|
Windows Sever 2003This is a new helpful section and will grow as time goes on thank you for your patience.
Windows 2003New Features of Windows Server 2003 Active Directory - Scenario Based Windows Server 2003 Operations Compare the Editions of Windows Server 2003 Microsoft Windows Server TechCenter Windows Resource Kits - Web Resources How to troubleshoot startup problems in Windows Server 2003 Introduction to Administering Active Directory Backup and Restore Active Directory on a Windows Server 2003 Network Active Directory Operations Guide Windows Server 2003 Technical Library Users Can Log On Using User Name or User Principal Name The
role of the global catalog Global
catalog replication The replication topology for the global catalog is generated automatically by the Knowledge Consistency Checker (KCC). However, the global catalog is replicated only to other domain controllers that have been designated as global catalogs. Global catalog replication is affected both by the attributes marked for inclusion in the global catalog, and by universal group memberships.
Data Backup and RestoreHOW TO Restore System State Data
Server 2003 TypesHow to promote a domain controller to a global catalog server How to upgrade Windows 2000 domain controllers to Windows Server 2003 Single master operations - Master Roles How to view and transfer FSMO roles in Windows Server 2003 FSMO
Roles For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest. You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools: Active Directory Schema snap-in, Active Directory Domains and Trusts snap-in, Active Directory Users and Computers snap-in Trees and ForestsUnderstanding domain trees and forests How to raise domain and forest functional levels in Windows Server 2003 Domain and Forest Trust Tools and Settings How to view and transfer FSMO roles in Windows Server 2003
Active DirectoryDuring a normal restore operation, Backup operates in nonauthoritative restore mode. That is, any data that you restore, including Active Directory objects, will have their original update sequence number. The Active Directory replication system uses this number to detect and propagate Active Directory changes among the servers in your organization. Because of this, any data that is restored nonauthoritatively will appear to the Active Directory replication system as though it is old, which means the data will never get replicated to your other servers. Instead, the Active Directory replication system will actually update the restored data with newer data from your other servers. Authoritative restore solves this problem. To authoritatively restore Active Directory data, you need to run the Ntdsutil utility after you have restored the System State data but before you restart the server. The Ntdsutil utility lets you mark Active Directory objects for authoritative restore. When an object is marked for authoritative restore its update sequence number is changed so that it is higher than any other update sequence number in the Active Directory replication system. This will ensure that any replicated or distributed data that you restore is properly replicated or distributed throughout your organization. How to restore deleted user accounts and their group memberships in Active Directory Performing a Nonauthoritative Restore of a Domain Controller Performing an Authoritative Restore of Active Directory Objects The effects on trusts and computer accounts when you authoritatively restore Active Directory TrustsActive Directory Operations Guide - Managing Trusts When to create an external trust You can create an external trust to form a one-way or two-way,
nontransitive trust with domains outside of your forest. External
trusts are sometimes necessary when users need access to resources
located in a Windows NT 4.0 domain or in a domain located within
a separate forest that is not joined by a forest trust, as shown
in the figure. Trust protocols With the Kerberos V5 protocol, the client requests a ticket from a domain controller in its account domain to the server in the trusting domain. This ticket is issued by an intermediary trusted by the client and the server. The client presents this trusted ticket to the server in the trusting domain for authentication. Internet Authentication ServiceInternet Authentication Service (IAS) in Microsoft® Windows Server™ 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, dial-up and virtual private network (VPN) remote access, and router-to-router connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. IAS supports the Internet Engineering Task Force (IETF) standards for RADIUS described in RFCs 2865 and 2866. Certification authoritiesA certification authority (CA) is an entity entrusted to issue certificates to individuals, computers, or organizations that affirm the identity and other attributes of the certificate subject to other entities. Types of certification authorities Enterprise certification authorities Stand-alone certification authorities Certificate Autoenrollment in Windows Server 2003 Automatic enrollment of user certificates provides a quick and simple way to issue certificates to users and to enable public key infrastructure (PKI) applications, such as smart card logon, Encrypting File System (EFS), Secure Sockets Layer (SSL), Secure/Multipurpose Internet Mail Extension (S/MIME), and others, within an Active Directory directory service environment. User autoenrollment minimizes the high cost of normal PKI deployments and reduces the total cost of ownership (TCO) for a PKI implementation when Windows XP Professional clients are configured to use Active Directory. AuthenticationAuthentication- Keberos - NTLM - SSL Internet Protocol Security (IPsec) is a framework of open standards for protecting communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. The Microsoft implementation of IPsec is based on standards developed by the Internet Engineering Task Force (IETF) IPsec working group.
