Active Directory Preparation Tool (adprep.exe) What does ADPrep.exe do? Adprep.

exe is a command-line tool used to prepare a Microsoft Windows 2000 forest or a Windows 2000 domain for the installation of Windows Server 2003 domain controllers. Who does this feature apply to? The changes in ADPrep.exe for Windows Server 2003 Service Pack 1 will be of interest to: IT professionals who support Active Directory, such as Active Directory administrators, Active Directory Schema administrators, Domain Name System (DNS) administrators, and domain controller administrators. Help desk professionals. Application developers. System integrators. What new functionality is added to this feature in Windows Server 2003 Service Pack 1? Adprep.exe enhancement to detect conflicting Exchange Server schema objects Detailed description When Microsoft Exchange Server is deployed in an organization, Exchange Server uses Active Directory as a data store and it extends the Windows 2000 Active Directory schema to enable it to store objects specific to Exchange Server. The ldapDisplayName of the attribute schema ms-Exch-Assistant-Name, ms-Exch-LabeledURI and ms-Exch-House-Identifier defined by Exchange Server conflicts with the iNetOrgPerson schema that Active Directory uses in Windows Server 2003. When Windows Server 2003 Service Pack 1 is installed, Adprep.exe will be able to detect the presence of the schema conflict and block the upgrade of the schema until the issue has been resolved. Why is this change important? Upgrading the Active Directory schema from Windows 2000 to Windows 2003 when these schema objects are present causes the ldapDisplayName to become corrupted and results in issues with Active Directory replication. Fixing the Exchange Server schema objects before the upgrade occurs results in a much smoother upgrade experience. If an organization has a large number of files contained in the GPOs or slow links to replication servers, the FRS synchronization triggered by the /domainprep operation could adversely affect the deployment schedule for Windows Server 2003. By putting this operation at the discretion of the administrator, the impact of this operation can be planned and scheduled as part of the deployment. The deployment of a Windows Server 2003 domain controller can occur after running adprep /forestprep and adprep /domainprep. Resultant Set of Policy (RSoP) functionality will only be operational after running adprep /domainprep /gpprep. What works differently? The Windows 2000 Active Directory schema cannot be upgraded to the Windows Server 2003 schema until the required Exchange Server schema objects are fixed. In Windows Server 2003 Service Pac 1, Adprep.exe will identify that a conflicting schema object exists, prevent the corruption of the schema object by blocking the upgrade, and if possible identify which objects are in conflict so that you can resolve the conflict. Adprep.exe enhancement to perform SYSVOL operations in a separate step

Detailed description In previous versions of Windows Server 2003 running adprep /domainprep resulted in the addition of an inheritable access control entry (ACE) to all Group Policy objects (GPOs) in the SYSVOL folder. This ACE gives Enterprise domain controllers read access to the GPOs to support Resultant Set of Policy (RSoP) functionality for site base policy. The addition of this ACE is detected by the file replication service (FRS) and initiates an FRS synchronization of all GPOs in the SYSVOL folder. In Windows Server 2003 Service Pack 1, the addition of the ACE to the GPOs in the SYSVOL folder is not performed while running adprep /domainprep. Instead, a new switch (/gpprep) has been added to adprep to add the inheritable ACE to the GPO folders in the SYSVOL directory. This allows administrators to update the ACE of the GPO objects at their convenience. How do I resolve these issues? If Adprep.exe detects the presence of the conflicting Exchange Server schema objects, you can use the following procedure to fix these objects and enable Adprep.exe to successfully upgrade your Active Directory schema. To fix conflicting Exchange Server schema objects 1. Log on to the computer that holds the Schema Operation Master role. By default, the first domain controller that you install in your forest is the Schema Operation Master. You must log on using an account that is a member of the Schema Admins security group. 2. Click Start, click Run, type notepad.exe in the Open box, and then click OK. 3. Create the InetOrgPersonPrevent.ldf script by copying the following text including the trailing hyphen after "schemaUpdateNow: 1" to Notepad: Dn: CN=ms-Exch-Assistant-Name, CN=Schema, CN=Configuration, DC=X Changetype: Modify Replace: LDAPDisplayName LDAPDisplayName: msExchAssistantName Dn: CN=ms-Exch-LabeledURI, CN=Schema, CN=Configuration, DC=X Changetype: Modify Replace: LDAPDisplayName LDAPDisplayName: msExchLabeledURI Dn: CN=ms-Exch-House-Identifier, CN=Schema, CN=Configuration, DC=X Changetype: Modify Replace: LDAPDisplayName LDAPDisplayName: msExchHouseIdentifier Dn: Changetype: Modify Add: schemaUpdateNow SchemaUpdateNow: 1 4. On the File menu, click Save. In the Save As dialog box, follow these steps to save the InetOrgPersonPrevent.ldf script: In File name, type the following: \%userprofile%\InetOrgPersonPrevent.ldf In Save as type, click All Files.

In Encoding, click Unicode. Click Save. Close Notepad. 5. Run the InetOrgPersonPrevent.ldf script using the following steps: Click Start, click Run, type cmd in the Open box, and then click OK. At a command prompt, type the following, and then press ENTER: cd %userprofile% Type the following command c:\documents and settings\%username%ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "domain_name_path_for_forest_root_domain" 6. Verify that the ldapDisplayNames for the CN=ms-Exch-Assistant-Name, CN=ms-ExchLabeledURI, and CN=ms-Exch-House-Identifier attributes in the schema naming context now appear as msExchAssistantName, msExchLabeledURI, and msExchHouseIdentifier. Note In step 5 of the previous procedure note the following details: DC=X is a case-sensitive constant. The domain name path for the root domain must be enclosed in quotation marks. For example, the command syntax for an Active Directory forest whose forest root domain is Contoso.com would be: c:\documents and settings\administrator>ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "dc=contoso, dc=com" Adprep.exe enhancement to detect other conflicting schema objects Detailed description Many applications use Active Directory as a data store and extend the Windows 2000 Active Directory schema to enable it to store objects specific to the application. If an application defined a non-RFC compliant schema object, such that the ldapDisplayName, object identifier (OID) or other schema attributes conflict with the Windows 2003 Active Directory schema, when Adprep.exe is run it will detect the conflict and display a generic error.

Adprep Adprep Prepares Windows 2000 domains and forests for an upgrade to Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition. Among its tasks, adprep extends the schema, updates default security descriptors of selected objects, and adds new directory objects as required by some applications. Syntax Adprep {/forestprep | /domainprep | /gpprep} When you upgrade Windows 2000 Server to Windows Server 2003 without a service pack installed, prepare the forest using adprep /forestprep and prepare each domain using adprep /domainprep. Adprep /domainprep prepares the domain for upgrade and adds inheritable access control entries (ACEs) to the Group Policy objects (GPOs) in the SYSVOL shared folder, which causes domain-wide replication to occur. The amount of replication traffic that is generated by this operation might affect network conditions adversely.

When you upgrade Windows 2000 Server to Windows Server 2003 with Service Pack 1 (SP1), prepare the forest using adprep /forestprep and prepare each domain using adprep /domainprep. Adprep /domainprep in Windows Server 2003 with SP1 does not add inheritable ACEs to the GPOs in the SYSVOL shared folder and does not cause domain-wide replication to occur. When network conditions are optimal or if a full synchronization of the SYSVOL share will not affect network bandwidth adversely, run adprep /domainprep /gpprep to add the inheritable ACEs to the GPOs in the SYSVOL shared folder. Parameters /forestprep Prepares a Windows 2000 forest for an upgrade to a Windows server 2003 forest. /domainprep Prepares a Windows 2000 domain for an upgrade to a Windows server 2003 domain. /domainprep /gpprep Available only when you prepare a Windows 2000 domain for an upgrade to a Windows Server 2003 SP1 domain. Adds inheritable ACEs to the GPOs that are located in the SYSVOL shared folder, and synchronizes the SYSVOL shared folder among the domain controllers in the domain. /? Displays Help at the command prompt. Remarks You can find Adprep.exe in the \i386 folder of the Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition CDROMs. For more information about using adprep, see the topics under "See Also." To run adprep /forestprep, you must be a member of the Enterprise Admins group and the Schema Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to run this command. For more information, see Default local groups, Default groups, and Using Run as. To run adprep /domainprep, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to run this command. For more information, see Default local groups, Default groups, and Using Run as. To run adprep /domainprep /gpprep, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to run this command. For more information, see Default local groups, Default groups, and Using Run as. You should run adprep from Windows Server 2003 installation media, such as a CD-ROM or a shared network resource. All domain controllers in the forest should be upgraded to Windows 2000 Service Pack 2 or later before preparing the forest for an upgrade to the Windows Server 2003 family. Adprep /forestprep must be run on the schema master. Adprep /domainprep must be run on each infrastructure master in each domain, and only after adprep /forestprep has been run successfully for the forest.

