INSTALLATION INFORMATION
MINIMUM HARDWARE REQUIREMENTS TO RUN/MAINTAIN WINDOWS SERVER
• 133 MHz processor minimum (550MHz recommended)—for Enterprise Edition
• 128MB RAM (256 recommended), 1.5GB Hard-Drive Space
USER FACTS
• The account tab in user properties can do all of the following things:
Force users to change password at next logon (User must change password at next logon)
Unlock account (if they have been locked out)
Use multiple UPN names (Example: thand@domain.com, thand@foot.com)
Setup temporary or full-time accounts
• Disabling accounts is the quickest/simplest way to temporarily close an account (to copy it
later or to actually re-enable it later)
PROFILES
• Local Profiles are stored in C:\Documents and Settings\
• You have 3 types of profiles: Regular local profile, roaming profile, mandatory profile
• ROAMING and/or MANDATORY Profiles:
1. You have to rename the ntuser.dat file to ntuser.man to make a mandatory profile
2. SHARE roaming folder & give Everyone FULL-CONTROL over that folder!
• You can highlight more than one user & type: \\SERVER\PROFILES\%USERNAME%
• New users get the ‘Default User’ profile when they log in for the first time
DEVICE MANAGER/DRIVERS/MORE
HARDWARE/DEVICES/DRIVERS
• Device Manager is the ultimate tool for checking hardware problems (you can use it to disable
devices, roll-back drivers, update drivers, uninstall devices, and more)
In Device Manager use the ‘Scan for hardware changes’ option to locate/find/add devices
RED-X in device manager means disabled device (you can re-enable it again if needed)
Yellow Question Mark (with Black Exclamation): usually means there is a driver problem
Disable device if it is causing problems (this is quickest solution; don’t uninstall)
• If you have a modem, you can use the Diagnostics tab to Query the Modem
DISKS/VOLUMES/ETC…
DISKS: DYNAMIC, BASIC, AND MORE….
• Basic Disk: Primary and Extended partitions (you CANNOT extend them)
• Dynamic Disk: Simple, Spanned, Striped (Spanned & Striped are 2-32 hard drives)
Simple Volume: uses space from one hard-drive but can be expanded; not Fault Tolerant
Spanned Volume: uses space from 2-32 hard-drives & can be expanded; but not Fault-Tolerant
SECURITY TEMPLATES
• The three big templates are: compatws, securedc and hisecdc
Compatws.inf: Used to relax settings to work with legacy applications
Hisecdc/Hisecws.inf: Ensures computers only communicate with 2000/XP/2003
Setup Security.inf: Default security settings
WINDOWS XP TOOLS
• The recovery console can be started with CD, repair option, and you can use commands:
bootcfg /rebuild: rescans the hard-drive & rebuilds the boot.ini
fixboot: can also repair the boot sector
Copy: can be used to copy files from a CD to the local hard-drive (such as drivers)
• MSCONFIG: This opens the system configuration utility, used to control startup programs
• Local Policies includes Audit Policy, User Rights Assignments & Security Options (know this)
• Audit Policy
Auditing is not enabled by default!
You can monitor ‘Successful’ or ‘Failure’ events
Audit Account Logon Events: Monitor users logging into the domain!
Audit Logon Events: Monitor users logging into a specific computer (local computer)
Audit Object Access: Monitor users who are accessing files/folders
Audit Policy Change: If someone makes a change
• Security Options
Set the “Number of previous logons to cache” policy to “0” (no cached credentials)
Manage auditing and security logs user right: Security logs are generally only available
to administrators on the local level (but this is a group policy you could grant)
GROUP POLICIES (GOOD ONES TO KNOW)
• Administrative Templates (Common Scenarios)
Do not allow client printer redirection policy
Delete cached copies of roaming profiles policy setting (to remove roaming profile off a
computer after that user has logged out….so no-one can access his/her information)
Force domain users to log off when their logon hours expire
Group Policy: (Computer, admin templates, Windows Components, Windows update)
point all client computers to central SUS server
“Do not allow client printer redirection policy” is a Group Policy you can use for printers
Group Policy: Log on locally user right (must be given for domain controllers)
Group Policy: Set time limit for disconnected sessions to cut-off sessions (or set this
through user properties in Active Directory)
Group Policy: Offer Remote Assistance (to configure users that can do this); or set this
manually through the System Properties of a computer
TROUBLESHOOTING
TROUBLESHOOTING COMMANDS
• IPCONFIG /ALL (show all TCP/IP information like IP address, subnet mask, etc…)
• IPCONFIG /release or IPCONFIG /renew (Used to acquire new IP address from DHCP)
• IPCONFIG /registerdns (will register with DNS)
• IPCONFIG /flushdns (Will empty your DNS name cache)
• PING (tests connectivity)
• TRACERT (checks each hop/router that your signal goes through, to see where problem is)
• NETSTAT (checks all incoming and outgoing connections)
• NBTSTAT -R (Will empty your NetBIOS name cache)
• NSLOOKUP: DNS command that allows you to type in Computer name and get IP address
• Software Update Services (must have 700MHz, 512MB RAM, 6 GB free disk space), and
(Windows Server 2003, 2000 Server-SP2)
• http://localhost/susadmin (to open SUS admin Web Site to setup SUS options)
• When using SUS, the updates/downloads must be ‘approved’ before sending them out
• The following computers automatically come with Automatic Update software (ability to use
Automatic Updates): Windows XP-SP1(or higher), Windows 2000-SP3(or higher), Windows
Server 2003(all versions): only these systems have Automatic Updates software installed
Note: If you have a Windows 2000-SP2 then you will need to install WUAU22.MSI or update
to Service Pack 3 for this computer to support Automatic Updates
• You must install WUAU22.MSI for automatic updates client software
• You can configure Automatic Updates manually on each computer through the Automatic
Updates tab; or you can do it through Group Policy (quicker and more effective)
• You can use Group Policy to enable Automatic Updates, and you can configure where client
computers acquire their updates from: (Computer Configuration>Administrative
Templates>Windows Components>Windows update)
• You need to know the following SUS configuration Options:
1. PROXY SERVER SETTINGS:
If you choose to manually use a Proxy Server, you will need a username & password
If you choose the option to ‘Automatically detect Proxy server settings’ (you will not
need a username & password)
2. NETBIOS NAMING
If you have a client that doesn’t support NetBIOS (something other than a Windows
operating system) you will have to type in a FQDN (fully-qualified domain name)
(Example: pc1.hand.com) instead of just a regular simple NetBIOS name
3. SYNCHRONIZATION OPTIONS
You can choose to synchronize directly from Windows Update Servers or you can
configure (through group policy) a SUS to update from another local SUS server
4. UPDATES
You can choose to ‘Automatically accept new versions of previously approved
updates’, or you can choose not to do this!
5. SUS STORAGE
You can Store updates locally, or on Windows Server (default is set to local)
If you store locally; remember to remove all locales not needed like Japanese, etc..!
These waste space and bandwidth; so just choose the locale you need!
TERMINAL SERVICES & REMOTE DESKTOP
Traditionally, Terminal Services has been used to allow centralized access to applications for users (where
applications are on a central server), or for remote administration of servers (for older Windows systems you
needed Terminal Services to remotely access and manage a server; but now you have Remote Desktop, which gives
you the ability to remotely access & manage a server). With Terminal Services, you can simply put a single
application on a central server, and then all clients can use Terminal Services to connect to the server and use the
application. However, there are many things you need to know about Remote Desktop and Terminal Services.
REMOTE DESKTOP
• Remote Desktop is installed by default, but not enabled by default!
• Remote Desktop: With servers, this program/tool is used mostly to manage/access servers
• Remote Desktop is generally blocked by default when you enable a ‘Firewall’
• Remote Desktop Properties:
You can configure a variety of options for personal remote desktop connections
You can transfer documents through remote desktop, if you select the ‘Disk Drives’ check
box in Remote Desktop properties (not selected by default)
• Add users to ‘Remote Desktop Group’ so they can connect to servers with Terminal Services
• Remote Desktop Web Connection: If you install IIS (Internet Information Services) users can
connect to servers through Internet Explorer; if this is installed.
TERMINAL SERVICES
• Basic Terminal Services Facts:
Terminal Services must be installed on Windows Server 2003 (not installed by default)
Remote Desktop is installed by default; but not enabled
Terminal Services are usually installed so users can access a central server in order to
run a particular application (application is only on central server)
Terminal Services traffic (also Remote Desktop & Remote Assistance) uses Port 3389 so
it might have to be enabled/disabled through your firewall
You must add a user to the ‘Remote Desktop Users’ group or the ‘Administrators’ group if
you want someone to have the ability to use Terminal Services to connect to a Server;
but you also need to grant them either Allow log on locally user right (to access domain
controllers) or Allow log on through Terminal Services user right for other server types
(not domain controllers)
If you plan on using Terminal Services – an Enterprise License Server must be created
(but with Windows Server 2003, you can run 120 days without a Terminal Services
licensing server); but you purchase a certain number of ‘licenses’ for allowed user
connections
• The main problem that occurs with Terminal Services connections is that by default
disconnected sessions will remain active & they will not be closed/ended, thus Terminal
Services Server performance will slow down; however, you have three main methods to
configure Terminal Services connection properties:
The first, and most effective method is ‘Group Policy’ to configure Terminal Services-
Sessions (Computer Configuration>Administrative Templates>Windows
Components>Terminal Services>Sessions>Set time limit for disconnected sessions) (and
therefore End a disconnected session after a specified period of time)
The second method is to open the Terminal Services tool on the Terminal Server and
under Connections right-click RDP-Tcp & open the properties; then under Session tab
you can End a disconnected session after a specified period of time
The third method is to open a user’s properties and in the Sessions tab you can End a
disconnected session after a specified period of time
DOMAIN
• Runas /user:nameofuser: command used to run as another user
• A computer must be a part of a domain to get access to resources on that domain.
PERFORMANCE MONITORING
• Task Manager and System Monitor are the best ‘2’ tools for monitoring performance
• A user must be added to the ‘local administrators’ group to view Security Logs in Event
Viewer on a File Server (or grant group policy power to view logs)
• Event Viewer is one of Microsoft’s strongest troubleshooting tools, allowing you to view
System, Application and/or Security log files
TASK MANAGER
• You can use the Task Manager to view a quick snapshot of the server’s performance (CPU
Activity, Page File usage)
You can change priorities of running applications (RealTime, High, AboveNormal,
Average, BelowNormal, Low) (Example: If you don’t want to impact other programs that
much, set a process to run at BelowNormal priority)
You can set ‘Processor Affinity’ (to configure a program to run on one, two or more
processors) (Note: 16-bit legacy programs can only run off of one CPU)
At the bottom of the Processes tab, there is an option to: Show processes from all users
(should be checked if you have more than one user to view all running processes)
SYSTEM MONITOR
• SYSTEM MONITOR: View real-time data about machine (better idea of what’s going on)
• System Monitor is the best tool available (monitoring real-time performance)
• System Monitor Counters you need to know (see below):
COUNTER                          MAX SETTING
Processor>%Processor             80% or higher (add a new processor)
Memory>Pages/Sec                 20 or higher (add more RAM)
PhysicalDisk>Avg. Disk Queue     2 or higher (Defrag or add new drive)
PhysicalDisk>%DiskTime           90% or higher (Defrag or add new drive)
Other Counters to Know
%Free Space counter used to measure available free space
Network Interface> Network Adapter counters are important to know
• LogicalDisk is a counter used to measure partition/volume capacity
• PhysicalDisk is a counter used to measure an entire hard-drive (all volumes on a disk)
• You can save System Monitor Counters as an .HTML file for viewing data later
PERFORMANCE MONITORING
• You can perform ‘memory dumps’ when companies require ‘debugging information’
• The ‘Network Monitor’ is a tool you can use to monitor traffic
BACKUP USERS/GROUPS
• By default members of Administrators, Backup Operators and Server Operators groups will
have permissions to back-up files and folders
• Add a user to the Backup Operators group if you want them to be able to do backups, or
have ability to work with removable storage devices (like tape drives)
• If a user is not a member of the groups above, they can still back-up a folder/file if they are
listed as the owner of the file, or have Read, Modify or Full Control permissions
• You can use Group Policy to give someone the ability to Back up or Restore files and
directories (Computer Configuration>Windows Settings>Local Policies>User Rights Assignment)
BACKUP INFORMATION
• Full (normal) backs up everything selected (no matter what)
Backs up all files & sets the archive bit to mark them as backed up
Requires only ‘1’ tape for backup & restoration process (which is the least amount of
tapes of all methods you can use)
You can schedule normal backups on a daily basis (not a bad choice); but you should
know that you could combine a normal/full backup with other methods for quick backups
throughout the week (Full & Incremental) or for a full recovery (Full & Differential)
• Incremental Backups:
Backs up files that have been changed/altered since the last Full/Normal backup
Removes archive bit (marked when file was changed) to show it’s been backed up
Backs up each night’s data only --- short backups
Full & Incremental backups: Restore full tape, and each incremental tape (lots of tapes)
Full/Normal with Incremental backups: Quick backups --- Long Recovery
• Differential Backups:
Backs up files that have been changed/altered since the last Full/Normal backup
DOES NOT REMOVE BIT – will backup file and leave archive bit marked
Backs up each night’s data (and previous nights’ data) --- long time
Full & Differential backups: Restore full tape, and last differential tape (just 2 tapes)
Full/Normal with Differential backups: Long backups ---- Quick Recovery
• Restoration of Data:
Full & Differential backups: Restore full tape, and last differential tape (just 2 tapes)
Full & Incremental backups: Restore full tape, and each incremental tape (lots of tapes)
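The archive-bit behaviour and the restore-tape counts listed above, modelled as an added example (not part of the original guide). The file names and the week's change log are constructed, and the model assumes one nightly backup type is used for the whole week after a Sunday normal backup.

```python
"""Archive-bit model of Normal, Incremental and Differential backups."""
from dataclasses import dataclass, field


@dataclass
class Volume:
    # file name -> (content version, archive bit)
    files: dict = field(default_factory=dict)

    def write(self, name):
        """Create or modify a file; the file system sets the archive bit."""
        version, _ = self.files.get(name, (0, False))
        self.files[name] = (version + 1, True)

    def backup(self, kind):
        """Return one 'tape' (name -> version) for the given backup kind."""
        if kind == "normal":
            selected = list(self.files)                 # everything selected
        else:
            selected = [n for n, (_, bit) in self.files.items() if bit]
        tape = {n: self.files[n][0] for n in selected}
        if kind in ("normal", "incremental"):           # these clear the bit
            for n in selected:
                self.files[n] = (self.files[n][0], False)
        # differential leaves the bit set, so the file is copied again tomorrow
        return tape


def run_week(nightly_kind, changes_per_day):
    """Sunday normal backup, then one nightly backup per day of changes."""
    vol = Volume()
    for name in ("payroll.xls", "orders.mdb", "memo.doc", "plan.doc"):
        vol.write(name)
    tapes = [("normal", vol.backup("normal"))]
    for changed in changes_per_day:
        for name in changed:
            vol.write(name)
        tapes.append((nightly_kind, vol.backup(nightly_kind)))
    live = {n: v for n, (v, _) in vol.files.items()}
    return tapes, live


def restore_plan(tapes):
    """Indexes of the tapes needed to rebuild the volume as of the last backup."""
    last_full = max(i for i, (kind, _) in enumerate(tapes) if kind == "normal")
    later = list(range(last_full + 1, len(tapes)))
    if not later:
        return [last_full]
    if tapes[-1][0] == "differential":
        return [last_full, later[-1]]     # full + last differential only
    return [last_full] + later            # full + every incremental, in order


def restore(tapes, plan):
    """Apply the planned tapes oldest-first; later copies overwrite earlier ones."""
    restored = {}
    for i in plan:
        restored.update(tapes[i][1])
    return restored


# Constructed change log: files modified Monday..Thursday.
WEEK = [["orders.mdb"], ["orders.mdb", "memo.doc"], ["new.doc"], ["orders.mdb"]]

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        tapes, live = run_week(kind, WEEK)
        plan = restore_plan(tapes)
        sizes = [len(t) for _, t in tapes]
        print(kind, "tape sizes:", sizes, "restore tapes:", plan,
              "ok:", restore(tapes, plan) == live)
```

Skipping any incremental tape during a restore leaves stale or missing files, which is why the incremental scheme needs every tape while the differential scheme needs only two.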
BACKUP/RECOVERY METHODS
• F8 – ADVANCED STARTUP METHODS
Safe Mode: Loads basic drivers
Last Known Good Configuration: Boots to last successful logon (Note: Please note that
when you officially logon; that is when the registry gets marked/updated)
Directory Services Restore Mode: F8 startup choice – allows you to boot computer and
restore the Active Directory database
1. Authoritative Restorations: Domain Controller is restored and will replicate
information to other domain controllers (overriding them)
2. Non-authoritative: Domain Controller restored but no replication will occur!
• ASR BACKUP:
You can create an ASR (Automated System Recovery) floppy disk using backup utility
The ASR floppy disk is simply a copy of the operating system configuration information
You can backup user data using backup utility
Note: You must have an ASR floppy disk & regular user data backup
• ASR RESTORE:
To restore; Boot from XP CD, press F2 during install process which starts ASR wizard
First; use ASR floppy disk to restore operating system configuration data
Second; restore the regular user data from tape (or whatever)
• RECOVERY CONSOLE:
The Recovery Console is an advanced (command-line) tool that can be used to restore
your server to a fully functional state
You can open Recovery Console (Boot from CD, select R=repair)
Or you can install Recovery Console (using the winnt32 /cmdcons command)
Includes Copy command: Copy files from CD to hard-drive if you need them (Example:
Copy ntldr file from CD to local hard drive)
Includes fixmbr and/or fixboot commands: fix master boot records on hard-drives
Includes a variety of other commands such as Enable/Disable if you want to start/stop
services, or Format/Diskpart to format drives or control volumes, and more!
[Network diagram: ROUTER 10.10.20.1 /24 and ROUTER 172.16.1.1 /24; CLIENT A 10.10.20.2 /24; CLIENT B 10.10.20.3 /24; SERVER 1 (DHCP SERVER) 172.16.1.2 /24; SERVER 2 (RIS SERVER) 172.16.1.3 /24]
SIMULATIONS TO PREPARE FOR
SIMULATION: USERS/GROUPS/SHARES
You have two domains: domain.com and foot.com (Windows 2000 native mode)
You are the network administrator for domain.com
You have a group named Sales in the main domain.com that you use to send email messages.
You have a Sales folder on your file server (\\SERVER1\SALES) in domain.com!
You are told to configure Sales group to include users from domain.com and foot.com
You are told to configure Sales group to control access to SALES folder
You must add a user named ‘John’ to the Sales group
Hints
1. Open Active Directory (Control Panel, then Administrative tools)
2. Change Sales group to be a Universal-Security group (instead of distribution group).
3. Add the user John to the Sales group
Note: Be prepared to edit a ‘Group’ account to change scope and add users to it!
SIMULATION: USERS/GROUPS/SHARES/PERMISSIONS
You are the network administrator for domain.com.
You have a Salesgroup and a Businessgroup in domain.com.
You have a file server (\\SERVER1\SALES) in domain.com.
Users of the Salesgroup must be able to create and edit documents, and be able to change
permissions on all files in the SALES folder
Users of the Businessgroup must be able to Read files in the BUSINESS folder.
Ensure that the BUSINESS folder is the only point of access for everyone (no other shares)
Hints
1. Open properties of SALES (change permissions to FULL CONTROL for Salesgroup)---but
take ownership power away (BE SURE TO REMOVE THIS POWER IN ALL SCENARIOS)
2. Make sure the Businessgroup has only READ power over BUSINESS
3. Open Computer Management SHARES and ensure only one share exists for BUSINESS
folder
John Doe has been on leave and has not had access to the network. He comes back but has
forgotten his password, and he accidentally locks himself out through bad password attempts.
Jane Smith is a contractor who worked for your domain.com for her temporary 3 months. She is
hired as a full-time employee for foot.com, but when she tries to login on her first day, she finds
out her account has expired and she can’t login.
Hints:
1. Open control panel, admin tools, active directory and open OU with people
2. Reset password first for John, and type Password12 & also unlock his account (because it
was locked out)….don’t forget to also choose Account option “User must change password
at next logon”
3. Change Jane’s properties and set the account expiration to ‘NEVER’ (she was just a contractor)
and change her UPN to include foot.com (because it was domain.com and must be
changed)
Note: Be prepared to make changes to users and edit their accounts in Account tab!
SIMULATION: SUS
You are the network administrator for domain.com!
Server1 is running SUS (Software Update Services). Server2 is additional SUS you add later.
Hints:
1. Open SUS icon on desktop of SERVER2 to officially open SUS admin
2. Select Set Options in SUS
3. Select Synchronize from local SUS and type in SERVER1 (for automatic synchronization)
4. Select option underneath to Synchronize list of approved items
5. Select option to automatically approve new versions of previously approved updates
You create a shared folder named Users on SERVER1 which has been created to store users’
folders for customized desktop settings.
You must:
1. Open control panel, admin tools, active directory and open OU with people
2. Highlight all users in SALES OU & configure their profile tabs to say:
\\SERVER4\users\%username%
3. Open control panel, system icon, then advanced tab & user profiles; then select John’s
account and browse to default user folder, add everyone and yes to finish
SIMULATION: PROFILES
You are the network administrator for domain.com!
A shared folder \\SERVER1\SHAREDFOLDER has been created to store user folders for
customized desktop settings.
HINTS:
• Highlight all users in BUSINESS OU and set their profile tab to:
\\SERVER1\SHAREDFOLDER\%username%
• Open Control panel, System icon and select Settings under User Profiles in Advanced tab
• Know how to use the advanced tool to copy a user’s account to the Default User folder and permit
‘Everyone’ to use it (KNOW HOW TO USE THIS TOOL)
HINTS:
1. For BUSINESS FOLDER, open the properties and:
First change the Share permissions: Change Everyone to have Full-Control (this way
you can adjust NTFS permissions to control power)
Second change the NTFS permissions: Add SalesGroup and give them read power, and
add Administrators and give them FULL CONTROL
Note: Don’t worry about giving Everyone Full-Control Share permissions – because Users
automatically are added with Read power thus restricting permissions.
You must:
1. Open control panel, admin tools, active directory and open OU with people
2. Open Computer Container OU, right-click on SERVERA and delete it
3. Reset SERVER 2
4. Move SERVER3 and 4 to SALES OU (right-click Move)
5. Double-click SERVER1 and add to SALES global security group
SIMULATION: DISKS
You are the network administrator for domain.com!
Your main hard-drive (DISK0) holds all data with database that is used and added to daily.
DISK0 is near full capacity and you are told to move data from DISK0 to newly added DISK1.
DISK1 has a single partition that is formatted as FAT32 (no data on it though).
• Configure Disk1 so that it can be extended in the future to increase disk space without
moving or deleting data
• Configure Disk1 for optimum write performance
HINTS:
1. Use control panel, admin tools, computer management, DISK MANAGEMENT
2. Delete any previous partitions on DISK1 to clear space
3. Convert Disk1 to Dynamic disk; then create new volume using maximum space and ensure it
is set to use NTFS
SIMULATION: SHARES/PERMISSIONS
You are the network administrator for domain.com!
HINTS:
1. Create share folder named MARKETING and add SalesGroup with read share power---then
remove the Everyone group in share permissions (THIS IS QUICKEST METHOD)
2. Open FINANCE folder and select option to create a ‘NEW SHARE’ and add FINANCE$ as
the new share; then remove the regular FINANCE share
3. Add Admins and give full-control SHARE permission and remove everyone
You must:
• Create a user account for Bill in SALES OU that contains same information as Jane Smith
(username=BillB and password should be Password12, only login to SERVER1)
• Ensure all employees in SALES OU have new fax number
HINTS:
1. Open control panel, admin tools, active directory and open OU with people
2. Open Sales OU and copy Anna’s account to create BillB account, use Password12
password and BillB username, and select “user must change password at next logon”
checkbox-----open his properties and configure Log On To box to SERVER1
3. Highlight all users in SALES and give new fax number