• Part 1: Installing and upgrading Windows 2003

• [1.1] Clean install

• During installation of Windows 2003 if you need to install special storage adapter
that Windows does not have press F6
• You can install to a dynamic disk that was converted from boot or system volume
(MBR presence)
• Product key
o Retail/OEM - one key per install, product activation
o Volume licensing - only one key for multiple instalations
o Product activation is a proof of ownership that uses 25 character key
o You have 14 days to activate your product, if you run out of time you can
still start the server in safe mode (no network)
• Windows 2003 is a server software, some modules are disabled by defalut:
o No audio service (disabled by default)
o Limited video acceleration (DirectX off by default)
• Dynamic update that occurs during the installation is for critical updates only
(not drivers) and need internet connection
• You must have the Unattend.txt or Winnt.sif (copy of unattend.txt when using
CD for install) files if you want to fully automate the remote installation of a
Windows Server 2003 operating system.
• [1.2] Windows editions
• Standard edition
o Maximum of 4 CPU
o Maximum of 4GB of RAM
o Network load balancing
• Enterprise edition
o Can be 32 or 64 bit (64bit edition needs Intel Itanium)
o Has hot add memory capability (on 32bit edition only), clustering
o Maximum of 32GB RAM, 64GB RAM on 64bit
o Maximum of 8 CPUs
o Up to 8 cluster nodes
• Datacentre edition
o Needs to be purchased through Microsoft
o Maximum of 64CPUs, 512GB RAM on 64bit edition
o Up to 8 cluster nodes
• Web edition
o Up to 2 CPUs and maximum of 2GB of RAM
o Used to host websites, web applications including DNS, no non-web
based applications like SQL server
o OEM or volume licensing, cannot buy retail
• XP profesional
o Minimum P233, recommended PII 300
o Minimum 64Mb RAM, recommended 128Mb
o Minimum 1.5Gb of free space on HD, recommended 2Gb
• [1.3] Hardware requierments
• CPU minimum 133Mhz (datacentre edition 400Mhz), recommended 550-733Mhz
• RAM minimum 128Mb (datacentre edition 512Mb), recommended 256Mb
• HD minimum 1.5Gb
• Pentium Pro and Pentium II multiprocessor systems have a bug in them,
multiprocessor support is disabled
• [1.4] Licensing
• To administer Windows 2003 OS licensing for sites or the enterprise, use
Licensing in Administrative Tools.
• The Licensing option in Control Panel manages licensing requirements for a
single computer running a Windows 2003 OS.
• You must have a Client Access License (CAL) for each device or user that
connects to your server.
• Per Device or Per User licensing mode is the best option if your clients
frequently use multiple servers on the network. It is client side licensing used in
enterprises. The number of simultaneous connections to any server is unlimited
for every client.
• Per Server licensing mode is the best licensing option when a server product is
installed on only one server accessed at any time by no more than a subset of
your users. For example if you have 5 CALs 5 clients can connect to your server
on first come basis.
• Use license groups when there is 1 to many, many to 1 or many to many
relationship between users and devices
• License Logging service is needed for license monitoring but not enforcment
• If a client PC is used by 10 or less users only 1 CAL is required
• For control panel licensing you got only 1 licensing type change, for enterprise
licencing you will loose your licences
• You can find your licensing server in 'AD Sites and Services'
• [1.5] General upgrade points
• You need at least Windows NT4 SP5 to upgrade to Windows 2003
• You must upgrade to the same or more powerful edition (i.e. for example from
Windows 2000 Advanced Server to Windows 2003 Enterprise, cannot upgrade to
Windows 2003 Standard)
• If the PC you are upgrading will be (or is) a domain controller you will need NTFS
(among other things to store SYSVOL folder which stores GPO)
• Check partition size, you need minimum of 1.5GB for Windows 2003 installation
• [1.6] Upgrading from Windows NT4 to Windows 2003
• You need to upgrade PDC 1st (Windows 2003 will emulate PDC for older
clients). Note that Windows 2000 and XP PCs will prefer to use Windows 2003
server over NT4. This can cause network congestion problems. Need to change
registry on server to make it look like NT4 PDC.
• You need to upgrade RAS server before you upgrade last BDC (you want to get
rid of the old NTLM authorization method)
• AD installation wizard will start after OS upgrade completes (if PC was a DC). By
default forest functionality level will be set to Windows 2003 interim.
• NT4 mirror and strip sets will not mount on Windows 2003, you need to
o Break mirror and\or kill stripe volume
o If you forget about above, use ftonline utility to mount NT mirror or stripe
in read only mode on Windows 2003
• [1.7] Upgrading from Windows 2000 to Windows 2003
• AD was introduced in Windows 2000 to manage authentication
• You will need to make sure all Windows DC have SP2 or above installed on them
• Before OS upgrade you need to run utility called adprep on the DC
o Adprep.exe is located on Windows 2003 CD. Its role is to go through
Windows 2000 AD schema and include enchancments needed for
Windows 2003 DC to be accepted
o You will need to run adprep.exe /forestprep first on the schema master.
You will need to be a member of both Enterprise admins and Schema
admins. It is recommended to take schema master PC offline during utility
run.
o After you have run adprep.exe /forestprep you will need to run adprep.exe
/domainprep on the infrastructure master in each domain. You need to be
a member of domain admins or enterprise admins. Make sure that before
 the run all changes from adprep.exe /forestprep replicated down to all
DCs.
• [1.8] Domain functional levels
• Forest functional level
o Effects all domains in the forest
o Windows 2000 (default) accepts NT4, 2000 and 2003 DC
o Windows 2003 Interim accepts NT4 and 2003 DC
o Windows 2003 accepts 2003 DC
• Domain functional level
o Effects only one domain
o Windows 2000 mixed (default) accepts NT4, 2000 and 2003 DC
o Windows 2000 native accepts 2000 and 2003 DC
o Windows 2003 interim (you will get this option if you upgraded a totaly
NT4 domain) accepts NT4 and 2003 DC
o Windows 2003 accepts 2003 DC
• == ==
• [edit section] Part 2: Managing and Maintaining Physical &
• [edit section]
• [edit section]
• l drives ==
• [2.1] Plug & play
• For plug & play to operate we need the following:
o Plug & play BIOS
o OS that is plug & play capable
o Device that supports plug & play
• When Windows finds new hardware but is unable to install it we can go to Device
Manager and run troubleshooter as well as look at the error codes
• Uninstalling the device using 'Device manager' only removes the driver and
uninstalls it from the OS (not from the PC!). If the device is not physically
removed from the PC, it will be detected the next time PC boots up. To prevent
this from happening one must disable the device.
• When Windows 2003 fails to detect new hardware use 'Add new hardware
wizard'
• [2.2] Hardware supported
• Virtual Disk service API for storage systems, SANs (storage area networks)
• IEEE 1394, RAID, USB 2.0, Video, Sound
• Wireless supports
o Wireless and cable network bridging
o Roaming and autoconfiguration
• USB 2.0 supports up to 127 devices per root hub and up to 5 deep nested
external hubs. You can see power & bandwith usage by checking out root
properties.
• Windows 2003 has the ability to burn CD-R and CD-RW using IMAPI service,
however it is disabled by default
• You will need a decoder for video DVDs (data DVDs are OK)
• DVD+RW and DVD-RW are not supported, need manufacturer's driver
• [2.3] Access needed to install new hardware
• You will need to be a member of the Administrators group or have 'load and
unload device drivers' user privelage to install new hardware, unless
o Driver the the hardware uses is signed or has the Designed for Windows
Logo
o No further action is required to install the device, no requirement for
Windows to display a user interface. No need to use 'Add Hardware
Wizard'
o Device driver is already on the system
o No network policy settings are preventing you from installing hardware.
• This way ordinary users can for example connect a USB pen drive to the PC
without beeing member of the administrators group
• [2.4] Device Manager can be accessed in 4 ways
• By going to start -> all programs -> administrative tools -> computer managment-
> device manager tree selection
• Control panel -> system -> hardware tab -> device manager button
• R-click on 'My computer' and select properties ->hardware tab -> device
manager button
• Custom made MMC snap-in
• [2.5] Device Manager views
• Devices by type - when you use this view all network adapters present will be
listed under 'network adapters', all disk drives under 'disk drives' etc. This is the
default view.
• Devices by connection - you can for example see what devices are connected
to the motherboard on the PCI slot by expanding Standard PC node and
expanding PCI bus node.
• Resources by type - sorts devices by type, i.e. DMA devices, I/O devices, IRQ
devices and memory devices. Good for IRQ conflict troubleshooting.
• Resources by connection - sorts devices by connection instead of type
• Show hidden devices - shows the non plug and play devices that have been
removed from the PC but have installed drivers.
• [2.6] Device properties tab
• General - for example manufacturer and device status
• Advanced settings - optional, not every device has them. For example, for a
network card we could have card link speed selector.
• Resources tab - shows things like IRQ assignments. You can only edit IRQ if
there is a conflict. Also the device has to be plug and play capable.
• Power managment - not applicable to servers
• Hardware profiles - good mostly for laptops, when say you have different
hardware connected to your PC at the office and at home office. Also can be
used for troubleshooting, you can limit the hardware in each profile.
• [2.7] Driver properties
• Details of installed driver
• Update driver
• Roll back driver (new in Windows 2003)
• Uninistall driver
• Driver signing:
o Harmful driver install prevention
o HCL - Hardware compatabilty list, to be replaced by Windows catalog
o Run d:\i386\winnt32 /checkupgradeonly from Windows 2003 CD to
check hardware compatability
o Command line sigverif.exe is used to check drivers from command line
o By default system is set to warn user if he or she is installing unsigned
driver (other options are: ignore and block)
o Unsigned driver means that the driver was not tested by Microsoft and is
not supported by Microsoft. For most part these drivers are still OK
o When driver is signed by Microsoft it and the hardware are tested by
Microsoft
• Some older devices (like CD-ROM etc.) plug into LPT port on the PC. You will
need to set LPT port to "Legacy plug and play support" on port settings tab for
older devices to work.