Adprep /domainprep /gpprep must be run on the infrastructure master of each domain. It can be run anytime after adprep /forestprep and adprep /domainprep have been run, when network bandwidth permits the replication of all GPOs among the domain controllers in the domain. You must wait for the changes made by adprep /forestprep to replicate from the schema master to the infrastructure masters before running adprep /domainprep. If you try to run adprep /domainprep on an infrastructure master before the adprep /forestprep changes have replicated, you will receive notification that the forest preparation has not finished. After you prepare your forests and domains with adprep, you can leave your domain controllers running Windows 2000 for an indefinite length of time, or you can begin the domain controller upgrade immediately. After running adprep, the adprep systemroot\System32\Debug\Adprep\Logs. log files can be found in

For more information about the enhancements to Adprep.exe in Windows Server 2003 with SP1, see article 324392, Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 and in hotfix 324392, in the Microsoft Knowledge Base. For more information about how to prepare your forest and domains using Adprep.exe, see "Overview: Upgrading Windows 2000 Domain Controllers to Windows Server 2003" in article 325379, How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003, in the Microsoft Knowledge Base. Examples To prepare a Windows 2000 forest for upgrade to the Windows server 2003 family, type: Adprep /forestprep To prepare a Windows 2000 domain for upgrade to the Windows server 2003 family, type: Adprep /domainprep Note If you are preparing a Windows 2000 domain for upgrade to Windows Server 2003 without SP1, this command will cause inheritable ACEs to be added to the GPOs in the SYSVOL shared folder, and the SYSVOL share will synchronize, which might cause significant network delays. To prepare a Windows 2000 domain for upgrade to Windows Server 2003 with SP1, by adding inheritable ACEs to the GPOs in the SYSVOL shared folder and synchronizing the SYSVOL shared folder among the domain controllers in a domain, type: Adprep /domainprep /gpprep

Backup System State Data: System state data include boot files, Registry, Com + Class registration database, Certificate service database (If certificate service is installed), Active directory data store & Sysvol folder (If its a domain controller). Note: You cannot use System state back to backup or restore system state data on a remote windows 2000 computer. System State data can only be restored on the local computer. You cant restore System State data over the network to a remote Windows 2000 computer. You cant pick and choose which parts of System State data will be restored. Archive: Archive attribute is a marker that the operating system automatically assigns to all files and folders when they are first installed or created and that need to be backed up. Types of Backup: Normal: Normal Backup backs up all selected files and folders. Removes the archive attributes for all backed up files and folder. A normal backup is a full complete backup. It is the backbone of you backup plan or strategy. Copy: Copy backup backs up all selected files and folder. Does not remove or otherwise affect the archive attributes. Copy backup is used to create extra backup to store off-site. Incremental: Incremental backup backs up all files and folders that are changed since last normal or incremental backup. Remove the archive attributes for all backed up files and folder. If a normal backup is performed on Sunday and from Monday to Friday incremental backup is performed, then Mondays incremental backup will contain only the changes made to data on Monday, Tuesdays Incremental backup will contain only the changes made to data on Tuesday and so on. Differential: Differential backup backs up all selected files and folders that are changed since last normal backup. Does not remove the archive attributes from any files and folder. If a normal backup is performed on Sunday and from Monday to Friday differential backup is performed, Mondays differential backup will contains the changes made to data on Monday; Tuesdays differential backup will contain all the changes made to data on Monday and Tuesday and so on. Daily: Daily backup backs up all selected files and folders that have changed during the day the backup is performed. It doesnt remove or otherwise affect the archive attribute.

Restoring System State Data on Domain Controllers. Because System State data includes the Active Directory data store on a Windows 2000 domain controller, restoring System State data on a domain controller includes restoring Active Directory. There are two types of restores you can perform of Active Directory: Nonauthoritative restore of Active Directory: This is a full restore of System State data, including Active Directory, on a Windows 2000 domain controller. When this type of restore is performed, Active Directory entries on other domain controllers will replace the restored entries when replication of Active Directory occurs. This type of restore should be performed only when you have one domain controller on your network, or when you are primarily concerned with restoring the other components of System State data, such as the registry and system boot files, and you dont want to overwrite the more recent copy of Active Directory located on other domain controllers on your network. Authoritative restore of Active Directory: This is also full restore of System State data, including Active Directory, on a windows 2000 domain controller. After restore is completed, however an additional step is required. Some or all of the restored Active Directory objects are marked as being authoritative. During this process, the objects attribute version numbers are increased. When this type of restore is performed, the restored Active Directory entries that are marked as authoritative will replace the corresponding Active Directory entries on other domain controllers on your network when replication of Active Directory occurs. You should use this type of restore when the Active Directory data store on your networks domain controllers is damaged or when a portion of Active Directory has been accidentally deleted. Directory service restore mode administrator password is required in order to restore System State data on a domain Controller.

Groups Users and Groups When account policies conflict, the policy with the highest priority is applied. The levels of account policy priority, from greatest to least are: Account Account Account Account policies policies policies policies for for for for an OU the domain the domain controller the local computer.

Groups on Local computer Local Groups Built-in Groups Groups in Active Directory Domain Local Groups Global Groups Universal Groups Built-in Groups on Domain Controllers Built-in Local Groups Built-in Global and Universal Groups Built-in Special Groups

Local group - Has local computer permissions and rights only. Global group - The groups permissions and rights exist in the group's domain and domains that have a trust relationship with the group's domain. Global groups may be given rights and permissions of local groups. Only NT Server can create global groups. Domain Local group - Created on Active Directory controllers and are used manage access to resources in the domain. Universal group - Users from multiple domains that perform similar tasks or share resources across the domains. Any group or user in any domain can be a member of the universal group. The universal group is however, not available in Active Directory mixed mode. Local groups can include global groups. They will not include other local groups. Local groups are created in the User Manager. Created groups may be deleted with the User Manager, but built in system groups may not be deleted. When a domain is joined the domain administrators group is added to the local administrators group and the domain users group is added to the local users group on the computer that joins the domain.

Local Groups created on non domain controllers at installation time Administrators - Used to administer the system. It is a good idea to make a backup administrator user. Power Users - Have some administrative privileges such as ability to share directories and printers. Can manage Power Users, Guests and User groups. Users - Have privileges for daily tasks. All users on the computer are normally in this group. Can manage local groups they create. Guests - Have minimal privileges. Can be renamed. But can't be deleted. Backup Operators - Have privileges for performing system backup.

Replicators - A service account that NT uses to perform the replication function. Allows the server to replicate files to the NT workstation machine.

Non-Domain Controller Special Groups These are special groups that are not on the group menu. These groups also exist on domain controllers. System * - Used to manage accounts that provide system services such as the webserver. Everyone * - All on the local machine, in the domain and trusted domains. Interactive * - A user at the local machine. Network * - Anyone who accesses information on this computer over the network (remotely). It can be used to restrict users from getting to specific resources over the network. Creator/Owner * - The owner of the resource. Creator Group - For Apple users or POSIX application users. Anonymous Logon - Any user that used anonymous logon. Authenticated Users - Any Windows 2000 locally or globally authenticated user. Batch - A program that logged on using the logon as batch job user right. Dialup - A user logged on using a phone line, VPN, or cable connection. Service - A service logged on with a user account. Terminal Server Unit - A user logged on using a terminal.

Local Groups on domain controllers Created during Active Directory installation. Administrators * - Those who administer the domain and the server. It initially contains the DOMAIN ADMINS global group. Account Operators * - This group has privileges to to create and manage local and global users and groups in the domain. This group can also shut down the domain controller. This group is only on domain controllers. Backup Operators * - Those who can save file to tape backup media. This group is on all NT servers. Print Operators * - This local group can control the sharing of printers, along with shutting down the domain controller. Server Operators * - Basically this group can do anything on the NT server. They can format the hard drive, restore or backup files or directories, create and control shared directories, control the sharing of printers, lock/unlock the server, shut down the domain controller locally or remotely, and modify the system time. Replicators * - Used to perform directory replication. This group is on all NT servers. Users * - Those who use the server. Guests * - Includes the Guest account and Domain Guests group. Pre-Windows 2000 Compatible Access - Allows Windows NT 4.0 users to get domain access. The everyone needs to be a member of this group when there are NT computers in the domain. Global and Universal Groups Domain Admins * - It is automatically a member of the administrators local group on all machines that are a member of the domain. These way global administrators may remotely administer any machine in the domain. It initially contains the Administrator user account. Domain Users * - Contains all created domain user accounts. On the domain controller, this group is a member of the users local group. It initially contains all users in the domain except for guests. Domain Guests * - Contains the domain Guest account. Enterprise Admins - It is automatically a member of the administrators local group on all machines that are a member of all domains in the forest.

Schema Admins - This group has rights to modify the schema of the Active Directory database. This group only exists on the highest level domain in the forest. Domain Controllers Domain Computers - Computers that are members of the domain. Cert Publishers - Users that can publish security certificates. Group Policy Admins - Users who can modify group policy settings for objects in the domain.

Group Creation Local group - Open the "Computer Management" dialog box by clicking on "My Computer", and "Manage". Click + next to "Local Users and Groups", highlight "Groups", select "Action", and "New Groups". Global group - The Administrative Tool, "Active Directory Users and Computers" is used to create and manage these groups. Group Accounts Pass through authentication is the process of a local user logon being passed to the domain allowing the user to be logged onto the domain at the same time. The local user name and password must be the same as the domain user name and password. Domain user and group accounts are created and stored on the PDC (Primary Domain Controller) SAM (Security Accounts Manager) database. Two types of groups in a domain are: Local groups - These groups are used to manage local resources. They can exist on workstations, member servers, and domain controllers (PDC and BDC). Global groups - These groups can be used on any computer that is a part of the domain. Domain controllers are the only way to create and modify global groups. Three domain global groups built in to the NT domain: Domain Admins - It is automatically a member of the administrators local group on all machines that are a member of the domain. These way global administrators may remotely administer any machine in the domain. Domain Users - Contains all created domain user accounts. On the domain controller, this group is a member of the users local group. Domain Guests - Contains the domain Guest account. Three local groups on the domain controller: Account Operators - This group has privileges to create and manage local and global users and groups in the domain. This group can also shut down the domain controller. Print Operators - This local group can control the sharing of printers, along with shutting down the domain controller. Server Operators - Basically this group can do anything on the NT server. They can format the hard drive, restore or backup files or directories, create and control shared directories, control the sharing of printers, lock/unlock the server, shut down the domain controller locally or remotely, and modify the system time.

Active Directory Groups There are two types of Active Directory groups, each with a different purpose. These are: Security principal groups: These groups can be assigned permissions. Their scope can be: Domain local Global Universal Distribution groups: Used to group users for applications such as mail.