Windows Server 2003 supports IPSec tunneling for situations where both tunnel endpoints have static IP addresses. This is primarily useful in gateway-to-gateway implementations. However, it may also work for specialized network security scenarios between a gateway or router and a server. (For example, a Windows Server 2003 router that routes traffic from its external interface to an internal Windows Server 2003-based computer that secures the internal path by establishing an IPSec tunnel to the internal server that provides services to the external clients). Windows Server 2003 IPSec tunneling is not supported for client remote access VPN use because the Internet Engineering Task Force (IETF) IPSec Requests for Comments (RFCs) do not currently provide a remote access solution in the Internet Key Exchange (IKE) protocol for client-to-gateway connections. IETF RFC 2661, Layer Two Tunneling Protocol "L2TP," was specifically developed by Cisco, Microsoft, and others to provide client remote access VPN connections. In Windows Server 2003, client remote access VPN connections are protected using an automatically generated IPSec policy that uses IPSec transport mode (not tunnel mode) when the L2TP tunnel type is selected.
Overview of Server Message Block signing Exploring Kerberos, the Protocol for Distributed Security in Windows 2000 IPSec Policy Configuration IPSec filters are inserted into the IP layer of the computer
TCP/IP networking protocol stack so that they can examine (filter)
all inbound or outbound IP packets. Except for a brief delay required
to negotiate a security relationship between two computers, IPSec
is transparent to end-user applications and operating system services. WMI FILTERINGWindows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer. When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows 2000, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied. Terminal ServicesHow to change Terminal Server's listening port How to manually open ports in Internet Connection Firewall in Windows XP
SecuritySecurity Configuration and Analysis Overview Group Policy can be used to define default settings that will be automatically applied to user and computer accounts in Active Directory. Policy settings can be used to manage desktop appearance, assign scripts, redirect folders from local computers to network locations, determine security options and control what software can be installed on particular computers and what software is available to particular groups of users. Here are a few examples of how Group Policy settings can be used in Active Directory: Set the minimum password length and the maximum length of time
that a password will remain valid. This can be configured for
an entire domain.
There are two kinds of GPOs:
User Configuration and Computer Configuration are further subdivided into a customizable set of MMC extensions to Group Policy. To learn about the default extensions, see Group Policy Object Editor Extensions. Changing the status of a GPO The status of a GPO is Enabled by default. It can be changed to User settings disabled, which affects all settings under User Configuration, or Computer settings disabled, which affects all settings under Computer Configuration, or All settings disabled, which disabled the entire GPO. When you change the status of a GPO, all sites, domains and organizational units that get policy from the GPO are affected. Thus, disabling a GPO is more far-reaching than disabling one of it links. Notes Enforce (previously known as "no override") on a GPO
link takes precedence over Block Inheritance on a domain or organizational
unit. How To Use Software Restriction Policies in Windows Server 2003 Windows 2000 Security Templates Are Incremental Predefined security templates 1 Predefined security templates 2 Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available Microsoft Baseline Security Analyzer MBSA Scanning Options How to apply predefined security templates in Windows Server 2003 Windows 2000 Security Templates Are Incremental How Security Settings Extension Works How To Use Software Restriction Policies in Windows Server 2003 Configure local computer security
What Is Resultant Set of Policy?Tne challenge of Group Policy administration is to understand the cumulative effect of a number of Group Policy objects (GPOs) on any given computer or user, or how changes to Group Policy, such as reordering the precedence of GPOs or moving a computer or user to a different organizational unit (OU) in the directory, might affect the network. The Resultant Set of Policy (RSoP) snap-in offers administrators one solution. Administrators use the RSoP snap-in to see how multiple Group Policy objects affect various combinations of users and computers, or to predict the effect of Group Policy settings on the network. How To Install and Use RSoP in Windows Server 2003
Smart CardsA smart card is a small, tamperproof computer. The smart card itself contains a CPU and some non-volatile storage. In most cards, some of the storage is tamperproof while the rest is accessible to any application that can talk to the card. This capability makes it possible for the card to keep some secrets, such as the private keys associated with any certificates it holds. The card itself actually performs its own cryptographic operations.