• The easiest way to solve embedded device conflict with an add on device is to
disable the onboard device. For example, to use add on music card, you will
need to disable onboard music card
• Many problems are caused by incorrect drivers, for example graphic card that
displays only 800x600 resolution. Update driver to solve these problems.
• [2.8] HAL - hardware abstraction layer
• Computer driver which is the interface to BIOS, kernel is build on top of this
driver
• You can choose HAL during install by pressing F5
• Multiple processors - when installing a 2nd processor in a single processor
system (UP - uni processor) you will need to update HAL for the CPU from single
CPU to multiple CPU (SMP - symmetric multi processor driver)
• Do not upgrade from standard HAL to ACPI (advanced configuration and power
interface) HAL and vice versa
• [2.9] Windows update & automatic update
• 1st appeared in Windows 98
• Windows 2003 adds scheduling of updates capability
• To access follow: control panel -> system -> system properties -> automatic
update button
• Can set up Windows update properties via GP settings
o Specify Intranet Microsoft Update service location
o Configure automatic updates
o Reschedule Automatic updates scheduled installations
o No auto-restart for scheduled automatic updates
• [2.10] Printers
• Printer - this is how we call a piece of software on your PC
• Print device - this is the actual hardware printer
• Print server - PC to which a local printer is connected - any Windows PC. It is
the computer that sends print jobs to the print device. For a network printer you
send jobs to the server as well.
• Print spooler - also referred to as print queue this is a directory on print server
where jobs are being stored prior to being printed
• Print processor - also known as rendering is the process that determines
whatever a print job needs further processing once job has been sent to the
spooler
• Printer pool - configuration that allows to use one printer for multiple print
devices
• Print driver - piece of software that understands your print device codes
• Physical port - port through which a printer is directly connected to the
computer, COM or LPT
• Logical port - port through which a printer with a network card is attached to
network, much faster than a physical port
• Local printer - printer that uses a physical port and has not been shared
• Network printer - printer that is available to local and network users, can use
either physical or logical port
• Windows server 2003 can be in a "print server" role. In this role the server is set
to manage network printers (this includes local printers connected to other PCs
which are shared)
• You can use UNIX (LPR) protocol, for this you will need to add LPR port. LPR is
included in "print services" for UNIX, which is installed as a separate component
of Windows Server 2003
• You can also have print services for Macintosh and for Netware
• Whenever you hear anything that deals with: LPR, LPD, LPQ think UNIX
• You can load into your Windows 2003 server in "print server" role additional
drivers for other Windows versions (Windows 95/98/NT4/2000/XP)
• You can set printer priority (1-99) as well as printer avability (which means
when the printer will be available timewise) to different user groups as well as
access to the print device itself to different user groups and individual users.
• For network printers that are attached using ethernet cable to the network and
use TCP/IP for communication any Windows 2003 server can be a print server
provided that it is connected to the same network
o To implement above you need to create a new TCP/IP port
o To create a port you will also need IP of the network printer or its share
name (so IP can be pulled from active directory)
• You can print from Windows XP clients to print server computers running a
Windows 2003 by using a Uniform Resource Locator (URL). Internet printing
uses Internet Printing Protocol (IPP).
• For example to use different print priority for two groups you need to setup two
print devices, restrict their use and set priority on them
• If you want to know printer utilization track print queue object in system monitor
• %systemdir%\system32\spool\printers\ is the default location of the spool
folder. You should change it if your server serves many printers.
• A port is defined as the interface that allows the PC to communicate with the print
device. Local ports are for print devices attached to the PC directly.
• Separator pages are used in multi user environments, sample files are found in
%systemroot/system32/ folder with .sep ending
• Print.exe - sends a text file to a printer
• Net Print - displays information about a specified printer queue, displays
information about a specified print job, or controls a specified print job
• [2.11] Printer Poling
• One printer, multiple print devices
• Think of it as load balancing for printers, used in larger enterprises
• Need to use the same driver for all print devices that are member of the pool.
Many newer printer devices will work with older driver, use driver that is the
newest for the oldest printer.
• [2.12] Management of printers using print server role of Windows 2003
server
• Surf to http://printserver/printers/ where 'printserver' is the name (or IP) of your
print server PC
• Can restrict access to this web interface using group policy
• For above to work you will need to install IIS 6
• [2.13] Redirecting print jobs
• You can redirect print jobs provided both printers use the same driver
• When user placed into a queue a request to print a document on a print device
which failed to print BEFORE comencment of printing you can redirect printing to
another printer
• To redirect a print job select print device you want jobs redirected from
• If the new printer is on this print server, just select new port to which the new
printer is attached, otherwise
• Click on 'ports' tab
• Click on 'add port', select local printer and click on 'new port'
• Type in UNC share name of the printer you want the job redirected to, in format
\\other_print_server\share_name
• Check the check box next to the port you just created
• [2.14] Disk drives
• SCSI 15000RPM, 20Mbps transfer
• IDE 7200RPM, 16.7Mbps transfer
• SATA (similar to IDE)
• Both SCSI and SATA support up to 15 drives on a single controller
• IDE drives have 'cable select' option on them which automatically determines
master and slave. It is best practice to manually set jumpers for master and
slave.
• [2.15] ARC path designation (Advanced RISC computing)
• ARC dates back to NT 3.5 days (in the form presented here, otherwise NT 3.1)
• The file boot.ini is used to find '\windows\' directory
• Bootcfg.exe configures, queries, or changes Boot.ini file settings
• Boot.ini switches:
o /debug - for debugging (/nodebug)
o /bootlog - enable boot logging
o /sos - display driver names while they are being loaded during the
Windows boot
• Please note that Microsoft has changed the default install directory from WINNT
to WINDOWS for Windows server 2003. For upgrades we will still use WINNT
directory.
• Multi
o Identifies the controller physical disk is on
o Multi(x) syntax of the ARC path is only used on x86-based computers
o For IDE or pure SCSI disks when OS is on the 1st or 2nd SCSI drive
o The Multi(x) syntax indicates to Windows NT that it should rely on the
computers BIOS to load system files. This means that the operating
system will be using interrupt (INT) 13 BIOS calls to find and load
NTOSKRNL.EXE and any other files needed to boot Windows NT.
o Numbering starts at 0, for example Multi(0), due to technical reasons it
should always be 0
o In a pure IDE system, the Multi(x) syntax will work for up to the 4 drives on
the primary and secondary channels of a dual-channel controller
o In a pure SCSI system, the Multi(x) syntax will work for the first 2 drives on
the first SCSI controller (that is, the controller whose BIOS loads first)
 o In a mixed SCSI and IDE system, the Multi(x) syntax will work only for the
IDE drives on the first controller
• SCSI
o Identifies the controller physical disk is on
o The SCSI(x) syntax is used on both RISC and x86-based computers
o Using SCSI() notation indicates that Windows NT will load a boot device
driver and use that driver to access the boot partition
o On an x86-based computer, the device driver used is NTBOOTDD.SYS,
on a RISC computer, the driver is built into the firmware
o Numbering starts at 0, for example SCSI(0)
o Windows NT Setup always uses Multi(x) syntax for these first two drives
• Disk
o Identifies the physical disk attached to controller
o 0 if Multi(x) present, Disk is only for SCSI
o For SCSI value of Disk(x) is the SCSI ID and can be 0-15 Note: one
channel is always reserved for the controller itself
o Numbering starts at 0, for example Disk(0)
• Rdisk
o Identifies the physical disk attached to controller
o Almost always 0 if SCSI(x) is present, Rdisk is for Multi(x), ordinal for the
disk, usually number 0-3
o Numbering starts at 0, for example Rdisk(0)
• Partition
o Refers to the partition on the hard disk where Windows system folder is
located on
o All partitions receive a number except for type 5 (MS-DOS Extended) and
type 0 (unused) partitions, with primary partitions being numbered first and
then logical drives
o A partition is a logical definition of hard drive space
o Numbering starts at 1, for example Partition(1)
• Signature
o Used when system BIOS or controller hosting the boot partition cannot
use INT-13 Extensions
o The signature() syntax is equivalent to the scsi() syntax
 o Using the signature() syntax instructs Ntldr to locate the drive whose disk
signature matches the value in the parentheses, no matter which SCSI
controller number the drive is connected to
o The signature() value is extracted from the physical disk's Master Boot
Record (MBR)
• [2.16] Easy way to memorize ARC
• There are 5 letters in the word 'Multi' and 5 letters in the word 'Rdisk'
• There are 4 letters in the word 'SCSI' and 4 letters in the word 'Disk'
• 'SCSI' works together with 'Disk' while 'Multi' works together with 'Rdisk'
• When system uses Multi(x) it uses BIOS INT-13 Extensions, so on board BIOS
has to be enabled
• [2.17] Disk Managment MMC snap-in
• To activate: start -> all programs -> administrative tools -> computer managment
-> disk managment tree node
• Another ways is to r-click on My computer and select 'manage' from the list
• Finally you can just create a custom MMC snap in
• Using disk managment, among other things, you can:
o Initialize new disks
o Create new volumes and partitions
• If you r-click and select properties -> general tab you can see location heading
with a number. That number is the ARC number of the HD.
• If you need a disk formatted in FAT or FAT32 you cannot do it from disk
manager, you need to use: format x: /fs:FAT32 Note Windows can format FAT
32 disks up to maximum of 32Gb but can read higher capacity drives
• DiskPart.exe - you can create scripts to automate tasks, such as creating
volumes or converting disks to dynamic.