Kerberos (protocol) Kerberos is a computer network authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner. Kerberos prevents eavesdropping or replay attacks, and ensures the integrity of the data. Its designers aimed primarily at a client-server model, and it provides mutual authentication both the user and the service verify each other's identity. Kerberos operation What follows is a simplified description of the protocol. The following shortcuts will be used: AS = Authentication Server, TGS = Ticket Granting Server, SS = Service Server. In one sentence: the client authenticates itself to AS, then demonstrates to the TGS that it's authorized to receive a ticket for a service (and receives it), then demonstrates to the SS that it has been approved to receive the service. In more detail: 1. A user enters a username and password on the client. 2. The client performs a one way hash on the entered password, and this becomes the secret key of the client. 3. The client sends a clear-text message to the AS requesting services on behalf of the user. Sample Message: "User XYZ would like to request services". Note: Neither the secret key nor the password is sent to the AS. 4. The AS checks to see if the client is in its database. If it is, the AS sends back the following two messages to the client: o Message A: Client/TGS session key encrypted using the secret key of the user. o Message B: Ticket-Granting Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS. 5. Once the client receives messages A and B, it decrypts message A to obtain the client/TGS session key. This session key is used for further communications with TGS. (Note: The client cannot decrypt the Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS. 6. When requesting services, the client sends the following two messages to the TGS: o Message C: Composed of the Ticket-Granting Ticket from message B and the ID of the requested service. o Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the client/TGS session key. 7. Upon receiving messages C and D, the TGS decrypts message D (Authenticator) using the client/TGS session key and sends the following two messages to the client: o Message E: Client-to-server ticket (which includes the client ID, client network address, validity period) encrypted using the service's secret key. o Message F: Client/server session key encrypted with the client/TGS session key. 8. Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the SS. The client connects to the SS and sends the following two messages: o Message G: the client-to-server ticket encrypted using service's secret key. o Message H: a new Authenticator, which includes the client ID, timestamp and is encrypted using client/server session key. 9. The server decrypts the ticket using its own secret key and sends the following message to the client to confirm its true identity and willingness to serve the client: o Message I: the timestamp found in client's recent Authenticator plus 1, encrypted using the client/server session key.

10. The client decrypts the confirmation using its shared key with the server and checks whether the timestamp is correctly updated. If so, then the client can trust the server and can start issuing service requests to the server. 11. The server provides the requested services to the client.

Networking Terminology Ping: Its a Utility to determine whether specific IP address is accessible or not. Ping command sends an ICMP request to obtain ICMP response from a host or a gateway. It is used to troubleshoot network issue. Switch: It is a device that filters and forward data packets between LAN segments based on MAC address. Switch operates on Data link layer. Difference between Switch and Router When a router receives a packet, it looks at the Layer 3 source and destination addresses to determine the path the packet should take. A standard switch relies on the MAC addresses to determine the source and destination of a packet, which is Layer 2 (Data) networking. A switch is a layer 2 device with physical ports. A layer 2 switch communicates using frames on the wire at layer 1.A router is a layer 3 device, which communicates with packets. A packet is encapsulated inside of a frame. A router has interfaces for connection into the network medium. For a router to route over Ethernet, it requires an Ethernet interface. A token ring interface is required for token ring, a frame relay interface for frame relay and so forth.

Definition Layer 3 switch A Layer 3 switch is a high-performance device for network routing. Layer 3 switches actually differ very little from routers. A Layer 3 switch can support the same routing protocols as network routers do. Both inspect incoming packets and make dynamic routing decisions based on the source and destination addresses inside. Both types of boxes share a similar appearance. Layer 3 Switch Layer 3 switches have optimized hardware to pass data as fast as Layer 2 switches, yet they make decisions on how to transmit traffic at Layer 3, just like a router. Within the LAN environment, a Layer 3 switch is usually faster than a router because it is built on switching hardware. Layer 3 switches were conceived as a technology to improve on the performance of routers used in large local area networks (LANs) like corporate intranets. The key difference between Layer 3 switches and routers lies in the hardware technology used to build the unit. The hardware inside a Layer 3 switch merges that of traditional switches and routers, replacing some of a router's software logic with hardware to offer better performance in some situations. Layer 3 switches often cost less than traditional routers. Designed for use within local networks, a Layer 3 switch will typically not possess the WAN ports and wide area network features a traditional router will always have. Router: A router is a computer networking device that forwards data packets across a network towards their destinations, through a process known as routing. Routing occurs at layer 3 (Network Layer). __________________________________________________________________________________

OSI Model: (All People Seem To Need Data Processing) Application Layer: This is the Layer that actually interacts with the Operating system or application whenever the user chooses to transfer files, read message or perform other network related activities. Presentation Layer: Layer 6 takes the data provided by the application layer and converts it into a standard format that the other layers can understand. Session Layer: Layer 5 establishes, maintains and end communication with the receiving device. Transport Layer: This layer maintains Flow Control of data and provides error checking and recovery of data between the devices. Flow control means that the transport layer looks to see if the data is coming from more than one application and integrates each applications data into a single stream for physical network. Network Layer: The way that the data will be sent to the recipient device is determined in this layer. Logical protocols, routing and addressing are handled here. Data Link Layer: In this layer, the appropriate physical protocol is assigned to the data. Also the type of network and the packet sequencing is defined. Physical Layer: This is the level of actual hardware. It defines the physical characteristics of the network such as connections, voltage levels and timing. The OSI reference model is really just a guideline. Actual protocol stacks often combine one or more of the OSI layers into a single layer. __________________________________________________________________________________ Networking TCP/IP: TCP/IP is a suite of protocol that is used on a network to communicate with other computer. TCP/IP is a transport protocol. IP Address: IP address is a 32 bit binary number; it is represented in dotted decimal format. Each 8 bit Octet is represented by whole decimal number. IP address consist of two parts Network ID and Host ID. Subnet Mask: Its a 32 bit binary number, represented in dotted decimal format. A subnet mask specifies which portion of an IP address represents the network ID. A subnet mask allows TCP/IP to determine whether network traffic destined for a given IP address should be transmitted on the local subnet, or whether it should be routed to a remote subnet. NATTING: Natting is a process which enables computers on a private network with Private IP address to communicate with computers on internet that uses registered IP address. __________________________________________________________________________________ Extranet An extranet is a private network that uses Internet technology and the public telecommunication system to securely share part of a business's information or operations with

suppliers, vendors, partners, customers, or other businesses. An extranet can be viewed as part of a company's intranet that is extended to users outside the company. An extranet requires security and privacy. These can include firewall server management, the issuance and use of digital certificates or similar means of user authentication, encryption of messages, and the use of virtual private networks (VPNs) that tunnel through the public network. Companies can use an extranet to: Exchange large volumes of data using Electronic Data Interchange (EDI) Share product catalogs exclusively with wholesalers or those "in the trade" Collaborate with other companies on joint development efforts Jointly develop and use training programs with other companies Provide or access services provided by one company to a group of other companies, such as an online banking application managed by one company on behalf of affiliated banks Share news of common interest exclusively with partner companies Intranet Definition: Intranet is the generic term for a collection of private computer networks within an organization. Intranets are communication tools designed to enable easy information sharing within workgroups. Intranets utilize standard network hardware and software technologies like Ethernet, TCP/IP, Web browsers and Web servers. An organization's intranet often features Internet access but is fire walled so that its computers cannot be reached directly from the outside. A common extension to intranets, called extranets, opens holes in this firewall to provide controlled access to outsiders. Many schools and non-profit groups have deployed intranets, but an intranet is still seen primarily as a corporate productivity tool. Besides email and groupware applications, an intranet generally incorporates internal Web sites, documents, and/or databases to disseminate information. The business value of intranet solutions is generally accepted in larger corporations, but their worth has proven very difficult to quantify in terms of time saved or return on investment. Also Known As: corporate portal, private business network __________________________________________________________________________________ 1) What is encryption? The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text. There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption. 2) What is VPN? Short for virtual private network, a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create

networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted. 3) What is DHCP? DHCP: Dynamic Host Configuration Protocol service provides centralized management of IP address assignment. DHCP server should be assigned Static IP address. DHCP A TCP/IP service protocol that offers dynamic leased configuration of host IP addresses and distributes other configuration parameters to eligible network clients. DHCP provides safe, reliable and simple TCP/IP network configuration, prevent address conflicts and help conserve the use of client IP addresses on the network. DHCP uses a client/server model where the DHCP server maintains centralized management of IP addresses that are used on the network. DHCP supporting clients can then request and obtain lease of an IP address from a DHCP server as part of their network boot process.

Broadcast An address that is destined for all hosts on a particular network segment.

What is DHCP? DHCP (Dynamic Host Configuration Protocol) is a communications protocol that lets network administrators centrally manage and automate the assignment of Internet Protocol (IP) addresses in an organization's network. Using the Internet Protocol, each machine that can connect to the Internet needs a unique IP address, which is assigned when an Internet connection is created for a specific computer. Without DHCP, the IP address must be entered manually at each computer in an organization and a new IP address must be entered each time a computer moves to a new location on the network. DHCP lets a network administrator supervise and distribute IP addresses from a central point and automatically sends a new IP address when a computer is plugged into a different place in the network. DHCP uses the concept of a "lease" or amount of time that a given IP address will be valid for a computer. The lease time can vary depending on how long a user is likely to require the Internet connection at a particular location. It's especially useful in education and other environments where users change frequently. Using very short leases, DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses. The protocol also supports static addresses for computers that need a permanent IP address, such as Web servers. DHCP is an extension of an earlier network IP management protocol, Bootstrap Protocol (BOOTP). DHCP is a more advanced protocol, but both configuration management protocols are commonly used and DHCP can handle BOOTP client requests. Some organizations use both protocols, but understanding how and when to use them in the same organization is important. Some operating systems, including Windows NT/2000, come with DHCP servers. A DHCP or BOOTP client is a program that is located in (and perhaps downloaded to) each computer so that it can be configured.

Operating System The Differences between NT & Windows 2000 are: Windows 2000 uses Kerberos Version 5 Protocol for user logon authentication whereas NT uses NTLM protocol Windows 2000 support Plug & Play whereas NT is not Domain Local, is Group Types in windows 2000, whereas in NT it is Global & local only IE Version is 5.0, in NT it is 4.0 Encrypted File System Support is there in 2000 which is not there in NT. NT supports only Fat16 and NTFS 4.0 version. Whereas 2000 supports FAT 16/32 NTFS5. NT is a Single Master Domain Model, whereas 2000 is a Multi Master Domain model. In NT database name is SAM. IN 2000 it is ADS. Database size in NT is 40MB.Database size in 2000 is 17TB. Supports up to 40,000 objects only in NT, whereas more than 1 million in 2000. NT 4.0 uses single master replication model while Windows 2000 uses Multimaster replication model. NT 4.0 Uses NTLM protocol to authenticate user logon. Do not support Plug & Play Do not support FAT32 and EFS Windows 2000 Uses Kerberos version 5.0 protocol. Its an Internet Standard authentication protocol that provides higher level of security, faster and more efficient. Support Plug and Play Support FAT32 and EFS. FAT32 support up to 2 terabytes. EFS enable you to store files on NTFS partition in an encrypted format, so that even if an unauthorized user removes a hard disk from your computer, that user will be unable to access the sensitive data contained in the encrypted file. Power option enables you to configure energy settings for your computer, especially for Laptops. IE 5.0 is an integral part of Windows 2000 operating system. IE 5.0 also includes Microsoft Outlook Express 5. DC and ADC (Note: DC and ADC maintain Read/Write copy of Active Directory Data store. Reason for ADC is to provide fault tolerance and load balancing for Active Directory Data Store).