Windows 2003 ToolsWorking with MMC console files Step-by-Step Guide to Using the Security Configuration Tool Set Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller CERTUTIL tasks for backing up and restoring certificates Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 and in hotfix 324392 How To Use Software Restriction Policies in Windows Server 2003 - HASH VALUE Enhancements to Adprep.exe in Windows Server 2003 How to use Netdom.exe to reset machine account passwords of a Windows Server 2003 domain controller Terminal ServicesStep-by-Step Guide for Configuring Group Policy for Terminal Services
PKIWindows Server 2003 PKI Operations Guide MMCAdd Security Configuration and Analysis to an MMC console
Network Load Balancing and Cluster Server ClustersHow To Set Up TCP/IP for Network Load Balancing in Windows Server 2003 How To Perform Basic Network Load Balancing Procedures in Windows Server 2003 Microsoft Cluster Service Installation Resources How to properly restore cluster information How to configure Windows clustering groups for hot spare support Troubleshooting Network Load Balancing
Administrators use cluster management applications to configure, control, and monitor clusters. Cluster Administrator is an example of a cluster management application. Any system, regardless of whether it is a cluster node, can install Cluster Administrator. Cluster Administrator allows administrators to manage cluster
objects, establish groups, initiate failover, handle maintenance,
and monitor cluster activity through a convenient graphical interface.
Third-party developers can extend the functionality of Cluster
Administrator by implementing extension DLLs. Cluster.exe is a command-line interface for administering server
clusters. For a list of available commands, type 'cluster /?'
in a command prompt window or consult the documentation included
with the operating system
Distributed File SystemOverview of the Distributed File System Solution in Microsoft Windows Server 2003 R2 The Windows Server 2003 operating systems have a number of components to enhance your storage capabilities, including Distributed File System (DFS), File Replication System (FRS), Virtual Disk Service (VDS), and Volume Shadow Copy Service (VSS), and Windows SharePoint Services. The page provides resources for learning more about these components and technologies.
Group PoliciesGroup Policy is the primary administrative tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization. In an Active Directory environment, Group Policy is applied to users or computers on the basis of their membership in sites, domains, or organizational units.
Group Policy Management Console Gpresult Displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer. Gpupdate Refreshes local Group Policy settings and Group Policy settings that are stored in Active Directory, including security settings. This command supersedes the now obsolete /refreshpolicy option for the secedit command. How To Configure Group Policies to Set Security for System Services in Windows Server 2003 Loopback
processing of Group Policy How to use Group Policy to remotely install software in Windows Server 2003
How
to assign software to a specific group by using a Group Policy
RSoP overview Resultant Set of Policy (RSoP) is an addition to Group Policy that makes policy implementation and troubleshooting easier. RSoP is a query engine that polls existing policies and planned policies, and then reports the results of those queries. It polls existing policies based on site, domain, domain controller, and organizational unit. RSoP gathers this information from the Common Information Management Object Model (CIMOM) database (otherwise known as CIM-compliant object repository) through Windows Management Instrumentation (WMI).
Ntdsutil Ntdsutil.exe is a command-line tool that provides management
facilities for Active Directory. Use Ntdsutil.exe to perform database
maintenance of Active Directory, manage and control single master
operations, and remove metadata left behind by domain controllers
that were removed from the network without being properly uninstalled.
This tool is intended for use by experienced administrators.
Secedit The Secedit.exe command line tool, when called from a batch file or automatic task scheduler, can be used to automatically create and apply templates and analyze system security. It can also be run dynamically from a command line. This tool is useful when you have multiple computers on which security must be analyzed or configured, and need to perform these tasks off-hours. Configures and analyzes system security by comparing your current configuration to at least one template.
Windows Recovery ConsoleDescription of the Windows 2000 Recovery Console How To Use the Recovery Console on a Windows Server 2003-Based Computer That Does Not Start Recovery Console Tools and Settings Recovering from a lost or corrupted quorum log
DNSDomain Name System (DNS) Center Knowledge Base Articles Conditional Forwarding in Windows Server 2003 Root hints are the names and addresses of servers that are authoritative for the root zone of the DNS namespace. Root hints are necessary for resolving external names, such as the names of Internet host computers. Root hints are the names and addresses of servers that are authoritative for the root zone of the DNS namespace. Root hints are necessary for resolving external names, such as the names of Internet host computers.