• Fsutil.exe - perform many NTFS file system related tasks, such as managing
disk quotas, dismounting a volume, or querying volume information.
• Mountvol.exe to mount a volume at an NTFS folder or unmount the volume from
the NTFS folder.
• [2.18] Remote managment
• Computer managment is not just for the local machine, you can also manage
other PCs, to activate r-click on computer managment (local) and select 'connect
to another pc'
• By default Domain Admins are part of local administrators group and you need
these right to connect and administer remote PCs
• If you cannot access Device Manager from the Computer Management extension
snap-ins on a remote computer, ensure that the Remote Registry service is
started on the remote computer.
• Computer Management does not support remote access to computers that are
running Windows 95.
• In remote managment 'Device Manager' is in read only mode
• [2.19] Basic Disks
• Primary partition is the only one that is bootable and there is a maximum of 4
primary partitions
• Extended partitions are not bootable
• Logical drives are created in extended partitions. There are no limits as to the
number of logical drives each extended partition may have.
• Primary partitions and logical drives are assigned drive letters
• Basic Disk FAT is located on the first sector of the hard disk; space is shared
with the MBR
• [2.20] Dynamic disks
• Fault tolerance better than basic disks, due to multiple storage places for
information. 1Mb database is placed at the end of each physical hard disk
containing information about all dynamic disk located in this particular system,
this creates multiple storage spaces of the same data.
• Can be one of the following:
o Simple volume:
 Single disk
 No fault tolerance
 Can be NTFS or FAT
o Spanned volume:

maximum of 32 disks

Cannot extend spanned volumes, need to delete and recreate if not
NTFS or contain system files
 For more information see <a
href="http://technet2.microsoft.com:80/WindowsServer/en/library/50
79e4a1-b0be-4fdf-9b4a-ece7a0755c5c1033.mspx?mfr=true"
target="_blank">MS knowledge base paper</a>
 No fault tolerance
o Extendeding simple volume:
  Similar to spanned volume but uses the same physical HD with
simple volume
 You can extend a simple volume only if it does not have a file
system or if it is formatted using the NTFS file system. You also
need free space on HD and the volume could not have been
originally a basic disk partition (when the conversion from basic to
dynamic has been made on Windows 2000).
 You cannot extend volumes formatted using FAT or FAT32
 You cannot extend a system volume, boot volume, striped volume,
mirrored volume, or RAID-5 volume
o Mirror volume:
 Also known as RAID 1
 The only volume besides simple volume in Windows 2003 which
can boot and system partitions can both reside on
 Can be NTFS or FAT
 Fault tolerance, data is the same on both disks
 To replace the failed mirror in a mirrored volume, right-click the
failed mirror and then click Remove Mirror, and then right-click the
other volume and click Add Mirror to create a new mirror on another
disk
 Variation of mirroring called duplexing uses HD connected to
different controllers for even more fault tolerance
o Striped volume:
 Also known as RAID 0
 Maximum of 32 disks
 Breaks data into 64Kb chunks for writing to different disks that
make up the stripe
 It is recommended to use same type of hard drives for member
drive
 Windows 2003 cannot be installed on software RAID 0
 You cannot extend striped volume, need to recreate it
 No fault tolerance
o RAID 5:
 Made up of three disks with each storing parity information
 Fault tolerance when one disk fails
 Maximum of 32 disks, minimum of 3
  Not available in Windows XP professional
 To replace the failed disk region in a RAID-5 volume, right-click the
RAID-5 volume and then click Repair Volume
• Only in Windows XP Professional, windows 2000 Professional and Windows
2003 Server (all editions) you can use dynamic disks
• Note: if disk fails for which ARC path is in boot.ini system will not boot. You
should have a disk with modified boot.ini
• Mounted volumes - can mount HD as a NTFS folder
• Uninstall disks prior to moving them, Re-scan disk when you attach it
• Dynamic disks can be re-configured without re-boot
• When your boot disk is also a dynamic disk, then you will not be able to dual boot
into OS that is not dynamic disk capable
• Dynamic disks are not supported on laptops due to luck of advantage over basic
disks in this scenario
• Dynamic disk partition table types:
o dynamic GUID partition table (GPT) disks, for 64bit editions of Windows
o dynamic MBR disks, for 32 and 64bit editions of Windows
• The Foreign status occurs when you move a dynamic disk to the local computer
from another computer
• You can have a maximum of 2000 volumes on a dynamic disk, recommended
maximum is 32
• Volumes created after the 26th drive letter has been used must be accessed
using volume mount points
• Hard drives that are connected to the Pc using USB or IEEE 1394 can not be
converted to dynamic volumes
• Volume status descriptions
o Failed - basic or dynamic volume cannot be started automatically or the
disk is damaged
o Failed Redundancy - data on a mirrored or RAID-5 volume is no longer
fault tolerant because one of the underlying disks is not online, has
substatuses
o Formatting - occurs only while a volume is being formatted with a file
system
o Healthy - normal volume status on both basic and dynamic volumes, no
known problems, has substatuses
 o Regenerating - occurs when a missing disk in a RAID-5 volume is
reactivated
o Resynching - occurs when creating a mirror or restarting a computer with
a mirrored volume
o Unknown - occurs when the boot sector for the volume is corrupted
o Data Incomplete - displayed in the Foreign Disk Volumes dialog box, and
occurs when data spans multiple disks, but not all of the disks were
moved.
o Data Not Redundant - displayed in the Foreign Disk Volumes dialog box
when you import all but one of the disks in a mirrored or RAID-5 volume
o Stale Data - displayed in the Foreign Disk Volumes dialog box, and
occurs when a mirrored or RAID-5 volume has stale mirror information,
stale parity information, or I/O errors
• [2.21] Converting to dynamic disk and back to basic disk
• If you convert a boot disk, or if a volume or partition is in use on the disk you
attempt to convert, you must restart the computer for the conversion to succeed.
• The conversion may fail if you change the disk layout of a disk to be converted or
if the disk has I/O errors during the conversion.
• After you convert a basic disk into a dynamic disk, any existing partitions on the
basic disk become (dynamic) simple volumes.
• If you are using shadow copies and they are stored on a different disk then
original you must first dismount and take offline the volume containing the
original files before you convert the disk containing shadow copies to a dynamic
disk.
• If you are converting disks form dynamic to basic the disk being converted must
not have any volumes on it nor contain any data before you can change it back to
a basic disk. If you want to keep your data, back it up before you convert the disk
to a basic disk.
• [2.22] File systems
• FAT 16 bit (File Allocation Table)
• FAT 32 bit
• NTFS (New Technology File System)
• To convert from FAT to NTFS use: convert x: /fs:NTFS
• [2.23] Folder compression (zipped)
• Create new compressed folder (zipped)
• All new items added to that folder will be compressed (zipped)
• For command line operations use compress.exe, which acts like winzip
• [2.24] Compression (NTFS)
• When you compress a whole folder:
o All files are compressed automatically when added but not current folder
occupants
o OR
o Compression can also be applied to current files and subfolders
• Decompression is a reverse process of compression
• Moving a file on the same volume means that the file location is moved in MFT
only, not the physical file itself.
• When you copy a file, no matter whatever on the same volume or not, the
destination file will inherit the destination folder's permissions
• When you move a file on the same volume, it keeps its original permissions
(explicit permissions only). When you move a file to another volume, the move is
treated as a copy operation and the file permissions are inherited from the
destination folder.
• All file attributes behave in the same way with the exception of encryption
• File compression is supported only on NTFS volumes with cluster sizes 4 KB and
smaller
• For command line use compact.exe, it can display and modify compression
attributes but it works only on NTFS
• [2.25] Encryption:
• Only users who created the files, users whom owner gave access to view the file
(new in Windows 2003, additional users need to already be issued certificates)
and recovery agents can decrypt the file
• When moving encrypted file from one volume to another volume, it stays
encrypted. When copying file it also stays encrypted. This behaviour is unique for
encryption!
• Note that user which has NTFS permissions to an encrypted file can delete that
file, even if he/she cannot view that file
• Cannot encrypt and compress at the same time (due to encryption process using
pseudo random salt which cannot be further compressed due to its nature)
• You can zip 1st then encrypt to get encrypted and compressed file
• Executable file cipher.exe is a command line encryption utility
• By default, the recovery agent is the Administrator account on the 1st DC, there
is no default for stand alone server
• For encryption property, moving/copying a file to a FAT system decrypts file
without warning
• It is recommended to store recovery agent certificate on a floppy disk in secured
location. It is also recommended to copy their file to be recovered to the recovery
agent PC where it will be recovered.
• [2.26] How EFS (encrypted file system) works
• When the user chooses to encrypt a file, a file encryption key is generated
• This encryption key, together with encryption algorithm is used to encrypt the
contents of the file
• The file encryption key is encrypted itself using user's public key and stored
together with the encrypted file. The file encryption key is also protected by the
public key of each additional EFS user that has been authorized to decrypt the
file and each recovery agent.
• File can only be decrypted by using user's private key, by using private key of
users given permission to view the file and private key of recovery agent
• Private/public pair is created using user's certificate
• On stand alone machines user's certificate is created the 1st time he or she tries
to encrypt a file
• For domain user certificate is issued by the certification authority - user needs
permission to get a certificate
• Files marked with the System attribute cannot be encrypted, nor can files in the
systemroot directory structure.
• Before users can encrypt or decrypt files and folders that reside on a remote
server, an administrator must designate the remote server as trusted for
delegation.
• If you open the encrypted file over the network, the data that is transmitted over
the network by this process is not encrypted.