Security

Plug and Play New File System

Power Option in Control Panel Internet Explorer 5.0 Domain IE 4.0 is an integral part of Windows NT 4.0 PDC and BDC

Windows 2000 Family Hardware Requirement. Processor Windows Prof Windows Server 2000 2000 P 133 MHz P 133 MHz (Note: Support up RAM 32 MB 64 MB (Notes: Support Recommended RAM 64 MB 128 MB Hard Disk Space 650 MB Free space 950MB. (More disk space is

to 4 processors) Windows Adv Server 2000 P 133 MHz (Note: Support up to 8 processors) P 133 MHz (Note: Support up to 32 processors)

up to 4 GB RAM) 64 MB (Note: Support up to 8 GB RAM) 64 MB (Note: Support up to 64 GB RAM) 128 MB

Windows Data server

2000 centre

128 MB

required if RAM is more than 64 MB). 950MB. (More disk space is required if RAM is more than 64 MB). 950MB. (More disk space is required if RAM is more than 64 MB).

16-bit application A 16 bit application is any software written for MS-DOS or early versions of Microsoft Windows which originally ran on the 16-bit Intel 8088 and Intel 80286 microprocessors. Such applications used a 20-bit segment-offset address representation to extend the range of addressable memory locations beyond what were possible using only 16-bit addresses. ... 32-bit application A 32-bit application is software that runs in a 32-bit flat address space (a flat memory model).In computer architecture, 32-bit is an adjective used to describe integers, memory addresses or other data units that are at most 32 bits (4 octets) wide, or to describe CPU and ALU architectures based on registers, address buses, or data buses of that size NTFS file system A file system that provides performance, security, reliability, and advanced features that are not found in any version of the file allocation table (FAT) file system. For example, NTFS guarantees volume consistency by using standard transaction logging and recovery techniques. If a system fails, NTFS uses its log file and checkpoint information to restore the consistency of the file system. Registry Key HKEY_CLASSES_ROOT: Is a subkey of HKEY_LOCAL_MACHINE\Software. The information stored here ensures that the correct program opens when you open a file by using Windows Explorer. File associations and OLE information HKEY_CURRENT_USER: Contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is referred to as a user's profile. All preferences set for current user HKEY_LOCAL_MACHINE: Contains configuration information particular to the computer (for any user). Settings for hardware, operating system and installed application HKEY_USERS: Contains the root of all user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. All the current user information for each user of the system HKEY_CURRENT_CONFIG: Contains information about the hardware profile used by the local computer at system start-up. Settings for the display and printers HKEY_Dyn_Data: Performance data.

Windows Registry: HKEY_Classes_Root: File associations and OLE information HKEY_Current_User: All preferences set for current user HKEY_User: All the current user information for each user of the system HKEY_Local_Machine: Settings for hardware, operating system and installed application. HKEY_Current_Configuration: Settings for the display and printers HKEY_Dyn_Data: Performance data. Operating System In computing, an operating system (OS) is the system software responsible for the direct control and management of hardware and basic system operations. Additionally, it provides a foundation upon which to run application software such as word processing programs, web browsers and others. Network operating system (NOS): Software that (a) controls a network and its message (e.g. packet) traffic and queues, (b) controls access by multiple users to network resources such as files, and (c) provides for certain administrative functions, including security. A NOS is not the same as the networking tools provided by some existing OS's, Windows XP for instance. An NOS is an OS that has been specifically written to keep networks running at optimal performance. Boot Sequence in Windows NT What is the NT Boot Process? Or what is the Winnt systems boot sequence A. Firstly the files required for NT to boot are Ntldr - This is a hidden, read-only system file that loads the operating system Boot.ini - This is read-only system file, used to build the Boot Loader Operating System Selection menu on Intel x86-based computers Bootsect.dos - This is a hidden file loaded by Ntldr if another operating system is selected. Ntdetect.com - This is a hidden, read-only system file used to examine the hardware available and to build a hardware list. Ntbootdd.sys - This file is only used by systems that boot from a SCSI disk.

The common Boot sequence files are Ntoskrnl.exe - The Windows NT kernel System - This file is a collection of system configuration settings Device drivers - These are files that support various device drivers Hal.dll - Hardware Abstraction Layer software

The boot sequence is as follows 1. 2. 3. 4. 5. 6. Power on self test (POST) routines are run Master Boot Record is loaded into memory, and the program run The Boot Sector from Active Partition is Loaded into Memory Ntldr is loaded and initialized from the boot sector Change the processor from real mode to 32-bit flat memory mode Ntldr starts the appropriate minifile system drivers. Minifile system drivers are built into Ntldr and can read FAT or NTFS 7. Ntldr reads the Boot.ini file 8. Ntldr loads the operating system selected, on of two things happen *If Windows NT is selected, Ntldr runs Ntdetect.com

9. 10. 11. 12.

*for other operating system, Ntldr loads and runs Bootsect.dos and passes control to it. The Windows NT process ends here Ntdetect.com scans the computer hardware and sends the list to Ntldr for inclusion in HKEY_LOCAL_MACHINE\HARDWARE Ntldr then loads Ntoskrnl.exe, Hal.dll and the system hive Ntldr scans the System hive and loads the device drivers configured to start at boot time Ntldr passes control to Ntoskrnl.exe, at which point the boot process ends and the load phases begin

Multiprocessing, Multithreading, and Multitasking Multiprocessing: Refers to the capacity of an operating system to use more than one processor in a single computer simultaneously. Symmetric Multiprocessing: is a type of multiprocessing in which the system and application process can run on any available processor. Thread: A Thread is a smallest unit of processing that can be scheduled by the Operating system Kernel. Multithreading: All application requires at least one thread. When an application has more than one thread, each thread can be executed independently of the others. This is referred to as multithreading. Individual threads within a single application can even be run on different processor in the same computer. Preemptive multitasking: The Operating system allocates processor time between applications. Because the operating system and not the application allocate processor time between multiple applications, one application can be pre-empted by the operating system, and another application allowed to run. When multiple applications are alternately paused and then allocated processor time, they appear to run simultaneously to the user.

Windows Operating System Release

NT Ver. Marketing Name

Editions

Release Date

Build

NT 3.1

Windows NT 3.1

Workstation (named just Windows July 1993 NT), Advanced Server

528

NT 3.5

Windows NT 3.5

Workstation, Server

September 199 4

807

NT 3.51 Windows NT 3.51

Workstation, Server

May 1995

1057

NT 4.0

Windows NT 4.0

Workstation, Server, Server Enterprise Edition, Terminal July 1996 Server, Embedded

1381

NT 5.0

Windows 2000

Professional, Server, Advanced February 2000 Server, Datacenter Server

2195

NT 5.1

Windows XP

Home, Professional, Media Center (2004 & 2005), Tablet PC, Starter, October 2001 Embedded, N

2600

NT 5.2

Windows Server 2003

Standard, Enterprise, Datacenter, Web, Small Business Server, XP Pro March 2003 x64

3790

NT 6.0

Windows Vista

Starter, Home Basic, Home Premium, Professional, Small 2006 (expected Unknow Business, Enterprise, Ultimate (x64 ) n editions will be available too)

NT 6.0+

Longhorn (codename)

Server

Unknown

2007 (expected Unknow ) n

Port Numbers port / service name common UNIX additional remarks

protocol

daemon(s)

ftp (file transfer in.ftpd,wu.ftpd,prof obsolete:insecure, because unencrypted and 20/tcp and protocol) data tpd; launched by difficult to harden service, please use sshd and scp 21/tcp and login control inetd or sftp instead (see below) Secure, because fully encrypted remote login (ssh) and copy (scp and sftp) service, please use exclusively this full substitute instead of the obsolete ftp, telnet, rlogin, rsh, rcp and so on!

22/tcp

ssh (Secure SHell) sshd

23/tcp

telnet (remote login)

in.telnetd, launched obsolete: unencrypted login, use sshd and ssh by inetd instead, see above standard mail protocol since 30 years, only way to communicate world wide with messages without http measures, for your privacy you need to encrypt mails preferably with the free PGP (pretty good privacy) the name service of the Internet, used by http, smtp and all others to resolve symbolic names into the IP layer addresses, name resolution is done via udp, zone transfers between several name servers via tcp the Internet/web service, unencrypted port (see below, 443, for encrypted counterpart) for standard data transfer from web servers to user agents (browsers, robots, download tools) high security special purpose protocol with ticket system and so on

25/tcp

smtp (simple mail sendmail, postfix, transfer protocol) qmail, etc.

