Windows 2000 Professional is optimized for use alone as a desktop operating system, as a networked computer in a peer-to-peer workgroup environment, or as a workstation in a Windows 2000 Server domain environment. Windows 2000 Server is optimized for use as a file, print, and application server, as well as a Web-server platform.
The major difference between a workgroup and a domain is where the user account information resides for user logon authentication. For a workgroup, user account information resides in the local security database on each computer in the workgroup. For the domain, the user account information resides in the Active Directory database.
The Security subsystem.
Active Directory is the directory service included in Windows 2000 Server. It stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects.
Windows 2000 sends the logon information to a domain controller, which compares it to the user's information in the directory. If the information matches, the domain controller authenticates the user and issues an access token for the user.
The Windows 2000 Security dialog box provides easy access to important security options, including the ability to lock a computer, change a password, stop programs that are not responding, log off a computer, and shut down the computer. You can also determine the domains to which you are logged on and the user account that you used to log on.
To install the Windows 2000 deployment tools, display the contents of the Deploy.cab file, which is located in the Support\Tools folder on the Windows 2000 CD-ROM. Select all the files you want to extract, right-click a selected file, and then select Extract from the menu. You will be prompted for a destination and the location and name of a folder for the extracted files.
You must have Windows 2000 Server with RIS installed, a DNS server available on the network, a DHCP server available on the network, a Windows 2000 domain to provide Active Directory directory service, and client computers that meet the Net PC specification or have a boot floppy to connect to the RIS server.
Windows 2000 ships with the Windows 2000 Remote Boot Disk Generator, rbfg.exe, which is used to create boot disks. It is found on the RIS server in the folder where the Windows 2000 Professional installation files are stored. The path is RemoteInst\Admin\i386\rbfg.exe.
The boot floppies created using Rbfg only support the PCI-based network adapters listed in the Adapter List. Start Rbfg.exe and then click the Adapter List button to see the list of supported adapters.
No, Windows 2000 Professional requires at least 64 MB of memory. You can install the Directory Service Client for Windows 95 or 98. The laptop would then be able to access Active Directory directory service.
The System Preparation tool adds a system service to the master image that generates a new, unique computer security ID (SID) the first time the computer to which the master image is copied is started. Without this step every cloned computer would share the SID embedded in the image, and local accounts and groups on those computers would be indistinguishable from one another.
The System Preparation tool adds a Mini-Setup wizard to the master disk image that runs the first time the computer to which the master image is copied is started. It guides the user through entering the user-specific information such as the end-user license agreement, the Product ID, user name, company name, and time zone selection.
The System Preparation tool causes the master image to force the computer on which the master image is copied to run a full Plug and Play device detection. Hence peripherals, such as the network adapter, the video adapter, and sound cards on the computer on which the disk image was copied need not be identical to the ones on the computer on which the image was generated.
Verify that the hardware components meet the minimum requirements for Windows 2000. Also, verify that all of the hardware components that are installed in the new computers are listed on the Windows 2000 HCL. If a component is not listed, contact the manufacturer to verify that a Windows 2000 driver is available.
Start the computer by using the Setup boot disks. When prompted, insert the Windows 2000 Professional CD-ROM, and then continue setup.
You need the DNS domain name of the domain that you are joining. You must also make sure that a computer account for the client exists in the domain, or you must have the user name and password of a user account in the domain with the authority to create computer accounts in the domain. A server running the DNS service and a domain controller in the domain you are joining must be available on the network.
Use a disk partitioning tool to remove any existing partitions, and then create and format a new partition for the Windows 2000 installation.
Locate the path to the shared installation files on the distribution server. Create a 500-MB FAT partition on the target computer (1 GB recommended). Create a client disk with a network client so that you can connect from the computer, without an operating system, to the distribution server.
The MMC displays a list of available extensions for the Computer Management snap-in.
What option determines which extensions MMC displays in the Available Extensions list in this dialog box?
The available extensions depend on which snap-in you select.
How much free space does the Dir command report?
Answer will vary.
Why is there a difference between the free space reported for drive C and the free space reported for C:\Mount?
If you mounted your volume on a drive other than drive C, replace C with the appropriate drive letter.
Windows 2000 displays the Quota Entries For Local Disk (C:) window.
Are any user accounts listed? Why or why not?
Yes. The accounts listed are those that have logged on and gained access to drive C.
Windows 2000 displays the Add New Quota Entry dialog box.
What are the default settings for the user you just set a quota limit for?
Limit disk space to 10 MB and Set the warning level to 6 MB. These are the default settings that are selected for drive C.
Windows 2000 Professional begins copying files from the i386 folder on the CD-ROM to a new i386 folder in the User5 folder on drive C. After copying several files, however, Windows 2000 displays the Error Copying File Or Folder dialog box, indicating that there isn't enough room on the disk.
Why did you get this error message?
You have exceeded your quota limit and since the Deny Disk Space To Users Exceeding Quota Limit check box is selected, once you exceed your quota limit, you can't use more disk space.
Are there any IRQs being shared?
Answer will vary.
If you can't see any output on the secondary display, try the following:
The problem could be one or more of the following:
You would do the following to troubleshoot the problem:
You can leave the disk as a basic disk and then create a combination of primary partitions (up to three) and logical drives in an extended partition; or, you can upgrade the disk to a dynamic disk and create five 2-GB simple volumes.
You can create striped volumes only on dynamic disks. The fact that you are presented with the option to create a partition rather than a volume indicates that the disk you are trying to use is a basic disk. You will need to upgrade all of the disks that you want to use in your striped volume to dynamic disks before you stripe them.
The existing volume is not formatted with the NTFS file system. You can extend only NTFS volumes. You should back up any data on the existing volume, convert it to NTFS, and then extend the volume.
Only Windows 2000 can read dynamic storage.
Format all volumes with NTFS and enable disk quotas for all of the volumes. Specify a limit of 25 MB and select the Deny Disk Space To Users Exceeding Quota Limit check box.
Compress the folders that the Sales department uses to store archive data.
The most likely reason there is no APM is that his computer does not have an APM-based BIOS installed. When Windows 2000 does not detect an APM-based BIOS, Setup does not install APM and there is no APM tab in the Power Options Properties dialog box.
No. Hibernate mode makes your computer appear to be turned off, but it is not. You must shut down your computer to comply with these airline regulations.
Explain to your boss that it is not a good idea to manually change or assign resource settings for Plug and Play devices. Windows 2000 arbitrates resources, but if you manually assign them, then Windows 2000 will not be able to arbitrate the assigned resources if requested by another Plug and Play device.
For the Advanced Options tab to be displayed, the user must be logged on as Administrator or have administrator privileges.
What are the Sales group's effective permissions for the Sales subfolder when they gain access to the Sales subfolder by making a connection to the Data shared folder?
The Sales group has the Read permission for the Sales subfolder because when shared folder permissions are combined with NTFS permissions, the more restrictive permission applies.
What permissions does User1 have when he or she accesses the User1 subfolder by making a connection to the Users shared folder? What are User1's permissions for the User2 subfolder?
User1 has the Full Control permission for the User1 subfolder because both the shared folder permission and the NTFS permission allow Full Control. User1 can't access the User2 subfolder because she or he has no NTFS permissions to gain access to it.
What is the current priority? Is it the lowest or highest priority?
The current priority is the default of 1, which is the lowest priority.
The two types are local and network-interface print devices. A local print device is connected directly to a physical port of the print server. A network-interface print device is connected to the print server through the network. Also, a network-interface print device requires a network interface card.
You (or the user) must make a connection to the printer from the client computer. When you make a connection to the printer from the client computer, Windows 2000 automatically copies the printer driver to the client computer.
It allows a user to make a connection to a printer without having to use the Add Printer wizard. It makes a connection to a Web site, which displays all of the printers for which the user has permission. The Web site also provides information on the printers to help the user make the correct selection. Also, a Web designer can customize this Web page, for example displaying a floor plan that shows the location of print devices, which makes it easier for users to choose a print device.
To set priorities between the printers so that users can send critical documents to the printer with the highest priority. These documents will always print before documents that are sent from printers with lower priorities.
To speed up printing. Users can print to one printer that has several print devices so that documents do not wait in the print queue. It also simplifies administration; it's easier to manage one printer for several print devices than it is to manage one printer for each print device.
The Manage Documents permission.
Create a separator page that identifies and separates printed documents.
No. You can change the configuration of the print server only to send documents to another printer or print device, which redirects all documents on that printer.
You can control print jobs by setting the printing time. You set the printing time for a document on the General tab of the Properties dialog box for the document. To open the Properties dialog box for a document, select the document in the printer's window, click the Document menu, and then click Properties. Click Only From in the Schedule section of the Properties dialog box, and then set the Only From hour to the earliest time you want the document to begin printing after regular business hours. Set the To time to a couple of hours before normal business hours start. To set the printing time for a document, you must be the owner of the document or have the Manage Documents permission for the appropriate printer.
You can administer any printer on a Windows 2000 print server on the intranet by using any computer running a Web browser, regardless of whether the computer is running Windows 2000 or has the correct printer driver installed. Additionally, a Web browser provides a summary page and reports real-time print device status, and you can customize the interface.
When you format a volume with NTFS, the default permission is Full Control, assigned to the Everyone group, so every user has access to the volume until you change it.
The user has both Read permission and Write permission for the folder because NTFS permissions are cumulative.
The user can modify the file because the file inherits the Modify permission from the folder.
When the file is moved from one folder to another folder on the same NTFS volume, the file retains its permissions. When the file is moved to a folder on a different NTFS volume, the file inherits the permissions of the destination folder.
You must be logged on as Administrator to take ownership of the employee's folders and files. Assign the Take Ownership special access permission to another employee to allow that employee to take ownership of the folders and files. Notify the employee to whom you assigned Take Ownership to take ownership of the folders and files.
Check the permissions that are assigned to the user account and to groups in which the user is a member.
Check whether the user account, or a group of which the user is a member, has been denied permission for the file or folder.
Check whether the file or folder has been copied to another folder, or moved to a folder on a different volume. In either case it is a new object that inherits the destination folder's permissions, so the permissions will have changed.
Compress the folders that the Sales department uses to store archive data.
All folders and files in the shared folder.
Full Control, Change, and Read.
The Everyone group is assigned the Full Control permission.
Only the folder, but not necessarily any of the folder's contents. The user would also need NTFS permissions for each file and subfolder in the shared folder to gain access to those files and subfolders.
When you use centralized data folders you can back up data easily.
Put the files that you want to share in a shared folder and keep the default shared folder permission (the Everyone group with the Full Control permission for the shared folder). Assign NTFS permissions to users and groups to control access to all contents in the shared folder or to individual files.
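The following is an added example, not code from the training kit, that works through the two combination rules the answers above rely on: NTFS permissions accumulate across the user's groups, an explicit Deny overrides an Allow, and when a folder is reached through a shared folder the effective rights are the intersection of the share permissions and the NTFS permissions (the "more restrictive" rule). It also encodes the move/copy rule from the NTFS answers. The ACL representation, the right names and the sample users and groups are constructed for illustration; real Windows ACL evaluation walks the ACE list in order, which this model approximates by the default Deny-before-Allow ordering.

```python
"""Effective-access calculator for the share + NTFS permission rules.

Added example, not code from the training kit. ACLs are lists of
(principal, 'allow' | 'deny', permission level) tuples; everything here is
constructed for illustration.
"""

# Named permission levels expanded to the concrete rights they grant.
RIGHTS = {
    "Read":         {"read"},
    "Write":        {"write"},
    "Modify":       {"read", "write", "delete"},
    "Change":       {"read", "write", "delete"},          # share-level name for Modify
    "Full Control": {"read", "write", "delete", "change permissions", "take ownership"},
}


def _resolve(acl, principals):
    """Collapse one ACL into the rights left to a user who is a member of
    every identity in `principals`. Allows accumulate; a deny on any matching
    identity removes the right again."""
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal not in principals:
            continue
        target = allowed if kind == "allow" else denied
        target |= RIGHTS[level]
    return allowed - denied          # deny overrides allow


def effective_rights(user, groups, ntfs_acl, share_acl=None):
    """Rights the user ends up with on the object. Reached through a share,
    the more restrictive set applies, i.e. the intersection; a local logon is
    governed by the NTFS permissions alone."""
    principals = {user, "Everyone", *groups}
    ntfs = _resolve(ntfs_acl, principals)
    if share_acl is None:
        return ntfs
    return ntfs & _resolve(share_acl, principals)


def acl_after_move(file_acl, dest_folder_acl, same_volume):
    """Moving within one NTFS volume keeps the file's own ACL; moving to a
    different volume (like any copy) creates a new file that inherits the
    destination folder's permissions."""
    return file_acl if same_volume else dest_folder_acl


# --- Constructed sample reproducing the review scenarios above --------------
DATA_SHARE = [("Everyone", "allow", "Full Control")]          # default share ACL
SALES_NTFS = [("Sales", "allow", "Read")]
USERS_SHARE = [("Everyone", "allow", "Full Control")]
USER1_NTFS = [("User1", "allow", "Full Control")]
USER2_NTFS = [("User2", "allow", "Full Control")]
# Extra case, not in the kit: a Temps group that is explicitly denied writing.
TEMPS_NTFS = [("Domain Users", "allow", "Modify"), ("Temps", "deny", "Write")]


def demo():
    return {
        "sales_via_share":    effective_rights("Bob", {"Sales"}, SALES_NTFS, DATA_SHARE),
        "user1_own_folder":   effective_rights("User1", set(), USER1_NTFS, USERS_SHARE),
        "user1_on_user2":     effective_rights("User1", set(), USER2_NTFS, USERS_SHARE),
        "temp_local":         effective_rights("Ann", {"Domain Users", "Temps"}, TEMPS_NTFS),
        "moved_same_volume":  acl_after_move(USER1_NTFS, SALES_NTFS, same_volume=True),
        "moved_other_volume": acl_after_move(USER1_NTFS, SALES_NTFS, same_volume=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} -> {sorted(result) if isinstance(result, set) else result}")
```

The Sales case yields only "read" even though the share grants Full Control, and User1 gets nothing on User2's folder because no NTFS entry names User1 or a group User1 belongs to: an empty allow set, not a deny, is what blocks access.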
A user name.
Windows 2000 automatically creates accounts called built-in accounts. Two commonly used built-in accounts are Administrator and Guest. You use the built-in Administrator account to manage the overall computer network (for example, creating and modifying user accounts and groups, and setting account properties on user accounts). You use the built-in Guest account to give occasional users the ability to log on and gain access to resources.
What happens?
Four "Reply from 127.0.0.1" messages should appear.
What happens?
Four "Reply from ip_address" messages should appear.
Which IP address settings will the DHCP Service configure for your computer?
IP address and subnet mask.
There will be a pause while Windows 2000 attempts to locate a DHCP server on the network.
What message appears, and what does it indicate?
DHCP Server Unreachable.
Your computer was not assigned an address from a DHCP server because there wasn't one available.
Setting | Value |
---|---|
IP address | Answer will vary. |
Subnet mask | Answer will vary. |
Default gateway | Answer will vary. |
Is this the same IP address that was assigned to your computer in Exercise 3? Why or why not?
No, the IP address isn't the same as the one assigned in Exercise 3. In this exercise, the Automatic Private IP Addressing feature of Windows 2000 assigned the IP address because a DHCP server wasn't available. In Exercise 3, the DHCP Service assigned an IP address.
Were you successful? Why or why not?
Answers will vary. If you don't have a computer that you can use to test your computer's connectivity, you can't do this exercise.
The default gateway might be missing or incorrect. You specify the default gateway in the Internet Protocol (TCP/IP) Properties dialog box (under Network And Dial-Up Connections in My Network Places). Other possibilities are that the default gateway is offline or that the subnet mask is incorrect.
The settings are whether you want to allow others that use the computer to use the connection (access to the connection) and whether you want to allow other computers to access resources through this port (sharing the connection once it is established).
The callback feature causes the remote server to disconnect and call back the client attempting to access the remote server. By using callback, you can have the bill for the telephone call charged to your telephone number rather than to the telephone number of the user who called in. You can also use callback to increase security by specifying the callback number. Even if an unauthorized user calls in, the system calls back at the number you specified, not the number of the unauthorized user. The security benefit applies only when the administrator fixes the number; if the caller is allowed to set the callback number, callback still shifts the phone charges but does nothing to verify who is calling.
What error do you receive when attempting to restart the computer?
NTLDR is missing. Press Ctrl+Alt+Del to restart.
Windows 2000 drivers and operating system files are digitally signed by Microsoft to ensure the files have not been tampered with. Some applications overwrite existing operating system files as part of their installation process. These replaced files may cause system errors that are difficult to troubleshoot. Device Manager allows you to look at the Driver tab and verify that the digital signer of the installed driver is correct. This can save you many frustrating hours of trying to resolve problems caused by a file that replaced one or more original operating system drivers.
Windows 2000 provides Device Manager, which allows you to verify that the digital signer of the installed driver is correct. Windows 2000 also provides two utilities to verify the digital signatures. The first utility is the File Signature Verification utility (sigverif). Windows 2000 also provides System File Checker (SFC), a command-line utility that you can use to check the digital signature of files.
Use Task Scheduler to schedule the necessary maintenance utilities to run at specific times.
Which console mode would you use to configure the custom console?
User mode, Full Access.
If both her cached offline copy of the file and the network copy of the file are edited, she should rename her version of the file so that both copies will exist on her hard disk and on the network. She can then compare the two and edit her version, adding any edits made by her boss.
Select the Last Known Good Configuration option to use the LastKnownGood configuration control to start Windows 2000 because it doesn't contain any reference to the new, and possibly faulty, driver.
Which settings did you use for each of the three listed items?
Set Enforce Password History to 5 so that a user must have used at least five different passwords before he or she can reuse a previous one.
Set Minimum Password Age to one day so that a user must wait 24 hours before he or she can change it again.
Set Maximum Password Age to 21 days so that a user must change his/her password every three weeks.
Were you successful? Why or why not?
You were successful because the minimum password length is set to 6, and the password "waters" contains six characters.
Were you successful? Why or why not?
You weren't successful because you must wait 24 hours (one day) before you can change your password a second time. A Change Password dialog box appeared indicating that you can't change the password at this time.
Which Account Lockout Policy settings did you use for each of the two conditions?
Set Account Lockout Threshold to 4 to lock out a user account after four failed logon attempts. When you set one of the three Account Lockout Policy options and the other two options have not been set, a dialog box appears indicating that the other two options will be set to default values.
Set Account Lockout Duration to 0 to have locked accounts remain locked until the administrator unlocks them.
What happens?
A Notepad dialog box appears indicating that Access Is Denied.
Use groups to simplify administration by granting rights and assigning permissions once to the group rather than multiple times to each individual member.
Start the Computer Management snap-in and expand Local Users And Groups. Right-click Groups, and then click New Group. Fill in the appropriate fields and then click Create.
When you delete a group, the unique identifier that the system uses to represent the group is lost. Even if you create a second group with the same name, the group will not have the same identifier, so you must grant the group any permissions or rights that it once had, and you must reassign membership to users who need to be a member of that group.
You create local groups and assign the appropriate permissions to them. You can customize local groups to meet your specific needs.
Windows 2000 Professional comes with precreated built-in local groups. You can't create built-in local groups. Built-in local groups give rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources.
Set the audit policy for object access and configure the file for the type of access to audit.
By default, only members of the Administrators group can set up and administer auditing. You can also give other users the Manage Auditing and Security log user right, which is required to configure an audit policy and review audit logs.
Forcing users to change passwords regularly decreases the chances of an unauthorized person breaking into your computer. If a user account and password combination for your computer falls into unauthorized hands, regular changes limit how long the stolen combination stays valid, providing more security to the computer.
Longer passwords are more difficult to figure out because there are more possible combinations to try. In general, you want to do what you can to make it difficult to get unauthorized access to your computers.
If a user forgets his or her password, he or she can ask the administrator to reset the password. If someone repeatedly enters an incorrect password, the person is probably trying to gain unauthorized access to your computer. Setting a limit on the number of failed logon attempts and locking out any user account that exceeds this number makes it more difficult for someone to gain unauthorized access to your computers.
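The following is an added example, not code from the training kit, that models the Account Policies and Account Lockout Policy settings chosen in the exercises above: minimum length 6, history 5, minimum age one day, maximum age 21 days, lockout threshold 4 and lockout duration 0 (locked until an administrator unlocks). The class and function names, the day/minute clock and the sample logon sequence are constructed for illustration; the point is to see how each setting refuses a change or a logon.

```python
"""Model of the password and lockout settings discussed above.

Added example, not code from the training kit; the policy model, the
simulated clock (days for password age, minutes for lockout) and the
sample attempts are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    min_length: int = 6
    history: int = 5                   # remembered passwords, counting the current one
    min_age_days: float = 1            # wait this long before changing again
    max_age_days: float = 21           # must change after this
    lockout_threshold: int = 4         # bad attempts that trigger a lockout (0 = never)
    lockout_duration_min: float = 0    # 0 = locked until an administrator unlocks
    reset_after_min: float = 30        # bad attempts older than this stop counting


@dataclass
class Account:
    password: str
    changed_on_day: float = -10.0
    old_passwords: List[str] = field(default_factory=list)   # oldest first
    bad_count: int = 0
    window_start: Optional[float] = None   # minute of the first bad attempt in the window
    locked_at: Optional[float] = None      # minute the lockout began


def change_password(p: Policy, acct: Account, new: str, day: float) -> str:
    """Apply the length, history and minimum-age settings; returns 'ok' or why not."""
    if len(new) < p.min_length:
        return "too short"
    remembered = ([acct.password] + acct.old_passwords[::-1])[:p.history]
    if new in remembered:
        return "recently used"
    if day - acct.changed_on_day < p.min_age_days:
        return "minimum age not reached"
    acct.old_passwords.append(acct.password)
    acct.password, acct.changed_on_day = new, day
    return "ok"


def password_expired(p: Policy, acct: Account, day: float) -> bool:
    return day - acct.changed_on_day > p.max_age_days


def logon(p: Policy, acct: Account, password: str, now_min: float) -> str:
    """Returns 'ok', 'bad password' or 'locked out' for an attempt at minute now_min."""
    if acct.locked_at is not None:
        if p.lockout_duration_min == 0 or now_min - acct.locked_at < p.lockout_duration_min:
            return "locked out"
        acct.locked_at = None                       # lockout has aged out
    if acct.window_start is not None and now_min - acct.window_start >= p.reset_after_min:
        acct.bad_count, acct.window_start = 0, None  # old failures no longer count
    if password == acct.password:
        acct.bad_count, acct.window_start = 0, None
        return "ok"
    if acct.window_start is None:
        acct.window_start = now_min
    acct.bad_count += 1
    if p.lockout_threshold and acct.bad_count >= p.lockout_threshold:
        acct.locked_at = now_min                     # the 4th failure locks the account
        return "locked out"
    return "bad password"


def admin_unlock(acct: Account) -> None:
    acct.locked_at, acct.bad_count, acct.window_start = None, 0, None


def demo():
    p = Policy()
    acct = Account(password="initial")
    changes = [
        change_password(p, acct, "waters", day=0),    # six characters: accepted
        change_password(p, acct, "seven77", day=0),   # same day: minimum age blocks it
        change_password(p, acct, "initial", day=1),   # still in the history of 5
        change_password(p, acct, "abc", day=1),       # below the minimum length
    ]
    attempts = ["x", "x", "x", "x", "waters"]         # four bad guesses, then the right one
    logons = [logon(p, acct, pw, now_min=i) for i, pw in enumerate(attempts)]
    admin_unlock(acct)                                # duration 0: only this clears it
    logons.append(logon(p, acct, "waters", now_min=5))
    return {"changes": changes, "expired_day22": password_expired(p, acct, 22), "logons": logons}


if __name__ == "__main__":
    print(demo())
```

Note that the correct password on the fifth attempt is still refused: once the threshold is reached the account stays locked regardless of what is typed, which is exactly why a threshold with a duration of 0 needs an administrator who can be reached.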
To increase security on your computers, you can force users to press Ctrl+Alt+Del before they can log on. This key combination is the secure attention sequence: it is intercepted by Windows itself and always brings up the genuine Windows logon screen, so a user-mode program cannot catch it. It ensures that only Windows is receiving the password and not a Trojan horse program displaying a fake logon dialog box and waiting to capture your password.
To prevent the last user name from being displayed in the Windows Security or Log On To Windows dialog box, click the Local Policies node in the console tree of the Local Security Settings window, and then click Security Options. In the details pane, right-click Do Not Display Last User Name In Logon Screen, click Security, and then enable this feature.
$OEM$
The UDF file allows each automated setup to be customized with the unique settings contained in the file. To start an unattended setup, the UniqueID contained in the UDF file is specified on the command line. During setup the unique data in the UDF file is merged into the answer file.
The best choice is FAT. Although both Windows 2000 and Windows NT support NTFS, Windows 2000 supports advanced features provided by NTFS 5.0. For example, file encryption is supported in NTFS 5.0, but previous versions of NTFS did not support file encryption. Therefore, when Windows NT is running on a dual-boot computer, it will not be able to read encrypted files created in Windows 2000.
Per Seat licensing is the best choice for this environment. A Per Seat license is more expensive per client computer than Per Server licensing but becomes much less expensive when many client computers access several servers. If Per Server licensing is used in this environment, each server must be individually licensed for client computer access.
You need the DNS domain name of the domain that you are joining. You must also make sure that a computer account for the member server exists in the domain or you must have the user name and password of a user account in the domain with the authority to create computer accounts in the domain. A server running the DNS service and a domain controller in the domain you are joining must be available on the network. If dynamic IP addressing is configured during setup, a server supporting DHCP must be available to assign an address to the computer.
Locate the path to the shared installation files on the distribution server. Create a 671-MB FAT partition on the target computer (2 GB recommended). Create a client disk with a network client so that you can connect from the computer, without an operating system, to the distribution server.
b and e
Answer a is wrong because Windows NT Workstation (3.5x or 4.0) cannot be upgraded to Windows 2000 Server.
Answer c is wrong because Windows NT 3.5 cannot be directly upgraded to Windows 2000 Server.
Answer d is wrong because the Windows 2000 Setup process automatically upgrades NTFS to NTFS version 5.0.
Answer 1: Disk quotas in NTFS version 5.0 allow you to control per-user disk space usage by disk.
Answer 2: Disk compression allows you to compress data at the disk, directory, or file level. Disk compression does not affect a user's allocated quota. Quotas are calculated based on the uncompressed file size.
Answer 3: Remote Storage Services provides an extension to disk space by making removable media accessible for file storage. Infrequently used data is automatically archived to removable media. Archived data is still easily accessible to the user; however, data retrieval is slower than with unarchived data.
The Winnt32.exe /tempdrive: switch and the Winnt.exe /t: switch copy the Windows 2000 Server installation files to the drive specified with the switch. For example, Winnt32.exe /tempdrive:d copies all Windows 2000 installation files to the D: partition. Using this switch also tells Setup which partition should be the boot partition for the installation of Windows 2000 Server.
What are the steps for your installation strategy?
For the 30 computers that need to be upgraded, build an answer file and a distribution share using Setup Manager. Further customize the answer file with a text editor. Use a product such as SMS to automate the distribution of operating system upgrades. If SMS is not available, run winnt32 with the /unattend switch and the other switches described in Lesson 1 that are designed to automate the installation process.
For the 20 identical computers, set up one computer with the operating system and all applications that you need to replicate on all other computers. Copy sysprep.exe, sysprepcl.exe, and sysprep.inf (answer file format) into the $OEM$\$1\Sysprep folder. Make sure the [GuiRunOnce] section of the answer file calls sysprep.exe with the -quiet switch to continue the setup without any user interaction. Create an image with a third-party image utility, and copy this image to each of the 20 identical computers. Upon reboot, Mini-Setup will run using information in sysprep.inf to complete the setup.
For the remote sites, use /Syspart to prepare the disks for the second half of the installation. Ship the disks to the remote sites and instruct the local administrators to install them in their servers as the bootable drive, usually by setting the SCSI ID to 0 or 7, depending on the SCSI hardware.
You can also use the bootable CD-ROM method. If you use this method, include a floppy disk containing the winnt.sif file to automate Setup.
The $oem$ folder contains the optional cmdlines.txt file and subfolders for original equipment manufacturer (OEM) files and other files needed to complete or customize automated installation. Folders below $oem$ hold all files that are not part of a standard installation of Windows 2000 Server. These folders map to specific partitions and directories on the computer running an unattended installation. The folders below $oem$ and their purposes are as follows:
Folder | Purpose |
---|---|
$$ | Copies files from this distribution folder location to $windir$ or $systemroot$. For a standard installation of Windows 2000 Server, these variables map to C:\Winnt. There are other folders below this one too, such as Help for OEM help files and System32 for files that must be copied to the System32 directory. |
$1 | Copies files from this distribution folder location to the root of the system drive. This location is equivalent to the %systemdrive% variable. In a typical installation of Windows 2000 Server, this variable maps to the C:\ root. The $1 folder contains a drivers folder for third-party driver installation. |
Drive letter | Folders named after a specific drive letter map to the drive letter on the local computer. For example, if you need to copy files to the E: drive during setup, create an E folder and place files or folders in this folder. |
Textmode | Contains any special HALs or mass storage device drivers required for installing and running Windows 2000 Server. |
Cmdlines.txt runs commands before a user is logged on and in the context of the system account. Any command line or installation that can occur without a user logon can complete using Cmdlines.txt. [GuiRunOnce], a section in the answer file, runs in the context of a user account and after the user logs on for the first time. This is an ideal place to run user specific scripts, such as scripts that add printers or scripts that automatically configure a user's e-mail configuration.
Syspart is a switch of Winnt32.exe. This switch completes the Pre-Copy phase of Windows 2000 Server Setup. After it is complete, the disk used for the Pre-Copy phase can be installed in another computer. Upon booting from this disk, the Text-mode phase of setup continues. Syspart is ideal for dissimilar systems that require a faster setup procedure than is provided by running Windows 2000 Setup manually. Syspart can be further automated by calling an answer file as well as Syspart from the Winnt32 command line.
Sysprep prepares a computer for imaging. After the operating system and applications are installed on a computer, Sysprep is run to prepare it for imaging. Next, an imaging utility is used to create an image of the prepared disk. The image is downloaded to identical or nearly identical computers, and Sysprep Mini-Setup continues to complete the installation. The Mini-Setup process can be further automated with a Sysprep.inf file.
The default response rule enables negotiation with computers requesting IPSec. A default response rule is added to each new policy you create, but it is not automatically activated. A default response rule can be used for any computer that does not require security, but must be able to appropriately respond when another computer requests secured communications. It can also be used as a template for defining custom rules.
A subnet mask is a 32-bit value whose one bits mark the network ID portion of an IP address and whose zero bits mark the host ID portion. IP ANDs an address with the mask to extract the network ID, which is how it decides whether a destination is on the local network or must be sent to a router.
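The following is an added example, not code from the training kit, that carries the mask definition through to the default-gateway troubleshooting answer earlier on the page and to the Automatic Private IP Addressing result from the TCP/IP exercises: it splits an address into network ID and host ID, tests whether a gateway lies on the local network, and recognises a 169.254.x.x APIPA address. The addresses and the diagnosis strings are constructed for illustration; it uses only the standard ipaddress module.

```python
"""Network ID / host ID split and a gateway sanity check.

Added example, not code from the training kit; sample addresses are constructed.
"""
import ipaddress


def split_address(ip: str, mask: str):
    """Return (network_id, host_id) as dotted strings: AND with the mask keeps
    the network bits, AND with the inverted mask keeps the host bits."""
    ip_i = int(ipaddress.IPv4Address(ip))
    mask_i = int(ipaddress.IPv4Address(mask))
    network = ipaddress.IPv4Address(ip_i & mask_i)
    host = ipaddress.IPv4Address(ip_i & (~mask_i & 0xFFFFFFFF))
    return str(network), str(host)


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts are local to each other when the mask yields the same network ID."""
    return split_address(a, mask)[0] == split_address(b, mask)[0]


def is_apipa(ip: str) -> bool:
    """169.254.0.0/16 is the range Automatic Private IP Addressing assigns when
    no DHCP server answers; such a host can reach only other link-local hosts."""
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network("169.254.0.0/16")


def diagnose(ip: str, mask: str, gateway: str) -> str:
    """Mirror the troubleshooting answer for 'can reach local hosts, cannot
    reach remote ones': report the configuration fault that explains it."""
    if is_apipa(ip):
        return "APIPA address: no DHCP lease, only the local 169.254.0.0/16 link is reachable"
    if not gateway:
        return "default gateway missing"
    if not same_subnet(ip, gateway, mask):
        return "default gateway not on local subnet: gateway or subnet mask is wrong"
    return "configuration consistent; check that the gateway is online"


if __name__ == "__main__":
    print(split_address("192.168.10.37", "255.255.255.0"))
    print(diagnose("192.168.10.37", "255.255.255.0", "192.168.20.1"))
    print(diagnose("169.254.31.7", "255.255.0.0", ""))
```

The second diagnosis is the interesting one: 192.168.20.1 is a perfectly good router address, but with a /24 mask the host computes a different network ID for it and will never ARP for it, so every off-subnet packet is dropped locally. Widening the mask to 255.255.0.0 makes the same gateway acceptable, which is why a wrong mask and a wrong gateway produce identical symptoms.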
An OSPF internetwork always has at least one area called the backbone, whether or not it is subdivided into areas.
The Windows 2000 NWLink Auto Detect feature detects the frame type and network number that are configured on NetWare server(s) on the same network. NWLink Auto Detect is the recommended option for configuring both the network number and the frame type. If the Auto Detect feature selects an inappropriate frame type and network number for a particular adapter, you can manually reset an NWLink frame type or network number for that given adapter.
IPsec is defined by the Internet Engineering Task Force (IETF) IP Security working group.
Secret key cryptography uses a single preshared key. Public key cryptography uses a key pair, one for encrypting data and verifying digital signatures and the second for decrypting data and creating digital signatures.
ISAKMP/Oakley establishes a secure channel between two computers for communication and establishes an SA.
Rules are comprised of IP filters, negotiation policies, authentication methods, IP tunneling attributes, and adapter types.
IP filters are used to check datagrams for a match against each filter specification. This allows for filtering based on the source and destination address, DNS name, protocol, or protocol ports.
System Monitor is used to monitor anything from hardware to software, and can also monitor security events such as Errors Access Permissions, Errors Granted Access, Errors Logon, and IIS Security. Network Monitor focuses exclusively on network activity to allow you to understand the traffic and behavior of your network components. If you install the full version available from Systems Management Server, you can capture and view every packet on the network.
Although you can use Event Viewer to gather information about hardware and software problems, it can also be used to monitor Windows 2000 security events such as valid and invalid logon attempts. The security log can also contain events related to resource use, such as creating, opening, or deleting files or other objects.
You can enable event logging in the Event Logging tab on the properties of a remote access server in Routing and Remote Access.
A primary name server has zone information in locally maintained zone files. A secondary name server must download the zone information; it does not maintain a local file. A master name server is the source of the downloads for a secondary name server (and can itself be either a primary or a secondary name server).
A domain is a branch of the DNS name space. A zone is a portion of a domain. A zone exists as a separate file on the disk storing resource records.
In a recursive query, the client instructs the DNS server to respond with either the requested information or an error that the information was not found.
In an iterative query, the DNS server responds with the best answer it has. If the information is not available, the typical answer is a referral to another name server that can help resolve the request.
Database file, cache file, and reverse lookup file.
The boot file is used in the Berkeley Internet Name Daemon implementation to start up and configure the DNS server.
A single DNS server can be configured to host zero, one, or multiple zones.
Dynamic update enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address.
The benefit provided by caching-only servers is that they do not generate zone transfer network traffic because they do not contain any zones. A disadvantage of a caching-only server is that when the server is initially started, it has no cached information and must build up this information over time as it services requests.
Dynamic Host Configuration Protocol is a TCP/IP service protocol that simplifies the administrative management of IP address configuration by automating address configuration for network clients.
A DHCP server can enable dynamic updates in the DNS name space for any DHCP clients that support these updates. Scope clients can then use DNS with dynamic updates to update their computer name-to-IP address mapping information whenever changes occur to their DHCP-assigned address.
The term client is used to describe a networked computer that requests and uses the DHCP services offered by a DHCP server.
IP Autoconfiguration is the ability of Windows 2000-based clients to automatically configure an IP address and subnet mask if a DHCP server is unavailable at system start time.
Many networks use WINS or DNS (or possibly both) for registering dynamic name-to-address mappings. To provide name resolution services, you must plan for interoperability of DHCP with these services. Most network administrators implementing DHCP also plan a strategy for implementing DNS and WINS servers.
The primary tool that you use to manage DHCP servers is DHCP Manager, which is a Microsoft Management Console (MMC) component that is added to the Administrative Tools menu when you install the DHCP service.
Most DHCP-related problems are identified as a client IP configuration failure. These failures are most often discovered by clients in one of the following ways:
The server leases the client an address but the client appears to have other network configuration-based problems, such as the inability to register or resolve DNS or NetBIOS names, or to perceive other computers beyond its subnet.
A VPN is a simulated point-to-point connection using encapsulation. This connection can span any underlying network, including the Internet. Security or some form of encryption is usually required to get the "private" part of the definition.
Source and destination IP address, IP protocol identifier, source and destination ports, ICMP type, and ICMP code.
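The fields listed above (and in the earlier answer on IP filters) are what a Windows 2000 IPSec rule checks a datagram against. The model below is an added example, not code from the training kit: each rule pairs a filter list with a filter action, a `None` field means "any", and the Mirrored flag also matches the reply direction. The policy, addresses and datagrams are constructed, and the tie-breaking (most specific filter wins, earlier rule on ties) is this model's assumption.

```python
"""Model of IPSec rule matching for Windows 2000-style IP filter lists
(added example; filters, addresses and datagrams are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    protocol: int                     # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class FilterSpec:
    """One filter specification; None in any field means 'any'."""
    src_net: Optional[str] = None     # single address or CIDR block
    dst_net: Optional[str] = None
    protocol: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    mirrored: bool = True             # also match the opposite direction

    def specificity(self) -> int:
        """Number of fields pinned to a concrete value."""
        return sum(f is not None for f in (self.src_net, self.dst_net, self.protocol,
                                           self.src_port, self.dst_port,
                                           self.icmp_type, self.icmp_code))

    def _one_way(self, d: Datagram, reverse: bool) -> bool:
        src, dst = (d.dst, d.src) if reverse else (d.src, d.dst)
        sport, dport = (d.dst_port, d.src_port) if reverse else (d.src_port, d.dst_port)
        return all([
            self.src_net is None
            or ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net, strict=False),
            self.dst_net is None
            or ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net, strict=False),
            self.protocol is None or self.protocol == d.protocol,
            self.src_port is None or self.src_port == sport,
            self.dst_port is None or self.dst_port == dport,
            self.icmp_type is None or self.icmp_type == d.icmp_type,
            self.icmp_code is None or self.icmp_code == d.icmp_code,
        ])

    def matches(self, d: Datagram) -> bool:
        return self._one_way(d, False) or (self.mirrored and self._one_way(d, True))


@dataclass(frozen=True)
class Rule:
    name: str
    filters: List[FilterSpec]
    action: str                       # "Permit", "Block" or "Negotiate Security"


def decide(rules: List[Rule], d: Datagram) -> str:
    """Filter action for a datagram: the most specific matching filter wins,
    earlier rules win ties, and an unmatched datagram passes unprotected
    (the model's assumption, not a statement about the IPSec driver)."""
    best = None
    for rule in rules:
        for spec in rule.filters:
            if spec.matches(d) and (best is None or spec.specificity() > best[0]):
                best = (spec.specificity(), rule.action)
    return best[1] if best else "Permit"


# Constructed policy: secure all traffic with the file server 10.0.0.5, block
# inbound telnet (TCP/23) to the private network, and let ICMP echo through.
POLICY = [
    Rule("Secure file server", [FilterSpec(dst_net="10.0.0.5")], "Negotiate Security"),
    Rule("Block telnet",
         [FilterSpec(dst_net="10.0.0.0/8", protocol=6, dst_port=23, mirrored=False)],
         "Block"),
    Rule("Allow ping", [FilterSpec(protocol=1, icmp_type=8, icmp_code=0)], "Permit"),
]

if __name__ == "__main__":
    for d in (Datagram("10.0.0.7", "10.0.0.5", 6, 1234, 445),   # SMB to file server
              Datagram("10.0.0.5", "10.0.0.7", 6, 445, 1234),   # its mirrored reply
              Datagram("10.0.0.7", "10.0.0.5", 6, 40000, 23)):  # telnet to file server
        print(d, "->", decide(POLICY, d))
```

A telnet session to the file server is blocked rather than negotiated because the three-field telnet filter is more specific than the one-field file-server filter.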
False. In the user interface it appears that RAP is not used. In actuality, the dial-in user settings work in conjunction with RAP.
False. Routing and Remote Access clients do not use DHCP to get an address, but may use DHCPINFORM packets to get other configuration options. The DHCP relay agent must be installed and using the "internal" interface for this to work.
To bring up or drop modem or ISDN links as needed for bandwidth on demand.
It could be possible for competitors to gain access to proprietary product information, or unauthorized users could attempt to maliciously modify Web pages or overload computers so that they are unusable.
Authentication is the process of identifying users who attempt to connect to a network. When users are authenticated on your network, they can utilize network resources based on their access permissions. To provide authentication to network users, you establish user accounts.
To secure your organization's network for access to and from the Internet, you can put a firewall between the two networks. The firewall provides connectivity for network users to the Internet while minimizing the risks that connectivity introduces. It also prevents access to computers on your network from the Internet, except for those computers authorized to have such access.
Microsoft Point-to-Point Encryption (MPPE) and Internet Protocol Security (IPSec).
Manual and automatic with DHCP.
Only one is required. It is recommended to have multiple servers for redundancy.
NetBIOS unique and group names.
NAT allows computers on a small network, such as a home office, to share a single Internet connection.
The translation component is the router on which NAT is enabled. The addressing component provides IP address configuration information to the other computers on the home network. The name resolution component becomes the DNS server for the other computers on the home network. When name resolution requests are received by the NAT computer, it forwards the name resolution requests to the Internet-based DNS server for which it is configured and returns the responses to the home network computer.
The NAT maps (using static or dynamic mappings) all private IP addresses being used on network 10.0.0.0 to the public IP address of 198.200.200.1.
You must configure a static IP address configuration on the resource server including IP address, subnet mask, default gateway, and DNS server. You should exclude the IP address being used by the resource computer from the range of IP addresses being allocated by the NAT computer. Next, you configure a special port, which is a static mapping of a public address and port number to a private address and port number.
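The translation and addressing components described in the two answers above, as an added example that is not code from the training kit. It uses the page's public address 198.200.200.1 and private network 10.0.0.0 (a /24 mask, the lease pool, the special port and the 203.0.113.10 Internet host are constructed assumptions).

```python
"""Model of the Windows 2000 NAT translation and addressing components
(added example; addresses, ports and the lease pool are constructed)."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]            # (IP address, port)
Packet = Tuple[Endpoint, Endpoint]    # (source, destination)


class Nat:
    def __init__(self, public_ip: str, private_net: str,
                 pool_start: int = 2, pool_size: int = 50) -> None:
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        # Translation component: dynamic mappings built from outbound traffic.
        self.out: Dict[Endpoint, int] = {}       # private endpoint -> public port
        self.back: Dict[int, Endpoint] = {}      # public port -> private endpoint
        self.next_port = 10000
        # Special ports: static public port -> private endpoint mappings.
        self.special: Dict[int, Endpoint] = {}
        # Addressing component: a lease pool minus excluded static addresses.
        self.pool: List[str] = [str(self.private_net[i])
                                for i in range(pool_start, pool_start + pool_size)]
        self.excluded: Set[str] = set()
        self.leased: Set[str] = set()

    def exclude(self, addr: str) -> None:
        """Keep a statically configured resource server out of the lease pool."""
        self.excluded.add(addr)

    def lease(self) -> Optional[str]:
        """Hand the next free private address to a home-network client."""
        for addr in self.pool:
            if addr not in self.excluded and addr not in self.leased:
                self.leased.add(addr)
                return addr
        return None

    def add_special_port(self, public_port: int, private: Endpoint) -> None:
        self.special[public_port] = private

    def outbound(self, src: Endpoint, dst: Endpoint) -> Packet:
        """Rewrite a packet leaving the private network to the public address."""
        if ipaddress.ip_address(src[0]) not in self.private_net:
            raise ValueError("source is not on the private network")
        if src not in self.out:                  # first packet: create a dynamic mapping
            port, self.next_port = self.next_port, self.next_port + 1
            self.out[src] = port
            self.back[port] = src
        return (self.public_ip, self.out[src]), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Packet]:
        """Rewrite a packet arriving from the Internet; None means it is dropped."""
        if dst[0] != self.public_ip:
            return None
        if dst[1] in self.special:               # published resource server
            return src, self.special[dst[1]]
        if dst[1] in self.back:                  # reply to an existing dynamic mapping
            return src, self.back[dst[1]]
        return None                              # unsolicited traffic has no mapping


def build_home_office() -> Nat:
    """Constructed setup: public 198.200.200.1, private 10.0.0.0/24, a Web server
    on the static address 10.0.0.5 published through special port 80."""
    nat = Nat("198.200.200.1", "10.0.0.0/24")
    nat.exclude("10.0.0.5")
    nat.add_special_port(80, ("10.0.0.5", 80))
    return nat


if __name__ == "__main__":
    nat = build_home_office()
    client = nat.lease()
    print("client leased", client)
    print("outbound", nat.outbound((client, 3000), ("203.0.113.10", 80)))
    print("reply", nat.inbound(("203.0.113.10", 80), ("198.200.200.1", 10000)))
    print("to web server", nat.inbound(("203.0.113.10", 4444), ("198.200.200.1", 80)))
    print("unsolicited", nat.inbound(("203.0.113.10", 4444), ("198.200.200.1", 443)))
```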
A certificate (digital certificate, public-key certificate) is a digital document that attests to the binding of a public key to an entity. The main purpose of a certificate is to generate confidence that the public key contained in the certificate actually belongs to the entity named in the certificate.
Certificates are issued by a CA, which can be any trusted service or entity willing to vouch for the identities of those to whom it issues certificates, and the association of those identities with specific keys.
Enterprise root CA, enterprise subordinate CA, standalone root CA, and standalone subordinate CA.
MY, CA, TRUST, ROOT, and UserDS.
The schema contains a formal definition of the contents and structure of Active Directory, including all attributes, classes, and class properties.
An OU is a container used to organize objects within a domain into logical administrative groups that mirror your organization's functional or business structure. An OU can contain objects such as user accounts, contacts, groups, computers, printers, applications, file shares, and other OUs from the same domain.
A site is a combination of one or more IP subnets that should be connected by a high-speed link. A domain is a logical grouping of servers and other network resources organized under a single name. A site is a component of Active Directory's physical structure, whereas a domain is a component of the logical structure.
An implicit two-way transitive trust is a trust between domains that are part of the Windows 2000 scalable namespace, for example, between parent and child domains within a tree and between the top-level domains in a forest. These trust relationships make all objects in all the domains of the tree available to all other domains in the tree.
An explicit one-way nontransitive trust is a relationship between domains that are not part of the same tree. One-way trusts support connections to existing pre-Windows 2000 domains to allow the configuration of trust relationships with domains in other trees.
The Active Directory Domains and Trusts console manages the trust relationships between domains. The Active Directory Sites and Services console creates sites to manage the replication of Active Directory information. The Active Directory Users and Computers console manages users, computers, security groups, and other objects in Active Directory.
You would use an extension when specific snap-ins need additional functionality. Extensions are snap-ins that provide additional administrative functionality to another snap-in. A standalone snap-in provides one function or a related set of functions.
What is the one Sysvol location requirement?
Sysvol must be located on a Windows 2000 partition that is formatted as NTFS 5.0.
What is the function of Sysvol?
Sysvol is a system volume hosted on all Windows 2000 domain controllers. It stores scripts and part of the group policy objects for both the current domain and the enterprise. systemroot\SYSVOL\SYSVOL stores domain public files.
The My Network Places window appears.
What selections do you see?
Add Network Place and Entire Network.
What do you see?
Your domain set up in the previous exercise, microsoft.com. Answer may vary depending on your domain name.
What selections are listed under microsoft.com?
Builtin, Computers, Domain Controllers, and Users.
The OUs appear as folders with a directory book icon under the domain. Plain folders are specialized containers.
What are the default OUs in your domain?
Domain Controllers. The Builtin, Computers, and Users folders are container objects.
What objects appear in the details pane?
Default-First-Site-Name (the default site created by the Active Directory Installation Wizard), the Inter-Site Transports container, and the Subnets container.
What object appears in the details pane?
DEFAULTIPSITELINK, the default site link created by the Active Directory Installation Wizard.
Some reasons for creating more than one domain are to allow for decentralized network administration, control replication, allow for different password requirements between organizations, manage massive numbers of objects, allow for different Internet domain names, allow for international requirements, and to meet internal political requirements.
Extending an existing namespace provides consistent tree names for internal and external resources, making it easier for users to locate, refer, and use resources. In addition, this plan allows your company to use the same logon and user account names for internal and external resources. Finally, you do not have to reserve an additional DNS namespace.
Your site configuration affects workstation logon and authentication. When a user logs on, Windows 2000 will try to find a domain controller in the same site as the user's computer to service the user's logon request and subsequent requests for network information.
Your site configuration also affects directory replication. You can configure the schedule and path for replication of a domain's directory differently for intersite replication, as opposed to replication within a site. Generally, you should set replication between sites to be less frequent than replication within a site.
The shared system volume is a folder structure that exists on all Windows 2000 domain controllers. It stores scripts and some of the group policy objects for both the current domain and the enterprise. The default location and name for the shared system volume is systemroot\SYSVOL. The shared system volume must be located on a partition or volume formatted with NTFS 5.0.
Because some changes are impractical to perform in multimaster fashion, one or more domain controllers can be assigned to perform operations that are single-master (not permitted to occur at different places in a network at the same time). Operations master roles are assigned to domain controllers to perform single-master operations.
The Active Directory Users and Computers console is used to create OUs.
You must create a site, associate a subnet with the site, connect the site using site links, and select a licensing computer for the site.
The Active Directory Installation Wizard automatically creates an object named Default-First-Site-Name in the Sites container and an object named DEFAULTIPSITELINK in the IP container.
IP replication protocol.
Create site links, configure site link attributes (such as site link cost, replication frequency, and replication availability), and create site link bridges.
Replication frequency is the duration between replications on a site link. Replication availability is when a site link is available to replicate directory information.
A bridgehead server provides some ranking or criteria for choosing which domain controller should be preferred as the recipient for inter-site replication. The bridgehead server then distributes the directory information via inter-site replication.
Multimaster update and enhanced security are based on the capabilities of Active Directory. Zones are replicated and synchronized to new domain controllers automatically whenever a new zone is added to an Active Directory domain. By integrating storage of your DNS namespace in Active Directory, you simplify planning and administration for both DNS and Active Directory. Directory replication is faster and more efficient than with standard DNS replication.
The SOA resource record identifies which name server is the authoritative source of information for data within this domain. The first record in the zone database file must be the SOA record. The SOA resource record also stores properties such as version information and timings that affect zone renewal or expiration. These properties affect how often transfers of the zone are done between servers authoritative for the zone.
When you delegate zones within a namespace, you must also create SOA resource records to point to the authoritative DNS server for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers being made authoritative for the new zone.
An IXFR query allows the secondary server to pull only those zone changes it needs to synchronize its copy of the zone with its source, either a primary or secondary copy of the zone maintained by another DNS server. An AXFR query provides a full transfer of the entire zone database.
Windows 2000 displays the Find dialog box.
In the Find dialog box, what object type can you select for a search?
Users, Contacts, and Groups; Computers; Printers; Shared Folders; Organizational Units; Custom Search, and Remote Installation Clients (if Remote Installation Services [RIS] is installed).
The list of users and groups in the domain.
Groups that Have Permissions for the Security1 OU
| User Account or Group | Assigned Permissions |
|---|---|
| Account Operators | Advanced permissions |
| Administrators | Inherits the Read, Write, and Create All Child Objects permissions and also has advanced permissions |
| Authenticated Users | Read |
| Domain Admins | Full Control |
| Enterprise Admins | Inherits Full Control |
| Pre-Windows 2000 Compatible Access | Advanced permissions |
| Print Operators | Advanced permissions |
| SYSTEM | Full Control |
How can you tell if any of the default permissions are inherited from the domain, which is the parent object?
The permissions that are assigned to Administrators are inherited from the parent object. The check boxes for inherited permissions are shown as shaded.
The Permission Entry For Security1 dialog box appears.
What object permissions are assigned to Account Operators? What can Account Operators do in this OU? (Hint: Check each permission entry for Account Operators in the Permission Entries box in the Access Control Settings For Security1 dialog box.)
The permissions that are assigned to Account Operators are Create User Objects, Delete User Objects, Create Group Objects, Delete Group Objects, Create Computer Objects, and Delete Computer Objects. Account operators can only create and delete user accounts, groups, and computers.
Do any objects within this OU inherit the permissions assigned to the Account Operators group? Why or why not?
No. Objects within this OU do not inherit these permissions. The Apply To column in the Permission Entries list in the Access Control Settings For Security1 dialog box shows that permissions granted to Account Operators are applied to This Object Only.
Permissions for the Secretary1 User Account
| Group | Assigned Permissions |
|---|---|
| Account Operators | Full Control |
| Administrators | Inherits all permissions, except the Full Control and Delete All Child Objects permissions, and also has advanced permissions |
| Authenticated Users | Read permission for General, Personal, Public, and Web Information |
| Cert Publishers | Advanced |
| Domain Admins | Full Control |
| Enterprise Admins | Inherits Full Control |
| Everyone | Change Password |
| Pre-Windows 2000 Compatible Access | Inherits Read, Read Phone and Mail Options, Read General Information, Read Group Membership, Read Personal, Public, Remote Access, Logon, and Web Information, and Read Account Restrictions |
| RAS and IAS Servers | Read permission for Group Membership, Remote Access Information, Account Restrictions, and Logon Information |
| SELF | Read, Change Password, Receive As, Send As; Read permission for Phone and Mail Options, General Information, Group Membership, Personal Information, Public Information, Remote Access Information, Account Restrictions, Logon Information, and Web Information; Write permission for Phone and Mail Options, Personal Information, and Web Information |
| SYSTEM | Full Control |
Are the standard permissions for a user object the same as those for an OU object? Why or why not?
No. Standard permissions for each type of object are different. The reason for the differences is that different object types are used for different tasks, and therefore the security needs for each object type differ.
Are any of the standard permissions inherited from Security1, the parent object? How can you tell?
Only the standard permissions that are assigned to Administrators, and Enterprise Admins are inherited from the parent object. The check boxes for inherited permissions are shown as shaded.
What do the permissions of the Account Operators group allow its members to do with the user object?
Account Operators have Full Control. A member of the group can make any changes to a user object, including deleting it.
Did Windows 2000 require you to specify the OU in which your user account is located as part of the logon process? Why or why not?
No. Windows 2000 automatically locates the user object in Active Directory, independent of its exact location.
What user objects are visible in the Security1 OU?
The Secretary1 and Assistant1 user accounts, as well as User20, User21, and User22.
Which permissions allow you to see these objects? (Hint: Refer to your answers in Lesson 2.)
The Assistant1 user account automatically belongs to the Authenticated Users built-in group, which has Read permission for the OU.
For the user account with the logon name Secretary1, change the logon hours. Were you successful? Why or why not?
No. The Assistant1 user account does not have Write permission for the Secretary1 object.
For the Assistant1 user account, under which you are currently logged on, change the logon hours. Were you successful? Why or why not?
No. The Assistant1 user account does not have Write permission for the Assistant1 object.
Were you successful? Why or why not?
Yes. The Assistant1 user account has been assigned Full Control permission for all user objects in the OU. This includes the permission to change the logon hours.
Were you successful? Why or why not?
No. The Assistant1 user account has not been assigned any permissions for the Users container.
The global catalog contains a partial replica of the entire directory, so it stores information about every object in a domain tree or forest. Because the global catalog contains information about every object, a user can find information regardless of which domain in the tree or forest contains the data. Active Directory automatically generates the contents of the global catalog from the domains that make up the directory.
Place all of the sales personnel user accounts in an OU, and then delegate control of the OU to the manager of the Sales department.
Permissions assigned directly to the object remain the same. The object also inherits permissions from the new OU. Any permissions previously inherited from the old OU no longer affect the object.
OU or container.
You must indicate that you need to back up System State data. For Windows 2000 Server operating systems, the System State data comprises the registry, COM+ Class Registration database, system boot files, and the Certificate Services database (if the server is a certificate server). If the server is a domain controller, Active Directory and the SYSVOL directory are also contained in the System State data.
When you restart the computer in Directory Services Restore Mode, you must log on as an Administrator by using a valid Security Accounts Manager (SAM) account name and password, not the Active Directory Administrator's name and password. This is because Active Directory is offline, and account verification cannot occur. Rather, the SAM accounts database is used to control access to Active Directory while it is offline. You specified this password when you set up Active Directory.
You should examine the directory service event logs in Event Viewer.
A performance object is a logical collection of performance counters associated with a resource or service that can be monitored. A performance counter is a condition that applies to a performance object.
Counter logs collect performance counter data for a specified interval. Trace logs record data collected by the operating system provider or one or more nonsystem providers when certain activities such as a disk I/O operation or a page fault occur. When counter logs are in use, the Performance Logs and Alerts service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event, as for trace logs.
Alerts can log an entry in the application event log, send a network message to a computer, start a performance data log, or run a program when the alert counter's value exceeds or falls below a specified setting.
The Active Directory Replication Monitor tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication through a graphical interface. The Active Directory Replication Monitor is a graphical tool accessed on the Tools menu within Windows 2000 Support Tools.
Click Start, point to Programs, point to Administrative Tools, and then click Computer Management. In the console tree of Computer Management, expand System Tools, and then expand Shared Folders. In the console tree, click Open Files under Shared Folders.
Create a site, associate a subnet with the site, connect the site using site links, and select a licensing computer for the site.
The Active Directory Installation wizard automatically creates an object named Default-First-Site-Name in the Sites container and an object named DEFAULTIPSITELINK in the IP container.
IP replication protocol.
Create site links, configure site link attributes (such as site link cost, replication frequency, and replication availability), and create site link bridges.
What appears in the details pane?
The policies available for the Start Menu & Task Bar category appear in the details pane.
How can you tell at a glance that this setting is enabled?
The setting is listed as enabled in the details pane.
The Windows Security dialog box appears.
Are you able to lock the workstation? Why?
No, the Lock Computer option is not available. Assistant1 is unable to lock the workstation because the DispatchPolicy GPO was linked to the Security1 OU in Exercise 8.
Does the Search command appear on the Start menu?
No.
Does the Run command appear on the Start menu?
No.
Are you able to lock the workstation? Why?
Yes, the Lock Computer option is available. Assistant1 is able to lock the computer because the Sales group was filtered from the DispatchPolicy GPO scope in Exercise 7.
Group Policy is implemented in the following order: site, domain, and then OU.
The tasks for implementing Group Policy are creating a GPO; creating a snap-in for the GPO; delegating administrative control of the GPO; specifying Group Policy settings for the GPO; disabling unused Group Policy settings; indicating any GPO processing exceptions; filtering the scope of the GPO; and linking the GPO to a site, domain, or OU.
Block Policy Inheritance is applied directly to the site, domain, or OU. It is not applied to GPOs, nor is it applied to GPO links. Thus Block Policy Inheritance deflects all Group Policy settings that reach the site, domain, or OU from above (by way of linkage to parents in the Active Directory hierarchy) no matter what GPOs those settings originate from. GPO links set to No Override are always applied and cannot be blocked using the Block Policy Inheritance option.
Any GPO linked to a site, domain, or OU (not the local GPO) can be set to No Override with respect to that site, domain, or OU so that none of its policy settings can be overwritten. When more than one GPO has been set to No Override, the one highest in the Active Directory hierarchy (or higher in the hierarchy specified by the administrator at each fixed level in Active Directory) takes precedence. No Override is applied to the GPO link.
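The processing order (site, domain, then OU), Block Policy Inheritance and No Override described in the last four answers, as an added example that is not code from the training kit. The site, domain, OU names and GPO settings below are constructed (the Security1 OU and DispatchPolicy GPO names are taken from the exercises on this page).

```python
"""Model of Group Policy precedence: site, domain and OU links are applied in
that order with later settings overriding earlier ones, Block Policy
Inheritance discards ordinary links from above, and No Override links always
win, the highest one taking precedence (added example; containers and GPOs
are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Gpo:
    name: str
    settings: Dict[str, str]          # policy setting -> configured value


@dataclass
class Link:
    gpo: Gpo
    no_override: bool = False         # No Override is a property of the link


@dataclass
class Container:
    """A site, domain or OU with its GPO links in link order."""
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False   # Block Policy Inheritance is set on the container
    parent: Optional["Container"] = None


def effective_policy(target: Container) -> Dict[str, str]:
    """Resolve the settings applied to a user or computer located in `target`."""
    path: List[Container] = []        # site first, target last
    node: Optional[Container] = target
    while node is not None:
        path.insert(0, node)
        node = node.parent
    # The lowest container with Block Policy Inheritance set discards every
    # ordinary link above it; No Override links are never blocked.
    first_kept = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal: List[Gpo] = []
    enforced: List[Gpo] = []          # in hierarchy order, highest first
    for depth, container in enumerate(path):
        for link in container.links:
            if link.no_override:
                enforced.append(link.gpo)
            elif depth >= first_kept:
                normal.append(link.gpo)
    result: Dict[str, str] = {}
    for gpo in normal:                # site, domain, OU: the later GPO wins
        result.update(gpo.settings)
    for gpo in reversed(enforced):    # highest No Override applied last, so it wins
        result.update(gpo.settings)
    return result


def build_example(block: bool) -> Container:
    """Constructed hierarchy: site -> domain -> Security1 OU."""
    site = Container("Default-First-Site-Name",
                     [Link(Gpo("Site Policy", {"Lock Computer": "Allowed"}))])
    domain = Container("microsoft.com", [
        Link(Gpo("Default Domain Policy",
                 {"Minimum password length": "8", "Lock Computer": "Allowed"})),
        Link(Gpo("Corporate Lockdown", {"Remove Run menu": "Enabled"}), no_override=True),
    ], parent=site)
    ou = Container("Security1", [
        Link(Gpo("DispatchPolicy", {"Lock Computer": "Disabled",
                                    "Remove Run menu": "Disabled",
                                    "Remove Search menu": "Enabled"})),
    ], block_inheritance=block, parent=domain)
    return ou


if __name__ == "__main__":
    print("inheriting:", effective_policy(build_example(block=False)))
    print("blocked:   ", effective_policy(build_example(block=True)))
```

With inheritance blocked the domain's password setting no longer reaches Security1, but the No Override link still forces Remove Run menu to Enabled over DispatchPolicy's Disabled.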
You assign a software application when you want everyone to have the application on his or her computer. An application can be published to both computers and users.
You publish a software application when you want the application to be available to people managed by the GPO, should the person want the application. With published applications it is up to each person to decide whether or not to install the published application. An application can only be published to users.
Application Data, Desktop, My Documents, My Pictures, and Start Menu.
Remote Installation Services (RIS) are software services that allow an administrator to set up new client computers remotely without having to visit each client. The target clients must support remote booting. There are two types of remote boot-enabled client computers: computers with Pre-Boot eXecution Environment (PXE) Dynamic Host Configuration Protocol (DHCP)-based remote boot ROMs, and computers with network cards supported by the RIS Boot Disk.
Pre-Boot eXecution Environment (PXE) is a new form of remote boot technology that has been created within the computing industry. PXE provides companies with the ability to use their existing TCP/IP network infrastructure with DHCP to discover RIS servers on the network. Net PC/PC98-compliant systems can take advantage of the remote boot technology included in the Windows 2000 OS. Net PC/PC98 refers to the annual guide for hardware developers co-authored by Microsoft with Intel, including contributions from Compaq and other industry hardware manufacturers. PC98 is intended to provide standards for hardware development that advance the PC platform and enable Microsoft to include advanced features, like RIS, in the Windows platform.
For computers that do not contain a PXE-based remote boot ROM, Windows 2000 provides the administrator with a tool to create a remote boot disk for use with RIS. The RIS remote boot disk can be used with a variety of PCI-based network adapter cards. Using the RIS boot disk eliminates the need to retrofit existing client computers with new network cards that contain a PXE-based remote boot ROM to take advantage of the Remote OS Installation feature. The RIS boot disk simulates the PXE remote boot sequence and supports frequently used network cards.
The Remote Installation Preparation (RIPrep) image is a clone of a standard corporate desktop configuration, complete with operating system configurations, desktop customizations, and locally installed applications. After first installing and configuring the Windows 2000 Professional OS, its services, and any standard applications on a computer, the network administrator runs a wizard that prepares the installation image and replicates it to an available RIS server on the network for installation on other clients.
Users of a remote boot-enabled client use the Client Installation wizard to select installation options, OSs, and maintenance and troubleshooting tools. The wizard prompts the user for his or her user name, password, and domain name. After the user's credentials have been validated, the wizard displays the installation options that are available for the user. After the user selects an option, the selected OS installation image is copied to the client computer's local hard disk.
Record your decisions to audit successful events, failed events, or both for the actions listed in Table 21.7.
Answers may vary. Possible answers include the following:
Account logon events: Failed (for network access attempts)
Account management: Successful (for administrator actions)
Directory service access: Failed (for unauthorized access)
Logon events: Failed (for network access attempts)
Object access: Successful (for printer use) and Failed (for unauthorized access)
Policy change: Successful (for administrator actions)
Privilege use: Successful (for administrator actions and backup procedures)
Process tracking: Nothing (useful primarily for developers)
System events: Successful and Failed (for attempts to breach the server)
The Auditing Entry For Users dialog box appears.
Review the default audit settings for object access by members of the Everyone group. How do the audited types of access differ from the types of access that are not audited?
All types of access that result in a change of the object are audited; types of access that do not result in a change of the object are not audited.
On which computer or computers does Windows 2000 record log entries for Active Directory access? Will you be able to review them?
Windows 2000 records auditing events for Active Directory access on domain controllers, and the audit policy that governs those events is the one applied to the Domain Controllers organizational unit (OU). Because you configured auditing in the policy for the domain controllers, you will be able to view auditing events for Active Directory access. If you had configured auditing only for the Local Computer or in the Default Domain Policy, you would not see those events, because the Default Domain Controllers Policy GPO defines its own audit settings and those take precedence on domain controllers.
In the details pane, what is indicated in the Policy column? In the Database Setting column? In the Computer Setting column?
The Policy column indicates the policy name for the analysis results. The Database Setting column indicates the security value in your template. The Computer Setting column indicates the current security level in the system.
In the Policy column, what does the red X indicate? What does the green check mark indicate?
A red X indicates that the computer's current setting differs from the setting stored in the database (the template you imported). A green check mark indicates that the computer setting matches the database setting. An entry with neither icon is not defined in the database and was therefore not analyzed.
You set the audit policy on the member server; the audit policy must be set on the computer where the folder is located.
Directory service access tracks whether a user gained access to an Active Directory object. Object access tracks whether a user gained access to a file, folder, or printer.
Successful events appear with a key icon. Unsuccessful events appear with a lock icon.
User rights are different from permissions because user rights apply to user accounts and permissions are attached to objects.
A security template is a physical representation of a security configuration, a single file where a group of security settings is stored. Locating all security settings in one place streamlines security administration.
The Security Configuration and Analysis console uses a database to perform configuration and analysis functions.
Remote Administration mode allows up to two concurrent remote sessions to the computer running Terminal Services, and no Terminal Services client license is necessary for them. In Application Server mode, a Terminal Services client license is required for each client session. The terminal server continues to accept client connections for 90 days without client licenses having been installed on the Terminal Services Licensing server.
Port value will vary but should be between 2000-9999.
The Indexing Service has been started, because the Web browser did not report that it was unable to perform a search. Because the phrase was not found, either you have not configured the Indexing Service to catalog the iisHelp folder or the Indexing Service has not yet finished indexing that folder's contents.
WebDAV security is managed by both the file system and Internet Information Services (IIS). Access could therefore be denied because the physical directory behind the WebDAV virtual directory has an access control list (ACL) that does not grant the browser client access to the folder. If access is allowed at the file system level, verify that Read, Write, and Directory Browsing are enabled on the WebDAV virtual directory. For Active Server Pages (ASP) support, also enable Script source access. Grant only the permissions the clients actually need: Write combined with Script source access lets any authorized WebDAV client modify the scripts the server executes.
NTLM authentication prevents the user's password from being transmitted across the network from the Telnet client to the Telnet server. A user is authenticated in the context of the current logon; if authentication is necessary, NTLM challenge/response authentication protects the logon information. This is an important security feature of the Windows 2000 Telnet server. Note that it protects only the logon exchange: the Telnet session data itself, including every command typed and its output, still travels across the network in clear text.
A mounted drive to an empty folder allows for folder redirection. When you store files in a folder that points to a mounted partition, the files are redirected to the partition. This feature provides limited resource consolidation. A Dfs root provides a central point where disparate resources are consolidated through Dfs links. These links are then presented to the users as a single share containing folders. This feature provides robust resource consolidation.
New Root Replica and Replication Policy are available only for domain Dfs roots; in the practice a stand-alone Dfs root was configured. A new root replica makes it possible to replicate the Dfs root to other servers on the network, which provides fault tolerance and load balancing: if a server hosting the Dfs root fails, users reach the Dfs root through the other replicas, and while all replicating servers are available, user requests are load balanced across them. Replication Policy allows you to configure the settings for replicating the Dfs root and the Dfs shares below it.
The Knowledge Consistency Checker (KCC) creates a ring topology for intra-site replication, that is, replication among the domain controllers within a site. This topology provides a path for Active Directory updates to flow from one domain controller to the next. Because the ring is bidirectional, every domain controller has two replication paths, one on each side of the ring, so replication continues even if the ring is temporarily broken at one point.
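The ring described above, worked through in code. This is an added example written for this page, not code from Windows 2000 or from the training kit: the six domain controller names are constructed, and the functions model only the basic ring, showing the two paths between any pair of domain controllers and what happens when one or two connections are lost.

```python
from collections import deque

# Constructed sample: domain controllers in one site, in ring order.
SITE_DCS = ["DC1", "DC2", "DC3", "DC4", "DC5", "DC6"]


def ring_topology(dcs):
    """Return the bidirectional ring the KCC builds within a site.

    Each connection is an unordered pair, so DC1-DC2 and DC2-DC1 are the
    same link; a ring of n domain controllers has n links."""
    return {frozenset((dcs[i], dcs[(i + 1) % len(dcs)])) for i in range(len(dcs))}


def ring_paths(dcs, src, dst):
    """The two replication paths from src to dst: one per side of the ring."""
    n = len(dcs)
    i, j = dcs.index(src), dcs.index(dst)
    forward = [dcs[(i + k) % n] for k in range((j - i) % n + 1)]
    backward = [dcs[(i - k) % n] for k in range((i - j) % n + 1)]
    return forward, backward


def _neighbours(links):
    adjacency = {}
    for link in links:
        a, b = tuple(link)
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    return adjacency


def hops(links, src, dst):
    """Fewest replication hops from src to dst over the given links,
    or None if an update from src can no longer reach dst."""
    adjacency = _neighbours(links)
    seen = {src: 0}
    queue = deque([src])
    while queue:
        current = queue.popleft()
        if current == dst:
            return seen[current]
        for neighbour in adjacency.get(current, ()):
            if neighbour not in seen:
                seen[neighbour] = seen[current] + 1
                queue.append(neighbour)
    return None


def all_reachable(links, dcs):
    """True if every DC can still receive updates from every other DC."""
    return all(hops(links, dcs[0], dc) is not None for dc in dcs)


if __name__ == "__main__":
    links = ring_topology(SITE_DCS)
    print("paths DC1 -> DC4:", ring_paths(SITE_DCS, "DC1", "DC4"))
    one_break = links - {frozenset(("DC1", "DC2"))}
    print("hops DC1 -> DC2 after losing that link:", hops(one_break, "DC1", "DC2"))
    print("still fully connected:", all_reachable(one_break, SITE_DCS))
    two_breaks = one_break - {frozenset(("DC3", "DC4"))}
    print("fully connected after a second break:", all_reachable(two_breaks, SITE_DCS))
```

A single lost connection only lengthens the route (the update goes the long way round the ring); a second break on the other side isolates part of the ring, which is why the KCC repairs the topology when a domain controller disappears.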
System Volume (SYSVOL) data, and domain Dfs roots and Dfs links that are configured for replication.
You deleted the Boot.ini file. Boot.ini lists the installed operating systems and makes multiboot possible; if the file is missing, the default operating system starts. To recover it, start the Emergency Repair process with the Emergency Repair Disk (ERD), choose Manual Repair, and then choose Inspect Startup Environment.
This option is available only if an installed tape device and its driver supports hardware compression.
You can simulate a power failure by disconnecting the main power supply to the UPS device. During the test, the computer and the peripherals connected to the UPS should remain operational, warning messages should be displayed, and events should continue to be logged.
In addition, you should wait until the UPS battery reaches a low level to verify that a graceful shutdown occurs. Then restore the main power to the UPS device and check the event log to ensure that all actions were logged and there were no errors.
Note that this procedure requires a UPS that communicates with the computer through a serial (COM) port or through a proprietary interface supplied with the UPS.
Filter for Address Pairs, where you specify the media access control (MAC) address of each computer, and for Pattern Matches, where you filter for specific hexadecimal or ASCII patterns contained in the frames.
Using the Security tab of the SNMP Service Properties dialog box, make the following configuration changes:
Private keys are used to create digital signatures. You use your private key to transform data (in practice, a hash of the data) in such a way that anyone holding the corresponding public key can verify that only you could have produced the signature. The public key reverses the transformation and the result is compared with the data; however, only the private key can create the signature.
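To make the two roles concrete, the following added example (not from the training kit, and not the Windows 2000 CryptoAPI) implements textbook RSA signing in Python: the signer transforms a hash of the message with the private exponent, and a verifier undoes the transformation with the public exponent and compares. The hard-coded Mersenne primes, the sample message, and the absence of padding are simplifications chosen for the example; production signatures use much larger random keys with PKCS#1 v1.5 or PSS padding.

```python
import hashlib

# Key material for the demonstration: two Mersenne primes, hard-coded so the
# example is deterministic. Real keys are 2048 bits or more and generated randomly.
P = 2**107 - 1
Q = 2**127 - 1
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e; needs Python 3.8+
    return (n, e), (n, d)


def message_digest(message, n):
    """Hash the message and reduce it below the modulus.
    (Toy step: real schemes apply PKCS#1 v1.5 or PSS padding instead.)"""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Only the holder of the private exponent d can compute this value."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message, signature, public_key):
    """Anyone with the public key can check the signature: applying e undoes
    the private-key transformation, and the result must equal the digest."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


if __name__ == "__main__":
    public_key, private_key = make_keypair()
    message = b"Approve transfer of $100 to account 4711"   # constructed sample
    signature = sign(message, private_key)
    print("genuine message verifies:", verify(message, signature, public_key))
    tampered = b"Approve transfer of $900 to account 4711"
    print("tampered message verifies:", verify(tampered, signature, public_key))
```

Changing a single character of the message changes its hash, so the public-key check fails; a signature also fails to verify under anyone else's public key, which is what ties it to the one private key that produced it.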
Windows NT client computers authenticate to both Windows 2000 and Windows NT servers using NT LAN Manager (NTLM) credentials (Windows NT domain name, user name, and a challenge/response value computed from the password hash, so the password itself is not sent). Windows 2000 client computers authenticate to computers running Windows 2000 Server using Kerberos authentication (domain name, user name, and a ticket exchange in which the password never crosses the network; a key derived from it encrypts the pre-authentication data), and they fall back to NTLM authentication when they authenticate to computers running Windows NT Server.
A template can be imported into a security configuration database created by the Security Configuration and Analysis snap-in. After the database is created, the computer's current settings can be compared with the settings the template dictates. After reviewing the discrepancies between the template and the computer's security settings, you can use the same snap-in to configure the computer's security settings to match the template.
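The import, analyze, and configure cycle described here, and the Policy, Database Setting, and Computer Setting columns asked about earlier, modeled in code. This is an added example, not part of the training kit and not the snap-in's own code: it loads the [Event Audit] section of a security template written in the same .inf format and key names secedit uses, compares it with a constructed set of current computer settings, and reports each policy as a match (the green check mark), a mismatch (the red X), or not defined in the database. The template values are the audit decisions recorded earlier in this chapter; the computer settings and the function names are assumptions made for the example.

```python
import configparser

# Constructed sample: the [Event Audit] section of a security template (.inf),
# written with the key names secedit uses. Values are a bit mask:
# 0 = no auditing, 1 = Success, 2 = Failure, 3 = Success and Failure.
# AuditProcessTracking is deliberately left out to show an undefined entry.
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditAccountLogon = 2
AuditAccountManage = 1
AuditDSAccess = 2
AuditLogonEvents = 2
AuditObjectAccess = 3
AuditPolicyChange = 1
AuditPrivilegeUse = 1
AuditSystemEvents = 3
"""

# Constructed sample: the computer's current settings as the analysis would
# read them (a freshly installed server audits nothing at all).
COMPUTER_SETTINGS = {
    "AuditAccountLogon": 0,
    "AuditAccountManage": 0,
    "AuditDSAccess": 0,
    "AuditLogonEvents": 2,
    "AuditObjectAccess": 0,
    "AuditPolicyChange": 0,
    "AuditPrivilegeUse": 0,
    "AuditProcessTracking": 0,
    "AuditSystemEvents": 3,
}

AUDIT_VALUES = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}


def parse_template(inf_text):
    """Import the template's [Event Audit] section into the 'database'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep the INF key names' case
    parser.read_string(inf_text)
    return {key: int(value) for key, value in parser["Event Audit"].items()}


def analyze(database, computer):
    """Compare every policy the way the details pane does.
    Returns (policy, database setting, computer setting, status) rows."""
    rows = []
    for policy in sorted(set(database) | set(computer)):
        db_value = database.get(policy)
        pc_value = computer.get(policy, 0)
        if db_value is None:
            status = "not defined"    # no icon: not in the database, not analyzed
        elif db_value == pc_value:
            status = "match"          # green check mark
        else:
            status = "mismatch"       # red X
        rows.append((policy, db_value, pc_value, status))
    return rows


def configure(database, computer):
    """Configure Computer Now: apply every database value to the computer,
    leaving policies the database does not define as they are."""
    applied = dict(computer)
    applied.update(database)
    return applied


def print_report(rows):
    print(f"{'Policy':<22}{'Database Setting':<20}{'Computer Setting':<20}Result")
    for policy, db_value, pc_value, status in rows:
        db_text = AUDIT_VALUES[db_value] if db_value is not None else "Not defined"
        print(f"{policy:<22}{db_text:<20}{AUDIT_VALUES[pc_value]:<20}{status}")


if __name__ == "__main__":
    database = parse_template(TEMPLATE_INF)
    print_report(analyze(database, COMPUTER_SETTINGS))
    print()
    print_report(analyze(database, configure(database, COMPUTER_SETTINGS)))
```

The second report shows no red X entries: after the configure step only the undefined AuditProcessTracking policy keeps whatever value the computer already had, which is exactly how the snap-in treats settings the template does not specify.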
The Certificate Services Enrollment page is a Web page that allows for the easy creation and monitoring of certificate requests, and for the retrieval of certificates and certificate revocation lists (CRLs).
Use Active Directory Users And Computers to open a Group Policy object (typically the Default Domain Policy GPO or the Default Domain Controllers Policy GPO). Navigate to the Audit Policy node below Windows Settings - Security Settings - Local Policies. In the details pane, double-click Audit Object Access and select Success, Failure, or both, as appropriate. Then, in Windows Explorer, navigate to the file or folder that you need to audit, open its properties, click the Security tab, and then click Advanced. In the Access Control Settings dialog box, on the Auditing tab, click View/Edit to modify the audit entry for a selected user or group, or click Add to add a new user or group to audit. Be cautious about how much file object auditing you configure: this feature can be processor intensive and can fill the security log quickly if it is configured too broadly.