• Users can use EFS remotely only when both computers are members of the
same Windows Server 2003 family forest
• Encrypted files are not accessible from Macintosh clients
• Encrypting File System (EFS) no longer requires a recovery agent
• [edit section] Part 3: Managing users, computers and groups
• [3.1] User accounts
• User account consist of:
o Name and password
 o SID (security identifier) - consists of a domain SID, which is the same for
all SIDs created in the domain, and a RID, which is unique for each SID
created in the domain. SIDs are unique in the network.
o Can have other attributes, like group membership
• User accounts and computer accounts (as well as groups) are also referred to as
security principals
• Security principals are directory objects that are automatically assigned security
IDs (SIDs)
• Can be either local or domain
• All local user accounts are stored in local database that every PC has except the
domain controller.
• Local accounts cannot be used to grant access to network resources
• At logon time user select whatever he wants to logon into a domain or local PC.
depending on his or her selection system uses local or AD user database
• Username must be unique, for pre-2000 maximum of 20 characters, spaces and
period are OK, but no special characters. Usernames are not case sensitive
while passwords are.
• InetOrgPerson is used in several non-MS LDAP and X.500 directory services to
represent people within an organization, in AD for compatibility
• In order to interactively log in to DC user needs to be member of Domain admins,
Enterprise admins, Account Operators, Administrators, Backup Operators, Print
Operators, and Server Operators or explicitly granted permission to logon
• [3.2] Build in local user accounts
• Administrator - even when the Administrator account has been disabled, it can
still be used to gain access to a computer using Safe Mode
• Guest (by default in disabled state)
• Support account (Support_388945a0)
• [3.3] Build in local groups
• Administrators - full control, by default it's member is the Administrator account.
This account cannot be removed. When joined to a domain, Domains Admin
global group is also added to local administrators group.
• Backup Operators - can backup and restore files on the server ignoring security
settings that protect these files. Can access server from the network,logon locally
and shout down the system.
• DHCP Administrators (installed with the DHCP Server service) - have
administrative access to the Dynamic Host Configuration Protocol (DHCP)
Server service.
• DHCP Users (installed with the DHCP Server service) - have read-only access
to the DHCP Server service.
• Guests - temporary profile created at the logon time, deleted at log off. Member
of the Guest group, no default user rights.
• Help service group - used to set up right common to all support applications,
only member is Support_388945a0, do not add users
• Network configuration operators - can make changes to TCP/IP
• Performance log users - can manage performance counters, logs and alerts
locally or remotely
• Performance monitor users - can monitor performance counters only, locally or
remotely
• Power users - they can add users/shares/groups. The power users cannot:
change Administrators group membership, take ownership of files, load or unload
device drivers and manage security logs.
• Print operators - can manage printers and print queue
• Remote Desktop Users - can remotely logon to the server
• Replicator - the only member should be domain user account used to logon the
replicator service on a DC. Do not add users to this group
• Terminal Server Users - users who are currently logged on to the system using
Terminal Server
• Users - can do common task such as running programs and printing stuff. Can
access locally or through network, all user accounts are members of the Users
group by default.
• WINS Users (installed with WINS service) - permitted read-only access to
Windows Internet Name Service (WINS)
• [3.4] Complex passwords
• Complex password needs to be at least 6 characters long
• Cannot use any part (or all of) of user account name
• A complex password need to consist of 3 out of these 4:
o English uppercase characters
o English lowercase characters
o Base 10 digits
o A special character, such as [,),^
• By default, complex passwords are enabled on DC, disabled on stand alone
servers
• Windows 2003 passwords can be up to 127 characters long. Windows 95/98
passwords can be up to 14 characters long.
• Password reset disks are used on stand alone servers to recover user
password, otherwise users will loose encrypted data
• [3.5] Organization
• On DC on Windows 2000 local users & groups display red X, on Windows 2003
there is no local users & groups
• When installing AD local user accounts and groups are moved to the AD and
local DB is deleted
• Data that is allowed to be stored in the active directory is defined in the active
directory "schema".
• OU (organizational units) are acting as a container for groups, users and other
OU
• You can limit users to logon only on certain computers (but not exclude them
from certain PCs). You can also limit users login hours.
• [3.6] Using profile for local PC
• Local profile is located in 'documents and settings' directory on local PC
• You can use network share for profile location (can be used for backup)
• Mandatory profile - users cannot save changes (they can delete, but it comes
back!)
• Home folders - where you automatically go after you hit 'save as'
• Folder redirection - allows Administrators to redirect personal folders for all
users to a single location
• All user settings and preferences are stored in a file ntuser.dat
• [3.7] Roaming profile
• User sees the same thing on every PC (network profile)
• Enebled on user properties screen in Active Directory Users and Computers;
Cannot be modified using GPO.
• ntuser.dat is stored on network share
• Local profile on local PC is used if network connection cannot be established
• Network problems can occur (network congestion) if large files are saved to the
desktop or 'My Computer'. To resolve this issue use GPO - set file processing
only if user wants to use given file
• Only files that have been changed since the profile was last loaded are saved
• [3.8] Other profile information
• To create a mandatory profile rename ntuser.dat to ntuser.man
• Terminal service profile - different look and feel when connecting through
terminal server. This may be needed if regular profile could have adverse effect
on the network (contains options that for example use a lot of bandwidth)
• [3.9] Account and password options
• Available options are:
• User must change password at the next logon
• User cannot change password
• Password never expires
• Store password using reversible encryption
• Account is disabled
• Smart card required for interactive logon
• Account is trusted for delegation
• Account is sensitive and cannot be delegated
• Use DES encryption for this account
• Do not require kerberos for preauthentication
• [3.10] Terminal services
• Thin clients are like good old dumb terminals
• Terminal services are part of user settings
• Remote control: user in terminal services application mode, similar to remote
assistance
• Use Terminal services Configuration to set session timeouts
• [3.11] Remote access (VPN/Dial-in)
• Remote access is denied by default
• Remote access policy which can use either RRAS or IAS (RADIUS)
• Remote access policy is much more flexible than user Dial-in properties (which in
turn override remote access policy)
• For traveling executive, set 'callback' option to 'set by caller'
• Dial-in
o Dial-in properties allow you to assign a specific IP to user
o This is the only way in Windows 2003 that you can assign a specific IP to
a user
• Routing and remote access protocols
 o MS-chap (Microsoft Challenge Handshake Authentication Protocol) still
supports NTLM (but not by default) Same encryption key is used for all
connections, both authentication and connection data are encrypted
o MS-chap v2 no NTLM and stronger encryption (like salting passed
encrypted password strings) both MS-chap protocols are the only ones
that can change passwords during the authentication process. New key is
used for each connection and direction.
o Chap - need to enable storage of a reversibly encrypted user passwords,
encryption of authentication data through MD5 hashing. No encryption of
connection data.
o PAP (Password Authentication Protocol) passwords are unencrypted as
well as connection data
o SPAP (Shiva Password Authentication Protocol) - less secure than CHAP
or MS-CHAP, no encryption of connection data
o EAP-TLS (Extensible Authentication Protocol - transport level security) -
certification based authentication (EAP) used with smart cards, both
authentication and connection data are encrypted, not supported on stand
alone servers - only for domains.
o EAP-MD5 CHAP (Extensible Authentication Protocol - Message Digest 5
Challenge Handshake Authentication protocol) - this is a version of Chap
that was ported to EAP framework. Encrypts only authentication data, not
connection data, same like Chap.
o Unauthenticated access - connections without credentials, good for
testing
• [3.12] DC/OU/CN example
• Here is how DC/OU/CN work. User is CN - canonical name, DN - distinguished
name. For example, energyshop.com/IT/John Doe DC - energyshop DC - com
OU - IT CN - John Doe
• [3.13] UPN - user principal name
• User principal name in e-mail format which can be used when logging in and not
using dropdown, example joe@mycompany.com. UPN must be unique in the
forest.
• [3.14] Dealing with user passwords
• Do not delete user accounts, disable them instead
• Rename users as a quick way to set up new accounts
• To move users to a different domain in the same forest use movetree.exe
(initiated on the RID master of the domain where object lives). For different forest
need ADMT (AD migration tool).
• [3.15] Password policy
• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Complexity requirement
• Store passwords using reversible encryption
• [3.16] Account lockout policy
• Account lockout duration
• Account lockout threshold
• Reset account lockout counter after X minutes
• [3.17] Computer accounts
• Managed PCs are computers whose OS was installed using RIS service
(remotely)
• For RIS to work you need a network card that is PXE (pre-execution
environment) enabled
• If you network card is non-PXE but is PCI based you can use Rbfg.exe to create
remote boot disk
• No computer account for Windows 98 systems, Windows 98 can still log in to the
domain, provided that AD client is installed and SMB signing is disabled
• To create computer accounts you need to have 'create computer accounts'
permission
• You can set up common attributes on several user accounts at once using the
multiselect option, you can set: Profile, Organization, Account Tab, Address,
General Tab
• [3.18] RIS - remote installation service
• Each PC has a GUID (globally unique identifier) sometimes called UUID
• You can get PC's GUID from
o From DHCP discovery pockets PC sends when it wants to get IP address
from DHCP server
o PC documentation
o PC startup screen (BIOS)
• RIS options
 o Respond to client PCs requesting service
o Do not respond to unknown PCs (unknown PCs are not found in the AD)
• For RIS following must be available on the network
o Active Directory
o DNS
o DHCP
• [3.19] Contacts
• These are not user accounts
• They are used to add people that are outside of your domain
• [3.20] Automation
• Bulk import data into active directory using csvde.exe (comma separated value
directory exchange), using CSV format. It is easier to modify spreadsheet to
confirm to csvde than ldifde.