53/udp and DNS (domain 53/tcp name system)

bind (Berkeley Internet Name Domain)

80/tcp

http (Hyper Text httpd (= apache, A Transfer Protocol) PAtCHy [web] = www (World sErver) Wide Web) kerberos krshd

88/tcp

110/tcp

pop3 (Post Office popper, launched by post retrieval service of storing mail servers with Protocol version inetd encryption possibilities 3) rpc.statd, (sun)rpc (remote insecure remote calls of special information rpc.rusersd,rpc.wall procedure call) services d nntp (Network News Transfer Protocol) ntp (Network Time Protocol) netbios-ns (NETBIOS Name Service) leafnode the internet news server query service modern world wide time service for synchronisation with nuclear clock driven time standard special name service for a still too widespread proprietary OS and its SMB (Server Message Block) system, needed in union with the following service

111/udp

119/tcp

123/udp

(x)ntpd

137/udp

nmbd

139/tcp

netbios-ssn smbd (Samba (NETBIOS Session daemon) Service Network) imap2 (Internet Message Access Protocol version 2) snmp (Simple Network Management Protocol)

special session service for that proprietary OS and its SMB (Server Message Block) system, works together with immediately above service

143/tcp

imapd (Interactive rather insecure and therefore only locally suitable Mail Access Protocol mail retrieval service, for non-local purposes prefer Daemon), launched pop3 (see above) by inetd base of communication between very different technical units (not only computers), they have to share the network capability and these protocol rules only: CAUTION: very insecure (no limiting of allowed requesting IP addresses possible) the Internet chat service modern mail retrieval service, successor of imap2 (see above), but still pop3 may the better alternative (see above too) network distributed, domain organized directory service, connection part, see also immediately below network distributed, domain organized directory service, listener/contoller part, see also immediately above encrypted (via TLS/SSL) counterpart to above http/80 entry, the only acceptable way, to do online credit card transactions always active to log other hosts informations, because otherwise the daemon won't start network printer queue

161/tcp

snmpd

194/tcp

irc (Internet Relay ircd Chat) imap3 (Interactive Mail Access imapd Protocol version 3) ldap (Lightweight Directory Access ldapd Protocol) ldap (Lightweight slapd (Standalone Directory Access Lightweight Access Protocol) Protocol Daemon https (HyperText Transfer Protocol httpd (= apache) Secure) system log listener print spooler syslogd lpd (Line Printer Daemon)

220/tcp

389/tcp

389/udp

443/tcp

514/udp 515/tcp

554/tcp

rsvpd (Resource rtsp (Real Time reSerVations Stream Protocol) Protocol Daemon) cupsd --- CUPS ipp (Internet (Common Unix Printing Protocol) Printing System) Daemon flexlm (FLEXible lmgrd (License License Manager) ManaGeR Daemon)

used by Real Media for video and audio streaming

631/tcp

unencrypted port for (local) printer access via browser and CUPS client

744/udp

network bound license evaluation system

901/tcp

swat (Samba Web swat, launched by Administration inetd Tool)

browser/web bound Samba administration (see above, 137/nmbd and 139/smbd), use with care: it's not encrypted without additional measures

993/tcp

imaps (Interactive Mail Access imapd, launched by TLS/SSL encrypted mail retrieval system (see also Protocol Secure inetd imap above) version 4) ircs (Internet Relay Chat Secure) ircd the Internet chat system TLS/SSL encrypted, see also irc above

994/tcp

995/tcp

pop3s (Post Office popper, launched by TLS/SSL encrypted mail retrieval system (see also Protocol Secure inetd pop3 above) version 3) nfsd, rpc.nfsd, NFS (Network File needs (sun)rpc and System by Sun) portmap too rpc.mountd needs NFS (Network File (sun)rpc and System by Sun) portmap too network sharing of filesystems, only suitable for local networks network sharing of filesystems, only suitable for local networks

2049/tcp

2049/udp

2401/tcp

RCS (revision control system) based network version cvspserver control, suitable even for Internet cooperation, but cvs, launched by (Concurrent than usage via ssh (see above) is recommended, inetd (alternatively Version System because this pserver protocol does only a not really by sshd, see above) Password server) secure scrambling of passwords (only suitable for anonymous checkout otherwise) standard GUI base server of the X/Open Group, the ports above 6000 up to 6063 are addressed via X (X window system display (variable: upper case) setting to 1, 2 and so server) on, instead of 0, for the ports 6001, 6002 and so on instead of 6000 (display number part 1 = port offset) see http above: usually privately=non-public used http port

6000/tcp (-x11 6063/tcp)

8080/tcp

http-alt httpd (= apache) (alternative http)

Active Directory Active Directory (codename Cascade) is an implementation of LDAP directory services by Microsoft for use in Windows environments. Active Directory allows administrators to assign enterprise wide policies, deploy programs to many computers, and apply critical updates to an entire organization. An Active Directory stores information and settings relating to an organization in a central, organized, accessible database. Active Directory networks can vary from a small installation with a few hundred objects, to a large installation with millions of objects. NOTE: LDAP - In computer networking, the Lightweight Directory Access Protocol, or LDAP, is a standardized networking protocol designed for querying and modifying directory services. The AD database, the directory store, in Windows 2000 uses the JET Blue-based Extensible Storage Engine (ESE98), limited to 16 terabytes and 1 billion objects in each domain controller's database (a theoretical limit, only 100 million or so have been tested. NT4's Security Account Manager could support no more that 40,000 objects). Called NTDS.DIT, it has two main tables: the data table and the link table. In Windows 2003 a third main table was added for security descriptor single instancing. The Extensible Storage Engine (ESE), formerly known as JET Blue, is a multi-user database from Microsoft that supports full Data Manipulation Language (DML) and Data Definition Language (DDL). ESE is optimized for fast retrieval of data. The underlying ESE database is stored in two files, one with extension .edb and the other with extension .stm. The data is these files are stored in the ESE file format. ESE also defines a low level API to the underlying database structures. The ESE API is used by Microsoft Exchange Server and other database such as Active Directory (Ntds.dit). Exchange 2000/2003 and Active Directory uses a version of ESE called ESE98, while Exchange 5.5 uses an older version called ESE97. Windows 2000 Server has the following services and functionality built-in: Routing and Remote Access Service (RRAS) support Virtual Private Network (VPN) support DNS, including Dynamic DNS. The DNS service is necessary to be able to run Active Directory Internet Connection Sharing (ICS) Microsoft Connection Manager Administration Kit and Connection Point Services DFS support Hierarchical Storage Management support, a service that runs in conjunction with NTFS that automatically transfers files that are not used for some period of time to less expensive storage media Fault tolerant volumes, namely it supports Mirrored and RAID-5 Group policy (part of Active Directory)

IntelliMirror support Kerberos authentication Public Key Infrastructure (PKI) support Terminal Services and support for the Remote Desktop Protocol (RDP) Internet Information Server (IIS) 5

Troubleshooting Active Directory Performance Replication: Replication refers to the process of copying information and information updates from Active Directory data store on one domain controller to other domain controllers. The purpose of replication is to synchronize Active Directory data among the domain controllers in the domain and forest. Replication of Active directory is usually partial, meaning that only changes, and not a complete copy of the Active Directory data store, are copied. Typically the only time a complete replication is performed is when you install a new domain controller on the network. Widows 2000 automatically performs replication in windows 2000 domain or forests that are fully contained within a single site. Windows 2000 Active Directory uses a multimaster replication mode, means changes can be made on any domain controller and are replicated to all other domain controller. No one domain controller controls changes made to Active Directory or Active directory replication. Windows NT 4.0 uses single master model in which all changes to the object are controlled by the Primary Domain Controller. Active Directory uses update sequence number (USN), along with stamps, to track changes made to objects stored in Active directory data store. When an object (or any of its attributes) is changed, Active Directory increases the objects USN, and assigns the object a unique stamp that contains a version number, a timestamp, and the GUID of the domain controller on which the change was made. Because each Active Directory object exists on all domain controllers in the domain, during replication, Active Directory compare the USNs and stamps of each object being replicated to determine which version of the object is the most current. Active directory replicates only the most current version of each object, and only replicates objects that have changed since the last time replication occurred.

Active directory replication partitions are: Schema partition: This partition contains the rules that define how objects are created within a forest. The schema partition is replicated to all domain controllers in the forest. Configuration partition: This partition contains information about the logical structure of Active Directory for the entire forest, including structure and use of domains, trees, sites and trust relationships within the forest. The configuration partition is replicated all domain controllers in the forest. Domain partition: This partition contains complete, detailed information about every object in the domain. The domain partition is replicated only to the domain controllers within this domain.

Intrasite Replication: Intrasite Replication is Active Directory replication that takes place within a single site. A site consists of one or more TCP/IP subnets, which are specified by an administrator and are connected by high-speed, reliable links. Sites do not necessarily correspond to domains: you can have two or more sites within a single domain, or you can have multiple domains in a single site. A site is solely a grouping based on IP addresses. Windows 2000, by default, automatically performs intrasite replication. Windows 2000 automatically configures and performs intrasite replications. Because intrasite replication takes place between domain controllers within the same site, and all of the TCP/IP subnets in a site are connected by high-speed links, intrasite replication is fast. Windows 2000 uses RPC (Remote Procedure Call (RPC) over IP protocol for intrasite replication. All intrasite replication is sent in an uncompressed format. Windows 2000 automatically determines which domain controllers in a site will replicate with other domain controllers in the site. The windows 2000 server service that makes this determination is called the Knowledge Consistency Checker (KCC). The KCC, which runs on all Windows 2000 domain controllers, builds a list of connections between domain controllers within a site, and these connections dictate the path that replication, takes between domain controllers. The list of connections that the KCC generates is called the replication topology. By design, the KCC builds the replication topology to ensure that: -Changes made to any object on any domain controller will be replicated to every domain controller in the site. -In addition, Active Directory updates will pass through no more than three connections between the domain controller on which the change is made and any other domain controller in the site. Intrasite replication by default takes place once every hour if no changes are made. If a change is made to an Active directory object, the domain controller on which the change is made initiates intrasite replication with all of its connection partners within five minutes after the changes is made. In addition, domain controllers that receive replication updates from other domain controllers also initiate intrasite replication within five minutes after receiving such update. Because updates are replicated across no more than three connections (hops), this means that any changes made to an object is replicated to all domain controllers in the site within 15 minutes.

Intersite Replication: Intersite replication is Active Directory replication that takes place between sites. Unlike intrasite replication, intersite replication is not automatically configured and performed by windows 2000. An administrator must manually create and configures sites and other Active Directory components before intersite replication will occur. Intersite replication takes place between domain controllers in different sites that are typically separated by WAN links, intersite replication is normally slower than intrasite replication, and often should be scheduled by the administrator so that use of network bandwidth for replication is minimized during the networks peak activity hours. All intersite replication is sent in a compressed format to save network bandwidth.

Two different Windows 2000 protocols can be used for intersite replication: RPC over IP and SMTP. RPC over IP is the preferred protocol and requires the use of fully routed TCP/IP connections between sites. RPC over IP is faster than SMTP. SMTP is not recommended because it can only be used to replicate the schema and configuration partitions. It doesnt replicate domain partition.

