
Windows Advanced server

Nutshell:
Microsoft
Advanced Server
Date of course: _____________________________________

Name of Student: ___________________________________
Rev 1.2

Created by Michael March
Contact Information: michaelmarch@gmail.com

Not to be reused or copied in any way without the explicit written agreement between Michael March and the requester, until such permission is granted.
Contents
Network Monitor and System Monitor
IP Addressing Facts
Troubleshooting TCP/IP
DHCP Authorization
DHCP Scope Facts
DHCP Option Facts
DHCP Server Backup and Recovery
Troubleshooting DHCP
DNS Name Resolution Process
DNS facts
Zone Types
Common Resource Records
Dynamic DNS Facts
AD-Integrated Zone Facts
Root Hint Facts
DNS Design Guidelines
DNS Solutions
DNS Troubleshooting Tools
Remote Access Facts
Troubleshooting Demand Dial Routing
NAT Facts
DHCP Relay Agent Facts
Common Port Numbers
Firewall and Proxy Facts
VPN Protocols
IPSec Facts
Preconfigured Templates
Template Facts
Microsoft Baseline Security Analyzer
Security Principles Facts
Services Facts
SUS Facts
WSUS Facts


Network Monitor and System Monitor
Two common tools, Network Monitor and System Monitor, are useful in monitoring your system. While both can be used to gather some information related to network performance, Network Monitor is the tool you will use most often to analyze network traffic and gather information about communication between two computers. The following table compares the features of Network Monitor and System Monitor.

Data collected
  Network Monitor: Captures packets (or packet fragments) and their contents. Reports statistics about network traffic.
  System Monitor: Monitors system statistics, producing counters and charts of system performance. Monitors local system components including disk, processor, memory, and network statistics.
Data reports
  Network Monitor: View contents of sent and received packets. View network traffic statistics.
  System Monitor: View graphs of system performance and counters.
Event tracking
  Network Monitor: Configure triggers to stop capture or execute a command based on a specific network traffic event (or packet type).
  System Monitor: Configure alerts to log an entry, send a message, or run a program when a counter reaches a specific threshold.
Identifying captured data
  Network Monitor: Configure filters to capture only specific packets or to display only certain packets.
  System Monitor: Select objects and counters to identify the statistics you want to track.

You should know the following facts about Network Monitor:
• The free version of Network Monitor that comes with Windows can only monitor traffic to and from the local computer.
• To capture all network packets, use the SMS version of Network Monitor.
• Even when using the SMS version, you cannot capture packets sent to other computers on other segments through a switch. (Switched traffic is only sent to the segment where the destination computer sits.)
• Use Dedicated Capture mode with Network Monitor to ensure you capture all packets.


IP Addressing Facts
The following table lists the default IP addressing classes and masks:
Class Address Range Default Mask
A 1.0.0.0 to 126.255.255.255 255.0.0.0
B 128.0.0.0 to 191.255.255.255 255.255.0.0
C 192.0.0.0 to 223.255.255.255 255.255.255.0
D 224.0.0.0 to 239.255.255.255 (multicast addresses)
E 240.0.0.0 to 255.255.255.255 (experimental addresses)

You should also know the following address ranges that are reserved for private addresses. Use these addresses on a private network that is connected to the Internet through a network address translation (NAT) router.
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
Keep in mind the following facts about IP addresses:
The first address in a range on the subnet is the subnet address. Typically, this address is not assigned to hosts.
The last address in a range on the subnet is the broadcast address. Typically, this address is not assigned to hosts.
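As an added example (not part of the original course notes), the Python below applies the class table and the reserved ranges above to an address and mask: it derives the subnet and broadcast addresses, and flags private and APIPA addresses (the APIPA range is covered under TCP/IP troubleshooting). The function names and sample addresses are my own.

```python
import ipaddress
from typing import Optional

# Reserved ranges from the tables above: the three private blocks used behind a
# NAT router, and the APIPA block a client assigns itself when no DHCP server
# answers (see Troubleshooting TCP/IP).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")

# Classful ranges (by first octet) and default masks, as in the class table.
CLASS_TABLE = [
    ("A", 1, 126, "255.0.0.0"),
    ("B", 128, 191, "255.255.0.0"),
    ("C", 192, 223, "255.255.255.0"),
    ("D", 224, 239, None),   # multicast: no host mask
    ("E", 240, 255, None),   # experimental: no host mask
]


def address_class(ip: str):
    """Return (class letter, default mask) for a dotted-quad IPv4 address.

    0.x.x.x and 127.x.x.x are outside the classful table and return (None, None).
    """
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    for letter, low, high, mask in CLASS_TABLE:
        if low <= first_octet <= high:
            return letter, mask
    return None, None


def describe(ip: str, mask: Optional[str] = None) -> dict:
    """Summarise an address the way you would read it from Ipconfig /all.

    If no mask is given, the classful default mask is assumed, so a class D/E
    address (or 127.x.x.x) needs an explicit mask.
    """
    letter, default_mask = address_class(ip)
    mask = mask or default_mask
    if mask is None:
        raise ValueError(f"{ip} has no default mask; pass one explicitly")
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    return {
        "class": letter,
        "mask": str(net.netmask),
        "prefix_length": net.prefixlen,
        "subnet_address": str(net.network_address),
        "broadcast_address": str(net.broadcast_address),
        # first and last addresses of the range are not assigned to hosts
        "usable_hosts": max(net.num_addresses - 2, 0),
        "is_subnet_or_broadcast": iface.ip in (net.network_address, net.broadcast_address),
        "is_private": any(iface.ip in r for r in PRIVATE_RANGES),
        "is_apipa": iface.ip in APIPA_RANGE,
    }


if __name__ == "__main__":
    # Constructed sample addresses.
    for ip, mask in [("172.20.5.130", "255.255.255.192"), ("192.168.1.0", None),
                     ("169.254.10.7", None), ("8.8.8.8", None)]:
        print(ip, describe(ip, mask))
```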
Troubleshooting TCP/IP
Use the following tips to troubleshoot TCP/IP:
Use Ipconfig /all to verify your IP address, subnet mask, default gateway, and other IP configuration values.
If the IP address is in the APIPA range (169.254.0.0 to 169.254.255.254), the computer could not contact a DHCP server. Use Ipconfig /renew to try contacting the DHCP server again.

Use Ping (Packet Internet Groper) to send small packets to a computer to see if the computer responds. Microsoft recommends the following use of Ping:

• Ping the loopback address (127.0.0.1). This verifies that the TCP/IP protocol stack has been properly installed.

• Ping the local IP address assigned to the machine. This verifies communication to the NIC.

• Ping the default gateway. This verifies connectivity to the default gateway or to another machine on the local network. This verifies that the local network is accessible.
• Ping a remote host. This checks the connectivity between the default gateway and the remote host.

Use Tracert to see the route packets take through an internetwork between two devices.
Use Pathping to view the route of the connection and the connectivity response time. This can help identify where communication latency occurs.
Use the Arp -d * command to remove all dynamic ARP entries from the ARP list. (Arp -d clears the ARP cache.)
Use the Windows system logs to track DHCP service startup and shutdown as well as critical errors.
DHCP Authorization
Be aware of the following facts about DHCP server authorization.
Authorization is required if you are using Active Directory; no authorization is required, however, for a standalone server.
When you authorize a DHCP server, its IP address is added to a list of authorized DHCP servers maintained in Active Directory.
When a DHCP server starts, its IP address is compared to the Active Directory list. If it is found, the server is allowed to issue IP addresses. If it is not found, the server is not allowed to issue IP addresses, and the server does not respond to DHCP requests.
Only Windows 2000 or Windows 2003 servers check for authorization.
You can authorize a server before DHCP is installed.

Rogue DHCP servers running other operating systems (like Unix, NetWare, or Windows NT) do not check for authorization before assigning addresses.
A Windows DHCP server checks for authorization when it boots and rechecks its authorization every five minutes.
You must be a member of the Enterprise Admins group to authorize a server.
In some cases, when you install DHCP on a domain controller, it will be authorized automatically.
When you install DHCP, the server is added automatically to the DHCP console on the local machine. When it is installed on another machine, you must add it manually to the local DHCP console.
DHCP Scope Facts
You should know the following facts about DHCP scopes:
• Use exclusions to prevent the DHCP server from assigning certain IP addresses. For example, exclude any IP addresses for devices that are not DHCP clients.

• Use reservations to make sure a client gets the same IP address each time from the DHCP server. The reservation associates the MAC address with the IP address the client should receive. For example, use a reservation for servers and printers to keep their IP addresses consistent while still assigning the addresses dynamically.

• When using reservations, do not exclude the addresses you want to assign.

• To change the subnet mask used by a scope, you must delete and recreate the scope. You cannot selectively change the subnet mask in an existing DHCP scope.

• The scope must be activated before the DHCP server will assign addresses to clients.
DHCP Option Facts
Through DHCP, you can deliver a wide range of TCP/IP configuration parameters (not just the IP address and mask). Additional parameters are delivered by configuring DHCP options. Options can be set at the following levels:
• Server. Options set on the server are delivered to all clients of that DHCP server.

• Scope. Options set on the scope are delivered to all computers that obtain an IP address from within the scope.

• Class. A class defines a group of computers that share common characteristics. For example, the vendor class can be used to deliver options to Microsoft Windows clients. Class options are delivered to all computers within the class.

• Reserved client. Options set on a reservation are delivered to the specific client.

Options are applied in the order listed above. If conflicting settings are delivered, the last parameters delivered will take precedence over the previous settings.
Common options include:
• 003 Router, the IP address of the default router (the default gateway)
• 006 DNS Servers, the IP address of DNS server or servers
• 015 DNS Domain Name, the domain that the client belongs to; used to update DNS server
• 044 WINS/NBNS Servers, the IP address of WINS server or servers
• 046 WINS/NBT Node Type, controls the order in which a client uses NetBIOS name servers




DHCP Server Backup and Recovery
To move the DHCP service from one server to another, you must perform operations on the source and destination machines.
Source machine:
• In DHCP Console, back up DHCP. The backup includes:
  • Scopes, exclusions, and reservations.
  • DHCP configurations.
  • DHCP-related registry settings.
• Stop and disable the DHCP service.
• Copy the DHCP backup files to the destination machine.

On the destination machine:
• Install DHCP.
• Stop the DHCP service.
• In DHCP Console, restore the DHCP backup files.
• Verify the DHCP configuration and start DHCP.

Troubleshooting DHCP

For a Windows 2003 Server DHCP server to deliver IP addresses, the following conditions must be met:
• The server must be authorized.
• The DHCP service must be running (the DHCP server is started).
• The scope must be started.
• There must be IP addresses in the scope that are free to be assigned, or a reservation for the client must be defined.
• The client must be configured to receive its IP address from the DHCP server.

One useful tool for troubleshooting and fixing DHCP lease problems is Ipconfig. The following table lists the command switches useful in troubleshooting DHCP.

Command Use
Ipconfig /all View TCP/IP configuration including the IP address, mask, default gateway, and any other DHCP-delivered parameters. In addition, the command shows the IP address of the DHCP server from which configuration information was received.
Ipconfig /renew Renew DHCP configuration for specific or multiple adapters.
Ipconfig /release Releases DHCP configuration and discards IP address configuration for specific or multiple adapters.

An IP address in the 169.254.0.0 range indicates that the client could not contact the DHCP server and has used APIPA to assign itself an address.
You should recognize the following symptoms of a rogue server:
• Incorrect IP configuration information.
• Duplicate addresses assigned.
• Ipconfig /all shows the DHCP server address incorrectly.
• DHCPNAK messages at the client during lease renewal.
If the client has an address from the wrong server, remove the rogue server, then do Ipconfig /release followed by Ipconfig /renew.
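As an added example (my own code, not from the course notes), the following Python decodes the DHCP option area described under DHCP Option Facts (codes 003, 006, 015, 044, 046 plus the lease, message-type and server-identifier options) and checks a server reply against the rogue-server symptoms listed above: a server identifier that is not on the authorized list, or DNS servers the client should not have received. The packet builder, the option-name map and the sample addresses are constructed for the example.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Option codes from the list above plus the bookkeeping options every server
# reply carries (lease time, message type, server identifier).
OPTION_NAMES = {3: "Router", 6: "DNS Servers", 15: "DNS Domain Name",
                44: "WINS/NBNS Servers", 46: "WINS/NBT Node Type",
                51: "Lease Time", 53: "Message Type", 54: "Server Identifier"}
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
IPV4_LIST_OPTIONS = {3, 6, 44, 54}


def parse_options(raw: bytes) -> dict:
    """Decode the code/length/value option area that follows the magic cookie."""
    decoded, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:                      # pad byte: no length field
            i += 1
            continue
        if code == 255:                    # end marker
            break
        if i + 1 >= len(raw):
            raise ValueError(f"option {code} has no length byte")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        name = OPTION_NAMES.get(code, f"Option {code}")
        if code in IPV4_LIST_OPTIONS:      # one or more packed IPv4 addresses
            decoded[name] = [str(ipaddress.IPv4Address(value[j:j + 4]))
                             for j in range(0, len(value) - len(value) % 4, 4)]
        elif code == 15:
            decoded[name] = value.rstrip(b"\x00").decode("ascii", "replace")
        elif code == 51:
            decoded[name] = int.from_bytes(value, "big")
        elif code == 53:
            decoded[name] = MESSAGE_TYPES.get(value[0], f"type {value[0]}")
        elif code == 46:
            decoded[name] = value[0]
        else:
            decoded[name] = value
        i += 2 + length
    return decoded


def parse_message(packet: bytes) -> dict:
    """Pull the fields a rogue-server check needs out of a raw DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (no magic cookie at offset 236)")
    hlen = packet[2]
    return {"client_mac": packet[28:28 + hlen].hex(":"),
            "your_ip": str(ipaddress.IPv4Address(packet[16:20])),
            "options": parse_options(packet[240:])}


def audit_reply(packet: bytes, authorized_servers: set, expected_dns: set) -> list:
    """Findings for one server reply, following the rogue-server symptoms above:
    a server address you do not recognise, or configuration data you did not set."""
    msg = parse_message(packet)
    opts = msg["options"]
    if opts.get("Message Type") not in ("OFFER", "ACK", "NAK"):
        return []                          # client-originated message: nothing to audit
    server = (opts.get("Server Identifier") or ["?"])[0]
    findings = []
    if server not in authorized_servers:
        findings.append(f"{opts['Message Type']} for {msg['client_mac']} "
                        f"from unauthorized DHCP server {server}")
    unexpected = set(opts.get("DNS Servers", [])) - expected_dns
    if unexpected:
        findings.append(f"server {server} handed out unexpected DNS servers: "
                        + ", ".join(sorted(unexpected)))
    return findings


def build_offer(server: str, your_ip: str, router: str, dns: list, domain: str,
                lease: int = 86400, mac: str = "00:11:22:33:44:55") -> bytes:
    """Construct a DHCPOFFER for testing (sample data, not a real capture)."""
    def ip(s):
        return ipaddress.IPv4Address(s).packed
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326,
                         0, 0, b"\x00" * 4, ip(your_ip), ip(server), b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    body = bytearray()
    for code, value in [(53, b"\x02"), (54, ip(server)), (51, lease.to_bytes(4, "big")),
                        (3, ip(router)), (6, b"".join(ip(d) for d in dns)),
                        (15, domain.encode("ascii"))]:
        body.extend((code, len(value)))
        body.extend(value)
    body.append(255)
    return header + MAGIC_COOKIE + bytes(body)


# Constructed sample traffic: one offer from the authorized server, one from a
# rogue that also points clients at itself for DNS.
AUTHORIZED = {"10.0.0.5"}
EXPECTED_DNS = {"10.0.0.5", "10.0.0.6"}
GOOD_OFFER = build_offer("10.0.0.5", "10.0.0.77", "10.0.0.1",
                         ["10.0.0.5", "10.0.0.6"], "corp.example")
ROGUE_OFFER = build_offer("10.0.0.99", "10.0.0.77", "10.0.0.99", ["10.0.0.99"], "corp.example")

if __name__ == "__main__":
    for pkt in (GOOD_OFFER, ROGUE_OFFER):
        print(audit_reply(pkt, AUTHORIZED, EXPECTED_DNS) or ["no findings"])
```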
DNS Name Resolution Process
You should be familiar with the DNS name resolution process:
When a DNS name resolution request is forwarded to a DNS server, the DNS server examines its local DNS cache for the IP address.
If the IP address is not in the DNS server's cache, it checks its Hosts file. (Since the Hosts file is a static text file, it is not commonly used.)
If the DNS server is not authoritative and configured for forwarding, the DNS server forwards the request to a higher-level DNS server.
If the DNS server cannot forward the request, or if forwarding fails, the DNS server uses its Root Hints file (also known as Cache.dns). The Root Hints file lists the 13 root DNS servers.
The root DNS server responds with the address of a com, edu, net, or other DNS server type (depending on the request).
The DNS server forwards the request to the high-level DNS server, which can respond with a variety of IP addresses.
DNS facts
DNS translates a hostname to an IP address.
The DNS hierarchy is made up of the following components:
. (dot) domain (also called the root domain)
Top Level Domains (TLDs) (.com, .edu, .gov)
Domains
Hosts
A fully qualified domain name (FQDN) must include the name of the host and the domain, not just the domain.
A forward lookup uses the host name (or the FQDN) to find the IP address.
A reverse lookup uses the IP address to find host name (or FQDN).
A DNS server can forward a DNS request to an upstream DNS server if it cannot resolve a host name to an IP address.
An authoritative server is a DNS server that has a full, complete copy of all the records for a particular domain.
A caching-only DNS server has no zone information; it is not authoritative for any domains.
The Root Hints file (also called the Cache.DNS file) lists the 13 root DNS servers. A DNS server uses the Root Hints file to forward a request to a Root DNS server as a last resort to resolve a host name to an IP address.
A Root DNS server refers DNS servers to .com or .edu or .gov level DNS servers.
Recursion is the process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution. Most client computers do not perform recursion, rather they submit a DNS request to the DNS server and wait for a complete response. Many DNS servers will perform recursion.
Zone Types
The table below lists the types of DNS zones:
Zone Type Description
Standard primary Host name-to-IP address name resolution.
Data is stored in a flat text file.
Read-write copy of the data.
Standard secondary Host name-to-IP address name resolution.
Data is copied from another DNS server.
Read-only copy of the data.
Reverse lookup IP address to host name resolution.
Can be both primary and secondary zones.
Active Directory-integrated Data is stored in Active Directory.
Data is shared between domain controllers.
Data is read-write on all servers with the data.
Provides automatic replication, fault tolerance, and distributed administration of DNS data.
You should also know the following facts about zones:
To configure reverse lookup for a subnetted IP network, enable the Advanced view in the DNS console.
Reverse lookup zones for IPv6 addresses should be created in the ip6.arpa namespace.
Common Resource Records
The table below lists the most common resource records.
Record Type Use
A (host address) The A record maps a DNS host name to an IP address. This is the most common resource record type.
CNAME (canonical name) The CNAME record provides alternate names (or aliases) to hosts that already have an A record.
MX (Mail Exchanger) The MX record identifies servers that can be used to deliver mail.
NS (name server) The NS resource record identifies all name servers that can perform name resolution for the zone. Typically, there is an entry for the primary server and all secondary servers for the zone.
PTR (pointer) In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e. "points" to an A record).
SOA (Start of Authority) The first record in any DNS database file is the SOA. It defines the general parameters for the DNS zone. The SOA record includes parameters such as the authoritative server and the zone file serial number.
SRV (service locator) The SRV record is used by Windows 2003 to register network services. This allows clients to find services (such as domain controllers) through DNS. Windows 2003 automatically creates these records as needed.
Dynamic DNS Facts
For a Windows 2000/XP/2003 client, the following process is used to dynamically update the DNS database.
The client boots and receives an IP address from the DHCP server.
The client sends a DNS update request to update the forward lookup record.
The DHCP server sends an update request to update the reverse lookup record.
For non-dynamic update clients, the DHCP server sends both the forward and reverse lookup updates. You can also configure the DHCP server to perform both tasks for Windows clients.
To enable dynamic updates, use the following steps:
On the Windows DNS server, open the Zone Properties dialog box and enable dynamic updates.
In the TCP/IP Properties of the client, make sure dynamic DNS is enabled (enabled is the default setting).
Note: You may also need to enable dynamic updates on the DHCP server if you're doing dynamic updates by proxy.
You should know the following facts about secure dynamic DNS:
Secure dynamic updates are only available for Active Directory-integrated zones.
To use secure DDNS, a client must be a member of the same Active Directory domain as the DDNS server.
Only the original client can alter or remove records when using secure DDNS.
DNS Client Settings
DNS uses fully qualified domain names (FQDN) to identify a computer. FQDNs are composed of the host name and the domain name (also called a suffix). Windows client computers can be identified using two different DNS suffixes:
Primary suffix, set through the System properties.
Connection-specific suffix, configured through the TCP/IP properties for the network adapter.
With dynamic DNS, client computers can update the DNS database with their host name. Keep in mind the following facts about client dynamic updates:
By default, Windows 2000/XP/2003 clients register their DNS name with the DNS server.
In the TCP/IP properties, Advanced settings, DNS tab, the Register this connection's addresses in DNS setting controls whether the client dynamically registers its name with DNS.
With dynamic DNS enabled on the client, the computer will register its full DNS name from the configuration on the Network Identification tab of the System applet (using the primary suffix).
You can configure the client to register two different DNS names with the DNS server. To do this, in the TCP/IP properties, Advanced settings, DNS tab, identify an additional DNS suffix for the client and enable the Use this connection's DNS suffix in DNS registration option. When enabled, the client will register its name with the connection-specific suffix as well as the primary suffix.
You can also configure the client with custom search suffixes.
By default, when you submit a DNS query without using the fully qualified domain name (FQDN), the client computer appends the computer's domain to the name to perform the DNS lookup. The client will also use parent suffixes to try the request multiple times.
Edit the Advanced TCP/IP properties to customize the search suffixes. You can specify search suffixes outside of the parent suffixes, and modify the order in which suffixes are used for searches.
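As an added example (not from the course notes), this Python models the client-side behaviour described in the DNS Client Settings facts above: the list of names the resolver tries for an unqualified query (primary suffix, then the connection-specific suffix, then parent suffixes, or a custom search list in their place) and the names the client registers through dynamic DNS. The ordering of connection-specific suffix before parent suffixes, the two-label floor that stops devolution short of a bare top-level domain, and the rule that a dotted name is first tried as typed are my assumptions, as are all names used.

```python
from typing import List, Optional

# Assumption: devolution stops before the suffix would shrink to a single label,
# so the client never sends the query to a bare top-level domain.
MIN_LABELS = 2


def devolve(suffix: str, min_labels: int = MIN_LABELS) -> List[str]:
    """The suffix followed by its parent suffixes, down to min_labels labels."""
    labels = suffix.strip(".").split(".")
    parents = [".".join(labels[i:]) for i in range(0, len(labels) - min_labels + 1)]
    return parents or [suffix.strip(".")]


def lookup_candidates(name: str, primary_suffix: str,
                      connection_suffix: Optional[str] = None,
                      search_list: Optional[List[str]] = None) -> List[str]:
    """Names the resolver would try, in order, for a query typed as `name`.

    A trailing dot means the name is already fully qualified. A dotted name is
    tried as typed first (assumption). An unqualified name gets the primary
    suffix, then the connection-specific suffix, then the parent suffixes of the
    primary suffix. A custom search list replaces that whole default list and is
    used exactly as given, with no devolution.
    """
    if name.endswith("."):
        return [name]
    candidates = [name] if "." in name else []
    if search_list:
        suffixes = list(search_list)
    else:
        suffixes = [primary_suffix]
        if connection_suffix:
            suffixes.append(connection_suffix)
        suffixes.extend(devolve(primary_suffix)[1:])
    for suffix in suffixes:
        fqdn = f"{name}.{suffix.strip('.')}"
        if fqdn not in candidates:         # skip duplicates, e.g. equal suffixes
            candidates.append(fqdn)
    return candidates


def registered_names(host: str, primary_suffix: str,
                     connection_suffix: Optional[str] = None,
                     register_connection_suffix: bool = False) -> List[str]:
    """Names the client registers via dynamic DNS: always host.primary-suffix,
    plus host.connection-suffix when that option is enabled for the adapter."""
    names = [f"{host}.{primary_suffix}"]
    if (register_connection_suffix and connection_suffix
            and connection_suffix != primary_suffix):
        names.append(f"{host}.{connection_suffix}")
    return names


if __name__ == "__main__":
    # Constructed sample configuration.
    print(lookup_candidates("fileserver", "sales.west.corp.example", "lab.corp.example"))
    print(registered_names("pc1", "corp.example", "lab.corp.example", True))
```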
AD-Integrated Zone Facts
Using Active Directory to manage zone information has the following advantages:
No single point of failure. Changes are made to multiple rather than individual servers.
Fault tolerance. Each host server maintains up-to-date zone information.
Single replication topology. Zone transfers occur through Active Directory replication.
Secure dynamic updates. Only authorized computers can update dynamically.
Simplified management. Any authorized computer can initiate changes to the zone file (not just the primary server).
In Windows 2000, all DNS data is replicated with all domain controllers. With 2003, you have the following options:
Replication Option Where data is replicated
2000 Default All domain controllers in a domain receive the information whether or not they have DNS installed.
DomainDNSZones All domain controllers with DNS in the domain receive the information.
ForestDNSZones All domain controllers with DNS in the forest receive the information. (Used most effectively when you have very important records that need to be available throughout the forest.)
Application Partitions All domain controllers within the application partition. By using an application partition, you can customize which domain controllers will receive the DNS data.
Root Hint Facts
Keep in mind the following facts regarding root hints.
The Cache.dns file holds the 13 root hint addresses for the Internet root servers. The Cache.dns file can be found in two locations:
%SystemRoot%\system32\dns\Cache.dns (the copy in use)
%SystemRoot%\system32\dns\backup\Cache.dns (the copy reserved in the backup location)
If you have a root zone configured on a DNS server, the server will act as a root zone server.
A DNS server configured as a root zone server will never use the root hints file (Cache.dns). It considers itself authoritative. Consequently, the server won't access the Internet to forward DNS queries.
If you want the DNS server to access the Internet, delete the root zone in the DNS Console.
You can configure root hints through the properties of a DNS server or by configuring the DNS server's Cache.dns file. If the server is configured to load data from Active Directory, you must configure root hints using the DNS snap-in because the local Cache.dns is not used (the root hints data is stored in AD).
Stub Zones and Forwarding Facts
You should know the following facts about DNS performance:
A stub zone holds copies of the following DNS record types:
NS records for all DNS servers (primary and secondary).
SOA record for the primary server.
DNS A records (also called glue records) for the DNS servers.
A stub zone is dynamic. It will update itself with changes.
Use a stub zone to provide quick access to the name server list and to provide a method of keeping the name server list updated without replicating zone data.
Conditional forwarding allows DNS queries to be forwarded to specific DNS servers that have specific zones.
Conditional forwarding is static: you specify the IP address of the server that handles queries for a given domain.
Conditional forwarding must be updated when changes to forwarders are made.
If a DNS server is configured to use forwarders, you can disable recursion on the DNS server. This means the server submits requests to the forwarder and waits for a response.
Zone Transfer Facts
Replication through standard zones takes place through zone transfers. Secondary servers contact their master servers for new zone information. You should know the following facts about zone transfers:
The zone serial number is modified when changes are made to the zone file.
Zone transfer is initiated when a secondary server checks the master server and finds an incremented zone serial number.
Zone transfer notification occurs when the master server contacts the secondary server when changes have been made.
By default, a DNS server replicates the entire zone database (called a full zone transfer or AXFR).
A partial zone transfer, in which only the changed information is replicated, is also called an incremental zone transfer or IXFR.
To initiate a manual transfer, increment the serial number first. Otherwise, no transfer will occur (a transfer only occurs when the serial number has changed).
You can improve DNS performance by placing multiple DNS servers on your network. For example, you can place a secondary server on the other side of a WAN link to reduce WAN traffic caused by name resolution. However, zone replication traffic must still cross the WAN link.
A caching only server runs DNS but has no zones configured. Use a caching only server to improve performance while eliminating zone transfers.
An Active Directory-integrated zone stores DNS information in Active Directory rather than in a zone file. Zone information is copied automatically when AD replicates.
If a zone is Active Directory-integrated and has no secondary servers, you can disable zone transfers. Zone data will continue to be replicated through Active Directory.
Normally, zone transfers happen automatically at periodic intervals. You can force an update of zone data through the DNS console or by using the Dnscmd command. The following table lists some actions you can take to refresh zone data manually.
DNS Console Action Dnscmd Option Result
Reload Dnscmd /ReloadZone The server reloads zone data from its local copy (it reads the data back in from the zone file on the hard disk).
Transfer from Master Dnscmd /Refresh Initiates a normal zone transfer. The DNS server compares its version number with the version of the zone master. If the version numbers are the same, no zone transfer takes place.
Reload from Master N/A The DNS server dumps its copy of the data and reloads the entire data from the master server.
To force a zone transfer, you can either update the serial number on the master server and then transfer the data from the master, or you can simply reload the data from the master.
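As an added example (my own code, not from the course notes), the Python below simulates the zone transfer decisions described above: a secondary compares serials and does nothing when the master's serial has not moved (the manual-edit trap), pulls an incremental transfer (IXFR) when the master still has the change history, falls back to a full transfer (AXFR) otherwise, and "Reload from Master" bypasses the serial check entirely. Serial comparison uses 32-bit sequence-space arithmetic (RFC 1982), which the course text does not mention; the zone data and class names are constructed for the example.

```python
MOD = 1 << 32          # zone serials are 32-bit unsigned integers
HALF = 1 << 31


def serial_newer(a: int, b: int) -> bool:
    """True if serial a is 'after' serial b in 32-bit sequence space (RFC 1982),
    so a master whose serial has wrapped past 2^32 still counts as changed."""
    a, b = a % MOD, b % MOD
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)


class MasterZone:
    def __init__(self, serial: int, records: dict):
        self.serial = serial % MOD
        self.records = dict(records)        # name -> rdata (simplified)
        self.deltas = []                    # (from_serial, to_serial, added, removed)

    def edit(self, added=None, removed=(), bump_serial=True):
        """Change the zone. Editing without bump_serial is the manual-edit
        mistake described above: secondaries will never see the change."""
        added = dict(added or {})
        for name in removed:
            self.records.pop(name, None)
        self.records.update(added)
        if bump_serial:
            new_serial = (self.serial + 1) % MOD
            self.deltas.append((self.serial, new_serial, added, tuple(removed)))
            self.serial = new_serial


class SecondaryZone:
    def __init__(self, serial: int, records: dict):
        self.serial = serial % MOD
        self.records = dict(records)

    def refresh(self, master: MasterZone, reload_from_master: bool = False) -> str:
        """Refresh check; returns which transfer happened: "none", "IXFR" or "AXFR".

        reload_from_master mirrors the console action of that name: discard the
        local copy and pull everything regardless of the serial numbers."""
        if reload_from_master:
            return self._axfr(master)
        if not serial_newer(master.serial, self.serial):
            return "none"                   # same serial: no transfer at all
        # Incremental transfer: walk the master's change history from our
        # serial up to its current serial.
        chain, cursor = [], self.serial
        for delta in master.deltas:
            if delta[0] == cursor:
                chain.append(delta)
                cursor = delta[1]
        if chain and cursor == master.serial:
            for _, _, added, removed in chain:
                for name in removed:
                    self.records.pop(name, None)
                self.records.update(added)
            self.serial = master.serial
            return "IXFR"
        return self._axfr(master)           # history unavailable: full transfer

    def _axfr(self, master: MasterZone) -> str:
        self.records = dict(master.records)
        self.serial = master.serial
        return "AXFR"


if __name__ == "__main__":
    master = MasterZone(2024010101, {"www": "10.0.0.20"})
    secondary = SecondaryZone(2024010101, {"www": "10.0.0.20"})
    master.edit(added={"mail": "10.0.0.25"}, bump_serial=False)
    print(secondary.refresh(master))        # none: serial never changed
    master.edit(added={"mail": "10.0.0.25"})
    print(secondary.refresh(master))        # IXFR
```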
DNS Design Guidelines
Keep in mind the following facts about DNS namespace design:
Active Directory requires DNS.
A split-brain DNS solution allows you to run internal DNS and external DNS that don't communicate with one another. This helps to maintain internal security.
Following are three split-brain DNS configuration options:
Set up the same DNS name internally and externally.
Set up different DNS names internally and externally.
Set up the internal DNS as a subdomain of the external DNS.
The purpose of a split-brain DNS solution is to:
Allow external clients to access only external resources.
Allow internal clients to access all resources.
The table below lists the split-brain DNS configurations.
Same Internal and External DNS Names
  Set both DNS servers as primary to prevent zone transfer traffic. Allow internal client access to external resources by copying external resource records to the internal DNS server.
Different Internal and External DNS Names
  To allow internal clients to access external resources, set up a forwarder, either a regular forwarder or a conditional forwarder.
Internal DNS Name as Subdomain of External DNS Name
  One possible advantage is that you can run separate DNS infrastructures (e.g., an external Unix infrastructure and an internal Microsoft infrastructure). One danger is that outside queries could include the internal namespace. Use the firewall to block these types of queries. Set up a forwarder to allow internal clients to access external resources.
DNS Solutions
You have a wide variety of tools to help you in designing a DNS solution. The following table lists various zone types and configuration options and when to use each.
Solution Use
Primary zone Select a primary zone to manage zone data on non-domain controllers or non-Windows DNS servers.
Secondary zone Select a secondary zone to copy read-only zone data from another server. For example, your Windows server can be a secondary server to a non-Windows server, or a non-Windows server can be a secondary server to an Active Directory-integrated zone. Secondary zone servers accomplish three tasks:
Fault tolerance
Load balancing
Reduce name resolution traffic over WAN links
Reverse lookup zone Use a reverse lookup zone to find the host name for a given IP address. For example, use a reverse lookup zone if you need to identify the host name of clients who connect to a server or services. Following are reasons to set up reverse lookup zones:
To use Nslookup by using the IP address.
To use IP filtering in IIS.
To accommodate applications that rely on reverse lookups.
Active Directory-integrated zone Use when you have DNS servers that are also domain controllers. AD-I zones allow multi-master updates to the DNS database, automatically replicate data through Active Directory (rather than conventional DNS replication), secure zone updates, and allow secure dynamic client registration.
Caching only server Use to reduce DNS name resolution traffic over WAN links without the zone transfer traffic.
Zone delegation Use to subdivide a zone into multiple zones. This allows other administrators to manage parts of your name space.
Forwarders Use to send DNS queries to other servers when the current server does not hold the data.
Conditional forwarding Use to forward DNS queries based on the domain name characteristics. Without conditional forwarding, all requests are forwarded to the same servers. With conditional forwarding, requests are forwarded based on the domain name.
Stub zone Use when you need to automatically update lists of name servers for a domain but do not want to replicate zone data.
Root zone Use to make your DNS server authoritative for the entire name space. For example, you can configure a root zone to prevent name queries from being forwarded to the Internet root zone servers.
Root hints Root hints point to the root zone servers. Normally root hints point to the Internet root zone servers. If you have a custom root zone, make sure root hints on internal servers point to your root zone servers.
Dynamic DNS Use to allow clients to update DNS records.
Secure updates Use to prevent unauthorized changes to dynamically-created DNS records. When enabled, only domain members can register DNS records, and only the same computer can modify those records. Secure updates are available only on Active Directory-integrated zones.
DNS Troubleshooting Tools
You should know how to use the tools listed in this table:
Tool Use
Nslookup Use the Nslookup tool to perform DNS name resolution. Enter the name of the host, and Nslookup performs DNS queries to report the host's IP address.
Dnscmd Dnscmd displays the properties of DNS servers, zones, and resource records. You can also use Dnscmd to modify these properties, create and delete zones and resource records, and force replication.
Ping Use Ping to determine if an IP address is accessible. If you can ping an IP address, try to ping the logical name of the host. If the logical name test fails, you should troubleshoot the name resolution system.
Network Monitor Use Network Monitor to analyze and monitor network traffic.
Ipconfig You can use Ipconfig without switches to display the IP address, subnet mask, and default gateway for all adapters. However, the following switches are useful when troubleshooting DNS.
/Displaydns, to display the contents of the local DNS cache.
/Flushdns, to flush the local DNS cache.
/Registerdns, to force a client to register its DNS information.
DNSLint The DNSLint utility helps you to isolate and diagnose DNS problems. You must use one of the three following switches with DNSLint.
/d, to perform domain name tests
/ad, to perform AD tests
/ql, to perform DNS query tests from a list
To provide fault tolerance for DNS servers, use one of the following strategies:
Use Active Directory-integrated zones. If one DNS server goes down, zone data is still stored in Active Directory. Be sure to analyze the replication scope to make sure you have at least two servers holding the DNS data for each zone.
Create secondary zones. If the primary server goes down, you can change one of the secondary zones to the primary zone.
Back up the DNS database. If you have only one DNS server, be sure to back up the DNS database. For non-Active Directory-integrated zones, you can back up the DNS files or copy them to another location. For Active Directory-integrated zones, you must back up the system state data (because DNS is stored in Active Directory).
Remote Access Facts
Keep in mind the following facts about configuring remote access.
The number of dial-up modem connections permitted depends on the number of modems that are installed on the remote access server. If you have only one modem installed on the server, you can only have one modem connection at a time.
Before shutting a remote access server down, terminate all client idle sessions.
To enable clients to receive their addresses from a DHCP server, configure the remote access server to use DHCP for addressing.
When you use PPP as the WAN protocol, you can use DHCP for addressing and encryption.
To allow remote clients to access resources on both the remote access server and the local network, enable both remote access and LAN routing. To restrict access to only the remote access server, enable only remote access.
When you establish a LAN protocol, the client must be configured with all protocols used by all devices on the private network with which it communicates.
To access resources on a remote network, users must be given the appropriate permissions.
Authentication Protocol Comparison
Authentication protocols ensure that remote users have the necessary credentials for remote access. The following table compares the authentication protocols supported by a Windows 2003 remote access server. Protocols are listed in order, from least secure to most secure. As a rule, select the highest level of authentication supported by the clients.
Password Authentication Protocol (PAP)
  Characteristics: Client sends a username and plain text password for authentication. Password can be easily intercepted. Use only when no other form of authentication is supported.
  Client support: 2003/XP/2000; NT 3.5/4.0; 95/98/ME
Shiva Password Authentication Protocol (SPAP)
  Characteristics: Used to connect to a Shiva LAN Rover. Uses an encrypted password for authentication. Password encryption is easily reversible.
  Client support: 2003/XP/2000; NT 3.5/4.0; 95/98/ME
Challenge Handshake Authentication Protocol (CHAP)
  Characteristics: Uses a three-way handshake (challenge/response). Uses MD5 hashing of the shared secret for authentication.
  Client support: 2003/XP/2000; NT 3.5/4.0; 95/98/ME
Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1)
  Characteristics: Similar to MS-CHAP v2, uses challenge/response for authentication. Server authenticates the client (client cannot authenticate the server). Encrypts the secret used for authentication.
  Client support: 2003/XP/2000; NT 3.5/4.0; 95/98/ME
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
  Characteristics: Highest level of authentication possible without using EAP. Uses a challenge/response mechanism for authentication. Allows both the client and the server to authenticate each other. Encrypts the secret used for authentication.
  Client support: 2003/XP/2000; NT 4 (SP 4); 98 (SP 1); 95 (with the latest updates, for a VPN connection only)
Extensible Authentication Protocol (EAP)
  Characteristics: Client and server negotiate the characteristics of authentication. Used for smart cards or biometric authentication.
  Client support: 2003/XP/2000
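As an added illustration of the CHAP row above (this is not code from the guide), the following Python models the three-way handshake, with the client answering a server challenge by hashing identifier, shared secret and challenge with MD5, beside a PAP exchange for contrast. The user name, shared secret and fixed nonces are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example modelling CHAP (RFC 1994) beside PAP; not code from the guide.
# The user name, shared secret and fixed test nonces are constructed.
SECRETS: Dict[str, bytes] = {"alice": b"constructed-secret"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side of step 2: MD5(Identifier || secret || Challenge).
    The secret itself is never transmitted, unlike PAP."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Server side of the three-way handshake: Challenge, Response, Success/Failure."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self.secrets = secrets
        self.identifier = 0
        self.outstanding: Optional[Tuple[int, bytes]] = None

    def challenge(self, nonce: Optional[bytes] = None) -> Tuple[int, bytes]:
        """Step 1: issue a fresh random challenge under a new Identifier."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = (self.identifier, nonce if nonce is not None else os.urandom(16))
        return self.outstanding

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the expected digest and compare in constant time.
        A response carrying a stale Identifier (a replayed capture) is rejected,
        and each challenge can be answered only once."""
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, self.outstanding[1])
        self.outstanding = None
        return hmac.compare_digest(expected, response)


def chap_exchange(server: ChapServer, name: str, secret: bytes,
                  nonce: Optional[bytes] = None) -> Tuple[bool, bytes]:
    """Run one handshake; return (authenticated, bytes a sniffer would see)."""
    identifier, challenge = server.challenge(nonce)
    response = chap_response(identifier, secret, challenge)
    on_wire = challenge + response
    return server.verify(name, identifier, response), on_wire


def pap_exchange(name: str, password: bytes) -> bytes:
    """PAP for contrast: the credential itself is the wire payload."""
    return name.encode() + b":" + password


def secret_visible_on_wire(on_wire: bytes, secret: bytes) -> bool:
    """What an interceptor learns: True if the secret appears verbatim."""
    return secret in on_wire


if __name__ == "__main__":
    server = ChapServer(SECRETS)
    ok, wire = chap_exchange(server, "alice", SECRETS["alice"])
    print("CHAP authenticated:", ok,
          "secret on wire:", secret_visible_on_wire(wire, SECRETS["alice"]))
    print("PAP secret on wire:",
          secret_visible_on_wire(pap_exchange("alice", SECRETS["alice"]), SECRETS["alice"]))
```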
For wireless clients, the most secure solution uses Protected EAP (PEAP) for an initial authentication to the wireless access point. When using PEAP, select one of the following two options:
PEAP-EAP-TLS. This authentication method uses certificates (either on the local system or on a smart card) to complete the authentication process.
PEAP-MS-CHAP v2. This method uses certificates on the server, but simple passwords on the client. Use this method when the client does not have a certificate.
PEAP support is enabled as follows:
Windows XP SP1, included as a feature of the service pack.
Windows Server 2003.
Windows 2000, supported through a special download and install.
Remote Access Client Configuration
You should know the following facts about remote access client configuration:
The client must be running all networking protocols (such as IP or IPX) that are used on destination computers.
Both the remote access client and the remote access server must use a common WAN protocol (such as PPP).
If your client and server have multiple modems, you can configure both to use multilink. With multilink, multiple physical connections are established to increase the bandwidth of a single connection. When using multilink, enable Bandwidth Allocation Protocol (BAP) to establish and drop links based on link activity.
Callback is a form of security in which the server disconnects the user after authentication then immediately calls the user back. The server can use a preset phone number for each user, or the user can enter a callback phone number after authentication. You cannot use multilink and callback together.
To configure remote clients for DNS, configure them with the IP address of the DNS server on the private network. DNS requests will be automatically routed to the DNS server.
Remote Access Policy Facts
A remote access policy consists of the following components.
Component Description
Conditions Remote access conditions identify which policies apply to incoming connections. The remote access server checks the conditions included with a policy. If all conditions match, the server processes the policy and user account settings to determine what access to allow or deny.
Permissions Permissions determine whether remote access is granted or denied. Permissions come from a combination of settings in the user account and the remote access policy. There are only three possible permission settings:
Grant remote access
Deny remote access
Control access through the remote access policy (only settable in the user account)
Profile A profile is the list of settings that are applied to the connection once access is granted. Profile settings can reject or restrict remote access to connections that:
Use a specific media type
Are initiated during specific days and times
Use specific authentication protocols
Use specific encryption protocols
You should be familiar with the RAPCAP process:
Remote access policies determine the level of access remote clients get to resources.
Authorization for access to resources is determined by three steps:
Conditions
Permissions
Profile settings
Incoming connections are compared to the conditions found in a policy.
If the connection does not match the conditions in the first policy, the next policy in order is checked.
You should put more specific (or restrictive) policies at the top of the list to make sure they're not supplanted by more general policies.
When a match is found, that policy will be used for the connection (no other policies will be checked).
If the connection does not match any conditions in any policy, the connection will be refused.
After a matching policy is found, permissions are checked. If the permissions deny the connection, no other policies are checked.
Permissions identified in the user account override permissions set in the policy (unless Control access through Remote Access Policy is selected).
By default, the user account setting for remote access is set to Deny.
The Control access through Remote Access Policy setting is only available in 2000 native mode or Windows 2003 domain functional level.
If the permissions grant access, the policy profile is checked for additional conditions.
If all profile conditions match, the connection is granted. If not, it is refused.
You can establish enough restrictions through the profile to prevent user access.
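The RAPCAP evaluation order described above, modelled as an added example in Python (not Microsoft's code): policies are tested in list order, the first full condition match is used, the account's dial-in setting overrides the policy permission unless it defers to the policy, and the profile can still reject a granted connection. The policy names, groups and connection attributes are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Added example modelling the RAPCAP order (conditions -> permissions -> profile).
# Policy names, groups and connection attributes are constructed.


@dataclass
class Policy:
    name: str
    conditions: Dict[str, Set[str]]                         # every attribute must match
    permission: str                                         # "grant" or "deny"
    profile: Dict[str, Set[str]] = field(default_factory=dict)  # attribute -> allowed values


def first_matching_policy(policies: List[Policy], conn: Dict[str, str]) -> Optional[Policy]:
    """Step 1: policies are checked in list order; the first full match wins."""
    for policy in policies:
        if all(conn.get(attr) in allowed for attr, allowed in policy.conditions.items()):
            return policy
    return None


def evaluate(policies: List[Policy], user_dialin: str, conn: Dict[str, str]) -> Tuple[str, str]:
    """user_dialin is the account setting: "allow", "deny" or "policy"
    (Control access through Remote Access Policy).  Returns (decision, reason)."""
    policy = first_matching_policy(policies, conn)
    if policy is None:
        return "reject", "no policy conditions matched"

    # Step 2: permissions.  The account setting overrides the policy unless
    # the account defers to the policy.
    if user_dialin == "deny":
        return "reject", f"account denies dial-in (matched {policy.name})"
    if user_dialin == "policy" and policy.permission == "deny":
        return "reject", f"{policy.name} denies access"

    # Step 3: profile.  Every profile restriction must be satisfied, so the
    # profile alone can keep out a connection the permissions allowed.
    for attr, allowed in policy.profile.items():
        if conn.get(attr) not in allowed:
            return "reject", f"{policy.name} profile rejects {attr}={conn.get(attr)!r}"
    return "accept", f"granted by {policy.name}"


# Constructed policy list: the specific policy for administrators over VPN sits
# above the catch-all so the catch-all cannot supplant it.
ADMIN_VPN = Policy(
    name="Admins over VPN",
    conditions={"group": {"Domain Admins"}, "media": {"VPN"}},
    permission="grant",
    profile={"auth": {"MS-CHAP v2", "EAP"}, "encryption": {"strong", "strongest"}},
)
CATCH_ALL = Policy(name="Everything else", conditions={}, permission="deny")
POLICIES = [ADMIN_VPN, CATCH_ALL]

ADMIN_CONN = {"group": "Domain Admins", "media": "VPN",
              "auth": "MS-CHAP v2", "encryption": "strong"}


if __name__ == "__main__":
    print(evaluate(POLICIES, "policy", ADMIN_CONN))
    print(evaluate(POLICIES, "policy", dict(ADMIN_CONN, auth="PAP")))
    print(evaluate(POLICIES, "allow", dict(ADMIN_CONN, group="Sales")))
    print(evaluate([CATCH_ALL, ADMIN_VPN], "policy", ADMIN_CONN))  # wrong order
```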
IAS Facts
If your network includes several remote access servers, you can control remote access from a single location by installing a Remote Authentication Dial-In User Service (RADIUS) server. Internet Authentication Service (IAS) is the service you install on a Windows 2000 server to make it a RADIUS server.
You should know the following facts about RADIUS:
Remote access clients pass authentication credentials to the remote access server.
The remote access server is configured as a RADIUS client to the IAS server. The remote access server forwards authentication credentials onto the IAS server.
Remote access policies configured on the IAS server are used to allow or deny access. The IAS server notifies the remote access server whether access is allowed for the remote access client.
To configure a remote access server as a RADIUS client, configure the authentication provider on the remote access server. Point to the IAS server and configure a shared secret.
On the IAS server, you must identify all RADIUS clients that will use the server as the authentication provider. You will need to supply the same shared secret as was configured on the RADIUS client.
Troubleshooting Remote Access
Most remote access problems are caused by misconfiguration. Problems are typically manifested by an error message that describes the nature of the problem. Read the error messages to identify likely causes, and then verify the applicable remote access configuration parameters.
When you try to establish a remote access connection, the following four processes take place:
Opening the port. The system initializes the modem or port used for remote access.
Dialing. The system attempts to connect to the remote system.
Authenticating. After a physical connection with the remote system is made, authentication protocols and credentials are verified.
Registering the computer. The computer is identified on the network and access is granted.
If the connection fails in the first two stages (making the connection):
Verify the hardware and physical connection.
Verify the configuration of the remote access connection object.
Verify that there are free ports on the remote access server to answer the call.
If the connection fails during the last two stages (authenticating and registering the computer):
Verify the username and password against a valid user account.
Check remote access policies.
Verify that authentication protocols match between the client and the server.
Verify remote access addressing.
If a connection can be made, but the client can only access resources on the remote access server (and not on other servers connected to the remote network):
Verify that the client is using all necessary LAN protocols used by servers on the remote network.
Verify that the remote access server is configured for both remote access and LAN routing.
Default and Static Routes
You should know the following facts about routes:
Routes to directly connected networks are automatically created. If a router only needs to communicate with directly-connected networks, no special routes are needed.
Use the Route Print command to view the routing table.
Use the Route Add command to add routes from the command prompt. The command needs the destination, its mask, and the address of the next-hop router (gateway) through which the destination is reached. Use the syntax:
Route add destination_address mask subnet_mask gateway_address -p
For example, to add a route to network 192.168.1.0 with mask 255.255.255.0 through the router at gateway_address (substitute the router's IP address), use the command:
Route add 192.168.1.0 mask 255.255.255.0 gateway_address -p
The -p parameter makes the route persistent. It will be added each time the router reboots.
A default route is used when no other route in the routing table matches the destination. You can add a default route entry to your routing table.
Keep in mind the following when creating special routes:
For a route to a subnet (network), enter the subnet address and mask.
For a route to a host, enter the host IP address and 255.255.255.255 for the mask.
For the default route, use 0.0.0.0 for the network and 0.0.0.0 for the mask.
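An added example (not route.exe and not the guide's code) that parses the Route add syntax given above and performs a longest-match lookup, showing why a host route uses a 255.255.255.255 mask, why 0.0.0.0/0.0.0.0 acts as the last resort, and which entries the -p flag preserves across reboots. The gateway addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example: parser for the guide's Route add syntax plus a longest-match
# lookup.  Gateway addresses are constructed; this models the selection rule only.


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    persistent: bool          # -p: re-added when the router reboots


def parse_route_add(cmd: str) -> Route:
    """Parse 'Route add <destination> mask <subnet_mask> <gateway> [-p]'."""
    parts = cmd.split()
    if (len(parts) < 6 or parts[0].lower() != "route" or parts[1].lower() != "add"
            or parts[3].lower() != "mask"):
        raise ValueError(f"unrecognised route command: {cmd!r}")
    destination, mask, gateway = parts[2], parts[4], parts[5]
    persistent = any(p.lower() == "-p" for p in parts[6:])
    # strict=False tolerates host bits in the destination (e.g. a host route).
    network = ipaddress.IPv4Network((destination, mask), strict=False)
    return Route(network, ipaddress.IPv4Address(gateway), persistent)


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def lookup(self, destination: str) -> Optional[Route]:
        """The most specific (longest mask) matching route wins.  A 0.0.0.0/0
        default route matches everything, so it is only used as a last resort.
        Returns None when no route covers the destination (unreachable)."""
        addr = ipaddress.IPv4Address(destination)
        candidates = [r for r in self.routes if addr in r.network]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.network.prefixlen)

    def persistent_routes(self) -> List[Route]:
        """Entries that survive a reboot because they were added with -p."""
        return [r for r in self.routes if r.persistent]


def build_sample_table() -> RoutingTable:
    """Constructed table: a subnet route, a host route and a default route."""
    table = RoutingTable()
    for cmd in (
        "Route add 192.168.1.0 mask 255.255.255.0 10.0.0.1 -p",   # subnet route
        "Route add 192.168.1.25 mask 255.255.255.255 10.0.0.2",   # host route beats the subnet
        "Route add 0.0.0.0 mask 0.0.0.0 10.0.0.254 -p",           # default route
    ):
        table.add(parse_route_add(cmd))
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for dest in ("192.168.1.77", "192.168.1.25", "8.8.8.8"):
        route = table.lookup(dest)
        print(dest, "->", route.network, "via", route.gateway)
```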
Choosing a Routing Solution
The following table lists router solutions and their applications.
Solution Uses
Default routing entries Use when the router has only directly-connected networks.
Static routes Use for small networks (10 subnets or less) that do not change often.
Use to eliminate traffic due to routing updates.
RIP Use for small networks (50 or less subnets) when a dynamic solution is required.
OSPF Use for larger networks (50 or more subnets) when a dynamic solution is required.
Use when you want to minimize (or reduce) traffic due to routing updates.
Windows 2003 supports RIP 1 and RIP 2. RIP has the following characteristics:
RIP uses hop and tick counts to calculate optimal routes.
RIP routing is limited to 15 hops to any location (16 hops indicates the network is unreachable).
At startup, the router advertises itself and information about its directly-connected networks and requests other routers to respond.
RIP broadcasts its entire routing table every 30 seconds.
A RIP broadcast has a limit of 25 network entries. If more networks are in the routing table, additional broadcasts must be made.
At router shutdown, the router advertises that it is going down. Routers receiving this notification remove all routes accessible through the downed router from their tables.
Each route has a timeout value of 180 seconds. Each new broadcast containing information for that route resets the timeout.
Failed routes are detected when the timeout is reached. After the timeout, the route is removed.
RIP 2 supports multicasts, variable subnets, authentication, and next hop addresses.
Demand Dial Routing Facts
The following process is used to establish a demand-dial link:
A host sends a message to a host on the remote network.
The source router identifies the remote network, and initiates a link by calling the destination router.
The destination router answers the call, and verifies the user credentials and permissions.
The destination router identifies the link as a demand-dial link by matching the username with its port name.
Data is transferred to the destination host.
The link stays active until the preconfigured idle disconnect time. If no data has been sent during that time, the link is dropped.
To configure and enable demand-dial routing, complete the following tasks:
Enable demand-dial routing on the server.
Enable the port for use by demand-dial.
Add the port as a demand-dial interface.
Create a user account on the local system or domain that corresponds to the local demand-dial port. (You can use the Demand Dial Interface wizard to create this account automatically.)
Set the credentials for the remote user account that corresponds to the remote demand-dial interface.
Create static routes or configure auto-static updates to add routes to the remote network.
Auto-static updates can be used to populate the routing table with remote routes over a demand dial link. Keep in mind the following about auto-static updates.
A routing protocol is used initially to share routing information. However, the information is sent only once. The routers do not exchange periodic broadcasts.
Because auto-static updates are not performed on a regular basis through the routing protocol's default advertisements, you must either manually perform the update or schedule updates as a scheduled task. When you schedule updates, routing exchanges take place at much longer intervals than the routing protocol's update interval.
You can configure auto-static updates for IP RIP, IPX RIP, and IPX SAP, but not for OSPF.
Troubleshooting Demand Dial Routing
Use the information in the following table to troubleshoot demand dial routing problems:
Problem Cause and Solution
Application and time-out errors Some errors happen with demand-dial routing because the link between the routers is not yet established when data is first sent from a host. The host assumes the link exists and begins sending data. In the meantime, the router must call the remote system and establish the link. The time delay can cause the router buffer to fill, or the delay may lead the application to think the remote system is not responding. In most cases, retrying the request succeeds.
Authentication errors Authentication errors are typically caused by incorrectly configuring the username used by the demand-dial router to contact the remote router. Verify that the username matches the remote port, and that a user account with dial-up permission exists. Also verify the remote access policies and remove any restrictions that incorrectly limit access.
Only one-way communication If one host can connect to the remote router, but a host on the remote network cannot connect back, verify that the username settings for both routers match the remote port name. It is also possible for one router to use an incorrect username, but still be granted a connection if there is a user account with that name. However, the connection will be a remote access connection, not a demand-dial connection.
Endpoint identifier errors Endpoint identifier errors occur when compatible addresses (such as IP addresses on the same subnet) are not assigned to each communicating port. Check to make sure that a DHCP server is available, or that the dial-up line is configured to assign addresses.
Lost auto-static routes If you have configured the server for auto-static routing updates, and the routing table contains data but later is empty, check to make sure that each router can establish a connection with the other. If a connection cannot be made to send the updates, the table will not contain any auto-static routes because they have been deleted. Correct the problem by scheduling auto-static updates or updating routes manually.



NAT Facts
Network Address Translation (NAT) allows you to connect a private network to the Internet without obtaining registered addresses for every host. Private addresses are translated to the public address of the NAT router.
The NAT router maps port numbers to private IP addresses. Responses to Internet requests include the port number appended by the NAT router. This allows the NAT router to forward responses back to the correct private host.
NAT supports a limit of 5,000 concurrent connections.
NAT provides some security for the private network because it translates or hides the private addresses. In addition, outside hosts cannot normally initiate contact with private hosts (unless explicitly configured).
A NAT router can act as a limited-function DHCP server, assigning addresses to private hosts.
A NAT router can forward DNS requests to the Internet.
NAT does not work with IP protocols that embed an IP address in the packet data. For this reason, you cannot create a VPN on two sides of a NAT router. However, special modifications do allow FTP to function with NAT.
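A model of the port-mapping table described above, added here as an example (not Microsoft's NAT implementation): outbound flows from private hosts are rewritten to the router's public address and a mapped port, replies are demultiplexed by that port, unsolicited inbound packets have no mapping and are dropped, and the table refuses new flows past the stated limit. The addresses are constructed.

```python
from typing import Dict, Optional, Tuple

# Added example modelling the NAT router's port mapping; not Microsoft's code.
# Addresses and the starting port are constructed.

MAX_CONNECTIONS = 5000           # concurrent-connection limit stated in the guide
Endpoint = Tuple[str, int]       # (ip, port)


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 1025) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Endpoint, int] = {}   # private endpoint -> public port
        self.inbound: Dict[int, Endpoint] = {}    # public port -> private endpoint

    def translate_outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Rewrite a private source (ip, port) to (public_ip, mapped_port).
        Returns None when the mapping table is full."""
        if src not in self.outbound:
            if len(self.outbound) >= MAX_CONNECTIONS:
                return None
            port = self.next_port
            self.next_port += 1
            self.outbound[src] = port
            self.inbound[port] = src
        return (self.public_ip, self.outbound[src])

    def translate_inbound(self, dst_port: int) -> Optional[Endpoint]:
        """Forward a reply to the private host that owns the mapped port.
        Unsolicited inbound traffic has no mapping and is dropped (None)."""
        return self.inbound.get(dst_port)

    def close(self, src: Endpoint) -> None:
        """Release a mapping when the private host's connection ends."""
        port = self.outbound.pop(src, None)
        if port is not None:
            self.inbound.pop(port, None)


def two_hosts_demo() -> Tuple[Endpoint, Endpoint, Optional[Endpoint]]:
    """Constructed scenario: two private hosts reach the Internet through one
    public address; a reply to an unmapped port is dropped."""
    nat = NatRouter("203.0.113.10")
    a = nat.translate_outbound(("192.168.0.5", 51000))
    b = nat.translate_outbound(("192.168.0.6", 51000))   # same private port, distinct mapping
    stray = nat.translate_inbound(9999)                   # nobody asked for this
    return a, b, stray


if __name__ == "__main__":
    print(two_hosts_demo())
```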
DHCP Relay Agent Facts
To properly configure the Relay Agent, you need to perform three tasks:
Add the Relay Agent via the remote access snap-in.
Configure the router's interface to relay DHCP packets.
Configure the Relay Agent with the main DHCP server's IP address.
Instead of configuring a relay agent, you can also enable BOOTP forwarding on the router, or place a DHCP server on the local subnet.


Common Port Numbers
Port numbers identify a specific service running on a computer. As a best practice, configure your firewall to allow only the ports for the services provided on your network (and block all others). The following table lists port numbers for common services.
Port(s) Service
20, 21 File Transfer Protocol (FTP)
23 Telnet
25 Simple Mail Transfer Protocol (SMTP)
50, 51 IPSec (ESP and AH; these are IP protocol numbers rather than TCP/UDP ports)
53 Domain Name Server (DNS)
67, 68 Dynamic Host Configuration Protocol (DHCP)
69 Trivial File Transfer Protocol (TFTP)
80 HyperText Transfer Protocol (HTTP)
88, 749 Kerberos
110 Post Office Protocol (POP3)
119 Network News Transport Protocol (NNTP)
137-139 NetBIOS
143 Internet Message Access Protocol (IMAP4)
161, 162 Simple Network Management Protocol (SNMP)
389 Lightweight Directory Access Protocol (LDAP)
443 HTTP with Secure Sockets Layer (SSL)
500 (UDP), 1701 Layer Two Tunneling Protocol (L2TP)
1723 Point-to-point Tunneling Protocol (PPTP)
For example, to allow HTTP traffic (both normal and secure traffic), open ports 80 and 443.
Firewall and Proxy Facts
Keep in mind the following facts about firewalls and proxy servers.
• A firewall prevents invalid communications from entering a network while allowing valid communications to travel in and out.
• TCP/IP Filtering is a form of a very basic firewall.
• TCP/IP Filtering allows you to block ports that you specify.
• TCP/IP Filtering requires you to enable the setting for all NICs or no NICs.
• ICF blocks all externally generated communications. Communications generated internally can pass through the firewall as well as external responses to those communications.
• You can allow external communications through the firewall by enabling the appropriate ports.
• Packet filtering is available in the RAS Console.
• Packet filtering allows you to specify input and output filters for each NIC.
• Packet filtering allows you to restrict access based on ports, protocols, or IP addresses.
• Packet filtering offers a higher degree of control over network traffic.
• An ingress filter allows you to prevent malicious actions like address spoofing.
• An ingress filter will inspect packet headers to verify them.
• Proxy servers cache Web content to speed up access and can restrict access to the Internet.
• Through caching, a proxy server can significantly increase bandwidth performance.
• A proxy server allows you to restrict Internet access through user and group accounts.
• Client browsers can either automatically detect the proxy server or access it through a specific proxy IP address.


VPN Protocols
If you are designing a VPN connection, you must identify the tunneling protocol used for the connection. Windows 2003 supports the following tunneling protocols:
Point-to-Point Tunneling Protocol (PPTP), supported by all 32-bit Microsoft clients.
Layer Two Tunneling Protocol (L2TP), supported by Windows 2000/XP/2003 clients.
The tunneling protocol you choose will also affect the authentication and encryption options available. The following table summarizes these choices.
PPTP
  Authentication protocol: EAP* or MS-CHAP (v1 or v2)
  Encryption protocol: MPPE
  OS support: 2000/XP/2003; NT 4.0; 95/98/ME
L2TP
  Authentication protocol: EAP or MS-CHAP (v1 or v2); Kerberos v5**; certificates
  Encryption protocol: IPSec
  OS support: 2000/XP/2003
*EAP is supported only on Windows 2000/XP/2003.
**IPSec requires machine authentication (not user authentication) through either Kerberos or certificates. Use EAP or MS-CHAP to enforce user authentication.


IPSec Facts
IPSec is supported only on Windows 2000/XP/2003. How computers use IPSec to communicate is controlled through IPSec policies. Windows comes with the following three IPSec policies:
Policy Characteristics
Client (Respond Only) Can communicate normally (unsecured).
Contains a default response rule that lets it negotiate with servers that request IPSec.
Server (Request Security) Requests security using Kerberos V5 protocol for all IP traffic.
Allows unsecured communication with clients that do not respond to the request.
Secure Server (Require Security) Requires security using Kerberos V5 protocol for all IP traffic.
Does not allow unsecured communication with clients.
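How the three built-in policies above interact when two hosts communicate, as an added example (not Microsoft's code): a host with a requesting policy negotiates IPSec with any peer that can respond, Server falls back to unsecured traffic when the peer has no policy, Secure Server does not, and two hosts that only respond never negotiate. The host names in the rollout check are constructed, and "none" stands for a host with no IPSec policy assigned.

```python
from itertools import product
from typing import Dict, List, Tuple

# Added example: interaction of the three built-in IPSec policies.  "none" is a
# host with no policy assigned; host names below are constructed.

NONE = "none"
CLIENT = "Client (Respond Only)"
SERVER = "Server (Request Security)"
SECURE = "Secure Server (Require Security)"

REQUESTS = {SERVER, SECURE}            # policies that initiate a security negotiation
RESPONDS = {CLIENT, SERVER, SECURE}    # policies that answer one (default response rule)


def outcome(a: str, b: str) -> str:
    """Return 'secured', 'unsecured' or 'blocked' for traffic between a and b."""
    if a in REQUESTS or b in REQUESTS:
        # At least one side asks for IPSec; it succeeds if both can negotiate.
        if a in RESPONDS and b in RESPONDS:
            return "secured"
        # The peer has no policy: Secure Server refuses to fall back, Server does.
        if SECURE in (a, b):
            return "blocked"
        return "unsecured"
    # Neither side requests security (none or Client only): plain IP.
    return "unsecured"


def matrix() -> Dict[Tuple[str, str], str]:
    """Outcome for every ordered pair of policies."""
    policies = [NONE, CLIENT, SERVER, SECURE]
    return {(a, b): outcome(a, b) for a, b in product(policies, repeat=2)}


def blocked_pairs(hosts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Rollout check: which host pairs would lose connectivity under the
    given policy assignments (host name -> policy)?"""
    names = sorted(hosts)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if outcome(hosts[x], hosts[y]) == "blocked"]


if __name__ == "__main__":
    for (a, b), result in matrix().items():
        print(f"{a:34} <-> {b:34} {result}")
    plan = {"fileserver": SECURE, "pc1": CLIENT, "legacy": NONE, "dc": SERVER}
    print("blocked before rollout:", blocked_pairs(plan))
```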
You should also know the following facts about IPSec:
• IPSec traffic appears in Network Monitor as two protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).
• AH is displayed in Network Monitor when IPSec is configured for mutual authentication. AH digitally signs each packet to ensure data integrity. AH does not encrypt data.
• ESP is displayed in Network Monitor when IPSec is configured to encrypt frames. ESP encrypts the data portion of the IP packet.
• Use the IP Security Monitor MMC snap-in to verify IPSec traffic.
• To monitor IPSec negotiations, the audit logon events setting must be enabled. The security log file should be set to at least 10 MB in size.
• To view DNS names in IPSec Monitor, enable DNS name resolution.
• Microsoft recommends that you stop the Routing and Remote Access service before stopping the IPSec service.
• Use the Net stop remoteaccess command at the command line to stop the remote access service.
• Use the Net stop policyagent command at the command line to stop the IPSec service.
• An authentication failure occurs when the authentication methods don't match on both machines that are trying to establish a security association.
• A Bad SPI message can appear when the key lifetime is set too low.
• The Audit Logging feature of Windows Server 2003 can be used to monitor IPSec events.


Preconfigured Templates
A security template is a collection of settings that configures a system to a predefined state. Windows provides the following predefined security templates:
Template Function
Setup Security.inf Created specifically for each computer during setup
Differs depending on whether installation was a clean installation or an upgrade
Contains default security settings applied during installation
Defines default file permissions for system drive root
Used on workstations or servers (not on domain controllers)
Should not be applied through group policy
DC Security.inf Created when a server is upgraded to a domain controller
Gives default security settings for files, the registry, and system services
Secure*.inf Secures a system without causing application or compatibility issues
Securews.inf can be applied to a workstation or a server
Securedc.inf can be applied to a domain controller
Hisec*.inf Specifies additional security settings beyond the Secure templates
Hisecws.inf can be applied to a workstation or a server
Hisecdc.inf can be applied to a domain controller
Compatws.inf Forces compatibility across Windows platforms
Should not be applied to domain controllers
Remember the following tips when applying templates:
• Use the Setup Security.inf template to restore the system to its default state.
• Apply additional templates to add security (just applying the more secure template might not reset custom settings to their default state).
• Use Group Policy to deploy and periodically enforce templates (the template will be applied at normal group policy application times).
• Don't use Group Policy to distribute the Setup Security.inf template because it is very large and will consume a lot of bandwidth and take time as it is applied to the computer.
• You can customize a preconfigured template to meet your needs. After you modify the template, save it with a new file name to preserve the preconfigured settings.
• Secedit.exe allows you to apply only the parts of a template that you need. (A better solution is to customize the template and save it with a different name.)
Template Facts
Use the Security Configuration and Analysis snap-in to manage security templates, analyze current settings, create custom templates, or import an existing template. When working with templates:
• Compare an existing system with a template to see how the system compares to the template.
• Clear current settings before importing a new template.
• After applying a secure template, you might need to restore group memberships in the Administrators or Power Users group.
• You can also use the Secedit command to analyze and apply templates.
You should also know the following facts about security analysis:
• The Microsoft Baseline Security Analyzer will tell you which patches have been installed on a particular computer.
• You also need to verify that patches have not been manually applied.
• Check the Windows Update log to see if a patch came from the Software Update Server or from the Windows Update website.
Use the following key to decipher the meanings of icons when analyzing the system:
[icon] = The system does not match the template
[icon] = The system meets or exceeds the template
[icon] = The template does not define the value
Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer (MBSA) is a tool you can use to scan the local and remote computers for security compliance. The MBSA tool looks for the following operating system vulnerabilities:
• Installed and missing hotfixes
• Guest account status
• Administrator group membership
• Weak passwords on user accounts
• Non-expiring passwords
• Restrict anonymous access settings
• Auto logon
• File system type used on each drive
• Shares
• Automatic update configuration
• Internet Connection Firewall (ICF) configuration
• Unnecessary services
• Auditing
• Program vulnerabilities for programs such as Internet Explorer, Media Player, IIS, SQL, Exchange, and Office
MBSA does not come as part of the 2003 Server installation. You can download it from Microsoft's Web site. You should know the following facts about MBSA:
The analyzer runs in both a GUI and command-prompt mode (run Mbsacli.exe to run from the command line).
You can use MBSA to analyze up to 10,000 remote computers at a time. Results of the analysis can be saved to a file for later review.
MBSA can analyze Windows NT/2000/XP/2003 computers.
You must have administrator privileges to scan a local or remote computer.
To scan a local computer, make sure the Workstation and Server services are enabled.
The computer running MBSA to analyze remote computers must be running the Workstation service and have Microsoft Networks turned on.
The computer that you are analyzing must be running the following services:
• Remote Registry
• Server
• File and Print sharing
To analyze only missing hotfixes and updates, run Mbsacli.exe /hf (this command replaces the Hfnetchk.exe utility).
A similar utility, Qfecheck.exe, scans Windows 95/2000/XP computers for missing hotfixes. However, it can only analyze the local computer.
Security Principles Facts
Use the following guidelines when considering security:
• Design security strategies according to the rule of least privilege. This means that you give users the fewest rights and privileges possible while still allowing them to do their jobs. (It is easier to add permissions than it is to remove permissions.)
• Disable unnecessary services as well as file and print sharing when they're not needed.
• Implement a firewall and up-to-date anti-virus software.
• Audit the system regularly.
• Use security templates and Group Policy to apply security settings uniformly across the network.
• Use IPsec and SSL to secure network communications.
• Use SUS to control the updates deployed across the network.
• Use Hfnetchk to scan computers for hot fix levels.
• Use Mbsacli to scan remote computers for security and configuration issues.
Services Facts
You should know the following facts about services:
• Services are programs that run continuously in the background.
• The three service startup behaviors are:
• Automatic
• Manual
• Disabled
• You can control service behaviors (including startup behaviors) through Group Policy.
• Services run under the security privileges of a user account. There are three types of built-in accounts (you can also use custom accounts to run services):
• The Local System account provides full access to the system.
• The Local Service account provides access to particular services.
• The Network Service account provides access to services on the network.
• Because services run using a user account, make sure the password is configured correctly, the user account is not locked, and the user account is enabled.
• Take care not to disable a service upon which other services depend.
• You can view dependent services through the services console or by executing the SC.exe command.
• Use Msconfig.exe to troubleshoot services.
SUS Facts
Software Update Services (SUS) allows you to configure the distribution of operating system patches for clients, including ones related to security. You can deploy SUS in the following ways:
The SUS server approves the updates. Clients contact the SUS server for update approvals then retrieve the updates from the Windows Update server. This requires a great deal of bandwidth.
The SUS server approves and synchronizes the updates. SUS stores the updates locally for clients to retrieve. Reduces bandwidth demands since only the SUS server contacts the Windows Update server.
SUS servers in various locations are each responsible for approving and synchronizing updates, each contacting the Windows Update server directly.
Use a "master" SUS server to approve and synchronize updates from the Windows Update server. The child SUS servers synchronize updates from the master. If WAN bandwidth between the master and child servers is poor, you may decide against this structure.
In most enterprise implementations, client computers contact local SUS servers to get a list of approved updates and download those updates. In this configuration, SUS client computers must be configured to receive updates from the local SUS server instead of the Windows Update Web site. The easiest way to configure client settings is to use Group Policy to distribute the server name and other update parameters. The following table lists the Automatic Update policies:
Policy Description
Configure Automatic Updates There are three options for configuring the behavior of the Automatic Updates client:
Notify for Download And Notify For Install
Auto Download And Notify For Install
Auto Download And Schedule The Install
Reschedule Automatic Updates Scheduled Installations If a client machine is turned off during a scheduled installation, by default the installation occurs at the next scheduled time. However, this policy allows you to set the installation to occur between 1 and 60 minutes after the system starts up.
No Auto-Restart For Scheduled Automatic Updates and Installations This policy allows Automatic Updates to disregard a required restart when a user is logged on. The user receives a notification about the required restart but is not required to restart the machine.
Specify Intranet Microsoft Update Service Location This policy allows you to redirect clients from the Microsoft Windows Update server to a SUS server on your network. You can also set logging to occur on any server on the network running IIS. IIS logs are found in %Windir%\System32\Logfiles\W3svc1.
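As an added example (not from the original notes), this PowerShell reads the registry values that the Automatic Updates policies in the table write to and reports the effective client configuration, flagging clients that are not redirected to the intranet SUS server; the expected server URL and function names are constructed sample values.

```powershell
# Added example: decode the Automatic Updates policy a client has received.
# These are the policy registry paths the Automatic Updates client reads.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

# AUOptions values correspond to the three "Configure Automatic Updates" choices.
$AuOptionNames = @{
    2 = 'Notify for Download And Notify For Install'
    3 = 'Auto Download And Notify For Install'
    4 = 'Auto Download And Schedule The Install'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value, or $null when the key or value is absent.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

function Get-AutomaticUpdatesPolicy {
    param([string]$ExpectedServer = 'http://sus01.example.internal')  # sample value

    $wuServer   = Get-RegValue $PolicyKey 'WUServer'        # Specify Intranet Microsoft Update Service Location
    $wuStatus   = Get-RegValue $PolicyKey 'WUStatusServer'  # server that receives client status (IIS logging)
    $useWu      = Get-RegValue $AuKey 'UseWUServer'         # 1 = honour WUServer instead of Windows Update
    $auOptions  = Get-RegValue $AuKey 'AUOptions'           # 2, 3 or 4 (see table above)
    $noReboot   = Get-RegValue $AuKey 'NoAutoRebootWithLoggedOnUsers'  # No Auto-Restart policy
    $reschedule = Get-RegValue $AuKey 'RescheduleWaitTime'  # minutes after startup (1-60)

    $issues = @()
    if (-not $wuServer -or $useWu -ne 1) {
        $issues += 'Client is not redirected to an intranet SUS server; it will use the Windows Update Web site.'
    } elseif ($ExpectedServer -and $wuServer -ne $ExpectedServer) {
        $issues += "WUServer is '$wuServer'; expected '$ExpectedServer'."
    }
    if (-not $auOptions) {
        $issues += 'Configure Automatic Updates is not set; the client keeps whatever the local user chose.'
    }

    New-Object PSObject -Property @{
        IntranetServer    = $wuServer
        StatusServer      = $wuStatus
        ConfigureAU       = $(if ($auOptions) { $AuOptionNames[[int]$auOptions] } else { 'Not configured' })
        NoAutoRestart     = ($noReboot -eq 1)
        RescheduleMinutes = $reschedule
        Issues            = $issues
    }
}

Get-AutomaticUpdatesPolicy | Format-List
```

Run it on a client after gpupdate to confirm the policy arrived; an empty Issues list means the client will ask the SUS server rather than the public site.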

WSUS Facts

Windows Server
Nutshell: Microsoft Server
Rev 1.1
Contents
Terminal Services Facts
Remote Assistance Facts
Command Switches for Installation
Troubleshooting Installation Facts
Licensing Facts
Automated Installation Facts
Network Installation Facts
Domain User Account Facts
Group Facts
Built-in Groups
Group Strategy Facts
User Profile Facts
User Profile Management Tasks
Computer Account Facts
Troubleshooting Logon
Group Policy Facts
Installing Devices
Device Management Facts
Drivers
File Verification Programs
File System Facts
Basic and Dynamic Disks
Redundancy and Fault Tolerance
Disk Management Facts
Volume Mount Points
Boot.ini Facts
Backup Facts
Backup Devices Facts
NTFS Permission Facts
Shared Folder Facts
Share Access Facts
Disk Quota Facts
File Compression Facts
Encryption Facts
Offline Settings
Internet Information Services (IIS)
IIS Security Facts
Web Site Identification
Printing Facts
Advanced Print Configuration
Printer Pooling
Multiple Printers
Managing Printing
Troubleshooting Printing Facts
IPP Facts
Installer Package Facts
Software Update Services (SUS) Components
SUS Server Configuration
SUS Client Configuration
SUS Infrastructure Design
SUS Facts
Account Policies Facts
Auditing Facts
Security Template Facts
Event Facts
Monitoring Performance Facts
Counters and Values to Watch
Volume Shadow Copy Services (VSS)
System Recovery Facts
Terminal Services Facts
By default, Windows 2003 comes with Remote Desktop enabled. Using Remote Desktop, you can connect to a server and manage it remotely just as you would if you were sitting at the server console. Remote Desktop uses Terminal Services technology. Terminal Services can also be used by end users to connect to the server and run applications. For example, users can connect to a server to run an application that is not supported on the client system.
Keep in mind the following details regarding Remote Desktop.
• Remote Desktop is the same as running Terminal Services in administration mode on previous Windows versions.
• Remote Desktop is limited to two concurrent connections.
• When using Remote Desktop, the user account used to connect to the server must be assigned a password and must be given explicit permission for Remote Desktop. Grant users Remote Desktop access through the System applet.
• Client computers require client software to make the connection. This software is included with Windows XP or Windows Server 2003, but must be installed separately on other Windows versions (Windows 2000, for example).
Keep in mind the following details regarding Terminal Services.
• You can support many more clients by installing Terminal Services (also called installing application mode for Terminal Services). Use Add/Remove Windows components to install Terminal Services.
• Microsoft allows an evaluation period for Terminal Services of 120 days. You must install a licensing server prior to expiration or the server will stop accepting remote connections.
• Many settings on the RDP-Tcp properties Sessions tab can override individually configured user settings.
• Use the Msg command to send a message to all connected users of a particular terminal services server. You should know the following facts about Msg:
o The syntax is msg {UserName | SessionName | SessionID} [/server:ServerName] [Message].
o UserName is the name of the user you want to receive the message.
o SessionName is the name of the session you want to receive the message.
o SessionID is the numeric ID of the session whose user you want to receive a message.
o /server:ServerName specifies the terminal server whose session or user you want to receive the message. (If unspecified, /server uses the server to which you are currently logged on.)
o Message is the actual message you wish to send.
• The Query user command-line tool displays the names of any currently logged on users or sessions with Terminal Services.

Remote Assistance Facts
Keep in mind the following details regarding Remote Assistance.
• Both the novice (person requesting assistance) and the expert (person giving assistance) computers must be running either Windows XP (either Home or Professional) or Windows Server 2003.
• To initiate a remote assistance session:
o Select Ask for Remote Assistance in Windows Messenger.
o Send an e-mail through the Help and Support tools (if the infrastructure is configured appropriately).
o Create a Remote Assistance file through Help and Support tools and load it to a network share (if the infrastructure is configured appropriately).
• Generally, the novice must initiate the invitation. If Active Directory is used, the expert can initiate the Remote Assistance connection.
• Invitations require a password (unless Instant Messaging is used) and have an expiration time. Expired invitations cannot be answered.
• When sending an invitation, do not include the password in the invitation text. Communicate it in some other way.
• The helper cannot copy files from a user's computer. The user must explicitly send any files the helper may need.
• The user can take back control of the computer at any time by pressing the Esc key or Ctrl+C, or by clicking Stop Control.
Command Switches for Installation
To start the installation, use:
• Winnt.exe to start installation from a DOS environment.
• Winnt32.exe to start installation from within a 32-bit environment.
The following table lists common switches to use with the installation programs.
Switch Purpose
/makelocalsource Copies installation files from the CD-ROM
/dudisable Disables dynamic updates during installation
/duprepare Prepares downloaded update files for use during installation
/dushare Starts the installation with downloaded update files
/u Indicates use of an unattended answer file
/udf Indicates the use of a uniqueness database file
/s Specifies a path to source files
/checkupgradeonly Verifies upgrade compatibility

Troubleshooting Installation Facts
Use the /debuglevel:logfile switch to create an installation debug log. The default debug level is 2. The default log file is C:\%systemroot%\Winnt32.log. The log levels are as follows:
Level Report
0 Severe Errors
1 Errors
2 Warnings
3 Information
4 Detailed information for debugging
You can use System File Checker (Sfc.exe) to verify the integrity of protected system files if an installation appears unstable. You can use the following switches with the Sfc command:
Switch Function
/Scannow Perform a scan immediately
/Scanboot Configures the operating system to perform a scan every time the operating system boots
/Revert Changes the scan behavior back to the default
/Cachesize=size Configures how much disk space can be used to store cached versions of protected system files
To uninstall a service pack or hotfix from the command line, run Spuninst.exe from the service pack or hot fix uninstall folder. Use the following switches with Spuninst:
Switch Function
-u Unattended mode
-f Force other apps to close at shutdown
-z Do not reboot when complete
-q Quiet mode (no user interaction)
To isolate a driver causing an installation to fail, add the /Sos switch to the Boot.ini file. This loads the drivers individually, allowing you to isolate the bad driver.

Licensing Facts
You should know the following facts about licensing:
• The Licensing Logging service is available from the Administrative tools menu.
• The Licensing Logging service allows you to view, add, and delete installed product licenses.
• Per-user licensing is more expensive per client workstation than a per-server licensing model, but it becomes much less expensive when many workstations access several servers.
• Cpl.cfg is the purchasing history file.
• Llsuser.lls is the user information file.
• Llsmap.lls is the license group information.
Automated Installation Facts
Windows provides the ability to perform an unattended installation from a CD-ROM. To perform an unattended installation from a CD-ROM, the following conditions must be met:
• The computer must support booting from a CD-ROM, and must adhere to the El-Torito non-emulation specification.
• The unattended answer file must be renamed to Winnt.sif and copied to a floppy disk so Setup can access it. When Setup displays the message that it is examining the hardware configuration, insert the floppy disk containing the Winnt.sif file.
• The answer file must contain a valid [Data] section with the following entries:
o UnattendedInstall=Yes - Value must be set to "yes".
o MSDosInitiated=No - Value must be set to "no" or Setup will stop during the graphical portion of Setup.
o AutoPartition=1 - If the value is set to 1, the installation partition is automatically selected. If the value is set to 0 (zero), you are prompted for the installation partition during the text portion of Setup.
You can also automate installation by preparing a disk image. You then duplicate the disk image to a new hard drive and boot the system. Use the following files to prepare an automated installation using an image:
File Function
Sysprep.exe Prepares a system for duplication
Setupcl.exe Runs a mini-setup wizard when the duplicated drive is booted
Sysprep.inf An optional answer file that automates the mini-setup wizard. Can be copied to a floppy disk.
Note: These files belong in the Sysprep folder at the root of the system drive.
Network Installation Facts
You should know the following facts about Remote Installation Services:
• An RIS server must have the following components installed on it:
o DHCP
o DNS
o RIS
o Active Directory
• Use the Rbfg.exe (Remote Boot Disk Generator) file to create a boot disk for non-PXE compliant network adapters. The boot disk simulates the PXE boot process. The file is located in the RemoteInstall\admin\i386 folder on the RIS server.
• On the workstation, be sure to enable network boot in the BIOS.
• Use the Riprep.exe file to create the image of the reference computer.
To perform a network installation without RIS:
1. Copy the source installation files to a shared network drive.
2. If necessary, update the installation files with service packs or hotfixes.
3. Execute Winnt or Winnt32 from the network share.
To use dynamic updates during an installation, download the updates to a network share. Use the following switches with the Winnt or Winnt32 command to apply dynamic updates during the installation:
Switch Function
/Duprepare:[path to downloaded updates] Prepares the updates for use during installation.
/Dushare:[path to downloaded updates] Starts the installation with the downloaded update files.
/Dudisable Prevents the dynamic update from occurring.
To apply a service pack to the source installation files, use the Update.exe -s:[network_share] command and switch. This applies the service pack changes to the installation files in the network share.



Domain User Account Facts
You should know the following facts about domain (or global) user accounts:
• Domain user accounts let users log on to the network, and allow access to domain resources.
• Active Directory stores these accounts for the entire domain (users have to log on only once to access domain resources).
• Domain user accounts have a variety of properties, such as user information, group membership, user profiles, and dial-in settings.
• A user account can be renamed, for example when a user changes jobs or a new user needs the permissions previously assigned to that account.
• Use Active Directory Users and Computers from a domain controller (or a workstation with Administrative Tools installed) to configure domain accounts.
• When a new account is created, it is replicated to all of the domain controllers in the domain, so any domain controller in the domain can authenticate user logons.
• Each user account has a unique security identifier (SID) to identify the user to the Windows server. A user can log on to the domain from any computer that is a member of the domain and can access resources on that computer or on other computers for which the domain user account has permissions.
• Logon restrictions apply to users, not groups.
Group Facts
• Active Directory defines three scopes that describe the domains on the network from which you can assign members to the group; where the group's permissions are valid; and which groups you can nest.
Scope Description
Global groups Are used to group users from the local domain. Typically, you assign users who perform similar job functions to a global group. A global group can contain user and computer accounts and global groups from the domain in which the global group resides. Global groups can be used to grant permissions to resources in any domain in the forest.
Domain local groups Are used to grant access to resources in the local domain. They have open membership, so they may contain user and computer accounts, universal groups, and global groups from any domain in the forest. A domain local group can also contain other domain local groups from its domain. Domain local groups can be used to grant permissions to resources in the domain in which the domain local group resides.
Universal groups Are used to grant access to resources in any domain in the forest. They have open membership, so you can include user and computer accounts, universal groups, and global groups from any domain in the forest. Universal groups can be used to grant permissions to resources in any domain in the forest. Universal groups are available only in Windows 2000 Native or Windows 2003 domain functional level.
Built-in Groups
Windows domain controllers include several built-in domain local groups, each of which has predefined rights. These groups are automatically created on domain controllers, and are placed in the Built-in folder in Active Directory Users and Computers.
Built-in Group Description
Administrators Full control over the computer, including every available right in the system (the only built-in account that automatically has all rights), including the Take ownership of files or other objects right.
Server Operators Share folders and back up files and folders.
Backup Operators Back up, copy, and restore files on the computer (regardless of permissions). Log on to and shut down the computer. Cannot change security settings.
Account Operators Create, delete, and modify domain user accounts and groups. Cannot modify the Administrators group or any Operators groups.
The basic best practices for user and group security are:
• Create groups based on users' and administrators' needs.
• Assign user accounts to the appropriate groups.
• Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network.
Group Strategy Facts
To make permission assignments easier, assign permissions to a group, then add the accounts that need to use the group's resources. You can add user accounts, computers, and other groups to groups. You should remember the following when assigning members to groups:
• Adding a user account to a group gives that account all the permissions and rights granted to the group (the user must log off and log back on before the change takes effect).
• The same user account can be included in multiple groups. (This multiple inclusion may lead to permissions conflicts, so be aware of the permissions assigned to each group.)
• Nesting is the technique of making a group a member of another group. Using hierarchies of nested groups may make administration simpler, as long as you remember what permissions you have assigned at each level.
The following table shows the three basic recommended approaches to managing users, groups, and permissions.
Strategy: ALP
Use: Workstations and member servers.
Description: A: Place user Accounts; L: Into Local groups; P: Assign Permissions to the local groups.
Application: Best used in a workgroup environment, not in a domain.

Strategy: AGDLP
Use: Mixed mode domains and native mode domains (does not use universal groups, which are also not available in mixed mode).
Description: A: Place user Accounts; G: Into Global groups; DL: Into Domain Local groups; P: Assign Permissions to domain local groups.
Application:
1. Identify the users in the domain who use the same resources and perform the same tasks. Group these accounts together in global groups.
2. Create new domain local groups if necessary, or use the built-in groups to control access to resources.
3. Combine all global groups that need access to the same resources into the domain local group that controls those resources.
4. Assign permissions to the resources to the domain local group.

Strategy: AGUDLP
Use: Native mode domains, when there is more than one domain and you need to grant access to similar groups defined in multiple domains.
Description: A: Place user Accounts; G: Into Global groups; U: Into Universal groups; DL: Into Domain Local groups; P: Assign Permissions to domain local groups.
Application: Universal groups should be used when you need to grant access to similar groups defined in multiple domains. It is best to add global groups to universal groups, instead of placing user accounts directly in universal groups.
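As an added example (not from the original notes), this PowerShell walks the four AGDLP steps for one shared folder with the Dsadd and Dsmod tools listed later in these notes and with Cacls for the permission; the domain, OU, user DNs, group names and share path are constructed sample values, and Invoke-Ds is a helper of my own.

```powershell
# Added example: AGDLP for one resource. Accounts -> Global group -> Domain
# Local group -> Permission on the folder. Sample names throughout.
$DomainDn = 'DC=corp,DC=example'
$GroupOu  = "OU=Groups,$DomainDn"
$Resource = 'D:\Shares\Finance'            # folder whose permissions we control
$NetBios  = 'CORP'                         # NetBIOS name of the sample domain

# A: accounts that perform the same job (sample DNs)
$Accounts = @("CN=Alice,OU=Users,$DomainDn", "CN=Bob,OU=Users,$DomainDn")

# G: global group named for the job role; DL: domain local group named for the
# resource and the access level it grants.
$GlobalDn = "CN=G_Finance_Staff,$GroupOu"
$LocalDn  = "CN=DL_Finance_Modify,$GroupOu"

function Invoke-Ds {
    # Runs one command-line tool and stops on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Group the accounts in a global security group (-scope g).
Invoke-Ds 'dsadd.exe' @('group', $GlobalDn, '-scope', 'g', '-secgrp', 'yes',
                        '-desc', 'Finance staff (role group)')
Invoke-Ds 'dsmod.exe' (@('group', $GlobalDn, '-addmbr') + $Accounts)

# 2. Create the domain local group that controls the resource (-scope l).
Invoke-Ds 'dsadd.exe' @('group', $LocalDn, '-scope', 'l', '-secgrp', 'yes',
                        '-desc', "Modify access to $Resource")

# 3. Nest the global group in the domain local group.
Invoke-Ds 'dsmod.exe' @('group', $LocalDn, '-addmbr', $GlobalDn)

# 4. Assign the permission to the domain local group only. cacls /E edits the
#    existing ACL instead of replacing it; :C grants Change (Modify).
#    Users never appear on the ACL directly; they get access through G -> DL.
Invoke-Ds 'cacls.exe' @($Resource, '/E', '/G', "$NetBios\DL_Finance_Modify:C")
```

Adding a new analyst later is then a single dsmod -addmbr on the global group, with no change to the folder's ACL.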

User Profile Facts
You should know the following facts about user profiles:
• Roaming user profiles store the profile contents on centrally-managed network servers and allow users to log on to different workstations while maintaining their Windows desktop.
• Mandatory user profiles allow all users to make changes to their desktops, but those changes are not saved to the profile. Users are forced to start each logon session with the original profile.
• If a user's roaming Windows profile is unavailable during log on, Windows will use a copy of the locally-cached profile, warn the user of a possible network error, and allow the user to log on.
• User account profile configuration and network path information is associated with the account and will move with the account. This allows simple moves of user account objects and minimizes the administrative effort.
User Profile Management Tasks
The following list describes some common profile management tasks and the recommended method for completing them.
To . . . Do . . .
Create a new profile Log on as a user without a profile. User profiles are created automatically, using the Default Users profile as a template. (You can also set access permissions on a copied profile for use as a new profile.)
Edit an existing profile Log on as the user, then use the Windows interface to modify the desktop, Start Menu, taskbar, and other preferences.
Create Start Menu or Desktop shortcuts Copy the desired shortcuts to the appropriate folder within the user profile.
Copy a profile Use the User Profiles tool to copy the profile to a new location. If you simply copy the subfolders to a new location, registry settings and permissions will not be properly modified.
Note: You cannot copy the profile of a logged on user.
Make a mandatory user profile Use Explorer to rename the Ntuser.dat file to Ntuser.man.
Make a roaming user profile Copy the profile to a network share. Use the Profile tab in the user account properties to enter the path to the user's roaming profile.
Assign a specific profile Edit the properties of the user account (either local or domain user) to identify the specific profile (either to a user roaming or otherwise) to use.
Delete a profile Use the User Profiles tool. Do not simply delete the folder as registry settings will not be modified appropriately.
Note: You cannot delete the profile of a logged on user.

Computer Account Facts
You should know the following facts about computer accounts:
• To join a computer to a domain:
o Create a computer account in Active Directory.
o Join the computer to the domain.
• Members of the Administrators or Account Operators group can join an unlimited number of computers to a domain.
• By default, domain users can join up to 10 computers to a domain from a workstation.
• Computers added to the domain from a workstation are added to the built-in Computers container.
• Because the Computers container cannot be linked to policies, create computer accounts beforehand in an OU for computer accounts.
• If the organization uses a separate OU for computers, any computer accounts created automatically in the Computers container must be moved to the correct OU.
• Windows 98 computers cannot use a computer account in a domain.
• You can use the Dsadd and Netdom utilities to create computer accounts.
• A computer account must connect to the network before it will display information about OS and Service Pack changes.
Troubleshooting Logon
Both users and computers must log on to the domain. User logon is accomplished by supplying a valid username and password combination. If users are having trouble logging on, check the following:
• Verify the correct logon name is being used, with the correct UPN suffix. Make sure the corresponding user account exists in Active Directory.
• Make sure the user account is enabled.
• If the user has tried many times unsuccessfully, and receives a message stating the user account is locked, unlock the user account.
• If necessary, change the password for users who might have forgotten the password.
Computer account logon happens automatically in the background. Failure to log on might result in a failure to use network resources or gain access to the local computer. To troubleshoot computer accounts, apply the following steps:
1. If the computer account exists, reset the account in Active Directory.
2. If the account does not exist, create it.
3. If troubles persist, remove the computer from the domain and add it to a workgroup (use a workgroup name not currently in use). Rejoin the domain.
Command Prompt Tools
Command Description
DSAdd Create a new object in Active Directory
DSQuery Find the location of information or the setting of an object (allows a search through the whole forest)
DSGet Retrieve property information about an object
DSMod Modify or change an object
DSMove Move objects from one location to another
DSRm Remove (delete) objects
Movetree Move an OU and its contents
Ldifde Create, modify, and delete directory objects on computers running Windows Server 2003. You can also use it to export AD user and group information to other applications and services and populate AD with data from other directory services.
Csvde Imports and exports data from AD using files that store data in the comma-separated value (CSV) format.
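As an added example (not from the original notes), this PowerShell runs the user-logon checklist above against Active Directory through a DirectorySearcher (the same directory the Ds* tools query) and reports whether the account exists, is disabled, is locked out, or must change its password; the function name and the sample logon name "alice" are my choices.

```powershell
# Added example: automate the "user cannot log on" checks.
function Test-DomainUserLogon {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    foreach ($p in 'userAccountControl', 'lockoutTime', 'userPrincipalName', 'pwdLastSet') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    $result = $searcher.FindOne()

    $report = New-Object PSObject -Property @{
        SamAccountName = $SamAccountName; Exists = $false; UPN = $null
        Disabled = $false; LockedOut = $false; MustChangePassword = $false; Findings = @()
    }
    if (-not $result) {
        $report.Findings += "No account '$SamAccountName' in Active Directory; verify the logon name and UPN suffix."
        return $report
    }

    # First value of an attribute, or $null when the attribute is not set.
    $get = { param($name)
        if ($result.Properties.Contains($name)) { $result.Properties[$name][0] } else { $null } }

    $ACCOUNTDISABLE = 0x2                             # userAccountControl flag bit
    $uac         = [int](& $get 'useraccountcontrol')
    $lockoutTime = [int64](& $get 'lockouttime')      # 0 or absent: not locked (or already unlocked)
    $pwdLastSet  = [int64](& $get 'pwdlastset')       # 0: user must change password at next logon

    $report.Exists             = $true
    $report.UPN                = & $get 'userprincipalname'
    $report.Disabled           = (($uac -band $ACCOUNTDISABLE) -ne 0)
    $report.LockedOut          = ($lockoutTime -gt 0)
    $report.MustChangePassword = ($pwdLastSet -eq 0)

    if ($report.Disabled)  { $report.Findings += 'Account is disabled: enable it.' }
    if ($report.LockedOut) { $report.Findings += 'Account is locked out: unlock it and review the failed-logon events behind the lockout.' }
    if ($report.MustChangePassword) { $report.Findings += 'Password must be changed at next logon; the user may be entering an old password.' }
    if ($report.Findings.Count -eq 0) {
        $report.Findings += 'Account exists, is enabled and is not locked; check the password, then the computer account.'
    }
    return $report
}

Test-DomainUserLogon -SamAccountName 'alice' | Format-List
```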
Group Policy Facts
Group policy is a tool used to implement system configurations that can be deployed from a central location through GPOs (Group Policy Objects).
You should know the following Group Policy facts:
• GPOs contain hundreds of configuration settings.
• GPOs can be linked to Active Directory sites, domains, or organizational units (OUs).
• GPOs include computer and user sections. Computer settings are applied at startup. User settings are applied at logon.
• A GPO only affects the users and computers beneath the object to which the GPO is linked.
• Group policy settings take precedence over user profile settings.
• A local GPO is stored on a local machine. It can be used to define settings even if the computer is not connected to a network.
• GPOs are applied in the following order:
1. Local
2. Site
3. Domain
4. OU
• If GPOs conflict, the last GPO to be applied overrides conflicting settings.
• The Computers container is not an OU, so it cannot have a GPO applied to it.
• Group policy is not available for Windows 98/NT clients or Windows NT 4.0 domains.
• You can use a GPO for folder redirection, which customizes where user files are saved. (For example, you can redirect the My Documents folder to point to a network drive where regular backups occur. Folder redirection requires Active Directory-based group policy.)
• Configuring a domain group policy to delete cached copies of roaming user profiles will remove the cached versions of the profile when a user logs off.
To manually refresh group policy settings, use the Gpupdate command with the following switches:
Switch Function
No switch Refresh user and computer-related group policy.
/target:user Refresh user-related group policy.
/target:computer Refresh computer-related group policy.
Installing Devices
When installing devices:
• Begin by adding the device to the system or plugging the device in. Windows automatically detects and installs drivers for Plug and Play devices.
• For undetected legacy devices, you might need to:
o Run the setup program that came with the device.
o Use the Add New Hardware wizard to install a device driver manually.
o Manually set IRQ, DMA, or I/O addresses.
o Manually select and install the driver.
Device Management Facts
You should know the following facts about managing devices:
• You can connect to remote computers using the WinMSD utility or Device Manager.
• Use Device Manager to disable devices that you suspect are causing system problems.
• Use Control Panel applets to adjust properties for individual devices like modems or video hardware.
• The Hardware Troubleshooting Wizard steps users through the process of identifying system problems.
• You can manually assign resources using Device Manager.
• If a problem with a device prevents you from booting or affects system stability, boot into Safe Mode to disable the device or change the device properties.

Drivers
To update drivers:
• Use Windows Update to automatically check for new drivers.
• Download the new driver and run the program to install it.
• Download the new driver and use Device Manager to update and install the new driver.
To control how unsigned drivers are installed on the system, use the following settings:
• Block (prevents unsigned driver installation)
• Warn (allows installation, but with an error message)
• Ignore/Silently Succeed (install)
To protect against unsigned drivers:
• Enforce driver signing on the system through the System applet or Group Policy.
• Use group membership and user rights to prevent normal users from installing drivers (Power Users or Administrators only can install drivers).
• The Hardware Compatibility List (HCL) includes all devices for which a signed driver is available.
• Driver Rollback allows you to restore an original driver when a new driver causes system problems.
File Verification Programs
The following table summarizes the file verification tools you can use to verify driver signatures and file integrity.
Program Features
Sigverif.exe GUI-based tool that searches for unsigned files.
By default, it searches only the Windows directory (click the Advanced button to search other locations).
The program returns a list of files without digital signatures.
Driverquery.exe /si Command-line tool that checks the digital signatures of drivers that are in use.
Use the /si switch to request the signature status of the drivers.
The report lists each device, the .inf file for the device, and the signed status of the driver.
Msinfo32.exe GUI-based tool that displays the list of devices and information about each device (including the driver, driver date, and signature status).
The report shows every installed device and the signed status of the drivers.
Sfc.exe /scannow Tool that scans system files to ensure that they have not been replaced or corrupted.
Use the /scannow switch to force an immediate check of the system.
Use the tool to automatically replace bad files.
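As an added example (not from the original notes), this PowerShell wraps Driverquery.exe /si from the table so that unsigned in-use drivers are listed by a script rather than read off the report by eye; the function names are mine, and the column names are taken from Driverquery's own CSV header row.

```powershell
# Added example: scripted version of the Driverquery.exe /si check.
function Get-UnsignedDriver {
    # /fo csv makes the report parseable; the header row names the columns.
    $report = driverquery.exe /si /fo csv | ConvertFrom-Csv
    $report | Where-Object { $_.IsSigned -eq 'FALSE' } |
        Select-Object DeviceName, 'INF Name', Manufacturer
}

function Test-AllDriversSigned {
    $unsigned = @(Get-UnsignedDriver)
    if ($unsigned.Count -gt 0) {
        Write-Warning ("{0} unsigned driver(s) in use; check them against the HCL and the vendor before trusting them." -f $unsigned.Count)
        $unsigned | Format-Table -AutoSize
        return $false
    }
    return $true
}

Test-AllDriversSigned
```

Scheduling this alongside Sfc.exe /scannow gives a repeatable record of which boxes are running unsigned code.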

File System Facts
The following table indicates which file systems support which capabilities.
Feature                                     FAT   FAT32   NTFS
Long file names                              X      X       X
Larger than 2 GB/4 GB partitions                    X       X
Smaller clusters                                    X       X
Enhances file security through permissions                  X
Folder and file level encryption                            X
Folder and file level compression                           X
Disk quotas                                                 X
Use the Convert.exe utility to modify the file system without reformatting and losing data. To convert the C:\ drive to NTFS, use the following command:
convert C: /fs:ntfs
Basic and Dynamic Disks
Keep in mind the following when using basic disks.
• A basic disk has a limit of four partitions, only one of which can be an extended partition.
• One primary partition must be marked active.
• Most operating systems can recognize only one primary partition. All other primary partitions are invisible. (Windows NT/2000/XP/Server 2003 can recognize multiple primary partitions.)
• The active primary partition is represented with one drive letter (C:). The extended partition can be divided into multiple logical drives (up to 26).
Keep in mind the following when using dynamic disks.
• Windows 2000/XP/Server 2003 recognize dynamic disks.
• Volumes on dynamic disks are like partitions and logical drives on basic disks.
• A volume can be made of non-contiguous space on a single drive or space taken from more than one drive.
• You cannot install the operating system on a dynamic disk. You can, however, upgrade a basic disk containing the operating system to dynamic after installation.
Keep in mind the following points as you plan whether to implement basic or dynamic disks.
• A hard disk must be either basic or dynamic; it cannot be both at once.
• Windows 2000/XP/Server 2003 use basic storage by default.
• MS-DOS and all versions of Microsoft Windows support basic storage.
• Dynamic storage was new to Windows 2000 and previous Windows operating systems cannot use it (this is especially important if you plan to multi-boot to other operating systems).
• Dynamic storage is not supported on portable computers because they normally have only one internal hard drive and cannot take advantage of advanced dynamic storage features.
To convert a basic disk to a dynamic disk, right click the volume in Computer Management and choose Convert to dynamic disk. Or, use the Diskpart command at the command line.
Volume Characteristics: The following table summarizes volume types and their characteristics.
Volume Type Characteristics
Simple volume: Contains a single, contiguous block of space from a single hard disk.
Extended volume: Contains space from multiple areas on the same disk. An extended volume that spans two disks is a spanned volume.
Spanned volume: Combines areas from two or more disks into one storage unit.
  Fills the first area, then the second, and so on.
  Does not provide fault tolerance. If one hard disk fails, you lose all data.
  Cannot contain system or boot files.
Note: Only dynamic disks support extended, spanned, striped, mirrored, or RAID volumes.
Mirrored and RAID volumes are supported only on server versions of Windows. These volume types provide fault tolerance and improve performance.

Redundancy and Fault Tolerance
You should know the following facts about RAID volumes:
Redundant Array of Independent Disks (RAID) combines the use of two or more disks for fault tolerance and performance.
• Windows supports three RAID levels: 0 (striping), 1 (mirroring), and 5 (striping with parity).
• RAID0 uses data striping but no redundancy for improving performance.
• RAID1 uses disk mirroring for providing fault tolerance.
• RAID5 uses disk striping with parity for performance and fault tolerance.
• The Windows interface uses the term RAID to refer to RAID 5 or striping with parity.
• Overhead refers to the amount of extra (or "wasted") disk space required to add fault tolerance.
o RAID5 volumes use one disk in the set for fault tolerance (a three-disk set has 33% overhead, a four-disk set has 25% overhead).
o Mirrored volumes have 50% overhead (meaning one disk in two is used for fault tolerance).
The following table summarizes volumes that provide redundancy and fault tolerance.
Volume Type Characteristics
Mirrored volume: Stores data to two duplicate disks simultaneously.
  Fault tolerant: if one disk fails, the data is preserved on the other.
  The system switches immediately from the failed disk to the functioning disk to maintain service.
Striped volume: Uses storage areas on several different disks.
  Improves performance by writing to multiple disks simultaneously.
  Uses disk areas similar in size. The amount of space used on each disk is equal to the smallest area.
  Saves data from a single file on multiple disks.
  Is not fault tolerant. If one hard disk in the set fails, you lose all data on all disks.
  Cannot contain system or boot files.
RAID5 volume: Contains three or more disks.
  Like a striped volume, portions of a single file are written to each disk in the set.
  Adds fault tolerance to striping through parity (data recovery information is added to each disk).
  Often called a striped set with parity.

Disk Management Facts
Use the following command-line commands to manage disks:
Command Description
DiskPart Manage disks, partitions, and volumes by using scripts or direct input from the command prompt
Defrag Locates and consolidates fragmented boot files, data files, and folders on local volumes
Cscript Allows you to run scripts from the command-line-based script host.
You should also know the following facts about disk management:
• When you move a disk that has been installed and used in another computer, you might need to import the disk. In Disk Management, right-click the disk and choose Import Foreign Disks.
• Using Disk Management, you can analyze a disk for defragmentation before using the defragmentation utility.
• Use Disk Management to reactivate volumes in a RAID-5 configuration. This improves performance after a disk in the configuration has been replaced.
You should know the following facts about recovering failed disks:
• To recover a failed disk in a mirror configuration:
1. Break the mirror.
2. Delete the failed disk.
3. Recreate the mirror to a new disk (make sure the disk is upgraded to a dynamic disk first).
• To recover a failed disk in a RAID5 configuration:
1. Repair the volume on a new dynamic disk.
2. Delete the old disk.
• To recover a volume in a failed operating system:
1. Move the disk to a new machine.
2. Import the foreign disk on the new system.

Volume Mount Points
A volume mount point allows you to use another partition in the computer and represent it as a folder in an existing partition. This allows you a great deal of flexibility when you need to expand storage requirements. You should know the following facts about volume mount points:
• Both partitions must be formatted with NTFS.
• You can use either partitions on basic disks or volumes on dynamic disks for volume mount points.
• The folder on the source partition must be empty.
• The target partition must not have a drive letter.
• Multiple folders can reference the same target partition.
Boot.ini Facts
The Boot.ini file is responsible for the following operations:
• Launching the menu for operating system selection during startup
• Pointing to the system files for the selected operating system
• Identifying the controller, hard disk, and partition where the system files are located
The ARC path locates the system files and contains the following elements:
Entry Meaning and Use
MULTI(x) or SCSI(x): Identifies the controller location.
  Use multi(x) if the disk controller is a SCSI device with its BIOS enabled or is a non-SCSI device.
  Use scsi(x) only if the disk controller is a SCSI device with its BIOS disabled.
  The value for x begins at 0.
DISK(x): Identifies the disk location.
  If the first component of the ARC name is scsi, disk(x) indicates which SCSI disk the operating system is located on.
  If the first component of the ARC name is multi, this component is always disk(0), and the disk containing the operating system is indicated by the rdisk(x) component.
  The value for x begins at 0.
RDISK(x): Identifies the disk location.
  If the first component of the ARC name is multi, rdisk(x) indicates which physical disk the operating system is located on.
  If the first component of the ARC name is scsi, this component is always rdisk(0), and the disk containing the operating system is indicated by the disk(x) component.
  The value for x begins at 0.
PARTITION(y): Identifies which partition holds the boot files.
  The value for y begins at 1.
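As an added worked example (not part of the course notes), the following Python script parses a constructed Boot.ini and checks every ARC path against the rules in the table; the sample file contents and the switch values in it are assumptions made for the example.

```python
import re

# An ARC path as laid out in the table above: controller, disk, rdisk,
# partition, then optionally the system directory (for example \WINDOWS).
ARC_RE = re.compile(
    r"^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\\S*)?$",
    re.IGNORECASE,
)


def parse_arc_path(arc):
    """Split an ARC path into its parts and apply the table's rules:
    partition numbering starts at 1, multi() implies disk(0), and scsi()
    implies rdisk(0). Returns a dict; raises ValueError for a bad path."""
    m = ARC_RE.match(arc.strip())
    if not m:
        raise ValueError(f"not an ARC path: {arc!r}")
    kind, ctrl, disk, rdisk, part, sysdir = m.groups()
    kind = kind.lower()
    ctrl, disk, rdisk, part = int(ctrl), int(disk), int(rdisk), int(part)
    if part < 1:
        raise ValueError("partition() numbering begins at 1")
    if kind == "multi" and disk != 0:
        raise ValueError("with multi(), disk() is always 0; rdisk() selects the disk")
    if kind == "scsi" and rdisk != 0:
        raise ValueError("with scsi(), rdisk() is always 0; disk() selects the disk")
    return {
        "controller": kind,
        "controller_index": ctrl,
        "disk": disk,
        "rdisk": rdisk,
        "partition": part,
        # Which physical disk holds the system files depends on the controller kind.
        "os_disk": rdisk if kind == "multi" else disk,
        "system_dir": sysdir or "",
    }


def arc_is_valid(arc):
    """True if the path parses and satisfies the rules, else False."""
    try:
        parse_arc_path(arc)
        return True
    except ValueError:
        return False


def parse_boot_ini(text):
    """Parse the [boot loader] and [operating systems] sections of a Boot.ini
    file. Returns (default_arc, entries); each entry holds the parsed ARC
    path, the menu description and any trailing switches."""
    section, default, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "default":
                default = parse_arc_path(value)
        elif section == "operating systems":
            path, _, rest = line.partition("=")
            # The menu text is quoted; anything after the closing quote is switches.
            m = re.match(r'\s*"([^"]*)"\s*(.*)$', rest)
            if not m:
                raise ValueError(f"bad [operating systems] entry: {line!r}")
            entries.append({"arc": parse_arc_path(path),
                            "description": m.group(1),
                            "switches": m.group(2).split()})
    if default is None:
        raise ValueError("no default= line in [boot loader]")
    return default, entries


# Constructed sample Boot.ini (not from a real system): two installations,
# the second on the second partition of the second disk on an IDE controller.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003" /fastdetect
multi(0)disk(0)rdisk(1)partition(2)\\WINNT="Windows 2000 (second disk)" /fastdetect
"""


def sample_os_disks():
    """(physical disk, partition) that each menu entry in the sample boots from."""
    _, entries = parse_boot_ini(SAMPLE_BOOT_INI)
    return [(e["arc"]["os_disk"], e["arc"]["partition"]) for e in entries]


if __name__ == "__main__":
    default, entries = parse_boot_ini(SAMPLE_BOOT_INI)
    print("default entry boots from disk", default["os_disk"], "partition", default["partition"])
    for e in entries:
        print(e["description"], "->", e["arc"], e["switches"])
```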
Backup Facts
Most backup methods use the archive bit on a file to identify files that need to be backed up. When a file is modified, the system automatically flags the file as needing to be archived. When the file is backed up, the backup method may reset (clear) the archive bit to indicate it has been backed up.
The following table shows the type of data backed up using each backup method.
Backup Type Backs Up Resets Archive Bit?
Full: Backs up all files regardless of the archive bit. Resets archive bit: Yes
Incremental: Backs up files on which the archive bit is set. Resets archive bit: Yes
Differential: Backs up files on which the archive bit is set. Resets archive bit: No
Copy: Backs up all files regardless of the archive bit. Resets archive bit: No
Most of the time, you will perform backups using a strategy that combines backup types. The following table compares common backup strategies.
Strategy Backup Characteristics Restore Characteristics
Full Backup: Requires large tapes for each backup. Takes a long time to perform each backup. Restore: restore only the last backup.
Full + Incremental: Incremental backups are quick to perform; this is the fastest backup method. Restore: restore the full backup and every subsequent incremental backup.
Full + Differential: Differential backups take progressively longer to complete as time elapses since the last full backup. Restore: restore the last full backup and the last differential backup. Next to a full backup, this is the fastest restore method.
Note: Do not combine incremental and differential backups.
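As an added illustration (not part of the course notes), this Python script simulates the archive bit over a constructed week of changes: it shows which files each backup type picks up, which types clear the bit, and which backups a restore needs under the Full + Incremental and Full + Differential strategies. The file names and the change schedule are constructed for the example.

```python
from dataclasses import dataclass

# Each backup type from the table above is two rules: which files it selects,
# and whether it clears the archive bit on the files it backed up.
SELECTS_ALL = {"full", "copy"}          # ignore the archive bit when selecting
RESETS_BIT = {"full", "incremental"}    # clear the bit afterwards


@dataclass
class File:
    name: str
    archive: bool = True   # Windows sets this whenever the file is modified


def modify(files, *names):
    """Simulate the system flagging changed files as needing to be archived."""
    for f in files:
        if f.name in names:
            f.archive = True


def backup(files, kind):
    """Run one backup of the given type and return the sorted names of the
    files it contains. Only full and incremental backups clear the bit."""
    if kind not in SELECTS_ALL | {"incremental", "differential"}:
        raise ValueError(f"unknown backup type: {kind}")
    selected = [f for f in files if kind in SELECTS_ALL or f.archive]
    if kind in RESETS_BIT:
        for f in selected:
            f.archive = False
    return sorted(f.name for f in selected)


def run_schedule(strategy, daily_changes):
    """Take a full backup, then one backup of the given type per day, with the
    listed files modified before each day's backup. Returns the backups
    taken, in order, as (kind, file names) pairs."""
    files = [File(n) for n in ("a.doc", "b.xls", "c.txt")]
    history = [("full", backup(files, "full"))]
    for changed in daily_changes:
        modify(files, *changed)
        history.append((strategy, backup(files, strategy)))
    return history


def restore_set(history):
    """Which backups must be restored, in order, per the strategy table: the
    last full plus every later incremental, or the last full plus only the
    last differential. A mixed history is refused, as the note says."""
    last_full = max(i for i, (kind, _) in enumerate(history) if kind == "full")
    later = history[last_full + 1:]
    kinds = {kind for kind, _ in later}
    if kinds <= {"incremental"}:
        return [history[last_full]] + later
    if kinds == {"differential"}:
        return [history[last_full], later[-1]]
    raise ValueError("restore set is defined only for full + incremental or full + differential")


# Constructed week: a.doc changes Monday, b.xls Tuesday, a.doc again Wednesday.
WEEK = [("a.doc",), ("b.xls",), ("a.doc",)]

if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        history = run_schedule(strategy, WEEK)
        print(strategy, "backups taken:", history)
        print(strategy, "needed to restore:", restore_set(history))
```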
Keep in mind the following facts about doing backups:
• Back up user data more often than system state data (it changes more frequently).
• Back up system state data whenever you make a system change.
• System state data includes the registry, COM+ Class Registration database, system files, boot files, files under Windows File Protection, and the Certificate Services database.
• During a system data backup, all system data is backed up (system data cannot be backed up selectively in portions).
• Files backed up from one system might not restore to another system. Restore to a system running the same OS.
• Be sure to test your backup and restore strategy. It does no good to back up your data if you can't restore it.
• A normal Directory Services restore refers to a process wherein you restart the domain controller in Directory Services Restore Mode and restore system state data.
• Using the Services snap-in, Windows Backup, or the Scheduled Tasks window, you can start the Task Scheduler service. You must have the Task Scheduler service running before you can schedule a backup.
• In order for a scheduled task to run, you must specify a local service account and password.
Backup Devices Facts
Terms and definitions:
• Removable storage: Storage media (tape) that can be removed from the device.
• Media pool: The space on the removable storage where the backup is performed, and where the backed up files will be physically located.
To configure a backup device, begin by installing the device and making sure it is recognized and configured in Device Manager.
• To install devices, you must be a member of the Power Users or Administrators group.
• For parallel backup devices with bi-directional control, enable enhanced parallel port (EPP) in the BIOS.
After configuring the device, enable the media (the tape) in Computer Management to see the tape itself. There are two modes for viewing media:
• Full mode allows you to see the media pool as well as all the nodes inside the media pool. This lets you select exactly what you want to restore or back up.
• Simple mode lets you see only the media pool.
Make users members of the Backup Operators group to enable them to back up and restore files.
• Backup Operators cannot view, edit, or delete files.
• To allow Backup Operators to eject the backup media, assign the Eject media user right to the Backup Operators group.

NTFS Permission Facts
The following table summarizes the permissions for folders and files.
Permission Allowed Actions
Read View folder details and attributes. View file attributes; open a file.
Write Change folder or file data and attributes.
List Folder Contents Includes all Read actions and adds the ability to view a folder's contents.
Read & Execute Includes all Read actions and adds the ability to run programs.
Modify Includes all Read & Execute and Write actions and adds the ability to add or delete files.
Full Control Includes all other actions and adds the ability to take ownership of and change permissions on the folder.
Use these suggestions to help you plan NTFS permissions.
• Identify the users and their access needs (i.e., the actions they need to be able to perform).
• Based on the types of users you identify, create groups for multiple users with similar needs, and then make users members of groups.
• Assign each group (not user) the permissions appropriate to the group's data access needs. (Grant only the permissions that are necessary.)
• As you assign permissions, take inheritance into account. Set permissions as high as possible on the parent container and allow each child container to inherit the permissions.
• When necessary, you can override inheritance on a case by case basis.
• Deny always overrides Allow, so be careful when you use it.
Shared Folder Facts
The following table lists the share permissions and the level of access the permission allows.
Permission Actions
Read: Browse the shared folder and its files; open files in the shared folder and its subfolders; copy files from the shared folder; run programs.
Change: All Read actions (browse, open files, copy files from the folder, run programs), plus write to files and change file attributes; create new files and subfolders; copy files to the shared folder; delete files or subfolders.
Full Control: All Read and Change actions, plus configure share permissions.
Here are some additional facts you should know:
• You can publish a share in Active Directory to allow users to access it more easily.
• If a program in a shared folder crashes and refuses to run on the client computer, terminate the user session using the Shared Folders option in Device Manager.
Share Access Facts
Use both share and NTFS permissions to secure network resources. (When used in combination, remember that the most restrictive set of permissions will apply.) Here is a common strategy for administering resources with share and NTFS permissions:
1. Secure the folder with NTFS permissions.
2. Share the folder using Allow Full Control for Everyone.
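To show how the combination works, here is an added Python model (not part of the course notes) that computes a user's effective actions from constructed NTFS and share ACLs: Deny entries are subtracted from Allow entries, and the share and NTFS results are intersected so the most restrictive set wins. The action names, group names and ACLs are assumptions for the example, and local access (no share ACL given) is modelled as NTFS-only.

```python
# Action sets for each permission level, taken from the NTFS and share
# permission tables above. The action names are abstract labels used only here.
NTFS_PERMS = {
    "Read": {"read"},
    "Write": {"write"},
    "List Folder Contents": {"read", "list"},
    "Read & Execute": {"read", "execute"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "list", "execute", "write", "delete",
                     "take ownership", "change permissions"},
}
SHARE_PERMS = {
    "Read": {"read", "list", "execute"},
    "Change": {"read", "list", "execute", "write", "delete"},
    "Full Control": {"read", "list", "execute", "write", "delete",
                     "change permissions"},
}


def _resolve(acl, table, principals):
    """Union every Allow entry that applies to the principals, then remove
    every applicable Deny entry: Deny always overrides Allow."""
    allowed, denied = set(), set()
    for principal, kind, perm in acl:
        if principal in principals:
            (denied if kind == "Deny" else allowed).update(table[perm])
    return allowed - denied


def effective_actions(user, groups, ntfs_acl, share_acl=None):
    """Actions the user can perform. Entries for the user's own name, their
    groups, and Everyone apply. When the resource is reached through a share
    (share_acl given), the share permissions apply as well and the result is
    the intersection, i.e. the most restrictive set. Assumption of this
    model: local access (share_acl is None) is governed by NTFS alone."""
    principals = {user, "Everyone", *groups}
    actions = _resolve(ntfs_acl, NTFS_PERMS, principals)
    if share_acl is not None:
        actions &= _resolve(share_acl, SHARE_PERMS, principals)
    return actions


# Constructed ACLs following the strategy above: the share is wide open
# (Everyone: Full Control) and the NTFS permissions do the real securing.
NTFS_ACL = [
    ("Administrators", "Allow", "Full Control"),
    ("Sales", "Allow", "Modify"),
    ("Contractors", "Deny", "Write"),
]
SHARE_ACL = [("Everyone", "Allow", "Full Control")]


def demo():
    """Effective actions for a few constructed users, sorted for display."""
    return {
        # Sales member over the network: NTFS Modify is the limiting factor.
        "alice": sorted(effective_actions("alice", {"Sales"}, NTFS_ACL, SHARE_ACL)),
        # Also a Contractor: the Deny on Write removes "write" despite Modify.
        "bob": sorted(effective_actions("bob", {"Sales", "Contractors"}, NTFS_ACL, SHARE_ACL)),
        # Same NTFS rights, but reached through a share that grants only Read.
        "carol": sorted(effective_actions("carol", {"Sales"}, NTFS_ACL,
                                          [("Everyone", "Allow", "Read")])),
        # No NTFS entry applies: the open share alone grants nothing.
        "dave": sorted(effective_actions("dave", set(), NTFS_ACL, SHARE_ACL)),
    }


if __name__ == "__main__":
    for user, actions in demo().items():
        print(f"{user}: {', '.join(actions) or '(no access)'}")
```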
An administrative share is a share hidden from browsing. Keep in mind the following facts about Administrative shares.
• Administrative shares are hidden by following the sharename with a $.
• Default Administrative shares are accessible only to members of the Administrators group.
• Any share can be hidden by appending the $ to the sharename.
• A hidden share can only be accessed through the UNC path (they do not appear when you browse).
Disk Quota Facts
Keep the following in mind as you work with disk quotas.
• Quotas can only be set on NTFS volumes. The Quota tab will not be shown for FAT volumes.
• Every file and folder that users create, copy, save, or take ownership of on a volume or partition counts toward their disk quota.
• The space available for applications to save files to is equal to the amount of space left in a user's quota.
• Each NTFS volume or partition on a hard disk has its own set of disk quotas, even if they are on the same hard disk.
• System and application files count toward disk quotas, so the user account which installs software needs a higher limit.
• You cannot set a quota limit on the built-in Administrator account.
• You cannot delete a user's account quota until you remove or take ownership of all of that user's files on the volume.
• You can use the Fsutil.exe command to manage quotas from the command prompt.
Quota configurations:
Configuration State
Disabled File usage data is not collected and storage space is not limited.
Tracked File usage data is collected, but storage space is not limited. Users can exceed their quota limit.
Enforced Warning levels and restrictions are enforced to prevent users from exceeding disk space limitations.
If a user exceeds the quota limit, take one of the following actions:
• Delete files owned by the user.
• Change ownership of files (quota limits are enforced based on owned files).
• Move files to other volumes (quota limits are enforced on a volume or partition basis).
• Increase the quota limit.
You cannot reduce the amount of space used by files by compressing them. Quotas count the uncompressed size of a file toward the quota limit.
File Compression Facts
Keep the following information in mind when working with folder and file compression.
• When you compress a file, Windows makes a copy of the file, compresses it, then replaces the original file with the compressed one.
• When you open a compressed file, Windows decompresses the file. The decompressed file is used by the application.
• You cannot save or copy a compressed folder or file to a disk containing less free space than the folder or file would be uncompressed.
• Compression and encryption cannot be used on folders or files at the same time.
• Apply data compression to files that change size dramatically. For example, bitmap and spreadsheet files compress by a much larger percentage than application or word-processing files.
• Do not compress files that are already compressed using another compression utility.
• Use zipped folders to share compressed files with other computers.
• NTFS compression on volumes with cluster sizes larger than 4 KB is not supported.
Copying and moving files and folders can affect their compressed state. To determine the final state of a file or folder, remember the following rules.
• If you copy or move a compressed file or folder to a non-NTFS partition, the file or folder is uncompressed (other file systems do not support NTFS compression).
• If you copy a compressed file or folder, it inherits the compressed state of the destination folder.
• If you move a compressed file or folder to the same NTFS partition, it retains its compressed state.
• If you move a compressed file or folder to another NTFS partition, it inherits the compressed state of the destination folder.
• If you copy or move a zipped folder, it always remains zipped (regardless of the destination file system).
Compact.exe is a command prompt tool that you can use to set and manage compression. The following table summarizes some options for the Compact.exe command.
Option Action
/C Compresses the specified files. Folders are marked with the compressed attribute.
/S Compresses all subfolders of the specified folder.
/U Uncompresses the specified files. Folders are marked with the uncompressed attribute.
For example, the following command will compress all files in the C:\Documents\Transfer folder, including all subfolders:
Compact /C C:\Documents\Transfer\*.* /S
Encryption Facts
Keep the following information in mind as you work with EFS.
• You must have Write permission to a folder or file to encrypt it.
• Windows transparently decrypts and encrypts folders and files as users use them.
• You cannot encrypt System or Read-only files.
• Encryption and compression cannot be used on folders or files at the same time.
• If you are having trouble opening encrypted folders or files, make sure you are logged in to the user account that encrypted the folder or file and that you still have permissions for the file.
• In a workgroup, the local Administrator user account is the default recovery agent.
• In a domain, the domain Administrator account is the default recovery agent.
• To recover encrypted files, the files and recovery key need to be on the same computer.
• Without the private key or recovery key, you cannot copy or move an encrypted file. You can, however, back up the files and restore them to the computer where a recovery key is located.
• You can also export the recovery key and import it onto the computer storing the files you want to recover.
• You can add additional authorized users to files (not folders) who will be able to open encrypted files.
• Implement encryption through the file or folder properties. Or, use the Cipher command to encrypt files and folders.
Copying and moving files might change the encrypted state of the file. To determine the final state of a file, remember the following rules.
• If you copy or move an encrypted file or folder to a non-NTFS partition, the file or folder is unencrypted (other file systems do not support encryption).
• If you copy or move an encrypted file to an NTFS partition (either to the same one or to a different one), the file remains encrypted.
• If you copy an unencrypted file to an encrypted folder, the file is encrypted.
• If you move an unencrypted file into an encrypted folder, the file remains unencrypted.
• Encryption is preserved when the file is backed up.
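As an added example covering both the compression rules and the encryption rules above (not part of the course notes), this Python script encodes those rules as functions and evaluates a set of constructed copy and move cases. It generalises the copy rule so that any copy takes the destination folder's compression state, and it assumes encryption wins whenever the rules would otherwise leave a file both compressed and encrypted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileOp:
    """A copy or move of one file, with everything the rules depend on."""
    action: str                  # "copy" or "move"
    src_compressed: bool
    src_encrypted: bool
    dest_fs: str                 # "NTFS", or another file system such as "FAT32"
    same_partition: bool         # destination is on the same NTFS partition
    dest_folder_compressed: bool = False
    dest_folder_encrypted: bool = False


def compressed_after(op):
    """NTFS compression state after the operation (compression rules above,
    generalised so that every copy takes the destination folder's state)."""
    if op.dest_fs != "NTFS":
        return False                         # other file systems cannot store it
    if op.action == "copy":
        return op.dest_folder_compressed     # copies inherit the destination folder
    if op.same_partition:
        return op.src_compressed             # move within a partition keeps the state
    return op.dest_folder_compressed         # move across partitions inherits


def encrypted_after(op):
    """EFS state after the operation (encryption rules above)."""
    if op.dest_fs != "NTFS":
        return False                         # stored in plaintext on non-NTFS
    if op.src_encrypted:
        return True                          # stays encrypted on any NTFS partition
    if op.action == "copy":
        return op.dest_folder_encrypted      # copy into an encrypted folder encrypts
    return False                             # moved plaintext file stays plaintext


def state_after(op):
    """Both attributes at once. Assumption: a file cannot be both compressed
    and encrypted, so encryption wins when both rules would apply."""
    if op.action not in ("copy", "move"):
        raise ValueError(f"unknown action: {op.action}")
    enc = encrypted_after(op)
    return {"compressed": compressed_after(op) and not enc, "encrypted": enc}


# Constructed cases, one per rule in the two lists above.
CASES = {
    "copy compressed to FAT32": FileOp("copy", True, False, "FAT32", False),
    "move compressed, same partition, plain folder": FileOp("move", True, False, "NTFS", True),
    "move compressed to other partition, plain folder": FileOp("move", True, False, "NTFS", False),
    "copy plain file into compressed folder":
        FileOp("copy", False, False, "NTFS", True, dest_folder_compressed=True),
    "move encrypted to other partition, plain folder": FileOp("move", False, True, "NTFS", False),
    "copy plain file into encrypted folder":
        FileOp("copy", False, False, "NTFS", True, dest_folder_encrypted=True),
    "move plain file into encrypted folder":
        FileOp("move", False, False, "NTFS", True, dest_folder_encrypted=True),
    "copy encrypted file into compressed folder":
        FileOp("copy", False, True, "NTFS", True, dest_folder_compressed=True),
}


def evaluate_cases():
    """Resulting state for every constructed case, keyed by case name."""
    return {name: state_after(op) for name, op in CASES.items()}


if __name__ == "__main__":
    for name, state in evaluate_cases().items():
        print(f"{name}: {state}")
```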
Normally, encrypted files are meant to be stored and read on the local computer only. When saving encrypted files on a remote computer, be aware of the following:
• You can only encrypt files stored on remote computers if the computer is trusted for delegation in Active Directory (how to do this is beyond the scope of the course).
• When moving files encrypted on your local system to another computer (for use on that computer), make sure your certificate and private key are available on the other computer. Otherwise, you might be unable to open the file.
• When moving encrypted files to another computer over the network, files are not encrypted while they are in transit. Files might be intercepted as they are transferred. Use IPSec to secure network communications.
Offline Settings
The following table summarizes the offline files settings that can be configured on a shared folder.
Setting Description
Only the files and programs that users specify will be available offline: Users designate and control which files are available offline.
All files and programs that users open from the share will be automatically available offline: All files users open from the share are available offline. If Optimized for performance is selected, all programs will be automatically cached so that they are available locally.
Files or programs from the share will not be available offline: Users will not be able to store files from the share offline.

Internet Information Services (IIS)
Use IIS to enable:
• Active Desktop
• Internet Printing
• Remote Desktop
• Share folders (Web folders) for access through IE
You should know the following facts about IIS:
• When you install IIS, a default Web site is automatically created.
• By default, all Web content is stored in the \inetpub\wwwroot directory.
• A virtual directory is used to make content outside of the default directory path available through the Web site.
To make content available on your Web site:
• Place content in the \inetpub\wwwroot directory.
• Web share a folder. This creates a virtual directory in the Web site.
IIS Security Facts
You should know the following facts about securing IIS:
• Anonymous access allows Internet users to access public content on a Web site.
• Windows Authentication allows only authorized users to access protected content. Users are logged into a site automatically and transparently while outside connections are blocked.
• Basic authentication sends user credentials in clear text.
• Digest authentication requires users to have a domain user account.
• Blocking access to a Web site by domain name, single computer, or IP network number ensures that only desired connections get through.
• IP address restrictions can be configured which either allow all access except for listed addresses, or block all access except listed addresses.

The following table describes the different authentication methods:
Method Description Best Use
Anonymous Authentication: Users can access public portions of the site without user names or passwords. Uses the IUSR_computername local user account. Best use: giving public access to resources that require no security.
Basic Authentication: Requires a local or domain user account (the user name and password are sent in clear text). Best use: non-Windows hosts and clients running any HTTP 1.0 browser.
Digest Authentication: Functions like Basic Authentication. Authenticates using domain accounts with passwords stored using reversible encryption. Passwords are secured. Requires IE 5.0 or higher. IIS must be running on a domain member. Best use: granting access to resources from public networks.
Advanced Digest Authentication: Available for user accounts that are part of Active Directory. User names and passwords are stored on a domain controller. Requires IE 5 or better and the HTTP 1.1 protocol. Best use: granting access to resources from public networks that require more security than Digest Authentication provides.
Integrated Windows Authentication: User information is collected through a challenge/response process in which the user name and password are hashed before being sent across the network. Authenticates using Windows authentication methods (NTLM or Kerberos). Requires Internet Explorer 2.0 or higher (IE 5.0 for Kerberos). Cannot be used through a proxy server. Best use: granting access to resources on an intranet.
Certificate Authentication: Uses SSL (Secure Sockets Layer) security through user or server certificates or both. (Available only with Certificate Services.) Best use: allowing secure business transactions over the Internet.
.NET Passport Authentication: Allows the use of a single sign-in service through SSL, HTTP redirects, cookies, MS JScript, and symmetric key encryption. Best use: granting access to various resources over the Internet.

Authentication methods can be applied to the following:
• Server
• Web site
• FTP site
• Virtual Directory
• File
In addition to authentication, you can secure Web content with Web permissions. The following table describes the IIS permissions you can set for Web sites or Web folders:
Permission Description
Read: View file content and properties.
Write: Modify, delete, or add files or directories; modify file and directory attributes. Typically only enabled on intranets or private sites.
Script Source Access: Users can access the source code for files (requires either Read or Write permission). Combined with Read permission, users can view the source code; combined with Write permission, users can write to the source code. Typically only enabled on developer intranets.
Directory Browsing: View directory contents. When enabled, the Web server returns a listing of the directory contents when it cannot find a default home page to display. Use with Read permission.
Execute Permissions: Controls how scripts and executables run from the Web site. You can allow scripts only, scripts and executables, or prevent either from running.
If Web content is on an NTFS partition, you can also use NTFS permissions to secure content. Keep in mind the following when using NTFS permissions for Web content:
• IIS uses the user account to identify the end user and their permissions. To restrict access for users other than the anonymous user, you must choose an authentication method that uses Windows user accounts.
• When both Web and NTFS permissions are used, the most restrictive permissions take effect.

Web Site Identification
You should know the following facts about managing IIS:
• The default Web site is assigned to All Unassigned IP addresses on port 80.
• By default, a Web site will respond to HTTP requests directed to any IP address configured for the host computer.
• When you configure Web site identification, you can configure it to respond to all addresses or to only a specific address.
• On a server that has multiple IP addresses, each IP address can be used for a different site.
• You can host multiple sites by using different ports for each site.
• You can configure a Web site with a host header to enable it to respond to alternate Web site names. A host header solution requires two parts:
o Configure the host header on the Web site.
o Configure the DNS database to associate the host header name with the IP address.
Printing Facts
• The following table lists some key definitions with which you should be familiar.
Term Definition
Print Server The computer where printing is established.
Printer A virtual device inside the print server that can be configured to send output to a printing device.
Print Device The physical device connected to the print server where print output occurs.
Print Driver The software that allows the printer to communicate with the print device.
Print Queue The portion of the hard drive where print jobs are stored before going to the print device.
Printer Port The means by which a print device connects to a print server (parallel port, serial port, or to the printer's NIC).
• When you configure printing, you create a logical printer object that references a print device or points to another logical printer on the network. The following table lists the configuration choices to make to configure each type of printer.
Print Device Location Printer Type Port Type
Connected to the LPT, USB, or COM port of the local computer: printer type Local; port type LPT, USB, or COM.
Connected directly to the network through a NIC in the printer: printer type Local; port type TCP/IP (identify the IP address of the print device NIC).
Connected to the LPT, USB, or COM port of a remote computer (with a shared printer): printer type Network; port type UNC path (\\computername\sharename).
• The following table summarizes the permissions that can be assigned to printers. Printer permissions apply to both local and shared printers.
Permission Allowed Actions
Print Send print jobs and manage your own documents
Manage Documents Manage all documents in the queue
Manage Printer Change configuration settings and permissions

Advanced Print Configuration
Printer Pooling
Printer pooling uses a single printer object to represent multiple print devices. With printer pooling,
• Users send print jobs to a single printer
• The print server decides which print device to send the job to
When creating a printer pool, all print devices in the pool:
• Must be the same model (using the same printer driver)
• Should be in the same physical location (because users won't know which physical device their print job prints on)
Printer pools:
• Speed printing by reducing the time that documents spend waiting for a free print device
• Simplify printer administration because you manage multiple devices through a single printer object

Multiple Printers
Configure multiple printer objects for a single print device to control access to the printer based on job roles. To configure multiple printers:
1. Create multiple printer objects, one per group or user with distinct access.
2. For each printer, configure permissions to restrict access.
3. Fine-tune access by editing the Advanced properties of each printer to set its priority (99 is the highest) and to restrict the hours during which the printer is available.
Managing Printing
The following table summarizes the printing component you would use to complete each configuration task.
To Configure . . . Edit . . .
Additional drivers for a printer: Printer object properties, or Print server properties
Job priority: Print queue, job properties
Notification: Print server properties
Permissions: Printer object properties
Ports: Printer object properties, or Print server properties
Sharing: Printer object properties
Spool file location: Print server properties

Troubleshooting Printing Facts
You should know the following facts about troubleshooting printing:
• You can take an unreliable printer out of service by changing its properties to not shared.
• Printer queues and the Event Viewer of the assigned print server will offer the best information regarding printer and print job status.
• By default, print spool files are stored in the C: drive of the server, in \Windows\System32\Spool\Printers.
• If the C: drive fills up, then users will be unable to add print jobs to the queue, the queues will stop, and the system may become unstable (because the pagefile also defaults to drive C:).

IPP Facts
You should know the following facts about IPP:
• IPP can be installed after IIS is installed.
• IPP allows users to access printers and print resources across an intranet or through the Internet.
• IPP requires the use of Internet Explorer 4.0 or better.
• Users access printers and print services through a URL (http://servername/printers).
• Use Internet Explorer 4.0 or better to administer IPP printing from any location.
Installer Package Facts
The following table describes the file extensions that are used with installer packages.
File Extension Description
.msi A Windows Installer package file. Use the Msiexec command to deploy .msi files. Use the /i switch to specify the package file.
.msp A patch file. An .msp file can be applied to an .msi, but the .msi must be redeployed after the patch is applied.
.mst A transform file. Transform files are applied when a software package is assigned or published. Transform files change .msi files. To apply a .mst to a .msi during deployment, append TRANSFORMS= followed by a list of .mst files to the Msiexec command.
.zap A text file that references a setup program (for example, a Setup.exe file) on the network.
Using Group Policy, you can either assign or publish software. You can also associate software packages with either users or computers.
• Applications may be published to users, but not to computers. You can assign applications to either users or computers.
• When you publish an application, it does not appear in the user's Start menu. Instead, the user goes to Add/Remove Programs to install the program.
• Assigning software to a computer installs the software when the computer starts up. Users cannot use Add/Remove Programs to remove computer assigned software.
• Assigning software to a user puts a shortcut on the user’s Start menu. The software is automatically installed when the shortcut is clicked.

Software Update Services (SUS) Components
Software Update Services (SUS) is a client-server application that allows you to use a server on your intranet as a centralized point for updating software. Without SUS, clients must communicate with Microsoft's Web site to download and install patches and other updates. With SUS, you can control which updates are installed on network clients.
The following table lists the major SUS components:
Component Description
SUS on an Internet Information Services (IIS) server This is the server-side component of SUS. It synchronizes update information and downloads updates prior to deployment.
SUS Web site Administrative tasks are done through the SUS Web site. Other than installation and configuration, administrative tasks consist primarily of verifying successful server synchronization and update approval prior to client distribution.
Automatic Updates The Automatic Update client downloads updates from the SUS server (or a Windows Update server). It also installs the updates according to the established parameters.
Group Policy settings By configuring Windows Update policies in a GPO, you can configure Automatic Updates clients to synchronize with a SUS server rather than a Windows Updates server.
SUS offers the following advantages:
• You can control which updates clients in your organization receive.
• Clients receive updates from local servers rather than using Internet links to receive updates.
• You can enforce the application of updates throughout your organization.
SUS works as follows:
1. The SUS server downloads information about available updates from the Microsoft Windows Update Web site. The server can also be configured to download the update content itself.
2. An administrator approves the updates that should be applied to network clients.
3. Clients contact the local SUS server to identify approved updates. They then download the approved updates from the corresponding server (the local SUS server or the Windows Update Web site, depending on how SUS was configured).

SUS Server Configuration
An SUS server manages the updates that clients can install. To install SUS, download the setup software from the Microsoft Website (it is not on the Windows Server 2003 media). Before installing the software, your server must have IIS installed. During installation, you will need to provide the following two paths:
• The path to the update files. These are the actual files that will be used to update clients. For example, you can choose to leave the update files on the Microsoft Windows Update Web site. In this case, clients will download updates from the Microsoft Web site. Alternatively, you can choose to place the files on the SUS server. In this case, clients will download content from your SUS server.
• The path to the update file metadata. The metadata is information about each update file. You will edit the metadata to control how updates are applied to client systems.
The installation program installs the following components:
• Software Update Synchronization Service (to download content to the SUS server).
• IIS Web site (to service requests from Automatic Update clients).
• SUS administration Web site (where you synchronize the SUS server and approve updates).
After installation, use a Web browser and go to http://SUSservername/SUSadmin to manage the SUS server. SUS administration consists of three tasks:
• Configuring SUS server settings.
• Synchronizing updates (downloading updates from the Microsoft update Web site).
• Approving updates (identifying which updates to deliver to clients and configuring how those updates will be applied).
SUS Client Configuration
Each client computer must have the Windows Automatic Updates client software to utilize automatic updates. This software is included automatically with Windows Server 2003, Windows XP Service Pack 1, and Windows 2000 Service Pack 3. It can be added to other operating systems as a special download.
Client computers will communicate with an SUS server to identify available updates. You can customize which server the clients use to receive updates. By default, clients contact the Microsoft Web site. For a custom solution, configure clients to contact your SUS server.
You can also customize how clients download updates:

Download Description
Automatic Downloads arrive without user intervention or notification.
Notification The system waits for a user with administrator credentials to log on before sending a notification of available update downloads via a balloon above the System Tray.
You can also customize what the client does with the updates after they are installed.
Installation Description
Automatic (Scheduled) Upon successful download, an event is registered in the system event log. When a user with local administrative privileges logs on, the user can install the updates manually any time before the scheduled installation time. At the scheduled installation time, a local administrator can cancel the installation, delaying it until the next scheduled installation. A user with non-administrator privileges receives a warning message but cannot delay update installation. If no one is logged on, the installation occurs automatically.
Notification Upon successful download, an event is registered in the system event log. When a user with local administrative privileges logs on, the user can install the updates manually.
The easiest way to configure client settings is to use Group Policy to distribute the server name and other update parameters. The following table lists the Automatic Update policies:
Policy Description
Configure Automatic Updates There are three options for configuring the behavior of the Automatic Updates client:
• Notify for Download And Notify For Install
• Auto Download And Notify For Install
• Auto Download And Schedule The Install
Reschedule Automatic Updates Scheduled Installations If a client machine is turned off during a scheduled installation, by default the installation occurs at the next scheduled time. However, this policy allows you to set the installation to occur between 1 and 60 minutes after the system starts up.
No Auto-Restart For Scheduled Automatic Updates and Installations This policy allows Automatic Updates to disregard a required restart when a user is logged on. The user receives a notification about the required restart but is not required to restart the machine.
Specify Intranet Microsoft Update Service Location This policy redirects clients from the public Windows Update server to a SUS server on your network. It takes two URLs: the SUS server that clients synchronize from, and a statistics server (any server on the network running IIS) that receives client status reports. Client status is recorded in that server's IIS logs, found by default in %Windir%\System32\Logfiles\W3svc1.
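Each policy in the table above writes a value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey), which is also where the client reads the settings. The PowerShell below is an added example, not from the course notes or from Microsoft: it sets those values directly, which is useful for a test machine or a host that cannot receive the GPO, and reads them back to flag configurations a reviewer would question. The server name sus01.corp.example is an assumed placeholder.

```powershell
# Added example (not part of the course notes). Server names are placeholders.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

function Set-SusClientPolicy {
    param(
        [Parameter(Mandatory)][string]$ServerUrl,       # SUS server, e.g. http://sus01.corp.example
        [string]$StatusUrl = $ServerUrl,                 # IIS server that receives client status
        [ValidateSet(2, 3, 4)][int]$AuOption = 4,        # 2 notify/notify, 3 download/notify, 4 scheduled
        [ValidateRange(0, 7)][int]$InstallDay = 0,       # 0 = every day, 1 = Sunday ... 7 = Saturday
        [ValidateRange(0, 23)][int]$InstallHour = 3,
        [ValidateRange(1, 60)][int]$RescheduleMinutes = 10,
        [switch]$NoAutoRebootWithLoggedOnUsers
    )
    foreach ($key in $WuPolicy, $AuPolicy) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # "Specify Intranet Microsoft Update Service Location"
    Set-ItemProperty -Path $WuPolicy -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $WuPolicy -Name WUStatusServer -Value $StatusUrl -Type String
    Set-ItemProperty -Path $AuPolicy -Name UseWUServer    -Value 1 -Type DWord
    # "Configure Automatic Updates"
    Set-ItemProperty -Path $AuPolicy -Name NoAutoUpdate         -Value 0 -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name AUOptions            -Value $AuOption -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name ScheduledInstallDay  -Value $InstallDay -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name ScheduledInstallTime -Value $InstallHour -Type DWord
    # "Reschedule Automatic Updates Scheduled Installations"
    Set-ItemProperty -Path $AuPolicy -Name RescheduleWaitTime -Value $RescheduleMinutes -Type DWord
    # "No Auto-Restart For Scheduled Automatic Updates Installations"
    Set-ItemProperty -Path $AuPolicy -Name NoAutoRebootWithLoggedOnUsers `
        -Value ([int]$NoAutoRebootWithLoggedOnUsers.IsPresent) -Type DWord
}

function Get-SusClientPolicy {
    # Read the effective policy back and list the settings a reviewer would question.
    $wu = Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPolicy -ErrorAction SilentlyContinue
    $findings = @()
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'Clients still go directly to Windows Update (UseWUServer is not 1).'
    }
    if ($wu -and $wu.WUServer -and $wu.WUServer -notlike 'https://*') {
        $findings += "WUServer $($wu.WUServer) is plain HTTP; update metadata crosses the network unprotected."
    }
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $findings += 'Automatic Updates is disabled by policy (NoAutoUpdate = 1).'
    }
    if ($au -and $au.AUOptions -eq 2) {
        $findings += 'AUOptions = 2: nothing is downloaded until an administrator reacts to the balloon.'
    }
    if ($au -and $au.NoAutoRebootWithLoggedOnUsers -eq 1) {
        $findings += 'Restarts are deferred while users are logged on; patches stay incomplete until reboot.'
    }
    [pscustomobject]@{
        Server   = $wu.WUServer
        Status   = $wu.WUStatusServer
        Option   = $au.AUOptions
        Findings = $findings
    }
}

# Usage (placeholder server):
# Set-SusClientPolicy -ServerUrl 'http://sus01.corp.example' -InstallHour 3 -RescheduleMinutes 15
# Get-SusClientPolicy
```

Whoever can write these registry values (or the GPO behind them) chooses which server every client trusts for its list of approved updates, so the ACLs on the policy key and on the GPO deserve the same scrutiny as the SUS server itself.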
SUS Infrastructure Design
Software Update Services (SUS) offers you great flexibility in designing where updates are stored and who controls which updates are approved. You can also configure multiple servers within your organization to distribute the load or customize the list of approved updates.
Configuration Characteristics Uses
Approve updates locally, download content from Microsoft The local SUS server downloads update metadata (information about available updates) from the Windows Update Web site.
An administrator approves applicable updates.
Clients identify approved updates using the local SUS server, but download content from the Windows Update Web site. Use when all clients have a fast Internet connection and Internet link usage is not a concern.
Approve updates locally, download content locally The local SUS server downloads update metadata and synchronizes update installation files from the Windows update Web site.
An administrator approves applicable updates.
Clients identify approved updates using the local SUS server and download the updates from the local server. Use to minimize downloads through an Internet link (updates are downloaded through the Internet only once).
Use when Internet links are slow or unreliable.
Multiple server topology Place an SUS server in each location.
Each SUS server synchronizes content from Windows Update Web site.
An administrator at each location approves a list of approved updates for local clients.
Clients receive updates from the nearest SUS server. Use when each location has different approved update needs.
Use when your organization has multiple sites with their own Internet connection.
Centralized client/server topology Configure one SUS server to synchronize content with the Windows Update Web site.
Configure a list of approved updates on the central server.
Configure additional servers to synchronize update content and the list of approved updates with the central server.
Clients receive updates from the nearest SUS server. Use in a large organization to enforce consistent update policies (local SUS servers receive a list of approved updates from the central server).
Decentralized client/server topology Configure one SUS server to synchronize update content with the Windows Update Web site.
Configure additional servers to synchronize update content with the central server.
Configure a list of approved updates on each SUS server.
Clients receive updates from the SUS server that holds approved updates that should apply to the client. Use to minimize downloading of update content while allowing different sites or organizations to maintain their own list of approved updates.

SUS Facts
You should know the following facts about SUS:
• SUS is not available through the Windows Server 2003 installation media. Download the SUS server software from the Microsoft Web site.
• Software Update Services allows you to configure the distribution of operating system patches for clients, including ones related to security.
• GPO settings for configuring Windows Automatic Updates are stored in the Wuau.adm template. You must manually copy this template file from the SUS server to the %systemroot%\inf folder of any computer used to configure group policy.
• To prevent clients from bypassing SUS, use Group Policy (Remove links and access to Windows Update) so users cannot download patches manually from the Windows Update Web site.
• SUS with Service Pack 1 does not support 64-bit versions of Windows.
• Software Update Services does not support updating drivers, although the Automatic Updates client will detect and report them. You must install drivers manually from Windows Update.
• Software Update Service only distributes patches for the operating system. You can't use Software Update Services to distribute patches for anything else, including other Microsoft products. However, you can use a software distribution policy (or Systems Management Server) to distribute application updates.
• The NoAutoRebootWithLoggedOnUsers policy setting will allow logged on users to avoid rebooting after a service pack installation (although the service pack installation won't be completed until the next restart.)
• The SUS server is responsible for synchronizing with the Windows Update Web site; an administrator approves updates on the SUS administration site before clients receive them.
• Clients of SUS need the Automatic Updates Client (Wuau22.msi) which can be deployed through group policy.
• Clients also need to be redirected from Windows Update to the SUS server through a GPO.
Account Policies Facts
• Account policies control password and logon behavior. Settings in the local GPO are used if the computer is a member of a workgroup. For domain accounts, only the account policy settings in a GPO linked to the domain (normally the Default Domain Policy) take effect; account policies linked at OU level affect only the local accounts of computers in that OU. Policy settings are applied to the computer, not the user.
• The following table describes the password settings.
Setting Description
Password history This setting requires users to input unique passwords. The system can store up to 24 passwords, so the user can't repeat previous passwords.
Maximum password age This setting requires the user to change the password after a given length of time.
Minimum password age This setting keeps users from changing passwords immediately after they've reset their passwords. This prevents users from defying the password history by entering several passwords to get back to a preferred password.
Minimum password length This prevents people from using passwords that are too short.
Password complexity This setting enables the default password filter, which requires a password of at least six characters containing characters from at least three of four categories (upper-case letters, lower-case letters, digits, and non-alphanumeric characters such as !, @, #, $, %, ^, &, *) and rejects any password that contains the user's account name or a part of the user's full name longer than two characters. It does not check passwords against a dictionary; that needs a custom password filter or a separate audit.
Reversible encryption This setting stores passwords in a form that can be decrypted back to plaintext. Leave it disabled unless an application (for example CHAP or Digest authentication) genuinely requires it, because anyone who obtains the directory can then recover every affected password.
• Use account lockout to slow online password guessing and to stop an account that is under attack from being used. Keep in mind that an attacker who knows account names can lock users out deliberately, so pair lockout with monitoring and a finite lockout duration. The following table describes account lockout settings.
Setting Description
Lockout duration This setting determines the length of time the account will be disabled. When set to 0, an administrator must unlock the account.
Lockout threshold This setting determines the number of attempts a user can make before the account is locked.
Reset account lockout counter after This setting determines how long after the last failed attempt the bad-password counter is reset to zero. It must be less than or equal to the lockout duration.
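The PowerShell below is an added example, not part of the course notes: the first function applies the same test the default Windows complexity filter applies (minimum six characters, three of four categories, no account name, no full-name token longer than two characters) so a helpdesk script can explain a rejection, and the second turns the three lockout settings into the number of guesses per account per day an attacker can make without ever triggering lockout, which is the number that decides whether a lockout policy actually slows an online attack. The sample account names and passwords are constructed.

```powershell
# Added example (not part of the course notes). Sample values are constructed.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$AccountName,
        [string]$FullName = ''
    )
    $reasons = @()
    # The complexity filter itself demands six characters, independently of the
    # separate "Minimum password length" setting.
    if ($Password.Length -lt 6) { $reasons += 'shorter than 6 characters' }
    # Three of four categories: upper case, lower case, digit, non-alphanumeric.
    $categories = 0
    if ($Password -cmatch '[A-Z]')       { $categories++ }
    if ($Password -cmatch '[a-z]')       { $categories++ }
    if ($Password -match  '[0-9]')       { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) { $reasons += "only $categories of 4 character categories" }
    # Must not contain the account name (case-insensitive; names under 3 chars are skipped)...
    if ($AccountName.Length -ge 3 -and $Password.ToLower().Contains($AccountName.ToLower())) {
        $reasons += 'contains the account name'
    }
    # ...or any part of the full name longer than two characters. The filter splits
    # the full name on commas, periods, dashes, underscores, spaces, '#' and tabs.
    foreach ($token in ($FullName -split '[,.\-_ #\t]+')) {
        if ($token.Length -ge 3 -and $Password.ToLower().Contains($token.ToLower())) {
            $reasons += "contains name part '$token'"
        }
    }
    [pscustomobject]@{ Complex = ($reasons.Count -eq 0); Reasons = $reasons }
}

function Get-OnlineGuessBudget {
    # Guesses per account per day that never trip lockout: (threshold - 1) attempts
    # per reset window, repeated every time the counter resets.
    param(
        [Parameter(Mandatory)][int]$LockoutThreshold,       # 0 = never lock out
        [Parameter(Mandatory)][int]$ResetCounterMinutes,
        [Parameter(Mandatory)][int]$LockoutDurationMinutes  # 0 = administrator must unlock
    )
    if ($LockoutThreshold -eq 0) {
        $perDay = 'unbounded (no lockout)'
    } else {
        $perDay = ($LockoutThreshold - 1) * [math]::Floor(1440 / $ResetCounterMinutes)
    }
    $note = if ($LockoutDurationMinutes -eq 0) {
        'duration 0: a deliberate lockout storm becomes an admin-unlock denial of service'
    } else {
        "locked accounts recover on their own after $LockoutDurationMinutes min"
    }
    [pscustomobject]@{ SilentGuessesPerDay = $perDay; Note = $note }
}

# Constructed sample values:
Test-PasswordComplexity -Password 'Summer2024!' -AccountName 'jsmith' -FullName 'Smith, John'  # Complex = True
Test-PasswordComplexity -Password 'JohnSmith1'  -AccountName 'jsmith' -FullName 'Smith, John'  # fails: 'John', 'Smith'
Get-OnlineGuessBudget -LockoutThreshold 5 -ResetCounterMinutes 30 -LockoutDurationMinutes 30  # 192 silent guesses/day
```

'Summer2024!' passes every rule in the table, which is the point of the first call: the complexity filter measures character classes, not guessability, so it needs to be combined with length, history and monitoring of failed logons rather than trusted on its own.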
Auditing Facts
You can configure the following audit policies in Group Policy.
Audit Category Trigger Event(s)
Account logon Audits logon through a user account
Recorded by the local computer for the local account, recorded by domain controller for the AD account
Account management Add, rename, disable/enable, delete, or change the password for a user account
Logon Log on or off of the local system
Make a network connection to a local computer
Object access File, folder, printer access
Policy change Change user rights assignments, audit policies, or trust policies (password changes on user accounts are recorded under Account management)
Privilege use User exercises user rights
An administrator takes ownership of an object
Process tracking An application performs an action
This is used mainly for program debugging and tracking
System events Shutdown, restart, service starts
An event affects security or the security log
Keep in mind the following about configuring auditing:
• Auditing can be enabled to log successful or failed events (or both).
• Because auditing consumes system resources and might result in a lot of generated data, enable auditing only on the events you are interested in.
• View audit entries in the Event Viewer Security log.
• Set the CrashOnAuditFail registry value (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail, exposed as the policy Audit: Shut down system immediately if unable to log security audits) to stop the system when entries can't be written to the security log. Use it only where losing an audit record is worse than an outage, because a full security log then becomes a denial-of-service lever.
• To monitor a domain for unauthorized access attempts, configure the domain with a group policy to audit logon events (failures at minimum) and account logon events on the domain controllers.
• For file auditing to occur, the files must be on NTFS partitions, and a SACL must be set on the file or folder in addition to enabling the Object access category.
• With auditing configured, clearing the log generates an event identifying when the log was cleared and by whose authority (event ID 517 on Windows Server 2003; 1102 on later versions).
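The audit categories above only pay off if someone looks at what they produce. The PowerShell below is an added example, not part of the course notes: it runs three detections that the logon and account-management categories make possible (the log being cleared, account lockouts, and failed-logon patterns that look like brute force against one account or password spraying from one source) over a set of constructed sample records. On a live system you would build the same records from Get-EventLog -LogName Security (Windows Server 2003) or Get-WinEvent -LogName Security (later versions), mapping the event's replacement strings to Account and Source; the event IDs for both generations are listed in the code.

```powershell
# Added example (not part of the course notes). The sample records are constructed.
function Find-SuspiciousLogonActivity {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$FailuresPerAccount = 5,   # brute force: many failures against one account
        [int]$AccountsPerSource  = 3,   # spraying: one source against many accounts
        [int]$WindowMinutes      = 30
    )
    # Event IDs of the Windows Server 2003 security log and, after them, the
    # equivalents used from Windows Vista / Server 2008 on.
    $failedLogon = 529, 4625
    $lockedOut   = 644, 4740
    $logCleared  = 517, 1102
    $findings = @()

    foreach ($e in ($Events | Where-Object { $logCleared -contains $_.Id })) {
        $findings += "$($e.Time.ToString('s')) SECURITY LOG CLEARED by $($e.Account)"
    }
    foreach ($e in ($Events | Where-Object { $lockedOut -contains $_.Id })) {
        $findings += "$($e.Time.ToString('s')) account $($e.Account) locked out"
    }

    $failures = @($Events | Where-Object { $failedLogon -contains $_.Id } | Sort-Object Time)
    # Brute force: many failures against one account inside the window.
    foreach ($g in ($failures | Group-Object Account)) {
        $span = ($g.Group[-1].Time - $g.Group[0].Time).TotalMinutes
        if ($g.Count -ge $FailuresPerAccount -and $span -le $WindowMinutes) {
            $sources = @($g.Group | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ','
            $findings += "$($g.Count) failed logons for $($g.Name) within $([int]$span) min from $sources"
        }
    }
    # Spraying: one source failing against many distinct accounts (each one below the
    # lockout threshold, which is exactly why per-account counting misses it).
    foreach ($g in ($failures | Group-Object Source)) {
        $accounts = @($g.Group | ForEach-Object { $_.Account } | Sort-Object -Unique)
        $span = ($g.Group[-1].Time - $g.Group[0].Time).TotalMinutes
        if ($accounts.Count -ge $AccountsPerSource -and $span -le $WindowMinutes) {
            $findings += "source $($g.Name) failed against $($accounts.Count) accounts ($($accounts -join ','))"
        }
    }
    return $findings
}

# Constructed sample records (not real log data).
$t = [datetime]'2024-05-01 08:00:00'
$sample = @(
    foreach ($i in 0..5) {
        [pscustomobject]@{ Time = $t.AddSeconds(10 * $i); Id = 529; Account = 'jsmith'; Source = '10.0.0.15' }
    }
    [pscustomobject]@{ Time = $t.AddMinutes(1); Id = 644; Account = 'jsmith';        Source = '10.0.0.15' }
    [pscustomobject]@{ Time = $t.AddMinutes(5); Id = 529; Account = 'alice';         Source = '10.0.0.99' }
    [pscustomobject]@{ Time = $t.AddMinutes(6); Id = 529; Account = 'bob';           Source = '10.0.0.99' }
    [pscustomobject]@{ Time = $t.AddMinutes(7); Id = 529; Account = 'carol';         Source = '10.0.0.99' }
    [pscustomobject]@{ Time = $t.AddMinutes(9); Id = 517; Account = 'Administrator'; Source = '-' }
)
Find-SuspiciousLogonActivity -Events $sample
```

Run against the sample, the function reports the cleared log, the jsmith lockout, six failures against jsmith from 10.0.0.15, and 10.0.0.99 failing against three accounts. The spraying case is the one a lockout policy alone never catches, because no single account reaches the threshold.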

Security Template Facts
Windows provides the following predefined security templates:
Template Function
Setup Security.inf Created specifically for each computer during setup
Differs depending on whether installation was a clean installation or an upgrade
Contains default security settings applied during installation
Defines default file permissions for system drive root
Used on workstation or servers (not on domain controllers)
Should not be applied through group policy
DC Security.inf Created when server is upgraded to a domain controller
Gives default security settings for files, registry, and system service
Secure*.inf Secures a system without causing application or compatibility issues
Securews.inf can be applied to a workstation or a server
Securedc.inf can be applied to a domain controller
Hisec*.inf Specifies additional security settings beyond the Secure templates
Hisecws.inf can be applied to a workstation or a server
Hisecdc.inf can be applied to a domain controller
Compatws.inf Forces compatibility across Windows platforms
Should not be applied to domain controllers
Use the Security Configuration and Analysis snap-in to manage security templates, analyze current settings against a template, create custom templates, or import an existing template. When working with templates:
• Compare an existing system with a template to see how the system compares to the template.
• Clear current settings before importing a new template.
• After applying a secure template, you might need to restore group memberships in the Administrators or Power Users group.
• You can also use the Secedit command (secedit /analyze and secedit /configure, each with /db and /cfg) to analyze and apply templates from a script.
You should also know the following facts about security analysis:
• The Microsoft Baseline Security Analyzer (MBSA) reports which patches are installed on, and which are missing from, a particular computer.
• You also need to verify that patches have not been applied manually outside the approved process.
• Check the Windows Update log (%windir%\WindowsUpdate.log) to see whether a patch came from the SUS server or from the Windows Update Web site.

Event Facts
You should know the following facts about events:
• The System Log records informational, warning, and error messages. Error and warning messages are the most serious.
• The default extension for saved logs is .Evt.
• Shutdown events have an event ID 1074.
• Event Viewer is the location where most errors and warnings are logged.
• The File Replication Services log lists errors or events related to the copying of information between domain controllers during a replication cycle. This log is available through Event Viewer on Windows Server 2003 machines that function as domain controllers.
• Examine the Security Log to find the results for system audits.
• Additional logs (such as the DNS Log) are added when you install various services.
Monitoring Performance Facts
You should know the following facts about monitoring system performance:
• Task Manager shows a summary of a system's performance.
• System Monitor measures the performance of a workstation or other workstations on a network.
• You can configure an automatic schedule of monitoring.
• A System Idle Process near 100% means the CPU is not the bottleneck; on a server that should be busy it suggests work is not reaching the server, so check connectivity.
• The Performance tool is capable of monitoring remote computers. Monitoring of server performance should be done from a computer other than the server.
• If you aren't sure what a specific counter or measure is used for, select it and click the Explain button.
• The Performance Logs and Alerts console in the Performance tools can be configured to trigger an alert when certain thresholds are reached.
• The Report View presents counters in a hierarchical display using words, not graphical representations.
• You can run the WinMSD utility (System Information, msinfo32) from a command prompt to view system details such as the computer's Internet Settings.

Counters and Values to Watch
• The following table outlines the major objects and critical counter values:
Object Purpose Counters Optimum
Processor Measures CPU utilization % Processor Time Below 80% sustained; sustained values above that indicate a CPU bottleneck
PhysicalDisk Measures how each physical disk is keeping up with read and write requests Avg. Disk Queue Length Below 2 per physical disk; a sustained queue above twice the number of spindles is high
Memory Measures RAM pressure (paging) Pages/sec Near 0 is ideal; sustained values above 20 suggest a memory shortage
Network Measures the system's network throughput Bytes Total/sec Well below the link capacity of the network interface
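The PowerShell below is an added example, not part of the course notes: it samples the four counters from the table with Get-Counter, averages each instance over a few samples, and reports which exceed the rule-of-thumb limits above. The spindle count and link speed are parameters because the disk and network limits depend on the hardware; the defaults (one disk, 1 Gbit/s) are assumptions.

```powershell
# Added example (not part of the course notes). Disk and link defaults are assumptions.
function Test-CounterThresholds {
    param(
        [int]$PhysicalDisks = 1,            # spindle count for the queue-length rule
        [int]$Samples = 3,
        [int]$IntervalSeconds = 5,
        [double]$LinkBytesPerSec = 125e6    # 1 Gbit/s; set to the real NIC speed
    )
    $paths = @(
        '\Processor(_Total)\% Processor Time',
        '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
        '\Memory\Pages/sec',
        '\Network Interface(*)\Bytes Total/sec'
    )
    $data = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples

    # Collect every sample per counter instance, then average.
    $values = @{}
    foreach ($s in $data.CounterSamples) {
        $key = $s.Path -replace '^\\\\[^\\]+', ''   # strip the leading \\COMPUTER
        if (-not $values.ContainsKey($key)) { $values[$key] = New-Object System.Collections.ArrayList }
        [void]$values[$key].Add($s.CookedValue)
    }
    $report = foreach ($key in $values.Keys) {
        $mean = ($values[$key] | Measure-Object -Average).Average
        # Limits from the "Counters and Values to Watch" table (wildcard match is case-insensitive,
        # which matters because Get-Counter lower-cases the paths it returns).
        $limit = switch -Wildcard ($key) {
            '*% Processor Time'       { 80 }
            '*Avg. Disk Queue Length' { 2 * $PhysicalDisks }
            '*Pages/sec'              { 20 }
            '*Bytes Total/sec'        { 0.7 * $LinkBytesPerSec }
        }
        [pscustomobject]@{
            Counter = $key
            Average = [math]::Round($mean, 2)
            Limit   = $limit
            Over    = ($mean -gt $limit)
        }
    }
    $report | Sort-Object Over -Descending
}

# Usage, run from a monitoring station rather than on the server being measured:
# Test-CounterThresholds -PhysicalDisks 4 -LinkBytesPerSec 12.5e6 | Format-Table -AutoSize
```

Run it from another machine with -ComputerName added to Get-Counter if you want to follow the notes' advice about not measuring a server from the server itself; a sudden sustained rise in Bytes Total/sec or Pages/sec with no change in workload is also an early sign of something other than performance going wrong.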
Volume Shadow Copy Services (VSS)
VSS is a component of the backup system that takes a point-in-time snapshot of a volume. By enabling shadow copies of shared folders, you can recover deleted or overwritten files and let backup software back up open files. Shadow copies live on the same server (by default on the same volume), so they are a convenience for users and administrators, not a substitute for backups kept elsewhere.
You enable shadow copies on a volume through Explorer (the Shadow Copies tab of the volume's properties). After they are enabled, the whole volume is snapshotted and previous versions are exposed to clients through the volume's shared folders. You can customize where the shadow copies are stored, how much space they may use, and the schedule on which they are taken.
Through shadow copies, you can recover lost, damaged, or overwritten files by accessing the previous versions of the files cached by the server. The Previous Versions tab in the Properties dialog box of a folder or file lists the versions you can access. The Previous Versions tab is available under the following circumstances:
• Shadow Copies must be enabled on the server.
• The client must have the Shadow Copy client software (installed to the %systemroot%\System32\Clients\Twclient\x86 folder on the Windows Server 2003 system).
• You must access the file's properties through a shared folder (if you access the properties for a file on the local machine, the Previous Versions tab won't be available, even if the file is shared and shadow copies are running).
System Recovery Facts
Windows offers you several different ways to recover from a system failure. Here are some methods you can use to recover from system problems (methods are listed in the general order you would perform when trying to recover the system).
Tool Use
Driver Rollback Use this tool to uninstall recent driver changes and revert to a previous version. In Device Manager, edit the properties of the device.
Last Known Good Configuration This option reboots the system using the registry control set (driver and service configuration) saved at the last successful logon. It cannot undo a bad change once someone has logged on successfully after that change.
Safe Mode Boots Windows with a limited number of drivers and features enabled. Press F8 during boot to enter Safe Mode. After booting into Safe Mode, you can use Device Manager to rollback drivers, disable devices, uninstall devices, or reinstall or update drivers.
Recovery Console This is a command-line interface. Preinstall it before a problem exists with winnt32.exe /cmdcons (it can also be started from the Windows Server 2003 CD). Use fixboot and fixmbr to repair the boot sector or master boot record (MBR). You can also copy or replace system files, enable or disable services, and repartition hard disks with diskpart.
Automated System Recovery This restores original Windows 2003 Server drivers and files as well as files from the ASR backup set.
Keep in mind the following facts about using Automated System Recovery (ASR).
• You need an ASR backup set (on tape or backup file), the ASR floppy disk, and a Windows Server 2003 CD to restore a system.
• Use the ASR diskette with a valid backup to restore the system.
• The ASR diskette is a boot diskette that contains limited system configuration information. The rest of the information is on the backup tape.
• The ASR diskette contains the Asr.sif and Asrpnp.sif files. Copies of these files are placed on the system so you can copy them manually.
• To restore a system, press the F2 key when prompted and insert the ASR floppy disk. ASR will restore disk configurations and install the original operating system software.