• Executable file ldifde.exe stands for: LDAP data interexchange format directory
exchange
• Executable file ldifde is used to import AND modify active directory, csvde can
only import
• Import creates accounts with blank passwords, best to create accounts in
disabled state by specifying user control value of 514
• [3.21] Build in domain user accounts
• Administrator - when the Administrator account is disabled, it can still be used to
gain access to a domain controller using Safe Mode
• Guest (in disabled state by default)
• Support
• krbtgt
• [3.22] Domain Groups
• Security - can have object permissions (but also works just for e-mail
distribution)
• Distribution - only for e-mail
• Group scopes:
o Domain local
o Global
o Universal
• [3.23] Built in domain local groups
• Domain local groups can contain users and groups from any trusted domain.
• Account operators - can create and administer domain user accounts and
groups
• Administrators - full control over domain
• Backup operators - ignores security in order to backup or restore files
• Guests - has same access as domain users group
• Incoming forest trust builders - can create incoming, one way trusts to this
forest
• Network configuration operators - can modify network settings like TCP/IP
• Performance log users - can remotely configure and view performance logs
• Performance monitor users - can remotely view performance logs
• Pre-Windows 2000 computer access (for win NT) - has read permission to all
users and groups in the domain and the right to access DC from network
• Print operators - administrator for printers
• Remote desktop users - can logon into any PC in the domain remotely (only
logon ability, nothing else)
• Replicators - supports file replication in the domain
• Server operators - can manage DC, shout down, create shares, manage disks
and more
• Terminal server license servers - local group for Terminal Server license
servers
• Users - cannot install new applications, can run applications that already exist,
cannot logon to DC
• [3.24] Global groups
• Used to organize users but only from its own domain
• Create by job function or job description
• DNS update proxy - can preform updates to the DNS on behalf of other clients.
When secure dynamic updates are enabled on DNS, the DHCP servers must be
made members of this group to be able to update clients.
• Domain admins - complete administrative rights in the domain. Member of
Administrators domain local group (as well as local Administrators group on all
PCs)
• Domain computers - all PCs that are joined to the domain
• Domain controllers - all DC are members of this group
• Domain guests - used to grant access to users that don't have valid user
account in the domain. Member of domain local guest group by default
• Domain users - all users are members of this group. Normal access to
workstations. When new share gets created, they get 'read' access
• Group policy creator owner - members can create and mange GP.
Administrator account is a member of this group by default.
• [3.25] Universal groups
• Used for many to many relationships, like many users that need to access
resources in many domains
• Can contain users, global groups, local groups from any domain in the forest
• Cannot contain users from domains that are outside the forest
• Universal groups are used to organize users across domains
• It is recommended to place only global groups inside universal groups
• You need to have domain functional level set to at least Windows 2000 native
• Build in (admin in root domain is the only member) :
o Enterprise admins - have access to all domains in the forest
o Schema admins
• [3.26] Access between domains
• We trust in the authentication of another DC
• Automatic trusts between parent and child domains are set in Windows 2000
native or above
• Types:
o 2 way trusts (NT4 domains) - need to be set up at both sides (i.e. from
domain A to B 1 setup and 1 from B to A == no automation)
o 2 way transitive trusts (Windows 2000)
o Forest trust (Windows 2003)
• [3.27] Remember the acronym AGLP
• Accounts - create users accounts
• Global groups - place users in global groups
• Local groups - place global group into local group
• Permissions - assign permissions to the local group
• [3.28] Windows 2000/Windows 2003 domain vis mixed mode
• Universal group is added in Windows 2000 native mode
• Group nesting - same type of group in same type
• Changing of group types (distribution vis security) is enabled in Windows 2000
native mode
• For Windows 2000/ Windows 2003 domain we are going to use AGULP
• U stands for universal group
• We place global groups into universal group and universal groups into local
groups
• [3.29] MMC
• Access control
o Author mode - full customization of the MMC console
o User mode-full access - as author mode, except that users cannot add
or remove snap-ins, change console options, create Favorites, or create
taskpads
o User mode-limited access, multiple windows - access only to those
parts of the console tree that were visible when the console file was
saved. Users can create new windows but cannot close any existing
windows.
o User mode-limited access, single window - as 'user mode limited
access, multiple windows' but users cannot create new windows
• [3.30] Special groups (special identities)
• Anonymous Logon - users and services that access a computer and its
resources through the network without using an account name, password, or
domain name
• Everyone - all current network users
• Network - users currently accessing a given resource over the network
• Interactive - all users currently logged on to a particular computer and accessing
a given resource located on that computer
• Special groups can be assigned rights and permissions to resources but their
memberships cannot be modified or viewed and scopes do not apply. Users are
added automatically.
• [3.31] Other points
• Home folder can be on local PC or a network share
• Rename Guest and Administrator accounts, for local accounts use GPO
• PC and DC use a secure channel to communicate password changes every 30
days. If they are out of synchronization you will need to reset the PC (message
is: 'Domain member failed to authenticate'). This is by going to the computer
account and clicking on 'reset account'.
• [edit section] Part 4: Managing and monitoring access to resources
• [4.1] ACL - access control list
• Every object in AD has ACL
• ACE - access control entries
• ACL is a list of ACEs. Each ACE has deny or accept action and an associated
SID (security identifier).
• The process of checking user access is preformed in this way:
o User SID is checked against ACE on ACL list of the resource user wants
to access
o Also groups that the user belongs to (group SID) is checked against ACE
in ACL
o If there is no entry, then access is denied
o Accept if ACE = SIDs in ACL and associated ACE action is accept
o Windows resolves SID and presents name as ACE
o Deny right takes precedence over allow right in group and user security
context. This is true even for Administrator and object owner.
• [4.2] General NTFS permissions for files
• Read - also allows for viewing of file attributes
• Write
• Read and execute
• Modify = read + write + delete + execute
• Full control
• [4.3] General NTFS permissions for folders
• Read - also allows to view folder attributes
• Write
• Read and execute
• Modify = read, execute, write, delete
• List folder contents, includes subfolders
• Full control = all of above permissions plus permission change permission plus
ownership change permission
• [4.4] Share permissions
• Only applicable for folders, no share permissions for files
• Read = read file data, file names and subfolder names + execute (default
assigned to everyone group)
• Change = read permission + delete files and subfolders + write
• Full control = all of above permissions + change of share permissions right only
• Share permissions do not apply to users that are logged into the OS interactively
(i.e. locally)
• NTFS general permissions always apply, even for a share i.e. user needs two
read permissions in order to access a file over the network
• Use NTFS permissions to tighten security
• To add share form command prompt: net share 'folder name'='path'
• To delete share form command prompt: net delete 'folder name'
• When a share name ends in $ it is hidden and cannot be browsed to, full name
needs to be typed in
• Share permissions are not included in a backup or restore of a data volume
• Share permissions do not replicate through the File Replication service
• [4.5] Special permissions
• In Windows 2003 object ownership can be given to another user, not just taken
by the current user as in Windows 2000
• When user is in multiple groups the least restrictive permissions are chosen
• Special permissions:
o Traverse folder/ execute file
o List folder/ read data
o Read attributes
o Read extended attributes (created by program)
o Create file/write data
o Create folders/append data
o Write attribute
o Write extended attribute
o Delete subfolders and files
o Delete
o Read permissions
o Change permissions
o Take ownership
o Synchronize (not users and groups)
• Everyone group is no longer granted full control (it is granted read and execute
only). The built-in Everyone group includes Authenticated Users and Guests, but
no longer includes members of the Anonymous logon group.
• A quick way to see the permission structure is to click on 'view effective
permissions'
• The Effective Permissions tool only produces an approximation of the
permissions that a user has. The actual permissions the user has may be
different, since permissions can be granted or denied based on how a user logs
 on. This logon-specific information cannot be determined by the Effective
Permissions tool, since the user is not logged on; therefore, the effective
permissions it displays reflect only those permissions specified by the user or
group and not the permissions specified by the logon.
• [4.6] Explicit permissions and inherited permissions for files and folders
• There are two types of permissions: explicit permissions and inherited
permissions.
• Explicit permissions are those that are set by default when the object is
created, by user action.
• Inherited permissions are those that are propagated to an object from a parent
object. Inherited permissions ease the task of managing permissions and ensure
consistency of permissions among all objects within a given container.
• Explicit permissions take precedence over inherited permissions, even inherited
Deny permissions. This has nothing to do with user and group security context.
• [4.7] Inherited permissions (file and folders)
• All files and folders inherit their permissions from the parent folder by default
• There are three ways to make changes to inherited permissions:
o Make the changes to the parent folder, and then the file or folder will
inherit these permissions. Remember this is not related to user and group
security!
o Select the opposite permission (Allow or Deny) to override the inherited
permission.
o Clear the 'Allow inheritable permissions from the parent to propagate to
this object and all child objects. Include these with entries explicitly defined
here' check box. You can then make changes to the permissions or
remove the user or group from the permissions list. However, the file or
folder will no longer inherit permissions from the parent folder. You be
presented with a confirmation dialog that has these options
 You can 'copy' permission entries making all entries explicit
(convert inherited entries into explicit)
 Or you can remove all inherited permissions and keep only the
current explicit permissions
• You cannot change parent permissions inside a child object - they show as
grayed out if inheritance is on.
• If the object is inheriting conflicting settings from different parents then the setting
inherited from the parent closest to the object in the subtree will have
precedence.
• Only inheritable permissions are inherited by child objects. When setting
permissions on the parent object, you can decide whether folders or subfolders
can inherit them with Apply onto.