Domain Name System (DNS) Center TCP/IP
Fundamentals for Microsoft Windows Contrasting stub zones and conditional forwarders
Terminal ServerTerminal Server is a Terminal Services role service that supports sharing of Windows-based programs or the full Windows desktop. Users can connect to a terminal server to run programs, save files, and use network resources on that server.
Windows 2003 IISHow To Configure IIS Web Site Authentication in Windows Server 2003
How to perform an unattended Emergency Management Services installation of Windows Server 2003 Windows SharePoint Services 2.0 Overview
Planning and Implementing Server Roles and Server Security How to view and transfer FSMO roles in Windows Server 2003
Configure security for servers that are assigned specific roles. Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers. Deploy the security configuration for servers that are assigned specific roles. Create custom security templates based on server roles.
Planning, Implementing, and Maintaining a Network Infrastructure Plan a host name resolution strategy. Plan a DNS namespace design. Plan zone replication requirements. Plan a forwarding configuration. Plan for DNS security. Examine the interoperability of DNS with third-party DNS solutions.
Planning, Implementing, and Maintaining Server Availability Plan services for high availability. Plan a high availability solution that uses clustering services. Plan a high availability solution that uses Network Load Balancing. Plan a backup and recovery strategy. Identify appropriate backup types. Methods include full, incremental, and differential. Plan a backup strategy that uses volume shadow copy. Plan system recovery that uses Automated System Recovery (ASR).
Planning and Maintaining Network Security Plan secure network administration methods. Create a plan to offer Remote Assistance to client computers. Plan for remote administration by using Terminal Services. Plan security for wireless networks. Plan security for data transmission. Secure data transmission between client computers to meet security requirements. Secure data transmission by using IPSec.
Planning, Implementing, and Maintaining Security Infrastructure Configure Active Directory directory service for certificate
publication. Plan a public key infrastructure (PKI) that uses Certificate Services. Identify the appropriate type of certificate authority to support certificate issuance requirements. Plan the enrollment and distribution of certificates. Plan for the use of smart cards for authentication. Plan a framework for planning and implementing security. Plan for security monitoring. Plan a change and configuration management framework for security. Plan a security update infrastructure. Tools might include Microsoft
Baseline Security Analyzer and Microsoft Software Update Services. Planning and Implementing an Active Directory Infrastructure Plan a strategy for placing global catalog servers. Evaluate network traffic considerations when placing global catalog servers. Evaluate the need to enable universal group caching.
Implement an Active Directory directory service forest and domain structure. Create the forest root domain. Create a child domain. Create and configure Application Data Partitions. Install and configure an Active Directory domain controller. Set an Active Directory forest and domain functional level based on requirements. Establish trust relationships. Types of trust relationships might
include external trusts, shortcut trusts, and cross-forest trusts. Managing and Maintaining an Active Directory Infrastructure Manage an Active Directory forest and domain structure. Manage trust relationships. Manage schema modifications. Add or remove a UPN suffix. Restore Active Directory directory services. Perform an authoritative restore operation. Perform a nonauthoritative restore operation. Planning and Implementing User, Computer, and Group Strategies Plan a user authentication strategy. Plan a smart card authentication strategy. Create a password policy for domain users. Planning and Implementing Group Policy
Plan Group Policy strategy. Plan a Group Policy strategy by using Resultant Set of Policy
(RSoP) Planning mode. Plan a strategy for configuring the user environment by using
Group Policy. Plan a strategy for configuring the computer environment by using
Group Policy. Configure the user environment by using Group Policy. Distribute software by using Group Policy. Automatically enroll user certificates by using Group Policy. Redirect folders by using Group Policy. Configure user security settings by using Group Policy. Managing and Maintaining Group Policy Troubleshoot issues related to Group Policy application deployment.
Tools might include RSoP and the gpresult command. Troubleshoot the application of Group Policy security settings.
Tools might include RSoP and the gpresult command.
|
||||||||||||||
Computer Networking Tucson |