Active Directory components that affect replication are Sites, Subnets, Site links and Site link bridges. Site Link A site link is an object in Active Directory that specifies a list of two or more sites that are connected to each other, the cost associated with the site link, and a replication schedule. The KCC uses site link information to determine the path over which replication between sites will occur. Site links can be configured to use either IP or SMTP for intersite replication. Site Link Bridges A site link bridge is an Active Directory object that groups two or more site links in order to create a virtual site link between all of the sites specified by the grouped site links. The purpose of site Link Bridge is to enable replication between sites that use site links but that are not directly associated with each other via site links Bridgehead server Once the server is moved to new sites, you may want to specify a particular domain controller in each site that will be used for intersite replication. This domain controller is called the bridgehead server. The KCC automatically chooses a bridgehead server for each site, but you can manually override the KCCs choice.

Functions of Global Catalog: A global catalog server performs two important functions: -It provides group membership information during logon and authentication, -It helps user to locate resources in Active Directory.

FSMO Microsoft implemented Active directory, it discovered that a purely multimaster design just wasnt going to work for Windows 2000. Although most domain controller-related tasks can be performed by any domain controller, a few critical tasks had to be limited to one domain controller in a domain, or to one domain controller in a forest. The result a largely multimaster design, with some restricted single master operations. These operations are called flexible single master operations (FSMO).

Two primary tools used to monitor the performance of Active directory objects: System Monitor Active Directory Replication Monitor.

Windows 2003 Forest Functional Level Features: Here are some enhancements you get under the hood with Windows 2003 forest functional level: Linked Value Replication (LVR) improvement: Under Win2K when a second change is initiated before the replication function completed the first change; you could only guess which change would win in AD. Now those changes merge successfully. Global Catalog indexing improvement: Under Win2K, when a new object is added, GC would essentially dump its index and start re-indexing, which could cause massive network traffic among the DCS. Global Catalog servers now retain their indexes when a new attribute is added; the index adds only the change. Intersite Topology Generator (ISTG) improvements: Under Win2K, you faced a practical limit of 200 and 250 AD sites. Now, you can have literally thousands of AD sites without the system even breaking a sweat. Domain rename feature: Cross-Forest Trust: Defunct Schema Object:

Using Adprep is to upgrade schema to Windows 2003 levels and give it a new version number. Run Adprep /forestprep one time on the schema master of the root domain of the Win2K forest. Run Adprep /domainprep one time for each domain on the infrastructure master of each domain. DNS New tool for testing Windows 2003 DNS from Microsoft (DNSLint) It helps to diagnose common AD-related DNS errors. DNSLint /ad switch. Generates HTML report about the state of DNS affairs. Conditional Forwarding Stub-zones

File System FAT File Allocation table (FAT) file system is used by windows 2000 in a modified version of the FAT file system used by MS-DOS. FAT file system does not support files and folder security in Windows 2000. Any User logged on locally to a computer has full control of all the files and folders located in the FAT volume on that computer. You can use share permission to control users access to shared folder over the network. Share permission affects only the access of files and folders over the network, not when someone is logged n locally. Filename can be upto 255 characters in length. Speed of Access to FAT volume depends on volume size, number of files in a folder and fragmentation. Windows 2000 access files in FAT volume smaller than 512 MB faster than it accesses the file in similar sized FAT32 and NTFS volume. The Maximum size of FAT volume on all operating systems except windows 2000 and Windows NT is 2GB. Both Windows 2000 and Windows NT support FAT volume upto 4GB. This is possible because Windows NT support a larger cluster size (up to 64K) than do other operating system. FAT file system do not support file compression. FAT32 FAT32 file system used in windows 2000 is the same as the FAT32 file system that was released with Windows 95 OSR2 and windows 98. FAT32 is supported only in windows 2000. FAT32 do not support file and folder security in Windows 2000, so user who logged on locally has full control to all files and folders located in FAT32 volumes on that computer. You can use share permission to control users access to shared folder over the network. Share permission affects only the access of files and folders over the network, not when someone is logged n locally Filename can be upto 255 characters in length. Windows 2000 accesses files in FAT32 volumes larger than 512MB faster than it access files in similar-sized FAT volumes, but slower than it access files in similar-sized NTFS volumes Maximum Volume size of FAT32 is 2 TB, but using the disk management utilities contained in Windows 2000 only enables you to create and format a FAT32 volume upto 32GB only. FAT32 do not support file compression NTFS Windows NT file system (NTFS) is the most powerful file system supported by windows 2000 and Windows NT. To dual boot between Windows NT and Windows 2000 you must have Windows NT SP4 or later. NTFS provides files and folder level security for both local and remote users on a network. NTFS security controls access to files on an NTFS volume by utilizing the users security identifier (SID) to determine which files that user can access. Each file and folder on an NTFS volume has an access control list (ACL) associated with it. ACL is a list that contains user ad group SIDs, with the associated privileges of each user and group.

Filename can be upto 255 characters in length. NTFS provides faster access than the FAT or FAT32 file systems to files stored on a large volume that contains many files. NTFS uses an enhanced binary tree to locate files. A binary tree search is a faster mechanism for searching through a large number of filenames than the sequential read mechanism used on FAT and FAT32 volumes. The maximum theoretical size of an NTFS volume is 16 exabytes (an Exabyte is one billion billion bytes or a giga-gigabyte). Actual implementation on current industry standard hardware, functional limitation is 2TB. NTFS support file compression, EFS and disk quotas are support only in Widows 2000. CDFS CD-ROM UDF DVD HPFS HPFS is not supported in Windows 2000. Windows NT support.

Disk Type Basic Disks: In windows 2000 basic terms refers to the hard disks that use industry standard partitioning and formatting, and contain primary and or extended partition. A Basic disk can contain a maximum of four partitions, it can contain up to four primary partitions, but only one extended partition. Only windows 2000 can read dynamic disks. Dynamic Disks: In windows 2000 dynamic disc refers to hard disks that contain Windows 2000 dynamic volumes which are not in industry standard format. Dynamic volumes do not use primary partition, extended partition or logical drives. These dynamic volumes are manually created by using Disk Management. Dynamic disk can support unlimited number of volumes, versus the four partition maximum of basic disks. Windows 2000 do not support dynamic disks on laptop computers but you can create and configure on some of them. Partition Type Primary Partition: A primary partition is a partition on a basic disk that can be configured as the active partition. The active partition is the partition that contains the files necessary to load the operating system. When the computer boots, it attempts to load the operating system from the active primary partitions on the first hard disk in the computer. Active partition can be designated to any primary partition on the first hard disk. In windows 2000 terminology the active partition is also called system partition. Extended partition: An extended partition is a partition on a basic disk that can be subdivided into one or more logical drives. A Logical drive is a volume that is created from some or all of the space in an extended partition, and that is assigned a drive letter.

Volume Type Simple Volumes: A simple volume is volume that consists of formatted disk space on a single hard disk. You can create simple volumes only on dynamic disks. A simple volume can be formatted with FAT, FAT32, or NTFS. Provides no fault tolerance, no speed gain or loss Supports on all windows 2000 operating system. Spanned volumes: Spanned volume consists of formatted disk space on more than one hard disk that is treated as a single volume. Spanned volume can be created only on dynamic disk. The areas of disk space that make up spanned volume do not need to be of identical size. A spanned volume can be formatted with FAT, FAT32 or NTFS. Spanned volume do not perform fault tolerance, no speed gain or loss Striped volumes: A striped volume consists of identical-size areas of formatted disk space locate on two or more dynamic disks. In striped volume data is stored, a block at a time evenly and sequentially among all of the disks in the striped volume. A striped volume is accessed by using a single drive letter. Striped volumes are created in dynamic disks. A striped volume can be formatted with FAT, FAT32 or NTFS. Provides no fault tolerance. Striped volume provides faster disk access than any other windows 2000 volume type, because they stores a single files across multiple disks and can be read simultaneously. A striped volume is also known as RAID level 0 (Redundant Array of Inexpensive Disks). Supported by all windows 2000 operating system. Mirrored volumes: A mirror volume consists of a simple volume that is exactly duplicated, in its entirety, onto a second dynamic disk. Mirrored volume is accessed by using single drive. Can be formatted with FAT, FAT32 or NTFS. Mirrored volumes are created on dynamic disc. Provided highest level of fault tolerance Mirrored volumes are also known as RAID level 1. RAID-5 volumes: A RAID-5 volume consists of identical sized areas of formatted disks space located on three or more dynamic disks. In RAID-5 volume, data is stored a block at a time, evenly and sequentially among all the disks. In addition to data, parity information is also written across all of the disks in the RAID-5 volume. This parity information enables RAID-5 volume to provide the fault tolerance that striped volumes cannot. RAID-5 is accessed by using single drive letter. RAID-5 volumes can be formatted with FAT, FAT32 or NTFS. Read performance is same as striped volume, but write performance is little slower because of the processor time required to generate parity information. RAID-5 is support only on windows 2000 server and windows 2000 advance server.

Windows 2000 Workgroup: Work group is a logical grouping of Networked computers, in which one or more of the computers has one or more shared resources, such as shared folder or shared printer. Domain: Domain is a logical grouping of Networked computers, in which all of the computer share common active directory data store that contains user account security information.

Active directory Active directory is a directory service used in Windows 2000. Active directory consist of two parts, a Centralized hierarchical database that contain information of users and resources on a network and a service that manage the database and enables user of computers on the network to access the database. In Windows 2000 the database is called Active Directory data store. Active Directory data stores contain information about various types of network object including printers, share folders, user accounts, groups and computers. Windows 2000 server computer that have a copy of Active Directory data store and that run active directory are called domain controllers. In Windows 2000 domain, a read/write copy of Active directory data store is physically located on each domain controller in the domain. Purpose of Active Directory To provide user logon and authentication. To enable Administrators to organize and manage user accounts, groups and network resources. To enable authorized users to easily locate network resources, regardless of where they are located on the network. Active Directory Structure Logical Component: Domain, Tree, Forest, Organizational Unit & Global Catalog. Physical Component: Domain Controller and Sites.

Object: An Object is a record in the directory that is defined by distinct set of attributes. Class: A Class is simply a template that is used to define the attributes of an object when it is created. (E.g. Computer, Contact, Group, Organizational Unit, domain, Printer, User and shared folder). Schema: Schema is a set of rules of classes of Object and their attributes that are stored in Active directory. Global Catalog: Global Catalog is a master searchable index that contains information of every object in every domain in a forest. Organizational Unit: Organizational Unit is a type of Active Directory object, and are sometime called container objects. They contain object and other organizational from their own domain. Trees: In Active directory terminology, a domain tree is a hierarchical grouping of one or more domains that must have a single root domain and may have one or more child domains. Forest: A group of one or more domain trees, linked by transitive trust that shares a common schema and Global Catalog.