• [4.8] Ownership
• Ownership general points:
o To decrypt a file owner still needs correct private/public key pair
o File owner always has 'change permissions' permission
o An administrator who needs to repair or change permissions on a file must
begin by taking ownership of the file.
o Every object has an owner, whether in an NTFS volume or Active
Directory. By default, in the Windows Server 2003 family, the owner is the
Administrators group.
o Transferring ownership (new in Windows 2003) is preferred to giving users
'take ownership right'.
• Ownership can be taken by:
o An administrator. By default, the Administrators group is given the Take
ownership of files or other objects user right.
o Anyone or any group who has the Take ownership permission on the
object in question.
o A user who has the Restore files and directories privilege.
• Ownership can be transferred in the following ways:
o The current owner can grant the Take ownership permission to another
user, allowing that user to take ownership at any time. The user must
actually take ownership to complete the transfer. Or transfer ownership by
using 'Other users or groups' button.
o An administrator can take ownership.
o A user who has the Restore files and directories privilege can use 'Other
users or groups' button and choose any user or group to assign ownership
to.
• [4.9] Ways to create shares in Windows 2003
• Using MMC
• Server roles (file server role)
• Using explorer
• [4.10] Share options
• Offline caching occurs when users have local copies of network files
• Offline caching is also controled by the use of group policy
• Offline caching is turned on by default when a share is created on the server
• The following settings are available on the client
o Use of the offline feature
o Synchronize when logging on
o Encrypt offline files cache
o Prohibit making available file and folders offline
o Configure slow link speed
• Windows XP computer can allow a maximum of 10 simultaneous connections to
a shared folder
• Share permissions are managed like NTFS permissions but you cannot block
inheritance and there are no special permissions
• [4.11] Special shares
• drive letter$ - shared resource that enables administrators to connect to the root
directory of a drive
• ADMIN$ - resource that is used during remote administration of a computer. The
path of this resource is always the path to the system root (ex. c:\windows)
• IPC$ - resource that shares the named pipes that are essential for
communication between programs. You use IPC$ during remote administration
of a computer and when you view a computer's shared resources. You cannot
delete this resource.
• NETLOGON - required resource that is used on domain controllers
• SYSVOL - required resource that is used on domain controllers
• PRINT$ - resource that is used during remote administration of printers
• FAX$ - shared folder on a server that is used by fax clients in the process of
sending a fax
• You cannot browse to $ shares (cannot see them in Explorer)
• [4.12] Web sharing
• You can share your folders online, web sharing of folders - viewed using IE
• You need to install IIS on the server
• You will need to allow directory browsing permission for files other then .htm
and .asp to be accessible
• [4.13] Shadow copies (new in Windows 2003)
• Accidental deletions
• Accidental overwrites
• File corruption
• Need to run VSS - volume shadow copy service
• Snapshot are taken at default or user defined intervals
• There can be at any time maximum of 64 different snapshots stored on the
system
• Windows XP and 2000 need installation of client software, twcli32.msi
• Information is stored in the hidden system folder 'system volume information'
• Form command prompt: vssadmin create shadow /for=volume
• If you need to restore a file using shadow copies that has been deleted you will
need to restore the whole folder
• Shadow copies can be accessed from:
o Windows explorer
o Shared folders snap-in
o Command prompt
• If you want to move shadow copy storage location you need to destroy and
recreate the shadow
• [4.14] Distributed file system (DFS)
• DFS exposes shared folders without explicitly starting where it is located
• DFS is like an index for shares on the network
• Domain based root (preferred) or standalone root
• Replication fault tolerance (for domain only)
• Stored in active directory (DFS root - domain based)
• To access distributed file system go to start -> all programs -> Administrative
tools -> Distributed file system
• DFS on the Windows 2003 can only be used with the NTFS file system
• Set replication policy for DFS
• Do not create FRS replica sets on a volume that is managed by Remote Storage
(performance hit)
• Automatic file replication through the File Replication service (FRS) is only
available with domain DFS
• Dfsutil.exe and dfscmd.exe are command line tools used to administer DFS
• [4.15] Enabling auditing for files, folders and printers
• You will need to enable auditing for object access policy
• And you also need to enable auditing for individual files and folders through
NTFS security or through printer security
• [4.16] Auditing
• Account logon events - success or failure of domain logon
• Account logon management - events such as resetting passwords and
modifying user properties
• Directory services - any time user access AD an event is generated
• Logon events - success or failure of local logon or logon to a share
• Object access - file, folder or printer access
• Policy change - success or failure of change of security options, user rights,
account policies and audit policies. Both domain and local PC changes are
tracked.
• Process tracking - useful for applications
• System - system events such as shutting down PC or clearing the logs
• [4.17] Terminal services
• Any Windows PC with client installed can connect to the terminal server
• There is no need to install terminal services if one intends only to use it for
administrative purposes
• Terminal server can be transparent to users (for example thin clients)
• In order for the user to connect to the terminal server he or she needs local logon
right
• All clients need a CAL (Windows 2000 and XP have one build in)
• You need to have terminal services licensing installed on DC in a single domain
environment, it will need to connect to Microsoft. If it cannot connect to Microsoft
clearing house it will still issue temporary licenses. It can also connect to the
clearing house by fax or phone.
• Licensing server can issue temporary CAL (non-renewable) for 120 days
• Terminal server client connection uses RDP protocol
• There is an option of remote control of user if server is in application server role
• Terminal services are not installed by default
• Before users can use terminal services you will need to grant users access to
RDP in Terminal Services configuration
• Tscc.msc - terminal services clients and connections MMC, you can override AD
user account settings
• To install Terminal Services programs use 'Add & remove programs' when all
user sessions are disconnected
• There are compatability scripts available for many popular programs
• Use Terminal Services GP to configure one or more terminal servers, or to
manage Terminal Server user settings
• [4.18] Remote desktop
• Remote desktop connection = terminal services client
• Remote desktop is installed and activated by default. For multiple remote
desktop connections try Remote Desktops MMC.
• Remote desktop depends on terminal services service
• [4.19] Remote assistance
• For Windows 2003 and XP
• Concurrent session with logged in user
• Logged in user has to authorize access
• You can send invitation from 'Help and Support' menu. You can send invitations
through e-mail or Microsoft messanger. You also need to supply a connection
password.
• You can also offer remote assistance to others (disabled in GP by default)
• [4.20] User rights
• Administrators can assign specific rights to group accounts or to individual user
accounts. If a user is a member of multiple groups, the user's rights are
cumulative, which means that the user has more than one set of rights. The only
time that rights assigned to one group might conflict with those assigned to
another is in the case of certain logon rights.
• There are two types of user rights:
o Privileges, such as the right to back up files and directories
o Logon rights, such as the right to logon to a system locally
• [4.21] Security best practices
• Use Deny permission to exclude users
• Use security templates rather than individual permissions
• Avoid changing default permission on system objects (including AD objects)
• Never deny Everyone group access to an object. Instead just remove Everyone
group.
• Assign permissions as high as possible up the inheritance tree
• Privileges can sometimes override permissions
• Assign permissions to groups rather than single users
• Avoid giving 'Full control' permission, give users what they need to do their work
• Minimize the number of ACEs that apply to children (are inheritable)
• Assign the same permissions to multiple objects, this way the AD will only have
to store one copy of ACL
• When possible, assign access rights on a broad level rather then specific
• [edit section] Part 5: Managing and maintaining a server environment
• [5.1] Performance and system events
• Task manager
• Event viewer
• System monitor (to activate you can run prefmon.exe from command line)
• Performance logs and alerts
• Network monitor
• [5.2] Performance
• To set process priority at run time, go use start "process name" /"priority
value"
• Another way is to: cmd /c start /"priority setting""application name" -- you
cannot use this from the run menu
• Priority types:
o Real time (you will need Administrator access to set this priority level)
o High
o Above normal
o Normal
o Below normal
o Low
• Relog - extracts performance counters from performance counter logs into other
formats, such as text-TSV, text-CSV, binary-BIN, or SQL
• Logman - manages and schedules performance counter and event trace log
collections on local and remote systems
• [5.3] Performance indicators
• Memory: pages faults/sec - data not found in CPU cache creates a fault, most
processors can handle large amounts of soft page faults, compare with memory:
pages/sec
• Available memory in bytes - need more if less than 10% available (could be an
application memory leak)
• Memory: pages/sec - hard drive access to page file, a rate of 20 or more
indicates a need for more RAM
• Page file percent close to 100, need more space on file or more RAM
• Physical disk: percentage disk time above 70% - is too high, if paging file
usage is excessive as well it indicates more RAM is needed otherwise a disk is
the bottleneck
• Physical disk average queue length above 2 - check paging file and physical
memory
• Physical disk current queue length - a value above 2 indicates a problem
• CPU close to 100% - need more CPU power if situation continues for excessive
amounts of time
• Number of open files indicates how busy the server is, compare to baseline
• Server: bytes total/sec - indicates network throughput
• Baselining is the process of determining average/normal system performance.
Should be done over a period of 3 to 4 weeks using counter logs.
• Performance logs and alerts are used to perform long term analysis:
o Using the default Windows 2003 data provider or another application
provider, trace logs record detailed system application events when
certain activities, such as a disk I/O operation occurs. When the event
occurs, your OS logs the system data to a file. A parsing tool is required to
interpret the trace log output, like Tracerpt
o When counter logs are in use, the service obtains data from the system
when the update interval has elapsed, rather than waiting for a specific
event.
• [5.4] Log file settings
• Maximum log size
• Overwrite log events as needed
• Overwrite log events older than X days
• Do not overwrite events (clear log manually)
• Microsoft recommends keeping 7 day logs
• [5.5] Log files
• DefaultDefalut log files:
o Application
o Security
o System
• Active directory adds:
o Directory service log
o File replication service log
• DNS adds: DNS service log
• Log file extension is .evt (files with this extension can be viewed by event viewer)
• Tracerpt - processes event trace logs or real-time data from instrumented event
trace providers
• [5.6] Log filtering
• Event type
• Event source
• Event ID
• User
• Computer
• Date range
• [5.7] Event information
• Eventvwr - used to lunch event viewer
• Eventtriggers.exe - displays and configures event triggers on local or remote
machines.
