialog box after it has been configured. Click OK.
4. The subnet is created and assigned. Close Active Directory Sites and Services.

FIGURE 22-3 Creating a new subnet object in Active Directory

Creating Site Links
A site link is an object in Active Directory that specifies a list of two or more sites that are connected to each other, the cost associated with the site link, and a replication schedule. The KCC uses site link information to determine the path over which replication between sites will occur. Site links can be configured to use either IP or SMTP for intersite replication.
Normally, an administrator assigns a low cost to a site link that is associated with two sites when those two sites are connected by a high-speed WAN link. Conversely, the administrator assigns a high cost to a site link when two sites are connected by a low-speed WAN link.
You may remember that when you created your first additional site that you had to select a site link object for that site. The only site link object you could choose was a site link named DEFAULTIPSITELINK. If your company has only two sites, using the default site link is all you need to do.

If you have more than two sites, you should manually create a site link for each pair of sites that are connected to each other. Normally, an administrator creates a site link for each WAN link used by the company’s network. Because of this practice, a site link is usually associated with exactly two sites. Figure 22-4 shows two common configurations of site links.

FIGURE 22-4 Common site link configurations (diagram: site links Seattle-Boston and Boston-Miami connecting Seattle, Boston, and Miami; site links Houston-Denver, Houston-Omaha, and Houston-New York connecting Houston to Denver, Omaha, and New York)

However, it’s possible to create a site link that is associated with more than two sites. In this situation, the site link implies that each site associated with the site link has a WAN link connection to every other site associated with the site link. This configuration also implies that the WAN links are of the same speed and cost. Figure 22-5 shows one site link that is associated with three sites. Note that there are three WAN links involved, and that each WAN link has the same speed.

FIGURE 22-5 Using a single site link for three sites (diagram: site link Paris-London-Munich; T1 links between London, Paris, and Munich)

Site links can be configured to use either IP or SMTP for intersite replication.

CAUTION
You should decide which protocol you want to use for intersite replication before you create a site link — you can’t change a site link’s protocol after it is created.

Site links, like other site components, are created and managed by using Active Directory Sites and Services.

STEP BY STEP

CREATING AND CONFIGURING SITE LINKS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Sites and Services.
2. In the left pane of the AD Sites and Services dialog box, click the + next to the Sites container. Click the + next to the Inter-Site Transports container. Then right-click either the IP or SMTP container, depending on which protocol you want the site link to use.

TIP
When you select the IP container, you’re actually selecting the RPC over IP protocol.

Select New Site Link from the menu that appears.
3. In the New Object – Site Link dialog box, type in a name for the site link. Site links are often named for the sites with which they are associated. For example, a site link associated with sites located in Seattle and Denver might be called Seattle-Denver.
Next, in the “Sites not in this site link” list box, highlight the sites you want to associate with this site link. Click Add to move these sites to the “Sites in this site link” list box. A site link must contain at least two sites. Click OK.
4. The site link is created. In the left pane of the AD Sites and Services dialog box, highlight either the IP or SMTP container, depending on which container you created your site link in. Then, in the right pane, double-click the site link you just created.
5. The site link’s Properties dialog box appears, as shown in Figure 22-6.

FIGURE 22-6 Configuring a site link

On the General tab, you can enter a description for the site link. You can also add and remove sites from the site link.
You can also assign a higher or lower cost to the site link. The default cost associated with a new site link is 100. The range for this setting is 1 – 32,767.
You can change the replication interval, which is 180 minutes (3 hours), by default. This setting must be changed in 15 minute increments.
Finally, you can schedule when intersite replication can and can’t occur by clicking Change Schedule and configuring a replication schedule. (This dialog box looks and works just like the dialog box used to set a user’s logon hours.)
Make any needed configurations on the General tab. You can view the object’s properties by clicking the Object tab, and you can set Active Directory permissions for the site link object by clicking the Security tab.
When you finish configuring the site link, click OK.
6. Close Active Directory Sites and Services.

Creating Site Link Bridges
A site link bridge is an Active Directory object that groups two or more site links in order to create a “virtual site link” between all of the sites specified by the grouped site links. The purpose of a site link bridge is to enable replication between sites that use site links but that are not directly associated with each other via site links.
Here’s an example of how a site link bridge might work. Suppose that you have three sites: Site A, Site B, and Site C. You use two site links, Site_Link A-B, and Site_Link B-C. However, sites A and C are not directly associated by a site link. Figure 22-7 shows this site link configuration.

FIGURE 22-7 Site links between Site A, Site B, and Site C (diagram: Site_Link A-B connects Site A and Site B; Site_Link B-C connects Site B and Site C)

You can create a site link bridge that specifies Site_Link A-B and Site_Link B-C. This site link bridge would enable Site A to replicate data to Site C by using Site_Link A-B and Site_Link B-C.

So why would you ever want to use a site link bridge? Well, the fact of the matter is that in the large majority of cases, you would never want to use a site link bridge, because by default, all site links are bridged. This means that replication takes place between all sites, by default, even if a specific pair of sites is not directly associated by the use of site links. So, going back to my earlier example, this means replication will occur between Site A and Site C even if I never configure the site link bridge.
So why am I even talking about site link bridges? Well, for one reason, because they’re tested on the Directory Services exam. And because an administrator of an extremely large, complex network might someday want to disable Active Directory’s automatic bridging feature and manually configure site link bridges so he or she can finely control how intersite replication occurs.
Before you create a site link bridge, you should disable Active Directory’s feature that automatically bridges all site links. Then, after you create site link bridges, you should be prepared to maintain and update your site link bridges every time you add or remove a site or a site link.
Site link bridges, like other site components, are created and managed by using Active Directory Sites and Services.

STEP BY STEP

CREATING A SITE LINK BRIDGE

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Sites and Services.
2. In the left pane of the AD Sites and Services dialog box, click the + next to the Sites container. Click the + next to the Inter-Site Transports container. Then right-click either the IP or SMTP container, depending on the protocol for which you want to disable the automatic site link bridging feature. Select Properties from the menu that appears.

TIP
When you disable automatic site link bridging, it is disabled for all site links that use the selected protocol, either IP or SMTP.

3. In the IP (or SMTP) Properties dialog box, clear the check box next to “Bridge all site links.” Click OK.
4. In the left pane, right-click the IP or SMTP container, depending on the protocol for which you want to create a site link bridge. Select New Site Link Bridge from the menu that appears.

5. In the New Object – Site Link Bridge dialog box, enter a name for the site link bridge in the Name text box. Then, in the “Site links not in this site link bridge” list box, highlight the site links that you want to associate with this site link bridge. Click Add to cause these site links to be moved to the “Site links in this site link bridge” list box. Click OK.
6. The site link bridge is created. Close Active Directory Sites and Services.
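The following is an added example, not code from the book, that works through the site link cost rules and the bridging behavior described above: it models site links (two or more sites, a cost from 1 to 32,767, default 100), the “Bridge all site links” setting, and explicit site link bridges, then finds the least-cost route between two sites, showing that Site A can reach Site C only while links are bridged. The site names, costs, and class names are constructed for illustration.

```python
"""Cheapest intersite replication path over Active Directory site links.

Added example (not code from the book): models the site link objects the
chapter describes, the "Bridge all site links" setting and explicit site
link bridges, and finds the least-cost route available between two sites.
All site names, link names and costs below are constructed for illustration.
"""
import heapq
from itertools import combinations
from typing import Dict, List, Optional, Sequence, Tuple

DEFAULT_COST = 100             # default cost assigned to a new site link
MIN_COST, MAX_COST = 1, 32767  # allowed range for the cost setting


class SiteLink:
    """A site link: a name, two or more sites, and a cost."""

    def __init__(self, name: str, sites: Sequence[str], cost: int = DEFAULT_COST):
        if len(sites) < 2:
            raise ValueError(f"{name}: a site link must contain at least two sites")
        if not MIN_COST <= cost <= MAX_COST:
            raise ValueError(f"{name}: cost must be between {MIN_COST} and {MAX_COST}")
        self.name, self.sites, self.cost = name, list(sites), cost

    def edges(self):
        # A link with more than two sites implies a connection of equal cost
        # between every pair of its sites (the Paris-London-Munich case).
        for a, b in combinations(self.sites, 2):
            yield a, b, self.cost


class SiteLinkBridge:
    """Groups site links so replication can be routed transitively across them."""

    def __init__(self, name: str, links: Sequence[SiteLink]):
        self.name, self.links = name, list(links)


def _cheapest_in_group(links: Sequence[SiteLink], src: str, dst: str
                       ) -> Optional[Tuple[int, List[str]]]:
    """Dijkstra over the links of one transitive group; returns (cost, link names)."""
    adj: Dict[str, List[Tuple[str, int, str]]] = {}
    for link in links:
        for a, b, cost in link.edges():
            adj.setdefault(a, []).append((b, cost, link.name))
            adj.setdefault(b, []).append((a, cost, link.name))
    if src not in adj or dst not in adj:
        return None
    best = {src: 0}
    prev: Dict[str, Tuple[str, str]] = {}
    heap = [(0, src)]
    while heap:
        dist, node = heapq.heappop(heap)
        if node == dst:
            break
        if dist > best[node]:
            continue                      # stale heap entry
        for nxt, cost, link_name in adj[node]:
            new_dist = dist + cost        # site link costs are additive
            if new_dist < best.get(nxt, float("inf")):
                best[nxt] = new_dist
                prev[nxt] = (node, link_name)
                heapq.heappush(heap, (new_dist, nxt))
    if dst not in best:
        return None
    path, node = [], dst
    while node != src:                    # walk back to recover the links used
        node, link_name = prev[node]
        path.append(link_name)
    return best[dst], path[::-1]


def replication_path(links: Sequence[SiteLink], src: str, dst: str,
                     bridge_all: bool = True,
                     bridges: Sequence[SiteLinkBridge] = ()
                     ) -> Optional[Tuple[int, List[str]]]:
    """Least-cost route between two sites, or None if dst cannot be reached.

    With bridge_all (the Windows 2000 default) every site link is transitive.
    With it cleared, a route may only cross several links when an explicit
    site link bridge groups them; a single link still works on its own.
    """
    if bridge_all:
        groups = [list(links)]
    else:
        groups = [[link] for link in links] + [bridge.links for bridge in bridges]
    found = [r for r in (_cheapest_in_group(g, src, dst) for g in groups) if r]
    return min(found) if found else None


# Constructed sample topology, following the chapter's Site A/B/C example
# and the three-site Paris-London-Munich link.
LINK_AB = SiteLink("Site_Link A-B", ["Site A", "Site B"])    # default cost 100
LINK_BC = SiteLink("Site_Link B-C", ["Site B", "Site C"])    # default cost 100
BRIDGE_ABC = SiteLinkBridge("Bridge A-B-C", [LINK_AB, LINK_BC])
LINK_EUROPE = SiteLink("Paris-London-Munich", ["Paris", "London", "Munich"], cost=50)

if __name__ == "__main__":
    print(replication_path([LINK_AB, LINK_BC], "Site A", "Site C"))
    print(replication_path([LINK_AB, LINK_BC], "Site A", "Site C", bridge_all=False))
    print(replication_path([LINK_AB, LINK_BC], "Site A", "Site C",
                           bridge_all=False, bridges=[BRIDGE_ABC]))
    print(replication_path([LINK_EUROPE], "Paris", "Munich"))
```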

Creating Global Catalog Servers
A global catalog server is a Windows 2000 domain controller that has an additional duty — it maintains the global catalog. You may recall that the global catalog is a master, searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and, in addition, contains a partial replica of all objects in Active Directory for every other domain in the forest.
A global catalog server performs two important functions: It provides group membership information during logon and authentication, and it helps users locate resources in Active Directory.
By default, the first domain controller established in a domain serves as the global catalog server. And, by default, there is only one global catalog server in each domain. For small domains that are fully contained within a single site, this is a good idea, but on multisite networks you might choose to have one or more global catalog servers in each site. In a multisite network, because global catalog servers are used for logon and authentication, and because users commonly search the global catalog to locate objects, it’s often beneficial to have these services performed by a nearby server, rather than by a server located on the other side of a slow WAN link.
When multiple global catalog servers are used in a single domain, only the normal replication between domain controllers occurs — no additional replication within the domain occurs. When multiple global catalog servers are used in a multiple domain environment, additional replication between the domains occurs, because each global catalog server maintains a partial replica of all Active Directory objects for every other domain in the forest, in addition to a full replica of all Active Directory objects in its own domain.

You can establish additional global catalog servers by using Active Directory Sites and Services.

STEP BY STEP

CREATING AN ADDITIONAL GLOBAL CATALOG SERVER

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Sites and Services.
2. In the left pane of the AD Sites and Services dialog box, click the + next to the Sites container. Click the + next to the site that contains the domain controller which you want to configure as an additional global catalog server. Click the + next to the Servers container. Click the + next to the specific server you want to configure. Right-click NTDS Settings, and select Properties from the menu that appears.
3. In the NTDS Settings Properties dialog box, select the check box next to Global Catalog. Click OK.
4. The server is now configured as a global catalog server. Close Active Directory Sites and Services.

Moving Server Objects Between Sites
When you first install Active Directory on the first domain controller on your Windows 2000 network, Active Directory automatically adds a server object for the domain controller to the Servers container in the default site. If you install additional domain controllers on your network before you create sites, server objects for these domain controllers are also added to the Servers container in the default site.

TIP
It’s kind of confusing, but domain controllers actually have two objects in Active Directory. One object is stored in the Domain Controllers container within a domain, and the second is stored in the Servers container within a site.

When you later create sites, the server objects for the existing domain controllers will not automatically be moved to the Servers container in the appropriate site, even if the IP addresses of these domain controllers belong to a subnet that has been created and associated with one of the new sites.

An administrator must manually move the Active Directory server object for the existing domain controller to the appropriate site.
It’s a different story, however, when new domain controllers are created after sites and subnets have been established. When a new domain controller is installed after sites are created, Active Directory automatically adds a server object for the new domain controller to the Servers container in the site to which its IP address belongs.
If you need to move the server objects for existing domain controllers to a different site, the following steps show you how to accomplish this task.

STEP BY STEP

MOVING SERVER OBJECTS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Sites and Services.
2. In the left pane of the AD Sites and Services dialog box, click the + next to the Sites container. Click the + next to the site that contains the domain controller object you want to move. Click the + next to the Servers container. Right-click the server object you want to move, and select Move from the menu that appears.
3. The Move Server dialog box appears, as shown in Figure 22-8.

FIGURE 22-8 Moving a server object

Highlight the site to which you want to move the server object. Click OK.
4. The server is moved. Close Active Directory Sites and Services.

After you’ve moved servers into your new sites, you may want to specify a particular domain controller in each site that will be used for intersite replication. This domain controller is called the bridgehead server. The KCC automatically chooses a bridgehead server for each site, but you can manually override the KCC’s choice.
When you designate a domain controller as a preferred bridgehead server, it’s generally a good idea to specify the domain controller located closest to the router that connects the two sites.

STEP BY STEP

DESIGNATING A BRIDGEHEAD SERVER

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Sites and Services.
2. In the left pane of the AD Sites and Services dialog box, click the + next to the Sites container. Click the + next to the site that contains the domain controller you want to designate as a bridgehead server for the site. Click the + next to the Servers container. Right-click the desired server, and select Properties from the menu that appears.
3. The server’s Properties dialog box appears, as shown in Figure 22-9. Notice the “This server is a preferred bridgehead server for the following transports” list box.

FIGURE 22-9 Specifying a bridgehead server

In the “Transports available for inter-site data transport” list box, highlight the protocol (or protocols) for which this server will function as a bridgehead server for this site. Click Add to move this protocol (or protocols) to the “This server is a preferred bridgehead server for the following transports” list box. Click OK.
4. Close Active Directory Sites and Services.

Managing and Maintaining Operations Master Roles
When Microsoft designed Windows 2000, its goal was to have every domain controller equal — instead of having a primary domain controller (PDC) and backup domain controllers (BDCs) like Windows NT 4.0 had, Microsoft wanted to have one class of domain controller that could perform every domain controller–related task.
However, when Microsoft implemented Active Directory, it discovered that a purely multimaster design just wasn’t going to work for Windows 2000. Although most domain controller–related tasks can be performed by any domain controller, a few critical tasks had to be limited to one domain controller in a domain, or to one domain controller in a forest. The result — a largely multimaster design, with some restricted single master operations. These operations are called flexible single master operations (FSMO). The term flexible refers to the fact that an administrator can choose which domain controller will perform the particular restricted single master operation.
There are five different types of flexible single master operations roles (often called operations master roles) that a domain controller can perform: schema master, domain naming master, PDC emulator, relative ID master, and infrastructure master. Each of these roles defines a specific set of flexible single master operations that only the domain controller assigned to that role can perform.

CROSS-REFERENCE
See the “Understanding Flexible Single Master Operations (FSMO)” section in Chapter 2 for detailed descriptions of each of the operations master roles.

When you first install Active Directory on the first domain controller in the forest, that domain controller automatically assumes all five of the operations master roles. As you add domain controllers, you can manually reassign or transfer these operations master roles to other domain controllers as needed.
In the following sections I’ll explain how to transfer operations master roles and how to seize operations master roles.

Transferring Operations Master Roles
You should carefully consider which domain controllers on your network will perform each of the operations master roles. In general, when selecting a server that will perform an operations master role, the server should be located in a site that is central to your network. The goal here is that the server should be easily accessible from any computer on the network.
In addition, a domain controller that performs an operations master role should be highly reliable, because there’s only one server that performs the specialized operations, and if it’s not available, those operations can’t be performed.

TIP
Microsoft recommends that the infrastructure master role be assigned to a domain controller that does not also function as a global catalog server. However, the infrastructure master should have a high-speed network connection to a global catalog server.

If you need to shut down a domain controller that performs an operations master role for maintenance, it’s important that you transfer that server’s role to another domain controller on the network so that network operations are not interrupted.
The tool you use to transfer an operations master role to another domain controller depends on the role you want to transfer. If you want to transfer the relative ID master, the PDC emulator, or the infrastructure master role, you can use Active Directory Users and Computers. If you want to transfer the schema master role you can use the Active Directory snap-in to the MMC. If you want to transfer the domain naming master role you can use Active Directory Domains and Trusts. Finally, you can transfer any operations master role by using the ntdsutil.exe command-line utility.

The first step in transferring an operations master role is connecting to the domain controller to which the role will be transferred. In the following section I’ll show you how to transfer an operations master role by using Active Directory Users and Computers.

STEP BY STEP

TRANSFERRING OPERATIONS MASTER ROLES

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Users and Computers.
2. In the left pane of the Active Directory Users and Computers dialog box, right-click Active Directory Users and Computers (server_name) at the top of the tree, and select Connect to Domain Controller from the menu that appears.
3. In the Connect to Domain Controller dialog box, highlight the domain controller to which you want to transfer an operations master role, so that this server appears in the “Change to” text box. (This is not the computer that is currently performing the operations master role, but the computer to which you want to reassign the role.) Click OK.
4. In the left pane of the Active Directory Users and Computers dialog box, right-click the domain in which you want to transfer operations master roles, and select Operations Masters from the menu that appears.
5. The Operations Master dialog box appears, as shown in Figure 22-10. Notice the three tabs in this dialog box: RID, PDC, and Infrastructure.
Click the tab associated with the type of operations master role you want to transfer. The “Operations master” list box displays the name of the server currently performing the selected role.
To transfer the operations master role to the server displayed in the second list box, click Change.
6. In the Active Directory confirmation dialog box, click Yes to transfer the operations master role.
7. Active Directory displays a message indicating that the role was successfully transferred. Click OK.
8. In the Operations Master dialog box, click OK.
9. Close Active Directory Users and Computers.

FIGURE 22-10 Transferring an operations master role

Seizing Operations Master Roles
When a domain controller that performs an operations master role fails, and you decide (for whatever reason) to never bring this server back on-line, you should reassign the operations master role this domain controller performed to another domain controller. This process is called “seizing” operations master roles.

CAUTION
If you bring a domain controller that previously performed an operations master role back on-line after its role has been seized, serious Active Directory problems may result. Never seize a role unless you’re sure the server that failed will not be used again on your network.

Microsoft didn’t go out of their way to make seizing an operations master role an easy task to perform — and this is probably a good thing. You can only perform this task by using the ntdsutil.exe command-line utility.
As with transferring an operations master role, the first step in the “seizing” process is to connect to the domain controller to which the role (that was performed by the failed server) will be assigned.

STEP BY STEP

SEIZING AN OPERATIONS MASTER ROLE

1. Select Start ➪ Programs ➪ Accessories ➪ Command Prompt.
2. At the command prompt, type ntdsutil and press Enter.
3. At the ntdsutil prompt, type roles and press Enter.
4. At the fsmo maintenance prompt, type connections and press Enter.
5. At the server connections prompt, type connect to server FQDN_of_server_you_want_to_connect_to and press Enter.
6. At the server connections prompt, type quit and press Enter.
7. At the fsmo maintenance prompt, type seize role_you_want_to_transfer and press Enter. For example, you could type seize PDC, seize RID master, seize schema master, seize domain naming master, or seize infrastructure master.

TIP
If you want to use the ntdsutil.exe command-line utility to transfer roles, instead of typing seize (and the name of the role), type transfer and the name of the role.

8. A Role Seizure Confirmation Dialog box appears. Click Yes to seize the role.
9. At the fsmo maintenance prompt, type quit and press Enter.
10. At the ntdsutil prompt, type quit and press Enter.
11. At the command prompt, type Exit.

Managing Active Directory Replication
Now that you understand what Active Directory replication is, and are familiar with the numerous Active Directory components that affect replication, you’re ready to decide if you want to manually manage intrasite or intersite replication, or if Windows 2000’s default configurations for replication will be adequate for your network.
You can manage both intrasite replication and intersite replication. However, there are substantially fewer things you can do to manage intrasite replication than intersite replication. You can use the Active Directory Sites and Services administrative tool to manage Active Directory replication.
In the next two sections I’ll explain some of the ways you can manage intrasite and intersite replication.

Managing Intrasite Replication


Because intrasite replication is automatically configured and performed by
Windows 2000, administrators don't normally need to do much to manage
it. One task that is commonly performed, however, is to specify the schedule
Active Directory will use for replication, thereby controlling when
scheduled replication takes place.

TIP
You can configure when scheduled replication takes place, but you can't
schedule update replication, which is triggered by change notification
rather than by the clock.

Here’s how you can change when scheduled Active Directory intrasite
replication occurs.

STEP BY STEP

CHANGING WHEN SCHEDULED REPLICATION OCCURS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Sites and


Services.
2. In the left pane of the AD Sites and Services dialog box, click the + next to the
Sites container. Then highlight the site for which you want to configure the
replication schedule. In the right pane, right-click NTDS Site Settings, and select
Properties from the menu that appears.
3. In the NTDS Site Settings Properties dialog box, click Change Schedule.

STEP BY STEP Continued

4. The Schedule for NTDS Site Settings dialog box appears, as shown in Figure
22-11. Notice that, by default, replication is scheduled to occur once per hour,
seven days a week, 24 hours a day.

FIGURE 22-11 Scheduling replication

You can configure, for each hour of each day, whether scheduled replication will
occur once per hour, twice per hour, four times per hour, or not at all. For example,
maybe you don’t want replication to occur during the hours you schedule for tape
backup throughout the site. To make these configurations, highlight the hour(s) you
want to configure, then select the appropriate option for that time period.

CAUTION
If you select the “None” option for all days and all hours, replication will
not occur until you manually force it to do so. This is not a preferred
practice.

When you finish configuring the replication schedule for the site, click OK.
5. In the NTDS Site Settings Properties dialog box, click OK.
6. Close Active Directory Sites and Services.

In addition to configuring the Active Directory replication schedule,
you might want to manually configure the replication topology within a
site. Every 15 minutes the KCC automatically generates the replication
topology, and by doing so determines which domain controllers in a site
will replicate with one another. The KCC does this by generating connections
between pairs of domain controllers that it determines should replicate
with one another. Normally, an administrator can just let the KCC do
its job, because the default replication settings will work just fine.
It's possible, however, in some instances, that the administrator might
want to manually specify replication partners. It's really a rare occasion
when any administrator might do this in real life, but let me try to dream
up a plausible scenario. Suppose that you want to ensure that Active
Directory updates are replicated to all domain controllers in the site within
five minutes, instead of the roughly 15 minutes that the default topology
can take. To accomplish this, you could modify the replication topology in
such a way to ensure that updates from any domain controller need to pass
through no more than one connection (hop) between domain controllers
(instead of the normal maximum of three). To implement this change to the
replication topology, you'd need to create connection objects between each
domain controller and every other domain controller in the site.
Connection objects don't replace the KCC replication topology.
Instead, connection objects are used in addition to the connections created
by the KCC. The only exception to this rule is if you create a connection
object for a connection automatically generated by the KCC; in this
case, the KCC won't duplicate your efforts by replicating twice over the
specified connection.
When creating connection objects, keep in mind that these connections
specify a one-way (inbound) communications path: a connection object
under a server names the partner that server pulls changes from. In order
for two domain controllers to replicate with each other, you need to create
two connection objects, one on each server that points at the other server.
You can create connection objects by using Active Directory Sites and
Services.

STEP BY STEP

CREATING CONNECTION OBJECTS

1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Sites and


Services.
2. In the left pane of the AD Sites and Services dialog box, click the + next to the
Sites container. Click the + next to the site that contains the domain controller for
which you want to create a new connection. Click the + next to the Servers
container. Click the + next to the desired server. Under the server, highlight NTDS
Settings. The server's existing connections (both the connections automatically
generated by the KCC and any manually created connections) are displayed in
the right pane, as shown in Figure 22-12.

STEP BY STEP Continued

FIGURE 22-12 Viewing replication connections

Select Action ➪ New Active Directory Connection.


3. In the Find Domain Controllers dialog box, double-click the domain controller
in the list to which you want the domain controller you selected in Step 2 to
connect.
4. In the New Object – Connection dialog box, click OK.
5. After you’ve created a connection object, you can manually run the KCC to force
an update of the replication topology. To do this, in the left pane of the AD Sites
and Services dialog box, right-click NTDS Settings, and select All Tasks ➪ Check
Replication Topology.
6. In the Check Replication Topology dialog box, click OK.
7. To update your view of the server's connections, in the AD Sites and Services
dialog box, select Action ➪ Refresh. The server's current connections are
displayed in the right pane.
8. Close Active Directory Sites and Services.

TIP
If you create a connection that duplicates an automatically generated
connection, the next time the KCC runs it will delete the duplicate
automatically generated connection.
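As an added example (not from the book), the following PowerShell script builds the full mesh described above with the System.DirectoryServices API behind PowerShell's [ADSI] accelerator rather than by clicking through Active Directory Sites and Services. It enumerates the domain controllers in one site from the Configuration partition and, for every ordered pair, creates an inbound nTDSConnection object under the receiving server's NTDS Settings unless an administrator-created one is already there. KCC-generated connections are not treated as satisfying a pair, because the KCC may remove them on a later pass; per the tip above, it will instead drop its own duplicate once the manual object exists. Assumptions (all hypothetical): Windows PowerShell on a domain member, an account allowed to write the Configuration partition, and a site named Seattle. Without -Apply the script only reports what it would create.

```powershell
# Added example, not from the book: create the full-mesh intrasite topology the
# text describes, one inbound nTDSConnection object per ordered pair of domain
# controllers, using the System.DirectoryServices API behind the [ADSI]
# accelerator. Assumptions (hypothetical): Windows PowerShell on a domain
# member, an account that can write the Configuration partition, and a site
# named Seattle. Without -Apply the script only reports what it would create.
param(
    [string] $SiteName = 'Seattle',
    [switch] $Apply
)

$rootDse  = [ADSI] 'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$servers  = [ADSI] "LDAP://CN=Servers,CN=$SiteName,CN=Sites,$configNc"

# Connection objects live under each server's NTDS Settings object, so map
# every domain controller in the site to that object.
$ntds = @{}
foreach ($server in $servers.Children) {
    if ($server.SchemaClassName -ne 'server') { continue }
    $serverDn = $server.Properties['distinguishedName'].Value
    $ntds[$server.Properties['cn'].Value] = [ADSI] "LDAP://CN=NTDS Settings,$serverDn"
}
if ($ntds.Count -lt 2) { throw "Site $SiteName has fewer than two domain controllers." }

$created = 0
foreach ($to in $ntds.Keys) {
    # A connection object is one-way and inbound: the object under $to names in
    # fromServer the partner $to pulls from. A pair therefore needs one on each side.
    # Only administrator-created objects count as already present; a KCC-generated
    # one (options bit 0x1 set) may be deleted by the KCC on a later pass.
    $manualFrom = @()
    foreach ($child in $ntds[$to].Children) {
        if ($child.SchemaClassName -ne 'nTDSConnection') { continue }
        if (([int] $child.Properties['options'].Value -band 1) -eq 0) {
            $manualFrom += $child.Properties['fromServer'].Value
        }
    }
    foreach ($from in $ntds.Keys) {
        if ($from -eq $to) { continue }
        $fromDn = $ntds[$from].Properties['distinguishedName'].Value
        if ($manualFrom -contains $fromDn) {
            "$to <- $from : manual connection already exists, skipping"
            continue
        }
        "$to <- $from : creating manual connection object"
        $created++
        if ($Apply) {
            $conn = $ntds[$to].Children.Add("CN=Mesh-From-$from", 'nTDSConnection')
            $conn.Properties['fromServer'].Value        = $fromDn
            $conn.Properties['enabledConnection'].Value = $true
            $conn.Properties['options'].Value           = 0   # 0 = not generated by the KCC
            $conn.CommitChanges()
        }
    }
}
"$created connection object(s) $(if ($Apply) { 'created' } else { 'would be created' })"
```

Run it once without -Apply and confirm the count equals n*(n-1) for n domain controllers before running it again with -Apply; a full mesh of manual objects is also a full mesh the KCC will never prune, so remember to delete them when a domain controller is decommissioned.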

Managing Intersite Replication


The most important aspect of managing intersite replication is the planning
you do before you ever implement it. As you know, intersite replication
is not automatically configured and performed by Windows 2000; an
administrator must manually create and configure various Active
Directory components before intersite replication will occur. I've told you
about the components involved in intersite replication throughout this
chapter so far, but before you rush right out and create them on your
network, you need to have a plan.
There are several questions you should ask yourself when planning for
intersite replication:
■ How many sites do I really need, and what are their boundaries?
■ Do I have enough domain controllers and global catalog servers to
implement these sites, and to service the clients located in these sites?
■ Which protocol should I use for intersite replication, RPC over IP
or SMTP?
■ Do I need to create site links, or can I use the default IP site link?
■ If I need site links, how will I determine the cost to associate with
each site link, so that each site link is used appropriately?
■ If I need site links, do I also need to create site link bridges, or
should I use Active Directory’s automatic bridging feature?
■ Do I need to designate bridgehead servers, or can any domain
controller in the site perform this function?
■ Are my operations master roles being performed by the appropriate
domain controllers, or do I need to transfer some of these roles
to other servers?
Once you’ve answered these questions, you should have the information
you need to solidify your plan for intersite replication. From there, it’s just
a matter of mechanics, the creating and configuring of the components
you will use on your network.

Managing Active Directory Performance


If you have a relatively small network and a lot of bandwidth, why bother
managing Active Directory performance? After all, you probably don't
need to, right? Wrong. What if you don't have enough domain controllers
to service all of your client requests, or if your domain controllers don't
have enough RAM or processor power to adequately perform their duties?
You do have at least two domain controllers, in case one fails, don't you?
Performance is a common network concern. And it can be a critical
issue on large networks, especially on those that are connected by slow
WAN links.
Managing Active Directory performance is generally a two-step process.
First, you monitor performance of domain controllers and other Active
Directory components to determine if there is currently a performance
problem, and, if so, to isolate where that problem is occurring. Second, you
use this data to help you optimize the performance of Active Directory.
There are several tools you can use to help you manage and monitor
Active Directory performance. In addition to the Active Directory
management tools you're already familiar with (Active Directory Users and
Computers, Active Directory Sites and Services, and Active Directory
Domains and Trusts), you can also use System Monitor and Active
Directory Replication Monitor to monitor Active Directory performance.
In the next two sections I’ll explain how to use these tools to monitor
and optimize the performance of Active Directory.

Monitoring Performance of Domain Controllers and Other Active Directory Components

Because all of the Active Directory components I've discussed in this
chapter (such as sites, subnets, site links, site link bridges, global catalog
servers, and so on) are found on Windows 2000 domain controllers, one
approach to monitoring these objects is to monitor the domain controllers
themselves. You might also want to monitor Active Directory replication itself.
There are two primary tools you can use to monitor these items. You
can use System Monitor to monitor performance of domain controllers
and replication. You can also use Active Directory Replication Monitor to
monitor replication.

System Monitor counters that you might find helpful for monitoring
performance of domain controllers include:
■ Memory - Pages/sec
■ Network Interface - Bytes Total/sec
■ Processor - % Processor Time
■ PhysicalDisk - Avg. Disk Queue Length
These counters will help you determine if the system resources, such as
memory, disk, processor, and network, are sufficient for the domain
controller. In addition, domain controllers have an additional object in
System Monitor that is useful for monitoring domain controller operations
and replication. The object is named NTDS, and it has numerous counters.
A couple of counters that are particularly useful for monitoring replication are:
■ NTDS - DRA Outbound Bytes Total/sec
■ NTDS - DRA Inbound Bytes Total/sec
These counters measure the amount of replication traffic sent and
received by the domain controller. Because intrasite replication is not
compressed and intersite replication is, the NTDS object also splits this
traffic by origin. If you want to monitor only intrasite traffic, use the
counters that measure uncompressed traffic only, such as DRA Inbound
Bytes Not Compressed (Within Site)/sec. To monitor only intersite traffic,
use the counters that measure compressed traffic only, such as DRA
Inbound Bytes Compressed (Between Sites, After Compression)/sec.

CROSS-REFERENCE
Details on how to use System Monitor are presented in Chapter 21.
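As an added example (not from the book), the script below samples the same counters from PowerShell and flags a sustained bottleneck, so that the "consistently over 70 percent" judgement in the troubleshooting table later in this chapter is made from a series of readings rather than one glance at a graph. It assumes Windows PowerShell 2.0 or later running on a domain controller (Get-Counter does not exist on Windows 2000 itself, where the same counters are read in System Monitor). The 70 percent processor threshold is the one this chapter uses; the paging and disk-queue thresholds are illustrative starting points only.

```powershell
# Added example, not from the book: sample the System Monitor counters the text
# recommends from PowerShell and flag sustained bottlenecks. Assumptions
# (hypothetical): Windows PowerShell 2.0 or later running on a domain
# controller (Get-Counter is not available on Windows 2000 itself; there the
# same counters are read in System Monitor). The 70 percent processor threshold
# comes from the chapter's troubleshooting table; the other two are illustrative
# starting points only.
param(
    [int] $Samples = 12,
    [int] $IntervalSeconds = 5
)

$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Bytes Total/sec',
    '\Processor(_Total)\% Processor Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    # Intrasite replication is not compressed and intersite replication is,
    # so these two split inbound replication traffic by origin.
    '\NTDS\DRA Inbound Bytes Not Compressed (Within Site)/sec',
    '\NTDS\DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec'
)

$sets = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples

# Average each counter over the run. Get-Counter returns one sample per network
# interface instance; those are folded into a single total.
$average = @{}
foreach ($set in $sets) {
    foreach ($sample in $set.CounterSamples) {
        $name = $sample.Path -replace '^\\\\[^\\]+', ''     # drop the \\machine prefix
        if ($name -like '\Network Interface(*') { $name = '\Network Interface\Bytes Total/sec' }
        if (-not $average.ContainsKey($name)) { $average[$name] = 0.0 }
        $average[$name] += $sample.CookedValue / $Samples
    }
}

# Hashtable keys are case-insensitive, which matters because Get-Counter
# reports counter paths in lower case.
$thresholds = @{
    '\Processor(_Total)\% Processor Time'          = 70   # chapter's table
    '\Memory\Pages/sec'                            = 20   # illustrative
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = 2    # illustrative
}

foreach ($name in ($average.Keys | Sort-Object)) {
    $flag = ''
    if ($thresholds.ContainsKey($name) -and $average[$name] -gt $thresholds[$name]) {
        $flag = '   <-- sustained over threshold'
    }
    '{0,-72} {1,12:N1}{2}' -f $name, $average[$name], $flag
}
```

Twelve samples five seconds apart is a one-minute window; lengthen it for a bridgehead server whose intersite traffic arrives in bursts on the site link schedule, otherwise a quiet minute will hide the peak.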

Active Directory Replication Monitor is a Windows 2000 Server tool
specifically designed to monitor Active Directory replication. With Active
Directory Replication Monitor you can monitor replication on specific
domain controllers, view the replication topology (connections) on a
server-by-server basis, view replication statistics for each replication
partition on each domain controller, and so on. You can also manually force
replication of a partition (or of all partitions on a domain controller) to
occur by using this tool.
Active Directory Replication Monitor is not installed by default. You can
install Active Directory Replication Monitor by installing the Windows
2000 Support Tools from the Windows 2000 Server compact disc.

STEP BY STEP

INSTALLING ACTIVE DIRECTORY REPLICATION MONITOR

1. Insert your Windows 2000 server compact disc into your computer’s CD-ROM
drive. When the Microsoft Windows 2000 CD dialog box appears, click Browse
This CD.
2. In the right pane, double-click the SUPPORT folder. Double-click the TOOLS
folder. Double-click SETUP.
3. The Windows 2000 Support Tools Setup wizard starts. Click Next.
4. In the User Information screen, type your name and organization. Click Next.
5. In the Select An Installation Type screen, select the Typical option. Click Next.
6. In the Begin Installation screen, click Next.
7. Windows 2000 installs the Support Tools. In the Completing the Windows 2000
Support Tools Setup Wizard screen, click Finish.
8. Close the TOOLS dialog box. Close the Microsoft Windows 2000 CD dialog box.

Now that you’ve installed the Windows 2000 Support Tools, you can use
Active Directory Replication Monitor.

STEP BY STEP

USING ACTIVE DIRECTORY REPLICATION MONITOR

1. Select Start ➪ Run.


2. In the Run dialog box, type replmon and click OK.
3. The Active Directory Replication Monitor dialog box appears. Select Edit ➪ Add
Monitored Server.
4. The Add Monitored Server wizard starts. Select the "Search the directory for the
server to add" option. Then select the domain in which you want to monitor
replication from the drop-down list box. Click Next.
5. In the Add Server to Monitor dialog box, click the + next to the site that contains
the domain controller you want to monitor. Highlight the domain controller you
want to monitor. Click Finish.

STEP BY STEP Continued

6. Repeat Steps 3 through 5 until you’ve added all of the domain controllers you
want to monitor. Figure 22-13 shows Active Directory Replication Monitor after
four servers have been added. Notice that for each server the three replication
partitions are displayed: schema, configuration, and domain. Also notice that
when you expand a replication partition, a list of domain controllers to which that
partition is replicated is displayed.

FIGURE 22-13 Monitoring replication partitions and servers

Also notice that when a server is highlighted in the left pane, replication statistics
for that server are displayed in the right pane. Finally, notice the globe on the
server named NAT. This globe indicates that this server is a global catalog server.
7. To manually force replication to occur on any of the partitions displayed, right-click
the partition, and select Synchronize This Directory Partition with All Servers from
the menu that appears.
8. In the Synchronizing Naming Context with Replication Partners dialog box, click OK.
9. In the Replication Monitor confirmation dialog box, click Yes to force replication to
occur. When notified that the synchronization completed successfully, click OK.
4701-1 ch22.f.qc 4/24/00 09:57 Page 1446

1446 Part V ▼ Monitoring, Optimizing, and Troubleshooting

STEP BY STEP Continued

10. To view the replication connections (which this tool calls replication topology)
for a domain controller, right-click the domain controller, then select Show
Replication Topologies from the menu that appears. Figure 22-14 shows
selecting this option. Notice all of the tasks you can perform and information
you can view for each server by using this tool.
11. In the View Replication Topology dialog box, select View ➪ Connection
Objects Only.
12. A graphical representation of the domain controllers you are monitoring is
displayed. Right-click any domain controller displayed, and select Show Intra-Site
Connections.

FIGURE 22-14 Selecting replication menu items

13. Active Directory Replication Monitor displays the connections from the selected
domain controller to all other monitored servers in the site to which the domain
controller has connections. Figure 22-15 shows the intrasite connections from
SERVER01 to three other domain controllers in the site.
Close the View Replication Topology dialog box.
14. Close Active Directory Replication Monitor.

STEP BY STEP Continued

FIGURE 22-15 Viewing a graphical representation of a server's replication connections

Optimizing Active Directory Performance


Once you've monitored the performance of domain controllers and Active
Directory replication on your network, you'll probably know if you have
any Active Directory performance problems. If monitoring doesn't
indicate any problems, and replication is working correctly (and not
excessively impacting other network traffic), you probably have a system that
doesn't require further optimization. If you do have some performance
problems, however, at least now you probably have a good idea where the
problems are.

If performance problems are indicated, here are a few things you might
choose to do to optimize Active Directory performance:
■ If monitoring indicates a hardware bottleneck on one or more
domain controllers (such as memory, disk, or processor), consider
upgrading the server's hardware or replacing the server with a
more powerful computer.
■ If users at a remote location (that does not have a domain
controller) report slow authentication and other Active Directory
operations, consider creating a site for the remote location and
placing one or more domain controllers, a DNS server, and a
global catalog server at the remote site.
■ If users within a site report slow authentication and other Active
Directory operations, consider adding one or more domain
controllers to the site.
■ If replication is consuming excessive amounts of network
bandwidth, either within a site or between sites, consider scheduling
replication to occur less frequently during peak usage hours.
■ If you become aware that an inappropriate domain controller is
being used for intersite replication, consider designating a more
appropriate domain controller as the bridgehead server for that site.

Troubleshooting Active Directory Components, Replication, and Performance

Active Directory is the most complex feature of Windows 2000. Because
of this, troubleshooting Active Directory components, replication, and
domain controller performance can be a detailed, painstaking task.
Sometimes the problem is readily apparent — like when a user can’t log on
to the domain. Other times, the problem is less apparent, but still an issue.
And sometimes a problem will even resolve itself, given a little time.
It's impossible to list all of the Active Directory problems you might
encounter on your network, but in Table 22-1 I've listed a few of the
problems you're most likely to encounter, along with some recommended
solutions for solving these problems.

TABLE 22-1 Active Directory Problems and Solutions

Problem: A user in your Los Angeles site reports that he can't log on using
his new user account. You created the user's account 10 minutes ago in your
New York site.
Possible cause/recommended solution: The most likely cause of this problem
is that the user's account information has not yet been replicated to the
Los Angeles site. Either wait for replication to occur, or force replication
to occur immediately by using either Active Directory Sites and Services or
Active Directory Replication Monitor.

Problem: You recently created additional sites, and created subnets for
these sites. However, users in the new sites are being authenticated by
domain controllers in the original site. In addition, uncompressed
replication traffic is being sent across a WAN link between sites.
Possible cause/recommended solution: The most likely cause of this problem
is that existing server objects have not been moved to the new sites. Move
the server objects for the domain controllers that are physically located in
the new sites to the appropriate site by using Active Directory Sites and
Services.

Problem: Monitoring indicates that processor utilization on one of your
domain controllers (that is also a global catalog server, a DNS server, a
DHCP server, and a WINS server) is consistently over 70 percent. Users
report slow response time from this server.
Possible cause/recommended solution: The possible causes of this problem
are: the server doesn't have enough RAM, or a fast enough processor; or the
server is overloaded; or both. Possible solutions include upgrading the
server's hardware or replacing the server with a more powerful computer.
Or, consider transferring some of the services currently provided by this
domain controller to another domain controller or server.

Problem: Users in one large site report slow logon authentication and long
computer boot times.
Possible cause/recommended solution: The most likely cause of this problem
is that the domain controllers in the site are overburdened by client
requests. Add one or more additional domain controllers to this site.

Problem: You recently disabled automatic bridging and created a site link
bridge. However, one of your sites is not receiving all replication updates
from the other sites.
Possible cause/recommended solution: The most likely cause of this problem
is that the site link to the site not receiving the replication updates is
not specified in the site link bridge. Reconfigure the site link bridge to
include the site link to the affected site, or create an additional site
link bridge, depending on your network and site configuration.

Problem: You are unable to create a new domain in the forest after the
failure of one of your domain controllers.
Possible cause/recommended solution: The most likely cause of this problem
is that the failed domain controller performed the domain naming master
role. Either bring the failed domain controller back on line, or have
another domain controller seize the domain naming master role. If you seize
it, the failed server must be rebuilt before it ever rejoins the network.

KEY POINT SUMMARY

This chapter introduced several important Windows 2000 Active Directory
replication and performance topics:
■ There are three replication partitions in Active Directory: the schema partition,
the configuration partition, and the domain partition.
■ Intrasite replication is Active Directory replication that takes place within a
single site. Windows 2000 automatically configures and performs intrasite
replication.
■ Intersite replication is Active Directory replication between sites. Unlike
intrasite replication, intersite replication is not automatically configured and
performed by Windows 2000, but must be manually configured by an
Administrator.
■ There are numerous Active Directory components that affect replication,
including sites, subnets, site links, and site link bridges. You can create and
manage all of these components by using Active Directory Sites and Services.
■ There are five operations master roles: schema master, domain naming master,
PDC emulator, relative ID master, and infrastructure master. You can manually
transfer these roles to different domain controllers if necessary.
■ You can manage intrasite replication by configuring when scheduled
replication will occur. You can also create connection objects to manually specify
replication partners if needed.
■ It’s important to have a comprehensive plan in place before you implement
intersite replication.
■ There are two primary tools you can use to monitor the performance of Active
Directory objects: System Monitor and Active Directory Replication Monitor.

STUDY GUIDE
This section contains several exercises that are designed to solidify your
knowledge about managing, optimizing, and troubleshooting Active
Directory replication and performance. These exercises will also help you
prepare for the Directory Services exam:
■ Assessment Questions: These questions test your knowledge of
the Active Directory replication and performance topics covered in
this chapter. You'll find the answers to these questions at the end of
this chapter.
■ Scenarios: The situation-based questions in scenarios challenge
you to apply your understanding of the material to solve a
hypothetical problem. In this chapter's scenarios, you are asked to
evaluate several replication and performance-related situations, and to
answer the questions that follow each scenario. You don't need to
be at a computer to do scenarios. Answers to this chapter's scenarios
are presented at the end of this chapter.
■ Lab Exercise: These exercises are hands-on practice activities
that you perform on a computer. The lab in this chapter gives
you an opportunity to practice creating various Active Directory
components.

Assessment Questions
1. You want to create additional sites to manage replication on your
Windows 2000 network. What tool should you use to create the sites?
A. Active Directory Users and Computers
B. Active Directory Domains and Trusts
C. Active Directory Sites and Services
D. Active Directory Replication Monitor
2. You recently created two additional sites on your Windows 2000
network, and created and assigned subnets to those sites. You had 20
existing domain controllers before you created the new sites. Eight
of these domain controllers will be used in the two new sites. What
should you do to ensure that intersite replication occurs?

A. Move the server objects for the eight domain controllers to their
new sites.
B. Add new objects to the Domain Controllers container for each of
the eight domain controllers.
C. Change the IP addresses of each of the eight domain controllers
so the IP addresses are within the range of IP addresses used by
subnets in the new sites.
D. Nothing — Active Directory will automatically move the server
objects for the eight domain controllers to their new sites.
3. You decide to add a global catalog server to your site. What tool
should you use to cause a domain controller to function as a global
catalog server?
A. Active Directory Users and Computers
B. Active Directory Sites and Services
C. Network and Dial-up Connections folder
D. The System application
4. You decide to transfer the infrastructure master role to a different
domain controller. There are five domain controllers in the domain.
To what domain controller should you not transfer the infrastructure
master role?
A. The domain controller that is also the schema master
B. The domain controller that is located physically close to a router
C. The domain controller located in the same site as your senior
network administrator
D. The domain controller that also is a global catalog server
5. What is the minimum number of sites you must have before you can
create a site link bridge?
A. 1
B. 2
C. 3
D. 4
6. You have fully routed TCP/IP connections between the three sites on
your Windows 2000 network. You want to accomplish replication as
quickly as possible between these sites. Which protocol should you
use for intersite replication?

A. RPC over IP
B. SMTP
C. DHCP Relay Agent
D. RIP Version 2 for Internet Protocol
7. You use two sites on your Windows 2000 network. You decide you
want to manually specify a particular domain controller in each site
that will be used for intersite replication. What should you do?
A. Create a site link to connect the two domain controllers.
B. Designate the desired domain controller in each site as a bridgehead
server.
C. Configure the desired domain controller in each site to be a
global catalog server.
D. Create a new connection object for the desired domain controller
in each site.
8. You want to view a graphic representation of the replication topology
connections on a specific domain controller. What tool should you
use to do this?
A. Active Directory Users and Computers
B. Active Directory Sites and Services
C. Active Directory Replication Monitor
D. Network and Dial-up Connections folder

Scenarios
Managing Active Directory components and replication on your network
can be an extremely complex task. For each of the following situations,
consider the given facts and answer the question or questions that follow.
1. Users in your large, rapidly expanding site report that searches of
Active Directory are becoming slower. What can you do to speed up
Active Directory search response time for users?
2. You recently created sites and subnets on your Windows 2000
network. Your company's existing domain controllers will be used in the
new sites. What should you do next?

3. You determine that the domain controller performing the infrastructure
master role is also a global catalog server. There are 25 domain
controllers in the domain. What should you do about this situation,
if anything?
4. You recently disabled automatic bridging on your Windows 2000
network and created a site link bridge. Now, all of the domain
controllers in a remote site are not receiving all replication updates from
other sites.
a. What is the most likely cause of this problem?
b. What should you do to resolve the problem?
5. Your company's Seattle site is experiencing rapid growth. Monitoring
indicates that utilization of the domain controllers in your Seattle site
is increasing as well. What should you do to manage and maintain
Active Directory performance as the site continues to grow?
6. Monitoring indicates that processor utilization on one of your
company's domain controllers is consistently over 70 percent. This domain
controller is also a global catalog server, a DNS server, a DHCP
server, and a RIS server. Users are reporting slow response time from
this domain controller.
a. What is the most likely cause of this problem?
b. What should you do to resolve the problem?
7. You recently created sites and subnets for the new sites. However,
when you use System Monitor, you determine that uncompressed
replication traffic is still being sent over your WAN links.
a. What is the most likely cause of this replication problem?
b. What should you do to resolve the problem?
8. You use Active Directory Replication Monitor to determine that the
domain controller in one of your sites that is being used for intersite
replication is physically located several subnets away from the router
that connects this site to other sites. What should you do to better
manage intersite replication?
9. Your company's network has five domain controllers in a single
location. You don't use sites. You want to ensure that Active Directory
updates are replicated to all five domain controllers as quickly as
possible. What should you do to achieve maximum speed of intrasite
replication?
Lab Exercise
Lab 22-1 Managing Active Directory Components that Affect Replication
(Directory Services exam material)
The purpose of this lab is to provide you with an opportunity to create and configure several Active Directory components that affect replication. First you rename the default site, then you create and configure sites, subnets, site links, and a site link bridge.
Begin this lab by booting your computer to Windows 2000 Server and logging on as Administrator.
1. Select Start ➪ Programs ➪ Administrative Tools ➪ Active Directory Sites and Services.
2. In the left pane of the AD Sites and Services dialog box, click the + next to the Sites container. Right-click the Default-First-Site-Name site, and select Rename from the menu that appears. Type in a new site name of Seattle and press Enter.
3. In the left pane of the AD Sites and Services dialog box, right-click the Sites container, and select New Site from the menu that appears.
4. In the New Object – Site dialog box, enter a name of Denver. Then highlight a site link object of DEFAULTIPSITELINK. Click OK.
5. Active Directory confirms that the site has been created. Click OK.
6. In the left pane of the AD Sites and Services dialog box, right-click the Sites container, and select New Site from the menu that appears.
7. In the New Object – Site dialog box, enter a name of Houston. Then highlight a site link object of DEFAULTIPSITELINK. Click OK.
8. Active Directory confirms that the site has been created. Click OK.
9. In the left pane of the AD Sites and Services dialog box, right-click the Subnets container, and select New Subnet from the menu that appears.
10. The New Object – Subnet dialog box appears. In the Address text box, type 192.168.0.0. In the Mask text box, type 255.255.255.0. Then, highlight the Seattle site in the Site Name list box. Click OK.
11. In the left pane of the AD Sites and Services dialog box, right-click the Subnets container, and select New Subnet from the menu that appears.
12. The New Object – Subnet dialog box appears. In the Address text box, type 192.168.101.0. In the Mask text box, type 255.255.255.0. Then, highlight the Denver site in the Site Name list box. Click OK.
13. In the left pane of the AD Sites and Services dialog box, right-click the Subnets container, and select New Subnet from the menu that appears.
14. The New Object – Subnet dialog box appears. In the Address text box, type 10.1.1.0. In the Mask text box, type 255.255.255.0. Then, highlight the Houston site in the Site Name list box. Click OK.
15. In the left pane of the AD Sites and Services dialog box, click the + next to the Inter-Site Transports container. Then right-click the IP container, and select New Site Link from the menu that appears.
16. In the New Object – Site Link dialog box, type in a name of Seattle-Denver. Next, in the “Sites not in this site link” list box, highlight Seattle and Denver. Click Add. Click OK.
17. In the left pane of the AD Sites and Services dialog box, right-click the IP container, and select New Site Link from the menu that appears.
18. In the New Object – Site Link dialog box, type in a name of Denver-Houston. Next, in the “Sites not in this site link” list box, highlight Denver and Houston. Click Add. Click OK.
19. In the left pane of the AD Sites and Services dialog box, right-click the IP container. Select Properties from the menu that appears.
20. In the IP Properties dialog box, clear the check box next to “Bridge all site links.” Click OK.
21. In the left pane of the AD Sites and Services dialog box, right-click the IP container. Select New Site Link Bridge from the menu that appears.
22. In the New Object – Site Link Bridge dialog box, type in a name of Seattle-Denver-Houston. Then, in the “Site links not in this site link bridge” list box, highlight Seattle-Denver and Denver-Houston. Click Add. Click OK.
23. The site link bridge is created. Close Active Directory Sites and Services.

Answers to Chapter Questions

Chapter Pre-Test
1. The three replication partitions in Active Directory are: the schema partition, the configuration partition, and the domain partition.
2. Intrasite replication is Active Directory replication that takes place within a single site. Windows 2000, by default, automatically performs intrasite replication.
3. Intersite replication is Active Directory replication between sites. Unlike intrasite replication, intersite replication is not automatically configured and performed by Windows 2000, but must be manually configured by an Administrator.
4. The Knowledge Consistency Checker (KCC)
5. Until subnet objects are created and assigned to a site, the site has no definition and no functionality — it’s just an empty Active Directory object.
6. True
7. The five operations master roles are: schema master, domain naming master, PDC emulator, relative ID master, and infrastructure master.
8. Active Directory Replication Monitor

Assessment Questions
1. C. Active Directory Sites and Services is the appropriate tool to create and manage sites.
2. A. You must use Active Directory Sites and Services to move the server objects for the eight domain controllers to their new sites.
3. B. Use Active Directory Sites and Services to modify the NTDS settings for the server object to configure the server as a global catalog server.
4. D. Microsoft recommends that you not transfer the infrastructure master role to the domain controller that also serves as a global catalog server. If you do this (and you have more than one domain controller in the domain), the infrastructure master won’t function.
5. C. Because you must have a minimum of two site links to create a site link bridge, and because each site link requires a minimum of two sites, you must have a minimum of three sites to create a site link bridge. See Figure 22-7.
6. A. RPC over IP and SMTP are the only replication protocols you can use, and RPC is much faster.
7. B. The server that is designated as the bridgehead server is used for intersite replication.
8. C. Although you can view a list of a specific domain controller’s replication connections by using Active Directory Sites and Services, Active Directory Replication Monitor is a better answer because it is the only tool that enables you to view a graphic representation of a server’s connections.

Scenarios
1. Probably the best thing you can do to speed up searches of Active Directory is to add an additional global catalog server to the site.
2. Use Active Directory Sites and Services to move the server objects (for the existing domain controllers that will be used in the new sites) to the new sites. You may also need to create and configure site links.
3. Either designate a different domain controller to function as the global catalog server (by using Active Directory Sites and Services), or transfer the infrastructure master role to a different domain controller (by using Active Directory Users and Computers or the ntdsutil.exe command-line utility).
When more than one domain controller is present in a domain, and the infrastructure master role is performed by the same domain controller that hosts the global catalog, the infrastructure master won’t work.
4. The most likely cause of this problem is that the site link to the site not receiving all replication updates is not included in the site link bridge. To resolve this problem, reconfigure the site link bridge to include the site link to the affected site, or create an additional site link bridge, depending on your network configuration.
5. To manage and maintain Active Directory performance, add additional domain controllers (and an additional global catalog server, if appropriate) in the Seattle site. This will maintain current desired performance levels, and prepare for future growth.
6. The most likely cause of this problem is that the server has too many services installed on it, or doesn’t have enough RAM or processor power to adequately perform all of its tasks. To resolve the problem, either transfer some of the services currently provided by this server to another domain controller or server, as appropriate, or upgrade the server’s hardware.
7. The most likely cause of this problem is that server objects for existing domain controllers have not been moved to the new sites. Move the server objects to the new sites by using Active Directory Sites and Services.
8. Use Active Directory Sites and Services to designate a domain controller that is located on the same subnet as the intersite router as the preferred bridgehead server for the site.
9. Use Active Directory Sites and Services to manually create connection objects between each domain controller and every other domain controller, so that every domain controller has four manually created connection objects.
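The site topology built in Lab 22-1, together with the failure modes behind scenario answers 4 and 7, as an added Python model that is not code from the book: the site, subnet and site link names are the lab's, while the domain controller names and addresses and the helper functions (`site_for_address`, `misplaced_server_objects`, `validate_bridge`, `connectable_sites`) are constructed for this illustration. It shows how a domain controller's IP address is matched to a site through the subnet objects, flags server objects that were never moved to the site their subnet belongs to, checks the two-links/two-sites minimum for a site link bridge, and computes which sites the Knowledge Consistency Checker may pair for intersite replication with and without a bridge.

```python
"""Added example (not from the book): a small model of the Lab 22-1 topology.
Site, subnet and link names are the lab's; DC names and addresses are
constructed for illustration."""
import ipaddress

# Subnet objects from Lab 22-1, mapped to the site each is assigned to.
SUBNETS = {
    "192.168.0.0/24": "Seattle",
    "192.168.101.0/24": "Denver",
    "10.1.1.0/24": "Houston",
}
# Site links from the lab (IP transport), each naming its member sites.
SITE_LINKS = {
    "Seattle-Denver": {"Seattle", "Denver"},
    "Denver-Houston": {"Denver", "Houston"},
}
# The site link bridge created in step 22 of the lab.
SITE_LINK_BRIDGES = {
    "Seattle-Denver-Houston": {"Seattle-Denver", "Denver-Houston"},
}
# Constructed domain controllers: name -> (IP address, site holding its server object).
SAMPLE_SERVERS = {
    "DC1": ("192.168.0.10", "Seattle"),
    "DC2": ("192.168.101.10", "Seattle"),   # server object never moved to Denver
    "DC3": ("10.1.1.10", "Houston"),
}


def site_for_address(addr, subnets=SUBNETS):
    """Site whose subnet object contains addr (most specific prefix wins),
    or None when no subnet object covers the address."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, site in subnets.items():
        network = ipaddress.ip_network(net)
        if ip in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, site)
    return best[1] if best else None


def misplaced_server_objects(servers, subnets=SUBNETS):
    """DCs whose server object sits in a different site from the one their
    subnet belongs to (the scenario 7 symptom: replication with them is
    treated as intrasite). Returns {dc: (site of server object, site implied
    by subnet)}."""
    result = {}
    for name, (ip, placed) in servers.items():
        expected = site_for_address(ip, subnets)
        if expected != placed:
            result[name] = (placed, expected)
    return result


def validate_bridge(bridge_links, site_links=SITE_LINKS):
    """Reject a bridge with fewer than two site links, or a member link with
    fewer than two sites; return the set of sites the bridge spans."""
    if len(bridge_links) < 2:
        raise ValueError("a site link bridge needs at least two site links")
    sites = set()
    for name in bridge_links:
        if len(site_links[name]) < 2:
            raise ValueError(f"site link {name} needs at least two sites")
        sites |= site_links[name]
    return sites


def connectable_sites(start, bridge_all=False, site_links=SITE_LINKS,
                      bridges=SITE_LINK_BRIDGES):
    """Sites the KCC may pair with `start` for intersite replication.
    Sites sharing a site link are always connectable. Sites joined only by a
    chain of links are connectable only when the whole chain lies inside one
    site link bridge, or when 'Bridge all site links' is on for the transport."""
    if bridge_all:
        groups = [set(site_links)]          # every link is transitive with every other
    else:
        groups = [set(links) for links in bridges.values()]
    groups += [{name} for name in site_links]  # a lone link still joins its own sites
    result = set()
    for group in groups:
        reached, frontier = {start}, [start]
        while frontier:                     # reachability restricted to this group
            site = frontier.pop()
            for name in group:
                if site in site_links[name]:
                    for other in site_links[name] - reached:
                        reached.add(other)
                        frontier.append(other)
        result |= reached
    result.discard(start)
    return result


if __name__ == "__main__":
    print("DC2 lands in:", site_for_address("192.168.101.10"))
    print("Misplaced server objects:", misplaced_server_objects(SAMPLE_SERVERS))
    print("Bridge spans:", validate_bridge(SITE_LINK_BRIDGES["Seattle-Denver-Houston"]))
    print("Seattle with the lab's bridge:", connectable_sites("Seattle"))
    print("Seattle with Denver-Houston left out:",
          connectable_sites("Seattle", bridges={"partial": {"Seattle-Denver"}}))
```

Leaving Denver-Houston out of the bridge still lets Seattle pair with Denver, because a site link joins its own two sites without any bridging; what disappears is the Seattle-to-Houston pairing that the bridge's transitivity provides. That is the configuration to check first when a site that is reached only through another site stops receiving updates.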
Appendix A
Windows 2000 MCSE Core Exam Objectives
In this appendix, you’ll find four tables listing the exam objectives for each of the four core Microsoft Windows 2000 MCSE certification exams. Each table is an exhaustive cross-reference chart that links every exam objective to the corresponding materials (text and labs) in this book where the subject matter is covered.
The tables you’ll find in this appendix are:

■ Table A-1: Exam 70-210 — Installing, Configuring, and Administering Microsoft Windows 2000 Professional
■ Table A-2: Exam 70-215 — Installing, Configuring, and Administering Microsoft Windows 2000 Server
■ Table A-3: Exam 70-216 — Implementing and Administering a Microsoft Windows 2000 Network Infrastructure
■ Table A-4: Exam 70-217 — Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure
1464 Resources

TABLE A-1 Exam 70-210 — Installing, Configuring, and Administering Microsoft Windows 2000 Professional

Exam Objective | Chapter | Section

Installing Windows 2000 Professional
Perform an attended installation of Windows 2000 Professional. | Chapter 3 | Hardware Requirements for Installation; Getting Ready to Install Windows 2000; The Installation Process
Perform an unattended installation of Windows 2000 Professional. | Chapter 19 | Using Setup Manager; Using an Answer File to Perform an Unattended Installation
Install Windows 2000 Professional by using Windows 2000 Server Remote Installation Services (RIS). | Chapter 19 | Using Remote Installation Services (RIS)
Install Windows 2000 Professional by using the System Preparation Tool. | Chapter 19 | Using Sysprep
Create unattended answer files by using Setup Manager to automate the installation of Windows 2000 Professional. | Chapter 19 | Creating an Answer File by Using Setup Manager
Upgrade from a previous version of Windows to Windows 2000 Professional. | Chapter 4 | Entire Chapter
Apply update packs to installed software applications. | Chapter 4 | Obtaining Upgrade Packs for Software; Upgrading to Windows 2000 Professional
Prepare a computer to meet upgrade requirements. | Chapter 4 | Preparing a Computer to Meet Upgrade Requirements
Deploy service packs. | Chapter 10 | Using Group Policy to Deploy Service Packs for Applications
Troubleshoot failed installations. | Chapter 3 | Troubleshooting Common Installation Problems

Implementing and Conducting Administration of Resources
Monitor, manage, and troubleshoot access to files and folders. | Chapter 11 | Managing File and Folder Attributes; Managing NTFS File and Folder Security; Taking Ownership of Files and Folders; Optimizing Access to Files and Folders; Troubleshooting Common Resource Access and Permission Problems
Configure, manage, and troubleshoot file compression. | Chapter 11 | Managing File and Folder Attributes; Using the Compress Attribute; Troubleshooting Common Resource Access and Permission Problems
Control access to files and folders by using permissions. | Chapter 11 | Managing NTFS File and Folder Security; Taking Ownership of Files and Folders
Optimize access to files and folders. | Chapter 11 | Optimizing Access to Files and Folders
Manage and troubleshoot access to shared folders. | Chapter 11 | Managing Shared Folders; Troubleshooting Common Resource Access and Permission Problems
Create and remove shared folders. | Chapter 11 | Sharing a Folder; Modifying a Share; Administrative Shares
Control access to shared folders by using permissions. | Chapter 11 | Shared Folder Permissions; How User and Group Permissions Combine
Manage and troubleshoot Web server resources. | Chapter 18 | Managing Web Services; Installing IIS Components; Configuring a Web Site; Using Personal Web Manager; Publishing Web Content; Creating a Virtual Directory; Managing Web Server Security; Monitoring Access to Files and Folders in Web Sites; Troubleshooting Web Services
Connect to local and network print devices. | Chapter 12 | Adding and Connecting to Printers; Sharing a Printer; Configuring Printer Properties
Manage printers and print jobs. | Chapter 12 | Adding and Connecting to Printers; Sharing a Printer; Configuring Printer Properties; Managing Print Jobs
Control access to printers by using permissions. | Chapter 12 | Configuring Printer Permissions
Connect to an Internet printer. | Chapter 12 | Connecting to Internet Printers
Connect to a local print device. | Chapter 12 | Adding and Connecting to Printers; Adding Local Plug and Play Printers; Adding Other Local Printers
Configure and manage file systems. | Chapter 6 | Working with File Systems; Creating and Formatting Partitions

Convert from one file system to another file system. | Chapter 6 | Converting from FAT or FAT32 to NTFS
Configure file systems by using NTFS, FAT32, or FAT. | Chapter 6 | Working with File Systems; Creating and Formatting Partitions

Implementing, Managing, and Troubleshooting Hardware Devices and Drivers
Implement, manage, and troubleshoot disk devices. | Chapter 6 | Implementing, Configuring, and Managing Disks and Volumes; Troubleshooting Disks and Volumes
Install, configure, and manage DVD and CD-ROM devices. | Chapter 5 | Add/Remove Hardware; Using Device Manager
Monitor and configure disks. | Chapter 6 | Implementing, Configuring, and Managing Disks and Volumes
Monitor, configure, and troubleshoot volumes. | Chapter 6 | Implementing, Configuring, and Managing Disks and Volumes; Troubleshooting Disks and Volumes
Monitor and configure removable media, such as tape devices. | Chapter 14 | Monitoring and Configuring Removable Media
Implement, manage, and troubleshoot display devices. | Chapter 5 | Display; Troubleshooting Desktop Settings and Video Adapters; Add/Remove Hardware; Using Device Manager; Troubleshooting Hardware
Configure multiple-display support. | Chapter 5 | Display; Configuring Display Settings and Multiple-Display Support
Install, configure, and troubleshoot a video adapter. | Chapter 5 | Display; Troubleshooting Desktop Settings and Video Adapters; Add/Remove Hardware; Using Device Manager; Troubleshooting Hardware
Implement, manage, and troubleshoot mobile computer hardware. | Chapter 5 | Add/Remove Hardware; Power Options; Using Device Manager; Configuring and Managing Card Services; Troubleshooting Hardware
Configure Advanced Power Management (APM). | Chapter 5 | Configuring Advanced Power Management (APM)
Configure and manage card services. | Chapter 5 | Configuring and Managing Card Services
Implement, manage, and troubleshoot input and output (I/O) devices. | Chapter 5 | Add/Remove Hardware; Using Device Manager; Troubleshooting Hardware
Monitor, configure, and troubleshoot I/O devices, such as printers, scanners, multimedia devices, mouse, keyboard, and smart card reader. | Chapter 5, Chapter 12 | Add/Remove Hardware; Using Device Manager; Troubleshooting Hardware; Keyboard; Mouse; Scanners and Cameras; Sounds and Multimedia; Configuring Printer Properties; Troubleshooting Common Printing Problems
Monitor, configure, and troubleshoot multimedia hardware, such as cameras. | Chapter 5 | Sounds and Multimedia; Scanners and Cameras; Add/Remove Hardware; Using Device Manager; Troubleshooting Hardware
Install, configure, and manage modems. | Chapter 15 | Installing and Configuring Modems; Installing Modems; Configuring Modems
Install, configure, and manage Infrared Data Association (IrDA) devices. | Chapter 5 | Add/Remove Hardware; Using Device Manager; Wireless Link; Scanners and Cameras
Install, configure, and manage wireless devices. | Chapter 5 | Add/Remove Hardware; Using Device Manager; Wireless Link; Scanners and Cameras
Install, configure, and manage USB devices. | Chapter 5 | Add/Remove Hardware; Using Device Manager
Update drivers. | Chapter 5 | Uninstalling, Disabling, Enabling, and Updating Device Drivers
Monitor and configure multiple processing units. | Chapter 5 | Upgrading from a Single Processor to Multiple Processors
Install, configure, and troubleshoot network adapters. | Chapter 5 | Add/Remove Hardware; Using Device Manager; Troubleshooting Hardware

Monitoring and Optimizing System Performance and Reliability
Manage and troubleshoot driver signing. | Chapter 5 | Managing Driver Signing
Configure, manage, and troubleshoot the Task Scheduler. | Chapter 5 | Scheduled Tasks Folder
Manage and troubleshoot the use and synchronization of offline files. | Chapter 5 | Configuring and Troubleshooting Offline Files
Optimize and troubleshoot performance of the Windows 2000 Professional desktop. | Chapter 21 | Optimizing and Troubleshooting Performance; Optimizing and Troubleshooting Memory Performance; Optimizing and Troubleshooting Processor Performance; Optimizing and Troubleshooting Disk Performance; Optimizing and Troubleshooting Network Performance; Optimizing and Troubleshooting Application Performance
Optimize and troubleshoot memory performance. | Chapter 21 | Optimizing and Troubleshooting Memory Performance
Optimize and troubleshoot processor utilization. | Chapter 21 | Optimizing and Troubleshooting Processor Performance
Optimize and troubleshoot disk performance. | Chapter 21 | Optimizing and Troubleshooting Disk Performance
Optimize and troubleshoot network performance. | Chapter 21 | Optimizing and Troubleshooting Network Performance
Optimize and troubleshoot application performance. | Chapter 21 | Optimizing and Troubleshooting Application Performance
Manage hardware profiles. | Chapter 5 | Creating and Managing Hardware Profiles
Recover systems and user data. | Chapter 14 | Recovering User Data and System State Data; Using Backup to Restore User Data; Using Backup to Restore System State Data
Recover systems and user data by using Windows Backup. | Chapter 14 | Recovering User Data and System State Data; Using Backup to Restore User Data; Using Backup to Restore System State Data
Troubleshoot system restoration by using Safe Mode. | Chapter 14 | Using Safe Mode to Troubleshoot and Restore a System
Recover systems and user data by using the Recovery Console. | Chapter 14 | Using the Recovery Console to Restore a System

Configuring and Troubleshooting the Desktop Environment
Configure and manage user profiles. | Chapter 9 | Managing User Profiles
Configure support for multiple languages or multiple locations. | Chapter 5 | Configuring Support for Multiple Languages and Locations
Enable multiple-language support. | Chapter 5 | Adding Support for Your Language and Location; Configuring Support for Multiple Languages and Locations
Configure multiple-language support for users. | Chapter 5 | Adding Support for Your Language and Location; Configuring Support for Multiple Languages and Locations
Configure local settings. | Chapter 5 | Configuring Local Settings
Configure Windows 2000 Professional for multiple locations. | Chapter 5 | Configuring Support for Multiple Languages and Locations
Install applications by using Windows Installer packages. | Chapter 10 | Configuring Group Policy Settings to Manage Software Deployment; Preparing Software for Deployment; Deploying and Maintaining Software by Using Group Policy
Configure and troubleshoot desktop settings. | Chapter 5 | Display; Troubleshooting Desktop Settings and Video Adapters
Configure and troubleshoot fax support. | Chapter 5 | Fax; Add/Remove Hardware; Device Manager; Troubleshooting Hardware
Configure and troubleshoot accessibility services. | Chapter 5 | Accessibility Options

Implementing, Managing, and Troubleshooting Network Protocols and Services
Configure and troubleshoot the TCP/IP protocol. | Chapter 16 | Configuring TCP/IP; Troubleshooting TCP/IP Configuration Problems
Connect to computers by using dial-up networking. | Chapter 15 | Creating a Dial-up Connection to a Remote Access Server; Creating a Connection to Another Computer; Creating a VPN Connection
Connect to computers by using a virtual private network (VPN) connection. | Chapter 15 | Creating a VPN Connection
Create a dial-up connection to connect to a remote access server. | Chapter 15 | Creating a Dial-up Connection to a Remote Access Server
Connect to the Internet by using dial-up networking. | Chapter 15 | Creating a Dial-up Connection to the Internet
Configure and troubleshoot Internet Connection Sharing. | Chapter 15 | Configuring Internet Connection Sharing; Enabling Internet Connection Sharing; Troubleshooting Internet Connection Sharing
Connect to shared resources on a Microsoft network. | Chapter 11 | Connecting to Shared Folders

Implementing, Monitoring, and Troubleshooting Security
Encrypt data on a hard disk by using Encrypting File System (EFS). | Chapter 11 | Managing File and Folder Attributes; Using the Encrypt Attribute
Implement, configure, manage, and troubleshoot local Group Policy. | Chapter 10 | Managing Group Policy; Managing Local Group Policy; Troubleshooting Group Policy
Implement, configure, manage, and troubleshoot local user accounts. | Chapter 9 | Creating and Managing User Accounts; Creating Local User Accounts; Configuring Local User Accounts; Troubleshooting User Accounts, User Rights, Account Policies, and Authentication
Implement, configure, manage, and troubleshoot auditing. | Chapter 13 | Managing Auditing; Monitoring and Analyzing Security Events; Troubleshooting Auditing and Security
Implement, configure, manage, and troubleshoot account settings. | Chapter 9 | Creating User Accounts; Configuring and Managing User Account Properties; Troubleshooting User Accounts, User Rights, Account Policies, and Authentication
Implement, configure, manage, and troubleshoot account policy. | Chapter 9 | Managing Account Policies
Create and manage local users and groups. | Chapter 9 | Creating and Managing User Accounts; Creating Local User Accounts; Configuring Local User Accounts; Creating and Managing Group Accounts; Groups on the Local Computer
Implement, configure, manage, and troubleshoot user rights. | Chapter 9 | Managing User Rights; Troubleshooting User Accounts, User Rights, Account Policies, and Authentication
Implement, configure, manage, and troubleshoot local user authentication. | Chapter 9 | Understanding User Authentication; Troubleshooting User Accounts, User Rights, Account Policies, and Authentication
Configure and troubleshoot local user accounts. | Chapter 9 | Configuring and Managing User Account Properties; Configuring Local User Accounts; Troubleshooting User Accounts, User Rights, Account Policies, and Authentication
Configure and troubleshoot domain user accounts. | Chapter 9 | Configuring and Managing User Account Properties; Configuring Domain User Accounts; Troubleshooting User Accounts, User Rights, Account Policies, and Authentication
Implement, configure, manage, and troubleshoot a security configuration. | Chapter 13 | Using Security Templates; Using Security Configuration and Analysis; Troubleshooting Auditing and Security
TABLE A-2 Exam 70-215 — Installing, Configuring, and Administering Microsoft Windows 2000 Server

Exam Objective | Chapter | Section

Installing Windows 2000 Server
Perform an attended installation of Windows 2000 Server. | Chapter 3 | Hardware Requirements for Installation; Getting Ready to Install Windows 2000; The Installation Process
Perform an unattended installation of Windows 2000 Server. | Chapter 19 | Using Setup Manager
Create unattended answer files by using Setup Manager to automate the installation of Windows 2000 Server. | Chapter 19 | Creating an Answer File by Using Setup Manager
Create and configure automated methods for installation of Windows 2000. | Chapter 19 | Entire Chapter
Upgrade a server from Microsoft Windows NT 4.0. | Chapter 4 | Entire Chapter
Deploy service packs. | Chapter 10 | Using Group Policy to Deploy Service Packs for Applications
Troubleshoot failed installations. | Chapter 3 | Troubleshooting Common Installation Problems

Installing, Configuring, and Troubleshooting Access to Resources
Install and configure network services for interoperability. | Chapter 15 | Installing and Configuring Network Clients and Services for Interoperability
Monitor, configure, troubleshoot, and control access to printers. | Chapter 12 | Adding and Connecting to Printers; Sharing a Printer; Configuring Printer Properties; Configuring Print Server Properties; Managing Print Jobs; Troubleshooting Common Printing Problems
Monitor, configure, troubleshoot, and control access to files, folders, and shared folders. | Chapter 11, Chapter 21 | Managing File and Folder Attributes; Managing Shared Folders; Managing NTFS File and Folder Security; Taking Ownership of Files and Folders; Optimizing Access to Files and Folders; Troubleshooting Common Resource Access and Permission Problems; Monitoring Shared Folders
Configure, manage, and troubleshoot a stand-alone Distributed file system (Dfs). | Chapter 11 | Configuring and Managing the Distributed File System (Dfs); Troubleshooting Common Resource Access and Permission Problems
Configure, manage, and troubleshoot a domain-based Distributed file system (Dfs). | Chapter 11 | Configuring and Managing the Distributed File System (Dfs); Troubleshooting Common Resource Access and Permission Problems
Monitor, configure, troubleshoot, and control local security on files and folders. | Chapter 11 | Managing File and Folder Attributes; Managing NTFS File and Folder Security; Taking Ownership of Files and Folders; Troubleshooting Common Resource Access and Permission Problems
Monitor, configure, troubleshoot, and control access to files and folders in a shared folder. | Chapter 11, Chapter 21 | Managing Shared Folders; Troubleshooting Common Resource Access and Permission Problems; Monitoring Shared Folders
Monitor, configure, troubleshoot, and control access to files and folders via Web services. | Chapter 18 | Managing Web Services; Publishing Web Content; Creating a Virtual Directory; Managing Web Server Security; Monitoring Access to Files and Folders in Web Sites; Troubleshooting Web Services
Monitor, configure, troubleshoot, and control access to Web sites. | Chapter 18 | Configuring a Web Site; Publishing Web Content; Creating a Virtual Directory; Creating a Virtual Server; Managing Web Server Security; Monitoring Access to Files and Folders in Web Sites; Troubleshooting Web Services

Configuring and Troubleshooting Hardware Devices and Drivers
Configure hardware devices. | Chapter 5 | Add/Remove Hardware; Using Device Manager; Display; Fax; Game Controllers; Keyboard; Mouse; Power Options; Scanners and Cameras; Sounds and Multimedia; Wireless Link

Configure driver signing options. | Chapter 5 | Managing Driver Signing
Update device drivers. | Chapter 5 | Uninstalling, Disabling, Enabling, and Updating Device Drivers
Troubleshoot problems with hardware. | Chapter 5 | Troubleshooting Hardware; Add/Remove Hardware; Using Device Manager

Managing, Monitoring, and Optimizing System Performance, Reliability, and Availability
Monitor and optimize usage of system resources. | Chapter 21 | Entire Chapter
Manage processes. | Chapter 21 | Using Windows Task Manager to Manage Processes
Set priorities and start and stop processes. | Chapter 21 | Optimizing and Troubleshooting Application Performance; Starting Applications at Various Priorities; Using Windows Task Manager to Manage Processes
Optimize disk performance. | Chapter 21 | Optimizing and Troubleshooting Disk Performance
Manage and optimize availability of system state data and user data. | Chapter 14 | Managing and Optimizing the Availability of User Data and System State Data; Backing Up User Data and System State Data
Recover systems and user data. | Chapter 14 | Recovering User Data and System State Data; Using Backup to Restore User Data; Using Backup to Restore System State Data
Recover systems and user data by using Windows Backup. | Chapter 14 | Recovering User Data and System State Data; Using Backup to Restore User Data; Using Backup to Restore System State Data
Troubleshoot system restoration by using Safe Mode. | Chapter 14 | Using Safe Mode to Troubleshoot and Restore a System
Recover systems and user data by using the Recovery Console. | Chapter 14 | Using the Recovery Console to Restore a System
Managing, Configuring, and Troubleshooting Storage Use
Configure and manage user profiles. | Chapter 9 | Managing User Profiles
Monitor, configure, and troubleshoot disks and volumes. | Chapter 6 | Implementing, Configuring, and Managing Disks and Volumes; Troubleshooting Disks and Volumes
Configure data compression. | Chapter 11 | Managing File and Folder Attributes; Using the Compress Attribute
Monitor and configure disk quotas. | Chapter 11 | Configuring and Monitoring Disk Quotas
Recover from disk failures. | Chapter 6 | Recovering from Disk Failure

Configuring and Troubleshooting Windows 2000 Network Connections
Install, configure, and troubleshoot shared access. | Chapter 15 | Configuring Internet Connection Sharing; Enabling Internet Connection Sharing; Troubleshooting Internet Connection Sharing
Install, configure, and troubleshoot a virtual private network (VPN). | Chapter 17 | Enabling and Configuring Remote Access; Adding and Configuring Inbound Connection Ports; Adding and Configuring VPN Ports; Troubleshooting Remote Access
Install, configure, and troubleshoot network protocols. | Chapter 15, Chapter 16 | Installing, Configuring, and Troubleshooting Protocols; Installing and Configuring Network Protocols; Troubleshooting Network Protocols; Configuring TCP/IP; Troubleshooting TCP/IP Configuration Problems
Install and configure network services. | Chapter 15, Chapter 16 | Installing and Configuring Network Clients and Services for Interoperability; Installing Network Services; Configuring Bindings and Provider Order; Configuring Services; Installing and Configuring a DHCP Server; Using a WINS Server to Resolve NetBIOS Names; Installing WINS
Configure, monitor, and troubleshoot remote access. | Chapter 17 | Entire Chapter

Configure inbound connections. | Chapter 17 | Adding and Configuring Inbound Connection Ports
Create a remote access policy. | Chapter 17 | Using Remote Access Policies to Control Access
Configure a remote access profile. | Chapter 17 | Configuring a Profile for a Remote Access Policy
Install, configure, monitor, and troubleshoot Terminal Services. | Chapter 20 | Entire Chapter
Remotely administer servers by using Terminal Services. | Chapter 20 | Establishing a Terminal Services Session; Managing Terminal Services Sessions; Using Remote Control
Configure Terminal Services for application sharing. | Chapter 20 | Installing and Configuring Terminal Services
Configure applications for use with Terminal Services. | Chapter 20 | Installing Applications for Use with Terminal Services
Configure the properties of a connection. | Chapter 15 | Configuring Connection Properties
Install, configure, and troubleshoot network adapters and drivers. | Chapter 5 | Add/Remove Hardware; Using Device Manager; Troubleshooting Hardware

Implementing, Monitoring, and Troubleshooting Security

Encrypt data on a hard disk by using Encrypting File System (EFS). | Chapter 11 | Managing File and Folder Attributes; Using the Encrypt Attribute
Implement, configure, manage, and troubleshoot policies in a Windows 2000 environment. | Chapter 10 | Entire Chapter
Implement, configure, manage, and troubleshoot Local Policy in a Windows 2000 environment. | Chapter 10 | Managing Group Policy; Managing Local Group Policy; Troubleshooting Group Policy
Implement, configure, manage, and troubleshoot System Policy in a Windows 2000 environment. | Chapter 10 | Managing System Policy
Implement, configure, manage, and troubleshoot auditing. | Chapter 13 | Managing Auditing; Monitoring and Analyzing Security Events; Troubleshooting Auditing and Security
Implement, configure, manage, and troubleshoot local accounts. | Chapter 9 | Creating and Managing User Accounts; Creating Local User Accounts; Configuring Local User Accounts; Troubleshooting User Accounts, User Rights, Account Policies, and Authentication
Implement, configure, manage, and troubleshoot Account Policy. | Chapter 9 | Managing Account Policies; Troubleshooting User Accounts, User Rights, Account Policies, and Authentication
Implement, configure, manage, and troubleshoot security by using the Security Configuration Tool Set. | Chapter 13 | Using Security Templates; Using Security Configuration and Analysis; Troubleshooting Auditing and Security

TABLE A-3 Exam 70-216 — Implementing and Administering a Microsoft Windows 2000 Network Infrastructure

Exam Objective | Chapter | Section

Installing, Configuring, Managing, Monitoring, and Troubleshooting DNS in a Windows 2000 Network Infrastructure

Install, configure, and troubleshoot DNS. | Chapter 7 | Installing, Configuring, Managing, and Troubleshooting DNS
Install the DNS Server service. | Chapter 7 | Installing the DNS Server Service
Configure a root name server. | Chapter 7 | Configuring a Root Server
Configure zones. | Chapter 7 | Creating and Configuring Zones
Configure a caching-only server. | Chapter 7 | Configuring a Caching-Only Server
Configure a DNS client. | Chapter 7 | Configuring a DNS Server as its Own Client; Configuring Clients to Use a DNS Server
Configure zones for dynamic updates. | Chapter 7 | Configuring Zones for Dynamic Updates
Test the DNS Server service. | Chapter 7 | Testing, Monitoring, and Troubleshooting DNS
Implement a delegated zone for DNS. | Chapter 7 | Creating DNS Subdomains and Implementing Zone Delegation
Manually create DNS resource records. | Chapter 7 | Manually Creating DNS Resource Records
Manage and monitor DNS. | Chapter 7 | Installing, Configuring, Managing, and Troubleshooting DNS; Testing, Monitoring, and Troubleshooting DNS

Installing, Configuring, Managing, Monitoring, and Troubleshooting DHCP in a Windows 2000 Network Infrastructure

Install, configure, and troubleshoot DHCP. | Chapter 16 | Installing and Configuring a DHCP Server
Install the DHCP Server service. | Chapter 16 | Installing the DHCP Service
Create and manage DHCP scopes, superscopes, and multicast scopes. | Chapter 16 | DHCP Scopes, Superscopes, and Multicast Scopes
Configure DHCP for DNS integration. | Chapter 16 | Configuring DHCP for DNS Integration
Authorize a DHCP server in Active Directory. | Chapter 16 | Authorizing a DHCP Server in Active Directory
Manage and monitor DHCP. | Chapter 16 | Monitoring a DHCP Server

Configuring, Managing, Monitoring, and Troubleshooting Remote Access in a Windows 2000 Network Infrastructure

Configure and troubleshoot remote access. | Chapter 17 | Entire Chapter
Configure inbound connections. | Chapter 17 | Adding and Configuring Inbound Connection Ports
Create a remote access policy. | Chapter 17 | Using Remote Access Policies to Control Access
Configure a remote access profile. | Chapter 17 | Configuring a Profile for a Remote Access Policy
Configure a virtual private network (VPN). | Chapter 17 | Enabling and Configuring Remote Access; Adding and Configuring Inbound Connection Ports; Adding and Configuring VPN Ports
Configure multilink connections. | Chapter 17 | Configuring PPP; Configuring Multilink Connection Options
Configure Routing and Remote Access for DHCP Integration. | Chapter 17 | Configuring IP and DHCP Integration
Manage and monitor remote access. | Chapter 17 | Enabling and Configuring Remote Access; Using Remote Access Policies to Control Access; Monitoring Remote Access
Configure remote access security. | Chapter 17 | Configuring Security; Using Remote Access Policies to Control Access
Configure authentication protocols. | Chapter 17 | Configuring Security; Configuring Authentication Methods
Configure encryption protocols. | Chapter 17 | Configuring Security; Configuring Encryption
Create a remote access policy. | Chapter 17 | Using Remote Access Policies to Control Access

Installing, Configuring, Managing, Monitoring, and Troubleshooting Network Protocols in a Windows 2000 Network Infrastructure

Install, configure, and troubleshoot network protocols. | Chapter 15 | Installing, Configuring, and Troubleshooting Protocols
Install and configure TCP/IP. | Chapter 16 | Configuring TCP/IP
Install the NWLink protocol. | Chapter 15 | Installing, Configuring, and Troubleshooting Protocols; Installing and Configuring Network Protocols
Configure network bindings. | Chapter 15 | Configuring Bindings and Provider Order
Configure TCP/IP packet filters. | Chapter 16 | Configuring TCP/IP Packet Filters
Configure and troubleshoot network protocol security. | Chapter 16 | Configuring TCP/IP Packet Filters; Configuring and Troubleshooting IPSec
Manage and monitor network traffic. | Chapter 21 | Using System Monitor; Using Network Monitor
Configure and troubleshoot IPSec. | Chapter 16 | Configuring and Troubleshooting IPSec
Enable IPSec. | Chapter 16 | Enabling IPSec
Configure IPSec for transport mode. | Chapter 16 | Configuring and Troubleshooting IPSec; Enabling IPSec
Configure IPSec for tunnel mode. | Chapter 16 | Configuring and Troubleshooting IPSec; Creating and Customizing IPSec Policies
Customize IPSec policies and rules. | Chapter 16 | Creating and Customizing IPSec Policies
Manage and monitor IPSec. | Chapter 16 | Configuring and Troubleshooting IPSec; Monitoring IPSec

Installing, Configuring, Managing, Monitoring, and Troubleshooting WINS in a Windows 2000 Network Infrastructure

Install, configure, and troubleshoot WINS. | Chapter 16 | Using a WINS Server to Resolve NetBIOS Names; Installing WINS; Planning and Configuring WINS Replication; Monitoring a WINS Server; Troubleshooting WINS
Configure WINS replication. | Chapter 16 | Planning and Configuring WINS Replication
Configure NetBIOS name resolution. | Chapter 16 | NetBIOS Name Resolution; Using Lmhosts Files to Resolve NetBIOS Names; Using a WINS Server to Resolve NetBIOS Names; Configuring NetBIOS Name Resolution Options on Client Computers
Manage and monitor WINS. | Chapter 16 | Using a WINS Server to Resolve NetBIOS Names; Installing WINS; Monitoring a WINS Server

Installing, Configuring, Managing, Monitoring, and Troubleshooting IP Routing in a Windows 2000 Network Infrastructure

Install, configure, and troubleshoot IP routing protocols. | Chapter 16 | Routing TCP/IP
Update a Windows 2000-based routing table by means of static routes. | Chapter 16 | Static Routing; Enabling Routing; Updating a Routing Table by Adding Static Routes
Implement Demand-Dial Routing. | Chapter 16 | Managing Ports, Interfaces, and Demand-Dial Routing
Manage and monitor IP routing. | Chapter 16 | Routing TCP/IP; Monitoring TCP/IP Routing
Manage and monitor border routing. | Chapter 16 | Installing and Configuring Open Shortest Path First (OSPF); Configuring Border Routing
Manage and monitor internal routing. | Chapter 16 | Installing and Configuring Open Shortest Path First (OSPF); Configuring OSPF to Use a Routing Interface; Monitoring TCP/IP Routing
Manage and monitor IP routing protocols. | Chapter 16 | Routing TCP/IP; Monitoring TCP/IP Routing

Installing, Configuring, and Troubleshooting Network Address Translation (NAT)

Install Internet Connection Sharing. | Chapter 15 | Configuring Internet Connection Sharing; Enabling Internet Connection Sharing; Troubleshooting Internet Connection Sharing
Install NAT. | Chapter 16 | Installing and Configuring Network Address Translation (NAT)
Configure NAT properties. | Chapter 16 | Configuring NAT Properties
Configure NAT interfaces. | Chapter 16 | Configuring NAT Interfaces

Installing, Configuring, Managing, Monitoring, and Troubleshooting Certificate Services

Install and configure Certificate Authority (CA). | Chapter 18 | Managing Certificate Services; Installing and Configuring Certificate Services
Create certificates. | Chapter 18 | Creating and Issuing Certificates
Issue certificates. | Chapter 18 | Creating and Issuing Certificates
Revoke certificates. | Chapter 18 | Revoking Certificates
Remove the Encrypting File System (EFS) recovery keys. | Chapter 18 | Managing Encrypting File System (EFS) Recovery Agents
TABLE A-4 Exam 70-217 — Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure

Exam Objective | Chapter | Section

Installing, Configuring, and Troubleshooting Active Directory

Install, configure, and troubleshoot the components of Active Directory. | Chapters 7 and 22 | Installing Active Directory; Verifying and Troubleshooting an Active Directory Installation; Managing Components that Affect Replication; Troubleshooting Active Directory Components, Replication, and Performance
Install Active Directory. | Chapter 7 | Installing Active Directory
Create sites. | Chapter 22 | Creating Sites
Create subnets. | Chapter 22 | Creating Subnets
Create site links. | Chapter 22 | Creating Site Links
Create site link bridges. | Chapter 22 | Creating Site Link Bridges
Create connection objects. | Chapter 22 | Managing Intrasite Replication
Create global catalog servers. | Chapter 22 | Creating Global Catalog Servers
Move server objects between sites. | Chapter 22 | Moving Server Objects Between Sites
Transfer Operations Master roles. | Chapter 22 | Managing and Maintaining Operations Master Roles; Transferring Operations Master Roles; Seizing Operations Master Roles
Verify Active Directory installation. | Chapter 7 | Verifying and Troubleshooting an Active Directory Installation
Implement an organizational unit (OU) structure. | Chapter 8 | Implementing an Organizational Unit (OU) Structure
Back up and restore Active Directory. | Chapter 14 | Using Backup to Perform a Backup; Using Backup to Restore System State Data; Restoring System State Data on Domain Controllers
Perform an authoritative restore of Active Directory. | Chapter 14 | Using Backup to Restore System State Data; Restoring System State Data on Domain Controllers
Recover from a system failure. | Chapter 14 | Recovering from a System Failure; Using Safe Mode to Troubleshoot and Restore a System; Using the Recovery Console to Restore a System; Using the Emergency Repair Disk to Restore a System

Installing, Configuring, Managing, Monitoring, and Troubleshooting DNS for Active Directory

Install, configure, and troubleshoot DNS for Active Directory. | Chapter 7 | Installing, Configuring, Managing, and Troubleshooting DNS; Installing DNS for Active Directory
Integrate an Active Directory DNS with a non-Active Directory DNS. | Chapter 7 | Integrating an Active Directory DNS with a Non-Active Directory DNS
Configure zones for dynamic updates. | Chapter 7 | Configuring Zones for Dynamic Updates
Manage, monitor, and troubleshoot DNS. | Chapter 7 | Installing, Configuring, Managing, and Troubleshooting DNS; Testing, Monitoring, and Troubleshooting DNS
Manage replication of DNS data. | Chapter 7 | Managing Replication of DNS

Installing, Configuring, Managing, Monitoring, Optimizing, and Troubleshooting Change and Configuration Management

Implement and troubleshoot Group Policy. | Chapter 10 | Managing Group Policy
Create a Group Policy object (GPO). | Chapter 10 | Creating Group Policy Objects in Active Directory
Link an existing GPO. | Chapter 10 | Linking an Existing Group Policy Object
Delegate administrative control of Group Policy. | Chapter 10 | Configuring Security for Group Policy Objects
Modify Group Policy inheritance. | Chapter 10 | Modifying Group Policy Inheritance
Filter Group Policy settings by associating security groups to GPOs. | Chapter 10 | Configuring Security for Group Policy Objects
Modify Group Policy. | Chapter 10 | Configuring and Modifying Group Policy Objects; Modifying the Order in Which Group Policy is Applied

Manage and troubleshoot user environments by using Group Policy. | Chapter 10 | Configuring Group Policy Settings to Manage User Environments
Control user environments by using Administrative Templates. | Chapter 10 | Configuring Group Policy Settings to Manage User Environments
Assign script policies to users and computers. | Chapter 10 | Configuring Group Policy Settings to Manage Scripts
Manage and troubleshoot software by using Group Policy. | Chapter 10 | Configuring Group Policy Settings to Manage Software Deployment
Deploy software by using Group Policy. | Chapter 10 | Preparing Software for Deployment; Deploying and Maintaining Software by Using Group Policy; Troubleshooting Software Deployment
Maintain software by using Group Policy. | Chapter 10 | Deploying and Maintaining Software by Using Group Policy; Using Group Policy to Deploy Service Packs for Applications
Configure deployment options. | Chapter 10 | Deploying and Maintaining Software by Using Group Policy
Troubleshoot common problems that occur during software deployment. | Chapter 10 | Troubleshooting Software Deployment
Manage network configuration by using Group Policy. | Chapter 10 | Configuring Group Policy Settings to Manage User Environments
Deploy Windows 2000 by using Remote Installation Services (RIS). | Chapter 19 | Using Remote Installation Services (RIS)
Install an image on a RIS client computer. | Chapter 19 | Installing a RIS Image on a Client Computer
Create a RIS boot disk. | Chapter 19 | Creating a RIS Client Boot Disk
Configure remote installation options. | Chapter 19 | Configuring RIS Server Options
Troubleshoot RIS problems. | Chapter 19 | Troubleshooting RIS Problems
Manage images for performing remote installations. | Chapter 19 | Managing RIS Images; Working with CD-Based Images; Creating and Managing RIPrep Images
Configure RIS security. | Chapter 19 | Configuring RIS Security
Authorize a RIS server. | Chapter 19 | Authorizing a RIS Server in Active Directory
Grant computer account creation rights. | Chapter 19 | Granting Permission to Create Computer Objects
Prestage RIS client computers for added security and load balancing. | Chapter 19 | Prestaging RIS Clients

Managing, Monitoring, and Optimizing the Components of Active Directory

Manage Active Directory objects. | Chapter 8 | Managing Active Directory Objects
Move Active Directory objects. | Chapter 8 | Moving Objects in Active Directory
Publish resources in Active Directory. | Chapters 8 and 12 | Publishing Resources in Active Directory; Sharing a Printer
Locate objects in Active Directory. | Chapter 8 | Locating Objects in Active Directory
Create and manage accounts manually or by scripting. | Chapter 9 | Using NET USER to Create User Accounts
Control access to Active Directory objects. | Chapter 8 | Controlling Access to Active Directory Objects
Delegate administrative control of objects in Active Directory. | Chapter 8 | Delegating Administration of Active Directory Objects
Manage Active Directory performance. | Chapter 22 | Managing Active Directory Performance
Monitor, maintain, and troubleshoot domain controller performance. | Chapter 22 | Monitoring Performance of Domain Controllers and Other Active Directory Components; Troubleshooting Active Directory Components, Replication, and Performance
Monitor, maintain, and troubleshoot Active Directory components. | Chapter 22 | Monitoring Performance of Domain Controllers and Other Active Directory Components; Troubleshooting Active Directory Components, Replication, and Performance

Manage and troubleshoot Active Directory replication. | Chapter 22 | Managing Components that Affect Replication; Managing Active Directory Replication; Troubleshooting Active Directory Components, Replication, and Performance
Manage intersite replication. | Chapter 22 | Intersite Replication; Managing Components that Affect Replication; Managing Active Directory Replication; Managing Intersite Replication
Manage intrasite replication. | Chapter 22 | Intrasite Replication; Managing Active Directory Replication; Managing Intrasite Replication

Configuring, Managing, Monitoring, and Troubleshooting Active Directory Security Solutions

Configure and troubleshoot security in a Directory Services infrastructure. | Chapters 13 and 10 | Using Security Templates; Using Security Configuration and Analysis; Troubleshooting Auditing and Security; Configuring Group Policy Settings to Manage Security
Apply security policies by using Group Policy. | Chapter 10 | Configuring Group Policy Settings to Manage Security
Create, analyze, and modify security configurations by using Security Configuration and Analysis and Security Templates. | Chapter 13 | Using Security Templates; Using Security Configuration and Analysis
Implement an audit policy. | Chapter 13 | Managing Auditing
Monitor and analyze security events. | Chapter 13 | Monitoring and Analyzing Security Events

APPENDIX B
What You Need to Know to Prepare for the Exams

The Microsoft Windows 2000 MCSE certification exams aren’t easy, and require a great deal of preparation. The exam questions measure real-world skills. Your ability to answer these questions correctly will be greatly improved by as much hands-on experience with the Windows 2000 product as you can get. That said, this appendix provides some practical and innovative ways for you to prepare for the Windows 2000 exams.


Know Your Exam


Before you take any certification exam, make sure you’ve got the latest scoop on it. For the Microsoft Windows 2000 MCSE certification exams, that means going directly to the horse’s mouth, or in this case, to Microsoft’s Web site.
The exam objectives published in this book are current as of the date this book went to press, but Microsoft reserves the right to change exam objectives at any time. Microsoft publishes an Exam Preparation Guide for each exam that contains vital information, not the least of which is a complete list of the exam’s objectives. You can view and print the latest Exam Preparation Guides for the Windows 2000 MCSE certification exams by visiting the following Web sites:
http://www.microsoft.com/Mcp/exam/stat/SP70-210.htm
http://www.microsoft.com/Mcp/exam/stat/SP70-215.htm
http://www.microsoft.com/Mcp/exam/stat/SP70-216.htm
http://www.microsoft.com/Mcp/exam/stat/SP70-217.htm

If for some reason you aren’t able to access the Exam Preparation Guides at these sites, try the main Microsoft Training & Certification Web site:
http://www.microsoft.com/train_cert

Or even better, visit the Microsoft Certified Professional Program Web site:
http://www.microsoft.com/mcp

While you’re visiting this site, there are a number of pages I recommend you take a look at, including: the “Step-by-Step Guide” to certification, “How Microsoft Certified Professional Exams Are Developed,” “Practice Test,” “MCP Programs in Forefront of Testing Innovations,” “What to Expect at the Testing Center,” “Your Exam Results,” and so on. By the time you’re finished, you’ll have a much better feel for the exams.
I want to say just a few words about exam format and the types of questions to expect. When the Microsoft Windows 2000 MCSE certification exams are first released, the exams will probably include around 50 to 70 items each. Later on, after Microsoft has had time to gather and process statistics from each of these exams, it will probably convert the exams to adaptive exams. A computer adaptive exam typically involves fewer questions (normally about 15 to 30) than a standard, fixed-form exam, and based on whether the examinee answers each question correctly or incorrectly, the computer determines the difficulty of the next question presented. Aside from the number of questions and the amount of time allowed to take the exam, the main difference between a traditional, fixed-form exam and an adaptive exam is that in a fixed-form exam you can skip questions, or go back and review previously answered items, but on an adaptive exam you can’t do this.
In addition to standard multiple-choice items, you may see some nonstandard types of questions on the Windows 2000 MCSE certification exams. For example, plan on finding some really long, complex multiple-choice questions in which you have to determine, for a specific action taken, precisely what results are achieved. You might encounter a “Select-and-Place” item that requires you to drag-and-drop an answer onto an appropriate field. You may also find (particularly after the exam has been out for a while) some simulation questions in which you’re asked to perform a Windows 2000 task by working with a simulated user interface.
To become familiar with the types of questions found on the exams, I recommend you download and run the demos from the Microsoft Certified Professional Program Web site, and I strongly urge you to do as many practice tests as you can get your hands on, such as those included on the CD-ROM that accompanies this book, before you take any of the exams.

Know Your Testing Center


Microsoft exams are given at authorized testing centers. In the United States and Canada, you can register (and pay) for an exam by calling Sylvan Prometric at (800) 755-EXAM. (That’s 800-755-3926.) Outside the United States and Canada, contact your local Sylvan Prometric Registration Center. You may also be able to register for an exam online at http://www.sylvanprometric.com.
I urge you to check out your testing center before you take an exam. Call ahead. Ask about the hardware they use for their testing computers. If some computers are faster than others, ask for the seat numbers of the faster computers, and request one of those seats when you schedule your testing appointment with Sylvan Prometric. You might even consider visiting the testing center before you schedule an exam there. This will give you an opportunity to see what the testing environment will be like.
When you arrive at the testing center, you’ll need to show two forms of identification, including one photo ID. You’ll also need to accept the terms of a Microsoft Non-Disclosure Agreement before you take an exam. You may also have to complete a demographic survey before you take an exam. Finally, if you’ve never taken a Microsoft certification exam before, you can take an exam tutorial before you begin.

Tips for Before, During, and After the Exam


I’m sure that everyone who’s ever studied for and passed a certification exam has their own ideas about what helped them pass: tricks, tips, a lucky rabbit’s foot, and so on. Here are some of the things that work for me, and that I recommend you do:

Before the Exam


■ Do the Lab Exercises in this book. Get as much hands-on practice with Windows 2000 as you can stand. Then get more.
■ Review the Key Point Summary sections and answer all of the Assessment Questions at the end of each chapter just before taking an exam.
■ Pay special attention to the Exam Tips throughout this book — these pointers will help you focus on important exam-related topics.
■ Take as many practice exams as possible.
■ Take the exam preparation process seriously. These exams are tough!
■ Don’t study all night before the test. A good night’s sleep is often better preparation than the extra studying.
■ Try to schedule the exam during your own “peak” time of day. In other words, if you’re a morning person, try not to schedule the exam for 3:00 p.m.

On Exam Day
■ Dress comfortably. The more comfortable you are, the more you’ll be able to focus on the exam.
■ Don’t drink a lot of coffee or other beverages before taking an exam. I think you know where I’m headed. You don’t want to spend precious exam time running back and forth to the restroom.
■ Arrive at the testing center 10 to 15 minutes early, and don’t forget your picture ID.
■ If you have any questions about the rules for the exam, ask the exam administrator before the exam begins. The exams are timed, so avoid using valuable test time for questions you could have asked earlier.

During the Exam


■ Answer the easy items first. Unless you’re taking an adaptive exam, the testing software enables you to move forward and backward through the exam. Go through all of the items on the test once, answering the items you’re sure of first; then go back and spend time on the harder items.
■ Remember, there aren’t any trick questions. The correct answer will always be among the list of choices.
■ When choosing an answer, eliminate the most obviously incorrect answers first. (Think of this as using your “50-50” on Who Wants to Be a Millionaire.) This will make it easier for you to select the answer that seems most right to you.
■ Answer all of the items on the exam. An unanswered item is scored as an incorrect answer. So, if you’re unsure of an answer, it can’t hurt to make an educated guess.
■ I know it’s difficult, but try to relax. During the exam, take a few deep breaths here and there. People often make avoidable, careless mistakes when they’re stressed and when they rush.

After the Exam


■ After you finish the exam, the testing center will give you a written examination score report indicating whether you passed or failed, and how you performed on each section.
■ If you don’t pass an exam the first time, you can use this report to determine the areas where you need additional study. Then, you can retake the exam at a later date for an additional fee.

TIP
Microsoft has revised its policy for retaking exams, primarily to increase security. If you don’t pass an exam the first time, you can take it again at any time. If you don’t pass the exam the second time, you must wait at least 14 days before you can retake it.

■ Don’t get discouraged if you don’t pass an exam the first time — or the second time. Many highly intelligent, seasoned professionals fail a test once, twice, or more times before eventually passing it. If at first you don’t succeed, try, try again.

APPENDIX C
What’s on the CD-ROM


The CD-ROM included with this book contains the following materials:
■ BeachFront Quizzer exam simulation software
■ .avi files with demonstrations of the labs in this book
■ VMware trial version
■ Diskeeper 5.0 trial version
■ Adobe Acrobat Reader
■ An electronic version of this book, Windows 2000 MCSE Study System, in .pdf format
The following sections describe each product and include detailed instructions for installation and use.

BeachFront Quizzer
The version of the BeachFront Quizzer software included on the CD-ROM gives you the opportunity to test your knowledge with simulated exam questions. The features of the BeachFront Quizzer product include:
■ Study sessions, standard exams, and adaptive exams
■ A new exam every time
■ Historical analysis
If you want more exam questions, you can purchase the full retail version of the BeachFront Quizzer software from BeachFront Quizzer. See the BeachFront Quizzer ad in the back of this book.

STEP BY STEP

INSTALLING BEACHFRONT QUIZZER

1. Open My Computer. Double-click your CD-ROM drive (usually D:). Double-click the BFQuiz folder. Double-click plain_quiz32a.exe. The BeachFront Quizzer setup program starts.
2. On the welcome screen, click Next to continue to the license agreement screen. Read the agreement, and click I Agree to continue.
3. On the Choose Destination Location screen, click Next to accept the default file location (C:\Quizzer). If you want to install the files to a different location, click Browse and select the file location. After you click Next, the installation begins.
4. After the installation, you will be asked to install Adobe Acrobat Reader. You need Acrobat Reader to get the full benefit of the BeachFront Quizzer product: the test questions are mapped to the contents of the book, which you access through the Acrobat (PDF) files. Select the check box marked “Install Adobe Acrobat Reader,” and click Next.
5. The Acrobat Reader installation program starts. The Acrobat Reader welcome screen appears first. Click Next to continue. The License Agreement screen appears next. Read the agreement, and click I Accept to continue.
6. The Choose Destination Location screen appears. If you want to choose a different location, click Browse and select the destination to install the files to. To accept the default, click Next to continue.
7. The Acrobat Reader installation program runs. After the installer is finished, a dialog box appears that reads “Thank you for choosing Acrobat Reader.” Click OK to finish.
8. You’re returned to the BeachFront Quizzer installation process. The next screen gives you the option to install the online books. These are the Acrobat (PDF) files that contain the text of the book and are linked to the questions. You should install these to get the most benefit out of BeachFront Quizzer. Select the “Install supplied online books” check box, and click Next.
4701-1 appC.f.qc 4/24/00 10:12 Page 1495

Appendix C ▼ What’s on the CD-ROM 1495

9. The online books install. When they’re done, click Finish to complete the installa-
tion. You have the option of starting the BeachFront Quizzer engine now, or later.

USING BEACHFRONT QUIZZER

1. Start BeachFront Quizzer by selecting Start ➪ Programs ➪ BeachFront Quizzer.
The Select Exam screen appears.
2. Select the exam you want to practice for and click OK. A legal warning window
appears. Click OK to continue.
3. You will be asked for the CD key. The CD key can be found in a file named
Password.txt within the BFQuiz folder. Enter the CD key and click OK.
4. The BeachFront Quizzer test engine starts. Select the category you wish to study,
and the study mode you want to use, and click Start.

Lab Demonstrations
The lab demos folder contains .avi files with visual tutorials for perform-
ing some of the labs presented in this book.

STEP BY STEP

INSTALLING AND VIEWING THE .AVI FILES

1. Start Windows Explorer, and then open the Acrobat Reader folder in
\\IDGBcert\software\acrobat.
2. In the acrobat folder, double-click rs40eng.exe and follow the instructions
presented on-screen for installing Adobe Acrobat Reader.
3. To view the electronic version of the book, after you have installed Adobe Acrobat
Reader, start Windows Explorer and open the books folder.
4. In the books folder, double-click the Acrobat (PDF) file for the chapter or appen-
dix file you want to view.

VMware
VMware, from VMware, Inc., is an application that enables you to manage
multiple computers from one workstation. It enables you to run multiple
operating systems at once without dual booting.

STEP BY STEP

INSTALLING VMWARE

1. Start Windows Explorer, and then open the Acrobat Reader folder in
\\IDGBcert\software\acrobat.
2. In the acrobat folder, double-click rs40eng.exe and follow the instructions
presented on-screen for installing Adobe Acrobat Reader.
3. To view the electronic version of the book, after you have installed Adobe Acrobat
Reader, start Windows Explorer and open the books folder.
4. In the books folder, double-click the Acrobat (PDF) file for the chapter or appen-
dix file you want to view.

Diskeeper 5 Trial Version


Diskeeper 5, from Executive Software, is an advanced disk defragmenter
application. It can defragment volumes on remote computers, and can be
set to defragment volumes according to a schedule.

STEP BY STEP

INSTALLING DISKEEPER

1. Start Windows Explorer, and then open the Acrobat Reader folder in
\\IDGBcert\software\acrobat.
2. In the acrobat folder, double-click rs40eng.exe and follow the instructions
presented on-screen for installing Adobe Acrobat Reader.
3. To view the electronic version of the book, after you have installed Adobe Acrobat
Reader, start Windows Explorer and open the books folder.
4. In the books folder, double-click the Acrobat (PDF) file for the chapter or appen-
dix file you want to view.

The Adobe Acrobat Reader


Adobe’s Acrobat Reader is a helpful program that will enable you to view
the electronic version of this book in the same page format as the actual
book.

STEP BY STEP

1. Start Windows Explorer, and then open the Acrobat Reader folder in
\\IDGBcert\software\acrobat.
2. In the acrobat folder, double-click rs40eng.exe and follow the instructions
presented on-screen for installing Adobe Acrobat Reader.
3. To view the electronic version of the book, after you have installed Adobe Acrobat
Reader, start Windows Explorer and open the books folder.
4. In the books folder, double-click the Acrobat (PDF) file for the chapter or appen-
dix file you want to view.

Glossary

access control list (ACL)
An access control list (ACL) is a list of SIDs and the associated access privileges assigned to each SID. Each object and network resource has an ACL associated with it. See also SID.

Accessibility Options
Accessibility Options is a Control Panel application that is used to configure the keyboard, sound, display, and mouse options on a computer to accommodate users that are physically challenged, including persons who have difficulty striking multiple keys simultaneously on a keyboard, persons who are visually or hearing impaired, or persons who have difficulty holding or clicking a mouse.

Active Directory
Active Directory is the directory service used by Windows 2000. It is a core new feature of the Windows 2000 operating system. See also Active Directory data store, directory service.

Active Directory data store
The Active Directory data store is the database in Active Directory that contains information about various types of network objects, including printers, shared folders, user accounts, groups, and computers. In a Windows 2000 domain, a read/write copy of the Active Directory data store is physically located on each domain controller in the domain. The Active Directory data store is also called the directory. See also Active Directory; directory, the; directory service.

Active Directory Users and Computers
Active Directory Users and Computers is the primary administrative tool used to perform management tasks with OUs and other Active Directory objects. By default, this tool is only installed on domain controllers, but you can make it available on any Windows 2000 computer by installing the ADMINPAK.

active partition
The active partition is a primary partition on the first hard disk in a computer that has been marked active by a partitioning program, such as Fdisk or Disk Manager. The active partition contains the files necessary to load the operating system. In Windows 2000 terminology, the active partition is also called the system partition. See also primary partition.

Add/Remove Hardware
Add/Remove Hardware is a Control Panel application that is a wizard used to add, remove, unplug, and troubleshoot the hardware in a computer.


Add/Remove Programs
Add/Remove Programs is a Control Panel application used to install and remove third-party software and to add and remove optional Windows 2000 components.

administrative shares
Every time you start Windows 2000 on a computer, Windows 2000 automatically creates several hidden shares that only members of the Administrators group (on the local computer) have permissions to access. These shares are referred to as administrative shares because they are used by Administrators to perform administrative tasks.

advanced permissions
Advanced permissions (also called special permissions) are individual NTFS permissions that are combined to form the standard NTFS permissions. Advanced NTFS permissions are assigned by clicking the Advanced command button on the Security tab in a file or folder’s Properties dialog box.

Advanced Power Management (APM)
APM is an older power management scheme that Windows 2000 supports only on laptop and other mobile computers. In general, APM is useful on laptop computers that have BIOS support for APM.

application programming interface (API)
An API is a set of operating system functions that can be called by an application running on the computer. Windows 2000 supports the Win32, Win16, POSIX, MS-DOS, and OS/2 1.x APIs.

attributes
Attributes are specific properties of Windows 2000 files and folders. Many attributes are assigned by administrators or users to protect files and folders. Other file and folder attributes are automatically applied to system files during the installation of Windows 2000.

area code rules
Area code rules enable you to treat different prefixes within the same area code differently — some as local calls, and some as long distance calls.

auditing
Auditing is a Windows 2000 feature that, when enabled, allows you to collect security-related information concerning the success and failure of specified events, such as file access, printer access, logon and logoff, and security policy changes. Windows 2000 auditing is divided into two areas: system access auditing and object access auditing. Audited events are written to the Security Log in Event Viewer.

backup domain controller (BDC)
A BDC is a Windows NT Server computer that is configured to maintain a backup copy of the Windows NT Server domain directory database (SAM). The BDC receives updates to the domain directory database from the primary domain controller (PDC) via a process called synchronization. See also primary domain controller, domain controller.

banner page
A banner page is another term for a separator page. See also separator page.

basic disk
A basic disk refers to a hard disk that uses industry-standard partitioning and formatting, and contains primary partitions, extended partitions, or both. See also dynamic disk, extended partition, primary partition.
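The auditing entry above says what the Security Log collects (success and failure of logons, object access and policy changes) but not what an administrator does with it. The following is an added example, not code from the book: it runs simple detection logic over a handful of constructed audit records (the event tuples are made up for this example and are not real Event Viewer output) to tally outcomes per category and to flag an account with a burst of failed logons, which is the kind of pattern the audited events exist to reveal.

```python
"""Summarise constructed audit events of the kind the glossary's "auditing"
entry describes. All records are constructed for this example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, category, outcome, user, detail).
# Categories mirror the entry: logon/logoff, object access, policy change.
SAMPLE_EVENTS = [
    ("2000-04-24 09:00:05", "Logon/Logoff", "Success", "alanc", "interactive logon"),
    ("2000-04-24 09:01:10", "Object Access", "Success", "alanc", r"C:\Payroll\q1.xls"),
    ("2000-04-24 09:02:30", "Logon/Logoff", "Failure", "guest", "bad password"),
    ("2000-04-24 09:02:41", "Logon/Logoff", "Failure", "guest", "bad password"),
    ("2000-04-24 09:02:52", "Logon/Logoff", "Failure", "guest", "bad password"),
    ("2000-04-24 09:03:05", "Logon/Logoff", "Failure", "guest", "bad password"),
    ("2000-04-24 09:15:00", "Policy Change", "Success", "alanc", "audit policy changed"),
    ("2000-04-24 10:30:00", "Logon/Logoff", "Failure", "alanc", "bad password"),
    ("2000-04-24 11:45:00", "Object Access", "Failure", "guest", r"C:\Payroll\q1.xls"),
    ("2000-04-24 15:20:00", "Logon/Logoff", "Failure", "alanc", "bad password"),
]


def parse_events(rows):
    """Turn the raw tuples into dicts with a real datetime for windowing."""
    return [
        {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
         "category": cat, "outcome": outcome, "user": user, "detail": detail}
        for ts, cat, outcome, user, detail in rows
    ]


def summarize(events):
    """Count events per (category, outcome) pair, e.g. ("Logon/Logoff", "Failure")."""
    return Counter((e["category"], e["outcome"]) for e in events)


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: max failures seen inside one sliding window} for users
    whose failed logons reach `threshold` within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["category"] == "Logon/Logoff" and e["outcome"] == "Failure":
            by_user[e["user"]].append(e["time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def policy_changes(events):
    """Policy-change events deserve a look on their own: they alter what gets audited."""
    return [e for e in events if e["category"] == "Policy Change"]


EVENTS = parse_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    for (category, outcome), n in sorted(summarize(EVENTS).items()):
        print(f"{category:14} {outcome:8} {n}")
    print("burst of failed logons:", failed_logon_bursts(EVENTS))
    print("policy changes:", [e["detail"] for e in policy_changes(EVENTS)])
```

Two failures for the same account hours apart are left alone; four inside half a minute are reported. The threshold and window are parameters chosen here, not values the book prescribes.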

bindings
Bindings are associations between a network service and a protocol, or between a protocol and a network adapter card. Bindings specify three specific properties of a local area connection: which installed client(s) or service(s) the connection uses, which protocol(s) are used by (or bound to) each selected client or service, and the order in which selected protocols are used by each associated client or service. See also provider order.

blocking inheritance
If you configure an object to not inherit permissions from its parent object, this is referred to as blocking inheritance. See also inheritance.

browsing
Browsing is the process of viewing a list of computers and their available shared resources, or viewing a list of files and folders on a local or network-connected drive.

built-in groups
Built-in groups are groups with preset characteristics that are automatically created during the installation of Windows 2000.

built-in local groups
Built-in local groups are groups that have the rights and permissions that enable their members to perform specific tasks on the local computer. See also built-in groups.

built-in special groups
Built-in special groups are created by Windows 2000 that are used for specific purposes by the operating system. Special groups are sometimes called system groups. See also built-in groups.

cache
Cache is a section of memory used to temporarily store files from the hard disk.

card services
Card services is a term used to refer to the device drivers used by CardBus/PCMCIA controllers.

CDFS
CDFS stands for Compact Disc File System. CDFS supports access to compact discs, and is only used on CD-ROM devices that read or write compact discs.

certificate
A certificate is a cryptographic tool used for encrypting and decrypting data, digitally signing files and other data, and performing user authentication. A certificate consists of two parts: a public key and a private key.

certificate authority (CA)
An organization that uses a computer to create, issue and manage certificates is called a certification authority (CA). This term is also used for the actual server that performs the task of issuing and managing certificates. In Windows 2000, the server on which Certificate Services is installed is a CA, and is also called a certificate server. The CA receives requests for certificates from other computers on the network, then verifies the credentials in the request, and finally creates and issues the certificate. See also certificate, Certificate Services.

Certificate Services
Certificate Services is a Windows 2000 Server service used to create, issue, and manage certificates on a Windows 2000 network. If your network is connected to the Internet, you may need the encryption and other security features that can be provided by certificates and Certificate Services. See also certificate, certification authority (CA).

child domain
A child domain is any domain that is below another domain in the domain tree hierarchy. See also domain, domain tree, parent domain.

child object
An Active Directory object that is contained in the parent object is referred to as a child object. See also parent object.

class
A class is a template that is used to create a specific type of Active Directory object. The specific attributes that an object has are defined by the object’s class. There are many classes of Active Directory objects, including: Computer, Contact, Group, Organizational Unit, Domain, Printer, User, and Shared Folder. See also Active Directory, object.

client
A client is a computer that is capable of accessing resources on other computers (servers) across a network. Some computers are configured with both client and server software. See also server. A client is also a piece of software that enables a computer to access resources on another computer on the network.

cluster
A cluster is a group of computers that, from a client and application point of view, appear as a single computer. See also Windows Clustering.

COM+ programs
COM+ programs are applications that are written to the Component Object Model (COM) and to take advantage of Component Services such as load balancing, queuing, and role-based security.

computer name
A computer name is a unique name that Windows 2000 uses to identify a particular computer on the network. The computer name is also used as the computer’s NetBIOS name. You can use a computer name that is longer than 15 characters, but Windows 2000 will only use the first 15 characters for the computer’s NetBIOS name. No two computers on the same internetwork should have the same computer name.

computer system policy
A computer system policy is a collection of settings that specifies a local computer’s configuration. A computer system policy enforces the specified configuration on all users of a particular Windows NT 4.0, Windows 95, or Windows 98 client computer. There are two types of computer system policies: an individual computer policy and the Default Computer policy. See also individual computer policy, Default Computer policy, System Policy.

container, container object
A container object (sometimes called a container for short) is any Active Directory object that can contain other objects. An OU is a container object. See also organizational unit (OU).

Continuous connection
A Continuous connection is a local HP (DLC) printer configuration that causes the Windows 2000 computer to monopolize all DLC connections to the HP JetDirect adapter, and permits only this Windows 2000 computer to connect to the HP print device using the DLC protocol. See also Job Based connection.

Control Panel
Windows 2000 Control Panel is an exhaustive collection of applications, sometimes called applets. These applications, which are automatically installed during installation of Windows 2000, are used to install and configure various components, applications, hardware, protocols, and services.

CSID
CSID stands for Called Station Identifier. CSID is used by the fax service to identify itself to other fax machines that send it faxes.

default gateway
A default gateway is a TCP/IP configuration setting that specifies the IP address of the router on the local network segment.

Default Computer policy
The Default Computer policy is created when a System Policy file is initially created. The Default Computer policy applies to a client computer only if the computer does not have an individual computer policy. See also computer system policy, individual computer policy, System Policy.

Default User policy
The Default User policy is created when an Administrator initially creates a System Policy file. When initially created, it doesn’t contain any settings that restrict users. The Default User policy applies to a user only if the user does not have an individual user policy. See also user system policy, System Policy, individual user policy.

demand paging
Demand paging is a process used by the Virtual Memory Manager that involves reading pages of memory from the paging file into RAM, and writing pages of memory from RAM into the paging file as required by the operating system. See also paging file.

desktop
The desktop is the screen that is displayed after Windows 2000 boots and you log on.

desktop operating system
A desktop operating system is an operating system that is designed to be used by an individual user on his or her desktop. A desktop operating system is not designed to be used on a network server.

device driver
A device driver is a special type of program that enables an operating system, such as Windows 2000, to recognize and work with a particular hardware device.

Dfs link
A Dfs link is a special type of subfolder in a Dfs root that acts as a pointer to a specific shared folder on the network. See also Distributed File System (Dfs), Dfs root.

Dfs link replica
A Dfs link replica is an additional pointer attached to a Dfs link. This pointer points to an alternate location where a user can access a copy of the shared folder (that the Dfs link points to) if the server hosting the original shared folder is unavailable. See also Dfs link.

Dfs root
A Dfs root is a special type of shared folder that can contain files, folders, Dfs links, and other Dfs roots. To the user, a Dfs root appears in a browse list just like any other shared folder. See also Distributed File System (Dfs), Dfs link, stand-alone Dfs root, domain Dfs root.

DHCP
DHCP stands for Dynamic Host Configuration Protocol. The Dynamic Host Configuration Protocol (DHCP) service provides centralized management of IP address assignment. The DHCP service can be installed on any Windows 2000 Server computer that has a manually assigned static IP address for each connection on the computer.

digital signature
A digital signature is a tag appended to a file by its creator. This tag consists of digitally coded information that identifies the file’s creator and enables Windows 2000 to verify that the file has not been altered or corrupted (by a virus or other means) since it was created.

directory
A directory is a folder. In Windows 2000 terminology, the terms directory and folder are synonymous.

directory, the
“The directory” is what the Active Directory data store is commonly referred to as. See also Active Directory data store.

directory service
A directory service is a centralized, hierarchical database that contains information about users and resources on a network. See also Active Directory, Active Directory data store.

Disk Management
Disk Management is a graphical tool that is a snap-in to the Microsoft Management Console (MMC). You can use Disk Management to: create and format partitions; upgrade a disk from basic to dynamic; revert from a dynamic disk to a basic disk; create and format a simple, spanned, striped, mirrored, or RAID-5 volume; delete volumes; troubleshoot disk configuration problems; and recover from hard disk failures in mirrored and RAID-5 volumes. See also Microsoft Management Console (MMC), RAID-5 volume, simple volume, spanned volume, striped volume, mirrored volume.

disk quotas
Disk quotas is a Windows 2000 volume management tool that is enabled on a volume-by-volume basis. Once enabled, disk quotas automatically track disk space usage on a user-by-user basis, and can prevent individual users from exceeding the disk space limitations that they have been assigned by an Administrator.

disk striping
Disk striping is a term associated with striped volumes. Disk striping alludes to the process wherein a file is written, or striped, one block at a time; first to one disk, then to the next disk, and then to the next disk, and so on, until all of the data in the file has been evenly distributed among all of the disks in the striped volume. See also striped volume.

distinguished name (DN)
A distinguished name (DN) consists of an object’s relative distinguished name (RDN) plus the object’s location in Active Directory. The DN supplies the complete path to the object. An object’s DN includes its RDN, the name of the organizational unit(s) that contains the object (if any), and the FQDN of the domain. For example, suppose that I create a user named AlanC in an organizational unit called US in a domain named Exportsinc.com. The DN of this user would be: [email protected]. See also fully qualified domain name (FQDN), organizational unit, relative distinguished name.

Distributed file system (Dfs)
The Distributed file system (Dfs) is a file system that enables an administrator to make shares that are stored on various servers on the network appear to users as though they are stored within a single share on a single server. The use of Dfs makes finding network resources easier for users, because users don’t have to know which server physically contains the shared resource they are trying to access. See also Dfs root, Dfs link.

distribution groups
Distribution groups are primarily used to send e-mail messages to a specified list of users. You can’t assign permissions and user rights to distribution groups. See also groups, security groups.

DNS
DNS stands for Domain Name System. The primary purpose of DNS, which consists of a set of specified naming rules and implementation standards, is to provide host name resolution. See also DNS server, DNS domain namespace.
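The disk striping entry describes the write pattern in words: block 1 to the first disk, block 2 to the next, and so on. The following is an added example, not code from the book, that models that round-robin layout on in-memory "disks" so the distribution can be inspected, and also shows the consequence the glossary's fault tolerance entries hint at: a striped volume has no redundancy, so losing any one disk makes the file unrecoverable. Block size and disk count are parameters chosen here.

```python
"""Round-robin striping of a file's blocks across N disks, as the glossary's
"disk striping" entry describes. Added example; the disks are plain lists."""


def stripe(data, disks, block_size):
    """Split `data` into `block_size` chunks and deal them to disk 0, 1, 2, ...
    wrapping around, so consecutive blocks land on consecutive disks."""
    if disks < 1 or block_size < 1:
        raise ValueError("need at least one disk and a positive block size")
    columns = [[] for _ in range(disks)]
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    for n, block in enumerate(blocks):
        columns[n % disks].append(block)
    return columns


def block_counts(columns):
    """Blocks held per disk; striping keeps these within one of each other."""
    return [len(col) for col in columns]


def unstripe(columns):
    """Read the blocks back in the order they were written. A disk that has
    failed is represented by None; touching it raises, since a striped
    volume has no copy of that disk's blocks anywhere else."""
    disks = len(columns)
    out = bytearray()
    n = 0
    while True:
        col = columns[n % disks]
        if col is None:
            raise RuntimeError(f"disk {n % disks} failed; striped data is lost")
        idx = n // disks
        if idx >= len(col):
            break  # every surviving block has been read
        out += col[idx]
        n += 1
    return bytes(out)


def survives_disk_failure(columns, failed_disk):
    """True if the file can still be read with `failed_disk` removed.
    For a striped volume this is False whenever that disk holds any block."""
    damaged = list(columns)
    damaged[failed_disk] = None
    try:
        unstripe(damaged)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    payload = bytes(range(20))  # constructed 20-byte "file"
    layout = stripe(payload, disks=3, block_size=4)
    print("blocks per disk:", block_counts(layout))
    print("round trip ok:", unstripe(layout) == payload)
    print("readable after disk 1 fails:", survives_disk_failure(layout, 1))
```

Running it with three disks and 4-byte blocks places five blocks as 2, 2 and 1 per disk, reads them back intact, and reports that the file is unreadable once any disk is gone. A mirrored or RAID-5 volume (see the Disk Management entry) is what adds the redundancy this layout lacks.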

DNS domain namespace
DNS is implemented as a hierarchical structure often called the DNS domain namespace. The trees and subtrees that make up the DNS domain namespace are called DNS domains. The DNS domain namespace is graphically represented as an inverted tree structure, with the root of the tree at the top. See also DNS, root domain.

DNS entries
DNS entries consist of IP address to host name mapping information and other DNS resource records.

DNS server
A DNS server is a computer that has the capability to use DNS to provide host name resolution to client computers. The Windows 2000 DNS Server service (or its equivalent), when installed on a server, is what gives that server the ability to provide host name resolution. See also DNS, DNS Server service, host name resolution.

DNS Server service
DNS is implemented in Windows 2000 via the DNS Server service. This service is supported only on Windows 2000 Server and Advanced Server computers — you can’t install the DNS Server service on a Windows 2000 Professional computer. See also DNS, DNS server.

domain
A domain is a logical grouping of networked computers in which one or more of the computers has one or more shared resources, such as a shared folder or a shared printer, and in which all of the computers share a common central domain directory database that contains user account security information. In Windows 2000, all of the computers in a domain share a common Active Directory data store that contains user account, resource, security, and other information. Domains are the fundamental units that make up the Active Directory. See also workgroup.

domain controller
A domain controller is a Windows 2000 Server computer that contains a read/write copy of the Active Directory data store. See also Active Directory data store.

domain Dfs root
A domain Dfs root is a type of Dfs root that can be hosted on any Windows 2000 Server computer in the domain. In addition, an object representing the Dfs root is published in Active Directory. You can create a replica of a domain Dfs root on one or more Windows 2000 Server computers on your network to provide load balancing and fault tolerance. If one of the servers that hosts the Dfs root (or its replica) is not available, users can still access the Dfs root on one of the other servers. See also Distributed file system (Dfs), Dfs root, stand-alone Dfs root.

domain Dfs root replica
A domain Dfs root replica is a shared folder that is a copy of a domain Dfs root that is stored on a different Windows 2000 Server computer than the original Dfs root. The primary purpose of a domain Dfs root replica is to provide load balancing and fault tolerance, so that if the server that hosts the original domain Dfs root is not available, users can still access the domain Dfs root. See also domain Dfs root.

domain local groups
Domain local groups are groups that are created and maintained in Active Directory on Windows 2000 domain controllers. Domain local groups are used to control access to resources located on any computer in a Windows 2000 domain.

Domain Name System (DNS)
See DNS.

domain naming master
The domain naming master is one of five operations master roles. The domain naming master is the only domain controller that can add domains to or remove domains from the forest. There can be only one domain naming master in a forest. See also flexible single master operation, operations master roles.

domain SID
The domain SID is the portion of a SID that identifies the domain in which the object is created. See also SID, relative ID.

domain tree
A domain tree, in Active Directory terminology, is a hierarchical grouping of one or more domains that must have a single root domain, and may have one or more child domains. See also Active Directory, domain, parent domain, child domain.

domain user account
A domain user account enables a user to log on to the domain and to access resources in the domain. See also local user account.

dual boot
Dual boot refers to the capability of a computer to permit a user to select from more than one operating system during the boot process. (Only one operating system can be selected and run at a time.)

DVD
DVD stands for digital video disc. See also UDF.

dynamic disk
A dynamic disk refers to a hard disk that contains Windows 2000 dynamic volume(s). See also basic disk, dynamic volume.

dynamic routing
Dynamic routing is intelligent IP routing. In dynamic routing, a router automatically builds and updates its routing table. In a dynamic routing environment, administrators don’t have to manually configure the routing table on each individual router. As changes are made to the network, dynamic routers automatically adjust their routing tables to reflect these changes.

dynamic update
This term is used to refer to client computers and servers that can register and update their host names and IP addresses with the DNS server without administrator intervention. The Windows 2000 DNS Server service supports the dynamic update protocol. See also DNS, DNS Server service.

dynamic volume
A dynamic volume is a Windows 2000 volume that does not use primary partitions, extended partitions, or logical drives. Dynamic volumes are created by using Disk Management. See also Disk Management, extended partition, logical drive, primary partition.

eject(ing)
Ejecting is a term used for the physical disconnecting of a hardware device, particularly a PC Card, from a computer.

Emergency Repair Disk
An Emergency Repair Disk, which you can create by using Backup, is a floppy disk used to repair Windows 2000 system files that become accidentally corrupted or erased due to viruses or other causes. An Emergency Repair Disk is primarily used to repair and restart a Windows 2000 computer that won’t boot.

Encrypting File System (EFS)
The Encrypting File System (EFS) enables you to store files on an NTFS volume in an encrypted format, so that if an unauthorized user removes a hard disk from your computer, that user will be unable to access the sensitive data contained in the encrypted files. EFS provides the capability of the Encrypt attribute.

enhanced metafile (EMF)
A Windows 2000 enhanced metafile (EMF) is an intermediate printing file format created by a Windows 2000 client computer when it prints to a shared network printer on a Windows 2000 computer. An EMF requires less processor time to produce than a RAW file, and is smaller in size than a RAW file for the same print job.

environment subsystems
Environment subsystems, which each include the application programming interface (API) of the operating system they are designed to support, enable applications to run in the Windows 2000 environment as if they were running in the operating system they were designed for. See also application programming interface (API).

environment variables
Environment variables are values that specify information about your computer and operating system. Windows 2000 and applications use environment variables to locate certain types of information, such as the location of system files, or the name of the currently logged on user. You can use the System application to configure both user environment variables and system environment variables. See also user environment variables and system environment variables.

exabyte
An exabyte is a billion gigabytes (1,152,921,504,606,846,976 bytes).

Executive Services
Executive Services (also called the Windows NT Executive, or the Executive) is a kernel mode component that functions as an interface between user mode and kernel mode. Its purpose is to pass information between user mode subsystems and kernel mode components. In addition, Executive Services is responsible for the transfer of information and instructions between the various kernel mode components. Executive Services can be thought of as the glue that holds Windows 2000 together. See also kernel mode, user mode.

explicit permission
An explicit permission is a permission that is directly assigned to an object, as opposed to a permission that is inherited by an object. See also inheritance.

extended partition
An extended partition is a partition on a basic disk that can be subdivided into one or more logical drives, but cannot be the active partition. See also logical drive, active partition.

extensible
Extensible is a term used when describing the benefits of Active Directory. Active Directory is said to be extensible because new classes of objects can be added. In addition, new attributes can be added to classes of objects already present.

FAT32 file system
The FAT32 file system, which is supported by Windows 2000, Windows 95 OSR2, and Windows 98, but was not supported by earlier versions of Windows NT, allocates disk space in a more efficient manner than previous versions of the FAT file system. Windows 2000 will format FAT32 partitions up to 32GB in size. In addition, Windows 2000 supports the use of FAT32 partitions larger than 32GB that have been formatted by other operating systems. See also file allocation table (FAT) file system.

fault tolerance
Fault tolerance refers to the ability of a computer or operating system to continue operations when a severe error or failure occurs, such as the loss of a hard disk or a power outage.

fault tolerance boot disk
A fault tolerance boot disk is a user-created floppy disk that can enable you to boot your computer from the second disk in a mirrored volume should the first hard disk in the mirrored volume fail. See also fault tolerance, mirrored volume.

file allocation table (FAT) file system
FAT (sometimes called FAT16) is a type of file system that is used by several operating systems, including Windows 2000. Windows 2000 does not support security or auditing on FAT partitions. The maximum size of a FAT partition on a Windows 2000 (or Windows NT) computer is 4GB. See also FAT32 file system.

file association
A file association exists when an application is configured to open files with a specified file extension. For example, files with the .doc extension are normally opened, by default, by WordPad. Once Microsoft Word is installed on a computer, the association is changed so that files with the .doc extension are opened by Word.

file attributes
File attributes are markers assigned to files that describe properties of the file and limit access to the file. File attributes include Archive, Compress, Hidden, Read-only, and System.

file system
A file system is an overall architecture for naming, storing, and retrieving files on a disk.

FilterKeys
FilterKeys is an Accessibility Options feature that instructs Windows 2000 to ignore quick or repeated keystrokes, or to slow the repeat rate of a key when it is held down. FilterKeys can be helpful when a user’s hands tremble while typing, or when a user cannot remove a finger quickly once he or she has pressed a key.

flexible single master operation
When an administrator can choose which domain controller will perform a particular type of restricted single master operation, the operation (task) is referred to as a flexible single master operation. See also single master operation, multiple master operation, operations master roles.

flexible single master operations roles
See operations master roles.

folder
A folder is a directory. In Windows 2000 terminology, the terms folder and directory are synonymous.

forest
A forest is a group of one or more domain trees, linked by transitive trusts, that shares a common schema and global catalog.

forward lookup zone
A forward lookup zone is a zone that contains host name to IP address mappings and information about available services for either a DNS domain or a DNS domain and one or more of its subdomains. See also zone, DNS.

fully qualified domain name (FQDN)
An FQDN is a fancy term for the way computers are named and referenced on the Internet. The format for an FQDN is server_name.domain_name.root_domain_name. For example, a server named wolf in the alancarter domain in the com root domain has a fully qualified domain name of wolf.alancarter.com. Fully qualified domain names always use lowercase characters. DNS domain names are FQDNs.
gigabyte (GB)
A gigabyte is 1,024 megabytes (MB), or 1,073,741,824 bytes.

global catalog
A global catalog is a master, searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in the Active Directory for its host domain, and, in addition, contains a partial replica of all objects in the Active Directory for every other domain in the forest. The global catalog, in conjunction with various search tools, is what enables administrators and users to search for and quickly locate an object, regardless of where the object is located on the network. By default, Windows 2000 automatically creates a global catalog on the first domain controller that is installed in a forest. See also Active Directory, domain, forest, global catalog server, and object.

global catalog server
A global catalog server is a domain controller that has an additional duty — it maintains a global catalog. See also global catalog.

global groups
Global groups, like domain local groups, are groups that are created and maintained in Active Directory on Windows 2000 domain controllers. Global groups, however, are primarily used to organize users that perform similar tasks or have similar network access requirements. See also domain local groups.

Group Policy
Group Policy is a policy that contains rules and settings that are applied to Windows 2000 computers, their users, or both, that are located in a specific part of Active Directory. There are two kinds of Group Policy: Local Group Policy and Group Policy. Group Policy consists of two components: an Active Directory object, called a Group Policy object (GPO), and a series of files and folders that are automatically created when the GPO is created. Each GPO is associated with a specific Active Directory container object, such as a site, a domain, or an organizational unit (OU). See also Active Directory, Local Group Policy.

groups
Groups are collections of user accounts. Using groups is a convenient and efficient way to assign user rights and permissions to multiple users.

Group scope
When you select from the three kinds of groups in Active Directory, the Windows 2000 user interface calls this selecting the Group scope. The possible selections for Group scope are domain local group, global group, or universal group. See also domain local groups, global groups, universal groups.

group system policy
A group system policy is a policy that applies to a group of users. A group system policy applies to all users that are members of a group (that has a group policy) and that do not have individual user policies. Group system policies have the same configurable options as user system policies. See also user system policy, System Policy.

GUID
GUID stands for globally unique identifier. A GUID is typically a 32-digit hexadecimal number that uniquely identifies an object within the entire Active Directory.

Hardware Abstraction Layer (HAL)
The HAL is a kernel mode component that is designed to hide the varying characteristics of hardware so that all hardware platforms appear the same to the Microkernel. As a result, only the HAL, and not the entire Microkernel, needs to address each and every hardware platform. The HAL can communicate directly with the computer’s hardware. See also kernel mode, Microkernel.

Hardware Compatibility List (HCL)
The HCL is a list of hardware that is supported by Windows 2000. The HCL is shipped with Windows 2000. You can also access the latest version of the HCL at http://www.microsoft.com/hcl.

hardware profile
A hardware profile is a list of devices (and settings for each of these devices) that Windows 2000 starts when you boot your computer. The primary reason for creating hardware profiles is to manage the different hardware configurations used by laptop computers.

hertz (Hz)
Hz is a unit of frequency measurement equivalent to one cycle per second.

hierarchical structure
A hierarchical structure refers to a manner of organizing a group of interrelated elements in which the elements are ranked or stacked, one above the other. An example of a hierarchical structure that you are probably familiar with is an organizational chart. The Active Directory has a hierarchical structure.

host
A host is a computer that is connected to a TCP/IP network, such as the Internet.

host name resolution
Host name resolution is the process of resolving a computer’s user-friendly host name (such as www.idgbooks.com) to the IP address of that computer.

HPFS
HPFS stands for high performance file system. This is the file system used by OS/2. Windows 2000 does not support HPFS. Windows NT used to support HPFS, but HPFS support was dropped for Windows NT version 4.0.

IIS
Internet Information Services (IIS) is Windows 2000’s Web server. IIS is actually a collection of several services. Some of the most commonly used components of IIS are World Wide Web Server, File Transfer Protocol (FTP) Server, FrontPage 2000 Server Extensions, SMTP Service, and NNTP Service. IIS 5.0 is an integral part of Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server.

Indexing Service
The Indexing Service is a Windows 2000 service that indexes Web site content and other documents on a Windows 2000 computer so these items can be searched by users. You can think of the Indexing Service as a Windows 2000 search engine.

individual computer policy
An individual computer policy applies to a single, specific client computer. Normally, an individual computer policy is created only when a client computer requires a unique policy that differs from the Default Computer policy. See also Default Computer policy, computer system policy, System Policy.

individual user policy
An individual user policy applies to a single, specific user. Normally, an individual user policy is created only when a user requires a unique policy that differs from any existing Default User or group system policy. See also Default User policy, user system policy, System Policy.

infrastructure master
The infrastructure master is one of five operations master roles. The infrastructure master is the domain controller in the domain that updates group membership information when group members (who are users from other domains) are renamed or moved. There can be only one infrastructure master in each domain in a forest. See also flexible single master operation, operations master roles.

inheritance
Inheritance refers to the permissions an object receives simply because it is contained in another object — in other words, because an object is a child (or grandchild) object of a particular parent object. When an object inherits permissions, it’s not because the permissions have been applied specifically to the object in question, but rather because permissions have been set on the parent object that contains the object in question. The concept of inheritance applies to objects in Active Directory, and also to NTFS permissions set on files and folders.

input locale
An input locale consists of an input language and location combination (such as English [United States]), a keyboard layout, and local settings for the presentation of numbers, currency, time, and date.

input/output
See I/O.

interactive logon authentication
Interactive logon authentication is the process of verifying a user’s credentials for the purpose of determining whether the user is permitted to log on to a local Windows 2000 computer. See also user authentication, network authentication.

Internet connection sharing
Internet connection sharing, when enabled, permits other computers on your local area network to use a specific dial-up (or local area) connection on a computer to connect to the Internet. Internet connection sharing is commonly used in a home or small-office network setting when a single Internet connection must be shared by multiple computers. Internet connection sharing should not be used on networks that have existing routers, DNS servers, or DHCP servers.

Internet Information Services (IIS)
See IIS.

Internet Protocol security (IPSec)
See IPSec.

Internet Explorer 5
Internet Explorer 5 is Microsoft’s newest Web browser, and is an integral part of the Windows 2000 operating systems.

internetwork
An internetwork consists of multiple network segments connected by routers or WAN links.

interrupt (IRQ)
An interrupt (or interrupt request) is a unique number between two and fifteen that is assigned to a hardware peripheral in a computer. No two devices in the computer should have the same interrupt, unless the devices are capable of sharing an interrupt, and are correctly configured to do so.

intersite replication
Intersite replication is Active Directory replication that takes place between sites. Unlike intrasite replication, intersite replication is not automatically configured and performed by Windows 2000. An Administrator must manually create and configure sites and other Active Directory components before intersite replication will occur. See also intrasite replication, replication, site.

intranetwork
An intranetwork is a TCP/IP internetwork that is not connected to the Internet. For example, a company’s multi-city internetwork can be called an intranetwork as long as it is not connected to the Internet. See also internetwork.

intransitive trust
An intransitive trust is a trust relationship between two domains that is bounded by the two domains, and does not extend beyond these two domains to other domains. An intransitive trust is a one-way trust. See also one-way trust, trust relationship.

intrasite replication
Intrasite replication is Active Directory replication that takes place within a single site. Windows 2000, by default, automatically performs intrasite replication. See also intersite replication, replication, site.

I/O
I/O stands for input/output.

I/O Manager
The I/O Manager is a kernel mode component that is responsible for all input and output to disk storage subsystems. As it manages input and output, the I/O Manager also serves as a manager and supporter of communications between the various drivers. The I/O Manager can communicate directly with system hardware if it has the appropriate hardware device drivers. Subcomponents of the I/O Manager include a Cache Manager, file system drivers, and device drivers. See also kernel mode.

IP address
An IP address is a 32-bit binary number, broken into four 8-bit sections (called octets), that uniquely identifies a computer or other network device on a network that uses TCP/IP. IP addresses must be unique — no two computers or other network devices on an internetwork should have the same IP address. An IP address is normally represented in a dotted decimal format. A sample IP address is 192.168.59.5.

IPSec
IPSec (which is short for Internet Protocol security) is a collection of security protocols and cryptography services that encrypts TCP/IP traffic between two computers, thus preventing unauthorized users who capture network traffic from viewing or modifying sensitive data.

IRQ
IRQ stands for interrupt request, which is sometimes shortened to interrupt.

Job Based connection
A Job Based connection is a local HP (DLC) printer configuration that permits all Windows 2000 (and Windows NT 4.0) computers on the network that have the DLC protocol installed to access the HP JetDirect adapter for printing. See also Continuous connection.

joining a domain
When a Windows 2000 computer is configured so that it becomes a member of a domain, the process is referred to as joining a domain. Each Windows 2000 computer must belong to either a workgroup or a domain.

Kerberos version 5 protocol
The Kerberos version 5 protocol is an Internet standard authentication protocol that provides a higher level of security and faster, more efficient authentication than the Windows NT/LAN Manager protocol.

kernel
A kernel is the core component of an operating system.

kernel mode
Kernel mode refers to a highly privileged mode of operation in Windows 2000. “Highly privileged” means that all code that runs in kernel mode can access the hardware directly, and can access any memory address. A program that runs in kernel mode is always resident in memory — it can’t be written to a paging file. See also user mode, paging file.

kilobyte (KB)
A kilobyte is 1,024 bytes.

Layer Two Tunneling Protocol (L2TP)
The Layer Two Tunneling Protocol (L2TP), like PPTP, permits a VPN connection between two computers over an existing TCP/IP network connection. The major difference between PPTP and L2TP is that PPTP uses Microsoft Point-to-Point Encryption (MPPE), while L2TP uses IPSec for encryption. In addition, L2TP is rapidly becoming the industry standard tunneling protocol. Currently, only Windows 2000 remote access clients and remote access servers support L2TP. See also Point-to-Point Tunneling Protocol (PPTP).

license group
A license group is a group of users that is assigned a specific number of licenses. License groups enable Licensing to correctly track license usage when an organization uses the Per Seat licensing mode and has an unequal number of users and computers.

local user account
A local user account enables a user to log on to the local computer and to access that computer’s resources. See also domain user account.

logging on
Logging on is the process of supplying a user name and password, and having that user name and password authenticated by a Windows 2000 computer. A user is said to “log on” to a Windows 2000 computer.

logical drive
A logical drive is a volume that is created from some or all of the space in an extended partition, and that is assigned a drive letter. The term logical drive is also used to refer to any volume or network-connected drive that is assigned a drive letter. See also extended partition.

Local Group Policy
Local Group Policy consists of a series of files and folders that are automatically created during the installation of Windows 2000 on the local computer. Local Group Policy files and folders are stored in the SystemRoot\System32\GroupPolicy folder. Local Group Policy applies to the local computer, and to users that log on to the local computer. See also Group Policy.

local groups
Local groups are groups that are created and maintained on an individual Windows 2000 computer (that is not a domain controller). Local groups can be created by members of the Administrators, Power Users, and Users groups.

logon rights
Logon rights are a type of user right that determines whether a user is permitted to authenticate (log on) to a Windows 2000 computer, and if so, how that user is permitted to log on. See also user rights, privileges.

LPD
LPD stands for line printer daemon, and is the print server software used by UNIX computers. See also LPR.

LPR
LPR stands for line printer remote, and is the client software used to access LPD printers. See also LPD.

mandatory user profile
A mandatory user profile is a user profile that, when assigned to a user, can’t be changed by the user. A user can make changes to desktop and work environment settings during a single logon session, but these changes are not saved to the mandatory user profile when the user logs off. Each time the user logs on, the user’s desktop and work environment settings revert to those contained in the mandatory user profile. See also user profile.

master
A master is a type of DNS server that provides a copy of the zone to a standard secondary DNS server. See also slave.

megabyte (MB)
A megabyte is 1,024 kilobytes, or 1,048,576 bytes.

Microkernel
The Microkernel is a kernel mode component that is the very heart of the Windows 2000 operating system. It handles interrupts, schedules threads, and synchronizes processing activity. The Microkernel also communicates with the Hardware Abstraction Layer (HAL). See also Hardware Abstraction Layer (HAL), kernel mode.

Microsoft Management Console (MMC)
The MMC is a Windows 2000 feature that hosts administrative tools used to perform administrative tasks on your Windows 2000 computer and network. The MMC is not a management tool itself, but rather is a shell designed to provide a common user interface for the administrative tools, called snap-ins, that it contains. See also snap-in.

Microsoft RAS protocol
The Microsoft RAS protocol (also called AsyBEUI) is supported by the Windows 2000 Routing and Remote Access service to enable inbound connections from legacy client computers, including MS-DOS, Windows for Workgroups, and Windows NT 3.1. The only transport protocol that can be used with AsyBEUI is NetBEUI.

million bits per second (Mbps)
Mbps is a measurement of data transmission speed that is used to describe WAN links and other network connections.

mirrored volume
A mirrored volume consists of a simple volume that is exactly duplicated, in its entirety, onto a second dynamic disk. Mirrored volumes are also known as RAID level 1. See also dynamic disk, RAID, simple volume.

MouseKeys
MouseKeys is an Accessibility Options feature that enables you to move the cursor by pressing the keys on your keyboard’s 10-key pad instead of by using a mouse.

MS-DOS
MS-DOS is a computer operating system developed by Microsoft. MS-DOS stands for Microsoft Disk Operating System.

multiple master operation
When more than one domain controller is able to perform a specific task, that task is referred to as a multiple master operation. See also single master operation, flexible single master operations.

multiprocessing
Multiprocessing refers to the capability of an operating system to use more than one processor in a single computer simultaneously.

multithreading
When an application has more than one thread, each thread can be executed independently of the other. This is referred to as multithreading. See also thread.

NetBIOS name resolution
When a user attempts to connect to a computer selected from a browse list by the remote computer’s NetBIOS name, the user’s computer must first obtain the IP address associated with the remote computer’s NetBIOS name. This process is called NetBIOS name resolution. Once the user’s computer has resolved the remote computer’s NetBIOS name to its IP address, it can then establish TCP/IP network communications with the remote computer.

network adapter card
A network adapter is an adapter card in a computer that enables the computer to connect to a network.

network authentication
Network authentication is the process of verifying a user’s credentials for the purpose of determining whether the user is permitted to access network resources, such as a shared folder, a shared printer, or a network service. See also user authentication, interactive logon authentication.

Network Monitor
Network Monitor is a Windows 2000 Server administrative tool that makes it possible for you to capture, view, and analyze network traffic (packets). Network Monitor doesn’t ship with Windows 2000 Professional.

NTFS
See Windows NT file system.

NTFS permissions
NTFS permissions are permissions assigned to individual files and folders on NTFS volumes that are used to control access to these files and folders. NTFS permissions apply to local users as well as to users who connect to a shared folder over the network. If NTFS permissions are more restrictive than share permissions, the NTFS permissions will be applied. See also shared folder permissions.

object
An Active Directory object is a record in the directory that is defined by a distinct set of attributes. There are many classes of objects. See also Active Directory, class.

ODBC
ODBC stands for Open Database Connectivity. ODBC is a software specification that enables ODBC-enabled applications (such as Microsoft Excel) to connect to databases (such as Microsoft SQL Server and Microsoft Access).

offline files
Offline files are files that are stored on a network server and, in addition, are configured on the local computer so they can be used when the computer is not connected to the network.

one-way trust
A one-way trust means that a single trust relationship exists between two domains. See also intransitive trust, trust relationship, two-way trust.

operations master roles
There are five operations master roles: schema master, domain naming master, PDC emulator, relative ID master, and infrastructure master. See also flexible single master operation, schema master, domain naming master, PDC emulator, relative ID master, infrastructure master.

organizational unit (OU)
An organizational unit (OU) is a type of Active Directory object. Organizational units, which are sometimes called container objects, can contain objects and other organizational units. An organizational unit is used to organize related objects and other organizational units in the Active Directory in much the same way that a folder is used to organize related files and other folders in a volume. See also Active Directory, object.

OS/2 subsystem
The OS/2 subsystem is a user mode subsystem. This subsystem obtains its user interface and screen functions from the Win32 subsystem, and requests Executive Services to perform all other functions for it. See also user mode, Win32 subsystem, Executive Services.

owner
The creator of a file or folder is its owner (except that when a member of the Administrators group on the local computer creates a file or folder, the Administrators group — not the user — is the owner of the file or folder). The owner of a file or folder has special status and can always assign or change NTFS permissions to users and groups for that file or folder. Only files and folders on NTFS volumes have owners. See also take ownership.

packet
A packet is a group of bytes sent over the network as a block of data.

paging file
A paging file (sometimes called a page file or a swap file) is a file used as a computer’s virtual memory. Pages of memory that are not currently in use can be written to a paging file to make room for data currently needed by the processor. See also virtual memory.

parent domain
A parent domain is any domain that is above another domain in the domain tree hierarchy. See also child domain, domain, domain tree.

parent object
A parent object is an Active Directory container object that contains other objects. See also child object.

partition
The space on hard disks is divided into areas called partitions. A partition is a portion of a hard disk that can be formatted with a file system, or combined with other partitions to form a larger logical drive. Partitions are represented by drive letters, for example, C:, D:, and so on. See also logical drive.

PDC emulator
The PDC emulator is one of five operations master roles. The PDC emulator either acts like a Windows NT 4.0 PDC, or receives preferential treatment for replication of password changes, depending on whether Active Directory is configured to operate in mixed-mode or native-mode. There can be only one PDC emulator in each domain in a forest. See also flexible single master operation, operations master roles.

permissions
Permissions control access to resources, such as shares, files, folders, and printers on a Windows NT computer.

Plug and Play
Plug and Play is a specification that makes it possible for hardware devices to be automatically recognized and configured by the operating system without user intervention.

Point-to-Point Multilink Protocol
The Point-to-Point Multilink Protocol is an extension of PPP. Point-to-Point Multilink Protocol combines the bandwidth from multiple physical connections into a single logical connection. This means that multiple modem, ISDN, digital link, or X.25 connections can be bundled together to form a single logical connection with a much higher bandwidth than a single connection can support.

Point-to-Point Protocol (PPP)
The Point-to-Point Protocol (PPP) is currently the industry standard remote connection protocol. PPP connections support multiple transport protocols, including: TCP/IP, NWLink IPX/SPX/NetBIOS Compatible Transport Protocol, AppleTalk, and NetBEUI.

Point-to-Point Tunneling Protocol (PPTP)
The Point-to-Point Tunneling Protocol (PPTP) permits a virtual private network (VPN) connection between two computers over an existing TCP/IP network connection. The existing TCP/IP network connection can be over the Internet, a local area network, or a remote access TCP/IP connection. All standard transport protocols are supported within the PPTP connection.

POSIX
Portable Operating System Interface for Computing Environments (POSIX) was developed as a set of accepted standards for writing applications for use on various UNIX computers. POSIX environment applications consist of applications developed to meet the POSIX standards. These applications are sometimes referred to as POSIX-compliant applications. Windows 2000 provides support for POSIX-compliant applications via the POSIX subsystem. See also POSIX subsystem.

POSIX subsystem
The POSIX subsystem is a user mode subsystem designed to run POSIX 1.x compatible applications. This subsystem uses the Win32 subsystem to provide its screen and graphical displays, and requests Executive Services to perform all other functions for it. See also POSIX, user mode, Win32 subsystem, Executive Services.

preemptive multitasking
In preemptive multitasking, the operating system allocates processor time between applications. Because Windows 2000, not the application, allocates processor time between multiple applications, one application can be preempted by the operating system, and another application enabled to run. When multiple applications are alternately paused and then allocated processor time, they appear to run simultaneously to the user.

primary domain controller (PDC)
A PDC is a Windows NT Server computer that is configured to maintain the primary copy of the Windows NT Server domain directory database (also called the SAM). The PDC sends domain directory database updates to backup domain controllers (BDCs) via a process called synchronization. See also backup domain controller, domain controller.

primary partition
A primary partition is a partition on a basic disk that can be configured as the active partition. A primary partition can only be formatted as a single logical drive. See also active partition, logical drive.

print device (or printing device)
In Windows 2000, the term print (or printing) device refers to the physical device that produces printed output — what is more commonly referred to as a “printer.”

printer
In Windows 2000, the term printer does not represent a physical device that produces printed output. Rather, a printer is the software interface between the Windows 2000 operating system and the device that produces the printed output.

printer pool
When a printer has multiple ports (and multiple print devices) assigned to it, this is called a printer pool. Users print to a single printer, and the printer load balances its print jobs between the print devices assigned to it.

print job
A print job is all of the data and commands needed to print a document.

print server
A print server is a computer that hosts a shared printer.

privileges
Privileges are a type of user right that enables a user to perform specific tasks. See also user rights, logon rights.

protocol
A protocol is a combination of conventions and rules for communicating on a network.

provider order
Provider order specifies which installed client the local area connection uses first when it attempts to connect to a server or a printer. See also bindings.

publishing
When used in connection with Active Directory, publishing refers to the act of creating an Active Directory object for a shared folder, shared printer, or other network resource.

query
A DNS request is called a query. See also simple query, recursive query.

RADIUS (Remote Authentication Dial-in User Service)
RADIUS is an industry standard authentication service. It is typically used by ISPs to maintain a centralized user accounts database. RADIUS is often used in an enterprise environment to provide centralized authentication and accounting services for multiple remote access servers.

RAID
RAID stands for redundant array of inexpensive disks.

RAID-5 volume
A RAID-5 volume consists of identical-sized areas of formatted disk space located on three or more dynamic disks. In a RAID-5 volume, data is stored, a block at a time, evenly and sequentially, among all of the disks in the volume. In addition to data, parity information is also written across all of the disks in the RAID-5 volume. This parity information enables RAID-5 volumes to provide the fault tolerance that striped volumes can’t. See also dynamic disk, RAID, striped volume.

RAM
Random access memory, or RAM, is the physical memory installed in a computer.

RAW file
A RAW file is a print file that is ready to send to the printer, as is, and no further processing is required.

recovery agent
When used in reference to the Encrypt attribute and the Encrypting File System (EFS), a recovery agent is a user account that is assigned a special key (certificate) that permits it to unencrypt (that is, recover) all encrypted files on the computer. Typically the Administrator account is a recovery agent. See also Encrypting File System (EFS).

Recovery Console
The Recovery Console is a limited version of the Windows 2000 operating system that only has a command-line interface. The Recovery Console is helpful when you need to manually start or stop a service, repair the master boot record, or manually copy files from a floppy disk or compact disc to the computer’s hard disk in order to restore a system.

recursive query
A recursive query is a query that a DNS server can’t resolve by itself — it must contact one or more additional DNS servers to resolve the query.

refresh
The term refresh means to update the display with current information.

relative distinguished name (RDN)
A relative distinguished name (RDN) is the name that is assigned to the object by the administrator when the object is created. For example, when I create a user named AlanC, the RDN of that user is AlanC.

relative ID
The relative ID is the portion of a SID that identifies the object in the domain. The relative ID is unique for each object created in the domain. See also SID, domain SID.

remote access
Remote access is a feature that enables client computers to use dial-up and VPN connections to connect to a remote access server. Once a connection with the remote access server is established, the client computer has access to the network the remote access server is connected to. Remote access enables users of remote computers to use the network as though they were directly connected to it. Remote access is implemented in Windows 2000 by the Routing and Remote Access service.

Remote Installation Services (RIS)
Remote Installation Services (RIS) is a Windows 2000 Server service used to deploy Windows 2000 Professional over-the-network to client computers. RIS can only be used on Windows 2000 networks that use DHCP, DNS, and Active Directory. When installed on a Windows 2000 Server computer, the computer is called a RIS server.

replication
Replication, as applied to Active Directory, refers to the process of copying information and information updates from the Active Directory data store on one domain controller to other domain controllers. The purpose of replication is to synchronize Active Directory data among the domain controllers in the domain and forest. See
also Active Directory, Active Directory data store.
relative ID master
As applied to DNS, replication is the process of
The relative ID master (sometimes called the RID copying a zone to a standard secondary DNS
master or the relative identifier master) is one of server. This process is also called a zone transfer.
five operations master roles. The relative ID
master is the domain controller in the domain that resource records
assigns a range of relative IDs to each domain A resource record is any entry in a zone. See also
controller in the domain for use in creating SIDs. zone.
There can be only one relative ID master in each
domain in a forest. See also relative ID, SID, reverse lookup zone
flexible single master operation, operations A reverse lookup zone is a zone that contains IP
master roles. address to host name mappings. The mappings in
a reverse lookup zone are the opposite of those
contained in a forward lookup zone. See also
forward lookup zone.
RIS
See Remote Installation Services (RIS).

roaming user profile
A roaming user profile is a user profile that is stored on a Windows 2000 Server computer. Because the profile is stored on a server instead of on the local computer, it is available to the user regardless of which Windows 2000 computer on the network the user logs on to. See also user profile.

root domain
The DNS domain at the top (or root) of the tree is called the root domain. It is often represented by a period (.). See also DNS, DNS domain namespace.

root hints
Root hints are server name and IP address combinations that point to root servers located either on the Internet or on your organization’s private network.

router
A router is a network device that uses protocol-specific addressing information to forward packets from a source computer on one network segment across one or more routers to a destination computer on another network segment.

routing
Routing is the process of forwarding packets from a source computer on one network segment across one or more routers to a destination computer on another network segment by using protocol-specific addressing information. Devices that perform routing are called routers.

Safe Mode
Safe Mode is a special startup mode of Windows 2000 that uses default settings and the minimum number of files and device drivers required to start Windows 2000. If a Windows 2000 computer won’t boot normally, you may be able to boot it in Safe Mode.

scavenging
Scavenging is the process of searching for and deleting stale resource records in zones.

schema
In Active Directory terminology, the schema is a formal definition — a set of rules — of all of the classes of objects and their attributes that are stored in the directory. The schema governs the structure of the directory, including how various objects in the directory fit into the directory’s hierarchical structure. See also Active Directory, class, hierarchical structure, object.

schema master
The schema master is one of five flexible operations master roles. The schema master is the only domain controller that can make changes to the schema. There can be only one schema master in a forest. See also flexible single master operation, operations master roles.

scope
A DHCP scope is a range of IP addresses on a DHCP server that can be assigned to DHCP clients that reside on a single subnet. See also DHCP.

script
A script is a text file with a .bat, .js, or .vbs extension that can be used to configure a user’s environment, to start programs, to install software, or to perform various other tasks. You can use Group Policy to manage various types of scripts, including startup, shutdown, logon, and logoff scripts.

SCSI
SCSI stands for Small Computer System Interface. SCSI is a hardware specification for cables, adapter cards, and the devices that they manage, such as hard disks, CD-ROMs, and scanners.

second-level domain
The DNS domains in the layer under top-level domains are called second-level domains. These domains are subdomains of top-level domains. Many businesses have a second-level domain that is a subdomain of the com domain, such as microsoft.com. See also top-level domain, DNS.

security groups
There are two fundamental types of groups in Windows 2000: security groups and distribution groups. Security groups are primarily used to assign permissions and user rights to multiple users. In addition, security groups can be used by some e-mail programs to send messages to the list of users that are members of the group. See also groups, distribution groups.

security principal object
In Active Directory terminology, security principal objects include users, groups, and computers.

Security subsystem
The Security subsystem (sometimes called the Integral subsystem) is a user mode subsystem. This subsystem supports the logon process and also supports and provides security for Active Directory. The Security subsystem obtains its user interface and screen functions from the Win32 subsystem, and requests Executive Services to perform all other functions for it. See also Active Directory, user mode, Win32 subsystem, Executive Services.

security template
A security template is a text-based .inf file that contains predefined security settings that can be applied to one or more computers. A security template can also be used to compare a computer’s existing security configuration against a predefined, standard security configuration. The Security Templates snap-in to the MMC is used to create, edit, and manage security templates.

segment
In network terminology, a segment refers to a network subnet that is not subdivided by a bridge or a router. The term segment can also be used as a verb, describing the process of dividing the network into multiple subnets by using a bridge or a router.

separator page
You can configure a printer on a Windows 2000 computer so that a separator page is printed at the beginning of every document. Using separator pages at the beginning of print jobs enables users to locate their print jobs at the print device easily. Separator pages are sometimes called banner pages.

Serial Line Internet Protocol (SLIP)
The Serial Line Internet Protocol (SLIP) is an older connection protocol commonly associated with UNIX computers. SLIP connections are only supported on the client side of the remote access connection — a Windows 2000 remote access server doesn’t support incoming SLIP connections. The only transport protocol that SLIP supports is TCP/IP.

server
A server is a computer on a network that is capable of sharing resources with other computers on the network. Many computers are configured as both clients and servers, meaning that they can both access resources located on other computers across the network, and they can share their resources with other computers on the network. See also client.

service
A service is a program that performs specific tasks for other programs.

service dependencies
Service dependencies are the services and drivers that must be running before the service in question can start.

Setup Manager
The Windows 2000 Setup Manager wizard (called Setup Manager for short) is a tool that enables you to create answer files in order to automate the installation and setup of Windows 2000 Professional and Windows 2000 Server.

share
A share is another name for a shared folder. See also shared folder.

share permissions
Share permissions are another name for shared folder permissions. See also shared folder permissions.

shared folder
In Windows 2000, folders are shared to enable users to access network resources. A folder can’t be accessed by users across the network until it is shared or placed within another folder that is shared. Once a folder is shared, users with the appropriate permissions can access the shared folder (and all subfolders and files that the shared folder contains) over the network.

shared folder permissions
Shared folder permissions control user access to shared folders. Shared folder permissions only apply when users connect to the folder over the network — they do not apply when users access the folder on the local computer. Shared folder permissions apply to the shared folder, its files, and subfolders (in other words, to the entire directory tree under the shared folder).

ShowSounds
ShowSounds is an Accessibility Options feature. When ShowSounds is enabled, applications display captions for the speech and sounds they generate.

SID
SID stands for security identifier. A SID is a unique number created by the Windows 2000 Security subsystem that is assigned to security principal objects when they are created. A SID consists of two parts: a domain SID and a relative ID. Windows 2000 uses SIDs to grant or deny a security principal object access to other objects and network resources. See also domain SID, relative ID, security principal object.

simple query
A simple query is a query that a DNS server can resolve without contacting any other DNS servers. See also query, DNS server.

simple volume
A simple volume is a volume that consists of formatted disk space on a single hard disk. Simple volumes can only be created on dynamic disks. See also dynamic disk, volume.

single master operation
When only one domain controller can perform a specific task, that task is referred to as a single master operation. See also multiple master operation, flexible single master operations.

site
A site consists of one or more TCP/IP subnets, which are specified by an administrator. Additionally, if a site contains more than one subnet, the subnets should be connected by high-speed, reliable links. Sites do not correspond to domains — you can have two or more sites within a single domain, or you can have multiple domains in a single site. A site is solely a grouping based on IP addresses. Sites are configured by using Active Directory Sites and Services.

site link
A site link is an object in Active Directory that specifies a list of two or more sites that are connected to each other, the cost associated with the site link, and a replication schedule.

site link bridge
A site link bridge is an Active Directory object that groups two or more site links in order to create a “virtual site link” between all of the sites specified by the grouped site links. The purpose of a site link bridge is to enable replication between sites that use site links but that are not directly associated with each other via site links. See also site link, intersite replication, replication.

slave
The secondary DNS server receiving a copy of a zone from a master DNS server is sometimes called the slave in this relationship. See also master.

smart card
A smart card is a security device that contains a unique, encrypted set of authentication credentials. When used in conjunction with a smart card reader that has been installed on a computer, the use of smart cards eliminates the need for users to transmit user names and passwords across the network when logging on.

snap-in
The tools contained in the Microsoft Management Console (MMC) are referred to as snap-ins. See also Microsoft Management Console (MMC).

SoundSentry
SoundSentry is an Accessibility Options feature. When SoundSentry is enabled, Windows 2000 displays a visual warning when the computer makes a sound.

source-compatible
Applications are sometimes said to be “source-compatible” across hardware platforms. This means that the application must be recompiled for each hardware platform that you want to run it on.

spanned volume
A spanned volume consists of formatted disk space on more than one hard disk that is treated as a single volume. Spanned volumes can only be created on dynamic disks. See also dynamic disk.

special permissions
Special permissions (also called advanced permissions) are individual NTFS permissions that are combined to form the standard NTFS permissions. Special NTFS permissions are assigned by clicking the Advanced command button on the Security tab in a file or folder’s Properties dialog box.

stand-alone Dfs root
A stand-alone Dfs root is a type of Dfs root that can be hosted on any individual Windows 2000 Server computer. A stand-alone Dfs root is not published in Active Directory. In addition, you can’t create a replica of a stand-alone Dfs root for load balancing or fault tolerance purposes. If the server that hosts a stand-alone Dfs root isn’t available, the Dfs root is not available to users. See also Distributed file system (Dfs), Dfs root, domain Dfs root.

Standby
Standby is a low power usage state where all unnecessary devices, such as monitors and hard disks, are turned off.

static routing
Static routing is basic, no-frills IP routing. No additional software is necessary to implement static routing in multihomed Windows 2000 Server computers. Static routers are not capable of automatically building a routing table. In a static routing environment, administrators must manually configure the routing table on each individual router. If the network layout changes, the network administrator must manually update the routing tables to reflect the changes.

StickyKeys
StickyKeys is an Accessibility Options feature that enables a user to execute keyboard commands that normally require striking two or more keys simultaneously by striking one key at a time.

striped volume
A striped volume consists of identical-sized areas of formatted disk space located on two or more dynamic disks. In a striped volume, data is stored, a block at a time, evenly and sequentially, among all of the disks in the striped volume. Striped volumes are also known as RAID level 0, and are sometimes referred to as disk striping. See also disk striping, dynamic disk, RAID.

subfolder
A subfolder is a folder that is located within another folder. Subfolders can contain other subfolders, as well as files.

subnet mask
A subnet mask specifies which portion of an IP address represents the network ID and which portion represents the host ID. A subnet mask enables TCP/IP to correctly determine whether network traffic destined for a given IP address should be transmitted on the local subnet, or whether it should be routed to a remote subnet. A subnet mask should be the same for all computers and other network devices on a given network segment. A subnet mask is a 32-bit binary number, broken into four 8-bit sections (octets), that is normally represented in a dotted decimal format. A common subnet mask is 255.255.255.0. This particular subnet mask specifies that TCP/IP will use the first three octets of an IP address as the network ID, and use the last octet as the host ID.

symmetric multiprocessing
Symmetric multiprocessing is an efficient type of multiprocessing in which system processes and applications can be run on any available processor. See also multiprocessing.

synchronization
Synchronization is a process performed by the NetLogon service on a Windows NT Server computer. In this process, domain user and group account update information is periodically copied from the Primary Domain Controller (PDC) to each backup domain controller (BDC) in the domain.

Sysprep
Sysprep (sysprep.exe) is a Windows 2000 deployment tool designed for large organizations and OEMs. Sysprep prepares a Windows 2000 computer’s hard disk for duplication, thus making it possible for that computer’s hard disk to be copied to other computers. Sysprep can be used on either Windows 2000 Professional or Windows 2000 Server computers, but can’t be used on a Windows 2000 Server domain controller. Sysprep requires the use of third-party disk duplication software.

System Monitor
System Monitor is a Windows 2000 tool that is used to monitor and chart the performance of system components in a Windows 2000 computer. System Monitor replaces Windows NT 4.0’s Performance Monitor. System Monitor functions as an MMC snap-in.

System Policy
System Policy is a collection of Administrator-created user, group, and computer system policies that enable an administrator to manage non-Windows 2000 client computers (and their users) on a Windows 2000 network.

system environment variables
System environment variables are environment variables that apply to all users and to the operating system. See also environment variables and user environment variables.

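The subnet mask entry on this page describes how TCP/IP masks an address into a network ID and a host ID and uses that to choose between local delivery and routing. As an added example that is not from the book, the following Python applies a dotted-decimal mask exactly that way, rejects a non-contiguous mask, and shows the failure mode the entry warns about when two hosts on one segment use different masks; all addresses are constructed sample values, and it generalizes beyond the 255.255.255.0 case to any valid mask.

```python
"""Added example: applying a subnet mask the way the glossary entry
describes. Not from the book; all addresses below are constructed."""
from ipaddress import IPv4Address
from typing import Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Convert a dotted decimal address or mask to its 32-bit integer value."""
    return int(IPv4Address(dotted))


def validate_mask(mask: str) -> int:
    """A subnet mask must be a run of 1 bits followed only by 0 bits.
    Returns the number of 1 bits (the prefix length) or raises ValueError."""
    m = to_int(mask)
    ones = bin(m).count("1")
    # A valid mask with N ones is ALL_ONES with its (32 - N) low bits cleared.
    if m != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def split_address(ip: str, mask: str) -> Tuple[str, str]:
    """Return (network ID, host ID) for ip under mask, both in dotted decimal.
    The network ID is the address AND the mask; the host ID is the rest."""
    validate_mask(mask)
    ip_int, m = to_int(ip), to_int(mask)
    network = ip_int & m
    host = ip_int & (~m & ALL_ONES)
    return str(IPv4Address(network)), str(IPv4Address(host))


def delivery(src_ip: str, mask: str, dst_ip: str) -> str:
    """Decide how TCP/IP on src_ip sends to dst_ip: 'local' when both addresses
    share a network ID under mask, otherwise 'routed' (handed to a router)."""
    src_net, _ = split_address(src_ip, mask)
    dst_net, _ = split_address(dst_ip, mask)
    return "local" if src_net == dst_net else "routed"


def masks_agree(a_ip: str, a_mask: str, b_ip: str, b_mask: str) -> bool:
    """True when hosts A and B make the same local-versus-routed decision about
    each other. The entry says masks should match on a segment; when they do
    not, one side can deliver locally while the reverse path goes to a router."""
    return delivery(a_ip, a_mask, b_ip) == delivery(b_ip, b_mask, a_ip)


if __name__ == "__main__":
    host, mask = "192.168.10.25", "255.255.255.0"   # constructed sample
    print("network/host of", host, "under", mask, "=", split_address(host, mask))
    for dst in ("192.168.10.200", "192.168.11.5"):
        print(host, "->", dst, "is", delivery(host, mask, dst))
    # Constructed mismatch: the second host uses 255.255.255.128 instead.
    print("masks agree:", masks_agree(host, mask, "192.168.10.200", "255.255.255.128"))
```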
system groups
System groups is another term for built-in special groups. See also built-in groups, built-in special groups.

SystemRoot
Throughout this book, I use the term SystemRoot to refer to the folder that Windows 2000 is installed in. The default installation folder for Windows 2000 is C:\Winnt.

System State data
System State data includes various critical operating system files, folders, and databases. The actual components of System State data vary depending on the Windows 2000 operating system you’re using and the services installed on that operating system. For all Windows 2000 computers, System State data includes the operating system boot files, the registry, and the COM+ Class Registration database. On a Windows 2000 Server computer that has Certificate Services installed, System State data also includes the Certificate Services database. Finally, on a Windows 2000 Server that is a domain controller, System State data also includes the Active Directory data store and the contents of the SYSVOL folder. See also user data.

take ownership
Each file or folder on an NTFS volume has an owner. If you need to change or assign NTFS permissions to a file or folder, but don’t have the Full Control NTFS permission (or the Change Permissions special NTFS permission) to the file or folder, the only way you can change or assign permissions is to take ownership of the file or folder. Taking ownership of a file or folder is done by using Windows Explorer. See also owner.

Task Scheduler
The Scheduled Tasks folder, sometimes called the Scheduled Task tool or the Task Scheduler, is a tool used to schedule a program, command, script, document, or batch file to run at a specified time.

TCP/IP
The Transmission Control Protocol/Internet Protocol (TCP/IP) is a widely used transport protocol that provides robust capabilities for Windows 2000 networking. TCP/IP is a fast, routable enterprise protocol. TCP/IP is the protocol used on the Internet. TCP/IP is supported by many other operating systems, including: Windows NT, Windows 95, Windows 98, NetWare, Macintosh, UNIX, MS-DOS, and IBM mainframes. TCP/IP is typically the recommended protocol for large, heterogeneous networks.

TCP/IP packet filtering
TCP/IP packet filtering (sometimes called TCP/IP filtering) is a Windows 2000 TCP/IP security feature. You can use this feature to control the type of TCP/IP packets that a Windows 2000 computer on your network will receive. You can also use TCP/IP filtering to control the type of TCP/IP packets that each routing interface on your Windows 2000 Server computer (when it’s functioning as a router) will receive, forward, or both.

TechNet
Microsoft TechNet is an invaluable knowledge base and troubleshooting resource. TechNet is published monthly by Microsoft on multiple compact discs. TechNet includes a complete set of all Microsoft operating system Resource Kits (currently in a help file format), the entire Microsoft Knowledge Base, and supplemental compact discs full of patches, fixes, and drivers (so you don’t have to spend time downloading them).

terabyte (TB)
A terabyte is 1,024 gigabytes, or 1,099,511,627,776 bytes.

Terminal server
Terminal server is a term commonly used to refer to the Windows 2000 Server computer on which Terminal Services is installed. A Terminal server is also sometimes called a Terminal Services server. See also Terminal Services.

Terminal Services
Terminal Services is a Windows 2000 Server component that provides terminal emulation to network clients. Terminal Services enables users of client computers to remotely perform processor-intensive and network-intensive tasks from their client computers. The application runs on the server running Terminal Services, so the user can take advantage of the processing power and network connectivity of the server, while fully controlling the application from the client computer’s keyboard and monitor. See also Terminal server.

terminate-and-stay-resident (TSR) program
A terminate-and-stay-resident program is an MS-DOS program that stays loaded in memory, even when it is not running.

thread
A thread is the smallest unit of processing that can be scheduled by the Windows 2000 kernel. All applications require at least one thread. See also multithreading.

ToggleKeys
ToggleKeys is an Accessibility Options feature that causes Windows 2000 to play a tone every time the Caps Lock, Num Lock, and Scroll Lock keys are pressed. A high tone is played when the key is first pressed, and a lower tone is played when Caps Lock, Num Lock, or Scroll Lock is pressed again (and turned off). This feature is helpful for visually impaired users.

top-level domain
The DNS domains directly under the root domain are called top-level domains. Common top-level DNS domains include com, edu, net, org, and so on. See also root domain, DNS.

transitive trust
A transitive trust is a trust relationship between two Windows 2000 domains in the same domain tree (or forest) that can extend beyond these two domains to other trusted domains within the same domain tree (or forest). A transitive trust is always a two-way trust. By default, all Windows 2000 trusts within a domain tree (or forest) are transitive trusts. See also domain, domain tree, forest, trust relationship, two-way trust.

tree
See domain tree.

trust relationship, trust
A trust relationship, or trust, is an agreement between two domains that enables users in one domain to be authenticated by a domain controller in another domain, and therefore to access shared resources in the other domain. See also trusted domain, trusting domain.

trusted domain
The trusted domain is the domain that contains the user accounts that want to access the shared resources in the trusting domain. The trusted domain is trusted by the trusting domain. See also trust relationship, trusting domain.

trusting domain
The trusting domain is the domain that has resources to share with user accounts in the trusted domain. The trusting domain trusts the trusted domain. See also trust relationship, trusted domain.

TSID
TSID stands for Transmitting Station Identifier. TSID is used by the fax service to identify itself to fax machines that this computer sends faxes to.

TTL
TTL stands for Time-To-Live. TTL is often used by protocols such as TCP/IP and IPX/SPX to determine the number of routers a packet can cross before it is discarded (killed).

two-way trust
In a two-way trust relationship, two domains trust each other. See also intransitive trust, one-way trust, transitive trust, trust relationship.

UDF
UDF stands for Universal Disk Format. UDF is a file system used to access read-only DVD discs. Like CDFS, this file system is not used on a computer’s hard disk, but only on DVD-ROM devices. See also DVD, CDFS.

uninstall(ing)
Sometimes you may want to completely remove all drivers associated with a hardware device. Windows 2000 refers to this process as “uninstalling.”

universal groups
Universal groups, like domain local groups and global groups, are groups that are created and maintained in Active Directory on Windows 2000 domain controllers. Universal groups, however, are used to organize users from multiple domains that perform similar job tasks or have similar network access requirements, or to control access to shared resources in multiple domains. See also domain local groups, global groups.

universal naming convention (UNC)
UNC is a naming convention. A UNC name consists of a server name and a shared resource name in the following format: \\Server_name\Share_name. In this format, Server_name represents the name of the server that the shared folder is located on, and Share_name represents the name of the shared folder.

UPS
UPS stands for uninterruptible power supply. A UPS is a fault-tolerance device that enables a computer to continue operations for a short period of time after a power outage.

user account
A user account is a record that contains unique user information, such as user name, password, and any logon restrictions. User accounts enable users to log on to Windows 2000 computers, and to access resources on the network.

user authentication
User authentication is the process of verifying a user’s credentials for the purpose of determining whether the user is permitted to access a local computer or a network resource, such as a shared folder or shared printer. In Windows 2000, user authentication is performed by either the local computer (if the user logs on by using a local user account) or by a domain controller (if the user logs on by using a domain user account).

user data
User data is a broad category that includes application files and folders, operating system files and folders, and user-created files and folders. In short, user data includes all files and folders on the Windows 2000 computer that aren’t held open at all times by Windows 2000. See also System State data.

user environment variables
User environment variables apply only to a specific user. See also environment variables and system environment variables.

user logon name
A user logon name is the term Active Directory Users and Computers uses to refer to a user name.

user mode
Within the Windows 2000 architecture, user mode is referred to as a less privileged processor mode because it does not have direct access to hardware. Applications and their subsystems run in user mode. User mode applications are limited to assigned memory address spaces and can’t directly access other memory address spaces. User mode uses specific application programming interfaces (APIs) to request system services from a kernel mode component. See also application programming interface (API), kernel mode.

user principal name (UPN)
A user principal name (UPN) is a shortened version of the distinguished name (DN) that is typically used for logon and e-mail purposes. A UPN consists of the relative distinguished name (RDN) plus the FQDN of the domain. Another way you can think of a UPN is as a DN stripped of all organizational unit references. See also distinguished name, fully qualified domain name (FQDN), relative distinguished name.

user profile
A user profile is a folder that contains a collection of settings, options, and files that specify a user’s desktop and all other user-definable settings for a user’s work environment. You can use the User Profiles tab in the System application to copy, delete, and change the type of user profiles.

user rights
User rights authorize users and groups to perform specific tasks on a Windows 2000 computer or in a Windows 2000 domain. User rights are not the same as permissions: user rights enable users to perform tasks, whereas permissions enable users to access objects, such as files, folders, printers, and Active Directory objects.

user system policy
A user system policy is a collection of settings that restrict a user’s program and network options and can enforce a specified configuration on the user’s work environment. There are two types of user system policies: an individual user policy and the Default User policy. See also individual system policy, Default User policy, System Policy.

verbose mode
Verbose mode refers to running an application in such a way that the application returns the maximum amount of information and detail to the user. The verbose mode is initiated on many applications by using the /v switch.

virtual directory
A virtual directory is a child Web site that doesn’t contain Web content. Rather, it is a pointer to an actual folder that contains its Web content. A virtual directory is created on a Windows 2000 Web server. The folder containing the Web content can be located either on the Windows 2000 Web server, or on any other computer on the network that is a member of the domain to which the Web server belongs.

Virtual DOS Machine (VDM)
A VDM is a Win32 application that emulates an Intel 486 computer running the MS-DOS operating system.

virtual memory
Virtual memory is the physical space on a hard disk that Windows 2000 treats as though it were RAM. Virtual memory is implemented in Windows 2000 by the use of paging files. See also paging file.

virtual private network (VPN)
A VPN is a private, encrypted connection across a public network. A VPN connection is a private, encrypted connection between two computers (or networks) that can already communicate with each other by using TCP/IP.

virtual server
A virtual server is a pseudo WWW server with its own unique fully qualified domain name (FQDN). To an Internet user, a virtual server appears to be a separate server; in reality it is not a separate computer at all, but more like an extra shared folder on the same Windows 2000 Server Web server, selected by the FQDN (host header) that the client specifies in its request.

volume
A volume is an area of disk space (often called a partition) on one or more hard disks that has been formatted with a file system.

Win32 subsystem
The Win32 subsystem is a user mode subsystem. All 32-bit Windows applications run in this subsystem. The Win32 subsystem provides its own screen and keyboard functions and requests the Executive Services to perform all other functions for it. This subsystem also provides screen and keyboard functions for all of the other user mode subsystems. See also user mode, Executive Services.

Window Manager
Window Manager is a kernel mode component (part of Win32k.sys) that is responsible for providing the graphical user interface. Window Manager communicates directly with the graphics device drivers, which in turn communicate directly with the hardware. See also kernel mode.

Windows 2000 Advanced Server
Microsoft Windows 2000 Advanced Server is a powerful 32-bit operating system that is optimized for servers in an enterprise network environment. This operating system is often a good intermediate choice for a heavily used server, such as a SQL server, when you need a more powerful hardware platform than Windows 2000 Server supports but don't need the capabilities (or the added hardware and software expense) associated with Windows 2000 Datacenter Server.

Windows 2000 Datacenter Server
Microsoft Windows 2000 Datacenter Server is the most powerful of the Windows 2000 operating systems. It is a 32-bit operating system optimized for enterprise applications, such as extremely large databases and real-time online transaction processing, or other industrial applications that require phenomenal amounts of processor power.

Windows 2000 Professional
Microsoft Windows 2000 Professional is a 32-bit operating system that is optimized for use on desktop computers. It contains the features and functionality of Windows NT Workstation 4.0 together with the best features of Windows 98.

Windows 2000 Server
Microsoft Windows 2000 Server is a powerful 32-bit operating system that is optimized for network file, print, application, and Web servers. Windows 2000 Server is the next generation of Windows NT Server 4.0, and is the operating system of choice for most business server applications.

Windows Clustering
Windows Clustering is the collective name for two technologies available on Windows 2000 Advanced Server and Datacenter Server. The Cluster service joins two Advanced Server computers (up to four on Datacenter Server) into a server cluster so that an application or service fails over to a surviving node when one node stops; Network Load Balancing distributes TCP/IP traffic across up to 32 computers. Together they provide high availability and load balancing. The Cluster service is implemented on Windows 2000 Advanced Server by installing it as an optional component. See also cluster.

Windows NT File System (NTFS)
NTFS is a file system supported only by Windows 2000 and Windows NT. NTFS is the most powerful file system supported by Windows 2000. Advantages of using NTFS include extended attributes, file-level security (permissions and auditing, which the Encrypting File System complements so that a disk removed from the computer cannot simply be read under another operating system), disk quotas, compression, and the ability to use partitions larger than 32GB, which is the largest FAT32 volume that Windows 2000 will format.
WINS
Windows Internet Name Service (WINS) is a Windows 2000 Server service that provides NetBIOS name resolution services to client computers. See also NetBIOS name resolution.

workgroup
A workgroup is a logical grouping of networked computers in which one or more of the computers has one or more shared resources, such as a shared folder or a shared printer. Unlike a domain, a workgroup has no central account database: each computer keeps its own. See also domain.

zone
A zone is a storage database for either a DNS domain or for a DNS domain and one or more of its subdomains. See also zone file.

zone file
A standard (non-Active Directory-integrated) zone is implemented as a special text file, called a zone file, which Windows 2000 DNS keeps in the %SystemRoot%\system32\dns folder. The terms zone and zone file are often used interchangeably. See also zone.

zone transfer
The process of copying a zone from a master DNS server to a standard secondary DNS server is called a zone transfer; Windows 2000 DNS supports both full (AXFR) and incremental (IXFR) transfers. Microsoft sometimes calls this process replication, although strictly an Active Directory-integrated zone is not transferred this way but is replicated as part of Active Directory replication. Because a zone transfer hands out every record in the zone, use the Zone Transfers tab of the zone's properties to restrict which servers may request one.