Difference between Domain Controller and Additional Domain Controller

DC holds FSMO roles and Global Catalog. ADC does not hold any FSMO roles and neither any service. ADC is used for redundancy.

FSMO Role Schema Master Schema Master Is the Only domain controller that can make changes to schema There is only one Schema Master throughout the forest. Domain Naming Master Domain naming master is the only domain controller that can add or remove domain to or from forest. The task is isolated to ensure that when a domain is created, its name is unique within the forest. When any new domain is added within the forest it contact the Domain Naming Master to verify that the name doesnt exist and it adds the new domain in the forest. There is only one Domain Naming master within the forest. PDC Emulator PDC emulator performs two different roles depending on how active directory is configured. IF PDC emulator is configured to interact with Windows NT BDC or with computer that do not have Active Directory Client software installed, Active directory is said to be operating in mixed mode. When Active directory operates in mixed mode, the PDC emulator acts like Windows NT PDC. In this situation PDC emulator synchronize the data with Windows NT BDC. Any computers that do not have Directory service Client Software installed and that wants to make user accounts changes, that computer must contact the PDC emulator to make the desired changes. When Active Directory is configured to interact only with Windows 2000 domain controller or with computers that have Directory service client software installed, Active directory is said to be operating in Native mode. When Active directory operates in Native mode it receives password changes more quickly than other domain controller in the domain. Due to this preferential treatment PDC emulator is said to have the most current version of users password. Therefore if other domain controllers fail to authenticate the user due to incorrect password, it will forward the users authentication request to PDC emulator, and then convey the PDC emulator to either accept or deny to the user. There can be only one PDC emulator in each domain in a forest.

Relative ID Master When a security principal object is created such as user, group and computers, Active Directory assigns each object and SID (Security Identifier). An SID consists of two parts, Domain SID and Relative ID. Domain SID identifies the domain in which the object is created and is same for all the object created in that domain. Relative ID identifies the object in the domain and is unique for each object in the domain. Relative ID Master is the domain controller in the domain which assigns a range of Relative ID master to each domain controller in the domain to create SID. Because of this assignment the potential of issuing duplicate SID to newly created Security principal object is eliminated. There is only one Relative Master for each domain in a forest. Infrastructure Master Infrastructure Master is the domain controller in the domain that updates group membership information when a group member (user from other domains) is renamed or moved. There is only one Infrastructure Master for each domain in a forest.

Sysvol Folder The sysvol folder stores the server's copy of the domains public files. The content of the Sysvol folder are replicated to all domain controllers in the domain. The sysvol folder must be located on an NTFS 5.0 volume. Path C:\winnt\sysvol Sysvol is typically used to house scripts and group policies, which are stored on each DC on an NT file system (NTFS) partition and replicated to all Dc in the same domain using FRS replication mechanism.

Trust Relationship A trust relationship, or trust, is an agreement between two domains that enables users in one domain to be authenticated by a domain controller in another domain and therefore to access shared resources in the other domain. Trusting Domain: Trusting domain is the domain that has resources to share with user accounts in the trusted domain. Trusted Domain: Trusted domain is the domain that contains the user accounts that wants to access the shared resources in the trusting domain. The trusted domain is trusted by trusting domain.

DNS with Active Directory Active Directory uses the same hierarchical naming convention as DNS. Because of this, the client computer uses DNS servers to locate Active Directory domain controllers and other Active Directory resources on the network. Without DNS, Active Directory couldnt function, because client computers wouldnt be able to locate these domain controllers and resources. Bottom line is, Active Directory is dependent on DNS. Active Directory cant be implemented until the DNS server service is installed.

Types of Trust in Windows 2000 Intransitive Trust: An intransitive trust is a trust relationship between two domains that does not extend beyond these two domains to other domains. An intransitive trust is a one-way trust relationship. Transitive Trust: Transitive Trust is a trust relationship between two windows 2000 domains in the same domain tree (or forest) that can extend beyond these two domains or other trusted domains within the same domain tree or forest. A transitive trust is always a two way trust, meaning that both of the domains trust each other. By default all Windows 2000 trusts within a domain tree (or forest) are transitive trusts. Explicit Trust: An Explicit trust is a trust that an administrator creates, versus a trust that is automatically created by Windows 2000. An explicit trust can be either transitive or intransitive. Explicit trusts are sometimes used when you need to manage trusts between a Windows 2000 domain and a Windows NT domain. Explicit trusts are also used in large, multidomain forests to shorten the path between two domains and to shorten the time required for authentication and logon.

Objects in Active Directory are referenced by using one of three Active Directory name types: Relative Distinguish name (RDN) RDN name is a name that is assigned to the object by the administrator when the object is created. For E.g. AllanC. RDN name only identifies the object; it doesnt identify the objects location within Active Directory. Distinguish name (DN) DN consists of RDN, plus the objects location in the Active Directory. An objects DN include its RDN, the name of the organizational units that contain the object (if any), and the FQDN of the domain. E.g. AlllanC@US.Exportsinc.com. User principal name (UPN) A UPN is a shortened version of DN that is typically used for logon and email purpose. A UPN consists of the RDN plus the FQDN of the domain. E.g. AllanC@Exportsinc.com.

Replication: The term replication, as applied to Active Directory, refers to the process of copying information and information updates from the Active Directory data store on one

domain controller to other domain controllers. The purpose of replication is to synchronize Active Directory data among the domain controllers in the domain and forest. Types of Active Directory information get replicated The Schema: The schema is replicated to all domain controllers in the forest. Configuration data: This data which includes high-level forest, tree, domain structure, trust and configuration information is replicated to all domain controllers in the forest. Domain data: Detailed information about every object in the domain is replicated only to the domain controllers within this domain.

Sites: A site consists of one or more TCP/IP subnets, which are specified by an administrator. If a site contains more than one subnet, the subnets should be connected by high-speed, reliable links. Sites do not correspond to domains. You can have two or more sites within a single domain, or you can have multiple domains in a single site. A site is solely a grouping based on IP address.

Group Policy Object A collection of Group Policy settings. Group Policy objects are essentially the documents created by the Group Policy snap-in, a Windows utility. Group Policy objects are stored at domain level, and they affect users and computers contained in the sites, domains and Organizational units. In addition, each windows computer has exactly one group of settings stored locally, called the local Group Policy Object.

DNS DNS: DNS is a distributed database with a hierarchical structure that can serve as a foundation for host name resolution in a TCP/IP network.

DNS with Active Directory Active Directory uses the same hierarchical naming convention as DNS. Because of this, the client computer uses DNS servers to locate Active Directory domain controllers and other Active Directory resources on the network. Without DNS, Active Directory couldnt function, because client computers wouldnt be able to locate these domain controllers and resources. Bottom line is, Active Directory is dependent on DNS. Active Directory cant be implemented until the DNS server service is installed.

Zone A zone is a storage database for either a DNS domain or for a DNS domain and one or more of its subdomains. This storage database is often implemented as a special text file, called a zone file. Forward Lookup Zone is a zone that contains the host name to IP address mappings and information about available services for either a DNS domain or a DNS domain and one or more of its subdomain. A DNS server uses forward lookup zone when a client computer knows the host name, but doesnt know the associated IP address. Reverse lookup Zone is a zone that contains IP address to host name mappings information. A DNS server uses reverse lookup zone when a client computer knows the IP address, but doesnt know the associated host name. Types of DNS Server Standard primary Primary sever stores DNS entries (IP to host name and other DNS resource records) in a zone file that is maintained on this server. Primary server maintains the master copy of zone file. Because of this when any changes is made to the zone, they should be made only on standard primary server. There can only be one standard primary server for a zone. Active Directory integrated Primary This type of DNS is just like a standard primary server, except that it stores DNS entries in Active directory-integrated (Primary) DNS server for a zone. When any changes need to be made to the zone, they can be made on any active directoryintegrated (primary) DNS server that contains the zone. Standard Secondary Secondary DNS server stores copies of zones that it obtains from Standard Primary or Active directory integrated primary, or another standard secondary DNS server. The process of copying a zone to a standard secondary DNS server is called a zone transfer/replication. There can be multiple secondary DNS servers for a zone.

Master Master DNS server provides a copy of zone to a standard secondary DNS server. The Secondary DNS server receiving the copy of the zone is sometimes called the slave in this relationship. The type of DNS servers that can function as masters are standard primary, Active directoryintegrated primary and standard secondary. Caching-only This type of DNS server does not store any zones whatsoever. It resolves host name to IP addresses for client computers, and stores the resulting mapping information in its cache. If client computer requests resolution for a host name that exists in the cache, the DNS server provides the cached information to the client computer without contacting other DNS servers to resolve the query. Mapping information remains in the cache for a specified amount of time called TTL and then is flushed from the cache. Forwarder This type of DNS server is designated to perform host name resolution for other DNS servers on a companys internal network when the host name to be resolved resides in an external DNS domain. The forwarder resolves the host name resolution request, caches the results, and returns the mapping information to the internal DNS server that requested it. Forwarder role is played by the same computer that functions as companys firewall. The two primary advantages of this arrangement are. -DNS executes numerous queries required to perform host name resolution. These queries are external rather than internal, thus reducing internal traffic. In addition, the forwarder maintains a cache of all externally resolved names, thus eliminating repeated queries for the same information. -Because the forwarder is often configured as caching-only DNS server, the companys internal zone information is protected from hackers on the internet. Root Server Root Server maintains a copy of Zone for the root domain, either the root domain for the internet, or the root domain for a companys private, internal network. The purpose of root server is to enable other DNS servers on a network to access second level domains on the internet, or to access second level domains on the internal network.

Types of DNS Zone Forward lookup zone Forward Lookup Zone is a zone that contains the host name to IP address mappings and information about available services for either a DNS domain or a DNS domain and one or more of its subdomain. Reverse lookup zone Reverse lookup Zone is a zone that contains IP address to host name mappings information. A DNS server uses reverse lookup zone when a client computer knows the IP address, but doesnt know the associated host name. Standard primary zone This type of zone can be either a forward lookup zone or reverse lookup zone. In either case, the standard primary zone is the master copy of that zone. All other copies of the standard primary zone are standard secondary zone.