• Eventcreate.exe - enables an administrator to create a custom event in a
specified event log
• Eventquery.vbs - lists the events and event properties from one or more event
logs
• [5.8] Page file
• Page file size should be at least 1-1.5 times the size of physical RAM
• Don't let system manage the size of the page file (fragmentation of page file due
to constant resizes)
• Set minimum=maximum size of the page file in order to prevent any page file
resizes
• If you move page file from the system drive you will no longer get any memory
dumps
• You will need to restart your PC once you make changes to the page file
• [5.9] Disk quotas
• Disk quota applies to everyone using the volume except administrators
• Remember that every user needs few Mb (min 2) for storage of the profile which
is needed for logging in
• Quota entry can be created per user but not per group, only volumes and users
have quota entries
• Quota limit is calculated using the uncompressed file size, thus compressing files
will not create more space
• The default quota entry is for all users of given volume. You can add additional
quota entries on per user basis only.
• Once again, quota entries are per user per volume, no groups are allowed.
• Remember that once a user uses a volume with quota set on it an entry is
automatically added. Thus, if you had a general entry for all users and later on
some users run out of space and need more you modify quota entries not add
new ones.
• Disk quota is only applied to the files that are being added after the quota entry
got created, it doesn't apply to files that were already there
• Each file can contain up to 64kb of metadata that is not applied towards users
quota limit
• Fsutil is used to manage quota from command line
• To free some space run disk cleanup, from command prompt: cleanmgr.exe
(note it doesn't clear internet temporary files)
• [5.10] Defragmenting
• You will need at least 15% of free HD space in order to defragment
• You may need to repeat the process several times in order to achieve planned
results
• Defragmenting should be done on every volume every 1 to 2 months
• You cannot schedule defragmenting task (unless you use custom scripts)
• Windows defragmenter works with FAT16, FAT32 and NTFS
• On modern computer systems that use NTFS and don't use the file system
extensively (desktops) the benefits of defragmenting a hard drive are measurable
but not noticable for the end user. Thus defragmenting is only significant
performance tool for file servers.
• [5.11] Internet Information server 6 (IIS.6)
• Can server files from local/network/redirected URL
• IIS runs as w3wp.exe process
• You can run multiple sites using one of these methods:
o Different IP per site
o Use headers, not preferred method, no SSL/HTTPS, need HTTP 1.1
compliant browser
o Different port per site
• Front page extensions are to be used with front page only
• To create Virtual directory you can use regular wizard or web share a folder
• IIS 6 is not installed by default in Windows 2003 (it was in Windows 2000)
• For anonymous access IIS6 uses IUSR_computerName account
• IWAM_computerName account is for IIS to start out of process applications
• All users of the website have to authorize to the domain, even anonymous users
(by default users are anonymous)
• You can backup just IIS using the IIS manager or isbackup.vbs. Backup copies
store only the metabase configuration and schema. (not site content)
• Custom error templates (.htm) are located in %systemroot
%\help\iishelp\common\
• Other:
o Can change home directory
o Can change default document name
o You can limit bandwidth and total connections numbers
o Different logging options
• Certificates are used with SSL, can have personal certificates
• SMTP and e-mail services are not the best, use in emergency, try to avoid
• ISAPI filters - internet server application programming interface filters
• Content expiry - this setting tells client browser whatever it should use cached
copy or load new data from the website
• Web service access permission and NTFS permissions work together, more
restrictive choosen, recommended to use NTFS
• [5.12] Application pools in IIS.6
• IIS modes of operation
o Worker process isolation mode, which runs all processes in an isolated
environment (needed for application pools)
o IIS 5.0 isolation mode, in which you can run Web applications that are
not compatible with worker process isolation mode
• Application pools are like separate memory spaces in which sites live. More
formally, an application pool is a configuration that links one or more applications
to a set of one or more worker processes.
• Two ways to recycle the assigned worker process
o By default, the worker process that is to be terminated is kept running until
after a new worker process is started up
o Alternatively, the WWW service can terminate a worker process and then
start a new worker process
• An application pool that uses more than one worker process is called a Web
garden
• When more than one server is used to host a website we have a web farm
• [5.13] Authentication methods
• Integrated Windows authorization, uses kerberos or NTLM depending on
client capability, popular on intranets. Uses domain user or local user account
information passed hashed over the network. If AD (not required) is installed can
use Kerberos if not NTLM.
• Digest authorization, uses MD5 algorithm transmission, no password are
transmitted. Values are compared to AD (user needs account in AD, AD needs to
be installed). This is used when integrated Windows authorization is not
available. Requires the accounts to store passwords using reversible encryption.
Internet Explorer 5.0, HTTP 1.1 at minimum.
• Basic authorization, uses clear text passwords (base64 encoded), supported by
almost any environment, AD or local account
• .Net authorization - native Windows XP and 2003 support
• Can restrict access based on IP or/and domain name
• Kerberos authentication is used by computers that have account in AD and are
above Windows NT4.
• [5.14] Website Logging
• Web site logging can be out of synchronization with local time - enable log
rollover for local time.
• Web site logging formats:
o W3C Extended Log File Format (default)
o Microsoft IIS Log File Format
o NCSA Common Log File Format
o ODBC Logging
• [5.15] SUS - software update service
• SUS - software update service, can distribute updates (need to be approved by
the admin before distribution occurs) to clients.
• Minimum requirements for the clients to connect to SUS are Windows XP SP1,
or Win2k SP3 or later.
• SUS server is really just a webpage with ActiveX functionality that piggybacks on
top of IIS.
• In order for SUS to work you need to point client computers to SUS server using
GPO
• You need to install SUS10SP1.exe on the server
• Server computer must be running at least version 5 of IIS
• SUS virtual administrative directory http://yourservername/SUSadmin
• SUS needs NTFS with at least 100Mb to install package and 6Gb for storing
updates, SUS runs from the 'default website' and stores all data there
• SUS notification is shown for Administrators only
• If you have P III 700, 512Mb RAM SUS server can handle up to 15000 clients
• SUS server is not set to synchronize with Windows update site by defalut,
administrator must do that or manually synchronize
• [5.16] Services
• HTTP - hypertext transfer protocol TCP port 80
• SSL - Secure socket layers TCP port 443
• SMTP - TCP port 25. Files stored in LocalDrive:\Inetpub\Mailroot
• SNMP - simple network management protocol used to provide information about
TCP/IP hosts, UDP port 161.
• FTP - only basic authentication allowed, TCP port 20 (data) TCP port 21
(control). Files stored in LocalDrive:\Inetpub\Ftproot
• POP - TCP port 110
• DNS - UDP port 53 (query) TCP port 53 (zone transfer)
• NNTP - TCP port 119. Files stored in LocalDrive:\Inetpub\Nntpfile\Root
• PPTP - Point to point tuneling protocol TCP port 1723
• L2TP/IPSec - UDP ports 500, 1701 and 4500
• [5.17] Other points
• By default Windows 2003 Server uses 25% of RAM for system cache (Windows
2003 server assumes it will be a file server)
• Dos and 16bit programs run as NTVDM processes. Windows 64bit editions
cannot run 16bit programs.
• You should assign more RAM for the system cache if server is a file server
• [edit section] Part 6: Managing and implementing disaster recovery
• [6.1] Overview
• Document everything in your plan, test your plan
• Posses a 'recovery toolkit' with stuff like backup utilities/system utilities etc.
• Make sure you backup:
o User data
o Critical system files
o Critical applications
• Recovery point - how much data can we loose? Most medium size companies
are OK with loosing up to 24h - thus daily backup is OK.
• Time frame for recovery - how long does it take to recover affected systems
• Hot sites are ultimate backup solution (a hot site can take on all functions of the
current site, is kept synchronized and is in a different physical location)
• Backup files have .bkf extension
• When files are backed up they retain all of their original attributes including
encryption
• File attributes are lost when you restore backup to a FAT volume
• [6.2] Backup types
• Normal (full) - Clears archive bit, backs up all data on volume that is beeing
baced up.
• Incremental - backs up only these files that have their archive bit set to 1 (since
last full or incremental backup). Clears archive bit. Restore process will have to
chain multiple incremental backups. This backup is fastest when combined with
normal backup.
• Differential - backs up only these files whose archive bit is set to 1. Does not
clear archive bit, no chaining of backups during restore process
• Copy - only backup type that can back up registry and other critical system files.
Like full backup, but does not clear or set any archive bits. This type of backup is
used for archiving or when backing up between incremental and normal backup
routine.
• Daily - backs up only these files that were modified today. Does not clear archive
bit.
• You can exclude files from being backed up
• System state - boot and system files, AD (if DC), SYSVOL directory (if DC),
COM+ Class Registration database, registry, Cluster service information (if
server is part of a cluster), IIS Metadirectory (if installed) - only for local system!
• All backed up files keep their file attributes, unless you are restoring to FAT
• For command prompt use: ntbackup.exe
• Backup cannot be preformed to CD-R and DVD-R
• When NTBackup creates a backup set it also creates a listing of files and folders
included on the set, called a catalog. It is stored on both the disk of the server
and the backup set itself.
