
Windows Server

Nutshell: Microsoft Server
Date of course: _____________________________________

Name of Student: ___________________________________
Rev 1.1


Contact Information: michaelmarch@gmail.com
Not to be reused or copied in any way without the explicit written agreement between Michael March and the requester, until such permission is granted.
Contents
Terminal Services Facts
Remote Assistance Facts
Command Switches for Installation
Troubleshooting Installation Facts
Licensing Facts
Automated Installation Facts
Network Installation Facts
Domain User Account Facts
Group Facts
Built-in Groups
Group Strategy Facts
User Profile Facts
User Profile Management Tasks
Computer Account Facts
Troubleshooting Logon
Group Policy Facts
Installing Devices
Device Management Facts
Drivers
File Verification Programs
File System Facts
Basic and Dynamic Disks
Redundancy and Fault Tolerance
Disk Management Facts
Volume Mount Points
Boot.ini Facts
Backup Facts
Backup Devices Facts
NTFS Permission Facts
Shared Folder Facts
Share Access Facts
Disk Quota Facts
File Compression Facts
Encryption Facts
Offline Settings
Internet Information Services (IIS)
IIS Security Facts
Web Site Identification
Printing Facts
Advanced Print Configuration
Printer Pooling
Multiple Printers
Managing Printing
Troubleshooting Printing Facts
IPP Facts
Installer Package Facts
Software Update Services (SUS) Components
SUS Server Configuration
SUS Client Configuration
SUS Infrastructure Design
SUS Facts
Account Policies Facts
Auditing Facts
Security Template Facts
Event Facts
Monitoring Performance Facts
Counters and Values to Watch
Volume Shadow Copy Services (VSS)
System Recovery Facts
Terminal Services Facts
By default, Windows 2003 comes with Remote Desktop enabled. Using Remote Desktop, you can connect to a server and manage it remotely just as you would if you were sitting at the server console. Remote Desktop uses Terminal Services technology. Terminal Services can also be used by end users to connect to the server and run applications. For example, users can connect to a server to run an application that is not supported on the client system.
Keep in mind the following details regarding Remote Desktop.
• Remote Desktop is the same as running Terminal Services in administration mode on previous Windows versions.
• Remote Desktop is limited to two concurrent connections.
• When using Remote Desktop, the user account used to connect to the server must be assigned a password, and must be given explicit permission for Remote Desktop. Allow users for Remote Desktop through the System applet.
• Client computers require client software to make the connection. This software is included with Windows XP or Windows Server 2003, but must be installed separately on other Windows versions (Windows 2000, for example).
Keep in mind the following details regarding Terminal Services.
• You can support many more clients by installing Terminal Services (also called installing application mode for Terminal Services). Use Add/Remove Windows components to install Terminal Services.
• Microsoft allows an evaluation period for Terminal Services of 120 days. You must install a licensing server prior to expiration or the server will stop accepting remote connections.
• Many settings on the RDP-Tcp properties Sessions tab can override individually configured user settings.
• Use the Msg command to send a message to all connected users of a particular terminal services server. You should know the following facts about Msg:
o The syntax is msg {UserName | SessionName | SessionID} [/server:ServerName] [Message].
o UserName is the name of the user you want to receive the message.
o SessionName is the name of the session you want to receive the message.
o SessionID is the numeric ID of the session whose user you want to receive a message.
o /server:ServerName specifies the terminal server whose session or user you want to receive the message. (If unspecified, /server uses the server to which you are currently logged on.)
o Message is the actual message you wish to send.
• The Query user command-line tool displays the names of any currently logged on users or sessions with Terminal Services.

Remote Assistance Facts
Keep in mind the following details regarding Remote Assistance.
• Both the novice (person requesting assistance) and the expert (person giving assistance) computers must be running either Windows XP (either Home or Professional) or Windows Server 2003.
• To initiate a remote assistance session:
o Select Ask for Remote Assistance in Windows Messenger.
o Send an e-mail through the Help and Support tools (if the infrastructure is configured appropriately).
o Create a Remote Assistance file through Help and Support tools and load it to a network share (if the infrastructure is configured appropriately).
• Generally, the novice must initiate the invitation. If Active Directory is used, the expert can initiate the Remote Assistance connection.
• Invitations require a password (unless Instant Messaging is used) and have an expiration time. Expired invitations cannot be answered.
• When sending an invitation, do not include the password in the invitation text. Communicate it in some other way.
• The helper cannot copy files from a user's computer. The user must explicitly send any files the helper may need.
• The user can take back control of the computer at any time by pressing the Esc key or Ctrl+C, or by clicking Stop Control.
Command Switches for Installation
To start the installation, use:
• Winnt.exe to start installation from a DOS environment.
• Winnt32.exe to start installation from within a 32-bit environment.
The following table lists common switches to use with the installation programs.
Switch              Purpose
/makelocalsource    Copies installation files from the CD-ROM
/dudisable          Disables dynamic updates during installation
/duprepare          Prepares downloaded update files for use during installation
/dushare            Starts the installation with downloaded update files
/u                  Indicates use of an unattended answer file
/udf                Indicates the use of a uniqueness database file
/s                  Specifies a path to source files
/checkupgradeonly   Verifies upgrade compatibility

Troubleshooting Installation Facts
Use the /debuglevel:logfile switch to create an installation debug log. The default debug level is 2. The default log file is C:\%systemroot%\Winnt32.log. The log levels are as follows:
Level   Report
0       Severe errors
1       Errors
2       Warnings
3       Information
4       Detailed information for debugging
You can use System File Checker (Sfc.exe) to verify the integrity of protected system files if an installation appears unstable. You can use the following switches with the Sfc command:
Switch            Function
/Scannow          Performs a scan immediately
/Scanboot         Configures the operating system to perform a scan every time it boots
/Revert           Changes the scan behavior back to the default
/Cachesize=size   Configures how much disk space can be used to store cached versions of protected system files
To uninstall a service pack or hotfix from the command line, run Spuninst.exe from the service pack or hotfix uninstall folder. Use the following switches with Spuninst:
Switch   Function
-u       Unattended mode
-f       Force other applications to close at shutdown
-z       Do not reboot when complete
-q       Quiet mode (no user interaction)
To isolate a driver causing an installation to fail, add the /Sos switch to the Boot.ini file. This loads the drivers individually, allowing you to isolate the bad driver.

Licensing Facts
You should know the following facts about licensing:
• The Licensing Logging service is available from the Administrative tools menu.
• The Licensing Logging service allows you to view, add, and delete installed product licenses.
• Per-user licensing is more expensive per client workstation than a per-server licensing model, but it becomes much less expensive when many workstations access several servers.
• Cpl.cfg is the purchasing history file.
• Llsuser.lls is the user information file.
• Llsmap.lls is the license group information.
Automated Installation Facts
Windows provides the ability to perform an unattended installation from a CD-ROM. To perform an unattended installation from a CD-ROM, the following conditions must be met:
• The computer must support booting from a CD-ROM, and must adhere to the El-Torito non-emulation specification.
• The unattended answer file must be renamed to Winnt.sif and copied to a floppy disk so Setup can access it. When Setup displays the message that it is examining the hardware configuration, insert the floppy disk containing the Winnt.sif file.
• The answer file must contain a valid [Data] section with the following entries:
o UnattendedInstall=Yes - Value must be set to "yes".
o MSDosInitiated=No - Value must be set to "no" or Setup will stop during the graphical portion of Setup.
o AutoPartition=1 - If the value is set to 1, the installation partition is automatically selected. If the value is set to 0 (zero), you are prompted for the installation partition during the text portion of Setup.
You can also automate installation by preparing a disk image. You then duplicate the disk image to a new hard drive and boot the system. Use the following files to prepare an automated installation using an image:
File          Function
Sysprep.exe   Prepares a system for duplication
Setupcl.exe   Runs a mini-setup wizard when the duplicated drive is booted
Sysprep.inf   An optional answer file that automates the mini-setup wizard. Can be copied to a floppy disk.
Note: These files belong in the Sysprep folder at the root of the system drive.
Network Installation Facts
You should know the following facts about Remote Installation Services:
• An RIS server must have the following components installed on it:
o DHCP
o DNS
o RIS
o Active Directory
• Use the Rbfg.exe (Remote Boot Disk Generator) file to create a boot disk for non-PXE compliant network adapters. The boot disk simulates the PXE boot process. The file is located in the RemoteInstall\admin\i386 folder on the RIS server.
• On the workstation, be sure to enable network boot in the BIOS.
• Use the Riprep.exe file to create the image of the reference computer.
To perform a network installation without RIS:
1. Copy the source installation files to a shared network drive.
2. If necessary, update the installation files with service packs or hotfixes.
3. Execute Winnt or Winnt32 from the network share.
To use dynamic updates during an installation, download the updates to a network share. Use the following switches with the Winnt or Winnt32 command to apply dynamic updates during the installation:
Switch                                    Function
/Duprepare:[path to downloaded updates]   Prepares the updates for use during installation.
/Dushare:[path to downloaded updates]     Starts the installation with the downloaded update files.
/Dudisable                                Prevents the dynamic update from occurring.
To apply a service pack to the source installation files, use the Update.exe -s:[network_share] command and switch. This applies the service pack changes to the installation files in the network share.

Domain User Account Facts
You should know the following facts about domain (or global) user accounts:
• Domain user accounts let users log on to the network, and allow access to domain resources.
• Active Directory stores these accounts for the entire domain (users have to log on only once to access domain resources).
• Domain user accounts have a variety of properties, such as user information, group membership, user profiles, and dial-in settings.
• A user account can be renamed when users change jobs or need previously assigned permissions to resources.
• Use Active Directory Users and Computers from a domain controller (or a workstation with Administrative Tools installed) to configure domain accounts.
• When a new account is created, it is replicated to all of the domain controllers in the domain, so any domain controller in the domain can authenticate user logons.
• Each user account has a unique security identifier (SID) to identify the user to the Windows server. A user can log on to the domain from any computer that is a member of the domain and can access resources on that computer or on other computers for which the domain user account has permissions.
• Logon restrictions apply to users, not groups.
Group Facts
• Active Directory defines three scopes that describe the domains on the network from which you can assign members to the group; where the group's permissions are valid; and which groups you can nest.
Scope Description
Global groups Are used to group users from the local domain. Typically, you assign users who perform similar job functions to a global group. A global group can contain user and computer accounts and global groups from the domain in which the global group resides. Global groups can be used to grant permissions to resources in any domain in the forest.
Domain local groups Are used to grant access to resources in the local domain. They have open membership, so they may contain user and computer accounts, universal groups, and global groups from any domain in the forest. A domain local group can also contain other domain local groups from its domain. Domain local groups can be used to grant permissions to resources in the domain in which the domain local group resides.
Universal groups Are used to grant access to resources in any domain in the forest. They have open membership, so you can include user and computer accounts, universal groups, and global groups from any domain in the forest. Universal groups can be used to grant permissions to resources in any domain in the forest. Universal groups are available only in Windows 2000 Native or Windows 2003 domain functional level.
Built-in Groups
Windows domain controllers include several built-in domain local groups, each of which has predefined rights. These groups are automatically created on domain controllers, and are placed in the Built-in folder in Active Directory Users and Computers.
Built-in Group Description
Administrators Full control over the computer, including every available right in the system (the only built-in account that automatically has all rights), including the Take ownership of files or other objects right.
Server Operators Share folders and backup files and folders.
Backup Operators Back up, copy, and restore files on the computer (regardless of permissions). Log on to and shut down the computer. Cannot change security settings.
Account Operators Create, delete, and modify domain user accounts and groups. Cannot modify the Administrators group or any Operators groups.
The basic best practices for user and group security is:
• Create groups based on users' and administrators' needs.
• Assign user accounts to the appropriate groups.
• Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network.
Group Strategy Facts
To make permission assignments easier, assign permissions to a group, then add the accounts that need to use the group's resources. You can add user accounts, computers, and other groups to groups. You should remember the following when assigning members to groups:
• Adding a user account to a group gives that account all the permissions and rights granted to the group (the user must log off and log back on before the change takes effect).
• The same user account can be included in multiple groups. (This multiple inclusion may lead to permissions conflicts, so be aware of the permissions assigned to each group.)
• Nesting is the technique of making a group a member of another group. Using hierarchies of nested groups may make administration simpler--as long as you remember what permissions you have assigned at each level.
The following table shows the three basic recommended approaches to managing users, groups, and permissions.
Strategy: ALP
  Use: Workstations and member servers.
  Description: A: Place user Accounts; L: Into Local groups; P: Assign Permissions to the local groups.
  Application: Best used in a workgroup environment, not in a domain.
Strategy: AGDLP
  Use: Mixed mode domains and native mode domains (does not use universal groups, which are also not available in mixed mode).
  Description: A: Place user Accounts; G: Into Global groups; DL: Into Domain Local groups; P: Assign Permissions to domain local groups.
  Application:
    1. Identify the users in the domain who use the same resources and perform the same tasks. Group these accounts together in global groups.
    2. Create new domain local groups if necessary, or use the built-in groups to control access to resources.
    3. Combine all global groups that need access to the same resources into the domain local group that controls those resources.
    4. Assign permissions to the resources to the domain local group.
Strategy: AGUDLP
  Use: Native mode domains, when there is more than one domain and you need to grant access to similar groups defined in multiple domains.
  Description: A: Place user Accounts; G: Into Global groups; U: Into Universal groups; DL: Into Domain Local groups; P: Assign Permissions to domain local groups.
  Application: Universal groups should be used when you need to grant access to similar groups defined in multiple domains. It is best to add global groups to universal groups, instead of placing user accounts directly in universal groups.
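The scope rules in the group table and the AGDLP/AGUDLP nesting strategy above can be checked mechanically. The following is an added example, not part of the original study guide: a small Python model of accounts and groups (the domain names, group names and the share path are constructed) that rejects memberships the scope table forbids and resolves the permissions a user actually receives through nested groups.

```python
from dataclasses import dataclass

# Domain functional levels in which universal groups are available (from the scope table).
NATIVE_LEVELS = {"windows 2000 native", "windows 2003"}
GROUP_KINDS = {"global", "domain_local", "universal"}


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # "user", "computer", "global", "domain_local" or "universal"


def allowed_member(group, member, functional_level):
    """Apply the scope table's membership rules. Returns (ok, reason)."""
    if group.kind not in GROUP_KINDS:
        return False, f"{group.name} is not a group"
    if group.kind == "universal" and functional_level.lower() not in NATIVE_LEVELS:
        return False, "universal groups need Windows 2000 Native or Windows 2003 functional level"
    same_domain = group.domain == member.domain
    if group.kind == "global":
        # Global groups: accounts and global groups from their own domain only.
        if member.kind in ("user", "computer", "global") and same_domain:
            return True, "ok"
        return False, "global groups hold only accounts and global groups from their own domain"
    if group.kind == "domain_local":
        # Domain local groups: accounts, global and universal groups from any domain;
        # other domain local groups only from the same domain.
        if member.kind in ("user", "computer", "global", "universal"):
            return True, "ok"
        if member.kind == "domain_local" and same_domain:
            return True, "ok"
        return False, "domain local groups nest other domain local groups only from their own domain"
    # Universal groups: accounts, global and universal groups from any domain.
    if member.kind in ("user", "computer", "global", "universal"):
        return True, "ok"
    return False, "universal groups cannot contain domain local groups"


def validate_memberships(principals, memberships, functional_level):
    """memberships: list of (group_name, member_name). Returns the rule violations found."""
    violations = []
    for group_name, member_name in memberships:
        ok, reason = allowed_member(principals[group_name], principals[member_name], functional_level)
        if not ok:
            violations.append(f"{member_name} -> {group_name}: {reason}")
    return violations


def effective_groups(principal_name, memberships):
    """Transitive closure of nesting: every group the principal ends up in."""
    parents = {}
    for group_name, member_name in memberships:
        parents.setdefault(member_name, set()).add(group_name)
    found, stack = set(), [principal_name]
    while stack:
        current = stack.pop()
        for group_name in parents.get(current, ()):
            if group_name not in found:
                found.add(group_name)
                stack.append(group_name)
    return found


def resolve_access(principal_name, memberships, acl):
    """acl: resource -> {group_name: permission}. Returns resource -> set of permissions."""
    groups = effective_groups(principal_name, memberships)
    access = {}
    for resource, entries in acl.items():
        perms = {perm for group_name, perm in entries.items() if group_name in groups}
        if perms:
            access[resource] = perms
    return access


# Constructed sample forest: two domains laid out AGDLP-style, plus deliberate mistakes.
PRINCIPALS = {p.name: p for p in [
    Principal("alice", "corp.example", "user"),
    Principal("bob", "sub.corp.example", "user"),
    Principal("G-Sales", "corp.example", "global"),
    Principal("G-Sales-Sub", "sub.corp.example", "global"),
    Principal("DL-SalesShare", "corp.example", "domain_local"),
    Principal("DL-Printers", "sub.corp.example", "domain_local"),
    Principal("U-AllSales", "corp.example", "universal"),
]}
MEMBERSHIPS = [
    ("G-Sales", "alice"),              # A -> G
    ("G-Sales-Sub", "bob"),            # A -> G (other domain's own global group)
    ("DL-SalesShare", "G-Sales"),      # G -> DL
    ("DL-SalesShare", "G-Sales-Sub"),  # global group from another domain -> DL: allowed
    ("G-Sales", "bob"),                # user from another domain -> global: violation
    ("DL-SalesShare", "DL-Printers"),  # domain local from another domain -> DL: violation
    ("U-AllSales", "G-Sales-Sub"),     # G -> U: allowed only at native functional level
]
ACL = {r"\\srv\sales": {"DL-SalesShare": "Modify"}}  # P: permission on the domain local group

if __name__ == "__main__":
    for violation in validate_memberships(PRINCIPALS, MEMBERSHIPS, "Windows 2003"):
        print("VIOLATION:", violation)
    print("alice:", resolve_access("alice", MEMBERSHIPS, ACL))
```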

User Profile Facts
You should know the following facts about user profiles:
• Roaming user profiles store the profile contents on centrally-managed network servers and allow users to log on to different workstations while maintaining their Windows desktop.
• Mandatory user profiles allow all users to make changes to their desktops, but those changes are not saved to the profile. Users are forced to start each logon session with the original profile.
• If a user's roaming Windows profile is unavailable during log on, Windows will use a copy of the locally-cached profile, warn the user of a possible network error, and allow the user to log on.
• User account profile configuration and network path information is associated with the account and will move with the account. This allows simple moves of user account objects and minimizes the administrative effort.
User Profile Management Tasks
The following list describes some common profile management tasks and the recommended method for completing them.
• To create a new profile: Log on as a user without a profile. User profiles are created automatically, using the Default User profile as a template. (You can also set access permissions on a copied profile for use as a new profile.)
• To edit an existing profile: Log on as the user, then use the Windows interface to modify the desktop, Start Menu, taskbar, and other preferences.
• To create Start Menu or Desktop shortcuts: Copy the desired shortcuts to the appropriate folder within the user profile.
• To copy a profile: Use the User Profiles tool to copy the profile to a new location. If you simply copy the subfolders to a new location, registry settings and permissions will not be properly modified. Note: You cannot copy the profile of a logged on user.
• To make a mandatory user profile: Use Explorer to rename the Ntuser.dat file to Ntuser.man.
• To make a roaming user profile: Copy the profile to a network share. Use the Profile tab in the user account properties to enter the path to the user's roaming profile.
• To assign a specific profile: Edit the properties of the user account (either local or domain user) to identify the specific profile (roaming or otherwise) to use.
• To delete a profile: Use the User Profiles tool. Do not simply delete the folder, as registry settings will not be modified appropriately. Note: You cannot delete the profile of a logged on user.

Computer Account Facts
You should know the following facts about computer accounts:
• To join a computer to a domain:
o Create a computer account in Active Directory.
o Join the computer to the domain.
• Members of the Administrators or Account Operators group can join an unlimited number of computers to a domain.
• By default, domain users can join up to 10 computers to a domain from a workstation.
• Computers added to the domain from a workstation are added to the built-in Computers container.
• Because the Computers container cannot be linked to policies, create computer accounts beforehand in an OU for computer accounts.
• If the organization uses a separate OU for computers, any computer accounts created automatically in the Computers container must be moved to the correct OU.
• Windows 98 computers cannot use a computer account in a domain.
• You can use the Dsadd and Netdom utilities to create computer accounts.
• A computer account must connect to the network before it will display information about OS and Service Pack changes.
Troubleshooting Logon
Both users and computers must log on to the domain. User logon is accomplished by supplying a valid username and password combination. If users are having trouble logging on, check the following:
• Verify the correct logon name is being used, with the correct UPN suffix. Make sure the corresponding user account exists in Active Directory.
• Make sure the user account is enabled.
• If the user has tried many times unsuccessfully, and receives a message stating the user account is locked, unlock the user account.
• If necessary, change the password for users who might have forgotten the password.
Computer account logon happens automatically in the background. Failure to log on might result in a failure to use network resources or gain access to the local computer. To troubleshoot computer accounts, apply the following steps:
1. If the computer account exists, reset the account in Active Directory.
2. If the account does not exist, create it.
3. If troubles persist, remove the computer from the domain and add it to a workgroup (use a workgroup name not currently in use). Rejoin the domain.
Command Prompt Tools
Command    Description
DSAdd      Create a new object in Active Directory
DSQuery    Find the location of information or the setting of an object (allows a search through the whole forest)
DSGet      Retrieve property information about an object
DSMod      Modify or change an object
DSMove     Move objects from one location to another
DSRm       Remove (delete) objects
Movetree   Move an OU and its contents
Ldifde     Create, modify, and delete directory objects on computers running Windows Server 2003. You can also use it to export AD user and group information to other applications and services, and to populate AD with data from other directory services.
Csvde      Import and export data from AD using files that store data in the comma-separated value (CSV) format.
Group Policy Facts
Group policy is a tool used to implement system configurations that can be deployed from a central location through GPOs (Group Policy Objects).
You should know the following Group Policy facts:
• GPOs contain hundreds of configuration settings.
• GPOs can be linked to Active Directory sites, domains, or organizational units (OUs).
• GPOs include computer and user sections. Computer settings are applied at startup. User settings are applied at logon.
• A GPO only affects the users and computers beneath the object to which the GPO is linked.
• Group policy settings take precedence over user profile settings.
• A local GPO is stored on a local machine. It can be used to define settings even if the computer is not connected to a network.
• GPOs are applied in the following order:
1. Local
2. Site
3. Domain
4. OU
• If GPOs conflict, the last GPO to be applied overrides conflicting settings.
• The Computers container is not an OU, so it cannot have a GPO applied to it.
• Group policy is not available for Windows 98/NT clients or Windows NT 4.0 domains.
• You can use a GPO for folder redirection, which customizes where user files are saved. (For example, you can redirect the My Documents folder to a network drive where regular backups occur. Folder redirection requires Active Directory-based group policy.)
• Configuring a domain group policy to delete cached copies of roaming user profiles will remove the cached versions of the profile when a user logs off.
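The processing order and the "last applied wins" rule above decide which GPO actually sets a value, which matters when a security setting is not what you expected. Added example, not from the original guide: a Python model of the Local, Site, Domain, OU order with constructed GPO names, distinguished names and settings, that reports the winning GPO for every effective setting and rejects a link to the Computers container.

```python
LEVEL_RANK = {"local": 0, "site": 1, "domain": 2, "ou": 3}


def processing_order(gpos, site, domain, ou_path):
    """Return the GPOs that apply to an object, in the order Windows applies them:
    Local, Site, Domain, then OUs from the top-level OU down to the object's own OU.
    gpos: list of dicts with keys name, level ("local"|"site"|"domain"|"ou"),
          link (DN of the site/domain/OU the GPO is linked to, None for local) and settings.
    ou_path: OU distinguished names from the top-level OU down to the object's OU."""
    ordered = []
    for gpo in gpos:
        level, link = gpo["level"], gpo["link"]
        if level == "local":
            rank = (LEVEL_RANK["local"], 0)
        elif level == "site" and link == site:
            rank = (LEVEL_RANK["site"], 0)
        elif level == "domain" and link == domain:
            rank = (LEVEL_RANK["domain"], 0)
        elif level == "ou" and link in ou_path:
            # Deeper OUs are applied later, so they win conflicts with parent OUs.
            rank = (LEVEL_RANK["ou"], ou_path.index(link))
        else:
            continue  # linked somewhere that is not above this object: no effect
        ordered.append((rank, gpo))
    ordered.sort(key=lambda item: item[0])
    return [gpo for _, gpo in ordered]


def effective_settings(gpos, site, domain, ou_path):
    """Merge settings in processing order; the last GPO applied wins each conflict.
    Returns (settings, winners) where winners maps each setting to the GPO that set it."""
    settings, winners = {}, {}
    for gpo in processing_order(gpos, site, domain, ou_path):
        for key, value in gpo["settings"].items():
            settings[key] = value
            winners[key] = gpo["name"]
    return settings, winners


def link_target_ok(link):
    """The Computers container is not an OU, so a GPO cannot be linked to it."""
    return not link.upper().startswith("CN=COMPUTERS,")


# Constructed sample: one site, one domain, a Servers OU with a Web child OU.
DOMAIN = "DC=corp,DC=example"
SITE = "CN=HQ,CN=Sites,CN=Configuration," + DOMAIN
OU_SERVERS = "OU=Servers," + DOMAIN
OU_WEB = "OU=Web," + OU_SERVERS
OU_WORKSTATIONS = "OU=Workstations," + DOMAIN

SAMPLE_GPOS = [
    {"name": "Local", "level": "local", "link": None,
     "settings": {"screen_saver_timeout": 600, "remote_desktop": True}},
    {"name": "HQ Site", "level": "site", "link": SITE,
     "settings": {"screen_saver_timeout": 900}},
    {"name": "Default Domain", "level": "domain", "link": DOMAIN,
     "settings": {"remote_desktop": False, "audit_logon": True}},
    {"name": "Servers", "level": "ou", "link": OU_SERVERS,
     "settings": {"remote_desktop": True}},
    {"name": "Web Servers", "level": "ou", "link": OU_WEB,
     "settings": {"screen_saver_timeout": 300}},
]

if __name__ == "__main__":
    web_path = [OU_SERVERS, OU_WEB]
    print([g["name"] for g in processing_order(SAMPLE_GPOS, SITE, DOMAIN, web_path)])
    print(effective_settings(SAMPLE_GPOS, SITE, DOMAIN, web_path))
```

A computer in OU=Web ends up with Remote Desktop enabled by the Servers GPO even though the domain GPO disables it, because the OU GPO is applied last.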
To manually refresh group policy settings, use the Gpupdate command with the following switches:
Switch             Function
(no switch)        Refreshes user and computer-related group policy.
/target:user       Refreshes user-related group policy.
/target:computer   Refreshes computer-related group policy.
Installing Devices
When installing devices:
• Begin by adding the device to the system or plugging the device in. Windows automatically detects and installs drivers for Plug and Play devices.
• For undetected legacy devices, you might need to:
o Run the setup program that came with the device.
o Use the Add New Hardware wizard to install a device driver manually.
o Manually set IRQ, DMA, or I/O addresses.
o Manually select and install the driver.
Device Management Facts
You should know the following facts about managing devices:
• You can connect to remote computers using the WinMSD utility or Device Manager.
• Use Device Manager to disable devices that you suspect are causing system problems.
• Use Control Panel applets to adjust properties for individual devices like modems or video hardware.
• The Hardware Troubleshooting Wizard steps users through the process of identifying system problems.
• You can manually assign resources using Device Manager.
• If problems with a device prevent you from booting or affect system stability, boot into Safe Mode to disable the device or change its properties.

Drivers
To update drivers:
• Use Windows Update to automatically check for new drivers.
• Download the new driver and run the program to install it.
• Download the new driver and use Device Manager to update and install the new driver.
To control how unsigned drivers are installed on the system, use the following settings:
• Block (prevents unsigned driver installation)
• Warn (allows installation, but with an error message)
• Ignore/Silently Succeed (install)
To protect against unsigned drivers:
• Enforce driver signing on the system through the System applet or Group Policy.
• Use group membership and user rights to prevent normal users from installing drivers (only Power Users or Administrators can install drivers).
• The Hardware Compatibility List (HCL) includes all devices for which a signed driver is available.
• Driver Rollback allows you to restore an original driver when a new driver causes system problems.
File Verification Programs
The following table summarizes the tools you can use to verify driver signatures and file integrity.
Program               Features
Sigverif.exe          GUI-based tool that searches for unsigned files. By default, it searches only the Windows directory (click the Advanced button to search other locations). The program returns a list of files without digital signatures.
Driverquery.exe /si   Command-line tool that checks the digital signatures of drivers that are in use. Use the /si switch to request the signature status of the drivers. The report lists each device, the .inf file for the device, and the signed status of the driver.
Msinfo32.exe          GUI-based tool that displays the list of devices and information about each device (including the driver, driver date, and signature status). The report shows every installed device and the signed status of the drivers.
Sfc.exe /scannow      Tool that scans system files to ensure that they have not been replaced or corrupted. Use the /scannow switch to force an immediate check of the system. The tool automatically replaces bad files.

File System Facts
The following table indicates which file systems support which capabilities.
Feature                                      Supported by
Long file names                              FAT, FAT32, NTFS
Larger than 2 GB/4 GB partitions             FAT32, NTFS
Smaller clusters                             FAT32, NTFS
Enhanced file security through permissions   NTFS
Folder and file level encryption             NTFS
Folder and file level compression            NTFS
Disk quotas                                  NTFS
Use the Convert.exe utility to modify the file system without reformatting and losing data. To convert the C:\ drive to NTFS, use the following command:
convert C: /fs:ntfs
Basic and Dynamic Disks
Keep in mind the following when using basic disks.
• A basic disk has a limit of four partitions, only one of which can be an extended partition.
• One primary partition must be marked active.
• Most operating systems can recognize only one primary partition. All other primary partitions are invisible. (Windows NT/2000/XP/Server 2003 can recognize multiple primary partitions.)
• The active primary partition is represented with one drive letter (C:). The extended partition can be divided into multiple logical drives (up to 26).
Keep in mind the following when using dynamic disks.
• Windows 2000/XP/Server 2003 recognize dynamic disks.
• Volumes on dynamic disks are like partitions and logical drives on basic disks.
• A volume can be made of non-contiguous space on a single drive or space taken from more than one drive.
• You cannot install the operating system on a dynamic disk. You can, however, upgrade a basic disk containing the operating system to dynamic after installation.
Keep in mind the following points as you plan whether to implement basic or dynamic disks.
• A hard disk must be either basic or dynamic; it cannot be both at once.
• Windows 2000/XP/Server 2003 use basic storage by default.
• MS-DOS and all versions of Microsoft Windows support basic storage.
• Dynamic storage was new in Windows 2000, and earlier Windows operating systems cannot use it (this is especially important if you plan to multi-boot to other operating systems).
• Dynamic storage is not supported on portable computers because they normally have only one internal hard drive and cannot take advantage of advanced dynamic storage features.
To convert a basic disk to a dynamic disk, right click the volume in Computer Management and choose Convert to dynamic disk. Or, use the Diskpart command at the command line.
Volume Characteristics: The following table summarizes volume types and their characteristics.
Volume Type       Characteristics
Simple volume     Contains a single, contiguous block of space from a single hard disk.
Extended volume   Contains space from multiple areas on the disk. An extended volume that spans two disks is a spanned volume.
Spanned volume    Combines areas from two or more disks into one storage unit. Fills the first area, then the second, and so on. Does not provide fault tolerance: if one hard disk fails, you lose all data. Cannot contain system or boot files.
Note: Only dynamic disks support extended, spanned, striped, mirrored, or RAID volumes.
Mirrored and RAID volumes are supported only on server versions of Windows. These volume types provide fault tolerance and improve performance.

Redundancy and Fault Tolerance
You should know the following facts about RAID volumes:
Redundant Array of Independent Disks (RAID) combines two or more disks for fault tolerance and performance.
• Windows supports three RAID levels: 0 (striping), 1 (mirroring), and 5 (striping with parity).
• RAID0 uses data striping but no redundancy for improving performance.
• RAID1 uses disk mirroring for providing fault tolerance.
• RAID5 uses disk striping with parity for performance and fault tolerance.
• The Windows interface uses the term RAID to refer to RAID 5 or striping with parity.
• Overhead refers to the amount of extra (or "wasted") disk space required to add fault tolerance.
o RAID5 volumes use one disk in the set for fault tolerance (a three-disk set has 33% overhead, a four-disk set has 25% overhead).
o Mirrored volumes have 50% overhead (meaning one disk in two is used for fault tolerance).
The following table summarizes volumes that provide redundancy and fault tolerance.
Volume Type       Characteristics
Mirrored volume   Stores data to two duplicate disks simultaneously. Fault tolerant because if one disk fails, data is preserved on the other. The system switches immediately from the failed disk to the functioning disk to maintain service.
Striped volume    Uses storage areas on several different disks. Improves performance by writing to multiple disks simultaneously. Uses disk areas similar in size; the amount of space used on each disk is equal to the smallest area. Saves data from a single file on multiple disks. Is not fault tolerant: if one hard disk in the set fails, you lose all data on all disks. Cannot contain system or boot files.
RAID5 volume      Contains three or more disks. Like a striped volume, portions of a single file are written to each disk in the set. RAID5 volumes add fault tolerance to striping through a process called parity (where data recovery information is added to each disk). Often called a striped set with parity.
Note: Only dynamic disks support extended, spanned, striped, mirrored, or RAID volumes.

Disk Management Facts
Use the following command line commands to manage disks:
Command: Description
DiskPart: Manages disks, partitions, and volumes by using scripts or direct input from the command prompt.
Defrag: Locates and consolidates fragmented boot files, data files, and folders on local volumes.
Cscript: Runs scripts from the command-line-based script host.
You should also know the following facts about disk management:
• When you move a disk that has been installed and used in another computer, you might need to import the disk. In Disk Management, right-click the disk and choose Import Foreign Disks.
• Using Disk Management, you can analyze a disk for defragmentation before using the defragmentation utility.
• Use Disk Management to reactivate volumes in a RAID-5 configuration. This improves performance after a disk in the configuration has been replaced.
You should know the following facts about recovering failed disks:
• To recover a failed disk in a mirror configuration:
1. Break the mirror.
2. Delete the failed disk.
3. Recreate the mirror to a new disk (make sure the disk is upgraded to a dynamic disk first).
• To recover a failed disk in a RAID5 configuration:
1. Repair the volume on a new dynamic disk.
2. Delete the old disk.
• To recover a volume in a failed operating system:
1. Move the disk to a new machine.
2. Import the foreign disk on the new system.


Volume Mount Points
A volume mount point allows you to use another partition in the computer and represent it as a folder in an existing partition. This gives you a great deal of flexibility when you need to expand storage. You should know the following facts about volume mount points:
• Both partitions must be formatted with NTFS.
• You can use either partitions on basic disks or volumes on dynamic disks for volume mount points.
• The folder on the source partition must be empty.
• The target partition must not have a drive letter.
• Multiple folders can reference the same target partition.
Boot.ini Facts
The Boot.ini file is responsible for the following operations:
• Launching the menu for operating system selection during startup
• Pointing to the system files for the selected operating system
• Identifying the controller, hard disk, and partition where the system files are located
The ARC path locates the system files and contains the following elements:
Entry: Meaning and Use
MULTI(x) or SCSI(x): Identifies the controller location. Use multi(x) if the disk controller is a SCSI device with its BIOS enabled or is a non-SCSI device. Use scsi(x) only if the disk controller is a SCSI device with its BIOS disabled. The value for x begins at 0.
DISK(x): Identifies the disk location. If the first component of the ARC name is scsi, disk(x) indicates which SCSI disk the operating system is located on. If the first component is multi, this component is always disk(0), and the disk containing the operating system is indicated by the rdisk(x) component. The value for x begins at 0.
RDISK(x): Identifies the disk location. If the first component of the ARC name is multi, rdisk(x) indicates which physical disk the operating system is located on. If the first component is scsi, this component is always rdisk(0), and the disk containing the operating system is indicated by the disk(x) component. The value for x begins at 0.
PARTITION(y): Identifies which partition holds the boot files. The value for y begins at 1.
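As an added example (not part of the original course notes), the following Python script parses ARC paths and checks them against the multi/scsi, disk, rdisk and partition numbering rules in the table, then reads the [operating systems] entries out of a Boot.ini file. The sample Boot.ini text is constructed for the example.

```python
"""Parse Boot.ini ARC paths and check them against the MULTI/SCSI, DISK, RDISK and
PARTITION rules summarised above. Added example; the sample Boot.ini is constructed."""
import re
from dataclasses import dataclass

# multi(x)disk(x)rdisk(x)partition(y)\path : the four ARC components, then the
# path to the system files on that partition (the path is optional).
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi)\((?P<adapter_no>\d+)\)"
    r"disk\((?P<disk>\d+)\)"
    r"rdisk\((?P<rdisk>\d+)\)"
    r"partition\((?P<partition>\d+)\)"
    r"(?P<path>\\\S*)?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArcPath:
    adapter: str        # "multi" or "scsi"
    adapter_no: int     # controller index, begins at 0
    disk: int           # meaningful only with scsi(x)
    rdisk: int          # meaningful only with multi(x)
    partition: int      # partition number, begins at 1
    system_path: str    # e.g. \WINDOWS

    def physical_disk(self) -> int:
        """The disk that actually holds the OS, per the table: rdisk for multi, disk for scsi."""
        return self.rdisk if self.adapter == "multi" else self.disk


def parse_arc(entry: str) -> ArcPath:
    """Parse one ARC path; raise ValueError if it is malformed or breaks the numbering rules."""
    m = ARC_RE.match(entry.strip())
    if not m:
        raise ValueError(f"not an ARC path: {entry!r}")
    arc = ArcPath(
        adapter=m["adapter"].lower(),
        adapter_no=int(m["adapter_no"]),
        disk=int(m["disk"]),
        rdisk=int(m["rdisk"]),
        partition=int(m["partition"]),
        system_path=m["path"] or "",
    )
    if arc.partition < 1:
        raise ValueError("partition(y) numbering begins at 1")
    if arc.adapter == "multi" and arc.disk != 0:
        raise ValueError("with multi(x) the disk component must be disk(0); select the disk with rdisk(x)")
    if arc.adapter == "scsi" and arc.rdisk != 0:
        raise ValueError("with scsi(x) the rdisk component must be rdisk(0); select the disk with disk(x)")
    return arc


def is_valid_arc(entry: str) -> bool:
    try:
        parse_arc(entry)
        return True
    except ValueError:
        return False


def parse_boot_ini(text: str) -> dict:
    """Return {menu name: ArcPath} for every entry in the [operating systems] section."""
    entries = {}
    in_os_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        if in_os_section and "=" in line:
            arc_text, _, rest = line.partition("=")
            # the menu text is the quoted string; anything after it is boot options
            name = rest.split('"')[1] if '"' in rest else rest.strip()
            entries[name] = parse_arc(arc_text)
    return entries


# Constructed sample: two installations on two physical disks behind one non-SCSI controller.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003" /fastdetect
multi(0)disk(0)rdisk(1)partition(2)\WINNT="Windows 2000 Server (second disk)" /fastdetect
"""

if __name__ == "__main__":
    for name, arc in parse_boot_ini(SAMPLE_BOOT_INI).items():
        print(f"{name}: disk {arc.physical_disk()}, partition {arc.partition}, {arc.system_path}")
```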
Backup Facts
Most backup methods use the archive bit on a file to identify files that need to be backed up. When a file is modified, the system automatically flags the file as needing to be archived. When the file is backed up, the backup method may reset (clear) the archive bit to indicate it has been backed up.
The following table shows the type of data backed up using each backup method.
Backup Type: Backs Up; Resets Archive Bit?
Full: Backs up all files regardless of the archive bit. Resets archive bit: Yes.
Incremental: Backs up files on which the archive bit is set. Resets archive bit: Yes.
Differential: Backs up files on which the archive bit is set. Resets archive bit: No.
Copy: Backs up all files regardless of the archive bit status. Resets archive bit: No.
Most of the time, you will perform backups using a strategy that combines backup types. The following table compares common backup strategies.
Strategy: Backup Characteristics; Restore Characteristics
Full backup: Requires large tapes for each backup and takes a long time to perform. To restore, restore only the last backup.
Full + Incremental: Incremental backups are quick to perform; this is the fastest backup method. To restore, restore the full backup and every subsequent incremental backup.
Full + Differential: Differential backups take progressively longer to complete as time elapses since the last full backup. To restore, restore the last full backup and the last differential backup. Next to a full backup, this is the fastest restore method.
Note: Do not combine incremental and differential backups.
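As an added example (not part of the original notes), this Python simulation models the archive bit and the four backup types, then runs the Full + Incremental and Full + Differential strategies over a constructed week of file edits to show how the backup sizes and the restore chains differ. The file set and edit schedule are constructed.

```python
"""Simulate the archive bit and the four backup types, then compare the Full + Incremental
and Full + Differential strategies. Added example; the file set and edit schedule are constructed."""
from dataclasses import dataclass


@dataclass
class TrackedFile:
    version: int = 0
    archive: bool = True      # Windows flags a new or modified file as needing archive


class Volume:
    def __init__(self, names):
        self.files = {n: TrackedFile() for n in names}

    def modify(self, name):
        self.files[name].version += 1
        self.files[name].archive = True   # modification sets the archive bit

    def current(self):
        return {n: f.version for n, f in self.files.items()}


# backup type -> (back up every file?, clear the archive bit afterwards?), from the table above
BACKUP_TYPES = {
    "full":         (True,  True),
    "incremental":  (False, True),
    "differential": (False, False),
    "copy":         (True,  False),
}


def run_backup(volume, kind):
    """Return a backup record {type, files: {name: version}} and update archive bits as the type dictates."""
    everything, clear_bit = BACKUP_TYPES[kind]
    saved = {}
    for name, f in volume.files.items():
        if everything or f.archive:
            saved[name] = f.version
            if clear_bit:
                f.archive = False
    return {"type": kind, "files": saved}


def restore_chain(backups):
    """Backups to restore, oldest first: the last full, then every later incremental,
    or only the last later differential. Mixing the two is rejected, as the note says."""
    last_full = max(i for i, b in enumerate(backups) if b["type"] == "full")
    later = backups[last_full + 1:]
    incrementals = [b for b in later if b["type"] == "incremental"]
    differentials = [b for b in later if b["type"] == "differential"]
    if incrementals and differentials:
        raise ValueError("do not combine incremental and differential backups")
    chain = [backups[last_full]]
    if incrementals:
        chain.extend(incrementals)
    elif differentials:
        chain.append(differentials[-1])
    return chain


def restore(chain):
    """Apply the chain in order; a later backup's copy of a file replaces an earlier one."""
    state = {}
    for b in chain:
        state.update(b["files"])
    return state


def simulate(strategy):
    """Full backup on day 0, then one 'strategy' backup per day over a constructed edit schedule."""
    vol = Volume(["a", "b", "c", "d"])
    backups = [run_backup(vol, "full")]
    edits = [["a"], ["a", "b"], ["c"], []]       # files changed on days 1..4
    for changed in edits:
        for name in changed:
            vol.modify(name)
        backups.append(run_backup(vol, strategy))
    chain = restore_chain(backups)
    return {
        "files_per_backup": [len(b["files"]) for b in backups],
        "backups_to_restore": len(chain),
        "restore_is_current": restore(chain) == vol.current(),
    }


if __name__ == "__main__":
    for s in ("incremental", "differential"):
        print(f"full + {s}: {simulate(s)}")
```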
Keep in mind the following facts about doing backups:
• Back up user data more often than system state data (it changes more frequently).
• Back up system state data whenever you make a system change.
• System state data includes the registry, COM+ Class Registration database, system files, boot files, files under Windows File Protection, and the Certificate Services database.
• During a system data backup, all system data is backed up (system data cannot be backed up selectively in portions).
• Files backed up from one system might not restore to another system. Restore to a system running the same OS.
• Be sure to test your backup and restore strategy. It does no good to back up your data if you can't restore it.
• A normal Directory Services restore refers to a process wherein you restart the domain controller in Directory Services Restore Mode and restore system state data.
• Using the Services snap-in, Windows Backup, or the Scheduled Tasks window, you can start the Task Scheduler service. You must have the Task Scheduler service running before you can schedule a backup.
• In order for a scheduled task to run, you must specify a local service account and password.
Backup Devices Facts
Terms and definitions:
• Removable storage: Storage media (tape) that can be removed from the device.
• Media pool: The space on the removable storage where the backup is performed, and where the backed up files will be physically located.
To configure a backup device, begin by installing the device and making sure it is recognized and configured in Device Manager.
• To install devices, you must be a member of the Power Users or Administrators group.
• For parallel backup devices with bi-directional control, enable enhanced parallel port (EPP) in the BIOS.
After configuring the device, enable the media (the tape) in Computer Management to see the tape itself. There are two modes for viewing media:
• Full mode allows you to see the media pool as well as all the nodes inside the media pool. This lets you select exactly what you want to back up or restore.
• Simple mode lets you see only the media pool.
Make users members of the Backup Operators group to enable them to back up and restore files.
• Backup Operators cannot view, edit, or delete files.
• To allow Backup Operators to eject the backup media, assign the Eject media user right to the Backup Operators group.


NTFS Permission Facts
The following table summarizes the permissions for folders and files.
Permission: Allowed Actions
Read: View folder details and attributes. View file attributes; open a file.
Write: Change folder or file data and attributes.
List Folder Contents: Includes all Read actions and adds the ability to view a folder's contents.
Read & Execute: Includes all Read actions and adds the ability to run programs.
Modify: Includes all Read & Execute and Write actions and adds the ability to add or delete files.
Full Control: Includes all other actions and adds the ability to take ownership of and change permissions on the folder.
Use these suggestions to help you plan NTFS permissions.
• Identify the users and their access needs (i.e., the actions they need to be able to perform).
• Based on the types of users you identify, create groups for multiple users with similar needs, and then make users members of groups.
• Assign each group (not user) the permissions appropriate to the group's data access needs. (Grant only the permissions that are necessary.)
• As you assign permissions, take inheritance into account. Set permissions as high as possible on the parent container and allow each child container to inherit the permissions.
• When necessary, you can override inheritance on a case by case basis.
• Deny always overrides Allow, so be careful when you use it.
Shared Folder Facts
The following table lists the share permissions and the level of access the permission allows.
Permission: Actions
Read: Browse the shared folder and its files; open files in the shared folder and its subfolders; copy files from the shared folder; run programs.
Change: All Read actions (browse, open files, copy files from the folder, run programs); write to files and change file attributes; create new files and subfolders; copy files to the shared folder; delete files or subfolders.
Full Control: All Read and Change actions; configure share permissions.
Here are some additional facts you should know:
• You can publish a share in Active Directory to allow users to access it more easily.
• If a program in a shared folder crashes and refuses to run on the client computer, terminate the user session using the Shared Folders option in Device Manager.
Share Access Facts
Use both share and NTFS permissions to secure network resources. (When used in combination, remember that the most restrictive set of permissions will apply.) Here is a common strategy for administering resources with share and NTFS permissions:
1. Secure the folder with NTFS permissions.
2. Share the folder using Allow Full Control for Everyone.
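As an added example (not part of the original notes), this Python script works out the effective access a user gets over the network by combining the two permission layers the way the text describes: the NTFS result (Allow entries for the user's groups, minus any Deny, which always wins) intersected with the share permission, so the most restrictive set applies. The permission names and their action sets come from the two tables above; the groups and ACLs are constructed.

```python
"""Effective access from share + NTFS permissions: NTFS (allow minus deny) AND share.
Added example; the permission tables follow the notes, the ACLs and groups are constructed."""

# Action sets implied by each NTFS permission, per the NTFS Permission Facts table.
NTFS_PERMISSIONS = {
    "Read": {"read"},
    "Write": {"write"},
    "List Folder Contents": {"read", "list"},
    "Read & Execute": {"read", "execute"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "list", "execute", "write", "delete",
                     "take ownership", "change permissions"},
}

# Action sets implied by each share permission, per the Shared Folder Facts table.
SHARE_PERMISSIONS = {
    "Read": {"list", "read", "execute"},
    "Change": {"list", "read", "execute", "write", "delete"},
    "Full Control": {"list", "read", "execute", "write", "delete", "change permissions"},
}


def ntfs_access(principals, acl):
    """acl: list of (principal, 'Allow'|'Deny', permission). Deny always overrides Allow."""
    allowed, denied = set(), set()
    for principal, kind, perm in acl:
        if principal not in principals:
            continue
        target = allowed if kind == "Allow" else denied
        target |= NTFS_PERMISSIONS[perm]
    return allowed - denied


def share_access(principals, share_acl):
    """share_acl: list of (principal, permission); modelled as Allow entries only."""
    granted = set()
    for principal, perm in share_acl:
        if principal in principals:
            granted |= SHARE_PERMISSIONS[perm]
    return granted


def effective_access(user, groups, ntfs_acl, share_acl):
    """Actions the user can perform through the share: the intersection of both layers."""
    principals = {user, *groups}
    return frozenset(ntfs_access(principals, ntfs_acl) & share_access(principals, share_acl))


# Constructed scenario following the strategy above: secure with NTFS, share Full Control to Everyone.
NTFS_ACL = [
    ("Everyone", "Allow", "Read & Execute"),
    ("Sales", "Allow", "Modify"),
    ("Temps", "Deny", "Modify"),      # a Deny that wipes out what Sales and Everyone membership granted
]
SHARE_FULL_TO_EVERYONE = [("Everyone", "Full Control")]
SHARE_READ_ONLY = [("Everyone", "Read")]

if __name__ == "__main__":
    print("alice:", sorted(effective_access("alice", {"Sales", "Everyone"}, NTFS_ACL, SHARE_FULL_TO_EVERYONE)))
    print("bob:  ", sorted(effective_access("bob", {"Sales", "Temps", "Everyone"}, NTFS_ACL, SHARE_FULL_TO_EVERYONE)))
    print("alice via read-only share:",
          sorted(effective_access("alice", {"Sales", "Everyone"}, NTFS_ACL, SHARE_READ_ONLY)))
```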
An administrative share is a share hidden from browsing. Keep in mind the following facts about Administrative shares.
• Administrative shares are hidden by following the sharename with a $.
• Default Administrative shares are accessible to only members of the Administrators group.
• Any share can be hidden by appending the $ to the sharename.
• A hidden share can only be accessed through the UNC path (they do not appear when you browse).
Disk Quota Facts
Keep the following in mind as you work with disk quotas.
• Quotas can only be set on NTFS volumes. The Quota tab will not be shown for FAT volumes.
• Every file and folder that users create, copy, save, or take ownership of on a volume or partition counts toward their disk quota.
• The space available for applications to save files to is equal to the amount of space left in a user's quota.
• Each NTFS volume or partition on a hard disk has its own set of disk quotas, even if they are on the same hard disk.
• System and application files count toward disk quotas, so the user account which installs software needs a higher limit.
• You cannot set a quota limit on the built-in Administrator account.
• You cannot delete a user's account quota until you remove or take ownership of all of that user's files on the volume.
• You can use the Fsutil.exe command to manage quotas from the command prompt.
Quota configurations:
Configuration: State
Disabled: File usage data is not collected and storage space is not limited.
Tracked: File usage data is collected, but storage space is not limited. Users can exceed their quota limit.
Enforced: Warning levels and restrictions are enforced to prevent users from exceeding disk space limitations.
If a user exceeds the quota limit, take one of the following actions:
• Delete files owned by the user.
• Change ownership of files (quota limits are enforced based on owned files).
• Move files to other volumes (quota limits are enforced on a volume or partition basis).
• Increase the quota limit.
You cannot reduce the amount of space used by files by compressing them. Quotas count the uncompressed size of a file toward the quota limit.
File Compression Facts
Keep the following information in mind when working with folder and file compression.
• When you compress a file, Windows makes a copy of the file, compresses it, then replaces the original file with the compressed one.
• When you open a compressed file, Windows decompresses the file. The decompressed file is used by the application.
• You cannot save or copy a compressed folder or file to a disk containing less free space than the folder or file would be uncompressed.
• Compression and encryption cannot be used on folders or files at the same time.
• Apply data compression to files that change size dramatically. For example, bitmap and spreadsheet files compress by a much larger percentage than application or word-processing files.
• Do not compress files that are already compressed using another compression utility.
• Use zipped folders to share compressed files with other computers.
• NTFS compression on volumes with cluster sizes larger than 4 KB is not supported.
Copying and moving files and folders can affect their compressed state. To determine the final state of a file or folder, remember the following rules.
• If you copy or move a compressed file or folder to a non-NTFS partition, the file or folder is uncompressed (other file systems do not support NTFS compression).
• If you copy a compressed file or folder, it inherits the compressed state of the destination folder.
• If you move a compressed file or folder to the same NTFS partition, it retains its compressed state.
• If you move a compressed file or folder to another NTFS partition, it inherits the compressed state of the destination folder.
• If you copy or move a zipped folder, it always remains zipped (regardless of the destination file system).
Compact.exe is a command prompt tool that you can use to set and manage compression. The following table summarizes some options for the Compact.exe command.
Option: Action
/C: Compresses the specified files. Folders are marked with the compressed attribute.
/S: Compresses all subfolders of the specified folder.
/U: Uncompresses the specified files. Folders are marked with the uncompressed attribute.
For example, the following command will compress all files in the C:\Documents\Transfer folder, including all subfolders:
Compact /C C:\Documents\Transfer\*.* /S
Encryption Facts
Keep the following information in mind as you work with EFS.
• You must have Write permission to a folder or file to encrypt it.
• Windows transparently decrypts and encrypts folders and files as users use them.
• You cannot encrypt System or Read-only files.
• Encryption and compression cannot be used on folders or files at the same time.
• If you are having trouble opening encrypted folders or files, make sure you are logged in to the user account that encrypted the folder or file and that you still have permissions for the file.
• In a workgroup, the local Administrator user account is the default recovery agent.
• In a domain, the domain Administrator account is the default recovery agent.
• To recover encrypted files, the files and recovery key need to be on the same computer.
• Without the private key or recovery key, you cannot copy or move an encrypted file. You can, however, back up the files and restore them to the computer where a recovery key is located.
• You can also export the recovery key and import it onto the computer storing the files you want to recover.
• You can add additional authorized users to files (not folders) who will be able to open encrypted files.
• Implement encryption through the file or folder properties. Or, use the Cipher command to encrypt files and folders.
Copying and moving files might change the encrypted state of the file. To determine the final state of a file, remember the following rules.
• If you copy or move an encrypted file or folder to a non-NTFS partition, the file or folder is unencrypted (other file systems do not support encryption).
• If you copy or move an encrypted file to an NTFS partition (either to the same one or to a different one), the file remains encrypted.
• If you copy an unencrypted file to an encrypted folder, the file is encrypted.
• If you move an unencrypted file into an encrypted folder, the file remains unencrypted.
• Encryption is preserved when the file is backed up.
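As an added example (not part of the original notes), this Python model applies the copy/move rules from both lists above (File Compression Facts and the encryption rules just given) to predict a file's compressed and encrypted state after a transfer, including the case where a folder rule would try to set both attributes at once. The volumes and folders are constructed; the choice that encryption takes precedence when the two attributes collide is an assumption of this model.

```python
"""Predict the compressed/encrypted state of a file after a copy or move, applying the
rules listed under File Compression Facts and Encryption Facts. Added example; the
volumes and folders are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Folder:
    volume: str                    # drive letter identifies the partition, e.g. "C:"
    ntfs: bool                     # only NTFS carries the compressed/encrypted attributes
    compressed: bool = False       # folder has the compressed attribute
    encrypted: bool = False        # folder has the encrypt attribute


@dataclass(frozen=True)
class FileState:
    compressed: bool = False
    encrypted: bool = False

    def __post_init__(self):
        if self.compressed and self.encrypted:
            raise ValueError("compression and encryption cannot be used on a file at the same time")


def compressed_after(op, state, src, dst):
    if not dst.ntfs:
        return False                 # other file systems do not support NTFS compression
    if op == "copy":
        return dst.compressed        # a copy inherits the destination folder's state
    if src.volume == dst.volume:
        return state.compressed      # a move within one NTFS partition keeps its state
    return dst.compressed            # a move to another NTFS partition inherits


def encrypted_after(op, state, src, dst):
    if not dst.ntfs:
        return False                 # other file systems do not support EFS
    if state.encrypted:
        return True                  # an encrypted file stays encrypted on copy or move to NTFS
    if op == "copy":
        return dst.encrypted         # copying an unencrypted file into an encrypted folder encrypts it
    return False                     # moving an unencrypted file into an encrypted folder leaves it unencrypted


def transfer(op, state, src, dst):
    """Return the FileState after copying or moving `state` from folder `src` to folder `dst`."""
    if op not in ("copy", "move"):
        raise ValueError(f"unknown operation {op!r}")
    encrypted = encrypted_after(op, state, src, dst)
    compressed = compressed_after(op, state, src, dst)
    # The two attributes are mutually exclusive. Assumption of this model: encryption
    # takes precedence when a destination folder rule would otherwise set both.
    if encrypted:
        compressed = False
    return FileState(compressed=compressed, encrypted=encrypted)


# Constructed folders used below.
C_PLAIN = Folder("C:", ntfs=True)
C_ENC = Folder("C:", ntfs=True, encrypted=True)
D_COMP = Folder("D:", ntfs=True, compressed=True)
E_FAT = Folder("E:", ntfs=False)

if __name__ == "__main__":
    for op in ("copy", "move"):
        print(op, "compressed file C: -> D: (compressed folder):",
              transfer(op, FileState(compressed=True), C_PLAIN, D_COMP))
        print(op, "plain file C: -> C: (encrypted folder):",
              transfer(op, FileState(), C_PLAIN, C_ENC))
```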
Normally, encrypted files are meant to be stored and read on the local computer only. When saving encrypted files on a remote computer, be aware of the following:
• You can only encrypt files stored on remote computers if the computer is trusted for delegation in Active Directory (how to do this is beyond the scope of the course).
• When moving files encrypted on your local system to another computer (for use on that computer), make sure your certificate and private key are available on the other computer. Otherwise, you might be unable to open the file.
• When moving encrypted files to another computer over the network, files are not encrypted while they are in transit. Files might be intercepted as they are transferred. Use IPSec to secure network communications.
Offline Settings
The following table summarizes the offline files settings that can be configured on a shared folder.
Setting: Description
Only the files and programs that users specify will be available offline: Users designate and control which files are available offline.
All files and programs that users open from the share will be automatically available offline: All files users open from the share are available offline. If Optimized for performance is selected, all programs will be automatically cached so that they are available locally.
Files or programs from the share will not be available offline: Users will not be able to store files from the share offline.

Internet Information Services (IIS)
Use IIS to enable:
• Active Desktop
• Internet Printing
• Remote Desktop
• Share folders (Web folders) for access through IE
You should know the following facts about IIS:
• When you install IIS, a default Web site is automatically created.
• By default, all Web content is stored in the \inetpub\wwwroot directory.
• A virtual directory is used to make content outside of the default directory path available through the Web site.
To make content available on your Web site:
• Place content in the \inetpub\wwwroot directory.
• Web share a folder. This creates a virtual directory in the Web site.
IIS Security Facts
You should know the following facts about securing IIS:
• Anonymous access allows Internet users to access public content on a Web site.
• Windows Authentication allows only authorized users to access protected content. Users are logged into a site automatically and transparently while outside connections are blocked.
• Basic authentication sends user credentials in clear text.
• Digest authentication requires users to have a domain user account.
• Blocking access to a web site by domain name, single computer, or IP network number ensures that only desired connections get through.
• IP address restrictions can be configured which either allow all access except for listed addresses, or block all access except listed addresses.

The following table describes the different authentication methods:
Method: Description; Best Use
Anonymous Authentication: Users can access public portions of the site without user names or passwords. Uses the IUSR_computername local user account. Best use: to give public access to resources that require no security.
Basic Authentication: Requires a local or domain user account (the user name and password are sent in clear text). Best use: for non-Windows hosts and clients running any HTTP 1.0 browser.
Digest Authentication: Functions like Basic Authentication. Authenticates using domain accounts with passwords stored using reversible encryption. Passwords are secured. Requires IE 5.0 or higher. IIS must be running on a domain member. Best use: to grant access to resources from public networks.
Advanced Digest Authentication: Is available for user accounts that are part of Active Directory. User names and passwords are stored on a domain controller. Requires IE 5 or better and the HTTP 1.1 protocol. Best use: to grant access to resources from public networks that require more security than Digest Authentication provides.
Integrated Windows Authentication: User information is collected through a challenge/response process during which the user name and password are hashed before being sent across the network. Authenticates using Windows authentication methods (NTLM or Kerberos). Requires Internet Explorer 2.0 or higher (IE 5.0 for Kerberos). Cannot be used through a proxy server. Best use: to grant access to resources on an intranet.
Certificate Authentication: Uses SSL (Secure Sockets Layer) security through user or server certificates or both. (Available only with Certificate Services.) Best use: to allow secure business transactions over the Internet.
.NET Passport Authentication: Allows the use of a single sign-in service through SSL, HTTP redirects, cookies, MS JScript, and symmetric key encryption. Best use: to grant access to various resources over the Internet.

Authentication methods can be applied to the following:
• Server
• Web site
• FTP site
• Virtual Directory
• File
In addition to authentication, you can secure Web content with Web permissions. The following table describes the IIS permissions you can set for Web sites or Web folders:
Permission: Description
Read: View file content and properties.
Write: Modify, delete, or add files or directories; modify file and directory attributes. Typically only enabled on intranets or private sites.
Script Source Access: Users can access the source code for files (requires either Read or Write permission). Combined with Read permission, users can view the source code; combined with Write permission, users can write to the source code. Typically only enabled on developer intranets.
Directory Browsing: View directory contents. When enabled, the Web server returns a listing of the directory contents when it cannot find a default home page to display. Use with Read permission.
Execute Permissions: Controls how scripts and executables run from the Web site. You can allow scripts only, scripts and executables, or prevent either from running.
If Web content is on an NTFS partition, you can also use NTFS permissions to secure content. Keep in mind the following when using NTFS permissions for Web content:
• IIS uses the user account to identify the end user and their permissions. To restrict access for users other than the anonymous user, you must choose an authentication method that uses Windows user accounts.
• When both Web and NTFS permissions are used, the most restrictive permissions take effect.

Web Site Identification
You should know the following facts about managing IIS:
• The default Web site is assigned to All Unassigned IP addresses on port 80.
• By default, a Web site will respond to HTTP requests directed to any IP address configured for the host computer.
• When you configure Web site identification, you can configure it to respond to all addresses or to only a specific address.
• On a server that has multiple IP addresses, each IP address can be used for a different site.
• You can host multiple sites by using different ports for each site.
• You can configure a Web site with a host header to enable it to respond to alternate Web site names. A host header solution requires two parts:
o Configure the host header on the Web site.
o Configure the DNS database to associate the host header name with the IP address.
Printing Facts
The following table lists some key definitions with which you should be familiar.
Term: Definition
Print Server: The computer where printing is established.
Printer: A virtual device inside the print server that can be configured to send output to a printing device.
Print Device: The physical device connected to the print server where print output occurs.
Print Driver: The software that allows the printer to communicate with the print device.
Print Queue: The portion of the hard drive where print jobs are stored before going to the print device.
Printer Port: The means by which a print device connects to a print server (parallel port, serial port, or the printer's NIC).
When you configure printing, you create a logical printer object that references a print device or points to another logical printer on the network. The following table lists the configuration choices to make to configure each type of printer.
Print Device Location: Printer Type; Port Type
Connected to the LPT, USB, or COM port of the local computer: Local printer; LPT, USB, or COM port.
Connected directly to the network through a NIC in the printer: Local printer; TCP/IP port (identify the IP address of the print device NIC).
Connected to the LPT, USB, or COM port of a remote computer (with a shared printer): Network printer; UNC path (\\computername\sharename).
The following table summarizes the permissions that can be assigned to printers. Printer permissions apply to both local and shared printers.
Permission: Allowed Actions
Print: Send print jobs and manage your own documents.
Manage Documents: Manage all documents in the queue.
Manage Printer: Change configuration settings and permissions.

Advanced Print Configuration
Printer Pooling
Printer pooling uses a single printer object to represent multiple print devices. With printer pooling,
• Users send print jobs to a single printer
• The print server decides which print device to send the job to
When creating a printer pool, all print devices in the pool:
• Must be the same model (using the same printer driver)
• Should be in the same physical location (because users won't know which physical device their print job prints on)
Printer pools:
• Speed printing by reducing the time that documents spend waiting for a free print device
• Simplify printer administration because you manage multiple devices through a single printer object

Multiple Printers
Configure multiple printer objects for a single print device to control access to the printer based on job roles. To configure multiple printers:
1. Create multiple printer objects, one per group or user with distinct access.
2. For each printer, configure permissions to restrict access.
3. Fine-tune access by editing the Advanced properties for each printer to set its priority (99 is the highest) and to restrict printer availability.
Managing Printing
The following table summarizes the printing component you would use to complete each configuration task.
To Configure: Edit
Additional drivers for a printer: Printer object properties or print server properties.
Job priority: Print queue, job properties.
Notification: Print server properties.
Permissions: Printer object properties.
Ports: Printer object properties or print server properties.
Sharing: Printer object properties.
Spool file location: Print server properties.

Troubleshooting Printing Facts
You should know the following facts about troubleshooting printing:
• You can take an unreliable printer out of service by changing its properties to not shared.
• Printer queues and the Event Viewer of the assigned print server will offer the best information regarding printer and print job status.
• By default, print spool files are stored in the C: drive of the server, in \Windows\System32\Spool\Printers.
• If the C: drive fills up, then users will be unable to add print jobs to the queue, the queues will stop, and the system may become unstable (because the pagefile also defaults to drive C:).

IPP Facts
You should know the following facts about IPP:
• IPP can be installed after IIS is installed.
• IPP allows users to access printers and print resources across an intranet or through the Internet.
• IPP requires the use of Internet Explorer 4.0 or better.
• Users access printers and print services through a URL (http://servername/printers).
• Use Internet Explorer 4.0 or better to administer IPP printing from any location.
Installer Package Facts
The following table describes the file extensions that are used with installer packages.
File Extension: Description
.msi: A Windows Installer package file. Use the Msiexec command to deploy .msi files; use the /i switch to specify the package file.
.msp: A patch file. An .msp file can be applied to an .msi, but the .msi must be redeployed after the patch is applied.
.mst: A transform file. Transform files are applied when a software package is assigned or published, and they change how .msi files are installed. To apply an .mst to an .msi during deployment, append TRANSFORMS= followed by a list of .mst files to the Msiexec command.
.zap: A file that references a setup program, for example a Setup.exe file on the network.
Using Group Policy, you can either assign or publish software. You can also associate software packages with either users or computers.
• Applications may be published to users, but not to computers. You can assign applications to either users or computers.
• When you publish an application, it does not appear in the user's Start menu. Instead, the user goes to Add/Remove Programs to install the program.
• Assigning software to a computer installs the software when the computer starts up. Users cannot use Add/Remove Programs to remove computer assigned software.
• Assigning software to a user puts a shortcut on the user’s Start menu. The software is automatically installed when the shortcut is clicked.

Software Update Services (SUS) Components
Software Update Services (SUS) is a client-server application that allows you to use a server on your intranet as a centralized point for updating software. Without SUS, clients must communicate with Microsoft's Web site to download and install patches and other updates. With SUS, you can control which updates are installed on network clients.
The following table lists the major SUS components:
Component: Description
SUS on an Internet Information Services (IIS) server: The server-side component of SUS. It synchronizes update information and downloads updates prior to deployment.
SUS Web site: Administrative tasks are done through the SUS Web site. Other than installation and configuration, administrative tasks consist primarily of verifying successful server synchronization and approving updates prior to client distribution.
Automatic Updates: The Automatic Updates client downloads updates from the SUS server (or a Windows Update server). It also installs the updates according to the established parameters.
Group Policy settings: By configuring Windows Update policies in a GPO, you can configure Automatic Updates clients to synchronize with a SUS server rather than a Windows Update server.
SUS offers the following advantages:
• You can control which updates clients in your organization receive.
• Clients receive updates from local servers rather than using Internet links to receive updates.
• You can enforce the application of updates throughout your organization.
SUS works as follows:
1. The SUS server downloads information about available updates from the Microsoft Windows Update Web site. The server can also be configured to download the update content itself.
2. An administrator approves the updates that should be applied to network clients.
3. Clients contact the local SUS server to identify approved updates, then download those updates from the location the SUS administrator chose (the SUS server itself or the Windows Update Web site).


SUS Server Configuration
An SUS server manages the updates that clients can install. To install SUS, download the setup software from the Microsoft Website (it is not on the Windows Server 2003 media). Before installing the software, your server must have IIS installed. During installation, you will need to provide the following two paths:
• The path to the update files. These are the actual files that will be used to update clients. For example, you can choose to leave the update files on the Microsoft Windows Update Web site. In this case, clients will download updates from the Microsoft Web site. Alternatively, you can choose to place the files on the SUS server. In this case, clients will download content from your SUS server.
• The path to the update file metadata. The metadata is information about each update file. You will edit the metadata to control how updates are applied to client systems.
The installation program installs the following components:
• Software Update Synchronization Service (to download content to the SUS server).
• IIS Web site (to service requests from Automatic Update clients).
• SUS administration Web site (where you synchronize the SUS server and approve updates).
After installation, use a Web browser and go to http://SUSservername/SUSadmin to manage the SUS server. SUS administration consists of three tasks:
• Configuring SUS server settings.
• Synchronizing updates (downloading updates from the Microsoft update Web site).
• Approving updates (identifying which updates to deliver to clients and configuring how those updates will be applied).
SUS Client Configuration
Each client computer must have the Windows Automatic Updates client software to utilize automatic updates. This software is included automatically with Windows Server 2003, Windows XP Service Pack 1, and Windows 2000 Service Pack 3. It can be added to other operating systems as a special download.
Client computers will communicate with an SUS server to identify available updates. You can customize which server the clients use to receive updates. By default, clients contact the Microsoft Web site. For a custom solution, configure clients to contact your SUS server.
You can also customize how clients download updates:
• Automatic: downloads arrive without user intervention or notification.
• Notification: the system waits for a user with administrator credentials to log on, then announces the available downloads in a balloon above the System Tray.
You can also customize what the client does with the updates after they are downloaded:
• Automatic (Scheduled): upon successful download, an event is registered in the System event log. A user with local administrative privileges who logs on can install the updates manually any time before the scheduled installation time. At the scheduled installation time, a local administrator can cancel the installation, delaying it until the next scheduled time; a non-administrator receives a warning message but cannot delay the installation. If no one is logged on, the installation occurs automatically.
• Notification: upon successful download, an event is registered in the System event log. When a user with local administrative privileges logs on, the user can install the updates manually.
The easiest way to configure client settings is to use Group Policy to distribute the server name and other update parameters. The Automatic Updates policies are:
• Configure Automatic Updates: chooses among three behaviors for the Automatic Updates client: Notify for download and notify for install; Auto download and notify for install; Auto download and schedule the install (with a scheduled day and time). Setting the policy to Disabled turns Automatic Updates off.
• Reschedule Automatic Updates Scheduled Installations: if a client is turned off at the scheduled installation time, by default the installation waits for the next scheduled time. This policy instead runs the missed installation between 1 and 60 minutes after the system starts up.
• No Auto-Restart For Scheduled Automatic Updates Installations: lets Automatic Updates skip a required restart while a user is logged on. The user is notified that a restart is required but is not forced to restart; the update is not fully in effect until the restart happens.
• Specify Intranet Microsoft Update Service Location: redirects clients from the Microsoft Windows Update servers to a SUS server on your network. The same policy names an intranet statistics server (any server on the network running IIS) to which clients report their update status; those reports appear in that server's IIS logs under %Windir%\System32\Logfiles\W3svc1.
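The four policies above are written to the client as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey); the quickest way to verify what a client actually received is to read those values back. The PowerShell script below is an added example for this page, not part of the original notes or of SUS itself. It assumes PowerShell is available on the client (installable on Windows Server 2003 and XP, built in on later versions, where the same values drive the WSUS client), and the server URL and function names are placeholders of its own.

```powershell
# Added example: audit what the Automatic Updates policies actually wrote to a
# client. The registry paths and value names are the documented ones the
# Automatic Updates client reads; the expected server URL is a placeholder.
$ExpectedServer = 'http://sus01.corp.example'   # assumption: your SUS server URL

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# AUOptions values for the three "Configure Automatic Updates" choices.
$auOptionNames = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
}

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is not configured.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-AutomaticUpdatesPolicy([string]$ExpectedServer) {
    $findings = @()
    $server   = Get-PolicyValue $wuKey 'WUServer'           # Specify Intranet ... Service Location
    $stats    = Get-PolicyValue $wuKey 'WUStatusServer'     # statistics (logging) server, same policy
    $useWU    = Get-PolicyValue $auKey 'UseWUServer'
    $noAuto   = Get-PolicyValue $auKey 'NoAutoUpdate'       # Configure Automatic Updates = Disabled
    $options  = Get-PolicyValue $auKey 'AUOptions'          # Configure Automatic Updates choice
    $noReboot = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
    $wait     = Get-PolicyValue $auKey 'RescheduleWaitTime' # minutes after startup, 1-60

    if ($useWU -ne 1 -or -not $server) {
        $findings += 'Not redirected to an intranet server: the client will use Windows Update directly.'
    } elseif ($server -ne $ExpectedServer) {
        # The client trusts whichever server it is pointed at for its list of approved updates.
        $findings += "WUServer is '$server', expected '$ExpectedServer'."
    }
    if ($server -and $server -notmatch '^https://') {
        $findings += "WUServer '$server' is plain HTTP: the approval list and metadata are not protected in transit (packages are still signature-checked)."
    }
    if ($stats -and $stats -ne $server) {
        $findings += "Status reports go to '$stats', a different host than the update server."
    }
    if ($noAuto -eq 1) {
        $findings += 'Automatic Updates is disabled by policy.'
    } elseif ($options -eq $null) {
        $findings += 'Configure Automatic Updates is not set; local settings (or none) apply.'
    } elseif (-not $auOptionNames.ContainsKey([int]$options)) {
        $findings += "AUOptions has unexpected value $options."
    } elseif ([int]$options -ne 4) {
        $findings += "Install mode is '$($auOptionNames[[int]$options])': updates wait for an administrator to act."
    }
    if ($noReboot -eq 1) {
        $findings += 'NoAutoRebootWithLoggedOnUsers is set: a patch that needs a restart is not in effect until the user reboots.'
    }
    if ($wait -ne $null -and ($wait -lt 1 -or $wait -gt 60)) {
        $findings += "RescheduleWaitTime $wait is outside the 1-60 minute range the policy allows."
    }
    return $findings
}

$result = @(Test-AutomaticUpdatesPolicy $ExpectedServer)
if ($result.Count -eq 0) { 'Automatic Updates policy matches the baseline.' } else { $result }
```

Run it on a domain member after gpupdate; a client that reports "not redirected" or an unexpected WUServer is taking its approval list from somewhere other than your SUS server, which is the first thing to check when a machine misses approved patches.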
SUS Infrastructure Design
Software Update Services (SUS) offers you great flexibility in designing where updates are stored and who controls which updates are approved. You can also configure multiple servers within your organization to distribute the load or customize the list of approved updates.
Approve updates locally, download content from Microsoft
• Characteristics: the local SUS server downloads update metadata (information about available updates) from the Windows Update Web site. An administrator approves applicable updates. Clients identify approved updates using the local SUS server but download the content from the Windows Update Web site.
• Use when all clients have a fast Internet connection and Internet link usage is not a concern.
Approve updates locally, download content locally
• Characteristics: the local SUS server downloads update metadata and synchronizes the update installation files from the Windows Update Web site. An administrator approves applicable updates. Clients identify approved updates using the local SUS server and download the updates from the local server.
• Use to minimize downloads through an Internet link (updates are downloaded through the Internet only once), and when Internet links are slow or unreliable.
Multiple server topology
• Characteristics: place a SUS server in each location. Each SUS server synchronizes content from the Windows Update Web site. An administrator at each location approves updates for the local clients. Clients receive updates from the nearest SUS server.
• Use when each location has different approved update needs, or when your organization has multiple sites with their own Internet connections.
Centralized client/server topology
• Characteristics: configure one SUS server to synchronize content with the Windows Update Web site and configure the list of approved updates on that central server. Configure additional servers to synchronize both update content and the approved list from the central server. Clients receive updates from the nearest SUS server.
• Use in a large organization to enforce consistent update policies (local SUS servers receive the list of approved updates from the central server).
Decentralized client/server topology
• Characteristics: configure one SUS server to synchronize update content with the Windows Update Web site. Configure additional servers to synchronize update content (but not approvals) from the central server, and configure a list of approved updates on each SUS server. Clients receive updates from the SUS server that holds the approvals that apply to them.
• Use to minimize downloading of update content while allowing different sites or organizations to maintain their own lists of approved updates.

SUS Facts
You should know the following facts about SUS:
• SUS is not available through the Windows Server 2003 installation media. Download the SUS server software from the Microsoft Web site.
• Software Update Services allows you to configure the distribution of operating system patches for clients, including ones related to security.
• GPO settings for configuring Windows Automatic Updates are stored in the Wuau.adm template. Windows Server 2003 includes it; on an older computer used to configure Group Policy, copy the template file from the SUS server into that computer's %systemroot%\inf folder.
• To prevent clients from using Windows Update, edit Group Policy settings to prevent users from manually downloading patches.
• SUS with Service Pack 1 does not support 64-bit versions of Windows.
• Software Update Services does not support updating drivers, although the Automatic Updates client will detect and report them. You must install drivers manually from Windows Update.
• Software Update Service only distributes patches for the operating system. You can't use Software Update Services to distribute patches for anything else, including other Microsoft products. However, you can use a software distribution policy (or Systems Management Server) to distribute application updates.
• The NoAutoRebootWithLoggedOnUsers policy setting will allow logged on users to avoid rebooting after a service pack installation (although the service pack installation won't be completed until the next restart.)
• The SUS server synchronizes updates from the Windows Update servers; an administrator approves them on the SUS server before clients can install them.
• Clients of SUS need the Automatic Updates Client (Wuau22.msi) which can be deployed through group policy.
• Clients also need to be redirected from Windows Update to the SUS server through a GPO.
Account Policies Facts
• Account policies control password and logon (account lockout) properties. For a computer in a workgroup the settings in the local GPO apply; for a domain member the settings in the domain GPO apply. For domain accounts only the domain-level policy counts (password and lockout policy is set per domain, not per OU). Policy settings are applied to the computer, not the user.
• The password settings are:
• Enforce password history: requires users to choose passwords that differ from their previous ones; the system remembers up to 24 passwords.
• Maximum password age: forces the user to change the password after a given number of days.
• Minimum password age: keeps users from changing passwords again immediately. Without it a user could cycle through enough throwaway passwords to defeat the password history and return to a preferred password.
• Minimum password length: rejects passwords that are too short.
• Password must meet complexity requirements: the password must be at least six characters long, contain characters from at least three of these categories: uppercase letters, lowercase letters, digits, and non-alphanumeric symbols (for example ! @ # $ % ^ & *), and may not contain the user's account name or parts of the full name. The built-in filter does not check for dictionary words.
• Store passwords using reversible encryption: stores passwords in a form the system can decrypt, which is equivalent to storing them in clear text. Leave it disabled unless an application protocol (such as CHAP) requires it, and then enable it only on the accounts that need it.
• Use account lockout to protect user accounts from password guessing and to stop an account from being used while a guessing attempt is in progress. Note that an attacker who knows account names can use the lockout threshold to lock users out deliberately (a denial of service), so set the threshold high enough to tolerate typing mistakes. The account lockout settings are:
• Account lockout duration: the length of time the account stays locked. When set to 0, the account stays locked until an administrator unlocks it.
• Account lockout threshold: the number of failed logon attempts allowed before the account is locked; 0 means accounts are never locked.
• Reset account lockout counter after: the time that must pass after a failed attempt before the failed-attempt counter resets to 0; it must be less than or equal to the lockout duration.
Auditing Facts
You can configure the following audit policies in Group Policy (each category can audit success, failure, or both):
• Account logon events: a logon through a user account. Recorded by the local computer for a local account and by the domain controller for an Active Directory account.
• Account management: adding, renaming, disabling/enabling, or deleting a user account, or changing its password.
• Logon events: logging on to or off of the local system, or making a network connection to the local computer.
• Object access: access to files, folders, printers, and other objects. Entries are generated only for objects on which you have configured auditing entries (a SACL).
• Policy change: changes to audit policy, user rights assignments, or trust relationships.
• Privilege use: a user exercises a user right (for example, an administrator takes ownership of an object).
• Process tracking: an application performs an action (process start and exit). Used mainly for program debugging and tracking; it generates a large volume of entries.
• System events: shutdown, restart, service starts, or an event that affects security or the Security log.
Keep in mind the following about configuring auditing:
• Auditing can be enabled to log successful or failed events (or both).
• Because auditing consumes system resources and might result in a lot of generated data, enable auditing only on the events you are interested in.
• View audit entries in the Event Viewer Security log.
• Set the CrashOnAuditFail registry value (under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) so that the system halts when it cannot write to the Security log; after the restart only administrators can log on until the value is reset and the log is cleared or enlarged. Use it only where a gap in the audit trail is worse than an outage.
• To monitor a domain for unauthorized user access, configure the domain with a group policy to Audit Logon Events.
• For file auditing to occur, the files must be on NTFS partitions.
• With auditing configured, clearing the Security log itself generates an event (ID 517 on Windows 2000/2003) identifying when the log was cleared and by whom.
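To make the Audit Logon Events bullet concrete, the following PowerShell script (an added example, not from the original notes) parses Security log entries for bursts of failed logons against one account from one workstation and for log-clearing events. The event IDs are the classic Windows 2000/2003 ones (529, 539, 517); the sample entries are constructed for the example, and the function names are its own. It assumes PowerShell 2.0 or later; on a live server, feed it the output of Get-EventLog -LogName Security.

```powershell
# Added example: detection logic over Security log entries. Event IDs are the
# Windows 2000/2003 ones: 529 = logon failure (bad user name or password),
# 539 = logon failure (account locked out), 517 = audit log cleared.
# Windows Vista and later log 4625 and 1102 instead. The sample entries below
# are constructed; against a real server use Get-EventLog output.

function ConvertFrom-SecurityEvent($Entry) {
    # Pull the account and workstation out of the classic tab-separated message text.
    $acct = '?'; $ws = '?'
    if ($Entry.EventID -eq 517) {
        if ($Entry.Message -match 'Client User Name:\s*(\S+)') { $acct = $matches[1] }
    } elseif ($Entry.Message -match 'User Name:\s*(\S+)') { $acct = $matches[1] }
    if ($Entry.Message -match 'Workstation Name:\s*(\S+)') { $ws = $matches[1] }
    New-Object PSObject -Property @{
        Time = $Entry.TimeGenerated; EventID = $Entry.EventID
        Account = $acct; Workstation = $ws; Key = "$acct from $ws"
    }
}

function Find-LogonAttacks($Entries, [int]$Threshold = 5, [int]$WindowMinutes = 10) {
    $findings = @()
    $parsed = @($Entries | ForEach-Object { ConvertFrom-SecurityEvent $_ })

    # A cleared Security log is always a finding: it hides everything before it.
    foreach ($e in @($parsed | Where-Object { $_.EventID -eq 517 })) {
        $findings += "Security log cleared at $($e.Time) by $($e.Account)"
    }

    # Password guessing: $Threshold failures for one account from one workstation
    # inside $WindowMinutes, found with a sliding window over the sorted times.
    $fails = @($parsed | Where-Object { $_.EventID -eq 529 -or $_.EventID -eq 539 })
    foreach ($g in @($fails | Group-Object -Property Key)) {
        $times = @($g.Group | Sort-Object -Property Time | ForEach-Object { $_.Time })
        for ($i = 0; ($i + $Threshold - 1) -lt $times.Count; $i++) {
            $span = ($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes
            if ($span -le $WindowMinutes) {
                $findings += "$Threshold or more failed logons for $($g.Name) within $WindowMinutes min, starting $($times[$i])"
                break
            }
        }
    }
    return $findings
}

# Constructed sample entries shaped like System.Diagnostics.EventLogEntry:
# eight bad-password attempts 20 s apart, one success, then the log is cleared.
$base = Get-Date '2004-03-01 09:00:00'
function New-SampleEntry($Offset, $Id, $Msg) {
    New-Object PSObject -Property @{ TimeGenerated = $base.AddSeconds($Offset); EventID = $Id; Message = $Msg }
}
$failMsg = "Logon Failure:`r`n`tReason:`tUnknown user name or bad password`r`n`tUser Name:`tjsmith`r`n`tDomain:`tCORP`r`n`tWorkstation Name:`tWS-017"
$sample = @()
foreach ($n in 0..7) { $sample += New-SampleEntry ($n * 20) 529 $failMsg }
$sample += New-SampleEntry 600 528 "Successful Logon:`r`n`tUser Name:`tjsmith`r`n`tWorkstation Name:`tWS-017"
$sample += New-SampleEntry 900 517 "The audit log was cleared`r`n`tPrimary User Name:`tSYSTEM`r`n`tClient User Name:`tjsmith"
Find-LogonAttacks $sample

# Live use (run as an administrator; -Newest bounds the read):
# Find-LogonAttacks (Get-EventLog -LogName Security -Newest 5000)
```

On the constructed sample the script reports two findings: the burst of 529 entries for jsmith from WS-017 and the 517 clear. The threshold and window are deliberately looser than a typical lockout policy so that guessing that stays under the lockout threshold is still noticed.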




Security Template Facts
Windows provides the following predefined security templates:
• Setup Security.inf: created specifically for each computer during setup, so it differs depending on whether the installation was clean or an upgrade. Contains the default security settings applied during installation, including the default file permissions for the system drive root. Used on workstations and servers (not on domain controllers). Should not be applied through Group Policy.
• DC Security.inf: created when a server is promoted to a domain controller. Holds the default security settings for files, the registry, and system services.
• Secure*.inf: secures a system without causing application or compatibility issues. Securews.inf can be applied to a workstation or a server; Securedc.inf can be applied to a domain controller.
• Hisec*.inf: specifies additional security settings beyond the Secure templates. Hisecws.inf can be applied to a workstation or a server; Hisecdc.inf can be applied to a domain controller.
• Compatws.inf: relaxes file and registry permissions for the Users group so that legacy applications run without making users members of Power Users. Should not be applied to domain controllers.
Use the Security Configuration and Analysis snap-in to manage security templates, analyze current settings, create custom templates, or import an existing template. When working with templates:
• Analyze the computer against a template to see how its current settings differ from the template before you apply anything.
• Select "Clear this database before importing" when importing a template so that settings from a previously imported template are not merged into the new analysis.
• After applying a secure template, you might need to restore group memberships in the Administrators or Power Users group (the templates reset restricted groups).
• You can also use the Secedit command to analyze and apply templates.
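One way to check the Account Policies settings listed earlier, and to put the Secedit command mentioned in the bullet above to work, is to export the effective policy with secedit and compare it against a baseline. The PowerShell script below is an added example, not from the original notes; the [System Access] value names are those secedit writes, while the baseline numbers, the sample export text, and the function names are this example's own assumptions.

```powershell
# Added example: check the password and lockout settings against a baseline by
# parsing a secedit export of the current policy. The [System Access] key names
# are the ones secedit writes; the baseline values and the sample INF text are
# this example's own (the sample represents a weakly configured server).

function ConvertFrom-SecurityInf([string[]]$Lines) {
    # Parse "[Section]" headers and "Name = Value" pairs into a nested hashtable.
    $result = @{}; $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $matches[1]; $result[$section] = @{}; continue }
        if ($section -and $t -match '^([^=]+?)\s*=\s*(.*)$') { $result[$section][$matches[1]] = $matches[2] }
    }
    return $result
}

# Baseline (assumed): Min/Max bounds per value. MaximumPasswordAge = -1 means
# "never expires", which the Min of 1 catches.
$Baseline = @{
    PasswordHistorySize   = @{ Min = 24 }
    MaximumPasswordAge    = @{ Min = 1; Max = 90 }
    MinimumPasswordAge    = @{ Min = 1 }
    MinimumPasswordLength = @{ Min = 8 }
    PasswordComplexity    = @{ Min = 1; Max = 1 }
    ClearTextPassword     = @{ Min = 0; Max = 0 }   # reversible encryption must be off
    LockoutBadCount       = @{ Min = 1; Max = 10 }  # 0 = never lock out
    ResetLockoutCount     = @{ Min = 15 }
    LockoutDuration       = @{ Min = 15 }
}

function Test-AccountPolicy($Policy, $Baseline) {
    $findings = @()
    $sa = $Policy['System Access']
    if (-not $sa) { return @('No [System Access] section: not a secedit export?') }
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        if (-not $sa.ContainsKey($name)) { $findings += "$name not set"; continue }
        $value = [int]$sa[$name]
        # secedit writes -1 for "locked until an administrator unlocks it"
        # (shown as 0 in the GUI); that is stronger than any finite duration.
        if ($name -eq 'LockoutDuration' -and $value -eq -1) { continue }
        $rule = $Baseline[$name]
        if ($rule.ContainsKey('Min') -and $value -lt $rule.Min) { $findings += "$name = $value (below $($rule.Min))" }
        if ($rule.ContainsKey('Max') -and $value -gt $rule.Max) { $findings += "$name = $value (above $($rule.Max))" }
    }
    return $findings
}

# Constructed sample of a secedit export from a weakly configured server.
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@
Test-AccountPolicy (ConvertFrom-SecurityInf ($sampleInf -split "`r?`n")) $Baseline

# On a live system (as an administrator): export the effective local policy, then check it.
#   secedit /export /cfg C:\Temp\current.inf /areas SECURITYPOLICY
#   Test-AccountPolicy (ConvertFrom-SecurityInf (Get-Content C:\Temp\current.inf)) $Baseline
# To compare the computer against a whole predefined template instead:
#   secedit /analyze /db C:\Temp\check.sdb /cfg "$env:windir\security\templates\securews.inf" /log C:\Temp\check.log
```

On the sample export the check flags five values (lockout threshold, minimum age, minimum length, complexity, and history all at 0). Because the parser only reads the INF text, the same function can be pointed at any of the predefined templates to see what a template would enforce before applying it.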
You should also know the following facts about security analysis:
• The Microsoft Baseline Security Analyzer (MBSA) will tell you which patches are installed, and which approved ones are missing, on a particular computer.
• You should also verify that patches have not been applied manually outside the SUS process.
• Check the Windows Update log (%systemroot%\Windows Update.log) to see whether a patch came from the SUS server or from the Windows Update Web site.

Event Facts
You should know the following facts about events:
• The System log records informational, warning, and error messages; error messages are the most serious, followed by warnings.
• The default extension for saved logs is .Evt.
• Shutdown events have an event ID 1074.
• Event Viewer is the location where most errors and warnings are logged.
• The File Replication Services log lists errors or events related to the copying of information between domain controllers during a replication cycle. This log is available through Event Viewer on Windows Server 2003 machines that function as domain controllers.
• Examine the Security Log to find the results for system audits.
• Additional logs (such as the DNS Log) are added when you install various services.
Monitoring Performance Facts
You should know the following facts about monitoring system performance:
• Task Manager shows a summary of a system's performance.
• System Monitor measures the performance of a workstation or other workstations on a network.
• You can configure an automatic schedule of monitoring.
• A System Idle process near 100% may indicate a connectivity problem with a server.
• The Performance tool is capable of monitoring remote computers. Monitoring of server performance should be done from a computer other than the server.
• If you aren't sure what a specific counter or measure is used for, select it and click the Explain button.
• The Performance Logs and Alerts console in the Performance tools can be configured to trigger an alert when certain thresholds are reached.
• The Report View presents counters in a hierarchical display using words, not graphical representations.
• Run WinMSD (which opens System Information, msinfo32) from a command prompt to view configuration details such as the Internet Settings category.





Counters and Values to Watch
• The major objects and the counter values to watch are:
• Processor (CPU performance): % Processor Time should stay below 80% sustained.
• PhysicalDisk (how each physical disk is performing: reads, writes, and queued requests): a sustained Avg. Disk Queue Length above 2 times the number of physical drives behind the volume indicates a disk bottleneck; watch % Disk Time alongside it.
• Memory (RAM performance): Pages/sec should be as close to 0 as possible; a sustained high value means the system is paging because it is short of RAM.
• Network Interface (performance of the system on the network): Bytes Total/sec should stay well below the network capacity.
Volume Shadow Copy Services (VSS)
VSS is a component of the backup system that takes a point-in-time snapshot of files on the disk. By enabling VSS, you can recover lost (deleted) files and back up open files.
You enable VSS on a volume through Explorer. After VSS is enabled, all shared folders on the volume will be shadow copied. You can customize where files are copied to, the limit that copied files can take up, and the interval at which copies will be made.
Through shadow copies, you can recover lost, damaged, or overwritten files by accessing the previous versions of the files cached by the server. The Previous Versions tab in the Properties dialog box of a folder or file lists the previous copies you can access. The Previous Versions tab is available under the following circumstances:
• Shadow Copies must be enabled on the server.
• The client must have the Shadow Copy client software (installed to the %systemroot%\System32\Clients\Twclient\x86 folder on the Windows Server 2003 system).
• You must access the file's properties through a shared folder (if you access the properties of a file on the local machine, the Previous Versions tab won't be available, even if the file is shared and VSS is running).
System Recovery Facts
Windows offers you several different ways to recover from a system failure. The methods below are listed in the general order in which you would try them when recovering a system:
• Driver Rollback: uninstalls a recent driver change and reverts to the previous version. In Device Manager, open the properties of the device and use Roll Back Driver.
• Last Known Good Configuration: reboots the system with the registry control set that was saved at the last successful logon, undoing driver and service configuration changes made since then. It only helps if nobody has logged on successfully since the change, because a successful logon overwrites the Last Known Good control set.
• Safe Mode: boots Windows with a minimal set of drivers and services. Press F8 during boot to enter Safe Mode. After booting into Safe Mode, use Device Manager to roll back drivers, disable devices, uninstall devices, or reinstall or update drivers.
• Recovery Console: a command-line interface. Install it ahead of time by running winnt32.exe /cmdcons from the Windows Server 2003 CD (it can also be started from the CD at repair time). Use it to repair the boot sector (fixboot) or master boot record (fixmbr), remove or replace system files, and partition disks (diskpart).
• Automated System Recovery: restores the Windows Server 2003 operating system files and drivers and then restores the files from the ASR backup set.
Keep in mind the following facts about using Automated System Recovery (ASR).
• You need an ASR backup tape set and a Windows 2003 Server CD to restore a system.
• Use the ASR diskette with a valid backup to restore the system.
• The ASR diskette is a boot diskette that contains limited system configuration information. The rest of the information is on the backup tape.
• The ASR diskette contains the Asr.sif and Asrpnp.sif files. Copies of these files are placed on the system so you can copy them manually.
• To restore a system, press the F2 key when prompted and insert the ASR floppy disk. ASR will restore disk configurations and install the original operating system software.