Active Directory-integrated zone This type of zone can be either a forward lookup zone or reverse lookup zone. In either case, the Active Directory-integrated zone is the master copy of that zone. However because Active Directory supports multiple master replication, there can be more than one instance of the Active Directory-integrated zone on different DNS servers. In addition, copies of Active Directory-integrated zone can be created as standard secondary zones. Standard secondary zone This type of zone is a copy of either a standard primary zone or an Active Directory-integrated zone. Standard secondary zones must be created on different DNS servers than the DNS server that contains the master copy of the zone. The purpose of standard secondary zones is to provide load balancing and fault tolerance for the zone. Resource record A Standard host name resource record. Contains host name to IP address mapping. CNAME Alias resource record. Used to map an additional host name (that is, an alias) to the actual name of the host. MX Mail exchanger resource record. Used to map a DNS domain name to the host name of the mail server for that domain. PTR Pointer resource record. Used to map IP addresses to their associated host names. These records are only used in reverse lookup zones. SRV Service locator (SRV) resource record. Used to map a specific service (or TCP/IP port number) to a list of servers that provide that service. SOA

DNS troubleshooting tools Monitoring tab Nslookup.exe Windows 2000 help DNS Event log

Organizational Unit (OU) is a type of Active Directory object. OUs which are sometimes called container objects, are specially designed to contain objects and other organization units from their own domain.

Windows 2003 Family Windows 2003 Standard Edition Four way symmetric Multiprocessing Eliminate swap files if you have enough memory Supports two-node NLB. Win2K didnt support NLB. 4 Processor and 4 GB RAM Wont be available in 64-Bit edition. Minimum requirement (P II 133 MHz, 128 MB RAM, 1.5 GB disk). Real world requirement (P 4 2 GHz, 256MB 1 GB RAM, 9 GB + Storage for data) Windows 2003 Enterprise Edition Cant upgrade from Windows 2003 Standard to Enterprise. Clustering has increased to 8 nodes from 4 nodes in Win2K Adv Server and Win2k Data center Server. NLB increased to 8 nodes from 4 nodes in Win2K Adv Server. 8 Processor and 32 GB RAM Terminal Services offer a new load-balancing feature in the Terminal Services Session Directory. The feature provides a front-end NLB that lets clients easily find an available Terminal Server in a Terminal Server farm. Microsoft will support the Microsoft Metadirectory Services (MMS) add-on, a centralized service meant to bridge the gap between disparate directories such as AD and iPlanet. Hot-add memory, lets you add memory to a server while its running and allocate that memory to the rest of the server. Non-Uniform Memory Access (NUMA) is a hardware specific feature that returns lowlevel information from the hardware to NUMA-compliant applications. This returned data can fine-tune NUMA-aware applications in real time based on the systems total stress level. Windows 2003, 64-Bit Enterprise Edition support 8 processor and 64 GB RAM maximum. Minimum requirement (P II, 133 MHz, 128 MB RAM, 2.0 GB disk) Real world requirement (P 4 2 GHz, 256MB 1 GB RAM, 9 GB + Storage for data). Enterprise 64-Bit (Itanium 1 733 MHz, 128 MB RAM, 2.0 GB disk) Real world requirement for Enterprise 64-Bit (Itanium 1 or Itanium 2, 733 MHz, 256 MB - 1 GB RAM, 9GB + Storage for data. Windows 2003 Datacenter Server Edition Windows 2003 datacenter edition is available only from OEM It supports up to 32 processor and up to 64 GB of RAM. Clustering capabilities equals that of Windows 2003 Enterprise Edition (eight nodes). Data center edition supports hyperthreading. Hyperthreading lets certain Intel processors and make it appear and work as if it were really two physical processors. On some single processor hyperthreading systems, Windows appears to be using two processors. Windows 2003 64-Bit edition supports 8 64 processor and 512 GB RAM maximum. Windows 2003 Small business Server Edition (not yet released). Windows 2003 Web Edition Windows 2003 Web edition can only be purchased from web edition partner (HP, Dell, IBM, NEC & Unisys). Cant be a DC, but it can be a domain member Support up to 2 GB RAM and 2 Processors

Do not support Clustering, NLB, Windows Media Services, Remote Installation Service (RIS), 64-bit Itanium family processors, Hot-Add memory, NUMA and ICF. Its single purpose is to server Web pages. Wont be available in 64-Bit edition. Minimum requirement (P II 133 MHz, 128 MB RAM, 1.5 GB disk)

New Features Internet Information services (IIS) 6.0 Offers improved architecture and improved speed. Microsoft has moved HTTP processor from user mode to kernel mode, a move that makes IIS dramatically faster. Using the Remote Administration Mode, you can administer your web server from any Web browser anywhere in the World. IIS 6.0 is not installed by default. Remote access includes new feature The Network Access Quarantine Control feature that lets you Quarantine users. If the client systems dont run software that you specify, such as a service pack or a virus scanner, those clients systems are quarantined and cant access your network. Remote desktop for administration (Terminal services in Remote Administration mode). Win2K has two modes for Terminal services Full Terminal Services mode (Application server mode) Terminal Services Administrator Mode. After loading terminal services mode, Win2K requires a reboot. In Windows 2003 it by default loads the necessary files for the equivalent of Terminal Services Administrator Mode. To finish enabling Terminal Services Administrator Mode, you need only select the Remote Desktop checkbox on the Remote tab of the servers System properties. Shutdown Event Tracking Microsoft included a small reporting window into which administrators can type precisely why they choose to shut down a server. The EventcombMT tool from the Windows Server 2003 Resource Kit can parse the logs from all servers and highlight why administrators reboot servers. You can disable the shutdown event tracker from GPEDIT.MSC Computer Settings Display Shutdown Event Tracker. Manage your Server Windows 2003 wizards often offer a faster way to accomplish a task. For e.g. you can easily add or remove a server role. Volume Shadow Copy for Shares In conjunction with an XP client, this feature lets users roll back a data file to a particular point in time or restore a deleted file. IP Security (IPSec) over NAT IPSec didnt work 100 percent if either of the machines were behind a NAT or NAT-style router or firewall in Win2K server. In Windows 2003 IPSec over NAT feature can encrypt both the header and payload parts of a packet over NAT. Its an excellent new feature for servers in DMZs or in other areas that use NAT. Driver rollback

You can use the Driver Rollback feature to rollback the current driver to the most recent previously installed driver. Internet Connection Firewall. Software Updates with SUS Using the Software Update service helps ensure that new Microsoft patches are well integrated into your environment. You can test the patches you want to update in a test lab and then distribute the patches you need to your servers and clients

Mode or Functional Level Win2k Mixed Mode Win2K DCs, Windows 2003 DCs and Windows NT 4.0 BDCs. Win2K Native Mode Win2K DCs and Windows 2003 DCs. Windows 2003 Interim Level Windows 2003 DCs and NT 4.0 BDCs. Windows 2003 Functional Level Windows 2003 DCs.

Active directory Users and computers version 5.2.x In windows 2003 Active Directory Users and Computers, you can still move items by right-clicking and selecting Move rather than by using the new drag and drop feature. Selecting Multiple items within Active Directory Users and Computers and change some element of all the items information. (E.g. changing all the users business address to a different location). Saved Query function. (For E.g. If you want to find all users who met certain criteria within a specific OU or across the entire domain who have not logged on since last 30 days). In previous version you have to use ADSI script through VBScript to perform this search. Group Policy Management Console Group Policy Management Console is an add-on for Windows 2003 and windows XP Prof. the GPMCs goal is to provide a Group Policy-centric view of the environment a birds-eye view of Group Policy Objects (GPOs). In Win2k, you need to know where each Group Policy is maintained in relation to each domain and OU and sometimes in relation to each AD site. Download the Windows Installer (.msi) file from Microsoft and place it where you want to perform your Group Policy management. You can see all the GPOs at once; simply expand the tree to find your forests, domain and OUs. Youll also see a special folder called Group Policy Objects. You can create new GPO through the GPMC. After you create a GPO, you can edit it by right clicking it and selecting Edit. Doing so launch the Group Policy Editor, which you can then use to se the policies you want to implement. In Win2K if you attempt to manipulate GPOs, a dialog box offers you only one choice to click Open and launch the console. New feature of GPMCs includes backup and recovery of GPOs. Increased reporting from HTML based reports that show the settings inside a GPO. Resultant Set of Policy modeling. This modeling feature lets you determine what policies a user will be assigned if he or she moves, for e.g. from one OU to another OU. This modeling capability works only if youre connected to a Windows 2003 DC in the domain in which youre trying to perform the modeling.

Exchange ForestPrep: The ForestPrep utility performs all Exchange 2000 setup tasks that require EnterpriseAdmin and SchemaAdmin permissions, as it makes changes in the configuration container of Active Directory. ForestPrep extends your Active Directory schema to include Exchange-specific information. ForestPrep also creates objects in Active Directory and gives permissions on those objects to the account designated as the Exchange 2000 administrator. DomainPrep: The DomainPrep utility performs the Exchange 2000 setup tasks that require DomainAdmin permissions; it should be run by a member of the DomainAdmin group. You need to run DomainPrep once in each domain that contains an Exchange 2000 server and in any domain that hosts Exchange users. (An Exchange domain that contains mail-enabled users, but no Exchange servers, is a user domain). This utility creates the groups and permissions necessary for Exchange servers to read and modify user attributes. DomainPrep creates two new domain groups: Exchange Domain Servers (a windows 2000 global security group) and Exchange Enterprise Servers (a Windows 2000 domain local security group).

Exchange 2000 components: Information Store Service Manage access to database, called stores, for user messages and public folder contents. System Attendant Provides service and link monitoring, creation of recipient email addresses, generation of routing tables and many other general support functions. Simple Mail Transport Protocol (SMTP) Provides routing functions to deliver messages between servers. Active Directory. Maintains information that describes the organization, users, servers, and distributions lists. An organization is a grouping of servers running Exchange 2000 in a forest.

Exchange Server Family Exchange 2000 server is limited to a single 16 GB database per server. It doesnt support chat, Windows Clustering or distributed configuration. Exchange 2000 Enterprise Server Unlimited message storage and the ability to host multiple stores on a server. Exchange 2000 Conferencing Server