• [6.3] Backup log
• By default 10 backup logs are kept on the server
• There are three logging options:
o No log
o Summary log (default)
o Detailed log
• [6.4] Restore options
• Do not replace files (default)
• Replace only if the file on disk is older
• Always replace files
• Options do you have to restore the files to
o Restore to alternate location
o Restore to single folder
o Restore to original location
• [6.5] Authorative vis normal (non-authorative restore) vis primary restore
• DC use Universal sequence numbers (USN) to keep track of state
• Authorative restore makes sure that the current DC is the one with master copy
• Authorative restore is used in situations when you accidentally deleted something
in AD and now want it undeleted
• To run restore, use: ntdsutil.exe
• Use ntdsutil.exe utility is used to mark specific objects as authorative
• A primary restore is used to rebuild a domain from backup when the only DC in
domain or all domain controllers have failed.
• Select primary restore only when restoring the first replica set to the network.
• [6.6] Running normal (non-authorative restore) steps
• Boot the DC into Directory Services restore mode and enter restore password
• Run ntbackup.exe and restore system state backup. After restore completes you
need to restart the PC
• [6.7] Running authorative restore steps
• Preform steps like in 5.6 except the reboot in step 2
• Start ntdsutil.exe utility and type 'authorative restore'
• At the ntdsutil prompt type 'restore database'
• When restore completes reboot your DC
• [6.8] Running primary restore steps
• Proceed as in normal (non-authorative) restore, but when restoring replicated
data sets, mark the 'restored data as the primary data for all replicas' box
• [6.9] Boot problems
• Hit F8 for boot menu during startup
• Last known good configuration is the control set in the registry (current settings,
like used drivers)
• Last known good configuration is still good choice only if user has not logged on
since problem arouse
• Safe mode does not backup the 'Last known good configuration'
• To access recovery console: 'winnt32.exe /cmdcons' - this places recovery
console option into boot.ini
• Recovery console is good for missing boot files
• Can run recovery console from Windows 2003 CD, to run console from CD boot
from CD and press R (repair installation)
• When boot files are missing you will have to copy new ones from installation CD
• Directory services restore mode:
o This is like a safe mode for a domain controller
o Active directory is not started
• [6.10] Advanced boot options
• Safe mode - in boot.ini /safeboot:minimal /sos /bootlog /noguiboot
• Safe mode with networking - in boot.ini /safeboot:network /sos /bootlog
/noguiboot
• Safe mode with command prompt - in boot.ini /safeboot:minimal(alternateshell)
/sos /bootlog /noguiboot
• Enable boot logging - in boot.ini /bootlog
• Enable VGA mode - in boot.ini /basevideo
• Last known good configuration - in boot.ini
• Directory services restore mode (Windows domain controllers only) - in boot.ini
/safeboot:dsrepair /sos
• Debugging mode - in boot.ini /debug
• [6.11] ASR - Automated system recovery
• Replaces ERD (emergency repair disk)
• Stores system state data
• Need Windows 2003 CD and ASR floppy to do a clean install and apply system
settings
• ASR is needed to recover from boot failures
• To create ASR disk either run ntbackup.exe from command prompt or go to: start
-> all programs -> accessories -> system tools ->backup
• Using ASR recovers the system up to the point ASR was created
• If you create ASR for system without floppy files are saved to the %systemroot
%\repair folder on the server. ASR restore will not work without a floppy drive and
the floppy disk.
• To preform ASR recovery you need:
o ASR floppy disk
o ASR Backup set
o Windows 2003 setup CDROM
• [6.12] Best practices for backup
• Develop backup and restore strategies and test them; train people.
• Always create an Automated System Recovery (ASR) backup set when the
operating system changes
• Always choose to create a backup log for each backup
• Keep at least three copies of the backup media. Secure both the storage device
and the backup media.
• Perform a trial restoration periodically to verify that your files were properly
backed up
• Use volume shadow copies when performing a backup (default setting)
• [6.13] Other points
• System state data can only be restored and backed up locally (there are 3rd
party software utilities that can restore and backup over the network)
• Using 'last known good configuration' can be used to recover from most stop
errors if the user has not logged in BUT server must be able to boot, i.e. if ntldr
error need to use ASR or recovery console
• For major hardware failures such as motherboard replacement you will need to
reinstall Windows Server 2003. However, you will still need to restore system
state prior to full Windows boot in order to preserve original SID.
• Recovery password can be different than administrator password
• For problems with boot files use recovery console and copy needed files over
from the CD
• [edit section] Part 7: Active directory primer
• [7.1] The operations master roles (FSMO (Flexible Single Master
Operations) roles)
• Every forest must have the following roles: Schema master and Domain naming
master
• Every domain in the forest must have the following roles: PDC emulator master,
RID master and Infrastructure master
• At any time, there can be only one DC acting out his role in his respective scope
• Domain naming master - addition or removal of domains in the forest
• Infrastructure master
o Responsible for updating references from objects in its domain to objects
in other domains
o Compares its data with that of a global catalog
o Unless there is only one domain controller in the domain, the infrastructure
master role should not be assigned to the domain controller that is hosting
the global catalog.
• Primary domain controller (PDC) emulator master
o Needed for computers operating without Windows 2000 or Windows XP
Pro client software or if domain contains Windows NT BDCs
o PDC is responsible for synchronizing the time on all DCs throughout the
domain
o External time source net time \\ServerName /setsntp:TimeSource
o If a logon authentication fails at another DC due to a bad password, that
DC will forward the authentication request to the PDC emulator before
rejecting the logon attempt since PDC emulator gets preferential treatment
o Supports both NTLM and Kerberos authentication
• Relative ID (RID) master - allocates sequences of relative IDs (RIDs) to each of
the various domain controllers in its domain
• Schema master - all updates and modifications to the schema, need additional
DLL to be registered if transferred
• [7.2] AD troubleshooting and seizing a FSMO role
• Use ntdsutil.exe to transfer FSMO roles
• Use ntdsutil.exe utility for AD related tasks
• Do not seize the FSMO role if you can transfer it instead. Seizing the FSMO role
is a drastic step that should be considered only if the current operations master
will never be available again.
• Before seizing the chosen FSMO role, use the repadmin utility to verify whether
the new operations master has received any updates performed by the previous
role holder, and then remove the current operations master from the network.
• [7.3] Other AD information
• Dcpromo.exe is used to promote member service to DC and to demote DC back
to member service
• A global catalog is a DC that stores a copy of all AD objects in a forest. It stores
a full copy of all objects in the directory for its host domain and a partial copy of
all objects for all other domains in the forest. It is managed from 'Active Directory
Sites and Services'.
• Netdom - This command-line tool enables administrators to manage Windows
2003 and Windows 2000 domains and trust relationships from the command line
(need support tools suptools.msi)
• The DS*.exe family of tools
o Dsadd - adds a computer, contact, group, organization unit, or user to a
directory
o Dsmove - moves any object from its current location in the directory to a
new location, as long as the move can be accommodated within a single
domain controller, and renames an object without moving it in the directory
tree
o Dsquery - queries and finds a list of computers, groups, organizational
units, servers, or users in the directory by using specified search criterion
o Dsrm - deletes an object of a specific type or any general object from the
directory
o Dsget - displays selected attributes of a computer, contact, group,
organizational unit, server or user in a directory
o Dsmod - modifies an existing object of a specific type in the directory
• [7.4] Other GP information
• GPUpdate - refreshes local GP settings and GP settings that are stored in AD,
including security settings
• Order in which Group Policies get applied: Local computer, Site, Domain, OU.
This means that Site GP are more relevant than Local, Domain more relevant
than Site and OU the most relevant.
• OU is the smallest scope to which you can delegate authority or apply GP
against
• RSoP.msc - Resultant set of Policies is a GP tool that can be loaded as a
Management Console snap-in. Resultant set of policies is the final set of policies
that is applied to the user and computer.
• Gpedit.msc - GP editor MMC
• [7.5] DHCP
• Dhcploc.exe - displays the DHCP servers active on the subnet including
unauthorized servers
• DHCP server must be authorized in the AD before it can give out addresses
• IP autoconfiguration - when PC does not get IP address from DHCP it by
default autoconfigures itself to address in range 169.254.x.x
• [7.6] Other points
• Whoami - returns domain name, computer name, user name, group names,
logon identifier, and privileges for the user who is currently logged on
• Removable Storage makes it easy for you to track your removable storage
media (tapes and optical disks). Use rss or rsm utilities
• Media pool description:
o Blank or Foreign tape - unrecognized
o Newly formatted tape - free
o Tapes previously used by NTBackup - backup
o Tapes not cataloged - import
• Windows File Protection (WFP) - prevents the replacement of protected system
files such as .sys, .dll, .ocx, .ttf, .fon, and .exe files. Turned on by default. Original
files are stored in %SYSTEMROOT%\system32\dllcache
• Systeminfo.exe or msinfo32 (has to be executed from Run window NOT
command line) - can be used to display system information
• MBSA Microsoft Baseline Security Analyzer
o mbsacli.exe for command line, mbsa.exe for GUI
o Windows NT 4.0 Service Pack 4 (SP4) and later (remote scan only),
Windows 2000, XP, 2003
o IIS 4.0, 5.0, 5.1 or 6.0 are supported by scan
o Internet Explorer 5.01 or later are supported by scan
o SQL 7.0, 2000 are supported by scan
o Office 2000, Office XP, or Office 2003 are supported by scan
o Security update checks, password checks, Windows system check
• Regedit.exe - used to edit registry (only one editor in 2003)
• Runas is also known as secondary logon, you need to have Secondary Logon
service running to use it. This command line utility is used to run programs within
different user's security context. For example, network administrator is logged on
as a regular user and needs to run system utility that requires administrative
privelages. Instead of loging out and back in as an administrator, the user could
 use runas command which uses the following syntax: runas
/user:ComputerName\UserName "program name"
• qchain.exe is used for multiple hot fixes (so as not to have to restart server
multiple times)